Tags: blogs, WordPress
The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:
The Blog-Health-o-Meter™ reads Fresher than ever.
A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 3,000 times in 2010. That’s about 7 full 747s.
In 2010, there were 23 new posts, growing the total archive of this blog to 37 posts. There were 75 pictures uploaded, taking up a total of 9mb. That’s about 1 picture per week.
The busiest day of the year was April 7th with 32 views. The most popular post that day was OneNote in the Cloud.
Where did they come from?
The top referring sites in 2010 were 188.8.131.52, mobilenoter.com, ifreestores.com, iheartonenote.com, and stumbleupon.com.
Some visitors came searching, mostly for onenote iphone, iam governance, one note iphone, motorola5200, and mobilenoter.
Attractions in 2010
These are the posts and pages that got the most views in 2010.
OneNote in the Cloud September 2009
OneNote, iPhone and Wi-Fi January 2010
Send Back Pictures to OneNote January 2010
1st Impressions – IBM and IAM Governance August 2009
OneNote to go … September 2009
Tags: blogs, PostAWeek
2010 has been a bit of a watershed for me and the new direction for my career has left me seriously short on time. Sadly, one of the things that has suffered is the time I’ve devoted to this blog. I’ve promised myself that I’m going to rectify this in 2011, by posting on this blog once a week throughout the year.
I know it won’t be easy, but it might be fun and it will be inspiring. Therefore I’m promising to make use of The DailyPost, and the community of other bloggers with similar goals, to keep me going, including asking for help when I need it and encouraging others when I can.
If you already read my blog, I hope you’ll encourage me with comments and likes, and good will along the way.
Wishing you a peaceful and prosperous New Year,
This time last year, we were cruising the Caribbean, on our way to the Panama Canal.
This year, looking out the window of V1951 Towers, I can see the Christmas lights in the trees reflecting on the snow. It’s been another frenetic and eventful year, with business making an unexpected but thus far fruitful change of direction.
We’re taking just a short break over the holiday period and we’ll be back in the office (and back on WordPress) from Wednesday December 29th, but in the meantime, we’d like to wish all our friends and colleagues
Best Wishes for the Holidays
Happy and Prosperous New Year
We look forward to chatting with you again in 2011.
Tom and Hilary
Tags: cloud, compliance, governance, risk
Recently, I was reading the Times on the early train to London, and I came across a multi-page section on Cloud Security – proof positive that cloud services are now firmly on the business agenda. While I understand the attraction of cloud in delivering quick, cost effective and scalable solutions to business problems, it strikes me that it also presents yet another opportunity for the business to cut IT (and particularly IT Security) out of the decision making process.
A few weeks back the BCS Information Systems Security Group held their AGM at IBM Bedfont and a number of IBMers including myself presented during the course of the day. My topic was “Maintaining Security Governance in the Cloud”.
My central theme was that cloud computing offers the prospect of delivering IT capacity that dynamically flexes to meet changing business requirements. However, this flexibility and cost-effectiveness comes at a price. There is a substantial risk that sensitive information will leak out of the business, and the lack of transparency of the provider’s security processes makes it essential that the business’s security governance processes are adapted to reflect these new risks.
So, faced with a new set of risks and preparing to trade control over IT systems (and their security) for the benefits of the SPI model of cloud services, never has it been so vital for the business to take good advice from security Subject Matter Experts on the increased governance processes needed to protect the business data and (more importantly) its reputation. Studies and surveys regularly report that 75% or more of businesses view security as the biggest single inhibitor to moving their IT operations into the Cloud. This suggests that those businesses understand – at least intuitively – that traditional controls are built on physical access to the technology stack and that Cloud deployment models mean that control is passed to the Cloud Provider. Nevertheless, a recent study conducted by Ponemon Institute for Symantec (“Flying Blind in the Cloud. The State of Information Governance“) suggests that businesses are prepared to enter into contracts with Cloud Service Providers, without engaging their IT security team to advise them:
- 65% select a CSP based on market reputation (word of mouth) while only 18% utilise their in-house security team to carry out an assessment
- 80% admit that their in-house security team is rarely or never involved in the selection of a CSP
- 49% are not confident that their organisation knows all the cloud services that are deployed.
In fact, businesses need to enlist the specialist knowledge of their security SMEs to help with the selection of a CSP and the negotiation of contracts. The Cloud Security Alliance suggests in “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” that, together, they need to:
- Review specific information security governance structure and processes, as well as specific security controls, as part of due diligence when selecting cloud service providers
- Incorporate collaborative governance structures and processes between the business and the provider into service agreements
- Engage their Security SMEs when discussing SLAs and contractual obligations, to ensure that security requirements are contractually enforceable.
- Understand how current security metrics will change when moving to the cloud.
- Include security metrics and standards (particularly legal and compliance requirements) in any Service Level Agreements and contracts.
Security SMEs will help to bring this about when we can present a clear and unambiguous explanation to the business of how the balance of risks and controls is altered in the Public Cloud and how this needs to translate into more sophisticated shared governance. This in turn requires that we have a precise definition of what Cloud is and a robust baseline of cloud security knowledge. The Cloud Security Alliance has introduced the Certificate of Cloud Security Knowledge (CCSK) to address this latter issue. This certification is not designed to replace existing well-established schemes, such as CISSP, CISM and CISA, but rather to demonstrate competence in the specific security challenges of Cloud deployments, by testing an understanding of two significant and authoritative documents:
- Cloud Computing. Benefits, risks and recommendations for information security. ENISA Report November 2009
The CCSK is strongly supported by a broad coalition of experts and organizations from around the world. The collaboration with ENISA means that the world’s two leading organizations for vendor-neutral cloud security research are providing the foundation for the industry’s first cloud security certification. CSA’s breadth of industry participation and strategic alliances are being leveraged to communicate the need for and value of this certification to employers within cloud providers, cloud consumers, consultants and a variety of other stakeholders. I’ll nail my colours to the mast here and commit to sitting the CCSK exam before the end of this year. How about you?
Tags: encryption, GSM, hacking, IAM, IMSI Catcher, mobile phone, one time password, SMS
At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks. My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying“.
It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely. In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic. GSM phones are designed to accept instructions from the BTS (GSM base station), and the handset authenticates itself to the network but the network never authenticates itself to the handset, so the phone has no way to tell a fake BTS from a real one. Even if instructed to turn off crypto (the A5/0 “no encryption” mode), the handset will not warn the user. Paget’s setup is based on an overlap between the ISM (Industrial, Scientific, Medical) band and the GSM band in the US. This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence, and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.
So, what Paget demonstrates – seducing mobile phones into connecting to a fake base station and using those connections to intercept voice or SMS communications – has been possible for a long time. Crucially, though, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained the province of intelligence services, organised crime or other well-funded adversaries. While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).
Why does this concern me? Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems. In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one time passwords, used as part of a multi-factor authentication scheme. The assumption behind that practice is that the mobile network is a separate channel the attacker cannot see; an IMSI catcher within radio range of the target breaks exactly that assumption, and the user gets no indication that anything is wrong. We must now seriously question our trust in SMS as a secure transport for these applications.
Tags: DESlock, disk encryption, Kensington lock, PGP, phishing, security, sensitive information
A recent article in the Times caught my eye. It was discussing the notion of “extreme jobs”. I think most of us can agree with the idea that there’s been an inexorable increase in the pressure on us to always be available, working longer and longer hours and still prepared to answer the mobile phone to a customer or the boss late into the night, at weekends and even on holiday.
Coupled with the ready availability of increasingly sophisticated mobile technology, it’s inevitable that many of us will take work home with us, or at least, outside the safety of the office environment. For many of us, that means we’re taking with us sensitive information and the consequences of the loss of that data could be catastrophic.
One of my current tasks is preparing security awareness training for colleagues working on a large Public Sector bid. We’ll be delivering this training to highly skilled and very experienced IT professionals, but looking around, I’m reminded that what is obvious and necessary to a security specialist is often at best an annoying distraction to others. We all have to remember that mishandling sensitive information can have grave contractual and even legal consequences both for an individual and for their employer. So, take a look at these 5 simple precautions, to make sure it’s not you that makes the headlines.
1: Pay attention to the physical security of your laptop while travelling
Any attempt to work outside the office almost inevitably means taking a laptop, loaded with project data (including sensitive commercial and even personal data) with you while you’re travelling. No matter how you travel, it’s bound to present plenty of opportunities for your laptop to be lost or stolen. It’s fair to assume that, generally the motive for theft is to sell the laptop onwards, rather than a concerted attempt to obtain any data stored on it. However, you should take reasonable care not to advertise that you might be a valuable target. Don’t for example wear your company pass outside the building. The risk is greatest, when you have to leave the laptop unattended:
- While driving, keep the laptop out of sight, in the boot of your car.
- When staying in a hotel, keep the laptop in a safe, if one is provided in your room.
- When using the laptop in a public place, secure the laptop with a Kensington lock.
2: Use whole disk encryption to protect your data
If your laptop is lost or stolen, the cost of replacing the hardware is relatively minor – and it’s insured anyway, isn’t it? The real cost of the incident is the loss or disclosure of sensitive information stored on the laptop. To protect against this, you should install whole disk encryption software. Every sector of the laptop’s disk is then stored encrypted, and the key that unlocks it is only loaded into memory once the laptop is powered up and the authorised user completes pre-boot authentication. Commercial software is available from a number of well-known vendors, including PGP and DESlock. You should bear in mind that, unless care is taken, even the authorised user may be unable to decrypt the data on the disk. You should make sure that:
- You run the operating system’s disk maintenance utilities to defragment the disk and check and mark any bad areas on the disk;
- You should make a full backup of the disk volume(s) before installing the encryption software;
- The install process will give the opportunity to create Emergency Recovery Information – make sure you write this ERI to a CD or other removable medium and store it somewhere safe;
- Most importantly, the data is only protected while the decryption key is out of memory, which means when the laptop is fully shut down or hibernated. In standby (sleep) the key stays in RAM and the disk is effectively unlocked for whoever opens the lid. You should never travel with your laptop in standby.
3: Protect yourself against eavesdropping when working in public places
One of my favourite tech commentators is Peter Cochrane, who writes a regular column for Silicon.com. Earlier this year, Peter reported on how easy it was to collect sensitive information from fellow travellers on the train. Anyone who travels regularly on commuter train services will be familiar with indiscreet conversations and (even worse) one-sided mobile phone conversations, that give away far more sensitive information than they should. Do resist the temptation to discuss sensitive matters in public places and try to curtail calls to your mobile until you can find somewhere more private.
Back to Peter Cochrane again. During his frequent air travel, he noticed people using mobile phones to photograph – or even video – the screens of other people’s laptops. His blog shows how it’s possible (given enough patience and a bit of experimenting) to get a readable picture of someone’s laptop screen. This situation is easily fixed for a modest outlay, through the use of a privacy screen. These clip over the laptop screen and make it impossible to read the screen unless you’re directly in front of it. These screens work along the same lines as polarising sunglasses – do make sure they’re fitted the right way round.
4: If you must use removable media, take extra care
It’s almost an immutable law of nature that, if you copy sensitive data to removable media, eventually, that media is going to get lost. The simplest remedy of course is not to use removable media. My current employer bans the use of these devices on Public Sector projects and, at one time, at least one UK government department filled the USB ports of laptops with superglue, to be absolutely sure. Of course, a blanket ban isn’t always practicable, so, if you do need to use a memory stick, removable drive or similar, here are a few suggestions:
- Don’t ever allow the use of personal removable devices – you have no idea how or where they’ve been used before or will be next
- Have a pool of memory sticks for your project, clearly marked and with some sort of unique identifier. Make team members check them in and out (with a signature) when they need them and make sure that missing or overdue devices are always followed up immediately.
- Always encrypt the device. As we discussed earlier in this article, the use of whole disk encryption when dealing with sensitive information is absolutely vital. So, if all your team members have the capability, it’s crazy not to use it for removable devices as well.
- It’s well worth the effort to select only the minimum amount of data for copying onto the removable media. It might be quicker to export the whole contents of a database, but you must do everything in your power to limit the potential loss.
5: Always use a secure connection over public networks.
Finally, when you’re out of the office and you need to work, be careful to secure your communications. Assume that all networks (in hotels or other public spaces, in customer sites and even at home) are hostile. Always use a Virtual Private Network (VPN) connection to encrypt all your traffic when connecting to your organisation’s intranet from outside and never use a public computer or your home computer to connect to the intranet.
So, to summarise, a mixture of sensible procedural precautions, together with a few simple and inexpensive technical additions can do much to control the risks of taking sensitive information outside the normal office environment. These measures might be a little inconvenient, but they will go a long way to ensuring that you’re not the one found responsible for a data loss, resulting in massive reputational damage, the loss of contracts and potentially huge fines for your employer.
A while back I wrote about the frustration of losing broadband at a critical time (is there ever a good time for it to happen?). So, I was intrigued to come across this post on the “Speaking Freely” blog by Digital Ghost. It’s from February 2007, but you can catch more recent posts here.
We all know that we need to keep on top of the housekeeping on our PC, particularly if we use it for business as well as home use. The truth is, we don’t bother until something goes wrong.
Take a look at 5 (well, 6 actually, but you can read them for yourself) eminently sensible things to do while you’re waiting for your broadband provider to come to your rescue.
via Speaking Freely
Tags: backup, Backupify, CA, cloud, Google Docs, IBM, Identity Management, Lotus Quick Rooms, wiki
I’ve written before in this blog about the difficulties of managing information across multiple computers and other devices, when you’re an independent consultant, looking to stretch your budget using (mostly) free tools. In those posts, I’ve speculated that at some point, I would need to resolve the problem of how to collaborate in real-time with colleagues. As it happens, it was after my recent return to the corporate world that the first real need came up.
I accepted an assignment to write a short document for an important customer. The document was to be co-authored by me and a colleague, with other members of our team making contributions or acting as reviewers. The problem was that we had a very short period of time to produce a first draft and it was unlikely that we’d be able to find much time working together in the same office – a clear case for online collaboration.
The nice thing about my current employer is that staff are actively encouraged to experiment with social media, collaboration and other tools. So in casting around for a solution, there were no shortage of suggestions. Keep in mind that:
- We didn’t have the time to be very formal in our approach;
- There was no clear demarcation on who should write each section – we anticipated that we’d all contribute to all of it;
- It was to be only a short (no more than 20 page) document.
Given who we work for, the logical first step was to try out Lotus Quickr. This web-based system allows real-time collaboration for teams and can work both inside and outside the corporate firewall. It was useful for building a library for the reference material we needed for our task, particularly with connectors allowing us to drag and drop files into the library on the Windows desktop and to use it from within email (Lotus Notes) and IM (Lotus SameTime). However, while it has all the facilities for managing collaboration on a document, they proved too formal for our requirements. Documents must be checked out for editing and then checked back in for review. That was just too slow (and single user!) for our purposes.
Our next attempt was to use a wiki. This allowed us to work on our document collaboratively, either in a simple markup language or using a WYSIWYG editor from a web browser. So far, so good. The problem came when we tried to simultaneously edit the document. Wikis are designed to be open for anyone to edit. The philosophy is that incorrect information, bad grammar or typos will be quickly corrected by someone else. This is fine, if you have the time to break your document into a series of hyperlinked pages. For us though, when we were both working simultaneously, the last one to save changes was confronted with either overwriting his coauthor’s changes or discarding his own.
Finally, my co-author (Identity and Access Management specialist Matt Kowalski) persuaded me that we should try Google Docs. We both use a number of Google services already (in my case, Buzz and Wave, as well as Calendar), so it was a simple matter to set up an account, import our existing draft from Microsoft Word and get started. Google Docs is like using the 50% of functionality in Word that everyone uses, without being slowed down by the other 50% that no-one uses. Even the toolbars are familiar enough to start working straightaway. You of course have control over who can collaborate and who can view, but within those boundaries, everyone can work simultaneously. This can be a little unnerving at first, seeing changes happen elsewhere on the page, as you’re typing.
Google Docs allows some collaboration apart from document editing. It provides an online chat window when collaborators are editing or viewing the document at the same time. However, it occurred to me that the whole idea of Google Wave is to provide more sophisticated collaboration tools. The downside of Wave of course is that you can’t create, edit or share documents. However, you can work around that by integrating the two services, using the Google Wave iFrame gadget. I know that Google Wave will be shut down at the end of this year, but for now, it seems worth taking the time to experiment. To me, it seems to work well, albeit in somewhat limited screen real estate.
Of course, if I’m going to consider using such a combination for real work, I need to consider security – that is after all my speciality. The first consideration is to be able to back up and restore anything I commit to Google Docs. For this, I turned again to Backupify. Sure enough, their free service includes backup of a single Google Docs account. I configured it and by next morning, I’d received an email confirming the first successful backup. To be sure, I accessed the archive at Backupify. I opened the archive, located my document and opened it, without any drama at all.
For a real commercial solution using Google Docs, it would be necessary to add further security. CA Technologies recently announced new cloud based capabilities for its Identity and Access Management (IAM) suite, allowing customers to provision users with credentials in Google Apps (including Google Docs) and also to enforce access through CA Siteminder and for business partners through CA Federation Manager. No doubt other vendors either have or are developing equivalent capabilities.
By way of a conclusion, we found a solution to our dilemma – a multiuser, real-time collaboration system, to edit and then publish a document. In practice, it was easy to use and the necessary security can be easily (and to some extent for free) added. Give it a try yourself – if you want to try it in Wave, then you’ll have to be quick.
Tags: Data Loss Prevention, firewall, Identity Management, keystroke logging, McAfee, Marcus Ranum, Personally Identifiable Information, phishing attack
A post on Twitter from @backupify the other day amused me …
“Google Apps has the same vulnerability as Microsoft products: Users”
They were making the point (explained further in their blog) that, according to a poll, a significant number of administrators, if they were fired, would take with them business sensitive information. Now, I’m not looking at those that take business sensitive information (customer databases, price lists, R&D files) as serious as that might be. What interests me is that a significant number said they’d take a key set of credentials with them. Yet another reminder of how vulnerable our online identity can be.
It also occurs to me that you can’t always expect to mitigate users’ behaviour with software-based controls, particularly when those users are members of the general public, with, at best, a sketchy idea of what online security is all about. Back in 2003, I was working as lead architect on an Identity Management solution for ABSA, South Africa’s biggest retail bank (and now part of the Barclays group). Three customers had funds removed from their accounts through ABSA’s internet banking facilities, in what appeared to be the country’s first documented case of this type of crime. It transpired that the three customers had picked up a keystroke logger, not having the necessary security software installed on their home PCs. Nevertheless, it was their bank that reaped the bad publicity.
Since then, banks around the world have done much to try to protect their customers, offering free or highly subsidised anti-virus software, offering various alternatives to the wholly inadequate use of passwords for authentication and even in some cases, confirming transactions through SMS message to your mobile phone. My business bank account is protected by a token, which generates a one time password (OTP) as well as a conventional password. My Bank also supplies me with free anti-fraud software from Trusteer. The Rapport browser plug-in protects session information stored in the browser and defends against man-in-the middle attacks, trojans and phishing scams. Most significantly for this discussion, it also monitors the user’s activity on the web and warns if the user attempts to use their Internet banking password in conjunction with another site.
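The reuse warning described above can be implemented without the add-on ever holding the banking password in the clear. As an added illustration (not Trusteer’s code and not part of the original post), the following registers the password as a salted PBKDF2 hash tied to the bank’s hostname and compares each form submission to another origin against it; a lookalike host such as bank.example.evil.test is not treated as the bank’s site. The hostnames, function names, sample password and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

PBKDF2_ITERATIONS = 100_000  # assumption: cost chosen for the example, tune for real use


@dataclass(frozen=True)
class ProtectedCredential:
    """A password the user wants warned about, stored only as a salted hash."""
    site: str      # hostname where the password is legitimately used, e.g. "bank.example"
    salt: bytes
    digest: bytes


def protect(site: str, password: str) -> ProtectedCredential:
    """Register a password for reuse monitoring without keeping the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return ProtectedCredential(site.lower(), salt, digest)


def _same_site(host: str, site: str) -> bool:
    # Exact match or a subdomain of the registered site. A lookalike such as
    # bank.example.evil.test does not end with ".bank.example" and so is flagged.
    return host == site or host.endswith("." + site)


def _matches(cred: ProtectedCredential, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def check_submission(url: str, password: str, protected: Iterable[ProtectedCredential]) -> Optional[str]:
    """Return the site whose password is being sent to a different origin, or None if all is well.

    Intended to run on form submission (not per keystroke), so the PBKDF2 cost is paid
    once per login attempt rather than once per character typed.
    """
    host = (urlsplit(url).hostname or "").lower()
    for cred in protected:
        if _same_site(host, cred.site):
            continue  # legitimate use on the bank's own site
        if _matches(cred, password):
            return cred.site
    return None


if __name__ == "__main__":
    vault = [protect("bank.example", "correct horse battery staple")]  # constructed sample
    for url in ("https://online.bank.example/login", "https://bank.example.evil.test/login"):
        warn = check_submission(url, "correct horse battery staple", vault)
        print(url, "->", "WARNING: reuse of %s password" % warn if warn else "ok")
```

Storing only a salted hash means a compromise of the add-on’s own data does not directly yield the banking password, and the constant-time comparison avoids leaking how close a submitted password is to the registered one.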
Still though, users will continue to fall victim to identity theft because of unwise behaviour online. So, I was pleased to see McAfee launch a decent eGuide to Identity Theft on their website recently. As well as the guide, McAfee provide an online self-assessment tool. By answering a series of questions, you can build a picture of the risks you run of identity theft, based on your online behaviour. The risk assessment tool generates a detailed report in PDF.
Working through the tool, I found that my risk is assessed as moderate. I could guess as I carried out the assessment which answers were affecting the score, but I feel comfortable that I’m making informed decisions to accept some risks. After all, you can’t remove all risks, only mitigate some and accept the rest. In fact, for many years, Marcus Ranum, who is widely credited with designing the first ever commercial firewall, published a picture of a set of wire cutters, under the title “The Ultimate Firewall”. This illustrates the basic dichotomy in computer security – that for total security you can’t have any connectivity. All security is a compromise with usability.
The McAfee eGuide and risk assessment tool are welcome resources, provided that they’re brought to the attention of users. Of course, their publication coincides with the launch of Identity Protection features in their flagship consumer packages. These features prompt the user for permission before Personally Identifiable Information (PII) is sent to a web site. This is the consumer equivalent of the Data Loss Prevention (DLP) solutions which are beginning to be deployed by large organisations. These packages aim to identify information assets (files to you and me) on computer systems that contain PII and apply policies to control what can be done with those files. This in turn limits the dangers of accidental or malicious leakage of the PII through USB sticks, email attachments, printed copy and so on. All these technologies will of course help, but ultimately, each of us is responsible for protecting our identity through responsible online behaviour. At least for now, too many users are completely unaware of the risks in what they do online. To find out more about the risks, try starting at the UK Information Commissioner’s website.
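To make the DLP idea concrete, here is an added example (not McAfee’s or any vendor’s code, and not part of the original post) of the file-scanning side of such a tool: it looks for e-mail addresses, UK National Insurance numbers and Luhn-valid card numbers in a few constructed sample files and applies a per-channel policy before anything is copied to removable media or attached to an e-mail. The patterns, the policy table, the function names and the sample content are assumptions for illustration; the NI number pattern is a simplified version of the real prefix rules.

```python
import re
from typing import Dict, List

# Detectors (assumptions for the example; a production tool would use validated, tuned patterns).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# UK National Insurance number: two letters, six digits, suffix A-D, spaces optional.
# Simplified: the real rules also forbid certain letters in the second position.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# Candidate card numbers: 13-19 digits with optional spaces or dashes, confirmed by a Luhn check.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Policy per exfiltration channel: whether a file containing this class of PII may leave by it.
POLICY = {
    "removable_media": {"email": "allow", "nino": "block", "card": "block"},
    "email_attachment": {"email": "allow", "nino": "block", "card": "block"},
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; weeds out order numbers and the like that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return {pii_class: [matches]} for every class of PII found in the text."""
    hits: Dict[str, List[str]] = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        hits["email"] = emails
    ninos = NINO_RE.findall(text)
    if ninos:
        hits["nino"] = ninos
    cards = [m.group().strip() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    if cards:
        hits["card"] = cards
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan a mapping of filename -> content and keep only the files that contain PII."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, text in files.items():
        hits = find_pii(text)
        if hits:
            report[name] = hits
    return report


def decide(hits: Dict[str, List[str]], channel: str) -> str:
    """'block' if any PII class found in the file is blocked on this channel, else 'allow'."""
    rules = POLICY[channel]
    return "block" if any(rules.get(cls) == "block" for cls in hits) else "allow"


# Constructed sample content standing in for files on a project laptop; not real data.
SAMPLE_FILES = {
    "minutes.txt": "Meeting with alice@example.com on Tuesday about the bid timeline.",
    "payroll-extract.csv": "name,nino,card\nA Person,AB 12 34 56 C,4111 1111 1111 1111\n",
    "notes.txt": "Order ref 4111111111111112 looks like a card number but fails Luhn.",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(name, hits, "->", decide(hits, "removable_media"))
```

The Luhn check is what keeps a scanner like this usable: without it, every long order reference or phone number is a false positive and users quickly learn to click through the warnings, which defeats the purpose of the control.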