Friday, January 25, 2008

Just for fun!

As with many folks I do have interests outside of my chosen profession. This is the first movie I have ever made using my Canon Powershot A95 and Apple iMovie 08. I shot this on Monday of this week. Enjoy!


Digital Certs and Smart Cards the Future of Info Security

Bill Gates: Digital Certs and Smart Cards the Future of Info Security


Speaking in the opening keynote address of the RSA Conference 2007 in San Francisco, Microsoft Chairman Bill Gates said that security needs to migrate from the computer infrastructure to the end user, in order to cope with the changing environment of portable devices inside corporate networks.

“Security is the fundamental challenge that will determine whether we can successfully create a new generation of connected experiences that enable people to have anywhere access to communications, content and information,” he said.

“This challenge is going to get a lot tougher,” he said. “The threat landscape has evolved in dramatic ways. When we first began working on Vista most attacks were done for notoriety. Today it is a lot more serious and nefarious than it was five years ago,” he added.

In his last keynote speech at RSA the Microsoft chairman criticized conventional passwords. “Passwords are not only weak, but passwords have the huge problem that if you get more and more of them, the worse it is,” he said. “Smart cards and certificates in general is the way to go. Enterprises should start to migrate from passwords to smart cards. We are laying the groundwork so that we can have certificate-based roots of trust.”

– Fiona Raisbeck, SC Magazine, at RSA Conference in San Francisco February 6, 2007.

Sunday, January 20, 2008

My Wonk Died

I was going back through some old posts and saw my writing about my inner wonk. I just wanted to share that I believe the Wonk in me is dead. I've evolved beyond that point and with my thoughts focused on "transparency" I think I have hope for a better tomorrow. Now to drag that better tomorrow into today!

Transparency Arrived Today

I see the disconnection between the user and what is really going on under the hood in the same way we see people on the freeway disconnected from the chaos just a few inches away. I think the way to break the "hamster wheel of pain" is to stop treating risk as a model that all things form into. Rather we need to factor risk as a "driver" in a machine we'll call the Automated Processing Environment (APE).

The APE is essentially stupid, slow, and constantly vulnerable to attack from smaller, faster, and more agile life forms. The APE isn't simply a collection of hardware, software and security controls. It is physical, human, and logical. I believe that we have to move on from the SDLC, CIA, and all models that have been crafted before this time, because the complexity of the attacks we see in our environments simply cannot be captured with current thinking in a way that helps us move forward.

If we shift the paradigm and factor in that, at the most basic level, we have human, physical, and logical assets all interacting with one another in a constant state of flux, it becomes next to impossible to authentically predict, or better yet, assess the risk posture of the APE. The piecemeal approach to providing a “cure” for information security challenges simply will not pass muster any more. We must address all components at once. Why? If all pieces of the APE triad (Human, Physical, and Logical) are not addressed at the same time, and with the same vigor, then the triad will collapse, and once again become vulnerable through the segment that was not equally bolstered. I've talked about transformation in previous posts, but I think that trying to improve one section at a time will never work because we will always be chasing the "tail of the dragon".

The same is true for mitigating risk to data. All too often I have seen huge efforts to implement technical solutions that do yield "a result", but that result is never fully understood. Manufacturers love to show dashboards displaying all the security data that has been collected, but in the end the dashboard serves no tangible purpose in understanding what is going on in the APE.

To break the cycle we must change the way business is done. We must become more closed and bring sensitive data closer to home. This could be done by "purging" all sensitive data from systems that are in the wild and bringing the data literally inside the walls of the Data Center. We need to move to a mix of client/server and the more feudal thin-client architecture that pulls data processing into centrally managed activities, in order to strike a risk-based, cost-balanced approach. Awareness of who, what, where, and when sensitive data is being processed will help reduce the threat of that data being lost into the wild, just as a diamond on display in a museum is protected yet shared through the exhibition.

But by far the greatest weakness in the APE triad is the human factor. Behaviors must be modified and addressed immediately upon discovery. When I worked the flight line I saw folks sent home immediately after any kind of accident. One case sticks out in my mind at SFO where the tug driver ran a container into the side of an aircraft. He was immediately sent for a drug test and ordered to take a week without pay. Hence I would say the level of intensity and focus during a turnaround was extreme. The danger was present and the risks real. That fear does not exist in the mind of the average user, but it should in those APE users that roam in a hostile world.

To be truly transparent means not only to report the control failures but to have visibility into any area of the enterprise allowing issues to be fully and freely expressed before they manifest themselves into security events.

Saturday, January 12, 2008

Did you know you can do something about...

Did you know that you can help reduce the national debt? You sure can, by sending the government money directly to pay down the debt. Unlike taxes, which are controlled by politicians and rarely go towards paying the national debt, here you can make a difference.

How do you make a contribution to reduce the debt?

Make your check payable to the Bureau of the Public Debt, and in the memo section, notate that it is a Gift to reduce the Debt Held by the Public. Mail your check to:

Attn Dept G
Bureau Of the Public Debt
P. O. Box 2188
Parkersburg, WV 26106-2188

Or you can fire your elected official and hire (vote for) someone who will be responsible to the people that put 'em in office!