Archives for March 2011

The Five Competitive Forces That Shape Strategy

In 1980, Michael Porter published Competitive Strategy, explicating the five competitive forces that shape corporate strategy. This book is still a must-read, although it is not universally accepted as the definitive book on corporate strategy.

Here is a January 2008 HBR article by Michael Porter showing that Porter is as strong a believer in his approach today as he was 30 years ago.

The Four Personas of the Next-Generation CIO

Ray Wang’s guest blog at Harvard Business Review cites The Four Personas of the Next-Generation CIO:

  1. Chief “Infrastructure” Officer
  2. Chief “Integration” Officer
  3. Chief “Intelligence” Officer
  4. Chief “Innovation” Officer

Is it possible to do all four? Would it make sense for the CIO to assign a “deputy” CIO for each of these four functions?

IT in the Age of the Empowered Employee

I recently came across this blog post from Harvard Business Review, IT in the Age of the Empowered Employee. The author, Ted Schadler, who recently co-authored a book entitled Empowered, seems to have coined the term “highly empowered and resourceful operatives (HEROes).” These people represent the 20% of employees in an organization who aggressively seek out information technology solutions on their own, without the IT department’s support.

Schadler recommends that managers and IT support HEROes’ efforts:

What caught my eye, of course, is “Provide tools to manage risk.” Yes, enable the use of Web 2.0 applications and social networking by mitigating the risks they create. Next-generation firewalls come to mind.

SIEM resourcing – in-house or outsource?

Anton Chuvakin wrote an article on the costs associated with Security Information & Event Management (SIEM) and log management, which will help you decide whether to do SIEM in-house or outsource it to a Managed Security Services Provider (MSSP). Anton breaks the costs down into the following categories:

  • Hard costs
    • Initial costs
    • Ongoing operating costs
    • Periodic or occasional costs
  • Soft costs
    • Initial costs
    • Ongoing operating costs
    • Periodic or occasional costs

BTW, in my experience, I have seen the total cost of a SIEM project (hard + soft) range from 10% of SIEM license costs (for shelfware SIEM “deployments”) to a mind-boggling 20x of license cost.

SSL Traffic Monitoring is a must-have security control

More and more web traffic is being encrypted, which is blinding organizations to potential threats. The Goldman Sachs programmer who was sentenced to 8 years in prison used SSL to encrypt his file transfers.

If your firewall cannot decrypt SSL, you must upgrade. It’s as simple as that.

RSA breach and APT – Detection Controls and Access Control

I would like to comment on RSA’s use of the term Advanced Persistent Threat (APT) in their Open Letter to RSA Customers. From my perspective, any company’s trade secrets are subject to APTs from someone. There is always some competitor or government that can benefit from your trade secrets. All APT means is that someone is willing to focus on your organization with resources of approximately the value of a penetration test plus the cost of acquiring a 0-day attack.

This means that you must assume that you are or will be compromised and therefore you must invest in “detection controls.” In other words, your security portfolio must include detection as well as prevention controls. Important detection controls include intrusion detection, behavior anomaly detection, botnet command & control communications detection, and Security Information & Event Management (SIEM). If you don’t have the resources to administer and monitor these controls, then you need to hire a managed security services provider (MSSP).

Furthermore, organizations must take a close look at their internal access control systems. Are they operationally and cost-effective? Are you compromising effectiveness due to budget constraints? Are you suffering from “role explosion?” A three-thousand-person company with 800 Active Directory groups is difficult to manage, to say the least. Does your access control system impede your responsiveness to changes in business requirements? Have you effectively implemented Separation of Duties? Can you cost-effectively audit authorization?

How concerned should you be about the RSA breach?

Ars Technica provides an excellent analysis of the potential threats to users of RSA SecurID tokens as a result of the breach RSA announced.

RSA’s announcement was not specific in the information it gave, so exactly what this means for SecurID isn’t clear. In the likely worst case, the seed values and their distribution among RSA’s 25,000 SecurID-using customers may have been compromised. This would make it considerably easier for attackers to compromise systems dependent on SecurID: rather than having to acquire a suitable token, they would be required only to eavesdrop on a single authentication attempt (so that they could determine how far through the sequence a particular token was), and from then on would be able to generate numbers at their whim.

The article also covers more benign, more grave, and less likely possibilities. I would think that RSA customers are receiving more precise information.

While SecurID is probably the most popular two-factor authentication solution, it may be worth noting that there are many other choices available from RSA and its competitors.
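To make the worst case in the Ars Technica excerpt concrete, here is an added model (not from the original post or from RSA) of a sequence-based token. SecurID’s algorithm is proprietary, so RFC 4226 HOTP stands in for it; the point it shows is that the validating server’s own look-ahead logic is the entire “token” once the seed is known, so the second factor is only as strong as the secrecy of the seed database (and any PIN layered on top).

```python
"""Counter-based OTP (RFC 4226 HOTP) used as a stand-in for a SecurID-style token.

Assumption (not from the original post): HOTP is only a model; SecurID uses its
own proprietary algorithm. The seed below is the RFC 4226 test-vector secret.
"""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, last_counter: int, code: str, window: int = 5) -> Optional[int]:
    """Server-side check: accept the code if it matches one of the next `window`
    counter values and return that counter so the server can store it and reject
    a replay. A wider window tolerates more token drift but also widens the set
    of codes the server will accept for this token."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None


def position_from_code(seed: bytes, observed: str, search: int = 1000) -> Optional[int]:
    """With the seed in hand, one observed code pins the token's position in its
    sequence. This is nothing more than verify() with a large window, which is
    exactly why a leaked seed database collapses the second factor."""
    return verify(seed, -1, observed, window=search)


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # RFC 4226 test-vector secret (constructed input)
    print("counter 0 ->", hotp(SEED, 0))
    print("server accepts code for counter 1 ->", verify(SEED, -1, hotp(SEED, 1)))
    print("replay of that code ->", verify(SEED, 1, hotp(SEED, 1)))
    print("position recovered from one code ->", position_from_code(SEED, hotp(SEED, 9)))
```

The replay check in `verify` and the PIN that SecurID layers on top of the token code are the server-side controls that remain meaningful if seeds are exposed; rotating the seeds is the only real fix.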

Fear, Information Security, and a TED Talk « The New School of Information Security


This is a TEDMED talk by Thomas Goetz, a great talk about making health information understandable to patients in order to motivate them to action. Adam blogged about it because it reinforces his notion that fear does not motivate management to invest in information security.

Thomas suggests a four-step feedback loop: Personalized Data, Relevance, Choices, Action.

For health care, Thomas shows that the key problem is poor information presentation design. Is the problem the same in information security, or is it the lack of relevant information to present?

In information security, people, and especially management, don’t act because they don’t believe that more firewalls, SSL and IDS will protect their cloud services. They don’t believe that because we don’t talk about how well those things actually work. Do companies that have a firewall experience fewer breaches than those with a filtering router? Does Brand X firewall work better than Brand Y? Who knows? And absent knowing, why invest? There’s no evidence of efficacy. Without evidence, there’s no belief in efficacy. Without a belief in efficacy, there’s no investment.

We’re going to need to move away from fear and to evidence of efficacy. Doing so is going to require us all to talk about investments and outcomes. When we do, we’re going to start getting better rapidly.

PCI And Virtualization « PCI Guru


The PCI Guru (a pseudonymous PCI QSA) wrote a nice introduction to virtualization security with respect to PCI compliance. If you are not familiar with virtualization, he/she starts with the basics, defining “bare-metal” vs. “hosted” hypervisors and pointing out that hypervisors are operating systems.

Maybe PCI Guru is planning another post which will go further, but I feel it’s important to point out that along with the virtual machines, there are virtual switches located on the host system. Therefore traditional network-based security solutions have no visibility into, and therefore no control over, the traffic between VMs on the same host.

In addition, when organizations take advantage of the flexibility of virtualization by quickly creating and moving VMs as needed to meet application performance and availability requirements, it’s very difficult, to say the least, for network security administrators to keep up with the changes.

For these reasons, a new type of product has entered the market – the hypervisor-based firewall, which should reside right in the hypervisor. In addition to controlling traffic among VMs on a host, the hypervisor-based firewall needs to be able to identify newly added VMs and automatically apply the appropriate policies.

Furthermore, a good hypervisor-based firewall should perform host intrusion detection functions since it’s in the hypervisor and can see into the VMs.

Finally, there are performance considerations. Since we are talking about host-based technology, the question of CPU resource drain must be examined. In other words, how much performance are you giving up in return for the security you are gaining?

Your guide to the seven types of malicious hackers | Security Central – InfoWorld


As you may have gathered from previous posts, I recommend the SANS 20 Critical Security Controls for Effective Cyber Defense as an information security road map for medium and large enterprises. The controls are selected and prioritized by answering the following questions:

  • Who are the attackers?
  • What are their objectives?
  • What attack vectors do they use?
  • What target systems did they use to gain entry?
  • What types of protection could have stopped them?

Roger Grimes provides a comprehensive answer to the first question with the following seven types of attackers:

  1. Cyber criminals
  2. Spammers and adware spreaders
  3. Advanced Persistent Threat agents
  4. Corporate spies
  5. Hacktivists
  6. Cyber warriors
  7. Rogue hackers