IT Security: The View From Here - Details

Listing ID: 1473

Title: IT Security: The View From Here

Description: Rob Newby's blog covers all things security, including PCI. He offers great perspectives and unvarnished, practical commentary.

Category: Computers : Security

listed on: July 27, 2008 04:32:58 PM

Recent Posts:

Pitchforks in sheds - 2008-10-31 11:45:00
I once heard someone describe network tools as 'pitchforks in sheds' - the basic premise being that although the tools themselves were all incredibly useful, without someone to use them, they are essentially useless.

I've looked at a lot of security tools in my time, and have seen some great ones. HP recently showed me WebInspect, which looks like a great hacking tool on its own, and an awesome development and QA tool in conjunction with other pieces of software in the family. They obviously know this, because they invited me to a dinner which I sadly couldn't make. I always think that when a company is confident enough to invite critics to a dinner, the tool is probably a market leader which wants to stay in that position. If it's just a presentation, then it's probably a start-up. Just a thing I've noticed over the years... anyway, back to the point.

There are a great many tools out there which are very useful for networks, security-focused or otherwise. However, without someone to roll out, manage, and insert them into processes - i.e. to get them used now and in the future - you may as well make a big pile of company cash in the car park and have bonfire night early.

Build your own network - 2008-10-29 11:48:00
I had an interesting security conversation today, about network architecture. Hmm... don't run away just yet.

I think we'd all agree that it is safest to keep your production networks away from your testing networks, and to make sure the data in your test areas is not live sensitive data - I'm not going to go over well-trodden ground.

I also think most would agree that splitting web servers from applications, and both from data, is the way forward, and using firewalls to split them out is only sensible. We may also split out external and internal DMZs on the internal and external firewalls, and of course our internal LAN. This is all stuff that can be found in books and on websites, of course.

But what of the relatively new worlds of web services and 'cloud computing'? I chuckled recently when these were referred to as Marketecture. In reality, these don't change anything about the way we build systems, in fact sometimes they are just making it unnecessarily complicated for the poor souls designing and building it.

Back to my interesting conversation though. Picture, if you will, a 3-tier network: an external firewall with the external DMZ hanging off it, and an internal firewall with the LAN and data tiers hanging off it. Where do you put the application tier?

My companion pointed to a case where it was also hanging off the internal firewall, and asked whether it shouldn't be attached to the external firewall as well. I argued the point that it didn't really matter, as you could just punch a hole through the internal firewall anyway, but is that really such a good idea? No, not really, so I capitulated, and realised that that was in fact how I have always done it in practical terms; I'd just never really thought about it too hard until faced with the direct question.

The fact of the matter is, the diagrams we draw of these things are really only ever representative. I don't think I've ever seen a network diagram which could be used to trace a real physical network - to make the important decisions, yes - to dismantle and rebuild, no.

In my opinion... - 2008-10-15 11:26:00
It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week; they have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.

I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.

Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?

How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?

I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.

I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)