<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Patterns</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/" />
   <link rel="self" type="application/atom+xml" href="http://blog.ncircle.com/blogs/patterns/atom.xml" />
   <id>tag:blog.ncircle.com,2012:/blogs/patterns//6</id>
   <updated>2012-02-06T16:54:17Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.38</generator>

<entry>
   <title>Overcoming the Fear of Disclosure</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2012/02/the_fear_of_disclosure.html" />
   <id>tag:blog.ncircle.com,2012:/blogs/patterns//6.683</id>
   
   <published>2012-02-06T16:49:16Z</published>
   <updated>2012-02-06T16:54:17Z</updated>
   
   <summary> Everyone&apos;s been talking about Verisign&apos;s 10K disclosure of a cyber security breach that happened in 2010. The comments seem to be focused on surprise that a company like Verisign was hacked, and various opinions about how the company handled...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-gameplay.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-gameplay.jpg" width="240" height="159" />

Everyone's been talking about Verisign's 10K disclosure of a cyber security breach that happened in 2010. The comments seem to be focused on surprise that a company like Verisign was hacked, and various opinions about how the company handled the disclosure.

I think the real topic for discussion from this news is why the employees who discovered the breach in 2010 decided not to inform management. It's easy to point fingers, but I doubt this was a case of dereliction of duty. It's much more likely that Verisign did not have a security culture that supported this kind of disclosure. Even if there was one in place, it certainly did not prove to be effective.

In light of the new SEC guidance, every company should be asking themselves if they have a policy that explicitly mandates security awareness and disclosure.  Even if your security practice is top notch, it takes real effort to build a company culture that values healthy security behavior.  Those of us who have been at it for as long as I have know that the human factors are the hardest to manage.  

For IT and security professionals, breaches imply error. Ask yourself honestly what your security team would do if a security incident took place. Would they be too afraid of negative consequences to report it? This is a very grey area when the impact of the incident is unknown. I've always been a fan of role playing and tabletop exercises because they give everyone a mental model and practice at the events that are too hard to master while in crisis.

Time for some serious introspection followed, hopefully, by action.
]]>
      
   </content>
</entry>
<entry>
   <title>It&apos;s 10 p.m., Do You Know Where Your Source Code Is?</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2012/01/its_10_pm_do_you_know_where_yo.html" />
   <id>tag:blog.ncircle.com,2012:/blogs/patterns//6.676</id>
   
   <published>2012-01-25T01:18:30Z</published>
   <updated>2012-01-25T01:25:49Z</updated>
   
   <summary> Last week a hacker by the name of &apos;Tama Tough&apos; claimed he was going to release the full source code for Symantec Corp&apos;s flagship product, Norton Antivirus software. With open-source software, all the source code is always available for...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-curfew.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-curfew.jpg" width="186" height="236" />

Last week a hacker by the name of <a href="http://thehackernews.com/2012/01/hacker-will-release-full-norton.html">'Tama Tough'</a> claimed he was going to release the full source code for Symantec Corp's flagship product, Norton Antivirus software.  With open-source software, all the source code is always available for everyone to see, but in this case Tama Tough was threatening to disclose the commercial closed source code.  

The ramifications of this threat, especially since there is an implied disclosure of source code, were huge. For example:
-	If the code were published, any secrets in the code could have become a problem for Symantec
-	Access to source code means cyber criminals could add malicious code and compile it into a product that mimics the look and feel of the original but is designed to do a number of very bad things that are almost impossible for end users to detect. (Beware of buying software from anything other than a trusted source, because the deal will not be a good deal for you.)
-	The raw logic of the program would have been exposed and, given this knowledge, an expert would probably find new kinds of vulnerabilities

Even though the disclosure didn't happen, the security implications of an intellectual property breach are enormous. This threat is a wake-up call for everyone: when was the last time you reviewed your source code security protection?

If it's been a while, here are a few questions to help you get started:

-	Do you know every single place this source code exists, both in operation and in backups?
-	What safeguards do you have in place to protect your source code, and how would you know if it was taken?
-	If your source code was stolen, what is the plan to keep the business operational and your customers safe?
-	Finally, do you have a plan to manage the crisis of public perception an event like this could cause, considering the 24x7 news cycle and social communications channels?

If you don't have clear, specific answers to all of these questions, you have just been put on notice. Symantec just reminded all of us that it's time to revisit the security protection around intellectual property. If you've got that under control, spend some time looking at business continuity and crisis communication plans to make sure they include this scenario and involve support, sales, marketing and legal teams.

This is a tabletop exercise you really need to work into your schedule in the near future.  It is the type of event that requires a companywide response and the more prepared you are, the better chance you have of containing the damage.

The problem with being a successful business is that you become more attractive to a better class of cyber criminals. It's the classic good news / bad news problem.  The good news is that your intellectual property is recognized as having significant value. The bad news is that now you are attracting the attention of more sophisticated cyber criminals.

Be proactive and be the hero and leader when this type of event happens; be reactive and be the goat.  Your move.
]]>
      
   </content>
</entry>
<entry>
   <title>Not-For-Profit also means Not-For-Loss</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2012/01/notforprofit_also_means_notfor.html" />
   <id>tag:blog.ncircle.com,2012:/blogs/patterns//6.671</id>
   
   <published>2012-01-17T15:18:29Z</published>
   <updated>2012-01-17T15:26:07Z</updated>
   
   <summary> So here&apos;s the deal; just because you are a non-profit organization doesn&apos;t mean you don&apos;t have to be concerned with the threats on the Internet. Last I checked, not-for-profit also means not-for-loss. In fact, as a non-profit you may...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-not-for-loss.png" src="http://blog.ncircle.com/blogs/patterns/blog-not-for-loss.png" width="472" height="298" />

So here's the deal: just because you are a non-profit organization doesn't mean you don't have to be concerned with the threats on the Internet. Last I checked, not-for-profit also means not-for-loss. In fact, as a non-profit you may be a more attractive target for some kinds of attackers, especially 'hacktivists' if they believe your organization is 'bad'.

For example, earlier in 2011, <a href="http://philanthropy.com/blogs/social-philanthropy/nonprofits-advised-to-take-precautions-after-pbss-site-attacked/28677">PBS was the victim of a LulzSec attack</a>. You can read about the drama connected with the attack, but the point I'm making is that your business model and its relative level of altruism doesn't affect the security or insecurity of your computer systems.

While this may sound completely obvious, all too often I hear something like, 'Oh, I don't really have to lock those systems down because there is nothing on them to steal'. 

Here's the problem with that line of reasoning: even if you have nothing to steal in terms of information, the systems and applications they run can be attacked, controlled and then used for criminal purposes. Your computers and computer network can be used as a weapon by the bad guys.  

In fact, it's very common for organized crime to compromise as many connected computer systems as they possibly can. Once they get them all under remote control, the bad guys wait for the perfect time and then use thousands of compromised computers to pull off a distributed denial of service attack on a targeted business. If the attacked company pays the attackers a fee, they will stop the attack. It's a very common form of cyber extortion.

If I were a non-profit, I would do a quick scan with <a href="http://purecloud.ncircle.com">PureCloud</a> just to see where my security stands. There's no excuse for lousy security anymore; if you are able to shop online, you have the skills to run <a href="http://PureCloud.ncircle.com">PureCloud</a>. And, at the very least, you will know if you have a security problem that you need to address.

Everyone should scan their networks and secure their systems, and not just the ones with confidential information on them.

Take security seriously, your business and the entire Internet will thank you.
]]>
      
   </content>
</entry>
<entry>
   <title>Survey Says!</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2012/01/survey_says.html" />
   <id>tag:blog.ncircle.com,2012:/blogs/patterns//6.669</id>
   
   <published>2012-01-11T23:43:05Z</published>
   <updated>2012-01-11T23:56:38Z</updated>
   
   <summary> PWC just completed and published what they call the Global Economic Crime Survey and for those of you paying attention, there should be no surprises. For those not paying attention, these reports do well in how one goes about...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-48percent.png" src="http://blog.ncircle.com/blogs/patterns/blog-48percent.png" width="332" height="126" />

PWC just completed and published what they call the <a href="http://www.pwc.com/gx/en/economic-crime-survey/download-economic-crime-people-culture-controls.jhtml">Global Economic Crime Survey</a> and for those of you paying attention, there should be no surprises. For those not paying attention, reports like this are a good way to socialize the craft of IT risk management.

Some highlights:

-	34% of respondents experienced economic crime in the last 12 months (13% increase from 2009)
-	Almost 1 in 10 who reported fraud suffered losses of more than US$5 million
-	Cybercrime now ranks as one of the top four economic crimes
-	Reputational damage resulting from cybercrime is the biggest fear for 40% of respondents
-	40% of respondents don't have the capability to detect and prevent cybercrime
-	56% of respondents said the most serious fraud was an 'inside job'
-	Senior Executives made up almost half of the respondents who didn't know if their organization had suffered a fraud

Getting hacked sucks but ignorance just makes it suck even more. 

As the report points out, it is no longer just an IT thing, and you really will need to socialize surveys like this on a regular basis. Cadence is key because you need to keep these issues top of mind but not be a pest.

There is just no excuse anymore. You have tools like benchmark.ncircle.com, you have free reports like the one above; it's up to you now.

]]>
      
   </content>
</entry>
<entry>
   <title>I haz digital cheezeburger and SOPA</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/12/i_haz_digital_cheezeburger_and_1.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.664</id>
   
   <published>2011-12-21T16:49:48Z</published>
   <updated>2011-12-21T20:48:18Z</updated>
   
   <summary> If I sell you a cheeseburger and you give me five dollars, once I give you a cheeseburger we have completed our transaction. You have less cash and I have fewer cheeseburgers. This straightforward physical transaction is...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-piracy.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-piracy.jpg" width="235" height="200" />

If I sell you a cheeseburger and you give me five dollars, once I give you a cheeseburger we have completed our transaction. You have less cash and I have fewer cheeseburgers. This straightforward physical transaction is not how digital information transactions work.

When you read this blog post, I still have the blog post. When you purchase a digital image, I still have the image. If you were to pirate or steal any of my digital information, I still have it. This is the crucial difference between physical transactions and digital information transactions.

When we choose to make something digital, we change it from a rival good, something physical, to a non-rival good. The implications of non-rival good transactions on commerce and society are profound because our transaction models are based on rival goods.
  
So far, as a society, we have been trying to wrap non-rival goods into a rival transaction model in order to prove that digital goods have clearly changed hands.  As evidenced by almost all forms of digital copyright protection, this approach has been a complete failure. 
 
Extreme attempts at managing digital transactions the same way we manage physical transactions have been so far off the mark that they are either completely unusable or ridiculously expensive. The Stop Online Piracy Act (SOPA) manages to incorporate both these attributes.

There are other ways to solve this problem. One strategy is to provide free content to everyone and offer high resolution or higher value content for a purchase. You can try to charge for the lower resolution / value content, but once someone accesses this content they can stream it out of the country and monetize it in other markets where US laws do not apply. This is why digital media has been wreaking havoc on the outdated commerce models of newspapers, record companies, cable companies and Hollywood movie studios.

SOPA is another misguided attempt to reach for a rival solution in a non-rival world. The hard truth is that there is no way to completely stop online piracy. There will always be loss, there will always be theft. It's pointless to seek a new, perfect digital transaction model that has the same attributes as rival commerce.

The laws and rules that support digital media commerce should seek fairness and balance. We should be designing digital commerce systems for optima, not maxima.

SOPA won't work. It's too late to put the digital genie back into a physical transaction bottle. The Internet ecosystem will eventually reject arbitrary boundaries and correct itself.

If SOPA is representative of our best collective efforts to solve the non-rival goods problem, it's going to be one hell of a ride before we collectively figure this out.

<em>Reference: photo by Leandro Ardissone</em>
]]>
      
   </content>
</entry>
<entry>
   <title>Are my privates showing?</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/12/are_my_privates_showing_1.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.662</id>
   
   <published>2011-12-13T21:01:59Z</published>
   <updated>2011-12-13T21:16:00Z</updated>
   
   <summary> In a recent blog post in the New York Times Bits Blog, Nick Bilton makes a strong claim that privacy is on its deathbed, but I see this problem a little differently. Perhaps privacy seems dead, but it&apos;s also...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-private.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-private.jpg" width="240" height="161" />

In a recent blog post in the <a href="http://bits.blogs.nytimes.com/2011/12/11/privacy-fades-in-facebook-era">New York Times Bits Blog</a>, Nick Bilton makes a strong claim that privacy is on its deathbed, but I see this problem a little differently. Perhaps privacy seems dead, but it's also possible that it's in the process of being reincarnated. 

Yes, Facebook is 6 years old and 800 million users strong, but the difficulty of protecting personal information and achieving some level of anonymity has been discussed for over 20 years. Anyone remember the Anonymity FAQ on <a href="ftp://ftp.uu.net">ftp.uu.net</a> back in the day? #datingmyself

Online privacy is more understandable as a verb than a noun because it is incredibly context sensitive.  In reality, online privacy isn't a single thing, it's a process.

Part of the reason that online privacy is so difficult to pin down is that the concepts of 'public' and 'private' in the information space are much trickier than they are in the physical world. Within a community, social norms are defined and redefined over long periods of time, resulting in a collective understanding of things public versus private. But when you have cross-communal mashups and cultures, who stabilizes the norms, and at what frequency? It's fairly common online for information set A to be public in one context but private in another.

In my opinion, the only way to understand privacy is within the context of the online 'game' an individual chooses to play.  I'm using the term 'game' as a frame for players, rules, payoffs, winning, losing, etc. In this context, the term game can apply to almost anything including national laws, commerce and online dating to name just a few. 

When looking at privacy through the lens of the individual, we often talk about consequences shaping a person's behavior. Consequences are a major factor, but today they apply very late in the game.

To change behavior, you have to first think about the value propositions behind why people share information because, unlike the physical world, once information is disclosed online there is no way to un-disclose it.  

Information is, by its very nature, connected to other information, creating a directed graph that can be traversed. This giant set of networked information makes it so easy to find information you may not want to be found. The rule of unintended consequences says that the individuals most likely to find things you would prefer to remain private are generally not playing your game. They are likely to be playing a completely different game with an entirely separate payoff.

I don't have any answers to this enormous problem, but I do know that it's going to get a lot worse before it gets better. There is just too much money to be made by selling information about you to make significant change possible in the near term. 

When we finally have real privacy solutions, individuals will be able to authorize and control access to their metadata. This will require a completely different approach to privacy and will affect the business models of every major Internet brand.

Until then, my best advice is to behave as if your privates are showing. Work very hard to disclose only information you know you can protect or that is feasible to recover.
]]>
      
   </content>
</entry>
<entry>
   <title>Which Half of Your Business Are You Protecting?</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/12/which_half_of_your_business_ar.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.659</id>
   
   <published>2011-12-07T22:15:40Z</published>
   <updated>2011-12-07T22:22:24Z</updated>
   
   <summary> When you purchase a house you order an inspection. Would it make sense to tell the inspector to assess just the outside or the front of the home? Or, if you were buying a car, would you have a...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="half-blog.jpg" src="http://blog.ncircle.com/blogs/patterns/half-blog.jpg" width="179" height="240" />

When you purchase a house you order an inspection. Would it make sense to tell the inspector to assess just the outside or the front of the home?  

Or, if you were buying a car, would you have a mechanic check the things only on the driver's side?  

That would be nuts, right? You would just be putting a rope around your own neck.

Why then do people think that it's OK to assess only Internet-facing devices when they scan their networks?

There was a time when security scanning was so expensive and so complicated that companies could only afford to scan Internet-facing devices. But those days are gone and there is no longer any excuse for half measures with security scans.

Historically, bad guys used to 'push' attacks at Internet-facing devices, and firewalls were very effective at blocking those bullets. Today, local networks are exposed to a wide variety of attack vectors that never even touch the firewall.

For example, these days an attack can be 'pulled' in via internal users browsing the Internet. Firewalls offer no protection against malware infections that come through a web browser.

The path to better security is knowledge, and the player with the best knowledge wins. Your task is to have more knowledge about your own network than the bad guys.  That means you need to scan your whole network, especially devices behind the firewall. 

You might think you can't afford to scan your whole network. You might think you aren't technical enough, or that you need to be an expert to complete a comprehensive security scan and fix all the problems it finds. All that has changed with PureCloud.

If you can order holiday gifts online you're enough of an expert to operate PureCloud successfully. And, until December 16, you can scan your entire network for free.  Check it out.
<a href="http://purecloud.ncircle.com">http://purecloud.ncircle.com</a>
]]>
      
   </content>
</entry>
<entry>
   <title>Why Small Businesses Need to Think Like Cyber Criminals</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/12/why_small_businesses_need_to_t.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.656</id>
   
   <published>2011-12-02T00:45:20Z</published>
   <updated>2011-12-02T02:10:43Z</updated>
   
   <summary> No business should assume they are too tiny or obscure for a cyber attack. In fact, smaller businesses are a favorite target for cyber criminals because they usually don&apos;t have the cyber security safe guards of larger organizations. That&apos;s...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="comp-crime-squad.jpg" src="http://blog.ncircle.com/blogs/patterns/comp-crime-squad.jpg" width="240" height="180" />

No business should assume they are too tiny or obscure for a cyber attack. In fact, smaller businesses are a favorite target for cyber criminals because they usually don't have the cyber security safeguards of larger organizations. That's the bad news.

The good news is that you don't have to be a security or a technology expert to protect your business from cyber criminals. You do have to change your mindset about security and <a href="http://blog.ncircle.com/blogs/Tech-Perspectives/archives/2011/11/do_you_think_you_are_secure_or.html">get educated</a>. You also have to think like a cyber criminal to protect your business from cyber criminals.

Start by thinking about your data. How would your business be hurt if a cyber criminal had access to your customers' credit card numbers or online financial data? How about confidential product and partner information? Could your business survive if you lost access to your website or email?  

Next, think about where this data resides on your network. If you don't know where your data is (and data isn't always where it's supposed to be) you can't protect it.

Now consider minimizing the number of systems that contain critical information, the cyber security equivalent of circling the wagons. This allows you to concentrate the greatest levels of protection on areas where a data breach could have the most serious consequences.

Finally, spend some time creating security policies or adapting <a href="http://www.sans.org/security-resources/policies/">free templates</a> for your unique business. Take the time to explain the reasons behind the policies to your employees and keep them updated on security issues. The easiest ways for a cyber criminal to get access to your network are to steal user credentials or hack a password.

Remember, cyber criminals are opportunists on the look-out for the equivalent of a smash-and-grab robbery.  Make sure your business isn't an easy target.
]]>
      
   </content>
</entry>
<entry>
   <title>How Do You Know You Are Secure?</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/11/how_do_you_know_you_are_secure.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.648</id>
   
   <published>2011-11-18T21:39:23Z</published>
   <updated>2011-11-18T21:45:17Z</updated>
   
   <summary> A recent study by the National Cyber Security Alliance and Symantec found that 85% of small companies think their company is cyber-secure but many fail to take even basic cyber security precautions. It&apos;s easy to think you are secure....</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="microscope-blog.jpg" src="http://blog.ncircle.com/blogs/patterns/microscope-blog.jpg" width="186" height="250" />

A recent <a href="http://www.techjournalsouth.com/2011/10/many-small-businesses-fail-to-take-even-fundamental-cyber-security-precautions/">study</a> by the National Cyber Security Alliance and Symantec found that 85% of small companies think their company is cyber-secure, but many fail to take even basic cyber security precautions.

It's easy to think you are secure. But how do you know you are secure? What evidence do you have that your cyber security is at least as good, and hopefully better than, other businesses your size?

The first thing every business should do is to think like an attacker. The ugly reality is that organized crime has been cultivating specialized hacking skills in order to target small businesses because they typically have fewer security controls in place than larger enterprises. It's definitely not a fair fight.

The same <a href="http://www.techjournalsouth.com/2011/10/many-small-businesses-fail-to-take-even-fundamental-cyber-security-precautions/">study</a> also puts the average annual cost of cyber security attacks on small and medium sized businesses at $188,000. What's more, statistics show that 60% of businesses will close within six months of a cyber attack.

Facing this grim reality is critical. The odds are stacked against small businesses that just think they are secure. If you aren't sure your network is secure, you need to step up your game.
]]>
      
   </content>
</entry>
<entry>
   <title>Seriously Siri</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/10/seriously_siri.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.638</id>
   
   <published>2011-10-13T17:52:58Z</published>
   <updated>2011-10-13T18:05:06Z</updated>
   
   <summary> How about this for a Siri session: User: Is my network secure today? Siri: You have 5 critical vulnerabilities that need your attention User: Fix them, rescan, and send me a report. Siri: Will do. :-) Before Siri was...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="siri_gallery_saythings.png" src="http://blog.ncircle.com/blogs/patterns/siri_gallery_saythings.png" width="112" height="255" />

<strong>How about this for a Siri session:</strong>

<strong>User</strong>: <em>Is my network secure today?</em>
<strong>Siri</strong>: <em>You have 5 critical vulnerabilities that need your attention</em>
<strong>User</strong>: <em>Fix them, rescan, and send me a report.</em>
<strong>Siri</strong>: <em>Will do.</em>

:-)

Before Siri was an Apple product offered in the new iPhone 4S, it was the product from the mind of Tom Gruber, CTO and VP of Design for Siri.com.  It is Gruber's definition of ontologies within an Artificial Intelligence context that is frequently quoted: 

<blockquote>"An ontology is a specification of a conceptualization"</blockquote>

Gruber has done such great work over the years that I feel I need to say something today about Siri and its application of ontologies and Semantic Technology.

At a high level, what makes Siri a long term success in my opinion is that it facilitates both the demand and the supply side of the equation. The demand side is how the user experiences the role of a personal assistant, but this is enhanced greatly by the fact that the supply side is a massive aggregator of data sources; the corpus as a whole forms all things interesting to a person needing assistance. It is through ontological models and reasoning engines that this is all connected, so it is again the case that the whole is greater than the sum of the parts.

Some of you may have seen the work I have done on ontological reasoning for risk ranking and scoring.  I've also been a big evangelist [and pain in the ass at times] for the W3C Semantic Technology stack to be the basis of IT Vendor Interoperability.  If you believe otherwise, I'm always up for a good argument; maybe we will both come away learning something new.  

The work that Gruber has done in applying ontological reasoning to commercial applications has finally hit the mainstream, but he is not alone.  Others have leveraged these unique capabilities, and they include the BBC, Best Buy, Overstock.com, the New York Times, Amdocs, the Library of Congress and the US Department of Defense, to name a few.  Other commercial companies are also using it for a competitive advantage, like <a href="http://seevl.net/">Seevl</a> and <a href="http://www.attunetasks.com/">Attune</a>, and don't forget the most important one, nCircle, which has been leveraging the power of ontologies since 2001. If you wonder how nCircle is able to scan a network so precisely, or how nCircle IP360's Focus query engine is able to infer and synthesize relevant information from terse search terms, it is all about leveraging domain ontology. 

<strong>User</strong>:  <em>Please compare my security metrics to my peers</em>
<strong>Siri</strong>: <em>You need nCircle Benchmark silly.  Go to</em> <a href="https://benchmark.ncircle.com/">https://benchmark.ncircle.com/</a> 

:-)


]]>
      
   </content>
</entry>
<entry>
   <title>Browser in the Middle</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/09/browser_in_the_middle.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.629</id>
   
   <published>2011-09-28T20:50:10Z</published>
   <updated>2011-09-28T21:08:01Z</updated>
   
   <summary>On November 15th of 2011, Amazon will start shipping a new tablet called the Kindle Fire or Fire for short. It is inexpensive and introduces a new architecture for web browsers with Amazon Silk. This video explains most of it....</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[On November 15th of 2011, Amazon will start shipping a new tablet called the Kindle Fire or Fire for short.  It is inexpensive and introduces a new architecture for web browsers with Amazon Silk.
This video explains most of it. 

<iframe width="560" height="315" src="http://www.youtube.com/embed/_u7F_56WhHk" frameborder="0" allowfullscreen></iframe>

Look carefully at the details given at 1:49 in the video when they talk about the 'split' architecture.   Ummm...you mean to tell me that everything I do with Silk will be there for Amazon to mine and analyze?  Wow, clear cache?  Too late!

With all this information on the consumer, think about the precision they can achieve in marketing to that buyer; IMO they should be giving these away.  Spend more than 'x' per year and the Fire is free?  Sounds like a retailer's dream come true. :-)


]]>
      
   </content>
</entry>
<entry>
   <title>Snap to the Timeline Grid</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/09/snap_to_the_timeline_grid.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.625</id>
   
   <published>2011-09-26T18:45:33Z</published>
   <updated>2011-09-26T18:48:28Z</updated>
   
   <summary> Last week, I watched Zuckerberg give his keynote at Facebook&apos;s f8 Developer conference. Overall I thought he did a great job telling his story of where Facebook has been with its user interface and where it is going. The...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="timeline-post.jpg" src="http://blog.ncircle.com/blogs/patterns/timeline-post.jpg" width="240" height="224" />


Last week, I watched Zuckerberg give his keynote at Facebook's f8 Developer conference.  Overall I thought he did a great job telling his story of where Facebook has been with its user interface and where it is going. The latest is a shift to a more temporal layout in what they call Timeline. I'd like to share my observations and opinions on Facebook's Timeline.
 
The first thing I want to point out is that the data now being accessed via Timeline was always there; it was just a pain in the ass to access or organize in a meaningful manner.  It is not a lack-of-data problem that is being addressed; it is a sense-making problem, because there is too much data to organize.  We see the same pattern in IT security, where all these systems are emitting data but centralizing & synthesizing it is what transforms data into information and ultimately information into actionable insight.
 
Facebook is certainly not the first to leverage a timeline as an explanatory device.  Apple's Time Machine utilizes the same pattern when applied to the set of tasks related to archival and backup. But I will say that in the case of Facebook, there are serious benefits to this temporal grid as they co-execute their strategy with their most vital asset: their community.  
 
When looking for a common grid across the Facebook universe, the one standard that everyone across the world understands is the concept of time. Certainly the members of Facebook understand the concept of minutes, hours, days, months and years, and this constant is understood by machines equally well. The primitives that make up Timeline are semantically stable, and this is extremely important.  Both humans and machines can perform temporal reasoning to organize and explain the data.  Timeline is the new 'snap-to-grid' of Facebook.  
 
With a more explicit representation of time, a higher resolution of understanding can be placed on past and current events, and newly created inter-graph relationships can be formed.  
 
My first example would not be a single person's timeline but some common event that happened within the same hour across a group of people.  I can imagine apps allowing you to play with a temporal slice across some group of people, or play your own version of an On-This-X-in-History scenario where X is any measure of time.
 
Remember that Facebook can also include physical location values so an application can leverage time, place, and other application specific attributes.  All these things have always been there in terms of data, it’s just that now Timeline allows people to understand and interact with it in a more usable manner.  
 
Timeline is a way to display and organize profile and application data in a manner that 1 billion people will be able to use and understand. While many will complain, you would be hard pressed to find another concept that is semantically stable across this number of people.  

Photo reference 
http://www.flickr.com/photos/fdecomite/406635986/sizes/s/in/photostream/
]]>
      
   </content>
</entry>
<entry>
   <title>Adapt or Die</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/08/adapt_or_die.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.616</id>
   
   <published>2011-08-10T22:15:14Z</published>
   <updated>2011-08-10T22:36:15Z</updated>
   
   <summary> &apos;Griefers&apos;, for those of you who need a reference, are those players in online games that enjoy deliberately engage in destructive or annoying activities to the detriment of the other players. They believe that the Internet should be used...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="image-something-awful.jpg" src="http://blog.ncircle.com/blogs/patterns/image-something-awful.jpg" width="240" height="180" />

'Griefers', for those of you who need a reference, are those players in online games who deliberately engage in destructive or annoying activities to the detriment of the other players.  They believe that the Internet should be used for non-serious activities. If you use the Internet for something serious, like commerce, then they target the community with some awful experience.  If you want to know more, WIRED online has done many articles on griefers, and all one has to do is Google "WIRED GRIEFERS" to learn more. 


Some gaming communities have a history of dealing with griefers and have evolved effective technical and social countermeasures.  Other game communities remain blissfully ignorant, although they may someday have to deal with this reality. There is definitely a 'griefer' pattern: Talented hacker (capabilities) + strong cause (criteria for victim list) = neo-griefer.

If you massively expand this worldview, the 'game' is the entire global Internet, and griefers are talented individuals who want to disrupt Internet activity, claiming virtual scalps of their victims in the name of multiple causes. 

What began with one prominent group of 'hacktivists' has now expanded to many. Victims of these groups include major brands like Sony and Bank of America, as well as federal, state and local government websites.  Hacktivists are targeting everyone and anyone that offends their varied values or violates their principles.  So far, the moral of this story is that no company on the Internet is safe from hacktivist attention.  If you are marked by them as the enemy, you are in for some pain.
 
For some people, an appropriate response to these threats is only required once they are assaulted. Others will see the headlines, understand the implications and harden their defenses before they are assaulted.  There are always laggards, and for them, change will only come when regulators put in place some basic requirements to raise the minimum amount of security.  The problem for this group is that your first incident may put you out of business. On the other hand, life is all about chance, I guess, and you can take your chances.  

The rate of change in IT practices evolves in direct response to that of the environment, and recently the environment has become extremely hostile.  It's easy to stand back and 'see what happens', but for some this might also mean an unrecoverable loss, for others a really hard and expensive lesson. 

Let there be no mistake, knowledge is power. Anyone that still thinks that power is centered on real estate and other hard assets is about to get their world rocked.  We are collectively going through a painful learning process, but the evolution of organisms is full of these inflection points. The Internet is no place for the weak, adapt or die. 
]]>
      
   </content>
</entry>
<entry>
   <title>IPv6 new version of bigness</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/06/ipv6_new_version_of_bigness.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.608</id>
   
   <published>2011-06-06T16:47:55Z</published>
   <updated>2011-06-06T16:53:23Z</updated>
   
   <summary> When the Internet was born, big was big but not at big as IP version 6 definition of big. The difference between IPv4 and IPv6 is that we go from a 32bit address space to a 128bit address space...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-ip-addr-image.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-ip-addr-image.jpg" width="250" height="162" />

When the Internet was born, big was big, but not as big as IP version 6's definition of big.  The difference between IPv4 and IPv6 is that we go from a 32-bit address space to a 128-bit address space (yes, that's 2 to the power of 128).  Big!  That is 340 undecillion, or 340 x 10^33 x 1000.

With IPv4, your service provider gave you one IP address.  When IPv6 is implemented and we have an address space of 128 bits, theoretically that is 665,570,793,348,866,943,898,599 addresses per square meter of the planet Earth!  Here's the good news: it will be a while until you run out of IP addresses. 

The flip side of this new definition of big is that there are a lot of other implications. For example, this huge address space means finding vulnerabilities and rogue devices on your network is significantly harder. On most networks it's typical for a subnet to contain 256 addresses (8 bits). With IPv6, typical becomes 2^64, or 18,446,744,073,709,551,616.  If we take a traditional scanner and, for easy math, assume it checks whether a host is present at each of these addresses at a rate of one per second, the 256 addresses could be completed in a little over 4 minutes.  Scanning the same subnet with IPv6 would take some 5 <em>billion </em>years.  Yeah, that changes things.

IPv6 has some facilities in the protocol for auto-configuration and auto-discovery, but there is no denying that there are more places for threat agents to hide, and traditional methods of network scanning will not work.  IPv6 means new network scanning technologies need to be invented.
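The scan-time comparison above, carried through as an added example (not code from the post or from nCircle) for any prefix length and any probe rate; the year length and Earth's surface area it uses are assumed rounded constants.

```python
"""Address-space and sweep-time arithmetic for the IPv4 vs IPv6 comparison.

Added example, not code from the original post. It carries the post's
one-probe-per-second assumption through for any prefix length and any probe
rate, using Python integers so the 2**128 values stay exact.
"""

# Assumed constants for the unit conversions (not from the post).
SECONDS_PER_YEAR = 365.25 * 86_400          # Julian year in seconds
EARTH_SURFACE_M2 = 510_072_000 * 10**6       # ~5.1e14 square metres


def address_count(total_bits: int, prefix_len: int) -> int:
    """Exact number of addresses in one block of the given prefix length."""
    if not 0 <= prefix_len <= total_bits:
        raise ValueError(f"prefix length must be within 0..{total_bits}")
    return 1 << (total_bits - prefix_len)


def ipv4_block(prefix_len: int) -> int:
    return address_count(32, prefix_len)


def ipv6_block(prefix_len: int) -> int:
    return address_count(128, prefix_len)


def sweep_seconds(addresses: int, probes_per_second: int = 1) -> float:
    """Wall-clock time to probe every address once, one after another."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return addresses / probes_per_second


def ipv6_addresses_per_square_metre() -> int:
    """The whole 2**128 space spread evenly over Earth's surface."""
    return ipv6_block(0) // EARTH_SURFACE_M2


def describe(label: str, addresses: int, probes_per_second: int = 1) -> str:
    """One human-readable line of the comparison table."""
    secs = sweep_seconds(addresses, probes_per_second)
    if secs < 3_600:
        return f"{label}: {addresses:,} addresses, {secs / 60:.1f} minutes"
    return f"{label}: {addresses:,} addresses, {secs / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print(describe("IPv4 /24", ipv4_block(24)))
    print(describe("IPv6 /64", ipv6_block(64)))
    # Even at a million probes per second the /64 sweep is ~585,000 years.
    print(describe("IPv6 /64 @ 1M pps", ipv6_block(64), 1_000_000))
    print(f"{ipv6_addresses_per_square_metre():,} IPv6 addresses per square metre")
```

At one probe per second the /64 sweep comes out in the hundreds of billions of years, so however the figure is rounded the conclusion holds: sequentially sweeping an IPv6 subnet is not a viable way to inventory it, and host discovery has to rely on something other than brute-force address enumeration.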

nCircle has been aware of this for quite some time and design work began  in 2001.  Over the next 24 months, the nCircle product line is going to deliver a series of innovative technologies that will redefine IPv6 vulnerability scanning. ]]>
      
   </content>
</entry>
<entry>
   <title>Fitness is to Compliance as Gaming is to Security</title>
   <link rel="alternate" type="text/html" href="http://blog.ncircle.com/blogs/patterns/archives/2011/05/fitness_is_to_compliance_as_ga.html" />
   <id>tag:blog.ncircle.com,2011:/blogs/patterns//6.598</id>
   
   <published>2011-05-19T13:22:43Z</published>
   <updated>2011-05-19T13:28:35Z</updated>
   
   <summary> I thought it might be interesting to use certain aspects of a sports event like the FIFA World Cup to understanding Products, Compliance, and Security in a more holistic manner. The FIFA World Cup has been held every 4...</summary>
   <author>
      <name>Tim Keanini</name>
      <uri>http://blog.ncircle.com/blogs/patterns</uri>
   </author>
   
   
   <content type="html" xml:lang="en-us" xml:base="http://blog.ncircle.com/blogs/patterns/">
      <![CDATA[<img alt="blog-scoreboard.jpg" src="http://blog.ncircle.com/blogs/patterns/blog-scoreboard.jpg" width="250" height="154" />

I thought it might be interesting to use certain aspects of a sports event like the FIFA World Cup to understand Products, Compliance, and Security in a more holistic manner. 

The FIFA World Cup has been held every 4 years since 1930, and the appeal of this event spans geographical and political boundaries hopefully making it a great explanatory device.   There are three aspects to the World Cup that I'll highlight to make my point: technology, fitness, and gaming.  All of these are present in this sporting event and are understood in multiple languages and cultures.

Products, compliance, and security will be explained in the same way we understand the Technology, Fitness, and Gaming in the World Cup.  

Products play an important role, but, as in soccer, technology alone will not win games.  We can talk about fancy shoes or the technology of the ball itself, but they are just infrastructure supporting higher level goals and objectives.  

We can speak about compliance as being like the fitness program and training a team must painfully endure in order to even have a shot at the World Cup.  Compliance alone is a great gauge of operational fitness, but even the fittest teams can be outplayed. 

Lastly, there is a gaming strategy aspect to the World Cup and this is truly what the discipline of security is all about.  Let me point out here that, unlike the game of soccer, IT security is a game that is not played to win; you are playing to 'not-lose' -- a much more appropriate framing of the strategy.  You cannot plan offensive measures so you must concentrate mostly on the continuity of your business.  Your dominant strategy is to raise the costs for your adversary. 

IT operations have matured to a point where fitness and compliance are well understood but unless we frame security as a game, measurement and management will be difficult.  For example, instead of asking the operational question of 'how long does it take to patch', a better security game question would be 'how feasible would it be for the adversary to know that this target is unpatched'.  I've spoken about this concept of a knowledge margin before and I will be talking about it more in upcoming posts.

Compliance, like fitness, is about operational integrity while security is about gaming.  We are playing the security game to not-lose.  
]]>
      
   </content>
</entry>

</feed>

