Archive for April, 2008

[Chinese] Network and Information Security Metrics and Assessment Indicator System (2)

April 30th, 2008

Continuing to organize some thoughts, and readers' feedback, about the security assessment metrics system (Metrics System).

# What is the significance and value of a security metrics system?

First, it reflects the organization's current security protection and operating status from various perspectives, giving management feedback at the strategic and tactical levels as well as trend analysis.
Second, it diagnoses the strengths and weaknesses of the various processes and hints at how to improve them.
Third, it serves the organization's performance appraisal.

# Points to note when designing a security metrics system, which are also the characteristics of a good metrics system:

  • Relevant to business objectives. This is the first priority. A security metrics system is not metrics for the sake of metrics, or for the sake of a standard; it is built for the core business objectives. Because different organizations have different business objectives at different stages of their history, there is no universal "silver bullet" metrics system. It must be tailored to your own situation, though industry best practices can be used as references.
  • Clearly defined and easy to understand. Most metrics can only be achieved through the cooperation of a team, often many teams. So once the metrics are defined, they need to be communicated and enforced, and resources and cooperation must be requested. A clear, understandable metrics system helps build synergy toward a common goal.
  • Consistent, measurable, easy to collect, low cost. Everyone knows the SMART principle, and it applies here as well: metrics should be Specific, Measurable, Achievable (or Attainable), Realistic, and Timely (time-bound). Each should have a clear collection frequency, a collection source, and a low collection cost.
  • Controllable: the result can be influenced through action. A metric should have a clear owner and an agreed threshold. The owner can influence and reach the metric through well-defined effort.
  • Can be presented quantitatively and graphically.

Some of the metrics will become KPIs (Key Performance Indicators). These usually come in two types: the first is already achieved but must be maintained continuously, for example equipment utilization; the second is achieved through effort within a given period, for example the current number of high-risk vulnerabilities per 100 devices is 10, and the target is to bring it down to 1 per 100 devices.

It’s ironic! It seems only Microsoft in the world likes to migrate to Vista

April 30th, 2008

ZDNet reports that HP and Lenovo have joined Dell in extending Windows XP. It’s very ironic! It’s also interesting. Why does Microsoft want to push an upgrade to software that most customers and partners dislike or even hate? Meanwhile, why does a brand-new OS that Microsoft spent billions of dollars developing get no acceptance from users?

This is not just because of the higher hardware resources Vista needs. Today, 1GB of memory costs less than $20. It’s very cheap. The real reason is that users cannot find a reason to upgrade. They just cannot convince themselves and the board.

A few days ago, Microsoft released Windows XP SP3 and Vista SP1. According to web reports, the performance of Vista SP1 has not improved, while XP SP3 is more satisfying to most users. That’s the point.

WordPress 2.5.1 released

April 26th, 2008

WordPress has released version 2.5.1. It includes a number of bug fixes, performance enhancements, and one very important security fix. It’s recommended to upgrade older versions ASAP. The fixes include:

  • Performance improvements for the Dashboard, Write Post, and Edit Comments pages.
  • Better performance for those who have many categories
  • Media Uploader fixes
  • An upgrade to TinyMCE 3.0.7
  • Widget Administration fixes
  • Various usability improvements
  • Layout fixes for IE

Actually, when I installed 2.5, I expected there might soon be a 2.5.1 with security fixes. It came after one month.

Security ROI – ROSI

April 24th, 2008

This evening I read a whitepaper that Paul sent a few days ago. It is a good whitepaper that covers much CISSP knowledge and financial terms, e.g. probability, NPV, etc. This whitepaper coins a new term, ROSI, which means Return On Security Investment.

[Diagram: ROSI]

This diagram, copied from the whitepaper, illustrates security investment and attitude. It’s interesting. Actually, security awareness is one of the most important jobs of every CISO. They must be very good at promoting security and at communicating with financial controllers and business decision makers.

It’s very cool that you can quantitatively calculate the return on security investment, even though it must come with a lot of assumptions.

[Chinese] Confessions of a Fund Manager: On the Bottom Line of the Chinese People (repost)

April 24th, 2008

I had always insisted that this blog be a purely technical blog, but some recent actions in the West regarding the Olympics are infuriating. Reposting below a hot post that has been passed around by e-mail. Strongly support the Olympic torch relay! Strongly support the Beijing Olympics!

[Chinese] Localized attacks require localized response

April 22nd, 2008

An interesting phenomenon was observed at a cybercrime conference in Latin America. Today's cybercrime increasingly shows highly localized characteristics; in other words, network attacks, phishing and the like are tailored to target only a specific country, region or user group. These tailored attacks rarely cross the boundaries set for them. Such localized malicious attacks are stealthier and harder for international anti-virus companies to detect, so they can stay hidden for longer. In this sense, local anti-virus companies will have an advantage, and international anti-virus companies will need to open more localized research centers and rapid-response centers to cope with this localization trend.

[Chinese] PCI Council releases PA-DSS, a data security standard for payment applications

April 21st, 2008

Recently, the PCI Council, the authoritative body of the online payment industry, released a data security standard for payment applications: PA-DSS. The PCI DSS data security standard that the council released earlier focuses on the system and infrastructure level. The new standard mainly addresses the security of payment applications.

According to reports, PA-DSS mainly defines data security requirements for third-party applications involved in online payment; applications developed in-house for internal use are outside the scope of this standard.

The standard's predecessor is Visa's Payment Application Best Practices (PABP), which had already been recognized and adopted by quite a few companies, including American Express, MasterCard Worldwide, Discover and JCB International. By adopting it as a standard, the PCI Council hopes that more enterprises will accept this data security standard. New business opportunities for related audit and scanning tools are expected.

According to reports, before July 1, 2010, all third-party sales and payment applications of the relevant member companies will be required to comply with the standard.

[Chinese] Network and Information Security Metrics and Assessment Indicator System

April 20th, 2008

It is again the time to summarize the past and look ahead, and to plan the goals and assessment metrics for another year of security operations. Everyone talks about SMART, and the principle is right. But what is the main direction for the year? And what are the concrete goals to be achieved? With these questions in mind, and just to give it a try, I posted a question on LinkedIn: how to measure the information security operations? To my surprise, I received many enthusiastic and excellent answers. Very inspiring. After I have sorted through them carefully, I will share more with everyone.

Security assessment (metrics, measurement) indicator systems are an interesting topic; one might say it is a problem security managers deal with every day. MBA courses and many management courses emphasize "If you can't measure it, you can't manage it!", and ITIL follows the same logic. The principle holds in security operations as well. So the question is no longer whether to have a security metrics system, but how to choose appropriate and correct metrics. Appropriate and correct security metrics should reflect the current work and the direction of effort; they help the security team, non-security teams and non-security professionals better understand the work and status of information security. Likewise, such a metrics system is very important for communicating with senior management and obtaining their support.

On this topic there are already many complete references, for example NIST SP800-55, "Security Metrics Guide for Information Technology Systems", and SP800-80, "Guide for Developing Performance Metrics for Information Security", in the SP800 series, as well as the several books and web links that others have already recommended; all are very good.

If you have good ideas or approaches, please share them too.

Upgrade Firefox to 2.0.0.14 ASAP

April 18th, 2008

Mozilla has published a “Critical” security advisory to address stability problems introduced by fixes for security issues in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1380). Some users experienced crashes during JavaScript garbage collection. Upgrade to version 2.0.0.14 of Firefox and Thunderbird, and version 1.1.10 of SeaMonkey, to fix this issue.

Red Hat stops developing desktop Linux

April 17th, 2008

It’s reported that Red Hat has halted plans for consumer-focused Linux. It’s a little surprising and disappointing news.

Last year, the Greater China reps of Red Hat visited us and recommended their desktop Linux solution to us. The benefits of desktop Linux include lower license cost, zero virus threats, etc. At that time, they told us that many MNCs had begun to adopt desktop Linux.

Taking into account the current SaaS wave, in the long run the value of the traditional operating system is shrinking, while content and web services are ramping up. This is partly the reason why Microsoft is proposing to Yahoo.

Why does Red Hat stop desktop Linux?

WordPress Security Admin Tools

April 17th, 2008

If you like it, secure and protect it! Particularly your WP.

The plugin “WP Security Scan” is a good one to help secure your WP installation.

Below is a brief report after its initial scan:

WordPress Version: 2.x You have the latest stable version of WordPress.
Your table prefix should not be wp_. Click here to change it.
Your WordPress version is successfully hidden.
WordPress DB Errors turned off.
No user “admin”.
The file .htaccess does not exist in wp-admin/.

In addition, Weblog Tools Collection has a very good post on “ten security tools for WordPress”.
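To show what four of those report items correspond to as concrete checks, here is an added Python example (written for this page, not the WP Security Scan plugin's own code) that evaluates them against constructed inputs: a wp-config.php fragment, the homepage HTML, the list of user logins and the file list of wp-admin/. The DB-error item is left out because the report does not say how it is checked.

```python
import re

# Constructed sample inputs (not from a real site). They deliberately fail
# every check so the report shows what an un-hardened install looks like.
WP_CONFIG = """<?php
define('DB_NAME', 'blog');
$table_prefix  = 'wp_';
"""
HOMEPAGE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.5.1" />
</head><body></body></html>"""
USER_LOGINS = ["admin", "editor"]
WP_ADMIN_FILES = ["index.php", "admin.php"]


def table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None if absent."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config_text)
    return m.group(1) if m else None


def version_exposed(html):
    """True if the page still advertises its WordPress version in the generator meta tag."""
    pattern = r'<meta\s+name="generator"\s+content="WordPress[^"]*"'
    return re.search(pattern, html, re.IGNORECASE) is not None


def run_checks(config_text, html, user_logins, wp_admin_files):
    """Evaluate the hardening points from the scan report; True means the check passes."""
    return {
        "table_prefix_not_default": table_prefix(config_text) not in (None, "wp_"),
        "version_hidden": not version_exposed(html),
        "no_admin_user": "admin" not in user_logins,
        "wp_admin_htaccess_present": ".htaccess" in wp_admin_files,
    }


def report(results):
    """Render one pass/fail line per check, in the spirit of the plugin's report."""
    return "\n".join(f"[{'OK' if ok else 'FIX'}] {name}" for name, ok in results.items())


if __name__ == "__main__":
    print(report(run_checks(WP_CONFIG, HOMEPAGE_HTML, USER_LOGINS, WP_ADMIN_FILES)))
```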

[Chinese] MPLS trends

April 16th, 2008

Mainstream carriers now rarely invest further in ATM/FR on their infrastructure, and are instead shifting to the newer IP/MPLS. In the market this shows as ATM/FR no longer being the carriers' flagship products: prices for traditional point-to-point leased lines are trending upward, while MPLS products are gradually gaining a price advantage and becoming the main choice among WAN solutions. This is especially evident in North America, and European carriers show similar characteristics. But North America and Europe are not the whole world: in China, Japan, Asia-Pacific, India, the Middle East and many other regions, traditional leased lines still hold a price advantage and remain the carriers' main product, while MPLS is still in the market-promotion stage. Gartner's technology trend analysis holds that around 2010 carriers worldwide will generally switch to MPLS and Frame Relay will exit the market entirely. In the next two to three years, the main MPLS access products will include leased lines, xDSL and Ethernet.

Another obvious trend is that the Internet is beginning to carry more and more enterprise applications. IP VPN is widely used for intra-enterprise and inter-enterprise data exchange and other less critical data services, such as content distribution, e-mail and instant messaging, while IP voice, ERP/CRM and the like still run on leased lines and MPLS. Leased lines and MPLS, together with IP VPN, then form a hybrid enterprise WAN; by sharing load and backing each other up, enterprises can substantially reduce WAN costs.

Compared with Frame Relay and ATM, the main advantage of MPLS is the ability to provide different applications and different service levels on a single IP network, giving carriers greater flexibility and product diversity, and thereby lowering operating costs and improving market responsiveness and competitiveness. More and more enterprises have migrated, or are preparing to migrate, their backbone networks to MPLS. At that point it is very important to properly collect the network requirements of user services and to design reasonable traffic priorities (CoS/CDR) and QoS.

CNCERT releases China Security Report 2007

April 11th, 2008

CNCERT has released its annual report on the overall security status of China for 2007. You can download this report at their website. The report is in Chinese.

In this report, some numbers and trends are highlighted.

Compared with the numbers for 2006, security incidents and botnet (zombie) hosts in China increased rapidly, or even soared:

  • website phishing – 1.4 times
  • malicious code at web pages – 2.6 times
  • defaced websites – 1.5 times
  • Trojaned hosts – 22 times

where the number of Trojaned hosts is estimated at up to one million (995,154) IPs, compared with 44,717 IPs in 2006.

[Chinese] HP admits USB drives it sold carried worms

April 8th, 2008

NetworkWorld Asia reports that HP recently admitted that USB drives it sold carried worms, posing a security threat to customers.

The HP USB Floppy Drive Key sold by HP is used with HP's ProLiant server line; it integrates a floppy drive and a USB drive and comes in 256MB and 1GB models. A security expert at SANS suspects the worm was picked up at one of HP's factories.

If a compromised drive is plugged into a USB port on any machine on the network, the worms may spread “to any mapped drives on the server,” HP’s alert said.

Up-to-date anti-virus software should detect the malware, but HP didn’t specify which of the many available programs would find and then delete the worms. Symantec Corp., for example, has signature definitions in its collection for both pieces of malicious code, which it identifies as “Fakerecy” and “SillyFDC.”

Some of the latest anti-virus software can already detect the infecting worms.

Technologies to prevent data leakage due to laptop loss and theft

April 8th, 2008

This morning I read news about the ATT (Anti-Theft Technology) from Intel. It’s expected to enable enterprises and organizations to remove sensitive/confidential data on stolen or lost laptops. It’s a technology based on Intel chips.

Data loss and protection have been among the top priorities of CIOs and CISOs. Such incidents of data loss and leakage can bring unpredictable trouble and legal risks to the company. Attrition has a good listing of such incidents.

When I talked about this tech news with my colleagues, I learned that there are already some software technologies in place that realize somewhat similar functionality. Computrace from Absolute.com is one of them. This page shows how the technology works. Lenovo has partnered with Absolute on this technology. In addition, to enhance the security protection of its laptops and desktops, Lenovo also partners with Utimaco. Safeguard security software, including Safeguard Easy, Leakproof, etc., are good security enhancements for Thinkpad users, besides the other TVT software enhancements.
