[Note] This paper was submitted to the 2nd Cyber Security Summit @London on June 1-2. It explores a novel idea addressing the critical concern surrounding ICT supply chain threats. You are welcome to download it and share your comments with the authors. Some comments from the web are included below, thanks to Jart.
Abstract — Information and Communication Technology, which has become more and more critical in the modern economy and society, means more than information technology and traditional telecommunications. The integrity of the ICT supply chain has a slightly different meaning from traditional security and assurance. Partly because of the difficulty of technically verifying increasingly complicated modern ICT products, it is by no means straightforward to define an end-to-end integrity assurance program and methodology, let alone to account for test cost and timing factors.
This paper investigates the threats to ICT supply chain integrity, particularly covert channels. An architectural approach, named Architectural Solution Integration, is presented to assure the integrity of an ICT system and contain the potential threats arriving through supply chains. The quantitative assessment of ICT supply chain integrity is discussed as well, followed by an analysis of future work.
Key Words — ICT Supply Chain Integrity; Assurance; Security; Covert Channel
On March 31, 2010, NSFOCUS announced that its intrusion prevention product (NSFOCUS NIPS) had passed NSS Labs' rigorous testing, earning the NSS Labs Approved certification and being rated at the highest level, "Recommended". NSFOCUS's in-house developed IPS thereby became the only product from a Chinese security vendor to be certified by this authoritative body. NSS Labs published the complete test report on its official website at the same time.
NSS Labs' testing is very strict and highly influential in the industry. This round of NIPS testing covered more than 20 products from over ten vendors; essentially all the well-known brands can be found there, e.g. IBM ISS, TippingPoint, McAfee, Juniper, Sourcefire, etc. Below are the products for which test reports can be found on NSS Labs:
The first absentee is Oracle. As everyone knows, Oracle has quietly become a heavyweight in the security circle, especially after acquiring Oblix in 2005 and Sun in 2009; it has long product lines in identity and access management (IAM), database security, auditing and so on. On the one hand, Oracle's CEO Larry Ellison frequently mocks cloud computing; on the other, at several trade shows I have seen Oracle steadily pushing its own cloud computing solutions. On the one hand, Oracle is rapidly building up its network security solution capabilities; on the other, Oracle refuses to "dance with wolves" and pay homage on RSA's turf. That is what you call having character. During the event I ran into several friends from Oracle, attending in a personal capacity.
Enough chit-chat; let's look at what fresh content this conference had to offer.
Cloud Bursting is a term coined by Amazon technology evangelist Jeff Barr. It describes how cloud computing can absorb the "overflow" requests caused by seasonal "burst" traffic at online retail sites, that is, short-lived and highly time-sensitive traffic spikes. For IT to buy its own hardware to scale out for such spikes has a poor ROI, because the period of effective use is very short. This is the commercial "show time" for cloud computing: cloud services are by nature "rented", and the pay-as-you-go model lets them handle seasonal or event-driven bursts far more efficiently.
One of the most frequently discussed terms in network security is the perimeter. The perimeter was the earliest focus of network security and nurtured security companies and famous brands such as Check Point, PIX, NetScreen, ISS and others. Many security threats, attack and defense techniques, and solutions revolve around the perimeter. We say that the emergence of P2P/IM/SNS has eroded the traditional enterprise network perimeter, and users roaming to the ends of the earth make the perimeter increasingly "virtual"; nevertheless, the perimeter remains our first line of defense, and many security configurations have become standard, including firewall/IPS/IDS/UTM, anti-DoS, VPN, WAF and so on.
It is worth noting that "deperimeterization" does not mean abandoning perimeter protection. Rather, on top of traditional "perimeter" protection, it emphasizes the "virtual perimeter" and security inside cloud services. In fact, defending against denial of service, promptly discovering and fixing web vulnerabilities, and WAFs capable of fine-grained authentication and authorization for web services are all critical in cloud security.
Actually, the whole thread originated with a message, "Request for ideas", posted to email@example.com by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master's program. On a sudden idea, I dropped him a message recommending that he work on this true-or-false problem in security metrics.
True or false: 70% of security incidents are due to insider threats?
I had just read a book, "The New School of Information Security" by Adam Shostack and Andrew Stewart, Addison-Wesley, 2008, in which I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. As you know, many consultants, books and articles treat this statement as a basic hypothesis in security. What is your view on it?
To my complete surprise, Adam, Andrew, Dan and many other experts jumped into the discussion thereafter. A lot of fresh ideas emerged in the discussion threads. To draw more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.
This RSA/IDC report has some information related to this topic: Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary, it tells us two things:
Gartner, the leading market analysis and strategy firm, released its newly brewed top 10 technology list today. They are:
- 1 Cloud computing. Cloud has been the top buzz-term in the past months. Gartner raised it from No. 2 in 2009 to No. 1 in 2010. Without doubt, this statement will be quoted by tons of articles and vendor solutions in the coming seasons.
- 2 Advanced analytics. I would rather describe it as data correlation and data mining technology. This seems similar to "business intelligence" (No. 9 in 2009).
- 3 Client computing. Client computing is, above all, critical for the security impact on the whole Internet.
- 4 Green IT. It was No. 1 in 2008 and No. 10 in 2009. In any case, it is a concept that encompasses many technologies, customs, culture, etc.
- 5 Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only the power, chillers and generators needed to support initial needs.
- 6 Social computing. It has become deeply involved in daily life: Facebook, Twitter, LinkedIn, etc.
- 7 Security activity monitoring. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity, often with real-time alerting or transaction intervention. Personally, I think this is similar to No. 2.
- 8 Flash memory. It is a new face in the top 10.
- 9 Virtualization for availability. While virtualization has been merged into cloud computing and other diverse areas, Gartner singles out "availability".
- 10 Mobile applications. No comments at this moment. There are a lot of developers and app stores to be found on the web, which reflects how hot the area is.
On Oct. 18, 2009 (Beijing time), China's CCTV news reported the release of China's national vulnerability database.
Along with the rapid growth of Internet applications, the number of vulnerabilities is also growing sharply. So keeping vulnerability information up to date and automated is becoming more and more critical for information systems as a whole. A vulnerability database is used to research, collect, release and automate the lifecycle of vulnerability management, and it is regarded as the core of the related activities. Although there is already a series of open source vulnerability databases (e.g. OSVDB, etc.) and commercially maintained vulnerability databases (e.g. CERT CVE, Bugtraq, NSFocus VDB, etc.), it is still regarded as essential to set up one authoritative database for the industry, particularly for government and research organizations.
1. Websites exist to provide services to users
Right now, Apple is the only company that can be mentioned in the same breath as Google, I mean in terms of being cool, in terms of corporate image. Even in Jeff's WWGD book, he specifically points out that the future-enterprise principles he distilled from Google's example do not apply to Apple. Why can Apple be the exception? Merely because of Jobs? It can sue its own users, its own fans, and still have fanatical followers all over the world, still occupy the media front pages. What are the rest of us to do?
New details of Apple's tablet revealed: it runs iPhone OS
Sharing two AIIM white papers with everyone: one on Enterprise 2.0, and one on ECM (Electronic Content Management).
At the conference today I saw ECM solutions from OpenText, KnowledgeLake, Oracle, HP, IBM and other companies. According to KnowledgeLake, their integration solution with Microsoft SharePoint is much cheaper than FileNet and very quick to implement. Is anyone here using Oracle's ECM? Oracle brought out the Gartner quadrant chart to prove it is the number-one leader, which surprised me a little.
Historically, the IT function is one of the first to feel the pressure to reduce expenditures, and traditionally, information security has been closely linked with IT. Our survey confirms the link between IT and information security is still very strong (71% of respondents meet monthly with IT), but the pressure to reduce costs does not appear to be carrying over to the information security function. In fact, only 5% of respondents indicate they will be reducing annual expenditures for information security, and 50% plan to increase their investment in information security as a percentage of total expenditures. In addition, only 33% of respondents cite adequate budget as a challenge to delivering their information security initiatives.
It is reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It is an inspiring finding from a unique viewpoint: a slight bite, injected into the grid, might lead to an overwhelming avalanche. Isn't it frightening?
What I am thinking, however, is that Internet cloud services have many similarities to power grids, i.e. these threats and potential attacks are very possibly valid against Internet clouds too. What and how would Internet clouds respond to potential attacks similar to those against the power grid? Yes, the dominant cloud service providers have very robust and strong infrastructure all over the world: huge bandwidth, many servers, many square feet of data centers, and so on. Further, there are automatic load balancing and distribution systems among those distributed data centers. Once one set of servers and/or circuits goes down, the services would be transferred to other servers and circuits automatically. Your services WILL be there, unchanged, or will they NOT?