Cloud & Telecom Security

[Note] This paper was submitted to the 2nd Cyber Security Summit @London at June 1-2. A novel idea was explored to touch the critical concern surrounding ICT supply chain threats. You are welcome to download it and share your comments with the authors. Here are some comments at the web, thanks to Jart.

Abstract — Information Communication Technology, which has been more and more critical in the modern economy and society , means more than information technology and traditional telecommunications. The integrity of ICT supply chain has slightly different meaning than the traditional security and assurance. Partly for the sake of difficulties to technically testify the increasingly complicated modern ICT products, it’s by no means to figure out an end to end integrity assurance program and methodology, letting alone test cost and timing factors.

This paper investigates the threats of ICT supply chain integrity, particularly covert channel. An architectural approach, named as Architectural Solution Integration, is given out to assure the integrity of ICT system and contain the potential threats through supply chains.  The quantitative assessment of ICT supply chain integrity is discussed as well, followed by the future work analysis.

Key Words — ICT Supply Chain Integrity；Assurance；Security；Covert Channel

Download the paper…

2010年3月31日，绿盟科技宣布其入侵防御产品（NSFOCUS NIPS）顺利通过NSS Labs的严格测试，荣获NSS Labs Approved认证，并且被NSS Labs认定为最高级别——“Recommended”，由此，绿盟科技自主研发的IPS产品成为中国安全厂商中惟一获得该权威机构认证的产品。NSS Labs也在其官方网站同期发布了完整的测试报告。

NSS Labs的测试非常严格，在业界有很高的影响力。此次NIPS的产品测试包括了十多个厂商的20多款产品，基本上大家熟知的品牌都可以找到，例如IBM ISS, Tippingpoint, McAfee, Juniper, Sourcefire, etc.。下面是在NSS Labs上可以找到测试报告的产品： Read more…

引子：

观放白鹰二首（李白）
八月边风高，胡鹰白锦毛；
孤飞一片雪，千里见秋毫。

RSA大会一向是网络安全圈子里的大场面，传统上各路老大都会赶来捧场，也作为自己后面一年市场理念、产品技术的首发之地。好，对于到场的老大们就不一一赘述了，我们看看哪些大厂没有来。

缺席的第一家是Oracle。大家知道，Oracle其实已经悄悄成为安全圈子里的实力派，尤其是在2005年购并Oblix、2009年购并Sun以后，其在身份和访问控制IAM领域、数据库安全领域、审计等都有很长的产品线。一方面，Oracle的CEO Larry Ellison经常对云计算冷嘲热讽，一方面在几次展会都看到Oracle在不断推进Oracle的云计算解决方案。一方面，Oracle在迅速发展其网络安全解决方案能力，另一方面Oracle又不“与狼共舞”，来拜RSA的山头。这就叫有个性。期间碰到了几位从Oracle过来的朋友，个人身份参与。

缺席的另外一家是Juniper。Juniper在购并Netscreen后，安全产品行销全球，在FW/IPS/VPN等领域实力强劲，是相关产品评论不能不提的厂商，“地球人没有不知道的”。不知为什么，Juniper对家边上的RSA不对眼。Juniper有Speaker出场，可是不参展。Juniper不到场，肯定不是“差钱”。

华为的缺席也情理之中，又在意料之外。华为-赛门铁克（华赛）在国内也一直以国际行销出名，很多同行以其为国际化的模范。华为不愿与这些充满小资情调、脸上写着盲目自信的展览会同流合污，甚至也不屑参加什么Gartner、什么SC Mag的产品评比。”酒香不怕巷子深“吗！呵呵。

闲话讲完，还是来看看这次大会有什么新鲜内容吧。 Read more…

Cloud Bursting是Amazon技术专家Jeff Barr创造的名词，讲的是如何使用云计算来解决在线零售网站季节性“突发”流量带来的“溢出”请求。也就是短时间的、时效性很强的那种突发流量，IT自己采购硬件扩容，ROI不是很合算，因为有效的使用时间很短。这时候就是云计算大显身手的商业时刻show time。因为云计算服务天生就是“租”的，随用随租的模式使得云服务更有效率地解决季节性、或事件性突发业务。 Read more…

网络安全最常谈及的一个词 – 边界。这个边界是最早的网络安全焦点，养育了Checkpoint,PIX,Netscreen,ISS,等等安全公司和著名品牌。很多安全威胁、攻防、解决方案都围绕边界发生。我们讲P2P/IM/SNS等的出现侵蚀了传统的企业网络边界，天涯海角四处漫游的用户使得边界越来越“虚”，但是，边界依然是我们的第一防御重点，很多安全配置都成为标准配置，包括防火墙/IPS/IDS/UTM, Anti-DoS, VPN, WAF,等等。

云计算环境中，上述的传统边界依然存在，但是作为云服务用户，却需要更多考虑不依赖边界防护的解决方案，更为纵深防御的解决方案，因为云服务从性质上说是多租户的。你无法保证你的“室友”对你是无害的。从此意义上说，云计算环境下的安全架构设计需要更多考虑“边界”或“虚拟边界”的“室内卫生”。这是个巨大的商机，为此，Oracle,IBM,HP,CA,等近期都提高了基于数据库、大型应用自身的、IAM等的安全方案。两周前（1月19日）参加了Oracle在泽西城办的一个技术论坛。Oracle重点推介了围绕着数据库的身份、认证、授权、SOD职责分离、超级用户权限管理、审计等等一长线产品和解决方案。CA的安全广告也到处可见。

值得注意的是，这个“Deperimeterization”并不是不要边界防护，而是在传统“边界”防护的基础上，强调了“虚拟边界”和云服务内部安全。事实上，对抗拒绝服务、及时发现并修复Web漏洞、面向Web服务的细粒度有能力身份认证授权的WAF等在云安全中至关重要。 Read more…

Actually, the whole thread was originated with a message at discuss@securitymetrics.org “Request for ideas” by Dimitrios Stergiou. Dimitrios likes to have some recommendations for his master program. By a sudden idea, I dropped him a message to recommend him to work on this true or false problem at security metrics.

It’s true or false: 70% of security incidents are due to insider threats?
I just read one book, “The New School of Information Security”, by Adam Shostack, Andrew Stewart, Addison-Wesley, 2008, where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. You know, many consultants and books, articles regard this statement as one basic hypothesis at security. What’s your idea about it?

Completely a surprise, I found Adam, Andew, Dan and many experts jumped in to this discussion thereafter. A lot of fresh ideas emerged at discussion threads. In order to get more experts into this topic, I submitted a discussion at SecurityMetrics group, LinkedIn.

This RSA/IDC report has some information related to this topic – Insider Risk Management: A Framework Approach to Internal Security(Thanks to Hammud).  It is a good reference. In summary it told us two things that: Read more…

Gartner, the leading marketing analysis and strategy firm, released its newly-brew TOP 10 technology list today. They are:

• 1 Cloud computing. Cloud has been the top buzz-term in the past months. Gartner raised it from No.2 at 2009 to TOP1 at 2010.  With no doubt, this statement will be quoted by tons of articles and vendor solutions in the following seasons.
• 2 Advanced analytic.  I would rather explain it as data correlation and data mining tech. This seems to be similar to “business intelligence” (No.9 at 2009).
• 3 Client computing. Mostly client computing is critical for the security impact to the whole Internet.
• 4 Greet IT. It was No.1 at 2008, and No.10 at 2009. Anyway, it’s a concept, containing a lot of technologies, customs, culture, etc.
• 5 Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only power, chillers and generators to support initial needs.
• 6 Social computing. It has been deeply involved into daily life. Facebook, Twitter, LinkedIn, etc.
• 7 Security activity mornitoring.  A variety of complimentary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity – often with real-time alerting or transaction intervention. Personally,  I think this is similar to the No.2.
• 8 Flash memory. It’s a new face to TOP 10.
• 9 Virtualization for availability. While virtualization has been melted into cloud computing and other diverse areas, Gartner leaves “availability”.
• 10 Mobile applications. No comments at this moment. There have been a lot of developers and app stores you can find at the web. It reflects the hotness. Read more…

Oct.18 2009(Beijing time), China CCTV news reported the release of national vulnerability database of China.

Along with the upsoaring of the Internet applications, the vulnerability number is also in a sharp growth. So the update and automation of vulnerability information is becoming more and more critical for the whole information ssytems. Vulnerability Database is used to research, collect, release, automate the lifecycle of vulnerability management, which is regarded the core of the related activities. Although there have been a series of open source vulnerability database(e.g. OSVDB, etc.), commercial maintained vulnerailibity database(e.g. CERT CVE, Bugtraq, NSFocus VDB, etc.), it’s still regarded very essential to setup one authoritive database for the industry, particularly for government and research organizations. Read more…

本想取个大题目，中/美互联网的比较，可自已不是这方面的专家，想想还是这个题目合适一些，做为我这段时间浏览过的一些网页的整理，再加上我对国内网页的了解，做一个比较，整理几点不同，更专业的评价就留给大家吧。

一、    对网页的定位认识不同
1.网站是为了给用户提供服务的 Read more…

现在, 苹果是唯一一个能够和Google相提并论的公司, 我是说在比酷Cool, 在企业形象方面. 即使在Jeff 的WWGD书中, 也特意提出自己总结的以Google为榜样的未来企业原则对苹果不适用. 为什么苹果可以例外? 仅仅是因为Jobs嘛? 它可以起诉自己的用户, 自己的Fans, 它依然拥有狂热的遍布天下的拥趸, 依然占据着媒体的头版. 我们又该如何?

苹果平板电脑新细节曝光 采用iPhone OS系统 Read more…

和大家共享两份AIIM的白皮书, 一份讲的是Enterpise 2.0, 一份讲的是ECM – Electronic Content Management.

今天在会议上看到了OpenText, KnowledgeLake, Oracle, HP, IBM等公司的ECM方案.  按照KnowledgeLake讲他们与Microsoft Sharepoint的集成方案比Filenet便宜甚多, 实施很快. 大家谁家在用Oracle的ECM吗? Oracle拿出Garnter的象限图证明自己是排名第一的leader, 还是让我小小的吃了一惊. Read more…

数月前，应该是二月份，有个帖子讲2009年的安全市场预期，中间和大潘讨论到了2009年的前景，我们俩“谨慎地”预测了一下：“赵博谨慎看多，潘总静候春天”。昨天读到安永公司的一份2008年安全市场调查报告，其中有几个数字很有趣，我把它们转帖过来：

Historically, the IT function is one of the frst to feel the pressure to reduce expenditures, and traditionally,information security has been closely linked with IT. Our survey confrms the link between IT and information security is still very strong (71% of respondents meet monthly with IT), but the pressure to reduce costs does not appear to be carrying over to the information security function. In fact, only 5% of respondents indicate they will be reducing annual expenditures for information security and 50% plan to increase their investment in information security as a percentage of total expenditures.In addition, only 33% of respondents cite adequate budget as a challenge to delivering their information security initiatives. Read more…

读到一个不错、很有思想的帖子，来自于Steven Fox，推荐给大家。

Read more…

It’s reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It’s an inspiring finding from unique viewpoint. A slight bite by injection into the grid might lead to an overwhelming avalanche. Isn’t it horrible?

However, what I am thinking is that Internet cloud services have many similarity to those of power grid, ie. these threats and potential attacks are very possibly valid to Internet clouds.  What and how Internet clouds respond/react to these potential similar attacks to those against power grid? Yes, those dominant cloud service providers have very robust and strong infrastructure all over the world, how large the bandwidth, how many the servers, how many square feet the data centers, blah blah. Further, there are automatic load balancing and distribution system among those distributed data centers.  Once one set of servers and/or circuits, the services would be transfered to other servers and circuits automatically. Your services WILL be there, keeping the same, or NOT? Read more…