[Note] This paper was submitted to the 2nd Cyber Security Summit in London on June 1-2. It explores a novel idea that touches on the critical concern surrounding ICT supply chain threats. You are welcome to download it and share your comments with the authors. Here are some comments from the web, thanks to Jart.
Abstract — Information and Communication Technology (ICT), which has become more and more critical to the modern economy and society, means more than information technology and traditional telecommunications. The integrity of the ICT supply chain has a slightly different meaning than traditional security and assurance. Partly because of the difficulty of technically verifying increasingly complicated modern ICT products, it is far from straightforward to define an end-to-end integrity assurance program and methodology, let alone to account for test cost and timing factors.
This paper investigates the threats to ICT supply chain integrity, particularly covert channels. An architectural approach, named Architectural Solution Integration, is proposed to assure the integrity of an ICT system and to contain the potential threats introduced through supply chains. The quantitative assessment of ICT supply chain integrity is discussed as well, followed by an analysis of future work.
Key Words — ICT Supply Chain Integrity; Assurance; Security; Covert Channel
Global and local regulations are evolving across all industries and sectors. Here is a selection of the ever-increasing number of regulatory frameworks:
All sectors and industries –
Enterprise Risk Management (ERM), Electronic discovery (e-discovery), Financial Statements (IFRS, GAAP), Sarbanes-Oxley (SOX), EuroSox, Customer Data Privacy and Protection (EU e-privacy), Business Continuity Management, Data Protection Act (EU, UK, Germany), IT Security, IT Controls and Compliance (ITIL, CobiT, ISO), Payment Card Industry Data Security Standard (PCI DSS).
Of course, in black Jobs is cool. The Beatles are his favorite. It is a very interesting interview, a lot of fun, particularly when Jobs talked about their “relationship” with Google…
Last week, Symantec (NASDAQ:SYMC) acquired the security businesses of VeriSign (excluding iDefense). There have been tons of news reports and comments by market observers and analysts. In general, given that both the negative and the positive comments are valid, the chart below gives a different perspective from which to evaluate Symantec's acquisition strategy.
It is a 5-year stock price chart of Symantec, compared against those of CA (NASDAQ:CA), McAfee (NYSE:MFE), and the Nasdaq.
Another way of thinking about it: if you want security, then you must control the future; if you want to control the future, then you must be able to draw conclusions from what you know; if you want to draw conclusions, then the basis for those conclusions must be reproducible; and if you want reproducible bases, you have to have a measurement regime.
This morning, you might have noticed that the blog title was changed to “Cloud & Telecom Security”. Yes, it’s true.
Over the past one or two years, my interests and focus have shifted toward cloud computing and telecom or ICT security, while P2P has been touched on only occasionally. I believe the new title reflects the new focus better, and I hope you like it.
With this acquisition, HP enters the enterprise networking market with a strong threat management product line from TippingPoint.
The vulnerability and threat research of DVLabs will greatly improve HP's capability and image in these areas, so that HP's competition against IBM will become more effective. The X-Force team of ISS is one of IBM's critical advantages over HP in the overall one-stop IT arena.
Historically, after an independent security company is acquired, its selling model and focus shift to align more closely with the acquirer's major businesses. In HP's case, its security product lines, including IPS/UTM, focus on global enterprise customers and outsourcing partners. The security department will mostly lose some momentum in finding and winning new customers; instead, it will be more interested in existing customers, with security bundled into other, bigger IT/service orders.
Actually, the whole thread originated with a message, “Request for ideas”, posted to discuss@securitymetrics.org by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master's program. On a sudden idea, I dropped him a message recommending that he work on this true-or-false problem in security metrics.
Is it true or false: 70% of security incidents are due to insider threats?
I just read the book “The New School of Information Security” by Adam Shostack and Andrew Stewart (Addison-Wesley, 2008), where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. You know, many consultants, books and articles treat this statement as a basic hypothesis in security. What is your view on it?
To my complete surprise, Adam, Andrew, Dan and many other experts jumped into this discussion thereafter. A lot of fresh ideas emerged in the discussion threads. In order to bring more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.
That's an excellent post on the vision for WAF and vulnerability assessment. I agree with the points that “accuracy” should be the top priority of remote web assessment, and that VM and WAF should be integrated.
However, this gives us another hint: we need a commonly adopted standard format for exchanging the messages, similar to what the industry did with IDMEF before. From a historical perspective, that is not an optimistic goal. So in the short term, before such a standard exists, integration within a single vendor or product alliance will pioneer the automation and integration of VM+WAF.
Gartner, the leading market analysis and strategy firm, released its newly brewed TOP 10 technology list today. They are:
1 Cloud computing. Cloud has been the top buzzword in the past months. Gartner raised it from No.2 in 2009 to No.1 in 2010. No doubt this statement will be quoted by tons of articles and vendor solutions in the coming seasons.
2 Advanced analytics. I would rather describe it as data correlation and data mining technology. This seems similar to “business intelligence” (No.9 in 2009).
3 Client computing. Client computing is critical mostly because of its security impact on the whole Internet.
4 Green IT. It was No.1 in 2008 and No.10 in 2009. Anyway, it is a concept encompassing a lot of technologies, customs, culture, etc.
5 Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only power, chillers and generators to support initial needs.
6 Social computing. It has become deeply involved in daily life: Facebook, Twitter, LinkedIn, etc.
7 Security activity monitoring. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity, often with real-time alerting or transaction intervention. Personally, I think this is similar to No.2.
8 Flash memory. It is a new face in the TOP 10.
9 Virtualization for availability. While virtualization has been merged into cloud computing and other diverse areas, Gartner keeps “availability” separate.
10 Mobile applications. No comments at this moment. There are a lot of developers and app stores you can find on the web, which reflects how hot the area is.