Archive for the ‘-English-’ Category

Architectural Solution Integration to Contain ICT Supply Chain Threats

August 6th, 2011

[Note] This paper was submitted to the 2nd Cyber Security Summit in London on June 1-2. It explores a novel idea that touches on the critical concern surrounding ICT supply chain threats. You are welcome to download it and share your comments with the authors. Here are some comments from the web, thanks to Jart.

Abstract — Information Communication Technology, which has become more and more critical in the modern economy and society, means more than information technology and traditional telecommunications. The integrity of the ICT supply chain has a slightly different meaning from traditional security and assurance. Partly because of the difficulty of technically verifying increasingly complicated modern ICT products, there is no practical way to establish an end-to-end integrity assurance program and methodology, let alone to control test cost and timing.

This paper investigates the threats to ICT supply chain integrity, particularly covert channels. An architectural approach, named Architectural Solution Integration, is proposed to assure the integrity of ICT systems and contain the potential threats introduced through supply chains. The quantitative assessment of ICT supply chain integrity is discussed as well, followed by an analysis of future work.

Key Words — ICT Supply Chain Integrity; Assurance; Security; Covert Channel

Download the paper…

GRC Regulatory Landscape

November 24th, 2010

Global and local regulations are evolving across all industries and sectors. Here is a selection from the ever-increasing number of regulatory frameworks:

  • All sectors and industries –

Enterprise Risk Management (ERM), Electronic discovery (e-discovery), Financial Statements (IFRS,GAAP), Sarbanes Oxley (SOX), EuroSox, Customer Data Privacy and Protection (EU e-privacy), Business Continuity Management, Data Protection Act (EU, UK, Germany), IT Security, IT Controls and Compliance (ITIL, CobiT, ISO), Payment Card Industry Data Security Standard (PCI DSS). Read more…


D8: Steve Jobs Onstage: Full-length Video

June 7th, 2010

Of course, Jobs in black is cool. The Beatles are his favorite. It is a very interesting interview, and a lot of fun, particularly when Jobs talked about their “relationship” with Google…

Strategic Thinking on Symantec Acquisition

May 27th, 2010

Last week, Symantec (NASDAQ:SYMC) acquired the security businesses of VeriSign (excluding iDefense). There have been tons of news reports and comments from market observers and analysts. Given that both the negative and the positive comments are valid, the chart below offers a different perspective from which to evaluate Symantec's acquisition strategy.

It's a 5-year stock price chart of Symantec, compared against CA (NASDAQ:CA), McAfee (NYSE:MFE), and the Nasdaq.

The overall changes over 5 years are:

  • Symantec: down 35.14%
  • CA: down 30.60%
  • McAfee: up 21.87%
  • Nasdaq: up 9.67%

Read more…

Quote of Security – 11

March 25th, 2010

Why we need security metrics:

Another way of thinking about it, specifically that if you want security then you must control the future, if you want to control the future then you must be able to draw conclusions from what you know, if you want to draw conclusions then the basis for those conclusions must be reproducible, and if you want reproducible bases you have to have a measurement regime.

- Dan Geer

Quote of Security – 10

March 25th, 2010

- Good enough is good enough.
- Good enough always beats perfect.
- The really hard part is determining what is good enough.

- by Ravi Sandhu

You can download the whole paper here.

Title changed to “Cloud & Telecom Security”

March 8th, 2010

This morning, you might have noticed that the blog title was changed to “Cloud & Telecom Security”. Yes, it's true.

Over the past year or two, my interests and focus have shifted to cloud computing and telecom/ICT security, while P2P is touched on only occasionally. I believe the new title reflects the new focus better, and I hope you like it.

Cutting-Edge Network Behavior Audit Technology from BMST

December 14th, 2009

Startup In China

November 19th, 2009

Microsoft Tuesday Vulnerability Report of Nov.2009

November 12th, 2009

HP Acquiring 3Com increases the oligopoly of IT arena

November 11th, 2009

With this acquisition, HP enters the enterprise networking market with a strong threat management product line from TippingPoint.

The vulnerability and threat research of DVLabs will greatly improve HP's capability and image in these areas, so that HP can compete more effectively against IBM. ISS's X-Force is one of IBM's critical advantages over HP in the overall one-stop IT arena.

Historically, after the acquisition of an independent security company, its selling model and focus shift to align more closely with the acquirer's major businesses. In HP's case, its security product lines, including IPS/UTM, focus on its global enterprise customers and outsourcing partners. The security department will mostly lose some momentum in finding and winning new customers; instead, it will be more interested in existing customers, with security bundled into other, bigger IT/service orders. Read more…

True or False: 70% of security incidents are due to insider threats?

November 10th, 2009

Actually, the whole thread originated with a message to discuss@securitymetrics.org, “Request for ideas”, by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master's program. On a sudden idea, I sent him a message recommending that he work on this true-or-false problem in security metrics:

Is it true or false: 70% of security incidents are due to insider threats?
I just read one book, “The New School of Information Security”, by Adam Shostack, Andrew Stewart, Addison-Wesley, 2008, where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. You know, many consultants, books and articles regard this statement as a basic hypothesis of security. What's your idea about it?

To my complete surprise, I found Adam, Andrew, Dan and many other experts jumping into the discussion thereafter. A lot of fresh ideas emerged in the discussion threads. In order to get more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.

This RSA/IDC report has some information related to this topic: Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary, it tells us two things: Read more…

Comment to “Vulnerability assessment integration with web application firewalls”

November 9th, 2009

That's an excellent post on the vision of WAF and vulnerability assessment integration. I agree with the points that “accuracy” should be the top priority of remote web assessment and of the integration between VM and WAF.

However, this gives us another hint: we need a commonly adopted standard format to exchange the messages, similar to what the industry did with IDMEF before. From a historical perspective, that is not an optimistic goal. So in the short term, before such a standard exists, integration inside a single vendor or product alliance will pioneer the automation/integration of VM+WAF.
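To make the VM-to-WAF hand-off concrete, here is an added example (not code from the original post or from any vendor) of the translation step such an integration has to perform: a scanner finding arrives in a structured record and is turned into a virtual-patch rule for the WAF. The JSON finding format is an assumption for illustration (the post's point is precisely that no common format existed); the output is ModSecurity v2 SecRule syntax. The rule is a positive-security check: it matches the vulnerable URI and rejects the request unless the flagged parameter matches the format the scanner says is expected, so the patch holds until the application itself is fixed.

```python
"""Turn a vulnerability-assessment finding into a ModSecurity virtual-patch rule.

The finding schema below is an assumption made for this example; the
generated text is standard ModSecurity v2 SecRule syntax.
"""
import json
import re

# Fields a finding must carry before it can become a rule (assumed schema).
REQUIRED_FIELDS = ("id", "type", "path", "parameter")

# Whitelist used when the scanner gives no "expected" format for the parameter
# (a conservative default chosen for this example, not a scanner convention).
DEFAULT_EXPECTED = r"^[A-Za-z0-9_-]{1,64}$"

# Constructed sample finding in the hypothetical JSON exchange format.
SAMPLE_FINDING = json.dumps({
    "id": "VA-2009-0042",
    "type": "sqli",
    "method": "GET",
    "path": "/app/item.php",
    "parameter": "id",
    "expected": "^[0-9]{1,10}$",
})


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding is usable.

    Everything that ends up inside the rule text is checked here, because an
    unescaped quote or comma in a finding would otherwise corrupt the rule."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not isinstance(finding.get(field), str) or not finding[field]:
            problems.append("missing or empty field: " + field)
    for field in ("id", "type"):
        if not re.fullmatch(r"[A-Za-z0-9_.\-]+", finding.get(field, "")):
            problems.append(field + " may only contain [A-Za-z0-9_.-]")
    path = finding.get("path", "")
    if not path.startswith("/") or re.search(r"[\s\"']", path):
        problems.append("path must start with '/' and contain no whitespace or quotes")
    if not re.fullmatch(r"[A-Za-z0-9_\-\[\].]+", finding.get("parameter", "")):
        problems.append("parameter name contains characters unsafe in an ARGS selector")
    expected = finding.get("expected", DEFAULT_EXPECTED)
    if '"' in expected:
        problems.append("expected pattern must not contain double quotes")
    else:
        try:
            re.compile(expected)
        except re.error:
            problems.append("expected pattern is not a valid regex")
    return problems


def parse_finding(text):
    """Parse one JSON finding and reject it if it fails validation."""
    finding = json.loads(text)
    problems = validate_finding(finding)
    if problems:
        raise ValueError("; ".join(problems))
    return finding


def build_rule(finding, rule_id):
    """Emit a two-part chained SecRule: match the vulnerable URI, then deny the
    request unless the flagged parameter matches the expected format.

    Disruptive actions, id and phase live on the first rule of the chain, as
    ModSecurity requires; the chained rule only carries the parameter check."""
    expected = finding.get("expected", DEFAULT_EXPECTED)
    msg = "msg:'Virtual patch for " + finding["id"] + " (" + finding["type"] + ")'"
    actions = "id:" + str(rule_id) + ",phase:2,deny,status:403,log," + msg + ",chain"
    first = 'SecRule REQUEST_URI "@beginsWith ' + finding["path"] + '" "' + actions + '"'
    second = '    SecRule ARGS:' + finding["parameter"] + ' "!@rx ' + expected + '" "t:none"'
    return first + "\n" + second


if __name__ == "__main__":
    # Prints the virtual patch for the constructed sample finding.
    print(build_rule(parse_finding(SAMPLE_FINDING), 100042))
```

The generated rule is the kind of thing the post's "accuracy" concern is about: if the scanner's finding is a false positive, the WAF now blocks legitimate traffic to that parameter, so the rule id should be traceable back to the finding id (as the `msg` action does here) and the patch removed once the finding is retired.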

Gartner released Top 10 technologies at 2010

October 21st, 2009

Gartner, the leading market analysis and strategy firm, released its new TOP 10 technology list today. They are:

  • 1 Cloud computing. Cloud has been the top buzzword of the past months. Gartner raised it from No.2 in 2009 to No.1 in 2010. Without doubt, this will be quoted by tons of articles and vendor solutions in the coming seasons.
  • 2 Advanced analytics. I would rather describe it as data correlation and data mining technology. It seems similar to “business intelligence” (No.9 in 2009).
  • 3 Client computing. Client computing matters mostly because of its security impact on the whole Internet.
  • 4 Green IT. It was No.1 in 2008 and No.10 in 2009. Anyway, it's a concept containing a lot of technologies, customs, culture, etc.
  • 5 Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only the power, chillers and generators needed to support initial needs.
  • 6 Social computing. It has become deeply involved in daily life: Facebook, Twitter, LinkedIn, etc.
  • 7 Security activity monitoring. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity, often with real-time alerting or transaction intervention. Personally, I think this is similar to No.2.
  • 8 Flash memory. It's a new face in the TOP 10.
  • 9 Virtualization for availability. While virtualization has melted into cloud computing and other diverse areas, Gartner keeps “availability” as an item of its own.
  • 10 Mobile applications. No comments at this moment. There are a lot of developers and app stores to be found on the web, which reflects how hot the area is. Read more…

Twitter has performance issue now and again!

October 21st, 2009

This morning Twitter seems to be in trouble with a performance issue. Actually, this is not the first time I have seen the screen below:

Twitter performance issue again

Read more…
