Archive

Posts Tagged ‘Security’

Title changed to “Cloud & Telecom Security”

March 8th, 2010 Richard No comments

This morning, you might have noticed that the blog title was changed to “Cloud & Telecom Security”. Yes, it’s true.

Over the past one or two years, my interests and focus have shifted to cloud computing and telecom/ICT security, while P2P has been touched on only occasionally. I believe the new title reflects the new focus better, and I hope you like it.

Renowned security publication SC Magazine announces the finalists for its 2010 security awards

December 8th, 2009 Richard No comments

Today the well-known security publication SC Magazine announced the finalists for its 2010 security awards; the final winners will be announced on March 2, 2010 in San Francisco.

Looking at this list of finalists, the big security vendors such as Cisco, Juniper and Symantec are the biggest winners, appearing everywhere. Hard work pays off: newcomers such as Cenzic, HyTrust, e-DMZ and Palo Alto have finally made their mark this time. Are you surprised that BigFix was shortlisted as a top security company? Dave Cullinane was shortlisted for Best CSO/CISO thanks to the rapid growth and success of the Cloud Security Alliance (CSA).

I hope to see Chinese companies become contenders in the international arena too!

Reader Trust Awards

Best Anti-Malware Solution

Astaro Internet Security for Astaro Security Gateway
AVG Technologies for AVG Internet Security Business Edition
Cisco for Cisco IronPort S-Series Secure Web Gateway
ESET for ESET NOD32 Antivirus 4
McAfee for McAfee Web Gateway
Symantec Corp. for Symantec Endpoint Protection Small Business Edition

Categories: -Chinese-, Cloud, Security

HP acquiring 3Com increases the oligopoly of the IT arena

November 11th, 2009 Richard 6 comments

By this acquisition, HP enters the enterprise networking market with a strong threat management product line from TippingPoint.

The vulnerability and threat research of DVLabs will greatly improve HP’s capability and image in these areas, making HP’s competition against IBM more effective. ISS’s X-Force is one of IBM’s critical advantages over HP in the overall one-stop IT arena.

Historically, after the acquisition of an independent security company, its selling model and focus shift to align more closely with the acquirer’s major businesses. In HP’s case, its security product lines, including IPS/UTM, focus on its global enterprise customers and outsourcing partners. The security department will mostly lose some momentum in finding and winning new customers; instead, it will be more interested in existing customers, bundled within other, bigger IT/service orders.

True or False: 70% of security incidents are due to insider threats?

November 10th, 2009 Richard 8 comments

Actually, the whole thread originated with a message on discuss@securitymetrics.org, “Request for ideas”, by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master’s program. On a sudden idea, I dropped him a message recommending that he work on this true-or-false problem in security metrics.

True or false: 70% of security incidents are due to insider threats?
I just read a book, “The New School of Information Security”, by Adam Shostack and Andrew Stewart, Addison-Wesley, 2008, where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. You know, many consultants, books and articles regard this statement as a basic hypothesis in security. What’s your idea about it?

To my complete surprise, I found that Adam, Andrew, Dan and many other experts jumped into this discussion thereafter. A lot of fresh ideas emerged in the discussion threads. In order to get more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.

This RSA/IDC report has some information related to this topic: Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary, it tells us two things:

Comment on “Vulnerability assessment integration with web application firewalls”

November 9th, 2009 Richard No comments

That’s an excellent post on the vision of WAF and vulnerability assessment. I agree with the points that “accuracy” should be the top priority of remote web assessment and of integration between VM and WAF.

However, this gives us another hint: we need a commonly adopted standard format to exchange the messages, similar to what the industry did with IDMEF before. It’s not an optimistic goal from a historical perspective. So in the short term, before such standards exist, integration within a single vendor or product alliance will be the pioneer of automation/integration between VM and WAF.

CNCERT/CC 2009 Conference will be held on Oct. 21 in Changsha, Hunan Province, China

October 19th, 2009 Richard 4 comments

The CNCERT/CC 2009 Conference will be held on Oct. 21 in Changsha, Hunan Province, China. This is the sixth consecutive conference since 2004. Here is the English agenda.

This annual event is gaining more and more influence, not only over the Chinese information security community, society and industry, but also among related parties in Asia Pacific and even worldwide. You can find a number of well-known regional CERT organizations and representatives from carriers, large enterprises and vendors, such as SingCERT, ThaiCERT, VNCERT, China Telecom, China Mobile, China Unicom, ICBC, CCB, etc.

Categories: -English-, Security

SC World Congress 2009 in New York, Oct. 13-14

September 30th, 2009 Richard No comments

On October 13-14, two weeks from now, the World Congress hosted by SC Magazine will be held in New York. Venue:

Categories: -Chinese-, Security

E&Y survey report shows most enterprises will not cut their security budgets

September 24th, 2009 Richard 2 comments

A few months ago, in February I believe, there was a post about the 2009 security market outlook, in which Da Pan and I discussed the prospects for 2009 and the two of us made a “cautious” forecast: “Dr. Zhao is cautiously bullish, Mr. Pan quietly awaits the spring”. Yesterday I read an Ernst & Young 2008 security market survey report, in which several figures are quite interesting; I repost them here:

Historically, the IT function is one of the first to feel the pressure to reduce expenditures, and traditionally, information security has been closely linked with IT. Our survey confirms the link between IT and information security is still very strong (71% of respondents meet monthly with IT), but the pressure to reduce costs does not appear to be carrying over to the information security function. In fact, only 5% of respondents indicate they will be reducing annual expenditures for information security and 50% plan to increase their investment in information security as a percentage of total expenditures. In addition, only 33% of respondents cite adequate budget as a challenge to delivering their information security initiatives.

US government prepares to reduce the national threat advisory system from 5 colors to 3

September 19th, 2009 Richard No comments

Wired reports that the US Homeland Security Advisory Council has submitted a draft proposal recommending that the current national threat advisory system be reduced from 5 levels to 3.

After the 9/11 terrorist attacks, the US established a five-level national threat advisory system, using the five colors green, blue, yellow, orange and red to represent five degrees of danger from low to high. The orange alert level requires US federal and state governments, as well as businesses, to add a series of corresponding security measures. The Bush administration raised the terror threat alert level four times.

The main rationale for the proposed change is that five color levels are too complicated, hinder accurate communication of threat information, and easily cause unnecessary doubt and worry among the public. The Homeland Security Advisory Council recommends simplifying the system to the following three alert levels:

  • Yellow (Guarded): maintain normal vigilance against terrorist attacks
  • Orange (Elevated): protective measures raised on the basis of specific, credible intelligence
  • Red (High Alert): maximum protective measures against an imminent terrorist attack

Categories: -Chinese-, Security

Basic Standard for Enterprise Internal Control (C-SOX)

September 19th, 2009 Richard 1 comment

Notice on Issuing the Basic Standard for Enterprise Internal Control
[Date: July 10, 2008]

In order to strengthen and standardize enterprise internal control, improve the level of enterprise operation and management and the capability to guard against risks, promote the sustainable development of enterprises, and safeguard the socialist market economic order and the public interest, and in accordance with relevant national laws and regulations, the Ministry of Finance, together with the China Securities Regulatory Commission, the National Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission, has formulated the Basic Standard for Enterprise Internal Control, which is hereby issued and shall take effect for listed companies on July 1, 2009; large and medium-sized non-listed enterprises are encouraged to implement it. Listed companies implementing this Standard shall conduct a self-assessment of the effectiveness of their internal control, disclose an annual self-assessment report, and may engage an accounting firm qualified for securities and futures business to audit the effectiveness of their internal control. Please report any problems encountered in implementation to us promptly.

Categories: -Chinese-, Security

Could a simple injectionlet destroy your whole cloud?

September 18th, 2009 Richard 1 comment

It’s reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It’s an intriguing finding from a unique viewpoint: a slight injection into the grid might lead to an overwhelming avalanche. Isn’t it frightening?

Ground Zero

However, what I am thinking is that Internet cloud services have many similarities to the power grid, i.e. these threats and potential attacks are very possibly valid against Internet clouds too. What would Internet clouds do, and how would they react, to attacks similar to those against the power grid? Yes, the dominant cloud service providers have very robust and strong infrastructure all over the world: how large the bandwidth, how many the servers, how many square feet the data centers, and so on. Further, there are automatic load balancing and distribution systems among those distributed data centers. Once one set of servers and/or circuits fails, the services would be transferred to other servers and circuits automatically. Your services WILL be there, unchanged, or NOT?

Quote of Cloud Security

July 20th, 2009 Richard 1 comment

Information is the new currency of business – a critical corporate asset whose value rises and falls at different times, and in different ways, depending on when, how, where and by whom it is placed into circulation as a medium of exchange.
Therein lie the risks. And the opportunities.

“Safeguarding the new currency of business”, Findings from the 2008 Global State of Information Security Study®, PWC

Categories: -English-, Cloud, Security

Quote of Security – 9

May 31st, 2009 Richard No comments

Many business units are being drawn into using cloud services by the attractive economics, bypassing IT departments to host their applications and data in the cloud directly. This creates several problems for the IT organizations with reduced internal and external control.

- From RSA Whitepaper “The Role of Security in Trustworthy Cloud Computing”.

Even though they were not directly for cloud services, there were cases where BUs signed contracts with third-party providers to host their applications directly, bypassing the IT department. Obviously, that’s not good practice from a governance perspective. It might be a heads-up for CIOs in the cloud era.

Categories: -English-, Security

Quote of Security – 8

May 19th, 2009 Richard No comments

If security experts do not fully understand the business, organizational roles, and people in general, they will not make the security sale. Security experts must be educators, which means they must understand human beings outside of their world, because all parties influenced and affected by security (and that’s everybody) need to understand, in a balanced fashion and in terms they understand, what security means to them.

- “Mission-Critical Security Planner”, by Eric Greenberg

Categories: -English-, Security

Online website protection

April 30th, 2009 Jack No comments

Two basic kinds of online websites are online banks and online games. Unlike what we did for traditional system security, we must take care of both the front-end servers and the customers’ applications. Yeah, customers’ desktops and applications! A lot different!

No matter what the mode is, C/S or B/C, we need to make sure that both careless users and vulnerable applications are in a good security posture. This brings far tougher challenges to the security team: unregistered game servers (SiFu in Chinese), phishing websites, cheating programs (WaiGua in Chinese), trojan variants, leaked passwords, compromised user systems, lots of servers residing in distributed IDCs, and different operating systems and applications; all of this makes security a mess.

Here is an economical approach for your reference.