Read up on the latest ideas and technologies from companies that sell hardware, software and services. Extending Business Solutions across the Organisation
SOA Governance: Rule your SOA
Application Modernization: Preserving Your Organization’s DNA
The IP Storage payoff: Turning your investment into efficient, affordable results
The Secrets of C-Suite Success
How to Protect Business from Malware at the Endpoint and the Perimeter
Growth Strategies in Uncertain Times: Building and Maintaining Lasting Client Relationships in Professional Services Organisations
The State of Internet Security
Newsletter Subscription
Many Information Security practices have outcomes that are difficult to quantify. How do you prove that your measure is effective at preventing whatever malicious activity is out there from being effective against your system?
Antivirus and antimalware tools can easily point to the number of attempts blocked as measures of their success, but they aren't so good at identifying the attacks that are quite effective at completely bypassing their protection. System and network hardening, an essential component of any Information Security plan, is one of the toughest mechanisms to accurately quantify without actually measuring what is trying to enter the network, but it is one of the most effective tools in the Information Security specialist's toolbox.
If you don't log, if you don't measure what is going on, then it makes the job of quantification so much harder. The problem of correctly identifying what is in those logs is difficult enough that a mini-specialisation has established itself around interpreting log files. Getting the balance right can be difficult, for example over-sensitive Snort (an Intrustion Detection System) rules can give the impression that far more is taking place than actually is. Likewise, an under-sensitive ruleset will ignore malicious activity or completely miss it if a rule has not been created.
How do you quantify the effectiveness of a mechanism when the threat is something that has not been seen before and it strikes at 2 am or at another time when there is no one directly observing the system?
Statistics delivered by Jay Beale, of Bastille-Unix, in his DefCon 14 presentation demonstrated that Bastille was able to defeat every major threat to Red Hat 6, even before the threats were known. Statistics like this are best gathered after the fact, but they do point to how effective a thorough hardening process can be for systems and networks when faced with an unknown threat.
One of the big problems that people find when they go to apply a hardening process is that they encounter usability problems as a system or network is progressively locked down. The resultant compromise between usability and security is one that is situation-dependent and should be at the core of risk and threat management assessments (if they are carried out). The introduction of a Secure Development Lifecycle and greater awareness of security as a core part of the development process is resulting in more applications that are inherently more secure and are able to be locked down without loss of significant capability, something which is going to be of more importance in the future as more devices gain networking abilities and more sensitive data is moved onto networked devices.
While the situation is improving, there is still a significant corpus of applications that do not behave properly when locked down against unwanted access and it is these that cause the greatest problems for system hardeners.
There are a range of products and system that are available, both commercially and Open Source, which can aid in the process of hardening, including Bastille and SELinux. It doesn't just stop at the Operating System, with the NSA providing a range of useful [[xref:http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1 |guides]] for hardening everything from a web browser, through to network hardware. If you or your organisation don't have a plan implemented to mitigate the risk to your systems and hardware that is represented by non-hardened systems, then it would be a good time to consider one.
2008 CIO Summit
19th August, 2008 Four Seasons Hotel, Sydney Developed in partnership with CIO Magazine, IDC, INTEP and the CIO Executive Council.
The world of the CIO is extremely complex and diverse. Multiple priorities demand attention and decisions are needed instantly. Individual teams need to be driven towards common goals, and businesses strive to become more mobile, agile and responsive. For CIOs, the challenge never ends.
Every year the CIO Summit identifies what is top of mind for CIOs across Australia and New Zealand, and offers insight for CIO benchmarking and vendor strategic planning alike.
Recent IDC research shows that over 59% of CIO's believe that 'to achieve their business strategies, technology should be used more aggressively than today.'
Join us on August 19th to discover how this is possible with the latest technologies including Virtualisation, Web 2.0, IP Surveillance and Software as a Service (Saas).
Click here for more information.
Please email Denyse_Robertson@idg.com.au for further information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
'I have a lost laptop horror story for you' 30 June, 2008 10:08:14
The devil of identity theft is in the details that follow...The devil of identity theft is in the details that follow: Russ Jones tells a tale of woe that isn't particularly dramatic -- or rare -- and yet it's exactly the kind of story that worries me enough to ignore my better judgment and buy identity-theft protection from my insurance provider. - +
SQL attacks lobs onto pro tennis site 02 July, 2008 11:52:19
Wimbledon perfect time for crook's criminal racket.Visitors to the Association of Tennis Professionals Web site have potentially been infected with spyware after apparent lax security allowed a malicious script to be injected across its pages. - +
Hacking tools: A new version of BackTrack helps ethical hackers 30 June, 2008 10:57:21
BackTrack is the quickest way to get access to hundreds of (legal) hacking toolsVersion 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools. - +
Japanese military loses data again 02 July, 2008 08:17:21
Japan's Self Defense Force lost sensitive data on joint US-Japan military exerciseJapan's Self Defense Force lost sensitive data pertaining to a joint US-Japan military exercise last year, the Ministry of Defense said Tuesday. - +
ACLU, EFF sue US gov't over mobile phone tracking 03 July, 2008 08:37:23
Two civil liberties groups sue the US Department of Justice over mobile phone trackingThe American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are asking a federal court to order the US Department of Justice to turn over records about the agency's tracking of mobile phone users.
Ballarat Grammar Improves Student Access to Computer Based Learning with HP ProCurve 04 July, 2008 16:49:00
Media release: 40 Per Cent of Australian Businesses Do Not Validate Their Data 04 July, 2008 10:29:00
Kaseya helps turbo charge BlueFire’s service delivery model 03 July, 2008 17:23:00
Computershare Selects Symantec for Data Loss Prevention Globally 03 July, 2008 14:52:00
DST International moves to new Shanghai office 03 July, 2008 13:21:00
|
||
|
||
|
|
||
|
Application Modernization: Preserving Your Organization’s DNA
Modernization has once again attained buzz-word status. But like any other term with billions of dollars swimming around it, modernization has taken on some unexpected connotations. Read on to discover how to embrace modernization in your organization successfully.
Subscribe to CIO
