In our review of cryptographic algorithms, we will start with the Message-Digest, MD5 hashing algorithm. This isn’t because MD5 is “the best” or even “the first” (it’s certainly neither of those). In fact, it’s not technically an encryption algorithm at all. It is important though, as a precursor to other encryption algorithms we will talk…
How much will you give me for this password? Over and over we say that the weakest link in the chain of information systems security is “people.” Social engineering is truly an effective way of gaining access to sensitive systems and data. This morning I was listening to the news and was shocked to hear…
For some time now, we’ve been writing about how traditional methods of identifying stranded IT assets fall far short, because utilization-based metrics do not accurately reflect the value an IT asset returns to the business. Enterprises are living with substantial drag on their IT operations budgets because of unused or underused servers and server software.
In my classes at the university, I sometimes give students a project to create a malware pet shop or malware zoo. The purpose is to make the students more aware of the “biodiversity” that really exists out there in the malware world. We also often talk about the increasing use of malware and other network-based attacks by governments against other governments or industries within a country. Then of course there is the extension of that in the form of cyber terrorism.
Over the past few weeks there has been a lot of press for the Stuxnet (Trojan) worm. What is interesting to share with you about this malware du jour is that rather than targeting personal information or productivity on a person’s PC, this critter is designed specifically to target control systems commonly used in manufacturing plants and other industrial facilities, including critical public utility infrastructure.
Stuxnet exploits a previously undisclosed vulnerability in Windows to access management software for Siemens SCADA (Supervisory Control and Data Acquisition) systems that are commonly found in manufacturing, industrial, and utility systems. These types of systems are typically not connected to the Internet, but the malware travels by USB device (e.g., a thumb drive). Once the malware discovers the Siemens application software, it copies project files to an external web site. Other actions are not yet reported, but it’s clear that with access to key control systems, serious disruption could be accomplished even beyond theft of manufacturing process information. Stuxnet has the ability to upload code to programmable logic controllers (PLCs) in SCADA systems. The PLCs determine how industrial systems operate.
In my IS Security class at the university, I was recently moderating a discussion thread where my students posted their opinions on Internet content filtering. The question was a simple one, “Some schools and libraries use Internet content filters to prohibit users from accessing undesirable Web sites. These filters are designed to protect individuals, yet some claim it is a violation of their freedom. What are your opinions about Internet content filters? Do they provide protection for users or are they a hindrance?”
The class is composed of a collection of Generation X and a few Boomers. The opinions collected were very consistent and surprising, at least to me.
Through several posts on this blog, we discussed the many aspects of confusion around the term “Cloud Computing.” After attending this year’s Cloud Expo in New York City and seeing the same three-layer stack (IaaS, PaaS, SaaS) slide in fully half of the presentations, I have to conclude that confusion still exists in the minds of the IT community trying to come to terms with the ongoing commotion over “Cloud.” In this writer’s humble opinion, very little new food for thought has emerged from the Cloud conversation over the past year.* The proliferation of genuine commercially available cloud services, and the proliferation of conferences and articles on cloud computing, seemingly have not improved the understanding of those who are confused about what is and what isn’t cloud computing. In this article, we will touch upon those old misunderstandings and some of the new ones.
A quick perusal of a typical contemporary IT project portfolio will show a strong representation of projects dependent upon, or directly related to, the data center. Changes in the growth and scale of data processing, applications, content storage, data communications, risk, compliance, and maturity of IT governance are all in some way connected to the data center facility and the operational framework supporting the IT environment.
We collected data from the field and from discussions with enterprise leaders to examine the breadth of issues involving the data center that are causing the IT executive to lose sleep. While a multitude of issues were revealed, and articulated from several perspectives, we consolidated the information into five categories and share those with you here.
As I’ve watched the momentum of the Cloud, it’s caused me to reflect upon earlier discussions about data center physical security. It’s long been my opinion that physical security will soon emerge (or re-emerge) as a top issue in data center planning, since businesses and consumers alike are increasingly reliant on the data and transaction processing being concentrated into these facilities.
In the late 1990s, I was in the UK prospecting for data center space for an initial European footprint for E*Trade. During that prospecting trip, I toured an old AT&T data center in a remote area north of London. This facility was surrounded by earthen berms at least eight feet high, as well as a very sturdy barbed wire fence. Why all this for a facility in the middle of the countryside?
When launching a new data center build project, where the data center will be located is a fundamental issue. There are many factors in deciding where the data center will be, but all of these factors can arguably be consolidated into two issues: risk and cost.
We mention risk in terms of Risk Management. Even if a data center is not specifically a disaster recovery site, many issues involving the physical location of the data center are evaluated to assess risk to availability of the equipment and data that would reside there. For example, exposure to environmental threats such as flooding, storms, earthquakes, and so on is often evaluated. Man-made environmental threats such as proximity to chemical plants, railways, gas lines, and so on are included here too. Risk management evaluations will also consider factors such as local crime rate, political stability, and threats from war or terrorism. For a security and risk management professional, this list is long, but any risk exposure is also prioritized and weighted for pragmatic consideration when evaluating site selection for a data center.
There’s a piece by Jim Finkle in Reuters this morning about the rise in cybercrime on social networking sites. The article mentions that MySpace had been plagued by this for several years, but now with the increasing popularity of Facebook, the criminals are going where the game is.
Per the article, “Facebook is the social network du jour. Attackers go where the people go. Always,” said Mary Landesman, a senior researcher at Web security company ScanSafe.
“Scammers break into accounts posing as friends of users, sending spam that directs them to websites that steal personal information and spread viruses. Hackers tend to take control of infected PCs for identity theft, spamming and other mischief.”