Archive for July 2009

P2P Filesharing Legislation

P2P legislation talk is rearing its head again.

House Oversight and Government Reform Chairman Edolphus Towns today is expected to blame the Bush administration for having a laissez-faire attitude that has allowed privacy and security problems posed by peer-to-peer networks to persist online. At a hearing on the topic, he is likely to call for legislation to guard against inadvertent file-sharing, heightened FCC involvement and the creation of a public awareness campaign to inform people about the dangers of P2P software.

Making a law outlawing P2P software is not the answer; policy enforcement is. It is not the P2P service providers' fault that enterprise users elect to load and use P2P software for access to images, programs, and entertainment.

P2P software is something found on just about every home computer where there is a user under 30 years of age. They see the direct benefits of “free” music, TV shows and movies. Most have never experienced the negatives: no police knocking at their door or security incidents rendering their computers into boat anchors. Most have no idea what the risks are.

Using P2P software and public services on business or organizational networks raises a whole series of issues. Copyright infringement, unlicensed software and security issues galore, from Trojans and bots to offensive materials, can make their way throughout the network, not to mention the bandwidth usage and productivity issues.

If P2P software is found within the enterprise, then there is either poor education, weak policies, poor enforcement or a combination of all three. A law will still require education and enforcement. Solid policy and associated enforcement is better medicine than Congressional action.

Darknets and the Enterprise

Limited to tech-savvy insiders and those passionate about security, darknets allow users to share files and communicate anonymously. Most users need to install special clients, e.g., Freenet or WASTE. A pair of researchers from HP are planning to unveil a browser-based version, which they dub Veiled, next week at Black Hat.

Great for the individual that elects to participate, not so great for the enterprise. Why? Because shared files are encrypted, fragmented and redundantly stored across the darknet. With a browser-based version, content can be published anonymously into the darknet with hyperlinks to other documents stored within the network.

For most enterprise users, there is no reasonable need for a darknet capability. A darknet application is a method to avoid the prying eyes of the “corporate police.”

The organizational security policy should contain a statement that “outlaws all darknets unless specifically authorized.” As an agent of a business or organization, a user would be required to abide by the policy set forth by the organization.

Cloud Computing: Nothing More Than Marketing Fodder

We have heard it for the past year or so: cloud computing is the future. However, cloud computing has been around for years and is nothing new. What is new is the marketing spin that is placed upon it.

Back in the late 80s when I first got into the computer networking business, we drew the WAN as a cloud. It was nothing more than a representation of the network that belonged to someone else. If I needed to describe a connection between two remote facilities and it was not a dedicated connection, I’d draw a line from each facility representation (i.e., a router) to a central cloud. The physical path was not important; it was the virtual path that mattered.

Most of us that use free, Web-based email (e.g., Gmail, Hotmail, Yahoo! Mail) are using cloud computing. Social networking sites (e.g., Facebook, hi5, Photobucket, Flickr, and Twitter) are cloud-based applications. Web-based CRM packages (e.g., Salesforce.com) are cloud computing applications.

All we really know as the average Joe and Jane is that we have a computer interface into the cloud, i.e., a browser. We don’t know or care where the actual routers, firewalls and servers are. Most people have never heard of those words and could not describe them. We just know how to access these applications. We have an implicit trust. For most applications, that is fine. But for highly confidential and proprietary information, knowing where those devices are and who has physical access to them should be a concern.

The concern with cloud computing is the multi-tenant nature of the hosting design. It helps to have a dedicated device within the cloud, like a dedicated web server at the hosting provider. But it does not eliminate the physical security issues associated with the facility. Sure, only authorized people are allowed access to the data center, but it is real easy for any authorized person to fiddle and wander into areas that they should not be in.

Cloud computing is nothing new; it is just a new spin on a long-standing concept. And cloud security principles are nothing more than normal security principles. If it works in an enterprise deployment, it most likely will work in a cloud deployment.

Social Networking Security

I admit it, I am a social media junkie. I have three classes of accounts for three different purposes: two business related (including myCSO Solutions) and one personal. Like most things in life, there can be too much of a good thing. And social media can be one of them.

A recent article in “CSO” magazine, Seven Deadly Sins of Social Networking Security, provides good advice for businesses using social media:

  1. Over-sharing company activities
  2. Mixing personal with professional
  3. Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage
  4. Believing he/she who dies with the most connections wins
  5. Password sloth
  6. Trigger finger (clicking everything, especially on Facebook)
  7. Endangering yourself and others

One of the purposes of using social media for businesses is to help establish the company’s credibility in the particular target market it chooses to compete. If you are a company that builds satellite receivers, then your commentary should be on telecommunications, namely satellite communications. If you are a restaurant chain, you should comment on the food industry and your segment therein.

If I am going to follow you on Twitter or be your fan on Facebook, I better get something for it. Not a lot but enough to keep me interested. Maybe I need to know if you are running a special for the month, have a new product or are attending or sponsoring an industry event.

I don’t need to know where you went to lunch or that Suzie was promoted from assistant office manager to office manager.

Because of the popularity of social media sites, there are some dark sides to them. They are in the minute minority, but prudence is warranted. This is especially the case with Twitter. There are millions of Twitter accounts that are set up for garbage purposes and are not worth the silicon they consume. The key is to be careful who you follow, making sure the content is appropriate for what you are trying to do.

I would recommend that a business be more involved in content creation and promotion on its chosen social media accounts than being an actual consumer of them.

A reasonable approach to social media, coupled with a solid search engine optimization plan for your web site, will help drive viewers to your company’s web site. The end goal for social media should be to increase revenues for the company. Social media should be considered a marketing tool. If done with taste and proper messaging, those following your social media sites will get what they expect and not a bunch of spam, inappropriate ramblings or security exploitations.