You are currently browsing the Hayes On Security weblog archives for September, 2009.
25 September 2009 by Jeff Hayes.
Politically conservative, I question the value of many government agencies and jobs. By their nature, every single government job consumes taxpayer funds. Not one of them produces a single dollar.
Certainly there are many jobs and roles that are required from government. It is the opinions along this line that significantly define our political differences. Some feel government is the answer to many of our problems, others do not. I am in the latter camp.
Nevertheless, I have many acquaintances who earn their living by working security for the federal, state, county and local governments. I do not have any ill feelings towards any of them. Some of these jobs are very interesting. But are they absolutely required?
I attended our local InfraGard meeting this week. A good group and a good meeting. We heard a presentation from Access Data on computer forensics, some excellent insights from a civilian security specialist from Hill AFB, and a presentation from a gentleman from DHS. This latter presentation got me thinking about the scope of the DHS. Has it quickly expanded beyond what is reasonable?
There is a role that one of the groups performs: an infrastructure survey. One or more federal employees will come to your site — any site — and do a 4-7 hour assessment of your physical security, preparedness, etc. The billing fee? Zero. Cost? Not free. Certainly a service like this is useful. Any security officer would be dumb not to take advantage of a service like this. Another set of eyes can only help. But is it the best use of taxpayer funds?
Just like cash for clunkers, it is a great deal for those people who needed a new car (or security assessment), but a bad deal for those of us who were unable to take advantage of the offer (or who did our own assessment ourselves or paid a third party to do it for us). Those who did not need a new car (new assessment) at that time were forced to fund those who did.
If the Department of Labor was completely eliminated, would anyone besides the employees notice? What about the Departments of Education, Commerce or Housing & Urban Development? Does the DHS need a Science and Technology Directorate?
The problem with government in all nations is that it is too big. It does not matter which political party is in power, government grows. Most of the growth is well intended. But the value is very questionable.
In the security world, the powers that be justify their positions, programs and plans as necessary to protect us and our operations. Security people over-blow most situations. Without fear, uncertainty and doubt, they would be without a job. Politicians do the same: the other guy’s special interest is corrupt and not required but theirs is.
I appreciate the men and women that are trying to protect us. I just think there are too many of them in roles that do little to reduce or manage risk.
Posted in Homeland Security, Infrastructure Security
10 September 2009 by Jeff Hayes.
When I began my career in the 80s, I worked for a firm (NCR Comten) that competed against IBM. We provided communication processors for the mainframe/cluster controller/terminal industry. In the 90s, I worked for firms (Network Systems, Xylan, Alcatel) that sold channel extension, security appliances and switching products against Cisco. In both cases, we were the outsider, trying to unseat the incumbent. Outside of feature/function/benefit/pricing comparisons and long-term personal relationships between the sales team and customer, we had to combat fear, uncertainty and doubt (FUD).
FUD is based on the notion that if you — the customer — buy the incumbent’s product, you will regret it. Comments might include: “it will not work as advertised;” “the long-term costs will be greater than what you think;” “it will be a support nightmare;” and “your administrators and end users will not like the new solution.” In the security space, the points are the same but the infosec vendors add a new spin to fear.
Security entrepreneurs recognize a problem that is not being properly addressed by current products. They design, develop, test and market a new mousetrap. The challenge for all of them is to find a market large enough to cover the investment and to build a business upon the new market. Few people are aware that many of these problems exist. Enter marketing.
The infosec firm needs to define the problem so more people are aware of it. They need to expand the scope of it. They need to make you feel like if you don’t have this product, you are opening yourself up to a security disaster.
We all know technology and the exploits against it evolve. Many of these new products do have merit but most do not. That’s why so many of these firms go out of business or cannot grow beyond $5-20 million in annual revenue. The lucky ones find an exit strategy by being acquired.
I was reading an article in CSO magazine, 7 Reasons Websites Are No Longer Safe. Though not written by an infosec vendor, it makes the reader think that all Web sites are insecure and you might as well forget about trying to secure them. Hmm. So all of the e-commerce, banking and investment sites are unsafe?
The infosec industry makes its money by making people feel insecure. Fear is key to the marketing message. Most businesses do not need all of these leading-edge security devices or software. The sky is not falling, despite the vendor-speak.
Posted in Infrastructure Security, Web Security
9 September 2009 by Jeff Hayes.
One truly meaningful use of modern cellular networks, aside from gaming, sports scores and TV streaming, is mobile telehealth.
Sensors are placed near or on individuals with medical conditions, and updates are communicated via the cellular network to a location that will record, analyze and, if necessary, act upon them. For example, regular communication of a person’s blood pressure taken every couple of hours for a week.
The authenticity, integrity and confidentiality of the data path must be guaranteed. This raises the need for secure communications for mobile telehealth devices.
One must question the current security model followed and implemented by the mobile telehealth device manufacturers. Some will take it seriously, others will not.
Posted in Remote Access, Privacy
8 September 2009 by Jeff Hayes.
There are things that we should fear and there are things we should not fear. Lost data due to poor backup procedures, not safeguarding core intellectual property, and security policies with no enforcement teeth are things we should fear. Terrorism (unless you are DHS or are a high-value target) is one that we ought to put low on our list of concerns.
Joan Goodchild, Senior Editor, CSO magazine wrote the Seven Deadly Sins of Building Security:
This list is a solid list based on the prudent man principle of information security: Those with responsibility to invest money in order to secure the operations should act with prudence, discretion, intelligence, and regard for the safety of capital as well as the desired and resulting level of information security.
There are all types of security people — and we need them all — from the firewall/IDS/network security specialist and physical security specialist to the policy writers and auditors. However, we need a manager that sees and understands all of the key parts of organizational security and can map them to coincide with the organizational goals.
The key is to make a regular and complete assessment, implement accurate and quality processes, procedures and technology solutions, and to manage and monitor it continuously. Then stay at it, doing it over and over. Boring yes, but good security was never designed to be exciting. It needs to be in place when it is needed.
Finding one who can balance what is good and financially in line for the organization against what a security purist hopes for is where you will find the prudent man (or woman) of information security.
Posted in Security Management, Security Policy
2 September 2009 by Jeff Hayes.
I am a big fan of the BBC program called Spooks. It is marketed in the USA as MI-5, viewed on some PBS stations or online from Netflix. (If you like the Fox show, 24, you will like MI-5/Spooks). Most of the episodes deal with terrorism. A key piece of technology they use in their investigations and surveillance is closed-circuit television (CCTV). It got me thinking about the question: are we better or worse off with a ubiquitous CCTV system?
Britain and many European nations are heavily wired with CCTV. London boroughs have anywhere from 0.25 to 4 CCTV cameras per 1000 people. Back in 2002, the average citizen in the UK was caught on CCTV cameras 300 times a day; this number has increased because the number of cameras has increased. The U.A.E. is deploying thousands of CCTV cameras (and security guards) at an increasing number of locations within its transportation system. The USA is increasing the use of CCTV cameras, deploying them at various locations including public gathering places and major road intersections.
They are good at recording crime in urban areas. But there is a major privacy issue at play. One must avoid the position that “if you are not doing anything illegal, then you should not be concerned; they are for the public good — for our own safety.” With that argument, then why not place government-monitored cameras in your houses, backyards, classrooms and churches?
Should we use cameras for catching speeders? Why not? It is in the best interest of society’s safety, isn’t it?
The problem is that the scope of the cameras expands beyond terrorism and serious crimes like rape, assault and robbery. It morphs into the fields of sociology and psychology. It then becomes an invasion of privacy. CCTV cameras have been used to investigate dog fouling, littering, public urination, misuse of disabled parking passes, false claims for damages, and to spy on a person who was working while off sick. We might detest any and all of these, but do we want our government policing them at significant taxpayer cost?
Apparently many societies say yes. Others, including me, say no.
Posted in Physical Security, Homeland Security, Privacy