So, I was looking through the various blogs hosted over at Computer Weekly when I came across a discussion on Stuart King's Risk Management blog. See
http://www.computerweekly.com/blogs/stuart_king/2009/02/public-sector-vs-private-secto-1.html
Stuart and his co-blogger Duncan Hart have started one of those discussions that you should never start. A subject almost as delicate as religion, politics and questioning the choice of allegiance of that big group of blokes in the football shirts. The question? Whether security is better in the public or private sector. Ouch.
It's one of those discussions bound to stir up opinions – often uninformed and vitriolic. It's a good excuse for those in the private sector to dig out the well-worn clichés and condescending attitudes with respect to public sector security, whilst those in the public sector can come back with their own traditional ripostes. My own opinion – I have to admit a little bias here, having spent the last few years predominantly in the public sector – is that the two areas are so vast as to make such trivial comparisons worthless. You can find good security in the public sector as surely as you can find weak security in the private sector – yes, I'm looking at you, utility and manufacturing organisations (amongst others).
I spent the early part of my career doing penetration testing and vulnerability assessments across a wide spread of sectors, and I found as many problems in certain private sectors as I did in HMG. Yes, you will tend to find pretty good security in those organisations where a lack of control will tend to result in a monetary hit, but there was certainly no guarantee.
HMG have at least taken steps to improve security with the release of the Security Policy Framework and other initiatives aimed at making the (usually) adequate guidance that was previously embodied within the Manual of Protective Security more widely available. Think ISO27001 with extra doses of physical security, personnel security and various other goodies. Together with the public Good Practice Guidance on offer from both CESG and the CPNI, there's a wealth of information available – never mind the stuff that does not make it into the public domain. More importantly still, following the Hannigan Review of Data Handling Procedures in Government, there is added impetus to making sure that the mandatory minimum requirements within the various HMG standards are enforced. It may take time, but information assurance in the public sector is on the way up.
Can the same be said for the private sector?
Given the length of this posting, I'll leave that topic for another day.
Friday, 20 February 2009
Monday, 9 February 2009
Round-up
So what caught my eye over the last week or so?
A couple of interesting stories concerning the exploitation of two well-known organisations - Kaspersky and phpBB:
http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/
http://hackedphpbb.blogspot.com/
It's good to see the level of detail provided by the attackers of how the exploitation took place, and the level of proof provided that the events occurred roughly as described.
I also came across a couple of informative papers, one by Bas Alberts of Immunity providing a useful critique of the Microsoft Exploitability Index and a paper by David Chappell which provides an overview of the Microsoft Azure cloud computing platform. Both available from Microsoft:
http://download.microsoft.com/download/3/E/B/3EBDB81C-DF2F-470B-8A64-981DC8D9265C/A%20Bounds%20Check%20on%20the%20Microsoft%20Exploitability%20Index%20-%20final.pdf
http://download.microsoft.com/download/e/4/3/e43bb484-3b52-4fa8-a9f9-ec60a32954bc/Azure_Services_Platform.pdf
Enjoy...
UPDATED: Kaspersky have now announced that they are bringing Dave Litchfield in to perform an audit of their database - and to publicly share his findings. Now, the public sharing of the results of security audits is certainly something I would like to see more of! It's a great way of establishing trust - provided that the auditor is someone well-respected by the community you are seeking to establish trust with.
Sunday, 1 February 2009
Well, here we go then. Time to enter the wild and wacky world of the security blogger. Whilst I search for fresh inspiration, I'll use this first post to link to some of my past writings over at Computer Weekly:
http://www.computerweekly.com/Articles/2007/12/14/228602/virtualisation-is-not-a-theoretical-risk.htm
http://www.computerweekly.com/Articles/2008/04/09/230220/database-administration-security-strategy.htm
http://www.computerweekly.com/Articles/2008/09/03/232119/metrics-programmes-need-right-design-to-justify-security.htm
http://www.computerweekly.com/Articles/2009/01/23/234393/security-zone-cloud-security-pie-in-the-sky.htm
No promises of regular updates or ground-breaking thinking, but hopefully there'll be something of vague interest here every so often. And if you're one of those types who hates blogs that mix business and personal lives, please move along - I really can't be bothered to maintain two of these things!
Until next time...