Stop GIGO Data with Better Information Management

B. Ostergaard

Summary Bullets:

  • The looming GIGO data storm
  • Information management capabilities are more important than cheap storage capacity

Ease of storage expansion and lower storage costs per TB, combined with the drive to be more security ‘compliant’, threaten to create a perfect data storm. Present conditions seem to encourage regulators and government agencies to insist that public sector institutions as well as corporations collect and retain ever more data that is not required for operational purposes, but might be needed in future, might be needed for public safety, or might aid future issue handling. Corporate governance, risk and compliance (GRC) policies are heading in the same direction. The bottom line is added operational cost. Privacy issues aside, two facts stand out from a cost-benefit perspective: first, some 98% of what is stored is never viewed again, and second, information management is way behind the curve. To put it bluntly: garbage in, garbage out (GIGO) is a growing problem because duplication, inconsistencies, randomness and systemic errors lead to massive waste. Policy decisions based on such data risk being flawed and misleading, unlike those based on well-informed analysis of timely and reliable data. Clearly, it is easier to just add more data to storage than to create an information management policy and capability that gives some assurance that the data used for decision-making is valid to some defined degree.

Just to Be on the Safe Side: BT and IBM Both Announce New Unified Security Divisions

B. Ostergaard

Summary Bullets:

  • BT and IBM are consolidating their security capabilities in response to customers’ demand for more coherence.
  • The FUD factor has been somewhat toned down as customers focus on securing their business processes.

The past week brought two significant organizational announcements in the managed security service provider (MSSP) market. BT Global Services is finally bringing its diverse security capabilities under one hat (i.e., BT Assure), and IBM is following suit, bringing its far-flung security expertise into a single division (i.e., IBM Security Systems, reporting into the Software Middleware Group).

The Thin Red Line between Quality Control and Root Kit Privacy Invasion

B. Ostergaard

Summary Bullets:

  • Mobile carriers only want to make sure our traffic is OK; they just forgot to ask.
  • Anything put on an open platform can be taken off, but what about the ethics behind such actions?

Carrier IQ (CIQ) is a very discreet U.S. software company with an application which it claims helps network providers diagnose a range of problems on Android devices, including identifying user location, causes of premature battery drainage, dropped calls, and other system problems. The reason for discretion is the fact that the app is preloaded onto mobile phones before they are sold to customers; once loaded, it is very hard to spot, has a wide range of preset permissions to monitor and report any and all user activity on the device to the carrier, and cannot be turned off. In other words, CIQ meets the definition of a root kit.

Ouch, Quarterly Financial Reports Highlight Managed Service Quality Issues

B. Ostergaard

Summary Bullets:

  • MSSPs are having to invest more in improving their service quality, as customers get more critical
  • The solution could be better overall customer support and more security outsourcing

A review of the latest Q3 2011 financial performance metrics reveals a common trait: many service providers (carriers like Verizon and IT service providers like T-Systems) are investing a lot of their revenues in improving the quality of their managed service delivery, which has put a dent in Q3 profits. Some are making the investments defensively because customers are complaining; others are doing it proactively to avoid future grief.

KISS Your Security Measures

B. Ostergaard

Summary Bullets:

  • Pay attention to basic security procedures and attitudes
  • Explore quantifying the risk from an insurance perspective

According to this year’s winner of the SANS Institute 2011 US National Cybersecurity Innovation Award, Australia’s Defence Signals Directorate, most attacks on most networks could be defeated with just four key strategies: patching applications and always using the latest version of the software; keeping operating systems patched; keeping admin rights under strict control (and forbidding the use of administrative accounts for e-mail and browsing); and whitelisting applications. The basis of these recommendations is that security is a behavioral problem, not a technical problem. In other words, if users do not follow basic security procedures and have the right attitude, no amount of technology investment is going to create the needed security.

Social Engineering – Industrialized Exploitation of Human Helpfulness

B. Ostergaard

Summary Bullets:

  • Helpful people are the first targets
  • Provide simple security commandments to follow under pain of dismissal

The most compelling briefings at this year’s RSA Security Conference in London focused on how companies can make the journey from their governance, risk and compliance process, and the resulting security policy, to actually making it work throughout the enterprise, where getting people aligned with security is a real sticking point. It is not that employees actually want to spill company secrets; mostly, they just want to be helpful to ‘perceived’ colleagues. How many times do we actually read error messages or listen to security warnings? How often do we reflect on the veracity of a caller who seems really nice and obviously knows a lot about the company?

With Poison in the Well, Is It Time to Head for the Cloud?

B. Ostergaard

Summary Bullets:

  • Poison in the Well: APTs threaten basic Internet trustworthiness
  • Head for the cloud (services), but look for open standards to avoid vendor lock-in

Network-centric cloud services are emerging as the new computing paradigm for performance-hungry, cost-conscious business customers. Recent surveys show that businesses are looking at the full span of private, hybrid and public cloud services in their adoption plans. Yet most IT security professionals express serious and legitimate concerns about the security of cloud services, as well as about how cloud adoption can adhere to corporate governance, risk and compliance (GRC) policies. IT security professionals are also increasingly alarmed by advanced persistent threats (APTs) that are undermining the very structure of the public Internet.