Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audit every now and then. After all, if you're not failing any audits there are two possible explanations:
Andreas M. Antonopoulos |
05 Oct |
Read more
For years, Facebook users have been clamoring for better privacy controls and clarity, while Facebook engineers oscillate between improvements and major privacy snafus. Every now and then a new wave of exasperated users cry out "That's it, I'm leaving". Up to now, users really didn't have anywhere to go after quitting, so they effectively quit the social media scene, self-ostracized (MySpace is equivalent to being exiled, perhaps worse). Now that they have somewhere else to go (Google+), Facebook is ramping up its privacy controls and seems to be taking privacy more seriously. Let the privacy competition begin!
Andreas M. Antonopoulos |
08 Sep |
Read more
For two decades, the dominant security model has been location-centric. We instinctively trust insiders and distrust outsiders, so we build security to reflect that: a hard perimeter surrounding a soft inside. The model works best when there's only one connection to the outside, offering a natural choke point for firewall defense.
Andreas M. Antonopoulos |
15 Aug |
Read more
The torrent of <a href="http://www.networkworld.com/news/2011/061511-smartphones-tablets-security.html">smartphones and tablets entering companies</a> has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and <a href="http://www.networkworld.com/news/2011/022811-smartphones-security.html">new security risks</a>, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones on the laptops, too!
Andreas M. Antonopoulos |
28 Jul |
Read more
Desktops and servers are being transformed by <a href="http://www.networkworld.com/news/2010/102510-burning-questions-virtualization-storage.html">virtualization</a> and multi-core CPUs, but that effect is a bit harder to see in <a href="http://www.networkworld.com/topics/security.html">security</a>. Multi-core CPUs especially hold the possibility of completely transforming how and where we do security. One of the effects is to shift more of the security functions into the network. Another may be to radically change the software architecture within and across security appliances.
Andreas M. Antonopoulos |
16 Jul |
Read more
In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.
Andreas M. Antonopoulos |
02 May |
Read more
A new week, a new rash of attacks against security vendors, email marketers and banks. It would be easy to point fingers and laugh at the irony, especially in the case of security vendors, but that would be both petty and shortsighted.
Andreas M. Antonopoulos |
14 Apr |
Read more
Whenever the topic of security is mentioned in the context of cloud computing, it is usually discussed as the "big barrier" to adoption. The perceived or actual lack of security in the cloud makes it impossible for businesses to make the leap into this new computing paradigm. I propose a different perspective: Security will rescue cloud computing.
Andreas M. Antonopoulos |
18 Mar |
Read more
<a href="http://www.networkworld.com/topics/data-center.htm">Data center</a> architecture has been changing quite dramatically over the past few years. In many data centers, organic growth had left them broken up into <a href="http://www.networkworld.com/news/2008/101308-boston-college-data-center.html">application silos</a>. The standard three-tier architecture was copied for each application leading to a fairly hierarchical network. In this architecture, some core security services, such as firewalls and intrusion prevention, were concentrated at the root of the network tree, closest to the ingress routers and around any DMZs.
Andreas M. Antonopoulos |
11 Jun |
Read more
In the movies the government has always got the best toys, the cutting-edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.
Andreas M. Antonopoulos |
05 Mar |
Read more
I often hear from IT executives that it is hard to recruit and retain "good security people." Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?
Andreas M. Antonopoulos |
14 May |
Read more
In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.
Andreas M. Antonopoulos |
17 Apr |
Read more
People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.
Andreas M. Antonopoulos |
19 Mar |
Read more
The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy peer-to-peer, or P2P, networks).
Andreas M. Antonopoulos |
13 Feb |
Read more
There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.
Andreas M. Antonopoulos |
20 Dec |
Read more