J Wolfgang Goerlich's thoughts on Information Security
Disposable end-point model

By wolfgang. 26 May 2009 03:52

One project in my portfolio at the moment is building what I call a disposable end-point model. It is a low-priority project, but an ongoing one. The goal is to deliver the best user experience at the lowest price point.

Portability is a must. Think about the concerns over swine flu and the like. What is your pandemic plan? My pandemic plan, at least from a technology standpoint, is straightforward. People work from home over the VPN and run applications from Citrix. So the end-point devices must be portable and dual-use.

Yet traditional notebooks are expensive. My firm, like most, has an inventory of aging notebooks. These older computers are costly to maintain (studies show roughly $1K per device every two years) and costly to replace if lost or stolen (studies show roughly $50K per incident).

The sweet spot is a computer that costs less than supporting an aging device and is disposable if lost or stolen. With no data stored locally, a lost device is a hardware loss rather than a security incident, which erases the risk exposure of stolen devices, provided the device also caches no VPN or Citrix credentials that would hand the thief the user's access. These inexpensive computers should be lightweight and easily carried between office and home. So I am looking at netbooks, which run around $500.

I spoke with Jeff Vance of Datamation about these ideas. He recently wrote an excellent article that summarizes the netbook market and how data center managers are looking to use the devices: Will Desktop Virtualization and the Rise of Netbooks Kill the PC?

Tags:

Architecture | Security | Virtualization

Your IT Skills are Dying -- Time to Study

By wolfgang. 20 May 2009 04:22

Global Knowledge released an article on Ten Dying IT Skills. The top ten are:

  1. ATM
  2. Novell NetWare
  3. Visual J++
  4. WAP/WML
  5. ColdFusion
  6. RAD/Extreme Programming (this I doubt)
  7. Siebel
  8. SNA
  9. HTML
  10. Cobol

Please pardon me while I get a little nostalgic.

I once buttered my bread by being fairly proficient at five of the above. I began in May of 1995 as a Systems Administrator for Novell NetWare. I still do some NetWare today, though only because I am engaged in a migration from GroupWise on NetWare to Exchange on Windows. Being able to do both NetWare and Windows engineering got my foot in many doors, and took me into many odd projects.

For example, around the turn of the century, I was involved in laying a multi-site ATM network. We used AT&T as the provider for the point-to-point links. I then back-ended the ATM onto an enterprise network switch that was capable of 100 Mbps. It was rather exciting, and I remember spending lots of time poring over technical manuals to learn the ins and outs of ATM.

Another time I did a web user interface project with HTML and ColdFusion. I had been hacking web pages together with Notepad since getting a dial-up Internet connection. Using ColdFusion was the first time that I reached any sort of professional developer status. It was quite fun, though I quickly passed on to Visual Studio and .NET development.

I cannot recall if it was before or after the HTML / ColdFusion project, but around that same time I wrote a BlackBerry application. It was a proof-of-concept for a financial firm. Basically, it pulled back the top ten customers based on assets from an accounting system, and indexed them with the CRM system. The sales people then could see the name and number of their top accounts. The delivery mechanism? WAP/WML. I did most of the work with Notepad and a BlackBerry emulator.

Now a favorite phrase of mine is that those who live by the sword die by the arrow. In technology, you have to be constantly training to keep relevant. My goal is that 20% of my time be spent on acquiring new skills. Though I know this intellectually, articles like Global Knowledge's are still a good reminder. Everything that I knew ten years ago is virtually irrelevant. Everything that I know today will shortly become a dying skill.

With that, I am back to hitting the books.


Tags:

General

HVAC Security Controls

By wolfgang. 15 May 2009 09:56

I have received a few responses to my haiku idea. One came from a fellow whose poetic skills I admire, and it poked a little fun at me. He offered the following as an example:

The servers are hot!
The data center is warm!
What will happen now?

It made me smile and, actually, was rather timely. As data centers in the northern hemisphere move into the summer months, our attention turns towards air conditioning. HVAC (Heating, Ventilation, and Air Conditioning) falls under physical security: it protects availability, the third leg of the CIA triad. Returning to the haiku, the servers are hot. What will happen now? A denial of service.

Some basic controls can be built around HVAC systems to prevent a DoS. The first few revolve around redundancy. HVAC systems should be dedicated to the room in question and spec'd with ample capacity to cool it. Internal redundancy can be achieved with dual compressors and controllers. External redundancy can be achieved with dedicated n+1 power feeds and dual intake vents. Speaking of intakes, these should be in a protected space to prevent tampering or build-up of debris. The HVAC unit itself should be in a physically secure location.

In summary, here is a checklist of items for an InfoSec pro to audit with facilities personnel:

  • Dedicated HVAC
  • n+1 tonnage capacity
  • Internal redundancy
  • External redundancy (power/air feeds)
  • Positive pressurization (keeps dust, debris, and possible smoke from being drawn in from adjacent spaces)
  • Physical security of the HVAC unit
  • Physical security of the HVAC intake vents
  • Clear supply and return vents
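The checklist above is all preventive controls. The detective side, noticing that the room is getting warm before the servers start failing, can be a simple threshold and trend check over inlet temperature readings. The following is an added example and is not code from the original post: the sensor names and readings are constructed, and the 27 C / 32 C limits and 0.5 C per minute rise rate are assumptions, loosely modelled on the ASHRAE recommended and allowable inlet ranges.

```python
"""Thermal denial-of-service detection over data center temperature readings.

Added example, not part of the original post. Thresholds and sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Assumed thresholds, loosely following the ASHRAE recommended upper inlet
# temperature (27 C) and the allowable upper limit for class A1 equipment (32 C).
WARN_C = 27.0
CRIT_C = 32.0
# Assumed: a sustained climb at or above this rate usually means the room has
# lost cooling, even while the absolute temperature is still acceptable.
RISE_C_PER_MIN = 0.5

LEVELS = ("ok", "warning", "critical")


@dataclass(frozen=True)
class Reading:
    minute: int    # minutes since the start of the sample window
    sensor: str    # rack inlet sensor name (constructed)
    temp_c: float


def level(temp_c: float) -> str:
    """Map a single temperature to ok / warning / critical."""
    if temp_c >= CRIT_C:
        return "critical"
    if temp_c >= WARN_C:
        return "warning"
    return "ok"


def rise_rate(series: List[Reading]) -> float:
    """Median per-minute slope across consecutive readings.

    The median ignores a single spurious spike, which a first-to-last slope
    would not; a lone reading yields 0.0.
    """
    slopes = []
    for prev, cur in zip(series, series[1:]):
        span = cur.minute - prev.minute
        if span > 0:
            slopes.append((cur.temp_c - prev.temp_c) / span)
    return median(slopes) if slopes else 0.0


def evaluate(readings: List[Reading]) -> Dict[str, dict]:
    """Per-sensor assessment: confirmed level, latest temp, rise rate, flags."""
    by_sensor: Dict[str, List[Reading]] = {}
    for r in readings:
        by_sensor.setdefault(r.sensor, []).append(r)

    report = {}
    for name, series in by_sensor.items():
        series.sort(key=lambda r: r.minute)
        latest = series[-1]
        # Require the last two readings to agree before raising the level, so a
        # single bad sample from a flaky probe does not page anyone.
        recent = [level(r.temp_c) for r in series[-2:]]
        confirmed = min(recent, key=LEVELS.index)
        rate = rise_rate(series)
        report[name] = {
            "state": confirmed,
            "latest_c": latest.temp_c,
            "rate_c_per_min": round(rate, 3),
            "rising": rate >= RISE_C_PER_MIN,
            "unconfirmed_spike": level(latest.temp_c) != confirmed,
        }
    return report


def alerts(report: Dict[str, dict]) -> List[str]:
    """Human-readable alert lines for anything that needs attention."""
    out = []
    for name in sorted(report):
        s = report[name]
        if s["state"] != "ok":
            out.append(f"{name}: {s['state'].upper()} inlet {s['latest_c']:.1f} C")
        if s["rising"]:
            out.append(f"{name}: rising {s['rate_c_per_min']:.2f} C/min, possible loss of cooling")
    return out


# Constructed sample window: one reading per sensor every two minutes for ten minutes.
SAMPLE: List[Reading] = []
for m in range(0, 11, 2):
    SAMPLE.append(Reading(m, "rack-a", 22.0 + 0.05 * m))            # healthy, steady
    SAMPLE.append(Reading(m, "rack-b", 24.0 + 0.6 * m))             # cooling lost, climbing
    SAMPLE.append(Reading(m, "rack-c", 33.0))                       # already critical, stable
    SAMPLE.append(Reading(m, "rack-d", 40.0 if m == 10 else 22.0))  # one bad sample


if __name__ == "__main__":
    for line in alerts(evaluate(SAMPLE)):
        print(line)
```

Two design points matter here. A level is only confirmed when the last two readings agree, so rack-d's single 40 C sample is reported as an unconfirmed spike rather than a critical alarm. The rise rate is the median of per-interval slopes rather than a first-to-last difference, so that same spike does not masquerade as a loss of cooling, while rack-b's steady 0.6 C per minute climb is flagged before it ever crosses the critical line.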

Regards and keep cool,

J Wolfgang Goerlich

Tags:

Physical Security | Security

How to gracefully lose control over computing assets

By wolfgang. 12 May 2009 06:34

Cloud transition is about how to gracefully lose control over computing assets.
http://securityblog.verizonbusiness.com/2009/05/06/on-clouds-and-the-evolving-role-of-the-ciso/

This is a good article. It traces the history of security from the military-minded security pros of yesterday, to the risk management security pros of today, to the great unknown of tomorrow. Given that information security is about guarding information assets, InfoSec may shift toward vendor management and away from technological prowess. "For example, even in the case of stuff covered by compliance (you know, that critical Confidentiality stuff we’d never move to the Cloud), vendors will be quick to sell certified solutions (we’re already seeing this, actually)."

"Now in addition to worrying about measuring things like control effectiveness, A/V coverage, and risk, we’re going to have to understand things like: what level of Governance information are we going to require from which vendors? Once we have that Governance information, what are we going to actually do with it in order to make decisions?"

Tags:

Risk Management | Security

InfoSec Poetry and Hacker Haikus

By wolfgang. 11 May 2009 03:17

I just read "Hackers Can Sidejack Cookies" in The New Yorker. The hacker poetry made me smile and then made me think. Blogs are to ballads as tweets are to haiku. I have been wondering what best to post on Twitter. Perhaps I'll start posting daily 'hacker haiku' that summarize InfoSec themes and ideas.

Here is my first stab at a hacker haiku. This one is in regard to cloud service providers and the need to build controls around a perimeter-less security model.

Clouds form on the horizon
Redefine security
Perimeter-less

Tags:

General | Security
