Longtime friend David Giard had me back on his video series to talk about my security design principles series. It’s always a pleasure to chat with David. Check out our conversation below, and his entire Technology and Friends series on YouTube.
CyberSecurity design weekly recap for October 26-31.
This week: Renzo Piano and the California Academy of Sciences. There’s a tension when designing a security architecture. The architecture must meet and mirror the culture of the organization. The design can’t run contrary to how the organization works. But at the same time, the new controls must facilitate a cultural change towards a more secure way of being. The architecture mirrors while it modifies. Principle: Design for change and stability.
Previously: Paul Hekkert and the Unified Model of Aesthetics. Most Advanced, Yet Acceptable (MAYA) is the name Hekkert has given this principle. How advanced can the design be while still remaining familiar, still being acceptable, still looking like work? The answer will vary from organization to organization due to culture. But the question must remain top of mind for security leaders pushing the envelope. Principle: Balance familiarity with novelty.
One thing more: I was asked this week: “How can companies reduce the human errors that so often lead to security breaches?” Here’s the thing. The number one cause of problems in early flight? Human error. The number one cause of manufacturing accidents? Human error. Number one cause of nuclear power plant problems? Human error. Security problems? Yep, human error. The root cause of all these issues: poor design.
Check out User Friendly: How the Hidden Rules of Design are Changing the Way We Live, Work & Play for more on the root cause of human error in flight, manufacturing, and computing.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
In the Take Controls from Useless to Un-Useless to Useful principle, I wrote about the art of Chindōgu. I was reminded of Kenji Kawakami’s work this week. Matty Benedetto has brought design anarchy into modern times, solving modern problems, with his Unnecessary Inventions.
Consider the mask t-shirt (The Coro-Neck):
No doubt, we need more Matty Benedetto in security control design.
The Enterprisers Project has an article on hybrid cloud.
What are the key considerations for hybrid cloud security?
As we recently noted, “Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization.”
Hybrid cloud security is a big topic; it can be hard to know where to focus. What are the hybrid cloud security questions that you should bear down on now? It starts with visibility. “Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure,” cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI, told us.
Other key issues include asset ownership controls; compliance controls; security tool interactions; communications, and risk assessment. As your hybrid cloud strategy grows, so should your security planning.
Read more here: https://enterprisersproject.com/hybrid-cloud
Even in the face of being declared dead — often and repeatedly since 2004 — the firewall remains a viable security control. De-perimeterization simply leads to a specialization of controls between IT in the cloud and IT on the ground, with the firewall taking on new roles internally. Especially for payment processing, healthcare, and energy, the firewalled network is still a key element of today’s standards and regulations.
The trouble is, all firewalls share a weakness. It isn’t in the IP stack, firmware, or interfaces. No, the weakness is much more fundamental. All firewalls depend on proper configuration and are a single change away from a breach.
Barracuda Networks is well known for its Web Application Firewalls (WAF) which protect against attacks such as SQL injection and others listed in the OWASP Top 10. Back in 2011, however, a change process went awry and disabled Barracuda’s WAF protection for its own servers. Within hours, some tens of thousands of records were stolen via an injection vulnerability on a Barracuda website. All it took was a single misconfiguration.
[Image: FireMon Security Manager 8.0]
Tools for firewall change management have sprung up to address these concerns. Centralizing the audit log for all changes on all firewalls is great for looking back; however, as Barracuda experienced, a breach can happen within hours. IT admins require real-time detection and notification on changes, which is one of the many features FireMon offers. It can model complex changes and provide a what-if analysis cross-referencing the firewalls with an organization’s policy and compliance obligations.
Firewalls will continue to be a foundational control for an organization’s internal IT. The control for the controller, the watcher for the watcher, is secure change management. This means change planning, detection, auditing, and alerting. Operationally, it also means tracking history and the ability to troubleshoot issues by comparing changes across time. For organizations running complex segmented networks, management tools like FireMon are invaluable for preventing breach by change.
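To make "comparing changes across time" concrete, here is an added example (not code from this post or from FireMon) that diffs two rule-set snapshots and triages each change by how much it widens exposure. The one-rule-per-line format, the addresses, and the severity rules are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    port: str

def parse(snapshot):
    """Parse the constructed format: one 'action proto src dst port' rule per line."""
    lines = (ln.split("#", 1)[0].strip() for ln in snapshot.splitlines())
    return [Rule(*ln.split()) for ln in lines if ln]

def diff_rules(before, after):
    """Return (severity, change, rule) for each difference between two snapshots."""
    old, new = parse(before), parse(after)
    findings = []
    for rule in new:
        if rule not in old:
            # An allow from any source widens exposure: alert, don't just log.
            sev = "HIGH" if rule.action == "allow" and rule.src == "any" else "INFO"
            findings.append((sev, "added", rule))
    for rule in old:
        if rule not in new:
            # Losing a deny removes a protection outright.
            sev = "HIGH" if rule.action == "deny" else "INFO"
            findings.append((sev, "removed", rule))
    # Assuming first-match evaluation, a reorder alone can change behaviour.
    kept_old = [r for r in old if r in new]
    kept_new = [r for r in new if r in old]
    for was, now in zip(kept_old, kept_new):
        if was != now:
            findings.append(("HIGH", "reordered", now))
            break
    return findings

# Constructed snapshots: the change widens database access from one subnet to any.
BEFORE = """\
allow tcp any 10.0.5.20 443
allow tcp 10.0.1.0/24 10.0.9.10 1433
deny ip any any any
"""
AFTER = """\
allow tcp any 10.0.5.20 443
allow tcp any 10.0.9.10 1433
deny ip any any any
"""

if __name__ == "__main__":
    for sev, change, rule in diff_rules(BEFORE, AFTER):
        print(f"[{sev}] {change}: {' '.join(rule)}")
```

Run on a schedule against exported configurations, the HIGH findings are the ones to alert on immediately; the INFO findings belong in the audit trail.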
Executives run businesses based on risk versus reward, right? To get action, we need to convey the dollars at stake and the likelihood there will be a loss. You’ll often see this as Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO).
The difficulty I run into is that there is not much hard data on the likelihood of an attack and the typical cost. We can guess, but then the figure ends up being skewed and the rationale does not stand up to scrutiny by senior management. I am hopeful that the recent disclosure laws change this by providing solid statistical information.

Posted by Wolf Goerlich