So what do you do when your main product is broken into by hackers, your intellectual property is in the hands of the unknown, and customers are in an uproar...it's time to get serious. Back in March RSA admitted that hackers broke into their systems and compromised their RSA tokens. Then came an attempted hack into Lockheed Martin based on their use of RSA tokens. With the millions of customers that use RSA tokens, people are starting to worry. While RSA has been tight-lipped about the attack, what exactly has been compromised, and what customers can do...competitors are starting to take action.
First you need to ask yourself if you could possibly trust RSA at this point in time. Their reputation has been tarnished because of the serious hack, and clients are wavering because of the lack of response coming from RSA. Companies should now start asking themselves...is it time to switch vendors?
Google has recently implemented 2 factor authentication for Gmail that makes use of mobile phones. There are a few open source projects that also make use of this concept, which is gaining in popularity. Another alternative for companies is to look at other vendors that can offer the same products as RSA, but at a much lower price. Entrust is a great company that claims to be able to offer great cost savings to customers that make the switch. In addition, Symantec also offers 2 factor authentication via tokens and is giving away $5 for each token that clients trade in and move over to Symantec instead. With that kind of savings on trade-ins, how could you afford not to trade in?! EMC, the parent company of RSA, also doesn't seem too concerned, as RSA only makes up 7% of their total annual sales.
While it takes time and planning to make the changeover to another vendor and product, I think that there will be a major shift in 2 factor tokens coming. I'll be interested to see what vendor takes over as a leader in this space.
Thursday, June 9, 2011
Tuesday, June 7, 2011
A Lack of Education
About two weeks ago Rafal Los (aka Wh1t3Rabbit) posted a blog entry pondering the question of who is responsible for security: the business people or the security team? While I don't want to rehash a lot of what has already been said in his great blog post, I do want to bring up a point that was made during this awesome conversation (you should definitely read his blog post if you get a chance). Out of all the colleges in the US, how many of them provide a course relating to network/web security? The answer is much less than you think. With all of the IT security professionals out there, you would think that there would be some undergraduate and graduate courses in network and web security that deal with many of the issues plaguing businesses today. The sad truth is that such courses rarely exist, and the ones that do don't seem to carry the education of students far enough. There are two issues which I see here that relate directly back to the Business vs. Security post: why are IT students the only ones taking security courses when it is a common problem across all areas of study, and how do we fix the lack of education in this area?
The first issue poses probably the greatest threat today because anyone outside of the "IT realm" tends to not understand why security is important (some people in the realm don't understand it either). When you look at the number of businesses in the US you will see that most of them don't have anything to do with IT. You have financial companies, real estate, retail, construction, and many more. The one thing they all have in common, however, is the fact that IT and computers are ubiquitous in the business world. People use web applications, Google, email, Microsoft Office, and tons of different applications and utilities to conduct business. So if more "business" people are exposed to IT, why should the security professionals be the only ones responsible for understanding how it works? I'm not saying every single person should have a formal IT security background, but a single course on security wouldn't kill anyone. In fact, I would go as far as to say that requiring a single course on security would decrease the number of compromised accounts and identity thefts in the US because of the higher level of education that students would be armed with. A "Business Security" course could explain to users the dangers of visiting any link that pops up in their email, or why the corporate ban on Facebook is actually imposed on them (there are many different topics that could be covered). We should stop relying on the security professionals and customized education programs of companies to train and educate users, because it isn't working. This concept really doesn't work for smaller businesses that can't even afford to develop or implement such programs. We need students entering the workforce to be more educated about security to help protect the companies that they go work for when they graduate. Just because you are an English or History major doesn't mean you won't be touching a computer for the rest of your professional career.
Why have we all been accepting of the fact that security is an "IT" related function?
The second issue here stems directly from the lack of choices those wanting to learn about security face. If an undergraduate in a computer science or information systems major wants to enter the information security field, they will be hard pressed to find anything that will really help them build a solid foundation in this area. The standard two courses that colleges offer are usually cryptography and a general network security course that touches lightly on a few different areas. While these are both good courses, there is nothing currently available that will show students how to program securely, defend a network, implement services securely, or become a penetration tester. These are all topics that many IT professionals should know regardless of whether you are a security professional, developer, or system administrator. Most people you find in these roles today have been hired there from other positions they have held where they *hopefully* have gained some experience in these areas. There are many security professionals today that are so underqualified in the role that they are in, and yet we wonder why major corporations and people's personal data are hacked and stolen all the time?! Seriously though, can you really blame the "security guys"? What training is available to them? Someone posed a question in a forum I'm a member of which asked for a recommendation on a training course. This person said their boss wanted the entire IT team to go to a security class on defending a network for system administrators (or something related). Do you know that after a week of suggestions and replies there really was nothing available for them to attend? The current offerings deal with basic entry level security (like the Security+ classes) or hard core penetration testing (like CEH and SANS). What happened to providing quality education, or education at all for that matter?!
I think that both of these problems are serious areas that need to be addressed before you can really answer the question of Business vs. Security. If each person in the business had at least *some* knowledge of IT security and security professionals were better trained, companies would have an easier time defending themselves and would not have to waste so much time on risk management and remediation from hacks. Companies would also benefit from not having to spend so much on customized training programs, security products, and audits, which would in turn increase their bottom line. Seriously...find me a CEO who wouldn't be happy about that!
Friday, June 3, 2011
Lulz Security Strikes Again
For those of you that have been following security news lately, a group called Lulz Security has been hitting some big name targets. First they started off with FOX, then moved on to PBS, and the latest today includes Sony. First off, let me make a note that this is the fourth time Sony or one of its subsidiaries has been hacked within the last 45 days.
While I don't condone hacking (unless you have permission first, of course), can you really blame Lulz Security? Seriously...when you leave your house do you leave the front door open? If you run into the store for an hour, do you leave your laptop and cell phone on the front seat of your car with the windows open?! It's not like Lulz Security is pulling off crazy insane hacks to compromise these sites...they used a basic SQL injection attack! Not to mention that everything they stole from Sony was stored unencrypted...let me say that again: UNENCRYPTED! What is wrong with you, Sony?!
Once the PS3 network was compromised and 77 million people had their personal information stolen, don't you think that you should have started encrypting your other databases? I mean seriously, why would you take such a risk with people's personal info like that?
Another thing that I wanted to point out is that Lulz Security has been hit hard by DDoS attacks since announcing that they have made the data they stole available for download on their site. As of this morning their site was unavailable, although I'm sure it will come back up again later today. Why would I assume it is going to come back up...well, because the team over at Lulz Security actually *knows* a thing or two about security and is leveraging a product from CloudFlare. This not only supercharges their site, providing them with more bandwidth, but also secures their data in the cloud. Lulz Security has also mentioned in their Twitter postings that their F5 is warding off attacks like they are nothing.
Again, while I don't condone hacking...kudos to Lulz Security for being able to leverage technology correctly, showing companies like Sony what it means to implement a website securely and without issues :-P Companies really need to start asking themselves...if hackers can break into their networks and websites...why is it that their very skilled, highly paid security team can't protect against these attacks? Maybe it is time for companies to start re-evaluating their security staff and stop blaming people like Lulz Security for breaking into their site!
I will update here as more information about these particular hacks or more hacks from Lulz Security develop.