04.19.07 The Perfect Security Product? By Dan Morrill
We still have not found the perfect security product. We have come close a couple of times, but no cigar.
It is not for lack of looking. However, we look at a security product the way a small security firm does: one that needs to be up and running 24x7 and to offer exemplary support to its clients.
Maybe our standards are just too high, or maybe we just have a very robust security evaluation program that can root out a lot of issues early on, whether they sit on the user, manager, or architecture side of the house.
We usually evaluate not just the functionality of a security product; we also try to break into it, or just break it (failing open on a fault is a "great feature" in far too many products). A hole or a UI (User Interface) issue crops up in most of the products that we look at and test.
Some products do not even make it past the sales call. We try to be as well informed as possible about a product before going into a sales call, and most sales people are simply unable to respond to bad press, let alone discuss previously discovered vulnerabilities in the product and tell us whether they have been fixed, or at least addressed.
Service and maintenance is another fun issue when dealing with new products. Normally we will hit some crisis during the testing phase, throw it over the wall to the support side of the house, and start counting the minutes until we get a response back. Then we gauge the response on how well they solved the problem, even if it is obscure. If we cannot get back up and running quickly, then why buy the security product?
Obviously, we talk to many folks and try to get the more interesting technology out there into our hands, from DRAC to virtualized administrative consoles, only to find out that the security implementation works great on the HTML pages but not on the JS, CSS, or XSS pages of the system. While we have to take the HTML pages in chunks, we have free and clear access to the rest of the virtualized administration system. It is a lot like the old VMware kernel from about 3 years ago (note: if you are using old VMware, update, it is worth it; if you are using a system based on the old VMware kernel, talk to the manufacturer, or for fun have your security team go digging around the system).
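The failure mode described above, an access check that guards only the HTML pages while scripts, stylesheets and API endpoints behind the same console are served to anyone, can be modelled as a path policy. The following is an added illustration, not code from any vendor or from the original post; the paths, the public allowlist and the sample requests are all constructed.

```python
"""Per-extension authorization beside a deny-by-default policy.
Added illustration; every path and rule here is constructed."""
from urllib.parse import unquote
import posixpath

# Constructed resources that legitimately need no session.
PUBLIC_EXACT = {"/login"}
PUBLIC_DIRS = ("/static/",)


def normalize(path: str) -> str:
    """Decode and collapse '.' / '..' segments so aliases of a page map to one path."""
    path = unquote(path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def weak_requires_auth(path: str) -> bool:
    """Guards only *.html: everything else under the console is served unauthenticated."""
    return normalize(path).lower().endswith(".html")


def hardened_requires_auth(path: str) -> bool:
    """Deny by default: a session is required unless the path is explicitly public."""
    p = normalize(path)
    if p in PUBLIC_EXACT:
        return False
    return not any(p.startswith(d) for d in PUBLIC_DIRS)


def unauthenticated_exposure(paths, policy) -> list:
    """Return the requested paths that the given policy would serve without a session."""
    return [p for p in paths if not policy(p)]


# Constructed requests an anonymous client might send to an admin console.
SAMPLE_REQUESTS = [
    "/admin/index.html",
    "/admin/console.js",
    "/admin/api/vm/list",
    "/admin/%2e%2e/admin/index.html",
    "/static/logo.png",
    "/login",
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_requires_auth), ("hardened", hardened_requires_auth)):
        print(name, unauthenticated_exposure(SAMPLE_REQUESTS, policy))
```

Running it lists, for each policy, which constructed requests would be answered without a session; the weak policy leaks the script and the API endpoint, the hardened one only the allowlisted login page and static directory.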
Wired is talking about some of the work they have done in their testing in the article "How Security Companies Sucker Us With Lemons", which is well worth reading. They state, regarding some of the USB sticks they have been looking at:
I see this kind of thing happening over and over in computer security. In the late 1980s and early 1990s, there were more than a hundred competing firewall products. The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much. Because buyers couldn't base their buying decision on the relative security merits, they based them on these other criteria. The intrusion detection system, or IDS, market evolved the same way, and before that the antivirus market. The few products that succeeded weren't the most secure, because buyers couldn't tell the difference. Source: Wired
It behooves a company to have an exceptionally good hack and pen crew, or at least access to one that knows how to break stuff, especially for technology that is going to be evaluated or used in the company before the buying decision is made. The technology might be good, but as with any system, especially security systems and public-facing systems, it is always best to know what the vulnerabilities are long before the bad folks figure them out.
About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.