Support at its best :)

Comic for February 12, 2012 from Dilbert Daily Strip

Image via Wikipedia

Related articles

• Book Review – How’s That Underling Thing Working Out for You? by Scott Adams (duffbert.com)
• Scott Adams on IP theft: “It feels like a compliment” (RexBlog.com)
• I can’t do that, Dilbert (languagelog.ldc.upenn.edu)
• November 12, 2011: My Top 5 Favorite Comic Strips! (josephmallozzi.wordpress.com)
• Comics Crossover – Barney & Clyde (the-unmutual.blogspot.com)
• Strip where Dilbert confronts boss; looses chair (ask.metafilter.com)
• User Interface for Reality (dilbert.com)
• ArcaMax Launches Dilbert and Four Other Famous Comic Strips (prweb.com)

0.000000 0.000000

Steve Jobs 1955-2011

Rest in Peace Steve.

Thanks

37.307301 -121.856796

SOA, Cloud and the network–part 1

Image via Wikipedia

It is now a quite very long time we talk about new architectures for our environment.
What is leading the way, nowadays, is talking about SOA and Cloud, but what do really means for us implementing those architecture in our networks?
One of the problem I’ve noticed when talking with customers and partners is that they usually try to use the same techniques they used for the old network deployment to the new ones. this is a mistake for several reasons, but for a mere philosophical point of view make a little, if not at all, sense to apply old rules to new ideas.
So what has really changed in those approach (cloud and SOA) that will require us to shift our way to project ad deploy networks?
Let’s say there are some evident changes, first of all the topology of connection has been dramatically modified. when once we could simply think of an identity between user or service, and relative IP address this is not more possible.
The reason behind this are easily found in both client and server side of this equation.
No more physical servers location
virtualization simply change the rules of the game, braking the identity between the physical location of a server and the service provided. this is a huge change in the way we should plan and deliver our service.
The classic structure was something like that:

The service used to be provider by one or more servers with a physical defined location and IP.
The client usually shared the same configuration with a well defined physical location and a fixed IP (or an address taken form a well defined pool).
With this situation was relatively simple to define rules of access and security.
User where defined by the  membership to a specific directory group (Active Directory or LDAP or …who really cares?) as well as client computer was identified and identified by it’s IP range.
From a service delivery and security perspective this was translated in two completely separated set of activities:
The owner of the network used to set delivery and security rules based on IP and MAC address, creating table to allow or block access to physical locations defined by it’s IP range. Tis way there was a sort of identity between IP structure and topology that was then copied at upper layer by software services.
The owner of the service was, at the same time, able to ignore the network structure and limit the relative security and delivery to the authentication of the requester, providing a set of different access to the different layer or services provided by the software.
This approach lead information technology for decades, ten something happened: the disruptive introduction of virtualization.
Virtualization has been a successful technology because of the promise of lower the TCO of our networks.
The original idea was to abstract the physical server from OS and application, making the physical server able to run multiple different instances.
The advantage was a standard physical layer interface seen by OS (no more drivers nightmares, bios upgrade pain and stuffs like this) and the possibility to reduce the overall number of physical devices running more instance on one Hardware.
The increasing power of hardware platforms made this approach approach successful, but at the beginning the virtualization technique was just used to hide the physical server and nothing more.

Nothing were really changed here, beside the fact that more services were running on the same physical platform.
But changing technology create new needs and so the virtual infrastructures evolved to something completely new.
Basically the abstraction layer provided by the virtual environment has been expanded in order to offer a complete abstraction from the physical layer topology. Nowadays virtual environment allow to have virtual environment running  as an unique environment on different HW and different locations, at the same time the services running inside this environment are able to move from an hardware structure to another one just according the required computational needs, for the same reason instances can be created on the fly by the service layer or the virtual environment layer.
This is a radical change in the design of applications, security and networks. While before a simple IP was a good token to recognize a physical layer, a virtual one and a service one, now everything is more complex.
From a logical point of view it is clear that the problem in design is that we have multiple required connection inside the virtual environment, the entities inside the virtual environment can create complex relationship between them (think of a classic SOA implementation) as well they need to instance the physical layer.
There are obvious problems related to authentication, identity flaw control, network control and monitoring inside the virtual environment as well as the interaction with the physical environment. In a single Datacenter the physical backplane and the communication between the physical servers is usually a problem solved with datacenter specific technologies as Unified computing by cisco.
Actually the situation is a way more complex if we consider a geographical implementation as it is used to build SaaS or cloud architectures.
Different environment can be located in different datacenter able to offer a single virtual environment.
Application living in the virtual severs can be located anywhere and change location upon request or load requirement.

In this situation we add another complexity to the structure, since the virtual layer needs physical geographical connections that emulate the single virtual environment, and at the same times applications need to communicate outside and inside their virtual environment.
The physical network layer need to manage several different kinds of traffic: the communication between the virtual layer units, the communication between different services that can be in need to communicate outside the virtual environment (typical SOA requirement) and the communication with client requiring service (we’ll explode this further in a few).
 
This kind of situation is typical in cloud implementation where the physical location of the provided service should not influence the client experience no matter where it is.
In a typical SOA implementation we add a new level of complexity since the service provided can be generated by different unit that can be stored generated and delivered in different fashion.

This kind of complexity is hard to manage with traditional techniques. the first thing that we have to realize is that we need to extend the control inside the virtual environment and its units form a network , authentication and identity point of view.
Since the post is not strictly on SOA architecture I would not go deeper on the modules authentication and security needs and I will talk generally of some network requirements.
Any service that need to communicate with another inside or outside the the virtual environment trough a network protocol (TCP\IP v4 or TCP\IP v6) usually need to be provided with some sort of connection link. this can be provided by a physical switch or a virtual one running in the virtual environment. using a physical switch can be, apparently, a great solution, in terms of performances and security. this is actually a misconception for several reasons:
First of all the communication outside the virtual environment require an overload to both the service and the virtual environment, if we widen the structure in a geographical scale this overload can be barley manageable.
Second aspect to keep in mind is that some network attack in this situation are easier since the real communicator is hided by the virtual shield. impersonating a service and access data is so not a remote threat.
If the physical cannot scale well, the virtual one has, on the other side, another set of  problems: resource consumptions (cpu and network latency for instance) the need to interface with the physical environment, a non matching vlan system and so on.
The problem is to overcome those limitation and keep the good from the two solutions
The solution the market is presenting nowadays is the integration between a virtual switch layer with a physical one datacenter scalable.
The idea is to have a single switch with two faces, one in the virtual world and one on the physical world. Cisco Nexus is a good example of this kind of approach.
As well as the switching similar requirement are related to firewalling. Since what happen inside a virtual environment is in a sort of black box from the outside world, keeping a security eye to check if the correct communication are in place an nothing strange happen is mandatory. Again we  have a dichotomy between the physical and virtual world, the solution nowadays is to adopt a virtual firewall able to deal with internal virtual environment communications. A good example can be found again in Cisco with VSG and Virtual ASA.
Cisco VSG Security in a Dynamic VM Environment, Including VM Live Migration


Basically this kind of solutions address two needs: manage and secure virtual internal traffic, and give an interface from the physical world to the virtual one and vice versa.
Alas this is only one part of the equation, since if from one side we have the problem to control manage and deploy the services we want to provide, on the pother end we have the problem to deliver those service to someone who can use it.
Here the problem again is evolving due to several factors: the vanishing of the physical borders of our networks, the consumerization of browser capable devices, the shift in use from simple data to rich context aware multimedia contents, just to name a few.
Users try to access resources from anywhere with different devices and we are barely able to know from where they will connect to the resources.
the initial situation was relatively easy to manage, as for the server also the client were easily locable. an IP address was more than enough to build a trust relationship between client and server.

With the Datacenter consolidation the number of servers and devices growth, but again with a limited presence of remote users the location of both side were quite easy understandable. The introduction of vlan technologies, stateful inspection firewall, the use of L3\L4 switches, the pervasive use of access lists were addressing (at least apparently) most of the issues.

The virtualization opened a break into this structure introducing a first layer of indetermination, virtual servers and services where not physically defined by the IP, since the could share the same physical location.

while adding complexity from “server” side, also the client side were expanding with an higher presence of remote users and the introduction of new services on the network (who does not have an IP phone nowadays?)

more devices means more network requirements, and so datacenter complexity, thanks to the virtual technology, expanded beyond the physical constrain of a single physical location. as we discussed before this lead to a series of problems that were paired with the expansion form the client side of remote and local  users using different devices.

And then comes the cloud, and the final vanishing of any physical predetermined location for our client and our services.

Client and server side so evolved in an interconnect way, but network components and design were not always following this thread.
Using old fashion access lists, IP based network policies, Static VLan Assignment to manage this situation create a level of complexity that makes things unmanageable. nowadays firewalls require thousands of rules to accomplish every dingle special need, alas we have all a lot of special needs.
It’s clear to me in this situation that we need to shift from a static design to a dynamic one, able to accomplish the different needs of this evolving environment. A technology like Cisco Trustsec address those kind of requests, using SGT (Secure Group Tagging) basically dynamically assign vlan membership upon user identity, regardless IP or location, driving the packets to destination accordingly to the needs, and encrypting the network communication. To drive correctly the traffic regardless the IP is a mandatory requirement in a dynamic Cloud or SOA environment.
As important as driving correctly the network traffic there is also the need to determine witch kind of access we want to assign, we have plenty of devices like tablets, smartphones, laptop, ip phones, printers, scanners, physical security devices, medical equipment that need to access somehow our services and need to be authorized on the network. Using a Network Access service is mandatory as well to be able to correctly filter the devices, both on wireless and wired networks (think of what happened recently in Seattle to understand this kind of need). Again we can think of a cisco product like ISE to accomplish this.

End of part 1

Related articles

• What is soa in active directory (wiki.answers.com)
• Security Needs to be as Dynamic as Your Virtual Environment (sourcefire.com)
• Digging Deeper into VXLAN, Part 1 (blogs.cisco.com)
• Client asks for 100% uptime (serverfault.com)
• Cisco, Microsoft cooperation provides alternative to VMware (infoworld.com)
• Virtualization Security: Your Biggest Risk Is Disgruntled Insider (informationweek.com)
• VXLAN Deep Dive, Part 2: Looking at the Options (blogs.cisco.com)
• VSG: Vive la difference! A Tutorial for HP (blogs.cisco.com)
• Defcon: VoIP used for controlling botnets | PCWorldme.net (portadiferro2.blogspot.com)
• IPv6 Will Cause Some Security Headaches (portadiferro2.blogspot.com)
• Securing Your Virtual Infrastructure (portadiferro2.blogspot.com)
• Major Websites DNS Hacked (portadiferro2.blogspot.com)
• Beyond the TV: Multiplatform and Cloud-Based Tech (portadiferro2.blogspot.com)
• VMware, Cisco Announce Virtual Extensible LAN for the Cloud (portadiferro2.blogspot.com)
• Report: The missing data from Operation Shady RAT (portadiferro2.blogspot.com)
• Cisco unveils safety, security and communication offerings (portadiferro2.blogspot.com)
• IPv6 calls for relook at spam filtering (portadiferro2.blogspot.com)
• Getting Started With Cloud Compliance (portadiferro2.blogspot.com)
• Clickview – Virtulise (edugeek.net)
• Design Considerations for Business Applications in EAI (infotrendz.wordpress.com)
• CCNA Discovery 2 Chapter2 v4.1 (ccnadiscov.wordpress.com)
• Conviture ConVit Enterprise Cloud – KVM and Xen virtual data centers (zdnet.com)

http://feeds.feedburner.com/portadiferro

Anonymous vs BART (Simpson?) part2

Still I read a lot on Anonymous hacking group, even that they threaten children or declare war against UK for expenditure cuts, also Strauss khan seems to be threatened by Anonymous.

Reading news seems that they’re an unstoppable force of nature…

I left my thoughts last time on why internet and why now, and why  they’re so (in)famous.

So about the first point: why internet? 

If they’re a unstructured movement is natural that they choose, grow and move onto the media that makes communication most easier.

The relatively growing of importance of social media, messenger and other communication systems made very easy recruitment and association on the met.

We saw tons of example in our recent history, think about the spontaneous protest that have strike country with despotic government, but also the recent riots in UK where social network apparently played a major role into spreading voices (it’s a viral marketing technique at the end, sin’t it?)

Another aspect of internet is that it’s quite easy to make a lot of damage with a relatively low technical knowledge. I’m not saying that into the anonymous galaxy there are not real hackers, but mostly looks act and attack like script kiddies. alas on the internet security is still far away to be a solid reality, and most of the site and service that offer service are not design and protected (think about the Sony hacking affair).

We should also consider that we knows what happen only after the hacks, this means that could have been several try before a successful hack. And if the number of attacker grows it amplify the chance to obtain a result.

The second questions is why now?

Well this is the time of the internet, where media amplify every thing happened, and sometimes with a little dramatization instead of a serious analysis :)

So the great exposition, the easy of communication and aggregation, the poor status of security and the relatively anonymity that internet offer makes this time the perfect time for anonymous like activities.

The question so is how we manage something like this?

to be continued…

Related articles

• Anonymous vs BART (Simpson?) (portadiferro.blogspot.com)
• San Francisco Transit Blocks Cell Service To Thwart Protest, Draws Ire of Anonymous (mashable.com)
• SpyEye Hacking Tool Now Accessible To The Criminal Masses (portadiferro2.blogspot.com)
• Anonymous Hackers Are Hypocrites, Not Hacktivists (informationweek.com)
• Disguised Member of “Anonymous” Defends Action Against BART’s Anti-Protest Censorship (alternet.org)
• Anonymous-led protest against BART becomes violent (rt.com)
• Anonymous Strikes BART In Wake of Cell Shutdown (news.dice.com)
• Anonymous Creates a Ruckus for BART! (michaelhyde84.wordpress.com)
• Hackers again target Bart website (bbc.co.uk)
• Hacker Group Anonymous Attacks myBart.org Site [News] (makeuseof.com)
• Anonymous Protests BART Cell Service Shut Down: opBART Begins (lafiga.firedoglake.com)
• Anonymous hacks US defense contractor (portadiferro2.blogspot.com)
• FCC Investigates BART Over Cellphone Shutdown (pcworld.com)
• Hackers strike at BART again, release data on police officers (digitaltrends.com)
• Anonymous BART Protest Shuts Down Several Underground Stations (portadiferro2.blogspot.com)
• Anonymous hacks BART police website; publishes officers’ info (brainguff.wordpress.com)
• Hacker Group Outlines Demands For BART, Threatens Even More Protests (huffingtonpost.com)
• Anonymous hacks BART police website; publishes officers’ info (zdnet.com)
• The Real Consequences of an Anonymous Data Leak (h30499.www3.hp.com)
• Anonymous planning another BART protest (sfgate.com)
• Anonymous Leaks BART Officers’ Emails and Passwords [San Francisco] (gawker.com)
• Anonymous Peacefully Hacks MyBART.org, Posts User Data (sfist.com)
• Anonymous Can’t Agree on BART Protests and Hacking Tactics (blogs.sfweekly.com)
• Anonymous Hacks BART Website, Leaks User Info and Passwords [Hacktivism] (gawker.com)
• Anonymous hacks BART in protest, spills innocent customer data (geek.com)
• Anonymous hackers deface Syria’s Ministry of Defense website (portadiferro2.blogspot.com)
• Anonymous threatens ‘impostor’ hacker group in India (portadiferro2.blogspot.com)
• Anonymous’ new social site hacked, defaced (portadiferro2.blogspot.com)
• Infamous hacker group Anonymous pays the Indian cyberworld a visit (portadiferro2.blogspot.com)
• Owners of hacked computers will be punished, says official (portadiferro2.blogspot.com)
• Banks prepared for Anonymous hacking plans (portadiferro2.blogspot.com)
• Anonymous hackers breach San Francisco’s Bart transport website (guardian.co.uk)
• BART’s website hacked for 2nd time (cnn.com)
• Spanish Police Arrest “Leaders” of Anonymous (portadiferro2.blogspot.com)
• Daily hack news (portadiferro2.blogspot.com)

http://feeds.feedburner.com/portadiferro

Anonymous vs BART (Simpson?)

Image via WikipediaOK the latest are that group anonymous is attacking BART system in San Francisco. It’s a very funny target from my point of view, probably because thinking of an hacking attack to our Italian subway system would be ridiculous. Just because nobody would notice it of course

But the last Anonymous attack make me wonder what is really anonymous, and similar group like lulzsec or web-ninja and so on.

Are those a real groups? And what are the reasons behind their moves? Do they really have a defined  agenda? and a boss or a hierarchy?

Usually press and police try to consider those groups as organized crime or terrorist.  so we can read news on a new hacking group leader arrested, and even if this could sound a good info the truth is that those act does not stop, “ou contraire”, they rise up.

Like the Hydra once you cut a head other two grown up? Or this is a highly structured and efficient organization, able to act and replace the troops with military precision?

Alas I do not think they’re right. Considering the way they act and the target they choose it looks more like social networking environment.

It looks like more as an unstructured group, leader does not means boss, and links and groups does not identify a hierarchy. If we do not put this in mind we will have a few chance to understand this phenomena. With this in mind it’s easier to understand the aggregation model of those groups, underground culture, acktivism, emulation are all drivers. Of course in such environment is quite easy to have criminal infiltration and manipulation but those are not the main drivers.

A diffuse sense of eager for justice is the main vector, also a sense of revenge against official institutions. If we analyze the first targets, big corporations, police enforcement agencies, governments who are fighting civil rights looks like we have a sort of new “68″.

But why now and why internet? There are several good reason that are joining all together.

I will talk about this next time

Related articles

• The Inevitable Taiwanese Animation of Anonymous’ BART Protest (sfist.com)
• Anonymous hacks US defense contractor (portadiferro2.blogspot.com)
• BART Website Still Down After ‘Anonymous’ Hack (huffingtonpost.com)
• Anonymous BART Protests of the Day (geeks.thedailywh.at)
• Hacker Group Anonymous Attacks myBart.org Site [News] (makeuseof.com)
• Anonymous on Bart cyber attack (allthingsd.com)
• Anonymous Hackers Attack BART Web Site – How to Protect Yourself (lockergnome.com)
• Hackers strike at BART again, release data on police officers (digitaltrends.com)
• Hackers again target Bart website (bbc.co.uk)
• Anonymous BART Protest Shuts Down Several Underground Stations (portadiferro2.blogspot.com)
• Anonymous Leaks BART Officers’ Emails and Passwords [San Francisco] (gawker.com)
• Anonymous Creates a Ruckus for BART! (michaelhyde84.wordpress.com)
• Anonymous Goes After BART After Cell Phone Shutdown (textually.org)
• Another Follow Up of the Day: Anonymous Hacks BART, Releases Officer Info (geeks.thedailywh.at)
• Anonymous At War With San Fran’s BART (pinkbananaworld.com)
• Anonymous Targets BART Over Cellphone Cut – WSJ.com (dean-bowman.com)
• BART Police database hacked – names and addresses posted online (nakedsecurity.sophos.com)
• Hackers protest BART decision to block cellphones – BusinessWeek (news.google.com)
• Anonymous attacks BART: Bay Area Transit Website Hacked, Information Leaked In Protest (redantliberationarmy.wordpress.com)
• Another BART website hacked – Anonymous doesn’t take credit (cbsnews.com)
• Letters to the editor, Aug. 17 (sfgate.com)
• Bits Blog: Anonymous to BART: We Hack. We Organize, Too (bits.blogs.nytimes.com)
• FCC reviewing SF subway cell shutdown (news.cnet.com)
• Anonymous claims release of BART police officers’ data (powersthatbeat.wordpress.com)
• Anonymous-led protest against BART becomes violent (rt.com)
• Anonymous Plans Second BART Protest (pcworld.com)
• BART Protests: Police Arrest Demonstrators, Multiple Stations Closed (huffingtonpost.com)
• Anonymous planning another BART protest (sfgate.com)
• Anonymous Hackers Are Hypocrites, Not Hacktivists (informationweek.com)
• BART says closing stations keeps passengers safe (sfgate.com)
• Anonymous vs BART (Simpson?) (portadiferro.blogspot.com)
• Hacking Group Anonymous Vows to ‘Kill’ Facebook (portadiferro2.blogspot.com)
• SpyEye Hacking Tool Now Accessible To The Criminal Masses (portadiferro2.blogspot.com)
• Anonymous’ new social site hacked, defaced (portadiferro2.blogspot.com)
• Banks prepared for Anonymous hacking plans (portadiferro2.blogspot.com)
• Anonymous threatens ‘impostor’ hacker group in India (portadiferro2.blogspot.com)
• Daily hack news (portadiferro2.blogspot.com)
• Breaches: Tales and Lessons Learned (portadiferro2.blogspot.com)

http://feeds.feedburner.com/portadiferro

Cisco Context-aware Security Webcast on August 9, 2011

Cisco Context-aware Security Webcast on August 9, 2011

Free Webcast August 9, 2011 1 p.m. Eastern Time, 12 p.m. Central Time, 10 a.m. Pacific Time Attend from wherever you are. Free White Paper Dynamic, Flexible Security Architecture By Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research Free White Paper Cisco Cloud Security Accelerates Cloud Adoption Gartner 2011 CIO Survey revealed that almost half of all CIOs expect to operate their applications and infrastructures via cloud technologies within the next five years. Read this white paper to learn more about how Cisco cloud security solutions help remove cloud adoption barriers. Find Out More About Cisco SecureX The Cisco SecureX Architecture delivers policy-driven security in a scalable and consistent manner, to increase business growth and measurably reduce risk. Visit the Cisco SecureX Architecture and Identity Services Engine websites or contact your Cisco account representative to learn more. Are you challenged with protecting your workplace as more and more users bring their tablets and smart phones to your network? You are not alone. Even as workforces become more mobile and new technologies like data center consolidation and virtualization transform the IT industry, security remains static, location-based and inflexible. To meet the needs of the new, dynamic work environment, businesses must approach security with new thinking. A context-aware security approach permits flexible, policy-based security that travels with the user, no matter where and how the network is accessed. Cisco and Nemertes Research invite you to a live webcast about improving security in today’s dynamic work environment. During this webcast, Andreas Antonopoulos, Senior Vice President of Nemertes, will discuss: Why much of today’s security can barely keep up in a fast-changing environment Why the focus of security must shift from where the user is to who the user is How an identity-centric security architecture can permit secure, always-on business Additionally, Fred Kost, Director of Security Solutions of Cisco, will provide a deep-dive technical review of the newly launched Cisco Identity Services Engine and share with you: The latest information about the new Cisco SecureX Architecture How you can implement context-aware and policy-driven security in a scalable and consistent manner for business growth while measurably reducing risk “Companies need to transform their security infrastructure, to remove location-specific controls and introduce an identity-centric architecture that offers dynamic, flexible, mobile, policy-based security.” – Andreas M. Antonopoulos, Nemertes Research

© 2011 Cisco Systems, Inc. and/or its affiliated entities Share | Refer a colleague

Antonio Ierano EUROPEAN CONSULTING SYSTEMS ENGINEER Borderless Network: Security anierano@cisco.com Phone: +39 039 629 5092 Mobile: +39 331 628 9653 Follow me on Twitter @Antonioierano Follow my tech Blogs: PostOffice and PostOffice2 Check my profile on LinkedIn	Cisco Security Intelligence Operations Senderbase

Related articles

• Cisco Partner Invite Reminder – Context Aware Solutions (blogs.cisco.com)
• Q&A From July 2011 Security Bulletin Webcast (blogs.technet.com)
• Cisco says layoffs won’t derail SecureX (infoworld.com)
• Cisco Partner Event: Industrial Intelligence for Manufacturers (blogs.cisco.com)
• Cisco Partner Invite Reminder: Warehouse Management with Intermec (blogs.cisco.com)
• Cisco Live Wrap-Up: Jokes from William Shatner, a Video Recap, and More (blogs.cisco.com)
• Cisco Cius headed to Verizon late summer, IT departments celebrate (engadget.com)
• IT security’s scariest acronym: BYOD, bring your own device (infoworld.com)
• YouTube – Cisco SecureX Files Social Engineering.flv (portadiferro2.blogspot.com)
• Zero Day – Cisco systems (portadiferro2.blogspot.com)
• Cisco Context-aware Security Webcast on August 9, 2011 (portadiferro.blogspot.com)
• Cisco Aims for a Go-anywhere Router (portadiferro2.blogspot.com)
• Gartner: New security demands arising for virtualization, cloud … (portadiferro2.blogspot.com)
• PostOffice 2 Tutorial: Cisco Routers Add Web Security with Cisco ScanSafe (portadiferro.blogspot.com)
• Tutorial: Cisco Routers Add Web Security with Cisco ScanSafe (portadiferro2.blogspot.com)
• Cisco Moving Confidently Along its Any Device Journey (blogs.cisco.com)
• YouTube – Cisco Intrustion Prevention System (portadiferro2.blogspot.com)
• Cisco again looks to debunk the multivendor network (portadiferro2.blogspot.com)
• Cloud security: how to protect your data (portadiferro2.blogspot.com)

http://feeds.feedburner.com/portadiferro

Risk and Security: how much to spend? first step:define the process – 005

We can now, after this long intro, try to do a little test to see if we can really define a good method to determine how much to spend for security needs.

First of all we should try to define which process we want to consider. I opted for the Email systems because this is, generally speaking, a strongly neglected and misunderstood  area of IT process.

While mail is widely used and accepted as a communication media worldwide there are a few implementations that consider email security as a whole process involving users, data, and business value. the usual consideration we find around email is:

• why our mailbox is so little
• spam is annoying
• it is not a big issue if we stay without email for a while
• ….

well we should try to understand what email system really is.

I will use a top down approach trying to highlight all the issues and references that could have an impact in business and in the security space.

Then we will try to understand what security approach and technologies would be more useful and we could discover some unexpected relationships.

Sending and E-mail

What means allowing someone to use email?
What is email impact to our business?
What is the value of this service?
And the value of the data processed?

Those are questions that we all should be able to answer when dealing with a mail systems. The choice we do will impact our business widely in terms of productivity and customer satisfaction so we should not underestimate this.

So first of all let’s try to define what we’re talking about.

Basically sending an e-mail is a process that allow a User A to send information to a User B.

From a user perspective this require to give some info to the email client in order to be able to allow the message to be correctly delivered.

the User A experience is based on 4 basic steps:

access to email client
bein able to put the destination address and the recipient address
add the info to the email
send the message

Accordingly the User B should be able to recieve the message, open it and read it. At the end B should also be able to eventually answer to the message.

Right at this level we can start doing some consideration around the email system:

Who can access this service?
Who should provide this service?
Could we allow multiple services?
Do we neeed to control the information sent\recieved?
Do we need to control sender and recipients?
Do we need to define devices allowed to send messages?
Do we need to define a perimeter to send\recieve messages?
Do we need to define SLA related to this service?
…

of course answering those questions could open new subquestions, for example:

“Who can access this service?” should imply at least:

• can we recognize the users?
• what is the general knowledge of those users? do they need training?
• can we force an identification?
• can we log them?
• do we have to store the data sent?
• is there any legal implication?
• how we control unwanted access? is this a problem?
• ….

and for the other questions:

Who should provide this service?

• can we provide it internally?
• Could we externalize the service?
• do we need to hold locally some data?
• are there any legal implication?
• ….

Could we allow multiple services?

• Do we offer just one service (internal mail)?
• Do we allow the use also of personal email systems (Like Google, yahoo, Live…)?
• Can we implement control policy on any system?
• …

Do we neeed to control the information sent\ received?

• Do we manage sensitive information?
• Is there any kind of communication that would be dangerous to be sent out by employee?
• Do we receive sensitive information with this media?
• how we control the trustworthiness of information received?
• is any legal implication?
• …

Do we need to control sender and recipients?

• do we need to impose limit to access the mail systems?
• do we need to prove our sender identity o the recipient?
• do we need to check if someone is sending message on behalf of someone else?
• …

Do we need to define devices allowed to send messages?

• can we expose mail through a web-mail interface?
• can we allow mail being read on mobile devices?
• do those devices have to be company owned or could be of any kind?
• do we force a VPN connection to access email?
• …

Do we need to define a perimeter to send\recieve messages?

• can anyone send\recieve email?
• are any limitation for role or location?
• can we define subset of needs that require special care (ie. legal dept, HR, contracts…)?
• ….

Do we need to define SLA related to this service?

• what are expected SLA expectation?
• can we define sla for the several aspects of the service as delivery time, storage, access, uptime…..?
• ….

Wow

As we can see there are a lot of interesting question that can be raised when we talk a put mail, and we just do not entered the real deployment of the process, we just set up a black-box between sender and recipient.

Some of those question would be better addressed going deep into the process and once exposed the link between email and other business processes. but right now we understood that an apparently easy process like providing and email system should rise several security concerns.

So let not try to understand what is the value of this process related to our business.

Once we understood that sending email involve sending data, we should try to evaluate what kind of data and the value of this data are processed.

In nowadays environment Email systems are one of the most important (although neglected) asset. We actually use email to send any kind of communication, with different level of importance.

From personal note, to projects, presentations, confidential communication, also legal or HR communications and business contract and offers are sent by email.

But E-mail systems is also used for hold and storage those information, basically our mail-servers and the relative client interfaces are used as a not structured database that hold our intellectual property.

Studies estimate that over 90% of company intellectual properties are stored in email systems. 

So would this worth a protection?

in order to better define the process we should also try to understand risk that this systems is exposed to, but to do so we should, first of all, try to understand some little technical implication of email systems.

to be continued ..

Related articles

• How to Control & Manage Email Risks in Business (thinkup.waldenu.edu)
• What’s new in free mail: Gmail, Yahoo Mail, Hotmail… (melvinz.wordpress.com)
• Email in the World’s Languages – Part III (circleid.com)
• The surprising most popular email clients (lancewiggs.com)
• The new email marketing metrics (antezeta.com)
• How can I prevent Spam? (recipenet.wordpress.com)
• Avoiding Identity Theft from Phishing Scams (turbotax.intuit.com)
• Google boosts Gmail’s anti-phishing feature (infoworld.com)
• Gmail Adds Detailed Sender Information To Improve Security (ghacks.net)
• Dustin Kirkland: Introducing rootsign! (dustinkirkland.com)
• Gmail Adds Read Receipts in Google Apps Business (labnol.org)
• How long to send e mail from New York to London (wiki.answers.com)
• 10 Rules to Reverse the Email Spiral (aggercommunications.com)
• 14 ways to remove the attention barriers in your email marketing (email-marketing-reports.com)
• Automating your Email with Tout (techattitude.com)
• In depth with FollowUp.cc: Reminders, calendar and task list in one (thenextweb.com)
• Thunderbird 6 Beta Released, New Logos Upcoming (ghacks.net)
• 5 Thunderbird Add-Ons That Will Make it Better Than Gmail (makeuseof.com)
• Six Do’s and Don’ts of Email Design (marketingprofs.com)
• Lessons Learned: Productivity Tips For Running A Web Design Business (smashingmagazine.com)
• Stunnel – How to use Gmail With Older Software (ghacks.net)
• A Short List Of Handy Free Microsoft Outlook Downloads (ghacks.net)
• Persona Email Client Prototype (konigi.com)
• How to Control & Manage Email Risks in Business (thinkup.waldenu.edu)
• Ross Technologies Ltd Announce New Tonsho Plugin for Microsoft Exchange (prweb.com)
• Get a Flashback (ontrackindiablog.wordpress.com)
• Save Our Inboxes! Adopt the Email Charter! (emailcharter.org)
• Why do you need email etiquette? (propertywikia.wordpress.com)
• NHS Email Footer (chalisque.wordpress.com)
• WebLOQ Expands Its Encrypted Email Service with Delivery of LOQMail 2.0 (prweb.com)
• Risk and Security: how much to spend? first step:define the process – 005 (portadiferro.blogspot.com)
• PostOffice: Risk and Security: how much to spend? (intro continue again:)) – 003 (portadiferro2.blogspot.com)
• Risk and Security: how much to spend? (intro continue again:)) – 003 (portadiferro.blogspot.com)
• Botnets And Google Dorks: A New Recipe For Hacking (portadiferro2.blogspot.com)
• EA resets users’ passwords following LulzSec hack | Naked Security (portadiferro2.blogspot.com)
• Talking Points – Security week review (portadiferro2.blogspot.com)
• Risk and Security: how much to spend? (…and again again:)) – 004 (portadiferro.blogspot.com)
• Risk and Security: how much to spend? (intro and more ) – 002 (portadiferro.blogspot.com)
• Hacker pleads guilty to breaching AT&T to obtain iPad user email addresses (portadiferro2.blogspot.com)
• Surge in attachment spam a sign of desperation, say experts (portadiferro2.blogspot.com)

http://feeds.feedburner.com/portadiferro

Back on Track

Image via WikipediaI haven’t post much lately,  sorry but I’ve been quite busy and times at work have been hectic. I’m in a short vacation those days but I’ll start posting something
Thanks for the ones who commented on my blogs.
cheers
Antonio

http://feeds.feedburner.com/portadiferro

"La Notte della Rete"

Non sarà una vigilia tranquilla per l’Agcom: sarà, piuttosto, “La Notte della Rete”. Il 5 luglio, a 24 ore dall’approvazione della Delibera definita “ammazza-Internet” dai blogger italiani, artisti, esponenti della rete, leader politici, cittadini e utenti del web si troveranno a Roma per una no-stop contro il provvedimento.
Per maggiori informazioni sul provvedimento dell’Agcom vai alla pagina: www.agoradigitale.org/nocensura

L’evento si svolgerà martedì 5 luglio dalle 17.30 alle 21 presso la Domus Talenti a Roma ( via delle Quattro Fontane, 113 ) partecipa anche tu alla nostra mobilitazione. Fai sentire la tua voce!

Fra i presenti già confermati:
Olivero Beha, Rita Bernardini, Emma Bonino, Pippo Civati, Nicola D’Angelo, Juan Carlos de Martin, Tana de Zulueta, Antonio Di Pietro, Dario Fo, Giovanbattista Frontera, Alessandro Gilioli, Peter Gomez, Beppe Giulietti, Fabio Granata, Margherita Hack, Carlo Infante, Giulia Innocenzi, Ignazio Marino, Gianfranco Mascia, Gennario Migliore, Roberto Natale, Luca Nicotra, Leoluca Orlando, Flavia Perina, Marco Perduca, Marco Pierani, il Piotta, Donatella Poretti, Enzo Raisi, Franca Rame, Fulvio Sarzana, Marco Scialdone, Guido Scorza, Mauro Vergari, Carlo Verna, Vincenzo Vita, Vittorio Zambardino.

Come fare per dare il tuo sostegno all’iniziativa:

• Fai girare la notizia, condividila con i tuoi contatti [QUI IMMAGINE FACEBOOK + LINK ALLA POSSIBILITÀ DI FARE SHARE]
• Conferma la tua adesione alla mobilitazione tramite la pagina www.agoradigitale.org/lanottedellarete e tramite il corrispondente evento facebook http://www.facebook.com/event.php?eid=186527864733678
• Pubblica la notizia dell’evento de LA NOTTE DELLA RETE sul tuo blog e manda in onda la diretta in streaming dal sito de Il Fatto Quotidiano. Compilando il form che trovi all’indirizzo  www.agoradigitale.org/lanottedellarete riceverai nelle prossime ore il codice per l’embed della trasmissione sul tuo sito web.
• Firma la petizione all’Agcom all’indirizzo www.sitononraggiungibile.it e manda un messaggio ai membri dell’Agcom qui: http://www.avaaz.org/it/it_internet_bavaglio ;
• Informati sugli ultimi sviluppi della mobilitazione e sugli altri modi per entrare in azione dal sito http://www.agoradigitale.org/nocensura.

Mancano poco piu’ di 48 ore all’approvazione del regolamento. Non c’e’ piu’ tempo da perdere!

Luca Nicotra
Segretario dell’Associazione Agorà Digitale

Related articles

• Italian telco regulator grants itself power to censor Internet; Obama administration approves (boingboing.net)

http://feeds.feedburner.com/portadiferro

an obscure administrative body could get huge powers to censor the internet.

Dear friends,

In a few days, the Communications Authority could agree on a mechanism that would lead to the closure of any foreign website, arbitrarily and without a judicial review. Let’s flood the Authority with messages to defend our freedom of information on the Internet!

Our government has launched a fresh attack on our freedom to access information. In a few days, an obscure administrative body could get huge powers to censor the internet.

The party-nominated Communications Authority is about to agree on a mechanism that could even lead to the closure of any foreign website – from Wikileaks to Youtube to Avaaz! — if suspected of violating copyright laws. Experts are already denouncing the unconstitutionality of this regulation, but it will take an avalanche of public opposition to stop this new assault on our democratic freedoms.

There’s no time to lose. Next week the Authority will vote the law, and if we build a massive public outcry against internet censorship, we could tip the balance. Let’s flood the members of the Authority with messages urging them to abstain from adopting the regulation and preserve our right to access information on the Internet. Act now and forward this email to everyone!

http://www.avaaz.org/en/it_internet_bavaglio/?vl

Over the years, Berlusconi has sought to control information on the Internet, but so far his attempts have failed. Now, away from the headlines, his government has a real chance to expand its tentacles into the Internet unless citizens speak up.

The new regulation would allow the Communications Authority to remove content suspected of copyright infringement from Italian websites without judicial oversight. Worse still, the publication of a suspected song or text could even lead to the shutting down entire foreign websites, including information sites, free software portals, video platforms like YouTube, or public interest websites like WikiLeaks.

If approved, this new measure would de facto grant legislative and judicial powers to an administrative body, whose functions should be exclusively consultative and supervisory, paving the way for unchecked and arbitrary decision-making. The Authority, hoping to avoid public scrutiny, is trying to rush through the decision, scheduled for next week.

But together we can build a massive public outcry and persuade key undecided members of the Authority to oppose the regulation and instead refer the issue back to the only body that has constitutional powers to legislate on this issue. Send a message now and forward this as widely as possible:

http://www.avaaz.org/en/it_internet_bavaglio/?vl

Governments are increasingly scared of the Internet as a tool for open public debate and citizens’ mobilization, so they’re trying to impose stricter censorship rules. But citizens are fighting back, like in the UK, where public opposition has forced the government to withdraw copyright legislation aimed to put a gag on the Internet. In Italy, last year we also managed to stop the infamous “Legge Bavaglio”. Let’s win again!

With determination,

Giulia, Luis, Ben, Ricken, Pascal, Benjamin and the rest of the Avaaz team

———————–

Cari amici,

Fra pochi giorni l’Autorità per le comunicazioni potrebbe votare un provvedimento che metterebbe il bavaglio alla rete, arrivando perfino a chiudere siti internet stranieri in modo arbitrario e senza controllo giudiziario. Inondiamo i membri dell’Autorità di messaggi per difendere la nostra libertà d’informazione su internet!

Il nostro governo ha lanciato un nuovo attacco alla libertà di accesso all’informazione, e fra qualche giorno un organo amministrativo sconosciuto ai più potrebbe ricevere poteri enormi per censurare internet.

L’Autorità per le comunicazioni, un organo di nomina politica, sta per votare un meccanismo che potrebbe perfino portare alla chiusura di qualunque sito internet straniero – da Wikileaks a Youtube ad Avaaz! – in modo arbitrario e senza alcun controllo giudiziario. Gli esperti hanno già denunciato l’incostituzionalità della regolamentazione, ma soltanto una valanga di proteste dell’opinione pubblica può fermare questo nuovo assalto alle nostre libertà democratiche.

Non c’è tempo da perdere. La prossima settimana l’Autorità voterà la delibera, e se insieme costruiremo un appello pubblico enorme contro la censura su internet potremo fare la differenza. Inondiamo i membri dell’Autorità di messaggi per chiedere di respingere la regolamentazione e preservare così il nostro diritto ad accedere all’informazione su internet. Agisci ora e inoltra l’appello a tutti!

http://avaaz.org/it/it_internet_bavaglio/?vl

Negli anni Berlusconi ha cercato più volte di controllare l’informazione su internet, ma finora i suoi tentativi sono sempre falliti. Ora, lontano dai riflettori, il governo ha la possibilità concreta di espandere i suoi tentacoli sulla rete, a meno che i cittadini non alzeranno la voce per fermarlo.

La nuova regolamentazione permetterebbe all’Autorità per le Comunicazioni di rimuovere contenuti sospetti di violazione del copyright da siti internet italiani senza alcun controllo giudiziario. Ancora peggio, la pubblicazione di una canzone o di un testo sospetto potrebbero perfino portare alla chiusura di interi siti internet stranieri, inclusi siti d’informazione, portali di software libero, piattaforme video come YouTube o d’interesse pubblico come WikiLeaks.

Se approvata, la nuova regolamentazione garantirebbe di fatto poteri legislativi e giudiziari a un organo amministrativo le cui funzioni dovrebbero essere esclusivamente consultive e di controllo, aprendo così la strada a un processo decisionale arbitrario e incontrollato. L’Autorità, nella speranza di passare inosservata, sta velocizzando al massimo la decisione, che è prevista per la prossima settimana.

Ma insieme possiamo costruire un enorme grido pubblico e convincere i membri chiave dell’Autorità che sono ancora indecisi a opporsi alla regolamentazione e rimandare così la questione all’unico organo che ha i poteri costituzionali per legiferare sulla materia: il Parlamento. Manda un messaggio ora e inoltra l’appello il più possibile:

http://avaaz.org/it/it_internet_bavaglio/?vl

I governi sono sempre più impauriti da internet, che è diventato uno strumento per aprire il dibattito pubblico e per la mobilitazione dei cittadini, e stanno cercando così di imporre regole più strette di censura. Ma i cittadini stanno rispondendo, come in Gran Bretagna, dove l’opposizione dell’opinione pubblica ha costretto il governo a ritirare la legislazione sul copyright che voleva mettere un bavaglio alla rete. In Italia lo scorso anno siamo riusciti a fermare la “legge bavaglio” liberticida. Vinciamo di nuovo!

Con determinazione,

Giulia, Luis, Ben, Ricken, Pascal, Benjamin e tutto il resto del team di Avaaz

FONTI

Campagna di Agorà Digitale, Altroconsumo e altre associazioni contro la delibera AGCOM sulla rimozione automatica dei contenuti su internet:
http://sitononraggiungibile.e-policy.it/

6 luglio, muore il web italiano:
http://espresso.repubblica.it/dettaglio/6-luglio-muore-il-web-italiano/2154694

Agcom, si sveglia l’opposizione politica: “Modifica diritto d’autore spetta al Parlamento”:
http://www.lastampa.it/_web/CMSTP/tmplrubriche/giornalisti/grubrica.asp?ID_blog=2&ID_articolo=1219&ID_sezione=&sezione=

Internet: Fini su delibera Agcom, no ai paletti, si tuteli la libertà:
http://www.adnkronos.com/IGN/News/Politica/Internet-Fini-su-delibera-Agcom-no-ai-paletti-si-tuteli-la-liberta_312189942267.html

D’Angelo (Agcom): “La libertà non è un procedimento amministrativo”:
http://zambardino.blogautore.repubblica.it/2010/12/15/dangelo-agcom-il-decreto-romani-un-errore-aver-paura-della-liberta/

Delibera n. 668/10/CONS dell’Agcom, Lineamenti di provvedimento concernente l’esercizio delle competenze dell’Autorità nell’attività di tutela del diritto d’autore sulle reti di comunicazione elettronica:
http://www.agcom.it/Default.aspx?DocID=5415

Il governo britannico pronto a rivedere i suoi piani per bloccare i siti che violano il copyright (in inglese):
http://www.computerweekly.com/Articles/2011/02/02/245187/Government-to-review-plans-to-block-copyright-infringing.htm

Support the Avaaz community! We’re entirely funded by donations and receive no money from governments or corporations. Our dedicated team ensures even the smallest contributions go a long way — donate here.

---

Avaaz.org is a 9-million-person global campaign network that works to ensure that the views and values of the world’s people shape global decision-making. (“Avaaz” means “voice” or “song” in many languages.) Avaaz members live in every nation of the world; our team is spread across 13 countries on 4 continents and operates in 14 languages. Learn about some of Avaaz’s biggest campaigns here, or follow us on Facebook or Twitter.

This message was sent to anierano@cisco.com. To change your email address, language, or other information, contact us via this form. To unsubscribe, send an email to unsubscribe@avaaz.org or click here.

To contact Avaaz, please do not reply to this email. Instead, write to us at www.avaaz.org/en/contact or call us at +1-888-922-8229 (US). 

http://feeds.feedburner.com/portadiferro