Sunday, September 27, 2009

How much government control in cyber crisis

I read this article on MSNBC.com, "How much government control in cybercrisis". There have been 18 bills already introduced in Congress to define when and how the federal government should step in in the event of a digital disaster. The sheer number of bills is an indication that this subject is not understood or represented correctly by the lawmakers. It raises so many questions. What is the risk of an all-out cyber attack? Should the federal government be given the authority to shut down the internet? Is this the right approach? Experts say that a system under attack should not be shut down but isolated, with the bad traffic filtered out from the good. Does the government have the agility to do something like that? I don't see it so much as a political issue as a technical one. The problem is that there is no single way of implementing cyber security, given the vastness of the systems in place. Will there ever be a cut-and-dried way of securing information, or will it remain a moving target for the foreseeable future?

Sunday, September 20, 2009

I have been aware for some time that I have the ability to track exploits in the web sites I support, before the network people know that anything has happened.

This article on www.searchsecurity.com confirms the role of the developer in website security. The fact that most attacks penetrate browsers through infected web pages places responsibility for security on the developer. The high incidence of SQL injection again places responsibility on the developer to think about how the data layer is implemented, rather than taking the first example they see on MSDN as the template for the data access layer.

These tools:
  • Vulnerability Scanning
  • Penetration testing
  • SDL and source code security scanning
  • Web application firewalls
  • Choice of browser
  • Application whitelists

will not be effective until they are combined with good coding practices like:

  • Error Handling, including logging
  • Client AND server validations
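What "think about how the data layer is implemented" looks like in code, as an added example (mine, not the article's or the MSDN sample's): the string-concatenated query that many templates start from, beside its parameterized replacement, with the server-side validation and logging error handling from the list above wrapped around it. It assumes Python's built-in sqlite3 in memory as a stand-in for whatever database the site actually uses; the table and rows are constructed sample data.

```python
import logging
import re
import sqlite3

log = logging.getLogger("dal")

# Constructed sample data: a tiny users table standing in for the site's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_unsafe(conn, username):
    # The copy-paste pattern: user input spliced into the SQL text itself.
    # A value such as  x' OR '1'='1  changes the WHERE clause and returns every row.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, username):
    # Parameterized query: the driver binds the value as data; it is never parsed as SQL,
    # so the same payload simply matches no username.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Server-side rule for what a username may look like (assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_handler(conn, username):
    """Request-handler style wrapper: validate, query, log details, return a generic answer."""
    # Client-side checks are a convenience; the server must validate regardless.
    if not USERNAME_RE.fullmatch(username):
        log.warning("rejected username %r", username)
        return {"status": 400, "error": "invalid request"}
    try:
        return {"status": 200, "rows": find_user_param(conn, username)}
    except sqlite3.Error as exc:
        # Keep the driver error and query context in the server log only;
        # never echo them back to the browser.
        log.error("database error for %r: %s", username, exc)
        return {"status": 500, "error": "internal error"}
```

Run both lookups with the input `x' OR '1'='1`: the concatenated version returns both rows, the parameterized one returns none, and the handler never lets that input reach the database at all.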

I like the idea of categorizing all web servers according to business risk. This idea can be combined with adherence to different security standards, like HIPAA.

This is from a developer's point of view, any discussion on that?

Saturday, September 19, 2009

CNG 275 - What I have learned so far

  • VMWare is a lot harder to work with than it looks
  • Networks are not easy to set up
  • Security means locking everything down
  • VPN and wireless networks don't mix
  • Network people don't get developers, and vice versa; it's a cultural thing
  • The boundary area between network and the web application is a lonely place, with neither side having all the answers all the time

Application Firewall

After class on 9/16, I did a search on Application Firewall, also called a Deep Packet Inspection Firewall. I found that a Web Application Firewall is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. An Application Layer Firewall is a computer networking firewall operating at the application layer of a protocol stack. This firewall looks at the request/response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some of them look for attack signatures. The firewall can be either hardware or software and is installed in front of the web server, between the server and the client.
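To make "applies a set of rules to an HTTP conversation" concrete, here is an added example of my own (not code from any firewall product): a toy rule engine that parses a raw HTTP request, decodes it, and runs a handful of signature rules over the path, query string, body and a couple of headers. The rules, the sample requests and the field list are all constructed for the example; a real product ships far more rules and also inspects responses.

```python
import re
from urllib.parse import unquote_plus

# Constructed rule set: (rule name, pattern). A product WAF has hundreds of these.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*|;\s*drop\s)", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(\.\./|\.\.\\)")),
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body}

def inspect_request(raw):
    """Apply every rule to every inspected field; return ('allow'|'block', matches)."""
    req = parse_request(raw)
    # Decode percent- and plus-encoding first; a rule that only sees the encoded
    # form would miss the same payload written as %27 instead of a quote.
    fields = {
        "path": unquote_plus(req["path"]),
        "query": unquote_plus(req["query"]),
        "body": unquote_plus(req["body"]),
        "user-agent": req["headers"].get("user-agent", ""),
        "cookie": req["headers"].get("cookie", ""),
    }
    matches = [(name, field) for name, pat in RULES
               for field, text in fields.items() if pat.search(text)]
    return ("block" if matches else "allow"), matches

# Constructed sample traffic.
CLEAN_GET = ("GET /products?id=42 HTTP/1.1\r\n"
             "Host: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
ENCODED_SQLI_GET = ("GET /login?user=x%27+OR+%271%27%3D%271&pw=a HTTP/1.1\r\n"
                    "Host: shop.example\r\n\r\n")
XSS_POST = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E")
# A harmless comment that happens to contain "--": the tuning cost of signature rules.
FALSE_POSITIVE_POST = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                       "text=see+you+at+noon+--+maybe+later")

if __name__ == "__main__":
    for name in ("CLEAN_GET", "ENCODED_SQLI_GET", "XSS_POST", "FALSE_POSITIVE_POST"):
        print(name, inspect_request(globals()[name]))
```

Two things worth noticing when you run it: the encoded login request is only caught because the query string is decoded before matching, and the innocent comment with a double dash is blocked too. Signature rules catch known patterns, and every rule you add is one more thing to tune against your own legitimate traffic, which is why the filter sits in front of the application rather than replacing the coding practices from the previous post.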

Anyone have any experience in setting one of these up?

Monday, September 14, 2009

Melissa Hathaway, acting director for cyberspace, advocates for more communication and cooperation between public and private entities - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1368168,00.html?track=sy160#

Thursday, September 10, 2009

How much are you worth on the black market?

Symantec has a tool to calculate the worth of your personal information on the black market to hackers here. In the IT World article, I liked the part about how hard it is to sell hacked information on the black market because of all the con artists.

Monday, September 7, 2009

"E-mail hacking services prove hard to prosecute"
Your email password can be had for as little as $33! The two good points this article makes are:
  • The way computers work is counterintuitive to people; when a pop-up asks if you want to accept an unauthorized certificate, it is asking "Do you want to be hacked?"
  • There is less computer security than we want (Peter Eckersley, staff technologist for the Electronic Frontier Foundation); the more complexity, the less security

AND, it is only a misdemeanor if nothing is done with the hacked info. So be careful what you keep in your inbox; access to it can be cheaply purchased.