
Showing posts from 2009

The Frrrrrreeeeeeeeeeeee Phone

Initially thought of calling this blog "Death of the Phone Company... Long Live the Phone Company", then changed it to something interesting and simple. Well, oxymorons are fun, and the way voice calling is evolving, it is a great time to be in. First we had Google Voice, the grand central of ideas coming to fruition, and then a slew of products that make use of Google Voice. There are so many opportunities that we may see the old guard failing if they do not move up the order and provide the necessary services as well as upgrade their technologies. Gizmo5 and similar companies may take the mantle of AT&T. But the biggest block to the move from PSTN to VoIP is the cost of the phone instruments. Hopefully this is on its way too; tumultuous times, but an area to be watched in the coming days. How do I use Google Voice, Gizmo5, my Android G1, SIPDroid and a Clearwire modem? These devices can make a big difference to how I have come to use my phone in the

The North Korean Dilemma - Why?

It is crazy that a cash-starved as well as food-starved North Korea spends useful funds on nuclear armaments. Unfortunately, this is because of the overtures from the US that make them belligerent. The US is a trigger-happy country and wants to act as the cop of the world. This is never an area where there is common world opinion. When countries are cornered by the US and put under pressure, they tend to do something to the contrary. Export of US ideas to other countries is considered a cultural invasion and is always resented. This is very similar to the US missionaries that push to Christianize the world by economic incentives rather than as a philosophy and a spiritual way to attain salvation. Why does the US not take on the North Koreans the way they did with the Iraqis? The economics of such intervention is never positive, and even though North Korea is much worse than Iraq was under Saddam, still we do not see the US trying to destabilize North Korea and bring the US brand of democrac

PCI-DSS Compliance or an Insurance for the Card Companies

Is PCI-DSS enough to ensure the security of personal data? Is it the minimum required to protect user information? The way the standard has been prescribed, it looks more like a system designed to transfer the incidence from the card-issuing organization to the organization handling information for the card issuers. If the controls are adequate, why are there breaches? Is the system designed to protect the end user sufficient and complete enough to warrant a certification? What does the certification achieve? If you look at the issues at hand, it is clear that the problem is not with the organization handling the data but with the protection afforded by such systems to personal information. Is it not the case that the card industry, to protect itself, imposes on organizations which process credit/debit card information a publicly available standard that has gone through peer review and public scrutiny, and that this standard is inadequate? The balance between what is prescribed in the standard and what is required

The Big Bad Worm of 2009 - Conficker

Been hearing about this worm since November 2008. Researchers have found that it may have a payload that it could unleash today. Not sure how bad it could be; it depends on all those unpatched machines out there in the wild. So what does it do? It has a very interesting payload and we have already seen more than four variants. Interestingly, it looks like they let versions A and B out to check how the community would respond. The cabal that formed to counter its domain-generation algorithm, by registering the generated domains ahead of the worm, was set back by the C variant, which carries a new generation algorithm and also a peer-to-peer communication mechanism. The other part is how digital signatures are used to control the compromised hosts: updates are signed, which prevents other bot commanders from taking over the already compromised Conficker bots. Network traces have not yielded much, but it looks like a widely distributed system which has already started pushing the latest DLL updates to the already compromised machines. Let's look at the ch
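The post mentions the domain-generation algorithm without showing what it looks like from the defender's side. The following is an added example, not code from the original post and not Conficker's own algorithm: it scores resolver clients on the pattern a DGA client leaves behind, a burst of distinct, random-looking domains most of which do not resolve (NXDOMAIN). The log format ("epoch client qname rcode"), the thresholds and the log lines are constructed for illustration.

```python
"""Flag resolver clients whose lookups look like a domain-generation
algorithm (DGA) client: a burst of distinct, high-entropy domains of which
most fail to resolve (NXDOMAIN).

Added example for this post; not Conficker's algorithm and not code from
the original page. The log format "<epoch> <client> <qname> <rcode>", the
thresholds and the log lines are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: 10.0.0.5 browses normally, 10.0.0.9 walks a
# daily list of random-looking domains until one of them resolves.
SAMPLE_LOG = """\
1238544000 10.0.0.5 www.example.com NOERROR
1238544001 10.0.0.5 mail.example.com NOERROR
1238544003 10.0.0.9 qzvkpxwmb.info NXDOMAIN
1238544003 10.0.0.9 tlrfhgcyo.biz NXDOMAIN
1238544004 10.0.0.9 mzqkwvapn.org NXDOMAIN
1238544004 10.0.0.9 xbfrtjlqd.net NXDOMAIN
1238544005 10.0.0.9 hwkvdpsay.cc NXDOMAIN
1238544005 10.0.0.9 vgsqmyrtp.ws NXDOMAIN
1238544006 10.0.0.9 npaldkxwv.cn NOERROR
1238544007 10.0.0.5 cdn.example.net NOERROR
1238544008 10.0.0.5 nonexistent.example.com NXDOMAIN
1238544009 10.0.0.5 www.example.org NOERROR
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for empty)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def second_level_label(qname):
    """'qzvkpxwmb.info' -> 'qzvkpxwmb': the label a DGA actually generates."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower(), rcode.upper()


def score_clients(log_text, min_queries=5, nx_ratio=0.6, min_entropy=3.0):
    """Return {client: stats} for clients exceeding every threshold.

    min_queries keeps one-off typos from scoring; nx_ratio catches the
    'most candidates do not exist yet' pattern; min_entropy separates
    generated labels from dictionary hostnames (a 9-letter label with no
    repeated character scores log2(9) ~= 3.17, 'example' scores ~2.52).
    """
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "domains": set(), "entropy": 0.0})
    for _ts, client, qname, rcode in parse_log(log_text):
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["domains"].add(qname)
        s["entropy"] += shannon_entropy(second_level_label(qname))
    suspects = {}
    for client, s in stats.items():
        if s["queries"] < min_queries:
            continue
        ratio = s["nx"] / s["queries"]
        mean_entropy = s["entropy"] / s["queries"]
        if ratio >= nx_ratio and mean_entropy >= min_entropy:
            suspects[client] = {
                "queries": s["queries"],
                "unique_domains": len(s["domains"]),
                "nx_ratio": round(ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
            }
    return suspects


if __name__ == "__main__":
    for client, info in score_clients(SAMPLE_LOG).items():
        print(client, info)
```

The heuristic is deliberately coarse: CDN and cloud hostnames are also high-entropy, and a DGA that seeds from a dictionary would pass the entropy check, so in practice the score is a triage signal that points at hosts to pull traces from, not a verdict.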

Rewarding Mediocrity

Organizations fail as a consequence of decisions taken by the collective intellect of the powers on the board. They are successful because of the same powers making effective, efficient decisions and managing risk. As an investor, every individual looks at a number of parameters before investing. These rules of investing have over the years been honed and tuned to such a level that the health of an organization can be gleaned from the statistics and information available to the public. Are any of the organizations that have got funding from the Government eligible as good investments, or investment grade? None of them would pass muster; they are bleeding organizations which should have been allowed to die, or made to scale down and become more efficient. Well, now that the funding has been secured, what is the guarantee that these funds will be utilized properly and efficiently? Would the Government end up with another body to oversee governance of these organizations? Are we ready and primed for

Threat Modeling

Humans have always used, and will always use, techniques we now call threat modeling. History is full of threat modeling techniques employed to counter an adversary. The adversary takes a multitude of forms and uses any available vector to neutralize your efforts to counter him. So what do we mean when we say threat modeling? Is a threat an adversary? Tomes have been written on the approach towards an adversary. In this blog I will use "threat modeling" to mean understanding the adversary in terms of the threat he brings to the table, the tools (armaments) at his disposal, and his ability to understand your weaknesses and exploit them. All this together helps the incumbent understand the posture he has taken vis-a-vis the adversary, and therefore the various actions and reactions that follow. The activity of listing all the threats, countermeasures, weaknesses and appropriate actio

Implementation and Coding - The holy grail - Code Analysis

Security verification is the process through which code is analyzed. As a prerequisite, it needs to be approached with due consideration of what the application is and the business operation it supports; without that context it is very difficult to prioritize and address the weaknesses found. Threat modeling is an important tool, and together with the threat model a security review is indispensable in identifying the root cause of vulnerabilities: the code. Work from the prioritized functions and the possible attack vectors; for example, protocol-handling errors are a likely area for input-validation problems. Once a preliminary build exists, a preliminary scan of the code base is possible. This provides a baseline that can then be pruned of areas that are out of scope, so that effort concentrates on the areas of potential weakness. The easiest way to achieve this is a static code analyzer; many tools are available, both open s

Software Design - An infosec angle

Software design is the stage where the code is really put to work to deliver or build a business function and application. It is the stage where the SRS (Software Requirements Specification) is finalized and signed off for design and development. The major difficulty in software design is to incorporate the business requirements and at the same time do threat modeling to understand the attack surface of the application. Many applications show no problems in regular use but respond in odd ways when given an input or action not anticipated in the application design. The major areas that the derived threat model needs to address are given by Microsoft's STRIDE model, which covers the following as part of the design:

1. Spoofing
2. Tampering
3. Repudiation
4. Information Disclosure
5. Denial of Service
6. Elevation of Privilege
7. Integrity of Data (not a separate STRIDE category: integrity is the property that Tampering violates)

Even though not all aspects are covered, most of
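The threat-modeling post above defines the activity as listing threats, weaknesses and countermeasures, and this post names STRIDE as the categories to cover. The following is an added example, not code from either post, showing how the two fit together in the STRIDE-per-element form: each element of a data-flow diagram (external entity, process, data store, data flow) is assigned the STRIDE categories that apply to that element type, and each category maps to the security property a countermeasure must provide. The element-to-category table is the one used in Microsoft's STRIDE-per-element practice; the three-tier diagram and the priority rule (flows that cross a trust boundary first) are constructed for illustration.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example, not code from the original posts. The element-type to
STRIDE-category table is the one used in Microsoft's STRIDE-per-element
practice; the DFD below and the priority rule are constructed for
illustration.
"""
from dataclasses import dataclass
from typing import List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# The security property each category attacks, which is also the class of
# countermeasure to look for in the design.
CONTROL = {
    "S": "authentication",
    "T": "integrity",
    "R": "non-repudiation (tamper-evident audit logging)",
    "I": "confidentiality",
    "D": "availability",
    "E": "authorization",
}

# Which categories apply to which kind of DFD element. Data stores get
# Repudiation only when they hold the audit trail itself.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TID",
    "dataflow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external | process | datastore | dataflow
    crosses_boundary: bool = False  # dataflow: crosses a trust boundary
    holds_logs: bool = False        # datastore: is the audit log


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # one STRIDE letter
    name: str
    control: str    # property to protect / countermeasure class
    priority: str   # "high" for flows over a trust boundary, else "normal"


def applicable_categories(element: Element) -> str:
    if element.kind not in APPLICABLE:
        raise ValueError(f"unknown element kind: {element.kind}")
    cats = APPLICABLE[element.kind]
    if element.kind == "datastore" and element.holds_logs:
        cats += "R"
    return "".join(c for c in "STRIDE" if c in cats)  # keep STRIDE order


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    threats = []
    for e in elements:
        priority = "high" if e.kind == "dataflow" and e.crosses_boundary else "normal"
        for c in applicable_categories(e):
            threats.append(Threat(e.name, c, STRIDE[c], CONTROL[c], priority))
    return threats


# Constructed DFD: browser (outside the trust boundary) -> web app -> DB,
# with the web app also writing an audit log.
SAMPLE_DFD = [
    Element("Browser", "external"),
    Element("Web app", "process"),
    Element("Orders DB", "datastore"),
    Element("Audit log", "datastore", holds_logs=True),
    Element("Browser -> Web app", "dataflow", crosses_boundary=True),
    Element("Web app -> Orders DB", "dataflow"),
    Element("Web app -> Audit log", "dataflow"),
]


if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        print(f"[{t.priority:6}] {t.element:22} {t.category} {t.name:24} -> {t.control}")
```

The output is the starting list the post calls for: 24 candidate threats for seven elements, each already tagged with the control that would mitigate it, so the design review becomes a matter of confirming or rejecting each line rather than brainstorming from nothing.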

Applying Security Concepts to Software Design - An insider's story

One of the main tenets of secure application development is to include information security planning at the earliest stage of the projects that are executed. It has been our experience that to include, or to make provisions for, security and related concepts in an application at a later date is very difficult and expensive. The major design models we use are the TOGAF open standard and SUP, a derivative of RUP customized for use in our organization. It is mandatory that a resource from the Information Security team is included from the inception stage of any project. We ensure that projects do not exclude the information security aspect by ensuring that no project gets approval to procure, or is issued a Project ID (for project tracking as well as resource allocation), unless an approval is provided by the IT Integration and Security team. We have found that this has vastly improved our project delivery schedules as well as the information-gathering stage, w

Key Management Nightmare

I have worked in a few places where PKI has been deployed and managed manually. We have had major issues in managing the keys issued, and a nightmare as we updated our key management systems (Excel sheets). At one of the organizations I worked for, the system used an internally generated PKI for managing a large set of devices. These devices were issued certificates and needed them to connect to the server. This being an important and critical system, involving devices all across the United States and Canada, it was such a pain to maintain: the certificates expire at different times, and it was difficult to keep track of expiring certificates, equipment pulled off the network, and certificates that needed to be expired for some reason. The main certificate server, based on OpenSSL, held the root certificate, and copies of the client certificates were kept on a USB fob and locked away. The process was so contorted that it involved two FTEs to handle this job on a regular basis (E
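The three cases the post describes (certificates expiring at different times, devices pulled off the network, certificates that must be forced out early) are exactly the states a scripted inventory check should sort into actions. The following is an added example, not the process from the original post: it reads a small inventory (device id, certificate serial, notAfter, device status) and assigns every certificate to one of renew, expired-while-active, revoke, or ok, plus the serials that belong on the CRL. The CSV rows, the reference date and the 30-day warning window are constructed for illustration; in practice the rows would be exported from the CA database rather than kept by hand.

```python
"""Lifecycle checks over a certificate inventory for a manually operated
internal PKI: what must be renewed, what has already lapsed while the
device is still active, and what must be revoked because the device was
pulled from the network while its certificate is still valid.

Added example, not the process from the original post. The CSV inventory,
the reference date AS_OF and the 30-day warning window are constructed for
illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

INVENTORY_CSV = """\
device_id,serial,not_after,status
dev-001,1001,2009-04-15T00:00:00Z,active
dev-002,1002,2009-06-30T00:00:00Z,active
dev-003,1003,2009-03-01T00:00:00Z,active
dev-004,1004,2010-01-01T00:00:00Z,decommissioned
dev-005,1005,2009-02-01T00:00:00Z,decommissioned
"""

# Reference "now" so the example is reproducible (constructed).
AS_OF = datetime(2009, 4, 1, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_inventory(text: str):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = parse_time(row["not_after"])
        rows.append(row)
    return rows


def triage(inventory_text: str, now: datetime = AS_OF, warn_days: int = 30):
    """Sort every certificate into exactly one action bucket.

    renew:          active device, certificate expires within warn_days
    expired_active: active device whose certificate has already lapsed
                    (it can no longer authenticate: an outage, not a risk)
    revoke:         device decommissioned but certificate still valid
                    (the key left with the hardware: revoke and publish)
    ok:             nothing to do
    """
    horizon = now + timedelta(days=warn_days)
    buckets = {"renew": [], "expired_active": [], "revoke": [], "ok": []}
    for cert in load_inventory(inventory_text):
        valid = cert["not_after"] > now
        active = cert["status"] == "active"
        if not active and valid:
            bucket = "revoke"
        elif active and not valid:
            bucket = "expired_active"
        elif active and cert["not_after"] <= horizon:
            bucket = "renew"
        else:
            bucket = "ok"
        buckets[bucket].append(cert["device_id"])
    return buckets


def revocation_serials(inventory_text: str, now: datetime = AS_OF):
    """Serials to place on the CRL: decommissioned devices with valid certs."""
    return sorted(c["serial"] for c in load_inventory(inventory_text)
                  if c["status"] != "active" and c["not_after"] > now)


if __name__ == "__main__":
    print(triage(INVENTORY_CSV))
    print("revoke serials:", revocation_serials(INVENTORY_CSV))
```

The revoke bucket is the one a spreadsheet process tends to miss: a decommissioned device's certificate stays valid until notAfter, so whoever ends up with the hardware can still connect unless the serial is revoked and the CRL actually reaches the server.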

Secure SDLC - Security Verification - A needed process

Security verification is the process through which code is analyzed. As a prerequisite, it needs to be approached with due consideration of what the application is and the business operation it supports; without that context it is very difficult to prioritize and address the weaknesses found. Threat modeling is an important tool, and together with the threat model a security review is indispensable in identifying the root cause of vulnerabilities: the code. Work from the prioritized functions and the possible attack vectors; for example, protocol-handling errors are a likely area for input-validation problems. Once a preliminary build exists, a preliminary scan of the code base is possible. This provides a baseline that can then be pruned of areas that are out of scope, so that effort concentrates on the areas of potential weakness. The easiest way to achieve this is a static code analyzer; many tools are available, both open
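Both the "Code Analysis" post and this one describe the same loop: scan the preliminary build, prune what is out of scope, prioritize what remains. The following is an added example, not code from either post, of what the smallest version of that scanner looks like for a Python code base: it walks each file's AST, flags calls into a table of known dangerous sinks, drops findings whose arguments are constants (nothing attacker-controlled can reach them) to the bottom of the list, and skips paths excluded from the review. The sink table, the exclusion globs and the sample files are constructed for illustration; a real static analyzer also resolves imports (a "from os import system" would evade this one) and tracks taint across function boundaries.

```python
"""Minimal static-analysis pass over a Python code base: walk each file's
AST, flag calls into known dangerous sinks, rank by severity, and prune
paths that are out of scope for the review.

Added example, not code from the original posts. The sink table, the
exclusion globs and the sample files are constructed for illustration.
"""
import ast
import fnmatch
from typing import Dict, List

# sink -> (severity 1-10, weakness). Severity is the prioritisation input.
SINKS = {
    "eval": (9, "code injection via eval()"),
    "exec": (9, "code injection via exec()"),
    "os.system": (8, "OS command injection"),
    "os.popen": (8, "OS command injection"),
    "pickle.loads": (8, "unsafe deserialisation"),
    "yaml.load": (7, "unsafe YAML load (use yaml.safe_load)"),
    "hashlib.md5": (3, "weak hash"),
}
# subprocess is only a sink when shell=True turns the command into shell text.
SUBPROCESS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
              "subprocess.check_output", "subprocess.check_call"}

# Constructed tree: path -> source. Line numbers matter for the findings.
SAMPLE_TREE = {
    "app/views.py": (
        "import os, subprocess, pickle\n"                   # 1
        "def run(cmd):\n"                                   # 2
        "    os.system('ls ' + cmd)\n"                      # 3 tainted -> shell
        "def cleanup():\n"                                  # 4
        "    os.system('rm -rf /tmp/build')\n"              # 5 constant only
        "def load(blob):\n"                                 # 6
        "    return pickle.loads(blob)\n"                   # 7 untrusted blob
        "def ok(path):\n"                                   # 8
        "    subprocess.run(['ls', path])\n"                # 9 argv list, no shell
        "def bad(path):\n"                                  # 10
        "    subprocess.run('ls ' + path, shell=True)\n"    # 11 shell text
    ),
    "tests/test_views.py": "import os\ndef test_x():\n    os.system('true')\n",
}


def callee_name(call: ast.Call):
    """Dotted name of the called function: 'os.system', 'eval', or None."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def has_shell_true(call: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def constant_args_only(call: ast.Call) -> bool:
    """True when no positional argument can carry attacker-controlled data."""
    return all(isinstance(a, ast.Constant) for a in call.args)


def scan_source(path: str, source: str) -> List[Dict]:
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name in SUBPROCESS:
            if not has_shell_true(node):
                continue                      # argv list form is the safe idiom
            severity, weakness = 8, "OS command injection (shell=True)"
        elif name in SINKS:
            severity, weakness = SINKS[name]
        else:
            continue
        if constant_args_only(node):
            severity -= 5                     # constant input: keep, but low priority
        findings.append({"path": path, "line": node.lineno, "sink": name,
                         "severity": severity, "weakness": weakness})
    return findings


def scan_tree(tree: Dict[str, str], exclude=("tests/*", "vendor/*")) -> List[Dict]:
    """Scan every file not matching an exclusion glob; highest severity first."""
    findings = []
    for path, source in tree.items():
        if any(fnmatch.fnmatch(path, pattern) for pattern in exclude):
            continue
        findings.extend(scan_source(path, source))
    return sorted(findings, key=lambda f: -f["severity"])


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['severity']:2} {f['path']}:{f['line']} {f['sink']}: {f['weakness']}")
```

On the sample tree the scan returns four findings, the three with variable input first and the constant-argument os.system() last; the test directory is pruned entirely. That ordering is the point of the post: the tool produces the baseline, the review spends its time on the top of the list.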

Some Questions to ask a prospective SaaS provider

Communication and Operations Management

1. Network security - IDS: how are the signatures managed? IPS: is it linked to the incident management system?
2. Network management - Encrypted authentication credentials: how is data managed? Do all the users share a single database?
3. Administrative ports - How are they managed? Are administrative privileges restricted by IP or port?
4. Network logging - What kind of logging is done?
5. Virus protection (servers) - How are you protected from viruses? On a shared platform, do you scan all documents for viruses before upload?
6. Administrative activity logging - Is all admin activity logged? What parameters are logged?
7. Log-on activity logging - Is logging of individuals maintained, including time-sheet users?
8. Log retention - How long are the logs retained?
9. Web site privacy policy - What about the privacy policy? What is the due care polic

SDLC - Infosec and the SDLC - Where to implement Security

The traditional way to develop software is to write down the Software Requirements Specification (SRS) document and then bring it to the table for security to review. Security is always an afterthought, and it takes a lot of selling from the Information Security team to get even a few changes made to the SRS. Many times, when the SRS is written and the Business Analyst picks up the nuances of the application to document it, a major area not covered is information security. We have also found instances where the Information Technology folks define security in a way that suits the platform or technology they are comfortable with. The major trouble with this model is that the Business Analyst is so intent on the functionality of the application, and the technologists (the Architect and the Project Manager) are so intent on building the application on time and within budget, that InfoSec issues are on the back burner. The approach that is best recommended is for the Inf

CIO Questions answered - Your comments welcome - The reflections of the inner self

Briefly describe the typical size and organization of an IT team that you have managed. Include the division of responsibilities, how you track progress, etc.

My experience ranges from working independently, mainly to maintain my independence when I perform audits, to managing teams of 25 to 100 consultants in various roles. I have handled multiple projects simultaneously, with multiple consultants (typically five to ten) working on each. We have used a set of tools to monitor progress as well as milestones. The projects ranged from simple product roll-outs (Microsoft Active Directory domain builds, log consolidation, vulnerability management) in line with product specifications, to complex system integration involving multiple SOA interfaces for healthcare applications. For a successful project there needs to be proper delegation; personally I believe a person can deliver if he is not micromanaged, identifyi

PMI-RMP Examination - A few pointers

I was one of the first takers of the exam, though I missed qualifying for the fifty percent discount by a day. I took the exam in early November, and it was quite an experience considering that there is very little information available as to the content and nature of the exam. The experience of having taken the PMP exam comes in handy, as the jargon used is very much in line with PMI-PMP speak. It is imperative to note that though the exam was very much in line with the draft documentation on the risk management process that has been published, it had a few elements of surprise as well. As a risk manager accustomed to taking risk in its negative connotation, it needs to be noted that RISK is considered positive as well as negative. With this rule of thumb, it is easier to understand the questions properly and subsequently answer them. The approach I took was to ensure that I ran through the glossary from

E-Learning - The next wave to reach the masses!!

E-learning is an area of immense personal interest to me. I have worked on various projects over the years and have found many of them wanting in some areas, with not a single product able to fill the void. As part of this exercise I ended up evaluating a few of the open source products that build on platforms that already exist; the LMS based on Joomla is a case in point. One of the most interesting of the open source projects is ILIAS. This product provides interactivity as well as custom builds for each teacher/student group. There are oodles of other projects that have reached a stage where they can be used effectively, including Moodle, Sakai, OLAT and many more. One of the issues that often crops up in the selection of courseware is the proprietary nature of the content that needs to be generated within the LMS, rather than porting content available from different sources. The standard for such work is SCORM. It is imperative to look at

TOGAF as an Architecture Framework

Been running through the TOGAF framework and have been overall impressed with the structure of the process. From the way it is structured you can make out that it is a mish-mash of Agile and the reusable-component model that is in vogue, similar to any SOA roll-out. More thoughts on their way as I rummage through this material.

October 20th 2008 - Nokia N810 / Roku Netflix Device / PS3 / Mac Mini

The Nokia N810 tablet is a device that can provide hours of online time with good capabilities to handle most day-to-day activities. I have been using it for the last few weeks and it has many times replaced my laptop and desktop. Nice configurable interfaces with a fantastic set of applications make it a desirable device to use. Typical uses on a daily basis: I use it to watch YouTube. At times it is not great over a 3G connection through my Nokia 6655 (service from AT&T) but streams well over the WiFi connection. Pairing up with the Nokia 6655 is