
Posts

Showing posts from February, 2009

Key Management Nightmare

I have worked in a few places where PKI was deployed and managed manually. We had major issues managing the keys that were issued, and updating our key management systems (Excel sheets) was a nightmare. At one of the organizations I worked for, the system used an internally generated PKI to manage a large set of devices. These devices were issued certificates, which they needed in order to connect to the server. This being an important and critical system, involving devices all across the United States and Canada, it was a real pain to maintain: the certificates expired at different times, and it was difficult to keep track of expiring certificates, equipment that had been pulled off the network, and certificates that needed to be expired for some reason. The main certificate server, based on OpenSSL, held the root certificate, and copies of the client certificates were kept on a USB fob and locked away. The process was so contorted that it took two FTEs to handle this job on a regular basis (E
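The expiry-tracking problem described above can be taken off the spreadsheet by reading the CA's own database. The script below is an example added to this post, not the author's tooling: it parses the index.txt file that `openssl ca` maintains (one tab-separated line per certificate: status V/R/E, expiry, revocation date with optional reason, serial, filename, subject DN) and buckets every device certificate as revoked, expired, expiring within a warning window, or fine, relative to a reference date. SAMPLE_INDEX, the device names and REFERENCE_NOW are constructed for the demonstration.

```python
"""Flag device certificates needing action from an OpenSSL CA's index.txt.

Added example for this post; it is not the original author's tooling.
`openssl ca` keeps its database in index.txt, one tab-separated line per
certificate: status (V valid / R revoked / E expired), expiry, revocation
date (with optional ",reason"), serial, filename, subject DN.  This script
parses that file and buckets certificates against a reference date so the
operator sees what is expired, revoked or about to expire without a
spreadsheet.  SAMPLE_INDEX and REFERENCE_NOW are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample index.txt content (not from a real CA).
SAMPLE_INDEX = (
    "V\t090615120000Z\t\t1001\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0001\n"
    "V\t100301000000Z\t\t1002\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0002\n"
    "R\t100301000000Z\t090201090000Z,keyCompromise\t1003\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0003\n"
    "E\t090110000000Z\t\t1004\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0004\n"
    "V\t090228235959Z\t\t1005\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0005\n"
    "V\t090201000000Z\t\t1006\tunknown\t/O=Example Corp/OU=Devices/CN=meter-0006\n"
)
# Fixed "today" so the report is reproducible (the post is from February 2009).
REFERENCE_NOW = datetime(2009, 2, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IndexEntry:
    status: str                 # V, R or E as written by `openssl ca`
    not_after: datetime
    revoked_at: datetime | None
    revocation_reason: str | None
    serial: str
    subject: str


def parse_asn1_time(value: str) -> datetime:
    """index.txt stores UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not value.endswith("Z") or len(value) not in (13, 15):
        raise ValueError(f"unexpected ASN.1 time: {value!r}")
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    entries: list[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked_at = reason = None
        if revocation:
            # Revocation column is "<date>" or "<date>,<reason>".
            date_part, _, reason_part = revocation.partition(",")
            revoked_at = parse_asn1_time(date_part)
            reason = reason_part or None
        entries.append(IndexEntry(status, parse_asn1_time(expiry), revoked_at, reason, serial, subject))
    return entries


def common_name(subject: str) -> str:
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return subject


def classify(entries: list[IndexEntry], now: datetime, warn_days: int = 30) -> dict[str, list[str]]:
    """Bucket certificates by the action the operator has to take."""
    report: dict[str, list[str]] = {"revoked": [], "expired": [], "expiring": [], "ok": []}
    warn_until = now + timedelta(days=warn_days)
    for e in entries:
        if e.status == "R":
            bucket = "revoked"
        elif e.status == "E" or e.not_after <= now:
            # `openssl ca` only flips V to E when `-updatedb` is run, so a stale
            # "V" with a past expiry date must still count as expired.
            bucket = "expired"
        elif e.not_after <= warn_until:
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].append(common_name(e.subject))
    return report


def build_report(text: str = SAMPLE_INDEX, now: datetime = REFERENCE_NOW) -> dict[str, list[str]]:
    return classify(parse_index(text), now)


if __name__ == "__main__":
    for bucket, names in build_report().items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
```

Run it against a real CA by replacing SAMPLE_INDEX with the contents of the CA's index.txt and REFERENCE_NOW with `datetime.now(timezone.utc)`. The stale-"V" check matters in practice: the status column only changes to E when someone runs `openssl ca -updatedb`, so a report that trusts the flag alone under-counts expired devices.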

Secure SDLC - Security Verification - A needed process

Security Verification is a process through which code can be analyzed. As a prerequisite, however, it needs to be approached with due consideration of what the application is and the business operation it supports; without that context it is very difficult to prioritize and address the weaknesses found. Threat modeling is an important tool here, and along with the threat model a security review is indispensable in identifying the root cause of vulnerabilities: the code. Work from the prioritized functions and the possible attack vectors; for example, protocol errors may be a potential area for input validation problems. Once a preliminary build exists, a preliminary scan of the code base is possible. This provides a baseline that can then be cleaned up to remove irrelevant areas, so that the effort is concentrated on the areas of potential weakness. The easiest way to achieve this is to use a static code analyzer; a lot of tools are available, both open
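The "scan, then clean up and concentrate" step above is easier to see with findings in hand. The script below is an added example, not the author's process or any particular scanner's output: it takes findings in a constructed `tool:path:line:rule:severity:message` line format, drops paths the threat model puts out of scope (tests, vendored code, docs), and ranks the rest by severity, by the exposure of the component the file belongs to, and doubles the score when the finding's weakness class is one of the attack vectors the threat model lists for that component. THREAT_MODEL, RULE_CLASS, the path prefixes and SAMPLE_FINDINGS are all constructed for illustration.

```python
"""Triage static-analyzer findings against a threat model.

Added example for this post; it is not the author's process or any
particular tool's output.  Scanner lines are in a constructed
"tool:path:line:rule:severity:message" format.  Paths the threat model
puts out of scope (tests, vendored code, docs) are dropped first, then each
remaining finding is scored by severity, by the exposure of the component
it lives in, and doubled when its weakness class is one of the attack
vectors the threat model lists for that component.  The component map,
rule classes and findings are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed threat model: path prefix -> exposure (1 internal .. 3 internet-facing)
# and the attack vectors identified for that component.
THREAT_MODEL = {
    "net/":   {"exposure": 3, "vectors": {"input-validation", "dos"}},
    "auth/":  {"exposure": 3, "vectors": {"auth-bypass", "input-validation"}},
    "admin/": {"exposure": 2, "vectors": {"injection"}},
    "util/":  {"exposure": 1, "vectors": set()},
}
OUT_OF_SCOPE = ("tests/", "vendor/", "docs/")
# Map scanner rule ids to the weakness class vocabulary used in the threat model.
RULE_CLASS = {
    "CWE-20": "input-validation", "CWE-89": "injection",
    "CWE-287": "auth-bypass", "CWE-400": "dos", "CWE-563": "code-quality",
}
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed scanner output (not from a real tool run).
SAMPLE_FINDINGS = """\
scan:net/proto.c:120:CWE-20:high:length field used unchecked as copy size
scan:util/str.c:44:CWE-563:low:unused variable
scan:tests/fuzz_proto.c:10:CWE-20:high:unchecked length in harness
scan:admin/report.c:77:CWE-89:medium:query built by string concatenation
scan:auth/login.c:33:CWE-287:high:password compared before lockout check
scan:vendor/zlib/inflate.c:900:CWE-20:medium:bounds check on window
scan:net/http.c:210:CWE-563:medium:dead store
scan:util/log.c:9:CWE-20:medium:format string from caller
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    rule: str
    severity: str
    message: str


def parse_finding(text: str) -> Finding:
    tool, path, line, rule, severity, message = text.split(":", 5)
    if severity not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity {severity!r} in {text!r}")
    return Finding(tool, path, int(line), rule, severity, message)


def component_for(path: str) -> dict:
    for prefix, model in THREAT_MODEL.items():
        if path.startswith(prefix):
            return model
    # Unmodelled code: assume low exposure and no known vectors.
    return {"exposure": 1, "vectors": set()}


def score(f: Finding) -> int:
    model = component_for(f.path)
    weakness = RULE_CLASS.get(f.rule, "other")
    multiplier = 2 if weakness in model["vectors"] else 1
    return SEVERITY_WEIGHT[f.severity] * model["exposure"] * multiplier


def triage(raw: str = SAMPLE_FINDINGS) -> tuple[list[tuple[int, Finding]], list[Finding]]:
    """Return (ranked in-scope findings, dropped out-of-scope findings)."""
    ranked, dropped = [], []
    for line in raw.splitlines():
        if not line.strip():
            continue
        f = parse_finding(line)
        if f.path.startswith(OUT_OF_SCOPE):
            dropped.append(f)
        else:
            ranked.append((score(f), f))
    ranked.sort(key=lambda sf: (-sf[0], sf[1].path, sf[1].line))
    return ranked, dropped


if __name__ == "__main__":
    ranked, dropped = triage()
    for s, f in ranked:
        print(f"{s:3d}  {f.path}:{f.line}  {f.rule} ({f.severity})  {f.message}")
    print(f"dropped {len(dropped)} out-of-scope finding(s)")
```

The point of the weighting is visible in the sample: the unchecked length field in the network protocol parser and the lockout-ordering bug in authentication come out on top, while a medium-severity format-string finding in an internal utility ranks near the bottom, which is where a reviewer with limited hours should spend them last.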

Some Questions to ask an prospective SaaS provider

Communication and Operations Management
1 Network Security: IDS - How are the signatures managed? IPS - Is this linked to the incident management systems?
2 Network Management: Encrypted authentication credentials - How is data managed? Do all the users share a single database?
3 Administrative Ports: How are they managed? Are administrative privileges restricted to IPs or ports?
4 Network Logging: What kind of logging is done?
5 Virus Protection - Servers: How are you protected from viruses? On a common platform, do you scan all documents for viruses before upload?
6 Administrative Activity Logging: Is all admin activity logged? What parameters are logged?
7 Log-on Activity Logging: Is logging of individuals maintained, including time sheet users?
8 Log Retention: How long are the logs retained?
9 Web Site Privacy Policy: What about the privacy policy? What is the due care polic

SDLC - Infosec and the SDLC - Where to implement Security

The traditional way to develop software is to write down the Software Requirements Specification (SRS) document and then bring it to the table for security to review. Security is always an afterthought, and it takes a lot of selling from the Information Security team to get even a few changes made to the SRS. Many times, when the SRS is written and the Business Analyst picks up the nuances of the application to document it, a major area left uncovered is information security. We have also found instances where the Information Technology folks define security in a way that suits the platform or technology they are comfortable with. The major trouble with this model is that the Business Analyst is so intent on the functionality of the application, and the technologists (the Architect and the Project Manager) are so intent on building the application on time and within budget, that InfoSec issues end up on the back burner. The approach that is best recommended is for the Inf

CIO Questions answered - Your comments welcome - The reflections of the inner self

Briefly describe the typical size and organization of an IT team that you have managed. Include the division of responsibilities, how you track progress, etc. My experience ranges from working independently, mainly to maintain my independence when I perform audits, to managing a team of 25 to 100 consultants in various roles. I have handled multiple projects simultaneously, with multiple consultants (typically five to ten) working on each. We have used a set of tools specifically to monitor progress as well as milestones. The projects ranged from simple product roll-outs (Microsoft Active Directory domain builds, log consolidation, vulnerability management) in line with product specifications, to complex system integration involving multiple SOA interfaces for healthcare applications. For a successful project there needs to be proper delegation; personally, I believe a person can deliver if he is not micromanaged, identifyi

PMI-RMP Examination - A few pointers

I was one of the first takers of the exam, though I missed qualifying for the fifty percent discount by a day. I took the exam in early November, and it was quite an experience, considering that there is very little information available about the content and nature of the exam. The experience of having taken the PMP exam comes in handy, as the jargon used in the exam is very much in line with PMI-PMP speak. It is imperative to note that, though the exam was very much in line with the draft documentation on the Risk Management Process that has been published, it had a few elements of surprise as well. As a risk manager accustomed to taking risk in its negative connotation, it needs to be noted that RISK is treated as positive as well as negative. Keeping this rule of thumb in mind helps in understanding the questions properly and subsequently answering them. The approach that I took was to ensure that I ran through the glossary from

E-Learning - The next wave to reach the masses!!

E-learning is an area of immense interest to me personally. I have been working on various projects over the years and have found many of them wanting in some areas, with not a single product able to fill the void. As part of this exercise, I ended up evaluating a few of the open source products that build on platforms that already exist; the LMS based on Joomla is a case in point. One of the most interesting of the open source projects is ILIAS. This product provides interactivity as well as custom builds for each of the teacher-student groups. There are oodles of other projects that have reached a stage where they can be effectively used; these include Moodle, Sakai, OLAT and many more. One of the issues that often crops up in the selection of courseware is the proprietary nature of the content, which needs to be generated within the LMS rather than ported from content available from different sources. The standard for such work is SCORM. It is imperative to look at

TOGAF as an Architecture Framework. I have been running through the TOGAF framework and have been impressed overall with the structure of the process. From the way it is structured you can make out that it is a mishmash of Agile and the reusable component model that is in vogue, similar to any SOA roll-out. More thoughts are on their way as I rummage through this material. October 20th 2008 NOKIA N810 / ROKU NETFLIX DEVICE / PS3 / Mac Mini The Nokia N810 tablet is a device that can provide hours of online time, with good capabilities to handle most day-to-day activities. I have been using this device for the last few weeks and it has often replaced my laptop and desktop. Nicely configurable interfaces with a fantastic set of applications make it a desirable device to use. Typical uses on a daily basis: I use it to watch YouTube. At times it is not great over a 3G connection through my Nokia 6655 (service from AT&T), but it streams well over the Wi-Fi connection. Pairing up with the Nokia 6655 is