I attended the Information Security exhibition “Infosec” at Olympia yesterday.
This was very popular this year and was packed out. The vendors presented the usual mix of boxes with buttons, diagrams, gorgeous young women and pushy bald salesmen.
In my purely subjective opinion vulnerability scanning seems to have grown in popularity and there were some good products in this line. End point security was being pushed though perhaps not as hard as last year.
I attended one pretty good seminar where some guy had worked out the value lost for each record of data which had been stolen by hackers. He claimed this worked out at £43 per record.
All computer and application systems that I am aware of (and I’m aware of a lot) have the concept of an Administrator. The name may vary (e.g. root, supervisor or admin) but the function is the same. They allow the user to do ANYTHING on the system.
Traditionally this has been necessary to allow the technicians to install and manage the system but in this era of ubiquitous networked computing this emerges as a gaping hole in security.
Manufacturers are starting to address this, though not as quickly or thoroughly as they should. Oracle have a product called Digital Vault which bolts on to their Database Management System (DBMS) to segregate the role of the manager of a database from the security administration. Other Intruder Detection/Prevention Systems provide monitoring of administration activity from outside.
However, these are all separate products and Operating Systems, DBMSs and applications all require an overhaul of their administrative role architecture. The role of the administrator needs splitting out into multiple roles to deliver segregation of duties. Interestingly Novell made moves in this direction with the auditor role starting in Netware 4 as I recall.
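As an added illustration of the role split argued for above (this is example code, not the post's or any vendor's, and the role and permission names are constructed), the toy policy below replaces a single all-powerful administrator with roles that never hold both halves of a conflicting permission pair, checks that stacking roles on one person does not recreate the conflict, and fails closed when it does:

```python
from itertools import chain

# Permission pairs that a single principal must never hold together: the
# person doing the work must not also control the record of that work.
CONFLICTS = (
    ("data.write", "audit.configure"),  # DBA switching auditing off
    ("data.write", "audit.purge"),      # DBA erasing the audit trail
    ("user.create", "role.grant"),      # creating an account and elevating it
)

ALL_PERMISSIONS = frozenset(chain.from_iterable(CONFLICTS)) | {
    "data.read", "schema.alter", "audit.read"}

# The traditional model: one administrator who can do everything.
MONOLITHIC_ROLES = {"root": ALL_PERMISSIONS}

# A split model: four constructed roles, none of which holds both
# halves of any conflicting pair on its own.
SPLIT_ROLES = {
    "dba": frozenset({"data.read", "data.write", "schema.alter"}),
    "security_admin": frozenset({"user.create", "audit.configure"}),
    "access_approver": frozenset({"role.grant"}),
    "auditor": frozenset({"audit.read", "audit.purge"}),
}

def effective_permissions(roles, assignments, principal):
    """Union of the permissions of every role assigned to the principal."""
    return frozenset().union(*(roles[r] for r in assignments.get(principal, ())))

def segregation_violations(roles, assignments):
    """List (principal, a, b) for each conflicting pair a principal ends up
    holding, whether from one over-broad role or from stacking several."""
    found = []
    for principal in assignments:
        perms = effective_permissions(roles, assignments, principal)
        found.extend((principal, a, b) for a, b in CONFLICTS
                     if a in perms and b in perms)
    return found

def authorize(roles, assignments, principal, permission):
    """Fail closed: a principal whose role set breaks segregation of duties
    is granted nothing until the assignment is corrected."""
    if any(p == principal for p, _, _ in segregation_violations(roles, assignments)):
        return False
    return permission in effective_permissions(roles, assignments, principal)
```

Running `segregation_violations` over the monolithic model reports every conflict at once, which is exactly the overhaul the administrative role needs.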
Cross site scripting raised its ugly head again and I don’t think users are well enough informed of just how dangerous this can be. Opening a link sent by a hacker can inadvertently provide that hacker with administrative access to your PC and anything else your PC has access to. All without the user knowing.
Do not open links in Emails from unknown sources. – This can’t be stressed enough!
A company named Qualys had an interesting scanner which allowed vulnerabilities and policies to be mapped into a framework such as COBIT. This is an excellent idea as it allows IT governance practitioners a way of interfacing with the technical aspects of systems.
The image of IT workers is of introverted nerds. Some are of course, but this was the old days. IT has become big business and, by turning over so much money, the IT industry now attracts salesmen. Hordes of them, lounging around in suits bawling into their BlackBerrys.
I had intended to spend two or three days at Infosec but after one day I’d had enough. By the time I left the sun had come out and London looked pretty good.