The EFF posted this article about a new found vulnerability in what they refer to as Popular Disk Encryption Technologies. After reading the details, it seems more like a vulnerability in File Encryption technologies -- these are the technologies that require a user to enter a password in order to encrypt or decrypt files and folders on the file system. The difference in my view is that the term Disk Encryption is usually used to refer to products that encrypt or protect the entire disk when it's shut down. This is important, though. File encryption is particularly important in shared use scenarios where you want to protect files or data from people who have physical access to your machine. What this tells us is that even if you log out or put the computer in sleep mode, someone can come along and run software to get the data that is stored in RAM which may include your encryption key (password). What they didn't say is whether other types of passwords or credential information is also stored in RAM. It's another argument for two-factor authentication where a password alone wouldn't be enough to carry out an attack on the data. At least, how I read it is that the password is what could be stored in RAM and not necessarily the protected data.
Friday, February 22
Friday, February 15
Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (...or set of ...or service of). But I didn't make that distinction in my previous post. But, is that the basic point you're making? ...that IT compliance is a subset of overall Compliance? Or is there more to it?
I guess what I was thinking is that the service would not only provide controls that put you in compliance and evidence that proves you're compliant but also could tell you which questions you should be answering. ...even with regard to current trends in regulatory and market pressures (which no doubt change over time).
Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?
The main thing I'm wondering is if organizations would get value from an external party taking over the IT audit portion so that the org itself (who might be anticipating regulatory pressure) wouldn't have to figure out which questions to ask, how to ask them, how to build controls to get the right answers, and how to prove that the answers are what they should be.
Thursday, February 7
Mark Macauley thinks CaaS - Compliance as a Service may be the new frontier. I like the concept. It seems to me that organizations are struggling with how to attack compliance issues. Fortune 500's with a compliance officer and a separate internal audit staff are probably able to come up with a methodology and processes for dealing with compliance. But, it's not easy. Or cheap. Smaller organizations especially don't have the resources to put people full time on figuring out compliance. I think there are definitely organizations out there that would love to have a third party who is willing to be an expert and own compliance for them. To understand which questions need to be answered and how to get the answers. And in the process of making life easier, reduce cost as well. Sounds good Mark.
Monday, February 4
Thanks to IT Business Edge for taking some time to speak with me about the insider threat. Now, I'm going to take a moment to argue with myself on one point. While I do think non-malicious breaches occur far more often than their malicious counterparts, I do also concede that so far it appears that the malicous attacks have brought about more monetary damages (which is usually the bottom line in corporate environments). So, the question of which is a bigger threat probably depends on which beans you're counting. Strictly from an audit and policy perspective, you want to be sure that policies are being enforced, which is why the numerous security breaches we often see in our daily routines seem like a bigger threat. They're more likely to cause problems in an audit or compliance project. And they open holes which can be exploited during malicious attacks. So, if you don't patch the holes that are often exploited by non-malicious personnel, it could come back to bite you in the bottom line.
NetVision launched a new web site focused on our solution for reporting and monitoring on Windows and Active Directory. The solution is pretty cool. If you're having trouble understanding how to generate reports or apply real-time monitoring for Active Directory, you should check it out.
This is not a SIEM solution designed to collect logs from as many sources as possible. This is a very focused solution on Identity information in Active Directory. The listener is embedded into Active Directory so that we're not reliant on the security event logs, which provides non-repudiable proof of events that are taking place. And it means that we're not limited to the information provided by the event log (there is a limited set of attributes available for a user object change, for example). We can tell you what changes were made, when the change occurred and who initiated it. All of which is valuable audit and compliance information.
We also have advanced filtering capability on the listeners so that you can filter events by type, object, or actor. This means that you only collect relevant data which reduces storage and makes it easy to get to the data you want on the reporting side. We can tell you things like user attributes and group memberships, changes to user accounts or groups, inactive user accounts, OU changes, file system Access Control List changes, file system access attempts and file adds or changes. And we provide policy and report templates that make it easy for you to get up and running.
So take a look and let us know if you have questions.