Cyber Security Policy

President Obama has put Information Security firmly on the government agenda with his speech about forming a new office at the White House led by a 'Cyber Security co-ordinator'.

I think the success or failure of such a role will depend on the same factors that make Information Security work in the private sector: commitment from the top and buy-in from the major stakeholders. There seem to be a lot of unanswered questions besides who will hold the post, such as what level of authority the position will hold, what kind of budget it will control, and whether it will be more than a single point of coordination for existing agencies.

Protecting a business is difficult enough: ensuring there are adequate resources, that executive support is maintained over time, and that co-operation from the various departments and divisions continues. Protecting a country, where there is a history of inter-agency antagonism and where private industry holds so much power over parts of the critical infrastructure, is a mammoth task.

I wonder how long it will be before our government decides they too need someone in charge of information security? If they do, I can only hope it is handled better than the National Broadband Network and the government web filter. Experience suggests otherwise, however...

As an update, there is a great opinion piece on the history of the 'cyber-czar' and what it may amount to here.

Retransmission Steganography

Now this is just plain cool: creating a covert channel out of the retransmission mechanism in protocols that retransmit lost data, e.g. TCP and CSMA/CD (the collision-handling scheme of shared-medium Ethernet; switched, full-duplex Ethernet has no collisions and does not use it). The receiver deliberately withholds an acknowledgement so that the sender retransmits, and the retransmitted segment carries the hidden data in place of the original payload, which the receiver already has. Like any good hack, it uses an essential and helpful feature in a way the original designers never intended... I like it.
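To make the mechanism concrete, here is a small Python simulation of a retransmission-based covert channel over a toy TCP-like transport, together with the passive check that catches it. This is an added example, not code from the original post or from the RSTEG authors; the segment model, the key-derived choice of carrier segments, the null-padding of hidden chunks and the sample data are all constructed for illustration and do not touch real sockets.

```python
"""Retransmission steganography, simulated, plus the detector that defeats it.

Added example (not from the original post or the RSTEG paper). Everything here,
the segment format, the carrier-selection scheme, the sample traffic, is
constructed for illustration only.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SEG_LEN = 8  # payload bytes per segment; toy value chosen for the example


@dataclass(frozen=True)
class Segment:
    """What a passive observer sees on the wire: a sequence number and payload."""
    seq: int
    payload: bytes


def carrier_seqs(key: bytes, n_segments: int, n_needed: int) -> set[int]:
    """Choose which segments will be deliberately 'lost' and reused as carriers.

    Both parties derive the same set from a pre-shared key, so the selection is
    never signalled in-band. Constructed scheme: the paper prescribes no method.
    """
    if n_needed > n_segments:
        raise ValueError("hidden message longer than the cover traffic can carry")
    chosen: set[int] = set()
    counter = 0
    while len(chosen) < n_needed:
        digest = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        chosen.add((int.from_bytes(digest[:4], "big") % n_segments) * SEG_LEN)
        counter += 1
    return chosen


class CovertSender:
    """Sends the cover stream; retransmits honestly except for carrier segments."""

    def __init__(self, cover: bytes, hidden: bytes, key: bytes):
        self.segments = [cover[i:i + SEG_LEN] for i in range(0, len(cover), SEG_LEN)]
        chunks = [hidden[i:i + SEG_LEN].ljust(SEG_LEN, b"\0")
                  for i in range(0, len(hidden), SEG_LEN)]
        carriers = sorted(carrier_seqs(key, len(self.segments), len(chunks)))
        # the i-th carrier (in sequence order) carries the i-th hidden chunk
        self.carrier_payload = dict(zip(carriers, chunks))

    def transmit(self, idx: int) -> Segment:
        return Segment(idx * SEG_LEN, self.segments[idx])

    def retransmit(self, seq: int) -> Segment:
        # A genuine retransmission repeats the original bytes. For a carrier the
        # hidden chunk goes out instead: the peer already holds the real data,
        # so the application stream is unaffected.
        honest = self.segments[seq // SEG_LEN]
        return Segment(seq, self.carrier_payload.get(seq, honest))


class CovertReceiver:
    def __init__(self, key: bytes, n_segments: int, n_chunks: int):
        # segment and chunk counts are assumed agreed out of band (constructed)
        self.carriers = carrier_seqs(key, n_segments, n_chunks)
        self.data: dict[int, bytes] = {}
        self.hidden: dict[int, bytes] = {}

    def receive(self, seg: Segment) -> bool:
        """Process one segment; return True if an ACK is sent for it."""
        if seg.seq in self.data and seg.seq in self.carriers:
            self.hidden[seg.seq] = seg.payload  # retransmitted carrier = steganogram
            return True
        self.data[seg.seq] = seg.payload
        # withhold the ACK on a carrier's first arrival to provoke the retransmission
        return seg.seq not in self.carriers


def run_channel(cover: bytes, hidden: bytes, key: bytes, wire: list[Segment]):
    """Drive one transfer, appending every segment to `wire` for the observer."""
    snd = CovertSender(cover, hidden, key)
    rcv = CovertReceiver(key, len(snd.segments), len(snd.carrier_payload))
    for idx in range(len(snd.segments)):
        seg = snd.transmit(idx)
        wire.append(seg)
        if not rcv.receive(seg):
            # no ACK: the sender's retransmission timer fires (one RTO of delay
            # per hidden chunk is the price of the channel)
            retx = snd.retransmit(seg.seq)
            wire.append(retx)
            rcv.receive(retx)
    recovered_cover = b"".join(rcv.data[s] for s in sorted(rcv.data))
    # padding nulls are stripped; a real scheme would carry an explicit length
    recovered_hidden = b"".join(rcv.hidden[s] for s in sorted(rcv.hidden)).rstrip(b"\0")
    return recovered_cover, recovered_hidden, sorted(snd.carrier_payload)


def detect_mismatched_retransmissions(wire: list[Segment]) -> list[int]:
    """Passive check: a real TCP retransmission repeats the bytes first sent for
    that sequence number, so a repeated seq with a different payload is suspect."""
    first_seen: dict[int, bytes] = {}
    flagged = []
    for seg in wire:
        original = first_seen.setdefault(seg.seq, seg.payload)
        if original != seg.payload:
            flagged.append(seg.seq)
    return flagged


if __name__ == "__main__":
    cover = b"The quick brown fox jumps over the lazy dog. " * 4  # constructed cover
    hidden = b"meet at 0300"                                       # constructed secret
    wire: list[Segment] = []
    got_cover, got_hidden, carriers = run_channel(cover, hidden, b"shared-secret", wire)
    print("cover intact:", got_cover == cover)
    print("hidden recovered:", got_hidden)
    print("carrier seqs:", carriers)
    print("flagged by detector:", detect_mismatched_retransmissions(wire))
```

The receiver gets the cover data intact and the secret out of the retransmissions, at the cost of one retransmission timeout per hidden chunk. The detector only needs to remember the first payload seen for each sequence number: honest retransmissions match and pass, carrier retransmissions differ and are flagged, which is why a monitor that buffers payloads (rather than just counting retransmissions) is what this channel has to fear.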

Securing Computers for Prisoners

This is something that poses some unique security challenges, but looking at the article (linked below) they seem to have done a reasonably good job, though it is difficult to tell without all the technical details. I particularly like the touch of see-through cases to stop the inmates from hiding things inside them.

Original Story

Default Passwords

In case you need any more reasons to change default passwords on your systems...

A separate IT department in the company a friend works for had, while attempting to configure a new SAN they had just purchased, managed to accidentally access the management interface of the SAN that hosts the main file server (the management tool apparently auto-discovers all matching devices on the network, and the production array was still accepting the factory credentials). Upon discovering several existing LUNs and being true intellectual giants, they assumed that said LUNs must be factory defaults and deleted them... All of them...

Thankfully the file server is part of a DFS pair so the impact was minimal, but it could have been one of those incidents that keeps sys admins at work 'til the wee small hours running restorathons.

Adobe's patch tuesday!

Looks like Adobe have recognised the need to organise their security efforts! I guess with all the recent bad press about security holes in Acrobat and Adobe Reader they've decided to move to a scheduled release. Aligning their patch day with Microsoft's Patch Tuesday is a nice touch and makes life that little bit easier for the administrators out there. No comment on their blog about it, but I hope this quarterly 'patch tuesday' also includes Flash...

More here

Oh noes

Just what the world needs, another Information Security Blog!
