What we're reading, week of 6/30

From Schneier on Security… Security and Human Behavior

Bruce Schneier contributes this very thought-provoking post from the first “Security and Human Behavior” workshop, prompting a discussion of how perception and human psychology affect not only the way people assess their security, but also the way security professionals devise solutions for problems. Schneier asserts that “[m]any real attacks on information systems exploit psychology more than technology. […] Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder. Deception-based attacks are now the greatest threat to online security.” Agree or disagree?

From Rational Survivability… VirtSec Not A Market!? Fugghetaboutit!

Christofer Hoff responds to the current discussion among bloggers of whether or not virtualization security is a market unto itself. Hoff’s position: VirtSec is simply the next step in the evolution of the existing InfoSec market.

From Security Fix… Forty Percent of Web Users Surf With Unsafe Browsers

Some interesting statistics here, from a Swiss study revealing that nearly half of Internet users over an 18-month period were not using the most recent, fully patched version of their web browser. Brian Krebs at Security Fix takes a stab at explaining why: most browsers have a woefully inadequate process for pushing updates to their...

What we’re reading, week of 6/23

From JJ’s Security Uncorked… Network Based Entitlement… A Rose by Any Other Name

JJ reviews Rohati’s recently announced “Network-based Entitlement Control,” concluding that Rohati’s approach to NAC is no different from what can already be accomplished with the traditional hardware solutions available today.

From Emergent Chaos… Not quite clear on the subject

This blogger corrects a news story about SSL encryption on the Pirate Bay (a large BitTorrent tracker based in Sweden), explaining that encryption will have no impact on the protection of people using the site: “SSL is a great technology for protecting content. You don’t care that the attacker knows you bought something, you want to protect your credit card number. It’s not very good at protecting the mere act of communication.”

From Andy, IT Guy… The nick of NAC gave me a paddy whack

Andy writes about the problems his organization has had moving its NAC solution from a testing environment into a live one. His anecdote highlights that no product, no matter how easily implemented, can overcome the “people problems” present in so many IT...

Inside and outside the network perimeter

Frank Cassano has written a series of posts at BlogInfoSec titled “Assessing Your Organization’s Network Perimeter” (see Part 1 and Part 2). We had a quick chat with NCP’s Rene Poot to get his perspective on Cassano’s analysis. Here’s what Rene had to say:

What should be mentioned as (one of the many) details would be that users within a company using WLAN, although physically within the confines of the building, are to be treated as remote access users. Someone outside on the street with a laptop and a malicious intent should be able to detect and possibly participate within the WLAN if it is not secured enough, as if they’re within the building and one of the users. It’s therefore imperative to realize that physical and virtual perimeters do not necessarily coincide!

Another point would be how far I want to ‘extend the perimeter’ and use the right ‘technology’ to fulfill the requirements: Incidental access to internal resources can best be facilitated with SSL-VPN access. This allows for limited access to internal resources by those that need it, such as suppliers/consultants/contractors and so on. This doesn’t require the user to install a ‘client’, but merely downloads the code within the browser and uses the browser to access the internal resources, and this access can be carefully controlled centrally on the SSL-VPN gateway.

Conversely, a full-time employee may need access to the ‘regular’ resources he would normally have at his desk while he’s on the road. A ‘full access’ or ‘LAN emulation’ (working remotely as if one is sitting at one’s desk) VPN solution would...