Category Archives: Quotes and Excerpts

Controlling Access to Information and Functions

Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. After all, the organization that has acquired and set up the system has expended valuable resources to establish and operate the system. After undergoing this effort, one would think that the organization would wish to control who can access the information that it has collected and stored.

Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this:

  1. Reliably identify the subject (e.g., the person, program, or system)
  2. Find out what object (e.g., information or function) the subject wishes to access
  3. Determine whether the subject is allowed to access the object
  4. Permit (or deny) the subject’s access to the object
  5. Repeat

The actual practice of access control is far more complex than these five steps. This is due primarily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place. These same systems must also be able to quickly distinguish “friendly” accesses from hostile and unfriendly attempts to access—or even alter—this same information.

The success of an access control system is completely dependent upon the effectiveness of the business processes that support it. User access provisioning, review, and revocation are key activities that ensure only authorized persons may have access to information and functions.

– excerpt from an upcoming textbook on information systems security

Demystifying UTM and NGF

You may be here to understand the difference between Unified Threat Management (UTM) and Next-Generation Firewalls (NGF).

Here’s the punch line: there really isn’t a difference. UTM and NGF are two marketing terms that have been developed to put a label on the advance of products designed to provide various protective capabilities. The two terms do represent a somewhat different point of view; let me explain.

UTM is the representation of products that began to combine previously-separate capabilities like anti-virus, anti-spam, web filtering, and so on. This was an answer to the fragmentation of different discrete products, each with its own small task.

NGF is the representation of firewall manufacturers who began to realize that they needed to incorporate many other types of threat-prevention capabilities into their firewalls, such as (you guessed it), anti-virus, anti-spam, web filtering, and so on.

UTM and NGF were different a few years ago, but as product makers from both ends filled in functionality, they met in a common middle where there’s no longer any practical difference.

  • sidebar from an upcoming book. Copyright (C) 2012 someone.

Threats

Threats.

Not just hypothetical ideas, but real: spam, malware, botnets, hackers, and organized crime. They want to own your systems, steal your data, and use your systems to attack tomorrow’s victims.

A generation ago, firewalls were enough for this. Today, alone, they hardly make a difference. Instead, a plethora of defenses are needed to repel the variety of attacks that bombarding every corporate network more rapid than the frenzied spattering of a Geiger counter next to a Chernobyl souvenir.

  • excerpt from an upcoming book (someone owns the copyright, but I can’t tell you who)

Classification of data center reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

  • Tier I – Basic ReliabilityPower and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
  • Tier II – Redundant ComponentsPower is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
  • Tier III – Concurrently MaintainableIncludes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
  • Tier IV – Fault TolerantIncludes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.
Excerpt from CISA All-In-One Study Guide, 2nd edition

Taking a Wider View of Application Security

Bookmark This (opens in new window)

As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from the Open Web Application Security Project (OWASP), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.

Wrong.

OK, sorry about that. I put that trap there for you, but I didn’t really expect you to step into it. I want to help you expand your thinking about application security.

Read rest of article here (redirects to softwaremag.com)

Personal integrity

A thought on personal integrity, from my business manager and wife, Rebekah Gregory:

“Simply recognizing a problem does not qualify us to fix it. We should strive for personal integrity rather than cashing in on what is broken. In this way we cultivate genuine trust and become dependable leaders.”

Implementation of audit recommendations

The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.

Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.”  And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.

- from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky