Thoughts want to be shared<br />
Just some stuff I had to get out of my head, mostly Security, Governance and Service Management related.<br />
Osama Salah (http://www.blogger.com/profile/05830483075525430345)<br />
<br />
<h3>'IT Project' Management Ramblings</h3>
Osama Salah, 2013-12-19<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Here are a few comments on "IT" projects. Some were learnt the hard way (and then learnt again and again).</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Project Sponsorship</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Do you have a sponsor? You do? Great, then everything will
work out just fine (and I will win the lottery tomorrow). Are you sure you have
the right sponsor? Not so sure anymore? Does the sponsor have the most to win
or the most to lose? If the project was assigned a project manager before the
sponsor was agreed on, that's a clue that the ride will be bumpy. If you don't have
the right sponsor, try your best to change the sponsor. If you can't, then try to
get someone else stuck with the project instead of you.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Project Length</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Can the project be split up? There is nothing wrong with splitting it
up. If you face resistance from people who don't like splitting up projects,
give it a positive spin and start talking about a "program", a "roadmap" etc.;
maybe you can get them to accept your approach.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">No, it's not your Baby!</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Don't get attached to the project. Don't get too excited
about the technology you will get to implement. If you do, then please go get a
life! Be objective, be stiff. It's OK not even to be convinced of the project's
value. You have to deliver the deliverables on time, on budget and at the agreed quality. The
value is usually someone else's problem (usually this secretive entity is
called "the business"). On the other hand, if it turns out that you are the one
making the business case and promising value that can only be realized by the
business itself, then you have likely set yourself up to fail.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Project Team</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Is everyone who will be assigned a significant task in this
project part of the project team? Get them all into the team. They need to
become part of "we"; otherwise they will be outsiders, and you might come to regret
that.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Commitment</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Do you suspect someone will be a troublemaker? Every
project has someone who isn't convinced, is too busy, or has more important
things to do. Expose them: assign them a task very early on in the project and
act according to the results.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Dedication</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">If your project team isn't dedicated to the project, then you
will constantly compete with others for the attention of your team members. They
most likely have other responsibilities that are more significant than your
project. Don't forget that! Your resources will never give you the attention
you expect (and they can't, since they are not dedicated to your project). You
will need to follow up not just frequently but continuously to keep them on track
and pull them back.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Planning</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">No project is too small to plan for. You only find out
whether you need a plan once you actually start developing one.
At a bare minimum you need a charter and a schedule. Small projects usually turn out
to be more problematic than you anticipate.</span></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Eisenhower said "Plans are useless, planning is everything".
No plan is ever final until you achieve your goal. Assuming you don't have
either a crystal ball or a time machine, it's OK to update the plan.</span></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<b><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Failure</span></b></div>
<div class="MsoNormal">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">At the closure of the project we get to declare whether it
succeeded or failed. If it failed, then it most likely failed early on.
It's just not easy to see failure early. It's like a parasite on your back:
everyone can see it but you. It will keep growing until it crushes you with
its weight. By the time you acknowledge its existence it's already too late. Don't
misread the signs, and don't keep hoping things will get better. They probably
won't unless you make changes that have an impact and address the root causes of
your problems.</span></div>
<br />
<div class="MsoNormal">
<br /></div>
</div>
<h3>2014 Security Predictions Compilation</h3>
Osama Salah, 2013-12-11<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
I've put together a compilation of the 2014 Security Predictions I could find. You can download the Excel sheet <a href="https://drive.google.com/file/d/0B23AyRPec4wRNmhxT2JNNlJ2LTQ/edit?usp=sharing" target="_blank">here</a> if you are interested. This tag cloud summarizes the result.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj72h18zWh86Eb_CUAFwVHJvK1B4lI74h1M1PbCCqUrCRSy3i7cs5BAqI4FXs57_wYob1hiuiFLuzkJnQsosPYe_USy0evUhu0IOd9Fmh1aQGaUqwyk4pk8N5JvHU7g1hdwIWK63W5gbvAq/s1600/2013-12-11_10-41-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj72h18zWh86Eb_CUAFwVHJvK1B4lI74h1M1PbCCqUrCRSy3i7cs5BAqI4FXs57_wYob1hiuiFLuzkJnQsosPYe_USy0evUhu0IOd9Fmh1aQGaUqwyk4pk8N5JvHU7g1hdwIWK63W5gbvAq/s400/2013-12-11_10-41-51.png" width="400" /></a></div>
<div>
<br /></div>
<div>
So what do security experts think will keep us busy in 2014?</div>
<div>
<br /></div>
<div>
<b>1. Internet of Things</b>: As if the onslaught of mobile devices wasn't enough to worry about, you will need to look after your fridge, TV, toaster etc. Will there be a Patch Tuesday for LG or Samsung appliances? Without underestimating the threat, I don't believe it will be a major concern in 2014. My guess is that it's currently fashionable to talk about the "Internet of Things" and that's why it pops up so frequently.</div>
<div>
<b>2. Mobile</b>: Mobile threats are at the top of the list. The business demands access to corporate services via mobile devices (it seems to be irrelevant which use case has actual business value and which doesn't), and your job is to make sure that the demand (should we call it wishes?) is met in a secure manner.</div>
<div>
<b>3. Cloud</b>: Cloud uptake might have taken a hit with the NSA revelations. I'm sure Mr. Snowden will keep us busy in 2014 with new revelations, but nonetheless demand for the cloud will remain, and so will the need to secure it. On the one hand you have to work with business units that resist the cloud due to security concerns and might be rejecting a valuable service because they misunderstand the risks; on the other hand you have end users who want to make use of every possible cloud service irrespective of those 'made up' risks that IT keeps talking about. You are just keeping them from being productive, from collaborating and communicating etc., all those nice words that the business is unlikely to be actually measuring or even attempting to measure.</div>
<div>
<b>4. Social Media Exploitation</b>: Not as obvious as the previous points, but we've seen it coming. Criminals will make 'even' better use of social media in targeting their victims.</div>
<div>
<b>5. BYOD</b>: It goes hand in hand with numbers two and three. Are we going to read about cases where BYOD went totally wrong and brought companies to their knees for rushing into it? Nothing to worry about: a dozen or so MDM vendors are lining up to lend a helping hand with time-proven solutions that quickly adapt to the changing mobile threat landscape (sprinkled with unicorn tears...). You will probably end up using only a small subset of the controls that are "reasonable" to implement, because your end users don't think they are that reasonable at all. You will probably end up making exceptions because some manager's device won't comply with your policy, etc. Maybe another vendor can sell us a system for managing exceptions too?</div>
<div>
<br /></div>
<div>
So it's mostly more of the same, happy 2014!</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
References:</div>
<div>
<ul>
<li><a href="http://www.computerweekly.com/opinion/Security-Think-Tank-ISFs-top-security-threats-for-2014">ISF’s top security threats for 2014</a></li>
<li><a href="http://www.gtsecuritysummit.com/2014Report.pdf">Georgia Institute of Technology: Emerging Cyber Threats Report 2014</a></li>
<li><a href="http://www.fortinet.com/press_releases/2013/fortiguard-labs-reveals-top-10-threat-predictions-2014.html">Fortinet’s FortiGuard Labs Reveal Top 10 Threat Predictions for 2014</a></li>
<li><a href="http://www.netutils.com/documents/whitepapers/NUSL/The_Top_Five_Enterprise_Security_Threats_for_2014.pdf">Network Utilities Systems: The Top Five Enterprise Security Threats for 2014 (and what to do about them)</a></li>
<li><a href="http://www.businessnewsdaily.com/5563-7-cybersecurity-risks-for-2014.html">Business News Daily: 7 Cybersecurity Risks for 2014</a></li>
<li><a href="http://researchcenter.paloaltonetworks.com/2013/12/2014-predictions-cybersecurity-trends/">Palo Alto 2014 Predictions: Cyber Security Trends</a></li>
<li><a href="http://researchcenter.paloaltonetworks.com/2013/12/2014-predictions-mobile-security/">Palo Alto 2014 Predictions: Mobile Security</a></li>
<li><a href="http://about-threats.trendmicro.com/us/security-predictions/2014/blurring-boundaries/">Trend Micro Security Predictions for 2014 and Beyond</a></li>
<li><a href="http://www.cutimes.com/2013/12/04/5-cyber-threats-coming-at-you-in-2014">Credit Union Times: 5 Cyber Threats Coming at You in 2014</a></li>
<li><a href="http://www.fireeye.com/blog/corporate/2013/11/top-security-predictions-for-2014.html">FireEye Top Security Predictions for 2014</a></li>
<li><a href="http://www.geoconnexion.com/news/lancopes-2014-security-predictions">Lancope's 2014 Security Predictions</a></li>
<li><a href="http://www.net-security.org/secworld.php?id=16022">Neohapsis 2014 Predictions</a></li>
<li><a href="http://www.symantec.com/connect/blogs/2014-predictions-symantec-0">2014 Predictions from Symantec</a></li>
<li><a href="http://www.websense.com/content/websense-2014-security-predictions-report.aspx">Websense 2014 Security Predictions</a></li>
<li><a href="http://www.informationsecuritybuzz.com/securitybuzz/wp-content/uploads/zscaler-2014-security-cloud-forecast-whitepaper.pdf">Zscaler 2014 Security Cloud Forecast</a></li>
<li><a href="http://www.informationweek.in/informationweek/news-analysis/286417/key-information-security-predictions-2014">5 Key Information Security Predictions for 2014 (Tarun Kaura, Technology Sales, India SAARC, Symantec)</a></li>
</ul>
</div>
</div>
<h3>Switching to Android</h3>
Osama Salah, 2012-03-07<br />
<div dir="ltr" style="text-align: left;" trbidi="on">I've replaced my iPhone with a Galaxy Nexus, mostly because I got bored with the iPhone and because both my wife and I had to replace our phones, which had stopped working correctly.<br />
<br />
To summarize the experience: The Galaxy Nexus and Android have their flaws, but I don't miss the iPhone and I've no intention to return to it for now.<br />
<br />
Here is my experience:<br />
<ul style="text-align: left;"><li>Love the bigger screen.</li>
<li>The back of the phone gets hot when you use it for a while.</li>
<li>The built-in speaker is too weak. The iPhone's speaker is much better.</li>
<li>Battery life is comparable to the iPhone's. Both need charging at the end of the day. For whatever reason my Nexus' battery life seems to have improved compared to when I first got it a few months ago.</li>
<li>Love the widgets.</li>
<li>Android Market region restrictions are stupid. I'm in the UAE and I can't even get some free Google stuff like Google Currents; I have to search the net and find someone sharing the package file. I'm also using the Amazon Appstore, but that's not an option for everyone, since you need a US credit card.</li>
<li>I didn't come across any application from my iPhone past that I missed on my Android. And I don't miss the billions of apps on the iTunes App Store; even if they cost just a few dollars, it's a waste of money and time to keep searching for the next cool app or deal you might miss.</li>
<li>Like the ability to replace the keyboard. I installed SwiftX.</li>
<li>When you hold the phone upright (portrait), you get three touch buttons at the bottom. The one in the middle (Home) is just under the keyboard. Quite often I'm typing away and touch it instead of the space bar and, oops, you are out of the app you were running. Annoying, but I'm getting better at avoiding it. In landscape mode you don't have that issue. Easily avoidable if they made the Home button slightly less sensitive when the keyboard is out.</li>
<li>The auto-rotate is too slow for my taste; it should be slightly faster.</li>
<li>The camera is OK, but obviously nowhere close to the iPhone 4S.</li>
<li>Not sure how Google is rolling out their updates, but I typically get an update two weeks after people in the US are already getting it (two updates so far).</li>
</ul><div>I still have my iPad and I don't think I'll replace it.</div><br />
<br />
</div>
<h3>FAIR Risk Management Taxonomy</h3>
Osama Salah, 2011-07-31<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The FAIR (Factor Analysis of Information Risk) methodology is impressive work. Even if you are never going to use it, I suggest you read it, as it broadens your understanding of risk management.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">A while back FAIR was handed over to The Open Group; I hope that will have positive effects and that it will spread and develop further.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">You can find it <a href="https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12239">here</a></span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">I've laid the taxonomy out as a full map. It comes in handy every now and then, just to remind myself of all the aspects that I need to consider when analyzing risks.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B23AyRPec4wRNGM4MGVkNTEtNmUwNS00MTg5LWE2MWItNGQ5YjU4NTQyM2Ex&hl=en_US"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipntPKtN0qrtl28FpTR-y0FrZPzscrfhMkHt-jMyTP47ORojBxQW45Wf9xwiGt0pcMCPC7Rzp1WVXcMArHnIwUKMJr0raDwz1jlIIcVKKbOmn2pAW7rkCAU3cw4pnNY8RUSDL-sgXkQUA3/s1600/FAIR.jpeg" /></a></div><div class="separator" style="clear: both; text-align: center;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B23AyRPec4wRNGM4MGVkNTEtNmUwNS00MTg5LWE2MWItNGQ5YjU4NTQyM2Ex&hl=en_US">Click here for the SVG version.</a></span></div></div>
<h3>Focus on the situation not the control types</h3>
Osama Salah, 2011-06-08<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Arial, Helvetica, sans-serif;">We all know the three </span><a href="http://en.wikipedia.org/wiki/Security_controls"><span style="font-family: Arial, Helvetica, sans-serif;">security control</span></a><span style="font-family: Arial, Helvetica, sans-serif;"> types: preventive, detective and corrective. When you are analyzing how to mitigate a risk, you typically think in terms of these three control types.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">I find it more intuitive to focus on the stage of the event: pre-event, event, post-event. Framing the problem this way creates context and leads faster to the identification of suitable controls.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Wikipedia maps the control types to the event stages like this:</span><br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Before the event, <b>preventive controls</b> are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">During the event, <b>detective controls</b> are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">After the event, <b>corrective controls</b> are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.</span></li>
</ul>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The only problem I have with that is the mapping "during the event: detective controls". When an event is occurring, detective controls are not your only option for action; you can also apply additional "preventive" controls. For example, a worm is spreading in your network (the event) and you shape your network traffic to slow it down or stop it from spreading further. I suppose one could argue that you are preventing it from creating a new event, but that would mean looking at the event as a series of isolated incidents, which I believe is counterproductive compared to looking at it as one single event.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">This approach has long been known in the injury prevention field as the </span><a href="http://en.wikipedia.org/wiki/Haddon_Matrix"><span style="font-family: Arial, Helvetica, sans-serif;">Haddon Matrix</span></a><span style="font-family: Arial, Helvetica, sans-serif;">, which addresses the same three stages but investigates each of them through a set of factors (in the original matrix: the host, the agent, and the physical and social environment).</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3QcmN8cFn9-puhJNAEJ0FzXI5i8tGMfzevVWa2oT8KzNhmmu9D4MRMOcqWzJiFLD3T18zw80DatEgPLO_JsRE1fTynvxAhs9TrI0ksGtReeTKXmsZbN_dOSMZvn32p8mr7tmhhJJL6Qi6/s1600/Haddon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3QcmN8cFn9-puhJNAEJ0FzXI5i8tGMfzevVWa2oT8KzNhmmu9D4MRMOcqWzJiFLD3T18zw80DatEgPLO_JsRE1fTynvxAhs9TrI0ksGtReeTKXmsZbN_dOSMZvn32p8mr7tmhhJJL6Qi6/s400/Haddon.jpg" t8="true" width="400" /></span></a></div><div align="left" class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">Also interesting are the possible ways to react in the three stages (reproduced below from Wikipedia), which are easily applicable to information security problems if you replace "agent" with "threat agent" and "host" with "asset" ("separate the agent from the host" then reads as network segmentation, and "increase the resilience of the host" as hardening and redundancy).</span></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><h3><span class="mw-headline" id="Pre-event"><span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Pre-event</span></span></h3><ol><li><span style="font-family: Arial, Helvetica, sans-serif;">Prevent the existence of the agent.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Prevent the release of the agent.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Separate the agent from the host.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Provide protection for the host.</span></li>
</ol><h3><span class="mw-headline" id="Event"><span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Event</span></span></h3><ol><li><span style="font-family: Arial, Helvetica, sans-serif;">Minimize the amount of agent present.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Control the pattern of release of the agent to minimize damage.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Control the interaction between the agent and host to minimize damage.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Increase the resilience of the host.</span></li>
</ol><h3><span class="mw-headline" id="Post-event"><span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Post-event</span></span></h3><ol><li><span style="font-family: Arial, Helvetica, sans-serif;">Provide a rapid treatment response for host.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Provide treatment and rehabilitation for the host.</span></li>
</ol><span style="font-family: Arial, Helvetica, sans-serif;">If anyone has some good ideas on how to apply the Haddon Matrix to information security and can suggest some factors to use, please share.</span></div>
<h3>What's in a name?</h3>
Osama Salah, 2011-04-13<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL_xSUVlq2YR1pYNijsUe3QKgosov1XX2u-Zm_GW4vkIh7L5Pre0ISrshS9N-NXqMvfy5SCmQ0DWUug3ZHB8MCRQlc59qcm33j4K45AIFnbdUT-kykTP3uigtwIDlmfq0AlaS0Gg1zdLgY/s1600/books.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL_xSUVlq2YR1pYNijsUe3QKgosov1XX2u-Zm_GW4vkIh7L5Pre0ISrshS9N-NXqMvfy5SCmQ0DWUug3ZHB8MCRQlc59qcm33j4K45AIFnbdUT-kykTP3uigtwIDlmfq0AlaS0Gg1zdLgY/s200/books.jpg" width="195" /></a></div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Every now and then I hear that we are supposed to speak the language of the business. In principle I agree with that; after all, it's about communication, and since we are the service provider and the business is the customer, we have to fall back on the taxonomy they are using. But that's about it; don't exaggerate.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Take for example the service catalog: why would you refer to "E-Mail" as "Messaging Service" or "SAP" as "Enterprise Resource Planning" when for the past decade the customer has gotten used to the original terms and is only confused by us trying to impose a perceived business language on them? My guess is that the user is perfectly OK with "Primavera" and probably confused if you suddenly start referring to it as "Enterprise Project Management". Maybe you can use those business terms for categorization, grouping etc., or in the service description, but not necessarily in the service name if it deviates from what the business is really using on a daily basis.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The point is that we are not on a crusade to stamp out technical jargon if it's perfectly well understood and used by the business. IT is no longer alien; it's an integral part of everyday life. OMG and LOL are being added to the Oxford English Dictionary; the times have changed.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Don't lose focus on what the services offer, but don't necessarily brand them forcibly with supposedly business-friendly terms.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">And while we are talking about names, what were they smoking when they came up with "IT Infrastructure Library"? It's such a lousy name; it has no meaning at all. Every now and then I catch myself talking about and referring to ITIL as if it were something self-contained (that's the best word I could come up with to describe it). The goal of improved service management becomes an afterthought, and that stupid (forgive my five-year-old's choice of words) ITIL moniker abstracts it away and doesn't help.</span></div>
<h3>Some thoughts about good metrics...</h3>
Osama Salah, 2011-03-23<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><span style="font-family: Arial, Helvetica, sans-serif;">If you are like me, then you must be facing measurement challenges every now and then at work. There are some general rules that one needs to be aware of. Below is a short summary of some of those measurement rules; they mainly come from three sources that I highly recommend:</span></div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><br />
<b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"><a href="http://www.howtomeasureanything.com/"><span style="color: blue; font-weight: normal;">Doug Hubbard, How to measure anything, Finding the value of "intangibles" in Business</span></a> </span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"></span></div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"><a href="http://www.issurvivor.com/shop/article_KJR/Keep-the-Joint-Running%3A-A-Manifesto-for-21st-Century-Information-Technology.html?shop_param=cid%3D1%26aid%3DKJR%26"><span style="color: blue;">Bob Lewis, Keep the Joint Running, A Manifesto for 21st Century Information Technology</span></a><br />
<b><a href="http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989"><span style="color: blue; font-weight: normal;">Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty and Doubt</span></a> </b></span><br />
<span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"><br style="mso-special-character: line-break;" /> </span></div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Let's start by defining "Measurement". Doug Hubbard offers a simple definition of measurement:<b> <i>"<span style="color: black;">A set of observations that reduce uncertainty where the result is expressed as a quantity."</span></i></b><span style="color: black;"> (he looks at it as an information issue; read the book if that sounds interesting to you). </span></span></div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><span style="color: black; font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">So basically, if your observation is expressed as a quantity and you know more after it than you did before, then we can call this observation a measurement. The additional point here is that the benefit of the measurement should be higher than the cost of making the measurement; otherwise it's not of much value. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">So what are the characteristics of good metrics?</span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"></span></div><ul type="disc"><li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Complete and Relevant</span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">: Good metrics are connected to important goals. Good metrics are the translation of goals expressed in English to math. The measure must accurately cover your needs to be useful. In some cases you might need multiple measurements to support your business needs. One metric alone might not be sufficient for drawing conclusions and decision making. Also remember that everything changes; your once relevant metrics might not be as relevant in the future. </span></li>
<li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Consistent</span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">: Good metrics always go in one direction if things improve and in the other if they deteriorate. The measure will always be the same no matter who carries out the measurement and records it. You can always count on the numbers; it's not a subjective exercise. If feasible, the measurement should be automated.</span></li>
<li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span lang="EN-US" style="font-family: "Arial", "sans-serif"; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Expressed as a cardinal number or percentage</span></b><span lang="EN-US" style="font-family: "Arial", "sans-serif"; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">, not with qualitative labels like “High”, “medium”, and “low”</span><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"></span></li>
<li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span lang="EN-US" style="font-family: "Arial", "sans-serif"; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Expressed using at least one unit of measure</span></b><span lang="EN-US" style="font-family: "Arial", "sans-serif"; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">, such as “defects”, “hours”, or “dollars”</span><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"></span></li>
<li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Communication</span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">: The results need to be communicated. Measurements are typically shared with others. </span><span lang="EN-US" style="font-family: "Arial", "sans-serif"; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">It should be easily recognizable what the metric means. When the metric drops/rises to unexpected levels the source of the problem and the necessary actions are clear to your audience.</span><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;"></span></li>
<li class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 10pt; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list 36.0pt;"><b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">Presentation</span></b><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-GB; mso-hansi-theme-font: minor-bidi;">: The presentation of measurements can be as important as the measurement itself. Spend some time on data visualization and always keep it simple.</span></li>
</ul><div class="MsoNormal" style="line-height: normal; margin: 0cm 0cm 0pt;"><br />
</div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: "Arial", "sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">One last tip: question conventional wisdom and the metrics that others suggest to you. Validate them using the above rules. Every now and then you will come across a metric mentioned in a reputable source that just doesn’t stand up to the validation test.</span></div></div>Osama Salahhttp://www.blogger.com/profile/05830483075525430345noreply@blogger.com0tag:blogger.com,1999:blog-1211988816865932622.post-55253635778677524422011-03-18T06:23:00.000-07:002011-03-18T07:40:39.699-07:00Security Firm RSA got hacked...what does that mean to the rest of us?<div dir="ltr" style="text-align: left;" trbidi="on">By now anyone following information security must have heard about the RSA hack. If not, go and google it for <a href="http://news.google.com/news/more?pz=1&cf=all&cf=all&ncl=dsjDZedrL6ExZTMpOfGFtU2LFGbFM">details</a>. What exactly happened is not clear; RSA is talking about some sophisticated attack, but I guess they would say that no matter what. It doesn't really matter.<br />
<br />
So what does that mean to the rest of us?<br />
<ul style="text-align: left;"><li>Whether you get hacked or not seems to be only a function of whether you are an attractive target. All other variables (attack vectors, risk, vulnerability...) seem to be just noise. It comes down to incentives and economics.</li>
<li>I still meet too many people whose eyes sparkle when they get the chance to talk about the latest security tools they implemented. Typically those start to fall apart a few months after the implementation. But the lesson here is that, as much as you depend on security tools, they are only as good as the people who designed them and as their implementation and maintenance. Additionally, they can also be your Achilles heel: besides the complexity they add, every now and then we find security tools that can somehow be exploited.</li>
<li>Instead of running after the latest security hype, make sure you cover the basics: least privilege, segregation of duties, change management, zoning, incident response, risk management, recovery, patch management, awareness, social engineering, default deny, defense in depth.....</li>
</ul><div>And this concludes my first post.</div><div><br />
</div></div>Osama Salahhttp://www.blogger.com/profile/05830483075525430345noreply@blogger.com0