Cyber Security Institute

Sunday, April 07, 2013

Pandemic Cyber Security Failures Open An Historic Opportunity For Investors

Research conducted by the National Security Agency (NSA), in conjunction with the Department of Defense, FBI, Department of State, local law enforcement, civilian security agencies, and large security providers such as Mandiant and McAfee, has shown that government and industry alike suffer from poor security practices. The result of the research, published by the Center for Strategic and International Studies at the request of Congress, led to the establishment of the Top 20 Critical Security Controls for government and private networks alike. Indeed, the NSA-recommended security practices combine many top traditional security practices already codified in leading professional security standards such as National Institute of Standards and Technology (NIST) 800-53. The alarming aspect of the study is that while competent security standards for protecting America’s networks and systems had already been developed, the standards have been poorly implemented across the country.


Some examples of large security breaches resulting from poor security practices include a recent Distributed Denial of Service (DDoS) attack against Spamhaus, which clogged Internet lines, leading Matthew Prince, Chief Executive of CloudFlare, to compare the attack to a nuclear bomb.

From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as Antivirus and Intrusion Detection and Prevention (IDS/IPS) is currently only marginally effective at catching security threats. In addition, many security solutions are installed out of the box with little modification or customization to the needs of each network, leading to reduced or ineffective defense.

For instance, FireEye has developed a learning system that collects data on existing attacks from its subscribers using its custom tools. While hackers previously had the upper hand in combining known security weaknesses into highly complex attacks, FireEye tools use the same method of sharing security breaches with each other to quickly raise the defense profile of each subscriber on the network.

In addition, VMware’s partnership with Cisco hardware networking products provides a robust, integrated security solution with a hardware provider that dominates the corporate LAN network device space.

Costs for adoption of OpenStack software are lower than for VMware, but the system is newer and not as well documented. Most companies run both Linux and Windows servers, and I expect in a similar way VMware and OpenStack will coexist as solutions in the cloud space. In addition to a maturing product portfolio, IT leaders would do well to strengthen focus on security by hiring technicians with a proven security background, such as Information Assurance and Security professionals.



Posted on 04/07