Metrics. Not Just For Breakfast Anymore

Over the past couple of years, I have found myself being drawn back to my IT roots, looking to solve the same old problems that plagued IT when I was so much younger, had a full head of hair, and still had to learn that I hadn’t learned it all quite yet.  Back in the day, my boss asked me how the systems were running, and how IT was performing.

I thought a moment, and responded, “All of the systems appear to be running well, we haven’t had any downtime lately, and the server room is humming along nicely.”  He waited.  I broke the silence with “It’s all good.”  My boss, being the patient and well-mannered fellow that he was, reiterated, “So the systems are all up, but how is IT doing?  Are we at capacity on any of the systems, and are our processes working like they should?”  I couldn’t respond honestly, so I admitted it.  He had never asked me before how our processes were working, so it must have been all that golf he had been playing lately that had gotten to him.  We were blind to whether we were doing the right things, and doing them well or poorly.  My engineers and I had put together some fantastic systems and processes for the company: reliable, scalable, capable, but had forgotten to consider how we would be able to measure when we needed to scale, improve, support, or replace them.  DOH!  We did have basic system health gauges, but that was just for monitoring CPU and RAM thresholds.  Time to think bigger, and smaller.

Why do we collect metrics?  Metrics are a critical component of Management, whether it be Information Security, Projects, or Programs.  If you aren’t monitoring your exposures and measuring your results, how will you know whether you have been successful?  IT is all about strategy.  We implement systems in order to meet business objectives.  IT systems support the objectives of the business.  The business could still run without IT.  Much slower, ineffectively, inefficiently, and at a retarded pace, but the business could still run.  Without metrics, how do you prove the value that your IT or Security team is bringing to the organization?  How do you justify continued spending on improvements, new tools, new technologies? Continue reading

Got Any iPad App Recommendations?

As I’ve been bragging all week long, my beautiful wife bought me an iPad2 for Christmas this year.  I’ve been poking around the app store, downloaded some new tunes (the kids have had it with my ragged old country music), and have scooped up as many free or cheap tools as I can find.  I’ve downloaded, tried and deleted so many apps already, but I’m still looking for a few choice ones.

What apps do you find useful?

My keepers list so far:

  • Media/News
    • Facebook
    • LinkedIn
    • ResumeHD
    • CardMunch (for Linkedin)
    • CityNews
    • TO CityMinute
    • TheStar
    • DarkReading
    • CIO Digest
    • Security Tech Reader
    • ProSec Mag
    • WordPress Blogger
    • International Gamers News
    • National Cyber Security News
    • McAfee Threat Feed
    • CP24 News
    • Toronto Metro
    • FeedlerRSS
    • Bunch of iBooks (PDF)
  • Travel
    • Toronto Path Map
    • TTC Rocket Man
    • TripIt
    • iTranslate
    • Compass
    • WeatherEye
  • Utility
    • CompassFree Spreadsheet
    • QRScanner
    • Sci-Calculator
    • Project Mgmt Flash Cards
    • Liquid Planner
    • iJobs
    • Monster Job Search
    • CCTV Tools
    • Vtrace
    • NoiseSniffer
    • Fing (Network Scanner)
    • MobiControl
    • NetStat
    • Log Caliper
    • iVulnerable (CVSS Lookup)
    • Free WiFi Finder
    • Unit Converter
    • Cisco Tech Support Tools
    • Cisco Subnetting
    • NetMon
    • 5-0 Radio (Police Scanner)
    • Gadget Guide
    • SAP StreamWork
    • AnyConnect
    • SpiceWorks (LAN Management)
    • ROVE Mobile Admin
    • Dog Trainer
  • Audit
    • Mobile Auditor
    • Device Inspector
    • iWorkFlow
    • Audit411
    • Internal Auditor Mag
    • iAuditor
    • CMO Audit Tools
    • Palm-T Home Inspector
    • Audit360Pro

Cloud Computing Challenges & Rewards

It’s Friday, and I finally don’t have an interview scheduled.  Time to post another long winded entry.  Someone ought to hire me and take away all this free time…  (My golf-pro career move didn’t fly well with the wife…)   Let’s talk about cloud computing again.

Cloud computing is a technological advance that can bring great benefits to almost any business.  Like all major shifts in technology, adoption of cloud computing brings with it inherent risks.  My opinion on cloud computing thus far is based on reading, discussion with others, and some limited observation.  I have not implemented a cloud solution, audited a cloud environment, or managed a cloud environment.  Yet.  I have been observing the technology as it has developed for the past 6 years or so, and although I do not consider myself an expert by any means, I have an understanding of the concepts and have formed an opinion.

Over the past few years, I have talked to a lot of people involved in the cloud computing and virtualization space, mostly but not entirely from a security point of view.  Many of these folks are focused on maturing the technology, scoping the solutions available, and solving the challenges for Enterprise cloud computing adoption.  I have summarized these interactions here, and will add to them as I continue to learn and understand cloud computing better.

What Is Cloud Computing

The biggest challenge for cloud computing adoption as I see it remains the fact that it is just so hard to grasp.  IT is used to protecting a perimeter and touching a server farm.  With cloud, you can’t just head on down to the server room and visit the farm to reassure yourself that all is well.  For the IT folks like me that majored in the “buck stops here” school of IT management, where command and control of the IT infrastructure are the core of the security mind-set, handing over the keys to the kingdom to some third party is initially viewed as an act of treason. Continue reading

World IPv6 Day, Adoption Tracking

Yesterday was “World IPv6 Day”, and many ISPs and large organizations participated in testing the new IP communications protocol around the world.  Computerworld reports that Arbor Networks, which provided network monitoring support for the test, observed a sharp rise in HTTP traffic as more than 400 Web sites including Google, Facebook and Yahoo began supporting IPv6 in production mode as part of the ongoing experiment.  IPv6 traffic continues to steadily increase.  No major outages or security breaches were reported at the 400-plus corporate, government and university websites participating in the trial.

IPv6 is an upgrade to the Internet’s main communications protocol, featuring an expanded addressing scheme to alleviate the looming IPv4 address shortfall, while also enabling better security and reliability.  World IPv6 Day is a 24-hour trial of the new Internet standard that is being sponsored by the Internet Society.

Dragon Research Group has provided some high level stats around adoption by visitors to their site over the past year, and a handy-dandy IPv6 Test page.   According to DRG, the top 10 countries by the routed origin of the covering IPv6 prefix for those sources since 2010 accessing dragonresearchgroup.org were:

country code    % of total IPv6 visitors
US              60%
JP               7%
CN               5%
NL               4%
GB               4%
FR               3%
BR               3%
DE               2%
CH               1%
AU               1%

Mark Richard Prior has an interesting scorecard up on his blog, indicating the successes, challenges and evolution of the testing and adoption of IPv6.  If you are interested, these are all definitely sites worth visiting.  Kudos and thanks, Mark and DRG, for showing the initiative to start gathering this intel, and for having the moxie to keep it updated.

The scorecard identifies 5 key services and uses them as an indicator of IPv6 adoption.

  1. Web server accessible via IPv6;
  2. Email deliverable via IPv6;
  3. DNS name servers accessible via IPv6;
  4. An NTP service accessible via IPv6; and
  5. A Jabber service accessible via IPv6

The list should update weekly and suggestions for additions are welcome.  There is also a CGI script to test a domain that is not already in the list available at the bottom of the page.

http://www.mrp.net/IPv6_Survey.html
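As an added example (not code from the original post, and not the script on mrp.net), here is a small scorecard that applies the same five criteria to a domain's DNS records: an AAAA record for the web host, MX targets with AAAA records, NS targets with AAAA records, an NTP host with an AAAA record, and an XMPP server SRV target with an AAAA record.  The zone data below is constructed for the example so it runs offline; the host name convention for NTP (`ntp.<domain>`), the "at least one target reachable over IPv6" rule for email/DNS/Jabber, and the `lookup` callback are assumptions of this example rather than the published survey's exact method.  To score a live domain, replace `zone_lookup` with a function that performs real DNS queries and returns record data strings in the same shape.

```python
"""IPv6 service scorecard (added example, not part of the original post).

Evaluates five services for a domain the way the survey describes:
web, email, DNS, NTP and Jabber, each "passing" if the relevant host
has an AAAA record.  Record data is answered by a pluggable `lookup`
callable; the default answers from a constructed in-memory zone.
"""
from typing import Callable, Dict, List, Tuple

# lookup(name, rrtype) -> list of record data strings (e.g. "10 mail.example.test")
Lookup = Callable[[str, str], List[str]]

# Constructed DNS data for a hypothetical domain (not a real zone).
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("www.example-v6.test", "AAAA"): ["2001:db8::80"],
    ("example-v6.test", "MX"): ["10 mail.example-v6.test."],
    ("mail.example-v6.test", "AAAA"): ["2001:db8::25"],
    ("example-v6.test", "NS"): ["ns1.example-v6.test.", "ns2.example-v6.test."],
    ("ns1.example-v6.test", "AAAA"): ["2001:db8::53"],
    ("ns2.example-v6.test", "AAAA"): [],          # IPv4-only secondary
    ("ntp.example-v6.test", "AAAA"): [],          # no IPv6 NTP service
    ("_xmpp-server._tcp.example-v6.test", "SRV"): ["5 0 5269 xmpp.example-v6.test."],
    ("xmpp.example-v6.test", "AAAA"): ["2001:db8::5269"],
}


def zone_lookup(name: str, rrtype: str) -> List[str]:
    """Resolver stand-in that answers from CONSTRUCTED_ZONE (assumption)."""
    return CONSTRUCTED_ZONE.get((name.rstrip("."), rrtype), [])


def _target_host(record: str) -> str:
    """Extract the host name from MX/NS/SRV record data (last field, no trailing dot)."""
    return record.split()[-1].rstrip(".")


def _has_aaaa(host: str, lookup: Lookup) -> bool:
    """True if the host has at least one AAAA record ("." SRV targets yield False)."""
    return bool(host) and bool(lookup(host, "AAAA"))


def score_domain(domain: str, lookup: Lookup = zone_lookup) -> Dict[str, bool]:
    """Return a pass/fail result for each of the five survey criteria."""
    domain = domain.rstrip(".")

    # 1. Web server accessible via IPv6: www.<domain> or the apex has an AAAA record.
    web = _has_aaaa(f"www.{domain}", lookup) or _has_aaaa(domain, lookup)

    # 2. Email deliverable via IPv6: at least one MX target has an AAAA record.
    mx_hosts = [_target_host(r) for r in lookup(domain, "MX")]
    email = any(_has_aaaa(h, lookup) for h in mx_hosts)

    # 3. DNS name servers accessible via IPv6: at least one NS target has an AAAA record
    #    ("at least one" is this example's assumption).
    ns_hosts = [_target_host(r) for r in lookup(domain, "NS")]
    dns = any(_has_aaaa(h, lookup) for h in ns_hosts)

    # 4. NTP service accessible via IPv6: assumes the host is named ntp.<domain>.
    ntp = _has_aaaa(f"ntp.{domain}", lookup)

    # 5. Jabber service accessible via IPv6: _xmpp-server._tcp SRV target has an AAAA record.
    srv_hosts = [_target_host(r) for r in lookup(f"_xmpp-server._tcp.{domain}", "SRV")]
    jabber = any(_has_aaaa(h, lookup) for h in srv_hosts)

    return {"web": web, "email": email, "dns": dns, "ntp": ntp, "jabber": jabber}


def score_total(result: Dict[str, bool]) -> int:
    """Number of criteria passed, 0..5."""
    return sum(1 for passed in result.values() if passed)


def format_scorecard(domain: str, result: Dict[str, bool]) -> str:
    """Render one scorecard line per service, plus the total."""
    lines = [f"IPv6 scorecard for {domain}"]
    for service, passed in result.items():
        lines.append(f"  {service:<7} {'yes' if passed else 'no'}")
    lines.append(f"  total   {score_total(result)}/5")
    return "\n".join(lines)


if __name__ == "__main__":
    res = score_domain("example-v6.test")
    print(format_scorecard("example-v6.test", res))
```

With the constructed zone the domain scores 4 of 5: everything except NTP, because `ntp.example-v6.test` has no AAAA record.  A domain with no records at all scores 0, since each criterion defaults to failing when the relevant records are absent.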


VMware Buys Shavlik

VMware has acquired Shavlik Technologies, a provider of IT management solutions for small and midsize businesses (SMBs). Terms of the deal were not disclosed, and it is expected to close later this quarter.  Following this acquisition, VMware will be offering SMBs a full portfolio for managing, monitoring and securing IT environments, including the cloud.  One more nice and timely pairing.

Microsoft Security Intelligence Report (vol 10)

Microsoft has released volume 10 of their Security Intelligence Report, covering 2010.

The SIR is the result of an investigation of the threat landscape, analyzing exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and Microsoft Security Centers.  In SIRv10, Microsoft presents a short video that calls attention to the second most commonly detected fake anti-virus software: Win32/FakePAV.  The video describes how Win32/FakePAV steals credit card information, and then shows how to remove the trojan.

In addition to the Win32/FakePAV feature, they continue to highlight the ongoing threat of botnets in “Battling Botnets,” which was released in 2010.

Key Findings:

  • Application versus operating system or web browser vulnerabilities continued to account for the majority of vulnerabilities in 2010.
  • The total number of application vulnerabilities declined 22.2% from 2009.
  • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
  • Exploitation through Java has been rising since Q2 2010.  Exploitation on the Java platform far exceeds that of Adobe software and OS platforms.
  • Malicious IFrames account for a large number of attacks over HTTP, likely indicating the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in the Enterprise environment and only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family on the non-corporate Internet environment.
  • Phishing sites targeting social networks are increasing and they are effective in getting themselves presented to victims.
  • Overall OS-level vulnerability counts are steady, and browser vulnerability counts are increasing more slowly.

Download and read this interesting report.

AlignIT – Microsoft Cloud Computing

I just spent the day at the Mississauga Microsoft campus listening to a presentation and taking part in a discussion regarding cloud computing.  Although I have read about and am familiar with the concept, this technology is new to me, and it was great to see a working environment to understand it better.  I can hardly wait to roll up my sleeves and get to work planning, implementing and managing a cloud computing environment!  I guess I need to find a like minded employer first.  Any takers?

I was quite surprised to see these interesting stats posted on the opening slide:

  • 50% of business devices are expected to be smartphones by 2014.
  • 84% of organizations have a remote workforce.
  • 85% of data center capacity is idle on average.
  • 70% of IT budgets are spent maintaining operations.

Now, the first two don’t surprise me much, as they represent the fruits of our labors from the challenges that all IT teams have faced over the past 10 years.  Mobility, connectivity everywhere, and portable device enablement.  Wouldn’t it be nice if we could optimize those last 2 figures though?  Imagine what your IT teams could do in the way of innovation and business enablement if we could take 20 points off each of those numbers.  What wonderful new solutions would you be able to provide to your customers’ IT problems with an extra 20% of budget or processing power?

Ruth Morton presented a very brief summary of how IT as we know it has evolved.  The 70’s & 80’s “hurry up and wait” mainframe days, the 90’s client/server architecture bringing power to the desktop, the 2000’s acceptance of remote and mobile access and success of the internet and web, and today’s virtual environments and sprouting implementations of cloud computing.  Ruth spent some time discussing the characteristics NIST has documented as defining a cloud computing environment.

  • On-demand self-service capable,
  • Ubiquitous network access,
  • Transparent location resource pooling,
  • The ability to elastically expand and contract based on demand,
  • A pay as you use, measured service model.

Continue reading

ITIL Service Lifecycle Overview

Traditionally, IT has been managed and maintained through fire-fighting efforts, remaining reactive and with a technology focus.  The world view is one of “users”, isolated silos of information and responsibility, ad-hoc problem solving, informal processes, and operational in nature.  The frequently cited objective of “alignment with the Business” characterizes a common problem faced by the leadership of IT organizations.   Those who succeed in meeting this objective are the ones who understand the need to be Business-minded.   When an IT organization has an internal focus on the technology being delivered and supported, they lose sight of the actual purpose and benefits that their efforts deliver to the Business.

ITIL builds upon existing IT practices by providing a process driven focus, pro-active problem prevention, viewing the world through service colored glasses with “customers” rather than users, seeking integration and information sharing, making processes SMART – simple, manageable, achievable, repeatable and timely.  ITIL has a service and service level orientation, focusing on continuous measurement and improvement.

The objective of the ITIL Service Management practice framework is to provide services to business customers that are fit for purpose, stable, and reliable.  The core disciplines provide structure, stability and strength to service management through durable principles, best practices, formal methods and tools, while protecting investments, and providing the necessary basis for measurement, learning and improvement.  Version 3 of the ITIL Framework has been redesigned to make building out an IT services strategy more straightforward, and maintaining or improving those services logical.  The ITIL service life cycle consists of 5 major considerations, each containing several processes for managing and developing the services IT provides through to maturity.  The life cycle itself is iterative and multi-dimensional, ensuring that lessons learned in one area can be applied to other areas as well.

It is often helpful to understand the bigger picture when discussing a framework as large and multi-layered as Information Technology and Service Management.  Below is an overview of some of the key terms and ITIL practice areas.  The ITIL core guidance consists of 6 books.  Each volume is consistently structured, making interpretation and cross referencing easier.

  1. Introduction to ITIL Service Management
  2. Service Strategy
  3. Service Design
  4. Service Transition
  5. Service Operation
  6. Continual Service Improvement

In addition to the core guidance there is a large body of officially and unofficially developed complementary guidance available, as well as examples and templates for many tasks.  Additionally, other frameworks are referenced and related to align with ITIL practices, such as CoBIT, Six-Sigma, and ISO.  To me, ITIL is quite simply documented common sense that works.  Continue reading

Prepare For APT Attacks

APT (advanced persistent threat) attacks have been in the press since 2006, but are only now gaining real media attention due to recent high-profile attacks, and IT teams must prepare to deal with these threats before they become commonplace.  Some security practitioners consider APT an “overblown marketing term” and others will argue that it only affects the military or government agencies.  In the military, the term APT has been used to describe a process of maintaining intelligence operations and conducting information warfare against an enemy.  In information security terms, hundreds of companies around the world have been completely and utterly compromised by information security APTs, which allow hackers to mine and exfiltrate sensitive corporate data under the security radar, over an extended period of time.

In information security, these are targeted attacks launched using malware vectors, and as their name implies, they are employing zero-day unreported vulnerabilities, advanced coding practices, and automated behaviors to increase the effectiveness of their penetration capability, covert operation, and continued existence. They are persistent at attacking their target, and remaining in operation, often for years.  Once inside the organization, APTs are not easily detected, contained and removed.  Victimized companies will often continue on with their daily business unaware of the problem, and when they are eventually detected, they are often misdiagnosed as other less impressive malware and given an incorrect or incomplete treatment.  If the malware agent is unable to communicate with its Command & Control (C&C) center, it will often attempt to reach another one, or use another communication channel or method to quietly squawk away your secrets.

Not every malware infection indicates an APT attack.  Consultants are tempted to identify every bot-agent or Trojan found as an APT and dream up long-term, radical incident handling and remediation engagements from unseen and unknown attackers.  I’ve had to disagree more than once with consultants and responders on whether APT was part of an active security event.  The first step in handling an APT attack is understanding what separates it from a targeted hacker or a classic malware agent.  Once it is properly defined and understood, detecting and eliminating these kinds of attack tools can become easier.

APT attacks started to be reported by the mainstream press in January 2010 with Google’s announcement of a major APT incident, and continue with the more recent RSA compromise involving theft of information concerning SecurID technology.  That particular breach has been followed by serious reaction and concerns from users of the technology.  The impact and aftermath of that incident are still unfolding.  The hacking group Anonymous’ HBGary email leaks show that Dupont, Disney, Johnson & Johnson, Sony, and GE have been affected, along with several law firms and insurance companies.  Global financial companies and banks have also been impacted by the APT threat.  McAfee recently revealed that the world’s biggest oil and energy companies have also become victims.

Finding, containing and eliminating an APT attack requires careful advance planning and stealthy implementation to avoid alerting the attackers to your defensive maneuvers. The Canadian government had to isolate its largest financial departments, blocking access to and from the Internet in order to contain an APT threat and repair the damage that it caused.  In every single case that I am aware of, the targeted organizations had actually been under attack for months or even years, undetected.

The attackers are selecting their targets very carefully.  Where other malware vectors tend to be arbitrary, finding targets of opportunity, APT attacks are aimed precisely at targets of choice.  The attackers spend a fair amount of time researching and learning about the organization that they are about to attack, its personnel, its market, its interests, its hierarchy, its policies and culture.  They will custom build the installation routines and the malware agent to virtually eliminate the potential for anti-virus and other detections.  There will be no signatures for the malware, and they will rarely use that particular agent anywhere else simultaneously.  The attack itself will be well planned, often using social engineering tricks to get the program inside the perimeter.  Users will be targeted specifically, sometimes using their personal home email and less protected home networks to get onto laptops, USB sticks and other media that can make their way into the workplace.  Insiders may be used, and not just the ones that you screen and hire.  You may be the target, but an upstream business partner, downstream service provider, or consultancy may do the hiring.  Your network may even just serve initially as a conduit for the real target; a business partner, a consultant that works for both you and the ultimate target, or a shared service provider.  Consider yourself a current target if you hold sensitive information beneficial to foreign governments, or have relationships with those who do.

Key target characteristics include:

Continue reading

-=[FREE]=- Comodo Time Machine

In the spirit of Business Continuity Awareness Week, here is my plan for home computing disaster readiness.  As most are aware, I am seeking my next success, and cannot afford to have downtime at this critical employment junction.  My primary means of initial contact for procuring a position remains email and online.  The kids and now the grandkids seem to dominate the cordless telephone, and hunting it down in the labyrinth that is our multi-level home is a monumental task, even with the handy “locator beacon” from the charging station.  I go on that mission only when I really have to.

Over the weekend, I completed the tasks involved in upgrading my computer hard drives, and clean installing my operating system.  I replaced the small IDE boot drive with a 2TB SATA drive, maxing out all 4 SATA connections, and eliminating the IDE bottleneck.  The IDE interface is considerably slower, and now there is once again, room for data to grow.  And it will…

While I was at it, I took the time to try Comodo’s Time Machine (CMT) product.  It can be thought of as Windows Restore Point on steroids.  It provides the user with the ability to create images or snapshots of their system at various stages of installation, protecting the system from corruption, degradation, and malware infection by allowing the user to roll back at any time to a previously good configuration.  Here is how it rolled out for me:

Continue reading