In the last quarter of IS433 – Security Management at DePaul, I posed the following questions. While I’m still reading through the research papers, I thought I’d post these to the site.
1. There appears to be a set of security controls that are like commodities an organization cannot do without these days. Some examples may be SPAM or web content filtering, antivirus, authentication technologies, remote access controls (VPN, SSL VPN, etc.). What do companies see as the entire profile of commoditized security technologies (those that do not offer a competitive advantage) and those that set them apart from other organizations? Are there security technologies or controls that do create a competitive advantage, and if so find an organization that has and profile how they have used this advantage. (Possible books: The New School of Information Security by Shostack http://www.amazon.com/New-School-Information-Security/dp/0321502787 ).
2. Related to point 1 above, how has this changed the focus of security groups (or security blueprint) in the past few years? Do security groups or functions focus more on risk management and closer alignment with the business, or do they focus more on making sure the commoditized controls above function correctly? What is the difference between risk management and security?
3. Why are IT auditors so annoying? (That may be a rhetorical question). Has SOX, HIPAA, industry regulations, etc. actually helped focus security functions or organizations or simply created distractions? I’d be looking for research in this area and actual numbers if possible.
4. How are security groups, or are they at all, using metrics to show value to an organization? If so how do they differ from IT metrics? Is IT using metrics to show organizational efficiency and cost savings? If no one seems to be using metrics why may this be the case? Too difficult to track, not a priority of IT management? If security groups are using metrics what metrics seem to hold the most value? (Possible books: Beyond Fear Uncertainty and Doubt http://www.securitymanagement.com/article/security-metrics-replacing-fear-uncertainty-and-doubt, or Beyond Fear by Bruce Schneier http://www.schneier.com/book-beyondfear.html).
5. What are the effects of Web 2.0 or social media and user-generated content on information security? How has media helped or hurt security? Are there safe ways to allow social media, or should we even allow social media as an outlet for users of an organization from a security perspective? This one is very broad and can be taken in many directions…
6. Visualization of security events (Possible book: Applied Security Visualization http://www.amazon.com/Applied-Security-Visualization-Raffael-Marty/dp/0321510100/ref=sr_1_1?ie=UTF8&s=books&qid=1241707763&sr=1-1 or the Edward Tufte visualization books if you dare). Can you generate real data and try some of the techniques presented in the book?
7. Cloud computing and the current state with regards to information security. Challenges? Any major legal issues related to compliance? Do you trust the current providers?
Kind of a misleading title, but as I sit in a Caribou Coffee with 6 other people who are all using their laptops to watch movies, surf, or do work, it struck me that everyone outside the corporate walls seems to be using a Mac. Of those 6 people I see 4 MacBook Pros, 1 MacBook, and 1 lonely HP Netbook. It could be that I’m on a college campus and that the Mac is the current “in” laptop to have based on Apple’s genius marketing campaign.
The other side of that campaign is based on the misconception that OS X is more secure than Windows. In 2007 OS X had 243 total software flaws that required patching versus just 44 for XP and Vista combined (OK, mainly XP since no one is actually using Vista). Also, the current release, 10.5.7, fixes nearly 70 security flaws in OS X. One thing to keep in mind if you’re looking purely at the numbers is that OS X has many security patches to a single Windows patch. As anyone on a Linux box who has run the yum -y update command recently should be able to tell you, each component of the system requires an individual update or patch. Since OS X is built on many of these open source components, it is no wonder the numbers seem to be in Windows’ favor.
If we can assume that OS X is as flawed as, if not more than, Windows, then why aren’t we seeing a barrage of attacks against OS X? I think the right question should be: is this even a viable platform to attack? If the motive of current attacks is money in the form of credit cards, bank accounts, identities, etc., then we can speculate as to why not. Ignoring the fact that OS X holds a low share of the market, if most users are college students using Macs, would it even make sense to compromise a system to access a credit card that has a $500 limit…mainly because the student filled out an application just to get a free $2 tee shirt? Or, is it the fact that Windows is so easily compromised that it makes no sense to go after Macs? I’m going with the latter for now.
While I wrote this a while ago, I’m glad I held off on posting it. Since that time a study was conducted at the University of Virginia of incoming freshmen and which OS they picked for their laptop. Seems that Apple is starting to take a larger share of the higher ed. market...well, at least at Virginia. The issue around the total number of vulnerabilities in OS X was also covered today in an IBM ISS meeting I attended to discuss the findings from the X-Force 2008 Security Study.