Friday, February 26, 2010

A is for Application, J is for Jacked

…Criminal-toasty Application Jacked, Data’s tasty stolen too, You’re Application’s Hacked.  Application’s Jacked, Application’s Jacked - hum hum the rest in your head, glad to plant a jingle in you, to sing out all day!

Almost every day now, there seems to be a report about some ‘important’ system getting breached or some credit cards/identities being stolen or insecure infrastructures getting exposed with schools, universities, municipalities, states and even entire countries being the latest victims.  The recent 7Safe UK Security Breach Investigations Report stated, “86% of all attacks, a weakness in a web interface was exploited” and in his blog last week, Jeremiah Grossman wrote about the discrepancy in security spending verses the types of attacks that occur.  He breaks down the numbers to show that most of the security spending goes to perimeter defense like firewalls and says, ‘Organizations spend their IT security dollars protecting themselves from yesterday’s attacks, at the network/infrastructure layer, while overlooking today’s real threats.’ 

This got me thinking – will we ever get ahead of the game?  Is it a question of habit?  Is it being uninformed or not understanding the true nature of the threats?  Is it just checking the compliance box and not really going after true protection?  Is it a budget, education, staffing or perception issue?  Are the crooks way smarter?  Are there too many areas to secure – applications, code, infrastructure, DNS, data, and any other piece that needs to be protected?  Are there just a whole mess of insecure systems on the internet just waiting to get jacked?  Or a combination of all these?  Probably depends on many, mixed factors depending on organization, personnel, region and what can be accomplished within whatever boundaries are placed on those who are tasked to implement a solution.  Many security professionals over the years focused on a particular discipline like network, database, application and so forth yet many of those same folks are now tasked with understanding and securing all areas of the organization.

IMG00003 Almost every second of our life, we make choices/decisions hopefully based on the best information we have at the time.  Maybe we ask for additional advice, if available, to make a more informed decision.  Sometimes emotions come into play when trying to come to a rational conclusion and we all know the head and the heart can pull you in opposite directions.  There’s a part of me that wants to scold those who are lazy with securing data.  (Incidentally, I did that last night at the Disney on Ice show – one of the vendors had a clipboard with a stack of credit card receipts sitting right in front of the register for people to use to sign their slips – I could have easily slipped that into my jacket while he wasn’t looking and disappeared into the crowd with a stack of signed CC receipts.  I informed him that his ‘ease of use’ was actually not so smart.  He pulled it and later, while the clipboard was still there, the receipts were absent.)  Then there’s the other side that feels the need to educate and help those who might not understand the ramifications of their actions – the softer side of psilva.

In our personal life, while we might ponder or struggle with the huge, life changing decisions like a job change or moving the family, and after careful consideration we usually make the right choice but it’s all the little miniscule, insignificant decisions we make throughout the day that defines our character.  When the basis for our decisions is coming from several different factors and the outcome can effect many swaths both across the organization and the public at large, that can make it a much more difficult endeavor, especially when it comes down to Infrastructure vs. Application, even though both should get attention.  We can yell, bang our head against the wall, plead and beg, but security is a though beast to tame for typical IT departments.  Even if they do declare Application Security is top priority, there may be many other factors holding them back.  We probably still have a way to go when it comes to prioritizing dollars based on actual attack stats until it hits close to home – by then, it’s too late.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, banking, education, economy, technology

Digg This

Friday, February 19, 2010

F5 Web Media On-Demand

We’ve had some exciting announcements of late, like the BIG-IP Edge Gateway and the BIG-IP LTM VE, and lots of great content has been developed to highlight the benefits of these solutions.   It’s been a while since I’ve updated you about our Social Media sites and the various ways we deliver F5 content.   More than a year ago, we started to follow and contribute text, audio and video to the multitude of public Social Media outlets.  DevCentral has always been our social, community driven site, well before some of these newer social networks but we also recognized the need to engage with the various communities on the internet.  What started out as experiment, especially the Audio Whitepapers, multi-media has now become a mainstay of the various forms of F5 content offered, allowing you to get the latest from F5, anytime and anywhere.

Recent Videos

 

Recent Audio White Papers

 

F5 Networks Social Media & Content Sites

 

Thanks for reading, listening and watching.  If there is anything you’d like to see, let us know!!

ps

Technorati Tags: F5, BIG-IP, v10.1, Edge Gateway, Pete Silva, security, application security, network security, blogging, blogs, social networking

Digg This

Tuesday, February 9, 2010

Security - Still in the Driver’s Seat

A couple recent surveys reveal that for 2010, Security is back at the top of IT’s focus.  It seemed for a while there that Cloud Computing was starring in most questionnaires that asked about future IT spending plans.  If you remember, Security was still riding shot-gun slamming on the imaginary brakes in the passenger seat.  ‘Hey Cloud, You still can’t turn down that alley without my presence,’ Security would constantly nag from the navigator position.  Don’t get me wrong, Cloud Computing is still a powerful IT resource but according to a recent Infonetics survey,
Security upgrades, both for IT security and physical security, was the #1 change named by respondent organizations when asked what major changes they planned for their data centers over the next two years……For those who are expecting ‘the cloud’ to be a savior of the IT industry, our study is a bit of a reality check: while there is some interest in cloud-based services, particularly on the software side, the majority of respondents have no concrete plans for it. Virtualization is the more important trend and technology, as it is a critical tool for organizations to make their infrastructure more efficient and manageable,” advises Matthias Machowinski.
It’s not that Security ever took a back seat, it’s just many enterprises had to take a hard look, investigate new options and make difficult decisions over the last year on where to invest IT resources.  Unfortunately, it doesn’t seem like crooks ever need to get budget approval and continued their daily system onslaughtWhile credit cards and SSNs are still top targets, stealing Carbon Credits is the new bounty for the criminal element.  Were they just being eco-friendly?  Not in the least.  The 250,000 carbon credit permits that were taken are worth more than $4 million and was resold, probably to an unsuspecting buyer.

The Enterprise Strategy Group also released a Research Brief on the 2010 Networking Spending Trends and here too, Security took top prize.
ESG 2010 survey

Health care, financial services and federal government all indicated that they will be spending more on network hardware with 82% of financial services organizations saying they will increase network hardware spending in 2010.  What is also interesting about the ESG survey is of the Education respondents, only 38% will be increasing Network Security spending but 70% of them will be investing in Wireless LAN equipment.  To me, securing your WLAN should be part of the overall Network Security plan.  Hopefully folks remember that when all those SSID’s suddenly start broadcasting.

Security is something we strive for in many areas of our lives and at least on the corporate IT front, it looks to be a major area of focus this year.
ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, banking, education, economy, technology
Digg This

Wednesday, February 3, 2010

Consolidate and Dedicate to Eradicate

Whether it be due to cloud computing, last year’s economic mess, or just the general cyclical nature of the Tech Industry, Consolidation has been a huge focus of IT departments of late.  Data Center consolidation, hardware consolidation, staff consolidation and tech sector consolidation to name a few.  I remember the days of single purpose boxes that did one thing well.  In fact, a decade ago at Exodus, that was one of my positioning points for BIG-IP over such LB units as Alteon, ArrowPoint and LocalDirector since they were switched/hardware-based appliances.  I’d say something like, ‘It’s a Floor Wax and a Dessert Topping while the BIG-IP is software based, focused only on Load Balancing.’  Boy, times have changed.

Single purpose appliances, while still big business for their particular specialty,  are becoming fewer and fewer – just look at the handheld your using.  The printer was one of the first to go that route becoming printer/copier/fax/scanner in an effort to make them more useful and appealing to the customer.  Ads tout, ‘No more bulky equipment to buy – it’s all here in this great new thing that you must have!!  All for the incredibly low price of…..’  IDS graduated to IPS and now we have IDPS units and UTM (Unified Threat Management) systems or the Next-Gen Firewalls.  They have firewall, anti-virus, spam controls, web filter, IDS and more.  We are in a multi-task society and expect our devices to behave the same.  For a while, adding more and more functionality to a piece of IT equipment would either slow it to a crawl or make it very difficult to troubleshoot.  The processing power available today allows multi-function appliances to dedicate resources to ensure all the functions run smoothly.

dashboard Having multiple point solutions, interfaces and GUIs also makes it difficult to manage the various entities, especially if it’s a security device.  Managing multiple points of entry and enforcing a consistent security policy across the board can be challenging.  You got users connecting and requesting application access via VPN, some over the air on Wireless and others hooked right to the LAN.  They also are probably using various types of computing devices; from IT issued laptops, to home/personal machines to mobile devices.  You might have a specific policy for each type of access method/device or you enforce the same security, no matter what the connection.  Why wouldn’t you do a host check on LAN users similar to the scrutiny your remote users must pass?  In many cases, that might involve a NAC type controller and I thought we were trying to reduce the number of power suckers in the data center.  Today, IT needs a single management interface and policy enforcement point that’s easy to navigate and quick to deploy.  During a crisis, like a potential intrusion or breach, you can waste precious time trying to get to all the different appliances to assess the situation.

As consolidation continues, and more functionality is added to these multi-dedicated appliances, management of such an infrastructure especially if it’s part of a cloud, will continue to be an important driver for IT.  So, as you consolidate and are able to dedicate, that will enable you to eradicate costs, multiple management interfaces, multiple point products and with the right device, eradicate many of the threats that appear every day, the CDE way!

ps

Related resources:

External articles:

 

Technorati Tags: F5,BIG-IP,v10.1,Edge Gateway,WOM,application delivery,Pete Silva,F5,security,application security,network security

Digg This