
September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - These are the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems in terms of their hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not supposed to see.

Overall, this IT security infographic is interesting to me because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the "defense-in-depth" visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do's and don'ts; rather, it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)


August 19, 2011

Supercookies Are Super Invasive


You're sitting alone at the computer surfing the web, looking up health, financial, entertainment, shopping, and other personal things.

You feel comfortable doing your thing... you have your privacy and can be yourself without someone looking over your shoulder.

But is the sense of safety real or an illusion?

For the most part, when we are online, we are not safe or in private.

As at work, where you get a warning that you are being monitored, when you browse the Internet your actions are tracked site by site--but without any warning--by cookies, the data packets exchanged between web servers and users' browsers.

On the plus side, cookies are used for identification, authentication, preferences, and maintaining shopping cart contents; on the negative side, they are installed on users' computers to track your activities online.

The Wall Street Journal (18 August 2011) reports that there are now Supercookies! and "history stealing."

- Supercookies are not cookies that can fly or lift locomotives; rather, they are more difficult to locate and get rid of on your computer. They track your activities just as cookies do, but are hidden in different places, such as the web browser's cache.

- "History stealing" is done when you visit certain websites and they use software to mine your web browser history to determine where you've visited, and then use that to, for example, target advertising at you. Imagine, though, what other profiling can be compiled by categorizing and analyzing your browsing history in aggregate.

Currently, the online ad industry has established self-imposed guidelines to supposedly protect privacy, but they seem wholly inadequate. For example: "collecting health and financial data about individuals is permissible as long as the data don't contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records." But knowing people's household finances, credit histories, and personal medical histories is okay--by whose standard?

According to the WSJ, web tracking is not only alive and well, but flourishing: "80% of online display ads are based on tracking data."

Why should anyone have the ability to track our personal web surfing?

We don't need ads targeted at us--we are not targets! We are very capable of searching online for what we are interested in, when we are interested in it--thank you!

Session cookies that expire at the end of one's web browsing session, used for session management, are one thing; but persistent cookies that collect and mine your personal data should be a definite no-no.
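To make the session-versus-persistent distinction concrete, here is an added example (not from the original post) that classifies HTTP Set-Cookie headers the way a browser does and lists the long-lived ones; the sample headers and the reference date are constructed.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added example, not from the original post. Attribute names follow
RFC 6265; the sample headers and the reference time are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time for computing remaining lifetimes.
NOW = datetime(2011, 8, 19, tzinfo=timezone.utc)

# Constructed Set-Cookie headers, as a browser would receive them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "cart=item42; Max-Age=3600; Path=/",
    "trk=9f8e7d; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Domain=.ads.example; Path=/",
]

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.strip()
    return name.strip(), value, attrs

def classify(header, now=NOW):
    """Return the cookie's kind and lifetime: no Expires/Max-Age means
    a session cookie, which the browser drops when it closes."""
    name, _, attrs = parse_set_cookie(header)
    lifetime = None
    if "max-age" in attrs:            # Max-Age wins over Expires per RFC 6265
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())
    return {
        "name": name,
        "kind": "session" if lifetime is None else "persistent",
        "lifetime_s": lifetime,
        "domain": attrs.get("domain"),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }

def long_lived(headers, min_days=30, now=NOW):
    """Names of persistent cookies living at least min_days: the kind
    that can follow a user across visits and is worth reviewing."""
    return [c["name"] for c in (classify(h, now) for h in headers)
            if c["kind"] == "persistent" and c["lifetime_s"] >= min_days * 86400]
```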

Like the unwanted advertisements that arrive in the traditional mailbox and get routinely and speedily placed in the garbage, online advertisements based on intrusive website tracking are not only a nuisance but a violation of our privacy--and should be trashed as a concept and a practice.


April 10, 2010

Knowing Who Your Friends Are

You’re on the Internet doing your business, but who is at the other end and how do you know that you can trust them?

That is what so-called Reputation Systems are all about—creating mechanisms to authenticate the identities of partners online and measure just how trustworthy they are or aren’t.

Some familiar examples of reputation systems include everything from scores for vendors on Amazon or eBay to activity statistics on Twitter to recommendation distinctions on LinkedIn to networks on Facebook.

The idea is that we measure people’s trustworthiness through the number of transactions they conduct, the reviews and recommendations they receive, and the associations they keep.

These are all instances of how we unmask the identities and intent of those we are dealing with online—we obtain third-party validation. For example, if a vendor has hundreds or thousands of transactions and a five-star rating or 99% positive reviews, or is a select member of a “power seller” network or other select organization, we use that information on past performance to justify our current or future transactions or associations with them.

MIT Sloan Management Review, Spring 2010, has an article about reputation systems called “Online Reputation Systems: How to Design One That Does What You Need.”

According to the article, reputation systems are “the unsung heroes of the web,” because “they play a crucial role in building trust, promoting quality, improving collaboration and instilling loyalty.”

Without some way of knowing whom we are sending a credit card payment to, friending, or chatting with on the Internet, we would be violating the cardinal rule of safety that our parents and teachers taught us from the earliest time that we could understand that you “don’t talk to strangers.”

I remember a very good video for children produced by Service Corporation International (SCI) called “Escape School,” presented by Bob Stuber, a former police officer and child safety expert, which taught just such lessons.

Even as we grow up, though, the dangers from criminals and predators still exist; hopefully we are a little older and wiser in recognizing and dealing with them, but this is not always the case.

For example, on online dating networks, people sometimes pretend that they are a rich brain surgeon or have the proverbial “tall, dark, and handsome” physique to lure someone on a date, only to be exposed for who they really are on the first date.

People are inherently driven to connect with others, and online we are able to connect more easily than ever before—with people from all over the globe, virtually any time of the day or night—and it is often tempting to let our heart lead and dismiss any concerns about who we are dealing with. Further, the veil of anonymity online seems only to heighten the opportunities for abuse.

The dangers of people pretending to be something they are not, and the need to recognize whom we are dealing with, is an age-old problem that society has struggled with—from the snake oil salesman of times past to the occasional dishonest vendor on sites like eBay today.

The MIT article states: “Small, tightly knit communities arguably do not need central reputation systems, since frequent interactions and gossip ensure that relevant information is known to all. [However,] the need for a central system increases with the size of the community and the lack of frequent interaction among members. In web-based communities with hundreds or thousands of members, where most members typically know each other only virtually, some form of reputation system is always essential.”

Predators act out online every day, using social engineering to trick people into divulging personal or organizational information, getting them to send money (like the fake emails from Nigeria or a lottery), or sending out malware when you click on the link that you know you shouldn’t.

Another example involving children is evident in NBC Dateline’s “To Catch A Predator” series, where Chris Hansen stakes out the child predators who arrange meetings with kids in chat rooms on the Internet and then show up at their homes or other meeting spots. Child predators prey on the fact that the children online don’t realize who they are dealing with and what their evil intentions are. Thank G-d, law enforcement and NBC have been able to turn the tables on some of these predators, with law enforcement pretending to be the vulnerable kids in order to catch the predators--who are fooled into thinking they are talking to children, only to be caught, often literally, “with their pants down.”

Whether we are socializing online, surfing the Net, or conducting some form of ecommerce, we must always pay attention to the identification and reputation of those we deal with. As the MIT article points out, with reputation systems we can use ratings, rankings, and endorsements to build up information on ourselves and on others to build trust, promote quality, and sustain loyalty.

Of course, even with reputation systems, people try to manipulate and game “the system,” so we have to be ever vigilant to ensure that we are not duped by those hiding their true intentions or pretending to be somebody or something they are not.

As social creatures, optimists, and those of faith, we are tempted to just trust, but I prefer the motto of “trust and verify.”
