Subscribe to this blog's feed

Amazon

Recent Posts

Bio

  • David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.

    David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

Archives

More...

Links

Blog powered by TypePad

The views and opinions expressed are those of the author and do not reflect the official policy, position, or recommendations of the author's affiliations, partners, employers, or clients.

« October 2008 | Main | December 2008 »

November 2008

November 19, 2008

Promises, Promises

Dennis Fisher posted an excellent article on his blog:

Will Barack Obama keep his promises on cybersecurity?

A highlight:

[Obama's recommendations] are all points that were laid out in the National Strategy to Secure Cyber Space, the document that the Bush administration commissioned nearly six years ago. The plan was developed with the input of a long list of security experts, industry executives and academics and it had a wealth of good ideas in it, almost none of which were ever implemented. The national strategy became a punch line in the industry within days of its release, and within a few months the office in the White House that was dedicated to cybersecurity issues was dissolved, and that function was shipped off to the Department of Homeland Security where it has been ignored ever since...

So it’s come to this: Our expectations for federal cybersecurity efforts are so low that the mere mention of it by the president-elect has people giddy. There’s no way to know at this point whether Obama will follow through on his promises...

Indeed. Now the most difficult part of any presidency starts: President-elect Obama must start to decide whom to disappoint. For those who voted with eyes-wide-open for Obama, we know that all promises of a campaigning president cannot be responsibly kept, eventhough we voted as such. I have hope. But it is measured.

Posted on November 19, 2008 | | Comments (0) | TrackBack (0)

November 06, 2008

A Problem Way Bigger Than You Understand

According to Newsweek and ComputerWorld:

Computer systems used by the election campaigns of both President-elect Barack Obama and his Republican rival Sen. John McCain were broken into earlier this year, and a large number of files related to the evolving policy positions of the two candidates were stolen, according to a story posted online today by Newsweek magazine.

The attacks appear to have been perpetrated by an unidentified "foreign entity" looking to steal information that might be useful in future negotiations with the next U.S. president, Newsweek reported, quoting several unnamed sources...

According to the Newsweek story, a federal agent told Obama campaign officials that they had an IT security problem "way bigger than what you understand. You have been compromised, and a serious amount of files have been loaded off your system."

This compromise is a small taste of a very large national security issue. Let us hope in fact President-elect Obama does understand the significance, scope, and breadth of cyber security or that he surrounds himself with advisors that do. The ball is already in play...

Posted on November 06, 2008 | | Comments (0) | TrackBack (0)

November 03, 2008

When Everyone Achieves 90% Market Share

The Disturbing Precedent of Microsoft

Microsoft is doing much to improve the resilience of its software against cyber attacks. The company should be applauded. Its history should not be emulated.

A recent InformationWeek article states:

...vulnerability disclosures in Microsoft software during the first half of 2008 "continued a multi-period downward trend, both in terms of all disclosures and relative to total industry disclosures." ...

"Because the operating system now has fewer opportunities for vulnerabilities, researchers and malware authors are looking elsewhere," said Jimmy Kuo, principal architect with Microsoft Malware Protection Center. "Vista is a lot harder to attack."

After at least four major iterations of Microsoft's flagship operating system (Windows), one would hope this to be the case. Vista is more secure than its predecessors. Finally.

But therein lays the issue. It is only after Microsoft achieved market dominance that it began to focus on the security of its software. A tad late, by any measure. And a disturbing precedent. Competitive software companies emulate Microsoft's success by releasing software with as many "killer" features as possible in a frenetic attempt to gain market share; security, if any, is an afterthought. It is no wonder that researchers and malware authors are looking beyond Vista. The software market rewards carelessness (or at minimum, lack of forethought) thus promising an un-ending supply of vulnerabilities to eager attackers.

While Microsoft might certainly revel in a promising trend for the company, it does so only after leaving a field of wreckage in its wake. It also answers an important question about the ability of the software market to self-regulate: consumers will indeed get secure software...once every software manufacturer enjoys 90% market share.

Posted on November 03, 2008 | | Comments (0) | TrackBack (0)