On June 6-7, the National Institute of Standards and Technology (NIST) co-hosted a conference focused on HIPAA, the foundational U.S. health care information law. I attended the conference and came away with the sense that a) health care entities have begun to see clarity in the things they must do from an IT perspective to abide by the law’s requirement to protect patient information and b) they are motivated to do so through Federal moves to enforce the law.
The links between vague laws and concrete technical requirements to support them are usually ambiguous because the laws are written by non-technical lawyers and they often turn over implementation details to government departments.
Read More »
Tags: compliance, HIPAA, security
This month marks the 63rd anniversary of the publishing of the novel Nineteen Eighty-Four, it might be interesting to take a look at what is currently the primary method used for tracking on the Internet, the Browser Cookie. Browser cookies are a subject with almost as much misinformation floating around as there is correct information.
Tags: cookies, privacy, security
In the past few years a number of paradigm shifts have made policy-based networking essential to effective enterprise IT management. Some of these shifts include an increased reliance on virtualization and the cloud; the “consumerization” of business networks that has occurred with the popularity of devices such as tablets and smartphones; and the rapid adoption of video in business communications. By applying appropriate policies within the network, IT managers can do a better job of meeting users’ expectations and become business enablers.
We believe our message of One Policy, One Management and One Network has been recognized in the recent Gartner 2012 Wired and Wireless LAN Infrastructure Magic Quadrant, where Cisco has been positioned as a leader.
Foundational to Cisco’s One Policy strategy is the Cisco Identity Services Engine (ISE), which enables organizations to create and deploy unified policy to address the need for BYOD compliance. ISE enables one consistent policy across the entire enterprise, as well as enforcement by correlating a unique combination of contextual information including user, device, location and time.
Read More »
Tags: bring your own device, byod, Gartner, gartner MQ, one policy, policy, security, unified access, wired and wireless
I recently traveled to the annual Gartner Security & Risk Management Summit in lovely National Harbor, Maryland with over 2,000 IT Security executives. There was a lot of buzz around Secure BYOD (bring your own device), and most of the major security vendors (including Cisco who I represented) had a story of some sort. Amidst this BYOD buzz, during a session, a man rose his hand and said:
“There is SO much talk about BYOD but I have not heard the industry definition, is there one? It seems it has many meanings to organizations struggling with it and to vendors trying to respond to it.”
This is a very fair question and remark. Most see BYOD as people bringing their own personal device to the office with access to all work-related applications while using it for personal life. Some organizations may say they do NOT have a BYOD policy because they only allow corporate sanctioned devices, but one could argue that is a BYOD policy that says “no personal devices”. A significant take-way was email is still the killer application for organizations to be mobile. I’m not sure my teenage daughter will agree with that, but she is not working for anyone yet.
Although all mobile devices are open to threats, it seems some may be more vulnerable than others -- such as Android devices with the OS fragmentation and a more open application store then Apple IOS devices. Further discussions with attendees suggested that there are many stakeholders in crafting the BYOD policy from HR, legal, networking, marketing & sales, and many times IT security is not brought to the table early enough. This can make the BYOD effort even more confusing for the IT security professional. Policy is the common ground for stakeholders to align. Once policy is determined, the network becomes the best vector to set and enforce it with both visibility and control. Russell Rice, Director @ Cisco spoke about the value of a policy-governed network in a standing room only session. You can view his presentation below, and read the white paper on the topic:
Read More »
In the recently posted research paper “Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security“, Zhiyun Qian and Z. Morley Mao from the University of Michigan discuss a method to try to infer the sequence numbers in use by a TCP connection -- and if successful, how to try to hijack the connection and inject data on it in order to, as an example, steal credentials to web sites (banking, social networking, etc.)
Before talking further about their research, I would like to talk a bit about the Maginot Line. The Maginot Line was a line of fortifications located in France, established after World War I, and roughly following France’s borders with Germany and Italy. The idea behind it: in case of another war with Germany, the line would hold the enemy attacks, giving the French Army the chance to regroup and counterattack. The problem: the line only extended so far up North. So during World War II, and instead of attacking the line from the East, the German army completely bypassed it – by attacking Belgium first and then flanking the line.
So a lot of resources were allocated to set-up defenses for a very specific attack scenario – but that scenario never happened, as an easier way was found to bypass the defenses. And the mere fact of allocating so many resources to counter a specific threat significantly reduced the number of resources available to protect against other threats.
The method posited by Qian and Mao on their research paper strongly reminds me of the assumptions made by the French while building the Maginot Line.
Read More »
Tags: Attack, research, security, TCP