Wednesday 30 September 2009

Thus Beginneth a New Chapter in my Career

Tomorrow [1 October 2009], I am embarking on a new job and role. I am moving away from the general IT consultant & internal architect role in the big corporate environment to a more focused architect/consultant role for a security software company. I will be more focused on helping customers pull together IdM solutions using the company's product.

This will be an interesting change, providing a much more focused activity on one specific subset of security, but I hope to carry on exploring the vast and interesting subject that security is. My last position lasted almost 10 years and in itself was quite interesting considering the variety of activities and projects I was involved in. This new position will be just as challenging, if not more, as I will be participating in the growth of this company as it evolves internationally (they are already a major player in the domain in this country and are planning to expand heavily in the rest of Europe, the Middle East and the US).

On the other side, and for my personal growth, I am still working on a few things including passing my GCIH (that happens next Wednesday), doing the CISSP (end of October) and continuing to look at developing for the iPhone & Android platforms. Hopefully, I will also be able to finalize a couple of blog entries I am working on, on the subject of the real-time web, a micro-blogging feature request and some thoughts on Vanish.

Wish me luck!

Wednesday 23 September 2009

A Fun Way to Understand AES!

Constantly on the lookout for information on encryption and a better understanding of the mechanisms behind algorithms, I was amused to discover this morning MoserWare's A Stick Figure Guide to the Advanced Encryption Standard (AES).

The information presented is largely accurate but is presented in a humorous plain cartoon format. Quite enjoyable! What was interesting is that it goes back to the history of how AES came about and presents a basic overview of how block ciphers work...

Thursday 17 September 2009

Application Updates Tops Cyber Security Risk, Real World Fix is More Complex

A few days ago, SANS released its new Top Cyber Security Risks report with an interesting new twist to the usual well-explored risks (such as web server vulnerabilities). The new risk that is highlighted quite effectively is the problem of application vulnerabilities, which have increased and become much more visible. A good example of this has been the ongoing reports of vulnerabilities in Adobe products such as Flash and Acrobat.

Part of the issue highlighted by the report is the slow turn-around to deploy application patches/updates to reduce the risks and fix certain vulnerabilities. This is in fact no surprise! Having spent a number of years in the corporate IT security environment, the application update process is a bigger dilemma than one might think. There are a number of factors that impede an effective and complete application patching process, be it for a few thousand or for tens or hundreds of thousands of installed clients. Some of these issues can be highlighted by the following three points:

  • Online availability of clients to receive the updates, making it more difficult to get an effective deployment rate;
  • Patches for versions that are in use might not exist, and upgrading to new versions presents other challenges such as budgets, compatibility with other applications, and continued functionality support for the business solutions;
  • Patches (or upgrades) can break or change features that are relied upon by business solutions or processes, effectively breaking the latter and impeding the business's ability to work effectively.

For a corporate IT security team, a balance has to be achieved between the need to carry out effective patching or upgrading and the need to let the business continue to work as effectively and efficiently as possible. This is the hard truth: patching to mitigate vulnerabilities is not necessarily the best solution for a business if it breaks functionality or impedes the business process!

An effective IT security team will understand this and work towards an acceptable compromise that balances the risks against the business's ability to carry on efficiently, through policies and processes that mitigate the risks or control/patch the vulnerabilities. Notably, the report section on best practices for mitigation and control provides a number of effective risk management techniques that start by understanding the applications that present risks and building an effective defense plan...

Related Links: