From the monthly archives:

January 2007

Virtualization Injection?

by SOX Jockey on January 30, 2007

in SBN

With the headlong rush to virtualization in most data centers, there is going to be a rash of digital accidents and injuries resulting from loose configuration of VM hosting hardware.

Many of these facilities, IBM P-Series, VMware, and so forth, have decent interfaces and security capabilities. The problem, as we've seen with other technologies, is the sparkly promise of vastly reduced costs that drives insecure colocation of applications with differing security models on the same hardware. The inevitable cross-connections between these applications, or the inordinate desire to boost utilization, can result in profoundly insecure configurations that can threaten every application on the platform.

Firms need to ensure that standards are in place prior to virtualization deployments. And the controls for these deployments need to check for configuration integrity at risk points related to the connections between the virtual machines, and between the virtual machines and the network.
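As an added illustration of the kind of control the post calls for (this is not code from the original post or from any hypervisor vendor), here is a Python check over a constructed VM inventory. The inventory format, the switch names, and the zone labels are assumptions made for this example; a real deployment would populate the same structures from the platform's own configuration export. The check flags VMs attached to a virtual switch outside their security zone, VMs dual-homed across zones, and switches that carry mixed classifications.

```python
"""Configuration-integrity check at the VM-to-network boundary of a
virtualization host. Added example; the inventory layout below is
constructed and is not any vendor's API or data model."""
from collections import defaultdict

# Constructed: the security zone each virtual switch is intended to carry.
SWITCH_ZONE = {
    "vsw-dmz": "dmz",
    "vsw-internal": "internal",
}

# Constructed: VMs with their security classification and the virtual
# switches their NICs are attached to.
INVENTORY = [
    {"vm": "web-01", "zone": "dmz",      "switches": ["vsw-dmz"]},
    {"vm": "db-01",  "zone": "internal", "switches": ["vsw-internal"]},
    # Dual-homed across zones: a path around whatever sits between them.
    {"vm": "app-07", "zone": "internal", "switches": ["vsw-dmz", "vsw-internal"]},
    # Internal-class VM placed on the DMZ switch to boost utilization.
    {"vm": "rpt-03", "zone": "internal", "switches": ["vsw-dmz"]},
    # Attached to a switch that nobody has classified at all.
    {"vm": "lab-11", "zone": "internal", "switches": ["vsw-scratch"]},
]


def misplaced_vms(inventory, switch_zone=SWITCH_ZONE):
    """VMs attached to a switch whose zone differs from the VM's own zone,
    or to a switch with no zone assignment. Returns {vm: [switch, ...]}."""
    findings = {}
    for entry in inventory:
        bad = [sw for sw in entry["switches"]
               if switch_zone.get(sw) != entry["zone"]]
        if bad:
            findings[entry["vm"]] = bad
    return findings


def bridging_vms(inventory, switch_zone=SWITCH_ZONE):
    """VMs whose NICs span more than one zone (an unclassified switch counts
    as its own zone). Each one is a potential cross-connection."""
    result = []
    for entry in inventory:
        zones = {switch_zone.get(sw, "unclassified") for sw in entry["switches"]}
        if len(zones) > 1:
            result.append(entry["vm"])
    return result


def switches_mixing_zones(inventory):
    """Virtual switches carrying VMs of more than one classification, i.e.
    co-location that the switch's own controls must now be trusted to separate."""
    zones_on = defaultdict(set)
    for entry in inventory:
        for sw in entry["switches"]:
            zones_on[sw].add(entry["zone"])
    return {sw: sorted(z) for sw, z in zones_on.items() if len(z) > 1}


def report(inventory, switch_zone=SWITCH_ZONE):
    """Human-readable findings, one line per issue."""
    lines = []
    for vm, sws in sorted(misplaced_vms(inventory, switch_zone).items()):
        lines.append(f"MISPLACED  {vm}: attached to {', '.join(sws)}")
    for vm in bridging_vms(inventory, switch_zone):
        lines.append(f"BRIDGING   {vm}: NICs span more than one zone")
    for sw, zones in sorted(switches_mixing_zones(inventory).items()):
        lines.append(f"MIXED      {sw}: carries zones {', '.join(zones)}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

Run against the constructed inventory, the check reports app-07 and rpt-03 as misplaced on the DMZ switch, lab-11 as sitting on an unclassified switch, app-07 as bridging two zones, and vsw-dmz as carrying both DMZ and internal workloads. The point is that each finding is a review question for the standard the post asks firms to write beforehand, not something the hypervisor will refuse on its own.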


A different kind of wireless

by SOX Jockey on January 27, 2007

in SBN

Sometimes you have to broaden your understanding of technology. From the New Hampshire Union Leader, on how to install a wireless security system:

  1. Go to a second-hand store, buy a pair of men's used work boots, a really big pair.

  2. Put them outside your front door on top of a copy of Guns and Ammo magazine.

  3. Put a dog dish beside it. A really big dish.

  4. Leave a note on your front door that says something like 'Bubba, Big Mike and I have gone to get more ammunition -- back in half an hour. Don't disturb the pit bulls, they've just been wormed.'


On Projects

by Richard Morgan on January 20, 2007

in SBN

Some days we move the platform/product/team/company forward. Some days we tend the garden. Both are needed. My exercise the past two weeks has been the planning and prioritization of my group's infrastructure projects for the year. I'm lucky in that my boss and I are simpatico, seeing the opportunities and shortcomings in much the same way. Still, it's hard to say what the landscape will look like in October - that's a whole nine months away. Yet, we try. I'm balancing the garden-tending against the big initiatives, trying to not let the weeds overtake us.

This time of year, starting with a fresh list (although with some carryover) emphasizes the personal satisfaction that I find in my position. I'd never plead indispensability, but it's good to be dedicated and focused and know that we'll get support for most of the good projects and finish them. Looking back at what we did in 2006, project-wise, puts a soft-focus on the year and takes the edge off days of host recoveries, difficult on-call weeks, and the occasional pettiness of daily corporate life.

I've thought a lot about how to make a career. I have friends who are attorneys, engineers, doctors, and accountants. Their professional paths are well-defined. Knowledge and skill are prized among them. Bigger cases, projects, and deals are the hallmarks of growing and progressing in those fields. It's human nature probably to compare jobs, so I weigh my days as a system administrator often, and check the progression. In my field, unless you head into management, the careers progress with projects and innovation. Are the projects technically challenging? Do they move us forward or are you tending garden? Are they bold or simply incremental? These are the things I consider.

So what am I doing? I can't very well list my projects here, but the areas of focus are very buzzword-compliant. To wit:

  • Privacy and Security
  • Integration and Standardization
  • Redundancy (with resulting service availability goodness)
  • Reporting and Monitoring

Each of these areas has a bunch of verbs, "improve", "upgrade", "migrate", "decomm" (my favorite!), and objects such as mail and DNS. Some of the projects are technical challenges, while others simply need a long span of attention to finish - no wandering off after that next shiny thing.

The interesting part of this whole exercise, beyond moving us forward, is the balancing of company interests and goals with my professional goals, interests, and skills. Somehow it all works out, maybe I'm good with puzzles, and we now have a set of marching orders.


Google in NC

by Richard Morgan on January 20, 2007

in SBN

Google has chosen Lenoir, NC for a new data center. Yahoo Finance reports:

Search engine giant Google Inc. plans to spend $600 million to build a data center in North Carolina, state officials and the company said Friday.

...

The state will give the company $4.8 million as part of a total incentives package that could reach more than $100 million.

Nothing on the Google site yet about it.


We’ve All Got Our Problems

by Richard Morgan on January 20, 2007

in SBN

Yahoo was a leader in many areas - search, portal, messaging. But as they've aged, their engineering teams are beginning to suffer some of the same problems as the rest of us. Cutting-edge platforms (at one time), often of a proprietary nature, need a hard look and difficult, often expensive, choices need to be made about the continued use of those platforms.

A Yahoo insider comments on their dead-end infrastructure:

And let me tell you this. Yahoo! is now rotten from the inside out. Here's my take of how to fix Yahoo!'s engineering:

... 4) Slowly port all Yahoo! software to linux and phase out FreeBSD. Start supporting and encouraging multi-threading programming. I bet Google is laughing their asses off at us because we are still stuck with FreeBSD, gcc-2.95 and single process model.

...

5) Slowly get rid of all Yahoo-specialized open source software. Why do we have "YApache" (based on Apache 1.3), and why do we have the dreaded yut/ycore++ libraries when we can use STL and boost? And why do we have YPAN when we can just use CPAN??? The platform group is doing the wrong job supporting this dead-end infrastructure.



Confidence in Software

by SOX Jockey on January 18, 2007

in SBN

This Computerworld article points out the need for open reviews of software as a prerequisite for public trust in services like electronic voting. As a student of politics and information security, this story has fascinated me. The short version is that a statistically improbable undercount (lack of votes by voters for one particular race) has raised significant questions about the validity of electoral results for a US Congress seat in Florida. Though a judge quashed the Democrat (losing) candidate's request to review the code, this issue won't go away until light floods the "black box."


Bruce Schneier Interview

by SOX Jockey on January 10, 2007

in SBN

This interview with Bruce Schneier in Dark Reading is interesting. I like his emphasis on the "big picture". In speaking to a reporter after the recent Tacoma, WA school shooting, he challenged people to rethink metal detectors in schools:

"The goal isn't to stop shootings in schools. It's to stop shootings," he says, by investing in ways to ensure a kid doesn't resort to violence at all. "If a kid shoots another kid in the playground because there's a metal detector in the building," then the physical security was ineffective, he adds.

"That's a tough message for people to hear."


One of my pet projects is log management. Yeah, I know - log management doesn't sound like fun - and most of the time it's really not. I became interested in log management when the company I work for wanted to consolidate all the firewall, IPS, etc. logs for easy review and, ideally, correlation. This became a pet project of mine simply because of all the MISINFORMATION many of the vendors were


Option 4: Manage by Risk

WHAT: Manage your security program by evaluating and responding to risk.

HOW: Measure, evaluate, and respond to risk as defined by your business. Note that this is not an IT process.

BENEFITS: Your security is best matched to your business.

AM I DOING THIS?: Is your business happy with your contribution? Do they choose the risks they take or mitigate?

DIFFICULTY: This is hard because of the work, planning and communication required.

RECOMMENDATION: This is as good as it gets.


4 Options to Manage your Security Program (Part trio)

by SOX Jockey on January 5, 2007

in SBN

Option 3: Manage by Best Practice

WHAT: Manage your security program by doing "best practices."

HOW: Implement every "best practice" for security known to humankind. Exceed each practice for a truly comprehensive security program.

BENEFITS: No one can accuse you of being "insecure."

AM I DOING THIS?: Does your business have any revenue? Then you're not.

DIFFICULTY: This is hard because you will be known as the "Ministry of No."

RECOMMENDATION: Managing by Audit may be better.
