9 Common Mistakes in Building A Security Operations Center (Chinese)

October 25, 2005

This post was published at cww.com.cn , 2004, where I summarized the 9 common mistakes at a Security Operations Center(SOC) project, which was becoming hotter and hotter at China.  In brief, they are:

  1. unbalanced resource investment on security elements and management
  2. unmatched organization structure
  3. misunderstanding of SOC as a pure product. It’s a project on management
  4. without consideration of IT infrastructure accordingly
  5. wrong project goal
  6. not enough support from the software vendors and/or system integrators
  7. without thorough understanding of the SOC products under implementation
  8. withoug corresponding management processes, such as monitoring and incidents management
  9. regarding the finish of the product implemantation as the end of the SOC construction.

Read the rest of this entry »


Skype published a security whitepaper

October 23, 2005

As everybody know, security is the most concern point to choose a IM/P2P application. Refer to my post of Top Ten Concerns to Skpye, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to explain the security concerns, for full version, click here.

The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.

Beyond errors in the cryptosystem, I have also looked for back doors, Trojans, overreaching “debugging” facilities, etc. I did not find any hints of malware in the portions of the Skype code I reviewed.

The whitepaper seems to be published not officially, rather, published from a free investigator/researcher perspective. It covers mainly what cryptographic algorithm used in Skype, and how to exchange private/public keys between communication parties, and how to defend against cryptographic attack, while it doesn’t address other concerns from telecom operators and enterprise IT managers, for an instance, how to identify/control/audit the Skype clients and their usage. I am afraid that it only help assure those personal professionals to believe Skype. 

Other important papers on skype security include:

  • “An Analysis of the Skype Peer-to-Peer Internet Telephony protocol”,  by Salman A. Baset and Henning Schulzrinne, click to download.
  • “VoIP and Skype Security”, by Simson L. Garfinkel, click to download.

“Import” disappears

October 23, 2005

Today It seems the “import” link disappears! I don’t know why the admin removed that.

After I imported my posts and comments from my blog at blogger.com, I found that blog’s template was changed to a flat text with a link to “wordpress.org”. -:( maybe there were some hints during the import processes, but i overlooked that. any way, i hope that blog work too. Thus, i re-configured the template. see: http://telecomsecurity.blogspot.com.

SOX Compliance Oriented Architecture (COA)

October 21, 2005

“SOX compliance” and “section 404” are buzz words recently, not only at USA, but also at China, for those companies listed at Nasdaq. They set up special team to build compliance controls for the enterprise, commonly named “Team 404”. For an instance, China Mobile, the largest mobile carrier at China, has assigned a 404 team to be responsible and boost the whole compliance affairs. At the same time, CMCC group assigned 4 trial  province  sites at  Fujian, Tianjin,  Shanxi, Hubei respectively. 

China Telecom, the largest fix line operator at China, has been working on their COTS (Commercially Off-The Shelf) ERP and CRM for around two years to advance the compliance journey. Kunming (by IBM) and Suzhou (by BearingPoint and BEA) are two trial sites for the BPR (Business Process Re-Engineering) approaches.

China Netcom (CNC) has invested a lot of resources to get their ERP online at the earliest time to comply the compliance.

SOX compliance, while generating a gold mine for the “big four”, will disclose financial information of public list companies more trustworthy and stablish the financial and security market.

During recent study and investigation of SOX compliance methodology and architecture, a lot of good documents are found via the Internet. At this moment, here is a good paper by Redmonk.com, click to donwload it to your harddisk.

At the risk of reading like a cliché, compliance is a journey not a destination. Rarely is anything completed. Rather, compliance calls for constant attention, tweaking and vigilance combined with a balancing of cost, risk and transparency. Sarbanes Oxley, for example, is very much a living regulation. Upfront costs can be conceived of as similar to corporate year 2000 (Y2K) projects for some organizations, but unlike Y2K, Sarbanes requires ongoing improvements in process controls and reporting.

What is Compliance?
Simply put, compliance is the process of adhering to a set of established guidelines or rules established by external bodies such as government agencies or by internal corporate policies.

Hi2005 Google PageRank=3!

October 21, 2005

This is an exciting milestone to my blog. This morning the google toolbar shew the pagerank jumped to 3 from 0!

Import your blogger posts and comments now. Great!

October 19, 2005

It’s a great news to find that wordpress.com has provided a “import” function so that you can import your posts and comments at blogspot.com into wordpress.com. It will be a great move to lock down wordpress.com users. It does work! Really.

BS7799, ISO17799, ISO27000 Series

October 19, 2005

Refer to the post at 17799.com forum by Calvin, the following information about BS7799 and relevant standards is summarized “as is”:

  • ISO27001 is to be the replacement for BS7799-2 by the end of year 2005
  • ISO 17799:2005 will be renamed in year 2006 or 2007 as ISO/IEC 27002

A new standard for BS7799 series:

  • BS 7799-3:2005 – information security management systems – guidelines for information security risk management” is a new British Standard due for release in December 2005

The new ISO27000 series will have five parts:

  • ISO 27000 will formally define the specific technical vocabulary used in these standards;
  • ISO 27001 will be the ISO version of BS 7799-2, the certification standard (due for full release in November 2005, already available as a final draft);
  • ISO 27002 will be the renamed and updated version of ISO 17799:2005 (to be released in 2006 or 2007);
  • ISO 27003 will contain guidance for those implementing the ISO 27000-series standards;
  • ISO 27004 will be a new Information Security Management Metrics and Measurement standard to help measure the effectiveness of information security management system implementations (currently in draft);
  • ISO 27005 will be the ISO version of BS 7799-3