My new blog at sbin.cn

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

• New site URL: Http://sbin.cn/blog
• New site RSS: Http://feeds.feedburner.com/sbindotcn

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.

Security 2.0, Security 1.0 SP2 … Web 3.0 …

Feld expressed his dislike to those fashion words in his famous blog:

 I’m personally going to boycott the phrase “Web 3.0” since “Web 2.0” makes me tired enough.  There have been some great quips going around the system about this, including Gordon Weakliem’s “I haven’t even gotten around to upgrading to Web 1.0 Service Pack 2”, Michael Parekh’s “Web 2007 versions”, Peter Rip’s “Web 2.0 + 1”, and Nick Bradbury’s “Web 3.0 Does Not Validate.”  While I recognize the inevitability of the newest increment of the Web x.0 label, I don’t have to like it.

My points is that they are interesting stuff. Some guys like to use fashion words to attract eyeballs. As long as they can illustrate the essential points, just let it be.

I use Security 2.0 to describe the new trends in network security area, e.g. internal control, identity and access management, and etc. That differentiate themselves from the original anti-virus plus firewall plus IDS. No matter what you call them, they just exist there. right?

SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

The pain of patch management

There are always more and more vulnerabilities and patches in our IT life. It has become one part of our job. Isn’t it? What’s the biggest pain in your mind?

If you said “why patch management? just go ‘windows update'”, then you must be a individual computer user, not an administrator. 😉

The hardest is to balance the risk of hacking due to not to patch and system unstability or even crash due to new patch. According to common practice, security manager should have a process in place to test patches, with the help from system and application managers. The balance point is decided together. [My comment in Chinese]. See the below report by Roger… Read the rest of this entry »

In 2006, China has issued 15 national security standards

In China, network and information security have been getting rising attention in these years, not only from the government and those large enterprises, but also from whole society. More and more relevant standards are issued, and internal control manuals are made and executed in FSI (Financing, Securities and Insurance) and telecom enterprises as well to strengthen their compliance management.

Since the beginning of 2006, 15 standards have been published in security domain by the technical committee TC260 (http://www.tc260.org.cn), which is responsible for the information security related standards under the government standardization organization (http://www.sac.gov.cn/), the counterpart of NIST, USA. Some of them cover the detailed management and technical requirements for classify security protection, while some of them are updates of the previous GB/T18336, which is the localized version of ISO15408 (CC). Additionally, ISO17799:2000 has been adopted as GB/T19716-2005 in 2005.

For the original publish page, check: http://www.tc260.org.cn/sy/xwzt/htmls/20060720000002.html

Click here to see my chinese comment.

12345678! Pyramid Framework

Yesterday afternoon, WHY and I worked out a holistic enterprise internal control framework. We named it as 12345678! Pyramid Framework. It help integrate the enterprise execution, IT control and security control methodologies and countermeasures.

1. One Priority: Execution
2. Two Hands: Technology and Management
3. Three Layers: Decision Makers, Managers, and Execution
4. Four Phases: Plan, Do, Check, Act
5. Five Layer Controls: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring
6. Six Risk Elements: Assets, Threats, Vulnerabilities, Safeguards, Risks and Opportunities
7. Seven Information Criteria: Confidentiality, Integrity, Availability, Efficiency, Effectiveness, Compliance, Reliability
8. Eight IT Processes: Planning and Organization, Acquisition & Implementation, Delivery and Support, Monitoring and Evaluation

Do you like it? We know there has been much space left for it to be perfect. But it help guide your thinking ways when you prepare proposals or do planning. Its original form is in Chinese. Click here for more.

If you think it helpful or have any suggestions, just leave me a comment.

Go Security 2.0

When I try to dig "Security 2.0" via Google, only one noticeable hit was found from CSOonline by Sarah. Sarah summarized the convergence at security area, and regarded "Security 2.0" as integration, convergence, holistic security and so on. Sarah reported a case study from Constellation Energy Group on convergence of physical security and IT security, where they assigned a new role named Chief Risk Officer, directly under CEO, who is responsible for control of what ever risks which might hurt the enterprise to an acceptable level. That's very interesting and with deep insight. However, my vision of "Security 2.0" is somewhat different.

At least in China, based on the about ten years of security practice, I would like to define the following two stages of security management and technology we are living with so far.

• Security 0.1: security came from anti-virus capability
• Security 1.0: security is PDR (Protection -> Detection -> Response), where in most cases at China, PDR was explained as firewall (protection), IDS (detection) and security emergency response services (Response)

But I begin to feel the emerging of a new pulse and inspiration at the industry, which I didn't hasitate to call it "Security 2.0", where I hope to borrow some concepts and feelings from Web2.0. The representative and definitive features of "Security 2.0" include:

• Security 2.0.1: focus changed to internal control and security protection of applications and data, rather than simple virus/intrusion detection and attacks.
• Security 2.0.2: "holistic security" synergizing the AAAA(Account, Authentication, Authorization, and Audit), from just stack/heap of firewalls, IDSs and other single point stuff.
• Security 2.0.3: emphasizing the perception and experience of those security managers and administrators, ie. the real effectiveness and efficiency. along with the implementation of technologies of data mining and correlation.

The key difference between Security 2.0 and previous stages lies at that the later focuses on the security information production and corresponding accuracy from those single point security elements, while the former turns to effective and efficient usage of those information to direct the real operations. Security 2.0 just develops itself on the shoulder of Security 1.0, instead of replacing them.

BTW, I am sorry I don't have time to translate other parts of this post from Chinese to English. If you are interested, please check the full version in Chinese.