Would You Like to Buy Some Oceanfront Property in West Virginia?
I had a fascinating conversation with a gentleman on an airplane ride back from a recent Hackathon. The topic was security and what steps an organization should go through in order to secure their environment. I was horrified that this individual felt that they could secure their environment without understanding the various threats that the organization may face or without doing a proper risk assessment.
The prevailing thought was to simply buy a firewall and somehow a miracle would just happen and their enterprise would simply be secure. I think this individual may have subscribed to someone’s marchitecture without taking the time to understand what is required to put a security program in place. So I decided to write down a couple of thoughts on the topic based on research that I’m doing for another project.
Break the Problem Down Into Smaller Pieces
Before implementing a Security Management Plan, one must take time to understand the scope and the various systems and activities that will be considered as part of the planning process. This will help identify the parameters and components that are in or out-of-scope for the particular plan. This level of due diligence is necessary because a Security Assessment can be as broad as the entire organization or as narrow as certain procedures or automated tasks. Taking the time to understand the parameters up-front will provide the Assessment Team with the scope they need to complete the Security Management Plan in a methodical and logical manner.
Why is this important? There is risk associated with most digital and non-digital assets in an organization today. It is unlikely that an organization needs to or can afford to secure every device or system that it manages. Some components may require extensive controls to be put in place while others may simply be designated as out-of-scope or fit within an acceptable risk profile. An organization should understand how to protect any component(s) that drive the business or mission. This is usually driven by numerous factors such as government regulations, the protection of Intellectual Property or simply standard operating procedures for a company to remain a legitimate going concern.
Who Owns The Security Function?
Many individuals view Risk Management as simply a function carried out and maintained by the Information Technology (IT) group. Risk Management is much broader than IT and should have attention and support from everyone, from senior management to individual line workers, as an ongoing concern in the organization. This means clear communication of the Security Management Plan and designated owners for each component that has been identified in the plan. It’s important to create a culture where Security Management and Threat Management are viewed in the same light as financial controls and operational excellence. Building a culture that appreciates the importance of the discipline will help in the enforcement of the plan and help identify new potential risks that may occur over time.
Following this approach will help an organization determine the level of security needed and the cost associated with securing an asset. During the Risk Assessment phase, some items may be deemed to have an acceptable risk profile and need no new security controls, while others may require extensive controls to be put in place to protect the asset. Factors that should be reviewed include the organization’s business model; specific legal, statutory, regulatory or contractual requirements that may govern the business; and requirements dictated by the organization for the processing of information.
Once an organization understands the factors that are influencing the risk, they will be in a better position to identify, prioritize and estimate the associated adverse consequences that may occur. This includes determining the severity of the situation and if appropriate controls are needed to mitigate or contain the risk in an acceptable manner. Creating and then implementing a Security Management Plan should give an organization better optics into their threat exposure level and allow them to create various mitigation scenarios for the assets deemed to be in scope for the risk plan.
Identifying Threats In My Organization
Understanding and embracing the need to have a complete Security Management Plan is the first step of the journey. Obtaining organizational buy-in and commitment is a critical part of this task. Many organizations are required by law to conduct risk assessments in order to have a better understanding of possible risk and the necessary controls needed to satisfy government regulations (Landoll 2006).
Once commitment is identified and communicated to the organization, a Risk Analysis should be conducted. A Risk Analysis is a technique to identify and assess factors that may jeopardize the success of a project or the ability of the organization to achieve a goal. The Risk Analysis will help define preventative measures to reduce the probability of these factors occurring and identify various countermeasures to successfully deal with the constraints if they develop (Hamdi and Boudriga 2005).
There are numerous publicly available documents and frameworks that provide organizations with the steps necessary to perform a thorough risk assessment. These documents and frameworks help organizations identify, prioritize and then estimate risk and the associated adverse consequences that may occur if the noted concern(s) are not addressed.
NIST Publication 800-30 section 3.1.2 provides a good overview of the various information-gathering techniques that may be used to gain a better understanding of the components in an organization and the data that should be reviewed within the defined operational boundaries. These techniques involve interviews, questionnaires, document reviews and the use of automated scanning tools that are particularly useful in identifying potential problems with various network resources.
Various quantitative and qualitative tools are also available to assist an organization in understanding not only what is happening but also why a particular problem is occurring. Using these tools and techniques will give an organization a better view of their system characteristics so they can start examining the various components that will be addressed in their plan. Once this level of data has been uncovered, threat identification and the source of the problem can be evaluated to determine possible risk and the controls needed to secure a particular asset.
What is the Relationship between a Threat and Risk?
So far we have discussed risk, but what is risk and how is it associated with a threat? A risk is a known or unknown factor that may jeopardize the success of a project or the ability of an organization to achieve a goal. When an organization performs a risk analysis, it is using techniques that will help it identify and define preventative measures to reduce the probability of these factors occurring using various controls or countermeasures (Landoll 2006). This process helps an organization gain a better understanding of potential problems in its physical and non-physical infrastructure.
A threat, on the other hand, is the potential for a particular risk to be exploited. This can be malicious or purely accidental in nature. This means that it is important for an organization to consider many factors when conducting a risk assessment and not assume that all problems will occur solely from questionable individuals attempting to manipulate the organization. Threats can be environmental in nature or come from a disgruntled employee, hacker, anarchist or cyber-terrorist attempting to gain access to, steal, destroy or manipulate assets. By having a good understanding of your assets and their associated risk, one can help an organization determine the various controls needed to mitigate threats from various internal and external entities.
Leveraging Existing Guidance
Publications like ISO/IEC 27002 and NIST Publication 800-30 go one step further to remind organizations that a threat-source does not necessarily present a risk when there is no vulnerability that can be exploited (ISO/IEC 2005). This is a very broad statement meaning that not every component is at risk, but one should ensure that the proper due diligence is conducted on any assets deemed to be mission or business critical. While something may not be vulnerable today, we live in a very dynamic and quickly changing world. Before one can make a determination with regard to an organization’s assets, it’s critical to start by understanding the environment to get executive buy-in, conduct the necessary research to identify components that may be at risk and then determine the controls necessary to isolate the situation.
Finally, remember that a Security Management Plan is a living document. Periodic updates and assessments should be conducted to ensure the plan remains in a high state of readiness. Next week I’ll provide a couple of thoughts on Security Administration.
Hamdi, M. and N. Boudriga (2005). Computer and network security risk management: theory, challenges, and countermeasures. International Journal of Communication Systems 18(8): 30.
ISO/IEC (2005). Information technology : Security techniques : Code of practice for information security management. Geneva, ISO.
Landoll, D. J. (2006). The Security Risk Handbook: A Complete Guide for Performing Security Risk Assessments. Boca Raton, FL, Taylor & Francis Group.
The AT&T Foundry, UT Dallas and Juniper OpenLab Hackathon Update
We are off to a roaring start at the AT&T Foundry and Juniper OpenLabs Hackathon in conjunction with the Institute for Innovation and Entrepreneurship at the University of Texas in Dallas. Yesterday the students attended a session on Entrepreneurship and today they are diving into an overview of Software Defined Networks and the Junos Developer Network. It’s events like this that give students the opportunity to demonstrate their skills as developers, future business leaders and entrepreneurs.
Later today the students will start building applications using the Junos Space SDK to monitor real-time traffic, aggregate data for operators and dynamically provision network elements based on what they have learned. These are real life examples of problems and opportunities that customers face daily.
I’m always amazed at what these students come up with and their ability to think outside of the box. Hal summed it up correctly yesterday when he alluded to the magic that occurs when a student goes to the whiteboard and starts the discussion with the simple phrase “what if.” My hope is that these students walk away from this event with new insights on what is possible.
Who knows, we may have the next AT&T or Juniper Distinguished Engineer in the crowd or, better yet, maybe the next Pradeep Sindhu or Alexander Graham Bell participating this week.
Keep checking back throughout the week for more updates on what is happening at the event.
Juniper Networks, along with the AT&T Foundry, is holding a university workshop and software development hackathon offered through the AT&T Foundry® and Juniper’s OpenLab – The Junos® Center for Innovation. The week-long event will be hosted at the AT&T Foundry® in Texas, in conjunction with the Institute for Innovation and Entrepreneurship at the University of Texas at Dallas, starting on August 13, 2012.
The workshop and competitive challenge is designed to provide next-generation software developers access to the tools and guidance needed to design new innovations for programmable networks. The workshop will give university students hands-on experience with concepts around software defined networking (SDN) and channel their interest in technology to help solve real-world challenges in the networking industry and unlock new opportunities.
- The SDN-themed workshop, utilizing elements from Juniper Networks’ Academic Alliances (JNAA) Program, will be the first of two workshops that will focus on giving students an overview of the AT&T Foundry® and a corporate overview of Juniper Networks in addition to providing them with several days of training on Juniper’s programmable network assets such as the Junos SDK and Junos Space Platform.
- During the workshop students will build an application on top of the Juniper Networks® Junos Space SDK to monitor real-time traffic, aggregate and produce data for operator reports, and dynamically provision network elements based on the mined data.
- At the end of the workshop, students will compete in a hackathon, presenting and demonstrating their application to AT&T and Juniper representatives. Prizes will be awarded to the students based on solution innovation.
- The University of Texas at Dallas will play a prominent role via the delivery of entrepreneurial content with the objective of fostering the spirit of innovation among students and promoting an entrepreneurial culture.
- A second workshop and competitive challenge with a similar agenda will be held at Juniper’s OpenLab facility in New Jersey in the fall.
I will be on hand later this week to judge the final submissions.
The Junos overview class is a half day (12-5pm) that covers the Juniper developer technologies and network programmability initiatives such as the Juniper Developer Network, the Junos SDK and the Junos Space SDK. Special attention is given to the Junos SDK product, roadmap, demos, and real-world application examples. These sessions are suitable introductions for all audiences. We welcome executives, managers, salespeople, software architects and developers from your organization to attend a session.
The Junos SDK Developer Training course is 3 full days beginning with some review from the online training and some lecture on our latest enhancements. We quickly progress to hands-on code walk-throughs, demos, and tutorial coding, testing and debugging exercises. Please note that these courses are only suitable for developers who have completed the prerequisites and have C coding experience and some networking systems experience with Junos.
The Junos Space SDK Developer Training course is 2 full days beginning with some review from the online training, tools setup, and some lecture to complement your online learning. Interspersed in the lecture we involve developers in hands-on code walk-throughs, demos, and tutorial coding exercises. Please note that these courses are only suitable for developers with Java coding experience and some networking systems experience with Junos.
Juniper’s first OpenLab, based in central New Jersey, is a center for software excellence to drive new network innovation across an entrepreneurial IP networking ecosystem embracing our customers, partners, universities and other industry organizations. We’ve been testing out the new facility for a couple of months now and will be holding the official grand opening in June.
OpenLab’s focus is on igniting the development of new network-integrated software applications as enabled by our suite of programmable software platforms. In concert with our progressive software mission, OpenLab will serve as a key instrument in enhancing the network’s value as a strategic and competitive asset for our customers.
If you would like to learn more about this incredible resource visit our website at https://developer.juniper.net/content/jdn/en/community/openlab.html.
A study of car accidents by the Virginia Tech Transportation Institute put cameras in cars to see what happens right before an accident. They found that in 80% of crashes the driver was distracted during the three seconds preceding the incident.
Web applications are among the largest unprotected attack surfaces, and the frequency of attack is increasing. To address this growing area of concern, Juniper is acquiring Mykonos Software.
Read more at http://bit.ly/wgWKQB
Juniper Networks Acquires Rights to Service Management Layer of BitGravity’s Content Delivery Technology
Juniper announced they have signed a definitive agreement under which Juniper will acquire rights to the service management layer of BitGravity’s CDN technology.
Juniper plans to complement its award-winning Juniper Networks® Media Flow Solution with the service management layer of BitGravity’s technology to enable service providers, online media companies and content delivery networks (CDNs) to deliver online content more cost-effectively while simultaneously improving the end-user experience and driving new revenue.
Juniper anticipates delivering an integrated solution later this year.
BitGravity has already been integrating Juniper’s Media Flow Solution into its service management technology.
By incorporating BitGravity’s technologies, Juniper is well-positioned to deliver a comprehensive, industry-leading CDN infrastructure solution to its customers.
Today’s announcement reinforces Juniper’s ongoing commitment to, and investment in, solutions that create value for customers looking to deliver rich media and Internet video content on-demand with maximum performance, efficiency and scale.
Tata Communications continues to expand and strengthen its content delivery capabilities and streaming capabilities to address the needs of its media and enterprise customers.
As video consumption continues to migrate toward online and mobile devices, innovative solutions are critical to delivering this content cost-effectively while providing a path to monetizing the delivery.