Tag Archives: IBM

Message queuing insecurity

I met with Maryellen Ariel Evans last week. She was in Israel on vacation and we had coffee on the Bat Yam boardwalk. Maryellen is a serial entrepreneur; her latest venture is a security product for IBM WebSphere MQ Series. She’s passionate about message queue security and I confess to buying into the vision.

She has correctly put her finger on a huge, unmitigated threat surface: the transactions transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce, and in a highly interconnected system there are lots of entry points, all using the same or similar technology – MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks. It is conceivable that well-placed attacks on the message queues of an intermediary player (for example a payment clearing house) could not only leave the processor unable to clear transactions but also serve as an entry point into upstream and downstream systems. A highly connected system of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.
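The tap-in scenario above is exactly the case perimeter controls miss: once someone can read or write the bus, the only defence left is on the messages themselves. The following is an added example, not code from the original post and not Maryellen's product, showing what message-level protection looks like: each message carries an HMAC, a timestamp and a nonce, and the consumer rejects tampered, stale and replayed messages. The in-memory queue, the shared key and the payment payloads are constructed for illustration and do not model any vendor's API.

```python
"""Message-level integrity and replay protection for a queue consumer.

Toy model: an in-memory deque stands in for the broker. Key, queue contents
and payloads are constructed for the example, not taken from a real system.
"""
import hashlib
import hmac
import json
import secrets
import time
from collections import deque
from typing import Dict, Optional, Tuple

# Shared secret between producer and consumer (constructed for the example;
# in practice it comes from a key store, never from source code).
SHARED_KEY = b"example-key-do-not-use-in-production"

# Messages whose timestamp is further than this from the consumer's clock
# are rejected even when the MAC verifies.
MAX_AGE_SECONDS = 300


def _canonical(envelope: dict) -> bytes:
    """Stable byte encoding of the envelope fields that are covered by the MAC."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> dict:
    """Wrap a business payload in an envelope with nonce, timestamp and HMAC-SHA256."""
    envelope = {
        "payload": payload,
        "nonce": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class VerifyingConsumer:
    """Accepts only messages that are authentic, fresh and not seen before."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()

    def verify(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        try:
            mac = envelope["mac"]
            unsigned = {k: v for k, v in envelope.items() if k != "mac"}
            expected = hmac.new(self.key, _canonical(unsigned), hashlib.sha256).hexdigest()
        except (KeyError, TypeError, ValueError):
            return False, "malformed envelope"
        # Constant-time comparison, then freshness, then replay check.
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        if abs(now - unsigned["ts"]) > MAX_AGE_SECONDS:
            return False, "stale"
        if unsigned["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(unsigned["nonce"])
        return True, "ok"


def drain_queue(queue: deque, consumer: VerifyingConsumer,
                now: Optional[float] = None) -> Dict[str, int]:
    """Verify every queued message and count outcomes by reason."""
    results: Dict[str, int] = {}
    while queue:
        _, reason = consumer.verify(queue.popleft(), now=now)
        results[reason] = results.get(reason, 0) + 1
    return results


def demo() -> Dict[str, int]:
    """Constructed scenario: one good payment, one tampered copy, one replay, one stale."""
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    queue: deque = deque()
    good = sign_message({"type": "payment", "amount": 100, "to": "ACME"}, now=t0)
    queue.append(good)
    # Tampered copy: amount changed on the bus, old MAC left in place.
    queue.append(dict(good, payload={"type": "payment", "amount": 100000, "to": "ACME"}))
    # Replay: the same validly signed message delivered a second time.
    queue.append(dict(good))
    # Stale: validly signed, but an hour outside the freshness window.
    queue.append(sign_message({"type": "payment", "amount": 5, "to": "ACME"}, now=t0 - 3600))
    return drain_queue(queue, VerifyingConsumer(), now=t0)


if __name__ == "__main__":
    print(demo())
```

The MAC covers integrity and origin only; the "steal the data on the message bus" half of the threat additionally needs the payload encrypted (or the channel protected end to end), and the nonce set has to be bounded by the freshness window or persisted if the consumer restarts.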

Imperfect knowledge security

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge . . . to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

“The Pretence of Knowledge,” Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers, the properties of which are usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to a passive executor of defense rules in its firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management.

Business process mapping and risk management

Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security.

This is a very bad idea.

Business process mapping is expensive to execute and extremely difficult to maintain, and it can require a large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling. The added value of modeling data flows inside your organization between people doing their jobs is arguable. There are much better ways to make your organization robust to a major data loss event without writing a 7-digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.

There is a simple and effective way of figuring out data value at risk and mitigating data security threats:

A strategic inflection point in the security industry

Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder.

Inside a strategic inflection point of change, the people inside the system are not sure what is happening and have trouble putting an analysis, and a possible solution to their malaise, into words. We are seeing a continued rise of data security breaches perpetrated by trusted insiders, competitors and malicious outsiders despite billions being pumped into compliance and security technology products from companies like McAfee and Symantec. I doubt that during the current recession we will see many companies look for carpet-bombing technology solutions to their data security issues.

Is the security industry approaching an SIP – a strategic inflection point?
