Tag Archives: Knowledge sharing

A Program in a Program in a Program

2 May 2015

In the past weeks I did a lot of security assessments for complex applications. I always use the Socratic Method, i.e. dialogues in small groups with subject matter experts (SMEs) and support from infrastructure specialists where required. No rocket science! The only new thing, but an important one, is that we look at the applications from the malicious insider's view.

And of course we do a 360-degree assessment, which includes

  • People, Processes, Technology,
  • Servers, Middleware, Databases,
  • Interfaces to other Applications and to Infrastructure systems.

Our talks were very fruitful. And it was amazing to see how fast people became familiar with the malicious insider's view.

When it comes to secure operation of databases, lots of experts from various disciplines are involved because the database is a complex application in itself. Hardening a database without hardening the underlying operating system, the application and the middleware makes no sense. Security standards have to be defined and implemented for servers, databases and application components to achieve a good overall security level. Moreover, security standards must undergo continuous development because the threat situation is developing fast.

Thus an application security program comprises nested programs for the building blocks of applications.

For each building block, security baselines have to be defined by interdisciplinary teams.

In addition, a team of innovators is required for continuous development of the baselines.

And a knowledge management team is needed to make sure that all teams share their knowledge of threats, lessons learned from major data breaches and mitigation best practice.

In particular, knowledge management is one of the weak points of many security programs…

Have a good weekend!

Some thoughts about: People and process remain the soft underbelly of banks

25 April 2015

In the post ‘Security Think Tank: People and process remain the soft underbelly of banks’, John Colley uses the example of the Carbanak attack to discuss some new concepts for surviving the cyber war.

I like the idea of sharing knowledge about attack vectors and best practice for the defense against cyber-attacks across industries. But what is the proper scope of such sharing?

John Colley writes:

‘Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers discovering what internal programs they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.’

I have been discussing such issues for months now. My advice is crystal clear:

Before you start sharing information about your internal systems with any partner, carefully consider

  • what information and what level of detail is required, and
  • how the information must be protected.

Every piece of information available about your internal systems will help attackers find vulnerabilities in those systems. Remember: it’s merely a matter of time before cyber criminals break into your company network…

Too many details increase the attack surface of your company!

Have a good weekend!