Another reason to have a policy not to eat at your operations

I’ve worked in places where the policy was that you’re not allowed to bring a camera in; that was before cell phones, I admit, but I imagine there are places where such is enforced today. My current cell phone doesn’t have the resolution of a spy-era Minox, but there are better available, and a phone has a lot more storage and fair bit of image processing power.

Continue reading Another reason to have a policy not to eat at your operations

“Paid to be paranoid”

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that its about ‘creative writing’, just answer that question.

Bruce Schneier among other, myself included, have asked questions like that. Are you ‘paranoid’ enough to be in the security business?

Robert Slade

One of my colleagues, Rob Slade  yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about “The CISSP Experience“.
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a “Bah Humbug!” feeling when the class is really a company stuffing its IT department through the course and exam “for the numbers”. Rob has some cynical comments to add but don’t forget for him it’s a days work and a days pay.

I’m also hit on for a variety of reasons by kids (even postgraduates) who “want to break into” — yes that’s the words they use, ironic isn’t it? — the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT.  But that’s a subject for another time.

And hence the opening lines to Holly’s blog.
No, Holly, you’re not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the ‘attack surface‘?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the ‘recovery mode’ (aka: line of retreat)?

If you can’t do this, then you shouldn’t be in “Security”. Continue reading “Paid to be paranoid”

Tight budgets no excuse for SMBs’ poor security readiness

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/

From the left hand doesn’t know what the right hands is doing department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be “hard-pressed” to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, lets leave the vested interests of security sales aside for a moment.

Security Operations Center

I read recently an article about the “IT Doesn’t matter” thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don’t fully utilise their resources, don’t fully understand the capabilities of the technology they have, don’t follow good practices (never mind good security), this is all a moot point. Continue reading Tight budgets no excuse for SMBs’ poor security readiness

How to decide on what DVD backup software to use

You do do backups don’t you?  Backups to DVD is easy, but what software to use?

Backup and Restore

  • Do you want the DVD backup ‘mountable’?
    If it is then you can see each file and selectively restore using the normal file management tools (cp, rsync etc)
    If you use some sort of ‘dump’ format (tar, cpio, zip or proprietary) then you will need the corresponding tool to access the backup
  • Why not simply k3b?But if it some down to it, there’s a decision tree you can and should work though.

My choice, based upon both K.I.S.S. and bitter experience is to go with the mountable.

  • – How are you ‘snapshoting’ your files?
    If you are backing up a live system[1] then there is the risk that the backup is out of phase with itself as files get changed during the time it takes to make the backup.

My solution to this is to use the snapshot mechanism of LVM.

English: Linux Logical Volume Management (LVM)...
Logical Volume Management
  • – How are you managing the backup archives?
    Do you need a specific dated version of a file or directory?
    Would a VCS be more appropriate than a backup system?

Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS – AND take periodic snapshots.

  • Ultimately its not about making backups, even if that seems to be the
    most of the work, but the ability to restore.

A client found it easier to take whole image backups but once when having to restore a single file there was a finger-slip and he restored the complete machine state of three years previously, loosing all that days work plus the next day when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.

  • – How “automated” do you want this backup to be?
    Sometimes you’ll find the automation tail wags the normal operation dog.

My use of K3B means I do disk-to-disk-to-DVD. (Using LVM’s snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.

I realise this is going to be inappropriate for many sites and business functions.

This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.

Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center of ISP might be totally inappropriate and troublesome for a SMB.

[1] Once upon a long time ago systems were shutdown or all jobs
suspended for the backup. This has disrupted projects for me a number
of times.

Enhanced by Zemanta