Information Gathering At Its Best: Using Google Alerts for Fun and Profit

Posted by Brett Hardin on 19th May 2009

Reading time: 2 – 3 minutes

Photo: just.Luc (just.Censored)

Knowledge is Power.

Sun Tzu stated in the Art of War, “So it is said that if you know your enemies and know yourself, you will fight without danger in battles.” Having intelligence on your enemy is a key to winning military battles. In business, having any competitive edge, including intelligence, can be the difference between winning and losing a key project, beating an adversarial colleague, and getting a raise or promotion.

Google, a small start-up out of Mountain View, has a feature called Google Alerts that will help keep your enemies informed. Google Alerts is a way for people (or attackers) to stay informed of new pages that have been indexed by Google. When Google’s bots are scanning and indexing the Internet, they will look for specific keywords that the user sets up beforehand, just like issuing a Google query. When Google’s bots identify these keywords, they will email you a link to the page the keywords were found on.

This is a great feature that can be used to stay informed on all sorts of things. Say you would like to stay informed of Gavin Newsom, the mayor of San Francisco, running for Governor of California. You could set up a Google Alert with “Gavin Newsom” and “governor” as the keywords and be emailed any new pages that Google identifies.

It seems that Sun Tzu was correct. Knowing your enemy, and knowing what he knows, is the key to winning battles.

Buzzword: Managed Services

Posted by Brett Hardin on 18th May 2009

Reading time: 2 – 3 minutes

What is the word most likely to be heard at a non-technical security conference? If you said, “Managed Services,” “Managed Information technology services,” “Managed Solutions” or some variant of it, then you have been spending too much time at security conferences.

Managed Services is the idea that you take some piece of your company and have someone else do it. Companies typically take something that is expensive for them to do and then outsource it. For instance, most large companies pay an accounting firm, such as a Big 4, to do their taxes instead of having a dedicated tax department. This of course is an analog managed service, and is sometimes regulated by compliance. Another analog managed service would be a law firm.

The type of managed service this article is referring to is a digital one: the idea that you can pay someone else to handle some piece of your general solution. That could be web hosting services or security services.

Although managed services is not a new idea, it is gaining snowball-style momentum. There are, of course, companies that have built their entire model on Managed Services, such as Savvis and Akamai. More recently, larger companies are jumping on the bandwagon to also offer managed solutions. These companies include AT&T, BT, and an unlikely candidate, Amazon, with their S3 cloud/EC2.

So, if you want to make sure your company can play with the big boys, make sure you have a managed service solution.

Note: Totally off topic from the Buzzword itself is the site, www.managedsoultion.com. They cashed in on the buzzword and actually named the company after the buzzword. I am going to start making a note on each buzzword to see if any other companies have done the same. Great Marketing!

Fortify Has No Understanding Of the Problem

Posted by Brett Hardin on 16th May 2009

Reading time: 1 – 2 minutes

Note to IT people. If you don’t know about a subject, don’t blog about it like you do.

Case in point, Fortify recently posted this blog entry about XSS (cross-site scripting).

Fortify states, “In short, XSS vulnerabilities can enable an attack to alter the price of an item displayed on a reputable website. At first glance this appears harmless since the attacker can’t actually purchase the item at the modified price. However, by printing out the page showing the modified price and requesting a price match at a competing store, the attacker can leverage this technique to acquire goods at radically discounted prices”

WHAT?!?

Why doesn’t the attacker just save the content of the website locally and then just modify it? This article is ridiculous and should discredit “mmadou”, the author of the article, as a security expert. Ridiculous.
