At the recent Hackinthebox security conference in Amsterdam, Dutch duo Stephen Kho and Rob Kuiters – who work for the Chief Information Security Office (CISO) team within the Netherlands largest telecommunications provider KPN – revealed that a significant percentage of nodes within the global set of GRX hub networks were accessible from the internet, and some of those were found to have applications running which exposed critical vulnerabilities.Read more...
We are in the midst of major 4G rollouts and more than half of the world population have not even tasted the supersonic LTE networks, yet we see a lot of industry talks on the topic of 5G networks. So let us shine our crystal balls and see what 5G networks are all about all the while addressing some of the burning questions related to this topic.
According to Gartner Group, by 2015 20% of overall VPN / Firewall market will be deployed using virtual infrastructure and 100% of overall IT security product capabilities will be delivered from the cloud. Virtual Security clearly represents a new opportunity for Service Providers.
Your security is only as good as its weakest link. Auditing security means ensuring that you have the appropriate policies in place, and that you have confidence those policies are being followed. An external partner can help create both policies and the audit that supports them. Check out the 10 point Auditing Security in the Data Centre infographic, this offers you a framework to work with to ensure you have a comprehensive Data Centre Security Audit.Read more...
Guest blog by Paul Bonner, Head of Technical Services, Hardware.com
When companies reorganise or are brought closer together through merger or acquisition, questions over security are pretty low down the list of priorities to deal with. We assume security will adapt when moves and changes take place.
But anyone familiar with the huge range of headaches that can occur, and the increased potential for catastrophic data loss or theft, will tread carefully and seek to put security near the top of the agenda.
What can be done?
Rather like ensuring that your home will cope with all weathers, there is a need to start with the foundations – check they are secure and check them regularly.
So for data security it is all about knowing what data you have, classifying it into tiers, and creating a clear policy for each tier. Once such a policy is in place it needs to be regularly reviewed and certain data re-classified, which will mean that its access rights must be amended.
With a policy in place, all levels of reorganisation can be handled with appropriate care – or at least far more effectively than normally occurs.
A single staff reassignment seems insignificant, but it must be handled with care. At the most basic level staff are constantly moving within an organisation. The policy needs to cope with such changes so that an individual’s need for data is reassessed and changed appropriately.Read more...
Guest blog by Paul Bonner, Head of Technical Services, Hardware.com
There is little doubt that the cloud and virtualisation is playing a big part in all our futures. Despite the odd horror story, virtualisation is ever-present in every area of commercial life.
But like all white knuckle rides, there is a time when we have to come to earth and face up to the implications. It’s a time to realise that our old-world view of security is not best suited to the world we now inhabit.
Companies have been attracted to such services for a range of very good reasons, but most have not redrawn their security policies to reflect the new risks posed by the combination of cloud and virtualised environments.
So what are these risks?
One of the key concerns for your data centre security strategy is coping with an increased attack surface due to vulnerabilities in virtualised environments.
While many providers can demonstrate high levels of physical security there are many more weaknesses evident within a virtualised environment, whether in-house or in a provider's location. A key area of weakness is in server virtualisation.Read more...
Guest blog by Mario Socarras, Presales Consultant, Logicalis UK
Cloud services have provided a solid alternative for enterprises to consume IT services, but most organisations use a hybrid cloud that combines private infrastructure with specific external cloud services.
There are still availability and security concerns about cloud services. Availability has proved not to be a problem when proper redundancy mechanisms are put in place such as links, bandwidth and DNS and VPN termination.
On the other hand, achieving proper security for a hybrid cloud requires a comprehensive set of processes, technology and people. When security is addressed as a practice with defined steps, it can to be both manageable and effective. Here is a summary of how to address hybrid cloud security:
Know yourself: It is fundamental to have visibility of assets, and properly assess risk. This means understanding the application's data flow, where the data is, who accesses the data, and when it is accessed. Identifying where the valuable or sensitive information resides means you can apply specific security measures through the whole infrastructure, from end users or devices to the data.
Scan, test and evaluate: Scan applications, server and network devices to discover vulnerabilities. Scanning should be a customised process in which each asset is analysed differently in the context of its use. Web applications, for example, will be exposed to different threats than routers and switches. Scanning can, and must, also be done for applications and infrastructure that are in a public cloud.
Asset protection is nothing new; but the thorny issue of guest access remains.
Visit a British castle, such as the magnificent Leeds Castle in Kent, and you will see a supreme example of medieval enterprise security. High walls, wide moats, buttresses, arrow loops and numerous surveillance points; all contributing to the desired effect. If the outward appearance didn’t put invaders off, the thought of boiling water thrown at them if they came too close to the drawbridge was a pretty good secondary deterrent. Such protective measures served a vital function; but as with today’s corporate networks, the best laid plans and fortifications were little protection against visitors or guest workers with ill intentions.
The question asked then and now is still: When is a visitor or contractor a threat, and what can be done to mitigate that threat?
It has become expected that organisations provide wireless networks for visitors and staff but increasingly questions are being asked about the threats posed by outsiders given access to wireless services and allowed beyond into an organisation’s network. Aside from combating the obvious rogue element it is also important to remember that such users can have malicious effects without intending it, due to malware existing, unknown to them, on their machines.Read more...
No one would pretend that an organisation's threats and the effectiveness of its security policy should not be measured and quantified. But what does that mean in reality? In the aftermath of the discovery of the Heartbleed vulnerability Jodie Sikkel, Sales Manager and David Peters, Technical Director, from Juniper Networks’ Elite Partner Advanced Network Security and Gavin Thirlwall, Systems Engineer at Juniper Networks, debate the problem of discovering your risks, and then measuring your effectiveness at dealing with them. Read on to find out more from this insightful interview I commissioned with them:
Zoe: How should a business measure its vulnerabilities?
Jodie: There is no exact rule to measure this as every business has different goals and objectives, which are closely followed by the vulnerabilities and exposure that come with success. With the continual evolution of the threat landscape, often the security solutions put in place to protect an organisation are not dynamic enough or have the flexibility and scalability to keep up. Really, the best way to measure vulnerabilities is visibility. For an IT team to have the ability to see the business vulnerabilities at a glance is incredibly powerful and is something we often support our clients with.
Gavin: There are tools we provide such as Firefly Host that can do introspection, for example, we can identify how many of your virtual machines are missing a critical patch. But many non-technical managers naturally don't understand the threat landscape in detail.
Maybe we should go back to the basics of information security; what are the assets we are protecting? Who are the attackers? And what the threat vectors are? The problem is how many enterprises can pin-point who is attacking them? Are you being attacked by script kiddies and automated attacks looking for the “low-hanging fruit”? Or is it something more serious? We have a product called Junos WebApp Secure that can answer these questions. Few enterprises know who is attacking them, how serious a threat it is and how determined and well-resourced attackers are.Read more...
Celebrations, lists and predictions are all to be indulged in as we approach the festivities and a new year. I’m no exception so here are a few of my predictions for the world of LTE as we go into 2014.Read more...
Over the last few decades a great deal of research has gone into ensuring that the integration of IT systems turns into business value.
There is a famous IT textbook that has been used on many IT degree courses over the years called 'The Mythical Man Month'. Written by Frederick Brooks who worked for IBM as a project manager for the System/360 project in the 1960s, it was all about ensuring that complex IT projects were managed well and delivered on-time. Since its original publication in the mid 70s (there was a second updated edition in 1995) the IT revolution has continued at a terrific speed and it is now recognised that whilst delivering an IT system to time and budget is important, its ability to integrate smoothly into an organisation and add significant value is even more so.Read more...
I contend that MSPs, consumers and third party services providers such as banks take mobile network security for granted. I really don’t think any segment has fully thought through the implications for them, their brand, their ability to win new business, or the safety of personal information and all that implies. A new white paper by the Juniper team takes a look at some of the underlying causes and effect. My blog calls out some of the highlights and also gives you a link to download the white paper.Read more...
Your mission, should you choose to accept it, is to explain the benefits of SDN and NFV is less than sixteen minutes. Brian Levy (CTO, Service Provider, EMEA) accepted the challenge and we recorded the results for you to watch. This blog outlines what he speaks about and also has a direct link to view the recording.Read more...
LTE offers mobile operators a chance to fight back against the “cost-per-bit” culture that has come to dominate a market with falling ARPU. But Patrick Donegan, writing in a paper by Heavy Reading, feels there will be a close correlation between financial performance and the adoption of end-to-end IP Security. Why then, do many operators find it an acceptable risk not to adopt end-to-end IPSec?Read more...
Imagine if you would the following conversation between the Captain and Co-Pilot of a commercial airliner as they prepare the plane for take off
Captain: “Fuel”? Co-Pilot: “Check”
Captain: “Flaps set”? Co-Pilot: “Check”
Captain: “Doors secured”? Co-Pilot: “err no”
Clearly no airline crew would progress the check any further, the doors would be secured before the check was run again to ensure the plane was in the right condition to fly.Read more...