emergency preparedness

Consolidate and Dedicate to Eradicate

Pete Silva — Wed, 03 Feb 2010 21:30:16 GMT

Whether it be due to cloud computing, last year’s economic mess, or just the general cyclical nature of the Tech Industry, Consolidation has been a huge focus of IT departments of late. Data Center consolidation, hardware consolidation, staff consolidation and tech sector consolidation to name a few. I remember the days of single purpose boxes that did one thing well. In fact, a decade ago at Exodus, that was one of my positioning points for BIG-IP over such LB units as Alteon, ArrowPoint and LocalDirector since they were switched/hardware-based appliances. I’d say something like, ‘It’s a Floor Wax and a Dessert Topping while the BIG-IP is software based, focused only on Load Balancing.’ Boy, times have changed.

Single purpose appliances, while still big business for their particular specialty, are becoming fewer and fewer – just look at the handheld your using. The printer was one of the first to go that route becoming printer/copier/fax/scanner in an effort to make them more useful and appealing to the customer. Ads tout, ‘No more bulky equipment to buy – it’s all here in this great new thing that you must have!! All for the incredibly low price of…..’ IDS graduated to IPS and now we have IDPS units and UTM (Unified Threat Management) systems or the Next-Gen Firewalls. They have firewall, anti-virus, spam controls, web filter, IDS and more. We are in a multi-task society and expect our devices to behave the same. For a while, adding more and more functionality to a piece of IT equipment would either slow it to a crawl or make it very difficult to troubleshoot. The processing power available today allows multi-function appliances to dedicate resources to ensure all the functions run smoothly.

Having multiple point solutions, interfaces and GUIs also makes it difficult to manage the various entities, especially if it’s a security device. Managing multiple points of entry and enforcing a consistent security policy across the board can be challenging. You got users connecting and requesting application access via VPN, some over the air on Wireless and others hooked right to the LAN. They also are probably using various types of computing devices; from IT issued laptops, to home/personal machines to mobile devices. You might have a specific policy for each type of access method/device or you enforce the same security, no matter what the connection. Why wouldn’t you do a host check on LAN users similar to the scrutiny your remote users must pass? In many cases, that might involve a NAC type controller and I thought we were trying to reduce the number of power suckers in the data center. Today, IT needs a single management interface and policy enforcement point that’s easy to navigate and quick to deploy. During a crisis, like a potential intrusion or breach, you can waste precious time trying to get to all the different appliances to assess the situation.

As consolidation continues, and more functionality is added to these multi-dedicated appliances, management of such an infrastructure especially if it’s part of a cloud, will continue to be an important driver for IT. So, as you consolidate and are able to dedicate, that will enable you to eradicate costs, multiple management interfaces, multiple point products and with the right device, eradicate many of the threats that appear every day, the CDE way!

Related resources:

In 5 Minutes or Less Video: Consolidate Access with BIG-IP Edge Gateway
BIG-IP Version 10.1: An Integrated Application Delivery Architecture [Whitepaper, PDF]
Unified Access and Optimization [Whitepaper, PDF]
F5 Delivers Next-Generation Application Delivery Services Giving Enterprises More Control with Context-Aware Networking [Press release]
BIG-IP v10.1 Now Available

External articles:

Technorati Tags: F5,BIG-IP,v10.1,Edge Gateway,WOM,application delivery,Pete Silva,F5,security,application security,network security

Catch some Zzzzzzzzzzzzz

Pete Silva — Wed, 16 Dec 2009 22:27:07 GMT

It used to be the ‘stuck to our side’ pagers that go off at 3am telling you that a server crashed that would keep you up at night. You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tippy-toe to the computer in hopes of gaining remote access or wonder to the car, still in your PJs, to drive to the facility. In February 2009, InformationWeek & Dark Reading conducted a survey entitled, ‘What Keeps Infosec Pros Awake at Night.’ They asked more than 400 IT pros, among other things, what are their most serious threats, how are they prioritizing their defense of these and what are they going to do to keep their data safe in 2009 and beyond. At the time, 52% said they were concerned about Internal threats – either employees or partners, accidental or malicious. This makes sense since there were several articles in early 2009 which looked at Laid-off workers turning to Cybercrime. They also feared the loss/theft of a laptop/potable storage device which might contain sensitive information that can lead to a corporate security breach. Their biggest wish was for end users to be smarter about security and understand the risks. Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in 2nd. They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from External sources, not insiders. Granted, the InformationWeek data was garnered from a survey (point in time opinion) and the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time) and it doesn’t include undisclosed incidents with internal investigations. Verizon concluded that breaches which warranted public disclosure were primarily done by external sources. I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results but interesting nonetheless. So the fear was Insider threats yet the actual data implicates outsiders. I started wondering if this one of those Perception vs. Reality things or as Stephen Covey puts it, “We see the world, not as it is, but as we are.”

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence. There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession and many believed it would happen again – but this time with technology's help. Stories started to appear indicating that this scenario might happen again and when the few that did happen were spotlighted (like the current trial of Terry Childs) - folks believed, or feared, that a new wave was coming. The data that came out other end, seems to show that those internal threats were less than expected, except maybe in the financial industry. The other side is that sometimes perception is more important than reality. With the perceived immanent danger of rogue ex-employees, IT departments had a wake up call to reexamine how they handle access termination, a critical piece of data preservation. In life and security, our view of the perceived risk is based on our past experiences/beliefs and that ultimately shapes our reality. My reality and your reality might be very different but we always have the power in how we respond to events, even ones out of your control. So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over, you did the best (hopefully) you could and there will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk as thieves typically work through the holidays. Plan as best you can and take the new ones in stride as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security. Yea, we made it! But wait, there’s more. Stay tuned for the Post-blog Report where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic. Should be fun.

#26 out of 26 Short Topics about Security
Previous stories: 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Technorati Tags: Pete Silva,F5,security,application security,network security,virus,

IPv6 and the End of the World

Pete Silva — Fri, 06 Nov 2009 14:13:14 GMT

There’s always been a certain amount of conspiracy theories when security type events happen or instances where there is secrecy. There are those who don’t buy the ‘reported’ reason a security event (like a breach) occurred, those who claim to have inside information or just those who see a story and draw their own conclusions. The following is my take (Satire Alert) on Transmission Control Protocol/Internet Protocol v6 and the end of the world as we know it. That can affect our security, right?!?

Recently there have been more than the usual number of articles about IPv6 and the need to deploy it soon since the v4 blocks are almost gone. Yes we’ve been hearing this for years (RFC2460 was defined in December 1998) but now the hype may be over as indicated in this article. There are many security enhancements in v6 nicely covered here but that’s not where I’m going.

In my first blog post on DevCentral, aptly titled First Post, I introduced psilva’s prophecies. I’ve been in the Internet industry since ’94 and while not a ‘know it all’ I have seen my share of changes and have seen a bunch of ‘ideas’ over time come true. For instance, I had always thought that the Internet would eventually become our entertainment delivery method and some 14 years later, that’s the case. That’s not that wild as I’m sure many of you figured it was only a matter of time once we started to see streaming video and broadband to the home. In that First Post, I offered my prediction of how our nomenclature might change over the next 50-100 years. That now, we no longer give our full name/address for contacting/correspondence as we’ve done in the past – we just give email. The idea was that over time, our current first/last naming convention might dissolve to where we are known as users@domains or a single string of characters. Twitter is enforcing that with their @namingconventions.

IPv6, at 128-bits (v4 is 32-bit), gives us the ability to assign an IP address to just about anything – heck, all the portable mobile devices we carry each need one and consumer appliances like TVs, refrigerators, thermostat, DVRs, garage door openers, coffee machines and just about any electronic item could potentially have an IP address. Schedule your toaster via a Web GUI to perfectly brown your bagel when you get home. You can already control your lights and alarm systems over the internet. In addition, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere. Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter. I could chip my child (like the dog) to be able to GPS their behind if they are not at the movies as indicated. Not so farfetched. That doesn’t sound so sinister, psilva, how can that be the beginning of the end?

OK, now the fun begins. While not a Nostradamus follower, although History/Discovery Channels have covered him often, he does have something to say about numbers. You might remember he got a lot of press and was the subject of spam after 9/11 due to this quatrain which his followers say indicates that he predicted that disaster. Conspiracy? He was very much into numbers and also indicated that when we are all identified as numbers, that will be an sign of the impending doom. We do have a numbering system in the states called a Social Security Number, which is our Gov’t identity and very much linked to our own security. With IPv6, now the entire world can be identified by number and thus fulfills psilva’s prophecy #2. The timing is right also. 2012 is getting a lot of play as the end of time. Both the Mayans and Nostradamus feel that 2012 is the end of days and Hollywood has taken notice. Now this does slightly negate my 1st prophecy since I’m giving our name change around 50 years but 2012 does sound about right for a full IPv6 transformation so it does fit nicely with doomsayers – if you’re into conspiracies.

#20 out of 26 Short Topics about Security
previous stories: 19, 18, 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Don’t say a Word

Pete Silva — Thu, 15 Oct 2009 17:33:51 GMT

………………………………………………….….oh, you’re waiting for me? This will probably be a short post since there are not that many security terms that begin with the 17th letter of our alphabet. However, keeping Quiet is a common theme in security. As mentioned numerous times, locking passwords, logins, and other sensitive information in your mouth vault keeps them from leaking to others. Social Engineering has always been about compromising that vault. Recently there was a post by Roger Thompson, AVG’s Chief Research Officer, which actually suggested to Write Down your passwords, especially complex, hard to remember passwords. While this practice has been frowned upon for many years – as in the ever popular post-it’s stuck to laptops – there is some sense in creating (and writing down) difficult passwords that are extremely hard to guess. Just put that paper in a safe location. Our own Alan Murphy offered some advice about passwords just a few months ago.

Keeping Quiet is also what most companies do when they discover a breach, at least initially. A survey from the 2008 RSA conference showed that 89% of security incidents go unreported. More often it’s the insider breaches that say under the covers. Some of that could be due to just being undetected but many companies don’t want the public exposure of a breach. Laws have changed some of that and huge breaches, like the Heartland incident, must be reported so people can protect themselves. Even the Heartland incident wasn’t detected for a couple months, and when it was, it didn’t get reported for yet another month. Granted, sometimes law enforcement does ask victims not to say anything so evidence can be gathered and, as to not tip off the crooks. In any event, keeping quiet about a breach happens more often than you think and it’s often due to the fear of a damaged reputation. Of course there is an opposing view to the damage factor by Larry Walsh where he talks about the multitude of brands who have suffered major breaches and how consumers have either forgotten or forgiven.

While silence can be golden and rests are written into music for effect, when it comes to Data Breaches not saying a word can put your business in jeopardy and in the cross-hairs of the law.

#17 out of 26 Short Topics about Security
previous stories: 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

This time, it’s Personal

Pete Silva — Thu, 08 Oct 2009 17:08:22 GMT

Nearly 80% of companies reported an increase in the number of employees wanting to bring their own devices into the workplace in the last 6-12 months according to ‘The Device Dilemma,’ a report by Vanson Bourne and Good Technology. In addition, two thirds of IT Managers have been under more pressure to increase compatibility with people’s personal handsets in the workplace with 82% saying the most requested device is the iPhone.

Personal devices pose a difficult challenge to IT departments and it’s not just iPhones/personal cell phones; mp3/music players, portable video/game consoles, personal laptops and just about anything with an internet connection or USB hookup can pose a risk. The age of social networks, streaming video, tele-work lifestyle and the basic computing power of mobile devices have made them constant companions in our daily lives since they do more than just make calls. We have grown personally attached to these mini-computers (even customizing them) and don’t want to carry around 3 different mobile devices. Employees now want to use their own devices for work related tasks.

It can be a Catch-22; IT might save a little money by not having to procure new corporate hardware but could spend significant time dealing with all the variants and security risks unauthorized personal devices pose. With all the different types of models, manufactures, operating systems and capacity, configuring and securing each device is not an easy task. Even if IT is able to apply a policy to individual devices, there still is no real guarantee that each device will support/enforce it. Management and control of those is a huge concern. The report also noted, ‘IT Managers don’t want to prevent people from using their own devices, almost half (44%) said they would let people choose if they were assured of security and configuration. Even then, 74% of IT Directors think that employees will still use their own devices even if IT doesn’t support it and more than 25% have experienced a security breach due to an employee using an unauthorized device.

Work Styles have changed also. Employees are now more dispersed: Different time/different location, Same time/different location, Same time/same location or working alone. While this model has enabled employees to work from anywhere, the need for collaboration has become critical especially with a global enterprise. What can you do? Don’t panic, as indicated in this article by Kim Boatman (hope I Linkedin the correct journalist) called Personal Tech Checklist for the Workplace. She has a checklist of steps IT can take when dealing with personal tech issues:

Establish or re-evaluate usage policies. Many businesses wrote Internet usage policies a decade or so ago and haven’t revisited them.

Evaluate how you expect employees to use – or not use – social networking. After all, there can be a business benefit to your employees’ presence on Facebook or Twitter.

Inventory employees and equipment. Keep track of the level of access granted to each employee.

Understand the security implications of your policy. For instance, says Storms, allowing employees to install proprietary information on their personal devices is a high-risk proposition, while permitting access to social networking sites at work is less risky.

Educate users. It’s not enough simply to establish plain-language guidelines. If you want employee buy-in, explain why certain actions are limited and what the consequences could be.

Involve IT. It makes good sense to vet policies and practices through the people that keep your systems going.

Give yourself wiggle room. Create that clear usage policy, explain it, and publicize it. But give yourself leeway.

#16 out of 26 Short Topics about Security
previous stories: 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Our H1N1 Preparedness Plan

Pete Silva — Fri, 25 Sep 2009 18:48:59 GMT

On a couple occasions, I have have offered advice on how to deal with disasters and just yesterday I wrote about Mitigating risks. Today, I’m deviating slightly from 26 Short – make this #13.5 – to share some of F5’s Emergency Preparedness plans for the possible resurgence of H1N1. While we often try to give interesting tips, ideas and suggestions to help you and since many of you might be going thru the same exercise, I though I’d share how we are preparing ourselves. Per usual, this is not to flame the fears already in the media but offer calming assurance that there is no reason to panic.

F5’s main objectives for Emergency Preparedness for Employees is to provide a safe and healthy working environment and to ensure business continuity. All of us received an email outlining our policies along with a link to an internal portal page dedicated to Emergency Preparedness. It contains several governmental and informational resources pertaining to H1N1 along with Emergency Hotline Phone Numbers and a short video from HR so we all can clearly understand this particular flu strain and what to do if we contract it. Each region around the world has a page specific to their needs. We have also put together a cross functional pandemic planning team that has identified critical business activities, resources and responsibilities to support a pandemic mission along with taking precautions within our own facilities – like simply providing hand sanitizers among other supplies.

Following tips offered by the Centers for Disease Control, if any of us do get symptoms, one of the primary actions we can take as employees is stay home since the virus appears to be easily transmitted from person to person. This is to protect all employees. The great thing is that there are also Work from Home instructions on how to connect remotely using our own FirePass SSL VPN. We’re already prepared for any increase in needed capacity and have policies in place to check any connecting device, even un-trusted home computers, to ensure internal security compliance.

It’s a comfort to me knowing that my employer is ready for H1N1 and any other emergency that suddenly appears and hopefully a comfort to you knowing that F5 is prepared to still support you even if you experience a crisis.

#13.5 out of 26 Short Topics about Security
previous stories: 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Additional note added after posting:
One thing I forgot to mention about Work at Home strategies - Do keep in mind that with the additional workforce potentially using home broadband for work, there might be some capacity constraints on carriers in certain areas of the country. There might also be some Acceleration solutions, like a WAN Optimization or Web Acceleration that can help with bandwidth reduction.