Many of you will know that PCI DSS stands for the Payment Card Industry's Data Security Standard and most of the rest of you have probably heard of it and wondered what it was. You may immediately say I'm not interested in the Payment Card Industry and want to navigate away, but just before you do, you should know that many of the 12 recommendations are relevant to all. Actually the PCI DSS recommendations are mostly common sense that we should all be implementing anyway. I'll give a quick overview of the big 12 and how these can be applied to all networks in this blog. According to the PCI Security Standards Council , "The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized." The 12 recommendations that they put forward can be generalized as follows and should be adhered to by all organisations: Install and maintain a firewall configuration to protect private/sensitive data D...

I've been talking about 2-factor authentication and improving authentication mechanisms for a while now and trying to get companies to implement such solutions. One such organisation uses the Novell client for Windows on Windows XP. When a user attempts to log in they are not required to press Ctrl+Alt+Del. Many forums and reviews state that this is an advantage, as users don't like it! The point of pressing Ctrl+Alt+Del (CAD) on Windows is to stop all applications from running and kill Trojans, etc. Novell have replaced the MSGina.dll with NWGina.dll so that they can capture the CAD key combination. This is the standard way to override the built-in login screen and replace it with a custom one. However, Novell have decided to allow administrators to eliminate the need for the CAD key combination. This, obviously reduces the overall security of the system. I know that there are many ways to write a keylogger, some more sophisticated than others, but a lot of these low-level s...

Most firewalls have a 'DMZ' setting, but are they actually a full DMZ firewall? DMZ is a term often used in network security, but it can mean two different things to manufacturers and practitioners. Technically, there is no such thing as a DMZ in a firewall architecture, only a screened-subnet firewall, screened-host firewall or an exposed host, but the term is the industry standard when talking about allowing access to information servers (e.g. web, mail, etc.) from the Internet. So what is a DMZ? DMZ stands for Demilitarized Zone and is, obviously, a military term for the no-go area between two armies where no military activity is allowed. However, in network security terms it is a secure subnet that separates the Internet from the internal machines on your network. This becomes a logical place to implement any Information Servers, as these can be partially opened to the Internet, whilst not allowing direct access to the internal network. So are all DMZ firewalls the same? ...

We all want our systems to be secure and dependable, indeed the two topics are interlinked. Dependability requires high availability management, which has several aspects to it. We can try to achieve Fault Avoidance , with fault prevention and fault removal, but this isn't actually possible in all cases. For example, hard disk drives will have physical wear out due to moving parts, power supplies do not run indefinitely, etc. Therefore, we move towards Fault Acceptance . Fault acceptance relies on fault forecasting, to try to determine the most likely causes of faults, and fault tolerance to enable the system to continue functioning in the event of a fault. With fault tolerance we build redundancy into the system so that faults do not result in system failures. However, there are times when even our most fault tolerant systems will fail. What do we do then? Well, obviously we need to recover as quickly as possible. The 5 restoration phases of a system are as follows: Diagnosti...

I have been tasked with rolling out a trial multi-factor authentication system that must be user-friendly, secure, low-cost and have zero impact on the existing network and users who won't be on the trial. That should be simple! A trawl round the InfoSecurity Europe show always helps, as you can get the latest state of play from all the major vendors. This year there were the obvious keyring tokens, SmartCards, USB tokens, SMS solutions and some innovative software solutions, including GrIDsure. Before making any decisions about the solution to go for, several things need to be decided, among which are: how much security is required? What is considered user-friendly to a normal, non-technical user? What metrics should we use for authentication? To answer these we need to look at what authentication is first: Authentication is the binding of an identity to a subject. The subjects we're talking about in this case are users and we're trying to bind their digital identity, ...

The latest Smart Grid technology promises to reduce energy wastage and save money by enabling your household equipment to 'talk' to central servers and neighbouring equipment about their usage and energy requirements. This allows you to highlight how much equipment is costing you to run and how much you could save by turning it off, getting more efficient equipment, running it off-peak, etc. It also enables micro-generation of power and the ability to sell it to the grid or neighbouring properties. There are many privacy issues surrounding this technology, many of which are highlighted by Susan Lyon in her article 'Privacy challenges could stall smart grid '. Obviously, there are much bigger issues than the consumer part of the solution, e.g. the self-healing nature of the power grid due to failure or attack, but the fact remains that people's equipment and homes will be connected to this. With this in mind, there is another potential issue (or advantage) in my op...