
Sydney Harris quote

“In every field of inquiry, it is true that all things should be made as simple as possible – but no simpler. (And for every problem that is muddled by over-complexity, a dozen are muddled by over-simplifying).”


Domain name security – part one

Purchasing a domain name has never been easier, but maintaining control and ownership over the long term is often overlooked.

While inexpensive purchase costs are very enticing, if you’re serious about the long term you need to look beyond the initial cost and consider your on-going requirements. Thinking holistically about the service may cost you a little extra, but it pays dividends in terms of peace of mind.

Owners can take measures to protect their domain names against theft and loss, but many measures are not generally known.

Why should I really care about this?

Losing control of your domain name is not an obvious danger when compared to malware, spam or botnets, but it can be just as disruptive, if not more so; in extreme cases the impact can be permanent and fatal for your online presence.

You might think it implausible that the damage could be so severe, but if you’ve purchased a domain then you’ll attribute value to that name, both tangible and intangible. Tangible value increases when people associate a brand with a domain name. Intangible value increases in proportion to the reputation of a domain name. The threats are very real, and can include denial and theft of service, identity or brand theft, loss of revenue and even irrecoverable loss of online business operations.

Still think it doesn’t happen?

Imagine this scenario… your incoming email suddenly grinds to a halt. You discover someone’s transferred your domain name to another registrar without your notice or approval. Your DNS configuration has been modified and your email is being delivered to someone else’s mail server. Days later, your registration is restored, but only after an exhausting, frustrating, uncoordinated and costly incident response effort. Preposterous? It happened to PANIX.COM on 17 January 2005.


Enterprise Security Architect – the start of a meaningful security conversation

One way an Enterprise Security Architect can add real value is by having a more meaningful conversation about security and its role and purpose. More often than not, securing an enterprise is not discussed in a meaningful way with those senior executives who can choose to commission and invest in security transformation.

It seems to me that we’ve forgotten that a meaningful conversation starts with a focus on what ultimately we’re trying to achieve. In the context of Enterprise Security, effective security risk management happens when relevant security objectives are continually and consistently achieved within their agreed tolerances, even in the face of threats within an enterprise’s operating environment.

With this as a foundational view, progress towards a mature security posture becomes measurable in terms of increasing the predictability of consistently achieving the agreed security objectives. Success then becomes defined as the on-going achievement of the security target relating to that objective, and not whether an incident has or has not occurred.

Setting contextual security objectives introduces the recognition that security is not total invulnerability to all attacks, but rather a consciously risk-managed and economically efficient level of vulnerability given competing claims upon business resources. In this sense, security objectives show what the enterprise expects for its information security investment. Or, put a different way, the act of defining security targets also specifies the risk appetite, or the variance tolerance against the objectives.

As a result of such an approach, the enterprise security strategy is then driven by a desired set of outcomes, rather than being driven by the latest technologies, most recent incidents or media-hyped attacks.