Tuesday, January 26, 2010

NEW BLOG SITE

Please follow us now at:

http://secsystems.wordpress.com

Ken

Friday, January 22, 2010

Moving This Blog

After becoming the CEO of True North Security Inc. we have decided to shut down this blog and incorporate security discussions on our new website; www.truenorthsecurity.com which is still under construction. We ask that you check back later and watch our progress.
True North Security Inc. is a provider of Network and security solutions while our team of security experts continues to offer security consulting services as part of our products and services.

Thank you and we look forward to doing business with you in the future.

Sincerely,
Ken Pappas
CEO
True North Security

Monday, November 23, 2009

A Little Bit off The Security Path, But,,

AMAZING! Think of all the people that could have jobs.

Also if I may add, about 6 months ago I was watching a news program on oil and one of the Forbes Bros. was the guest. This is out of context, but this is the actual question as asked. The host said to Forbes, "I am going to ask you a direct question and I would like a direct answer, how much oil does the U.S. have in the ground." Forbes did not miss a beat, he said, "more than all the Middle East put together..." Please read below.

The U. S. Geological Service issued a report in April ('08) that only scientists and oil men knew was coming, but man was it big... It was a revised report (hadn't been updated since '95) on how much oil was in this area of the western 2/3 of North Dakota; western South Dakota; and extreme eastern Montana.... check THIS out:

The Bakken is the largest domestic oil discovery since Alaska's Prudhoe Bay, and has the potential to eliminate all American dependence on foreign oil. The Energy Information Administration (EIA) estimates it at 503 billion barrels. Even if just 10% of the oil is recoverable... at $107 a barrel, we're looking at a resource base worth more than $5.3 trillion.

'When I first briefed legislators on this, you could practically see their jaws hit the floor. They had no idea..' says Terry Johnson, the Montana Legislature's financial analyst.

'This sizable find is now the highest-producing onshore oil field found in the past 56 years,' reports The Pittsburgh Post Gazette. It's a formation known as the Williston Basin, but is more commonly referred to as the 'Bakken.' And it stretches from Northern Montana, through North Dakota and into Canada. For years, U. S. oil exploration has been considered a dead end. Even the 'Big Oil' companies gave up searching for major oil wells decades ago. However, a recent technological breakthrough has opened up the Bakken's massive reserves.... and we now have access of up to 500 billion barrels. And because this is light, sweet oil, those billions of barrels will cost Americans just $16 PER BARREL!

That's enough crude to fully fuel the American economy for 2041 years straight.

2. And if THAT didn't throw you on the floor, then this next one should - because it's from TWO YEARS AGO!

U. S. Oil Discovery- Largest Reserve in the World!
Stansberry Report Online - 4/20/2006


Hidden 1,000 feet beneath the surface of the Rocky Mountains lies the largest untapped oil reserve in the world. It is more than 2 TRILLION barrels. On August 8, 2005 President Bush mandated its extraction. In three and a half years of high oil prices none has been extracted. With this motherload of oil why are we still fighting over off-shore drilling?

They reported this stunning news: We have more oil inside our borders, than all the other proven reserves on earth. Here are the official estimates:

- 8-times as much oil as Saudi Arabia
- 18-times as much oil as Iraq
- 21-times as much oil as Kuwait
- 22-times as much oil as Iran
- 500-times as much oil as Yemen
- and it's all right here in the Western United States.

HOW can this BE? HOW can we NOT BE extracting this? Because the environmentalists and others have blocked all efforts to help America become independent of foreign oil! Again, we are letting a small group of people dictate our lives and our economy.....WHY?

James Bartis, lead researcher with the study says we've got more oil in this very compact area than the entire Middle East -more than 2 TRILLION barrels untapped. That's more than all the proven oil reserves of crude oil in the world today, reports The Denver Post.

Don't think 'OPEC' will drop its price - even with this find? Think again! It's all about the competitive marketplace, - it has to. Think OPEC just might be funding the environmentalists?
Got your attention/ire up yet? Hope so! Now, while you're thinking about it .... and hopefully P.O'd, do this:

3. Pass this along.

Now I just wonder what would happen in this country if every one of you sent this to every one in your address book.
By the way... this is all true. Check it out at the link below!!!
GOOGLE it or follow this link. It will blow your mind.
http://www.usgs.gov/newsroom/article....asp?ID=1911

Saturday, November 14, 2009

Staying Ahead of Network Security Issues

Ken Pappas was interviewed by Enterprise Systems Journal and asked a series of questions regarding new cyber threats and how security managers can stay ahead of it all. Here is the Q & A discussion that we had.

Where should IT focus its attention in protecting network assets, what investments offer the best return, and how can IT avoid common mistakes when developing its security strategy?

With IT budgets under pressure, it's difficult to adopt innovative security solutions. We look at where IT should focus its attention, where to make investments, and how to avoid the biggest mistakes IT often makes in developing its security strategy.

For insight and perspective, we turned to Ken Pappas, President and security strategist at True North Security www.TrueNorthSecurity.com

Enterprise Strategies: Thus far in 2009, we’ve seen the outbreak of the Conficker worm, continued attacks on Web sites (particularly social networks), and continued network breaches across industries. What do you each see as the top threats to network security for the remainder of the year?

Ken Pappas: More of the same, but more creative and stealthier. Hackers are bright people, they study human behavior and adapt to it. You will see more IP enabled devices that hackers will attempt to break into, not just for data theft but also to disrupt our quality of life.

A recent study from Verizon Business found that more electronic records were breached in 2008 than in the previous four years combined, yet new stimulus legislation is pushing health care organizations to upgrade their medical records to electronic form. How will this affect the security of the health care industry and specifically of the medical records? Won't this result in increased hacking against hospitals and medical offices?

The finding of more records breached I feel is false. Laws today require companies to disclose breaches; in the past, this was not the case. Nobody knows for sure how many records earlier were breached because nobody was counting. Today our laws mandate they be disclosed, and keep in mind not all records breached need to be disclosed. You need to be over a certain threshold as I understand it.

Will the movement to electronic health-care records increase the likelihood of a record breach? Sure. New regulations are requiring that any network that is connected to or accessing health-care facilities must also have the same level of security within its network. This is a step beyond what we previously had. Although I feel we are on the right track, we are not out of the woods on electronic record breaches. They will still occur.

We’ve seen increased attention geared toward the utilities industry and the new Smart Grid. What are some of the potential outcomes threats pose and how does this affect the larger scheme of things -- power outages, government regulations?

I can tell you that the reports of power facilities being breached is news that happened a while ago and that our power grids and the networks today running them are very different. I can’t say more, but I am confident that we are not going to see any major widespread power outages in our future. New government regulations have changed the way our power suppliers run and manage their networks, and we have a lot of smart people managing them.

Threats are coming at IT from all directions.

Yes, they are. An argument exists today around inside versus outside threats. Where are most of the threats coming from? Who cares! The fact of the matter is that threats originate both internally and externally. Security needs to address both.

What should IT's strategy be to stay ahead of hackers' next moves and combat all these different entry points, especially given that IT budgets are under extreme pressure lately?

It’s difficult to adopt innovative security solutions when your IT budget is under pressure or when regulations and even your business partners are demanding you have viable security technology in your network.

We understand that older firewall and first-generation IPS [intrusion prevention system] technologies will not protect your networks from tomorrow’s threats. You need to stay current with the newer technologies that are being made available to protect you from tomorrow's threats today.

Where should IT focus its attention, and what tools are "nice to haves"?

I must admit, IT has a tough job and security needs to be considered at all points in the network, tethered and un-tethered. The "end point" is a blur to many of us. Many devices today connect and access data on our corporate networks. Cell/smart phones are part of the network and IT must consider security in any device to protect its network and its data. Although IPS has been around for about seven years, it surprises me that so many enterprise companies either don’t have one or are still using IDS [intrusion detection system] for security. I honestly can’t talk about any security device or technology that I would consider a "nice to have." That decision needs to be made by the CSO in the organization.

IT has been struggling having to manage a variety of security tools and technologies, but it is tough (if not impossible) to integrate these tools. Can you suggest a few best practices, along with a tangible real world example, of how organizations can successfully integrate these elements to improve security and effectively maximize their investments?

I could not agree more. I have seen a lot of smart security solutions on the market, but they are all stove-piped and none is sharing the information or learning from one another.

I think sharing information is the direction we need to move. The industry needs a Security Eco-System, which is a group of vendors willing to share their logs, alerts and other vital information with other security platforms in an open format so that one security appliance can learn what another security appliance just learned and possibly take action.

How can IT know it's getting the most for its money or has made the right investments? Is it possible to over-invest in security?

It’s always possible to over-invest in security the same way it’s possible to over-invest in a car or personal insurance. It boils down to what you are comfortable with and what "risk-avoidance" level you are willing to accept. You can also under-invest and leave yourself open to attacks, business disruption and possible fines.

What are the biggest mistakes IT makes in developing its security strategy?

The biggest mistake I believe IT makes is looking at what it presently has in its networks rather than first identifying what they are trying to protect, then going back and determining if what they presently have in their network for security provides the best level of protection. Back in the early 2000s, the big challenge networks were facing was DDOS [distributed denial of service] attacks. Enterprises went out and bought DDOS appliances. Some companies today still believe their networks are protected because they have this DDOS appliance when, in fact, many new threats have entered the market that a DDOS appliance doesn't guard against.

Another area I see within enterprises is their security policy and when it gets reviewed. When I am invited to deliver a security presentation, I ask the audience: “When do you update or review your security policy?” Some say annually, others say quarterly. I tell them that’s the wrong approach and that a security policy needs to be reviewed when they read the media about a breach and ask “Can this happen to us? Are we protected? Do we need to modify our policy?”

The other approach is to watch for new products or technologies entering the market. Ask yourself, “Does our current security policy cover this? Will this introduce new threats or ways to gain access that we have not addressed?” This is why assigning a date to reviewing your security policy will not work in today’s market.

What best practices can you suggest to avoid these mistakes?

Talk to your peers in the industry. Get educated on what technologies are working and are not. Firewalls were good in their day, but let’s face it -- the hackers have figured it all out and now viruses, Trojans, and malicious content are just flowing in. You need more than firewalls today. If you don’t have a security specialist on staff, hire one. The days of anointing someone who has worked in IT and whom you now consider your security expert are over.

I’ve spent time with a number of very intelligent IT staff individuals, and I frequently ask: “How do you know you have not been breached?” These individuals have a false sense of network and data security, relying on a firewall, IDS, or older IPS they may have. Since none of these devices has picked up any malicious content, they think they are covered.

I would caution all IT: don’t get comfortable with what you have. Take a look at newer, innovative technology and refresh your security as often and cost effectively as you can. We know costs are important, and we know that IT’s mantra is (or should be) “Protect Corporate Assets and Data,” but that's a difficult and daunting task when funding is limited.

IT should also not be lulled into thinking they are protected just because they may have received PCI compliance and certification. Look what happened to Hannaford Food Chain! IT needs to be diligent with data security, educating CxO-level management to understand the risk levels if technology is not adopted or implemented in their enterprise.

That was the end of the interview. We at True North Security can assist you with your security challenges. Drop us an email to start building a secure network for tomorrow's threats today at info@truenorthsecurity.com

Thursday, November 12, 2009

TippingPoint Gets Acquired, AGAIN!

I am sure you have all seen the news today about how H.P. has acquired 3Com and along with that, TippingPoint. Although since the acquisition of TippingPoint by 3Com back in January 2005 (I know this date because I was on the 3Com due-diligence and acquisition team back then), TippingPoint has repeatedly attempted to fool customers and prospects that they were not part of 3Com and that they were a separate company. That's strange because I could never find a 10k or any other financial data on a company called TippingPoint.
As a matter of fact, the "company" called TippingPoint ceased to exist after the acquisition by 3Com.
Here comes H.P. to save what is left of 3Com. I felt it was a poor strategy for 3Com to partner with a Chinese company when most of what I believed 3Com's business was in the enterprise and government accounts. You can't convince those guys you're a U.S. company anymore when you are in bed with the Chinese. AND, it gets even more difficult when you start to sell Chinese made networking gear.
Is anyone paying attention to the news lately about all the data breaches here in the United States? Yup, that's right, most of them are coming from the Chinese. And you think we want to buy our networking and SECURITY gear from them? Hell no!
I felt TippingPoint started to lose its market lead after the 3Com acquisition and now I predict that H.P. will make TippingPoint more an engineering shop than a full fledged business unit.
It was poor enough that Gartner continued to show TippingPoint as a company on the infamous Gartner "Magic Quadrant", when in fact TippingPoint was no longer a company after January 2005. What was Gartner thinking? They don't.
A trend is clear with the networking vendors of the world. Integrate core added value features into their switches, routers and other network infrastructure so that they can cycle out the older networking gear and convince customers that having it all in one box is the way to go.
I don't agree. And let me share my views on this.
While in some environments (Small offices, remote locations) it does make sense for what is termed a Unified platform. The All-In-One. However for the medium to large enterprises, networks and its data are more efficient and better protected when security elements become a wrapper around the network infrastructure.
Some suppliers will say you need to protect your network from attacks. This comes mostly from the IPS Intrusion Prevention System vendors, while others say you need to protect your data because after all, isn't that what we are trying to protect anyways? Not really.
It's BOTH.....
We need our networks protected from malicious content and rate based attacks. What good is protecting your data when nobody can get legal or legitimate access to it? You need to protect your data from being accessed by unauthorized users or being emailed or FTPed to someone that should not be viewing the documents. Some vendors call this Data Leakage Protection.
So these go hand-in-hand as they say. I am a big supporter of IPS and DLP and feel that EVERY network needs to add these technologies to their networks.
The days of depending on your Firewall to protect your network and your data are OVER. The hackers have figured firewalls all out and today I feel they are ineffective.
Gartner touts about a Next Generation Firewall and the great frontier. I don't think it's going to be anything close to a 'firewall' per se, I predict what we are going to see as the next great security platform is something that provides network, data and application protection. You won't get this in a switch or router, it will be an appliance and will start by providing throughput speeds at 10Gig. The next hop will not be 20 or 30Gig. With bandwidth demands going up at a rapid rate and media rich applications driving this need, it won't be long before we require security appliances that hit the 100Gig point.
Will H.P. deliver on any of this? I feel they will be well suited to deliver the all-in-one solutions for the small business users but won't be in a position to hit the higher end or the next-generation security appliance as I have outlined.

Saturday, October 10, 2009

Ken Pappas Leaves Top Layer Security

After what seems a few short years I have decided to leave my full time position as Vice President of Marketing with Top Layer Security.

During my travels and meeting many individuals that are now responsible for their company wide security, I've determined that I can possibly have a greater impact on our country's security if I left Top Layer and started my own Security firm.

I am pleased to announce that I have formed True North Security on October 10, 2009. True North Security provides various security services to companies with the need for outside resources. I have found that many companies realize that today more than ever they require better security of their data and customer assets but can't afford to hire these resources on a full time basis.

True North Security is the solution. Our value add is realized in how we evaluate your network's vulnerability and because of our deep understanding of various security technologies available to you, we provide the highest degree of product and vendor recommendations. Nobody else can provide this type of service. Why? Because we at True North Security come from security vendors that have been selling security technologies. We can tell you what works, where and most importantly what not to waste your money on.

I have seen many companies invest in technology and deploy it in the wrong fashion or invest in technology that I feel would not give you a positive ROI.

Contact True North Security. Give us the opportunity to show you how we can better assess your network and make the right recommendations on how to best protect your network and corporate assets.

Be watching for our website www.truenorthsecurity.com to come on line in the following weeks.

In the meantime please contact us at 978.846.1175 or kenpappas@truenorthsecurity.com

My friends at Top Layer, I wish them the best and I am sure I will not be forgotten.

Thursday, August 20, 2009

DOD's Creation of Cyber Command

Hey I got some input as to what the DoD should be thinking about as they attempt to build out the new Cyber Command. Here are a few suggestions.

First of all what should be the most important initiatives the Cyber Command should look to accomplish by this Fall?


I feel the most difficult to achieve is not the security but rather gaining support and trust of all agencies that will be affected by this. I would aim to first win the support of all agencies and have them become stakeholders in the plan, execution, monitoring and success of the new command.


Do we feel that the Government's overall cyber security plan is becoming fractured with all of the different agencies (and leaders) with disparate goals or is there harmony between all of the moving pieces?


Hey it's our government of course! If this is how it's starting out then each agency is going to have its own mini cyber command and disparate systems once more. This is common within US govt agencies. One of the good things that comes out of this however is that the hackers cannot use the same tactics to gain access to ALL agencies. So following a 'standard' for all agencies might not be a bad strategy.


In the end of it all what should be the most important element to the success of Cyber Command? Funding? Clear vision? Resources? People?


I think they are all important but the priority and sequence is most important. First selecting the right people to undertake this task should come before anything else. Then comes the vision, then strategy how to execute then funding.


"Cyber attacks" has been a subject brought up with the Cyber Command and also by the UK's cyber security head; do we think this should be a prominent and public goal of any government cyber initiative?


Duh what is the Goal? I don't think anyone has figured this out yet. Hence a vision needs to be made and bought in. What are we protecting and from who? Does data loss not fall under cyber attack? Is the Cyber Command so short minded that they are only thinking of bad guys from the outside? Maybe I am needed in Washington. Obama please call me ;-)


And where and what is the most pertinent cyber threat to the United States today?


Depends if you are asking about the ones we hear about or the ones they don't want us to know about? I've presented at many different forums around the world and my biggest fear is not that a hacker or someone with computer skills is going to steal data, it's those individuals that can possibly come together, target a country, and take down its infrastructure that we have become so dependent on.


The DoD Cyber Command is something I truly believe needs to come together and I am glad that we have a President that is thinking ahead on this threat.