On June 13th I posted about the missteps Apple made regarding iPhone Application Delivery for the enterprise. It got several comments to the tune that I was jumping the gun.
I began reading through the iPhone Enterprise Deployment Guide. Here are some interesting points noted in this document that I pulled out while I skimmed through. It says in Chapter 1: “It [iTunes] is also required for downloading and installing software updates for devices and installing your enterprise applications.”
Later on in the same chapter it adds: “If you are planning to deploy enterprise iPhone and iPod touch applications, you install the applications on your devices using iPhone Configuration Utility for Mac OS X or iTunes for Mac and Windows. Once you deploy an application to user’s devices, updating those applications will be easier if each user has iTunes installed on their Mac or PC.”
One positive that I pulled out from the document is that Apple is documenting some registry changes that can be used to help “lock-down” iTunes and limit functionality such as automatic updates and discovery of AppleTV devices. However, it seems that it does not go on to completely prevent Library sharing using Bonjour/mDNS.
Chapter 5 is all about application deployment. Apple seems to confuse the procedure a bit by first saying: “Your users use iTunes to install applications on their devices. Securely distribute the application to your users and then have them follow these steps” and then saying “You can use iPhone Configuration Utility for Mac OS X to install applications on connected devices.”
There is a web version for Mac or Windows of this latter utility, but it is limited only to creating config files for mail settings, application certificates, etc., while the Mac desktop version (Windows version not available) additionally allowed the viewing of log files and application installs. These tools are primarily used for device configuration by an administrator, not by an end-user.
Hopefully Apple will expand the web version of the iPhone Configuration Utility to provide application delivery such that iTunes can be bypassed, or provide more details on how to lock iTunes down further.
One of the commenters asked what my security concern with iTunes was. GNUCITIZEN did a nice write-up on this some time ago, so I figured it's best to link to those:
The lines are still too long for me…but I’ll get there eventually. I am also looking to buy an MBA, but after the last price drop I smell a new version (bigger drive? more memory?) coming. Maybe it's wishful thinking.
There have been a lot of discussions on the typical security podcasts lately regarding security-related certifications, their worth, and their contribution to a career.
Most of the conversation has been around the lack of merit of the CISSP. I heard similar arguments regarding the MCSE in the 1990s. For the most part, those critiques were correct that the MCSE had become a paper certification, largely because of the training centers and their focus on Boot Camps. So in the end, it became a moniker of someone that has at least known most of the marketing pitch from Microsoft at one time. It did however open doors.
Having both these certificates and going through the process to attain them, I wanted to give my perspective on the discussion. I have met a lot of MCSEs through my years (NT4, Win2k, Win2k3) that don’t have a clue how to set up and manage a Microsoft-based corporate infrastructure. The tests and the training do very little to provide that. I would have to say though that the Windows 2003 certificates were better in that they provided design scenarios and such. But the tests were a walk in the park.
The CISSP is a non-technical approach to the security domains. If anyone is expecting a test or certification to cover ten domains and be a technical certification, it is a pipe dream. The CISSP provides a broad basis for a security manager. You aren’t going to jump into doing penetration testing, or designing advanced cryptography from the CISSP, however it is important to understand these disciplines to be a good manager of IT Security or CSO. The CISSP is a living certificate. It is not a point-in-time one like the MCSE or others that I will discuss later. It is the responsibility of the holder to continue his education in order to maintain it. Of course this is a system that can be gamed by the dishonest and I would suspect that these folks would be flushed out in due course.
Many people focus on other security certificates such as the ones done by SANS (link through PaulDotCom on purpose). SANS training is technical training. They work to train their students on specific topics that are timely (I am looking forward to taking some SANS training myself down the road). I think they fill a really big gap in security training. There are critics of SANS in that some of their certifications could be gamed. I can’t comment much on that since I haven’t gone through one myself but, like the CISSP continuing education, I think those folks will get flushed out. There are other training organizations other than SANS but I used them as an example. SANS provides the bits under the certification domains. It's more for practitioners rather than managers.
To summarize, they are fundamentally different types of training and certifications:
SANS is your deep technical in specific topics
CISSP is your broad knowledge in all of the security domains
SANS is for practitioners
CISSP is for managers
SANS is there to teach you a new discipline in security
CISSP is there to give you a broad base so that you can discuss security with others and your team
This isn’t sweet lemons or sour grapes. I’m happy with my CISSP and I’m proud that I did it. It gave me the basis. It’s not for the kid out of school in my opinion. I think you need to learn your stripes in IT or risk management before you do it. It is a career framework rather than job training.
The Indian government wants the encryption keys to allow them to read Blackberry messages with Indian subscribers. According to the article from the IDG News Service:
Under India’s Information Technology Act of 2000, the government has the right, under certain circumstances, to intercept electronic communications for security reasons and in the national interest. Security agencies say that terrorists are increasingly using the Internet and applications such as e-mail to communicate with one another.
To be honest, I’m not sure how I feel about this. Is this different than the debates in the U.S. regarding wiretapping or interception?
Partially it's different. With RIM/Blackberry you can email people internal to your organization or company assuming that the email is on your own server i.e. Exchange/Lotus Notes. Although the email may travel through the ether it is supposed to be encrypted end to end (it may get decrypted and re-encrypted along the way, I don’t remember). With a subpoena, a “tap” could be attached. Of course I’m interjecting U.S. law (I’m not a lawyer).
If the servers are not within their national boundaries, does the Indian government have a legal way to tap into that?
I think at the end of the day, it’s moot. Terrorists and other evil-doers will go to a platform that doesn’t have a middleman that could undo its encryption like using ActiveSync/Windows Mobile or some other encryption method. I’m sure some underground >insert ex-Soviet country name here< hacker has already figured out a way to run Zfone or Tor on a handheld phone.
Dark Reading reports that the Canadian Government issued a report that stated that insecure Wireless Access Points were the method of entry into TJX from Miami Marshall’s stores (http://www.darkreading.com/document.asp?doc_id=134770)
There are going to be a lot of others who will be lambasting TJX (who haven’t already) for this major oversight. But I wanted to touch on a few quick points and lessons learned for others.
Wireless networks are like open network jacks. The obvious one was the use of WEP which may or may not be a rogue AP. A rogue access point is one that was plugged in without authorization and provided a back door into the environment. This is akin to leaving the warehouse door open or having a network connection at each light pole in your parking lot for anyone to plug into. I’m not going to harp on this issue any more than already has been done. If it was a “legit” AP, this was just bad form by the IT department. If you can, implement an enterprise wireless access system based on identity rather than static passwords.
Compartmentalize your environment. By this I mean, carve out your environment into smaller chunks. For example, each branch office or retail store should be treated as a separate piece. In between each piece should be a means to isolate that environment. A submarine would be the analogy. If a submarine is hit, the crew will shut the doors around that area to prevent the water from flowing throughout the vessel.
Implement least privilege. If your clients at a retail location, or branch, or floor, or whatever do not need to have direct access to your database, don’t allow it. Use simple network ACLs, VLANs, physical segments or internal firewalls. There are many products that allow you to do this and provide visibility into the network traffic. If you have the money, look into identity-based computing, i.e. tying the network traffic to the ID of the person producing it, so that they can be profiled and then locked to only go to the places they are allowed to.
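The compartmentalization and least-privilege points above can be checked mechanically against a network ACL. The following is an added example, not part of the original post: the segment names, address ranges, policy and ACL rules are all constructed for illustration, and the audit flags any segment-to-segment path the ACL permits that the policy does not.

```python
import ipaddress

# Constructed addressing plan and policy (assumptions, not from the post).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "store-101": "10.101.0.0/24",
    "store-102": "10.102.0.0/24",
    "app-tier": "10.0.10.0/24",
    "database": "10.0.20.0/24",
}.items()}
# Least privilege: stores reach the app tier only; only the app tier reaches the database.
ALLOWED = {("store-101", "app-tier"), ("store-102", "app-tier"), ("app-tier", "database")}

# Constructed ACL, evaluated top-down, first match wins: (action, source, destination).
WEAK_ACL = [
    ("permit", "10.101.0.0/24", "10.0.10.0/24"),
    ("permit", "10.102.0.0/24", "10.0.10.0/24"),
    ("permit", "10.0.10.0/24", "10.0.20.0/24"),
    ("permit", "10.96.0.0/12", "10.0.20.0/24"),    # broad rule that also covers every store
    ("permit", "10.101.0.0/24", "10.102.0.0/24"),  # store-to-store path: no bulkhead
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
# Corrected ACL: the broad database rule and the store-to-store rule are removed.
HARDENED_ACL = [r for r in WEAK_ACL if r[1] != "10.96.0.0/12" and r[2] != "10.102.0.0/24"]

def effective_action(acl, src_net, dst_net):
    """Return 'permit' if any part of src_net can reach any part of dst_net."""
    for action, src, dst in acl:
        r_src, r_dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not (r_src.overlaps(src_net) and r_dst.overlaps(dst_net)):
            continue
        if action == "permit":
            return "permit"
        # A deny only ends evaluation when it covers both segments completely;
        # a partial deny is skipped, which errs toward reporting a path.
        if r_src.supernet_of(src_net) and r_dst.supernet_of(dst_net):
            return "deny"
    return "deny"  # implicit deny when no rule matches

def audit(acl):
    """List (source, destination) segment pairs the ACL permits but the policy does not."""
    return sorted(
        (s, d) for s, s_net in SEGMENTS.items() for d, d_net in SEGMENTS.items()
        if s != d and (s, d) not in ALLOWED
        and effective_action(acl, s_net, d_net) == "permit"
    )

if __name__ == "__main__":
    for src, dst in audit(WEAK_ACL):
        print(f"policy violation: {src} can reach {dst}")
```

Running the same audit on every ACL change catches a broad permit before it quietly reconnects a store segment to the database.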
Control Internet access. This is no longer just a productivity and liability concern as it was in the past. Bad and insecure sites can be avenues to compromise your environment. If your bank tellers are connecting to your online back office systems while they are browsing myspace…bad things happen.