Linux security: KSE over SELinux

By |December 31st, 2015|KSE|

KSE and SELinux comparative (Archive resource). This post is a revisit of a KSE vs SELinux comparative paper from ~2008. KSE is user-friendly and cost effective, but is the protection equivalent, and more, of SELinux. KSE features such as automation of labelled security and elimination of ACLs reduce overhead by roughly 2 orders of

Security trust models: Secrecy and MLS

By |December 20th, 2015|Insider threat, KSE|

The need for MLS. KSE uses algebraic modelling to run trust models, such as the secrecy or confidentiality model known as the Bell-LaPadula Model, on common, commercial systems (read: untrustworthy). Bell-LaPadula is the basis for multi-level security, or MLS, which focuses on data confidentiality and controlled access to classified information. The confidentiality arm of

Security D’oh!-No: VTech-It’s the optics!

By |December 12th, 2015|KSE|

Even though VTech probably didn't intend any harm to customers, its reputation has received a black eye in the court of popular opinion. It stored images and chat records between kids and parents, which have been accessed, along with over 5 million customer records, by a hacker. The optics - just the perception... of

Security owners speak the language of the business

By |December 6th, 2015|Insider threat, KSE|

Owner-centric security helps alignment. Summary points: It's suggested that distributing security staff in business units will help them learn to speak the language of the business, and aid collaboration and alignment. KSE has always used this approach in its model, but is owner-centric as opposed to object- or subject-centric. The security owner, or head of a business

Security vendors: root(ed) of assurance?

By |December 1st, 2015|Insider threat, KSE|

Source code: integrity, assurance guarantees? In this post: Efforts to produce quality software used in offerings become moot points if attackers can access and tamper with source code, perhaps inserting back doors. Security offering source code invokes integrity and assurance issues. Any breach can lead to multiple others, leading to a breach event chain.