Simplicity makes security easier

August 15th, 2009

Mubix posted a short bit titled “Simplicity is Security” and I wanted to add my $.02 to the idea. I think this statement is actually a good thing for people to consider. The premise of the article, as I saw it, was that the simpler a system is or the simpler a civilization lives, the more secure it becomes. This is somewhat based on the difficulty of subverting the security measures built into simple societies and also based on the idea that a simple life has little value if compromised to the public at large.


Reducing Risk vs. Increasing Security, not exactly the same

July 17th, 2009

In our jobs as security professionals we are asked to do two things which are often looked at as one and the same – “secure the organization” and “reduce risk”. I think a lot of security folks think of what they do as “making the organization more secure”, but I’d like to take a second look at that and argue that if you are doing only this, you might not actually be reducing risk.


USB Keys & Metasploit for fun and profit

July 9th, 2009

There are a million ways to create a malicious USB key – here is one more, which may or may not already be out there. In recent tests this worked pretty well on PCs running XP; Vista and Windows 7 appear more dicey.

In conducting some recent tests I needed something that was a bit more likely to get the data I need and less likely to get picked up by virus scanners. This article describes a combination of techniques to achieve a USB key that operates silently and remotely, so that recovering the key is not required to know who inserted it or to gather data from their system. The attack focuses on Windows as the easiest platform to attack and leverages the capabilities of the SanDisk U3 USB key and a meterpreter binary.

I’m using this for awareness training but you can use your imagination to come up with other options you can try out with permission.


Re-tooling your infosec

July 5th, 2009

For the last year I’ve had a full-time gig building the InfoSec program at a small company. This is a company that had no prior security program and needed to have one built. Looking back on the last year, there were a few things I did right, but plenty of things that didn’t go as expected. At the risk of putting my annual review out here for public scrutiny, let’s talk about what I’ve learned and make some fun of us security professionals… at my expense.


Communicating securely in Repressive Environments

June 24th, 2009

A very thorough and informative post from Patrick Meier about steps to take to protect sensitive data in repressive environments. This information isn’t only applicable if you are operating under a repressive regime, though; much of it is worth considering for any highly confidential data.

How to Communicate Securely in Repressive Environments


How becoming more civilized makes us less secure

May 20th, 2009

InformIT just published an article from Chris Nickerson which describes some of the training we inherently receive in life. You are taught things like “If you don’t have anything nice to say, don’t say anything at all”, which are intended to make society as a whole function better and make everyone nicer to each other. This works great until someone chooses to exploit your concern about being rude and puts you in a position where you should question them, but are not likely to do so. Read the article; it’s 5-10 minutes and gives a great perspective on the risk associated with these mindsets. Chris makes the point that while Disney films have had a large impact on telling life lessons which promote better relationships between people, those same lessons weaken our ability to question that which doesn’t seem quite right. The maintenance guy you have never seen before, the phone call that doesn’t sound quite like the CEO, or that email that looks legitimate but has something wrong. You want to question these things – but do you?

BT Study: Penetration testing strong focus for enterprises this year

May 6th, 2009

This article at DarkReading points out that a report from BT on ethical hacking, planned for release later this week, provides some interesting statistics on corporate spending on penetration testing. This all looks like good news to me – a few statistics stood out:

Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week.

This is not good on the surface, because clearly we aren’t doing a very good job at security if that many organizations expect to get hacked. On the other hand, it is great to hear that so many organizations acknowledge that the threat exists and are being more realistic about the high probability of an attack.

The first step is to acknowledge you have a problem.

Also this bit:

Around 60 percent of organizations have budgeted for pen testing, while around 38 percent have not, the study found. Nearly 70 percent allocate 1 to 5 percent of their security budgets for pen testing, 17 percent allocated 6 to 10 percent, and 2 percent set aside 20 percent.

So it’s making it into the budget and is becoming part of the standard security regimen.

The remaining question that I didn’t see addressed in this article is how many organizations have developed remediation plans, prioritize the problems found in the pentest, and actually get things fixed. It’s great to know your vulnerabilities, but if we want to move that statistic from 94 percent down below 50 percent we need to start fixing those problems and keeping new ones under control.

Sounds like some good progress is being made.


Exotic Liability Podcasts – go listen

May 4th, 2009

If you haven’t already, check out the new batch of podcasts over at ExoticLiability. Chris Nickerson, Ryan Jones and DJ Jackelope are putting on what is currently the most down to earth security podcast in existence. The latest, Episode 12, includes an interview about the upcoming version of Kismet with Mike Kershaw.

Topics cover everything, including current events and trends, new tools, social engineering, and even a manhunt or two. They normally have a guest and then discuss other topics that are relevant at the time. It’s a good show and they’re fun folks to listen to. Take a break and hang out with them – if only virtually.


Swine flu creating zombies?

May 2nd, 2009

According to this BBC article, some swine flu victims have shown “zombism”-type behaviors post-mortem. From the article:

After death, this virus is able to restart the heart of its victim for up to two hours after the initial demise of the person, where the individual behaves in extremely violent ways from what is believed to be a combination of brain damage and a chemical released into the blood during “resurrection.”

I particularly like the 4th bullet under the “Symptoms – what to do” section:

If you feel yourself passing away, then notice your strength and vigor returning at an alarming rate, please attempt to restrain yourself to prevent infection and harm to others.

Remember, if you are going to turn into a zombie – do try to restrain yourself.

btw folks – this is silliness


“Security made easy…” – This trend troubles me

April 28th, 2009

This year at the RSA Conference a few things showed up for me. First was the real lack of value the conference brings to anyone who is truly interested in security for the sake of making things secure. RSA is jam-packed with vendor presentations, flashy displays, and watered-down keynotes. I walked away wishing I could get my money back. The networking opportunities are OK, but you never know what you are going to get – could be someone who does security, could be a sales executive, could be Joe Sixpack. I’m seriously looking at where else I can invest my own and my company’s money for those few events we attend each year.

The second thing that showed up for me was how many vendors advertise that their product will make compliance easy. Do people really buy this stuff? Coming from my perspective, a relatively new InfoSec guy in a smaller organization that has never had a formal security organization, there is nothing easy about compliance. I’m sure all these products do their part to make the laborious task of collecting data, auditing data, and enforcing controls a little easier – but do they make the entirety of compliance with something like PCI or SOX easy? You know the answer. What about making things secure!? Is that any easier?

What I saw very little of at RSA was companies who make testing easier. Testing and education are such a small part of these shows but such a huge part of making security successful. I say this because it makes sense to me, not because it makes anything easier. Testing, training, and planning are all challenging things and not always all that exciting. It’s hard to have a 50′ booth with 1000 square feet of carpet dedicated to testing and education programs. People don’t buy that – but they should. At the end of the day, it’s your receptionist, your engineers, and your janitor who have a better chance of keeping your secrets from walking out the door than your firewall. There are definitely tech solutions which are important and do good things. Defense in depth is important – but don’t forget about the decision makers: the folks who can ask “Who are you? Why are you here?” when someone is where they shouldn’t be, and the ones who can question that phone call they just got and look for additional validation.

Checking a box saying you’ve done the right thing and an auditor has observed evidence of that fact is a good thing, but it’s not all there is – you aren’t done! I just hope people see through the hype of a show like RSA and realize security is about more than managing a massive infrastructure of tech tools.
