Saturday, September 3, 2011

Would You Bet Your Life On It? Or Your Company?

It has been said that Information Security is Risk Management, and I agree with that. For any given situation, you have to identify vulnerabilities and threats (i.e., "risk"), determine ways to mitigate these, and assign some value to that final level of risk. If that value is gauged to be acceptable to the organization (even if it's your family) then you move forward. But this isn't (or shouldn't be) limited just to Information Security groups - as I mentioned above, the same principle applies at home, on the road, and should also be in the minds of those not actively engaged in InfoSec positions. We live in a time and place in which threats abound, and Information Security is also not about saying "No" to everything; it's about figuring out how to say "Yes" where it's appropriate, and figuring out ways to reduce the risk (this also applies at home, on the road, with our kids, etc.).

To keep this from being a totally pensive piece, I'm going to bring it back into the context of the work we do daily. As many of you are aware, a few months ago I experienced an abrupt change in job status, while working in digital forensics consulting. I'm still in a bit of a limbo situation (no, not dancing), but am working a contract gig doing information security. While there are business types that are defined as more at risk of cyber attacks due to industry, I think it should be obvious to everyone by this point that we're ALL under attack. I hear people say things like, "Well, we've never been breached, why do you think it would happen to us?" To that I respond, "You've never been breached? How do you know? Can you prove it?" I personally refer back to Dmitri Alperovitch's statement when talking about Shady Rat that in general he divides companies up as those that know they've been breached, and those that don't yet know.

So what's my point? Well, I'm getting there, albeit a little slowly. My point is that I think people today should have a general awareness of security risks, and that this should occur organically (i.e., without having to be told). Even granted that mainstream media doesn't talk about APT, and only mentions the smallest percentage of places that are breached and lose integral control of their data, the info that does get out there should be sufficient. And yet, time and again, people buy cardboard iPads and MacBooks from criminals in gas station parking lots, fall prey to Nigerian email scams, and even fall for fake IRS emails that install malware. But, even if common folk aren't hip to the threat, those in the IT industry will be, right? After all, they've all had to clean up after someone, they follow "geek" news not just mainstream, so they at least will get the fact that there are very real threats out there. Sadly, no.

I was at a presentation recently where a guy who's been working in InfoSec for 20 years told a story about his wife opening one of those IRS emails and following the link. She even put in her social security number when prompted. Then she complained of her computer acting strangely, and told him what happened. He "cleaned" the system by running a scan with an off-the-shelf antivirus/antimalware product, and went on, embarrassed that his wife had fallen prey to a scam. His opinion was that the situation was remediated. Really? You ran an AV scan and that's it? Did you analyze RAM, check network traffic, credit report activity, or do any investigation at all? Nope, just ran an AV scan and called it a day. Wow.

And recently at work we had an internal server that allows certain users to perform certain tasks return odd results for one user. It was on a Monday morning, and results for that one user all appeared to be in Chinese. Do what? Yep, and just for that one user. We approached the admin about the situation, and as it turns out, on Thursday afternoon of the prior week, the admin for that server had installed some new patch rollups. Patch rollups, not fruit rollups. He felt it was probably related to the patches, as opposed to a compromise. Ok, sounds reasonable, but we still needed to play it safe. We pulled volatile data from the machine and started going through that while the admin investigated the patch scenario. We were quickly informed that the patches were to blame; the admin uninstalled and reinstalled (along with a few more), and said everything was good to go (yes, I realize evidence could've just been stomped on). And indeed, it appeared to be fine, and the explanation made sense.

But we asked some followup questions nonetheless, and were greeted with the following response (not an exact quote): "I understand you think you're doing your job, but it was the patches, and it's been fixed. I have a lot of things to do, and don't have time to continue wasting on something that's been resolved." Wow, really? Our boss got involved, and there were some additional conversations...

My question when we received that response was, "Sure, it looks like that's what happened, but can you prove it 100%? Would you bet your life on it? Would you bet the company on it?" Because in essence that's what you're doing by turning and walking the other way, and if you're not willing to bet it all, it's probably the wrong answer. No root cause analysis, and with all the companies falling victim to basic compromises, and allowed to bleed data for who knows how long, and you're willing - as an intelligent IT admin - to say that a system which was serving up Chinese characters is good to go, because of a patch? That seems like a bit of a blind risk. It would have taken so little time to go through our followup questions and answer them, and that would have helped shed great light on the situation, to give us all more peace of mind. I guess I shouldn't be surprised, though. And even if I become so jaded that I'm no longer surprised, I think I still get to be disappointed. ;)

Do I have a solution? I wish I did, but I don't. I understand that education is paramount, but I think it takes more than that. I think it takes an awareness and understanding that there is a clear and present danger (er, threat), and a desire to be part of the solution, rather than part of the problem. And that's what I think is lacking - the desire. The IT guy should already have the knowledge, and the InfoSec guy should have the knowledge. And those are just two examples; I could also talk about the IR guy who has no problem - doesn't even give it a second thought - connecting his laptop up to public wireless. Do we just get complacent and lazy as humans? Or is it that some of us aren't driven and determined to make a difference, and are just trying to get by until it's time to go?

Well, I think that's about all I have. I do want to take a moment to say that there are a lot of folks out there who are driven and determined to make a difference. Just take a look at the blogs I read, for a very small selection. I don't really do the #FF thing on twitter, but I'll give a shout out to Lenny Zeltser as I find his blog extremely practical and helpful. I don't think a post goes by that I don't get something very useful out of it. Thanks for sharing!

For those in the US, have a wonderful Labor Day weekend! For everyone else, get back to work! :) And since our attackers don't honor holiday weekends, be alert; we obviously need more good lerts! :D
