This was from a post I did on another blog at (http://feeds.feedburner.com/~r/Riskanalysis/~3/173775219/):
The lesson I have taken from history is that in the beginning security was real and tangible. Systems were in essence static and well defined boundaries with known inputs and outputs. If you wanted to use a mainframe in the 1970's you pretty much had to be hard wired into the system to access it. (Rare cases of dial-in which we all remember Capt Jack and the War-Dialers; which focused on long distance calling)
We are all stuck with management that grew up in that 1970's Era and who still thinks in those terms that information processing systems can still be defined, managed, and controlled. Let's face facts folks; most of us are subordinate in our organizations and rightfully so. We, the security practitioner, serve the greater good of our respective organizations. So we will always be in some form of conflict to whom we serve because of blissful ignorance, incompetence, and funding.
But let's look at the core driver in all this mess. That being change. Without change security is possible because all the known variables can be accounted for and performance can be tracked and reported with real confidence. Over the past 30 years the rate of change has increased at an exponentially faster rate. The time that a information processing system used to input and output data and the amount of data compared to what is possible today are night and day. Another way to put it would be the transformation of war from static Napoleonic warfare with fixed positions, static lines, and Aristocratic rules of engagement to what we see on the streets of Bagdad (Urban Gorilla Warfare).
So it is impossible, unless we all collectively agree to step back in time, to say that anything is secure. We are not g@ds who can see all things all the time. We are but men (and women folk) who only know what we know and are faced with the daily challenge of managing change. Those changes are forced by people who do not understand themselves, the changes they make, or the very technology they control. What makes this dangerous for us all living in an open and free society (USA) is that we are all connected now in some way and that the culture of indifference to one another and to just being responsible means that most of the management I have been exposed to doesn't want to be enlightened. They want to punch the clock, make the next bonus, and go home to an empty and meaningless life.
I write this with the conviction that if those in power, not us, truly understood even the concept of change/risk management we would not be having this discussion because folks would be taking systems offline faster than a car goes around the Indianapolis 500 track.
Fore these are the folks who ask "What do you mean I can't send company/government data to my Yahoo/Google/Hotmail account?" with the rational that "It's my email account and I have a good password so it's "secure" from other people getting to it" while exposing the organization to loss of confidentiality because the financial expense reports for 3000 employees just got broadcast over the internet (Which BTW breached privacy as bank account information could be included in expense reports for reimbursement.)
I used to believe in technology and had faith that people were essentially "good" but have come to a place where I see time and time again that people aren't "good" (which is not to say they are evil) but that most of the population is blindingly ignorant of even the most basic things and that compounding that blindness is the culture of indifference which dooms us all to a never ending cycle of pain (Hamster wheel of Pain). I also don't believe in technology as the "silver bullet" because who drives technology; Management Marketing type folks who sell, over promise, and under deliver. Always pushing developers and engineers to deliver half baked products because the "vision" is never in line with the reality. No one can honestly say that a single product out of the box can effectively manage the core issue without significant overhead and investment in tuning the product to environment.
Bottom line: There is no silver solution anywhere, just lead shot, and we are using slings when what we really need is semi-automatics. To truly solve the problem of "security" within the information processing world is to say that change stops now; which is impossible. To truly solve the problem of security we don't need to continue to escalate the "logical arms race" with better and better technology because that cycle feeds itself with attack v counter-attack; we need to transform the expectations of the people we serve.
By making the world understand that if you want to continue the culture of instant everything while paying next to nothing, from a dollars and sense perspective, that you choose to give up something far more valuable than mere money; you give up your ability of choice. So unless we slow down, accept less convenience, and choose to understand our world a bit more we are all exposed, vulnerable, and essentially naked to anyone who seeks to do us harm. Hence those of us who ride out (in our office chairs) keeping watch will be forever shackled to the hamster wheel of pain.
V/r PZ
Thursday, October 25, 2007
Wednesday, October 24, 2007
Three Laws Strong - Rules to Live by
Rules that all Information Security practitioners should follow.
1. An Cyber Security Professional (CSP), or anyone one assigned information security responsibilities, may not injure a human being or, through inaction, allow a human being to come to harm.
2. A CSP must obey orders given by customer, client, or senior manager except where such orders would conflict with the First Law.
3. A CSP must protect its own existence as long as such protection does not conflict with the First or Second Law.
If it's good enough for AI then it's good enough for me; eh?
1. An Cyber Security Professional (CSP), or anyone one assigned information security responsibilities, may not injure a human being or, through inaction, allow a human being to come to harm.
2. A CSP must obey orders given by customer, client, or senior manager except where such orders would conflict with the First Law.
3. A CSP must protect its own existence as long as such protection does not conflict with the First or Second Law.
If it's good enough for AI then it's good enough for me; eh?
Labels:
Cyber,
Cyber Law,
Ethics,
Information Security,
Law,
Three Laws
Private Patriots or Just Plain Mercs?
While the topic of contracting out the US Army and Marines to former Army personnel and the "others" who join private "security" firms seems to be well established what I find new and interesting is the extent to which these private security firms are being used today by the US Federal Government.
It was the role of the US Marines to provide protection for the State Department but with all but a few good men spoken for patrolling the streets of Bagdad the void had to be filled some how. In Viet Nam that void was filled with a Draft. The simple fact then as is now is the reality of an all volunteer force is we are limited in what we can do from a tactical and strategic perspective because we do not have the man power to support every goal.
If you have an all volunteer, or all recruited, force then it does not become possible to say that we can maintain two fronts (or three, four, five, etc). Military history shows time and time again that no matter how powerful the army without the logistical support being in place to sustain and protect the rear areas of the theater the battle may be won but the war will be lost.
What we have really lost here is sight of what is really going on and I find it distasteful at the least; that being politicians using US Taxpayer money to buy themselves out of a political nightmare. That nightmare simply said is the avoidance of a Draft through the use of private armies.
This brings into the fold a new challenge for DoD and other sensitive systems that support warfighting. While it is well known that contractors provide IT support. (Including myself) There has always been a separation of duties. The clear oversight and practice of least privileged I believe has ensured operational security and mission success.
Outsourcing our core military capabilities is wrong, demoralizing to the warfighter (who is often on food stamps), and dangerous to national security. Limited use of physical security contractors here in the United States is fine but putting Mercenaries on the ground in a hot LZ is a different story all together.
If we can't secure the peace we haven't won the war. The worst part is that why should any 18 year old choose to go into the Army and earn $18000 a year when they can go to a private firm and make $30k to start (Much more if you have experience).
It all comes back to "Trust but Verify" because physical and cyber security are the same thing and depend on one another without the ability to separate either one. So the next time you think about outsourcing think about the additional risk you are accepting before you pop the champaign and celebrate how much you think you just saved. BTW - The latest estimates on the cost of operations in Iraq and Afghanistan are over 2 trillion dollars by 2010. Back in 2002 the total cost was projected at only 500 billion and most of that was going to be paid for by a eager democratic Iraqi government from the oil reserves. Moral of the story there is that nothing, and I mean nothing (Security Tools, Firewalls, Vendors Promises) is what it appears.
Sounds hypocritical coming out of my mouth since I am technically a "vendor" but I do apply the same standard to myself as anyone else. In that I apply the three fundamental laws of AI.
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey orders given to it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Vendors in principal follow the same logic. As a business you would not do anything that would harm the business. However we are here to provide service to the customer and as such much obey. But we should not obey orders that would break the first law.
Oh hell this is good for another post.
It was the role of the US Marines to provide protection for the State Department but with all but a few good men spoken for patrolling the streets of Bagdad the void had to be filled some how. In Viet Nam that void was filled with a Draft. The simple fact then as is now is the reality of an all volunteer force is we are limited in what we can do from a tactical and strategic perspective because we do not have the man power to support every goal.
If you have an all volunteer, or all recruited, force then it does not become possible to say that we can maintain two fronts (or three, four, five, etc). Military history shows time and time again that no matter how powerful the army without the logistical support being in place to sustain and protect the rear areas of the theater the battle may be won but the war will be lost.
What we have really lost here is sight of what is really going on and I find it distasteful at the least; that being politicians using US Taxpayer money to buy themselves out of a political nightmare. That nightmare simply said is the avoidance of a Draft through the use of private armies.
This brings into the fold a new challenge for DoD and other sensitive systems that support warfighting. While it is well known that contractors provide IT support. (Including myself) There has always been a separation of duties. The clear oversight and practice of least privileged I believe has ensured operational security and mission success.
Outsourcing our core military capabilities is wrong, demoralizing to the warfighter (who is often on food stamps), and dangerous to national security. Limited use of physical security contractors here in the United States is fine but putting Mercenaries on the ground in a hot LZ is a different story all together.
If we can't secure the peace we haven't won the war. The worst part is that why should any 18 year old choose to go into the Army and earn $18000 a year when they can go to a private firm and make $30k to start (Much more if you have experience).
It all comes back to "Trust but Verify" because physical and cyber security are the same thing and depend on one another without the ability to separate either one. So the next time you think about outsourcing think about the additional risk you are accepting before you pop the champaign and celebrate how much you think you just saved. BTW - The latest estimates on the cost of operations in Iraq and Afghanistan are over 2 trillion dollars by 2010. Back in 2002 the total cost was projected at only 500 billion and most of that was going to be paid for by a eager democratic Iraqi government from the oil reserves. Moral of the story there is that nothing, and I mean nothing (Security Tools, Firewalls, Vendors Promises) is what it appears.
Sounds hypocritical coming out of my mouth since I am technically a "vendor" but I do apply the same standard to myself as anyone else. In that I apply the three fundamental laws of AI.
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey orders given to it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Vendors in principal follow the same logic. As a business you would not do anything that would harm the business. However we are here to provide service to the customer and as such much obey. But we should not obey orders that would break the first law.
Oh hell this is good for another post.
The new Iron Curtain...
Wars have been started for less; eh? Could the breakdown of political and other institutional support for interconnected systems mean a regression back to the stand-a-lone systems if governments do not enforce some moniquire of civility and common sense with regards to companies and individuals that operate within their borders?
Shadowy Russian Firm Seen as Conduit for Cybercrime
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
By Brian Krebs
washingtonpost.com Staff Writer
Saturday, October 13, 2007; A15
An Internet business based in St. Petersburg has become a world hub for
Web sites devoted to child pornography, spamming and identity theft,
according to computer security experts. They say Russian authorities
have provided little help in efforts to shut down the company.
The Russian Business Network sells Web site hosting to people engaged in
criminal activity, the security experts say.
Groups operating through the company's computers are thought to be
responsible for about half of last year's incidents of "phishing" --
ID-theft scams in which cybercrooks use e-mail to lure people into
entering personal and financial data at fake commerce and banking
sites......
Shadowy Russian Firm Seen as Conduit for Cybercrime
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
By Brian Krebs
washingtonpost.com Staff Writer
Saturday, October 13, 2007; A15
An Internet business based in St. Petersburg has become a world hub for
Web sites devoted to child pornography, spamming and identity theft,
according to computer security experts. They say Russian authorities
have provided little help in efforts to shut down the company.
The Russian Business Network sells Web site hosting to people engaged in
criminal activity, the security experts say.
Groups operating through the company's computers are thought to be
responsible for about half of last year's incidents of "phishing" --
ID-theft scams in which cybercrooks use e-mail to lure people into
entering personal and financial data at fake commerce and banking
sites......
Sunday, October 14, 2007
Apple's time to take the spot light... may not be so bright.
I was browsing the net for intel on the Iphone, I want one, and it struck me that there is a hidden issue here for Apple and one that I hope to g@d that they have considered; security.
Information security has been touted amongst the Apple set as one of the corner stones of the product lines. After all “get a Mac” means not having to deal with the viruses and problems PC’s have to deal with every single day. Right? We all know that OS X is based on a flavor of BSD-UNIX and that the Iphone has been reported to be based of OS X. I’m confidant that the folks at Apple changed the core kernel and locked it down enough to withstand the casual attack. Here’s the rub though. Apple for as long as I can remember, or since Microsoft stole the GUI from them, has been in a “niche” of the IT world.
Creative folks love Apple and won’t use PCs. People with more money than they know what to do with and want something in there home office or living room that looks drop dead gorgeous get Apples. Until this point in time I would say it is safe to call Apple the Porsche of the IT world. Sure the Ipod enjoys a market share of the portable music world but now we are getting into something entirely different with the introduction of the Iphone. Until now our Ipods were essentially stand alone systems with the overarching security controls of our PCs and Macs offering some protections. (I say this in all optimism that folks that use PCs actually do some form of security even though I know this not to be true, and am in all forms, in a complete state of denial, as to the pure insanity and ignorance that is the general computing population, with regards to the absurd idea that computing without a firewall and antivirus program is “ok”.)
Now that I have that off my shoulders. Back to the issue at hand. Until today Apple has not had the market footprint that PCs and their peripherals have enjoyed (including smart phones). If Apple is as successful as predicted with regards to the Iphone, and they most likely will be, what are the consequences of an Apple OS having the same profile and therefore the same market footprint as its windows nemesis?
I put forth that Apple is now fair game for Malware, viruses, and any other threat agent out there that can take advantage of the Mac OS running on the Iphone. Imagine millions of Iphones infected and performing “drunk dialing” of fee based porn sites or phone spoofing. Any time you tie a possible revenue stream to a device that is interconnected with the cloud you invite the current generation of organized crime based crackers to get cranked up and figure out how to milk this cow for every dollar possible.
And boy there could be millions made from exploitation of Iphone. Consider this theoretical model.
1) Hack a week server at a data hosting or web hosting company and setup a pay porn, or any other fee based site, with PayPal as the money channel to an offshore account.
2) Buy three Iphones. One for destructive testing, One for regression testing, and one for final testing. (Cost $1600 bucks)
3) Either you are the mind bending cracker or you find one and get to work on finding the exploit. Lets say for this deal your going all out and don’t want to get caught. You go to a local computer shop, pay cash, and buy three decent laptops with enough horsepower to get the job done. (Cost about $2000 avg.)
4) Load them up with your favorite flavor of BSD-UNIX and some VM ware that you cracked.
5) Destroy one Iphone to figure out how the thing is built and where the “guts” of the box are.
6) Extract the OS, date files, etc and start regression testing. Figure our how they interoperate with the data network. (What ports and protocols are used.)
7) Find the exploits (Everyone has them and if any one tells me that Apple has closed all the holes in a “just works” environment I have some land to sell you.)
8) This is where the real fun begins. Let’s say it takes you four months to crack the box and devise a way to get all the Iphones in the world to go to your website. Or better yet dial your international 900 number in a country with no extradition treaty. (Better yet a country that just doesn’t have the resources to find you or track you down.) Cost of living in a third world country per month 300 bucks if you don’t want to attract attention to yourself. I hear Africa is dirt cheap and they have bandwidth.
9) Finally you have you ingenious crack and your ready to unleash it on the world. Buy one round trip ticket to Asia, you know there going to eat this Iphone alive, and deploy your malware. So if you deploy 1 year after the release of the Iphone and there are an optimistic 2 million Iphones sold, all interconnected to the cloud, going to your site, or dialing your numbers, at an conservatively imaginary .25 cents (US) an hour and you are able to run for 24 hours before Apple figures out the game is afoot and closes you down how much do you think you could make?
(2 Million Iphones) X (.25 cents an hour) X (24 hours) = $12,000,000 !
Not bad for an investment of a few months time and just under $5000.00 (US). What’s your price? We all have one and 12 million is a lot of reasons to bring everyone that has been working on the Microsoft world to come over the fence and play. One of the reasons Apple has been, well secure is that their hasn’t been the critical mass of targets needed to justify the risk, time, and cost. Iphone has the potential to shift the paradigm and offer a target rich environment that could yield the kind of monetary incentives we are seeing as the principle motivating trend in the cracker community.
I hope apple is ready for the spotlight because if Iphone and Macs share the same platform any security flaw that is exposed on Iphone could be applied to the Mac and the population that depends on it.
Finally I shudder to think what will happen when these devices make it into the US Government space. I am not aware of any single policy that deals with a device that has this level of connectivity in a single unit. Governments around the world are going to have to meet this new level of integration head on if they are to understand and mitigate the risks that this devices posses to their information data processing environments.
Sleep well knowing that somewhere out there are folks who have already dreamed this up and can't wait to get there hands on the Iphone not because it is shinny and cool but because they see a ton of money waiting to be taken.
Information security has been touted amongst the Apple set as one of the corner stones of the product lines. After all “get a Mac” means not having to deal with the viruses and problems PC’s have to deal with every single day. Right? We all know that OS X is based on a flavor of BSD-UNIX and that the Iphone has been reported to be based of OS X. I’m confidant that the folks at Apple changed the core kernel and locked it down enough to withstand the casual attack. Here’s the rub though. Apple for as long as I can remember, or since Microsoft stole the GUI from them, has been in a “niche” of the IT world.
Creative folks love Apple and won’t use PCs. People with more money than they know what to do with and want something in there home office or living room that looks drop dead gorgeous get Apples. Until this point in time I would say it is safe to call Apple the Porsche of the IT world. Sure the Ipod enjoys a market share of the portable music world but now we are getting into something entirely different with the introduction of the Iphone. Until now our Ipods were essentially stand alone systems with the overarching security controls of our PCs and Macs offering some protections. (I say this in all optimism that folks that use PCs actually do some form of security even though I know this not to be true, and am in all forms, in a complete state of denial, as to the pure insanity and ignorance that is the general computing population, with regards to the absurd idea that computing without a firewall and antivirus program is “ok”.)
Now that I have that off my shoulders. Back to the issue at hand. Until today Apple has not had the market footprint that PCs and their peripherals have enjoyed (including smart phones). If Apple is as successful as predicted with regards to the Iphone, and they most likely will be, what are the consequences of an Apple OS having the same profile and therefore the same market footprint as its windows nemesis?
I put forth that Apple is now fair game for Malware, viruses, and any other threat agent out there that can take advantage of the Mac OS running on the Iphone. Imagine millions of Iphones infected and performing “drunk dialing” of fee based porn sites or phone spoofing. Any time you tie a possible revenue stream to a device that is interconnected with the cloud you invite the current generation of organized crime based crackers to get cranked up and figure out how to milk this cow for every dollar possible.
And boy there could be millions made from exploitation of Iphone. Consider this theoretical model.
1) Hack a week server at a data hosting or web hosting company and setup a pay porn, or any other fee based site, with PayPal as the money channel to an offshore account.
2) Buy three Iphones. One for destructive testing, One for regression testing, and one for final testing. (Cost $1600 bucks)
3) Either you are the mind bending cracker or you find one and get to work on finding the exploit. Lets say for this deal your going all out and don’t want to get caught. You go to a local computer shop, pay cash, and buy three decent laptops with enough horsepower to get the job done. (Cost about $2000 avg.)
4) Load them up with your favorite flavor of BSD-UNIX and some VM ware that you cracked.
5) Destroy one Iphone to figure out how the thing is built and where the “guts” of the box are.
6) Extract the OS, date files, etc and start regression testing. Figure our how they interoperate with the data network. (What ports and protocols are used.)
7) Find the exploits (Everyone has them and if any one tells me that Apple has closed all the holes in a “just works” environment I have some land to sell you.)
8) This is where the real fun begins. Let’s say it takes you four months to crack the box and devise a way to get all the Iphones in the world to go to your website. Or better yet dial your international 900 number in a country with no extradition treaty. (Better yet a country that just doesn’t have the resources to find you or track you down.) Cost of living in a third world country per month 300 bucks if you don’t want to attract attention to yourself. I hear Africa is dirt cheap and they have bandwidth.
9) Finally you have you ingenious crack and your ready to unleash it on the world. Buy one round trip ticket to Asia, you know there going to eat this Iphone alive, and deploy your malware. So if you deploy 1 year after the release of the Iphone and there are an optimistic 2 million Iphones sold, all interconnected to the cloud, going to your site, or dialing your numbers, at an conservatively imaginary .25 cents (US) an hour and you are able to run for 24 hours before Apple figures out the game is afoot and closes you down how much do you think you could make?
(2 Million Iphones) X (.25 cents an hour) X (24 hours) = $12,000,000 !
Not bad for an investment of a few months time and just under $5000.00 (US). What’s your price? We all have one and 12 million is a lot of reasons to bring everyone that has been working on the Microsoft world to come over the fence and play. One of the reasons Apple has been, well secure is that their hasn’t been the critical mass of targets needed to justify the risk, time, and cost. Iphone has the potential to shift the paradigm and offer a target rich environment that could yield the kind of monetary incentives we are seeing as the principle motivating trend in the cracker community.
I hope apple is ready for the spotlight because if Iphone and Macs share the same platform any security flaw that is exposed on Iphone could be applied to the Mac and the population that depends on it.
Finally I shudder to think what will happen when these devices make it into the US Government space. I am not aware of any single policy that deals with a device that has this level of connectivity in a single unit. Governments around the world are going to have to meet this new level of integration head on if they are to understand and mitigate the risks that this devices posses to their information data processing environments.
Sleep well knowing that somewhere out there are folks who have already dreamed this up and can't wait to get there hands on the Iphone not because it is shinny and cool but because they see a ton of money waiting to be taken.
Friday, October 12, 2007
Seperate but equal?
I delivered a paper this week to help define the
relationship between operational security and our friends in the IA
security world. I believe because my "gut" tells me that the truthiness
(http://en.wikipedia.org/wiki/Truthiness) that we as information
security practitioners are growing in the way of doctors and lawyers.
After all you don't send a Trial Lawyer to sort out the settlement of an
estate and you don't send a Proctologist to deliver a baby; eh? We have
specialists and generalist, coders and admins, and yes the dark side
wonkers.
In my paper I proposed that information security should be a synergy
between three components; security engineering, information assurance
(policy & procedures), and security operations (NOC/SOC/CSIRC). Just as
the space shuttle has multiple redundant systems organizations should
have checks and balances (speed bumps) to ensure that technology isn't
put into production until the risks that the technology will induce are
mitigated. I'm wondering if this approach is too theoretical or am I
stretching the concept of least privilege and separation of duties too
far? I contend that those principals are applicable to not only systems
and individuals but on an organizational level as well. Integration is
a great thing but isn't it possible to take integration too far to the
point where the lack of complexity becomes a vulnerability unto itself?
relationship between operational security and our friends in the IA
security world. I believe because my "gut" tells me that the truthiness
(http://en.wikipedia.org/wiki/Truthiness) that we as information
security practitioners are growing in the way of doctors and lawyers.
After all you don't send a Trial Lawyer to sort out the settlement of an
estate and you don't send a Proctologist to deliver a baby; eh? We have
specialists and generalist, coders and admins, and yes the dark side
wonkers.
In my paper I proposed that information security should be a synergy
between three components; security engineering, information assurance
(policy & procedures), and security operations (NOC/SOC/CSIRC). Just as
the space shuttle has multiple redundant systems organizations should
have checks and balances (speed bumps) to ensure that technology isn't
put into production until the risks that the technology will induce are
mitigated. I'm wondering if this approach is too theoretical or am I
stretching the concept of least privilege and separation of duties too
far? I contend that those principals are applicable to not only systems
and individuals but on an organizational level as well. Integration is
a great thing but isn't it possible to take integration too far to the
point where the lack of complexity becomes a vulnerability unto itself?
Labels:
CSIRC,
Information Security,
least privilage,
NOC,
segragation,
seperation,
SOC
SYOP Malware?
Here is a thought: Put some code on your company laptops that fires up in the middle of the night and plays an mp3 or wav file with what ever message you like? You could "program" you employees to be more security aware and hopefully not expose your network, company assets, or personal records to malicious attackers.
A dark side application could be the infection of your competions computers such that subtle but disturbing sounds are played during the night so as to disrupt normal sleep but not awaken the target fully. Thus over a short period of time the target company would grow fatigued from sleep deprivation and thus your team would have the advantage of being better rested.
I wonder if this has been done?
A dark side application could be the infection of your competions computers such that subtle but disturbing sounds are played during the night so as to disrupt normal sleep but not awaken the target fully. Thus over a short period of time the target company would grow fatigued from sleep deprivation and thus your team would have the advantage of being better rested.
I wonder if this has been done?
Labels:
anti-virus,
Information Security,
malware,
sycological warfare
Think before you click G@D dammit...
I recently saw an incident where an employee at an agency component told her staff to send emails to her at home. No big deal if she was using government equipment all the way. Trouble is that this person was responsible for buying things and reimbursing people so she had names, credit cards, etc. What made it an incident was that she directed these folks to send the information to her Yahoo account. "It's MY email account and no one else can get to it because I use a good password". I can't say what happened to her but in my opinion it wasn't harsh enough.
We can have the best written policies, outstanding detection and prevention technology, and leaders who understand that risk management is the way forward but if we don't have tangible disciplinary discretion how can we wake people up to the fact that we are only one click away from undoing every security measure that we put in place?
It's not like we don't design training programs to get the word out. My feeling is that 90% of the people that come to work are borderline zombies. For them it's just a matter of showing up getting the bare minimum done to collect a paycheck so they can sit in traffic for 3 hours only to go indoors, sit more, watching television with mindless drool flowing out of the screen and completing more chores. Followed by wash, rinse, repeat. An endless cycle of routine and work. I think I heard on the HBO fictional show "Oz" one of the characters talking very much in the same way about prison life.
I look into the eyes of the people I see on the street and what I see is blinding ignorance. I was at one of the better pizza places here in Denver and was chatting up the hostess. (yes with the mostest and I was wearing my ring) She asked me what I did and got into a discussion on my favorite topic "personal security" to which she replied as I have heard a hundred times before "I don't care" and "what would anyone want with my information" going on she said "what's the difference anyways I'm broke they can take it all."
I don' know how long this has been going on but I am certain that we live in a culture of indifference. Indifference to one another and to ourselves. American's don't seem to care about the "how" just the "now". Living for the next "Mocha - Latte - frothy - soy - Ventti" sugar buzz to the next instant download followed by hours of mindless cr@p instantly accessible on a DVR while continuing the ongoing festival of gluttony consuming the latest iteration of the deep fried "corn chip" that unto itself is the same corn chip that was consumed a year ago but has a "new and exciting" packaging that makes it easier to inhale these chips with one hand only while in the other hand wash all of those chemicals and preservatives down with a high fructose corn syrpe beverage loaded with enough caffeine to kill a small cow which incidentally is the next generation of slaughter house product.
So before you click and send that next email or click on the next ballet please for the love of all that is still good in this world think about it. Are you just buying some repackaged, rebranded, piece of c#ap? Are you about to expose your entire organization or even your family to risks that you don't even fully understand yourself? So please people think, I know it's hard and all you want to do is curl up on the couch and "relax" but don't do it. Don't give up and choose to spend the rest of your life as the walking dead. Don't do it for me, don't do it for your family, don't even do it because living a full life is better than living an empty one, choose to think because if you don't you might as well be dead now and you're not helping anyone else by choosing that.
We can have the best written policies, outstanding detection and prevention technology, and leaders who understand that risk management is the way forward but if we don't have tangible disciplinary discretion how can we wake people up to the fact that we are only one click away from undoing every security measure that we put in place?
It's not like we don't design training programs to get the word out. My feeling is that 90% of the people that come to work are borderline zombies. For them it's just a matter of showing up getting the bare minimum done to collect a paycheck so they can sit in traffic for 3 hours only to go indoors, sit more, watching television with mindless drool flowing out of the screen and completing more chores. Followed by wash, rinse, repeat. An endless cycle of routine and work. I think I heard on the HBO fictional show "Oz" one of the characters talking very much in the same way about prison life.
I look into the eyes of the people I see on the street and what I see is blinding ignorance. I was at one of the better pizza places here in Denver and was chatting up the hostess. (yes with the mostest and I was wearing my ring) She asked me what I did and got into a discussion on my favorite topic "personal security" to which she replied as I have heard a hundred times before "I don't care" and "what would anyone want with my information" going on she said "what's the difference anyways I'm broke they can take it all."
I don' know how long this has been going on but I am certain that we live in a culture of indifference. Indifference to one another and to ourselves. American's don't seem to care about the "how" just the "now". Living for the next "Mocha - Latte - frothy - soy - Ventti" sugar buzz to the next instant download followed by hours of mindless cr@p instantly accessible on a DVR while continuing the ongoing festival of gluttony consuming the latest iteration of the deep fried "corn chip" that unto itself is the same corn chip that was consumed a year ago but has a "new and exciting" packaging that makes it easier to inhale these chips with one hand only while in the other hand wash all of those chemicals and preservatives down with a high fructose corn syrpe beverage loaded with enough caffeine to kill a small cow which incidentally is the next generation of slaughter house product.
So before you click and send that next email or click on the next ballet please for the love of all that is still good in this world think about it. Are you just buying some repackaged, rebranded, piece of c#ap? Are you about to expose your entire organization or even your family to risks that you don't even fully understand yourself? So please people think, I know it's hard and all you want to do is curl up on the couch and "relax" but don't do it. Don't give up and choose to spend the rest of your life as the walking dead. Don't do it for me, don't do it for your family, don't even do it because living a full life is better than living an empty one, choose to think because if you don't you might as well be dead now and you're not helping anyone else by choosing that.
Friday, October 05, 2007
New Home
A lot happened over the summer and the biggest thing was my moving to a new job much closer to home. The new job is working out very nicely and I am very happy!
I'd like to pimp my new company any chance I can because out of all the companies I have worked for SAIC is by far the best one! If you are looking for a leader in IT security look no further than SAIC.
- Z
I'd like to pimp my new company any chance I can because out of all the companies I have worked for SAIC is by far the best one! If you are looking for a leader in IT security look no further than SAIC.
- Z
BTW - I'm Back~!
After a long summer break I'm back at the keyboard and fired up and ready to go!
I'll be posting about my involvement in the Barack Oboma campaign and expanding my writing beyond information security. I noted from other bloggers that there is an eb and flow to the tide of information that passes across the screen and that information isn't always information security related.
However one of the most pressing issues of our day from a security perspective is privacy and control of data. What data looks like and the forms it takes manifest a host of issues ranging from ID theft to state sponsored cyber war.
It is clear to those that I speak to and myself that data isn't just bits and bytes anymore the binary code of our world represents far more than we imagine and has transformed, very silently, into raw power. The power to control, the power to destroy, and yes the power to kill.
Those that have the power of sight that is enabled by data awareness have more control and power over the rest of the population. With a single click of a mouse or keystroke millions of people can be affected in any aspect of life.
This is significant in that before the transformation and level of integration we have today paper based systems limited the power that an individual could have over a population. The human factor of checks and balances was unto itself a control that with the maturation of the digital age was traded off without even the idea of raising the question of cost to mankind as a whole and the individual.
Individualism is one of the cornerstones of what it means to be a United States citizen. Have we completely given that up in favor for convenience, fast food, and having our every whim met with a super corporate spoon feeding.
The spoon feeding of American goes way beyond the food we eat or the car we drive. The shape of the American mind seems to be spoon feed with controlled information that is neatly packaged into sound bytes. So the next time you watch fox or any nightly news cast don't listen to the person sitting there spoon feeding you the "newertainment" watch how they "act" the part and look for the ab-libbing. For me information is naked and cold and any meaning that is given is done so by people who want to shape, dress, and package the information to meet an agenda that is not your own.
I'll be posting about my involvement in the Barack Oboma campaign and expanding my writing beyond information security. I noted from other bloggers that there is an eb and flow to the tide of information that passes across the screen and that information isn't always information security related.
However one of the most pressing issues of our day from a security perspective is privacy and control of data. What data looks like and the forms it takes manifest a host of issues ranging from ID theft to state sponsored cyber war.
It is clear to those that I speak to and myself that data isn't just bits and bytes anymore the binary code of our world represents far more than we imagine and has transformed, very silently, into raw power. The power to control, the power to destroy, and yes the power to kill.
Those that have the power of sight that is enabled by data awareness have more control and power over the rest of the population. With a single click of a mouse or keystroke millions of people can be affected in any aspect of life.
This is significant in that before the transformation and level of integration we have today paper based systems limited the power that an individual could have over a population. The human factor of checks and balances was unto itself a control that with the maturation of the digital age was traded off without even the idea of raising the question of cost to mankind as a whole and the individual.
Individualism is one of the cornerstones of what it means to be a United States citizen. Have we completely given that up in favor for convenience, fast food, and having our every whim met with a super corporate spoon feeding.
The spoon feeding of American goes way beyond the food we eat or the car we drive. The shape of the American mind seems to be spoon feed with controlled information that is neatly packaged into sound bytes. So the next time you watch fox or any nightly news cast don't listen to the person sitting there spoon feeding you the "newertainment" watch how they "act" the part and look for the ab-libbing. For me information is naked and cold and any meaning that is given is done so by people who want to shape, dress, and package the information to meet an agenda that is not your own.
"The best laid plans of mice and men"
Standards are great. They are how we got the automotive assembly line, aircraft, and most ever form of modern technology.
As far as I am concerned privacy died many years ago when the transformation of our society, culture, and economy warped into interconnected systems. Looking back I pause to think if all the integration and connecting of systems that for decades were "stand alone" was truly a good thing. The classic paradigm of easier access, greater efficiency, and lower cost with little concern for the long term impact to the individual.
The question that I have been considering is "What makes you and individual in the new paradigm of the digital world?" Individualism in the classic sense has vaporized and replaced with information about you freely available to anyone who makes the effort to obtain and capitalize on your data. Which leads into "What is your data" and "Do you own data about yourself"?
I believe it is safe to say that today I do not control nor do I have hope of controlling my data. The cow left the barn a long time ago.
The worst part of it is; I don't even know what the cow looks like so there is no hope of finding it and getting it back.
Microsoft and all the big data giants want to get as much data about us as possible to directly correlate that data into market power. It would be naive to think that Google, MS, or any other entity with so much data would not use that medical data for "other" purposes such as population health trending. Individual health tracking with outputs such as higher premiums if a persons health records indicate a down slide. After all folks who are sick are the ones who drain insurance systems and cost the most; eh?
I believe one of the main challenge for us as security practitioners is to set the standard for what it means to be a digital human. What rights are incurred as a digital human and what controls should be in place to protect those rights? The laws of the United States may never catch up to the ever changing technology which creates a security void that must be filled if we are to assure the basic rights assured under the US constitution and US Bill of Rights. To an extreme it could be argued that today we have all blindly forsaken our rights in the name of convenience and assumed the risks without fully understanding the full value of what was given up so freely in the first place.
Could any of us have imagined that data mining on a global scale would directly translate into such power controlled by so few and even worse those that seek to do us all harm?
As far as I am concerned privacy died many years ago when the transformation of our society, culture, and economy warped into interconnected systems. Looking back I pause to think if all the integration and connecting of systems that for decades were "stand alone" was truly a good thing. The classic paradigm of easier access, greater efficiency, and lower cost with little concern for the long term impact to the individual.
The question that I have been considering is "What makes you and individual in the new paradigm of the digital world?" Individualism in the classic sense has vaporized and replaced with information about you freely available to anyone who makes the effort to obtain and capitalize on your data. Which leads into "What is your data" and "Do you own data about yourself"?
I believe it is safe to say that today I do not control nor do I have hope of controlling my data. The cow left the barn a long time ago.
The worst part of it is; I don't even know what the cow looks like so there is no hope of finding it and getting it back.
Microsoft and all the big data giants want to get as much data about us as possible to directly correlate that data into market power. It would be naive to think that Google, MS, or any other entity with so much data would not use that medical data for "other" purposes such as population health trending. Individual health tracking with outputs such as higher premiums if a persons health records indicate a down slide. After all folks who are sick are the ones who drain insurance systems and cost the most; eh?
I believe one of the main challenge for us as security practitioners is to set the standard for what it means to be a digital human. What rights are incurred as a digital human and what controls should be in place to protect those rights? The laws of the United States may never catch up to the ever changing technology which creates a security void that must be filled if we are to assure the basic rights assured under the US constitution and US Bill of Rights. To an extreme it could be argued that today we have all blindly forsaken our rights in the name of convenience and assumed the risks without fully understanding the full value of what was given up so freely in the first place.
Could any of us have imagined that data mining on a global scale would directly translate into such power controlled by so few and even worse those that seek to do us all harm?
Subscribe to:
Posts (Atom)