You can't secure what you don't acknowledge.SM

Friday, January 27, 2012

You cannot multiple security by dividing it - Infosec's relationship with Socialism

I'm not much into urban legends and the like but came across this bit the other day and it really made me think. What a great analogy that impacts all of us both personally and professionally with some interesting information security and compliance tie-ins that I see all the time:

An economics professor at a local college made a statement that he had never failed a single student before, but had recently failed an entire class. That class had insisted that Obama's Socialism worked and that no one would be poor and no one would be rich, a great equalizer. 

The professor then said, "OK, we will have an experiment in this class on Obama's plan". All grades will be averaged and everyone will receive the same grade so no one will fail and no one will receive an A.... (substituting grades for dollars - something closer to home and more readily understood by all). After the first test, the grades were averaged and everyone got a B. The students who studied hard were upset and the students who studied little were happy. As the second test rolled around, the students who studied little had studied even less and the ones who studied hard decided they wanted a free ride too so they studied little..The second test average was a D! No one was happy. When the 3rd test rolled around, the average was an F. 

As the tests proceeded, the scores never increased as bickering, blame and name-calling all resulted in hard feelings and no one would study for the benefit of anyone else. To their great surprise, ALL FAILED and the professor told them that Socialism would also ultimately fail because when the reward is great, the effort to succeed is great, but when government takes all the reward away, no one will try or want to succeed. It could not be any simpler than that. Remember, there IS a test coming up. The 2012 elections. 

These are possibly the 5 best sentences you'll ever read and all applicable to this experiment: 
  1. You cannot legislate the poor into prosperity by legislating the wealthy out of prosperity. 
  2. What one person receives without working for, another person must work for without receiving. 
  3. The government cannot give to anybody anything that the government does not first take from somebody else. 
  4. You cannot multiply wealth by dividing it! 
  5. When half of the people get the idea that they do not have to work because the other half is going to take care of them, and when the other half gets the idea that it does no good to work because somebody else is going to get what they work for, that is the beginning of the end of any nation. 

Not that the big government Republicans are a lot better...The reality is we Americans had better wake up, smell the "change" we're stepping in and learn that no politician, Democrat OR Republican, can make our lives better...only WE can make that happen.

Be it information security, compliance or your personal Og Mandino once said (favorite quote of all time): "Use wisely your power of choice."

Thursday, January 26, 2012

Evanta CISO event and why St. Jude's has it right

This week I had the opportunity and privilege to serve as a panelist on mobile security at the Evanta CISO Executive Summit in Atlanta. What a neat wasn't just another infosec show. It was unique in its focus and well run by Corrine Buchanan and Mitch Evans who always seemed to have a smile on their faces - something we don't see enough of at these types of shows.

Another thing was a St. Jude's Children's Hospital video they played featuring Marlo Thomas talking about her father's work with the hospital. She said something about the hospital regarding its mission that stuck in my mind: "Don't just treat kids. Let's try to figure out what makes them sick."

Great approach with an interesting information security tie-in: Don't just throw technologies and policies at security...find out what's actually at risk. Indeed, we have to be smart in using the resources we're given.

Wednesday, January 25, 2012

Complacency, meet APT – How basic oversights lead to complex malware infections

Low-hanging fruit – that is, the missing patches, default passwords, lack of full disk encryption and so on present in practically every environment – is something I’ve ranted about time and again because there’s no reason to have it on your network. Why? Well, for one thing, rogue insiders may just exploit it for ill-gotten gains. But even worse, low-hanging fruit can be the target of malware exploitations that you’re not prepared to take on. You see a few missing patches and unhardened endpoints combined with users gullible enough to click whatever’s placed on their screens and you’ve got yourself the recipe for disaster.

Low-hanging fruit can turn from “Yeah, I need to get to that stuff…” to “Oh crap, all of our workstations are being controlled by someone on the other side of the world”.

Recent shifts in IT like consumerization, mobility and the desire for instant gratification when it comes to computer and Internet access have made these threats even more formidable. Users are indeed going to do what they want to do. In many cases, management will proudly back them up – even if they have no clue about the long-term impact to the very business they’re responsible for running.

Built-in security controls provide an opportunity for us to save time, effort and money keeping our systems in check without having to spend a dime more than we need to. That said there are certain security controls that operating system and hardware vendors haven’t mastered. One in particular is security controls designed to help with APTs and advanced malware. It’s just not possible to get the specialized protection out of the box from the mainstream vendors that you’re going to get with a the niche technologies I talked about my recent paper The Malware Threat Businesses are Ignoring and How Damballa Failsafe Fits In.

It’s no different than how I buy special tires and brake pads for my race car. When there’s a specific need, odds are the stock equipment just won’t cut it.

One of the most damaging misconceptions about malware is that the big anti-virus vendors are going to keep endpoints safe. It’s this very mindset that’s gotten businesses into hot water recently. I saw it when working on an incident response project that falls under the Operation Shady RAT umbrella. I think it’s safe to say that traditional anti-virus vendors come nowhere close to protecting your network – especially if such an attack is targeted. In fact, the entire concept of APTs and advanced malware is not very well understood by the IT and information security community as a whole.

How are you supposed to protect against something like this? It's not simple. You’ve got to have the right tools, the necessary documentation and, perhaps most importantly, management that gets it.

Monday, January 23, 2012

Are your high-tech devices enslaving you?

The late Richard Carlson, author of Don't Sweat the Small Stuff, said:

"It's important to see when your high-tech communication devices actually limit your freedom, enslaving you instead of providing new opportunities for growth."

Wow...How true that is!

Have you ever tried to not look at your emails or answer phone calls when you're out and about with  your family or taking some time to yourself? It's pretty darned difficult but it can be done, if you make it so.

Try it out over the next couple of weeks and you'll see what Dr. Carlson was talking about. You'll give your mind a break and be able to focus on the things that truly matter in life.