
Bonus Incite 3/19/2010: Don’t be LHF

By Mike Rothman

I got a little motivated this AM (it might have something to do with blowing off this afternoon to watch NCAA tourney games) and decided to double up on the Incite this week.

I read Adrian’s Friday Summary intro this morning and it kind of bothered me. Mostly because I don’t know the answers either, and I find that questions I can’t answer cause me stress and angst. Maybe it’s because I like to be a know-it-all and it sucks when your own limitations smack you upside the head.

Just because it’s low hanging doesn’t mean it’s tasty...

Anyhow, what do we do about this whole information sharing culture we’ve created – and more importantly, how do we make sure the next generation is protected from the new age scam artists who prey on over-sharers? I came across this coverage from RSA of Hugh Thompson’s interviews of Craigslist’s Craig Newmark and the Woz. Both Newmark and Wozniak believe education is the answer.

Truth be told, I have mixed feelings. I know the futility of widespread education because you can’t possibly keep up with the attackers, not within a mass market context. Yet my plan is still to use education as one of a few tactics that I’ll use to keep my kids (and the Boss) safe online.

The reality is that because my kids will be trained on how to recognize fraud and what not to do online, they will be ahead of 95% of the other folks out there. And remember, most attackers prey on the lowest hanging fruit. As long as my kids aren’t that, I think things will work out OK.

But I also maintain pretty tight controls on the machines they use and the network they connect to. As they get more sophisticated, so will the defenses. I’ll implement a kids’ browsing network and segment out my business machines and sensitive data. I already lock down their devices so they can’t install software (unless I know about it). At some point they’ll get their own machines and I’ll centralize the file storage (both for backup and oversight), so I can easily rebuild their machines every couple of months.

And we’ve got a lot of controls to protect our finances as well. We check the credit cards frequently (to ensure unauthorized transactions get caught quickly) and have a home incident response plan in the event one of my devices does get pwned.

Of course, that doesn’t answer the question of how to solve the macro problem, but honestly I’m not sure we can. Fraud has been happening since the beginning of time, and it’s a bit crazy to think we could stop it entirely.

But I can work my ass off to minimize the impact of the bad guys on my own situation, which is a pretty good objective – both at home and at work.

Have a great weekend.

– Mike.

Photo credit: “that low-hanging fruit they keep talking about in meetings” originally uploaded by travelskerricks


Bonus Incite 4 U

  1. Getting screwed by the back channel – I read a recent post from the security career counselors (Mike Murray and Lee Kushner) and it got my goat a bit. The post was about how to deal with negative references, and I’m sensitive to this. I’ve been in a situation where a former boss sent a torpedo through my engine room just as I had a new job lined up and closed. It was during a back channel conversation, so I had no recourse (even though there was a non-disparagement clause in my exit agreement). Mike and Lee suggest first assembling a list of positive references that can offset a negative reference, as well as being candid with your prospective employer about the issues. This is great advice, since that’s exactly how I dealt with the situation. I did my own back channel work and got folks inside the company to talk about me (on deep background), as well as confronting the situation head on. It worked out for me, but everyone needs to have contingency plans for everything, and a negative reference is certainly one of them. – MR

  2. Isn’t UTM a hopping market? – From all the market share projections and growth numbers, the UTM (unified threat management) market is growing like gangbusters. Yet you see companies like Symantec (a few years ago) and McAfee (who recently shut down their SnapGear offering) getting out of the business. The reality is there are multiple market segments in network security and they require different solutions. UTM can be applicable to large enterprises, but they don’t buy combined solutions. They evaluate the products on a function-by-function basis. So they will compare the UTM-based IPS to the stand-alone IPS and so on, before they decide whether to embrace an integrated solution. Whereas the mid-market wants a toaster to make their problems go away. So hats off to McAfee for deciding they didn’t have a competitive offering or leveraged path to market, and getting out of the business. One of the hardest things to do is kill a product, no matter how competitive it is. Strong companies need to kill things, or they become overpopulated and operate sub-optimally. – MR

  3. Stupid is as stupid does – I recently watched Forrest Gump again, and it’s a treasure trove of little sayings that really apply to our daily existence. We are security professionals, which means we should understand risks and act accordingly. How can you tell your internal users to do something if you don’t do it yourself? I guess you can, but come back into the shop after having your own machine pwned and see how much credibility you have left. So when I see the inevitable reports from security conferences about how stupid our own professionals are, it makes me nuts. At the RSA show, Motorola AirDefense found all sorts of wireless stupidity from the attendees, and it’s really nutty. If you don’t have a 3G card, then just make do without connecting for a few hours while you are at the show. You have a mobile device, and if it’s that important, go back to your hotel. At a security show they are always watching, even if not trying to put you on the wall of sheep. Get your head in the game, folks. – MR

  4. Seeing the Hydra in action – We talk about the need for redundancy and contingency plans to keep our networks operational. Well, the bad guys do too. Krebs digs into some of the things the folks running the big botnets have done to keep operating even when one of their network connectivity points (Troyak) gets taken down. It’s fascinating stuff and just goes to show that our adversaries have well-thought-out business plans in place. Not sure you can put “Director of Network Resilience, Zeus Botnet” on a business card, but I assure you someone has that title, somewhere. And be sure to put Brian Krebs on your holiday card list. The work he does is consistently outstanding. – MR

  5. PCI a success? Why do we bitch about it so much? – CSOAndy makes a good point in covering the PCI panel that happened at Security BSides at RSA. To be clear, PCI has done more for security folks than any other standard to date. Hands down. The real issue is that we in the echo chamber know how much more needs to be done. But referring back to RSnake’s conversations with black hat hackers, we are making progress because the bad guys have to work harder. PCI is partially responsible for making sure people are closing the windows and locking the doors. Of course, there are still ways in, and any standard will always be behind the current attack space, but let’s take a step back and remember how things were a few years ago. Tick tock tick tock. OK, enough reflection. The PCI folks need to figure out how to reduce the cycle time of their updates, or at least put tiered guidance in place: a low bar where missing it results in fines, plus a set of advanced practices that more accurately address current attack patterns. – MR

Comments

The way I like to view security education actually fits exactly with your descriptions above. I believe education does help those who know nothing otherwise.

But most importantly, it helps explain and justify why you lock down their systems to not allow installation of software, why you monitor their network, why you segregate your business systems from the rest, and why you keep an eye on your credit card statements.

Education…but technology (and actual practice, i.e. process) is the baseline.

By LonerVamp
