The InfoSec Blog

Customers are Ignoring You (Photo credit: ronploof)

http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html

Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.

That being said, ‘competitive advantage’ can lead to paralysis.

In the auto world, each badge, each product line has an ‘advantage’.
But what many customers want is a blend.

Suppose you had

• the hydropnumatic suspension of Citroen
• the crash survivability of Volvo
•  the fantastic new six speed high efficiency automatic gearbox that Chrysler is soon to release
•  the BOSE sound system of a BMW
•  the capacity of a Dodge minivan
•  the fuel efficiency of a Prius
•  the twin camera automatic following/crash avoidance system of a Subaru

all rolled into one ….

The problem is that you can’t.

For a while, the IBM-style PC chassis offered that kind of ‘blend’.
As the saying went …

Be very glad that your PC is insecure –it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
– John Gilmore of the EFF

But the majority of consumers are the “lemmings”. In reality its like the stage magician fanning a pack of cards and saying “pick a card, any card you want”. You don’t really have freedom of choice, you can only pick what’s offered to you, by the stage magician or the vendor.

And sometimes the constraint of choice, as Apple is doing, says “focus, focus, focus” and play to the Big Brother Knows What’s Best For You.
Sometimes it nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).

Related articles

• Consumption and Consumer Behavior (thinkingbookworm.typepad.com)

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have engages in ‘industrial espionage‘.

I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and France had been practising Industrial Espionage against the “English Speaking World” for centuries. And he had evidence to back that up from at lest Napoleonic times.

But then don’t forget that the “English Speaking World” stole such secrets from China as “Tea“:

For centuries, the secret of growing tea was one of China’s
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China’s tea monopoly was broken.

Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune’s explorations are detailed in a new book, For All
the Tea in China, by Sarah Rose. She frames this not
simply as a tale of Victorian exploration, but as early
industrial espionage – which, of course, it was.

I’m not saying this justifies anything, any more that the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of or common historic context, justifies any reprisals.

I’m just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

Related articles

• For All The Tea In China – Sarah Rose (scottjb.wordpress.com)
• Different Ethical Issues Faced by the Global Software Companies (thinkingbookworm.typepad.com)
• Howes calls for cyber espionage inquiry (news.smh.com.au)
• Corporate Espionage Is Real – Even In The Pharma Industry (bioresearchonline.com)
• “Cyber Czar” wants Homeland Security to patrol America’s Internet borders (blacklistednews.com)
• Former Pentagon Official Says All Chinese Electronics In The US Could Have Built-In Trapdoors (businessinsider.com)
• FBI: Economic Espionage (gloucestercitynews.net)
• Trade Secrets and The Economy (psliplaw.wordpress.com)
• Richard Clarke: China has hacked every major US company (zdnet.com)
• FBI cracks down on economic espionage (wjla.com)
• Peter Thomas Senese’s THE DEN OF THE ASSASSIN Is A Geopolitical Financial Espionage Thriller Thrust In The World Of Cyber, Biological and Chemical Warfare (prweb.com)
• Chinese Economic Espionage: An Overlooked Concern (heritage.org)

Last month, this question came up in a discussion forum I’m involved with:

Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software’s at
the free will and introduce malicious code in the organization.

The short answer is “no”.
The long answer leads to “no” in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it. Read the rest of this entry »

Call me a dinosaur (that’s OK, since its the weekend and dressed down to work in the garden) but …

Surely COMPLIANCE is a binary measure, not a “level of” issue.
You are either in compliance or you are not.
As in you are either deal or alive.

Now it may be that some “standard” (such as ISO27001) has a number of clauses and its possible to be in compliance with some and not with others, and so fall into the delusion that you are “82% compliant” with the standard. This gets back to the silliness of exams where you are not expected to be able to answer all the questions and so the pass mark was 65%. In actuality its a recipe for disaster; if you’re only required to have 65% of the items complaint to “pass” then the standard is a joke.

It brings to mind the advert for the disinfectant that “kills 99% of all known germs“. OK, but that remaining 1% is highly deadly and highly infectious.. And then what about the Rumsfeld Class III germs?

No, really, would you let a military expedition or a group of mountaineers attempting to scale Mt Everest with only the “passing grade” – 65% – of the equipment (be if food, ammunition, ropes, insulated clothing, whatever) that they needed?

So there’s this marriage ceremony and the groom only manages to get 65% of the way to the church; is that a passing grade? Ask the bride what she thinks.

No, compliance is binary.

Compliance Bridge - Broad requirements so that clients are Ready, Willing and Able to comply. (Photo credit: Wikipedia)

Related articles

• Job Description for Quality Assurance Compliance (informationassurence.wordpress.com)
• Perils of Social Media and Compliance (arnoldit.com)
• Is ISO 27001 Worthwhile for Your Business? (deurainfosec.com)
• Leading ISO 27001 Roadmap Refreshed – Takes Guesswork Out of Information Security Certification Process (prweb.com)
• Four key benefits of ISO 27001 implementation (iso27001standard.com)
• Is ISO 27001 Right for Your Company? – New On-Demand Webinar Offers Answers from Pivot Point Security – A Champion of the Information Security Standard (prweb.com)

Someone asked:

If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology! Read the rest of this entry »

http://hdguru.com/is-your-new-hdtv-watching-you/7643/

well 28 years actually …

So, the two-way tv sets of Orwell’s novel have arrived, over a quarter of a century late!

George Orwell in Hampstead On the corner of Pond Street and South End Road, opposite the Royal Free Hospital. The bookshop has long gone. (Photo credit: Wikipedia)

It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real world version has an extra ‘i’) we do pretty quickly, but if its a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention) then it seems three isn’t the same enthusiasm about replicating its technology.

Related articles

• Books that Changed my Life: 1984 by George Orwell (caracaleo.com)
• Orwell’s Nineteen Eighty-Four forecast for Hollywood remake (guardian.co.uk)
• Near-Future Fiction (madgeniusclub.com)
• Orwell vs. The U.S. House of Representatives (pubcit.typepad.com)
• And the privacy invasion award goes to … (sgtreport.com)
• How to resist Big Brother 2.0 (blogs.reuters.com)
• Microsoft speaks on privacy following ‘NUad’ concerns (thenextweb.com)
• Glancee + Facebook = Orwell’s Big Brother in Spades….. (tishgrier.wordpress.com)

On the ISO27000 Forum list, someone asked:

I’m looking for Risk statement for each ISO 27k control; meaning
“what is the risk of not implementing a control”.

That’s a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?

Ingenious aside, I’d be very careful with an approach like this.

Risks and controlsare not, should not, be 1:1.

The Risk Management Process for IT Systems according to ENISA, following ISO 27005 (Photo credit: Wikipedia)

Some controls are there to support other controls. And don’t forget that some controls are detective and a control that ‘detects’ the functioning of another control is perfectly valid.

We’ve often spoken of “baseline controls”, that is controls which should be in place “regardless”. Well OK, context matters. The baseline for a bank and there baseline for a power plant will differ, but they will also have a lot in common. One common branch might be a yes response to ‘are you connected to the Internet?’

A “Yes you are connected to the Internet” will produce a plethora of threats (note: *threats* not risks!) that will keep you busy all month working through to determine the risks, and for almost all of them the control will be “configure the firewall…”.

You do have a firewall as part of your baseline, don’t you?
(And you took it out of the box and installed it at a choke point, didn’t you?)

Another issue that often come up on this forum is that of assets.
Now if it was me, I’d start with the assets. There are a number of reasons for that. First and foremost, this is all about protecting those assets. They are also a lot easier to identify than threats or vulnerabilities

So we get back to “what is the risk of not implementing a control”.
The control objectives are, ultimately, to protect the assets, by various means. So you need to ask that question in terms of the assets.

Another way of looking at it is enumerate the assets and enumerate the controls and establish the relationships. Are there assets that don’t have controls protecting them?

diagram showing threat agents, attack vectors, weakness, controls, IT asset and business impact (Photo credit: Wikipedia)

I admit there is more to it than that; controls may be inadequate or superfluous. There is a tendency to implement easy ones.

Donn Parker has written some excellent papers on selecting controls.
They were published in the ISSA Journal back in 2010.

http://www.google.ca/search?q=parker+%22Security+Control+Selection+Principles%22

Related articles

• Is ISO 27001 Worthwhile for Your Business? (deurainfosec.com)
• Final results of COSO vs ISO risk management survey (normanmarks.wordpress.com)
• ISO 27001: An overview of ISMS implementation process (net-security.org)
• ISO 27001 and BS 25999-2: Why is it better to implement them together? (net-security.org)

http://www.infoworld.com/d/security/the-19-most-maddening-security-questions-187983

An interesting list, since it covers issues of public structural security.

I recall reading that the greatest contribution to the health of individuals came about from good public sanitation and clean water, that is civic changes (presumably enabled by legislation) that affected the public in a structural manner.

What would be on your list?

A poster for drinking water security from the EPA (Photo credit: Wikipedia)

Related articles

• Companies slow to react to mobile security threat – InfoWorld (infoworld.com)

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There’s a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That’s my budget. If I got to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

Related articles

• A Peek at a Few Trends (laf.ee)
• Software piracy in Canada exceeded $1.1B in 2011 (ctv.ca)
• What’s the true cost of piracy? (infographic) (venturebeat.com)
• US mistakenly seizes a music domain – and holds it for 18 months (art2science.org)
• Study: BitTorrent music piracy increases album sales (electronista.com)

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/

And this doesn’t actually stop them form making use of ‘insider information’ they just have to declare it within 30 days.

No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that
is already illegal, it is OK as long as they declare it within 30 days? …

It gets worse:

http://compliancesearch.com/compliancex/insider-trading/house-republicans%E2%80%99-insider-trading-bill-accused-of-catering-to-insiders/

I’d like to claim the system is rigged so ‘the rich get richer’ but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to
describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.

http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart

Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

http://en.wikipedia.org/wiki/Political_spectrum

Try this test:
http://www.politicalcompass.org/

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of ‘how authoritarian’.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of ‘root cause analysis‘ is no longer used in analysing plane crashes. The reality is that “its not just one thing”, its many factors. We all know that applies in most areas of life.

I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the “American Empire” by manufacturing more nails.

Except possibly Journalists.

Related articles

• Is your political compass OK post the election? (greenwichlib.wordpress.com)
• Political Compass: May (spinelessliberal.wordpress.com)
• The downsides of experience (cdevroe.com)
• The US Election – 2012 (www.politicalcompass.org)

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no “Royal Mail” (or whatever the equivalent in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place again fraud perpetrated by mail or telegraph and telegraph
includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk “something must be done NOW” attitude.

Here in Canada we have a criminal code. It covers fraud. We don’t need new laws to deal with cybercrime because the ways our laws are written they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) its the other way round. That’s why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don’t think this is a good way of working since it piles laws upon laws.

In science we was that in astronomy before Newton. The classical “Ptolemaic” system piled epicycles upon epicycles as corrections because the underlying model based on a geocentric approach and the idea of ‘perfect spheres’ was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general
situation is no less flawed in approach.

Fraud is fraud is fraud. It doesn’t matter if its perpetrated by a hustler in person as in the scenes in “Paper Moon“, by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don’t need new laws; we just need a better understanding of how criminals use technology. We perhaps we security droids don’t, perhaps the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that’s not what detailed, reductionist legislation is going to achieve, is it?

Related articles

• Guarding your business against cybercrime (premierlinedirect.co.uk)
• Interpol Promises New Center to Fight the E-Mob (spectrum.ieee.org)
• Russian Cybercrime pays! (toinformistoinfluence.com)
• Cybercrime ‘cannot be stopped entirely’ (premierlinedirect.co.uk)
• Former National Cyber Czar Creates Cybercrime TV (prweb.com)
• There’s no business like Cybercrime business! (blog.bt.com)
• Impact of cybercrime underestimated as most crimes go unreported|Network security (c24.co.uk)
• European Commission wants a cybercrime centre (h-online.com)
• Everything you thought you knew about cybercrims is WRONG (go.theregister.com)
• FBI finds scammers impersonating the FBI now one of worst online threats (theneteconomy.wordpress.com)
• Educate Customers on Mass Marketing Fraud (ibaeducationblog.com)
• Cybercriminals offer bogus fraud insurance services (zdnet.com)

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html

The real issue here isn’t Ubuntu, or any other form of Linux.
Its that AV software doesn’t work.
PERIOD.

There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can’t cope.

This isn’t news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.

What’s that you say? Other types of AV? Like what?

Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use … and so on.

Many people in the industry – myself included – have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.

Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor – which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.

The local signature makes things unique to each machine so there is no “master key” out there. If your private key is compromised then do what you’d do with PGP – cancel the old one, generate a new one and sign all your software with the new one.

The real problem, though, is not in having the key compromised but is the problem that has always existed – its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don’t bother setting their defaults to “no execution” or just say “yes” to the pop-up asking them to permit execution.

No technical measure can overcome human frailty in this regard.

Related articles

• Avira antivirus upgrade wreaks ‘catastrophic’ havoc on Windows PCs (techworld.com.au)
• How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser (shanicomputers.wordpress.com)
• Intel and McAfee unveil plans for unified security future (go.theregister.com)
• John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
• GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
• A Modest Proposal: Please Don’t Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
• Why Authenticity Is Not Security (leviathansecurity.com)
• Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
• ‘Catastrophic’ Avira antivirus update bricks Windows PCs (go.theregister.com)
• Avira fixes antivirus update that crippled many PCs (neowin.net)
• Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
• Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
• Cryptography pioneer: We need good code (infoworld.com)
• Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
• Public Key Cryptography Explained (q-ontech.blogspot.com)

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157

So do my cats. But so what?

Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in “Minority Report“.

And I’m sure there are _other_ ways to hack that than the one mentioned in the movie.

Related articles

• SSL governance and implementation across the Internet (net-security.org)
• Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
• Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)

You do do backups don’t you?  Backups to DVD is easy, but what software to use?

Why not simply k3b ?

But if it some down to it, there’s a decision tree you can and should work though.

• Do you want the DVD backup ‘mountable’?
  If it is then you can see each file and selectively restore using the normal file management tools (cp, rsync etc)
  If you use some sort of ‘dump’ format (tar, cpio, zip or proprietary) then you will need the corresponding tool to access the backup

My choice, based upon both K.I.S.S. and bitter experience is to go with the mountable.

• - How are you ‘snapshoting’ your files?
  If you are backing up a live system[1] then there is the risk that the backup is out of phase with itself as files get changed during the time it takes to make the backup.

My solution to this is to use the snapshot mechanism of LVM.

• - How are you managing the backup archives?
  Do you need a specific dated version of a file or directory?
  Would a VCS be more appropriate than a backup system?

Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS – AND take periodic snapshots.

• Ultimately its not about making backups, even if that seems to be the
  most of the work, but the ability to restore.

A client found it easier to take whole image backups but once when having to restore a single file there was a finger-slip and he restored the complete machine state of three years previously, loosing all that days work plus the next day when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.

• - How “automated” do you want this backup to be?
  Sometimes you’ll find the automation tail wags the normal operation dog.

My use of K3B means I do disk-to-disk-to-DVD. (Using LVM’s snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.

I realise this is going to be inappropriate for many sites and business functions.

This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.

Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center of ISP might be totally inappropriate and troublesome for a SMB.

[1] Once upon a long time ago systems were shutdown or all jobs
suspended for the backup. This has disrupted projects for me a number
of times.

 So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a  direct attack).

I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its “ablation”: that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What’s needed is more like an all-enclosing “bubble” rather than something linear with the ‘defence in depth’ model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really “spies inside the defensive perimeter”.

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public — its form of showing that “its doing something”.

But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a  special purpose computer and a computer almost always has a flaw which can be exploited.
In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything these days, cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights … have computers  running them and so what we interface with is the computer not the natural mechanics of the device any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the ‘Net-of-a-Thousand-Lies.

Some printers have many more functions; some being fax, repro, and scanning as well as printing a document.   And look at firewalls. Look at all the additional functions being
poured into them because of the “excess computing facility” – DNS, Squid-like caching, authentication …

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the “gateway” with the “firewall” function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I’m dreading what the home market will have come IP6

I recall the Chinese curse: yes we live in “interesting security issue” times!

But in the long run of things the HP Printer Hack isn’t that serious.   After all, how many printers are exposed to the Internet.    We have to ask “how likely is that?”.
Too many places (and people) put undue emphasis on Risk Analysis and ask “show me the numbers” questions. As if everyone who has been hacked (a) even knows abut it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of “common sense” once you get to stop and think about it. Many protective controls are “umbrellas”, that its about how you configure your already paid-for-and-installed (you did install it, didn’t you, its not sitting in the box in the wiring closet) firewall; by spending the money you would have spent anyway for the model that has better control/protection — you do this with your car: air-bags, ABS and so on so why not with IT equipment? The “Baseline” is more often about proper decisions and proper configuration than “throwing money at it” the way governments and government agencies do.

McAfee has released a new study on malware in cars:
http://www.mcafee.com/autoreport

Now you may think that this is scaremongering on the part of McAfee because their traditional market is drying up. Not so, this is actually a threat we have been aware of or nearly half a century:

http://www.amazon.com/four-weekend-Belmont-Science-Fiction/dp/B0007FCDJY/ref=sr_1_8?s=books&ie=UTF8&qid=1315499979&sr=1-8

he documentation required and/or needed by ISO-2700x is a perenial source of dispute in the various forums I subscribe to.

Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded?  How much of the justification for the decisions?

Yes, you could have reviews and summaries of all meetings and email exchanges ..

But that is not and has nothing to do with the standard or its requirements.

The standard does NOT require a management review meeting.
Read the rest of this entry »

Read the rest of this entry »

I keep telling everybody that TV is injurious to your (mental) health, but does anyone listen?

Why should they?
They didn’t when Gerry Mander presented his Four Arguments for the Elimination of Television, and he was in a position to know. Read the rest of this entry »