The InfoSec Blog

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that its about 'creative writing', just answer that question.

Bruce Schneier among other, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?

Robert Slade

One of my colleagues, Rob Slade  yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add but don't forget for him it's a days work and a days pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT.  But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Identity Management in the extreme!

Posted by Anton Aylward

http://www.abcactionnews.com/dpp/news/region_pasco/fantasy-or-criminal-mind-police-find-stash-of-fake-ids-and-uniforms

Investigators say Antigua tried to pass himself off as an Air Force veteran, a member of NASA's Space Shuttle crew, even a doctor complete with hospital ID's and his own medical bag. He also had blue police-style flashing lights for his black Escalade

"We are going to go to whatever lengths that we need to travel to find out, is he really a threat or is he somebody living a very involved fantasy life," said Chief James Steffens.

Taking Cosplay too seriously?

 

Enhanced by Zemanta

TV kills!

Posted by Anton Aylward

I keep telling everybody that TV is injurious to your (mental) health, but does anyone listen?

Why should they?
They didn't when Gerry Mander presented his Four Arguments for the Elimination of Television, and he was in a position to know.

His Bipolar made him do it

Posted by antonaylward

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over $2.3 million, its his bipolar’s fault.

Well, its better than "The Dog Ate My Homework".

Keep taking the tablets, Mr Klatch!

 

The FBI risk equation

Posted by Anton Aylward

It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:

risk = threat x vulnerability x consequence

rather than solely focusing on threat vectors and actors.

To be honest, I sometimes wonder why people obsess about threat vectors in the first place.  There seems to be a beleive that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.

Look at it this way: what do you have control over?

Why do you think that people like auditors refer to the protective and detective mechanisms as "controls"?

Yes, if you're a 600,000 lb gorilla like Microsoft you can take down one - insignificant - botnet, but the rest of us don't have control over the  threat vectors and threat actors.

What do we have control over?

Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the the "vulnerability surface" such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net, why isn't it behind the web server, which in turn is behind a firewall).

Asset to a large extent. Document them. Identify who should be using them and implement IAM.

And very import: we have control over RESPONSE.

Did the FBI equation mention response? I suppose you could say that 'awareness' is a part of a response package. Personally I think that response is a very, very important part of this equation, and its the one you have MOST control over.

And response is - or should be - totally independent of the threats
since it focuses on preserving and recovering the assets.

I think they have it very, very confused and this isn't the most productive, most effective way of going about it.  But then the FBI's view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.

But lest face it, most corporations and are not in the business of policing.  neither are home users.

Which is why I focus on the issue of "what you have control over".

Enhanced by Zemanta

The Glass Half Full

Posted by Anton Aylward

LONDON - AUGUST 05:  A man holds a pint glass ...
Image by Getty Images via @daylife
  • Optimist: The glass is half full
  • Pessimist: The glass is half empty
  • Cost Accountant: The vessel is too large for its purpose
  • Engineer: There is a 100% safety margin.

"Policy: All information stored electronically has value and shall be protected
commensurate with its value."
Corrolary: "If data has no value, it
should not be using storage space."

Reblog this post [with Zemanta]

8 Dirty Secrets of the IT Security Industry – CSO.com

Posted by antonaylward

Bill Brenner  wrote an article that covers some security consulting in general and PCI DSS in particular.

The Information Security triad: CIA. Second ve...

Image via Wikipedia

Do make note of points 1,3, and 6.
I particularly appreciated the subtext of the wording of #1.

Vendors don't need to be ahead of the threat, just the buyer.

We all know the story of the two campers and the bear, but this is an interesting variation. We've just discussed Mr Carr screaming about how he wasn't told by his security staff that there were more threats.

Yes but ... Its not the security staff that set the budget or make the buying decisions. Look: it says "buyer", not "customer".

How often have you had your security advice over-ridden for anyone of a number of reasons? Its not you doing the BUYING is it.

And why do you think that the saleswomen wear suits and talk in that stupid language using terms like "solution" (oh-ho, watch out, here comes Les...) and "bottom line" and other stuff that has nothing to do with InfoSec.

'Cos it isn't YOU doing the buying.

At best they throw you a bone since you might be an 'influencer' - more salesman-speak. (But 'influencer' is too close to 'influenza' which is why they don't get too close to you...)

Mean while, you're talking to your manager about all these nasty things like threats and the possibility of embarrassment in the press and lawsuits, while that nicely dressed saleslady is talking sweetly about nice things such as profit and success and such like.

Marcus J. Ranum

Image via Wikipedia

Lets face it, the game is semantically rigged against us.

Like Marcus Ranum says,

"Given a choice between dancing pigs and security, users will pick dancing pigs every time."

 

"Oh look http://pics4.city-data.com/cpicc/cfiles34082.jpg hey, that's neat, I didn't know they could do that...."

Enhanced by Zemanta

OWASP Top Ten is really the OWASP Top 6.5

Posted by antonaylward

Announcement of changes in company password po...
Image via Wikipedia

http://secureme.blogspot.com/2005/10/owasp-top-ten-is-really-owasp-top-65.html

This is somewhat dated, but so what? Most of the points raised still hold valid.
It opens:

CIO/CSO: "I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!"

... and it goes on with the sad-but-true

Consultant: "Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I'm diabetic."

Wasn't there a Dilbert strip about that?   "Invoking the awesome power of certification"?

Speaking of which:

Dilbert "Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?"

How true; how poignant! And we all know the response to that:

Consultant: "I'm sorry that is not on the list! hmm what to do? I will use the consultants Top Ten Scarry Word List!" Sarbanes-Oxley, HIPAA, PCI..."

Seriously, though: a while ago I read an article suggesting that how you title you posts or blogs was very important and used examples from magazines such as Cosmopolitan to illustrate that: "The top 10 ways ...", "10 things you should know" and such like were going to attract more readers.

Well heck, who wants to read an article titled:

"Six and a half ways to secure your web site".

Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.

Reblog this post [with Zemanta]
Tagged as: No Comments

Yes! It’s the cardboard PC!

Posted by antonaylward


I would hate to have to do a risk analysis on the use of these!

Oh, and then there's Bamboo!

http://www.reghardware.co.uk/2008/12/02/asus_bamboo_laptop/

What's next? Soy? Hemp?

Reblog this post [with Zemanta]

New Words

Posted by Anton Aylward

Its in the Book?

Its in the Book?

A non-native English speaker I was in correspondence with thanked me for helping expand his vocabulary.

It occurs to me that understanding English grammar and the use of prefixes and suffixes cn also help expnad your vocabulary.  Here are some words not often found IN dictionaries. (Of course this is British English spelling, American English may differ)

  • somnia - the ability to fall asleep
  • sidious - unlikely to provoke envy
  • voice - a random list of items for which there is no charge
  • volve - to unwrap
  • vert - to put the right way up
  • vective - a reasoned and politely delivered congratulation
  • valid - someone in the best of health
  • tromit - to keep out, to expunge
  • tuition - to be confused despite long and detailed explanations
  • sulin - someone help me with this one, as a Canukistani I ought to know better than to banter about it.
  • spire - to draw out of, be it breath or feeling
  • nuendo - clear speaking
  • quite - to make definitive statements
  • sert - to take out of
  • sist - to dawdle or fail to give serous consideration
  • hume - to dig up
  • hale - to breath out
  • gress - an exit
  • fanta - a prince or royal son
  • fer - to guess or make up an answer
  • ert - moving, often rapidly and without the likelihood of stopping
  • famy - a good reputation
  • deed - an interjection that Anton doesn't use
  • deminfy - to run up a debt
  • dex - a sign, for example at a British main-line railways station or country road junction that justs adds to your confusion as to where you should be going
  • dian - not part of Asia
  • ca - Immigrants to south America
  • ch - a large body of water
  • cline - (verb) to stay on course despite misleading dex (noun) to stay on the level or be level headed even when misdirected by dex
  • crement - a decrease, to decrease
  • cubus - a pleasant dream or positive influence
  • cunabula - books with their covers torn off. This normally indicates that they have been 'returned, unsold' to the publisher and so the books themselves should not be sold.
  • ane - a sensible attitude or remark
  • augerate - to throw out of office, often for corruption

I'm sure you'll find these words tremely -ing useful.

Reblog this post [with Zemanta]
Tagged as: No Comments

Best spam *ever* …

Posted by Anton Aylward

Maybe I'm just punchy from dealing with too much real spam, but I found this hilarious.

Introducing--Penis Reduction Pills!

Shipped to you, not in the stereotypical plain brown wrapper, but in a
large box proudly labeled on all six sides. Because you wouldn't be
ordering them if you didn't need them, right? Just leave the bottle
around the house where the girl you are interested in can find them.

http://www.penisreductionpills.com/

(Note: placebos may have unintended side effects. Depending on the
context ...)

Thanks to Rob Slade for bringing this to my attention - http://victoria.tc.ca/techrev/rms.htm

Zemanta Pixie
Filed under: Humour No Comments

Visio in Ascii

Posted by Anton Aylward

http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm

This gtk2-perl application allows you to draw ASCII diagrams in a modern
(but simple) graphical application. The ASCII graphs can be saved as
ASCII or in a format that allows you to modify them later

So what does this have to do with security?

Well, one of the security risks we face is that Microsoft Office applications (among others) have embedded Visual Basic, often with extensions. These have been susceptible to macro viruses.

Yes, I'm aware that there are mechanisms for defending against this, but they are software, and we know that in the long run errors will be introduced in upgrades or patches and the bad guys will find alternative avenues of attack. The real problem is that VB is embedded in the application.

So this is a solution. We go back to the "data is data" era, when data was not executable. See also all the "why HTML mail is evil" articles - go Google for them.

Happy Friday.

Filed under: Humour, Risk No Comments

Trojan horse Penetration Testing

Posted by Anton Aylward

I'm no fan of Pen-testing, but its remarkable how people fail to learn from the past experience of others, even when that experience is so heavily publicised for such a long period of time that it is part of our cultural baseline.

Technorati Tags: ,

Filed under: Failures, Humour, Risk No Comments

Dangerous … Nothing

Posted by Anton Aylward

Scott Adams, the creator of the Dilbert cartoon, recounts in his blog his recent experiences with airport security and its oddities in "Dangerous Containers". He tells of how a transparent 4-ounce container of shampoo that held only one ounce of fluid was confiscated becuase it could hold more than three ounces. In his typical manner he explores the threat that those three ounces of 'nothing', along with the larger quantity of 'nothing' in his not-full bag could be a threat.

The blog posting is not that funny. What is outrageous are the comments. Some people need to take life a lot less seriously.

Technorati Tags: , , ,

Filed under: Humour, Security No Comments

Engineering Definitions

Posted by Anton Aylward

With Thanks to Gary Hinson and Michael Gerdes who found this on the web and extended it ...

  1. Project Manager is a Person who thinks nine women can deliver a baby in one month.
  2. Construction manager is one who thinks single woman can deliver nine babies in one month.
  3. Controls manager is one who asks if the baby is in the budget (and if it saves money to adopt).
  4. Project Engineer is a person who thinks he can deliver a baby even if no man and woman are available.