The InfoSec Blog

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.


Are we fighting a losing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger) have known in our hearts for a long time. AV products don't work.

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

Posted by Anton Aylward

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework, not merely a checklist.

Yes, this is a bit of a META-Question. But then it's Sunday, a day for contemplation.

When does one of these stop being a checklist and become a framework?

COBIT is very clearly a framework, but not for risk analysis, and even the section on risk analysis fits into a business model rather than a technology model.

ISO-27K is arguably more technology (or at least InfoSec) focused than COBIT, but again risk analysis is only part of what it's about. ISO-27K calls itself a standard[1], but in reality it's a framework.

The message that these two frameworks send about risk analysis is

Context is Everything

(You expected me to say that, didn't you?)

I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.

Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think it's that simple).

The trouble is that RA is a bit of a 'hypothetical' exercise.

“Impact” is not a Metric

Posted by Anton Aylward

I never like to see the term 'impact'.
It's not a metric.

I discuss how length, temperature and weight are metrics, whereas speed, acceleration and entropy are derived values. In the same sense, 'impact' is a derived value - "the cost of the harm to an asset". The value of an asset can be treated as a primary metric, but how much it is "impacted" is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics, as we see when people treat 'risk' as if it were something tangible, never mind a metric!

Where do they get these numbers?

Posted by antonaylward

From the Journalistic Approach to Statistics Department ...
The source of this warmongering is
http://www.darkreading.com/security/intrusion-prevention/showArticle.jhtml?articleID=219401410

and Kelly Jackson Higgins uses the dramatic title

"Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh"

Right.

Well, he claims a survey of "hackers" (whatever that means) at DefCon17 carried out by Tufin Technologies leads him to believe that only one fourth of all hackers are malicious. This is according to 70% of the unknown number of respondents, who in turn make up an unknown proportion of the groups of people who may be called, by themselves or others, "hackers".

In case you're worried about taking that last-minute summer vacation and
leaving your IT staff a little short, relax (for now, anyway): Most
hackers are taking a break now, as well, as they gear up for a busy
winter season, according to a survey of hackers attending Defcon17 in
Las Vegas this month.

Malicious hackers make up less than one-fourth of the overall hacker
community, according to 70 percent of the respondents, who were surveyed
by Tufin Technologies at the world's largest hacker conference.

Nor are we given a definition of what "malicious" means. Does this have to be the unremitting evil of a fictional character like the leaders of SMERSH in the James Bond stories or the Wicked Witch in "The Wizard of Oz"? How about a historically evil character like Genghis Khan, Nero, or dare I say it, Stalin, Hitler or Saddam Hussein?

But "malicious"? Could that mean purposeful vengeance for some real or imagined (think: Fat Freddy and his cat); getting back at "The Man", Big Government, or Big Business for some ill-defined political or conspiracy-theory-riven reason? Or perhaps "collateral damage" arising from lack of care, lack of professionalism or simple incompetence
(http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/#).

I'm getting sick of marketeers making use of journalists like this, for that's the real reason for this. Read the rest of the article and you'll see it's about Michael Hamelin, chief security architect at Tufin, advocating what we all know: that compliance doesn't mean security. If that's your message, then say that; don't dress it up in nonsense that makes use of meaningless statistics.


One In Two Security Pros Unhappy In Their Jobs

Posted by Anton Aylward

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=218600434

Well? Are you?

You'd think most professionals in a hot industry like IT security would
feel content and challenged technically and creatively in their jobs --
but not so much. According to the results of a new survey that will go
public next week at Defcon in Las Vegas, half of security pros aren't
satisfied with their current jobs, and 57 percent say their jobs are
neither challenging nor fully tapping their skills.

Like most reports on surveys, this is journalism at its worst.