The InfoSec Blog

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that it's about 'creative writing', just answer that question.

Bruce Schneier, among others (myself included), has asked questions like that. Are you 'paranoid' enough to be in the security business?


One of my colleagues, Rob Slade (yes, *that* Rob Slade), usually asks me, when he is teaching in Toronto, to come along and talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is whether there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add, but don't forget that for him it's a day's work and a day's pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes, those are the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it's experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can't seem to tell what makes InfoSec different from IT. But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Cell phone risks

Posted by Anton Aylward


I hope somebody's thinking seriously about the implications of this:

http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/

Israel has already seen some consequences of soldiers with cellphones.

Here in Toronto we have a law against driving while using a hand-held cell phone. I note that researchers are reporting that even hands-free phones are distracting enough to be a major risk. Nevertheless, I have stood back from the kerb at an uptown intersection and seen drivers turn against the lights and narrowly miss pedestrians because they were on the phone. The drivers, that is. (I'm still on the lookout for pedestrians using phones, oblivious to their surroundings, causing accidents.) Perhaps I need to use my own phone to make videos of this and upload them to YouTube 🙂

So I'm very cynical about the use of distracting technology in the battlefield. Use of the smartphones 'in barracks' is one thing; using them in the field is another.

There seems to be a big mental hole here.
The idea of a comms system that has a central control, or the cell/tower model, is inherently vulnerable; no less so than GPS if you think about it, and probably more so: you don't need a rocket launch and EMP capability to take out cell phone towers and the phone system.

But the kind of Wi-Fi system that allows the nodes to mesh, forward and heal (WiMax) is just the kind of thing the cell phone companies don't want.

WiMax - http://www.open-mesh.com/ - may assume an internet backbone connecting the various meshes, but in a battlefield scenario the local mesh would be adequate. It simply uses different "smartphones" and software. Maybe there is a back-haul WAN; maybe it can download satellite or surveillance images for the front-line commanders.
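To make the resilience argument concrete, here is an added example (not from the original post) that compares a hub-and-spoke tower model with a forwarding mesh by counting how many handset pairs can still reach each other after a node is lost; the handset names, the ring-mesh layout and the hop count are constructed assumptions, not a model of any real radio network.

```python
from collections import deque

# Constructed sample nodes: eight handsets plus one tower (assumption).
HANDSETS = [f"h{i}" for i in range(8)]

def star_topology():
    """Cell model: every handset talks only through the tower."""
    adj = {h: {"tower"} for h in HANDSETS}
    adj["tower"] = set(HANDSETS)
    return adj

def ring_mesh_topology(hops=2):
    """Mesh model: each handset links to its `hops` nearest neighbours on
    either side of a ring and forwards traffic for them (constructed layout)."""
    n = len(HANDSETS)
    adj = {h: set() for h in HANDSETS}
    for i, h in enumerate(HANDSETS):
        for d in range(1, hops + 1):
            adj[h].add(HANDSETS[(i + d) % n])
            adj[h].add(HANDSETS[(i - d) % n])
    return adj

def reachable(adj, start, removed):
    """Breadth-first search over `adj`, treating nodes in `removed` as dead."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def handset_pairs_connected(adj, removed=frozenset()):
    """Fraction of surviving handset pairs that can still exchange traffic.
    The tower is infrastructure, not an endpoint, so it is never counted."""
    alive = [h for h in HANDSETS if h not in removed]
    pairs = [(a, b) for i, a in enumerate(alive) for b in alive[i + 1:]]
    if not pairs:
        return 0.0
    ok = sum(1 for a, b in pairs if b in reachable(adj, a, removed))
    return ok / len(pairs)

if __name__ == "__main__":
    # Losing the tower severs every handset; losing one mesh node does not.
    print("star, tower lost:", handset_pairs_connected(star_topology(), {"tower"}))
    print("mesh, one node lost:", handset_pairs_connected(ring_mesh_topology(), {"h0"}))
```

A plain ring (`hops=1`) does split when two non-adjacent nodes die, which is why a real mesh needs more than one path between neighbours.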

But OTS cellphones ... I can see too many high risk scenarios in a military setting.


Why don’t companies apply more risk analysis – Part 2

Posted by Anton Aylward

And while on that subject ...

"Consult Human Resources when making disaster recovery plans"

Every DR plan I've seen has failed to take into account human factors.
The most basic of these: in any one of a large number of disaster scenarios, how are staff going to get to the DR site?


So: here we are in Toronto and the DR site is in Arizona ...
What sort of disaster will take out Toronto and yet let all the staff here trek down to Arizona in order to run the IT services to support the customers in, guess where?
Right: Toronto.