Engagement Zen: Transforming IT & the Business through Security for Fun + Profit

Recently I presented a talk at BSides Detroit 2014. It was a fantastic experience. The organizers were excellent. The audience was great. I loved standing up on stage in front of people for the first time in almost two years. The feedback was constructive and wonderful. I look forward to continuing the conversation and presenting this talk at other events.

What’s the talk about? It’s about how Security is a different entity inside of any business, assuming Security’s role persists in-house and is not out-sourced. Security Professionals cross all the silos that a traditional IT organization creates and isolates itself within (DBAs, AppDev, Linux SysAdmins, Windows SysAdmins, Network, etc.). Security Professionals see and interact with parts of the business that IT typically doesn’t (HR, Legal, Finance, R&D, etc.). This gives Security a unique perspective.

Security must leverage their unique position to make a positive and memorable impact with IT and the business. Spreading Fear, Uncertainty & Doubt (FUD) isn’t the way. Conveying the message that the sky is falling isn’t the way. Constantly saying “no” isn’t the way.

What is the way? Talk with IT & the Business. But don’t talk with them about what you want, which is Security. Talk with them about what they want. Ask them about their fears and concerns and problems and what they wish they could do but don’t know how to do.

I wanted to come up with an approach that wouldn’t need approval or bureaucracy or some management intervention. I wanted something anyone could do at zero cost at any time with little to no gear needed.

And thus: Interview them. See the slide deck for how to go about this.

If you can solve a problem of IT &| the Business, one that leverages Security’s unique view inside of the organization, then they will want to engage with Security in the future. If done properly, they will seek you out, accept when you engage, and consider you a trusted advisor.

It also has the benefit of taking action, which is far preferable to waiting for someone else to realize that security is important.

Several people have asked where to get my slide deck for the talk. You can get it from Dropbox here.

Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com

October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.

Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.

Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.

via Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com.

Hackers target high profile domains – Securelist

During the last few days, several high profile domains have been defaced, including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis it does not seem that the actual webserver has been compromised; the most likely attack vector was that the DNS has been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

via Hackers target high profile domains – Securelist.

Read on for the details and the two interesting indicators.

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing it.

Recently FireEye discovered a new mobile threat from a popular ad library that no other antivirus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

via Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog.

I’m just starting to read up on this. Does anyone know of reliable secondary sources?