It’s almost an inevitability at IT security conferences that some speaker will break out the Sun Tzu quote about knowing your enemy and yourself to avoid disaster in battle. But in this day of threat intelligence feeds and cyberawareness, all too often the emphasis is put on intelligence-gathering about the adversary. Meanwhile, the more obvious and often more available data about oneself remains unharvested.
At the recent UNITED Security Summit, two banking executives from a top 25 U.S. financial institution (who shared best practices on the condition of not naming their employer) challenged that lack of self-awareness, advising fellow practitioners to take a deeper dive into readily available data about their systems, users, and patterns in their environments to improve their risk management strategies with meaningful action. That process starts and ends with what Kelly White, vice president and information security manager, called a security Q&A for an organization.
via Know Thyself Through Data-Driven Security Q&A — Dark Reading.
A new Harris Interactive study provides a valuable barometer on current consumer perceptions and mobile privacy trends by examining issues, such as data collection, geo-location tracking, mobile advertising and privacy management responsibility.
Among the top findings: many smartphone users are more concerned about mobile privacy than a phone’s brand, screen size, camera resolution or weight; more than three-quarters of smartphone users won’t download an app they don’t trust; and although the majority of those surveyed don’t like the concept of tracking, nearly half (46%) of smartphone users are still unaware it even happens.
Evernote reported a Security Incident. When there’s an event like this there are many ways a company can mishandle notification.
Scott Fendley, the ISC Handler who posted the note, did a nice job of speaking to the Incident Handling procedure Evernote employed:
From an incident response point of view, I will have to commend Evernote for how they are handling the situation.
It appears that their security operations was able to detect the incident in a reasonable period of time (within a day). In addition, their communications/PR arm responded with good initial recommendations in the news article. And while there is not much technical information yet, they were able to limit some of the questions about how they stored passwords (one way hash with salting). It is my guess that Evernote has been preparing for the eventuality that a security breach would occur, and prepared all of the appropriate parties to respond.
Protect, Detect, Respond, Recover. Remember to not just focus on one or two of these within the continuum.
The part I want to highlight is how the Evernote team and not just their Security Operations dealt with this. Too often companies will expect their InfoSec specialists to do it all: the normal Incident Handling cycle (identify, contain, eradicate, recover, and lessons learned) plus handle the notification and communications. When dealing with a Security Incident it is critically important that the InfoSec and other technical teams are focused on handling the event. Management, help desk, and in this case the PR team can best help by levering their skills communicating and running interference.
I look forward to Evernote providing us with a detailed report of what happened and how they handled things.
Of course, don’t forget:
And if you use Evernote, change your credentials soon to limit your personal exposure.
I’m a huge Evernote fan and user. This just reinforces for me why it’s a service I’ll continue to patronize.
Mathew Ingram at GigaOm wrote an article on Yahoo’s new policy on remote workers:
Not long after her arrival at Yahoo, new CEO Marissa Mayer started handing out carrots to her new employees, including new smartphones, free food and other Google-style amenities. Now she has brought out the stick: namely, a directive that employees are no longer allowed to work from home, something that is expected to affect as many as 500 Yahoos. Mayer’s move has its supporters, who argue that she is trying to repair Yahoo’s culture — but in doing so, she could be sending exactly the wrong message for a company that is trying to spur innovation after a decade of spinning its wheels.
The moment I first heard Yahoo proclaimed this policy I became angry. It does not impact me directly, but as a highly skilled and experienced IT Security and Networking professional now on the market I can say that Yahoo is no longer on my list of companies I’d care to work for. Here’s why.
About 15 years ago while I worked for EDS as a Network Security Administrator my marriage fell apart. Up until then I rarely if ever worked from home. With divorce looming I had sole custody of my two young kids. I had to work from home when they were sick or were off of school. At the same time my role at EDS changed to include firewall administration, demanding more of my time to cover on-call and odd support hours.
I was fortunate to report to managers that understood my situation and worked to help me. I worked with a great group of professionals who didn’t complain about my flexible work schedule. In fact we all worked together so everyone could have the same flexibility I had. How did I handle things? I became infamous for keeping sleeping bags, pillows, snacks, and toys for my kids in my cube. I don’t know how many nights I carried the two of them into the data center in the middle of the night, each slumped over a shoulder while I badged through the security doors. They slept on the floor swaddled in their sleeping bags and little heads resting on Disney-themed pillows, lullabied by the white noise.
When I interviewed with Magna I was very upfront about what I needed to do to take care of my kids and what I would do in return. They took me on without hesitation, and I always appreciated and respected the trust they placed in me. Similar to my days at EDS, the team at Magna embraced me and the flexibility I needed. I repaid my boss’ and team’s trust in many of the same ways I did for EDS, but there was one case that was above and beyond.
For reasons that escape my memory the IT staff in Europe all quit on the same day. The organization I worked for was very lean. There were no extra people around to help fill in while they hired new staff. I stepped up, waking between 03:00 and 04:00 Eastern time to support Europe until I had to get my kids ready for school. I’d drop them off (no bus service) and return to cover the rest of the European day and my normal work. I was caretaker of servers and services in addition to the network and security. I did this for almost 6 months from my basement, buying the European IT director time to hire some great team members.
When I moved into management my team earned with me the same opportunities and respect that I earned. With instant messaging and email, IP telephony and video conferencing, and cheap Internet-based VPNs back to the company they could do everything they needed to do from home that they could do from work. Yes, you cannot replace face-to-face interaction. But by the same token how much hallway and water cooler talk is mere friendly trivia?
I’ll leave how companies choose to handle working from home to what makes sense for them and their business. But I want the conversation rephrased to talk about working from home as a tool and not a benefit. It can help both the employer and the employee, and that can’t be taken lightly.
I sincerely hope Marissa Mayer reconsiders her decision. She’s closing a door on quality hard-working talent that will go elsewhere just at the time when she needs them in Yahoo.
via Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis.
Advanced Volatile Threat (AVT) is an attack on RAM, not on data or programs stored on the system. It’s fast, ephemeral, & hard to detect, according to the article:
And that concern, (John) Prisco (CEO of Triumfant) says, could drive more attackers to drop their APT strategies and turn to AVTs instead. “The AVT is going to be attractive to sophisticated attackers because it’s there, and it’s gone,” he says. AVTs take a bit more effort, Prisco observes, because they only work once, but attackers who are highly concerned about attribution will likely be willing to do the extra work.
Using an AVT is no guarantee against detection, DeMesy says. “Detection of advanced volatile attacks is extremely difficult, even when best practices are followed,” he says. “However, you may be able to detect what the attackers are trying to do. Internal honeypots are an excellent way to entice attackers to reveal their presence. Attackers employing advanced volatile attacks are looking to get in and out of a network quickly, bringing with them as much information as possible, so seemingly vulnerable targets, such as a honeypot, are a prime target.”
via Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast – Dark Reading.
Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.
The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.
The way the article reads it seems like these platforms have large flat LANs, where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with IP addressing that is not routable to the Internet or to the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down: default deny in both directions. Selectively open ports for maintenance and close them again when done. Monitor the heck out of the thing.
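The segmentation recommended above, modelled as a small policy checker: a default-deny boundary between the corporate LAN and a non-routable SCADA VLAN, one maintenance exception that only works from one engineering host, on one port, inside a time window, and a log of every denied flow. This is an added example, not code from this post or the Chronicle article; the address ranges, hosts, window and the Modbus/TCP port choice are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

CORP_LAN = ip_network("10.1.0.0/16")     # assumed: corporate / personal-device LAN
SCADA_LAN = ip_network("10.200.0.0/24")  # assumed: SCADA VLAN, not routed anywhere else
MODBUS_TCP = 502                         # Modbus/TCP, a common SCADA protocol port


@dataclass
class MaintenanceWindow:
    src_host: str        # the one engineering workstation allowed in (assumed)
    dst_port: int        # the one port opened for the job
    start: datetime
    end: datetime        # after this the hole closes on its own


@dataclass
class Firewall:
    window: Optional[MaintenanceWindow] = None
    denied: List[str] = field(default_factory=list)  # "monitor the heck out of it"

    def allow(self, src: str, dst: str, port: int, now: datetime) -> bool:
        s, d = ip_address(src), ip_address(dst)
        if (s in SCADA_LAN) == (d in SCADA_LAN):
            return True  # same side of the firewall; this box never sees it
        w = self.window
        if (w and d in SCADA_LAN and s == ip_address(w.src_host)
                and port == w.dst_port and w.start <= now < w.end):
            return True  # selectively opened for maintenance, time-boxed
        # Everything else, including anything the SCADA side initiates
        # toward the corporate LAN, is denied and logged.
        self.denied.append(f"{now.isoformat()} DENY {src}->{dst}:{port}")
        return False


def run_scenario() -> dict:
    """Constructed flows: a personal laptop, the engineering host in and out
    of its window, and a PLC trying to reach the corporate LAN."""
    t0 = datetime(2013, 2, 25, 9, 0, tzinfo=timezone.utc)
    fw = Firewall(MaintenanceWindow("10.1.5.20", MODBUS_TCP, t0, t0.replace(hour=11)))
    return {
        "laptop_smb": fw.allow("10.1.77.3", "10.200.0.10", 445, t0),
        "eng_in_window": fw.allow("10.1.5.20", "10.200.0.10", MODBUS_TCP, t0),
        "eng_after_window": fw.allow("10.1.5.20", "10.200.0.10", MODBUS_TCP,
                                     t0.replace(hour=12)),
        "eng_wrong_port": fw.allow("10.1.5.20", "10.200.0.10", 22, t0),
        "plc_to_corp": fw.allow("10.200.0.10", "10.1.77.3", 80, t0),
        "denied_log": list(fw.denied),
    }
```

The four denied flows in `run_scenario()` end up in `denied_log`, which is what you would ship to whatever is watching the firewall.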
InfoSec professionals, how would you handle this type of situation?
via Malware on oil rig computers raises security fears – Houston Chronicle.
It is hard to impossible to stop a determined idiot.
This axiom came to mind as I read the story of the man who leapt from a zoo’s train. His athletic jump cleared a sixteen foot tall protective fence and landed right in the pen of a Siberian tiger. The tiger attacked the man severely.
I’ve been trying to think of valid reasons why the man would do that. From the reports I read the man seemed intent upon clearing the safety fence, so this was no accident. He wasn’t trying to escape a giant space scorpion or an icky bug or a girlfriend he was trying to break up with. Even if he was trying to commit suicide I imagine there are ample other avenues available, avenues less elaborate and ultimately more effective. This seems to me more in the field of a frat prank or a dare or drunken misplaced determination or a desperate ploy to get famous.
I think the guy is an idiot. If one applies Hanlon’s Razor, i.e. “never attribute to malice that which is adequately explained by stupidity”, he’s an idiot. Even if he’s not, even if there’s a valid reason for this bizarre chain of events, let’s assume for the sake of this post that he is an idiot.
We’re left with an idiot who did, deliberately and with malice aforethought, jump into a Siberian tiger’s pen. The tiger did what tigers do: the man was mauled. The man was rescued by zoo staff.
I’m sure that some people read the stories and were appalled that a tiger would do such a thing. They might demand the animal’s destruction for daring to harm Homo sapiens in such a blatant way.
Others might read that story and say, “How can we let people jump from a moving train over a 16-foot fence into a wild animal’s pen? We must implement laws and elaborate security systems to prevent this.”
The zoo did neither. The zoo’s director, Jim Breheny, handled the situation, in my humble opinion, appropriately based on the actual risk.
The Associated Press quoted Breheny as saying, “When someone is determined to do something harmful to themselves, it’s very hard to stop that. … The tiger did nothing wrong in this episode”.
The most telling part from both a risk management and incident handling perspective is the other statement from the Associated Press article I read: “Zoo officials said they would review safety procedures but stressed that the situation was unusual.” By the way, they’re not going to euthanize the tiger.
“We review everything, but we honestly think we provide a safe experience,” Breheny said in the Associated Press article. “And this is just an extraordinary occurrence. … Somebody was deliberately trying to endanger themselves.”
The lesson: don’t make more out of an isolated incident than is there. If the particular ingredients of a problem are all unlikely or rare, then the response should be proportional. This isn’t to say that there aren’t lessons to be learned from every event. Rather, a rational and judicial
The corollary: given enough resources a determined person can defeat security measures. As my Dad said to me after my childhood home was broken into, “If someone wants to get in bad enough they’ll find a way”.
The same is true for determined idiots.
The other day I took 100 bottles and cans to the local liquor store for a refund. Here in Michigan we pay a ten cent deposit on every soda pop, beer, and other beverage container. It has been this way for as long as I can remember. The deposit makes a difference. After having spent 5+ years in a no-deposit state (Oklahoma), a $0.05 state (Connecticut), and the aforementioned ten cent Michigan, I follow the deposit refund options far more religiously in the Great Lakes State.
But that’s not the point of this post, either.
The point is that the other day I took 100 bottles and cans, some beer and some soda pop, to the local liquor store for a refund. That is $10 in a refund that I invariably spend on more soda pop and beer. I like high quality local breweries, so $10 will often not quite cover a six pack just in that. After I had dropped the containers off, the store employee in charge of returns, Robert, chased me down to admonish me for my containers.
The way the MI law is written, stores only have to accept containers that they sell. The stores with automatic return machines enforce this. That’s why I take mine back to this store – no machines policing the returns. The store itself offers a decent beer selection, albeit smaller and a little more expensive than the other stores where I shop. I always end up spending more in the store after a return run than the refund.
When Robert flagged me down and lectured me loudly in the store on how hard it is for him to get $0.10 on a bottle they don’t carry from the store’s distributor, I argued. Uninterested, he dug through every neatly packed bag (and I do rinse and orderly arrange things). After everything was reviewed only 12 bottles out of the 100 were questionable. Since I had in my hands two six packs of beer and one 12 pack of pop worth $23 before tax and deposit, Robert was arguing about 5% of my total spend with them on that trip, $1.20.
Again, Robert was not wrong. A store’s obligations under the program are laid out. While I argue that such limitations negatively impact the effectiveness of the law, the law is plainly written.
Nevertheless I put the $23 of stuff back on the shelf and walked out with $8.80 in deposits. I let Robert keep the extra bottles. I spent that $8.80 plus more at another store. That was a loss of $31.80 (the $23 I was going to buy plus the deposit I was entitled to) instead of a $21.80 in sales (presuming the store had to eat the $1.20).
Since I was treated so poorly I later returned another 27 containers for cash at that store on my way to another store where I spent $23 in more of the same. That’s over $50 lost for the sake of $1.20. Once I exceed $120 I will talk with the owners.
For me I spent next to nothing on the extra fuel since the other options are less than a mile away. I saved about $1.50 on my purchases.
This illustrates “Penny Wise & Pound Foolish” very well.
I would be a fool if I didn’t cast a critical eye on myself. What have I done that, in retrospect, was penny wise & pound foolish?
At work the big thing that leapt out at me, fit for public consumption, was being so far behind on my expense reports. It always takes more time to complete them the longer it takes me to do them. It takes money out of my pocket both in covering the expense in a timely fashion as well as in any late charges that I have to absorb.
At home I just went through a big refresh in various parts of my life, so it is too early to tell there.
“Penny Wise & Pound Foolish” is another way of describing the Law of Unintended Consequences. How much time and effort would it cost to ask “What happens if …?” before making a decision?
My professional career started in retail. Specifically, I started in food service. I was a fill-in for three weeks, then discarded.
I then went to Best Buy. I quickly climbed the ladder there in the computer department from part time sales associate to department manager.
I left Best Buy for personal reasons, then found myself back at the same store one year later. I was hired back in as a sales associate. Two weeks later I was promoted to assistant supervisor. Two months later I was promoted to supervisor. I was moved from department to department where I was needed. Eight months later I was promoted to manager.
I did the manager thing until I found myself at the top of a step ladder during the Christmas shopping season directing people to the 14 or so checkout lanes we had running. My department, the cashiers and customer service, processed well over a million dollars worth of transactions that December of ‘96. From atop my perch I herded the customers like cattle, each into their own financial abattoir. I dealt with people returning new-from-the-factory computers with bricks in them, people with electronics infested with insects and vermin, people with equipment we never sold demanding we provide them with satisfaction.
By January, the return season, I had quit and moved my family to Michigan. That story is one for another day.
Sitting in the Apple store in Troy, Michigan today I was reminded why I hated working in retail. It’s loud. It’s crowded. Customers are crazy. At least Apple has incredible margins that PCs don’t have.
The retail plus was the immediacy of the numbers. You didn’t have to wait for month’s end to see how you were doing. You didn’t have to wait for the end of the week. Every morning a fresh set of numbers was ready to greet you on your previous day’s performance. You knew about that day in the week’s context, the month’s, the year’s, and the previous year’s day.
As a supervisor or manager, it meant that you could immediately adjust your approach, and your team’s, to the numbers. That was also the drawback if you only relied on the numbers.
The numbers wouldn’t tell you that the University of Oklahoma was in a crucial game, keeping attendance down. The numbers wouldn’t tell you there was an ice storm last year. The numbers wouldn’t account for half the staff laid up with the flu.
The numbers certainly weren’t forgiving in cases of fraud or outright theft. That was what the twice-annual inventory audits were for. Back in the day there was a department supervisor taking tens of thousands of dollars of gear out the back door. As is often the case with thieves, the supervisor got greedy and took enough to get noticed. Even though that person was prosecuted to the full extent of the law, store management was held responsible for the loss, or shrinkage.
There are things that I miss from my retail days, but they are few. I am still extremely happy not to be in that space any more.
Have you worked in retail or still do? What do you like or miss about retail?