I recently attended a threat intelligence briefing in Atlanta to get some last-minute CPEs, have a free lunch, hobnob with my colleagues in the area, and learn a thing or two from those who spend time in the company of hackers. The presentations at the briefing were given by various research staff from the vendor and covered topics like advances in Advanced Persistent Threat detection and eradication, low-level training materials created and used by the Anonymous collective, and other trends from the dark side of the internet. Surprisingly, the most interesting part of the afternoon was not focused on the hackers or hacks themselves, but on news reporters who uncritically cover unconfirmed and unsubstantiated reports of compromise, hacks, and vulnerabilities. These reporters appear to stumble upon claims that flash the magic keywords that strike fear in the public and, in what I can only assume is the best interest of public awareness, hurriedly rush to press with incomplete and uncritical parroting of the claims made by the source. The generation of Fear, Uncertainty, and Doubt (FUD) adds noise to an already noisy landscape of threats, countermeasures and compromise.
At work today, I found myself fighting the same battle again – the battle I have faced at this job more often than in any past role. The battle is between being “Compliant” and being “Secure”.
In 2009, Heartland Data Systems reported that they had been breached to the tune of greater than 130 Million credit card records. The company had all of the appropriate certifications and attestations to state that they were compliant with the PCI DSS and other security controls tests. However, their defenses were so weak that even with the controls associated with the DSS in place, they were breached.
In scientific circles, papers are published and released in peer-reviewed journals. Scientists write up their latest research, and those papers are made available for others in the field to read, comment upon, and validate. You can find papers on many subjects in the Google Scholar search tool. Since my wife is on a health food kick (and kicking and screaming, so am I), I typed in “tofu” and sorted by date to find:
In a word: “Yuck”.
In my youth, passwords were a requirement to gain access to the clubhouse, and were regularly changed to prevent access by members who fell out of favor with the group. This type of access management is based on a shared secret, but suffers in that the end user has no ability to change or modify the secret. The one who is in the position of power (the administrator) may change the secret at will, thereby denying availability of the resource in question (in this scenario: the clubhouse). Bang on the door, shout, curse, throw rocks…the end user has little recourse, except to bribe or otherwise cajole the administrator into allowing access.