<![CDATA[[SecurityRatty] tag: securosis]]> http://securityratty.com/tag/securosis Fri, 01 Aug 2008 20:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[The "A"]]> http://securityratty.com/article/1b9ddda67145b0350bba4d9bf6a096a3 http://securityratty.com/article/1b9ddda67145b0350bba4d9bf6a096a3
Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvo's and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, lets consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that it where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they puting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but its the ones that are pushing information out of your organisation that are sneaky enough not to have sgnatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targetted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but most everything runs on port 80 anyhow so the Firewall should be configured but it doesn't kep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.]]> Mon, 01 Dec 2008 10:57:00 +0000 financial information information information security generation infosec guys infosec guys information security people guys staff information technical guys The "A" <![CDATA[Links for 2008-11-25 [del.icio.us]]]> http://securityratty.com/article/5f45c605eed2ff767afb830215eb7e3a http://securityratty.com/article/5f45c605eed2ff767afb830215eb7e3a
  • The Myth of Software Support « Chris Swan’s Weblog
  • More On Why I Think Free Microsoft AV Will Be Good For Consumers | securosis.com
    My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.
  • Idiocy | securosis.com
  • The Impact Of Free Antivirus From Microsoft | securosis.com
    This gives them enough time to avoid suddenly losing 40% (don’t quote me on that, I’m on an airplane and just guessing) of profits over 12 months. The real losers will be the consumer-only AV companies without diversified portfolios or a larger enterprise base.
  • Rich Mogull: 7 Infosec Trends for 2009 - CSO Online - Security and Risk
  • Safe bets for IT spending in '09 | Business Tech - CNET News
    Second, security management will merge with log management. That works for ArcSight, RSA, LogLogic, and LogRhythm.
  • Dark Matters: Land of Confusion
  • InternetNews Realtime IT News - Enterprise SaaS Buyers Want More Than Uptime
  • High Tower Software Shuts Down | socalTECH.com
    Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down.
    • ]]>     Tue, 25 Nov 2008 21:00:00 +0000 tower software shuts log management software log management tower software security security management larger enterprise base enterprise saas buyers cnet news Links for 2008-11-25 [del.icio.us]     <![CDATA[Links for 2008-11-20 [del.icio.us]]]> http://securityratty.com/article/f0421d3d712a177576a6940fd9181128 http://securityratty.com/article/f0421d3d712a177576a6940fd9181128
  • Got SIEM? - Part IV « eIQviews
    Customers tend to use SIEM technologies for more reactive efforts, such as post-event forensics, rather than as a true correlation solution to determine unusual behavior or policy violations before they have a chance to affect systems and data.
  • SIEM Blog » Unrestricted Data Collection for Maximum Compliance and Forensic Visibility
  • Beast Or Buddha » Blog Archive » So we own your client database and everything important to you…
    Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!” SG dude: “Well more than likely, others have….we didn’t do anything fancy…”. Web Developer: “Well nothing has ever happened so it’s just you guys!” SG dude: “You have no logging”. Web Developer: “We’ve never been hacked!”
  • On Data Loss Prevention (DLP) » My Wife Finally Knows What I Do
  • The Two Kinds Of Security Threats, And How They Affect Your Life | securosis.com
    We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email).
  • Marcus Ranum on Network Security - CSO Online - Security and Risk
    The real best practices have been the same since the 1970s: know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to "need only" and segment your networks.
    • ]]>     Thu, 20 Nov 2008 21:00:00 +0000 data data collection web developer siem data loss prevention security siem blog security threats network security Links for 2008-11-20 [del.icio.us]     <![CDATA[Talking Engagement]]> http://securityratty.com/article/b1376fcaf83b962af2522fd39ae76937 http://securityratty.com/article/b1376fcaf83b962af2522fd39ae76937
    My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

    This may sound counter productive but in these though times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.

    If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.

    Information Classification is key. As is awareness.

    My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.

    I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

    I'm not really one to tooth my own horn but I wrote this blog entry to thank a number of people who made my speech possible.

    Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

    I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.

    When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.]]>     Fri, 14 Nov 2008 06:46:00 +0000 treat information security information security information classification security department information security conference technical people people department Talking Engagement     <![CDATA[Links for 2008-11-03 [del.icio.us]]]> http://securityratty.com/article/09a233e5ec7f4cb99c4cff9bd428d909 http://securityratty.com/article/09a233e5ec7f4cb99c4cff9bd428d909
  • Tenable Network Security: Log Correlation Engine 3.0 Released
  • More McAfee Snakeoil Ranting ha.ckers.org web application security lab
  • Spire Security Viewpoint: Symantec M&A Retrospective
  • Why Risk Management Doesn't Work - Security/Management - DarkReading
  • Apocalyptic Vulnerability Percentages - FUD 101 ha.ckers.org web application security lab
  • Database Activity Monitoring & Event Collection Options | securosis.com
    • ]]>     Mon, 03 Nov 2008 21:00:00 +0000 event collection options apocalyptic vulnerability percentages log correlation engine spire security viewpoint tenable network security risk management mcafee snakeoil ckers database activity Links for 2008-11-03 [del.icio.us]     <![CDATA[Links for 2008-10-09 [del.icio.us]]]> http://securityratty.com/article/3f5041f2ca487cf209923936d4e1ac1b http://securityratty.com/article/3f5041f2ca487cf209923936d4e1ac1b
  • Policies vs. Plans vs. Procedures vs. Standards | securosis.com
  • Cyber Attack Data-Sharing Is Lacking, Congress Told - washingtonpost.com
    • ]]>     Thu, 09 Oct 2008 20:00:00 +0000 cyber attack procedures plans congress standards securosis policies washingtonpost Links for 2008-10-09 [del.icio.us]     <![CDATA[Links for 2008-10-08 [del.icio.us]]]> http://securityratty.com/article/d45a6a86a62f0327b9849ed06c8c9316 http://securityratty.com/article/d45a6a86a62f0327b9849ed06c8c9316
  • Job Security Is a Dumb Goal (And a Survey with Some Cool Prizes) | Employee Evolution
  • Symantec Buys MessageLabs | securosis.com
  • Career Advice from the POPE | Security Incite: Analysis on Information Security
    • ]]>     Wed, 08 Oct 2008 20:00:00 +0000 symantec buys messagelabs security incite career advice job security dumb goal employee evolution information security cool analysis Links for 2008-10-08 [del.icio.us]     <![CDATA[Links for 2008-10-01 [del.icio.us]]]> http://securityratty.com/article/2e61bbf8f65cea7668e676362729b6b6 http://securityratty.com/article/2e61bbf8f65cea7668e676362729b6b6
  • Behavioral Monitoring | securosis.com
  • Dana Gardner's BriefingsDirect: Improved insights and analysis from IT systems logs helps reduce complexity risks from virtualization
  • E-Commerce News: ID Security: New PCI Security Standard Falls Short
  • Enterprise Architecture: From Incite comes Insight...: How many fingers are required to count the number of clueless IT Security Professionals?
  • IT Security: Can We Be Compliant and Yet Insecure?
  • Get Rich Quick With Network Security
  • Rational Survivability: IDS: Vitamins Or Prophylactic?
  • PCI DSS News and Information » Great Expectations?
  • GFOA Treasury Management
  • SANS - Computer Forensics - Top 7 New IR/Forensic Trends In 2008
    SANS Top 7 New IR/Forensic Trends In 2008
  • You Might be a PM if… « Mark Curphey - SecurityBuddha.com
  • Security is not a solution | Computerworld Blogs
    Security is not a solution
  • Andrew Hay » Blog Archive » Secure Life Ep 3
    • ]]>     Wed, 01 Oct 2008 20:00:00 +0000 security security professionals computerworld blogs security network security sans top irforensic trends sans top pci dss news Links for 2008-10-01 [del.icio.us]     <![CDATA[DRM In The Cloud]]> http://securityratty.com/article/417f3d7b09bf5a1e25047ab2bb4745ea http://securityratty.com/article/417f3d7b09bf5a1e25047ab2bb4745ea Tue, 16 Sep 2008 03:52:18 +0000 digital rights management fail outright drm remain solve cross-post opinion securosisi security DRM In The Cloud <![CDATA[Links for 2008-08-01 [del.icio.us]]]> http://securityratty.com/article/d521dda2d72e4a111babb72f69717d54 http://securityratty.com/article/d521dda2d72e4a111babb72f69717d54
  • 7 Reasons Why You Won’t be Getting a Raise this Year and What You Can Do About it | Employee Evolution
  • The Art of Dysfunction | securosis.com
    * “Early Funnel Cheerleading”: how to use a “parade of suspects” as a smokescreen * “ABB”: always be blaming * Layering dysfunction behaviors * “It is OK to NOT sell”: building a culture of failure * The “Gatling gun of blame”: the art
    • ]]>     Fri, 01 Aug 2008 20:00:00 +0000 dysfunction dysfunction behaviors art employee evolution funnel abb reasons gun raise Links for 2008-08-01 [del.icio.us]