Wednesday, June 27, 2007

Worrying is productive

You are overwhelmed and so am I. This is the state of IT, especially in one-person shops. So, how do we begin to address the dozens of things we know we should?

And as far as security goes, making progress often seems impossible. One of the key problems is that in small businesses we don't have dedicated security personnel; we do it all, but we are judged almost exclusively by the overly simple question "does it work?" Not "is it secure?", nor "is it compliant?", just "does it work?" This makes spending the time to plug holes, and getting the resources to address security issues, difficult (at best).

So, what can we do about security? Worry about it. Do not obsess about it; just worry a little. It is a great first step. Go to seminars; read books, papers and blogs; listen to podcasts or whatever you can fit into your schedule, and learn what to worry about. This will not magically make the Spare Time Fairy appear in your life and grant your wishes, but it should start to make you think before you act. And that is the point: to start factoring security into your decisions before you make them, so there is less cleaning up to do later.

If a little worrying helps you get there, so be it.


Tuesday, June 26, 2007

The Ghost in the Browser

This one is not new, but it is worth repeating. A team of researchers from Google (Google researchers? Doesn't Google already know everything?) released a paper on their study of web-based malware. Read it. It is OK if it takes a few passes to digest bits of it, it appears to be written by smart people. (See my first post if you wonder what that means).

Link here to the nine-page (440KB) PDF

Out of the billions of URLs crawled, Google selected about 4.5 million for in-depth analysis. Roughly 10% of those were demonstrably bad, pushing malware to visiting client machines (drive-by downloads), and another 16% were questionable. That is about 450,000 "evil" URLs and 700,000 questionable ones. How many have your users visited this week?

This is why web filtering is important: its real job is keeping malware off your network, by blocking known-bad URLs before a browser can fetch them. Keeping employees away from bad things is just a bonus.


Monday, June 25, 2007

Security Anecdote Theater, episode 1

I frequently travel from Cape Cod to Rhode Island, which means I drive Interstate 195 regularly. On I-195, shortly after you enter RI from Massachusetts, there is a nondescript, single-story block building on the right, near an overpass. It was pretty small, but they added on a couple of times, building out each time, not up. After decades in the same location, the company recently moved to a larger facility. Odd that they gave up a convenient and high-visibility location instead of just building a second floor. Especially considering that they are an elevator company.

Actually, it isn't odd at all. Elevator parts tend to be large and heavy; carting them around on a single level makes much more sense than moving them up and down, even if you happen to be in the elevator business.

So maybe the answer that appears obvious, the answer that you are familiar with, is not the best answer.


Non Sequitur

This one-panel comic does a better job of summarizing the nature of security than anything I have seen. The distilled essence of real-world security.

It has been suggested that the cat door is a metaphor for port 80...


Getting Started

Well, you're here, so I guess I should write something profound and/or witty.

Instead, I'll write this: if you want to move forward, be wary of smart people. Don't ignore them, but don't try to follow them, either. Gather what you can from them and move on.

Me? I want to see and learn from clever people, the people who get things done, often in less than ideal circumstances. These are the people I want to emulate.