Tuesday, July 28, 2009

A good primer on Social Networking and Security Risks

A Tuesday morning tidbit for you-

Brad Dinerman has a great primer on social networking on his site- this is a good one to share with friends and family who need a clue about protecting themselves online, and a good refresher for those of us who claim to know what we are doing.  Share this, then you will either save yourself cleaning up a mess later, or you will at least get to say "I told you so" while you are cleaning up.



Monday, July 27, 2009

On the road to Vegas

I'm headed for Las Vegas on Tuesday; I'll be at Security B-Sides, BlackHat, NeighborCon, DefCon, and wherever nefarious people lead me (or I lead them).

Once again this year I expect Twitter to be a key tool in navigating the city during the various events.  If you are really bored you can keep tabs on me by following along at twitter.com/jack_daniel- that's probably the best way to catch up with me for the next week or so.  But it is Twitter, so, well, you know- think about what you tweet and expect to see the Fail Whale.

I will be spending most of Wednesday and Thursday at the Neighborcon/B-Sides venue (Astaro, aka my corporate overlord, is one of the sponsors of B-Sides), and I'll be at the Security Podcaster's Meetup at DefCon (also sponsored by Astaro).



Friday, July 24, 2009

Not that we need another acronym

But I have one for you: ALC, the Acceptable Level of Compromise. This is the level of system compromise people and enterprises are willing to live with. If you think the universal value of ALC is "none", you are badly mistaken. (Note- "is", not "should be"). I believe there are two primary reasons for this:

First possibility (the "good" one): if the pain and expense of resolution equals or exceeds the pain and expense of the compromise, logic dictates (or can be easily convoluted to dictate) that repair is the wrong answer. You can sprinkle words like potential and perceived in there if it makes you feel better (perceived expense, potential pain, etc.). Think about that before responding. As bad as living with compromise is, this at least means some thought (flawed or otherwise) goes into the decision and maybe we stand a chance of educating people in this category.

Second possibility (the bad one): the level of compromise is acceptable if you don't know you have been compromised. If they feel no pain, they are oblivious. Maybe they trust their anti-virus to protect them from everything, maybe they have unpatched systems, who knows- they certainly don't. Not much I can add, and this one is very common.

I bring this up because I have just run into another enterprise where they refused to re-image compromised systems and claimed that they never did. I have seen many who only check their systems when they have performance issues, and then don't care if they don't get all of the malware removed as long as system performance recovers to an acceptable level. The time and effort it takes to possibly clean (you never know what's left) a system is rarely worth it; I learned that years ago and now I just sing the song when I need to. What song is that? C'mon, you know it, sing with me:

F-Disk, Format, Re-In-Stall, Do-Dah, Do-Dah...

So, yes, there is an ALC, Acceptable Level of Compromise for many people. I don't like it, and neither should you, but we need to admit it.


Tuesday, July 21, 2009

Hunter S Thompson and Security

Don't ask how we got here, but...

There is a great post over on Gunnar Peterson's blog (OK, there are a boatload of great posts over there, but for now I would like to focus on a single, unexpected one, mkay?)  It turns out that Gunnar was Hunter S. Thompson's webmaster (and you think you have special clients) and the post I mention is about HST's passing.

Thompson's piece on security quoted at the end of the post is pretty interesting; it is easy to write it off as irrelevant to our day jobs, though- he is talking about personal security, adventure, and risk after all, not information security risk in a business environment.  Dismissing that attitude from the way you approach security would be a big mistake, however.  First, because we need to look at new ways to do things because our environment is constantly evolving- but that is "adventure" and "risk" we can manage (or, at least we tell ourselves we can).

There is a much more important reason to consider Thompson's words on security, especially in opposition to "accomplishment", because of one special group of people- entrepreneurs.  You know, the folks who start and grow businesses which then hire us.  There is a real risk/reward mindset with many entrepreneurs, and if they didn't gamble a bit, they wouldn't get where they are.  Think about that when dealing with them, and trying to sell security to them.  It is another case where the way we market security needs to be aligned with the audience. 

"You can't do that because it is dangerous"

is not going to get the reception you want.  Even

"You can't do that unless you do this to protect yourself"

probably won't do it, either.  On the other hand,

"We can provide protection for you so that you can do what you want, but with less risk"

should get their attention.  Just don't say it if it isn't true; sometimes you do have to be the voice of reason, or at least caution- and accept that some decisions are not yours to make.



Wednesday, July 8, 2009

B-Sides and Neighborcon, too

Just a quick note for those headed to Las Vegas for BlackHat and/or DefCon- not only will there be the Security B-Sides conference along with the big shows, there will also be a Neighborcon, too.

"Speakers will include Sandy “Mouse” Clark, Joshua “Belt Buckle” Gourneau, and Dan Kaminsky’s “Outie” Belly-button, and Josh “Buttery Nipple” Marlow. Games will include the SCADA Conference Drinking Game, Mystery Black Hat Theater 3000, and a few other neighborly things."

More reasons to go to the desert in the middle of summer.