Friday, January 28, 2011

Shmoobus on Tumblr

OK, my grand plans for streaming live yesterday didn’t work, but a lot of Shmoobus antics were fed to http://shmoobus.tumblr.com/, and will be again on Sunday for the trip home.


By the way, this is no way to start a road trip. Shmoocon Snowpocalypse II.  As always, thanks to Astaro for sponsoring this mayhem.

Wednesday, January 26, 2011

Shmoobus Live Feeds

This is a test post, the live feeds will move to http://www.astaro.com/blog/security-perspectives when we work out any issues.  Thanks again to Astaro for sponsoring the ShmooBus.

You have better things to do than watch this and be jealous that you aren’t with the cool kids on the Shmoobus.  BUT, if you want to watch anyway, I’ll be trying both Qik and Ustream and streaming on whichever works better.  Widgets for both are below.

Wednesday, January 19, 2011

In Defense of FUD

That’s right, I’m defending FUD. Yes, I mean Fear, Uncertainty, and Doubt. That kind of FUD. And I’m here to defend it.

FUD is under unjust and unreasonable attack. Not from people who decry its use, but from some vendors, consultants, analysts, politicians, pundits, and regulators. Yes, they use FUD to sell their products, services, ideologies, whatever, but that is only the beginning of the problem. Things really turn ugly with the promises these folks make: if you will just buy what they are selling, they will deliver you from FUD and bestow upon you BCC (Bravery, Certainty, and Confidence). And Confidence is the right word, because this is a con game. If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don’t work that way, and we shouldn’t. Fear, uncertainty, and doubt, at reasonable levels, keep us alive and alert.

I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness and rethink the challenges we face. And that is healthy. If you find yourself confronted by someone whose promises are absolute, you need to be very careful (I generally either flee or mess with their tiny little brains; buying is not an option). We want to feel safe and certain, and that is why there is a “security” industry, but if we are honest, the real goal is to reduce the chances of something bad happening down to an acceptable level. We are never completely “safe”, and anyone who claims that what they are selling can change this fact is a charlatan.

Some of the most dangerous sources of inflated FUD and unreasonable BCC are organizations and agencies pushing their various certification and compliance agendas. Compliance with a standard, even a professed “security” standard, does not make you secure. A new set of letters after your name doesn’t change the world. These things *might* move you forward, but they won’t *solve* your troubles; keep that in mind when spending time and money on them.

That’s it. I’ll take a manageable dose of FUD over any blind BCC any day. And you should, too.


Jack

Friday, January 14, 2011

Good news, bad news

Have you heard? It isn’t new, but many seem to have missed it: Mozilla’s plugin check tool now supports multiple browsers, not just Firefox.  Just go to the URL, http://www.mozilla.com/en-US/plugincheck/, with each of your browsers and the plugin tool will list installed plugins and give you a status:

Outdated Version gives you a link to update

Up to Date gives a “thumbs up”

Unknown gives a “research button” which launches a search for you.

The value isn’t just in making sure your plugins are up to date, but also in showing you a list of them.  As with anything else in security, get rid of any you don’t need.  You may have to settle for disabling some items which can’t be uninstalled.

So what’s the bad news?  After you have done this with all the browsers you use, stop and think about doing that throughout your network.  Mildly annoying to take a few minutes sitting in front of your machine; painful to agonizing, or even impossible, throughout a network.  It is enough work making sure the browsers themselves are up to date; plug-ins and add-ons are pretty much hopeless.  Sure, patch- and systems-management tools get the browser and applications, but the extras are hanging out there exposed, and there isn’t a good answer for that.

There’s your weekend ray of sunshine…


Jack

Wednesday, January 12, 2011

Shmoocon FireTalks

Shmoocon is only a couple of weeks away.  This year, I’ve offered to help with the FireTalks.  FireTalks are two-hour sessions of 15 minute talks given in the evenings between the normal course of Shmoocon talks and whatever debauchery is planned for the later hours.

There are still speaking slots open, and we could use a few more sponsors, too.

Head over to the NovaInfosec Portal and see this post for more information.

Thanks

Tuesday, January 11, 2011

Who do you trust?

[NOTE: This is a post I originally published on the Security Perspectives blog at Astaro, I am also posting it here to help spread the word.]

I was fortunate enough to attend several Security BSides events last fall; I saw a lot of good talks and engaged in several great conversations. Two talks, one at BSides in Dallas/Ft. Worth and one the following week in Ottawa, touched on similar issues that really resonated with me. At the Dallas/Fort Worth event Nick Selby discussed his ideas for “Creating an Abstraction/Translation Layer Between InfoSec and Law Enforcement” (slide deck available here). In Ottawa, Adrien de Beaupré presented a talk on the need for CERTs or CIRTs in Canada (Computer Emergency Response Teams or Computer Incident Response Teams). Both talks spawned great conversations, some of which are still ongoing. While they are two different issues, the talks and discussions had some key similarities, especially around needing to know who to turn to for help, and the need to build relationships and trust before a crisis strikes.

Nick’s focus is on helping organizations communicate effectively with law enforcement when they suffer a breach or have other reasons to turn to law enforcement. Making the leap from traditional police work to investigating and prosecuting computer crime isn’t easy, and both sides of the conversation could often use some help; that is what Nick is trying to facilitate.

Adrien’s objective is more broad: he is trying to drive creation of a Canadian response team or teams to help organizations deal with a variety of computer incidents, and to foster information sharing.

At some level, both of these goals boil down to

“who do you call when things get ugly?”

which in turn really boils down to

“who do you trust?”

The time to ask (and more importantly, answer) these questions is not during a crisis. If you are in a large enterprise, internal security and incident response teams should already have contacts in the corporate legal office as well as in regional and national law enforcement. In smaller organizations, you may not have anyone who knows who to turn to if (when) something bad happens.

Where can you turn to start building your web of trust so you know who to call in a crisis? Every organization and situation may be different, but here are some suggestions.

1) Start with your existing personnel, ask who has resources and recommendations, and share the information. If your organization uses an external incident response company, ask them for advice.

2) Think about the groups and organizations you belong to (or should). Local ISSA, NAISG, InfraGard or other groups are great places to start this discussion. The groups may be Information Security related, or may be specific to your industry. You may also meet people at conferences or other industry events who can help you. Just make sure you solidify contacts before a problem happens; sending an email to a mail list trying to find “that guy I met in Las Vegas- we talked about data breaches” is not the best way to react to a crisis. Keep in mind that your organization’s management and legal counsel should be consulted before you take any action or set policies.

Don’t wait until you have a crisis to think about who you can turn to. And make sure others in your organization have the information, too, because emergencies may happen when you are not available.

Note: if you are interested in either of the projects mentioned above and you would like an introduction to either Nick Selby or Adrien de Beaupre, please send a message to me at jdaniel at astaro.com and I will be happy to connect you.


Jack