
Thoughts on APT

keydet89 (@keydet89), topic starter

http://windowsir.blogspot.com/2010/01/thoughts-on-apt.html


Jamie (@jamie), moderator

Please at least quote something for discussion, Harlan, thank you (believe me, it makes my job easier).

Jamie


(@infern0)

allow me

…what I'm not seeing is a corresponding paradigm shift on the part of the organizations that fall victim to these intrusions and compromises. Intrusions are still going undetected; victims are being notified by external third parties weeks or months after the fact. Systems are still being compromised via SQL injection and the use of poor passwords by administrators.

I'd be impressed to see an organization that hasn't already been notified that they have a problem, move these items up in priority preemptively. Not to be a pessimist, but, that's the reality of it. There isn't a problem until you look for it.


keydet89 (@keydet89), topic starter

That's like the question, "if a tree falls in the forest, and there's no one around to hear it…does it make a noise?" Experience tells us, yes.

If you bury your head in the sand so that you can neither hear nor see, does that somehow magically keep data from leaving your infrastructure?


jaclaz (@jaclaz)

That's like the question, "if a tree falls in the forest, and there's no one around to hear it…does it make a noise?" Experience tells us, yes.

Unless someone has put one of these in the forest:
http://www.aireshelta.co.uk/the-aire-cushion/

If you bury your head in the sand so that you can neither hear nor see, does that somehow magically keep data from leaving your infrastructure?

Yes, if you have memorized 'em all. 😉

Seriously, nice article Harlan. :)

I doubt that, given the current (unfortunately) culture standards, your wish

So the take away, for me, from these reports is simply that there needs to be a cultural shift on the part of those who store and process sensitive data, and it has to come from the top down.

may take a loong time to become real.

About this

What should be the CEO's concern…that his email and IM are up and running, or that the sensitive data that his company stores and processes is secure, and his infrastructure monitored?

I have to report that I have seen so many CEOs spending most of their time with emails, IMs and other "technology fun", that I doubt they even know who/how sensitive data are managed in their company; they have hired "experts" and "professionals" for this, and it's not seen much as their problem (until disaster strikes).

I have the feeling (and sincerely hope being wrong), that there is a relevant number of "inexpert experts" and "unprofessional professionals" too when it comes to securing data.

I wouldn't trust the top-down approach only, we need a more general "security awareness" by everyone, including the "experts" and the "common" people in the company, white collars at least.

jaclaz


(@chanko86)

I agree with Jaclaz. There needs to be a better awareness of security and what is at stake. There needs to be constant monitoring and ethical hacking in order to gain a better understanding of what you are defending from.


jhup (@jhup)

This sounds oh so cool and new, and how we have fancy charts, and most of all much much more, highly exciting acronyms that no one can remember.

20 years ago this was the problem.

200 years ago this was the problem.

As a matter of fact, several thousand years ago it was still the problem. (Trojan horse? Second Punic War?)

You will have kings/leaders/CEOs/Board of Directors thinking security is irrelevant until it is needed, but by that time it is often too late.

Security is an insurance expense, that most businesses do not wish to pay.

Just because it seems yesterday's code was not "advanced" by today's standards, it indeed was very advanced! I recall polymorphic self-encrypting TSRs that just boggled my mind with how ingenious they were.

Today "Persistent" may take a year or more. So were the hackers who kept trying line after line with a demon dialer, randomized, night after night, waiting for those 'sweet modem tones'. Talk about persistence! The style and content of persistence changed, but the monotonous steps are still required.

"Threat" as the rest has been around, and will always be…

What is new? So we moved our battle tactics to the "cyberspace" (barf). It is still the same. They have infantry, we have infantry. They have heavy armors, so do we. They have snipers, so do we. They have spies, so do we, and so on.

I guess I am just not educated enough to understand the implications . . .

And, I thought I was not so dumb and not so old.


keydet89 (@keydet89), topic starter

I have the feeling (and sincerely hope being wrong), that there is a relevant number of "inexpert experts" and "unprofessional professionals" too when it comes to securing data.

Yes, we do. I used to work for just such a company…I responded to a number of internal incidents where another part of the company had been responsible for securing and monitoring the systems that had been compromised.

I wouldn't trust the top-down approach only, we need a more general "security awareness" by everyone, including the "experts" and the "common" people in the company, white collars at least.

I don't trust the approach solely…what I'm saying is that there are folks out there in the trenches who have an eye toward security, but the problem is that it is not their primary duty.

If a house or building catches fire, who do you want responding? The guy who responds to fires all the time and has training and experience, or the guy who's never done much more than watch a response in the movies before? How about if it's a warehouse with dangerous chemicals? The same applies here.

When IT folks come in in the morning, their tasking and direction for the day are generally provided by the culture imposed by the C-level suite. If the C-level folks are most interested in having their email and IM running, that's what the IT folks will ensure. However, if the CEO starts asking for network diagrams, wants to know about design and where/how data is protected, and even initiates mock incidents to test the response staff, the culture will be different.

We can see from report after report that the bad guys are dedicated, smart, and that there's a whole economy around what they do. For everything that someone does…find a vulnerability, create an exploit, put together a new, undetectable deployment package, target vulnerable hosts, etc., money changes hands. If someone in the chain fails or disappears, there are dozens or hundreds waiting to take his place.

On the other side of the ring, as it were, the soon-to-be victim organizations are busy making sure that the CEO can get his email and download YouTube videos. This lack of focus ultimately means that once the incident is detected, weeks or months after the fact, there's not going to be very much data of value left (no logs, etc.) to "investigate".

We've even tried to mandate (via PCI and other regulations) and legislate (via state notification laws, etc.) the requirement for securing data, and it's still not working…CEOs are still not "getting it".

jhup is right…this is nothing new. What I'm suggesting is that we now have numbers…facts…to point at to say, "Hey, look…this is what's happening. Wake up!"


(@seanmcl)

[quote="keydet89"]
jhup is right…this is nothing new. What I'm suggesting is that we now have numbers…facts…to point at to say, "Hey, look…this is what's happening. Wake up!"
[/quote]

Harlan

We've had these numbers and facts for awhile, as well. It hasn't changed things, much.

For example, since at least 2007, it has been widely known that certain Autonomous Systems belonging to telecoms in Eastern Europe have been a principal source of malware (without providing anything of appreciable value). So why do ISPs in the US still have peering agreements with these?

The sites mentioned in the SANS documents describing the Russian Business Network in 2007 were still in operation in 2008, where traffic was being redirected to them via DNS hijackings.

The same goes for a lot of bulletproof hosting sites which have been recurring sources of CP, SPAM and malware and even PCI. We know about them but it takes a lot of effort to get anyone to do anything about them.

The problem may be, as in the case of the December 25th attempted bombing of the Northwest flight, that we have too much data but not enough resolve to do anything about it.


jaclaz (@jaclaz)

We've had these numbers and facts for awhile, as well. It hasn't changed things, much.

For example, since at least 2007, it has been widely known that certain Autonomous Systems belonging to telecoms in Eastern Europe have been a principal source of malware (without providing anything of appreciable value). So why do ISPs in the US still have peering agreements with these?

According to the "number and facts" of the 7Safe report
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5255

the problem is the U.S. and Vietnam.
(just to underline that maybe number and facts are not as accurate as they could or as I wish they were)

Unless of course all the bad Russian guys managed to get hold of the U.S. ISPs, but if this is the case, then why get control of the Vietnam facilities too?

jaclaz

