Discussion on:

175 Comments

that they see all the security threat news as nothing more than advertising and marketing gimmicks to buy a product. That and the "news" only mentions big corporations that are attacked.

If the security vendors started to talk about consumers getting attacked and how much individual consumers get stolen from them by hackers and criminals bent on stealing their money, then maybe they won't think the security news is simply advertising gimmicks to sell a product.
0 Votes
Contributr
This article has been one of the most interesting ones I have written in a while. Your concurring is significant. Thanks.
0 Votes
Safe hex!
Zwort 16th Mar 2010
I have not posted in Usenet for about 24 months now. Last time that I did was in a software forum; I was appalled, when I made some basic, defence in depth recommendations, to read one user's remarks to the effect that he did not need any security packages because he practises safe hex!

We all know that a variety of sites, from Symantec's site to Paul McCartney's site, have been worse than vulnerable, presenting a threat profile against which no 'safe hex' is valid, unless safe hex means no hex.

My remarks that these people were adding to the problem born by ISPs and thus the net as a whole? At best laughed at. There truly are people out there either with no brain or no clue, people without whom the net as a whole would be better off.

Just one example that I have in my files:

http://www.theregister.co.uk/2009/04/15/symantec_xss_bugs/
0 Votes
block "bad" cookies. I've heard no end of guff by IT types about how cookie fear is unsubstantiated.

Thanks for giving me the ammo to make an argument!!
1 Vote
Pleasure
Zwort 17th Mar 2010
Pleasure's all mine. Perhaps this would be a good topic for TechRep to cover.

Here's another one for you:

http://www.scmagazineus.com/Paul-McCartneys-website-hacked-to-distribute-malware/article/130330/

And remember, you don't need no steenkin security, all you need is love. ;->
.. along with the other required protections. If someone is claiming that they don't need such things because they practice good computing habits, they obviously don't understand what they're talking about.
0 Votes
Excellent But....
dan@... 16th Mar 2010
I must agree a paradigm shift is required and this offers excellent fodder to consider, but it almost sounds like throwing in the towel on educating users. It's the same old problem: how do you quantify a negative or a non-event?

How many systems or users have been protected by employing situational awareness? I often relate net security practices to personal security.

In martial arts we teach female (and all) students to be aware of their situation or environment when walking to their car, approaching strangers, or if their instincts tell them something is wrong. Scanning in a preemptive fashion to minimize trouble. This has probably saved countless lives and prevented countless assaults, but we'll never know how many.

User education has to evolve into a better "What's in it for me" model, but if anything we need more of it ASAP. Educating users to move away from the, "Implied Trust" model to "Healthy Skepticism" could be a macro start.
0 Votes
One of the best training grounds going in both personal and internet security is posting and responding on TR. Survive this and the bad guys are a bad joke.
0 Votes
Moderator
why did you single out female, then parenthetically add 'all'?
0 Votes
I have taught and studied martial arts for over 22 years and we teach special self defense classes for wives and girlfriends. I am not an advocate of teaching females to confront attackers, other than eye gouges when timing is right, as I have found that with adrenalin they are usually not strong enough to defeat an attacker. Our focus is to teach them situational awareness and avoiding situations that are potentially dangerous more so than the men. Not a slight in any way. Besides the women usually learn this quicker than the boys.
0 Votes
yes
dan@... 16th Mar 2010
It was an excellent, thought provoking article, too bad semantics distract from the important issues. I hope no one is offended.
0 Votes
Moderator
Not offended...
boxfiddler Updated - 16th Mar 2010
Curious.
(Great save, btw) wink

etu
0 Votes
Contributr
Education is key. I did not get that from the paper or try to sound like that was the case.

Education needs to be changed to where it makes sense to the user not the security pundit. That's right in the report.
0 Votes
Roger -Michael
dan@... 16th Mar 2010
I'm a fan of your work and I know you advocate education. I guess the article shook my compass at bit and left me wondering which direction is correct. A sign of provocative thinking. Keep it up.
0 Votes
Contributr
It took me a long time to get my arms around this one. Steve Gibson's podcast helped.

I really need to remember that somewhat tired but true cliche of walking a mile in their shoes. I thought I was, but not so sure now.

Also, I'm definitely going to spend more time at the NSPW Web site. The envelope is getting pushed there.

http://www.nspw.org/
In the interest of full disclosure, I'm a CISSP and an auditor of Information Technology Systems for Casinos, Governments and Health Care Systems, so those of you that have already decided I have a vested interest and whatever I say will be tainted may as well stop reading now.

The truth is I see a LOT of stuff that would make most people shake their heads. I believe most people want to implement basic protections so their systems won't be simple to breach. Individual users make a decent attempt at this for the most part. You probably are not going to be hacked for your financial information unless you actively go to a website and offer the information to someone, probably from an email campaign (phishing). The predatory people are going to go after the big guys (such as Heartland Payment Systems). Have a look at datalossdb.org to take a look at what can happen.

The thieves are going to go where the money is, different from a few years back when the term 'Hacker' was subverted from a guy cobbling together cool computer stuff to an underground individual breaking into systems for fun (or relatively minor profit, with a few exceptions). Today, the thieves are after bigger bucks...keep in mind that big bucks in West Africa are different than in the US.

I see all kinds of things, from rogue Wireless Access Points put in an environment by the user so they could move their laptop around within the office to the sysadmin using default passwords for administration tasks. I see servers sitting in public areas with no one bothering to monitor them, I also see physical security issues such as doors left open to server rooms right next to an outside exit, firewalls and security appliances that have cables run by them by IT folks so they can 'test' things. I still see passwords written on yellow sticky notes on the bottom of keyboards, behind monitors, in drawers or under mousepads. In these cases and hundreds more I see there is real potential for hacking and fraud. I get the drift of your article, but believe me, the things I've mentioned (and others) have had real security repercussions for the company involved costing them hard cash and lost reputations.

I've seen individuals hacked (the gaming world seems to be under the gun by hackers right now). People have lost their online personas by resellers who subsequently sold parts of the account off. Most users got back most of what was hacked, but it was a difficult process to do so.

The upshot of it is we can't let our guard down, so you need to do basic security, back up your data, harden your systems and be somewhat savvy. There are a lot of people and companies out there that are not doing enough and have either lost information or will likely be on the receiving end of some kind of attack. Some may be lucky and never get hit, but I would much rather be the one that took precautions and avoided it.

On passwords, you mention the only reason you see for changing them is so a hacker can't use them for a long period. Some other very important reasons are lazy users who end up using the same password for multiple systems (both personal and business) and the fact that they will eventually share it with someone else. That means the person who has their overarching password can use it on several systems....not a good situation. Forcing changes on business systems means that users can leave their home password to be hacked, but their business password will be different after the first two or three forced changes.

You can go overboard and implement too much security, making it hard to get your job done. It's the job of the IT and Security people involved to decide what they feel the right amount of security for their situation is, then help management understand their reasoning. Management then needs to decide what kind of money they want to spend to protect their information. The article made light of risk/reward, but the truth is that it works if done properly with synergy between IT and Management.

This is already overlong, and yet is too short to deal with a complex problem especially from a business perspective. I'm sure I'll get a lot of dissent, especially from the 'Information wants to be free!' crowd.
0 Votes
Don't forget..
JCitizen 16th Mar 2010
merchants that email customer financial data and/or "forget" to use VPN in between servers with the same information.

I think that is how I was cracked, as I'm sure it wasn't me (barring a brain fart I forgot about).

Mercantile businesses are getting cracked for data that is only worth $20 to the cracker.

It's called automation - they make billions one dollar at a time in vast volume. I'm not a 'rich big-timer' and even I was compromised last week. What makes me angry is that the cracker web-site that ripped me off is still sitting there on the web. Probably servicing bot-herders, with my money!!! angry

I've alerted all authorities, but by the time they do something, they will have moved, of course!
0 Votes
Contributr
Thanks, Tracy
Michael Kassner Updated - 16th Mar 2010
I certainly appreciate your post and insight. I am sure you have seen more than most. Your sharing it means a lot.

I have a question though. Could you explain what you meant by this:

"The article made light of risk/reward, but the truth is that it works if done properly with synergy between IT and Management."

I am not following what you mean. Thanks.
0 Votes
Michael...sure will. In the article you stated 'All the advice, policies, directives, and what not offered in the name of IT security only promotes reduced risk. Could changing that be the paradigm shift needed to get information security on track?'

I interpreted that to mean the Risk/Reward model used by most Security implementers should be traded for the paradigm shift discussed in the article. While I am definitely all for a holistic approach to security (lots of silos exist in most organizations which leave gaps in some areas), basic security, advanced applications, security and operating system software, street smarts and periodic checks of security practices and perimeters will go a long way to make most organizations fairly safe.

Will it be perfect? No.
Can better software, systems and practices ever make it perfect? Not in my opinion.

As long as there are people who leave papers on desks, share passwords, take work home they shouldn't, leave doors unlocked that should not be, and are generally careless or doing what is expedient to get their job done, regardless of the consequences, and finally, the really bad guy, the insider who sells/trades/uses info for personal profit, we will not be able to protect everything. We can and do try to make it better, but it all takes time and treasure.

It comes down to an analysis of the business case for most organizations...do we spend $10,000 to protect information that cost us $5000 to create? What about damage to reputation, cost to recreate, lost sales, competitive edge, etc.... For some organizations, those are real costs. Innovative ideas are worth a lot, names and addresses of a client base not so much, unless there is a risk of personal information being released.

The Casinos would probably not want info to get out about which machines are hitting the best or worst, most organizations wouldn't want salary info to get distributed to the public, health care organizations don't want patient info released, nor do the patients, etc...

When the risk is measured, how much will you spend to protect data from hackers, and how much time and trouble will they spend to get your info? You'd be amazed to hear how many organizations are reluctant to implement firewalls or anti-virus software. Can an IT guy live on the Internet without it? Probably. Can your average user? No way.
0 Votes
is right on the mark. Steve Gibson, the "security guru" of the Security Now! podcast, is a veteran "IT guy" who has publicly admitted that he does not use any anti-malware software on any computer system that he owns, including those of his firm, Gibson Research Corporation.

However, he does use firewalls and "other defenses" which he does not disclose. He obviously knows Internet protocols and practices in intricate detail, and is quite expert on how all components of the Internet work.

His mother, though, as he depicts her, is certainly an "average user", or maybe even less experienced and certainly less knowledgeable about computers and the Internet than most adults who use it regularly. Basically, she has learned how to use it to get the goods and services that she wants to obtain from using it, and has no interest in how the Internet operates.

My conclusion is that you don't have to be an auto mechanic to drive a car, but you also don't have to be an auto mechanic to learn how to drive one safely. So, people should not be expected to know how the Internet works, but they should learn how to use the Internet safely to protect themselves from financial loss, if for no other reason.

I have enjoyed reading your remarks, by the way. It is a bit surprising, though, to find out that people have not learned much about information systems security since computers began to be introduced into businesses and other organizations beginning around 1960.

It seems to me that the basic way to educate users is not to give them a list of instructions to follow. You have to give them concrete motivations to adopt the practices that you want them to use. If their company loses $1,500,000 because they have been careless with passwords that secure access to information, for example, then that could threaten the continued existence of their company, and everyone would be forced to find another job.

As I once concluded in a presentation about insider risk to my classmates, the best security that a company can have is employees who enjoy the work that they do, and who enjoy working for their employer. The second does not necessarily follow from the first, but it is the responsibility of management to make it so.
0 Votes
Definitely true!...
JCitizen Updated - 16th Mar 2010
Once I give my new clients the run down on security online, about one third of them give up on the online banking and shopping idea.

The only problem is, you still aren't safe, even if you call and order it. Too many vendors and stores are being compromised; even the brick and mortar stores are being compromised by insiders, or criminal crackers!

I hate credit cards, but I have to admit, they are the only option for the hope of getting your money back as a consumer. Hopefully better cooperation between banks and customers, and new 2 factor authentication will improve this.

For SMBs, especially, I got to feel sorry for them, really - it is a dog eat dog world out there!
I was given a laptop bag today which belonged to a salesperson who had just left. Contained within was a laptop and 3G broadband modem which had access to our domain, shared drives and Exchange.
I also found in the bag a printed email which had no less than 10 of the person's usernames and passwords, including the AD account, all of our main systems and the PIN code to the VPN. It's crazy how much damage could have been done if this fell into the wrong hands.
Although this was incredibly stupid of him/her, it was the IT dept who had emailed this "key to the city" made into a nice little list to be conveniently printed out and kept handy just in case.
0 Votes
Contributr
That was a good example of why we have to rethink IT security.
I can definitely see how news reports have just become background noise. There was a problem with "Microsoft's Browser" last week, there's a new one this week.. woopti.. just normal infotainment out of the media talking heads again.

It's also not news when a thousand people lose $20 each out of their bank account or Visa limits, even though that's $20,000 in some criminal's pocket. A brand name gets broken into and it's suddenly important to news outlets - especially if it can be linked to the latest great political threat.

I'd also add that the constant misuse of "hacker" in the media compounds the problem. Your very example even says "hackers and criminals".. why not simply "criminals".. why include both titles as if "malicious hacker" is somehow special compared to a criminal? Actually, it would be more accurate if the media at least specified "malicious hacker", as "ethical hacker" is the majority of the subculture and a redundant term at best.

This isn't just a rant about misused words; it romanticizes criminal intent. If anyone broke into your home and stole your TV they'd be a criminal. Nothing new, just another break-in. Include any type of networking device and suddenly it's magical, like there was a freaking unicorn involved or something. Why do we need to romanticize the act and make it special simply because the criminal used a keyboard instead of a crowbar?

The result of this marketing spin is an irrational fear of any ethical person who demonstrates the hacker mental approach to learning (the majority), while making those with criminal intent (the minority) some kind of nebulous concept that only ever affects big businesses rather than individuals.

Even with the news about botnets becoming more popular, it's never "my computer" that could be a part of a botnet; it's always someone else's problem because the nebulous eveeil hackers only ever attack other people.

I think educating the public would go much further if we simply used the correct term "criminal" along with existing laws that already address the criminal acts. As you say, focus on news reports that affect the individual viewers rather than some big business they have no attachment to. I'd also add that if security product vendors really wanted to help the public, they'd work towards things like a unified malware naming scheme and databases rather than making the malware names and signatures a "competitive advantage" for their single crappy product. They'd stop making it a fear-sell to push a gimmick product and focus on making it a greed-sell.

(for fear and greed sells, see Mr Schneier's OWASP presentation)
0 Votes
I try to use this term...
JCitizen Updated - 16th Mar 2010
when I can think of it. Cracker - of course I may get accused of racism some day, especially if used with OWASP! HA! laugh
Actually my understanding is that cracker is derived from "safe cracker" but also chosen because it does hold negative connotations in the US.

Now, I wouldn't recommend going around saying "wassup cracka".. your meaning may be taken differently.
0 Votes
Ha! For sure!...
JCitizen 17th Mar 2010
but as a joke between friends we do exactly that. Just like the brothers that use the dreaded "N" word.

It is all in good fun between me and my friends! happy

Some of my African American friends would look at me quizzically I'm sure if they heard our greetings! It is my way of thumbing my nose at the hate; I don't tolerate racism if I can help it.
1 Vote
well done
Neon Samurai 18th Mar 2010
As it should be. Maybe one day physical differences in people will simply be interesting if noticed at all.
1 Vote
but is the "average user" the right person to be having the discussion with?

How can you have a meaningful discussion with someone who doesn't understand all of the issues?

Sure costs/benefits analysis is necessary, but for it to be valid you have to take into account all of the relevant costs and benefits. What is the value of a successfully blocked malware attack that you are not even aware was blocked because the anti-malware software worked? Most people value it at zero. If you have a password locked PC, again, what is the value to you if a stranger tries to get in and can't. Again you don't know that it worked, so assigned value is zero, again.

Yes, businesses have to do risk assessments and cost/benefit analysis. But the analysis still has to be left to the experts and the final decision about the cost/benefit left to business based on the risk analysis made by their experts.

Spending money on "Security" is very much like spending money on insurance. How often do you make claims on your home or auto insurance? Once in a lifetime? But you still pay the premiums every year. Sometimes you don't have an option. You can't get a mortgage without home insurance. You can't drive a car without insurance (in some places).

When we have this discussion I think it is very important to separate home and business users. There are very different frames of reference. Businesses have legal responsibility to their customers and owners/shareholders. Personal users are responsible to themselves.

Side note: how long before the credit card companies come up with a "PCI-DSS" for home computer users?

"...Gee sorry, you are stuck for the whole fraudulent credit card charge since your computer was hacked and you didn't have 'compliant' home computer security in place..."
The world wide public network is like gambling. There are risks.

0 Votes
Contributr
You are right on
Michael Kassner Updated - 16th Mar 2010
I see you are in Canada and you are going through that whole blame game with credit cards. I did a post on Pin and Chip and many of your fellow country men/ladies were talking about it:

http://blogs.techrepublic.com.com/security/?p=3153

As for not placing a value on the positive events, there is no data available. Dr. Herley talks about that and you are correct, some measurement technique needs to be developed to include that aspect.
0 Votes
Thoughts
NexS 16th Mar 2010
To be sharp and plain, in an organization, if IT has policies that say "You must have at least 8 characters and one of each character type" then they should darn right do it and not complain.
Prevention of possibility is far greater than possibility of loss and yes, they are preventative measures. If a user gives someone a username and password and miraculously some data gets stolen then no preventative measures that IT can put in place will stop that.
This is why I also believe that social engineering is one of the most effective hacking methods.

But to restate what I said earlier and to reply directly to CG's comment, you're right and users should do all they can to prevent security risks for themselves as private users and on behalf of their organizations.
The more relevant and typical education, the better.
1. MOST users should convert all their password schemes to http://www.keepassx.org/ . They then have to maintain the database on a USB or CD or some backup. This is a process that can take a month to get rolling correctly. (I had to transcribe a black book and tons of notes from YEARS of saving) but at the end, you no longer have passwords stored in browsers or text files, or scribbles; you can also generate strong passwords, so changing things isn't a problem. Such a scheme can be rolled out to routers, unmanaged servers, blogs, patient hospital logins, telephone numbers, telnet BBSs, FTP, forums, CMSs, etc. and do it all cross platform. Yes, there are others besides KeePassX. That's fine. Pick one.

The only KEY here is the backup plan. The user can NO longer fail to back up the database. Everything else doesn't matter, but that one little file and its password. A backup plan is going to be limited by financial ability. For example, I clone my drive with the OS and programs, and if I get hit with something which destroys everything, I simply roll back, patch any exploits from getting in the same way, re-copy and change my passwords ASAP. If hardware is ruined (I dunno how that's gonna happen) you could also use another workstation to deal with those primary important passwords. In a distributed attack, I have a good chance of getting my eBay, PayPal, banking and server passwords updated within minutes, well before such vast attacks actually get to exploit my stolen data. Secondary passwords can then be changed, e.g. the blogs, CMSs, /. etc. next.


The second thing is a crash course in TCP/IP. Maybe EtherApe could help here with some visualization. It helped me. Raw dumps can be impressive, but if people never look at binary files it all looks like garbage to them.

Therefore, a little basic DOS batch file and Linux bash programming is in order. They should also be familiar with process viewers and the processes they SHOULD have running. The ability to use the task manager, kill the shell, fire up mc and ZTree to track down malware by hand should be a skill set!!! Startup GUI shells like startup.cpl can save time. Furthermore, anyone using Windows ought to TRY to learn the registry, and read the event logs.

Monetary choices are going to limit what can be done; a user might not be able to have a whole self-standing hardware firewall between their workstation and the wild web, in which case they should at least become familiar with a software firewall. Some of these bundled deals where you get firewall, file monitoring, anti-virus, etc. are not bad, but they can cost money. Same thing with doing hardware cloning--it costs money.

While such a system is not perfect, it does put the user in a position of recovering quickly from the worst case, so at least their bank isn't emptied by the attack.

As if we didn't have enough problems with banks already.

I almost forgot, liberal use of VM's also should be rolled out. Perhaps this should be step two after you have converted all your passwords to a database.

While personally I have quite a few different VM client OSes, I use three specifically for banking. There was a killer article on Slashdot which suggested it. Basically what you have is a VM for reading TechRepublic, a VM for shopping, and a VM for banking. Obviously this can be expanded. And again, your KeePassX simply can run in your HOST OS so not even the database is on the VM; in fact you should have it so the VM resets.

Oh yes, one last thing. Secunia PSI. Get patchin!

Part of this type of training has to start in the schools also. We all need to wake up.

I just thought of one more way to make it happen, a spy agency in conjunction with a dictatorship could crack down on everything, I hope this isn't the future strategy e.g. remove more liberty. There's a need to be anonymous just the same as to be recognized.

The anonymous person can whistle-blow, the ID man can't. In this current unconstitutional environment it would be wise not to give up such liberty without a fight, because as we have seen once it's gone you don't get it back.

Whatever solutions we move forward with are going to have to not be the corporate-media-hyped, snap-judgment, half-measured litigation they always seem to push. I'd also insist any remedy respect my nation's constitution and sovereignty. However, it seems you must be careful when you say this now, as the media is labeling and attacking such talk as potential homegrown terrorism. It's not fun to have to bite your tongue. The leg crossers and smiling faces on tout TV don't even maintain their own networks, so they don't even know what they're talking about when it comes to this stuff.

(Last edit 4:45AM) Have a nice night everyone!
in the cloud, my passwords don't even enter the keyboard, except to logon to the console, and repeat depending on importance of the site.

Of course I couldn't recommend that for companies, who must manage their own. But I really like the freedom. I can take any PC with the plug-in installed and go anywhere in relative safety; nothing is stored on the machine.

Of course I'd feel better if Prevx was installed on the local machine also.
0 Votes
well put
pgit 17th Mar 2010
Interesting perspective... rings true on the face of it. Like I mentioned below it's those who have been stung that think straight about all this. Until then it is like watching television to them; it's some unknown 'somebody else' that gets hit, and it may well all be overly-hype fiction anyway...
0 Votes
Now, who gets to pick up these apples all over the ground, you having upended the cart?
0 Votes
Moderator
I'll do it.
boxfiddler 15th Mar 2010
I'm partial to applesauce. And apple pie.
0 Votes
Contributr
I bet you are messing around in the backyard.
1 Vote
Moderator
I'm at work.
boxfiddler 15th Mar 2010
Waiting out the traffic before I leave. But I do have a yard video I'm trying to cut to size. I haven't messed at all with video editing and it shows. laugh
0 Votes
I rue the day I get to edit my first HD video!!
0 Votes
Fried apples?
LocoLobo 16th Mar 2010
My grandmother used to fry apples in sugar. Hmmmmmm happy
0 Votes
Moderator
Just might have to. [ drools ]
0 Votes
Contributr
Well,
Michael Kassner 15th Mar 2010
At least you can reach them now.
0 Votes
Moderator
Oh, my.
boxfiddler 15th Mar 2010
Well done. grin
0 Votes
If you don't need a password
Ocie3 Updated - 15th Mar 2010
so that only you (and a sysadmin) can use your computer workstation, then you also do not need a lock on the front door to your domicile, or locks on the door(s) and on the "trunk" ("boot") of your automobile. Do you?

After all, a determined thief probably can either find a way to defeat a lock, or find another avenue of intrusion. The same can be said for information system passwords.

Neither locks nor passwords are convenient and all of them require some time and effort to use and to maintain. The only time that we appreciate the need for any security measure(s) is after someone has gained access without our authorization -- in the absence of anything to deter them effectively -- and has taken something which is of value to us, whether it is jewelry, a leather jacket, a computer, our data and/or our privacy.

When someone tells me (as they have) that we don't need an anti-virus program and/or a firewall, let alone a router, between our computer and the Internet, I tell them to just go ahead and use their computer without them. Plug it directly into the broadband "modem". Just don't ask me for free assistance after their computer has been enlisted into a 'botnet or taken over by fake anti-malware (AKA rogue anti-malware). There's nothing like experience to make someone realize the value of security.

In Security Now! Episode 229 Steve Gibson relates an occasion on which an employee of a business describes to his co-workers how he has learned to "work around" the security rule of his employer that requires every worker to change his or her password each month. Since he discovered that the system remembers only the previous four passwords that he has used, he only has to remember the current password and each of the other four. I doubt that his discovery was by accident, and probably required at least a year or more of observation and experiment. That is, he deliberately decided to determine whether he could "beat the system".

There is one in every bunch. For a few years, I was the resident manager of a 24-unit apartment house (three floors, no elevator). In addition to the key to the lock on the front door of the building, each tenant also had, of course, a key for the deadbolt locks on the front and rear doors of their apartment. The lock on the front door of the building was also electromagnetic, and it could be opened either (1) by entering a unique 4-digit number via the keypad on the "security panel" near the front door, or (2) by a tenant dialing their unique 4-digit number on the keypad of their own telephone, after talking to a visitor who used the telephone handset on the "security panel" to contact them by entering their apartment number.

There was always someone, not necessarily a tenant, who actively endeavored to disable or "work around" the security system if only "just because". One day I heard the buzzing (signal) of the front door lock opening, and saw a young man hang-up the telephone on the security panel, then open the door, remove a large wad of chewing gum from his mouth, and use it to jam the bolt of the lock, thus preventing it from locking the door. I asked him politely as to whom he was visiting and he told me, apparently unaware that I had seen him jam the lock. When I told her about it later, she said that she had been having some doubts about his character, and would not be seeing him any more.

Which is to say that, in my experience, about 90% of the tenants had no particular objections to the security measures, and felt that they increased the safety of their person and possessions. About 5% of the tenants did not like the inconvenience of the system but tolerated it, while about 3% declined to offer an opinion. About 2% of the tenants did not like the system and some of them did things to compromise it, such as by having copies of the front door key made that they could give to their girlfriends, relatives, etc. Then I pointed out to one of them that it was a lot cheaper to just give their 4-digit code, which would unlock the door, to everyone they knew. It would also be a lot less expensive for me to rectify after they found another place to live, and I recommended that they not rent a unit in an apartment house that had a front door. There are plenty of "garden apartments" (for which the door(s) open directly outside of the building).

No problem. wink

By the way, I've had one car stolen from me despite the locks, so what was the point? And I've had an "undetectable" rootkit installed on my computer despite various and sundry precautions, too!
0 Votes
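NexS's "8 characters and one of each character type" rule above, and Ocie3's Security Now! anecdote about the employee who rotated through five passwords because the system only remembered four, both describe the same mechanism from different sides. The following is an added example, not code from the article or from anyone in this thread: a small model of a password-change policy with complexity, history and minimum-age checks. It shows why a history check on its own is defeated by cycling in a single sitting, and why a minimum password age (one day here, an assumed value) is the control that actually stops the trick. The hashing parameters (PBKDF2-SHA256, 1000 iterations) and the sample passwords are assumptions constructed for the example.

```python
"""Model of a password-change policy: complexity, history and minimum age.

Added example, not code from the article or from anyone in this thread.
PBKDF2-SHA256 at 1000 iterations is an assumption chosen to keep the
example fast; it is not a recommended production work factor.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field


@dataclass
class Policy:
    min_length: int = 8     # "at least 8 characters and one of each type"
    history_depth: int = 4  # passwords the system refuses to reuse, current included
    min_age_days: int = 0   # 0: the user may change again immediately


@dataclass
class Account:
    # Most recent first; entry 0 is the current password. Each entry is (salt, digest).
    history: list = field(default_factory=list)
    last_change_day: int = 0


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def complexity_ok(password: str, policy: Policy) -> bool:
    """Length plus one each of lower, upper, digit and symbol."""
    has = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= policy.min_length and all(has)


def _in_history(account: Account, password: str, depth: int) -> bool:
    # Constant-time comparison against each remembered digest.
    return any(
        hmac.compare_digest(_digest(password, salt), digest)
        for salt, digest in account.history[:depth]
    )


def is_current(account: Account, password: str) -> bool:
    return _in_history(account, password, 1)


def change_password(account: Account, new_password: str, policy: Policy, today: int):
    """Apply the policy to a change request; returns (accepted, reason)."""
    if account.history and today - account.last_change_day < policy.min_age_days:
        return False, "minimum password age not reached"
    if not complexity_ok(new_password, policy):
        return False, "does not meet complexity"
    if _in_history(account, new_password, policy.history_depth):
        return False, "found in password history"
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    account.last_change_day = today
    return True, "ok"


def cycle_back(account: Account, policy: Policy, today: int,
               favourite: str, throwaways: list) -> int:
    """The trick from the anecdote: burn through enough throwaway passwords
    in one sitting that the favourite drops out of history, then set the
    favourite again. Returns how many changes the system accepted."""
    accepted = 0
    for pw in throwaways + [favourite]:
        ok, _ = change_password(account, pw, policy, today)
        if not ok:
            break
        accepted += 1
    return accepted


def demo(min_age_days: int) -> dict:
    """A user sets a favourite password on day 0 and, on day 30, tries to
    get back to it under a four-deep history with the given minimum age."""
    policy = Policy(min_age_days=min_age_days)
    acct = Account()
    favourite = "Winter2010!"  # constructed sample; deliberately the kind people cling to
    change_password(acct, favourite, policy, today=0)
    throwaways = [f"Throwaway{i}!" for i in range(policy.history_depth)]
    accepted = cycle_back(acct, policy, 30, favourite, throwaways)
    return {"accepted": accepted, "back_on_favourite": is_current(acct, favourite)}


if __name__ == "__main__":
    print("no minimum age:", demo(0))  # {'accepted': 5, 'back_on_favourite': True}
    print("1-day minimum :", demo(1))  # {'accepted': 1, 'back_on_favourite': False}
```

With no minimum age the history check is only a speed bump: five changes in a row and the favourite is back, exactly as the employee in the anecdote worked out. With a one-day minimum age the second change of the day is refused, so the rotation would take five separate days and a 30-day expiry no longer has a trivial workaround. The complexity rule is orthogonal to both; it stops "password" but does nothing against reuse.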
Funny how
santeewelding 15th Mar 2010
All the tech talk falls apart when we burrow down into how we are.
0 Votes
Contributr
I think
Michael Kassner Updated - 16th Mar 2010
You missed the point of the article. Your experiences are similar to what Dr. Herley expresses. He offers up a few thoughts as to how to fix it as well. Which I mentioned at the end.

I don't believe I said that passwords weren't needed. As for determining how many password changes are required to get back to the one you want, that takes one question to a system admin. The information is offered freely.

Edit: Spelling