Showing posts with label awareness.

Tuesday, September 18, 2007

A Few Notes on the MediaDefender Job

Run for the hills, run for the hills! :-) A blogging frenzy commences...

First, as everybody rejoices about the fate of MediaDefender, "the new SCO of hatred," one needs to compare and contrast this story with the "old" WSJ saga (e.g. see it all here).

Specifically, see this bit from WSJ-gate: "The Trick: You, too, can stay up to date on work email, using any number of consumer-oriented hand-held devices. Just set up your work email so that all your emails get forwarded to your personal email account."

and this MediaDefender-gate bit: "The emails contains information about the various tactics and technical solutions for tracking p2p users, and disrupt p2p services," and "A special thanks to Jay Maris, for circumventing there entire email-security by forwarding all your emails to your gmail account"

So, can the douchebags sue the WSJ and increase the level of hilarity for everyone?

Thursday, August 30, 2007

Where DO You Draw The Line: Security Responsibility

Warning! Warning! Blogging frenzy ALERT :-)

So, this piece from AndyIT blog and his quote of SANS's Dr Ullrich touch upon something deceptively obvious: just WHERE do we draw the lines between user vs IT/IS responsibility for security? In fact, the situation is even more complex: it is user vs IT vs infosec team! (and there is also a software vendor responsibility somewhere here....)

Let's go thru some scenarios:
  1. User and IT=0%, infosec=100%. Result: failure of security due to technology limitations, lack of control over the environment as well as social engineering
  2. User=100%, IT and infosec=0%. Result: trivial case, obvious failure
  3. Then it gets real complex real fast for the cases of shared responsibility ...
Thoughts? Analogies from adjacent fields? Metaphors even? I think this will not be resolved in our lifetime....

UPDATE: AndyIT answers it - "Probably something like Security=85%, IT=10% and Users=5%." See more of his follow-up post here.

Tuesday, August 21, 2007

Fun "Most ..." List from A "Secret" Gartner Blog

"12 Security Features and Rules Most Likely to Mess Up" from a "secret" Gartner blog. Examples:

"1. Most likely to be written down
2. Most likely to be left active
3. Most likely to be ignored
4. Most likely to already be in use, without most users' knowledge"

Wednesday, August 08, 2007

WSJ-inspired Poll Results In

Poll results are in - no surprises for me here (you can still take the poll here).

Will you break a security policy if you know it is neither enforced nor monitored AND that there can be no repercussions whatsoever (and YOU personally don't think it is sensible)?

Yes, if I REALLY need to do something (53%)

Yes, sure! No enforcement - no compliance. (17%)

No (17%)

No, not if I created the policy (7%)

Other - leave comments (3%)
28 total votes

What it means - to me - is that security people are people too :-) This pretty much rhymes with what I said in my first WSJ post here: if users feel that they need (and CAN!) bypass security to do their work, they will ...

UPDATE: the entire WSJ "blood trail" is tagged here. Especially fun bits are here, here and here.

Friday, August 03, 2007

A "Deep" Thought on WSJ Debacle

Remember this poll I did a while ago? I asked about the willingness to break various security policies. And the results were indeed fun! So, this WSJ debacle made me think about policies and enforcement; thus a new poll:

Will you break a security policy if you know it is neither enforced nor monitored AND that there can be no repercussions whatsoever (and YOU personally don't think it is sensible - EVEN THOUGH you might not be an authority on all risks ...)?

Here is the poll on that! Vote away!!!

Wednesday, August 01, 2007

Hello, Mr Darwin!

"Hello, Mr Darwin!" - "Hi there."

IT user "gene pool" will probably lose some of its stupidest critters as a result of reading this WSJ article, which is making the rounds in the security community: "Ten Things Your IT Department Won't Tell You."

It starts as fun for some and as an utter nightmare for others: "we use our office PCs to keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by email or instant message."

Niiiice. It gets better:

"There's only one problem with what we're doing: Our employers sometimes don't like it." :-) Geee, I guess "some-other-times" they do :-)

OK, great, now what? This:

"To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. [...] How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software."

And then it all rolls neatly downhill from there; check out such fun items as "6. HOW TO STORE WORK FILES ONLINE" (A "no-brainer" (indeed you are...): "Use an online-storage service") and "8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY" (Wonder how? Eeeeeasy: "Just set up your work email so that all your emails get forwarded to your personal email account." :-)). Even such gems as "7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL" (answer: encrypt it!) are there.

But you know what? There is nothing wrong with publishing this; such violations are clearly not rocket science. In fact, there are three possible outcomes:
  1. Users do this and are caught, then fined, fired, tortured, shot and otherwise abused. Awesome! :-)
  2. Users do this and are NOT caught since you don't really enforce your policy banning such activities. In fact, you - the security pro - don't even know that they are breaking the rules. Sorry, you suck! You need to get another job before your company is sued ...
  3. Users do this and are NOT caught since they manage to bypass the deployed security controls. Ah, this is a fun one; that is what makes security a "calling, not just a job" for so many. Go back and deploy, tune, log (yes, logging all such activities is important, especially when HR wakes up and swings the ax...) and have fun. 0days and mafia hackers might be more challenging to fight, but users are surely more numerous :-)
Overall, I expect more security bloggers to jump and dropkick this paper. Let the fun begin!
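Outcome 2 above is the one that stings: the violation is happening and nobody on the security side knows. The single trick that ties the WSJ piece (item 8, "forward all your emails to your personal email account") to the MediaDefender leak is exactly the kind of thing a mail-relay log can show you, if anyone looks. The script below is an added example, not the blog's code or any vendor's product: it scans a constructed, simplified relay log and reports work mailboxes whose mail is being auto-forwarded to consumer webmail domains. The log line format, the `example.com` company domain, the webmail domain list and the `min_messages` threshold are all assumptions for illustration; in practice you would map these onto whatever your MTA actually writes.

```python
"""Detect auto-forwarding of work mail to personal webmail accounts.

Added example (not from the blog post). Parses a constructed, simplified
mail-relay log and reports internal mailboxes whose inbound mail is being
automatically redirected to consumer webmail providers. Log format, domains
and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log in an assumed format:
# <timestamp> relay: from=<sender> to=<final recipient> orig_to=<original recipient> auto=<yes|no>
# "auto=yes" marks mail redirected by a mailbox forwarding rule rather than sent by hand.
SAMPLE_LOG = """\
2007-08-01T09:00:01 relay: from=<boss@example.com> to=<jay@example.com> orig_to=<jay@example.com> auto=no
2007-08-01T09:00:02 relay: from=<boss@example.com> to=<jay.personal@gmail.com> orig_to=<jay@example.com> auto=yes
2007-08-01T09:05:10 relay: from=<hr@example.com> to=<jay.personal@gmail.com> orig_to=<jay@example.com> auto=yes
2007-08-01T09:07:44 relay: from=<alice@example.com> to=<partner@supplier.example.net> orig_to=<partner@supplier.example.net> auto=no
2007-08-01T09:09:00 relay: from=<alice@example.com> to=<bob.home@yahoo.com> orig_to=<bob@example.com> auto=yes
2007-08-01T09:12:31 relay: from=<it@example.com> to=<jay.personal@gmail.com> orig_to=<jay@example.com> auto=yes
"""

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Assumption: consumer webmail providers that policy does not allow as forwarding targets
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay: from=<(?P<frm>[^>]+)> to=<(?P<to>[^>]+)> "
    r"orig_to=<(?P<orig>[^>]+)> auto=(?P<auto>yes|no)$"
)


def parse_line(line):
    """Return the fields of one relay log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_external_forwards(log_text):
    """Map each internal mailbox to the personal webmail addresses its mail
    was auto-forwarded to, with a per-destination message count."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["auto"] != "yes":
            continue  # a one-off manual forward is a different, smaller problem
        if domain_of(rec["orig"]) != INTERNAL_DOMAIN:
            continue  # not a work mailbox being redirected
        if domain_of(rec["to"]) not in PERSONAL_WEBMAIL:
            continue  # forwarding to a partner or subsidiary is out of scope here
        hits[rec["orig"]][rec["to"]] += 1
    return {user: dict(dests) for user, dests in hits.items()}


def users_to_review(log_text, min_messages=2):
    """The 'tune' step: only report mailboxes with at least `min_messages`
    auto-forwarded messages, so a single stray message does not wake anyone."""
    findings = find_external_forwards(log_text)
    return sorted(u for u, dests in findings.items()
                  if sum(dests.values()) >= min_messages)


if __name__ == "__main__":
    for user, dests in sorted(find_external_forwards(SAMPLE_LOG).items()):
        print(f"{user} -> {dests}")
    print("mailboxes to review:", users_to_review(SAMPLE_LOG))
```

On the constructed sample this reports `jay@example.com` (three messages redirected to a gmail.com address) and, at the default threshold, leaves `bob@example.com` (one message) below the line. The point of the threshold is the "tune" part of "deploy, tune, log": a detection that fires on every single message gets ignored as fast as the policy it enforces.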

Monday, February 19, 2007

A Good "Final" Word on Security Awareness

Good article on security awareness. One sentence summary: build your security awareness program, educate the users AND be prepared for the fact that it WILL fail miserably.

"Some end users may help, but you can't rely on all of your users to do anything. End users are hopeless. If you use that as your first premise, you've got a better chance of building a truly secure environment."

Dr Anton Chuvakin