I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)
- Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use, it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
- If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but speaking up, done appropriately, can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
- Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
- Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are; that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
- Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
- Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey; chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble; there are experts out there that specialize in dealing with problems.
- Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
- Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
- Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring doorbell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
- Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.
This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.
No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.
Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.
All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is forever.
So what does all of this have to do with information security?
Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.
The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization who has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure if the money-stealing malware has been eradicated.
Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents, and processes for forensic investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.
Hindsight, as they say, is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.
If you’re a business without an Incident Response plan, it may be a little more expensive.
There’s been a lot of chatter over the past week regarding the alleged breach of U.S. Military unmanned aerial vehicles, or at least the networks that they use to transport video streams back to Operation Command Centers in Nevada, or wherever their 19-year-old operators and joysticks are positioned.
The media have speculated that a virus, introduced from external media, penetrated critical networks and was doing bad things. The Government has done its best to misinform and parry, suggesting (and confirming in some way?) that whatever malware did make its way onto its networks is just a nuisance. It was even suggested that the malware was the military’s own, a weapon that somehow escaped the labs.
Of course, the Department of Defense doesn’t comment on classified networks, so there’s a good chance we’ll never know the real story.
The real question we should be asking is, who cares?
I don’t mean to sound glib, but if Uncle Sam says it’s not a problem, maybe it’s not? After all, even if video streams from Unmanned Aerial Vehicles (UAVs) were intercepted, intended targets likely wouldn’t have time to escape before they were made into Afghani pottery anyway, so what’s the big deal? Perhaps, you say, the enemy is collecting intelligence on UAV flight patterns, so that it can predetermine and thusly avoid detection. Perhaps.
Or perhaps this story is more important to the media than it is to the masses? Not unlike the incessant droning (sorry) on about malware being delivered to Android-based phones these days. It’s a [nearly] proven fact that over 10% of Android applications do things we don’t want them to do, whether they’re harmlessly hijacking GPS coordinates and personal information to push personalized ads to your browser or they’re outright malware stealing online banking credentials. Here’s the thing – people don’t care. Androids – and their applications, stuffed with privacy-violating “features” – are flying off the shelves.
And when will it be time to start vulnerability scanning our cars? We’ve already seen Subaru Outbacks compromised using integrated Wi-Fi, and many vehicles’ braking systems are vulnerable to attack. And let’s face it – OnStar is a mass botnet just waiting to happen. Don’t look for the “Hardened Security Vehicle” checkbox at your local auto dealer – they don’t care either.
Perhaps the Department of Defense is giving us the cold shoulder because they’re a little embarrassed. Perhaps they’ve declassified this information because it’s helpful for the information security community. Or perhaps it’s because redirection and confusion are all part of their Computer Incident Response Team (CIRT) procedure.
Or perhaps they’re just teaching us a lesson. If we can care so much about a remote control airplane flying over a desert 7,000 miles away that we’ve never seen and will never have any effect whatsoever on us, why can’t we care about the stuff we use every day?
I spent the majority of last week at the Rochester Security Summit. It was an interesting event and a great opportunity to catch up with clients, prospects and partners. GreyCastle Security presented a session called The Top 10 Things You’re Doing to Enable Hackers, which was intended to refocus security folks on fundamentals and risk. We had fun and learned a few things, too.
As I sat listening to the speaker presenting the session just before mine, something peculiar happened. An individual sitting directly in front of me pulled out his laptop, turned it on and hit up the free wireless. Allowing the world to shoulder-surf his password, he proceeded to fire up his e-mail and remote desktop into his corporate network. Then, without logging out or securing the laptop in any way, he put it down on the chair next to him and walked out of the room. He was gone for 10 minutes.
We work in a great industry. There are many great sources for learning new security techniques, reinforcing fundamentals or simply getting a fresh perspective on old challenges. Whether you spend time at a conference, read blogs like this, or subscribe to the countless newsletters and Twitter feeds, you can always find effective guidance, opinions and how-tos from experienced professionals who are willing to share their insight.
With these vast resources, there is help for anyone and everyone. Whether you’re sitting on your couch in your pajamas, or you’re sitting in a security conference surrounded by CISSPs, your security doesn’t have to suck.
I’ve always loved haunted hayrides.
I’m not talking about hayrides where you sit freezing your candy corn off listening to some retired third-grade teacher drone on about the history of the early settlers who first farmed that land. I’m talking about the wretched ones, where one moment it’s pitch black and silent, anxiously waiting for the inevitable horror beyond the next graveyard, and the next moment it’s deafening, you’re screaming and choking on chainsaw exhaust, the cold steel of the neutered blade brushing your leg, fake blood spattering hay-strewn victims, only to be whisked away to a heavenly reprieve of cider donuts and hot chocolate.
People love to be scared. Whether it’s witches or zombies, Jason or Michael Myers, everyone loves that super-heightened sense of awareness from feeling like anything could happen.
It’s time we figure out how to bring a little bit of that feeling to our professional and personal lives.
Welcome to October, National CyberSecurity Awareness Month!
For many years now, we’ve known that people have been a major weakness in the cybersecurity chain. Of the significant data breaches that occurred in 2011, over 80% of them started with or incorporated some type of social engineering attack. This means that at some point along the way, people failed.
Interestingly, very few of these cases were situations where people acted in a malicious manner. In fact, nearly all of these cases were situations where there were accidental violations of policy, or where people had good intentions but violated policy to get their jobs done or where people had no idea that they had done anything wrong.
In these cases, the business failed.
Like Michael Myers, Freddy Krueger and other famous movie killers, cybercriminals don’t play by any rule book. They can strike anywhere, at any time. This fluidity gives them a distinct advantage over the good guys – the bad guys only have to be right one time, the good guys have to be right every time. This imbalance means that a heightened sense of awareness is critical if Haddonfield is going to make it through another Halloween.
Luckily, there are a lot more good guys than bad guys; all we have to do is arm them.
Jamie Lee Curtis
The beauty of horror movies is, we can turn them off if we want to. Not so for cybercrime. If we’re going to make it through this epic series, we need more good guys armed with sewing needles. We need more good guys with determination.
This October, as you’re shopping for peanut butter cups and Halloween decorations, do your home, business and planet some good and think about the role you play in cybersecurity. This ain’t no movie. The Michael Myers we’re fighting is real. He’s out there and he wants your identity. He wants your bank account.
He’s probably already got your credit card and SSN.
Think about this as you’re shopping for a costume.
I recommend the Laurie Strode.