Archive | February 2013

You’re the Next President

Sounds awesome, doesn’t it?

Unfortunately, I’m not talking about getting you elected to the highest, most powerful office in the world.

No, sadly I’m talking about the likelihood that your e-mail will get hacked and pictures of you in the shower will show up on the Interwebz.

Ask yourself: when was the last time you sent an e-mail that you didn’t want anyone else to see? It may have been complaints about your boss, or sweet nothings to your girlfriend. It could have been tax or financial information, or perhaps something about a medical issue.

And you probably keep e-mail around forever, right?

I’ve seen people with thousands of e-mails still in their Inbox. They didn’t think to move them to another folder or delete them after they read them.

Receipts from online purchases. New account registrations and password changes. They just sit there like little gold nuggets, waiting for a miner.

The reality is, we all do it. Just like Ashton Kutcher, Sarah Palin and Lindsay Lohan, we normal people use e-mail for just about everything. And few truly think about or understand just how sensitive or critical e-mail has become.

Until their undergiblets show up in a Google images search.

So take a moment today to manage that risk down a little. If your e-mail is compromised it probably exposes a whole pile of other things.

Make sure you have a good password. If your e-mail service offers multi-factor authentication (SMS, token, etc.), consider it. Delete e-mail that you don’t need anymore. Think about the things that you send through e-mail before you send them – if they ended up in the wrong hands would you be OK with it?

Because it may sound awesome, but you don’t want to be the next President.


Rethinking Security – Part 1

Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.

The VIPR (Visible Intermodal Prevention and Response) team is not new; in fact, it was launched in 2005 after the train bombings in Madrid. Its tactics, however, have been changing over time. Random appearances are part of their “new strategy”.

Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.

Unfortunately, our enemies are smart enough to strike where our defenses are least fortified.

Enter the VIPR Team.

TSA VIPR Team Inspects Amtrak Station

The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.

During a half-day conference in Albany, NY recently, we had the opportunity to speak to over one hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.

Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today. Cornerstones like defense in depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.

Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.

Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.

If I were an Internet criminal operating out of an unnamed country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.

I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.

And this goes for any organization.

How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.

So here’s an idea: the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once, give them a kick and see where they land. If they could be effective there in a different way, consider making the change.

Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.
