The blog's name and location were just a little too close to an established publication, so it was best to change to something else.
The title is the punch line from a joke that I first heard years ago. The version I heard went something like this: there were two guys camping in the woods. Just after they had crawled into their sleeping bags and nodded off they were awakened by the sound of their campsite being torn apart, punctuated by the frightening roars of an irate and hungry wild animal. Through the tent they could see, cast by the light of the full moon, the shadow of a bear standing upright on its hind legs lumbering towards the tent.
As the bear's claws began ripping through the canvas the first guy throws off his sleeping bag and yells, "It's a bear, run for your life!" The second guy rolls out of his sleeping bag and calmly begins to put on his sneakers. The first guy says, "What are you doing? Are you crazy? Bears can run at 30 mph! Your sneakers won't help you run faster than the bear!" To which the second guy replies, "I don't have to run faster than the bear, I only have to run faster than you."
This is very much like the situation we have right now in the security realm. There are bears out there. Lots of bears. They run fast. They are hungry. And, very frankly, nothing you read here or anywhere will help you run faster than these bears. If they want to catch you, they eventually will.
It may sound heartless or defeatist or cynical, but the truth is we don't have to outrun these bears, either. We only have to outrun some of the other campers out here. We only have to make getting into our network or our applications or our website or our fileservers a little more difficult than the camper with the IP address adjacent to ours. We only have to make our authentication or our authorization or our access control just a little bit better than the guy who hasn't gotten out of his sleeping bag yet.
And, oh, yes... there is no shortage of campers who feel the same way about us.
Found this very sound advice in Consumer Reports about avoiding identity theft. The downloadable checklist is a nice touch, too.
http://www.consumerreports.org/cro/money/credit-loan/identity-theft/identity-theft-what-you-can-do-305/overview/index.htm
Wow. Talk about uncomfortable. German Chancellor Angela Merkel is visiting China. While there, word comes out that the Chinese have been hacking Deutschland's government computers. Chinese Premier Wen Jiabao said this was a grave concern, and that there was no connection between this incident and the new car from Chery QQ that looks remarkably like a BMW 745i.
From Spiegelonline:
http://www.spiegel.de/international/world/0,1518,502169,00.html
and Computerworld:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032898&source=rss_news6
Friday, August 31, 2007
Wednesday, August 29, 2007
a day of contrasts
OK... so according to Bloomberg, the top 20 hedge fund managers made 22,255 times the average wage, bringing down $650 million each last year.
http://www.bloomberg.com/apps/news?pid=20601103&sid=a04iBUNutMDM&refer=us
Yikes!
On the other hand, today is the 2nd anniversary of Katrina hitting the Gulf Coast. This I'm a little better acquainted with than people making $650 million a year. Two years ago I was "between opportunities". In order to stop the hemorrhage of self pity that was slowly draining me, I decided to drive down to the Gulf Coast and see if I could help. I was blessed enough to go down to Mandeville, LA, twice, and it is something I will never forget. Pictures from those trips are here:
http://s28.photobucket.com/albums/c234/2daydrive/Louisiana%20Trip%20November%202005/
and here:
http://s28.photobucket.com/albums/c234/2daydrive/Louisiana%20Trip%20October%202005/
Now... on to our unusual topics...
The Computer Security Institute has released the Computer Crime and Security Survey for 2006. The survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. DarkReading has a summary of the Survey here:
http://www.darkreading.com/document.asp?doc_id=99433&WT.svl=tease6_2
You can sign up with CSI and download the report here:
http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml
Searchsecurity.com has an interesting and insightful article on the use of employee profiling to prevent "inside jobs". It's really more of an admonition to PAY ATTENTION to employee behavior... to quote: "Assuming the employee passes the pre-hiring screening, don't ignore on-the-job warning signs. Some of these signs include belligerent, intimidating or threatening behavior toward co-workers, arrogance or being disgruntled over something in the office."
duh.
You might think it obvious, but it's not. There is a story (and I can vouch it is true) that an employer fired a disgruntled employee at 4pm, but the request to shut down the employee's systems access was not submitted until after the company help desk had closed for the day. Oops. The company "thought" there may have been some monkey business but they weren't sure. Right. The article is here:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1250974,00.html?track=sy320&asrc=RSS_RSS-10_320
Oh, thank goodness for the ability to find humor in the mistakes of others.
Tuesday, August 28, 2007
Morning Musings
Well, just in case you thought that diseases in the virtual world might be an overwhelming problem, a new report from the World Health Organization cites 39 new pathogens since 1969 - a record number of new diseases that include SARS, HIV/AIDS and Ebola. Now if that doesn't get your blood pumping on a gorgeous Maryland morning, then you ain't livin' my friend. The New York Times has it here:
http://www.nytimes.com/2007/08/27/world/27disease.html?_r=1&oref=slogin
As if looking for a new job without your current boss finding out about it isn't stressful enough, word from Monster regarding 1.6 million stolen records might just ratchet that job-search stress up a notch or two. If you have ever used Monster or its ilk you have probably noticed that on its own it is a little spam factory. The more info you post about yourself the more penis enlargement/ hot stock opportunities/ foreign money laundering proposals you get. But this is really going to the next level, crime wise. From Computerworld via CIO.com:
http://www.cio.com/article/131950/ID_Attack_Widens_With_._M_Records_Stolen_from_Monster.com/1
From business.timesonline.co.uk via Computer Crime Research Center comes information about an innovative program being deployed by banks in the UK in order to reduce on-line bank fraud. Many are making the investment in user tokens and "chip and pin at home" devices. I'm guessing they are talking about credit card readers designed to attach to home computers. Interesting read, especially since it's from the UK and the language is entertaining -- maybe not like watching Coupling on BBC America, but close.
http://www.crime-research.org/analytics/Internet-banking-security/
I had the opportunity to see Johnny Long present at ShmooCon in DC this year. Just let me say that we should all be glad this guy's on our side. His presentations, writing and web site are top notch and are as informative as they are entertaining; however, there is more to this fellow. His drive to help others has produced ihackcharities.org. Recruiting hackers to do pro bono work for charitable organizations -- excellent idea. If you have any talent or aspirations in this area you should really look into it. From DarkReading:
http://www.darkreading.com/document.asp?doc_id=132333&WT.svl=news1_1
Thanks for reading... it's off to my day job!
Thursday, August 23, 2007
Day One.
I think the little introduction just about says it all. In an effort to stay informed about the risks to my customers I read a lot of stuff over the course of a month. Rather than keep it to myself, I thought this might be a good way to share what I find. Mainly, I want to highlight the risks associated with simply having an on-line presence -- and what business lacks that? Large, high-profile businesses have been aware of the battle taking place on their firewalls and IPSs and servers as they have been the primary battleground. Now, however, medium and small businesses are in the fray as well -- whether they like it or not, and whether they are aware of it or not. Where do you think all those millions of zombies and bots come from? Do the math. Do you think it's possible that there are millions of compromised computers being used for DDoS attacks and none of them reside on the networks of small and medium businesses? HIGHLY unlikely. Education is the key here, friends and customers.
So... let's begin, shall we?
Read this first. From ITSecurity.com, Mafia 2.0: Is the Mob Married to Your Computer? A good summary of the who, what, why, when, and how of the criminal operations that are behind just about every security event today.
http://www.itsecurity.com/features/mafia-2-security-crime-011807/
Dark Reading is a great newsletter and site. You'll find over the course of our relationship that much of what I post comes from there. I'll take no offense if you decide to subscribe to Dark Reading directly and bypass my inane ramblings.
The Six Dirtiest Tricks of 2006 is a classic. This article is worth reading if for nothing else other than the firsthand description of the flash drive experiment. 20 flash drives left around a business... 15 of them inserted into company machines... doesn't matter how good your firewall is in that scenario, does it?
http://www.darkreading.com/document.asp?doc_id=113460
Again from ITSecurity.com: Ransomeware 101. Over 100,000 computers infected with ransomware over the past eight months. The main message: pay us money or we will encrypt your files and close down your operations. Ah, yes, the value of having current backups.
http://www.itsecurity.com/features/ransomeware-101-082107/
From NetworkWorld via CIO Magazine: TJX Pegs Data Breach Tab at $118 Million. At least their sales are up.
http://www.networkworld.com/news/2007/081507-tjx-data-breach-cost.html
From CIO Insight: Security Reconsidered. An interview with George Westerman of MIT, co-author of the new book IT Risk: Turning Business Threats Into Competitive Advantage. Westerman proposes a holistic approach to assessing and mitigating risk. Risk is not just an IT issue, you know, and approaching it in this way can actually provide an advantage in the marketplace.
http://www.cioinsight.com/article2/0,1540,2168713,00.asp
Well, that's a start for now. Let me know what you think.