Recently in infosec Category

GBN: NAC NAC (Who's There?)

Posted on my Gartner blog...

"We're currently working on an update to the GTP document "Architectural Alternatives for Enforcing Network Access Control Requirements" (Doc# G00227091). As part of this process, we've spoken with vendors, vendor references, and clients about what they're doing with NAC, what sort of technical and social challenges they may be encountering..."

Continue reading here...

GBN: All the World's a Cloud

Posted on my Gartner blog...

"No, not really. But it could be. Consider, if you will, the five essential characteristics of cloud computing (via SP800-145, as well as the CSA Security Guide):

  • On-demand self-service

  • Broad network access

  • Resource pooling

  • Rapid elasticity

  • Measured service

"Keeping these in mind, let's look at three quick scenarios where shifting the mindset to a cloud services approach, even within traditional IT shops, can help reduce cost, improve efficiency, and improve security qualities."

Continue reading here...

Bruce Schneier would have us believe that security awareness training is pointless. People have inadequate incentive to change, and thus why waste the time, money, or energy? And, to a degree, he is certainly correct. The old-fashioned once-per-year computer-based training modules to which many (if not all) of us have been subjected are, in fact, completely worthless. After all, these training modules are a mere blip on the radar of one's life, with no foundation in reality, and making no meaningless impact on how we conduct our jobs.

However, that is not the state of practice in the industry. Or, more specifically, it's not the leading edge state of practice. Moreover, his comments ignore much that we know about approaches, learning styles, incentives, etc., based on research from the past few years.

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

Maybe Your "Good Enough" Isn't

A theme I've seen surface lately is this notion that "good enough isn't good enough." My response to this is quite simple: if what you're doing isn't commercially reasonable and legally defensible, then your notion of "good enough" is itself flawed. At the end of the day, businesses should be aiming for "good enough" insomuch as that means doing as much as is reasonable and appropriate without wasting resources.

I would submit that anybody who argues against aiming for "good enough" simply doesn't understand how business operates, nor do they truly understand risk management. Infosec is not some zero-sum game where we can magically defeat all threats, eliminate all vulnerabilities, and go home "winners." Rather, it's a journey, not a destination. Every day we have to account for new threats and new vulnerabilities. However, we should not be focusing exclusively or obsessively on them. Instead, we should be focusing on the business and what it values and has of value.

It's that time of year again, but since I like to buck the mainstream, I figured, why do a "predictions" piece when I could just as easily do an observations/trends piece? So... here ya go...

Three Trends for 2013
1. Human Risk
2. Gamification
3. Increased Federal Activity

Does "Authorization" Matter?

Context is everything. The headline question is, of course, a troll. Authorization definitely matters, and especially within the context of the Computer Fraud and Abuse Act (CFAA), which is the trigger for this post. A fusillade of question around authorization cropped up last week thanks in large part to a blog post by @ErrataRob in which he states that the CFAA is dangerously vague and indeterminate on this question of authorization. In some ways he was right, but in others it was just misleading... to make matters worse, the coverage through the tech industry has been a touch fatalistic, trending toward uninformed and absurd... so, here goes my contribution! (read that as you will;)

Boo! All Aware Now?

It's Halloween, which not only means costumes, parties, candy, and trick-or-treaters, but also the close of the annual Cybersecurity Awareness Month (among other things to be aware of). So... are you more aware today than you were on October 1st? :)

A Little Historical Perspective


In preparation for an upcoming talk, I ended up going down the path of reading up on the recent history of technological advances, highlights of malware and attack evolution, the highlights of infosec innovation, and landmark laws and regulations that have impacted infosec and privacy. Yes, that's a mouthful, but it turned out to be very interesting. And, since I bugged people online and on lists to help with input, I figured the least I could do was to summarize my findings as best as possible here.

An article popped-up on HelpNetSecurity earlier today highlighting an interesting, if not contradictory, survey report released by NCSA and Symantec. In the SMB-oriented survey, about 3/4ths of respondents indicated that they felt cybersecurity is "critical to their success," but at the same time about 2/3rds indicated that they "aren't concerned about cyber threats" (either internal or external). Even more perplexing, the vast majority indicated not having formal written policies, yet at the same time the vast majority were satisfied with their cybersecurity posture.

This, my friends, is an interesting paradox. How is it that businesses can, on the one hand, claim to be aware of the importance of cybersecurity practices, and yet, on the other hand, so completely fail to comprehend what practices are necessary and important? To me, there are three likely components to the answer.

My Other Pages

Support Me

Support EFF

Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10