06.23.2009

Who isn’t intrigued by what is going on in Iran? In the last 10 days Iran has held presidential elections, which saw incumbent President Mahmoud Ahmadinejad defeat Mir-Hossein Mousavi and two other rivals, leading to a state of outrage and civil unrest. Protests began on June 13 and were met with violence. This is not terribly surprising given Iran’s history of dealing forcefully with those who oppose the will of the regime, though I wonder for how long they can maintain this archaic attitude and to what end. The people (or at least a noticeably large percentage of them) believe Mir-Hossein Mousavi is the President of Iran. So does Mr. Mousavi. In fact, he has recently gone so far as to suggest his willingness to accept martyrdom in order to see the election and its results annulled. That is a powerful statement to make given that in his part of the world martyrdom still carries the weight of its origins. Were there irregularities in the Iranian election? I don’t know; what I do know is that the people feel there were, and as such are demonstrating their angst and dissatisfaction strongly. I wouldn’t be surprised if “irregularities” were found upon further investigation of the election; I believe much will come to light.

I am thankful that people were able to utilize Web 2.0 technologies on a global scale, with data points coming directly from the streets of Tehran. I find it intriguing, and to a degree humorous, that these technologies have been vilified and condemned as part of some Western-sponsored cyber warfare plot against Iran. The Foreign Ministry’s representative Hasan Qashqavi delivered allegations suggesting that the West, in conspiratorial fashion, had worked to “meddle” in the affairs of the Iranian government, its political system and its people. He went on to share with the world that it was the opinion of the current Iranian regime that the West, in its entirety, is guilty of encouraging and supporting media outlets in condemning the Iranian government and of encouraging cyber war against it. I am not sure what I find more asinine: that the Iranian government has condemned the entire Western world for conspiring against it, due to having been exposed in rigging the outcome of the election, or that it has accused the West of encouraging targeted cyber warfare against it. There have been some verified incidents of old-fashioned DDoSing without the aid of botnets; however, the accusation again seems absurd on the whole. In a manner common to dictatorial, theocratic, semi-autocratic regimes, questioning the state is bad and someone needs to be indicted for having done so. The someone in this case, however, is the Internet, Web 2.0 applications, people around the world and the ever-looming, phantom-esque figure of the West. It seems a rather convenient and familiar course of action given the Iranian government’s disdain for opposition. Over the years the Iranian government has threatened to cut off all access to the Internet in order to control its populace and meet its own agenda. This is a clear sign that in the modern era, the model which they are leveraging is simply not working. In fact, it’s failing.

Twitter, Facebook, MySpace, YouTube and a host of other collaborative, social networking sites have been and will likely continue to serve and function as legitimate media outlets, thus undermining the fabric of what is largely considered an archaic world view. The world has changed. I’m sure this is troubling to the theocratic leadership in Tehran; however, it is an irrefutable fact. Failure to recognize that change, with vain attempts to suppress it in its people, will only usher in that change more rapidly and with greater fervor. The desire for freedom and happiness is something that exists at the core of our beings regardless of our geographic location; this cannot be cut off or suppressed or filtered through a state-sponsored proxy. I say, keep blogging, keep tweeting, and keep the world aware of what’s happening!

I believe people fear metrics. I believe many who manage information security environments, large or small, and who are charged with managing risk, are terrified of metrics. Unless this is addressed in an intelligent manner, it will be impossible to arrive at a place where security management and metrics are ubiquitous. What gets measured gets results. I believe this. I encourage it and have advised many clients over the years to implement metrics for the express purpose of being able to analyze the results. How else would my clients or I know whether they have progressed or regressed in some respect or area of their business? How else could my clients be expected to answer direct lines of questioning pertaining to their situational readiness, the state of their environment, or their risk posture without having access to metric-driven data? Metrics enable us to measure our maturity, and this is a good thing. Understanding our organizational risk posture and maturity enables us to ask the tough questions in house, amongst our own, as opposed to having to do so on the front pages of the Wall Street Journal. Metrics-driven data is paramount to successful security program management. Yet, if this is the case (and I assert that it is), then why do we see such disparity amongst enterprises the world over with respect to this? Some excel in their embrace and use of security-driven metrics; others discount their relevance and opt for ‘winging’ it. But can we afford to ‘wing it’ anywhere? I assert that we cannot. The world, as Thomas Friedman pointed out, is flat and continues to flatten at an incredible clip. Can we afford to have anyone simply forgo sound business practices such as the adoption of security metrics in today’s world?

I spent many years working as a consultant for a few notable firms. My forte is and remains rooted in the discipline of information security and risk management. I have been part of more meetings and interviews than I can count where the simple presence of security-driven metrics data would have saved an incalculable amount of time, not to mention discomfort on the part of those being asked to generate said data by assessors, auditors, legal teams, executives, etc. My feeling is that many organizations simply do not see the value in implementing security metrics because they do not view them as being critical to their businesses, which, upon investigation, I have always found to be a weak position. There is no substitute for being well informed.
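To make the “progressed or regressed” question concrete, here is an added example (mine, not the post author’s) that computes three common remediation metrics from vulnerability findings: mean time to remediate by severity, the fraction of findings past their SLA, and the open backlog, then compares two quarterly snapshots to flag improvement or regression. The SLA thresholds and the finding records are constructed for illustration and are not drawn from any standard or real program.

```python
"""Security-program remediation metrics over two reporting periods (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Remediation SLA in days, by severity. Assumed values for the example only.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding: closed date minus opened, or snapshot date minus opened if open."""
    return ((f.closed or as_of) - f.opened).days


def mttr_by_severity(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Mean time to remediate (days) per severity, counting closed findings only."""
    result = {}
    for sev in SLA_DAYS:
        ages = [days_open(f, as_of) for f in findings if f.severity == sev and f.closed]
        if ages:
            result[sev] = round(mean(ages), 1)
    return result


def sla_breach_rate(findings: List[Finding], as_of: date) -> float:
    """Fraction of findings whose age exceeds the SLA; open findings count by current age."""
    if not findings:
        return 0.0
    breached = sum(1 for f in findings if days_open(f, as_of) > SLA_DAYS[f.severity])
    return round(breached / len(findings), 3)


def open_backlog(findings: List[Finding]) -> Dict[str, int]:
    """Count of still-open findings per severity."""
    backlog: Dict[str, int] = {}
    for f in findings:
        if f.closed is None:
            backlog[f.severity] = backlog.get(f.severity, 0) + 1
    return backlog


def trend(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, str]:
    """Compare two snapshots of a lower-is-better metric; flag each key's direction."""
    verdicts = {}
    for key in sorted(set(previous) | set(current)):
        p, c = previous.get(key), current.get(key)
        if p is None or c is None:
            verdicts[key] = "no comparison"
        elif c < p:
            verdicts[key] = "improved"
        elif c > p:
            verdicts[key] = "regressed"
        else:
            verdicts[key] = "flat"
    return verdicts


# Constructed sample records (not real findings) for two quarterly snapshots.
Q1_AS_OF = date(2009, 3, 31)
Q1_FINDINGS = [
    Finding("F-001", "critical", date(2009, 1, 5), date(2009, 1, 10)),   # 5 days, within SLA
    Finding("F-002", "critical", date(2009, 1, 20), date(2009, 2, 3)),   # 14 days, breach
    Finding("F-003", "high", date(2009, 2, 1), date(2009, 2, 20)),       # 19 days
    Finding("F-004", "medium", date(2009, 1, 15), None),                 # open, 75 days at Q1
    Finding("F-005", "low", date(2009, 1, 2), date(2009, 3, 1)),         # 58 days
]

Q2_AS_OF = date(2009, 6, 30)
Q2_FINDINGS = [
    Finding("F-004", "medium", date(2009, 1, 15), None),                 # still open, 166 days, breach
    Finding("F-006", "critical", date(2009, 4, 3), date(2009, 4, 6)),    # 3 days
    Finding("F-007", "critical", date(2009, 5, 10), date(2009, 5, 14)),  # 4 days
    Finding("F-008", "high", date(2009, 4, 20), date(2009, 6, 1)),       # 42 days, breach
    Finding("F-009", "high", date(2009, 6, 15), None),                   # open, 15 days
    Finding("F-010", "low", date(2009, 5, 1), date(2009, 5, 20)),        # 19 days
]


def quarter_over_quarter_report() -> Dict[str, object]:
    """Assemble both snapshots and the MTTR trend into one report dictionary."""
    q1_mttr = mttr_by_severity(Q1_FINDINGS, Q1_AS_OF)
    q2_mttr = mttr_by_severity(Q2_FINDINGS, Q2_AS_OF)
    return {
        "q1_mttr": q1_mttr,
        "q2_mttr": q2_mttr,
        "q1_sla_breach_rate": sla_breach_rate(Q1_FINDINGS, Q1_AS_OF),
        "q2_sla_breach_rate": sla_breach_rate(Q2_FINDINGS, Q2_AS_OF),
        "q2_open_backlog": open_backlog(Q2_FINDINGS),
        "mttr_trend": trend(q1_mttr, q2_mttr),
    }


if __name__ == "__main__":
    for name, value in quarter_over_quarter_report().items():
        print(f"{name}: {value}")
```

Two design choices matter when you adopt something like this for real: open findings are charged their current age against the SLA (so an unremediated medium that has quietly sat for six months shows up as a breach rather than disappearing from the MTTR average), and the trend comparison refuses to judge a severity that has no data in one of the two periods instead of reporting a spurious improvement.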

06.15.2009

Just a short post today for me:  I came across this article earlier today.   It appears that US and Italian police have broken up a telecom fraud ring that seems to have been kind of the “perfect storm” of the underground:  it involved profit-motivated attacks against large enterprises, organized crime, hacktivism, and terrorism.    What struck me here was that this one incident pretty much illustrates just how much we, the “good guys”, are up against when trying to secure enterprises.

The first morning back from Hawaii and I had no plans to post until later in the week.  That was ruined when I read this story from the Associated Press about how weak security allows credit card numbers and personally identifiable information to be stolen.  I have to admit, I wasn’t surprised one bit to read this and here’s why.

First, the PCI standard really has no teeth. Sure, a retailer can be fined, and depending on the size of the retailer’s annual revenue the fine could be quite substantial. But all they have to do is pay the fine and go on about their business. In fact, I’d be willing to bet that for many retailers that are not “PCI compliant” it might be cheaper to pay the fine than to implement the necessary components to become fully secure.

Retailers don’t appear to be concerned about losing their privilege of accepting our credit and debit cards as a form of payment. This is for good reason: there is little motivation for a retailer to spend the time and money necessary if they can continue to accept credit/debit cards for payment. Imagine if a retail behemoth (insert your own here, but I have one in mind) had their credit card acceptance privileges revoked by Visa; that would be more motivation to institute a real security program that protects credit card numbers. In the case of some of these retail giants, a $250,000 fine by Visa is almost a rounding error.

In reality, credit card companies have more motivation to allow large retailers to continue to accept credit cards for payment because if they were to suspend a given retailer’s privileges they’d be losing revenue as well.  I’m not saying that the card brands don’t care about protecting customer information, they do and they have departments that monitor and handle fraud, misuse and other activities.  However, I have to wonder if given the choice to suspend a large retailer’s acceptance of their cards and lose that revenue for the period of time it took to become compliant with the standard versus doling out a fine or series of fines, the card company would almost certainly fine the retailer instead.

One other point, every customer I have talked to in the past about PCI compliance has shared with me that their entire motivation for becoming compliant is to avoid the “front page” and avoid fines.  That’s right, avoid fines.  Seldom, if ever, has a retailer shared with me that they were concerned about the prospect of having their acceptance privileges revoked.  Most, after discussing the issues with them, agree that protection of customer information should be paramount (this would actually help them avoid the front page, of course.)  But the reality is that it’s all about their board of directors worrying about their own negative publicity or becoming “the next TJX”, but one must believe that would exist even without the PCI standard.

I realize that with the PCI standard, the major concern is the security of large volumes of information or “bulk credit card numbers” and other information, however the credit card companies themselves are still learning basic “information security.”

I’ll give you a perfect example. A couple of years ago I flew into Chicago for a couple of days of business meetings. When I landed, I headed straight to the ATM (don’t ever use your credit card for cab fare in Chicago) to withdraw a couple of hundred dollars from a credit card I used for business. After waiting an unusually long time, I got a notice to call my issuing bank because the transaction was denied. Curious, I proceeded to call Chase, checked my balance, found I had plenty of room on the card, and so I talked to a person. Before this person would help me they asked me to repeat my credit card number (I had already entered my CC# and billing zip into the automated system); mind you, I’m at an ATM in terminal B at O’Hare on a Monday about 11AM. Needless to say, the place was teeming with fellow travelers and airport/airline employees.

Anyhow, I told the person on the phone that I wouldn’t give them my card number because there were a number of people around (basic infosec 101), and they replied with “Well, in order to help you I need to confirm your identity, so would you mind giving me your social security number instead if you’re uncomfortable with sharing your card number?” Again, I reminded them that I was around a large number of people and suggested, “Hey, why not ask me one of the three security questions you had me set up when I opened the account, since I’ve already entered two authentication factors into the automated system?” The response was classic: “Well sir, we could, but what if you aren’t you and someone else wrote your card number down?”

By now I was laughing, and you see where this is going. Needless to say, I explained some logic to them and eventually got the issue with the card solved. But the lesson here is that while the card companies are no longer asking for a full card number (at least mine aren’t), they still have a lot of work to do with their employees to make them aware of basic information security.

Well, this post was a bit longer than I had intended it to be, but I’m convinced that if organizations who handle sensitive or critical information (credit card numbers, social security or other national identification numbers, health records, classified material, product plans, etc) actually implemented quality security programs in the first place, the data owner would be far ahead of the regulatory and legislative requirements when it comes to compliance.

Finally, if there is going to be an industry regulation such as PCI for data security, it needs to have as much bite as it does bark. I challenge a major credit card issuer to suspend a major retailer’s card acceptance privileges the next time there is a serious breach, or when they find that the major retailer is not and has not been in compliance with the PCI standard for the past two quarters in which compliance was required.

06.11.2009

I am getting pretty excited about tomorrow.  I haven’t had as many chances as I would have liked to play golf this year (being a sales guy and living in Atlanta, you would think I would find a way somehow).  I am going out to play golf early tomorrow with the security lead for one of my favorite customers.

This got me thinking of course about the famous Mark Twain quote of “Golf is a good walk spoiled“.  With many of my customers, colleagues and friends in the IT security world, a simple walk around the office can be either a positive experience or an all-out train wreck.  I remember back to starting my career at HP, and one of the many management axioms passed down was the idea of “MBWA” or “manage by walking around”.

When security folks walk around, or venture out of their sphere of influence, i.e. into the business world, strange things often happen.  In a world where we are used to talking about threats, malcode, DDoS, etc., we have to suddenly learn new codewords – cost-benefit analysis, risk exposure, business value, brand reputation, and other terms central to running the business.  Back to the golf analogy, you may have a booming tee shot, but if your short game needs help and you can’t drop a 3 foot putt, you are going to have issues.  Same holds true for security teams that continue focusing on areas they already do well, and neglect the hard to tackle projects or areas that could really mitigate risk and even come back to provide positive value to the business.

The strong organizations and security teams I work with have really begun to shift the mindset toward being able to communicate and quantify in business terms exactly what they are doing to help the business and add value.  This goes far beyond simply justifying spend, negotiating with vendors, or soliciting consulting services.  What I am seeing is well-managed security teams proactively learning the culture and language of business to push forward projects that can help the business overall.  This in turn helps move security operations from being simply a need-to-have requirement to being a cooperative, integrated, engaged, involved and necessary entity that can not only aid in helping companies do business, but find ways to optimize their knowledge and involvement.

Now let’s just hope my short game holds up, and I can drop a few putts.

06.09.2009

The Georgia Supreme Court recently threw out the state’s law governing left turns, saying that it was unconstitutionally vague. There are a couple of things that are interesting here: first, the sheer improbability of a legal matter as relatively minor as a traffic ticket not only being appealed to the State Supreme Court, but being heard by that court, and even overturned. The other interesting thing here were these words that appeared in their decision: “A law may be unconstitutionally vague if it fails to provide the kind of notice that will enable ordinary people to conform their conduct to the law or if it fails to provide sufficient guidelines to govern the conduct of law enforcement authorities, thus making the law susceptible to arbitrary and discriminatory enforcement.” I can only imagine the poor prosecutor whose job it was to go before the Court and try to make sense of the old law; talk about defending the indefensible.

Now, I’m pretty sure that a significant portion of the people reading this are wondering “I thought this was an IT Security website?!”  Well, it is, and here’s how this is interesting for security practitioners:  Think of your organization’s information security policy as the law.    The operations, compliance and audit staff are law enforcement, and the user community are, in this scenario, the citizens.

Which brings me to how a court decision throwing out a traffic law and security policies are related: do your security policies provide clear, unambiguous guidance as to how it is to be implemented and enforced?   Is your organization’s policy written in such a way that both technical and non-technical staff can not only understand it, but also interpret it in the manner you intended?  Can an “ordinary person” understand your security policy, to be able to stay within compliance?  Or, are you in danger of having someone “appeal” to your CIO/CFO/Cxx and get your policy thrown out?   It’s unfortunate, but in my years in IT, I’ve seen more than one organizational policy that read like Vogon poetry at best, and utter gibberish at worst.  Worse yet are policies that are clearly written, but using language that could charitably be described as being “nerd-centric”, and understandable to no one except the IT staff.

In this case, the state of Georgia is going to have to do without a law governing left-hand turns for a while, at least until the Legislature meets next year and can pass a new law. Fortunately for all of us, it’s (usually) easier to modify and rewrite an organizational security policy than it is to enact a new law. On your next regular policy review (and you DO have scheduled reviews, don’t you?!), take a closer look at the language you’re using. And, while you’re at it, get feedback on your policy language from a cross-section of your user community to make sure it’s followable.

All data breaches are serious and should be approached as such, from an investigation and root cause analysis perspective. A failure to do so speaks volumes about the attitude of the organization, its maturity from a security program perspective, and the attitude held with respect to events of interest regardless of their respective points of origin. Every day it seems new breaches are reported and disclosed. You can visit any number of websites to check in on who’s been affected, where and to what degree. In some respects I wonder if the sheer volume of disclosed breaches (can you imagine what the reaction would be like if all breaches were reported and disclosed?) is in some way having a dulling effect on the populace at large. Here is an example of what I mean by that.

Yesterday Dark Reading (one of my favorite sites on the Internet: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=217800147) posted an article regarding a recent data breach at T-Mobile. Within it, several well respected industry experts (some of whom are former co-workers of mine) were interviewed for comment with respect to the breach and the fact that those responsible were trying to sell the data online. The breach was real, but the content netted as a result of the breach was deemed to be of questionable value and relevance (though, as Rob Graham, CEO of Errata Security, pointed out, that doesn’t mean they didn’t get deeper and actually hit a system of consequence). T-Mobile commented on their own behalf (I thank you for this in advance, as I’m a long time customer :) ) regarding the matter, asserting their belief that the nature of the breach (after careful analysis) poses no threat to its customer base or their data. They further went on to assure the world, and no doubt those waiting to scrutinize their security posture and practices like carrion birds, that were it a case where customer data had been compromised, they would make a point of communicating immediately to their customer base in addition to mitigating the threat to their environment. The importance T-Mobile places on safeguarding the data of their customers in addition to themselves is admirable and noteworthy. I would expect no less from an organization which, as of September 30, 2008, served approximately 32.1 million mobile customers; however, it leads me to ask the following question:

“How and why was the data compromised and to what degree does vigilance come into play with respect to operational execution of information security policy and procedure?”

It’s a rhetorical question; however, I think that in light of this latest addition to the list of recognized breaches and compromises we need to ask the hard questions of ourselves and inspect what we expect. As information security professionals and practitioners we have an obligation to do so. It’s a charter, if you will; a mantle passed on from generation to generation with respect to ensuring that confidentiality, integrity, and availability are maintained to the highest degree possible. We all know that it is impossible to make assertions regarding the complete elimination of risk, but it certainly is not impossible to work hard (often over great periods of time, depending on the maturity and complexity of the environment) to reach a level of maturity that is defined and measurable. It’s a wash, rinse, repeat cycle; one that should not be ignored.

As there is no substitute for the diligent execution of a risk-based information security strategy and program (and likely never will be), we have to acknowledge that this is only part of the solution. The most comprehensive risk-based framework (one which accounts for people, process, technology, segregation of duties, operational concerns as they pertain to business unit relevance, etc.) is useless if there has not been an organizational ratification (by office, committee, or board) which not only endorses it but subsequently empowers those tasked with its execution to enforce it. Security programs need to be treated as though they are living, breathing extensions of the organization itself, ubiquitous across business units and operational elements, and articulated to stakeholders in such a way that they see them not only as a concern for the ‘security guys’ but as an absolutely critical element of the business overall: one that aids in operational efficiency, revenue generation (we’ll touch on that in a later post), and assurance of competitive posture. All good. Without these entitlements and the associated, necessary empowerments these documents are worthless; the ink on the paper has more overt value. Businesses, and more importantly the people within the businesses, need to be woken up to the realities of not acknowledging the potential impact associated with ignoring risks as they are noted and recognized. These concepts and ideas are not new. They’ve been developed, modeled, tweaked, implemented and optimized the world over, and yet for as many instances of successful adoption as there are (and to be clear, I want to stress that the process of doing so is not without its pain points initially), they still seem to be the minority. Let’s change that.

Tradition dictates that when Willie Sutton was arrested and asked why he robbed banks, he paused and answered “Because that’s where the money is”. Whether or not you believe that Mr. Sutton actually said this (he denied it later in life in his autobiography but suggested that were he asked he would’ve said that and more), it’s important to note the underlying sentiment of the statement. Why do criminals do what they do? Because ultimately, whether it’s robbing banks or undermining economies via subversive technological activity, there is money (profits) to be made. In our industry buzzwords and pablum are fed to the masses in gross fashion. Much of this is meant to appease and satisfy in the hopes of causing as little discomfort as possible, as no one (vendor, industry expert, etc.) wants to be seen as being anything other than Stepfordesque in both delivery and content messaging. Ours is a real world. It is not for the faint of heart. It is not explicitly good nor is it explicitly bad; it is a mixture of the two, an amalgamation, a world of shades of gray….or is it?

In many respects one can argue that this is the case: that in fact there are really only shades of grey and very rarely, if ever at all, blacks or whites. But what about in our world, the world of the Information Security Practitioner? Does this argument hold true? I believe it does not. In fact, I would argue that nothing could be further from the truth and that there is ample historical and recent evidence to support this point. Furthermore, there is an entire area of study devoted to that which is implicitly ‘black’ within our discipline: the study of cyber-criminology. Often referenced yet rarely detailed, this area of study is both fascinating and frightening; it is invigorating to researchers and analysts such as my peers and I, while at the same time crippling to others. It is an area of study which influences research and development, tactics, techniques and tools, while at the same time exposing the darker elements of the Information Superhighway in ways which many might traditionally believe belong in Hollywood feature films. Research and study here entails exposure to voluminous amounts of data pertaining to active investigations, closed cases, cold cases, legal arguments, geopolitical amendments, law enforcement tactics, in addition to a myriad of data and scenarios of questionable nature. It demands an acute sense of good and evil, right and wrong, regardless of the perspective espoused by those elements and subjects which come under scrutiny. It requires comprehension of the tactics, techniques and lengths to which cyber-criminals and cyber-syndicates are willing to go in order to ensure their business interests remain profitable, consistent and unfettered by security researchers and/or law enforcement.

Additionally, it requires dedication, strength, vigilance and the courage of one’s convictions to leverage the intelligence gathered and gained for the greater good, in the hopes of mitigating the risks posed by cyber-criminals the world over. It focuses on a fluid, almost intangible focal point: ever changing and dynamic; well established, informed and trained; ready to act out singularly or in concert. It is not for the faint of heart nor the unprepared mind. This area of Information Security study (which of course is also part of the greater body of knowledge and research dedicated to criminology) deals with subject matter and activity including, but not limited to, the following:

When taking into consideration the illicit cyber-criminal activities listed previously, it should come as no surprise to anyone that there is a vast amount of money to be made (recent estimates suggest that cyber-crime on a global scale is a $105 billion USD industry, far exceeding the revenues associated with the global drug trade), and that profitability is the key motivator associated with this space.

You might be asking yourself how this will help you secure your enterprise or yourself, and why you should spend more time exploring this topic than, say, those associated with the compliance = security motif so popular in today’s security talks. If so, I’m glad you are, as I believe these points underscore the importance clearly:

With respect to these points I have one question to pose before closing: “In the 21st Century, what has the potential to do more harm? Bombs, Bullets or Bits?”

The above comments are strictly mine and mine only; they in no way reflect the position of my employer, management or any other organization with which I’m associated.

So the President has decided to create an office in the White House to be staffed by the “Cyber Czar” and this person will have responsibility for determining how to secure America’s critical infrastructure and critical systems from attack by other governments, military organizations and terrorist factions.

So why do we need this? Very likely because nobody, other than a subset of us in the information security industry, had the foresight to see that connecting these systems to the PUBLIC INTERNET was a bad idea in the first place.

Imagine my surprise (or not) when the WSJ reported on April 8 that foreign spies had access to parts of the United States’ electricity grid.

Didn’t the government get the idea that our systems are not sufficiently protected from Titan Rain in 2005/2006 and numerous other incidents before and since?  How about the incident in 1991 where Dutch hackers penetrated Pentagon computers and offered to sell back the information containing details of troop movements in Desert Storm?

If that doesn’t work for you, how about the 2007 incident where Department of Homeland Security computers were penetrated by hackers? Interestingly enough, there have been a few other incidents of the compromise of government systems and data since this announcement by the Obama Administration.

My point is this, if organizations actually took information security (meant to be all encompassing of computers, networks and data security) seriously, much of this could be prevented.

I have a few questions that I’ve asked for years and interestingly enough the questions below are directly related to the above announcement and incidents.

What is so hard to understand about the fact that connecting an information system that processes national security information, or keeps the lights on and the water running, to the public Internet puts that system at risk?

What is so hard to understand about the fact that not training your employees in the proper use and handling of critical, sensitive or confidential information puts that information at risk?

What is so hard to understand about the fact that handling information, and sharing that information across a computer network or phone system, requires a degree of protection appropriate to the level of sensitivity of that data?

Had these questions been properly addressed years ago, would appointments of these types be necessary? Maybe, but they might be done in a different light, that being that the person is tasked with ensuring the “continued security of critical infrastructure and information” rather than presumably trying to figure out how to institute that security.

Once we decide it’s time to include security as part of an infrastructure or systems build-out, and awareness training as part of regular and required employee training and certification, we should expect to see a reduction in the number of incidents like the above. Until then, expect more, because as long as an organization responsible for the information fails to show that it truly cares and takes its responsibility seriously, it cannot possibly expect its employees to do the same.

Now back to the Presidential appointment of the “Cyber Czar”, does that job come wrapped in a red bow to illustrate the amount of red tape that the nominated individual will face?

Anyhow, more to come on this topic later, but for now I’m going back on vacation…

The above comments are strictly mine and mine only; they in no way reflect the position of my employer, management or any other organization with which I’m associated.

Being security professionals, the majority of our work can be summed up by the simple phrase “react faster”.  Information security, at its core, is largely a reactive and often times a forensic function.  Sure, you can put a whole host of products and solutions in place to secure anything and call it “proactive”, but in reality, you are merely watching and waiting for something interesting to happen.  No matter how much you spend on marketing, this is clearly a defensive or reactive posture.

I have been doing a lot of thinking about the psychology of IT security professionals, focusing on how they react when something abnormal happens (note I did not say exclusively bad, i.e. false positives, process breakdowns, mis-configurations and mis-communications).  If a customer, user or company is attacked and knows who did it, should they retaliate or fire off a counter-offensive?  What is the thought process that would lead up to such a thing?  Is this even foolish or heretical to propose?

The point of this post is not to justify cyber-vigilantism, but instead to get us thinking about how a counter-offensive security system could benefit the IT security space, if at all. Why are we as an industry and profession always so reactionary in nature? What can be done on a macro and micro scale to go on the offensive against threats, exploits, data theft schemes or other issues? Is there an ethical barrier to launching counter-offensives or counter-attacks against a verified and proven attacker?

I would contend that the Internet (or any critical network) is key infrastructure, or at the least a utility (like water, natural gas, electricity).  If someone were to attack this key infrastructure in any country, the process that followed would probably look something like this:  Chaos, Cleanup, Identification of attacker, Legal Procedure to take offensive action against the attacker, and finally action.  The farthest IT security usually gets in the action department is to block further attacks (via firewall rules, reputation services, inline network protection or similar reactive systems).  Unfortunately, unlike Wake-on-LAN, there is no Magic Packet you can send to an attacker or their infrastructure to shut them down.  If only threats like Conficker or McColo were so simple.

Take another example of one country heavily manipulating another country’s currency or monetary scale/system.  Under international law, such nefarious actions could very quickly escalate and lead to all out war, if documented and proven.  At a minimum, the attacked economy would take some direct action, and I would guess it would be a little harsher than not accepting the responsible country’s currency or simple economic sanctions.

The concern with the counter-offensive mindset is that taking such a vigilante-style approach could do more harm than good.  Very true and valid point.  The situation could escalate to the point of both the attacker and defender depleting each other’s confidentiality, integrity and availability, but not before taking down 20 hops of Internet routers with overloaded bandwidth, and affecting innocent bystanders.

So what can we do?  Like a lot of things, the key is raising the awareness and education.  Digital information is getting to the level of a “natural resource” and ubiquitous availability is expected, if not demanded, by many.  Simple reactive protection is always going to keep security professionals chasing their tails.  I would contend that without at least the possibility of launching a counter-offensive, the security space will stagnate and we will have more of what we see today – threats and attackers winning more and more.
