If that title doesn’t get your attention, I doubt much else will. And yes, of course there’s no such thing.
So rather than inviting the wrath of the cybergods, which will certainly fall heavily upon anyone claiming “hackerproof,” let’s talk a little about building a more hacker-resistant enterprise.
I get to see lots of different approaches to the information security problem. Most work a little, some not at all; but a few, just a few, work really well. I’d like to share what I think makes the difference between going through the motions and actually getting the job done.
First off, the successful enterprises understand that “secure” isn’t a state you can actually get to. In fact, it’s a vague concept and arguably more an illusion than anything else. You’re never actually “secure.” Sitting where you are right now, any number of bizarre things could happen to you. An airplane could come crashing down on you, a gas main under you could explode, or a heated exchange at the office could trigger that aneurysm you didn’t know you had. The point is, we are surrounded by risks every day, lots of them, but we can’t be aware of them all, let alone manage the lot.
The successful approach is to understand what vulnerabilities exist, how likely a threat is to successfully exploit a specific vulnerability, and what the resulting consequences would cost. This is the basis of risk management in general, and it’s not often demonstrated in day-to-day information security practice.
The second trait I think all the successful programs share is a deep understanding of exactly what is worth protecting, who might want to steal it, and how they might go about getting at it. This requires a practitioner to understand cybercrime statistics and trends as well as the street value of various types of data. (Stolen data ranges from inexpensive email lists up to full credit card swipe data.)
Other more subjective effects include loss of competitive advantage due to intellectual property theft and brand damage caused by publicity surrounding a breach. Once you have a grip on potential costs, it’s actually easy to determine how much you should spend and which controls you should implement to protect those assets. Again, it comes down to actually understanding and managing your risk, not just throwing the latest trade show security solution at it.
The third thing I’ve noticed about successful enterprises is that they actually know what traffic is traveling across their networks. There’s no one best way to do this -- and it’s not a technology we’re talking about here. It’s a habit of needing to see and confirm that controls are working.
The bigger your network is, the harder this particular part is to achieve. The good network managers actually see every binary download, every outbound connection reset by the firewall, every login failure, and even every domain name resolution to known bad places on the Internet. A well-set-up network knows whether someone plugged an unknown device into an Ethernet jack or tried to connect it to a WiFi access point.
Without good visibility into network activity, you can’t know that your controls are working or, even more importantly, whether they’ve failed. This visibility doesn’t necessarily have to be real time; high-frequency batch auditing can be just as effective, especially in a smaller network environment.
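The visibility habit described above is easier to see in code than in prose. The following is an added example, not code from the original post: a small batch auditor in Go that runs over a handful of constructed log lines (a simplified `kind key=value ...` format assumed here, not any vendor's real syntax) and flags the four things the paragraph lists: repeated login failures, DNS resolutions to a known-bad list, outbound connections reset by the firewall, and a device on a port that is not in the inventory. The bad-domain list, the device inventory and the failure threshold are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog is constructed sample input (not from the page). Each line is
// "<kind> key=value key=value ...", an assumed simplified format.
const sampleLog = `auth user=alice src=10.0.0.12 result=fail
auth user=alice src=10.0.0.12 result=fail
auth user=alice src=10.0.0.12 result=fail
auth user=alice src=10.0.0.12 result=fail
auth user=bob src=10.0.0.20 result=ok
dns client=10.0.0.31 qname=updates.example.com
dns client=10.0.0.31 qname=bad-c2.example.net
fw action=reset dir=out src=10.0.0.31 dst=203.0.113.9:4444
dhcp mac=00:11:22:33:44:55 port=ge-0/0/7
dhcp mac=aa:bb:cc:dd:ee:ff port=ge-0/0/9`

// Constructed reference data: a known-bad domain list, the device inventory,
// and the number of failures for one user/source pair that merits a finding.
var knownBadDomains = map[string]bool{"bad-c2.example.net": true}
var knownDevices = map[string]bool{"00:11:22:33:44:55": true}

const failThreshold = 3

// Finding is one item the batch audit wants a human to look at.
type Finding struct {
	Kind   string
	Detail string
}

// parseKV turns "k=v" fields into a map; fields without '=' are ignored.
func parseKV(fields []string) map[string]string {
	m := map[string]string{}
	for _, f := range fields {
		if i := strings.IndexByte(f, '='); i > 0 {
			m[f[:i]] = f[i+1:]
		}
	}
	return m
}

// Audit walks the log once and returns findings in log order. It is stateless
// across runs, so it suits the high-frequency batch auditing the post mentions.
func Audit(log string) []Finding {
	var findings []Finding
	fails := map[string]int{} // login failures per user@source
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		kv := parseKV(fields[1:])
		switch fields[0] {
		case "auth":
			if kv["result"] == "fail" {
				key := kv["user"] + "@" + kv["src"]
				fails[key]++
				// Report once, when the threshold is first reached.
				if fails[key] == failThreshold {
					findings = append(findings, Finding{"login-failures", key})
				}
			}
		case "dns":
			if knownBadDomains[kv["qname"]] {
				findings = append(findings, Finding{"dns-known-bad", kv["client"] + " -> " + kv["qname"]})
			}
		case "fw":
			if kv["action"] == "reset" && kv["dir"] == "out" {
				findings = append(findings, Finding{"outbound-reset", kv["src"] + " -> " + kv["dst"]})
			}
		case "dhcp":
			if !knownDevices[kv["mac"]] {
				findings = append(findings, Finding{"unknown-device", kv["mac"] + " on " + kv["port"]})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Audit(sampleLog) {
		fmt.Printf("%-16s %s\n", f.Kind, f.Detail)
	}
}
```

Run as-is it prints four findings. The point of the design is that each check is a confirmation that a control exists and is doing its job: the login threshold confirms the lockout policy is being exercised, the DNS check confirms the resolver logs are reaching you, the reset check confirms the egress filter is actually blocking, and the inventory check confirms port access is being watched.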
The fourth and last trait of successful enterprises is not which technology is used, but how that technology is selected. It’s no accident that technology is the last thing I mention in this post. That’s because it’s absolutely the least significant factor in information security management.
Go ahead, read that again, and let the flames fly; but I really don’t care what brand of hammer a carpenter uses to build my house. I care how well the house is made. You can have all the best tools and still have a lousy security posture because you just don’t know what you should be protecting, how much it’ll cost you to lose, and how it’s likely to be stolen.
I’ve seen excellent security programs put together on a low budget and using simple, sometimes even free tools. More often, I see the opposite of that, though. The successful practitioners start from a position of identifying a problem, such as, “We need to prevent unpatched and unprotected machines from connecting to our network.” Then they find a solution that best meets the need.
This approach is substantially different from seeing the same product at a trade show and then implementing it because it sounds like a good idea. I wish I had a fraction of the security tools I’ve seen purchased and abandoned, and often never even implemented, at organizations with more budget than brains. We have a word for such entities: They’re called victims.
The article deals with polymorphic virus attacks, delivered via Advanced\Persistent Threat or Targeted e\mail or message methods
There was this:
Attackers also sent more personalized malware, via malicious links or attachments in emails, in greater numbers.
These were more sophisticated in nature than other socially engineered malware, and targeted people in specific job functions, most commonly executives, senior managers and people who work in research and development.
I'm including this on this thread this morning as both the use of polymorphic virus attacks as well as advanced\targeted attacks seem to be on the rise of late
a polymorphic virus is one which changes itself constantly so as to avoid detection by anti-virus scanners
advanced\targeted attacks are usually e\mail or other messages addressed as forgeries, i.e. made to look to you like a message from someone you know...
(this is how the RSA hack was accomplished)
Computer systems should provide two defenses:
First: detection of the e/mail or message forgery. This is where digital keys come into play. MSFT has been using these recently; here's a sample:
an attacker can produce an e/mail that looks like it's from someone you know but he cannot forge a digital signature unless you have not properly protected your digital keys.
Using digital signatures "raises the bar":
You may recall this clip:
Michael Barrett, chief information security officer at online payment processor PayPal, (REFERENCE) A few years ago we started digitally signing all our outbound e-mail and we worked with Yahoo and Google so if they saw e-mail that purported to come from us but wasn't signed they would block it. That has been stunningly successful. Now we're trying to get the whole industry to take up that type of approach. But it will take several more years of pushing to get the rest of the industry to do that.
That's dated April 9, 2011 -- a year ago
The second level of defense is of course monitoring program behavior: when a spreadsheet tries to update your O/S the answer is "Sorry pal, we don't let spreadsheets do updates here"
the key is: we don't care what a program looks like; we are interested in what it wants to do.
this is where User Account Control and Applocker come into play.
See if you can forge my signature -- if I use a graphic, like this:
hint: right click on my signature and select 'save image as'. some web pages will block this method; in that case use a screen shot program such as IRFANVIEW which is available for a free download.
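The "raises the bar" point in the comment above, shown as an added example that is not part of the original thread: a sender signs a message, and the recipient verifies it against the public key they already hold for that sender. The keys, the address and the message text are constructed; Ed25519 from the Go standard library stands in for the OpenPGP signatures the comment discusses, since the property being shown is the same: a message can claim any From address, but a signature that checks out under the sender's known key cannot be produced without the sender's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage pairs a message body with the claimed sender and a signature
// over the body. The From field is untrusted until Verify succeeds.
type SignedMessage struct {
	From      string
	Body      []byte
	Signature []byte
}

// Sign produces a message the holder of priv vouches for.
func Sign(priv ed25519.PrivateKey, from string, body []byte) SignedMessage {
	return SignedMessage{From: from, Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify checks the signature against the key the recipient already holds for
// the claimed sender. An unknown sender is rejected rather than trusted on sight,
// which is the "protect your keys from tampering" point in the PGP essay.
func Verify(known map[string]ed25519.PublicKey, m SignedMessage) bool {
	pub, ok := known[m.From]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, m.Body, m.Signature)
}

// Demo returns the three verification outcomes a recipient would see:
// a genuine message, the same message with an altered body, and a message
// signed by someone else who claims the genuine sender's address.
func Demo() (genuine, tampered, forged bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader) // constructed sender key
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // constructed key of a third party
	if err != nil {
		return
	}
	known := map[string]ed25519.PublicKey{"alice@example.com": alicePub}

	msg := Sign(alicePriv, "alice@example.com", []byte("Please approve invoice 1043"))
	genuine = Verify(known, msg)

	altered := msg
	altered.Body = []byte("Please approve invoice 9043")
	tampered = Verify(known, altered)

	look := Sign(otherPriv, "alice@example.com", []byte("Please approve invoice 1043"))
	forged = Verify(known, look)
	return
}

func main() {
	genuine, tampered, forged, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine:", genuine, "tampered:", tampered, "forged with own key:", forged)
}
```

The map of known keys is where the whole scheme stands or falls: if an attacker can slip their own key in under the victim's name, Verify would happily accept the forged message, which is why the comment later in the thread stresses that the handling of keys, not the signature math, is where most slips happen.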
That would be of interest to me to go through with you. It has been a long time since I've had to personally focus on encryption, but I still like to stay up to date with the latest security issues as time allows for it. So if a session gets setup for all IE'ers then count me in. Otherwise, maybe I can find time to go through it one on one with you some day.
hh:="It is certain that you can't predict all the threats your systems may be exposed to."
careful: we do not want to adopt a defeatist position. like the coach who, before the Friday night game, complains "ain't no way we can beat these guys"
you would fire him on the spot
~~
that aside we do need to change our plan for defense: move the perimeter in so that we have a smaller "attack surface" to defend
this is what "sandboxing" is all about: we defend the O/S and sandbox the applications
just like it was 1965 and we just learned how to do multi-programming on a System\360
Except now we need to learn security ( e.g. RACF ) as well. It is in the Security Software that we determine what an application is allowed to update
keep it tight
but, for consideration: our biggest problem now is executable documents. all modern documents, web pages, spreadsheets, PDFs -- what have you -- may contain executable scripts such as JAVA or Visual Basic ...
as a result we must be careful when we allow such documents to be moved from one directory to another, and particularly where they may be picked up by a user or process that has sensitive update privileges
this is the toughest problem area on the table now
I repeat my offer here: anyone who is a regular on IEv who wishes to learn more about Public Keys: I'm willing to help you learn.
what you need:
Thunderbird, with ENIGMAIL and GnuPG ( all free/open source software ) (Windows, or UBUNTU) -- or --
Outlook with PGP\Desktop. I use Thunderbird\ENIGMAIL\GnuPG myself so if you are going to use Outlook\PGP we'll have to work thru it. but it should not be difficult.
Perhaps one day Nicole will allow us to have a Digital Authentication section online
As always you present the most useful information and references. I like that Zimmermann actually illustrated/quoted that compromised computers with encryption are no better than one without it (summary in my words).
It does go to show that no matter how well a technology may be illustrated, if it is not followed and implemented correctly then it matters nothing as an end result.
CV:="And as with all authentication, the community needs to also realize where and what they are dealing with. "
yes
Phil Zimmermann discusses the question of "Protecting Public Keys from Tampering" in his original essay on PGP see http://www.pa.msu.edu/reference/pgpdoc1.html#section-7.7
did the people who developed x.509 adhere to this ?
no.
they just said 'we'll do it for you'
what's the result? because the computing public generally doesn't understand public keys or how to care for them the subject is not well attended. as a result there have been a few monumental slips and now the whole idea is generally not trusted although it is the handlers who are at fault not the actual key processes.
one of the important notes in Zimmermann's essay is that encryption is not reliable in a compromised computer
It is certain that you can't predict all the threats your systems may be exposed to. Even if you do you may not be able to fix them before an attack happens.
Your statement is so very true. "in my view the whole IT community needs to study and learn to use digital authentication" And as with all authentication, the community needs to also realize where and what they are dealing with.
You have stated many times over in several articles about how the various encryption methods can be utilized (either individually or combined) and that plays a huge part in the aspect of digital authentication. Spoofing a site or, moreover, a site key is possible if the people that are looking to "hack" a system or personal information understand what they are doing. The average end user would be none the wiser. So the responsibility falls back onto the IT Community to have a better understanding and ensure the digital safety to the user base.
What do you think is the hardest? I think the first trait is really hard, because it involves predicting vulnerabilities that you don't know about but what do you think?
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.