Over the next few weeks or so I will be focusing on issues of trust, these blog posting will cover the following sub topics:
- What is trust?
- Trust in Relationships
- How is trust different in computing?
- Trust based technologies
- Behavioral analysis
- Future thoughts on behavioral analysis
rm -r bin/laden
# cd Iraq/Al_Qaeda
Al_Qaeda: does not exist
I was searching for a new iGoogle gadgets to add to my iGoogle dashboard for my security research and came across something quite interesting. If you search the iGoogle gadget directory for “mcafee security” you come up with some interesting spam gadgets that are using the images to advertise within the directory’s search results titled “Do you know?”. I’ve not been brave enough on my production machine to click to add them but I imagine there’s some nice malware linked if a user were to add them to their iGoogle and click on the links the iGoogle gadget creates.
Check this screenshot:
Try the iGoogle Directory search by clicking here
.
In a surprise move by AT&T Kevin Mitnick (famous social engineering hacker) was told he was too difficult to protect by AT&T and his accounts terminated. Its funny that a corporation with so many customers would do such a thing to such a widly syndicated person. If I were AT&T I would take the oppprtunity to use Mitnick’s accounts as a honeypot adding extra monitoring so I could boost security, but instead it appears AT&T decided it was easier to boot him out. Makes me wary of using AT&T because it says to me they lack dedication and proper infosec strategy. Who am I though? I am only one voice in a very large crowd.
Story source:infosecnews.org
Recently I made the statement to a colleague that compliance is not security and he got all up tight and disagreed with me. But even after our little debate it’s still truely my belief that although security and compliance are intertwined and compliance has driven companies to do much more security than they would have without it, compliance does not equal security. Here is how I explain the separation and what I would encourage you do at your own company.
How do we define security?
Security is an ever changing and unattainable goal that probably began when humans first battled for the availability to keep and retain life supporting resources such as food and water. Back then I imagine a big hairy man and woman guarding over the food they gathered the day before or the land with water on it. Today what we protect is more complex and consist of such things as money, intellectual property, goods, services etc. One thing that many of us tend to forget is that things we do in our lives and the jobs we have still equate to protecting our basic staples from the threat of having them taken away.
What is Compliance?
Compliance in the past was a simple process of checking that a family member were stationed appropriately to keep watch over our valuable goods. They would simply ensure that the person had the right amount of sleep, coffee or tea to keep them up if they had night duty, or the family would ensure they had something to wake them in the event one of the barn doors were to open or a host of other small things done to ensure we’d trigger a response. Compliance is basically a process of “checking” to see that we are doing what we know we ought to do.
Why is security not compliance?
The fact is the family could ensure that all the protections were in place and that the right person were out guarding the fort but meanwhile someone could be digging under the ground right past the guard or hiding behind a bush and moving it closer to the food each time the guard looked away. Compliance sets the BASIC known mechanisms of protection, what compliance does not do is protect against the unknown or the “being discovered” through active research. So my advice to all the security practitioners out there is sure comply…. but then focus on security and create for yourself what I call “natural compliance”, the act of being ahead of the game. Cutting edge security requires that you go beyond the known and invest in technologies that will protect you even if not required by a law or regulation or policy. That my friends is how I make the distinction between security and compliance.
Peace!
Something interesting you may want to check out is the Symantec website that shows stats on the websites with the most threats detected. It is astounding the number of threats some sites have. Some have had threats for over 5 months. Now I have to be critical here that Symantec should be a good netizen and follow up with the ISP’s that host these to remove these sites, at the very least it should be attempting it and showing that in their reports.
Check out the report website here
Saw a report today at CNET by Trend Micro that talks about how facebook apps are being loaded that spread malware across their network. I would venture to say that anyone that allows applications to be uploaded into a modular architecture such as facebook without a complete security review before deployment to users is asking for these issues to exist. I call upon facebook to implement code review and code scanning technologies in the process of their apps submission. It comes back to proper SDLC like always.
The CNET article is here
Join Silicon Valley and San Francisco ISSA and the Bay Area InfraGard for our annual Cornerstones of Trust 2009 security conference in Foster City, CA on October 14, 2009. The theme of this year’s conference is “Meeting Security Challenges in Changing Times”.
If you are in the San Francisco Bay/Silicon Valley area security community, Cornerstones of Trust 2009 is the place to meet top security experts from the business and technology communities and learn about real world solutions. Come and find out how other companies are effectively and successfully managing their security postures in these changing and challenging times.
Featuring Two Keynote Speakers:
Morning:
Mark Weatherford, Executive Officer and CISO of California Office of Information Security and Privacy Protection
“Security: From the Left Side of the Equation” Future threats, much ado about SOMETHING
Afternoon:
Pascal Levensohn, Founder and Managing Partner of Levensohn Venture Partners
“Why We Must Develop a New Model for Collaboration in Cyber Security: A Perspective on America’s Innovation Crisis”
Featuring Four Parallel Tracks (including both panels and individual presentations)
CPE credit
Earn 8 CPE credits when you attend
Exhibitors
Food and Entertainment
Vendor Raffle Prizes
Who should attend?
Registration Costs
|
Level |
Pre-Pay |
Day of Pay |
Type |
| Member | $60.00 | $70.00 | ISSA & InfraGard |
| Associate Member | $90.00 | $100.00 | ISACA, ASIS, ISC2, OWASP |
| Non-Member | $120.00 | $130.00 | Any |
-
In a very interesting development both McAfee and Symantec seem to be way behind the curve in terms of Malware detection in their On-Demand scanning technology. The funniest development in my opinion is that of all companies Microsoft has taken the number 2 spot. It appears that Microsoft is getting serious and the smaller vendors are really taking names.
Check out the latest May 2009 AV-Comparatives test located at the URL below:
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
Microsoft announced their patches for “Patch Tuesday” with some pretty big vulnerabilities. A summary of the things these patches fix are as follows:
The patches are available from Microsoft here
