Tag Archives: quandary

[ISN] Hacker Drama Mr. Robot Is Scary, Paranoia-Inducing, and Awesome

http://gizmodo.com/hacker-drama-mr-robot-is-scary-paranoia-inducing-and-1713408001

By Bryan Lufkin
Gizmodo
June 24, 2015

If you could hack into an evil corporation’s bank account and shuffle its wealth to the 99%, would you? That’s the Anonymous-era quandary a young, brilliant hacker grapples with in the new USA drama, Mr. Robot, which premieres tonight at 10 p.m. I got a chance to hang out with the cast as they were filming in New York. The pilot’s been up on YouTube for a few weeks now, though—something unusual and refreshing for a cable show—and if you haven’t watched yet, watch. Here’s the gist: Main character Elliot (Rami Malek) is an antisocial computer genius who works at a cybersecurity firm that protects a sinister, Enron-like megacorp. But he moonlights as a vigilante hacker, busting scum like kiddie porn wranglers for fun. One day, he’s drafted by an underground hacker group that’s led by Mr. Robot, played by a scruffy Christian Slater. He asks Elliot to help him unleash cyber doom on Elliot’s uber-rich client in a digital Robin Hood-like raid of history book proportions. Talking to the cast, it sounds like prepping for their hacker roles scared the crap out of them. They talked about putting tape over their laptop webcams, paranoid that someone could hack into it to look at and listen to them. […]


Is compliance making security more difficult?

I’ve not blogged in quite some time, mostly due to being very busy these days. However, I felt I should talk a bit about compliance and how it seems to have changed security from eliminating threats to eliminating compliance gaps.

In the last few years, many regulations have emerged that now control our security initiatives and goals: PCI, SOX, HIPAA, SB1386, the Massachusetts privacy law, and more on the way. Now, I’m not one to say that regulation does not help in some respects, but it often has undesirable effects that cause many security professionals much discomfort.

What I feel has changed in the security landscape is that, rather than targeting the latest “threats”, we find ourselves performing burdensome business processes that do little or nothing to improve the overall security of our companies. One notable pain point is an area of PCI that I think drives many of us nuts: the “log review” provision.

In PCI 1.2, the requirement for daily log review is well intentioned in and of itself, and something I cannot argue with, because most of us don’t do enough of it. What I find difficult is that we end up reviewing things such as “successful logins” or “failed logins” purely to satisfy the stated controls, and I feel there is very little value in doing so. Many companies mandate that system owners review these logs on a daily basis; is that investment really giving us a return? For instance, most companies use domain policies that lock an account out after 5 failed attempts and require complex passwords. That is a compensating control, so monitoring and reviewing every failed login is burdensome and unnecessary. That being said, there is still residual value in alerts or reports of extremely high numbers of login failures, so it does make sense to monitor for those.
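As an added example (not part of the original post), here is a small Python script that applies exactly that filter to sshd-style log lines: it ignores the handful of failures that account lockout already handles and reports only accounts or source addresses whose failure totals are far above the 5-attempt lockout. The log lines, the 20-failure threshold and the 203.0.113.9 address are all constructed for the example.

```python
import re
from collections import Counter

# Matches OpenSSH's failure line; the "invalid user" variant covers unknown accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def make_sample_log():
    """Constructed sample log, not taken from the post: two ordinary failures from one
    user who then succeeds, plus one source failing three times against each of
    twelve accounts (no single account ever reaches a lockout of 5 attempts)."""
    lines = [
        "Jun 24 09:00:01 srv1 sshd[101]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
        "Jun 24 09:00:02 srv1 sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
        "Jun 24 09:00:03 srv1 sshd[102]: Accepted password for alice from 10.0.0.5 port 5002 ssh2",
    ]
    for i in range(12):
        for j in range(3):
            lines.append(
                f"Jun 24 09:{i:02d}:{j:02d} srv1 sshd[200]: Failed password for invalid user "
                f"svc{i} from 203.0.113.9 port 4{i:02d}{j} ssh2"
            )
    return "\n".join(lines)

def count_failures(log_text):
    """Return (failures per account, failures per source address) for the log text."""
    per_user, per_src = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_user[m["user"]] += 1
            per_src[m["src"]] += 1
    return per_user, per_src

def failure_alerts(log_text, high_threshold=20):
    """Report only what lockout does not already take care of: an account or a source
    whose failure total is far beyond the 5-attempt lockout. Returns a sorted list of
    (kind, name, count) tuples; an empty list means nothing needs a human's attention."""
    per_user, per_src = count_failures(log_text)
    alerts = [("account", u, n) for u, n in per_user.items() if n >= high_threshold]
    alerts += [("source", s, n) for s, n in per_src.items() if n >= high_threshold]
    return sorted(alerts)

if __name__ == "__main__":
    for kind, name, count in failure_alerts(make_sample_log()):
        print(f"ALERT {kind} {name}: {count} failed logins")
```

Run against the sample, the two failures from alice produce nothing, while the single source that spread 36 failures across twelve accounts (never tripping lockout on any one of them) is the only thing reported.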

Another issue that I see across the industry is executives making financial decisions based on whether or not they meet these minimum regulations. Often my friends have told me that their companies cut back their budgets once they receive their PCI ROC, their HIPAA compliance report, etc. This leaves security professionals facing the daunting task of justifying budgets to mitigate threats to a management that has already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to evolve so that it addresses threats more directly, by requiring harder-line approaches such as making actual inline IPSs mandatory and in a blocking state, or making application firewalls mandatory. Gone are the days when you could expose an application to the dirty internet without all your defenses in an active state.