Dailydave mailing list archives
Re: Fair and Balanced part 2!
From: Marc Maiffret <marc () marcmaiffret com>
Date: Wed, 8 Jun 2011 13:24:19 -0700
It seems most of these hacks were due to the lack of some basic IT security principles like not getting owned because of SQL injection, by attacks where the 0day exploit might succeed but the malware (that is not proxy aware) should have failed, password re-usage, the lack of separation or even basic VLANing to help segment internal systems and processes, etc... or the rest as MZ correctly put it about folks getting owned through rather common security issues. Now there are probably times when security did not slow down or stop a business initiative before trying to audit these things, but that is probably part of a bigger issue. And of course there are going to be times where you just simply miss something even if you are well intentioned; just hopefully you're not missing it over, and over, and over.

There is a balance to work towards security while also not being a hindrance to a business's ability to be competitive and grow. Surely there are plenty of times where cool things are added that do not help the business but simply increase your attack surface. I think taking what you said and tweaking it a bit, the fact is these companies are failing not just because security is keeping different initiatives from happening but because security is not a part of these companies' culture. You can be sure, or hope, that after the dust settles with Sony that security will be a part of its culture just like it became a part of Microsoft's (product, can't speak for IT) culture. It seems there is something probably more ingrained in human nature that requires us to get our asses handed to us before we care to do things that we do not deem to have a *direct* positive benefit to us. It seems we fail not at technology as much as at motivating people to proactively give a shit. I often talk to doctors about how they motivate their patients to care before it is too late.

There is a great corollary in a doctor telling a morbidly obese person, who just had a heart attack, that he warned them to put down the doughnut box, just as there is the commentary of what is typically said after these organizations are breached. How do you tell Sony to put down the box of Krispy Kreme? Or maybe a less cheeky way of putting a litmus test, along the lines of yours, I would ask:

* Has your CEO ever sent, hopefully regularly, a company wide communication about security that helps build security into the culture? In the way that we saw Bill Gates do so effectively.

* Follow up question: did your CEO do that, then follow up by asking IT to be an exception to no HTML email and outbound port filtering that allows him/her to watch ESPN web television?

With that I return you to our interesting world where the currency of governments is no longer who has the better stealth fighter or the bigger bomb but who has the technical capabilities to steal the intellectual property that leads to economic growth. And by steal I mean by hacking, without even needing 0day, corporations who are not prepared just technologically but also culturally for this threat, all while trying to make their corporations' technology usage mirror more of that of a consumer than an employee employed to do a job.

-Marc

On Wed, Jun 8, 2011 at 12:13 PM, Dave Aitel <dave.aitel () gmail com> wrote:

> I did a foxnews.com interview today at 10:30 about Lockheed Martin, Sony, LulzSec, etc. But I can't find a link to the video, so instead you should watch this video of Mark demonstrating SILICA's new features - http://www.immunityinc.com/movies/SILICA_7.3-release.mov. (SILICA is back up to its normal price of 2500 or so, but if you've only ever used Aircrack or Netstumbler or one of the other open source wireless hacking tools, then you're in for a treat...)
>
> My main theme on the foxnews thing was that you can learn almost everything you'll need to know about a corporation's security just by looking at their corporate structure. On one, very far, side of the bell curve you have companies whose CISO position only appears when they're headlining Fox News and CNBC for getting hacked. Most companies, however, range somewhere more normal. The question I like to ask is: "How often does your security group kill or slow down a business initiative from a business unit?" If the answer is "Very very rarely" then you're looking at a very insecure company. Or a company with lots of "security opportunities", as they say. :>
>
> I know Cigital went around doing a thousand page questionnaire to determine how security was built at various software companies. But you really can boil all that down to "what cool features did security kill".
>
> Ah, and feel free to comment here as well: http://council.smallwarsjournal.com/showthread.php?t=13434
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave