Dailydave mailing list archives

Re: Fair and Balanced part 2!


From: Marc Maiffret <marc () marcmaiffret com>
Date: Wed, 8 Jun 2011 13:24:19 -0700

It seems most of these hacks were due to the lack of some basic IT
security principles like not getting owned because of SQL injection,
by attacks where the 0day exploit might succeed but the malware (that
is not proxy aware) should have failed, password re-usage, the lack of
separation or even basic VLANing to help segment internal systems and
processes, etc... or the rest as MZ correctly put it about folks
getting owned through rather common security issues. Now there are
probably times when security did not slow down or stop a business
initiative before trying to audit these things but that is probably
part of a bigger issue. And of course there are going to be times
where you just simply miss something even if you are well intentioned,
just hopefully you're not missing it over, and over, and over.

There is a balance to work towards security while also not being a
hindrance to a business's ability to be competitive and grow. Surely
there are plenty of times where cool things are added that do not help
the business but simply increase your attack surface. I think taking
what you said and tweaking it a bit, the fact is these companies are
failing not just because security is keeping different initiatives
from happening but because security is not a part of these companies'
culture.

You can be sure, or hope, that after the dust settles with Sony that
security will be a part of its culture just like it became a part of
Microsoft's (product, can't speak for IT) culture. It seems there is
something probably more ingrained in human nature that requires us to
get our asses handed to us before we care to do things that we do not
deem to have a *direct* positive benefit to us.

It seems we fail not at technology as much as at motivating people to
proactively give a shit. I often talk to doctors about how they
motivate their patients to care before it is too late.

There is a great corollary in a doctor telling a morbidly obese
person, who just had a heart attack, that he warned them to put down
the doughnut box just as there is the commentary of what is typically
said after these organizations are breached.

How do you tell Sony to put down the box of Krispy Kreme?

Or maybe a less cheeky way of putting a litmus test, along the lines
of yours, I would ask:
* Has your CEO ever sent, hopefully regularly, a company-wide
communication about security that helps build security into the
culture? In the way that we saw Bill Gates do so effectively.
* Follow-up question: did your CEO do that, then follow up by asking IT
to be an exception to no HTML email and outbound port filtering that
allows him/her to watch ESPN web television?

With that I return you to our interesting world where the currency of
governments is no longer who has the better stealth fighter or the
bigger bomb but who has the technical capabilities to steal the
intellectual property that leads to economic growth. And by steal I
mean by hacking, without even needing 0day, corporations that are not
prepared just technologically but also culturally for this threat, all
while trying to make their corporations' technology usage mirror more
that of a consumer than an employee employed to do a job.

-Marc


On Wed, Jun 8, 2011 at 12:13 PM, Dave Aitel <dave.aitel () gmail com> wrote:
I did a foxnews.com interview today at 10:30 about Lockheed Martin,
Sony, LulzSec, etc. But I can't find a link to the video, so instead
you should watch this video of Mark demonstrating SILICA's new
features -
http://www.immunityinc.com/movies/SILICA_7.3-release.mov. (SILICA is
back up to its normal price of 2500 or so, but if you've only ever
used Aircrack or Netstumbler or one of the other open source wireless
hacking tools, then you're in for a treat...)

My main theme on the foxnews thing was that you can learn almost
everything you'll need to know about a corporation's security just by
looking at their corporate structure. On one, very far, side of the
bell curve you have companies whose CISO position only appears when
they're headlining Fox News and CNBC for getting hacked. Most
companies, however, range somewhere more normal. The question I like
to ask is: "How often does your security group kill or slow down a
business initiative from a business unit?" If the answer is "Very very
rarely" then you're looking at a very insecure company. Or a company
with lots of "security opportunities", as they say. :>

I know Cigital went around doing a thousand-page questionnaire to
determine how security was built at various software companies. But
you really can boil all that down to "what cool features did security
kill".

Ah, and feel free to comment here as well:
http://council.smallwarsjournal.com/showthread.php?t=13434

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
