Last week I offered up 10 (±1) questions to ask your security vendors. Today let’s turn the questions inward and talk about what you should ask yourself to stop doing.
Quit investing in security technology over security people.
Every time we get together at one or another conference we hear it again: “security comes from people, process and technology.” There’s a reason—beyond an alphabetizing coincidence—that technology comes last; people and process are the sine qua non of your security program. So make sure your people have the training and support they need to become (and remain) Advanced Persistent Defenders.
Quit leaving security to “just happen.”
I’ve visited a lot of companies, and I’ve met a lot of smart security folks. They’re passionate about security and about protecting their networks. They almost all intuitively know the right things to do, and the right times and reasons to say “no” to one thing or another. Yet they’re often left to do their work in isolation, without the support (or knowledge) of their executives. Sound familiar? Then a crisis hits and this disconnect becomes a big part of your overall risk. Get ahead of it. Learn from your security practitioners and what they’re doing—or wish they were doing—that isn’t necessarily in their job descriptions or policy directives, and then absorb that knowledge into sensible policies that work for the C-suites and the cube farm alike.
Quit selecting vendors without taking independent testing into account.
Where I work we’re all pretty excited about third party independent testing lately. While it’s true that not all of the very latest whiz-bang tech can be put in a well-defined category and subjected to apples-to-apples comparison, third party analysts and testers are almost certainly thinking harder about these new technologies than you are, and they’re equipped with more data than you have time to accumulate, process and understand. Even if your inclination is to take their findings with a grain of salt, find out what they have to say about the companies and products you’re thinking about investing in.
Quit adding security "after."
It's 2014. And we’re still designing products, applications, data centers, companies and all kinds of other stuff without weaving security into their very fabric. The only way to do more good than harm, and to maximize security ROI in the bargain, is to start with security in mind. As a vague vision for an “Internet of things” begins to take shape before our eyes, security becomes less abstract and more about personal (i.e., bodily) safety. Are you part of the solution or part of the problem? If you’re not sure, at least be part of the discussion.
Quit letting Aunt Susie fend for herself.
Remember Aunt Susie? She’s the one we’re actually trying to protect. She’s the family member who doesn’t happen to be part of the information security community. She works in the front office. She manages finances. She invents stuff. She sees to the actual business of your business. She doesn’t want to be inconvenienced by seemingly pointless security measures, but she also doesn’t want her department to lose a week of productivity due to a breach, and she definitely doesn’t want her bank accounts hijacked by a shadowy mobster somewhere.
To normal human beings, all this hacker/breach/APT/malware stuff is at best an unwelcome distraction, but under the surface it makes the world of technology, computers and the Internet seem less friendly and accessible than it needs to be. So let’s be sure we remember whom we’re fighting for when we make security policy or technology decisions.
What bad habits are you trying to quit in your organization? Let’s discuss it in the comments.
This blog post has been updated (4/15/14) to share our advised next steps for Fidelis XPS users. If you are not a Fidelis XPS user but you have questions on what your next steps should be regarding the Heartbleed threat, please leave a comment and our geeks will do their best to help.
Unless you’re hiding under a rock, there’s no doubt you’ve seen the panic and flurry surrounding Heartbleed. There are loads of reports and technical details available with a simple search; here are the highlights, along with some helpful resources on the issue.
Heartbleed was reported Monday evening as a major vulnerability (CVE-2014-0160) in OpenSSL versions 1.0.1 through 1.0.1f, a bug that had been present since the 1.0.1 release in March 2012. A patch has been released (OpenSSL 1.0.1g) and you can find more information about that here. OpenSSL is an implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It provides the cryptographic functions and utilities whose main job is to keep communications between a web browser and a server confidential and authenticated, and it is also used by any other application that needs to encrypt the data it sends and receives (mail servers, VPNs and many more).
The gory details: the bug lives in OpenSSL’s handling of the TLS heartbeat extension, which is where the name comes from. A client sends a heartbeat request that declares a payload length, and the vulnerable code echoes back that many bytes without checking that the request actually contained them. The result is that an attacker can read up to 64 KB of the server process’s memory per request, and can repeat the request as often as they like. Without any credentials, the attacker can pull out whatever happens to be in that memory: the server’s private key, session cookies, usernames and passwords, just to name a few. This data could be leveraged for larger future attacks. To make matters worse, a heartbeat exchange leaves no trace in ordinary server logs, so the attacker goes undetected. We may never know the full impact of Heartbleed. This isn’t going to be an easy fix. Patching alone is not enough: anything that may have been sitting in memory has to be treated as compromised, so vulnerable systems will have to generate new private keys, reissue their certificates and revoke the old ones, and have users reset passwords and re-establish sessions. Only then can trust be restored in future use of the sites’ services.
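To make the mechanism concrete, here is an added example (not code from OpenSSL or from this post) that models the heartbeat handler of OpenSSL 1.0.1 through 1.0.1f beside the bounds check that 1.0.1g introduced. The "process memory" arena, the request bytes and the private-key string placed next to the record are all constructed for illustration; the point is that a request claiming 1024 bytes of payload while sending 4 gets answered with 1024 bytes of whatever lies beyond the request in the vulnerable version and is silently dropped in the fixed one.

```c
/* Added example modelling CVE-2014-0160: not OpenSSL's code, not the post's.
 * Layout, record bytes and the secret are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                     /* RFC 6520: >= 16 bytes of padding */
#define HB_MAX_RESP  (3 + 65535 + HB_PADDING)

/* Heartbeat message: type(1) | payload_length(2) | payload | padding.
 * claimed_len is what the header says; actual_len is what is really sent. */
static size_t build_heartbeat(uint8_t *out, uint16_t claimed_len,
                              const uint8_t *payload, size_t actual_len)
{
    size_t n = 0;
    out[n++] = HB_REQUEST;
    out[n++] = (uint8_t)(claimed_len >> 8);
    out[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + n, payload, actual_len);
    n += actual_len;
    memset(out + n, 0, HB_PADDING);
    return n + HB_PADDING;
}

/* 1.0.1f behaviour: the peer's 16-bit length is trusted and that many bytes
 * are copied from where the payload starts, however many bytes arrived. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *resp)
{
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                                     /* never consulted */
    if (hbtype != HB_REQUEST)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, p, payload);        /* over-read when payload > bytes received */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* 1.0.1g behaviour: the claimed length must fit inside the record actually
 * received, otherwise the message is silently discarded (RFC 6520 sec. 4). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    const uint8_t *p = rec;
    uint8_t hbtype;
    uint16_t payload;
    if (1 + 2 + HB_PADDING > rec_len)               /* too short to be valid */
        return 0;
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)  /* the missing check */
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Byte-string search; memmem is not portable C. */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */

/* A slice of "process memory": the received record (4 real payload bytes,
 * header claiming `claimed`), immediately followed by a key that happened to
 * be next to it. Returns the record length. */
static size_t lay_out_memory(uint8_t *arena, size_t arena_len, uint16_t claimed)
{
    memset(arena, 0, arena_len);
    size_t rec_len = build_heartbeat(arena, claimed, (const uint8_t *)"ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Run one handler on the crafted request; 1 if the key came back in the reply. */
static int leaks_secret(size_t (*handler)(const uint8_t *, size_t, uint8_t *),
                        uint16_t claimed)
{
    static uint8_t arena[4096], resp[HB_MAX_RESP];
    size_t rec_len = lay_out_memory(arena, sizeof arena, claimed);
    size_t n = handler(arena, rec_len, resp);
    return n > 3 && contains(resp + 3, n - 3, SECRET);
}

int vulnerable_leaks(void) { return leaks_secret(heartbeat_vulnerable, 1024); }
int fixed_leaks(void)      { return leaks_secret(heartbeat_fixed, 1024); }

/* An honest request (claimed length == 4 bytes sent) is still answered after the fix. */
int fixed_answers_honest(void)
{
    static uint8_t arena[4096], resp[HB_MAX_RESP];
    size_t rec_len = lay_out_memory(arena, sizeof arena, 4);
    return heartbeat_fixed(arena, rec_len, resp) == rec_len;
}

int main(void)
{
    printf("1.0.1f handler leaks the key: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("1.0.1g handler leaks the key: %s\n", fixed_leaks() ? "yes" : "no");
    return 0;
}
```

The arena keeps the over-read inside memory this program owns, so it runs without crashing; in the real process the copy walks into adjacent heap memory, which is why anything recently handled by the TLS process is fair game. Note also that the fixed handler does not log or alert on the bad request, it simply drops it, which is consistent with the post’s point that patching alone gives you no record of who probed you before the patch went on.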