Down the Security Rabbithole, The Blog. Herein are thoughts, ideas, musings of my own making. I invite you to think freely, respond, or share. Together we move intellectual thought on our industry forward.
Monday, August 26, 2013
Wheel locks - Theft deterrent or mostly annoying?
- Wheel locks barely add any anti-theft "security" - primarily because thieves can get these things quite easily: you don't need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.
- The inconvenience of losing one of these is immense - if you've ever lost one, or can't find one, you know what I'm talking about. As I was there on the side of the road, getting soaked and cursing up a storm, I wondered where I could get one so the rest of my day wasn't spent calling dealers and trying to get a ride to pick one of these up from a dealer that was less than 25mi away. Very frustrating.
- Wheel locks are expensive! - I'm not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I'm upset and feel like I'm getting hit when I'm already down. Again, very frustrating.
Saturday, August 24, 2013
Bug Bounties are great but...
As in the case of the most recent bug at PayPal, one has to ask oneself whether this was a bug found and diligently disclosed to PayPal only, or whether it was first used by the criminal element and then, when it was used up, disclosed to PayPal to receive the bounty?
I suppose PayPal could have the data somewhere to support either way, or maybe they don't?
I'm not arguing against bug bounties, I've been converted...but I have to wonder whether they are being abused...or maybe it doesn't matter as long as the vendor gets the heads up they likely wouldn't get otherwise? The money isn't massive sums; it's certainly arguable that it's cheaper than hiring many more security professionals on staff...and likely more effective, but... I'm still left wondering.
Bug bounties are great but, how much of a heads up are they really giving companies? Do we even care, for the small fees we pay out?
Thoughts?
Thursday, August 22, 2013
The Startup with a Legacy Problem
Imagine a fictitious organization called the ACME Widget Company, which for the last 50 years has been a business unit within a global widget manufacturer - and last year was successfully spun off into its own specific niche: the widget power unit. The power unit they developed was so good that other manufacturers started coming to them to power their widgets - so a spin-off was only natural, because the new organization was going to be able to build its own market and generate revenue more readily if it wasn't part of the parent widget maker.
Over the past year the Widget Power Unit Company has been busy creating its own infrastructure, hiring entire new departments which never existed before (they were services provided by the parent until a year ago!), generating sales, and manufacturing and shipping those power units all over the world. Business is good and now they're expanding globally to new markets and scaling up their business.
Now I'm sitting around the table with Bill the CIO, Amy the "security manager", and a few other select people who run operations, architecture, and other critical components. Oh, one more thing is critical to think of here - the Widget Power Unit Company is nearly fully outsourced... each department within IT has a manager, but behind them are small armies of contractors. Servers, desktops, networking, applications and other critical pieces, including security operations (I use this term loosely here, bear with me), are all contractors. Making this matter even more complex, they're from different outsourcing organizations. It's the usual list of IT outsourcing suspects, including a small, local boutique company. Ordinarily you'd take a hard look at this type of arrangement and question how this company gets anything done - but I assure you the arrangement, while not optimal, works.
Over the course of 2 days I had the opportunity to do in-depth discovery with all the leadership of the organization's Information Technology group. What struck me is hearing things like "We've never had to think about that before, that's always been provided by the mothership!" from Bill the CIO. This included things like risk management and legal functions!
As we were talking about strategy and trying to determine what his org structure would look like, services they would offer, and their insource/outsource strategy going forward it occurred to me just how difficult of a job Bill had ahead of him. This is a puzzle Dr. House would find worthy of his time, and I'm certainly thrilled to be engaged here.
The big challenge with this type of organizational profile is the presence of what we commonly refer to as legacy systems (systems and applications) that fall into the outdated bucket. Ordinarily start-ups don't face these issues since they're starting with a clean slate - but organizations that are spin-offs often face the worst of both worlds. They struggle with supporting outdated systems and applications which are vital to their mission, but at the same time are often strained to find the people necessary to keep these dinosaurs running.
- People - Organizations that fit this profile have a major issue. You're hiring people who can tend to the dinosaurs, while also trying to hire people who can make sure you're technologically competitive and able to innovate in today's market. Now consider that you are a start-up: hiring is a priority, but your pool of cash isn't endless. Good luck finding an employee who has the skills to maintain your COBOL systems while also helping your organization become cloud-ready. And if you do find one of these folks - good luck affording them.
- Process - Business processes that were largely supported (at scale, as a shared service) by the parent company now have to be replicated, and you need to replicate ancient processes using modern technology - this is a lot more difficult than it sounds if you haven't tried it.
- Technology - You may carry some of the legacy systems and platforms with you from your old situation into the new independent business - but you'll likely not have all the resources, since you didn't manage them yourself. Things like machine management tech (HMI, ICS systems) may come with the plant or factory or office - but other things, like that SAP platform you depend on or the materials ordering system, will probably need to be developed ... and your workforce knows that old system, not some new replacement you put in place. Choosing your technology is a delicate dance of death on a high-wire. You also have to get things to inter-operate. You will likely have some dinosaurs talking to some new systems that are just shedding their shrink-wrap.
Thursday, August 15, 2013
Unmasking th3 J35t3r ... or not
Wednesday, August 14, 2013
Orange is the New Green
Sunday, August 11, 2013
US cyber defense versus the world...and ourselves.
The aforementioned article calls to light a recent publication called "Iran: How a Third Tier Cyber Power Can Still Threaten the United States" from an organization called the Atlantic Council. Interestingly enough, without even having to read the publication or attend the event they hosted, if you've been paying attention to the 'cyber' aspect of our daily lives you can start to see how even a "tier 3" country like Iran can, and may well, cause substantial damage - financial, political and maybe in terms of human lives - to a "tier 1" country like the United States.
I'd like to take a slightly different perspective here, as you all already know me for doing. I'd like to point out a painful fact that the United States government is causing a large portion of its own demise. Allow me to explain...
What do countries like Iran, Syria and perhaps even China have in common? Once you get past the rebellious faction of the population you quickly come to the nationalists. To an outside observer, actors from countries like Syria, Iran and China are burrowing deep into the infrastructure of the United States (and other countries too), largely supported by their governments. These attacks are driven by nationalism to a degree - for example, look at the Syrian Electronic Army (SEA) - and fueled by the brainwashed hate of western society and the US.
Now, by itself this would all appear to be standard operating procedure and something the United States will simply have to deal with. But judging by the global news - and this very well may be because countries like China, Iran and Syria have tight control over their news outlets - while the nationalists from these countries are fighting the United States, the United States is fighting not only them but also internal battles with its own citizens. This I blame largely on the corruption inside the US, which has reached a fever pitch. It's not that this kind of unrest didn't exist before - only now we have the Internet and connected systems, which can potentially open a dam and flood a town because it was mistakenly connected to the open Internet.
If you're in the business of protecting United States critical infrastructure, you have an interesting adversary model to build. On the inside you have groups like Anonymous (which by now we all know) and other hacktivists, and on the outside you have organizations like the Syrian Electronic Army and APT1. That is not an enviable position to be in.
One has to wonder whether the lack of a catastrophic incident involving a cyber aspect inside the United States is due to the tremendous skills of the defenders, the enemy biding their time, or simply incompetence and dumb luck... whatever the real cause this is not a good position for us to be in.
I can tell you this with reasonable certainty - adversary models would be a whole lot less complex if we didn't have an ever-expanding internal threat at a level equal to or greater than the external threat. Maybe it's time to rethink US internal and foreign policy ... and maybe that is the lesson of cyber?