May 30th, 2009
The whole political maelstrom in Washington is entirely too binary for my taste.
Should we have a cyber czar or not?
First of all, this is an age-old discussion. Many of us lobbied for national cyber leadership nearly two decades ago, but Congress and the White House said, “it’ll never be an issue.”
Wrong on count one.
Two. This binary thing, from Ms. Hathaway to Obama’s House to the NSA or DHS… this is the modern equivalent of eminent domain, the 19th century national political dynamo that resulted in Native American genocide. This is a political land grab for control… and that is not what we need now.
What we need is Leadership. We need the kind of leadership… not control… that will find realistic, real-politik, global sensibilities and balance them against our national (Western?) interests. Not to mention, some 3 million geeks (good hackers, please…) will need to be mollified and included in the process.
I sat with some Fed-types at InfowarCon a couple weeks ago and told them they had to get over the fact that the very people they need to work on national cyber security are the least likely they are to hire… under current policies.
For example: What government security clearance goon is going to approve a metal-detecting, pot-smoking, un-educated (formal) smelly character with Asperger’s Syndrome to develop technology to bring the Dubai Tower elevators to a grinding halt… and be assured he won’t attack the Sears Tower in response to a billing error?
Those are the folks we need, and only a major re-think of what we mean by leadership is going to allow us to approach national security in the asymmetrical way we must… if we ever expect to successfully defend our cyber-borders.
Posted in Uncategorized | No Comments »
May 24th, 2009
Recent studies show that the SMB (Small and Medium Business) sector is getting nailed by botnets and hostile code with greater severity than Big Business. They don’t have the budgets, IT staff or security experts on staff and so, well, they get nailed.
In fact, a friend of mine runs a fairly large construction company in British Columbia, Canada. He is the epitome of the SMB market. He called me with ‘Troubles’.
His network was at a standstill. His e-mail was down… and he was freaking out. His IT guy, a friend of mine who is not a security person, wanted me involved.
The answer was comparatively simple, inexpensive and workable.
1. Keep your internal data and applications server(s).
2. Keep your existing end-point applications.
3. Use the usual mess of A/V, spyware detectors and so on at the proper places in the internal network.
4. Get rid of your own mail server. Outsource it for like – what – $10 a month? Let them be responsible. If you want your QoS to be higher, pay $100 a month. Just admin the user accounts and use a decent client at the end points.
5. Get rid of your SharePoint server, your internal collaboration servers ad nauseam. Write down a set of specifications and features you want. Search for the SaaS cloud-based product that meets the majority of your needs. (Nothing is perfect.) Outsource it – SaaS – and let them have the headaches.
Dave took my advice. He saved $15,000 on new hardware. He saved dozens of hours of techy time. He reduced the admin time our friend was handling (to his relief, too). He set up a cloud-based collaborative environment for his back office intranet for $149 a month.
He’s happy. And much more secure than ever before.
May 12th, 2009
Boy the media likes being wrong. It’s H1N1 not swine, pork, pig or ham flu. The FUD frenzy caused Egyptians to kill off enough pork to infect all of Afghanistan’s poppy fields for a year. But never mind…
They think the swine… oops… H1N1 might come back in a few months or next season with a potential vengeance, mutated, resistant and the FUD also says that more than a billion people could be caught up in the pandemic.
If this was a computer virus/worm like Conficker or other hostile code that we know about in advance, we’d start reverse engineering the code and tell folks to behave themselves more than ever.
But H1N1 presents another security issue. Let’s hypothesize that this is all real and that masses of people are going to get sick-sicker-sickest.
How do you, the corporate exec, security guy, or whatever plan for 15-30% of your staff being out with the flu? Some companies use temporal dispersion to avoid having all execs and mission critical folks sitting in one physical location every day.
But will the same rules apply with a pandemic?
I don’t begin to have an answer other than this: every company that has global presence with volumes of on-line people integral to their business continuity had better get a game plan started.
I’ve always called it Graceful Degradation. Technically this means, “how can I conduct business with certain key portions of my infrastructure broken.”
When it comes to H1N1, Graceful Degradation needs to apply to the human domain of the Integrated Security Triad.
Think about it. Or better yet… assign it to HR and make them come up with a plan!
March 12th, 2009
A cop comes to your house. “We need you downtown, now.” And you’re expected to drop everything… even though you have no legal obligation to do so. Authority says to comply.
“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority speaks and too damned many people listened. (Someone – a lot of someones need to go to jail for that one.)
Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.
“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”
“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”
The sheep or lemming mentality – whatever you call it – is responsible for the astounding findings that 23% of corporate workers will fall to spear phishing attacks. So, I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.
They might provide personal data; they might respond to the e-mail or click through to the hostile web site.
Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.
The Intrepidus Group’s study showed a few things quite clearly:
- Intimidation and authority in e-mails work. 23% positive response is insanely unacceptable.
- Current corporate user training is not effective.
- Companies are not practicing penetration studies against people; just technology. Stupid, stupid, stupid.
- People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.
What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective? You bet.
March 10th, 2009
I am a phisher and scammer.
I had put up a couple of my laptops for sale on my local Craigslist. Sold ‘em that PM.
I soon received a couple of “I want to buy” messages from a couple of guys in Nigeria. They offered more than I asked to include shipping to Sub-Saharan Africa. They wanted my PayPal account, which is fine, because it’s just an e-mail address.
Then I get these emails from ‘PayPal’, to an address I do not use with PayPal itself, saying “It’s paid” and “Ship Now”, and so I am having gobs of fun winding these ***holes up. They are threatening legal action from PayPal, and acting all tough. The cool part is that I am able to document it all. I’ll post it when I get through this game and you can distribute it to your users, and family noobs, to help buy them a clue.
This is fun!
March 1st, 2009
I really like being un-PC. It is a self-protection mechanism, and besides, after 25 years of security and infowar, I have a right to be somewhat paranoid.
Cisco says there are 4 classic user mistakes. I beg to differ. They say:
- Tailgating or letting people in to offices or past security ID card checks is rampant. Screw polite. “Yo, dude. I am paranoid. I’m gonna shut the door in your face and you can use your own badge to get in.” (OK, that’s after a few drinks, or when I am losing a football bet, but point made. Be polite if you have to.)
- Wireless access points being installed by users. I mean, WTF, mate? C’mon already. This occurs because companies don’t offer a DMZ or a safe route to the Internet for visitors. Simple answer: Install your own wireless network, provide employees with the WPA code and be done with it. Anyone who sets up a wireless network without security or IT approval should be forced to eat nothing but beets and rutabaga for a month.
- Sharing private company data with unauthorized people is the result of poor training… and I daresay, the feeble minded HR-wonks and legal types who are afraid to actually enforce policy. Fire ‘em. Prosecute them.
- Mishandling corp data… like putting it on a USB stick or mobile PDA.
My list is a lot longer. Have you seen the irresponsible passwords allowed to pass muster in many companies? How about letting Microsoft documents leave a company in native format, not sanitized? Adobe was made for a reason.
I could go on… and I am sure Cisco and I would agree on a lot more problems… I just hated seeing it limited to four.
February 25th, 2009
German authorities today made this grand announcement: “The Internet is full of security holes.”
Where the hell have they been for the last two decades?
Some big announcement from the German government’s Federal Office for Information Security. Crime is on the increase. More viruses, worms and malware.
Have they not had the opportunity to participate in this discussion, offer solutions or otherwise help?
We don’t need more FUD or repetition of the obvious. “Hackers can also exploit security breaches on popular web sites…” is not constructive.
Their own studies support that users are clueless, with no A/V, firewall or other reasonable security practices. Then again, they are all probably using Windows.
February 20th, 2009
I just watched a moving film about a fallen Marine who died in Iraq.
Upon his return to the States, a Marine Colonel volunteered to take him home, to his final resting place. The Colonel never let the casket out of his sight. He saw Chance loaded onto the hearse and then into the cargo area of the airport. He supervised the loading onto the first flight, and then spent the night with the casket in a Minneapolis airport holding facility. The following day he saw that the body was properly loaded on the connecting flight, off of that flight and into the receiving hearse.
The Colonel made sure that every honor and dignity was shown to his fellow Marine, and stood with him until he was finally placed in the ground.
This was the ultimate in respect and security due the most precious asset we can conceive of.
Watching this film is worth every bit of the seventy minutes of your time.