Interested in risk metrics in IT security? Matthew Rosenquist on the sad story.
Having looked into this (in a cursory manner) for Job Stuff, I can relate to the multiple bodies with different, competing metrics.
Article: “Why security and usability don’t go hand in hand.”
Wrong. In fact, so wrong I’ll say it several more times. Wrong wrong wrong wrong wrong wrong. The most succinct way to say why is this:
If it isn’t usable, it’s not secure. If it’s not secure, it isn’t usable.
Not only do they go hand in hand, they absolutely must go hand in hand. These are not two axes that must be constantly balanced against one another. That view is outmoded and grounded in the idea that we make something secure by making it less usable, and you make it more usable by making it less secure. Why must that be?
Consider this: if something is “secure” but not “usable,” what will those who need to use it do? Figure out a way to make it usable, which will almost certainly obviate whatever security measures were put into place. If something is “usable” but not “secure,” well, that speaks for itself. Expect to see articles on pogowasright and security mags lambasting your laxness.
I’d say I can’t believe this is even a question, but obviously it is, ergo I must believe. But I don’t have to be happy about it.
I’d like your opinion on whether we need to be doing anything in particular in relation to the Conficker worm. Is it anything you guys are concerning yourself with?
— my former manager in an email
I am honestly surprised at the coverage that the Conficker worm (aka Downadup or a few other names) is receiving.
It is a serious problem, and worthy of attention. So is any other worm. Its original form exploited a brutal vulnerability in Windows, one of those “here, kind sir attacker, I place all my resources at your disposal, please treat me gently” sorts of problems, and it exploited the problem fairly well, generating millions of infections.
But that vulnerability was fixed in October 2008. On our campus it could have been bad; in January I found nearly 200 machines lacking the MS08-67 patch. With some aggressive scanning and network disconnects, we had that number down to a handful of isolated machines by the time MS09-01 came out. We saw 0 Conficker infections, despite security policies and management attitudes that a pessimist would say haven’t changed much after we got absolutely hammered by Code Red and Slammer. Two years ago, Storm was a genuine problem on campus, and every day we get dozens of notifications of one security issue or another.
This is not to say that our experiences with Conficker mirror those of the entire outside world. China’s apparent infection numbers are a full order of magnitude greater than any North American or European country. Brazil and Russia have been vulnerable as well. But the North American press is approaching this as an apocalypse, when the figures just aren’t there to back this up: total US, Canadian, and Mexican infections are less than half of Russia’s.
Worldwide problem? Yes.
Serious issue? Yes. It’s a worm, but one whose spread is mitigated by proper patching.
Problem for my co-workers? Not really. Keep pushing and improving your security policies, and you’ll be all right.
References, in increasing order of technical complexity:
Verizon Business Security
SRI International writeup
An essential part of computer forensics is talking to the user. I talk about this in the presentation I gave to the campus technology conference last December and will probably be re-addressing that this year.
A key thing to remember is that talking to the user is the beginning of your forensic process, not the end. Too many people are willing to take what our users say at face value – “no, I don’t run P2P software,” ok, so it must be something else. Sometimes it turns out that the something else was Skype or some television viewing software. Both of those are (or can be) p2p as well, but since they’re not BitTorrent, people forget about them.
This is not to say that we need to approach our users in a hostile manner, as some do – that is counterproductive. Rather, we need to take our time and doublecheck: “ok, so you don’t use p2p, but this behaviour just started – what have you installed lately?” Sometimes that approach yields the answer you need. Other times, it’s more digging.
This post was brought about because we’ve been seeing a lot of alerts on possible Kraken activity on our network courtesy of our Snort sensor, but in the one response I’ve received, it was to say “oh, I reinstalled the workstation, so no problem.” I’d even asked specifically if the admin could check to see if there was a problem, since I don’t know how well this rule is working for us.
Another admin did actually dig down, and the user’s response was essentially nope, no p2p, but I just started using this software called UUSee to watch soccer games. Turns out there was a game on the same time we were receiving the alerts. I never claimed to be the sharpest crayon in the box, but I can connect two dots if they’re put down for me.
This is as much for my own edification and future self as anything else. Three system / health monitoring tools of which I’m aware are:
Nagios and the unfortunately-named but always excellent companion nagiosexchange.
Lighter-weight tools are monit and mon. A friend of mine tried the latter and proclaimed it Good, although the names for both of those are pretty crap, especially mon. At least give it a cute tagline or something. Software authors should always google the names they’re considering; think of somebody who sort of remembers the name but maybe not quite, but wants to find it again. If the mighty GOOG returns 10,000 hits, maybe your name isn’t so good after all.