Monthly Archives: February 2017

Feb 24 2017
Leave a comment
Blog Posts

Chicken Little Security

It’s been one of those weeks in information security. The kind that makes me think about raising sheep in New Zealand, because they won’t argue with me about APTs and attribution. In addition to the Java/SMTP/FTP vulnerability that has vendors scrambling, I’ve suffered through trying to explain the following:

While I could probably break each of these down and explain how the sky really isn’t falling, I think Val Smith said it best recently:

Are you able to get an accurate inventory of your network?
Can you rebuild any system, anywhere, in less than a day?
Can you push software and configuration changes, including patches, remotely?
Do you have tested backups?
Do you have enough IT/DevOps to keep your environment stable?
Do you have a tested IR plan?
Do you have proven data sources (logs, netflow, full pcap, endpoint telemetry)?

If you answered no to any of those questions, you probably shouldn’t be too worried about SHA collisions. 

Here endeth the rant.

sha-asif

Tagged , ,
Feb 22 2017
Leave a comment
Blog Posts

Fear and Loathing in DC

Lately it takes a very compelling request to get Mrs. Y to leave the Sanctum Sanctorum and give a talk, but what better topic is there than digital defense? I love the smell of FUD in the morning, whipping people up into a frenzied paranoia, then watching them rush out of the room to get prepaid cell phones and put duct tape over their web cams.

In all seriousness, no matter which side of the political fence you inhabit, no one can argue that government surveillance is at an all-time high. I can’t even get the Security SOC Puppets together in the same room anymore, because they’re demanding a Faraday cage on their contract rider. So I’m happy to offer my perspective and some guidance to help the general public (i.e. nerd-challenged) protect themselves from snooping and digital attacks.

Special thanks to the the former (recovering) attorney and activist who organized the event.

If you don’t trust Slideshare, you can download the presentation here.

Tagged , , ,
%d bloggers like this: