Tag Archives: threats

Feb 24 2017
Leave a comment
Blog Posts

Chicken Little Security

It’s been one of those weeks in information security. The kind that makes me think about raising sheep in New Zealand, because they won’t argue with me about APTs and attribution. In addition to the Java/SMTP/FTP vulnerability that has vendors scrambling, I’ve suffered through trying to explain the following:

While I could probably break each of these down and explain how the sky really isn’t falling, I think Val Smith said it best recently:

Are you able to get an accurate inventory of your network?
Can you rebuild any system, anywhere, in less than a day?
Can you push software and configuration changes, including patches, remotely?
Do you have tested backups?
Do you have enough IT/DevOps to keep your environment stable?
Do you have a tested IR plan?
Do you have proven data sources (logs, netflow, full pcap, endpoint telemetry)?

If you answered no to any of those questions, you probably shouldn’t be too worried about SHA collisions. 

Here endeth the rant.

sha-asif

Tagged , ,
Dec 21 2015
Leave a comment
Blog Posts

Security Threat Levels with a Side of FUD

Today the SANS Internet Storm Center raised it’s Infocon Threat Level to “yellow” due to the recently announced backdoor in Juniper devices. I wouldn’t have even known this if someone hadn’t pointed it out to me and then I felt like I was in an episode of Star Trek. I kept waiting for the ship’s computer to make an announcement so I could strap myself into my chair.

While the level names are different, the colors seem to mirror the old Homeland Security color-coded advisory system, which was eliminated in 2011 due to questions over it’s usefulness.

2000px-Hsas-chart_with_header.svg

According to a story on CNN.com:

“The old color coded system taught Americans to be scared, not prepared,” said ranking member Rep. Bennie Thompson, D-Mississippi. “Each and every time the threat level was raised, very rarely did the public know the reason, how to proceed, or for how long to be on alert. I have raised concerns for years about the effectiveness of the system and have cited the need for improvements and transparency. Many in Congress felt the system was being used as a political scare tactic — raising and lowering the threat levels when it best suited the Bush administration.”

I have a similar experience with SANS’ Infocon and the reactions from management.

Pointy-haired Fearless Leader: OMG, the SANS Infocon is at YELLOW!!! The end of the Internet is nigh!

Much Put-Upon Security Architect: Please calm down and take a Xanax. It’s just a color.

I’d like to propose a simpler and more useful set of threat levels with recommended actions. Let’s call it the Postmodern Security Threat Action Matrix:

Level Description Action
Tin Foil Hat Normal levels of healthy paranoia You can still check your email and watch Netflix. But remember they’re always watching….
Adult Diaper It’s damn scary out there. Trust no one. Remember to update your Tor browser. Have your “go bag” ready.
Fetal Position Holy underwear Batman, it’s the end. Destroy all electronic devices and move into a bomb shelter. The Zombie Apocalypse is imminent.
Tagged , , , , ,
%d bloggers like this: