
Stuxnet update – I recently came across this visually stunning infographical piece on Stuxnet entitled Stuxnet: Anatomy of a Computer Virus, produced for Australian television. I had mentioned in a previous blog that Deputy Undersecretary of Defense William Lynn III had escalated cyberspace to the level of a frontier equal in defense worthiness to land, sea, and air in his plea to recruit from the ranks of civilian black, grey and white hatters at the RSA conference in San Francisco. Symantec’s CEO Enrique Salem characterized Stuxnet as the most destructive piece of malware ever aimed at destruction of physical assets, not just information. “Stuxnet was a weapon, the first to be made entirely out of code,” states the piece broadcast on Australia’s ABC1.

Euripides: “The tongue is mightier than the blade.”

Shakespeare: “… many wearing rapiers are afraid of goose quills.”

Thomas Jefferson: “Go on doing with your pen what in other times was done with the sword.”

The modern equivalent of the pen is the QWERTY keyboard. No wonder Bill Lynn was so fervent with his entreatment.  

Continuous monitoring – It befuddles me that some security-conscious corporate entities are content with a risk management framework that doesn’t include a continuous monitoring function. Perhaps it is the perceived cost, complexity, or relative novelty of such a solution? Perhaps CM will follow the adoption curve of such technologies as GPS, where the proving grounds were cultivated and largely funded by federal agencies, with commercial traction gained afterward. In any event, the smoke detector analogy resonates clearly with me. A good smoke detector functions 24/7, is interconnected with other detectors throughout the house, and chirps when the battery gets low. Similarly, as NIST 800-37 Rev 1 points out, “… continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risk as situations change.”

A smoke alarm is not a “disaster audit system” that would notify you if evidence of a fire was detected, say, last week in, say, your broom closet. It is designed to mitigate immediate risk of fire to yourself, your family, and your possessions with a piercing tone far more alarming than the microwave oven or the clothes dryer telling you that the cooking or laundry cycle is finished. For more information on CM, take a look at Sean Sherman’s video briefs, or view the entire on-demand webcast, all of which can be found here.

Back to school – Parents of school-aged children may find this information from KeepSchoolsSafe.org useful. Here are four simple steps you can take to help secure your children from online abuse:

  1. Show an interest in what your child does online
  2. Ask them to teach you about the applications they use
  3. Keep the family computer in a common room for easy monitoring
  4. Remind children not to give out personal information

You can’t fix stupid – Working in the security and compliance software industry causes you to look at the world in unconventional ways. While pulling some cash from an ATM today, I noticed that there were no surfaces that were parallel to the ground. This was of particular interest to me in that I was multitasking (read “I was carrying my lunch, texting, and transacting”) and needed somewhere to put my parcels while punching in the PIN. Upon further reflection, I concluded that this was a design feature, perhaps to keep out the elements, but also to inhibit users from leaving items behind. Which reminded me of one of the most embarrassing moments of my professional life: Years ago I had actually left $40 in the drive-through ATM slot in my haste to move through the queue and fill out my check register (remember those?) to reflect the withdrawal. The moral of the story is that despite PCI DSS 2.0 compliance policy, there is no mandate (quasi or otherwise) to solve foolishness.

And BTW, if you are the person who honked and brought me the cash I had left, ping me via Twitter @Blenmark…I have a gift for you.

  • Blenmark

    A quick follow up on CM and William Lynn's comments at RSA: "Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…" – THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS, OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE, NIST SP 800-37
