
What's the point to do ...

  • 17-03-2015 12:36am
    #1
    Registered Users Posts: 357 ✭✭


    Hi All,

    A quick "sarcastic" question.
    I was chatting with a client (with very little IT awareness) about the security issues, threats, exploits, antivirus, protection, hacking and our "friends" and so on...
    At the end of the coffee chat, he asked me... what's the point to run all these policies and protection and so on if the security of my network is not guaranteed 100%, my data is being backed up on some "third party server" and I will get hacked by some unknown known methods!?

    To be honest... I've been left speechless!

    help... !?


Comments

  • Registered Users Posts: 1,835 ✭✭✭BoB_BoT


    There's an analogy I keep hearing in relation to data security, it compares using security to having a lock on your front door. Sure, someone will try to find a way to pick the lock, find a spare key, hell even break down the door... but your intent is to keep your house secure. If you leave the door wide open, you're practically welcoming strangers into your house at all hours of the day.

    At least with security (or the door lock in this case), you can tell if someone has kicked down the door or there's scratches on the lock where someone tried to fiddle with it.

    You have a duty to protect your data, if you leave it open to the world without any protection, it's fair game in my eyes. Might not be legal in taking it, but you didn't put up much of a fight.

    Data security when there's human interaction will never be 100% secure.

    Also with data protection, if you want to be sure it's going to be safe as possible, run your own server, with your own encryption, with point to point encryption. If you want super paranoid total control of your data in a cloud environment, you'll have to do the frontend, backend and transmission protocols all by yourself and that won't be cheap :P

    At the end of the day, if you have staff who have access to the data there's always a risk of them having their accounts breached. In your case, your client, who has very little IT awareness, will want full access and control of his company's data; in all likelihood he'll be the one to be breached.


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    I'd imagine it's rare that one of your clients would be specifically targeted, that stuff is generally left to Fortune 500 companies who won't quite meet the same morals as the hackers.

    When it comes to small companies being "targeted", I'd imagine it's down to path of least resistance. If someone is scanning IPs and comes across a couple with some security and some without, they're more than likely going to attack those without as it's more than likely going to be easier.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Solutions can only enable you to aid in the protection of any environment. No one solution will do that. It's a tricky thing to do, but you must employ a platform of multiple solutions or an all in one effort - as per earlier, no one solution can do that. You are reducing an attack surface and tying up loose ends and endpoints, culling avenues of attack and trying to reduce the overall visibility, as a weak sick animal lying out on the plains ready for the attack.

    Kinet1c is spot on. Once you become a targeted attack you really have no chance whatsoever if you do not employ these solutions, as with APT attacks the payload is new every day and not recognized by scanners and sandboxes. Scanning for known pattern files and code sets is useless with targeted malware driven breaches, as once they are under the skin it's curtains for the defense side of things.

    Why would you be a target? Maybe you're a good platform to island hop from, or you deal with the intended target and have some admin privileges on the true end target's systems. Your general security is observed as very low and full of holes - then really you are asking for it.

    Heuristics monitoring, intrusion prevention, virtual patching or actual patching, rigorous control of the DATA flow in, around, and out of the company is paramount; without it you are running around the streets naked with a jar of vaseline in your hands shouting "NEEEEXT!"


  • Registered Users Posts: 2,683 ✭✭✭zweton


    dbit wrote: »
    Solutions can only enable you to aid in the protection of any environment. No one solution will do that. It's a tricky thing to do, but you must employ a platform of multiple solutions or an all in one effort - as per earlier, no one solution can do that. You are reducing an attack surface and tying up loose ends and endpoints, culling avenues of attack and trying to reduce the overall visibility, as a weak sick animal lying out on the plains ready for the attack.

    Kinet1c is spot on. Once you become a targeted attack you really have no chance whatsoever if you do not employ these solutions, as with APT attacks the payload is new every day and not recognized by scanners and sandboxes. Scanning for known pattern files and code sets is useless with targeted malware driven breaches, as once they are under the skin it's curtains for the defense side of things.

    Why would you be a target? Maybe you're a good platform to island hop from, or you deal with the intended target and have some admin privileges on the true end target's systems. Your general security is observed as very low and full of holes - then really you are asking for it.

    Heuristics monitoring, intrusion prevention, virtual patching or actual patching, rigorous control of the DATA flow in, around, and out of the company is paramount; without it you are running around the streets naked with a jar of vaseline in your hands shouting "NEEEEXT!"

    lol:pac:


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Two men are walking through an African jungle when a leopard walks out in front of them. One of the guys takes off his backpack and starts pulling on a pair of running shoes. The other guy says to him, "What are you doing? You can't outrun a leopard!". And the guy replies, "I don't have to outrun the leopard. I just have to outrun you".

    Corporate Information Security is the same deal. You don't need to out think the hackers, you just need to run faster than the other potential victims.

    Interestingly, cryptolocker and its variants could do more to improve the general level of InfoSec than any other single thing since the invention of the firewall. Clients of mine, some of whom have been lax, even negligent in their approach to InfoSec in their organisations have become a lot more engaged when they have been asked by superiors about the threat of cryptolocker.

    Losing data that gets replaced from a backup a day later, losing a day's productivity, was perfectly acceptable to many. Losing data because it's been encrypted and having to pay actual money to get it back, and there is no guarantee that you will get the data back, is a lot scarier. A question I keep being asked is "How do I prevent us getting cryptolocker?".

    They look disappointed and just a little bit guilty when I tell them "By following all the advice we have been giving you going back years".


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    If for a moment, you consider that in reality nothing is ever entirely secure, rather that there are levels of protection that are consistent with levels of resources that you apply to the complexity of your prevailing scenario then imho security is a question of risk management.

    Your client should, as part of their corporate risk management identify information security or technology security as a corporate risk, conduct an analysis of its constituent parts (simple likelihood v impact score lines, and identification of remediation costs) and then make an informed business decision as to what to do along a continuum of "do nothing" if there is zero impact of your information security risk assessment, to "invest lots, build a team, 24x7 monitor, alerts, alerts, alerts, patch, harden, iso27x, etc..." if their business is critically relying on their information (and/or devices) being secure and where the remediation costs can be provided for. This is a delicate balance.

    To build on the analogies above;

    If there is nothing of value in your house then you won't mind the thief helping themselves to it. If there are items of significant value then you will deploy means consistent with that value in terms of protecting those items (locks, alarms, rottweiler, food for rottweiler!!, security guard, gun, electric fence, etc.., etc..).

    If everything was unimportant then there would never be any need for information security to be applied. But the real world generally isn't like that. Something will be important to somebody, somewhere..... and hence need security to ensure it isn't compromised or made off with.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Maybe the person would understand a game better?
    http://targetedattacks.trendmicro.com/?linkId=13121721


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    Two men are walking through an African jungle when a leopard walks out in front of them. One of the guys takes off his backpack and starts pulling on a pair of running shoes. The other guy says to him, "What are you doing? You can't outrun a leopard!". And the guy replies, "I don't have to outrun the leopard. I just have to outrun you".

    Corporate Information Security is the same deal. You don't need to out think the hackers, you just need to run faster than the other potential victims.

    Interestingly, cryptolocker and its variants could do more to improve the general level of InfoSec than any other single thing since the invention of the firewall. Clients of mine, some of whom have been lax, even negligent in their approach to InfoSec in their organisations have become a lot more engaged when they have been asked by superiors about the threat of cryptolocker.

    Losing data that gets replaced from a backup a day later, losing a day's productivity, was perfectly acceptable to many. Losing data because it's been encrypted and having to pay actual money to get it back, and there is no guarantee that you will get the data back, is a lot scarier. A question I keep being asked is "How do I prevent us getting cryptolocker?".

    They look disappointed and just a little bit guilty when I tell them "By following all the advice we have been giving you going back years".


    We see it every day. People whinging about paying for a solution and yet cryptolocker has struck again. It's amusing to ask if they have read the white papers and if they fully understand the how and why elements of it. Every time I see a large scale case of this, nowhere in the admin's policy will you find employment of SRPs. Nuking it from orbit, only way to be sure.


  • Registered Users Posts: 9,152 ✭✭✭limnam


    He has a point to an extent.
    Personally I think there's a balance to be had.
    You can spend millions on DLP/IDS/Control Compliance/Latest fad here and still not get anywhere close to "100%", not to mention the staff to deploy them, the consultant to tell them what they need to deploy (sorry syklops). The security admin to maintain it.

    Follow very basic guidelines that don't actually cost anything. Patch all the things, all of the time. Attack surface reduced by 99%. KISS.

    Plus backing up to a 3rd party server sounds like a horrible idea.
    Or maybe I'm too old to understand the cloud ;)

    If companies did the security 101 basics 99% of the time they'd be 99% secure without spending a penny.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    The off prem offerings from MS are stating all the way that they will only hold encrypted data and no keys onsite, thus promising fully secure off prem. VMware, on the other hand, depending on how you are provisioned, it's all readable for the most part, and hijacks coming from bad guys nested in the same kernel as you are coming up with some really advanced ways of getting your info, if parked on the same host/cluster.

    AWS, not sure about that platform, but I would imagine they have two tiers for encrypted and non encrypted offerings.

    The problem I have is with crypto: every time I hear someone whinge about the non effectiveness of security tools and ask to see their SRPs, I get that blank look on their face. Seems to me the mass attitude is: if you buy a solution, why be arsed learning how to use it to your advantage? You have 5,000 end users and by not having basic level SRPs you are saying I don't really care what they install ?????

