Comments for Beast Or Buddha

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Jay

Jay — Thu, 11 Mar 2010 13:38:06 +0000

Luke, I think we’re splitting hairs over threat agents, threat actors, blah blah blah. Michael is saying there are new attack vectors which weren’t previously considered but the human factor (e.g. apathy) still exists.

BTW Drazen, APT is not new. At all. I agree with Vanderstock on this one:
http://www.greebo.net/2010/02/03/advanced-persistent-threat-risk-management-by-a-new-name/

Christian, interesting you mentioned Curphey. I caught his update too. Does anyone know the real story behind that move? Sounds like he was too demoralised with security based on exactly that – nothing changes.

Comment on Why is “Commander” still allowed to do business? by Jay

Jay — Thu, 11 Mar 2010 13:32:31 +0000

Dunno who works here. Seems like we’ve got half their staff. LOL.

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Luke O'Connor

Luke O'Connor — Tue, 09 Mar 2010 22:33:59 +0000

Hi, and a good point is made.

I have often thought that IT security people should not be looking at emerging threats, but rather emerging vulnerabilities or weaknesses. The threats – the actors who are ready to exploit weaknesses – do not change dramatically over time.

However what really changes are vulnerabilities, how they can be detected and exploited, and the scale of the impact. So I would say that the smart grid and the cloud for example are not emerging threats – they are not going to attack your banking application – but they are emerging vulnerabilities, and big ones at that.

Comment on Why is “Commander” still allowed to do business? by Commander

Commander — Tue, 09 Mar 2010 21:18:14 +0000

http://www.smartcompany.com.au/Free-Articles/The-Briefing/20080811-Commander-collapse-highlights-the-perils-of-growth-for-growths-sake-Boyd.html

http://www.theage.com.au/business/commander-on-hold-as-banks-call-up-receivers-20080808-3sdr.html

http://forums.whirlpool.net.au/forum-replies-archive.cfm/1031035.html

Comment on Security Consortium Watch….. by BLT

BLT — Tue, 09 Mar 2010 11:33:21 +0000

Thanks for the watch. Nothing of any value has been added to the industry. Grab every player and add them to the list of bullshitters! Cisco, IBM, Microsoft, Juniper, Nokia, Adobe, EMC, SAP, Symantec, and http://cloudsecurityalliance.org/Membership.html

Comment on What’s your “checklist of choice” for an Enterprise State of Security review? by Devman

Devman — Tue, 09 Mar 2010 03:38:03 +0000

Love or loathe it, pcidss has achieved more than anything else. I challenge anyone who says otherwise but support it with something.

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Devman

Devman — Tue, 09 Mar 2010 03:33:56 +0000

Software is the constant in this wherever it is found and whether mobile tech or whatever, it is there.

Bad software has not changed. Bad is bad and in this area, we have not improved much.

As mentioned here before, innovation grows the area of bad software further. We know the reasons why. Don’t let security issues delay time to market. Worry about that later if it becomes a problem.

Apathy in this regard combined with so few smart people in IT who care and have a voice is to everyones detriment.

The basics of the threats haven’t changed. They are dressed up differently and bad guys just finding new creative ways to do the same thing.

We need to look at these things in different ways so this is good.

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Michael Baker (@cloudjunky)

Michael Baker (@cloudjunky) — Tue, 09 Mar 2010 01:41:43 +0000

Hey Drazen (been awhile),

I agree with your point around security threats remaining the same. However I still think there are ‘emerging threats’ in the sense of how these play out in reality.

I am sure you have ‘Mobile’ on your slide-deck but rewind just 3 years and you don’t have the kind of platform available to exploit. The technology has changed and also the threat has increased. It’s a fertile area that will grow the more these devices are connected to the internet – and that is approaching a permanent connection. They are pretty much PC’s now and you have Windows/BSD and Linux sitting there. How many developers do you think have applied secure code techniques to applications submitted to the app-store? Is objective-c able to be exploited by buffer overruns? We know the answer right – same exploit, important new application of it in reality.

Another emerging threat is similar to what we might have experienced 3 years ago and that is apathy. A variation of this is lip-service or questioning the need for security. One scary new threat is employees asking for direct access to the internet (open firewall/no proxy) and also asking prospective employees whether they filter internet connections? You won’t believe me but it’s true. Companies need talent, today’s talent isn’t keen to work in an environment that restricts their digital lifestyle. This leads to a scary compromise. Don’t want to compromise? – Lose talent.

So maybe not emerging threats but emerging trends? Eitherway the world today is a 100 times more dangerous than that 3 years ago. There are more people playing for keeps. Serious, targeted, UFC style hacker dudes.

Lastly look at where security professionals are getting the average organisation? What have they delivered? How have they mitigated these emerging threats (if they have stayed the same since 2002). That’s an interesting topic as well I take it this is what you meant by Emerging Responses.

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Drazen Drazic

Drazen Drazic — Mon, 08 Mar 2010 07:19:38 +0000

Christian,

Thanks for the post referral:
http://securitybuddha.com/2010/03/05/farewell-security-buddha-hello-curphey-2-0/

Reminds me of my first ever post in Beast or Buddha:
http://beastorbuddha.com/2006/11/27/lip-service-only/

Interestingly, it hasn’t dated either. I think I’ve gone on and spent the rest of the years in posts here trying to out all that I see is wrong, all the FUD and other BS in our industry and those things that impact it. Has it helped?

As I’ve said before, if I’ve been able to change for the better just *one* person or thing….well……that would be a pretty poor result.

You need the “fun”….it’d drive any passionate person to despair otherwise. With you.

PS. That CIO I mentioned (who was never a client of this business, SG or SA) is still there I believe. You hear things about his organisation today and you just shake your head!

Comment on “Emerging Threats” – Most “emerged” a long time ago….Emerging Responses? by Christian "xntrik"

Christian "xntrik" — Mon, 08 Mar 2010 06:36:33 +0000

I don’t think you’re being unfair.

This rings some bells from Curphey’s last post, “Farewell Security Buddha – Hello Curphey 2.0″. Nothing really changes, it’s just people that change, and mostly things go round and round. Insource/outsource, thickclient/thinclient, server logic/client logic.

But you know what it’s like. It’s the “machine”, we’re all cogs in it, it wants to keep on turning, and ’sides, I get to go to work and have fun n stuff you know. I mean that’s what counts right? Having fun, watching AC/DC or just drinking some beers.