Heh, a while ago one site was "slashdotted", meaning that a lot of readers clicked on a link in a posted story and simply flooded the target site, effectively but unknowingly causing a sort of distributed denial of service attack.
For fun I coined a few new abbreviations for this, MiDDoS (media induced distributed denial of service) or McDDoS (media coverage distributed denial of service).
Can I have a McDDoS please? -Do you want fries with it? ... :-D
Oh well... That's what you get for being tired. Honestly, "slashdotted" works better. But on the other hand, could someone order this kind of DDoS via the black market? Just ensure someone posts the vital details to a public site, either via social engineering or just by putting the details there.
Liquid Information
www.liquidinfo.net - Security is a mindset
July 3, 2009
June 15, 2009
First weeks in new job
So, I have a couple of weeks behind me in the new job. Things have gone relatively well; I got up to speed after two and a half days of induction, diving right into some work.
The co-workers are quite nice and I've been accepted at least on some level. Time will show how well I fit in the merry bunch. I guess that at some point I can show my value to the company.
I'm also getting used to living away from the rest of my family and they seem to take it pretty well so far. When I'm at home we try to do something fun and I catch up with some manly activities at the house.
May 29, 2009
Back to work!
After a 2.5 month break from working I decided to accept a job offer as a senior security consultant. I will start on Monday. I hope expectations on both sides will be fulfilled and it will be an enjoyable journey.
Blogging most probably will return to normal as most of that 2.5 months was spent on quality time with family, which was a rare opportunity itself. Honestly, I started to have the feeling I need to do something, but on the other hand I wouldn't have needed to be in a hurry.
May 9, 2009
I ran out of basil, can you get me some?
Sorry for not posting anything lately, I have been enjoying time with family.
A week ago I was making some food which I put some basil in. The basil ran out and I tagged it as something to buy from the grocery store. I probably have had too many idle cycles in my brain, because I began thinking about the following.
If you had never seen, touched or tasted basil before, how would you know it is really basil? How have you ended up trusting that it really is? You have probably seen pictures of fresh basil, you have been told by many that it is basil and you have read in literature that it is basil. It is also commonly recognized as basil by the population.
Consider this. You have just learnt to read and have never seen, touched or tasted basil. You're told to go buy basil. Someone could sell you oregano in a jar which simply states "basil" and you wouldn't know. Eventually you would learn more and be able to distinguish between oregano and basil, even though they look quite the same when dried and chopped into tiny pieces. You would be able to go to trusted shops to buy it. In the above example you are probably told that you got the wrong herb, unless the requester doesn't know any better.
So, how does this relate to security?
What I was thinking of is that the management which has to make security and other decisions is like someone who has just learnt to read. The subordinates are like those who could sell oregano as basil. Might sound harsh but that is my perception.
Even if you're equipped with the necessary skills to be able to understand the very details of network infrastructure, hosts, firewalls, applications, patching, vulnerabilities and so on, you still have to rely on others to produce most of the information for you which you base your decisions on.
What I mean is that you don't have a large population inside the company who agree on the current state of these things like you would in my example of basil, mainly because of resource allocations, different skillsets and interests. Instead you have smaller organizations who are supposed to tell you what they see. You are dependent on the skill and ethics of your employees, which on the other hand are affected by tight schedules, money and motivation.
Of course the size of the company and the complexity of the internal organizations affect all this. The larger the company is, the more points there are where things could fail in one way or another. On the other hand, you have more eyes than in a smaller company, which would have fewer but possibly incompetent employees.
Let's imagine there are four steps to the deciding manager: a group of specialists, the group manager, the city-level manager and the deciding country-level manager. In this the city-level manager deals with many group managers and the country-level manager deals with the city-level managers.
On each step from the specialist all the way up there is a possibility that somewhere in the chain oregano is sold as basil, either knowingly or unknowingly. The less peers pay attention to the details (peer review), the larger that possibility.
Being able to measure things (security metrics) helps to some extent but is still prone to misleading results. For example vulnerability scan data gives you the remote and, in some configurations, the internal posture of a host, but what if the scanner itself has a limited view because of firewall rules implemented on the host or in the network? Things would look good on the automated report but the real state of the host would be totally different.
Surely having auditing enabled and a review board examining each firewall rule change would tackle at least firewall device modifications, but you hopefully get my point with the example. Such a modification could be the result of an earlier report: you get a "yes, we will fix it" response, and then a lazy and irresponsible "fix" that blocks the affected ports from the scanner and patches only the necessary services. Motives behind this could be tight schedules and a "we will fix it later" mentality, not understanding the risk caused to the company by leaving the host vulnerable.
That would be you getting oregano instead of basil.
With proper controls, automated reports from different areas, auditing and reviewing things it could be possible to correlate results and mitigate these occurrences of happening to some extent. But without having someone watch over the shoulder all the time you would never be sure, and still there is room for things to go wrong.
Sounds like it is not easy to be a manager who has to make important decisions driving the security (or any) posture of a company forward. But take into account that this also works the other way round: the people below the deciding manager have to trust that fair and correct decision making happens, all the way down to the specialist level. Specialists and upper management could be fed oregano by their middle manager who alters information to suit his own personal goals better, e.g. by painting a rosier picture upwards, which causes the upper management to make wrong decisions that affect the specialists and the whole company. Depressing, huh? But we are humans, after all...
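One concrete way to catch the "blocked from the scanner" kind of oregano is to correlate three sources that rarely get read side by side: the unauthenticated scan, what the host itself reports (an agent or an authenticated check), and the firewall change log. The script below is an added example and not code from the original post; the hosts, ports, package versions and change ticket numbers are constructed sample data, and the version comparison is a simplified numeric one that only looks at the digits in a version string.

```python
"""Correlate an unauthenticated scan with host inventory and firewall changes.

Added example, not from the original post. All hosts, ports, versions and
ticket ids below are constructed sample data.
"""
import ipaddress
import re

# --- Constructed sample input -------------------------------------------------

# The address the scanner scans from.
SCANNER_IP = "10.1.1.50"

# What the unauthenticated scanner saw this quarter, per host.
SCAN_RESULTS = {
    "web01": {22, 443},
    "web02": {22, 443},   # 8080 was open last quarter, now "gone"
    "web03": {22},
    "db01":  {22},        # 3306 was open last quarter, now "gone"
}

# What an agent / authenticated check on each host reports.
HOST_INVENTORY = {
    "web01": {"listening": {22, 443},       "packages": {"httpd": "2.4.6-93"}},
    "web02": {"listening": {22, 443, 8080}, "packages": {"tomcat": "7.0.76-9"}},
    "web03": {"listening": {22},            "packages": {"openssh-server": "7.4p1-20"}},
    "db01":  {"listening": {22, 3306},      "packages": {"mariadb-server": "5.5.64-1"}},
}

# Firewall rule changes approved since the last scan (ticket ids are made up).
FIREWALL_CHANGES = [
    {"host": "web02", "port": 8080, "action": "deny", "source": "10.1.1.50/32", "ticket": "CHG-1042"},
    {"host": "db01",  "port": 3306, "action": "deny", "source": "0.0.0.0/0",    "ticket": "CHG-1001"},
]

# Findings from the previous scan: (host, port, package, version that fixes it).
PRIOR_FINDINGS = [
    ("web01", 443,  "httpd",          "2.4.6-93"),
    ("web02", 8080, "tomcat",         "7.0.76-10"),
    ("web03", 22,   "openssh-server", "7.4p1-21"),
    ("db01",  3306, "mariadb-server", "5.5.65-1"),
]


def version_key(version):
    """Simplified comparison key: the numeric fields of a version string, in order.
    Good enough for the sample data; real package managers have richer rules."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def rule_blocks_scanner(change, scanner_ip):
    """True if a deny rule's source range covers the scanner's address."""
    if change["action"] != "deny":
        return False
    return ipaddress.ip_address(scanner_ip) in ipaddress.ip_network(change["source"], strict=False)


def correlate(scan, inventory, changes, prior, scanner_ip):
    """Classify each prior finding using all three views of the host."""
    results = []
    for host, port, package, fixed_in in prior:
        visible = port in scan.get(host, set())
        listening = port in inventory[host]["listening"]
        installed = inventory[host]["packages"].get(package)
        patched = installed is not None and version_key(installed) >= version_key(fixed_in)
        blocking = [c for c in changes
                    if c["host"] == host and c["port"] == port and rule_blocks_scanner(c, scanner_ip)]
        # A deny covering exactly one address that happens to be the scanner is the red flag.
        scanner_only = [c for c in blocking if ipaddress.ip_network(c["source"], strict=False).num_addresses == 1]

        if patched:
            verdict = "remediated"
        elif not listening:
            verdict = "service_removed"
        elif visible:
            verdict = "still_vulnerable"          # scanner still sees it; honest but unfixed
        elif scanner_only:
            verdict = "hidden_from_scanner"       # oregano sold as basil
        elif blocking:
            verdict = "blocked_for_all_unpatched" # exposure reduced, but the hole is still there
        else:
            verdict = "not_visible_unexplained"   # no rule explains the disappearance; go look

        results.append({"host": host, "port": port, "package": package, "verdict": verdict,
                        "tickets": [c["ticket"] for c in blocking]})
    return results


def verdicts():
    """Host -> verdict summary over the sample data."""
    return {r["host"]: r["verdict"] for r in
            correlate(SCAN_RESULTS, HOST_INVENTORY, FIREWALL_CHANGES, PRIOR_FINDINGS, SCANNER_IP)}


if __name__ == "__main__":
    for r in correlate(SCAN_RESULTS, HOST_INVENTORY, FIREWALL_CHANGES, PRIOR_FINDINGS, SCANNER_IP):
        print(f"{r['host']:6} {r['port']:5} {r['package']:15} {r['verdict']:26} {r['tickets']}")
```

The point of the check is the "hidden_from_scanner" row: the scanner report says the finding is gone, the change log shows a deny rule whose only source is the scanner, and the host still runs the old package. None of the three sources lies on its own; only reading them together shows the herb was swapped. The "blocked_for_all_unpatched" case is a weaker version of the same story and still deserves a follow-up, since the service is reachable from wherever the rule does not apply.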
April 4, 2009
Saturday stuff
Lately I have spent quality time with my family. It has felt good to relax and just set my brain into a different mode, waiting for spring to arrive. On the nerd side, I bought a new laptop battery but it seems 30% of the capacity is already gone. I complained about it; I'm not sure what kind of capacity you should expect anyway, but 30% sounds too bad.
I took my kids' toy train and hooked it up to the USB hub. At least the batteries give some power. Now I'm not sure if there is something wrong with the cabling or what, but the N810 complains about a bad hub or cable. If I use it with a memory stick, it works. Could be that the plug I managed to fit into the power socket is damaged somehow and short-circuits the hub. But anyway, I thought of leaving that project for now, unless a friend has another hub I can test.
In the meanwhile I need something else to work on. Haven't yet figured out what.