It has been said that Information Security is Risk Management, and I agree with that. For any given situation, you have to identify vulnerabilities, threats (ie, "risk"), determine ways to mitigate these, and assign some value to that final level of risk. If that value is gauged to be acceptable to the organization (even if it's your family) then you move forward. But this isn't (or shouldn't be) limited just to Information Security groups - as I mentioned above, the same principle applies at home, on the road, and should also be in the minds of those not actively engaged in InfoSec positions. We live in a time and place in which threats abound, and Information Security is also not about saying "No" to everything; it's about figuring out how to say "Yes" where it's appropriate, and figuring out ways to reduce the risk (this also applies at home, on the road, with our kids, etc).
To keep this from being a totally pensive piece, I'm going to bring it back into the context of the work we do daily. As many of you are aware, a few months ago I experienced an abrupt change in job status, while working in digital forensics consulting. I'm still in a bit of a limbo situation (no, not dancing), but am working a contract gig doing information security. While there are business types that are defined as more at risk of cyber attacks due to industry, I think it should be obvious to everyone by this point that we're ALL under attack. I hear people say things like, "Well, we've never been breached, why do you think it would happen to us?" To that I respond, "You've never been breached? How do you know? Can you prove it?" I personally refer back to Dmitri Alperovitch's statement when talking about Shady Rat that in general he divides companies up as those that know they've been breached, and those that don't yet know.
So what's my point? Well, I'm getting there, albeit a little slowly. My point is that I think people today should have a general awareness of security risks, and that this should occur organically (ie, without having to be told). Even granted that mainstream media doesn't talk about APT, and only mentions the smallest percentages of places that are breached and lose integral control of their data, the info that does get out there should be sufficient. And yet, time and again, people buy cardboard iPads and MacBooks from criminals in gas station parking lots, fall prey to Nigerian email scams, and even fake IRS emails to install malware. But, even if common folk aren't hip to the threat, those in the IT industry will be, right? After all, they've all had to clean up after someone, they follow "geek" news not just mainstream, so they at least will get the fact that there are very real threats out there. Sadly, no.
I was at a presentation recently where a guy who's been working in InfoSec for 20 years told a story about his wife opening one of those IRS emails and following the link. She even put in her social security number when prompted. Then she complained of her computer acting strangely, and told him what happened. He "cleaned" the system by running a scan with an off-the-shelf antivirus/antimalware product, and went on, embarrassed that his wife had fallen prey to a scam. His opinion was that the situation was remediated. Really? You ran an AV scan and that's it? Did you analyze RAM, check network traffic, credit report activity, or do any investigation at all? Nope, just ran an AV scan and called it a day. Wow.
And recently at work we had an internal server that allows certain users to perform certain tasks, return odd results for one user. It was on a Monday morning, and results for that one user all appeared to be in Chinese. Do what? Yep, and just for that one user. We approached the admin about the situation, and as it turns out, on Thursday afternoon of the prior week, the admin for that server had installed some new patch rollups. Patch rollups, not fruit rollups. He felt it was probably related to the patches, as opposed to a compromise. Ok, sounds reasonable, but we still needed to play it safe. We pulled volatile data from the machine and started going through that while the admin investigated the patch scenario. We were quickly informed that the patches were to blame; the admin uninstalled and reinstalled (along with a few more), and said everything was good to go (yes, I realize evidence could've just been stomped on). And indeed, it appeared to be fine, and the explanation made sense. But we asked some followup questions nonetheless, and were greeted with the following response (not an exact quote): "I understand you think you're doing your job, but it was the patches, and it's been fixed. I have a lot of things to do, and don't have time to continue wasting on something that's been resolved." Wow, really? Our boss got involved, and there were some additional conversations...
My question when we received that response was, "Sure, it looks like that's what happened, but can you prove it 100%? Would you bet your life on it? Would you bet the company on it?" Because in essence that's what you're doing by turning and walking the other way, and if you're not willing to bet it all, it's probably the wrong answer. No root cause analysis, and with all the companies falling victim to basic compromises, and allowed to bleed data for who knows how long, and you're willing - as an intelligent IT admin - to say that a system which was serving up Chinese characters is good to go, because of a patch? That seems like a bit of a blind risk. It would have taken so little time to go through our followup questions and answer them, and that would have helped shed great light on the situation, to give us all more peace of mind. I guess I shouldn't be surprised, though. And even if I become so jaded that I'm no longer surprised, I think I still get to be disappointed. ;)
Do I have a solution? I wish I did, but I don't. I understand that education is paramount, but I think it takes more than that. I think it takes an awareness and understanding that there is a clear and present danger (er, threat), and a desire to be part of the solution, rather than part of the problem. And that's what I think is lacking - the desire. The IT guy should already have the knowledge, and the InfoSec guy should have the knowledge. And those are just two examples; I could also talk about the IR guy who has no problem - doesn't even give it a second thought - connecting his laptop up to public wireless. Do we just get complacent and lazy as humans? Or is it that some of us aren't driven and determined to make a difference, and are just trying to get by until it's time to go?
Well, I think that's about all I have. I do want to take a moment to say that there are a lot of folks out there who are driven and determined to make a difference. Just take a look at the blogs I read, for a very small selection. I don't really do the #FF thing on twitter, but I'll give a shout out to Lenny Zeltser as I find his blog extremely practical and helpful. I don't think a post goes by that I don't get something very useful out of it. Thanks for sharing!
For those in the US, have a wonderful Labor Day weekend! For everyone else, get back to work! :) And since our attackers don't honor holiday weekends, be alert; we obviously need more good lerts! :D