Tuesday, November 28, 2017

You Don't Have to Outrun the (Fancy) Bear

   Two hikers are walking through the woods.  They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars.  One hiker quickly bends down to tighten his boot laces.  The other hiker says, "What are you doing?  You can't outrun a bear!"  The first hiker says, "I don't have to outrun the bear, I only have to outrun you!"

   One of the biggest changes in information security over the past two decades has been in the attackers.  Rather than the old stereotype of a hoodie-wearing loner in a basement with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded.  Attackers are no longer defacing websites for fun and notoriety; attacks today are a business.

   It's a simple risk/reward equation.  There is a cost to any attack.  Email-based attacks are very inexpensive to launch.  Developing sophisticated malware is expensive.  And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.

   Information security is very complex.  It's as much an art as it is a science.  There are basic things that everyone should do, like patching systems and using strong, long passwords.  And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.

   There are so many high-profile breaches in the news.  Some of these are the result of highly skilled and motivated attackers going after a specific target.  But many more are "crimes of opportunity".

   As I see it, there are basically three kinds of online attacks:

Tuesday, November 14, 2017

It's All About the Squirrels!

   Did you know that in 2016 there were more selfie-related deaths than shark-related deaths?  The same was true in 2015.  We'll see what happens in 2017!

   That might seem counter-intuitive.  And that's exactly the point... we are programmed through evolution to focus on the sensational risks.

   We've been hearing plenty about cyber-war and state-sponsored attacks.  These are big and scary things.  It seems that the power grid is a key target.  Well, it turns out that cyber attack is not the top issue that affects the power grid.  Not even close.  And what's a more serious and regular threat?  Squirrels!  No, that's not a joke.

Here's a great presentation from this year's ShmooCon, an annual security conference:

   But here's the point of all this... while it's fun to laugh at, or dislike, squirrels, there's an important lesson here.  We do need to speculate and consider the future when conducting risk assessments.  But we also need to keep a strong focus on reality!  That means ensuring you are considering the mundane, but very real, threats and vulnerabilities that are actually happening.  It's far too easy for us to focus on high-impact, very-low-likelihood events to the exclusion of high-probability, common attacks like phishing.

   So skip the sharks and watch out for the squirrels!