Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Earlier this month (in April 2015 if you are reading this post in the far distant future...) the National Institute of Standards and Technology (NIST) released Draft NISTIR 8050, which contains an interesting summary of a technical workshop held at Stanford University in conjunction with the President's Cybersecurity Summit.
To complete the draft cycle of the document, the National Cybersecurity Center of Excellence (NCCoE, a Center of Excellence and a component of NIST) has issued a Call for Comments focusing on the content of that document, in this instance as it relates to the information and/or cybersecurity issues of your agency, company, bureau, department, country or other organization. I've included a link to NISTIR 8050 to assist in fulfilling the Call for Comments. Enjoy.
News, brought to my attention by Steve Hailey, CEO of the Cybersecurity Institute, is today's MustRead, focusing on Anti-Forensics. Examine, if you will, the effect anti-forensics has on investigatory professionals when performing examinations targeting computational systems. If you read anything today regarding forensics, read Steve's posting on LinkedIn, and the paper published by the three University of Washington researchers responsible for this superlative effort, namely Justin Brecese MSIM, Aaron Alva MISM and Casey Rodgers MISM. You may also download the documents from the CyberSecurity Institute here in a compressed file, or from UW's Capstone Archives.
Behold, the so-called Lonely Cyberwarrior. A remarkable story conveyed to us via The Daily Beast's prolific Vijai Maheshwari. The story of intestinal fortitude whilst in the presence of Force Majeure certainly is astonishing...
“I compared myself to Joan of Arc, but I hope that I don’t have a violent end as she did.” He laughs nervously. “There’s still so much to be done. This war is only just beginning.” - via The Daily Beast's inimitable Vijai Maheshwari
Via Steve Ragan, writing at CSO, comes a story of renewed interest in one of the older attackable network interfaces known - namely, the venerable Server Message Block (SMB) protocol, utilizing the equally old (two decades plus) UNC Share Block abuse. Interestingly, the number of vulnerable software platforms has increased exponentially, due to the now blossoming vector that can include both HTTP and HTTPS. Oops.
SPEAR, the research team at Cylance, has discovered new attack vectors for an 18-year-old vulnerability in Windows Server Message Block (SMB). The updated attack vector, called Redirect to SMB, impacts products from Microsoft, Apple, Adobe, Symantec, Box, Oracle, and more. - via CSO's Steve Ragan
In astonishing (yet unsurprising) news - a discovery by FireEye Labs (and published under the company's Threat Research blog) - of a decade-long espionage campaign by miscreants thereto (in this case, allegations point to entities in the People's Republic of China). FireEye has announced the availability of an indicators download on GitHub here; the full report is available here. Clear proof of why security professionals should be quite concerned, specifically those folks who rely on deeply flawed and nearly useless enterprise anti-virus and anti-malware products employed throughout most, if not all, enterprise IT environments... Ladies and Gentlemen, Girls and Boys, behold the money quote:
"All of the key findings we examined in the report lead us to conclude that APT 30 is a professional, cohesive threat group with a long-term mission to steal data that would benefit a government, and has been successful at doing so for quite some time. Such a sustained, planned development effort coupled with the group’s regional targets and mission, suggest that this activity is state sponsored." - via FireEye Labs and the FireEye Threat Research blog
Schneier’s Maxim #2 (Control Freaks Maxim): Control will usually get confused with Security. Comment: From security guru Bruce Schneier. Even when Control doesn’t get confused with Security, lots of people and organizations will use Security as an excuse to grab Control, e.g., the Patriot Act. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Too Good Maxim: If a given security product, technology, vendor, or technique sounds too good to be true, it is. And it probably sucks big time. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory