Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Hacking: Next Up Movie Theaters

Reference: http://breachblog.com/2008/12/16/zyacorp.aspx

In one of those "I bet they didn't see this coming" moments, a CineMagic movie theater in Merrimack, NH has fallen victim to digital thieves (or hackers, if you prefer). What I see here is a rather obvious comparison case for tackling the "we're too insignificant to be hacked" argument. If you have data or click-stream... you have something of value.

I've said it before and I'll say it again - hackers aren't just targeting the huge repositories of information. They're coming after anyone and everyone with exposures and unmitigated risks. While there is no direct indication that this was done with a web application hack... I wouldn't discount it as an avenue for easy attack.

Think of how many times you've bought movie tickets online, or anything else that you wouldn't think twice about... what if that entity was compromised?

In what I can only call an unfunny twist of comedy, the article's writer comments -

"Anytime I read about credit card breaches, PCI compliance comes to mind. If I were to guess, I would guess that there is a 50/50 chance that Zyacorp is compliant. Not that compliance = secure."

Harsh Reality - Life in InfoSec

It's Monday again, and it's absolutely brain-numbingly cold here in Chicago... but I wanted to get these thoughts down before they fell out of my brain to make room for new stuff.

Last week I had the pleasure of meeting with a group of guys that are running the Information Security practice within one of the largest and most respected retailers to the "hip" crowd... these folks live sales volume and press... good or bad. I think they've got some extremely unique challenges, so I wanted to present the angle I proposed in case it's useful to anyone else.

First off, they have a very small "security" team, mainly consisting of compliance activities and common "operational security" tasks such as identity provisioning, anti-virus, firewall, you get the picture. They also have a relatively well-established QA team which is critical to the success of their online retail component - so the established value of that team is there. This is unlike the value of the security team - which unfortunately doesn't have a good foothold... not for lack of trying from what I heard. Their problem? No one cares about security. (Sound familiar yet?)

To overcome some of these challenges we focused on what was important to the business from an IT perspective - Software Quality. More specifically, the quality of the online application(s) was important to this customer. Having their eCommerce site(s) up and available for business is top priority. Given that information we can quickly re-tool our approach and make *security* a component of the overall quality cycle. I know, some of you security purists are probably mad at me right now, but this is the harsh reality of life in a downturn. Why not, though, use the business-critical areas to get the job done? The security guys know they need tighter security, but maybe the business doesn't care so much - except to check the box of compliance (PCI-DSS) - so I think taking a modified approach is the only way to fly in cases like this.

Making security a sub-component of overall software quality works like this. Security, amongst other things, aims to keep a site/application "up and running" and resistant to hacking. Now, hacking oftentimes causes Denial-of-Service conditions, so there we have link #1 to quality and uptime. The second link is a little more vague. Hacking an application potentially means loss of data - and that can lead to downtime and disrupt the consumer's ability to purchase or buy - basically data corruption. I know these aren't ideal links, and you'll like the PCI "compliance" link even less, I'm sure - but there you have it.

Those 3 links into application quality may be the difference between *zero* security budget and getting *some* security budget. Now, the question of TTH (from Jeremiah Grossman, Time-To-Hack) may come into play again... we have to ask ourselves if what we're doing makes any difference in the time that it takes to take the app down and steal the data. Maybe yes, maybe no, right? The main point here for these guys is to demonstrate due diligence for PCI compliance. While this is a bit of a sad commentary on the way of the world and how much security *really* matters... at least they're doing something.

Keep pushing guys, you're on the right track!

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation