It’s not a new threat really. People inside an organization can always be a threat. It’s just that many people, some of them prominent security professionals, have been downplaying the insider threat lately in order to hype other emerging threats. I’m of the opinion that we’ll see insider threats rise through the year and probably into next. As the economy worsens, people who are becoming financially stressed may turn to corporate crime, or may retaliate for being laid off.
Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.
In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.
Are you backing up your bookmarks? Oh, you don’t store local bookmarks? You use a social bookmarking website you say? Well I hope you weren’t using Ma.gnolia. They announced on Friday morning that they’ve experienced a catastrophic data loss. Wired is reporting Ma.gnolia has lost both their production database and backups of user data. Bye bye bookmarks!
So my question to you is, do you have backups? Ma.gnolia didn’t. If they did have backups, my guess is they failed step 5 on the path to the tao of backup. While I have both local and off-site backups (that yes, I test on a frequent basis…it’s all about restores!), I had overlooked my bookmarks. Luckily, they are safe and sound on del.icio.us. I might not be so lucky next time though. If you’re a del.icio.us user as well, I suggest you export a copy for safe keeping. Then take a moment to think about what else you have stored, and stored solely, in the cloud. Make sure you add those things to your backup procedures.
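The "it's all about restores" point is easy to state and easy to skip. Here is an added example (my own illustration, not code from the post or from any of the sites it mentions) of the check that backup step actually needs: write the archive, record a hash manifest of what went in, then restore into a scratch directory and compare. The bookmarks file and its contents are constructed sample data; the directory layout and function names are assumptions for the demo.

```python
"""Back up a directory and prove the backup restores byte-for-byte.

Added example, not from the original post. The 'bookmarks' directory and
the exported HTML file below are constructed sample data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time.

    Keeping the manifest alongside the archive is what lets a later restore
    be checked against what was actually backed up, not against guesswork.
    """
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def verify_restore(archive: Path, expected: dict) -> bool:
    """Restore the archive into a scratch directory and compare every file.

    True only if nothing is missing, extra or altered relative to expected.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # 'data' filter refuses absolute paths and path traversal
                # (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4).
                tar.extractall(scratch, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        return manifest(Path(scratch)) == expected


def demo() -> tuple:
    """Run the procedure on constructed data.

    Returns (verified_fresh, verified_after_source_changed): the first should
    be True; the second is the stale-backup case a real restore test catches.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "bookmarks")
        src.mkdir()
        # Constructed stand-in for an exported bookmarks file.
        (src / "delicious.html").write_text(
            '<a href="https://example.invalid/">example</a>\n'
        )
        archive = Path(work, "bookmarks.tgz")
        expected = create_backup(src, archive)
        fresh_ok = verify_restore(archive, expected)

        # Source changed after the backup: the archive no longer restores
        # what we now expect, and the check must say so.
        (src / "delicious.html").write_text("changed after backup\n")
        stale_ok = verify_restore(archive, manifest(src))
        return fresh_ok, stale_ok


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup verified:", fresh)
    print("stale backup verified:", stale)
```

The design choice worth copying is that verification never trusts the archive's own listing: it restores for real and hashes the result, which is the only way to learn that the backup job, the media and the restore tooling all still work together.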
Some interesting posts on the SANS Internet Storm Center blog. I’m sure these have already been posted everywhere (I saw one on del.icio.us earlier), but it’s always good to have these kinds of things to refer back to later.
The first post is about targeted social engineering. One of the more interesting aspects:
In one incident, an attacker used phrases directly taken from a public blog, as well as a cordial greeting that the blogger had used when writing about a personal topic. This made the message significantly more authentic to the target, who duly clicked on the attachment.
Pretty clever. Anything you can do to make people even subconsciously believe a message is legitimate will increase your success rate. In most cases it only takes one person falling for it to get a foothold that can be leveraged for a deep internal attack.
The other post is simply a list of what NOT to do when it comes to IT security. Some of the highlights:
- Assume the users will read the security policy because you’ve asked them to.
- Assume that policies don’t apply to executives.
- Don’t review system, application, and security logs.
- Expect end-users to forgo convenience in place of security.
I’d add a couple of my own to the list:
- Assume that because you’ve never been compromised you’re secure
- Assume that you can prevent all compromises
- Protect only the perimeter
- Have no incident response plan
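"Don't review system, application, and security logs" and "Have no incident response plan" go together: reviewing logs only pays off if findings come out prioritized enough that someone acts on them. As an added example (my own, not from the SANS post or this blog), here is a small review pass over constructed sshd log lines that flags sources with repeated failed logins and escalates the case where a success follows the failures. The log lines, addresses and the threshold are constructed sample values.

```python
"""Review sshd auth lines and produce prioritized findings.

Added example, not from the original post or the SANS ISC post it cites.
SAMPLE_LOG is constructed sample data using documentation-range addresses.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 30 10:15:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51111 ssh2
Jan 30 10:15:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51112 ssh2
Jan 30 10:15:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51113 ssh2
Jan 30 10:15:08 host sshd[1204]: Accepted password for root from 203.0.113.7 port 51114 ssh2
Jan 30 10:16:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jan 30 10:17:00 host sshd[1211]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Jan 30 10:18:00 host sshd[1220]: Failed password for invalid user test from 192.0.2.50 port 42000 ssh2
Jan 30 10:18:02 host sshd[1221]: Failed password for invalid user guest from 192.0.2.50 port 42001 ssh2
Jan 30 10:18:04 host sshd[1222]: Failed password for root from 192.0.2.50 port 42002 ssh2
""".splitlines()

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse(lines):
    """Return one dict per recognised auth event; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(lines, threshold=3):
    """Produce findings ordered high to medium.

    high:   a successful login from a source that had already failed
            `threshold` or more times (the case that needs a response now)
    medium: a source with `threshold` or more failures and no success yet
    """
    failures = defaultdict(int)
    findings = []
    for ev in parse(lines):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            findings.append({
                "severity": "high", "src": src, "user": ev["user"], "ts": ev["ts"],
                "reason": f"login succeeded after {failures[src]} failures",
            })
    flagged = {f["src"] for f in findings}
    for src, n in failures.items():
        if n >= threshold and src not in flagged:
            findings.append({
                "severity": "medium", "src": src,
                "reason": f"{n} failed logins, no success seen",
            })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']}: {f['reason']}")
```

Run against the sample, the first finding is the one an incident response plan should route to a person immediately (a success after repeated failures from 203.0.113.7); the second is a watch item. The point is less the regex than the habit: logs that are collected but never reduced to findings are the situation the "don't" list is warning about.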

Transatlantic Cables Terminated in Avon NJ
I couldn’t resist this juxtaposition. These cables are VSNL submarine telecommunications cables that cross the Atlantic and come above ground in the VSNL building in Avon, NJ. They are capable of carrying an estimated 3.5 Tbps (that is terabits per second), probably less in practice because of overhead; my guess comes from the article’s figure (60,000,000 simultaneous voice calls = 60,000,000 DS0s = 60,000,000 × 64 kb/s, roughly 3.84 Tbps). In any case, those cables are extremely important for international communication, but they look like utterly unimportant buried utility cable. Just a great photograph. Via Wired.