Defensive Security Podcast Episode 25

Snowden offered asylum, Germany’s interior minister cautions Germans against using US-based services, California AG urges legislation to require the use of encryption, 85% of virus infections are from drive by download, Attacks on energy sector, Texas government infections, MS Tuesday

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

85% of virus infections are from drive by downloads: http://www.csis.dk/en/csis/news/3981/

Attacks on energy sector: http://securityaffairs.co/wordpress/15820/security/ics-cert-surge-in-attacks-against-energy-industry.html

Texas government infections: http://www.kens5.com/news/State-computers-compromised-but-theres-not-enough-staff-to-fix-it-214231541.html

MS Tuesday: http://www.theregister.co.uk/2013/07/05/ms_july_2013_patch_tuesday_prealert/

 

Defensive Security Podcast Episode 24

Kaspersky study indicates 200,000 malware variants are released daily, the Carberp trojan’s source code is leaked and an 0day is discovered, FINRA reports on prolific cyber attacks against its members, the FT is attacked by the Syrian Electronic Army and gives a play by play on what happened, Kaspersky reports an 87% increase in phishing attacks, Google reports that compromised legitimate sites are more dangerous than malicious sites, Sophos says 30,000 SMB sites are hacked per day to spread malware, the age old debate about administrator rights, password complexity, and the unintended consequences of leaks: foreign companies defect to more hospitable countries, renewed focus on systems administrators, and we can stop pretending to not know where Stuxnet came from. Continue reading Defensive Security Podcast Episode 24

Defensive Security Podcast Episode 23

The discrepancy between perception and reality when it comes to quantifying risk, the major fail that was OpPetrol, Malvertising, EMET 4 released, How not to be a CSO by the Harvard Business Review, Linked In’s DNS woes, and CSOs are not recognizing reality. Continue reading Defensive Security Podcast Episode 23

Risk Perception Versus Reality

One of the side effects of podcasting is that I read a lot of infosec news on a daily basis and a lot of industry reports.  Sometimes, I see an odd overlap.  For instance, I was reading this article about a survey from McAfee on how long IT professionals believe it would take for them to detect a breach.  The numbers were all over the map, but is described like this:

“… 22 percent thought they’d need a day to recognise a breach, with one in twenty offering a week as a likely timescale.

Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards.

In terms of general security, three quarters  confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware.”

 

The article raises the point that the polled population seems overly optimistic, however I think it needs to be explored a little deeper.

  • Mandiant’s 2013 annual report claims that data breaches take an average of 243 days to find.
  • Trustwave’s report finds that the average to be 210 days.
  • Verizon’s DBIR finds that 66% of breaches in the scope of their report took “months” to “years” to discover.

This is not a minor miss.  This is not “being overly optimistic”.  This is a fundamental lack of understanding of the world we live in.

What concerns me most about this disconnect is how these beliefs are used as an input into risk management processes.  If organizations are prioritizing their security efforts based on the input from internal authoritative sources, such as the 500 people McAfee polled, that breaches will be detected quickly, when in reality they take months, there will be little appetite to make improvements in detection capabilities.

 

Defensive Security Podcast Episode 22

Risk Science Podcast, Forensic 4Cast podcast, Gartner security myths, 2013 OWASP top ten, FDA finds security risk in medical devices, Oracle fixes 40 more java bugs, B-sides Rhode Island videos, Can the Germans break PGP?

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

Risk Science Podcast: http://riskscience.net/

Forensic4Cast :http://forensic4cast.com/

Gartner security myths: http://www.networkworld.com/news/2013/061113-gartner-reveals-top-10-it-270738.html

2013 OWASP top ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

FDA finds security risk in medical devices: http://www.networkworld.com/news/2013/061413-federal-regulators-address-rising-security-270844.html

Oracle fixes 40 more java bugs: https://www.infoworld.com/d/security/oracle-ship-40-security-fixes-java-se-220758

B-sides Rhode Island videos: http://www.irongeek.com/i.php?page=videos%2Fbsidesri2013%2Fmainlist

Can the Germans break PGP? http://malwarejake.blogspot.com/2013/06/are-germans-really-breaking-pgp-and-ssh.html

Defensive Security Podcast Episode 21

Verizon, PRISM and Edward Snowden, Java users are bad at patching, cost of breaches is up, Microsoft operation takes down 1462 Citadel botnets, malware increasingly using peer to peer communications for command and control, and malware trends.

 

Subscribe in iTunes | Podcast RSS Feed | Twitter Email Continue reading Defensive Security Podcast Episode 21

Defensive Security Podcast Episode 20

US power grid is highly vulnerable and under constant attack, Iran attacking energy companies, increase in sophisticated attacks against keys and certificates, Indian government site redirects to black hole exploit kit, FSB report find that only 36% of small businesses regularly patch, 5 quick wins from the DBIR, Google to give software vendors 7 days prior to releasing information on active exploits, and planning for the failure of malware prevention.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email Continue reading Defensive Security Podcast Episode 20

https://defensivesecurity.org Is Classified As Porn Site (if you are at Disney World)

I am here on vacation in Disney World, using wifi in the hotel and I’m being blocked.

20130525-223241.jpg

Disney appears to be using an old (I mean old) web filter called the 8e6 R3000 from 8e6 Technologies, now Trustwave. Interestingly, when I check this site’s category using Trustwave’s site here and it is not registered. The site is correctly categorized as “IT” in the other filtering engines.

So, it would seem that Disney World is keying off some element of content on the site, rather than on the Skye’s categorization.

Defensive Security Podcast Episode 19

Adobe and Microsoft patches, signed Mac malware, EC Council website hacked, 7 steps to secure Java,  Microsoft on invulnerable software, more on OpUSA, Ohio city’s taxpayer database stolen and the importance of malware being invisible.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email Continue reading Defensive Security Podcast Episode 19

Defensive Security Podcast Episode 18

Adobe warns customers of a Cold Fusion 0day, Washing courts owned by that 0day, web servers found compromised with the Cdorked/Darkleech, critical vulnerability in Nginx, Anonymous’ opUSA turned out to be a bunch of nothing, too many admins is bad for security, Name.com gets compromised, The Onion’s twitter feed is compromise by the SEA, slippery slope of BYOD and Google’s plans for authentication.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

 

Cold fusion: http://www.networkworld.com/news/2013/050913-adobe-warns-customers-of-unpatched-269596.html