Wednesday, September 13, 2006

Reused Rants on Consultant Presentations

A perhaps hypothetical security consultant asks for suggestions concerning emerging threats to 'Corporate Data & Privacy' along the lines of 'rootkits, trojans, et cetera'. He or she wanted ideas detailing 'interesting' tactics/malware, especially those that are particularly insidious, legitimate (that is, plausible) and hard to defend against.

I understand that these types of presentations are meant to motivate cries for help, but I think that you can motivate organizations and people without sinking to detailed descriptions of impending doom. I'm not saying that people don't need to understand the risks, but we want a logical and well thought out response, not panicked, craven mania...

My response:

What are the goals you are trying to achieve with this presentation? A rigorously compiled taxonomy of 'bad stuff' presented to people who aren't in a position to fundamentally address said stuff is just spreading FUD.

I would say that if the audience is of the business type it might be better to discuss the landscape surrounding adversaries and their motivations/goals; speak at a strategic level about the playing field. Organized crime, governments, corporate competitors, and bogeymen (teh terrorists!) et cetera are the 'threats' to Corporate Data & Privacy; malware and other attacks are just means. I could rattle off dozens of real tactics that are 'insidious', even before getting into the plausible but speculative attacks. No one can effectively address every specific tactic, let alone a majority, but you have to try your best to address the threats that create the most risk in your particular circumstance. In most cases this means measures that are somewhat orthogonal to those that address specific tactics such as rootkits or trojans: measures such as effective security architecture, risk assessment, and preemptive strikes with thermonuclear weapons.

That said, and with tongue firmly in cheek, my vote for 'emerging threats':

New ways to exploit poorly implemented software running in places that no one has realized they have poorly implemented software.

e.g. device drivers, protocol stacks (network, storage,...), network/systems management systems, every single desktop app that reads a file or data from the network...

The subcategory of the above worthy of further discussion is crypto systems...
