Showing posts with label consulting.
Thursday, February 01, 2007
At the end of December I left my position with KPMG to concentrate on technical security consulting and my master's degree. This all leads me to announce the creation of a new corporate entity, and my security company:
Strange Research Corporation
There isn't much content up on the site yet as I'm still playing with the layout, but check it out!
Wednesday, September 13, 2006
Reused Rants on Consultant Presentations
A perhaps hypothetical security consultant asks for suggestions concerning emerging threats to 'Corporate Data & Privacy' along the lines of 'rootkits, trojans, et cetera'. She/he wanted ideas detailing 'interesting' tactics/malware, especially those that are particularly insidious, legitimate and hard to defend against.
I understand that these types of presentations are meant to motivate cries for help, but I think that you can motivate organizations/people without sinking to detailed descriptions of impending doom. I'm not saying that people don't need to understand the risks, but we want a logical and well-thought-out response, not panicked, craven mania...
My response:
What are the goals you are trying to achieve with this presentation? A rigorously compiled taxonomy of 'bad stuff' presented to people who aren't in a position to fundamentally address said stuff is just spreading FUD.
I would say that if the audience is of the business type it might be better to discuss the landscape surrounding adversaries and their motivations/goals; speak at a strategic level about the playing field. Organized crime, governments, corporate competitors, and bogeymen (teh terrorists!) et cetera are the 'threats' to Corporate Data & Privacy; malware and other attacks are just means. I could rattle off dozens of real tactics that are 'insidious', even before getting into the legitimate but speculative attacks. No one can effectively address every specific tactic, let alone a majority, but you have to try your best to address the threats that create the most risk in your particular circumstance. In most cases this means measures that are somewhat orthogonal to those that address specific tactics such as rootkits or trojans: measures such as effective security architecture, risk assessment, and preemptive strikes with thermonuclear weapons.
That said, and with tongue firmly in cheek, my vote for 'emerging threats':
New ways to exploit poorly implemented software running in places that no one has realized they have poorly implemented software.
e.g. device drivers, protocol stacks (network, storage,...), network/systems management systems, every single desktop app that reads a file or data from the network...
The sub category of the above worthy of further discussion is crypto systems...
Labels: consulting, rants, risks, threats
