Ah, the obligatory "it has been too long since I've posted anything" post... I try to approach posting by following the advice of my friend ex-P.F.C. Wintergreen, who usually detests blogs but has relented on this position as of late, and at least keep my posts somewhat oriented towards novel ideas. Sometimes it simply helps to keep writing.
I see that FX is posting at the SABRE Lablog, always interesting to read what he is thinking about or working on.
I don't often find software that is worth paying for outside of music tools and operating systems (donate!) but this is wicked cool diagramming software for OS X: OmniGraffle. Go buy a copy and make your life prettier.
Haven't had much time for PDB lately, the whole school + work combination has been crazy busy. I started a project concerned with using a cVu 1000 from the dudes at cpacket to control the bandwidth usage of network flows. I have other more fun ideas for this device... suffice it to say that it is always fun to make networking products earn their rack space.
Friday, October 27, 2006
Wednesday, September 13, 2006
Reused Rants on Consultant Presentations
A perhaps hypothetical security consultant asks for suggestions concerning emerging threats to 'Corporate Data & Privacy' along the lines of 'rootkits, trojans, et cetera'. She/He wanted ideas detailing 'interesting' tactics/malware, especially those that are particularly insidious, legitimate and hard to defend against.
I understand that these types of presentations are meant to motivate cries for help but I think that you can motivate organizations/people without sinking to detailed descriptions of impending doom. I'm not saying that people don't need to understand the risks, but we want a logical and well thought out response not panicked craven mania...
My response:
What are the goals you are trying to achieve with this presentation? A rigorously compiled taxonomy of 'bad stuff' presented to people who aren't in a position to fundamentally address said stuff is just spreading FUD.
I would say that if the audience is of the business type it might be better to discuss the landscape surrounding adversaries and their motivations/goals; speak at a strategic level about the playing field. Organized crime, Governments, Corp. Competitors, and Bogeymen (teh terrorists!) et cetera are the 'threats' to Corporate Data & Privacy; malware and other attacks are just means. I could rattle off dozens of real tactics that are 'insidious', even before getting into the legitimate but speculative attacks. No one can effectively address every specific tactic let alone a majority, but you have to try your best to address the threats that create the most risk in your particular circumstance. In most cases this means measures that are somewhat orthogonal to those that will address specific tactics, such as rootkits or trojans, measures such as effective security architecture, risk assessment, and preemptive strikes with thermonuclear weapons.
That said, and with tongue firmly in cheek, my vote for 'emerging threats':
New ways to exploit poorly implemented software running in places that no one has realized they have poorly implemented software.
e.g. device drivers, protocol stacks (network, storage,...), network/systems management systems, every single desktop app that reads a file or data from the network...
The sub category of the above worthy of further discussion is crypto systems...
Labels: consulting, rants, risks, threats
