Block chain is safe because it’s like trying to turn a Chicken McNugget back into a Chicken (paraphrase).
Some security gems from around April 2015.
@jeremiahg Believe it, simple Rasp PI proj to receive ADS-B aircraft transponders – no encryption whatsoever. http://t.co/44bbWzdeZl
— Milton Smith (@spoofzu) April 15, 2015
Wired: Feds Say That Banned Researcher Commandeered a Plane, “default IDs and passwords to gain access” http://t.co/oyiq8nmn4r
— Milton Smith (@spoofzu) May 16, 2015
OWASP Top Ten Proactive Controls by @Manicode from @OWASP AppSec California 2015 https://t.co/2ADLTtIfym
— OWASP AppSec Cali (@AppSecCali) April 30, 2015
SecurityWeek: Airbus Says Will File Criminal Complaint Over US Spy Claims #security http://t.co/LcF3l0fXjd
— Milton Smith (@spoofzu) April 30, 2015
Laws and regulations have not kept pace with the growth of Internet technologies. Policy makers have communicated no clear expectations to the software industry or to the users of these services. Executives are responsible for protecting customer data, but enforcement remains selective; in the most egregious incidents, top C-level executives have been terminated for poor cybersecurity (e.g., Target).
Rob Joyce, Chief of Tailored Access Operations at the National Security Agency (NSA), presents on defending against nation states and criminals. Joyce provides a number of tips useful for defending against adversaries. Some points from his presentation, enumerated:
- “0-days not necessary”: persistence and exploration will get an intruder in, so continuous defensive work is required
- Top intrusion vectors: email, web site, removable media
- Use software improvements, automatic/rapid patching and anti-exploitation features
- Use secure host [and software] baselines
- Training: the NSA trains and teaches exploitation. Are you actively teaching defense?
- Monitoring: if you were hacked, how would you know? You can’t fix a problem you don’t know exists. Incident response plans are necessary.
- Trust: don’t allow untrusted devices within the trusted perimeter, e.g., a home computer with Steam installed brought into the corporate [trusted] environment.
- Discriminate between nation state and criminal intruders. Nation states select targets and are persistent in their efforts. Criminals are opportunistic and catch the weak gazelle.
- Specific tips: 2FA makes stealing credentials challenging; limit account privileges and super user access; dynamic privileges based on location; network segmentation; no passwords in scripts; defend against pass-the-hash; block sites with neutral or bad reputation.
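One concrete check behind the “no passwords in scripts” tip, as an added example that is not from Joyce’s talk or this post: a small scanner that flags literal credentials assigned in shell, Python or YAML-style lines while ignoring environment references, prompts and placeholders. The key names, regexes and the sample script are my own assumptions, not anything the talk specified.

```python
# Added example (not from the talk): flags hard-coded credentials in scripts,
# supporting the "no passwords in scripts" advice, while ignoring values taken
# from the environment, a prompt, or obvious placeholders.
import re
from typing import List, Tuple

KEY_NAMES = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)"
# NAME=value, name = "value", name: value; (?!=) keeps == comparisons out
ASSIGN_RE = re.compile(
    rf"(?i)\b(?P<key>[a-z0-9_]*{KEY_NAMES}[a-z0-9_]*)\s*[:=](?!=)\s*"
    r"(?P<val>\"[^\"]*\"|'[^']*'|[^\s;,'\"]+)"
)
# references or placeholders rather than literal secrets
SAFE_VALUE_RE = re.compile(
    r"(?i)^(\$\{?[a-z_][a-z0-9_]*\}?|\$\(|os\.environ|os\.getenv|getpass|input\("
    r"|none|null|true|false|(change|insert|your|xxx|\*+).*|<.*>|\.\.\.)"
)
PLACEHOLDERS = {"", "changeme", "password", "secret", "example", "todo"}
Finding = Tuple[int, str, str]  # (line number, key name, masked value)

def _mask(value: str) -> str:
    # keep two characters so the finding can be located without logging the secret
    v = value.strip("\"'")
    return v[:2] + "*" * max(len(v) - 2, 0)

def _is_literal_secret(value: str) -> bool:
    v = value.strip("\"'")
    return v.lower() not in PLACEHOLDERS and not SAFE_VALUE_RE.match(v)

def find_hardcoded_credentials(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang are not live credentials
        for m in ASSIGN_RE.finditer(line):
            if _is_literal_secret(m.group("val")):
                findings.append((lineno, m.group("key"), _mask(m.group("val"))))
    return findings

# constructed sample input; none of these values are real credentials
SAMPLE_SCRIPT = """\
#!/bin/bash
DB_PASSWORD="s3cr3t-prod"
API_TOKEN=$VAULT_TOKEN
export ADMIN_PWD='hunter2'
mysql -u app --password=pa55w0rd < schema.sql
smtp_password: ${SMTP_PASSWORD}
PASSWORD="changeme"
if [ "$PASSWORD" == "x" ]; then echo same; fi
"""
```

Running `find_hardcoded_credentials(SAMPLE_SCRIPT)` reports lines 2, 4 and 5 and stays silent on the environment references, the placeholder and the comparison; wiring it into a pre-commit hook is the usual way to make the tip enforceable.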
The talk provided few surprises and was more a reaffirmation of keeping tidy systems, an incredible challenge in practical application. While simple, Joyce’s advice is difficult to apply at scale, and some of it creates a computing environment that some users consider unfriendly. In the end there are no silver bullets or quick fixes. Be vigilant, keep tidy systems, and invest in your staff through education.