Friday, August 22, 2014

The Commandments of Safety

“You don't have to be a coder in order to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.” With these words Michael Daniel, currently the White House's cybersecurity coordinator, opened his interview with GovInfoSecurity.

Those words prompted the editors of Network Security to open a lively debate on whether senior security management can do without a technical profile. Among those in favour, Michael Daniel himself stresses that decisions should be backed by a group of technical advisers. On the other side, Martin, an editor at Network Security, warns of the danger of deciding the future of a country's security while ignoring the medium- and long-term consequences of those decisions.

A good example of this is the data breach suffered by UPS, one of the largest parcel carriers in the USA, at 51 of its branches. The company specified neither the number of affected customers nor the type of malware used in the attack, but given the kind of information such a company routinely handles (addresses, account numbers, phone numbers and personal IDs), this could be one of the most lucrative hauls for the black market.

Black Hat, one of the most important security events of the year, was held in Las Vegas last week. At CIGTR we covered the event on a daily basis, as did other media such as Kaspersky's blog, where Brian Donohue gives his own impressions of it with particular attention to Dan Geer's talk. Geer, chief information security officer at In-Q-Tel, surprised attendees with his Ten Commandments of Modern Cybersecurity, a set of requests to governments, businesses and consumers around the world to make cyberspace (the "third environment") a safer place.

Among the proposals is regulating ethical hacking in a clear and simple way, since its only aim is to improve the security of systems by alerting their creators; today that alert alone can be enough to end up in court. Dan Geer proposed that the United States government pay ten times the black-market price for 0-day exploits and publish them in an open register that companies and public administrations can consult in order to fix them. Lorenzo Martinez, of SecurityByDefault, argues for more permissive legislation on pentesting, one that protects the tester's work and sets clear operating boundaries.

Black Hat also addressed why the attacks that put our data at risk are becoming ever more intense. Net-Security is clear about the reasons: better-organized cybercrime gangs, increasingly sophisticated techniques, the expansion of digital identity and the growing use of the services built on it. Not everything is against us, though: following a set of routines, such as changing passwords, reviewing our profiles and keeping track of every place we interact online, minimizes the risk.

Also interesting is the proposal to carry out large-scale malware analysis based on DNS and IP information. Since many attacks come from botnets made up of infected clients, security suites could build prediction patterns for future attacks from the DNS requests those clients make and the IP ranges they contact: a name that resolves into the same hosting block as known malicious infrastructure, or a client that keeps querying such names, is worth a closer look before the next campaign starts.
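As an added illustration of the kind of DNS-and-IP correlation that paragraph describes (this is example code written for this page, not code from the original post or from any Black Hat talk), the script below takes resolver log lines of the form "client queried-name answer-IP", groups the names by the /24 their answers fall into, flags every name that shares a block with a known-bad name, and then ranks the clients that resolved any of them. The log format, the seed list of known-bad names, the sample lines and the /24 "shared hosting block" heuristic are all constructed assumptions.

```python
"""Toy passive-DNS pivot: flag names that share a hosting /24 with known-bad
names, then list which clients resolved them.

Everything here is constructed for illustration: the log format, the seed
list and the /24 heuristic are assumptions, not a real product's logic.
"""
import ipaddress
from collections import defaultdict

# Constructed sample resolver log: "<client> <queried name> <answer IP>".
# Addresses come from the documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
10.0.0.5  update.badcorp-cdn.example  203.0.113.10
10.0.0.5  www.example.com             198.51.100.7
10.0.0.9  static.cdn-mirror.example   203.0.113.44
10.0.0.9  mail.example.org            192.0.2.25
10.0.0.12 www.example.com             198.51.100.7
10.0.0.12 sync.cdn-mirror.example     203.0.113.44
10.0.0.12 api.chk-node.example        203.0.113.200
10.0.0.21 news.example.net            192.0.2.80
"""

# Assumed seed of names already known to be malicious (e.g. from a prior IR case).
KNOWN_BAD = {"update.badcorp-cdn.example"}


def parse_log(text):
    """Return (client, name, IPv4Address) tuples; skip blanks, comments and
    non-IPv4 answers such as CNAME targets."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, name, answer = line.split()
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if ip.version != 4:
            continue  # the /24 heuristic below is IPv4-only
        records.append((client, name.lower().rstrip("."), ip))
    return records


def pivot(records, known_bad, prefix=24, max_names=50):
    """Return (suspects, exposed).

    suspects: {name: block} for names that resolved into a block also used by
              a known-bad name.  Blocks hosting more than max_names distinct
              names are ignored as shared hosting/CDN space (too noisy).
    exposed:  {client: hit count} for clients that resolved a known-bad or
              suspect name, so responders can triage the busiest ones first.
    """
    names_by_block = defaultdict(set)
    clients_by_name = defaultdict(set)
    for client, name, ip in records:
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        names_by_block[block].add(name)
        clients_by_name[name].add(client)

    suspects = {}
    for block, names in names_by_block.items():
        if not (names & known_bad) or len(names) > max_names:
            continue
        for name in names - known_bad:
            suspects[name] = str(block)

    exposed = defaultdict(int)
    for name in known_bad | set(suspects):
        for client in clients_by_name.get(name, ()):
            exposed[client] += 1
    return suspects, dict(exposed)


if __name__ == "__main__":
    suspects, exposed = pivot(parse_log(SAMPLE_LOG), KNOWN_BAD)
    for name, block in sorted(suspects.items()):
        print(f"suspect  {name:30s} shares {block} with known-bad infrastructure")
    for client, hits in sorted(exposed.items(), key=lambda kv: -kv[1]):
        print(f"exposed  {client:15s} {hits} hit(s)")
```

The `max_names` cut-off is the important caveat: on real passive-DNS data a /24 belonging to a large CDN or shared hoster will contain thousands of benign names next to one malicious one, so block co-location is a lead to weigh against how crowded the block is, not a verdict on its own.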

All these strategies aim to improve security in the digital world, something we can all contribute to, whether by auditing systems as pentesters do, by keeping an eye on our social profiles, or by sharing these articles with our Google+ circles.
