Comments, administrivia, and the future of the “infosec professional”

re: Comments, administrivia, and the future of the “infosec professional”

ColonelBlinky — Thu, 16 Oct 2008 11:36:34 GMT

Totally agree on the last paragraph, add to it based on sound strategies, policies and procedures supported by the business (ie C-Level) we are no longer part of a Break/Fix department living in a place with no sign of daylight, but an intergral business unit.

re: Comments, administrivia, and the future of the “infosec professional”

Orin Thomas — Thu, 16 Oct 2008 16:22:37 GMT

I was thinking about your comment about opionion revision in relation to philosophy of science. Scientific theories map against observations of a static reality - that is reality doesn't change even though the theories we use to describe it do. Information security is even more complex because the things that we are modelling in our head do not remain static - unlike the speed of light which is the same today as it was 100 years ago, the way that computers and networks interoperate does change over time. The modelling in our heads needs constant revision because the thing that we are modelling does not remain static (and even if it did, history of science shows that things a lot of smart people once believed were fundamental truths turned out not to be so fundamentally true when someone else came along with a better explanation). Of course new evidence can suggest that one doesn't understand something as well as one thought one did, or it could mean that the thing that you did understand was actually flawed in some way.

re: Comments, administrivia, and the future of the “infosec professional”

MikeS — Thu, 16 Oct 2008 20:34:16 GMT

Steve: I agree with you completely, but unfortunately I think there's one element you didn't include in your "thesis": the mixed-client corpnet and extranet.

I understand that if all the correct (Microsoft) pieces are in place, then we can start to calm down the "enemy at the gates" approach to security. However, even though we are thoroughly Microsoft on the inside of our company, many of the people who use our systems are NOT Microsofties, and aren't very tolerant of us telling them how they should/shouldn't configure their networks, PC's, firewalls, etc to use our connected services.

Overall, I really, really like where Microsoft is going with their security technologies and emphasis, but I fear that in the near future the only people who will truly and completely benefit from this "new era" will be the folks with a self-contained corpnet that have gypsies who venture beyond the gates.

Those of us who have to deal with B2B service delivery to diverse customers will still see limited benefit from these new technologies. The main reason? As with any larger company, it's nearly impossible to push through such sweeping changes unless the ROI can be demonstrated. And despite the obvious benefits to our OWN people, reconfiguring our network in such a manner would NOT generate a high-enough ROI for the beancounters to approve such a major change.

So, I guess we're stuck with evolutionary (not revolutionary) baby steps in this direction. I look forward to it, though, and to your future posts.

Mike

re: Comments, administrivia, and the future of the “infosec professional”

Paul Y — Mon, 20 Oct 2008 04:50:57 GMT

I gave up worrying about the device and netwrok several years ago. Today I have only worry about 2 things.

1. Who are you, and what should you be allowed to access.

2. How do I manage the bandwidth.

Devices don't access data, the most they can damage is point 2. Bandwidth impacts are irritating, but not long term critical. Data loss is the problem, and it's device and network agnostic.

Of course - there is the problem of sensitive data accessed on an untrusted device, and that device using those credentials or storing that data. I haven't seen ANY good answers for this space yet.

Paul

re: Comments, administrivia, and the future of the “infosec professional”

Mikko — Wed, 22 Oct 2008 00:11:17 GMT

Hi Steve

I saw your demo at teched US and it was interesting and cool and as MikeS says it works if you have all the MS part in place... this should however not be the only way of access, you can have the opposite as well with terminal server technology where no data ever leaves the data center and no client ever has straight connection to the data center. So for your trusted MS clients you could use the "new" way and for the rest you could use the TS way or Citrix if you prefer that. one don't have to rule out the other, witch is a bit of the feeling you get when you are so exited about this "new" thing Steve :-)

Regards.

Mikko

re: Comments, administrivia, and the future of the “infosec professional”

Marta Guillen — Wed, 22 Oct 2008 07:58:20 GMT

Mr. Steve,

I have to appologize for using this way of communication with You, but after hours and hours of searching the Web for technical support in order to get help and solutions to my problem, I bumped into Your blog which I found very interesting.

I am facing a security problem, where somebody has stolen passwords for old hotmail accounts of mine and is using them to harass me and harm me in many ways.

I don't seem to be able to find answers anywhere and don't know how to stop it. Would You be so kind to help me with this problem if you could?

Thank you very much, Best Regards.

re: Comments, administrivia, and the future of the “infosec professional”

Steve Riley — Wed, 22 Oct 2008 20:08:18 GMT

MikeS-- true, direct connect works best when the clients are Windows. However, we can still support heterogeneous environments with third-party support for NAP and group policy provided by partner-created add-ons. And for those instances like you mentioned -- you simply can't make configuration decisions about computers you don't own -- there's always Terminal Server. In the next security newsletter, I'll have an article that covers this briefly.

Mikko-- again, I'm not discounting Terminal Server; indeed, it's a critical part of the complete design. In the detailed documention I intend to start writing later, I will include that.

re: Comments, administrivia, and the future of the “infosec professional”

Steve Riley — Wed, 22 Oct 2008 20:10:39 GMT

Marta-- I'm sorry but there's not a whole lot I can do to help you here. How do you know your passwords have been stolen? What evidence can you describe that supports this? What harassment are you receiving?

Perhaps the best thing to do is simply close those accounts down. Log into them, change their passwords, log out, and never check them again. Eventually (I think after 90 days) they will deactive themselves.

re: Comments, administrivia, and the future of the “infosec professional”

gbromage — Sun, 09 Nov 2008 16:42:52 GMT

Steve, I did enjoy your presentation at TechEd EMEA in Barcelona on this.

I still have a concern over the portion of "Validate the health of machines initiating incoming connections and remediate if necessary "

Validating the health would mean validating again known threats, surely? It's the unknown ones that concern me more.

I would think that there is a risk that people might make a basic assumption that a "trusted" client is automatically trust-worthy.

A zero-day exploit would not be picked up by health certificate, and once the client is compromised that negates the BitLocker and client-side firewall mitigations.

Further, if a client was root-kitted, it would not be detected by a server-side validation because how would the server tell, if the client (at the kernel level) is unaware that it has been compromised. This could lead to an administrator assuming a trusted client is safe (for a given definition of "safe") and exposing more information then they should.

It might be better to still consider these clients as manageable, but inherently untrusted.

I do realise that this is more of an implementation/assumption risk than an inherant design flaw, but it does still need to be considered.

P.S. - there's comment spam above.....

re: Comments, administrivia, and the future of the “infosec professional”

Steve Riley — Wed, 19 Nov 2008 00:16:50 GMT

gbromage-- No, the validation isn't against threats, but rather it's validating that the computer is configured the way you want before a connection is made. NAP gives you some of this, SCCM is more thorough (mostly through inventorying).

No configuration can completely protect you against zero-day exploits and rootkits. Most of these have to run as local admin to spread beyond themselves; that's why it's important that people run as standard user and that UAC remain enabled.

re: Comments, administrivia, and the future of the “infosec professional”

Sanjay Tandon — Fri, 21 Nov 2008 00:38:16 GMT

What the mind doesn't know, the eyes can't see.

Corollary: If you don't know what attack surface you're exposed to, how can you adequately defend yourself?

Further: If your people don't know what they're protecting your organization against, they can't adequately protect you.

In other words: ...

Know what I mean? :-)

re: Comments, administrivia, and the future of the “infosec professional”

.NET Library Developer — Fri, 21 Nov 2008 10:16:28 GMT

You are doing a great job. Thank you.

P.S. Are you checking your comments? There are several ads comments posted in last two days.

re: Comments, administrivia, and the future of the “infosec professional”

Steve Riley — Mon, 01 Dec 2008 09:10:43 GMT

Thanks much ... And yeah, I know, the blog spam is getting bad again. I can't believe that there's any kind of economic gain from it, I just don't get it.

re: Comments, administrivia, and the future of the “infosec professional”

bred — Tue, 02 Dec 2008 05:44:27 GMT

it's nice site!!! <a href=" http://www.scam.com/member.php?u=103405 ">adipex cheap</a> 6317