As an information security strategist for Intel, and a 20-year veteran of the infosec industry, security is my passion. Throughout the week, I come across quite a few interesting articles, or have thoughts about industry trends that I think could spark valuable conversation.
Each week, I’ll be creating a compilation of articles I think are worth reading, my response to industry trends, and various infosec thoughts I have throughout the week.
1. Response to: Is Rapid Detection the New Prevention?
Rapid detection and response is nothing new and does not supplant prevention. It is and always has been a complementary function within the Defense-in-Depth methodology, which everyone should be embracing. Although prevention is very cost-effective, it is not always the best or most effective option. Attackers typically maintain the initiative and innovate to bypass established prevention capabilities. No prevention capability is perfect; therefore, detection becomes the safety net that protects an environment from attacks that get through.
Additionally, some vulnerabilities are enormously expensive to prevent or are so unlikely they are not considered worthy of a costly hardening investment. For such ‘black swans,’ which may have a low risk of occurrence but a potentially high impact, a strong capability to rapidly detect and respond may prove to be the right economical choice. Interdiction in this way can greatly limit the impact to an acceptable level.
More on the topic of Defense in Depth and financial trade-offs of risk can be found here:
- IT Security Will Spend More in 2012, But Will They Spend Smarter?
- Is Security Spending a Necessary Evil?
- Security is a Tough Sell
- Explaining the Value of Security Spending
- How Security Programs Reduce Loss
- The Purpose of Security Programs
- The Problem of Measuring Information Security (video)
2. With regard to the security community paranoia around NFC lamp posts
Sometimes security professionals, myself included, go off the deep end when it comes to concern and paranoia. Case in point: NFC lamp posts. Yes, NFC technology has inherent weaknesses depending on how it is used and controlled. But some situations aren’t cause for much concern. In my opinion, I am not too worried about this technology use-case being targeted for malicious purposes. The attack is possible, but not likely for a number of reasons:
- Other paths are easier. Given the option, attackers will likely choose the Path of Least Resistance to achieve their objectives. In this instance, that could include spam, phishing, posting a webpage URL or a QR code instead.
- Difficulty: Designing and producing an NFC tag is not as simple as creating a QR code. Then there are the practical aspects of delivery. The attacker must be local to overwrite/modify the actual lamp posts, and the old NFC tag may need to be removed or a conflict may arise. Seems like a lot of hands-on effort.
- Cost: Producing the NFC circuits costs money. They are not free like QR codes or other online methods that are easier to procure.
- Longevity: Once in place, it will eventually be discovered. Responders will act to check and remove all the malicious NFC sensors. This would leave the attacker out in the cold for expenses and effort.
- Attribution/Investigation: Ordering, paying for, and shipping NFC tags may be tracked and therefore expose the origins and link back to the attacker. Physical deployment of NFC tags would be exposed to public observation. All of this is good for investigators and bad for the attacker.
Some would argue such malicious tags are inexpensive and easy to order. I agree they can be dirt cheap to buy (beyond the design, test, etc.). But the point is they do cost something, which means an attacker must pay for them to be manufactured and delivered. Both payment and delivery/receipt are opportunities to identify and track them down. It is a deterrent on several levels (design, cost, logistics, physical access, interference, longevity/interdiction, obfuscation against investigation/prosecution, etc.). All in the face of easier and less risky options.
3. Worth Reading: DefenseNews’s Leadership Poll
Although I am not typically a fan of survey data, the respondents in this report are key people in the government and security apparatus. It gives insight into the fears and concerns of some of the most influential policy people in the U.S. Even more insightful is the trend of growing concern for cyber warfare. Take a look, as it has a few interesting perspectives on the audience's profiles and anxieties.
Where to find me:
In Person: Delivering a keynote presentation at Cyberstrat 2014 in Helsinki on January 22.
On Twitter: @Matt_Rosenquist
My Blog: Information Security Strategy
IT Peer Network: My previous posts
My work: LinkedIn