Thursday, November 22, 2007
Wednesday, November 7, 2007
I recently heard about David Litchfield's blog. It was a good surprise to see that he posted today a tip about how to deploy "tripwires", or "honeytokens", on databases. I understand that this kind of resource is very important to help identify insiders. If you manage a database for a big company, it's worth a try.
Thursday, November 1, 2007
I was planning to talk about one of my favorite resources in my blogroll, Securosis. This post about the insider threat reminded me about it. Look at these remarks from Mr. Mogull and you'll not only understand this "insider threat" better but also learn about a very good feed to have in your blogroll:
- "Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers- there are those with access to your network, and those without. Some are authorized, some aren't.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost to reduce the risks of the insider threat to levels comparable to the external threat are materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls."
This post from Mr. Lindstrom is very interesting, mainly because I totally agree with him that "there is no such thing as best practices, but I also believe there really should be such a thing". It's very hard to work in a field where you can't show that you performed well. For me in particular, it's even worse to see very bad professionals claiming that they are selling/deploying "best practices".

I also like it when Mrs. Stutsman said that "There may be a best practice within an industry but it's tough to go across industries". PCI-DSS is a very good example of that.

Putting this together with a comment from Anton Aylward that I mentioned here, I'm starting to believe that we need to build some kind of "basic best practices". We already know pretty much how to deal with the basic aspects of Information Security, so let's put aside those things that will always change from business to business and build something that every company can use as a way to ensure that its security doesn't suck, at least. Using Anton's words again, "Lets worry about the baseline before we try to address the esoteric".