Tuesday, April 29, 2008

Because Hackers Don't Care... (Why Metrics Don't Work)

Let's start with some statistics:

99% of all workstations with up-to-date antivirus
Antivirus blocks over 99% of all malware.

That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom and to put on the wall. And yet a company I know (not the one I work for) still managed to get a virus that brought about some painful downtime.

The virus was one of the 1% that the antivirus doesn't block, and it spread through the organisation like wildfire. Essentially the saving grace was that it infected a small part of the network, brought that down and didn't spread from there. Luck. It was also non-destructive other than the network downtime. Luck.

The metrics lied.

You could say that there was residual risk, but it really looks quite small. What is 1% between friends? But that 1% is precisely what any hacker (or virus writer, etc.) worth his salt is targeting.

So, where to from here?

I won't throw the baby out with the bathwater. 99% of PCs with antivirus is certainly safer than 50% or 0%. 99% of PCs fully patched is safer than 70%, or even than 100% of PCs almost fully patched. But 99% of PCs with antivirus is not a guarantee that no virus will find its way to destroying your network. It is important that your boss(es) know this, and more important still that you know this.

And have plans in place when the 1% risk becomes reality.
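As an added illustration of the point above (example code, not from the original post): the percentage that goes on the wall is an aggregate, and the useful output of a coverage metric is the list of hosts it hides. The script below takes a constructed workstation inventory (hostnames and dates are made up), counts a host as covered only if antivirus is installed and its signatures are recent, and reports both the percentage and the uncovered hosts. It also generalises the "antivirus blocks 99%" figure: if each new sample is blocked independently with probability 0.99, the chance that at least one of many samples gets through grows quickly with the number of samples seen, which is the residual risk the 1% represents.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Workstation:
    hostname: str
    av_installed: bool
    signatures_updated: Optional[date]   # None when no antivirus is present


# Constructed sample inventory (hypothetical hosts and dates), not real data.
AS_OF = date(2008, 4, 29)
INVENTORY: List[Workstation] = [
    Workstation("ws-fin-01", True, date(2008, 4, 29)),
    Workstation("ws-fin-02", True, date(2008, 4, 28)),
    Workstation("ws-fin-03", True, date(2008, 4, 29)),
    Workstation("ws-hr-01", True, date(2008, 4, 29)),
    Workstation("ws-hr-02", True, date(2008, 4, 12)),   # signatures 17 days old
    Workstation("ws-ops-01", True, date(2008, 4, 29)),
    Workstation("ws-ops-02", True, date(2008, 4, 27)),
    Workstation("ws-ops-03", False, None),              # antivirus never installed
    Workstation("ws-dev-01", True, date(2008, 4, 29)),
    Workstation("ws-dev-02", True, date(2008, 4, 29)),
]


def coverage_report(inventory: List[Workstation], as_of: date = AS_OF,
                    max_signature_age_days: int = 7) -> Dict:
    """Classify each host as covered or uncovered.

    A host counts as covered only if antivirus is installed AND its signatures
    are no older than max_signature_age_days. The 'percent' field is the
    number that ends up on the wall; the 'uncovered' mapping (hostname ->
    reason) is the actionable part that the percentage hides.
    """
    uncovered: Dict[str, str] = {}
    for ws in inventory:
        if not ws.av_installed or ws.signatures_updated is None:
            uncovered[ws.hostname] = "no antivirus installed"
            continue
        age = (as_of - ws.signatures_updated).days
        if age > max_signature_age_days:
            uncovered[ws.hostname] = f"signatures {age} days old"
    total = len(inventory)
    covered = total - len(uncovered)
    return {
        "total": total,
        "covered": covered,
        "percent": round(100.0 * covered / total, 1) if total else 0.0,
        "uncovered": uncovered,
    }


def chance_something_gets_through(samples_seen: int, block_rate: float = 0.99) -> float:
    """Probability that at least one of samples_seen distinct malware samples
    evades antivirus, assuming each is blocked independently with probability
    block_rate. With block_rate=0.99 and 100 samples this is about 0.63: the
    1% residual is a near-certainty over time, not a rounding error.
    """
    return 1.0 - (1.0 - (1.0 - block_rate)) ** samples_seen


if __name__ == "__main__":
    report = coverage_report(INVENTORY)
    print(f"{report['percent']}% covered ({report['covered']}/{report['total']})")
    for host, reason in sorted(report["uncovered"].items()):
        print(f"  uncovered: {host}: {reason}")
    for n in (1, 10, 100):
        print(f"{n:>3} samples seen: P(at least one evades) = "
              f"{chance_something_gets_through(n):.3f}")
```

The signature-age threshold is a deliberate choice: a host whose antivirus is installed but stale is counted against the metric, because it is the kind of host that makes a "99% with up-to-date antivirus" figure quietly untrue. Tighten `max_signature_age_days` to whatever your update cadence actually is.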

Security Catalyst Forums

I've written often about all the ways I have met people. My network has certainly grown in the last year between facebook, linkedin, the numerous blogs that I read and the numerous blogs that they all link to.

One place that has certainly been a terrific place to meet smart people interested in Information Security, and to harvest some of their ideas, is the Security Catalyst Forums. Registration is free and gets you access to some really amazing people.

Each week someone volunteers to sum up the last week's postings and this week is my turn so here goes...

Andrew Hay is doing his CISSP and has been given a lot of advice by the members. Generally it is agreed that cccure.org is a good resource, and Michael, always ready to jump in and start new Security Catalyst initiatives, wants to put together a resource for those Catalyst members studying for the CISSP.

I personally did the official CISSP boot camp training course and found it well worth doing. I bought the official ISC2 guide but found it to be too wordy and technical. It is a great resource though, and I have used it many times since my exam, but at 10pm after a day's work it is the last thing your eyes want to see.

Education seems to be a theme at the moment - Didier Stevens wrote his GSSP-C exam and Kevin Riggins is debating doing a Masters in Information Protection/Assurance.

Information Security is slowly becoming so much more than just firewalls and antivirus, and the education needed is becoming vast. I think it has already come to the point where it is impossible to know everything, and practitioners now need to work out what section of Information Security they want to get into.

I personally am interested in the management side of InfoSec, but if I choose that then I will not be able to get deeply into any particular part of InfoSec anymore. I have my CISSP and would love to get a Masters like the one above; the GSSP-C would be too restrictive for me, but to each his own. Well done Didier, and good luck Andrew, Kevin and all those that are looking to grow their knowledge.

Don Weber raises an interesting question - should businesses be monitoring search queries via their proxy servers? My feeling is that yes, they should. Companies should monitor everything, and they have the right (in South Africa at least) to do so. However (there is always a however with me), context is everything. One has to use the information that one gets from logs as a guide and try to understand exactly why someone browses so much, or such strange sites, or whatever. I believe that Information Security has to become a central part of the organisation and has to make connections with all departments. All browsing issues must be driven by HR, with technical and policy help from InfoSec.

There were other discussions, jobs posted and conferences listed, but I'm not going to go into them all. The last thing I'd like to say is that I asked a question on the Security Catalyst Forums and got some quality replies - all different, but all quality, and they will allow me to do my job that much better.

Wednesday, April 16, 2008

So, here I am.

It has been quite a quiet year for me blog-wise and it is not because I have been busy.

Quite the opposite. It is because really I haven't been busy.

And, strangely, now that I have moved to a job where I have more responsibilities and less time, I think I will blog more. I have more to think about and more to say.

My new job is very interesting. I have been dropped in the deep end and told "swim". At the moment I am still trying to work out what has been done and what could still use the Allen touch.

Expect some good postings over the next few months and years.

As per usual - you won't get juicy details about my new employer and all thoughts, mistakes and general views are my own.