Thursday, November 29, 2007

Just let me do my job!

Another post has popped up. This time from The Hoff. I think general consensus is that you will probably disagree with him at some stage, but you have to read his blogs.

Anyhow, he posted a question from someone at a conference he was at:

Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?

My answer to this is the following: Please correct me if I am wrong because I am probably very biased.

A modern business is essentially a group of people who know how to do something. A doctor is a person who knows how to cure people. He has studied and has certificates and such but at the end of the day if he loses his memory - he is no longer able to cure people and is not worth very much.

A little larger - a company that makes car tyres. There are some people who handle the books of the business and manage the investments of the company, manage the money etc. There are engineers who design the tyres and make them the best way possible. There are the sales reps who sell the tyres in the best way possible. The real value of the business is not the tyres and buildings and such... it is the information that the people know. Some of it is in their heads, some of it is in databases. Some of it is just a culture. But take all of that information away and you have a bunch of useless people hanging about and some desks.

Business today is quick. A company can close down in a few months and a new one can be built up in days. It is relatively simple to get capital. It is fairly easy to get premises, phones, cars, etc . It is not easy to get staff who know what they are doing. That is where the real value of a business is.

So, essentially a business relies on its information to stay alive and to grow. If you lose information, a part of the business is lost.

Steve Ballmer knew this when he lost Mark Lukovsky to Google - he was losing some of Microsoft.

The American Government knows this which is why there is legislation making sure companies protect their systems. Information loss is business loss.

So, the answer to the question is - how much is your entire business worth? Take away the net value of the desks and coffee machines and that is how much information security is protecting. HR is involved in protecting the information inside the heads of the staff so you may want to minus that.

Everyone in the organisation is either creating information (this CEO, accountants, etc) or using information to build products or perform services (think craftspeople, packers, factory workers). Only Information Security is tasked with making sure that the information is available and stays inside the company.

Where is most of the information contained? What is most at risk? That is not so easy to answer but is important to us doing our jobs. Should business be concerned? I'm not sure, I don't think so. Should infosec be required to cough up figures so that we can do our jobs? I really don't think so.

But I could be wrong. What do you think?

Monday, November 5, 2007

You have to take your (white) hat off to these hackers.... and a lot else too!

The Washington Post has an article on an interesting new piece of malware.

Captchas are those weird little blocks with numbers and letters all jumbled up and fairly difficult to read. They are there to check whether the user is a human or a computer pretending to be a human. They essentially prevent hackers from automating things that server owners would prefer them not to automate.

An example is - when you sign up for a mail account you have to decipher the captcha so that you can have the email account. This is to prevent spammers from signing up with free accounts 100 or 1000 at a time and using them to send spam, repeating the process when they are shut down. captchas have a lot of negative points but they have been rather effective.

The new malware is essentially a picture of a blond lady who will do a strip show for you. The catch is that you need to decipher some captchas, for each one she has less and less clothing. This sounds like a nice trade-off but each captcha that you enter basically signs a spammer up for a free email account. They are using you (being a human) as the middle man.

I hate spammers with a passion but I have to admit that this is a piece of genius.

Thursday, November 1, 2007

South African Spam is World Class!

I found this interesting table on Trend's website which takes the number of spam messages it receives, extrapolates it to estimate total worldwide spamming from an IP range and then reports on the range.

The bottom line is that they estimated that SAIX users (corporate, dial up, sub-ISPs, etc) all sent out about 82 Million spam emails in the last 24 hours making SAIX the 88th worst spam network in the world.

It is scary that so many spams are originating in sunny South Africa. Since spammers use unsuspecting PCs to do their dirty work this hints that there are many computers that have been compromised.

Its time for South Africa to take Information Security seriously.

Like Taking Laptops from a Baby

Here in South Africa crime is one of our largest issues but it seems that theft of laptops is a worldwide phenomenon.

It also seems that the controls put in place do not help.

An article on reports that Eric Almly is believed to have stolen 130 laptops from 24 different companies.

All of these companies have the same physical security barriers that most companies do - card machines, cameras, etc. The guy managed to get through them all with a smile and a calm personality.

It may be time to test out your physical security or at least accept that laptops will get legs.