Thursday, May 9, 2013

If you know nothing else about Information Security... know this!

[The best advice you can get (today anyhow)]

Information Security, like any other profession or specialisation has a lot of technical confusing terms and jargon. It has tools that only experts can use and statistics that only the same experts can read. It creates a brotherhood (and sisterhood) of professionals and this is fine.

But, also like other professions, Information Security has its borders of knowledge and its dark scary patches. "Thar be dragons!" Or pirates, or the end of the earth. Or (back to Security) APT. Or super skilled haxors with l33t everything. The guys that can escape jails and sandboxes. They can string single characters together to create small but dangerous stack attacks where there is no stack. And evade DEP and take over phones that don't allow even good programs to do naughty things.

These are the stories that Information Security professionals tell each other. These are the stories they tell their kids over camp fires, and only at night, slowly and carefully. Each. Word. Leading. To. The. Next. Scary. Word.

But the reality is quite different. Most doctors that I know, even GPs and only the good ones, have specialities and other interests (not Golf..) because, although they have been through many years of medical school, most of their patients are either suffering from a cold or flu and require either pain killers and cough syrup or antibiotics. The more interesting patients may suffer from allergies to penicillin but that is where it ends.

So it is with Information Security. While we worry about super-great hackers, the two biggest, highest-profile breaches of recent times came via a firewall backdoor in the PlayStation Network that relied on people not digging into their PlayStations' code, and via a trojan email sent to some non-technical staff at RSA Security that led to them recalling their entire product range, their devices having been used to break into some US government departments.

Verizon comes out each year with a report on major breaches across the world. Every year it tells the same story - they are opportunistic and not targeted and they are generally (68% in the 2013 report) easy.

So, if all Information Security is, is a lot of flu... what is the Vitamin C equivalent?

Websense is a company that specialise in border control systems. They are the guys you swear at when you can't browse Facebook at work. They also block a lot of nasty sites and can block secret documents leaving an organisation. They have a lot of systems out there keeping people browsing what they are allowed to. A lot. They gather a lot of information too. Like, what version of Java people are running. They published this pie chart recently:
This is the spread of different Java versions that are used around the world, mostly in organisations but also by home users (and office staff who take their PCs home). The interesting thing about this pie chart is that if you are running anything but the version coloured dark blue at the top right, or the thin red line next to it, you are at risk of downloading malware automatically. Let me rephrase that in my campfire voice: if you are not in the 5% of people running the latest version of Java in your browser, you can get infected by any number of types of malicious software (most of it out to steal your money or files) AUTOMATICALLY (fire crackles). You don't have to do anything to get infected; the website does it for you. More than that, your antivirus won't know about this "transaction" until it is too late. 5% of people in the world are safe from this, simply because they are running the latest version of Java (which is free to upgrade). That right there is your vitamin C. Patching Java (which 95% of people don't) will protect you from the flu. It won't protect you from interesting attacks, but those are less likely to find you.
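The pie chart above is, in effect, a version inventory with a "current" slice. Here is an added example (not from the original post or from Websense) of the same measurement done inside one organisation: parse the version strings Java reports (the `1.7.0_21` style of the day), compare each host against a target release, and report what fraction is actually patched. The target version and the host inventory are constructed sample values, not real data.

```python
import re

# Java 6/7-era version strings look like "1.7.0_21": feature 7, update 21.
# Capture the four numeric parts; the "_update" suffix is optional.
JAVA_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Turn '1.7.0_21' into a comparable tuple (1, 7, 0, 21); None if unparseable."""
    match = JAVA_VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def patch_report(inventory, latest):
    """inventory: list of (host, version string); latest: the release to compare against.

    Returns which hosts are current, outdated, or could not be classified,
    plus the percentage that is current (the 'safe slice' of the pie chart)."""
    target = parse_java_version(latest)
    current, outdated, unknown = [], [], []
    for host, reported in inventory:
        version = parse_java_version(reported)
        if version is None:
            unknown.append(host)        # e.g. Java absent or a string we don't recognise
        elif version >= target:
            current.append(host)        # tuple comparison: (1,7,0,21) > (1,6,0,45)
        else:
            outdated.append(host)
    total = len(inventory)
    pct = round(100.0 * len(current) / total, 1) if total else 0.0
    return {"current": current, "outdated": outdated,
            "unknown": unknown, "pct_current": pct}


# Constructed sample inventory; the target release below is an assumed value.
SAMPLE_INVENTORY = [
    ("ws-01", "1.7.0_21"),
    ("ws-02", "1.6.0_45"),
    ("ws-03", "1.7.0_17"),
    ("ws-04", "1.6.0_31"),
    ("ws-05", "not installed"),
]
ASSUMED_LATEST = "1.7.0_21"

if __name__ == "__main__":
    report = patch_report(SAMPLE_INVENTORY, ASSUMED_LATEST)
    print(f"{report['pct_current']}% current; outdated: {report['outdated']}")
```

Feed it the real output of `java -version` from each machine and the number it prints is your organisation's version of the 5%.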

Do online attackers actually use Java? Yes, they all do, from guys looking to steal money, game credits and information, to large Government agencies, to groups like Anonymous and Lulzsec. Why? Because it's easy to attack and works against 95% of all browsers. Why wouldn't they use Java exploits?

Advice? Patch Java. And Flash too. And Microsoft software. Then sleep happy.

And go camping.