So I thought I’d offer up, in the spirit of the season, my two cents:
Under the Category of Bad Idea, we have:
1. Yahoo, Bing and Google are racing to integrate Twitter, Facebook and other social media to include up-to-the-minute postings from popular social networks atop search results.
Why, exactly, is this a good idea? When your teenager posts something numb on Facebook, will it now appear in multiple search results?
2. “Cloud Computing.” Still has yet to prove itself secure, audit-able or a real cost savings in the long run. Losing real control of your data is going to be expensive.
3. Outsourcing overseas. Yes, it’s cheaper, and so are the security measures. The laws are different, and will you travel to India to prosecute? This is what happens when the bottom line ignores common sense. See “cloud computing.”
For the Category of Internet Fraud:
1. Social networks have become an increasingly rich mine of personal activity that can lead to malware and theft of personal information, and that now includes the business networks, such as LinkedIn. Don’t personally know who invites you? Now what do you do with the people you accepted? “Unfriend” them?
2. Peer-to-peer part 1 – Pretty soon (if they haven’t already) they’ll figure out how to encode malware into audio and movie files. Watch a movie, get a Trojan!
3. SQL injection – is only getting worse, and it’s one of the few things we could fix.
In the Category of “We Knew This, Didn’t We???”
1. Peer-to-peer part 2 – Those networks are loaded with malware. Are your kids on one? Or two? Do they bring their laptops home from college loaded with them? Best hope they don’t do any banking or personal business on those machines. Wait, they’re kids! Kids think they’re invincible. Uh oh.
2. Millions of websites are unsecured and allowing iframe malware and other code to run so that they can install Trojans, etc. We’re still surfing, and infection is rising. Solution, anyone? Other than having two computers?
3. The bad guys have already figured out banking’s “Is it your picture?!” attempt at cheap two-factor authentication. Get ready to have a keyring full of tokens – I have two already!
4. Leave your debit cards at home – how long do you want to spend hassling with the bank to get your money back?
5. Haven’t you encrypted all your laptops, yet?
And last, but not least, the category of “Bad Uses of Good Technology:”
1. People that break into cars and steal your GPS can use it to track back to your house for burglary purposes. Snopes says this is partially true. I suspect car burglars are not that bright, but, who knows? Especially if I am not bright enough to put my GPS away.
If they get your car registration and your garage opener, you’ll be much more vulnerable. They’ll just use the GPS for easy driving to your house.
2. ATMs continue to siphon enormous amounts of money from banks, businesses, payment card processors, etc. No end in sight. Who will pay for it, ultimately?
3. “Cloud computing” can be used to speed up decryption across multiple CPUs. A bad use of Bad Technology! Double winner!
Ho, ho, ho. Have a great holiday, get lots of presents, and try to think of it as job security. That’s what I’ll be doing.

The focus is different for both groups; auditors want secure IT practices only on financial systems (which is where they are allowed to look). IT Security will often push back when they ask for more, saying things like “out of scope.”
IT Security is mostly focused on production systems and network devices. It’s a constantly changing environment, where you have to move quickly to combat threats and intrusions. They’re focused on actions, not documentation and procedures. They’re not thrilled, for the most part, with endless requests for policies and procedures, as well as documentation of what they’re actually doing. They’re darn busy with a lot of trees in the forest.
The problem is, they’re both right, and both wrong. IT sees documentation as unimportant (i.e., “I’ll get to it when I can”); auditors see non-financial systems as unimportant (“Firewall? They have one, they’re fine”).
The real problems come with the trees neither one of them looks at. That’s Part 3.

Late last night (yes, I know, we geeks have no life) I was grinding my teeth over the Google Technology Ads, and started once again making up MY OWN definitions, to wit:
GREEN – Gag Reflex Entirely Engaged Now
CLOUD – Calling Legacy Operations Utterly Dazzling
PCI – Pay Cash Instead
SaaS – Simply Awful Acronym Sizing
IPS – Inventing (a) Product Synonym
RSS – Really Stupid Software
Facebook and Twitter? Stay tuned, I’ll come up with something.
Wouldn’t it be great if we decided not to buy anything that has an acronym attached to it?

As if that were not bad enough, the hacked websites have injected hidden code in an iframe that calls another iframe to connect to a website named 318x. For the really technical details, check the blog post from Mary Landesman at ScanSafe.
318x (a dotcom) downloads particularly nasty malware to the victim, which includes banking trojans. As of this evening (12/14/09), a Google scan for the script source now has 166,000 websites listed.
If you do the search on Google or Yahoo, all sorts of alerts will go off (which is why I didn’t link it here), but you get infected only if you click on one of the links with the embedded script.
Search your own site for this string of code! If you find it, your website has been compromised, and you’d better find out how. Your customers and users can get infected, and it could get back to your company.

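The post deliberately does not reproduce the injected string, so a check of your own pages has to key on what the injection looks like rather than on one literal: an iframe pointing at a host you do not frame, sized to zero or hidden by CSS, whose framed page in turn frames another. The scanner below is an added example, not code from the original post or from ScanSafe. It uses only the Python standard library; the sample page, the `evil-example.invalid` placeholder domain and the `ALLOWED_FRAME_HOSTS` list are constructed assumptions you replace with your own site's legitimate frame hosts, and `fetch` is any callable you supply that turns a URL into HTML text.

```python
"""Audit HTML for injected hidden or chained iframes.

Added example, not code from the original post or from ScanSafe. The sample
page and the domain evil-example.invalid are constructed placeholders, not the
domain the post refers to; ALLOWED_FRAME_HOSTS is an assumption you replace
with the hosts your own site legitimately frames.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_FRAME_HOSTS = {"www.example.com", "example.com"}  # assumption: your own hosts


class IframeAuditor(HTMLParser):
    """Collect iframe/script tags whose src or styling looks like an injection."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}  # attributes without a value become ""
        src = a.get("src", "")
        if not src:
            return
        host = urlparse(src).hostname or ""  # "" for relative URLs
        reasons = []
        if host and host not in ALLOWED_FRAME_HOSTS:
            reasons.append("third-party src")
        if tag == "iframe":
            if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
                reasons.append("zero-size frame")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "host": host,
                                  "reasons": reasons, "line": self.getpos()[0]})


def audit_html(html_text):
    """Return the suspicious tags found in one page, in document order."""
    parser = IframeAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def audit_chain(fetch, url, max_depth=2, _depth=0, _seen=None):
    """Follow each flagged iframe's src so a frame that loads another frame is
    reported too. `fetch` is a callable url -> HTML text that you supply."""
    seen = _seen if _seen is not None else set()
    if url in seen or _depth > max_depth:
        return []
    seen.add(url)
    try:
        page = fetch(url)
    except Exception as exc:  # unreachable hop: record it rather than abort the audit
        return [{"tag": "fetch", "src": url, "host": "", "reasons": [f"fetch failed: {exc}"],
                 "line": 0, "depth": _depth}]
    results = []
    for finding in audit_html(page):
        finding["depth"] = _depth
        results.append(finding)
        if finding["tag"] == "iframe":
            results.extend(audit_chain(fetch, finding["src"], max_depth, _depth + 1, seen))
    return results


# Constructed sample: one legitimate frame, one injected hidden frame, one foreign script.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="https://evil-example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script src="https://cdn.evil-example.invalid/a.js"></script>
</body></html>"""

# Constructed second hop: the framed page itself frames another page.
SAMPLE_PAGES = {
    "https://www.example.com/": SAMPLE_PAGE,
    "https://evil-example.invalid/in.php":
        '<iframe src="https://evil-example.invalid/payload" width="1" height="1"></iframe>',
}


def sample_fetch(url):
    """Offline stand-in for a real fetcher (e.g. one wrapping urllib.request.urlopen)."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for f in audit_chain(sample_fetch, "https://www.example.com/"):
        print(f"depth {f['depth']} line {f['line']}: <{f['tag']} src={f['src']}> {', '.join(f['reasons'])}")
```

Run `audit_html` over the HTML files in your document root (or over what your server actually serves, since a compromised template can inject into every page at render time) and treat any hit on a host you do not recognise as the starting point of an incident, not a false positive to whitelist. `audit_chain` exists because a static look at the first page only sees the first hop; the post's point is that the first iframe calls a second one.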
She also said that their IT department was very much against the idea, and she wanted some information to reassure them. Let’s hear it for the IT department!
Starting from today’s post on HelpSecurity.net describing social media as a “playground for cybercriminals,” a quick Google search will give you 16 million or so sites that are considering the issues (or trying to sell you something, as usual).
It seems that businesses have a common misperception about social media (it IS easier than saying Twitter, LinkedIn, Facebook, Friending and MySpace, but I really don’t like the phrase “social media.” It’s just a little too “marketing…”).
Business doesn’t yet understand that “attention” does not translate into “interest.” Social media is very transitory, and attention shifts constantly to the next new thing. I don’t really want to hear what a business is thinking four times or so a day. (Does a business think?) I’m not sure, actually, that writing a blog, as many businesses do, is a fab idea, either. People write blogs, not company presidents. But that’s just me.
The other issue, at least on Twitter, is trying to build up the “fan” base. Companies are pushing their employees to become “fans,” but that means that the company can see the Twitter profiles of their employees. This has already resulted in company policy changes for employees, telling them to behave themselves on Twitter (or other places). This turns an employee fun toy into a business process, and nobody I’ve talked to that is on Twitter likes it, not at all.

Usually, when this happens, I’m an auditor sitting with IT Security people, or I’m an IT Security person sitting with a bunch of auditors. (Yes, we’re all a little – a little? – nuts, but who wouldn’t be with everything going on right now?)
I am a member of a public accounting firm; today I was sitting with a group of IT auditors listening to the latest requirements in performing “An Understanding of IT Controls” for a financial audit. (Good thing they didn’t use any numbers; I’d have been doomed.) Fundamentally, financial auditors, (not IT auditors) are not concerned about any IT systems except the IT financial systems. Those must have reasonable controls.
“Reasonable” meaning that the auditor can obtain reasonable assurance that the systems have effective controls in place. This applies to financial audits, SOX 404 audits and banking audits. No money in ‘em? Not interested.
So the “tree” in the “forest” has to be a money tree. The rest of the forest doesn’t really matter. Needless to say, I can’t agree with this stance, even though it makes perfect sense to the financial auditor. I can see where they are coming from; they can’t (nor do they know how) examine every system to find inoperative controls, etc. The things IT Security people find.
But if all the other trees around it are infected, will the money tree (I’m losing control of the metaphor here) still be OK?
Now, in the auditor’s mind, they are also testing the financial documentation, so there are a lot of “compensating controls” in the paperwork. But if the CFO is editing the database, the paperwork can look pretty good.
Of course, this all sounds rather black and white, because there are times when IT Controls can report a “material weakness” if a number of IT controls are not in place, not effective, etc. But it is a financial auditor that makes that decision, and if it is outside the money tree, they tend to think that it is unimportant.
So how do we reconcile just looking at a few trees? Stay tuned.