Category Archives: Poetry

Limbe

by the Italian group S-Tone Inc. from their 2002 album Sobrenatural (featuring Italian jazz vocalist Laura Fedele)

Translation by me.

Le ciel c’est comme un voile
c’est immobile le soir
on entend pas le bruit
de tes pas sur le sol

The sky it’s like a veil
all quiet in the evening
so there is no noise
as you pass over the ground

Pas de destination
ni meme d’intention
total absence de joie
et de peine

Without a destination
but no intent for
lack of joy
or suffering

Tu viens vers tu n’sais quoi
unique la direction
Tu n’as pas de reponses
ni meme de demandes

You come to what you don’t know
single direction
You have no answers
nor any requests

Tu viens

You go…

Le but c’est inconnue
il s’agit de l’instinct
tu ne t’interroge pas
si c’est bien ou si c’est mal

Purpose unknown
it is from instinct
Do not ask
if it’s right or wrong

Comme un fantome qui glisse
qui n’a plus de sexe
entre la realite
l’inconscience et le reve

Like a ghost that glides
who has more ecstasy
between the realities
the unconsciousness and dreams

Tu viens vers tu n’sais quoi
unique la direction
Tu n’as pas de reponses
ni meme de demandes

You come to what you don’t know
single direction
You have no answers
nor any requests

Tu viens

You go…

Comme ca tu simplement tu viens
suspendu sous un ciel indefini

You enjoy how you simply
hover below an undefined sky

pas de couleurs
pas de sons
pas de souvenirs

no color
no sound
no memories

hier
demain
rien

yesterday
tomorrow
nothing

seulement le present
le moment qui passe, qui glisse
qui revient, exactement egale a lui meme

only the present
the moment passing, gliding
returning, exactly equal to itself

Tu viens

You go…
 
I also noticed a Stone Roses style remix by Fred Ventura.

The Interrupters

I spend almost every day now reviewing breach data and analyzing threats to deconstruct vulnerabilities. Some of my more popular work recently has been to convince IT management that they need to improve their analysis of threats to understand them better.

Although there are many frustrating examples of negligence and ignorance when it comes to security, no one should feel satisfied to always blame the victim after an attack. That is why the security industry can help with more balanced risk analysis instead of pounding only on customer vulnerabilities and writing off every threat as “sophisticated”.

After a presentation on cloud penetration testing at VMworld this week I was asked by a customer of a provider why their instance was constantly being broken into. First, I went over how they should pinpoint the threat and not just the vulnerability in their particular instance. Second, I explained that if you have a nice house with big windows and live in a dangerous neighborhood, and you can afford to move to a better neighborhood…the choices become more obvious once the risk is translated into a more familiar context.

For another example, a medical professional who injects a virus into a patient in order to test and build up antibodies makes an excellent simile for penetration testing a cloud environment.

The viruses in the flu shot are killed (inactivated), so you cannot get the flu from a flu shot.

They say you can’t get the flu from a simulation of the flu, but we all know that the flu shot still carries risks.

There are some people who should not get a flu vaccine without first consulting a physician. These include:
[…]

  • People who have had a severe reaction to an influenza vaccination.

In the same vein (pun not intended), I strongly recommend to anyone interested in the study of information security and the interruption of threats (to protect the vulnerable) that they watch the movie The Interrupters.

Note that one of the movie protagonists, one of the Interrupters, is the daughter of Jeff Fort. He was a notorious Chicago gangster convicted of domestic terrorism in the 1980s.

For years Chicago’s El Rukns seemed like the average urban street gang, dabbling in racketeering, narcotics sales and the occasional murder. But El Rukns (Arabic for “the cornerstone”) was far more ambitious than that. Last week a federal jury convicted five members of conspiring to commit terrorist acts against the U.S. The plotters, prosecutors said, expected to receive $2.5 million from Libya’s Colonel Muammar Gaddafi for bombing buildings and airplanes and assassinating American politicians.

[…]

In the late ’70s, the 100-member organization turned to political militancy and religion. The leader, Jeff Fort, 40, regularly presided over meetings from an immense, high-backed throne atop a pedestal, surrounded by outsize posters of himself and Gaddafi.

The daughter of this guy is now trying to stop the violence. I would point you to a Wikipedia reference so you could read all about this amazing and inspirational woman — Ameena Mathews — who has dedicated her life to saving so many others, but a Wikipedia administrator — Fastily — has just decided to delete her page.

This page has been deleted. The deletion and move log for the page are provided below for reference.

00:03, 29 August 2011 Fastily (talk | contribs) deleted “Ameena Mathews” (Expired PROD, concern was: Does not meet notability guidelines. Lacks citations to significant coverage in reliable sources.)

Uh, she has been written up in the NYT, The Guardian, NPR, PBS…just type her name into a search engine to see the citations. Take her interview in indieWire as an example of the “coverage” she gets:

…you’ve been meeting up with similar groups across America. How has that been?

We met up with a lot of groups that replicated the model. There’s a lot of people out there doing a lot of great things, helping the war on poverty, getting kids in school so they can put the guns down.

[…]

There’s purple hearts for those that are wounded in Afghanistan, but not much for those who do our work.

Hey Wikipedia, get a f-ing clue. The Interrupters and their work to stop threats should be the very definition of notability. Let this be yet another giant blinking warning sign of why you should not automatically trust the supposedly well-intentioned administrators of cloud services to do some basic checks before they act, let alone care about risk and the security of information.

Gonder (አስቴር አወቀ – ጎንደር)

A song from a former capital city (the 4th) of Ethiopia, as performed by Aster Aweke on her new album Checheho.

Gonder is known for preserving tradition and custom like the iskista dance, as opposed to the more diverse and modern capital city Addis Ababa.

Gonder was also the city where Italian forces made their last stand. The British 12th (African) Division led by Major-General “Fluffy”, along with the Kenya Armoured Car Regiment and Emperor Haile Selassie’s patriots, ended the occupation of Ethiopia when they seized Gonder in 1941.

Cloud Security Different, Says Okta

Okta has announced their series B financing today. It includes a recap of security in the cloud that reveals how they pitched it for money, and why it’s different:

The concepts of security, single sign on, user management and auditing are not new. They’ve existed since the first user logged into the first mainframe. Why is the problem different or the potential solutions better in the cloud?

  • There are more services and applications available to users within an enterprise than ever before.
  • The cost to build, deliver and sell the services is dramatically lower, leading to more services available in the market. Literally, thousands of new SaaS start-ups have spawned in the last 10 years.
  • Companies aren’t limited by their ability to build infrastructure to deploy and maintain as many applications as they want.
  • In addition to more services, there are more users. Each generation of technology, from mainframe to mini computers to client server to cloud, has seen a 10X increase in the number of users. And each of these users is accessing the services in a variety of ways. Gone are the days of one desktop per employee. There are desktops, laptops, virtual desktops, tablets and smart phones.
  • Finally, companies need to support a mobile workforce. They can no longer rely on securing the physical network perimeter with a firewall and selectively permitting VPN access. They need to have the same kind of rich authentication, authorization, auditing and logging for all their critical services.

Call me anal, or haiku-obsessed, but it looks like that list boils down to the following:

  • More services are available
  • It costs less to build services
  • Infrastructure costs are lower
  • There are more users
  • Users are mobile

Wait, let me try that again.

  • More services now
  • Can’t stop the mobile access
  • Deployed for less dough

Coming up with definitions and finding differences is fun. Who doesn’t love isomorphism? When is a muscle-car a muscle-car? I mean if a Toyota Camry races a Pontiac GTO and wins, do we still get to call the GTO a muscle-car or does the Camry get the title? More to the point, if we accept the Okta explanation, clouds do not seem far ahead of traditional IT departments. What really stops on-premise IT from providing more services at less cost to more users who are mobile?

But there’s more to a muscle-car than just measuring horsepower (the 268-horsepower Camry LE is still a second slower than a goat, BTW; efficiency is another story). Okta could have highlighted the new cloud use-cases and the security issues that arise from cloud behavior.

Many more roles/identities, with far more relationships and yet less permanence, are cloud-specific. Tracking identities and meta-directory data when it’s not clear who exactly should be the one to track identities, now that’s a different problem than on-premise, where accounts are doled out more carefully by a clear authority.

They also could have highlighted the tall and wide shadows of data created and then “destroyed” when accounts and services are spun up and down on short cycles because “owners” come and go. You thought keeping track of hires and terminations was hard before? Try managing it for systems you can’t see or touch and only get a utilization report from. That’s another difference: a sort of opaqueness to their hidden services, with their secretive SRE (service reliability engineers), all of which may be completely untrustworthy.

Maybe it’s all coming in their next installment and I’m just jumping the gun.

For now, congrats go to them for round B. Perhaps it’s best to end by saying they are in a great market space — cloud providers clearly need identity management solutions like a GTO needs seat belts, air bags and a catalytic converter to control behavior-induced risk.