Powerless Security

I found this report both concerning and comical.  Forgive me, I realize neither computer theft nor data theft are laughing matters, but bear with me…  A laptop computer containing “a fair amount of records” was stolen and an on-board camera was damaged while a police cruiser was left at an auto dealership for service in New Hampshire.

The theft and damage to the “brand new” cruiser occurred when the cruiser was parked overnight at a Chevrolet dealership, left for work on decorative trim.  The police chief said he’s been advised that it’s unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord.  How is that for a protective strategy?  I hope anyone that chided me for giggling understands now.  What would stop a thief from simply hitting up a used parts distributor for a battery or power supply?  I’ll bet there are refurbs at Tiger Direct.  The data that can be expected to be on this laptop is probably quite valuable to the criminal element compared to the cost of a laptop battery.  There are also convertors that allow one to connect laptop interfaces to standard IDE or even USB connections…

Mike Jones, manager of the dealer’s auto body department, said he was expecting a police officer to pick up the cruiser after hours which is why it was left outside overnight.  He said if he knew it wasn’t going to be picked up, the cruiser would have been brought inside.  “We thought someone was coming to get it,” he said. “With a phone call we would’ve taken care of it.  Obviously we don’t want any thefts here.”  So…  Why didn’t Mike just make a phone call to confirm?  Last time I checked, my phone worked both ways…


Michaels Stores PIN Pad Tampering

Michaels Stores Inc. locations in Chicago and possibly other locations have been reportedly breached through PIN Pad tampering.  Credit and debit card information was compromised, the company announced Thursday.  Although not quite as large in scope as the PlayStation Network hack, my wife and friends like and shop at Michaels stores.

Banking and law enforcement officials contacted the popular craft supply chain after some fraudulent debit card transactions were reported.  Authorities believe the transactions may be linked to legitimate transactions in Chicago-area Michaels stores.  If you have purchased goods at Michaels using credit or debit cards, monitor your statements closely, and change your PIN code to be on the safe side.  It takes 5 minutes, and costs you nothing.


Security Karate Basics

In order to avoid “boiling the ocean”, most security industry “best practices” inevitably offer the same combination of high-level recommendations for vague IT security problems:

  • Improve paper-based IT security policies and guidelines.
  • Apply patches to systems.
  • Use strong passwords.
  • Conduct Security Awareness training.
  • Etc.

While these considerations are fundamentally important, these “best practices” alone typically contribute little to the tangible improvement of overall security.  The media coverage of successful attacks versus solutions to improve IT security has caused many IT and Security professionals to dangerously accept the situation as “just the way things are”.  This is compounded by the media’s tendency to provide the latest silver bullet to solve all of our security problems in the form of product recommendations.   Don’t get me wrong, there are many great security technologies and products out there, but simply implementing one or more of these on top of a weak foundation does not provide better security.

All organizations face the dangers of falling behind on patches or being susceptible to zero-day, un-patchable, and sophisticated threats.  To build a strong foundation, today’s IT professionals must take a step back and look beyond the failures of their Anti-Virus, IPS, firewalls, and other point solutions.  They need to ask what could be done to go above and beyond generic security and technology implementations.

One lesson that I have learned over the years from my instructors in both Tae Kwon Do and Karate is this: if you want to defend yourself well, focus on the basics.  A flying Superman punch looks real cool, but can be countered easily with a simple, well-timed snap-kick.  Build a solid foundation in the simple movements, even after you have mastered them.

To effectively protect an organization, always work under the assumption that there will be an attack.  Assume that the attack methods used will be unforeseen.  Anticipate that an attack may eventually result in a breach.  The goal is not to prevent every possible attack, but to build a foundation that is resilient enough to withstand known and common attacks, to detect and identify other attacks as early as possible, and to contain the damage that a breach could cause.
