Saturday, October 21, 2017

Cybersecurity Awareness Month - should this even be a thing if awareness isn't working?

If I'd written this last week, the post would have been very different. I would have pondered whether cybersecurity awareness month should even be a thing. Granted, I live in the infosec echo chamber, but I often wonder how many out there aren't already inundated with information about staying safe online. Does one more phishing assessment or security reminder poster really matter? Sure, I regularly perform incident response and forensics, so I know attacks happen. But the extent to which we can stop them with additional training is questionable.

One idiot, two keyboards

But that was last week... This week a good friend of mine who is a high-profile APT target hit me up for some cybersecurity advice. Now, before I tell the rest of this story, it's important to me that you know that he's been educated in cybersecurity hygiene and receives regular briefings on security from his organization. His organization uses regular phishing tests. He's a smart guy. I'm not mentioning names, but I bet if I did most of you would know who he is and would understand why he's a no-joke nation-state (dare I say APT?) target.

Read the rest of the story on the Rendition Infosec corporate blog.

Sunday, October 8, 2017

Should Antivirus software be part of your threat model?

Should Antivirus (AV) software be part of your threat model? Strictly speaking, yes, it probably should be. AV is potentially dangerous to an organization and should be tested thoroughly before being deployed. As argued in the recent WSJ article about Kaspersky (note that the article is behind a paywall), AV software could threaten the confidentiality of a protected system.

But as any infosec professional can tell you, information security is about more than just confidentiality. The security triad is referred to by the acronym CIA, which most reading this post will know stands for Confidentiality, Integrity, and Availability.  In every security program, one of these items takes precedence over the other two.

In the case of the NSA contractor who placed classified material on their home computer, confidentiality was clearly the most important of the three. However, there are few organizations for whom a breach of confidentiality is really the most damaging impact. In the vast majority of organizations, devastating compromises to integrity and availability would have a far greater impact on organizational health.

Read the full post (including scenarios for compromising integrity and availability) on the Rendition Infosec blog.