contributed

TRUST: Threat Reduction via Understanding Subjective Treatment

It has become obvious (to me, anyway) that spam, phishing, and malicious software are not going away. Rather, their evolution (e.g. phishing-to-spear phishing) has made it easier to penetrate business networks and increase the precision of such attacks. Yet we still apply the same basic technology such as bayesian spam filters and blacklists to keep the human at the keyboard from unintentionally letting these miscreants onto our networks. Ten years ago, as spam and phishing were exploding, the information security industry offered multiple solutions to this hard problem. A decade later, the solutions remain: SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). Still: we find ourselves still behind the threat, rather than ahead of it. Do we have the right perspective on this? I wonder. The question commonly today is: “How do we identify the lie?” But as machine learning and data science become the new norm, I’m […]

Continue Reading

Dan Geer Keynote: Security of Things Forum

The following is a transcript of a speech given by Dr. Dan Geer at the Security of Things Forum on May 7, 2014. The Forum was held at The Sheraton Commander in Cambridge, Massachusetts. The official copy of Dr. Geer’s speech lives on his web site, and can be found here. .Security of Things .Dan Geer, 7 May 14, Cambridge Thank you for your invitation and to the other speakers for their viewpoints and for the shared experience. With respect to this elephant, each of us is one of those twelve blind men. We are at the knee of the curve for deployment of a different model of computation. We’ve had two decades where, in round numbers, laboratories gave us twice the computing for constant dollars every 18 months, twice the disk drive storage capacity for constant dollars every 12 months, and twice the network speed for constant dollars every […]

Continue Reading

Is Pavlovian Password Management The Answer?

Something hit me straight in the face that may be a method for inducing cognitive awareness to end users in regards to password management. Ironically this also has a side effect of scalability when managing password changes. It isn’t completely flushed out but I wouldn’t mind getting some opinions on this. I am thinking of prototyping this in a PAM module in my spare time. Here goes… For end users we have been trying to get users to understand the importance of constructing good passwords. We provide guidance on what a good password is (even though the guidance that I have seen is still usually unacceptable in most places when compared to NIST guidelines). We spend a lot of time telling the user to “do this because security experts advise it, or it’s part of our policy” but we don’t really provide an incentive or an understanding of why we tell them to do this. Well humans are programmable, and the best […]

Continue Reading

For SANS Critical Controls: Authentication Missing In Action

Authentication is the gateway to privilege and authorization. Consider how many portions of your life, digital and otherwise, revolve around authentication. Whether you want to do Internet banking, tweet a friend, or buy a present, some sort of authentication likely occurred to allow you to do so.   But when it comes to one of the most widely used sources of advice for organizations to improve their security, authentication is absent. I’m speaking about The SANS Institute’s “20 Critical Security Controls.” This list represents a great public-private partnership effort with SANS, the Center for Internet Security, and Center for Strategic and International Studies all involved in its production and maintenance. The goal of the document is to help provide organized guidance and actionable improvements for organizations wanting to strengthen their security posture. Because of the separation of subject matter into individual control areas, the document is quite useful at conveying […]

Continue Reading
1 16 17 18