Sunday, June 22, 2008

Wired quote on storage sizes

I thought this quote from Wired magazine interesting:

The Petabyte Age is different because more is different. Kilobytes were stored on floppy disks. Megabyites were stored on hard disks. Terabytes were stored in disk arrays. Petabytes are stored in the cloud.


I wonder what the next size up will be.

Friday, June 20, 2008

Verizon Data Breach report

I finally got a chance to read this report, and I'll say, it's excellent. You can find a copy of it here.

I'll highlight a couple of points.

90% of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.


I see this all the time. I can't believe how many times I've responded to an incident and I ask "do you apply the updates from Microsoft's update service?" Usually I get looked at like I have two heads. I've been one place that applied patches less than quarterly.

Investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of the attack.


This sounds like a no-brainer, but some places I've responded to have ZERO security.

Some other points the report brought to light:

  • Know where your data is. Many times the critical data is stored on the sql server. However, reports may be contained elsewhere, and there's no thought to securing that data.
  • Attacks that originate from outside the company make up most of the attacks. However, the greatest damage comes from insider attacks.
As far as the origin of the attacks, the report found:
  • Asia: application exploits for data compromise
  • Middle East: mostly defacements
  • Eastern Europe/Russia: compromises of POS systems
Internal attacks were created by:
  • Sys Admins: 50% of the time
  • Employees (non-sysadmins): 41% of the time
  • Everyone else: 9% of the time.
This is a great point that everyone in charge of security should be aware of and remember:

Given enough time, resources and inclination, criminals can breach virtually any single organization they choose.


Of course, they go for the low hanging fruit, or where they can get the most reward.

Here's a stat on timing:
  • From the point of entry to compromise - it runs from a few hours to days.
  • From compromise to discovery - the average is MONTHS!!! No one is watching the fort.
  • From discovery to mitigation - WEEKS!!! What? I mean some things take some time, but I would think there would be pressure to get that timeframe down.
Finally, there was a section titled Unknown Unknowns. It said that:

9 out of 10 breaches include:
  • A SYSTEM unknown to the organization (or business group.)
  • A system storing DATA that the organization did not know existed on that system.
  • A system that had unknown network CONNECTIONS or accesibility.
  • A system that had unknown accounts or PRIVLEDGES.
A great read. It's on

Wireless ATM update

I took the kids for bagels the other day. Since school is out, there are lots more kids out and about; and apparently many of them hit up the bagel store during lunchtime. (Ed. the bagels at this place are really really good.)

So, since I had to wait in line (and that line stretched out the door,) I figured I would casually check out the ATM. There's a sign on it that states that it is owned by the store. On top, is a mini-antennae, with a cord going into the kiosk. While casually looking around, I could not find an access point in plain site. What I can't answer is if the store has an access point in the back somewhere, or the signal goes "off premises."

This needs checking out. And I would NEVER ever use this ATM.

Wednesday, June 11, 2008

Wireless ATM?

[caveat: I don't know much on the mechanics of ATMs. I've seen the inside of one while it was being repaired, but that's about it. The machine in question was a stand alone unit in a bagel shop, not in a bank.]

The other day, I took my son to a local bagel shop for lunch. As we went in, there was a woman standing by the door, not in line to get anything, and holding her bank card and her wallet. I didn't think much of, I just looked to make sure my son wasn't cutting her in line. We place our order, wait five minutes, then leave.

On the way out, I notice that one of the managers is talking to her, and the only thing I hear as we walk by is "honestly, I can't tell you much, the machine connects wirelessly."

WHAT THE?!?

I must have mis-heard him. That can't be, can it? Like I said, I don't really know the mechanics of how they work. I have a (real) high level understanding. But, I would have thought the machine would have connected via a hard wire of some kind. I never would have guessed wireless. So.....Where's it connecting to? How many other machines connect to the same location? And really, what's the security like on that connection?

One of these days we're going to have to go down there, get bagels, and eat in the car. And I may just have to bring the laptop.

I'm still surprised by what I heard. I hope someone can set me straight and either fill me in on what I (probably) missed; or explain how the machines really work.

Passed the exam!

I forgot to write last week, but I passed the exam for SANS GCIH.

Woohoo!

I took both practice test that were alloted to me. And I'll say, if you pay attention in class, and generally know the material, you will do fine. Also, I thought the actual exam I took was harder than both of the practice tests I took; I don't know if that is done intentionally.

The center where I took the exam was fine; I was the only person taking a test at the time. I'd say it took a little over an hour and a half to complete. The proctors were surprised I passed. I had to look at them a little quizzically, as that is not the reaction you want to hear when you are finished. But, they added that they have had people sit for the same exam and run out of time.

Anyway, I whole-heartedly endorse the exam and the certification.

Tuesday, June 3, 2008

Now what?

Saturday, I went down to my office to take advantage of some free time to pay bills, do some accounting, etc. I noticed outside that it was getting ready to rain; so I decided to get home before the rain started. On my way back to the car, I see a guy headed for the front lawn of the office building carrying what looked like a real estate sign.

Hmm.

I go do an errand, and instead of heading right home, I circle back around my office building. Sure enough, there is a For Sale sign on the front yard of the building. Great. Then it starts pouring.

After I get home, I fired off an email to my landlord; asking what's up. He replied that he "just got an investment opportunity" and needed to sell the building.

Fast forward to today, and I get a phone call from the landlord asking me if it would be ok if he showed my office; a prospective buyer had just flown in today. Yes, he normally gives twenty four hours notice. It doesn't matter to me, so I said yes.

I can't imagine this is good. A best-case scenario has my rent doubling, probably. A worst-case scenario has me looking for new office space (though I could be doing that even in the best-case scenario.) This is not the stress I need.

I plan for all kinds of issues, and try to have some kind of fallback for some of the risks. This was one risk that I had on the "low" side of the list. It wasn't the issue I thought I would be mitigating right away.

Opt-Out phone spam?

Here's a new one...
We got a call for my wife. It was an advertisement; the last day for her to sign up for a conference. She gets mail from them all the time, so it was a company/association I was at least familiar with. They were advertising that today was the "very last day to register for their conference and take advantage of the EARLY BIRD SPECIAL." I don't think my wife knew of this conference; certainly, if she did, she wasn't planning on attending. But, at the end of the message, the recorded caller said I could opt-out of future phone calls. WHAT?!?
When did this start?