Category Archives: Security

The Internet of No Fun

Little Bobby rushed in with the speed and joy that told the world he was five and a half years old and loving it. “Dad! A drone fell into our backyard! Can we keep it?”

Dad leaned out to the right to look at Bobby around his monitor. “Hold on there, sonny… have you done a VA scan on it?”

Bobby looked at the ground the way only a five and a half year old whose dreams were being confronted with harsh reality could do. “No…”

“What is our rule about bringing devices on to our wireless network?”

“No devices on the network until we’ve done a VA scan.”

“And?”

“And we’ve either patched or otherwise mitigated the vulnerabilities.”

“And?”

“And we’ve filed the change request documentation.”

“… And?”

“And we’ve got the change window scheduled, gosh, dad, you make all this no fun!” Bobby looked like he was ready to cry. Or update his resume and start looking for a new dad.

Dad knew that it was pretty much the same everywhere. Not wanting to see any turnover in the kid department, he worked on a consoling angle. “You think this is no fun? Then maybe it’s time I had you sit with me doing all the qualification testing so you’ll see just how much no fun this is for me, too!”

The shared experience reminded Bobby that he was in this together with everyone else. It’s not uncommon for five and a half year olds to express contrition and Bobby did just that. “Sorry, dad… I’ll go fire up the Kali Linux box…”

“There’s a good boy. Daddy has to go to a meeting now with Uncle Frank about next year’s family IT budget.”

“Are we gonna get a new firewall?” That exuberance again. Kids sure do bounce back, don’t they?

“Well, we’re still paying for Grandpa’s unexpectedly high syslog generation, but I think we might get a new firewall in Q2 next year.”

Bobby ran laughing down the hallway. “Yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay!!!”

The meeting with Uncle Frank went well and Dad was happy that there were a few more goodies in the budget besides the firewall that he’d be able to announce at the family Q4 wrap-up meeting on 25 December. Dad had just enough time to type a few lines of code and then Sara stomped in the way only a 13 year old expecting to be disappointed could do. “Dad, can I go to a friend’s house now?”

“Did you finish ringfencing all your old wearables?”

Exasperation permeated the room. “Yes. Dad.”

“OK, did you also wipe the config on our old perimeter router like I’ve been telling you to do for the last three days?”

“Yes. Dad. I did it. It’s all wiped. Are you happy?”

“Sara, don’t take an attitude with me or you’re not going out.”

“Sorry.” Not very sincere, but a dad couldn’t expect much better from 13 years old.

“All right, that’s better. Which friend did you want to go see?”

“Veronica.”

Dad was concerned. He really didn’t want Sara hanging out with Veronica. Veronica’s family didn’t have very good change management processes and it was common knowledge around town that they weren’t necessarily up to date on their patch management. “I would be happier if she came over here.”

“Oh God, not this again.”

“Well, Sara, you tell me. If I try to RDP to Veronica’s family’s domain controller, am I going to get blocked, or am I going to get a login screen?”

“Dad, they have a really secure password on it!”

“That’s not my point, Sara. You know as well as I do that I shouldn’t even be able to reach that server, let alone via RDP. Now am I able to reach that server or not?”

“Fine. You win. I’ll just rot away here.”

“Sara, that’s not a win for me. I just want you to be safe, that’s all. Even if you left your cell phone home, your shoes are still exposed. As are your pants, your shirt, those earrings, am I right?”

Sara rolled her eyes with the wild, limbic-system fueled thinking so prevalent amongst the 13 year old set.

Dad tried to persuade. “And what happens to the rest of your clothes if the ones you’re wearing now are compromised?”

“Dad! That happened ONE TIME when I was eleven! Why do you have to keep bringing it up?”

“Well, you seem to be on track to have it happen again, when you’re 13. I’d rather not have to deal with another breach.”

“What. Ever.” Sara exhaled hard, but then had an idea. “What if I put all my clothes on airplane mode, will that be OK?”

Dad considered. That was reasonable. “OK. You put them all on airplane mode and you can go to Veronica’s. Get mom to take you, though.”

“She can’t dad. She’s on a sev one TAC call with the refrigerator vendor. There was a problem with our proxy and now the licensing on the fridge is all messed up.”

“OK, let me just wrap up this IPS signature modification and I’ll take you, just as soon as I get it into production.”

Dad was ready to get out and drive around for a while, anyway. Drive wasn’t really the right word, since the car did it all itself, but it was best to have a parent go with a kid, just in case. Gary Rasmussen’s daughter knew how to hack past parental controls on cars and could go pretty much anywhere unsupervised. Then there was that fight that Linda Hartford’s son got into where he and that other kid, Jerry something or other, kept hacking the speed governors on each other’s cars so they’d barely crawl. Having a parent ride along tended to keep those kinds of teenage shenanigans from happening.

Grasshopper and Ant and the App Store

One day, at the beginning of spring, Grasshopper and Ant each got a new smartphone. They both chose the same make and model. They even had the same cell carrier with the same data plan. The only difference, apart from Grasshopper being of the order Orthoptera and Ant being of the order Hymenoptera, was their general attitude towards security in general and app permissions in particular.

Ant was very security-conscious. He switched off his GPS and other location services, activating them only when he needed them, and then turned them off again right away. When he loaded an app, he read carefully over what permissions it required. Any game, for example, that needed access to his contacts list was right out, as were other apps that seemed to need access to data that seemed unrelated to the primary function of the app. As a result, Ant did not have many apps on his smartphone. He did load quite a lot of music and ebooks on his phone for entertainment, but refused even to install Facebook or Twitter. He was just that kind of guy.

Grasshopper, on the other hand, loaded all kinds of games and apps on his phone. He didn’t care what permissions they wanted, he would load them up. He would load them up, use them for a while, and then forget about them and load more apps. Ant thought Grasshopper was out of control. Grasshopper thought Ant was a party pooper.

It may not surprise you, dear reader, to discover that Ant also checked his credit card statements regularly while Grasshopper had a more carefree attitude towards personal finance.

At any rate, all through the spring and summer and into the fall, Grasshopper combined hundreds and thousands of shapes into rows of three or more, built up digital armies and empires, and used every emoji that he could find. Ant, meanwhile, kept to his books and his music.

As the first snow of winter fell to the ground, Grasshopper got a letter in the mail that many of his credit cards had been maxed out. Grasshopper didn’t think that he’d made that many in-game purchases, so he checked over his recent statements in greater detail. He was shocked to discover a number of very large purchases on his account for goods that he had never received. Not knowing what to do, he went to Ant’s house and begged Ant for a few scraps of food to tide him over through the winter, for he had no means to purchase provisions, what with his maxed-out cards.

Ant chided Grasshopper, “I’ll give you nothing, foolish Grasshopper!”

Grasshopper felt like a melting snowflake. “That’s a bit harsh, Ant. Where is your pity? Your sense of charity?”

Ant growled on, “Look, those are obviously fraudulent charges on your accounts. Just call the credit company and have them removed. You’ll have to cancel all your cards, but-”

“Oh! Whatever will I do without credit cards?”

“Well, you could let me finish my sentences, for a start. As I was saying, cancel the cards, BUT you will get new ones in a few days. That’s how it works out. It’s possible that the charges were just simple fraud from one of your apps being a front for bandits or from you not using secure sites for purchases.”

Grasshopper began to dance a little. “Why, that is marvelous news! All will be well!”

“Quit interrupting me. And you could stand to be a little less manic-depressive, if possible. All will not be well if this is part of an identity theft. There have been a number of major breaches of late, and I’m sure at least one of the million apps you’ve downloaded was a headline. You should get a credit report and see if any accounts in your name have been opened up recently – and if those accounts also have maxed out cards. Then there’s a follow up with the IRS to see if someone files a fraudulent tax return in your name, to get a government refund sent to them. That’s just the start, really.”

Grasshopper was silent.

Ant said, “I’m done. You won’t interrupt me if you say something now, if-”

“Oh! Goodness! Identity theft! Whatever shall I do? Please, brother Ant, do you have an identity I can borrow to see me through the cold of the winter?”

“It doesn’t work that way, Grasshopper. I recommend you check out articles on what to do if you’re a victim of identity theft.”

“Why can’t you tell me more, O wise Ant?”

“Because I’ve never had my identity stolen! I don’t know what else to do, as I’ve never had to know!”

“Why haven’t you had your identity stolen?”

“Well, for starters, I’m careful about the apps I load on my phone. Now, do you mind? I’m with people, here.”

Grasshopper bid farewell and trudged home, sadder but wiser. One by one, he started to uninstall all his apps and vowed to never again blithely install a game that needed access to his web history, contacts, location, calendar, phone records, media folders, and core OS files.

Fox and Crow and the Strong Password

Once upon a time, Crow had a rather nice hunk of cheese. Rather than hold it in his beak, which would leave it vulnerable any time Crow wanted to talk, Crow placed it in a vault and secured the vault by means of a very strong password.

Now, Fox happened to be walking past Crow’s tree when he saw the vault in the tree’s branches and a computer system connected to the vault. “There’s something you don’t see every day!” Fox said to himself as he sat under the tree a while to watch what was going on with the vault and the computer, which really stuck out among the leaves and branches of the tree.

Crow noticed that Fox was making general observations. Being a rather clever animal himself, Crow decided to try to get Fox to move along before Fox learned enough to compromise Crow’s security. Crow shouted, “Move it, Fox, or I’ll start throwing acorns at your head!”

Fox replied, “But good sir Crow, I’m only resting in the shade of this lovely tree a moment! Would you deny a fellow woodland creature such a blessing in the heat of the day?”

Crow would have none of that. “There are plenty of trees around here, move your bushy butt!” With that, Crow started to pelt Fox with acorns.

Fox ran away, but was still determined to get at the contents of that vault, whatever they were. Only valuable things go into vaults, and there was a good chance that what was valuable to Crow would also be valuable to Fox. Fox thought of a plan on how to penetrate Crow’s security.

As a first step, Fox went to the nest of a killdeer bird. The nest was on the ground and it held four small eggs, really too small even for Fox to want to make a meal of them. Fox merely placed his paws near the eggs and waited for Killdeer to return.

When Killdeer came back from foraging, she saw Fox near her eggs and immediately pretended to have a broken wing, hoping to draw Fox away from her nest.

Fox would have none of that. “Easy, sister, I’m not falling for the broken wing con you killdeer run. And I’m not interested in eating the eggs. I’ll be happy to leave them alone if you have a simple conversation with Crow on my behalf.”

Killdeer was a little panicked, given how Fox was holding her eggs hostage. “I’ll go to Crow. What do you want me to say?”

A short time later, Killdeer hopped on to a branch in Crow’s tree. She introduced herself. “Hello Crow, I’m a security researcher. I’m checking with folks in this area to see if they’re using strong passwords to secure their valuables.”

Crow puffed up his chest feathers. “I have a very secure password, indeed.”

“Does it include upper and lowercase letters?”

“That it does, and more!”

“Does it include numbers and non-alphanumeric symbols associated with the number keys?”

“That it does, and more!”

“Does it involve a phrase so that you can use the phrase as both a memory aid and as a lengthy password?”

“That it does, and more!”

“Does it involve non-alphanumeric characters not associated with the number keys?”

“That it does, and more! Look, is this going to go on much longer? I got things to do.”

“Oh, that was pretty much my last question, Crow. If all those things are true, then you certainly have a nice, strong password. Although…”

“What?”

“Well, I just don’t know if it’s the strongest password possible. It may be good, but is it the best?”

Crow was a vain fellow and couldn’t stand the thought of his password possibly not being the best. “Well, what’s the best password you’ve heard so far?”

Killdeer said exactly as Fox had instructed her. “*aRRa(ud4B1t35Ar3Pa1nFu|”.

Crow laughed. “That’s only 24 characters! Mine is much better than that!”

Killdeer asked, “Well, what is it?”

Crow cackled out, “,,V4n!7Y_I5-tH3(f1477eREr_()f=7hE_S0u1,,”.

Killdeer nodded, “My! That truly is a great password. It absolutely sounds like the best one, ever!”

Crow nodded proudly. “Told you so.”

Later that night, Fox climbed up Crow’s tree. Red foxes like Fox normally didn’t climb trees, but Fox had watched a few YouTube how-to videos on how to climb trees made by some gray foxes, who themselves are famous for their climbing abilities. Once up the tree, Fox entered Crow’s great password into the computer and was able to access the vault. Although the large hunk of cheese made climbing down difficult, Fox managed the maneuver and made off with his ill-gotten gain.

In the cold morning light that followed the robbery, Crow saw the opened vault and his insides turned ice cold. Too late, he realized that a password is no good at all once someone else knows it.

Tortoise and Hare and the Internet

Once upon a time, Tortoise and Hare both decided to start their own e-commerce firms. Both received roughly the same amount of bank financing, but while Tortoise put some funds towards a firewall, an IPS, and an anti-phishing program, Hare went cheap on his firewall and put everything he had into fancy marketing materials. For storage, Tortoise kept his data on-premises while Hare put all his data into the cloud.

Hare thought he was pretty slick as he started to rack up contracts at a faster pace than Tortoise.

One day, though, a Big Bad Moose pointed his tools at the IP range that included the public addresses of both Tortoise’s and Hare’s firms. The Big Bad Moose didn’t specifically target Tortoise or Hare: their numbers had just come up, so it was their turn to be targeted by the Big Bad Moose. Next week, it would be the Big Bad Duck or the Big Bad Gerbil, or, well, {Big Bad {$SPECIES}} would pretty much define all the evil hackers out there in the land. Point being, there were lots of hackers of all different types, so one shouldn’t be surprised if a Big Bad Moose is trying to pwn servers.

While Hare’s cheap firewall was enough to stop Moose’s general port scan, it didn’t do a thing against Moose’s SQL injection attacks on Hare’s firewall or the spear fishing emails to CarrotFest that Moose sent to people in Hare’s company.

Meanwhile, Tortoise’s IPS caught the SQL injection attacks and his phishing defenses blocked the emails to LettuceCon that Moose had sent to Tortoise’s company. Moose didn’t care. In his work, some attacks worked and some just made one focus on the attacks that worked.

After the Big Bad Moose got some username and password combos for Hare’s network, he was delighted to discover that the RDP port was allowed in from the firewall to servers and desktops inside. Moose used the stolen credentials to get good stuff like financial details and company credit card info, which he then used to buy lots and lots of stuff for himself, particularly big-ticket items like home theater systems that would fetch a pretty good return on eBay in “unopened” condition. Once those transactions had cleared, he sold the credit card numbers.

Big Bad Moose then sold access to Hare’s open relay mail server to a Big Bad Komodo Dragon. Within seconds, millions of spam mails in Bahasa Indonesia were flying through Hare’s mail server, effectively shutting down his business operations. Worse, only a few hours later, Hare’s email server got black-holed. Hare had no idea about what to do to get back into production. Nobody at Hare’s company knew what to do except to shut down the email server, which they did for a day, allowing them to get off the blacklist.

But, as soon as they turned it back on, the Indonesian spam from Big Bad Komodo Dragon came back on, as well. Hare shut down the email server again and called a consulting company to assess the damage. When the consultants found all the penetrations on Hare’s network, they recommended that he flatten all his systems and start over. When Hare looked at the consultants like they were crazy, the consultants showed Hare where his servers were now storing illegal pornography. That got Hare to agree with the consultants.

Meanwhile, Tortoise kept going like business as usual. He even started to get clients that had dropped Hare, due to Hare’s extended outage.

Hare noticed how Tortoise was getting more business and reckoned that his was going to fail soon. Hare made a career change and got into consulting, so that he could share his lessons learned with other small business owners. Whenever he saw another business owner trying to go as fast as possible without putting much emphasis on security, Hare would say, “Not so fast, there, buddy! Let me tell you why slow, steady, and secure can win the race…”

Trump Confirms His Own Breach of Security

The story was earnest and hotly debated by partisans: The President of the United States, in discussion with Russian officials, revealed highly sensitive materials. Supporters of the president denied such things ever happened as opponents demanded answers.

Then, on Twitter, the president confirmed that he had revealed secrets to the Russians. He gave a reason that ostensibly justified the revelation in his view, but the kernel of the message was that, yes, Trump freely gave sensitive information to Russian officials.

This is disastrous. Not only did Trump speak freely about things best kept secret, he also allowed a Russian photographer into the Oval Office for an unrestrained photo shoot. What other pictures were taken in the Oval Office besides those of Trump and the Russian dignitaries? What documents would have been in view that the photographer would have recorded?

Back to the conversation: in US Army training films from World War Two, the message is emphatic – even if one reveals only bits and pieces of a fact, those bits and pieces are assembled with other bits and pieces to reveal a more complete picture. The training films illustrate this more complete picture with scenes of one’s brothers in arms getting slaughtered by the enemy and an officer delivering a post-mortem condemning those who talked.

Trump claims that he was being helpful and humanitarian. The training films talk about that: Name, rank, serial number, that’s all you tell them. Some observers speculate that Trump was bragging about what he knew. The training films talk about that, as well: Name, rank, serial number, that’s all you tell them. What about cooking up a story to deliberately mislead? The army’s advice on that is as simple as it is predictable: Name, rank, serial number, that’s all you tell them.

While it may not be illegal for a president to breach security, it certainly is unwise. It certainly also has consequences outside the legal system. Elements in what Trump revealed could indicate sources and methods used to acquire the information, even if Trump himself did not discus those things. Once the bits and pieces are combined, that more complete picture could have US intelligence assets picked up for questioning by enemies of the nation. It could have other partners in intelligence sharing hesitate and ask if what they share will eventually make it to the Russians by way of Trump. These consequences are serious.

Whatever his rationalization for revealing the information, Trump should not have revealed it. The Russians can help themselves with their own resources. Humanitarian concerns could be addressed in a host of other ways, without revealing sensitive information. Granted, there are certain topics that must be discussed in such meetings, but they must be discussed in a guarded and deliberate fashion, no matter how genial and cordial one’s discussion partners may be. For everything else, and I mean *everything* else, there’s only one answer and the US Army beat me to it: Name, rank, serial number, that’s all you tell them.

Shame on Mr. Trump. He can’t maintain proper security. How sad!

Meet the Hackers

Hackers… they’re a bunch of social misfits, loners, hoodie-wearing, energy drink slamming programming geeks, right? Well, no. They’re not. The bad guys with computers are not the sort to slide easily into media stereotypes. Most of them are members of criminal organizations or have nation-state backing. Awkward loners don’t fit in with the Russian Mob or the People’s Liberation Army. Gotta have team players in those groups.

Hackers don’t always use computers, either. Social engineering – also known as running a con job – is incredibly effective and simple to do. You’d be surprised how many people will give out their passwords when accused that they’re not strong enough. “Why, you better believe I got a secure password! It’s +O;66fg#3.>ha!” Hint: the password isn’t secure anymore if it’s been read out loud to someone else. It’s also not secure if it’s written on a notepad or post-it note.

Do you have someone that’s always asking questions about where things are on the network? That’s possibly social engineering. One guy did that at a company and learned where the financial data was stored. After a two month interval, a tiger team broke into the server room and stole that exact server. The thieves were caught and the connection to the inquisitive employee became evident. The people at that company were shocked to discover that a guy they all considered to be a cheerful, bumbling, balding co-worker was in fact in league with organized crime.

That guy, and others like him, are well-camouflaged. They blend in. They go to lunch with the rest of the gang. They have neither an excess, nor a deficit, of cool. They live in apartments and homes, they watch sports and reality teevee shows, they drink beer, they may not even know anything more technical than how to copy and paste and add an attachment to an email. Because, face it, if a guy copies a sensitive document and then sends it to someone that shouldn’t have access to it, that’s a data breach. A hack. And the guy that did it could have been a total shlub.

True, he could have been a more exotic chap, say, a soldier in an army unit responsible for espionage via computers. But that guy’s not working alone. He’s also not working on a short timetable. Guys like him or the organized crime types have all the time and patience in the world to find where the weaknesses are in an organization and then exploit them. They develop custom code, just like other corporations do, but their custom code is dedicated to undermining their target, rather than developing just-in-time strategic synergies. Most of what they do goes undetected for the simple reason that the vectors they use are either ones that haven’t been used before or their target isn’t looking where they’re active with .

If you like the shows with slick hackers with social flaws, keep on enjoying them, along with everything else that’s been Hollywood-ed up. But in your real life, the guy compromising your financial data is going to buy a case of beer and then have a trip to Disneyland. Be careful about the questions that you answer and hope that you’ve got a security team that has a data loss prevention tool in place, among other things.

The Myth of Efficiency

Would you like for your car to run faster? Well, it’s easy. Just shed excess weight on the vehicle. Get rid of the doors, seat cushions, seat belts, airbags, windows, the roof, electronic systems, and man! That car will MOVE!

What’s that I hear you say? It will be unsafe? Well, pardon me, but you wanted it to be faster. You said nothing about preserving the current level of safety.

And although I doubt that any sensible person would want to drive that vehicle at top speeds, we do precisely the same things with our Internet usage and our programs and apps. We want them to be as fast as possible and, if it means less security, we accept the higher risk by saying “I’ll be careful!” and then going forth to enjoy the higher efficiency without really being any sort of careful at all. Why?

It’s simple to my mind. Our brains are well aware of the possible bodily harm that can result from a car accident, so we reject a tradeoff of mayhem mitigation for super speed. But a computer application? A website? No physical harm can result from using those things, so why not worry less and enjoy them more? We simply don’t think of the potential financial and personal wreckage that could result from unsecured data transfers. We fail to see that the injuries from unsafe computing are very real and very damaging and very permanent. If we did see what could happen, we’d ask for the digital version of safety belts, every time.

I’ll point a finger at programmers and designers: they want their customers to have the smoothest experience possible. That smooth experience makes money or facilitates the making of money, so it’s no small thing. But, again, the blindness to the risks in the digital world mean that those designers and programmers aren’t necessarily thinking about the safety of that experience. This is particularly evident in the emerging area of “smart controls”. Smart controls basically turn a phone or a laptop into a giant remote control device for something that used to not be remotely controlled.

Even the idea of remote control doesn’t sound all that bad. Our teevee remote controls do just fine, don’t they? But would you maintain that benevolent attitude towards your teevee remote if some kid a mile away was able to interfere with your choices and put your channel choice on anything he wanted? It’s no mistake that a “nightmare scenario” in many a spy thriller or sci-fi flick involved The Bad Guy taking over the airwaves and forcing the world to watch whatever he dictated. Stuff like that really freaks us out. Well, how about a nightmare scenario in which The Bad Guy messes with your thermostat? Or forces you to order an extra gallon of milk? Or locks all the world’s ovens on cleaning mode?

OK, so those are all #firstworldproblems. But the ones that can hit the third world involve disruption of power grids or supply chains. How about a man-in-the-middle attack that scrapes a few pennies out of every bank account in India? In places where microcredit is embedded into the local economy, such an attack could destroy lives. Who would do such a thing? Well, there’s a Marxist insurgency in about a third of India, so there’s my first candidate to execute such a move.

A home with a closed, unlocked door offers more security than some of these highly efficient applications. I mean, at least the door is closed, so that someone has to make an effort to see what’s going on inside. Far too many apps send every transaction, back and forth, in plain text.

Now, there are some security measures that are as easy as locking a door. But there are also some security measures that are as difficult as putting on a suit of plate armor and mounting a horse. As one would expect, the more complete security measures are also those that involve the biggest drags on performance. But look at it this way: which vehicle would you rather operate, a unicycle with a solid-rocket booster engine, or a comprehensively-tested motor vehicle with excellent safety ratings from its excellent safety features? While the unicycle rocket will definitely move faster than that car, the car exposes its operator to a much shorter list of potential hazards. For example, “death due to improper aim at start of journey” is a biggie to consider with the unicycle, not so much with the car.

So it should be in the programming and development world. It’s my frustration as a security professional to see security treated as a cost that should be minimized. Too often, I’ve heard of businesses that refused to stand for a reduction in efficiency that later wound up with their doors shut for good within days of the major breach that happens in the early days of their existence. To treat security as a costly afterthought is tantamount to saying one or more of the following phrases:

“I’d like to have all my employees lose their job after a major breach, which is statistically bound to happen very soon.”

“I would prefer for my company’s intellectual property to be in the hands of my competitors, preferably without my knowledge or ability to get recourse through criminal and/or civil courts.”

“I feel much better knowing that, when my financial records are breached, the criminals involved will enjoy high levels of server uptime, plenty of bandwidth, and be ‘very satisfied’ with their experience in compromising my network.”

“Our company’s vision statement is: We will have synergies of poor security and high ease of use enable criminals to have first grab at our profits, even before we pay our fixed or variable costs.”

That last one might actually get shareholder attention.

But what to do? I’m not a C-something-O or a member of any board or anything like that. I can’t tell my company or any other company that there are areas where security is a joke, and that’s where to expect the next breach. Even if I was a CxO or chairman of the board, there’s no guarantee that I’d have all my company’s employees take security seriously enough to realize when they need to help implement it. This becomes a huge deal in major corporations, where employees tend to reject anything not done 100% by the book, and offer little or no help after making the rejection. Now, the “why” of that may have more to do with outsourcing and other heinous practices to control labor costs, but it does point up the old Machiavellian maxim that mercenaries aren’t going to protect you as passionately or as effectively as your own citizens.

So, if you want to predict where the next headline-grabbing breach will be, look for a major company with a massive contract labor pool in place of full-time employees, that also brags about how fast and effective its operations are. That’s where the money is and, chances are, also where the advanced persistent threats are already embedded in the system.

Who knows? Maybe even one of those threats is so embedded, it even has a section of actual employees tucked away somewhere that actually provide technical support for it. They file exemptions with anti-malware groups and open up firewall rules and away they go…

So, to sum up, efficiency without security is reckless endangerment. We should be ready to have things be at least a little slower so that we can enjoy a greater measure of security.

For more, feel free to visit and join up with http://www.networking-forums.com.