Black Hat 2014 Las Vegas, NV - The thought of a network breach or targeted attack is what keeps most systems admins up at night and constantly irritated to boot. The need to man the walls and make sure the moat is filled all the time is exhausting and nearly impossible in today’s moderns and increasingly distributed networks and business models. It makes the thought of a breach not a “what if”, but a “when”. This is becoming the new way of thinking about security. As we have talked about in the past people are no longer thinking they can keep everyone out, but are concentrating on quickly identifying and mitigating the inevitable breach.
This morning as I was cursing through the internet news sites I noticed a trend. I saw multiple articles about the state of security all of them claiming that the bad guys a winning or lamenting about the increase in cyber-attacks. Both of these themes are very true, we are seeing an increase in the number of attacks per day (in 2012 it was roughly 1 per day) and the “bad guys” seem to be able to penetrate security with ease. So if this is the case, why do we see more and more efforts to move data and services into the cloud?
Malware and breaches are inevitable. Anyone that has been in security knows that this is a simple fact. Every day there are hundreds of attempted (and successful) attacks executed against businesses, consumers, and the government. These attacks have been traditionally met with an incident-response thought process. IT departments monitor their networks for suspicious activity and respond when/if they find someone who is either attempting to or actually has broken in. Sadly, this is probably not the best way to handle security.
About five days ago a hacker that goes by the name of Reckz0r kicked off a new group called SpexSec which created quite a stir. We talked about the group’s appearance and just as sudden disappearance. They showed up made three dumps of data and after a short exchange with someone on Twitter all three of the SpexSec members announced their retirements.
You know, back a very long time ago (sometime in 2007 or so) I wrote an article on how dangerous the idea of cloud computing was (and is). The article centered around the fact that in almost 99 cases out of 100 the company that is responsible for the security of your information and services are going to spend as little as possible on maintaining them and securing them. They are banking on the hope that no one tries that simple exploit or can even find the servers in question. Or for that matter they put their trust in other companies to manage their security for them. These companies then do the same thing all over again all to make sure they keep the best profit ratio possible.
A couple of weeks ago there was an uproar over the data collection practices of the iPhone social networking app Path. This app was intended to allow users to have a more intimate social networking experience. Well like an intimate partner they appear to have been going through some of their users personal information. In fact Path was requesting and uploading users contacts lists; including phone numbers, email addresses, physical addresses, and anything else that was attached to the contact in question (there is a lot you can put in a contact entry).