Today I’ve seen two posts which cause me some level of discomfort.
In both cases, the outlined “security issue” is not really a security issue – it’s something else entirely.
Case the First – Close the Barn Too Late.
In a widely linked Search Security Dot Com “tip”, SANS darling Peter Giannoulis hits us with his THREAT MONITOR – Pod slurping: The latest data threat – in which he lays out the threat of the 80gb iPod Video as the latest and greatest way to steal all information from your organization… and tells you how to solve the problem in 3 easy steps:
- Restrict access to the USB port(s) on a computer system.
- Implement and enforce policies. No USB devices in the office means no USB devices in the office for ANYONE (including technical staff, managers, etc.).
- Implement the principle of least privilege. Doing so will ensure a user can’t access files which they do not need to access.
Welcome to the dark ages.
How about an enlightened approach which is based not on some limp pseudo preventative, but really just compensating controls – tell staff that you appreciate them, then follow up with actually meaning it – make the disgruntled insider the exception rather than the rule. Taking away someone’s music at work isn’t going to endear you as an infosec professional – it makes you one of the top disgruntling forces.
But I suppose that a Technical Director for the GIAC family of certifications might have a different set of design criteria for policy than an actual in-the-field-up-to-h(is|er)-eyeballs-in-regulatory-compliance-working-infosec-stiff. I’m much happier with a set of policies that make me the champion of the business by letting them be risk takers who know that someone is watching their back. And who isn’t toting around a glue gun as a “tool of the trade”.
I’m not afraid of a good technical preventative measure, but I’m convinced (and have the proof to back it up) that a good awareness program delivered by people who actually care not just about the material, but about the attendees, combined with a willingness to help the business rather than just saying “no” is the way to solve security problems. People want to do things securely, it is not our job to mock them or treat them like children – it is our job… our career… our calling – to bridge the gap between what IT can offer and what the users need to get their jobs (and lives) done.
What kind of professional do you want to be?
Case the Second – Brilliance.
In a posting to the focus-apple@securityfocus.com list, Todd Woodward points us to an Ars Technica article – Infinite Loop: New Airport Extreme could expose Macs via IPv6 – which describes the behaviour of the new 802.11n Airport Extreme and its handling of IPv6 in a default configuration.
It is decried as a security issue; however, I think it’s pure brilliance. You see, the time of perimeters was short enough, and now it’s over. In 1998, I can recall a certain ISP which ran without firewalls or packet filters of any kind other than a bogon filter. It ran that way until 2001 – when it had to go have a permanent lie-down. It was the way of things. Of course it was under constant attack, but the servers were designed, configured and secured in order to operate in that environment. Bill Gates and Craig Mundie cheerfully told us that last week – you should design and build systems which simply do not require a perimeter firewall in order to operate safely on the Internet. Additionally, it’s time to send IPv4 on its way – I’m tired and frustrated with the endless “which port-forward on the firewall/router goes to which internal box” dance that happens because I’ve got 3 machines that I’d like to talk to from the Internet. What Apple has done is essentially build in “get me out of RFC1918 hell and please do it automagically” functionality. Without any of the other features of the newest Airport Extreme, this feature (not security issue — FEATURE) is selling me on spending 3 times the price of a reasonable alternative. I want to be able to hop on IPv6 and get past the 1918 world… sooner rather than later.
As always, please post a comment, a counter-rant, or colourful pictures of unicorns and kittens – we here at Ye Olde’ Digest would love to hear from the ?thousands? of you who read the RSS feeds every day.