Archive for August, 2009

Mythic Monday – Tricksters

August 31st, 2009 Josh No comments

Most cultures have a trickster figure of some sort.  They go by many names: Coyote in North America, Anansi in Africa, Puck in Britain, Loki in the Germanic regions... and many others.  In the stories, there is usually not much, if any, justification for the actions of the tricksters... though their tricks usually fail in the end and they learn a valuable lesson along the way.

No matter what the story may be, the point often seems to be less the story itself and more about the learning.  There are stories about ethics, significant social changes, developing new skills and personal growth.  In almost every one, though, the lesson is learned by either the trickster character itself making a mistake or leading someone else into making a mistake.  Then, inevitably, significant learning occurs.

In many ways, it's all about attitude.  Tricksters tend not to care much about others, being led instead by their own desires and intuitions.  They get an idea and run with it, ignoring all else, until their actions bring about their own downfall.  In short, they are driven by curiosity, creativity and intelligence.

Tricksters break everything they touch, and sow discord everywhere they go, but they do make things happen.  You probably know people like this in your own organization.  They may be a bit narrowly-focused and their projects may have a significant number of... unintended consequences, but they manage to complete more projects in less time than anyone else.

Just as tricksters benefit a story, these personalities benefit an organization.  In a developer, these traits create new products.  In an administrator, they can produce significant efficiencies.  In a security professional, they can protect an organization in ways never before thought possible.  Of course, they also cause a significant amount of chaos as they implement these changes without really thinking things through.

There are many organizations... especially in I.T... that have the occasional local trickster.  Called "cowboys" or "lone wolves", they are often thought of as immature or unready for the business world.  In many cases, this is right. It is extremely easy to look merely at the negatives, and as a result, these people are often the first on the firing lines.

However, just as security is all about balance, so is business.  It is worth considering the long-term value of trickster-types.  Maybe they won't fit into the business over time, and it's best to let them go.  However, maybe they can learn (possibly through a mythic journey of growth and pain).  Maybe they can learn to temper their own erratic tendencies and put their creativity and curiosity towards the benefit of the business.  Perhaps all they need is a bit of guidance.  You'll never know if you don't try.

But remember, most cultures can only tolerate one or two tricksters.  Fewer than that, and they would stagnate, but more than that and they would be destroyed by chaos.

Categories: Mythology

Alert – Financial Processes Targeted

August 28th, 2009 Josh No comments

I normally avoid spreading word about specific attacks, as it is better for overall security to continuously strengthen your defenses and keep an eye out for strangeness.  Focusing on attack types and general security practice tends to have a better overall result than trying to play whack-a-mole and knock down individual people or pieces of malware.

That said, there is a current threat that people should know about, so I want to do my part to boost the signal.

At issue is a specific piece of malware that is targeting people with access rights to financial systems.  It generally arrives in the form of a targeted email (spear phishing) which then installs the malware.  Once installed, the malware monitors the computer for financial transactions and will then make some additional ones.

What's different here is that small businesses are being singled out.  This is largely because they tend to have weaker security and audit controls when compared to the larger firms.  So, though the larger firms tend to have more money to steal, stealing a smaller amount from a great many other businesses can net just as much.  And after all, a dollar is worth a dollar, no matter who it's stolen from.

To protect against this attack, you have to keep one thing in mind -- there is no guaranteed way to prevent it.  All you can do is do your best to protect yourself and check transfers regularly to make sure that you've not been hit.  In short, if your account people are not doing all of the below, your business is facing some serious risk:

  • Using a two-factor authentication system (RSA tokens are the most popular) to log in to the banking system.
  • Using a dedicated workstation for financial transfers.  This system should not have any email client installed and should be firewalled to only access the necessary web systems.
  • Entering into an agreement with your bank so that all transfers must be confirmed.  A verbal confirmation originating from the bank is best, as that way the attackers cannot initiate a transfer and then call the bank to confirm it.  If the bank cannot do that and you have to stay with them, look into email or SMS-based confirmation systems.
  • Using a bank-enforced 24-48 hour hold on transfers.
  • Checking your accounts regularly and reconciling all transactions.
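
One way to carry out the reconciliation in the last item, as an added example that is not from the original post: it compares the bank's export of outgoing transfers against your own register of approved transfers and lists anything the bank sent that nobody approved. The CSV layout, account labels and amounts are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample data: the internal register of approved transfers...
APPROVED_CSV = """date,payee_account,amount
2009-08-24,ACCT-A,1250.00
2009-08-25,ACCT-B,830.50
2009-08-25,ACCT-B,830.50
2009-08-26,ACCT-C,415.00
"""
# ...and the bank's export of what actually left the account.
BANK_CSV = """date,payee_account,amount
2009-08-24,ACCT-A,1250.00
2009-08-25,ACCT-B,830.50
2009-08-25,ACCT-B,830.50
2009-08-25,ACCT-X,9400.00
2009-08-26,ACCT-A,1250.00
"""

def load(text):
    """Parse a CSV export into (payee_account, amount, date) rows."""
    return [(r["payee_account"], Decimal(r["amount"]), r["date"])
            for r in csv.DictReader(io.StringIO(text))]

def reconcile(approved, bank):
    """Return (unapproved, unposted).

    Each approval is consumed by at most one bank transfer, so a repeat
    payment to a known payee is flagged just like a transfer to a new one.
    """
    remaining = Counter((payee, amount) for payee, amount, _ in approved)
    unapproved = []
    for payee, amount, date in sorted(bank, key=lambda row: row[2]):
        if remaining[(payee, amount)] > 0:
            remaining[(payee, amount)] -= 1
        else:
            unapproved.append((date, payee, amount))
    unposted = sorted(remaining.elements())  # approved but not seen at the bank
    return unapproved, unposted

if __name__ == "__main__":
    unapproved, unposted = reconcile(load(APPROVED_CSV), load(BANK_CSV))
    for date, payee, amount in unapproved:
        print(f"UNAPPROVED {date} {payee} {amount}")
    for payee, amount in unposted:
        print(f"NOT YET POSTED {payee} {amount}")
```

Run inside the bank's hold window, a check like this surfaces an unapproved transfer while it can still be stopped.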

Check out the following links for more information:

I would like to thank Rob Lee for alerting many of us to this situation.


Small Business Defense – Web Filtering

August 27th, 2009 Josh No comments

The term Web Filtering has many connotations.  On one side, employees (often younger ones) view it as a form of censorship.  On the other, business owners do have the right to require that employees spend their time doing what they are paid to do.  As is often the case, the best answer doesn't really match either extreme.

Filtering technologies come in many flavors.  They range from highly simplistic technologies that block specific domains to complex deployments that set rules for each user, matching them against a set of categories to block or allow.  They can also give fine-grained control over operations like file downloading and updates.

The costs vary too.  Generally, the more control you want, the more it will cost.  While there are some open source solutions that you could deploy for free, they tend not to be robust enough to work well in enterprise environments.  The dedicated appliances work well, but often require rearchitecting the network for implementation.  Lastly, there are modules that can plug into your existing network equipment, but they may be a bit more expensive than you would like.

Of course, the challenge of using such a technology is often not technical.  The problem is primarily a social one.  Do you have the political environment where it is acceptable to monitor Internet traffic?  Will users allow you to block access to sites that they're used to visiting?  Will management have a problem with you knowing the browsing habits of your fellow employees?

As usual, it's best to start with a policy that specifically controls what you will be doing and how the technology should work.  Then you can start implementing the technology using the policy as a guide.  At a minimum, you will want to define:

  • which types of sites are to be permitted and which are not.
  • which types of downloads are to be permitted (if any).
  • what to do when employees are regularly found to be attempting to visit blocked sites.
  • what "regularly found" may mean.

Lastly, before you implement the technology, it may be good to identify which types of applications you are using.  Some of these filters support a "transparent" mode but some must be run as a proxy.  Both methods work fine, but some applications may not be proxy-aware.  This can determine both the solution selected and the mode of deployment.

Categories: Business Security

Small Business Attack – Web Browsing

August 26th, 2009 Josh No comments

As much as we dislike it, a part of most people's jobs these days involves waiting.  Though they keep making computers faster and faster, there is still a bit of downtime involved.  While in the past, this time might have been spent talking with coworkers, these days it is more likely to be spent online.

There are many ways to spend your time online, from shopping to reading news to social media.  While there is nothing inherently wrong with being online, there are some concerns.  From a business perspective, managers may be concerned about productivity.  From a legal perspective, H.R. may be concerned about "inappropriate" sites.  And, of course, from a security perspective, we would be concerned that sites could be the source of a compromise of user data.

At issue is the fact that, while most malware runs directly on the computer, web malware can run inside the browser. If it doesn't run locally, and is sourced from a web site, it cannot be blocked with traditional anti-malware (though newer malware is aware of this attack vector). If all the malware accesses is data, there isn't a good way to distinguish valid data access from unintentional leaks.

So, how do you protect against this particular threat vector without completely banning employees from accessing the Internet? How do you manage to classify which websites are OK and which ones are not?

Categories: Business Security

Security Lessons from Nature – Cacti

August 25th, 2009 Josh No comments

Recent research has shown that some species of cactus manage to grow on bare rocks with the help of bacteria.  Basically, the bacteria break down the rock to give the roots crevices into which to grow, as well as provide nutrients to the cactus.  In turn, the cactus likely shelters the bacteria and allows them to grow and spread.

There are two items of interest in the article.  First, there is the basic observation that, though neither plants nor bacteria are capable of living exposed on bare rock (well, mostly), through combining forces, they manage to live in an inhospitable environment.  Since the environment is also inhospitable to many competitors, they can expend more energy towards growth and less towards defense.  Second is the realization that the cacti have managed to shelter the bacteria within their seeds.  This way, not only do the cacti themselves manage to thrive but their children get the same benefit.

From a security perspective, it's important to remember that the ultimate goal of security is to maximize protection while minimizing resource expenditure.  Commonly, this is done by erecting barriers and monitoring them to make sure that only the right people can get through.  However, alternate methods do exist.  Taking a lesson from the cacti, one would look for business niches that are difficult for other businesses to thrive within.  Then, one would seek out business partnerships to make it easier.

Such a path would not be for everyone, and after all, life as a cactus may be a tad... prickly. However, if you are starting a new business, this sort of partnership may allow you to protect your business simply by making it more difficult for competitors to gain a foothold, and allow you to focus more directly on growth.

Categories: Natural History