<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss version="2.0"><channel><title>TripleCheck Consulting Blog</title><link>http://blog.triplecheck.ca/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/TriplecheckConsultingBlog" /><description>The corporate TripleCheck Consulting Blog.  Providing interesting news and perspectives on Information Security topics.</description><language>en</language><managingEditor>mark.linton@triplecheck.ca (Mark Linton)</managingEditor><lastBuildDate>Fri, 05 Mar 2010 13:19:16 PST</lastBuildDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">74</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">25</openSearch:itemsPerPage><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="triplecheckconsultingblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><title>Anti-virus, Patching, Drugs and the Immune System</title><link>http://blog.triplecheck.ca/2010/03/anti-virus-patching-drugs-and-immune.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Fri, 05 Mar 2010 13:17:41 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-961521644349687005</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S5F04XXa-CI/AAAAAAAAAQk/1cQofnakghk/s1600-h/download.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 
1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S5F04XXa-CI/AAAAAAAAAQk/1cQofnakghk/s320/download.jpeg" /&gt;&lt;/a&gt;&lt;/div&gt;Anti-virus is a hotly debated control. For some it is a very profitable business model, and for others it is a primary portion of their security environment. In other circles, pointing out faults and weaknesses in anti-virus controls has become a banner for a crusade. All of this confuses the users who rely on it to protect themselves against online threats, which makes all of us a little less secure. I'd like to make the point that if we focused on the causes of our online illnesses, through secure software development and patching, this would go a long way toward improving our trust in the online community.&lt;br /&gt;
&lt;br /&gt;
Anti-virus, like the drugs produced by pharmaceutical companies, is good at one thing: treating known conditions affecting us. In anti-virus' case this is known malware and viruses. These treatments are still essential for treating these conditions, and investment in new treatments is also very important.&lt;br /&gt;
&lt;br /&gt;
On the other hand, secure coding, development practices and rapid patching of systems are like our immune system: they are there to help us prevent the infections from occurring in the first place. And just as doctors provide advice on avoiding situations and preventing conditions which would result in infection, security professionals provide advice on improving the processes around the management of our environments, and the behaviours of our users.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, like drugs, anti-virus products are promoted as being a cure-all by some vendors biased by the profits to be had in the sale of these products. Doctors live by a code of ethics which prevents them from relying solely upon drug treatments to treat, cure and prevent the conditions of their patients. Like doctors, we security professionals need to provide the best advice to our customers, ensure that we recognize the clear differences between these controls, and recommend and apply the right amounts of prevention and treatment.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-05T13:17:41.501-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S5F04XXa-CI/AAAAAAAAAQk/1cQofnakghk/s72-c/download.jpeg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>White House Unveiling Their Cyber Security Initiatives</title><link>http://blog.triplecheck.ca/2010/03/whitehouse-unveiling-their-cyber.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Wed, 03 Mar 2010 22:07:22 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-2053873245485227641</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S49NHR3JrXI/AAAAAAAAAQc/O3k4TUuN2y4/s1600-h/images.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S49NHR3JrXI/AAAAAAAAAQc/O3k4TUuN2y4/s320/images.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: Times, 
'Times New Roman', serif;"&gt;The White House has unveiled &lt;a href="http://www.whitehouse.gov/sites/default/files/Cybersecurity.pdf"&gt;a report&lt;/a&gt; describing the specific initiatives that the US government is taking in reaction to the global cyber security threat. These 12 initiatives, documented within the Comprehensive National Cybersecurity Initiative (CNCI), appear to be part of a well-coordinated plan championed by Howard Schmidt, the President's Cybersecurity Coordinator, and include:&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"&gt;&lt;br /&gt;
Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.&lt;br /&gt;
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.&lt;br /&gt;
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.&lt;br /&gt;
Initiative #4. Coordinate and redirect research and development (R&amp;amp;D) efforts.&lt;br /&gt;
Initiative #5. Connect current cyber ops centers to enhance situational awareness.&lt;br /&gt;
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.&lt;br /&gt;
Initiative #7. Increase the security of our classified networks.&lt;br /&gt;
Initiative #8. Expand cyber education.&lt;br /&gt;
Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.&lt;br /&gt;
Initiative #10. Define and develop enduring deterrence strategies and programs.&lt;br /&gt;
Initiative #11. Develop a multi-pronged approach for global supply chain risk management.&lt;br /&gt;
Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="color: #333333; font-family: Arial, Helvetica, sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style="font-size: 0.75em; line-height: 1.5em; margin-bottom: 20px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-03T22:07:22.661-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S49NHR3JrXI/AAAAAAAAAQc/O3k4TUuN2y4/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Web Application Vulnerability Scanners Compared</title><link>http://blog.triplecheck.ca/2010/02/web-application-vulnerability-scanning.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Fri, 26 Feb 2010 09:32:11 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-3101827578248648192</guid><description>&lt;a href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S4gDjKYM6KI/AAAAAAAAAQQ/3teEz_aWMlc/s1600-h/images.jpeg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5442604052293413026" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S4gDjKYM6KI/AAAAAAAAAQQ/3teEz_aWMlc/s200/images.jpeg" style="cursor: hand; cursor: pointer; float: right; height: 129px; margin: 0 0 10px 10px; width: 129px;" /&gt;&lt;/a&gt;Web application vulnerability scanning and identification is a hot topic for many customers, and there are a number of excellent products which can help with the identification process. Larry Suto has produced the second of his independent evaluations of these products and &lt;a href="http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf"&gt;posted the results&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
In addition, the guys over at NTO have &lt;a href="http://www.ntobjectives.com/blog/response-to-2010-suto-report"&gt;posted their response&lt;/a&gt; to the report, which captures some interesting debate and responses from the vendors regarding the results.&lt;br /&gt;
&lt;br /&gt;
This kind of transparency on the effectiveness of these tools is excellent and really highlights the challenges that ALL web application vulnerability scanners have, especially those tools that can't automatically find the vulnerabilities in their own test sites!</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-26T09:32:11.555-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S4gDjKYM6KI/AAAAAAAAAQQ/3teEz_aWMlc/s72-c/images.jpeg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Advanced Persistent Threats (APTs)</title><link>http://blog.triplecheck.ca/2010/02/advanced-persistent-threats-apts.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 18 Feb 2010 12:36:48 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-5034806252049694004</guid><description>&lt;div&gt;APTs, or Advanced Persistent Threats, are threats in which the threat agent (the person or persons responsible) is highly motivated, well resourced, and highly skilled. The modus operandi of these people is to identify high-value target profiles (senior management, the financially responsible, and the influential) and gain persistent access to sensitive information.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Over the last few months, there has been an increasing number of public reports related to APT incidents:&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html?mod=WSJ_hpp_LEADNewsCollection"&gt;Wall Street Journal&lt;/a&gt;&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.businessweek.com/technology/content/jul2009/tc2009076_873512.htm?chan=technology_technology+index+page_top+stories"&gt;Business Week &lt;/a&gt;&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Although it has been widely reported in the past that malware writers and the criminal elements funding their research were moving in the direction of smaller, more targeted attacks, it appears that this trend has accelerated and is catching many organizations and people off-guard in the process.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There are a couple of difficult challenges associated with countering these types of threats:&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;1) Threat information - with a few exceptions (government and private intelligence), most people and organizations in the commercial world have no idea who the people behind these attacks are, how they are motivated, the techniques they are using, or what type of information they are after. This severely limits our ability to prevent, detect and respond.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Many of the organizations in the recently reported incidents have fully funded security teams that are quite well trained and, I expect, very capable, but without a better understanding of the threats (who they are, what they are after, how they operate, how to respond) their efforts are not likely to be focused appropriately. Encrypted HTTPS sessions from client browsers to eastern Europe probably don't raise any alarms for most people today. There are many sources of vulnerability intelligence (Adobe has a new 0-day flaw), but very few sources of threat intelligence (criminal gang X in Europe is preparing to target the CFOs of petro-chemical organizations by hiring malware developers).&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We need to start sharing intelligence better. Governments who are funding intelligence research should expand these programs and build partnerships with the organizations being targeted. This serves both to inform the community about current threats and to collect information regarding incidents. Targets are in most cases commercial, non-military organizations that don't have the benefit of being briefed by the NSA on a regular basis. Those governments who don't collect this type of intelligence need to start. And commercially, private industry needs to serve our clients better by ensuring the advice being provided is as accurate and actionable as possible.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A good example of this is the &lt;a href="http://www.tscp.org/about.htm"&gt;Transglobal Secure Collaboration Program&lt;/a&gt; (TSCP).&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;2) Deployed control ineffectiveness - anti-virus and intrusion detection/prevention products have been developed to respond to malware that is reported to them, in most cases after the infection has occurred. Keeping anti-virus software updated is important, but so is realizing that it only protects against well-known vulnerabilities.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;These threats use custom malware, in some incidents used in only a small number of cases, and developed to be unnoticeable by the target. Exclusive dependence on traditional types of security controls for protection against these threats will only establish a false sense of security.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We also need to adopt a new set of controls and thinking when addressing these threats. We need to start isolating sensitive information and processing away from other, less trustworthy activities (web browsing, email, etc.), and we need to be vigilant in protecting them. We should start reintroducing the basic security concepts of fail-closed and whitelisting, rather than signature matching, into more of our sensitive processes, and educating our clients on the reasons they are not permitted to update their Facebook profile from the online-banking terminal.&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-18T12:36:48.516-08:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>ScanSafe 56%-80% of 2009 Malware Infections Related to Adobe Acrobat</title><link>http://blog.triplecheck.ca/2010/02/scansafe-56-80-of-2009-malware.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Tue, 16 Feb 2010 16:43:12 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-251089706458827002</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S3s7lxuGwYI/AAAAAAAAAQI/0MYeySs6Z04/s1600-h/viewer.png"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 200px; height: 154px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S3s7lxuGwYI/AAAAAAAAAQI/0MYeySs6Z04/s200/viewer.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5439006495167922562" /&gt;&lt;/a&gt;In a new &lt;a href="http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf"&gt;report&lt;/a&gt; released by Cisco's ScanSafe, they claim that 2009 started off with 56% of malware infections occurring by way of flaws found in Adobe Acrobat products.
This seems very high to me; I would think that some of the drive-by browser Flash infections still make up a larger percentage of this total.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-16T16:43:12.132-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S3s7lxuGwYI/AAAAAAAAAQI/0MYeySs6Z04/s72-c/viewer.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Chip and PIN Vulnerabilities Documented</title><link>http://blog.triplecheck.ca/2010/02/chip-and-pin-vulnerabilities-documented.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Mon, 15 Feb 2010 15:31:54 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-8528421480281594670</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S3nZYVHTofI/AAAAAAAAAQA/A3kRC6kxq2Y/s1600-h/100215-fishnchips-01.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 118px;" src="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S3nZYVHTofI/AAAAAAAAAQA/A3kRC6kxq2Y/s200/100215-fishnchips-01.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5438617037034463730" /&gt;&lt;/a&gt;A significant research document has been published publicly on some issues related to the new Chip and PIN standard.
Looks like the vulnerability is associated with a lack of coordination between each of the organizations involved.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The attack, although sophisticated, is easily carried out by individuals with no technical understanding of it, using simply a "wedge" inserted between the card and the POS device.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Considering that Canada's largest card issuers are all migrating to these cards, this is a big issue. I have not yet confirmed that this affects chip and PIN cards issued in Canada.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Link to press release: http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Link to technical paper: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-15T15:31:54.250-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_vcuxy3Ozzt0/S3nZYVHTofI/AAAAAAAAAQA/A3kRC6kxq2Y/s72-c/100215-fishnchips-01.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Targeted Attacks - 2010 Predictions</title><link>http://blog.triplecheck.ca/2010/01/targeted-attacks-2010-predictions.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Mon, 18 Jan 2010 10:10:42 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-5279084544869280758</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S1SkErNqLFI/AAAAAAAAAP4/vnsqGjj4yeQ/s1600-h/crosshair-5.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 199px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S1SkErNqLFI/AAAAAAAAAP4/vnsqGjj4yeQ/s200/crosshair-5.png" alt="" id="BLOGGER_PHOTO_ID_5428143851114736722" border="0" /&gt;&lt;/a&gt;We are not long into the new year and we already have two really high-profile targeted attacks:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The one reported at the end of December was a targeted attack on Google and a few other companies using some 0-day code. - &lt;a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html"&gt;Google's release&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The other is a new report of defense contractors being targeted using an only-recently patched exploit for Adobe Acrobat Reader. - &lt;a href="http://www.f-secure.com/weblog/archives/00001859.html"&gt;F-Secure's writeup&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Not surprisingly, the motivation of would-be attackers continues to move from targets of opportunity to targets of value; the surprising thing is how quickly this trend is progressing.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-18T10:10:42.645-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/S1SkErNqLFI/AAAAAAAAAP4/vnsqGjj4yeQ/s72-c/crosshair-5.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Security Updates - 
2009/2010</title><link>http://blog.triplecheck.ca/2010/01/security-updates-20092010.html</link><category>q</category><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Sat, 02 Jan 2010 13:30:58 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-7852050374822462830</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sz-6ziHKB9I/AAAAAAAAAPw/rQQz3pfcWwg/s1600-h/images.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 128px; height: 80px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sz-6ziHKB9I/AAAAAAAAAPw/rQQz3pfcWwg/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5422257870870284242" border="0" /&gt;&lt;/a&gt;Sorry about the hiatus between posts - it's been a busy holiday season and isn't showing any signs of slowing down in the next few weeks. I've posted a few tweets here and there for some quick updates but nothing major, so here are a few links that have really caught my eye over the last month or so (some really good stuff here!).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Best Practice / Research updates&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;NIST has published a draft revision of an important risk management framework which guides the implementation of, and compliance approaches for, FISMA. In my opinion this strengthens the guidance and makes it easier to implement - &lt;a href="http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-FPD.pdf"&gt;NIST's SP 800-37 Rev. 1 - DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. 
&lt;/a&gt;The draft was open for comment until the end of December, so look for a release sometime in January.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;ISACA has published &lt;a href="http://www.isaca.org/Template.cfm?Section=Research2&amp;amp;Template=/TaggedPage/TaggedPageDisplay.cfm&amp;amp;TPLID=70&amp;amp;ContentID=19817"&gt;two new sets&lt;/a&gt; of documents for members: an updated guideline on implementing and improving IT governance, and a new framework and practitioner tool-set for identifying and managing IT risks. In my opinion the Risk IT material provides a great high-level explanation of IT risk management principles and an excellent set of tools for identifying and measuring risks as part of an assessment. If you have IT risk management responsibilities and aren't a member of ISACA, it's time to sign up!&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Security Tool Updates&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are tons of new updates to tools, in fact too many to list them all here - if your job requires finding and using open-source and commercial tools, your toolbox just got a lot bigger.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://packetstormsecurity.org/tools20.html"&gt;PacketStorm Security&lt;/a&gt; has a bunch of recent updates to open-source tools, too many to list, but notables include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;wafp - web application fingerprinting&lt;/li&gt;&lt;li&gt;hostmap - for mining DNS information&lt;br /&gt;&lt;/li&gt;&lt;li&gt;wapiti - new web application vulnerability scanner&lt;br /&gt;&lt;/li&gt;&lt;li&gt;scapy - update to a great packet manipulator&lt;br /&gt;&lt;/li&gt;&lt;li&gt;metasploit! 
- after the Rapid7 acquisition, lots of development is happening here...&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;All for now - have a great new year!</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-02T13:30:58.041-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sz-6ziHKB9I/AAAAAAAAAPw/rQQz3pfcWwg/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Today's Security Variety</title><link>http://blog.triplecheck.ca/2009/11/todays-security-variety.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 26 Nov 2009 14:05:53 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-3932951427856893751</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sw6gVUHwX0I/AAAAAAAAANo/unNg7KSruRY/s1600/images.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 137px; height: 129px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sw6gVUHwX0I/AAAAAAAAANo/unNg7KSruRY/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5408436490557480770" border="0" /&gt;&lt;/a&gt;I've recently come across a few security-related items of interest that I thought might be useful to everyone.&lt;br /&gt;&lt;br /&gt;1. &lt;a href="http://shodan.surtri.com/"&gt;Shodan&lt;/a&gt; - a fairly robust internet search engine that can be used to identify specific products and interfaces. From the site:&lt;blockquote&gt; "SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. 
Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning."&lt;/blockquote&gt;2. &lt;a href="http://socialmediagovernance.com/about.shtml"&gt;Social Media Governance&lt;/a&gt; - a site with resources targeted at organizations' use of social media. This includes a list of companies such as Walmart, the BBC and the U.S. Air Force and their social media policies.&lt;br /&gt;&lt;br /&gt;3. &lt;a href="http://feeds.wired.com/%7Er/wired/index/%7E3/ncxzOzeOPns/"&gt;Wired Story&lt;/a&gt; on 9/11 Pager Texts - Looks like Wired is following the WikiLeaks release of millions of pager messages supposedly captured during the 9/11 terrorist attacks. This will be interesting to follow.&lt;br /&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-26T14:05:53.679-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sw6gVUHwX0I/AAAAAAAAANo/unNg7KSruRY/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>TLS Renegotiation Vulnerability</title><link>http://blog.triplecheck.ca/2009/11/tls-renegotiation-vulnerability.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 12 Nov 2009 23:25:38 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-8797078657944525547</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sv0J65_vkdI/AAAAAAAAANI/7KZmCHl7SUY/s1600-h/images.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 86px; height: 86px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sv0J65_vkdI/AAAAAAAAANI/7KZmCHl7SUY/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5403486035519705554" border="0" /&gt;&lt;/a&gt;As many of you have already heard, a very serious vulnerability was discovered in the TLS protocol, which is used across the general internet to secure many forms of communication, from the browser used to access banking online to the protocols used to secure messaging servers.&lt;br /&gt;&lt;br /&gt;The vulnerability itself is a design weakness in the protocol's ability to renegotiate the encryption used in a session after a long-standing connection.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.g-sec.lu/2009/11/sslv3-tls-man-in-middle-vulnerability.html"&gt;Here&lt;/a&gt; is a good write-up with links to some other information regarding the issue.&lt;br /&gt;&lt;br /&gt;Stay tuned on this though, and expect many patches and work-arounds to be issued by vendors.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-12T23:25:38.484-08:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Sv0J65_vkdI/AAAAAAAAANI/7KZmCHl7SUY/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>RBS Worldpay Reading</title><link>http://blog.triplecheck.ca/2009/11/rbs-worldpay-reading.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Wed, 11 Nov 2009 15:50:39 PST</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-8145242305650694140</guid><description>Here are a few links from a few of the sites that are discussing the details of the RBS Worldpay hack.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.veracode.com/blog/2009/11/we-need-to-learn-more-about-the-rbs-worldpay-atm-attack/"&gt;Veracode&lt;/a&gt;&lt;br /&gt;&lt;a href="http://feedproxy.google.com/%7Er/SourceConference/%7E3/bngxOeyoBK8/"&gt;SOURCE Conference&lt;/a&gt;&lt;br /&gt;&lt;a href="http://garwarner.blogspot.com/2009/11/9-million-world-wide-bank-robbery.html"&gt;Cybercrime and Doing Time&lt;/a&gt;&lt;br /&gt;&lt;a href="http://feedproxy.google.com/%7Er/HelpNetSecurity/%7E3/iKSjxUn62xI/secworld.php"&gt;Helpnet Security News&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm going to try to find out more and maybe provide some additional analysis of how this hack seems to follow the same MO as the other credit/debit hacks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-8145242305650694140?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-11T15:50:39.657-08:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Evil Maid and the Challenges of Full Disk Encryption</title><link>http://blog.triplecheck.ca/2009/10/evil-maid-and-challenges-of-full-disk.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 15 Oct 2009 16:14:45 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-6040233889304243777</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_vcuxy3Ozzt0/Stes3Q9-iFI/AAAAAAAAAMk/S-j9jh8YbWA/s1600-h/2009-05-09_113947%5B7%5D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 
200px; height: 125px;" src="http://1.bp.blogspot.com/_vcuxy3Ozzt0/Stes3Q9-iFI/AAAAAAAAAMk/S-j9jh8YbWA/s200/2009-05-09_113947%5B7%5D.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5392969144247158866" /&gt;&lt;/a&gt;Joanna and the crew over at Invisible Things have &lt;a href="http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html"&gt;posted&lt;/a&gt; a tool to demonstrate how trivial it is to circumvent full-disk encryption products.  Evil maid requires that you have access to the machine and can boot it using a usb-stick with the software installed.  It then is able to transparently record the user's passphrase for the disk.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is another example of how full-disk encryption products need to be architected carefully to ensure that problems like this can be considered and controls put in place to avoid them.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-6040233889304243777?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-15T16:14:45.636-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_vcuxy3Ozzt0/Stes3Q9-iFI/AAAAAAAAAMk/S-j9jh8YbWA/s72-c/2009-05-09_113947%5B7%5D.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></item><item><title>NIST SMB Security Guide - Steps in the Right Direction</title><link>http://blog.triplecheck.ca/2009/10/smb-security-steps-in-right-direction.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 01 Oct 2009 09:55:15 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-6070229485145127378</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SsTe6uQNOOI/AAAAAAAAAME/oFTlrWzXYQ8/s1600-h/images.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 150px; height: 51px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SsTe6uQNOOI/AAAAAAAAAME/oFTlrWzXYQ8/s200/images.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5387676154671741154" /&gt;&lt;/a&gt;NIST has published an excellent &lt;a href="http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf"&gt;draft guide&lt;/a&gt; on the basics of information security without throwing the users over the deep end.  It seems to address the "certainties" of security risks, and provide very basic methods of addressing them, without being too product-focused.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It is likely, although it will depend on the organization, that SMBs will need to work through this to understand how their current practices compare to this guidance, and figure out the most effective ways to address any shortfalls.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I would encourage all security professionals to give the guide a read and provide Richard with comments on improvements to make this guide as helpful as possible.  
Just don't be like Gartner's Adam Hils and post a &lt;a href="http://blogs.gartner.com/adam-hils/2009/09/23/nist-security-advice-to-small-businesses-of-little-use/"&gt;critique&lt;/a&gt; before the standard is published.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-6070229485145127378?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-01T09:55:15.268-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SsTe6uQNOOI/AAAAAAAAAME/oFTlrWzXYQ8/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Mandating Protection, Society and Seatbelts</title><link>http://blog.triplecheck.ca/2009/09/mandating-protection-society-and.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 24 Sep 2009 22:22:39 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-7745068276048837310</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SrxQyMFgB6I/AAAAAAAAAL8/h1RUJqBGFKY/s1600-h/images.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 134px; height: 134px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SrxQyMFgB6I/AAAAAAAAAL8/h1RUJqBGFKY/s200/images.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5385268077596247970" /&gt;&lt;/a&gt;There are a number of discussions happening regarding the differences between risk-based security and compliance-based security.  These have mostly grown from discussions around PCI and other imposed standards of control.  
My opinion is that risk and compliance are two necessary actions.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Augusto, over at the securitybalance &lt;a href="http://www.securitybalance.com/2009/09/risk-less-security/"&gt;blog&lt;/a&gt;, is the latest to discuss the merits of compliance-based security.  I share his opinion that creating prescriptive, measurable requirements goes a long way to improve the security of a large number of organizations.  This is a given - I compare this to other compliance programs like laws regarding the use of seat belts in automobiles.  They exist because it is better to protect everyone to the same level of protection than it is to measure the specific protections required based on the roads that are being driven on that day, or the specific use of the vehicle, etc.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What this doesn't mean is that there isn't some degree of risk management being performed - it's just that it's not being performed at the vehicle operator level - where in many cases people would choose not to wear them out of inconvenience.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Like the laws for seatbelts, the larger risk which needs to be managed is not at the corporate level but at the societal level.  The consequences of security failures at the organization level do not usually gain enough attention to warrant the appropriate protection, but I would argue that the consequences of systematic security failures across our society's infrastructure are the basis of massive harm.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Protecting our society at this level is the responsibility of our governments - and laws should be enacted to require adequate security protection, and impose legal penalties where they are not sufficient.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The identification of information warranting this protection is a required risk-based process.  
What types of information need to be protected in order to protect our people, our intellect, our industries and our livelihood?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To drive out the waste of objective-less risk management processes, Anton asks the question on his &lt;a href="http://chuvakin.blogspot.com/2009/09/is-risk-just-too-risky.html"&gt;blog&lt;/a&gt;-&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt; "&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-weight: bold; line-height: 13px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;What is the risk-driven, correct frequency of changing my email password?"&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Attempting to measure specific risks to a combination of the frequency of a control's failure and the existence of a real threat is for sure the wrong way to measure risk.  But I think there still is a valid risk discussion regarding the use and standards of password use in protecting certain types of information.  Let's rephrase:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;"Should passwords be managed for systems that are used to communicate financial transaction data?&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style=" color: rgb(51, 51, 51); line-height: 13px; font-family:Verdana, Arial, sans-serif;"&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;"&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This subjective question is far easier to qualify - and to debate the merits and extent of compliance requirements associated with it.  
Will it make sense in every scenario in every organization?  No.  But will its application across the majority of scenarios in the majority of organizations help protect our livelihoods as a society?  If the answer is yes - it should become a standard.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We need to define a scope of information which should be protected, create the standards to which the information should be protected, and institute formal legal processes to enforce compliance.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is exactly what the FIPS and NIST standards describe?  But these programs need to be extended to more than just federally controlled information types, and begin enforcing these rules on all data we value as a society.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-7745068276048837310?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-24T22:22:39.782-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SrxQyMFgB6I/AAAAAAAAAL8/h1RUJqBGFKY/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Simple and Free File Examination</title><link>http://blog.triplecheck.ca/2009/09/simple-and-free-file-examination.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 24 Sep 2009 07:24:15 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-3530998891977596770</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SruA-yG9V7I/AAAAAAAAAL0/y5sfgeljMJk/s1600-h/images.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 
130px; height: 129px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SruA-yG9V7I/AAAAAAAAAL0/y5sfgeljMJk/s200/images.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5385039595542763442" /&gt;&lt;/a&gt;I know many people that despise running multiple versions of desktop antivirus.  One of these programs is usually enough to drop performance to a crawl.  For those careful people who like to validate the suspect files they receive, there is a great service: &lt;a href="http://www.virustotal.com/"&gt;VirusTotal&lt;/a&gt;.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This service works by accepting uploaded files from users, then running them through a series of tests and virus scanning engines, currently 41 different ones to be exact.  This makes it extremely useful for gauging how to treat that questionable email attachment.   It manages to do this by hashing the files that get uploaded; instead of spending additional CPU cycles scanning duplicate files, it just matches the hash and returns the existing results to the user.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The other really cool part is that it provides detailed file information as well by analyzing the file's actual structure.  Someone sends you a .jpg - but really it contains Windows executable code ready to infect your machine.  
Find out what PE information, file structure, and signatures exist within the file.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Best of all the service is free - and actually gets a much better set of core data the more people that use it!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-3530998891977596770?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-24T07:24:15.517-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SruA-yG9V7I/AAAAAAAAAL0/y5sfgeljMJk/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Gonzalez, Toey - Ringleaders?</title><link>http://blog.triplecheck.ca/2009/08/gonzalez-toey-ringleaders.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Mon, 24 Aug 2009 10:02:39 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-6784823070749344121</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SpK2ZjT3pmI/AAAAAAAAALk/Pi15SkG-RfM/s1600-h/ringleader1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 140px; height: 200px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SpK2ZjT3pmI/AAAAAAAAALk/Pi15SkG-RfM/s200/ringleader1.jpg" alt="" id="BLOGGER_PHOTO_ID_5373557855497987682" border="0" /&gt;&lt;/a&gt;It appears that there are a number of sources that are questioning the indictment of Gonzalez as a ring-leader such as the &lt;a 
href="http://www.nytimes.com/aponline/2009/08/18/business/AP-US-TEC-Hacker-Charges-Aftermath.html?_r=1&amp;amp;scp=4&amp;amp;sq=hacker&amp;amp;st=cse"&gt;NY Times&lt;/a&gt;. I agree that Gonzalez is wrongly accused as the “ring-leader” of the operation - but for different reasons.&lt;br /&gt;&lt;br /&gt;1. Gonzalez is likely just a low-level carder (one who gathers and sells credit and debit card information), and one that was once on the Secret Service payroll to infiltrate the carder network. No different than other junkies that break into cars to steal ID information for drug money, but he just happened to use a more efficient method. SQL injection and wifi-sniffing are not very sophisticated attacks - nor was Albert’s MO - including leading a very lavish and noisy personal life. He used ICQ to chat with other affiliates and didn’t try too hard to protect information related to his wrong-doings.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2. The Eastern European individuals named in the indictment appear to be MUCH more sophisticated as they organize the processes of converting the stolen information into cash. These guys are likely to be the real ring-leaders of the operation as they take the largest share of the profits. They normally operate out of non-extradition countries where they are permitted to operate as they wish. They still do slip up from time to time though, as you can see with Maksym Yastremski sitting in a Turkish prison.&lt;br /&gt;&lt;br /&gt;3. Even Gonzalez's lawyer charges that Damon Toey was more of a ring-leader than Albert - but in reality both of these guys are simply carders - good ones, but carders nonetheless, both fencing card information to the European guys overseas for a small piece of the action.&lt;br /&gt;&lt;br /&gt;It is my opinion that the US Attorney’s offices should describe these truths and these guys' involvement in the scheme rather than try to make it falsely appear to the public that they’ve caught the “ring-leaders”.  
They should equally provide public information on how the whole scheme works.  &lt;a href="http://en.wikipedia.org/wiki/Credit_card_fraud#Carding"&gt;Wikipedia&lt;/a&gt; has some decent information for the uninformed, but doesn't get into how the organized portion of the fraud scheme really works.  The &lt;a href="http://www.rcmp-grc.gc.ca/count-contre/cccf-ccp-eng.htm"&gt;RCMP&lt;/a&gt; even has a page for information, but again it just touches on the subject.&lt;br /&gt;&lt;br /&gt;Maybe someone can post a link to a better explanation of the entire scheme.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-6784823070749344121?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-24T10:02:39.194-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SpK2ZjT3pmI/AAAAAAAAALk/Pi15SkG-RfM/s72-c/ringleader1.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Albert Gonzalez aka soup Nazi - 130M Records?</title><link>http://blog.triplecheck.ca/2009/08/albert-gonzalez-aka-soup-nazi-130m.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Wed, 19 Aug 2009 09:38:38 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-2379404071243911582</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_vcuxy3Ozzt0/SotMUVCON2I/AAAAAAAAALc/CJ-rbugoW6E/s1600-h/Albert_Gonzalez_us_secret_service.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 172px; height: 200px;" src="http://1.bp.blogspot.com/_vcuxy3Ozzt0/SotMUVCON2I/AAAAAAAAALc/CJ-rbugoW6E/s200/Albert_Gonzalez_us_secret_service.jpg" alt="" 
id="BLOGGER_PHOTO_ID_5371470892697007970" border="0" /&gt;&lt;/a&gt;So it looks like the same suspect has been charged with both of the biggest credit card theft/fraud cases in history.  Albert Gonzalez aka "segvec," "j4guar17" and "soup Nazi".  Who is this man behind these crimes?  What was the motivation behind the crime? What kind of training did this guy have?  What kind of MO was used?  2 Russian accomplices?  Who are these guys?&lt;br /&gt;&lt;br /&gt;Secret Service Informant? - There must have been a more detailed file on this guy?&lt;br /&gt;&lt;br /&gt;So many questions so little available information?  If anyone has more credible information on this guy I would be very interested to hear more.&lt;br /&gt;&lt;br /&gt;This story appears to have legs...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/International_credit_card_data_theft"&gt;Wikipedia Page&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Update 1:&lt;br /&gt;&lt;br /&gt;Stephen Watt aka “Jim Jones” and “Unix Terrorist.” happened to be one of the unfortunate ones who associated himself with Albert - without any of the financial benefit however.   &lt;a href="http://www.wired.com/threatlevel/2009/06/watt/"&gt;Wired Story&lt;/a&gt;.  
Here is also a link to a page with his bio from &lt;a href="http://www.phrack.org/issues.html?issue=65&amp;amp;id=2#article"&gt;Phrack magazine&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Update 2:&lt;br /&gt;&lt;br /&gt;Here is &lt;a href="http://docs.google.com/fileview?id=0B0c5BdoU8QoYMzQ3Y2IyNWQtYmE1OC00NjA1LTllYzItNzI5NTI1YWQ4Njhi&amp;amp;hl=en"&gt;link&lt;/a&gt; to the google docs version of the indictment of Gonzalez, Hacker 1 and Hacker 2.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-2379404071243911582?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-19T09:38:38.456-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_vcuxy3Ozzt0/SotMUVCON2I/AAAAAAAAALc/CJ-rbugoW6E/s72-c/Albert_Gonzalez_us_secret_service.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Ineffective Laptop Recovery Software + Whitelisted Persistent BIOS Rootkit = Fail!</title><link>http://blog.triplecheck.ca/2009/07/ineffective-laptop-recovery-software.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Fri, 31 Jul 2009 09:56:04 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-2472817508131114549</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SnMgbuJrCGI/AAAAAAAAAKw/u8izs29wWiw/s1600-h/images.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 131px; height: 67px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SnMgbuJrCGI/AAAAAAAAAKw/u8izs29wWiw/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5364667241745549410" border="0" /&gt;&lt;/a&gt;Following up their bleeding edge research on bios resident malware at CanSecWest 
the ultra-smart guys (Alfredo and Sacco) from CoreSecurity have disclosed a &lt;a href="http://blogs.zdnet.com/security/?p=3828"&gt;significant issue&lt;/a&gt; with the laptop recovery software LoJack.&lt;br /&gt;&lt;br /&gt;I have debated the effectiveness of laptop recovery software many times, arguing that its cost does not justify the recovery of the hard asset (how much is laptop hardware worth vs. the cost of recovery?).&lt;br /&gt;&lt;br /&gt;But now this is even worse - by having this BIOS-resident software installed (or pre-installed in an estimated 60% of new laptops - Lenovo, HP, Gateway, Dell, Toshiba) there is a significant exposure to having the LoJack software modified by someone malicious.  Compounding this issue is the fact that the software is already white-listed by anti-virus vendors, meaning there would be no way to prevent or detect such a modification.&lt;br /&gt;&lt;br /&gt;It's a bit ironic when security software exposes its paying users to much more risk than it addresses. "Get it. 
And get it back - twice as bad."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-2472817508131114549?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-31T09:56:04.906-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/SnMgbuJrCGI/AAAAAAAAAKw/u8izs29wWiw/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total></item><item><title>PCI Compliance - Brand Fines Changing?</title><link>http://blog.triplecheck.ca/2009/07/pci-compliance-brand-fines-changing.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Mon, 27 Jul 2009 10:34:58 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-492028086174068702</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Sm3lNWlawYI/AAAAAAAAAKo/ZsRq8hY3DmE/s1600-h/PCI-DSS_logo.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 100px; height: 65px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Sm3lNWlawYI/AAAAAAAAAKo/ZsRq8hY3DmE/s200/PCI-DSS_logo.jpg" alt="" id="BLOGGER_PHOTO_ID_5363194748831711618" border="0" /&gt;&lt;/a&gt;Looks like there is some rumors related to the payment brands changing their policies on fines levied on non-compliant merchants.  
&lt;a href="http://blogs.verisign.com/securityconvergence/2009/07/mastercard_to_fine_merchants_f.php"&gt;Branden's security convergence blog&lt;/a&gt; is reporting changes to MasterCard's fine schedules for varying levels of merchant.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-492028086174068702?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-27T10:34:58.492-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Sm3lNWlawYI/AAAAAAAAAKo/ZsRq8hY3DmE/s72-c/PCI-DSS_logo.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Top 10 Botnets</title><link>http://blog.triplecheck.ca/2009/07/top-10-botnets.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Wed, 22 Jul 2009 20:50:54 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-8096269961006076102</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SmfdaDEowuI/AAAAAAAAAKg/f-6ebih5cp4/s1600-h/images.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 124px; height: 114px;" src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SmfdaDEowuI/AAAAAAAAAKg/f-6ebih5cp4/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5361497320978957026" border="0" /&gt;&lt;/a&gt;An interesting &lt;a href="http://www.networkworld.com/news/2009/072209-botnets.html"&gt;article&lt;/a&gt; was posted describing the today's top ten botnets and summary information describing there characteristics.  The interesting thing is where conficker showed up (10th) and the percentage of these botnets whose criminal purpose is to collect valuable and sensitive information (1/10).  
Looks like most of these are intended to provide control - and then be capable of whatever the controller wishes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-8096269961006076102?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-22T20:50:54.797-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/SmfdaDEowuI/AAAAAAAAAKg/f-6ebih5cp4/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Twitter Hack - Techcrunch Ethics</title><link>http://blog.triplecheck.ca/2009/07/twitter-hack-techcrunch-ethics.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 16 Jul 2009 11:16:41 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-7789387454028683363</guid><description>There is a real storm of activity after documents were obtained through a hack of a Twitter employee's Google Apps account.  Over at Techcrunch a heated debate over the ethics and newsworthiness of publicly posting the actual ill-gotten data is beating down the site's editors.&lt;br /&gt;&lt;br /&gt;While it might be entertaining to voice opinions on people's ethics regarding the outing of the actual information, I think the real story is the lapse in security of the Twitter employee.  A bad, guessable password was used to protect access to very sensitive internal data - but this raises an important point regarding the use of Google Apps or any other easily accessible service.&lt;br /&gt;&lt;br /&gt;It really shouldn't take an incident like this for companies to get these types of simple protections over their information.  
If there is risk related to disclosure of the information - make sure you have it protected.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3123519664071299436-7789387454028683363?l=blog.triplecheck.ca' alt='' /&gt;&lt;/div&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-16T11:16:41.732-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total></item><item><title>Anti-virus Statistics - Motivations</title><link>http://blog.triplecheck.ca/2009/07/anti-virus-statistics-motivations.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Thu, 16 Jul 2009 10:47:08 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-7027357489444069629</guid><description>In a study completed and published by Avira (&lt;a href="http://www.avira.com/en/company_news/recognition_performance_virus_protection.html"&gt;http://www.avira.com/en/company_news/recognition_performance_virus_protection.html&lt;/a&gt;), the results of the survey showed that for 34 percent (3,207 respondents) a long-established, trustworthy brand was key. Almost as many users, 33 percent (3,077 respondents), based their decision on the virus detection rates achieved in independent tests.&lt;br /&gt;&lt;br /&gt;Detection rates - let's call this the effectiveness of the control - as this is the key metric used to measure effectiveness.  This is a skewed metric, as the large majority of evaluations (ICSALabs, VB100, etc.) use the "in-the-wild" or ITW list of viruses to perform the evaluations.  
There is no evaluation of these products' ability to respond to, or even detect, newly released viruses and malware.&lt;br /&gt;&lt;br /&gt;In all honesty, what we are really dealing with here is preventative vulnerability management, not virus detection and correction, and in my opinion there are four types of preventative protections required for the average consumer (some are currently reality - others not):&lt;br /&gt;&lt;br /&gt;1.  Consumers buying products based on their security.    This does not exist in any meaningful way for the general community.  Let's get someone to independently evaluate the software makers on this and publish it for consumers to make choices based on their performance.&lt;br /&gt;&lt;br /&gt;2.  A service used to update software code quickly.  There should also be an independent evaluation of a code base's susceptibility to vulnerabilities and the speed with which these are patched by the vendor.  This should apply to all software, not just operating systems and browsers.  Again, there could be independent evaluations of the companies' policies, practices and past performance related to this.&lt;br /&gt;&lt;br /&gt;3.  A perfect ITW detection engine - 100% - there is no reason a product should be less than this for KNOWN viral code.  Really this should be combined with #4.&lt;br /&gt;&lt;br /&gt;4.  A product to detect and respond to new threats - ones without signatures - which is a significantly larger threat as they are generally being developed with more financial motivation.  Apple's and Microsoft's authorization of unsigned code is a good first step, but this should be done at the CPU level to detect suspicious behavior by software and apply a policy to it.  Do consumers actually read a warning about unsigned code? Or do they just click "continue"?  AMD - Intel - other chip makers?  Is this possible at a low level?  
And how do we trust these companies themselves?&lt;br /&gt;&lt;br /&gt;Anyone else have thoughts on other ways of preventing the impacts of vulnerabilities?</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-16T10:47:08.805-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>White-hat Budgeting</title><link>http://blog.triplecheck.ca/2009/07/white-hat-budgeting.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Tue, 14 Jul 2009 18:24:53 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-5563609921983748889</guid><description>In response to his recent black-hat budget post, I commented on what &lt;a href="http://taosecurity.blogspot.com/2009/07/white-hat-budgeting.html"&gt;Richard has also described&lt;/a&gt; he would spend the 1 mil$ on in defense.  Ends up that it doesn't buy you much - although I agree with his approach to spend the cash on people and their ability to use the tools they already have access to.&lt;br /&gt;&lt;br /&gt;I would take a slightly different perspective on the problem, however.  The $1 million is not just spent in one place but spent multiple times in defense against the black-hat team, as they can target multiple organizations, i.e. 
the same team can move from target to target without spending any additional money, and force multi-millions of dollars in defense across multiple companies.&lt;br /&gt;&lt;br /&gt;The other reality is that the defense is not just defending against one black-hat team but the potential for multiple black-hat teams.&lt;br /&gt;&lt;br /&gt;My opinion is that, like the black-hat teams, the defense should target the amount of money spent on the defense based on the potential loss of the information (or availability, if that is the risk).  This would then balance, as you can spend less in focused efforts targeting protection of the specific information.  There is no reason to spend $$$ on a commercial security management solution to protect only one table in a database where the sensitive information exists.  The problem is that you have to know where that information lives throughout its life.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-14T18:24:53.420-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Mobile Device Protection - Is this not standard practice yet?</title><link>http://blog.triplecheck.ca/2009/07/anyone-need-any-more-reasons-to-avoid.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Tue, 14 Jul 2009 08:13:38 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-203151650225225</guid><description>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Slqqv2NCfOI/AAAAAAAAAKY/aCeYOcUNnZ8/s1600-h/images.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 129px; height: 111px;" 
src="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Slqqv2NCfOI/AAAAAAAAAKY/aCeYOcUNnZ8/s200/images.jpg" alt="" id="BLOGGER_PHOTO_ID_5357782445691403490" border="0" /&gt;&lt;/a&gt;Anyone need any more reasons to avoid situations regarding the loss of sensitive information on mobile devices?  Dell has released the results of a &lt;a href="http://www.dell.com/content/topics/global.aspx/services/prosupport/en/us/exec_summary?c=us&amp;amp;l=en&amp;amp;s=gen"&gt;study&lt;/a&gt; looking into actual data regarding lost mobile devices.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-14T08:13:38.175-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_vcuxy3Ozzt0/Slqqv2NCfOI/AAAAAAAAAKY/aCeYOcUNnZ8/s72-c/images.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Blackhat Economics - Are you feeling safe today?</title><link>http://blog.triplecheck.ca/2009/06/blackhat-economics-are-you-feeling-safe.html</link><author>mark.linton@triplecheck.ca (Mark Linton)</author><pubDate>Mon, 29 Jun 2009 23:48:11 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3123519664071299436.post-1360822018305863734</guid><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Skm1IGdHKSI/AAAAAAAAAKQ/w8Cm9hycLeE/s1600-h/D3208FN2x.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 134px;" src="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Skm1IGdHKSI/AAAAAAAAAKQ/w8Cm9hycLeE/s200/D3208FN2x.jpg" alt="" id="BLOGGER_PHOTO_ID_5353008782882842914" border="0" /&gt;&lt;/a&gt;Just want to point people over to a great blog post over at 
TaoSecurity - &lt;a href="http://taosecurity.blogspot.com/2009/06/black-hat-budgeting.html"&gt;Black hat budgeting&lt;/a&gt;.  This is an excellent article which starts to examine the economic factors related to attacking and protecting information.  Thinking in this way really puts some perspective on the security budget that people spend on attempting to protect information.  Long story short - if you don't think or don't know if bad guys are targeting you - find out (what information are you protecting and why?), and if the bad guys are targeting you - you should be thinking this way.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-29T23:48:11.337-07:00</app:edited><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_vcuxy3Ozzt0/Skm1IGdHKSI/AAAAAAAAAKQ/w8Cm9hycLeE/s72-c/D3208FN2x.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item></channel></rss>
