This post is about the bill. Not the criminal cases – those resolved years ago and they were not the actual cost. The actual cost was paid by the security industry itself, and the industry has been pretending it did not pay it ever since.

What I wrote in 2011 that aged correctly

I covered some of this in real time. “Are the Lulz Officially Over?” was published the day LulzSec announced their disbandment. “Who Is to Blame for the Success of the Latest Round of Attacks?” was published a few weeks earlier, and the answer it gave then is the same answer that is still correct now: the people responsible for the success of those attacks were not the attackers. The attackers were good at what they did, but what they did was not technically remarkable. They ran SQL injections against unpatched web applications belonging to organisations that had certifications proving the SQL injections should not have been possible. The success of the attacks was a function of how much daylight existed between the certified posture of those organisations and what those organisations actually had running in production. That daylight was the size of a barn door. It is still that size.

The reason “Another Fake Boutique Security Firm” got reposted by a half-dozen blogs in 2011 is because everyone who was paying attention had spent the previous year watching the same fake boutiques get publicly broken into without anyone noticing the contradiction. That contradiction has now been institutionalised. The fake-boutique class of vendor did not go away. It got bought.

The through-line nobody wants to draw

Look, here is the part I am tired of arguing about. The thing that Sabu and the rest of the AntiSec crew demonstrated in 2011 was not “look how easy it is to hack a Fortune 500.” That was already known. What they demonstrated was the response cycle. Specifically:

1. The breach happens.
2. The victim’s PR team frames it as “a sophisticated, targeted attack” within forty-eight hours, regardless of whether the actual entry vector was a five-year-old SQL injection.
3. The compliance auditors arrive, scope the problem to the single application that got hit, and certify the rest of the environment as still compliant.
4. Six months later, a different actor walks in through an adjacent door using a similar primitive, and we redo the whole cycle.

That cycle is the one Cl0p ran against MOVEit in 2023. It is the cycle Cl0p ran against Accellion FTA before that. It is the cycle the people who hacked the Senate’s webserver in 2011 ran. The technical details have moved upmarket – file-transfer appliances instead of forum software – but the response cycle is structurally identical.

I keep waiting for the industry to admit this. It does not.

The supply-chain narrative was already there in 2011

Read the LulzSec press releases in order. They make a specific argument, repeatedly, about the targets they picked. The argument is that the entities responsible for protecting consumer data – InfraGard contractors, security-certified law-enforcement liaisons, the certified-vendor pyramid – are themselves softer than the consumer-facing targets they are theoretically protecting. The argument is not subtle. It is in the actual press releases. They wrote it down.

What the security industry did with that argument was nothing. The argument was treated as edgelord posturing rather than as the prescient supply-chain warning it actually was. Sabu was indicted, became an FBI cooperator (per DOJ filings; the timeline is well-documented at this point), and the cooperative phase rolled into the Stratfor leak, which itself was a supply-chain compromise: a private intelligence firm whose customers expected confidentiality got its customer database dumped, and the rest of the threat-intelligence ecosystem responded by issuing a couple of press releases and then continuing to sell to the same customers.

The right take in 2011 was: the supply-chain attack is the future, and the security industry is institutionally unable to defend against it because the industry’s revenue model depends on the customer’s compliance posture being acceptable, not on the customer’s security posture being good. Some of us said exactly that. We were ignored.

The “sophisticated nation-state” laundering operation

The other thing AntiSec demonstrated, which I do not think the industry has internalised, is how fast a breach gets relabelled. Within weeks of LulzSec disbanding, every breach narrative shifted. Compromises that previously would have been blamed on script kiddies or underfunded IT teams started getting blamed on “sophisticated nation-state attackers.” The framing shift was not driven by the people doing the breaches changing. It was driven by the legal and insurance incentives changing. “We got hit by a nation-state” is a story that boards accept, that insurers underwrite, and that auditors do not have to second-guess. “We got hit because our patch cadence is six months and our WAF is in monitor-only mode” is a story that gets the CISO fired.

This is why fifteen years on we still get post-mortems on breaches like MOVEit that lead with “sophisticated” before the technical detail (a SQL injection in a file-transfer tool with default config) is even mentioned. The framing is laundering. It started in 2011-2012. It is now the default.

I have written this paragraph in five different posts at this point. I am going to keep writing it. Go ahead, tell me I am wrong.

What changed for the better (a short list)

I am cynical, not bitter. Some things did move:

• Mandatory disclosure regimes are real now. The 2023 SEC cyber-disclosure rule is imperfect (we will get to that in a future post), but it forces public companies to file an 8-K within four business days of a material incident. That four-day window did not exist in 2011. In 2011, the public company in question would just decline to comment for a year.
• The criminal-prosecution side caught up to the technical reality. Prosecutors now know what a Tor relay is, what an anonymising VPN is, what a leaked HOSTS file looks like. In 2011 the indictments occasionally read like science fiction. They have improved.
• The EFF, Schneier, Krebs, the abuse.ch crew, and a handful of others built a body of public-record analysis that did not exist in 2011. Schneier was already there, but the rest grew up after.

That is the list. The list is not long.

What did not change, and probably will not

The industry is still organised around the compliance posture, not the security posture. Vendors still ship default credentials. Auditors still scope around the parts of the environment they do not want to look at. Insurance carriers still write policies that pay out on “sophisticated nation-state” but contest “we did not patch.” Boards still hire CISOs from the same fifteen-firm consulting pyramid.

Fifteen years after AntiSec, the most accurate single-sentence description of what AntiSec actually accomplished is this: it gave the industry a free preview of the next decade’s threat model, and the industry filed the preview under “miscellaneous” and went back to writing policy documents.

What I would write in 2011 if I had today’s hindsight

I would still write the posts I wrote, with one change. I would have spent more time naming the consulting firms that were certifying the breached environments, by name, in 2011 – not the AntiSec targets themselves, but the firms that signed off on those targets’ compliance posture. Some of those firms are still in business. Some of them are public companies now. The certifications they sold in 2010-2012 covered the SQL-injectable web applications that AntiSec walked through, and the lawyers for those firms made sure none of the post-incident reporting linked the audit work product to the breach. That is the link that should have been drawn in public, in real time, and was not.

I am going to draw it now. The next post in this series is going to name the auditors. If you were on one of those engagement teams and you would like to push back, my contact form still works.

For the record

My older posts on the AntiSec era are still here, at their original URLs:

• Are the Lulz Officially Over? (June 2011, the disbandment post)
• LulzSec Declaration of War (May 2011)
• AntiSec: Shoot the Sheriff Saturday (June 2011)
• Who Is to Blame for the Success of the Latest Round of Attacks? (June 2011)
• Another Fake Boutique Security Firm (June 2011)
• #AntiSec Initiates Peaceful Protest? (July 2011)
• PBS Hacked a Few Times Today (June 2011)
• th3j35t3r Social Engineers the Lulz (June 2011)

I am going to leave them alone. They are time capsules and they were correct then. Most of what they argued is still correct, which is the point of the post you just read.

Boris Sverdlik CISSP# 70063 as of 2/2005

Linkedin Profile

Thank you again for all your support.

To nominate me for the Ballot:

1) Send an email to  isc2board@jadedsecurity.com pledging your support! THANKS in advance.

2) Subject: 2013 ISC2 Board of Directors  Petition

3) Message Text: I’d like to nominate Boris Sverdlik for the 2013 ISC2 Board of Directors. My E-mail address is on file with ISC2 and my CISSP# is $

Platform:

I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that  I have is relatively straight forward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MSCE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay driven questions that would truly test the candidates knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude.  This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

Edgar and his crew have done a top notch job of bringing everyone together for a world tour in a truly exotic location to some. The speakers selected are awesome, from Andy Ellis Keynoting to Wim Remes and Ian Amit to David Kennedy and Chris Nickerson just to name a few.  I can’t wait for what is sure to be a learning opportunity and an overall great time..

Big thanks to Edgar Rojas and  Security Zone 

Come see me present http://www.securityzone.co/conference.html#boris

I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that  I have is relatively straight forward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MSCE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay driven questions that would truly test the candidates knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude.  This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

4. Financial Transparency is what we have all been asking for. ISC2 collects annual dues and has a responsibility as every responsible 501(c) to be transparent with accounting.

So Vote for Boris Sverdlik aka JadedSecurity

[Original embedded Google Form has expired.]

Long story short after my wife had pointed out that i had 2 lumps on the side of my neck that looked “off” I had gone to a general practitioner who sent me to a specialist, who sent me for a biopsy. After a few weeks of back and forth I went from it’s probably nothing to you have a disease that “can” be treatable, isn’t curable, no real survivability stats available for your age because it usually effects older individuals. Yay Me..

It’s been a rough couple of months for me, more emotionally than anything else.. I’m not depressed or anything but every so often it hits me that I might not see my kid grow up.. Obviously I’m not giving up without a fight.. DefCon was hard enough for me trying to keep from breaking down during the fail panel when @mycurial was talking about Cancer. It all became real again after finding the new bumps in my neck this morning.   My wife and daughter are out of town so when the Dr said he wanted to see me ASAP, it freaked me out and I sent the tweet.

Guess the good news is the Oncologist isn’t too concerned with the new lumps.. He says it’s still not worth treating with radiation at this point, and I’m good for now..

I didn’t mean to put out my personal problems on Twitter, but the response from the community truly brought me to tears… I honestly can’t say thank you enough for all the warm wishes that were sent. I absolutely love our little community on Twitter, and I’m so honored to be a part of it. Many of us have never even met, but the support is overwhelming.  I wish I could thank each and every one of you… Thank you so much for cheering me up in my freaking out moment.  I love all of you guys!!

I know I definitely missed a few and I’m sorry in advance.. Special thanks goes out to in no particular order

@rodsoto
@alexhutton
@sp0rkbomb
@bmkatz
@kylecooper
@Forensication
@BillBrenner70
@selenakyle
@banasidhe
@gillis57
@sukotto_san
@pinoles
@tothehilt
@randomlyAnnoyed
@wimremes
@rattis
@infosec_rogue
@fjhackett
@gattaca
@grap3_ap3
@can0beans
@crshbsod
@itsecurity
@erratarob
@icristerna2
@kylemaxwell
@jack_daniel
@voulnet
@kittycommando
@mccrory
@jmp_ebp
@c0ncealed
@encryptedsorrow
@hrbrmstr
@archangelamael
@awpii
@facelessloser
@stylewar
@synackpwn
@klhay
@sparetimegeek
@RogueClown
@hhopk
@4DC5
@russ81
@seczone
@davienthemoose
@kydpror
@bond_alexander
@hacktalkblog
@jaredsperli
@dave_rel1k 
@coolacid
@adamcaudill
@wikidsystems
@gozes
@rmogull
@Savant42
@K0nsp1racy
@_funtime
@Josephwshaw
@wendy451
@hackerhuntress
@jackiea
@revrance
@nafatigar
@doocie2000ca 
@hacktress09
@sukotta_san
@douglasbrush
@daveshackleford
@grey_area
@ltawfall
@tomryanblog
@willsecurity
@virtsean
@tkrabec
@_fmm
@darr7h
@glesec
@charleshooper
@itsec_machete
@fl1bbl3
@ammermanb

I remember when BlackHat meant that it was time to see things that we would only hear about on IRC and other non conventional means. Sadly, this is no more. As others have pointed out BlackHat is now the new RSA. It represented RSA as much as any other corporate sponsored conference.  Vendors were set up with their RFID scanners ready to stalk you post conference with all their wonderful spam… Good thing for me a certain colleague had allowed me to scan his card with my phone, and even better yet I was able to replay it for all.. Thanks Martin

There were some interesting talks, but nothing like it used to be.  The main problem to me anyway was the ambience of vendors and the proliferation of FUD that we as an industry have been subjected to more and more in recent times. Hallway con was where it was at for the majority of the conference. I had bounced between the Galleria and the SeaHorse for the majority of the event and as usual had nothing but interesting conversation with old friends as well as new ones.

The upside for being in Vegas for BlackHat, is that BsidesLV runs concurrently..  BSidesLV and BSides in general always tend to be much better events. The attendees are rarely the industry vendor mouthpiece types and this alone makes the conference enjoyable. I had attended more talks at BSides than I have at other conferences combined this year.  Johnny Cocaines open discussion forum on ethics was probably the most enjoyable to date.  The room had almost cleared when he had said that this was going to be a discussion as opposed to a talk. The people who stayed got to enjoy a great roundtable type of debate.  Obviously it being in the underground track precludes me from discussing the details, but I can say I hope we see more of these types of talks. I even got to do a last minute lightening talk on my upcoming presentation which I thought went fairly well..

The venue for BsidesLV is small and as such can feel cramped, but @banasidhe worked her magic once again keeping everything in check.. I personally really enjoyed it and would take it over Blackhat any time..

Next up DefCon, well what can I say about DefCon that hasn’t been said already? Well, let me think.. oh yeah.. You kinda suck! First off WTF is up with wireless village being set up in a closet? Really?? I remember when all of us sat around conference tables tinkering with wep cracking and the likes. With all of the wireless technologies now being researched are we seriously supposed to be able to converse in such a small room? It was smelly and overall pretty bad experience. The SecCTF and other contest rooms had literally 10x the size. Why were we limited? Ok Rant off for now..

Overall it wasn’t a bad year for DefCon, some really good talks combined with some really shitty ones. Hallway Con Once again takes over for most of the event. I did go to see a bunch of sky talks as well as some others. Dave Kennedy and friends tore the roof off their presentation with Bananas and a video with hundreds of shells popping up thanks to their SCCM hack.  Some other notable talks were around javascript bots which was hilarious from what I had heard. Overall, I would of went to more talks if the lines weren’t atrocious.  I guess with 15K people, you should expect not to get in to see the talks you want to..

I was also at the last minute asked to wear a mankini during the Comedy Jam/Fail Panel for Charity. While I would rather not post any pictures, I do have to say it was great to be on the panel with such an interesting bunch of characters. @rmogul kicked ass with his TSA talk, Larry Pesce talk on fail was just perfect.. It was a blast serving waffles to the hungry masses with McKeay and Jack Daniel.  I hate to admit it but @myrcurial had almost made me cry on stage when he was talking about how many people are/have been effected by cancer.  I’m so happy knowing that @Wendy451 @gattaca’s wife and others have beat their battles and not looking forward to my own..  I’m so proud of our communities persistence in supporting the causes that plague us all. THANK YOU!

The Elitism that everyone has talked about is apparent, but it’s apparent in all circles not just ours. As some had said no one wants to flip the bill for 15K people, so there might be some parties you just might not get into. However it’s not always about the parties.. It’s about meeting people, learning new things and hanging out with old friends. If it wasn’t for our podcast, I wouldn’t of gotten a ninja networks invite despite all of our contributions to the industry. It is a friends and family thing and there isn’t anything wrong with that. You want in, then as Timay (303) and @jericho had said during their talk on the CISSP. You need to be Bad Ass at what you do and you will get noticed.  Get out of your shell and start meeting people and engaging conversations.

It’s not just about getting in to the parties it’s also about mingling once you are there. Keep networking and your invites will come.  To be honest almost every party that I had attended, I ended up just chatting with friends. The best talks I had all weekend were in the smoking area by registration and not in any party wehre the music is way to loud to hear yourself think.

Finally, I’d like to thank my followers for posting these all over the ATMs at the RIO.. It brought me nothing but laughs…

The NinjaTel team distributed custom Android phones to select attendees. These phones were connected to their own private cellular network running inside the conference venue. The phones came pre-loaded with custom firmware and the whole setup was designed as both a social experiment and a technical demonstration.

From a technical perspective, setting up a private GSM network at a hacker conference is both brilliant and terrifying. It demonstrated just how accessible the technology for running a cellular network has become, and by extension, how vulnerable cellular communications can be.

The implications for security are significant. If a small team can set up a convincing mobile network at a conference, imagine what a well-resourced adversary could do. Rogue base stations, IMSI catchers, and man-in-the-middle attacks on cellular traffic are not theoretical – they are practical and increasingly affordable.

DEFCON continues to be the place where the security community pushes boundaries and demonstrates what is possible. NinjaTel was one of the highlights of this year.

Before you reach for the pitchforks, let me explain. I am not saying that employees should be ignorant about security. I am saying that the way most organizations approach security training is fundamentally flawed.

The typical approach: once a year, force everyone through a PowerPoint presentation or online module. Check the compliance box. Move on. Then act surprised when someone clicks a phishing link the very next day.

The problem is not the employees. The problem is us. We are asking humans to be perfect security sensors in an environment where the attacks are specifically designed to exploit human psychology. That is not a training problem – it is a design problem.

Instead of spending millions on awareness training, invest in:

• Better email filtering and sandboxing
• Removing admin rights from end users
• Application whitelisting
• Network segmentation
• Automated patch management

Design your systems so that when (not if) an employee makes a mistake, the blast radius is contained. That is a much better investment than another round of “don’t click suspicious links” training.

1) Install TrueCrypt http://www.truecrypt.org/

2) Create a hidden volume. Pick a strong passphrase you will not write down and use a keyfile

3) Mount the volume

4) Run the Script

I’ll port it to Python this weekend, or maybe even something more platform independent. Also, don’t forget to set Auto Dismount to 15 minutes, so you don’t leave it up and running.

[code]

#!/bin/bash
#
#
# For Resiliency I keep the volume in multiple places, but for ease of use
# of use, I suggest keeping it on dropbox. Set TrueCrypt to unmount after
# 30 minutes of idle.

echo “Hello, “$USER”. This will generate your password. Please make sure you have mounted your truecrypt volume with your password file”

echo -n “Please enter the path to your encrypted vault file [ENTER]: “
read vaultfile

echo -n “Please enter the patch to your encrypted mount, this will be used for temp files [ENTER]: “
read encmounts

echo -n “Enter the website or application that this password is for and press [ENTER]: “
read site

grep -i $site $vaultfile

if [ $? == 0 ]; then

echo -n “Do you want to create a new password for this existing account? (yes or no): “
read update

if [ “$update” == “yes” ]; then

echo -n “Enter the user ID you will be using and press [ENTER]: “
read name

echo -n “Enter maximum password length characters can the password be [ENTER]: “
read counts
sed “/$site/d” $vaultfile > $encmounts/tmp ; mv $encmounts/tmp $vaultfile

curl -s http://www.bing.com/news?q=$color > $encmounts/temp

newpass=`md5 $encmounts/temp | awk ‘{print $4}’ | openssl sha | cut -c 1-$counts|sed -e ‘s/[a-z]/A/’ -e ‘s/[0-9]/#/’`
echo $name $newpass $site >> $vaultfile
# rm $encmounts/tmp
exit 1
elif [ “$update” == “no” ]; then

echo “Goodbye”
fi
fi

echo -n “Enter the user ID you will be using and press [ENTER]: “
read name

echo -n “Enter maximum password length characters can the password be [ENTER]: “
read counts

curl -s http://www.bing.com/news?q=$color > $encmounts/tmp

newpass=`md5 $encmounts/tmp | awk ‘{print $4}’ | openssl sha | cut -c 1-$counts |sed -e ‘s/[a-z]/A/’ -e ‘s/[0-9]/#/’`
echo $name $newpass $site >> $vaultfile

rm $encmounts/tmp

echo “Goodbye”

[/code]

There has been some confusion in what BYOD is and what it isn’t according to the tweets I have been able to follow. BYOD (Bring your own device) is the latest in buzzwords that product vendors have introduced over the last few years. It shouldn’t be any difference than the remote access we have provided to our users for years.  Some argue that productivity will increase if users can use their own “Insert iDevice” here to perform their jobs. This may or may not be true, but as security professionals our job is to enable the business to continue being profitable while minimizing risks /cissp_speak_off

So where is the disconnect? Why are some for and some against the concept that essentially has been around for at least the last 15 years? It comes down to the fact that organizations are starting to realize that they aren’t even in a good position to provide remote access, let alone support new technology. How can you possibly provide remote access when you don’t implement the basic controls such as data classification, role based access, centralized logging, intrusion detection?? We all complain about introducing new risks? Are we really introducing new risks?

Let’s look at how most organizations have their corporate network rolled out? Production access is usually granted on blind faith based on the whole “I trust my Lan”. How can you put so much faith into equipment that you have purchased? Is it because you have extensive control of those systems? In most cases you do not. Do you know what type of data users have on their workstations? If their is sensitive data in use on the endpoints, do you require two factor authentication and encryption to that endpoint? Why not? It’s the same data that you are trying to protect in your production environment, why should the endpoint be any different? Oh because you bought the equipment. It’s because you can control what sites the user accesses, you can control data leakage with that shiny DLP device right? You have that NAC thing rolled out right?

I hope you see the sarcasm in that last paragraph. Most organizations definitely fail at basics, so the introduction of new technology scares them and so it should. What if you started treating the corporate network as hostile? Wouldn’t life be so much easier from a security perspective if you stopped nitpicking endpoint controls? Call it BYOD, call it endpoint enforcement, call it whatever the hell you want? If it’s done right it should work across all of your platforms and you’re shiny iPads.

Imagine for a second everyone has to VPN in to get to production? Regardless of if you bought the equipment or they did? Regardless of it they are at the office or at home? Who cares? All hostile all the time… In order to do it right you must first get the basics in place. Data classification needs to perfect! Your access control program must also be perfect. If you can’t say that you’ve nailed either, than you aren’t ready for remote access let alone BYOD and/or wireless.. If you have however, then read on. You shouldn’t be introducing any additional risks if you have already gone through the above.

There are several solutions available that will allow you to quarantine devices that are physically plugged in or connected wirelessly into a DMZ where they have to authenticate. We all know NAC fails because of exceptions and misconfiguration and that’s not where I’m going. What if to get production, you have to authenticate to a central enforcement agent such as I dunno VPN??? The VPN solution can then in turn allow you to access only what you need to do your job. If it’s access to sensitive data, then you have to go through additional levels of control which can also be pushed by the choke point.  The point is that a central enforcement solution is the only way to go.

You can do everything from force software installation to perform a vulnerability assessment prior to allowing access. It’s not a question of technology, it really isn’t. The one problem that we keep running into is that user’s don’t want us installing things on their personal devices. It’s the whole entitlement mentality that our users have somehow attained through all of our babying.  That’s the cost of using our resources and I’m sorry to say there must be some compromise.  You have to pay to play!

With all that said I’m not crazy about users replacing corporate owned systems with user owned devices just yet, but depending on the environment it might be a feasible solution. What I am saying is that BYOD is not as big of a deal as everybody is making it out to be.  Get your basics in place and then when your CEO wants to use his new shiny iPad to access the Scada console you can give it to him because you’ve built your environment with the understanding that the host is hostile!

That’s my asshole or my .02 Thanks for reading!