Sunday, 7 November 2010

The how and why of IT Security - interesting presentations

I've watched a lot of hacker-conference videos recently, and several of them have made a strong impression. I feel that these two together excellently demonstrate current challenges in offensive/defensive IT Security.

Rather than waffle on too much about them I thought I would post links to them together here with a brief introduction.

If you work in IT Security I would suggest it is worth spending a couple of hours to watch these. Take a look.

First the how

Basically, the easiest way to attack most companies is with social engineering techniques delivered over email and the web.

Dave Kennedy (Rel1k) demonstrates how to use the Social Engineering Toolkit.

(The back-doored keyboard is interesting, but not so ubiquitous as attacks based around "click here" or "open attachment").

Anyway, it seems to me that employee IT Security training programs are probably the best solution to some of these issues.

Then the why

A good exploration of the economic motivations for cybercrime from Beau Woods.

Several really interesting points here, especially around: the motivations of attackers, the "we're outnumbered" situation, and how the market economy drives businesses to choose cheap solutions to meet regulatory requirements so that they can continue to do business.

In terms of solutions to the "why" I'm not sure that more regulation will really help improve IT Security budgets over the next few years, nor will it deliver real value. (If more solutions are mandated, this will drive down the budget for each solution to the cheapest - and probably worst.)
  1. Hey, Ben. I'm glad you enjoyed the talk. Be sure to watch the others from that event, they're great as well!

    I'm not a huge fan of regulation either, but in this case I think it is necessary. I also agree with you that regulation so far hasn't helped to solve any of the problems we have in InfoSec. But the question comes down to who protects the interests of the people when those interests are in conflict with the free market? In any situation where the full impact of an economic choice is not felt by those making the choice, you have this kind of problem.

    Take the example of some organization losing my information. A criminal gets it and creates a fake identity, credit cards, bank accounts, etc. I'm on the hook for lots of time and money to help fix the problem. The banks and credit card companies are on the hook for thousands in fraud. And the group that lost my information pays none of those costs! Therefore they're not economically incentivized to fix the problem. At that point, who looks out for my best interest?

    I'd argue that the government should, though they haven't so far. Take the Healthcare-oriented HIPAA regulation as an example. That regulation was intended to require organizations to safeguard personal information. But I doubt anyone would say it has been as successful as intended. But a well designed and implemented regulation would have a huge impact. I'm hopeful that HITECH - an addon to the HIPAA rule - will do that (although it has its flaws, as well).

  2. Thanks for the comment Beau - I really enjoyed your talk.

    I definitely agree that regulations are required, and that these must impose standards, but I'm not sure how legislated standards can keep up with the accelerating pace of technology - time will tell.

    Also, I feel legislation needs big teeth to be effective, and the risks need to be very real and visible to senior managers and decision makers. I'm not sure if current legislation requires senior managers to attend IT Security awareness training - perhaps it should? ;o)

    I will look into HITECH...

  3. Thanks for sharing. I learn a lot from your blog. I have read your blog about penetration testing; it is very helpful. I really enjoyed reading it; you may be a great author. I must say you've done a wonderful job by sharing your article with us. Blackbox penetration testing