EndGame CEO: Root Out Hackers Before They Strike (qz.com)
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz:
Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...
The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.
Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
Good luck with that (Score:3)
Re:Good luck with that (Score:5, Insightful)
Yeah, requires three things: time, effort and money
1. Time and effort: Any IT worker "looking for hackers attacking the network" is automatically assumed to be doing unproductive work by their immediate supervisor. Or by their supervisor. It is also pretty likely that none of his bosses will understand anything he has done to stop a hacker, and they are also unlikely to believe him. Released to look for other opportunities.
2. Money: any money spent on this "looking for a problem proactively" is money not available for the executive bonus pool. Since the result of anyone working on doing this at best can only claim to have stopped someone, and only MAY have prevented a loss of some kind, clearly the first executive that realizes this deserves a bonus at least equal to the budget of the department he just cut, because that is real, verifiable savings going hundreds of years into the future. He basically has just saved the company from bankruptcy.
Re: (Score:3)
"automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor. For example, if you are getting paid to develop and support applications that is what you should be doing. You can work on your security concerns after hours or get a job in IT security.
Re: (Score:3)
"automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor.
And whether they are correct or a flaming idiot depends on the rest of your job description, and the job descriptions of those around you. If you are in IT, and it isn't anyone else's job to maintain IT security, then it is your job no matter what anyone else thinks. If it isn't done, you can't do any of your other jobs.
Re: (Score:1)
You are missing that this is all based on hype, charisma and such. Advertising, marketing, and other forms of these get piles of money thrown on them despite having dubious effects.
Depending on the level of FUD, a CISO can persuade the company to take security seriously, then proceed to spend his checks and team budget on garbage, because the only thing that matters is that the C levels keep receiving FUD about removing them.
Depending on the level of FUD an army of InfoSec professionals can persuade congress to man
Re: (Score:1)
There's plenty of pro-active spending by businesses that doesn't get chopped: Insurance, Pro-active maintenance...
try telling my lot that..I've been struggling to 'fire-fight' on the maintenance front the better part of a year now..
Any attempt at 'Pro-active maintenance' gets met with 'WTF?, we need that back in service NOW!' (even if there are bits falling off it), our CNCs are now overdue their annual manufacturer's service by months..
I've even offered to do the maintenance of our equipment in my own time, an idea that was kyboshed by someone higher up the food chain, now, I only fix things when they break down, and
Re: (Score:3)
Stupid idea!
You do remember older flicks like Sneakers etc. and their depiction of phreaking - with the perpetrators actually monitoring how many hops the called party manages to hack their way back through.
This will be the same - but instead of hacking multiple phone exchanges, you have to hack into multiple systems, before you attack your "true" destination.
On the positive side, this might be a good thing - if a hacker breaks into multiple systems to build up a chain of hosts to route his attack through, th
Re: (Score:1)
Semi-retired hacker here
Hardening transit points takes time, which was / is in short supply
Apart from spoofing addresses, I used to set up honey pot branches for those tracking me and/or launching counter attacks
That way if that guy actually launched his attack he was gonna trash the spoofed address the midway station was pointing to --- which most probably belonged to the Pentagon or China or Mossad or the Kremlin or Iran
Whatever happened next will be popcorn time
All well and good for nation states (Score:5, Insightful)
All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...
Re: (Score:1, Interesting)
and... we take another step towards Stallman's predictions of you needing a license to own a compiler or a debugger..
Re: (Score:1, Interesting)
All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...
You forgot about the added bonus that you receive in the US for being pro-active.
The government response is also to be "pro-active". By labeling you a "terrorist". Welcome to the No Fly club.
Re: (Score:1)
Whew, good thing governments aren't owned by corporations.
Read the article ... (Score:2)
Seriously though ... the article makes a clear distinction between looking for intruders (legal) which the article advocates and "hacking back" (illegal) which it doesn't.
So this AC post is completely barking up the wrong tree (or a troll). I admit that the article is the usual clueless CEO bumf, but at least don't make it into something it isn't.
Either way
Re:Too good at the job (Score:5, Interesting)
Buying security from security firms gives very little bang for the buck. Security isn't a commodity any more than love is. You can only buy fake versions of either.
Spend the same on security minded employees and individualized training. Spear-phish your employees and require mandatory training of anyone caught. Hold security training without PowerPoint, and keep your employees informed with facts. Pay out small bonuses to people who display awareness. Post the name of departments where anyone has attempted to run malware or otherwise shown gross negligence. Make it a people thing, not a box in the server room and some licenses.
When TFA says "Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...", they were dead wrong. It should be closer to 100%, with almost all going to internal resources.
Re: (Score:3)
Simple. Open door, if what's behind it is neither a lawyer or has access to some, use flame thrower. Else, wave and close door quietly.
I've got one for you: wise up, do your homework. (Score:5, Insightful)
Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?
How many levels of fail was this?
Now go through all the last breaches, and think again: how many levels of fail?
> Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.
Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.
Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.
Re:I've got one for you: wise up, do your homework (Score:5, Interesting)
Re: (Score:3, Interesting)
> End-users, the "layer 8" of the OSI model.
They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.
It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a
Re: (Score:1)
I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports?
If they had plugged up the USB ports with glue, which some companies actually do by the way, would you call them more or less ridiculous?
This comment is haxzor-smug, a form of posing.
take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Yes, please, step up to my tent. I'm offering "security training courses."
(It's not a bad idea. I'm just saying, once you get into this tone of voice, anything can be made to seem stupid to the imaginary peanut gallery by putting it in quotes.)
This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is
Now we agree. The industry is in a really sad state. I'm nostalgic for the old da
What? (Score:1)
"Instead, going on the offense and hunting for adversaries entails surveying your assets stealthily and continuously."
You mean like having a monitoring system in place? Checking for too many consecutive failed logins? Unauthorized IPs trying to connect to sensitive servers/devices? Checking to see if any IPs registered to APNIC have gotten logged in? Checking on the md5 hash of the /etc/password file and reporting whenever it changes? Installing an IPS in front of the edge of the network?
Can someone pl
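Two of the checks listed in the comment above, the failed-login burst and the "report when the file hash changes" check, as an added example in Python. This is not code from the thread or from Endgame; the sshd log lines, the file contents and the year are constructed for the demonstration, and SHA-256 stands in for the MD5 the comment mentions, since MD5 is collision-prone and not what you want under an integrity check.

```python
# Added example (not from the thread or from Endgame): the failed-login burst
# check and the file-hash change check from the comment above, run over
# constructed data. The sshd log lines and the file contents below are made up
# for the demonstration and no real host is read; the year is assumed because
# syslog timestamps omit it. SHA-256 stands in for the MD5 the comment mentions.
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log excerpt: one source hammering root/admin, and a
# legitimate user who mistypes a password twice, half an hour apart.
SAMPLE_AUTH_LOG = """\
Jul 14 02:10:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jul 14 02:10:03 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jul 14 02:10:04 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jul 14 02:10:06 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Jul 14 02:10:07 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jul 14 02:10:09 web1 sshd[1206]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jul 14 02:15:00 web1 sshd[1210]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Jul 14 02:40:00 web1 sshd[1250]: Failed password for alice from 198.51.100.20 port 40200 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2016):
    """Yield (timestamp, result, user, ip) for each sshd line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failures} for sources with >= threshold failures in a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, result, _user, ip in parse_auth_log(text):
        if result != "Failed password":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_changes(baseline: dict, current: dict) -> dict:
    """baseline maps path -> sha256 hex; current maps path -> bytes.
    Returns {path: 'modified' | 'removed' | 'added'} for anything that differs."""
    report = {}
    for path, digest in baseline.items():
        if path not in current:
            report[path] = "removed"
        elif sha256_of(current[path]) != digest:
            report[path] = "modified"
    for path in current:
        if path not in baseline:
            report[path] = "added"
    return report


# Constructed /etc/passwd contents before and after someone appends a UID-0 account.
PASSWD_BEFORE = b"root:x:0:0:root:/root:/bin/bash\ndeploy:x:1000:1000::/home/deploy:/bin/bash\n"
PASSWD_AFTER = PASSWD_BEFORE + b"backdoor:x:0:0::/root:/bin/bash\n"


def demo():
    baseline = {"/etc/passwd": sha256_of(PASSWD_BEFORE)}
    return brute_force_sources(SAMPLE_AUTH_LOG), integrity_changes(baseline, {"/etc/passwd": PASSWD_AFTER})


if __name__ == "__main__":
    bursts, changes = demo()
    print("brute-force sources:", bursts)
    print("integrity changes:", changes)
```

The sliding window matters more than the raw count: alice's two typos twenty-five minutes apart never trip the rule, while the five failures in eight seconds from 203.0.113.7 do. The integrity check keeps only digests in the baseline, so the baseline itself can live somewhere the host cannot write to.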
Re: What? (Score:2)
Read The Practice of Network Security Monitoring.
He seems to be referring to active NSM and Hunt Teams as opposed to passive compliance and vulnerability monitoring, which is what most organizations do.
Re: (Score:2)
Can someone please help me understand what's so different about what this guy is proposing, vs common practices which already exists?
Not a damned thing different, though it might be argued that "common practices" and "best practices" are two very different things. What TFA is actually suggesting is little more than the best practice of paying attention to what's going on in your environment, as opposed to throwing up defenses and expecting them to stop all attacks. That takes effort, proper tools, and expertise. The mix of those three can vary, but the bottom line is that it costs money to be vigilant and that is not something that our i
Re: (Score:1)
Well it isn't, but it's certainly easier to exploit a system if you allow shit like BYOE - oh sorry, that's normally BYOD, but "Bring Your Own Exploit" is far closer.
"" Insisting staff use laptops and 'floating injection points' rather than the good ol 'machine on a desk' that's assigned to you.
I'll concede 'floating injection points' , sorry desks, do initially save money, but really it's not a win.
The base problem is that when it comes to a choice between money, convenience and security - security is alwa
I can't even imagine what he's talking about. (Score:2, Insightful)
Re:I can't even imagine what he's talking about. (Score:4, Interesting)
Honeypots are a bit like undercover policemen. You can use them to catch the dumb ones and give the smart ones more leg- and elbowroom.
Re: (Score:2)
He's talking about counter-terrorism. We know there are bad guys out there; suit up and go get them before they get us.
The problem is we don't know how many bad guys there are, who they are, what they want, where they might be, or how they might behave. You can't hunt an infinite enemy into extinction; and an enemy which is your own species is an infinite enemy. Wars haven't ended because we can't extinct bad humans without extincting all humans (and defining "bad" is hard); whereas we can extinct all
Re: (Score:2)
This was done during a war the Chinese were losing, badly, and it completely reversed the war. I keep forgetting the details because it's hardly ever relevant (it was, amusingly, referenced in Babylon 5 in exactly one scene); it's relevant here.
When was it?
There's a lot of words (Score:1)
But very little content in there. I did not read any form of plan.
Re: Legal? (Score:1)
Yes the blushing telepaths are the worst.
Buzzword bonanza (Score:4, Insightful)
Read the article, and I honestly don't see his end goal.
Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
I could be mistaken as the whole article was a bit of a buzzword bonanza.
Re: (Score:1)
I think all he wants is to promote his security business
Threat Hunting (Score:5, Insightful)
Threat Hunting isn't exactly a new concept, it's been around for ages.
But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.
So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype
Re: (Score:3)
Threat Hunting isn't exactly a new concept, it's been around for ages.
But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.
So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype
Unfortunately, you had to go through 3/4 of the article before he even got to what he was talking about. I was pretty disappointed once I got there, although I was expecting it.
Maybe it is time to set up an on-prem cloud-based hunt team solution?
In chess (Score:1)
Re: (Score:3)
In chess, everything is black and white.
Not so much in the world.
Re: (Score:2)
In chess, everything is black and white.
Not so much in the world.
Then you lack the right level of granularity.
Said only partially tongue in cheek.
Not just hackers... (Score:4, Insightful)
We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
Maybe this CEO is phenomenally dumb?
TFA is a bit vague (Score:5, Informative)
But the company's (Endgame [endgame.com]) blog pages have some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts [endgame.com]: "running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using YARA, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, YARA with PowerShell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.
Re: (Score:2)
Exactly. It is not a new concept at all and something I did as a sysadmin 10 years ago when I got bored. You don't need a product, you just need to pay attention and have the management support to spend some time doing it. In more security-evolved companies, everybody contributes x% of their time doing this.
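The "hunting on hosts" list quoted above (running processes, listening ports, autoruns) written out as hunt rules, as an added example in Python. This is not code from the thread or from Endgame's blog: the two inventory snapshots, the hostnames, PIDs and paths, and the lists of user-writable directories and suspicious parent/child pairs are all assumptions made for the demonstration. On a real host the snapshots would come from Sysinternals, PowerShell, osquery or an EDR agent.

```python
# Added example (not from the thread or from Endgame's blog): the host-hunting
# checks quoted above (running processes, listening ports, autoruns) written as
# rules over two constructed inventory snapshots. In practice the snapshots come
# from Sysinternals/PowerShell, osquery or an EDR agent; the hostnames, paths,
# PIDs and path/parent lists below are assumptions for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    image: str   # full path of the executable


@dataclass
class Snapshot:
    procs: list        # [Proc]
    listening: set     # {(proto, port, owning pid)}
    autoruns: dict     # {autorun entry name: command line}


# Directories a service binary has no business running from (assumed list; tune it).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
# Office apps spawning a script host is a classic macro-dropper pattern (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def hunt(baseline: Snapshot, current: Snapshot) -> list:
    """Compare a host's current state with its baseline and return findings as strings."""
    findings = []
    by_pid = {p.pid: p for p in current.procs}

    base_listeners = {(proto, port) for proto, port, _pid in baseline.listening}
    for proto, port, pid in sorted(current.listening):
        if (proto, port) not in base_listeners:
            owner = by_pid.get(pid)
            findings.append(f"new listener {proto}/{port} owned by {owner.name if owner else pid}")

    for p in current.procs:
        if any(d in p.image.lower() for d in USER_WRITABLE):
            findings.append(f"{p.name} (pid {p.pid}) runs from user-writable path {p.image}")
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() in SUSPICIOUS_PARENTS and p.name.lower() in SCRIPT_HOSTS:
            findings.append(f"{parent.name} (pid {parent.pid}) spawned {p.name} (pid {p.pid})")

    for name, cmd in current.autoruns.items():
        if baseline.autoruns.get(name) != cmd:
            findings.append(f"autorun {name!r} new or changed: {cmd}")
    return findings


# Constructed baseline taken on a clean workstation.
_CLEAN = [
    Proc(4, 0, "System", "System"),
    Proc(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(900, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1800, 1500, "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]
BASELINE = Snapshot(
    procs=list(_CLEAN),
    listening={("tcp", 445, 4), ("tcp", 3389, 900)},
    autoruns={"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
)

# Constructed later snapshot: a macro in Word launched PowerShell, which dropped a
# fake svchost into Temp, opened a listener and added an autorun entry.
CURRENT = Snapshot(
    procs=_CLEAN + [
        Proc(2210, 1800, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
        Proc(2300, 2210, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ],
    listening=BASELINE.listening | {("tcp", 4444, 2300)},
    autoruns=dict(BASELINE.autoruns, Updater=r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
)

if __name__ == "__main__":
    for finding in hunt(BASELINE, CURRENT):
        print(finding)
```

The point of the baseline is that none of these rules needs a signature: a binary named svchost.exe is unremarkable until you notice where it runs from, who its parent is, and that it owns a port the host never listened on before.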
Re: (Score:2)
Yes, but this software is cheaper to license than a sysadmin is to hire. At least at first, and who cares if it actually works? That's what insurance and PR are for, but you need to show "good faith measures" that you're doing something.
In this context, the company's name is very funny.
I call bullshit. (Score:5, Interesting)
There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.
And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!
Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!
In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.
You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
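The two bugs this story turns on, an amount the client can edit in the payment URL and a uid parameter nobody checks against the logged-in user, as a vulnerable handler beside a hardened one. This is an added example in Python, not code from the thread or from the pizza shop; the order table, user ids and amounts are constructed, and the `provider_settled` argument stands in for the figure the payment provider reports when the server verifies the transaction out of band.

```python
# Added example (not from the thread): the two bugs the story above turns on,
# an amount the client can edit in the payment URL and a uid parameter nobody
# checks against the logged-in user, shown as a vulnerable handler beside a
# hardened one. The order table, user ids and amounts are constructed for the
# demonstration; `provider_settled` stands in for the amount the payment
# provider reports when the server verifies the transaction out of band.
from decimal import Decimal, InvalidOperation


def fresh_orders():
    """Constructed server-side order table: order id -> owner, total due, paid flag."""
    return {
        "A100": {"owner": 1234, "total": Decimal("15.60"), "paid": False},
        "A101": {"owner": 1235, "total": Decimal("22.00"), "paid": False},
    }


class Rejected(Exception):
    """Raised by the hardened handler when a request fails a check."""


def vulnerable_confirm(orders, order_id, amount_from_url):
    """What the pizza site evidently did: the amount carried in the redirect URL is
    believed, and nobody asks whether the caller owns the order."""
    order = orders[order_id]
    order["paid"] = True   # 0.10 paid, 15.60 owed, and the order ships anyway
    return f"Thank you for your payment of {amount_from_url}, your pizza is on its way!"


def hardened_confirm(orders, order_id, amount_from_url, session_user, provider_settled):
    """Ownership is checked against the session, not a uid in the URL, and the amount
    is the provider's settlement figure compared with the stored total. The URL's
    amount is accepted only as a hint that must agree with both."""
    order = orders.get(order_id)
    if order is None or order["owner"] != session_user:
        raise Rejected("order not found")   # one message for both cases: no enumeration oracle
    if order["paid"]:
        raise Rejected("order already paid")
    try:
        hinted = Decimal(amount_from_url)
    except (InvalidOperation, TypeError, ValueError):
        raise Rejected("malformed amount")
    if provider_settled != order["total"] or hinted != order["total"]:
        raise Rejected(f"paid {provider_settled}, expected {order['total']}")
    order["paid"] = True
    return "Thank you for your payment, your pizza is on its way!"


def attempt(orders, order_id, amount_from_url, session_user, provider_settled):
    """Run the hardened handler and turn a rejection into a string, for easy inspection."""
    try:
        return hardened_confirm(orders, order_id, amount_from_url, session_user, provider_settled)
    except Rejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(vulnerable_confirm(fresh_orders(), "A100", "0.10"))
    print(attempt(fresh_orders(), "A100", "0.10", 1234, Decimal("0.10")))     # tampered amount
    print(attempt(fresh_orders(), "A101", "22.00", 1234, Decimal("22.00")))   # someone else's order
    print(attempt(fresh_orders(), "A100", "15.60", 1234, Decimal("15.60")))   # legitimate
```

Two choices are deliberate: the amount is a Decimal rather than a float, so 15.60 compares exactly, and "not yours" and "does not exist" produce the same rejection, so the uid=1235 trick cannot be used to enumerate other people's order ids even after the ownership check is in place.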
Re: (Score:3)
...Here in Holland a some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!
In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable...
Yes, this is likely true. They should be held liable once the issue is reported and not acted upon. Not even knowing about an issue makes it a bit harder to pin blame. IT professionals may appear to work magic at times, but they're not psychics.
You cannot blame the guy who stumbled upon this issue for "hacking".
Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.
Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail?
Unethical? Not "nice"? You have a very cute way of labeling theft, which was blatantly obvious to the person doing the "hacking", and is also blatant
Re: (Score:3)
Sorry, but allowing the client to manipulate critical data like the amount due that he should not have control over is criminal negligence. At the very least it should be, for any programmer should know that this is critical. If he doesn't know that, he has no reason to be creating computer programs.
That isn't something obscure where the "oh, I didn't know that" excuse should work. That should be reserved for nontrivial cases where it did actually take a security researcher to unearth something buried in some lay
Re: (Score:2)
Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.
The law is an ass...doubly so for computer-related laws.
Laws have very little to do with actual right and wrong. The US has a legal system, not a justice system. Justice and/or fairness are rare occurrences in the US legal system.
All the atrocities and war crimes that occurred in Nazi Germany and other totalitarian regimes were all according to the laws in place at the time and perfectly legal.
Just because some politicians pass a law doesn't make it right.
Strat
Re: (Score:2)
Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.
The law is an ass...doubly so for computer-related laws.
Laws have very little to do with actual right and wrong. The US has a legal system, not a justice system. Justice and/or fairness are rare occurrences in the US legal system.
All the atrocities and war crimes that occurred in Nazi Germany and other totalitarian regimes were all according to the laws in place at the time and perfectly legal.
Just because some politicians pass a law doesn't make it right.
Strat
There's little here that I would argue against, save for one. That whole "right and wrong" part. When you know it's illegal, it's wrong.
Don't give a shit if you agree with it or not. You still know damn well it's wrong.
And citizens have known this since the dawn of time. Parents instill it in their children for a valid reason. So they don't end up criminals.
And the IT circle adopted the old-fashioned wild west mentality with it as well, putting certain color hats on your head, all based on the legali
Re: (Score:2)
When you know it's illegal, it's wrong.
So then Rosa Parks was wrong?
OK I can see that you've clearly not thought this one through.
Might want to give it another good think. Just saying.
Strat
Re: (Score:2)
When you know it's illegal, it's wrong.
So then Rosa Parks was wrong?
OK I can see that you've clearly not thought this one through.
Might want to give it another good think. Just saying.
Strat
You had to reach back 50 years to a civil rights issue (as if that's some kind of parallel here) to provide an example, and I'm the one who hasn't thought this through...riiiiight.
Re: (Score:2)
I chose Rosa Parks as pretty much everyone, young or old, even non-Americans, is familiar with Rosa Parks' famous act of civil disobedience.
How about Mr. Edward Snowden and his whistle-blowing on the unConstitutional spying on innocent US citizens by the NSA?
There is such a thing as right & wrong, and in many cases what's "right" in most peoples' view is often illegal and what may be legal is wrong.
Legal/illegal =/= right/wrong.
It's perfectly legal for a cop to c
Re: (Score:2)
...No one Is bound to obey an unconstitutional law and no courts are bound to enforce it.
Strat
I think we both know why this statement is VERY hard to believe anymore (cough, FISA, cough). This is unfortunately the world we live in today, as our Constitution is reduced to a tourist attraction, lacking the teeth it once had to bite back against attacks on our Rights.
Again, you've brought up some solid points here, and I agree with you on them, but let's bring the example you brought forth back to a proper frame of reference; a kid hacking a website for the blatant purpose of stealing a product over a
Re: (Score:2)
Are you saying that a site that doesn't notice the 0.10 € payments in their bookkeeping for a year is without blame?
I am not saying that any pizza beyond the first isn't theft (and if you can cancel the first one, you should) but saying that a vendor is not responsible for the shortcomings of his products is what landed us in this situation in the first place.
You might not have noticed this, but ignorance has become a rather valid defense, both in and out of a courtroom.
Yes, an internal audit should have caught this issue long ago, especially on the accounting side. But to be honest, it's probably not that hard to bury a few 10-cent pizza transactions among tens of thousands, and escape even a detailed audit. If he was the only thief in this case, that could have been chalked up to a rounding error within a day's worth of transactions. No one employs enough p
Re: (Score:3)
"Are you saying that a site that doesn't notice the 0.10 € payments in their bookkeeping for a year is without blame?"
Cliff Stoll saw a $0.75 error and followed it to Markus Hess, exposing a deliberate espionage effort.
"it's probably not that hard to bury a few 10-cent pizza transactions among tens of thousands, and escape even a detailed audit"
If so, it's not a detailed audit. But that particular 'free pizza' hack could have been averted, probably, by adding in a check for the cheapest menu
Connected to that "Endgame"? (Score:2)
Is that endgame somehow connected to that "Endgame [nerdist.com]"?
Anyone knows a site that shares the solution of those puzzles?
Here we go again (Score:2)
FTA:
Some worry that such an aggressive approach to defense and security may break laws. It does not. To be clear, proactive hunting is not “hacking back” or illegally “shooting back” at cyber adversaries beyond the infrastructure you own. Hunting is essential, while hacking back is illegal.
I can just hear it now - the sound of yet more privacy being trampled underfoot as all those 'proactive hunting' parties go traipsing through our virtual back yards. Lovely!
Will Gibson be proven right? (Score:2)
I have also an idea (Score:5, Funny)
How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.
Nothing to see here. (Score:2)
What if were T-shirts? (Score:1)
What if it were T-shirts that might disintegrate under certain conditions? We would know that the fabric wasn't well tested and it could break down, but we would not know exactly how, so we follow some of the steps suggested in the comments here. (1) We would find experts on disintegrating T-shirts and learn that fire would most certainly destroy them, but water might dissolve them as well. UV light might break down some of the fibers, so stay out of sunlight and don't spend too much time in certain kinds o
Learn how to secure your systems first (Score:1)
Re: (Score:2)
I think money would be better spent learning how to properly configure your corporate systems and actually learning how to make secure applications...
Erm..., no. The very notion that such a thing is possible is flawed, evidenced by the fact that we are having this discussion. Granted, there's a lot of room for improvement and not fixing (let alone releasing) software with known exploits is inexcusable, but the reality is that there is no substitute for vigilance.
How about 3 suggestions to start ... (Score:2)
Hold C level officers criminally liable for breaches, including in government. The OPM, IRS and Target hacks should have resulted in the enablers going to jail.
Re: (Score:2)
2 suggestions.
In other words (Score:2)
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers.
In other words, this ignores the fact that most hacking incidents are the result of gross negligence and incompetence (most of that shit would be stopped in its tracks if people did their security homework and put the necessary money into IT and user training.)
Moreover, it tells us to go wild west hunting for hackers. How far would you take that? Hack others before they hack you? Block others that might be suspicious? Because if you take this shit to its logical conclusion, that is where we end up.
Look, just
Re: (Score:1)
Look, just do your bloody homework when it comes to security.
...But, but, but, but offensive hunting and attacking sounds so much more fun than homework and education.. who wants to RTFM when you can pretend you're in a cheesy movie?
Who's liable when there's damage? (Score:2)
When you give a chimp a gun, and the chimp shoots someone, you don't blame the chimp.
If we can't rely on organizations to adhere to frighteningly basic security concepts (usually at the core of these breaches) how can we trust them to hire a mercenary to go on the offensive against bad guys?
Proactive Monitoring (Score:2)
EndGame CEO is a moron. (Score:2)
Basically what he's saying is "Arrest these hackers before they commit a crime" without ever knowing if they're actually being targeted by hackers or if the hackers are even committing a crime in the first place.
Sounds like wonderful precedent for a company to try establishing here in the USA.
Re: EndGame CEO is a moron. (Score:1)
The equivalent is "arrest them for breaking and entering before they steal or sabotage anything."
Which is entirely plausible and just uses the current legal structure.
Is it war? (Score:2)
If this is a cyber war we are engaged in, mere defense is not enough. DDOSing botnets for instance, or counterattacks directly against black hats, but it's fair, as in all's fair in love and war.
I can see where a botnet seeking known MAC addresses and hammering them might result in black hats having to come up with new laptops, changing LAA, spending time responding to counterattacks, which impedes them at least minimally. Good work.
Why the hell hasn't ... (Score:2)
... anyone thought of this before?
How fucking clever.
Oh, wait ...
I had this goddam discussion with management back in 1996 all the way up until I retired in 2014.
They said, while it's a problem, it's an IT problem, and we get no funding for training, best-practice firewalls and shit like that.
My insistence that they change passwords at least once a decade, and to refrain from using the same simple password for EVERYTHING went ignored.
As a courtesy, I just sent them a mass email saying that I put every one o
So, avoid responsibility and push legal limits? (Score:1)
Why bother migrating your outdated Windows XP machines to Linux, when you could instead have all the job security in the world - repairing virus-infected systems?
Why not open a
If your office is lazy, uses minimal passwords, doesn't update Windows or have antivirus, open ports everywhere,
This is all well and good but... (Score:2)
until executives start making security a priority, rather than a reflexive action, nothing will change. The majority of corporate boardrooms are filled with MBA types and people with sales backgrounds. Even in high tech companies, the tech founder usually gets squeezed out at some point to make room for the MBA that is going to grow the company.
Typically, MBAs and salespeople view security as a burden, a necessary evil, a nuisance. They would rather allocate funds to marketing. Or the latest diversity flav
OOOO!! $75 BILLION!!! (Score:2)
Je T'Accuse! (Score:1)
"I hereby label Nick Fink as a security risk, a potential terrorist, a possible molester and an unperson.
Worse, he is not a team player.
Based on this irrefutable accusation, and the serious risk of Pre-Crime ... I demand that he be neutralised.
Either interned for life or simply eliminated.
I cannot allow the evidence for this to be scrutinised, since our security, nay our very freedom, depends on secrecy.
Dissent or protest will prove the accusation."
Fascists. We know how this ends.
Re: (Score:1)
*Name changed to protect the guilty! Absolutely no relation to Nate Fick, whatsoever.
Obviously.
War on terra? (Score:1)
Did you fools learn NOTHING from Gitmo?
All you do with arrests (or attacks) PRIOR to any crime is make angry people into enemies dedicated to your destruction
Ah, preemptive strikes (Score:2)
They've worked so well in the past! Next we just need thoughtcrime, and everyone will live happily ever after.
Another Also-Ran or Illegal "Solution"... (Score:2)
Anomaly detection and whitelisting are measures that already exist in actual code that can run on a real computer right now. Monitoring and alerting tools are becoming commonplace, and we even have an acronym or two to sum up the process (thinking of SIEM here). So this call-to-arms is either late or stupid, depending on how far it intends to go.
Assuming the attacker has half a brain, he will proxy his inputs and outputs through intermediate devices. Compromised servers, botnets, whatever. This pro-active appr
Re: (Score:1)
And deprive me of a treasure of laughs and giggles?
You can't take the biggest comedian on the planet from me! I mean, just read what he writes, he's acting like he's some kind of politician and proposing stuff that makes even old NK-Kim look sane, that guy's hilarious! He should have his own TV show if you ask me.
Thinking 'bout it, could it be that I've seen that face on TV at some point? Maybe it was while zapping, did he do stand-up somewhere in the past?
Re: (Score:2)
Perimeter security?!? No, No, No! Every serious security professional knows that it does not work. Repeat after me: "Defense in depth".
Agreed.
One of the big problems out there is that so much software is *written* to be insecure; at best it checks external inputs, but once you get past external inputs you pretty much have free rein over calling any other function that is accessible.
So until programmers start taking security seriously and start writing software with the goal of keeping people out unless the software is used correctly (e.g checking all inputs and outputs of functions at all levels, internal or otherwise) then there wi