…culled from tweets.
I meant to write this for sometime. I just never got around to it. I felt moved to tweet the bare bones notes earlier today.
I will replicate those here.
– Avast for AV http://bit.ly/8bcLxX
– I try to separate out my on-line life as Purpleslog from my real life as XXXX. http://bit.ly/oE15sU
– I have an use a cross-cut paper shredder http://amzn.to/rhzXeM
– I don’t use my own email client. I use GMAIL for Purpleslog and Yahoo Email for XXXXX for their anti-malware
– I have MS Updates set to auto-download. I require it to wait for me to install. http://bit.ly/LncO
– I have the MS Firewall turned on. http://bit.ly/9MArC
– Browser extension WOT – to give warnings of malicious web sites http://bit.ly/dHANri
– Secure Zip http://www.pkware.com/software/securezip/windows
I ‘ll add Mac OS/X stuff in the future TBD.
It sounds like some Computer Scientists…
A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think found a ‘choke point’ [PDF] that could greatly reduce the flow of spam…If a handful of companies like these refused to authorize online credit card payments to the merchants, ‘you’d cut off the money that supports the entire spam enterprise,’ said one of the scientists. [Link]
…has caught up to my thinking…
Often much of the cost of an information security incident falls not onto the party that is responsible for providing the Security but onto third parties. While the enterprise/individual that has the incident may incur costs, much of the cost of this InfoSec externality is put onto others (organizations/individuals/taxpayers).
What is lacking is proper incentives. By incentives I do not mean government regulations or criminal statutes.
I mean money. Getting money is a good incentive. Avoiding loosing money is a good incentive. Not having your Balance Sheet, Income Statement, and Cash Flow Statement be effected by information security loss is a good incentive.
What is needed is Information Security Lawfare.
If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: Duty of Care) and is subsequently used as part of an information security incident, those effected by that information Security incident should sue for a Tort Remedy.[link]
Why leave Lawfare just to the bad guys?
…from here [The bolding is mine]:
Unlike traditional malicious attacks that occur over a number of minutes (days to weeks at most) and result in a demonstrable system payload, APTs are far more subtle. There is no single event to indicate compromise; the threat is made up of a number of small activities occurring over a long period of time, often up to 18 months.
The challenge facing security experts is that many of these small activities will not raise any alerts. APTs often include a degree of social engineering, with malicious individuals getting information from phone calls or looking up web addresses as a starting point for finding creative ways to gain access to systems, or they use people within the organisation to plant malware components within the system.
These small actions will not stand out from the millions of events occurring on an IT infrastructure every day– they get lost in the crowd. Even if they are noticed, they may be viewed as low risk when compared with traditional security threats, but in the era of APT these low-key events need to be considered differently.
Is there a trend in activity? Could this action actually provide a route into other company assets, such as financial information or intellectual property? Is this small event part of a larger scheme?
What does that sound like sort of? Hmm…