ITSG - Information Technology Study Group | Date Created: Mar 30, 2006, 08:15 AM
This was at the Hyatt in Kaanapali from the 28th to the 31st of March...
It was pretty interesting to me (as a white hat) to have these people all in the same room going over issues that are of great interest to me. The key point of interest is that all of the law enforcement personnel in the room asked the right question, but none of the speakers answered the question...
For the most part, the speakers spoke of the great technology that is out there now, and coming in the near future, for security of the network and Internet. The question that wasn't answered is: "All this technology is fine and dandy, but you are living in a dream world. You are assuming that everyone in the network, or chatroom, or all collaborators in some cases, are 'ok to be there'. Estimates show that people are the biggest hole, not the technology - terrorists/predators/criminals/black hats pretending to be legitimate users who gain access through social networking. What are you doing to assure that the correct people are in there in the first place? And, if we were to work from that direction, would all this technology even be required, or necessary?" No one answered the first question simply because nothing is being done. No one answered the second question because it would make their products obsolete...
There were some heavy hitters in the room (from Cisco, FBI, Motorola, AOL, Earthlink, Google, Skype, Microsoft, ICG, Intel, Adobe, DirecTV, and Yahoo) - none of them answered either question. I spoke directly to a few, they are totally not even thinking of the people who already have access, they are just trying to keep people who do not have access out. This is the wrong perspective...
Due to these people, and those like them, we are getting way too dependent on technology to defend technology. As a person who knows what it is to use social networking to its extreme, I can tell you that the network is only as strong as the most gullible, or mean, person using it. People have to be trained. Technology does not click on a bad URL or file in an email, technology does not go to a bad website which will load a trojan horse to your computer, technology does not give usernames and passwords to critical systems away. People do...
When I want to crack a network, I don't even try to gain access until I've got usernames and passwords from a person in one way or another (via "social networking"). Once I have that, I own the place. How? Because I'm now inside.
It looks like this will be the way things will be for a long time - because these guys are not thinking about the guy who already has access and how he got it in the first place - they are thinking of the guy who is trying to get in with just the technology. Any serious cracker (bad guy) will use social networking to gain access - so these guys are just stopping the "script kiddies" from getting in. Script kiddies, for the most part, just do it for fun, not to do any damage - so, not only are the product companies diverting attention from the real problem, they're going after the wrong guys. They are taking the most important part of the equation out of the equation - people. Why? Because it costs money to train people, and if they did it correctly their products would be obsolete. They don't want to spend money training people, they want to make it selling product. They need people to be dependent on their products, so they do what they need to do, and say what they need to say, to make that happen...
Whatever, I guess I'll be making money testing networks as long as these guys are pushing product instead of training people. So I'm not really complaining. It's just sad that their heads are where they are, ya know?
The good news: Law Enforcement IS asking the right questions, AND looking at it from the right perspective. It looks as though they will be the proactive force in training people - this is good, very good. They see through the haze that the product companies are spreading - they can't do anything about it simply because the average user believes the product companies' BS - but they see through it. This all adds up to: they can stay ahead of the curve, because they know what the problem is...
The question I have that comes out of all of this is: Why not license computer users?
Different levels of licensing for different levels of awareness, knowledge, etc. Like Driver's Licenses, Motorcycle Licenses, CDLs and the like. Why not? This would allow the guys who know what they are doing to do it, and the people who don't would have access according to their knowledge. If someone does something against the "rules of the road", like click on an attachment which loads a virus to their computer, they get a ticket...
Why not license computer users?