Monday, November 29, 2010

Cloudy with a chance of better security


I have been mulling over cloud computing a little bit lately. My thoughts (as usual) are pretty simplistic so far. I work in the small/medium environment where good InfoSec is as rare as hen's teeth. IMHO, the issues are primarily time and expertise. Small IT shops tend to be reactive and spend a lot of time firefighting. Proactive security is just plain hard, and when you are doing InfoSec as a sideline or a hobby within your daily work it is a million baby steps to reach a decent security posture a la 2010. Can it be done? Yes. Do I feel like I am there yet? Not even close, but moving in the right direction.

So take virtualization and then take cloud computing, a.k.a. using somebody else's virtual infrastructure by way of the Internets. I am all about that. If it is possible for, say, Google Apps or Microsoft's "Cloud Power" to serve up COTS applications and protect data in a way that prevents people from the usual bad habits, e.g. emailing themselves that spreadsheet full of PII, what is the downside? Plus, if cloud computing means that we can move to a thin-client desktop approach where few applications need to be installed after the inevitable malware infection(s), then my good friend Matt the desktop guy has a reduced suck factor. That's a win-win in my book.

At the risk of over-statement, do I really believe I can do security better than say Google, Microsoft or Amazon AWS? I guess it depends on how arrogant and/or delusional I am. Enough said.

There is some good reading on Lenny Zeltser's blog around how the risk factors in the Cloud are not all unique in comparison to other disruptive technologies. As for me, I can't wait to stick my head and hands in the cloud(s) - and keep them there.

Wednesday, November 17, 2010

Fake AV - Phunny Fail


If you are in IT these days you likely see your fair share of fake/rogue antivirus malware, be it @ work or home (or your beloved Aunt Edna - you know the one who always forwards you the Nigerian 419 scam emails wanting to know when to expect the big payoff.)

Last week at work a co-worker received a drive-by 'gift' of goodness on his XP box. We use WSUS for the Microsoft patches and Symantec Endpoint Protection for client-side I'net 'security'/AV, and your mileage probably sucks as badly as ours. We're still trying to win the battle on Adobe / Apple patching; not there yet, but moving along.

Anywho, this particular fake AV crapware does something really quite hilarious: it changes your desktop wallpaper to a FUD-factor alarmist litany of bad things that can happen if you disregard the pleas of the badware to detach yourself from your hard-earned $50, which is guaranteed to do nothing but lead to someone spending more money (with your card number).

If you believe the above warning, all those movies/MP3s you deleted are STILL THERE and "could break your life!" It is too bad the author's English was not up to par. Some days you just gotta laugh, 'cause the crying gets old after a while. And while I hate malware as much as the next guy, no one I know of has ever died from an infection.

Image courtesy of the Rogue Antispyware blog, a great resource for all the latest Fake AV news.

Saturday, November 13, 2010

I don't wanna be 'that guy'


I was thinking the other day, reflecting really. I do that once in a while but I'm no Jack Handey. I was thinking about a few times recently where I have been either confronted (by my better half) or felt convicted internally about my behavior as far as either exaggerated or extreme statements I have made on topics that raise my blood pressure. I do not wish to be a robot or shell of a man who has no emotion, but I was surprised on a couple of occasions at the strength of my own reaction - overreaction is more like it.

There are times in life when we all see our own ugliness. When the mirror is raised and we are at our worst, or at least close to it. I am grateful that God reveals these things to me, call it what you like if you are not a believer - intuition / insight / etc. The facts here don't change.

I do not want to be that guy (the jerk with the funny hat). The me who is impatient with people at work who are maybe a bit slow on the uptake, who don't agree with me on a matter that seems obvious (from my perspective), or the InfoSec No Team. You know, the folks who relish explaining ad nauseam why something cannot or should not be done instead of offering up constructive alternatives and/or suggestions as to how something could be done securely, or at least more securely. Or sarcastically telling everyone who will listen (or can't get away fast enough) about how piss-poor and totally pwnable this or that system/software/OS is.

Dan Lohrmann addresses this in several of his blog posts. I am a big fan of Dan's openness and honesty, especially in matters related to relationships, the squishy but critical soft skills to which those of us in IT sometimes fail to give adequate time and effort:
http://blogs.csoonline.com/the_customer_is_clueless_not

So, at the risk of sounding like a dork cheerleader, join me in committing to doing better with patience and hearing people out to gain perspective. Think back to the times you have learned things from people you had perhaps written off as total n00bs.