For those of you not familiar with Healthy Paranoia, it is an excellent podcast on PacketPushers, hosted by the wonderful and brilliant Mrs Y. Check out some of the shows on which Joe had the pleasure of being a guest:
Healthy Paranoia Show 13: To CISSP, or Not to CISSP takes on the question of “the profound problem of security certifications.”
Healthy Paranoia Show 9: Live and Let Scada discusses Scada and ICS security issues.
Healthy Paranoia Show 4: IPv6 Security Smackdown offers up an amusing and informative take on security issues and common vulnerabilities of IPv6.
For the last year, I have been reading many books about start-ups. Currently I am reading a book called “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses”; a book which in October 2011, debuted at #2 on the New York Times Best Seller list, with CNBC stating that it had “already [become] a must-read for any entrepreneur”.
Throughout this and other books, I see the topic of security risks and protecting customer information ignored and dismissed.
I guess the meme IBGYBG (I’ll be gone, you’ll be gone) discussed in Thomas L. Friedman’s “Why How Matters”, The New York Times, October 14 2008, applies to the security of business systems and networks.
To paraphrase Mr. Friedman with a security spin: “We got away from the basics — from the fundamentals of prudent security, where the company or organization maintains some kind of personal responsibility for, and personal interest in, whether the person receiving the private data can actually protect it. Instead, we fell into what some people call YBG IBG security: ‘you’ll be gone and I’ll be gone’ before the compromises happen.”
What do you think B-School graduates, ‘C-Suite’ set and entrepreneur community? Am I being too hard?
Today I reviewed the blog entries, hosting services, domain names, videos and slides I have created over the last 8 years. Once that was complete, only one thing still needed to be tested: whether WordPress supports IPv6. It does not, so I needed a way to proxy my site through an IPv6-to-IPv4 infrastructure. The solution was CloudFlare, a provider that fronts IPv4-only websites so that they are reachable over IPv6.
The process was quick and easy; it took only a short time to set up, including making CloudFlare the hosting service for my domain DNS.
Upside: quick and easy.
Downsides:
– Turning the hosting of my domain names over to another vendor,
– IPv4-only code running under IPv6 is now vulnerable,
– CloudFlare’s inability to support DNSSEC.
Anyway, for the short term this seems the only solution.
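The second downside above, IPv4-only code that is suddenly reached over IPv6, is easy to illustrate. The following is an added example written for this post, not code from WordPress, CloudFlare or this site: a deny-list check written in the IPv4 era silently lets every IPv6 client through because a non-dotted-quad address falls into its “not matched, so allow” path, while the family-agnostic version using Python’s standard `ipaddress` module fails closed and also normalises IPv4-mapped IPv6 addresses. The address ranges are constructed sample values from the documentation prefixes, not real ones.

```python
import ipaddress
import re

# Constructed sample deny-list of abusive client ranges (hypothetical values
# taken from the IPv4/IPv6 documentation prefixes).
DENIED_NETWORKS = ["198.51.100.0/24", "2001:db8:bad::/48"]

_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ipv4_only_is_denied(client_ip: str) -> bool:
    """IPv4-era check: compares the client's first three octets against each
    denied /24. Anything that is not a dotted quad (i.e., every IPv6 client,
    including IPv4-mapped ones) falls through to 'not denied'."""
    m = _DOTTED_QUAD.match(client_ip)
    if not m:
        return False  # the failure mode: unrecognised format -> allowed
    prefix = ".".join(m.groups()[:3]) + "."
    return any(net.startswith(prefix) for net in DENIED_NETWORKS)


def is_denied(client_ip: str) -> bool:
    """Family-agnostic check. Unparseable input is denied (fail closed), and
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalised to IPv4 so a
    denied IPv4 range cannot be bypassed by presenting it in IPv6 form."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # 'in' is False when the address and network families differ, so mixed
    # lists are safe.
    return any(addr in ipaddress.ip_network(net) for net in DENIED_NETWORKS)


def compare(client_ips):
    """Return {address: (ipv4_only_result, family_agnostic_result)} so the
    divergence between the two checks is visible for each sample address."""
    return {ip: (ipv4_only_is_denied(ip), is_denied(ip)) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample client addresses exercising both checks.
    samples = ["198.51.100.7", "192.0.2.10", "2001:db8:bad::1",
               "2001:db8::1", "::ffff:198.51.100.7", "not-an-ip"]
    for ip, (old, new) in compare(samples).items():
        print(f"{ip:24} ipv4_only_denied={old!s:5} denied={new}")
```

The point of the side-by-side is the first function's `return False` on an unrecognised format: once a front end makes the site reachable over IPv6, that branch is taken for every IPv6 visitor, so the deny-list stops applying to them without any error being raised.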
Over the last 8 years, I have convinced several large organizations to enable an IPv6-only network, disabling IPv4 completely. The result has been a lower cost of managing the networks compared to organizations running dual-stack environments. Another major benefit is mitigating a vast amount of malware, command and control (C&C) channels, and Remote Access Trojans (RATs), lowering the number and cost of compromises.
It now seems others are beginning to think about these issues, according to an article from Government Computer News (GCN). It looks like Steve Pirzchalski, IPv6 program manager for the Veterans Affairs (VA) Department, gets it.
I have been interested in graph theory since I worked for the railroad back in the 90’s, and even further back when I was working on my degree in the 80’s. Last year, as a side project (we all seem to have them), I asked the question “Has graph theory been applied to cybersecurity?” The answer was yes. I discovered tens of papers, some great and some not so good, but many more than I realized existed. I also found sample code, working templates and even two commercial products.
After my IPv6 presentation was not accepted for ShmooCon 2012, I decided to present my attack graph findings at the NOVAHA ShmooCon Epilogue event. The event was great; I learned things from all of the speakers and had many good side discussions.
Here is the video, if you are interested.
Other videos from the event can be found here:
Special thanks to Georgia for video taping the conference!