Who Needs Information

So I’m listening to Pink Floyd the other day, and what kind of story isn’t going to be fun that begins with that line? Roger Waters’ Radio KAOS, specifically, and the song Who Needs Information is just WEDGED into my head for days now. You can look up the lyrics and listen to it if you’re that interested, but the concepts of information it repeatedly brings up are relevant to INFOSEC (as is the opening stanza about theft).

We see a lot of information theft these days. The people going after it are our threat actors. Thinking about who needs it helps us fill out our risk register. Thinking about risk while listening to music (or doing anything) is our JOB. The first stanza looks at the opportunistic aspects (“we could win a million pounds”), and that’s just how some of our actors look at our blue targets. You’re a prize. Your company is a scratcher to them and all they have to do is buy enough, and it’s a cheap buy-in, and they’ll find a winner.

The second run through is about fear, and the obvious correlation here is the FUD our industry pushes on the rest of the business world. Like management, the song posits that we just want reassurance there’s an escape and we can get on with business. That desire applies to both the attackers trying to claw their way out of their socio-economic position and management in the blue company that wants a three-color graphical chart of security showing GREEN so they can go back to business issues. They’re both desperate for a solution to their respective concerns.

Information security IS a business issue, and management IS getting better at grasping the importance, but they’re still not entirely on board in many cases. Which brings us back to selling with FUD instead of selling with BUSINESS. And, coincidentally, why we strongly feel that the CISO position needs to be either under the CFO or an independent with CFO ties. Stop putting operational responsibilities in the security department, because it creates a pressure to put them under the CIO, and that is the WORST business choice a company can make. Let the IT department handle the operational aspects of security, because isolating the security functions from the IT positions directly associated with them creates a barrier to workflow and adds costs. The system administrator is perfectly capable of handling the security duties assigned, which the security TEAM under the CFO can correctly monitor and manage. Best of all, the CFO isn’t going to put up with FUD responses; they’re going to demand financials. The harder the better, as it should be. Let’s put a stop to throwing blinky box solutions at problems that are systemic and get down to brass tacks of business improvement in security areas.

But back to the song. The desperation of the characters looking for a way out of their situation is a key element of the emotional direction of the song. The motivations of the attackers in our security situation are key to figuring out how assets are at risk and what level of intensity will be brought to bear against your defenses.

Who needs information? The blue team. More than anything else in the INFOSEC world, information about what’s going on is vital to protecting the business. So one of the key things you need to ask yourself as you’re spending money on security is “What new information is this product/service/person providing?” And if it’s not obvious, you probably don’t need that particular solution. Some tools are not information providers directly, but all produce information in some fashion, and that is the most important aspect, because even a purely functional tool like an email system that does not provide information in the form of statistics and metadata is a blind spot in your field of vision.

To quote yet another 80’s icon, Billy Idol, “Information is power and currency.” And the blue team needs all they can get, because the maxim is that blue must hold against a thousand threats while red only needs one gap in the defenses and they win.

Layered security isn’t about what gadgets you have protecting your assets, it’s about what information you have and filling the blind spots.

Liticode can assist with your security needs in ways other vendors can’t: as a trusted advisor interested in helping you improve your information flow for defenses.

80’s musical references are free for all customers.

Malwarebytes

It’s not often we endorse a product, so this is worth your time. Anti-malware software, anti-virus, whatever the new spin name is for “you clicked something and now you’re in trouble” is a tedious product. None of it, not a single vendor, not even this product, is perfect.

In the course of business here, we install, test, use, and fuss with everything on the market. One product we keep coming back to is Malwarebytes. It’s consistently good. Not perfect, but good.

Recently, it kept one of our computers from picking up something nasty, and I don’t let happenstance good work go unnoticed. A rebuild of a workstation here costs us a lot of time and money. So this is us thanking Malwarebytes for a job well done. We even purchased additional copies to install on the other Windows systems in the office.

Some security curmudgeons will claim that anti-malware applications are useless, but they’re lying to themselves. We all get surprised by something from time to time, so even if you practice good operational security and don’t click random links, surprises still happen. Like we had last month.

Layered security is not optional, and Malwarebytes is one layer. Something even modestly useful that a professional tells you worked one time is worth it, because JUST ONE TIME is all it takes to ruin your year.

Thanks, Malwarebytes. If you’re listening, about that CPU hit on initial load…