An Information Security Place

Commentary on the State of Information Security

Archive for the 'Defense in Depth' Category...

Filed under Crime, Defense in Depth, Physical Security, Rant, Security, Sheesh

I’ll be the first one that says TV shows and movies are hardly based on reality.  But when they screw up something that is near and dear to me, I get very upset. 

For instance, I was in the Army and Army National Guard for over 7 years.  Though I was never a career soldier, I still took it seriously, and I still do today.  Maybe too seriously.  I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer - that mistake is in too many military movies).

This feeling also bleeds over big time into my chosen profession of information security.  There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks.  Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.  There are all kinds of twists and turns in the plot.  The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him. 

Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help.  They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.  The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing.  The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.  Of course, I am thinking, “where are the cameras that should be watching this guy?” 

Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blueprints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.  There are racks of servers, switches, etc.   Then he sticks another device in the “mainframe”, and away they go. 

He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.  They capture the screens (with all pertinent information on the first screen - nice, huh?), thus saving them the effort of searching through records.

Yea, ok, right.  I know it probably shouldn’t bother me, but that just pisses me off.  At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”

Sheesh.

Vet

Posted by Michael Farnum on Monday, October 23rd, 2006

Filed under Defense in Depth, Patching, Security

This story talks about using third-party patches for security flaws instead of waiting for the vendor to put out a patch.  Personally, I am dead-set against it (I posted a while back about it, but I am too lazy to go look for it) for the same reasons the security pros in this article are against it. 

  • It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes. 
  • Potential problems caused by the unofficial patch when installing the official vendor patch
  • Management headache of uninstalling the unofficial patch
  • Possibly causing support problems with the vendor because of unofficial patch

And I am sure there are more issues.  One of the main points brought up in the article is that if you have a good defense-in-depth infrastructure, you can maintain good security without the need to install patches right when they come out.  One comment struck me:

Using a mitigation strategy like blocking certain ports or shutting certain programs is the better solution. The user may have to go without a feature for a week, but it’s better than taking a risk with a third-party fix that you then have to go and uninstall before installing the real patch.

I couldn’t agree more.  And if you have a good IPS vendor with a quick signature turn-around, then you can probably have the ports turned back on or the features back in operation much quicker.

I talked about this on Alan Shimel’s podcast a few weeks back as well.  He asked me what Patch Tuesday was like for a security manager like myself, and I basically told him that it was no big deal really.  I trusted in the security I had in place.  I’m not saying I’m invulnerable.  But locking down the infrastructure and paying attention to current threats and responding to them in a timely manner is the key to stopping attacks before patches are available.

Vet

Posted by Michael Farnum on Monday, August 28th, 2006

Filed under Crime, Defense in Depth, Physical Security, Security

Watch the video below.  I have heard and read some stuff about this, but this video really tells the tale.  It seems professionally done.  The people all seem very genuine and not actors, or they are very good actors.

Just a few of my thoughts on the issue:

  • This is from a foreign country, so I don’t know if the insurance issues are the same here in the states, but basically the concern was that if there are no signs of burglary, then your insurance company won’t pay a claim.
  • The claim was that this was the end of security for physical locks.  I think this is a little bit of the ol’ FUD game, but hearing it from an experienced (30 years) locksmith makes you think a little bit.
  • It brings out the need for layers in security.  An alarm system is a fairly good layer, even in houses.  At least it will deter some low-level crooks, which are your typical crooks in home burglaries.
  • When it comes to businesses, they will need to start looking into alarms and better locks (keypads, etc.).
  • And the overall lesson, no matter what you do, if someone is determined to break in, they probably will.  All you can do is your best.

[Embedded Google Video: 7Uv45y6vkcQ]

Posted by Michael Farnum on Wednesday, August 16th, 2006