J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Weak Hash; and again what’s with the weak Passwords, Social Engineering and Business buy-in.
As a big fan of the HBO series “Silicon Valley” I have enjoyed the antics this past season, in which Richard Hendricks, CEO of the fictional start-up Pied Piper, and his band of misfits worked tirelessly to bring their take on a new kind of internet, PiperNet, to market. Although the product itself is fictitious, Pied Piper’s website appears real, and in a twist of life imitating art, a number of real players are making progress on this futuristic internet: one that is decentralized, so users don’t have to rely on intermediaries like Microsoft, Amazon, Google or Facebook.
Solid (derived from "social linked data"), Holochain, Blockstack, the InterPlanetary File System, MaidSafe and Storj are some of the real-life Pied Pipers working on such a decentralized future of the internet.
Watch this space folks; and with all of this in mind, enjoy our roundup of stories for this week…
Weak hashing leads to Police phone tracking firm being hacked
Securus, which tracks phones for police, was using the MD5 algorithm to hash stored passwords.
After breaching Securus, an unnamed hacker gave Motherboard a spreadsheet titled "Police" that included 2,800 "usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users," spanning 2011-2018, the report said. Data on Securus staff members was present in the sheet, along with data on law enforcement and government users from cities including Minneapolis, Phoenix, and Indianapolis.
Social Engineering your next job using Open Source INTelligence (OSINT)
Many years ago, before the internet existed, a person would use the local newspaper to perform a job search. The usual protocols were often followed, including the sending of a resume, an introductory phone call (if the recipient liked the resume), and then a subsequent job interview. Back then, a job candidate was always advised to “learn something about the company” to which they applied. This was good advice, particularly when the interviewer would inevitably ask the candidate “do you have any questions for me”.
IT, Security and Buy-in from Business, how do you get it?
Over the past week or so I have been reviewing a number of strategies for large enterprises, and my take on the state of security risk management is dire, especially when it comes to the ratio of security (or even IT) staff to total staff.
The “right” ratio of IT staff to users varies widely, depending on the type of business, the industry’s reliance on technology, etc., and for the most part, if you are looking to find out how many total IT staff your company needs, you can find decent data to start with.
The task becomes a lot harder, however, when you start looking for staffing ratios for information security staff.
You could also look at budgets - consider total cost for all of IT compared to total cost overall - numbers I have researched indicate that your IT spending should be 6-15% of the total spend.
The above numbers are probably already useless, and they apply to all of IT. So how about InfoSec?
Should there be 1 security person per 4 IT? 1 per 10?
Should there be 1% security of total cost?
Much depends on the daily security operations performed by IT. If your IT department already manages patching, vulnerability scanning, system hardening, incident management, ticketing and log retention, then maybe only 1 security person for the first 100 employees makes sense; add 1 more on top of that, and scale up to 3-4 for the first 1000.
The ratio should reduce once you get above 300-400 employees: justifying linear scaling of InfoSec with the number of employees is virtually impossible, and while the number of endpoints keeps going up, the number of servers does not increase at the same rate after your first 100 employees.
Certainly, my recommended range of 1.5 per 100 to 8.5 per 100 of IT staff is based on a combination of much research and pondering, more research, and mostly past experience. Interestingly, the budget ratios cover a similar spread, just moved slightly higher: 3% to 11% of IT budget.
I think the decision comes down to risk. If you can express to management the risks of something not being done with the desired scope consistently over time, and you can justify that this is not possible with current staffing levels, then it becomes a risk appetite choice for management - they will need to accept the risks and if they cannot, then you should be allowed to hire right then and there.
Or you could just outsource - talk to us, we can help!