One Article Review

Home - The article:
Source Errata Security
Identifier 1131777
Publication date 2019-05-29 20:16:09 (viewed: 2019-05-30 03:00:32)
Title Your threat model is wrong
Text Several subjects have come up in the past week that all come down to the same thing: your threat model is wrong. Instead of addressing the threat that exists, you've morphed the threat into something else that you'd rather deal with, or which is easier to understand.

Phishing

An example is this question that misunderstands the threat of "phishing":

Should failing multiple phishing tests be grounds for firing? I ran into a guy at a recent conference, said his employer fired people for repeatedly falling for (simulated) phishing attacks. I talked to experts, who weren't wild about this disincentive. https://t.co/eRYPZ9qkzB pic.twitter.com/Q1aqCmkrWL
- briankrebs (@briankrebs) May 29, 2019

The (wrong) threat model here is that phishing is an email that smart users with training can identify and avoid. This isn't true.

Good phishing messages are indistinguishable from legitimate messages. Said another way, a lot of legitimate messages are in fact phishing messages, such as when HR sends out a message saying "log into this website with your organization username/password".

Recently, my university sent me an email for mandatory Title IX training, not digitally signed, with an external link to the training, that requested my university login creds for access, that was sent from an external address but from the Title IX coordinator.
- Tyler Pieron (@tyler_pieron) May 29, 2019

Yes, it's amazing how easily stupid employees are tricked by the most obvious of phishing messages, and you want to point and laugh at them. But frankly, you want the idiot employees doing this. The more obvious phishing attempts are the least harmful and a good test of the rest of your security -- which should be based on the assumption that users will frequently fall for phishing.

In other words, if you paid attention to the threat model, you'd be mitigating the threat in other ways and not even bother training employees. You'd be firing HR idiots for phishing employees, not punishing employees for getting tricked. Your systems would be resilient against successful phishes, such as using two-factor authentication.

IoT security

After the Mirai worm, government types pushed for laws to secure IoT devices, as billions of insecure devices like TVs, cars, security cameras, and toasters are added to the Internet. Everyone is afraid of the next Mirai-type worm. For example, they are pushing for devices to be auto-updated.

But auto-updates are a bigger threat than worms.

Since Mirai, roughly 10-billion new IoT devices have been added to the Internet, yet there hasn't been a Mirai-sized worm. Why is that? After 10-billion new IoT devices, it's still Windows and not IoT that is the main problem.

The answer is that number, 10-billion. Internet worms work by guessing IPv4 addresses, of which there are only 4-billion. You can't have 10-billion new devices on the public IPv4 addresses because there simply aren't enough addresses. Instead, those 10-billion devices are almost entirely being put on private ne
Sent Yes
Tags Ransomware Tool Vulnerability Threat Guideline
Stories FedEx NotPetya


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.