Friday Musings.5/13... sharing wise thoughts as I visit the security world of the past week

Friday Musings... 

It's Friday the 13th, a day as auspicious as days are and I am going to try to reach out to you every week. So, every week when I am musing you will definitely say TGIF!

Some old friends had threatened to cut off their "dosti" if I did not restart musing, and I have been trying for the past month but just kept getting put off. This one is going out late and I will just make the deadline of sending it out on Friday itself.

Please excuse the intro bit.... and now to actual musing... 

It is strange that (nearly) every security professional, young or old or just-born, is a true tiranga nationalist. I find them to be more patriotic than the thousands of shaheeds who have shed blood for the country before and after 1947. Every single one of them will "protect the critical infrastructure", "educate, empower and train the masses and create awareness", "fight cybercrime" and do so much that I feel I must take samadhi! Our defence forces should have been redundant by now.

With every day one sees the sophistication of cyber security risks / threats becoming increasingly complex. The paradox is that, at the same time, the vulnerabilities that are responsibly disclosed and patched are also increasingly complex. I still don't understand why software is still created without thought for security and why we pay for insecure / weak products when we know they are 'substandard'.

However, among all this complexity the perplexing fact is that all the hacks / breaches / compromises being reported depend on simple tricks like honeytraps or insiders or payload-via-email etc. Last week has been pretty exciting considering the number of international banks that have been 'hacked' in Bangladesh, Greece, Cyprus etc.

In the middle of global chaos, turmoil and attacks our country is an oasis of security. No headline-grabbing hacks, no compromises, nothing happens - it's so boring to pay top salaries to the CISOs for getting bored and to spend money on newfangled technologies like APT.

With time the CIO / CISO is also becoming very confident (over/under?) as this report points out:

It is good to see our LEA making progress (positive progress) in setting up capacity and developing capability at good speed. I may not subscribe to the training programs but good stuff is happening. I was fortunate to see some good initiatives first hand in UP and Lucknow (more about this in another blog). 

From time to time (frequently) I am also witness to announcements of successes by LEA in arresting cyber fraudsters. Fake job offers, insurance scamsters, bank account frauds - all crimes perpetrated using social engineering are highly profitable businesses operated by criminals, and it is great to know about these guys being arrested!

It is a crappy world - some time back the FBI took Apple to court for not helping to crack an iPhone, and now Mozilla is taking the FBI to court for not sharing a vulnerability in the Tor browser.

I have yet to read more about our IP bill and maybe I shall ask my lawyer friends to explain it to me, but there is another IP bill that was passed in the UK and it is already being labelled dangerous.
Of course their IP is different from ours: we are talking Intellectual Property and they are talking Investigatory Powers!! Not to worry, we will have it soon too.

Anyway, there is a lot to say and share but I do not want to take too much space and will call it a day. I shall reach out again next week and will ramble less but focus more in my attempt to add a bit of colour to this drab world of weaknesses, vulnerabilities, threats and risks! A world where carpetbaggers and snake oil sellers abound, co-exist and are respected or revered as experts.

Oh ... I can just go on!

Have a nice weekend. 

