The Washington Post is running a story about hackers targeting U.S. power grids. When it comes to my own beliefs about security in the news, any news is good news. Not that weak security in critical systems is a "good thing", but these kinds of stories help to raise public understanding and to put a little fire under the feet of the people implementing security policies for these places, which in my mind is a good thing.
I will start by discussing what I like about these types of articles. For too many years, security has been put on the back burner. Unless they offer security services, many companies have difficulty justifying the costs involved in properly securing their systems and training employees on updated security policies. In the past, trying to explain money spent on "potential security issues" to the accountants and people who signed off on budgets in large companies was an uphill battle, if not a brick wall. In recent years an increasing number of non-security personnel have become aware of the importance of security. The costs of recovering from a “security incident” generally are much higher than the initial cost to prevent such incidents from happening in the first place. I like articles like this because they increase awareness of such issues even more. Any time a company gets hacked, or a new worm makes its rounds, people take notice. I am hoping in the future it won't always take the "penny in a light socket" approach for a company to change its ways. I'd like to see a more proactive method used to focus on keeping hackers out BEFORE you find your confidential company info on some website alongside Paris Hilton's recent cell phone pictures.
Awareness is step one. In the US, we have been making a slow climb towards awareness that everyone is at risk. Whether it is your grandma's PC being used as a zombie in a DoS attack or a high-profile credit card company, everyone needs to be aware that they are at risk. That said, we move into phase 2, the attackers. Now that CEOs understand they need to beef up security, the next question is "who" is trying to hack us? This leads into the problem I have with these types of articles. Since 9/11, "terrorism" has been used as the primary "scare tactic"/cheerleader in pushing security agendas. As I said earlier, I strongly agree with any plan [as long as it's the truth] that encourages companies to take a second look at their security and make sure it is not being neglected. The problem with pushing the terrorism angle over and over is that they do not represent the total threat. My concern with focusing too much on one security "enemy" is that you can easily forget about the others. Organized crime syndicates, intelligent bored 16-year-old kids in China hacking sites from their parents' basement, and even new high-tech gangs provide as much [and some would argue more] threat to security in the US. I am not downplaying the threat of cyber terrorism by any means. I do feel that if we focus too much on it, we are not preparing ourselves for the full range of targets approaching and the tactics they will be using. As we reach a new dawn of understanding in the US about security, we need to further the education and take a good look at ALL threats to security and not just focus on terrorists. Sometimes the biggest threats come from within your own country. Let's hope companies in the US don't require a Julius Caesar-like event to realize this.