Book Review: Essential SNMP by Douglas R. Mauro and Kevin J. Schmidt

This book is organised in 14 chapters and 5 annexes. It helps to understand how enterprise monitoring started and how it is done in companies today. Especially recommendable to theorists. By no means will this post replace the reading of the book. However, here are some of the key learning points in a very telegraphic manner:


Chapter 1 - Definition and ISO processes

A first chapter with two distinct parts: a technical one devoted to defining and framing SNMP, and a procedural one aiming to briefly describe ISO-related IT processes such as change management. As said, good for theorists.

The initial objective of the predecessor of SNMP was to manage Internet routers. There are three versions of SNMP. Version 3, the last one, adds security features such as strong authentication and communication confidentiality.

Two important communication concepts in SNMP: polling and traps.

In network management, polling means querying an agent. The active element that does the polling is the manager, normally the Network Management Station (NMS).

A trap is a communication from the agent in the managed/monitored element to the manager, indicating that something worth monitoring has happened.

Polls and traps can occur simultaneously.

The syntax that defines the set of elements that an agent tracks is called the Structure of Management Information (SMI). The Management Information Base (MIB) is actually the set of tracked elements using the SMI syntax. An agent can implement many MIBs. MIB-II is defined in all agents.

A first introduction to Remote Monitoring (RMON), a monitoring standard that deals with packet-level statistics related to a network.

There is a strong link to ISO standards. Their processes require that the IT systems and networks are monitored.

This chapter refers to a network management and/or monitoring concept called FCAPS i.e. fault management, configuration management, accounting management, performance management and security management.

Regarding reporting, monitoring data is the source for response time reporting, alarm correlation, trouble resolution. Change management is also a process that benefits from monitoring and reporting.


Chapter 2 - Commands and functioning

SNMP uses UDP. Normally SNMP requests are sent to the agent's port 161, responses are sent to the NMS's port 161 and traps are sent from the agent to the NMS's port 162.

Every agent is configured with 3 community strings: read-only, read-write and trap. These strings are the passwords to be able to read data from the agent, to write data e.g. reset counters in the agent and to receive traps.

According to the SMI syntax, any managed object is broken down into three attributes: name (also called object identifier, OID), type and syntax, and encoding (every instance is encoded into a string of octets).

Objects use a treelike hierarchy, similar to an LDAP directory scheme.

The authors refer in this chapter to specific SNMP operations:

- get: instruction for the agent to send a specific MIB object.
- getnext: instruction for the agent to send a list of MIB objects (a related command is snmpwalk).
- getbulk: to send a large portion of a MIB table.
- set: sets a variable.
- response: to any of the gets.
- trap: a way by the agent to tell the server that something happened.
- notification (packet format related). 
- inform: for acknowledged sending of traps.
- report (only in version 3).



Chapter 3 SNMP Version 3

The SNMPv3 engine has four elements: The Dispatcher, the Message Processing Subsystem, the Security Subsystem and the Access Control Subsystem. This version divides the functionality of SNMP into 5 applications i.e. command generator, command responder, notification originator, notification receiver and proxy forwarder.


Chapter 4 NMS Architectures

The specs for your NMS, in terms of processing power, will be pretty humble. This does not, however, cover your log storage requirements. A typical data collection time period will be 10 minutes.

Certainly, placing an NMS close to the network it is managing/monitoring makes sense. More precisely, it is recommendable to place a remote poller on each of the monitored networks, which will forward events to your central NMS if required. This way we save long-distance polling requests.

This chapter also mentions the concept of trap-directed polling. This means that the polling will only take place when the NMS receives a specific trap.

Finally, a new concept called Web-Based Enterprise Management is mentioned.


Chapter 5 NMS Configuration

A first NMS that they describe is HP's OpenView Network Node Manager (they provide a 60-day, 250-node trial license). The second one they mention is Castle Rock's SNMPc Enterprise Edition.
Most NMSs have an IP Discovery function and you can load MIBs into them.


Chapter 6 Configuring agents

At a minimum, all SNMP agents have these configuration parameters: location, contact, name, read-write and read-only community strings, and trap destination. The fact that the community strings are sent in the clear means that if you need to send SNMP information through networks you do not control, then you need to use either SNMPv3 or a VPN. I would recommend using both.
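The packet layout described in Chapter 2 (version, community string, PDU with OIDs) and the point made here about community strings travelling in the clear, as an added Python example that is not code from the book or from the Net-SNMP project. It builds an SNMPv2c GetRequest for sysName.0 with a hand-rolled BER encoder and decodes it again the way a passive observer on the segment would; the OIDs and the "public" community string are constructed sample values, and the encoder covers only the types a GetRequest needs (INTEGER, OCTET STRING, OID, NULL, SEQUENCE).

```python
"""Encode and decode an SNMPv2c GetRequest with hand-rolled BER.

Added example, not code from Essential SNMP or from Net-SNMP. It makes the
chapter's packet description concrete: version, community string and a PDU of
(OID, value) pairs, each a BER tag/length/value triple. The community string
is a plain OCTET STRING, so anyone who can sniff the segment reads the
"password" directly, which is why the text recommends SNMPv3 or a VPN for
traffic over networks you do not control.
"""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_int(value: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one octet,
    remaining arcs base-128 with the high bit set on all but the last octet."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version(1), community, GetRequest-PDU }."""
    # A request VarBind is SEQUENCE { OID, NULL }: the value is not known yet.
    varbinds = b"".join(_tlv(0x30, encode_oid(o) + b"\x05\x00") for o in oids)
    pdu = _tlv(0xA0,                      # GetRequest = context-specific tag 0
               encode_int(request_id)
               + encode_int(0)            # error-status
               + encode_int(0)            # error-index
               + _tlv(0x30, varbinds))
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))


def parse_message(packet: bytes) -> dict:
    """Decode the fields a passive observer on the wire would see."""
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)           # error-status
    _, _, q = _read_tlv(pdu, q)           # error-index
    _, vbl, _ = _read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        oids.append(decode_oid(_read_tlv(vb, 0)[1]))
    return {
        "version": int.from_bytes(ver, "big", signed=True),   # 0 = v1, 1 = v2c
        "community": comm.decode(),
        "pdu_type": pdu_tag,
        "request_id": int.from_bytes(rid, "big", signed=True),
        "oids": oids,
    }


if __name__ == "__main__":
    # sysName.0 from MIB-II, asked for with the default community many agents ship with
    pkt = build_get_request("public", [".1.3.6.1.2.1.1.5.0"])
    print(pkt.hex())
    print(parse_message(pkt))
```

Running it prints the 40-byte request; the ASCII bytes of "public" are visible in the hex dump right after the version field, which is the whole security argument for SNMPv3's authentication and privacy in one line of output.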

Typical SNMP agents: Net-SNMP is the Microsoft agent, HP OpenView Agent can deal with HP-UX and Solaris, Net-SNMP is an open source agent for Unix, Concorde provides SystemEDGE for Unix and Windows, Cisco has their own SNMP agent and they also mention APC Symetra for uninterruptible power supplies (UPSs).


Chapter 7 Polling and setting

Three typical, basic and important SNMP actions: snmpget (to obtain a value from the MIB), snmpset (to write a value in the MIB) and snmpwalk (to go through a subset of the MIB).

Although most of the time we will use SNMP-based monitoring software (in the book they first present HP OpenView's command line and graphical interface), we can also create our own Perl scripts to read SNMP information from any monitored device. The Net-SNMP tools are also mentioned in this chapter.
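How snmpwalk drives getnext under the hood, as an added Python example that is not the book's or Net-SNMP's code. Since no agent is available offline, it walks a constructed in-memory MIB holding sysName.0 and a fragment of the ifTable; what it adds to the paragraph is the arc-by-arc numeric OID ordering an agent uses, which a plain string sort gets wrong for interface indexes 2 and 10.

```python
"""Walk a subtree with repeated getnext requests against a simulated agent.

Added example, not code from Essential SNMP or Net-SNMP. snmpwalk never
fetches "the table" in one go: it sends getnext for the subtree root, then
getnext for whatever OID came back, until the reply's OID leaves the subtree
or the agent signals endOfMibView. The agent orders OIDs numerically, arc by
arc; comparing them as strings would put ifInOctets.10 before ifInOctets.2.
"""
from bisect import bisect_right


def oid_to_tuple(oid: str) -> tuple:
    return tuple(int(a) for a in oid.strip(".").split("."))


def tuple_to_oid(arcs: tuple) -> str:
    return "." + ".".join(str(a) for a in arcs)


class FakeAgent:
    """In-memory stand-in for an SNMP agent, answering get and getnext."""

    def __init__(self, mib: dict):
        self._mib = {oid_to_tuple(k): v for k, v in mib.items()}
        self._order = sorted(self._mib)        # tuples sort numerically per arc

    def get(self, oid: str):
        return self._mib.get(oid_to_tuple(oid))

    def getnext(self, oid: str):
        """(oid, value) of the first object after `oid`, or (None, None)
        to stand in for endOfMibView."""
        i = bisect_right(self._order, oid_to_tuple(oid))
        if i == len(self._order):
            return None, None
        return tuple_to_oid(self._order[i]), self._mib[self._order[i]]


def walk(agent: FakeAgent, subtree: str) -> list:
    """Collect every (oid, value) under `subtree` using only getnext."""
    root = oid_to_tuple(subtree)
    results, oid = [], subtree
    while True:
        oid, value = agent.getnext(oid)
        # Stop at end of MIB or as soon as the returned OID is outside the subtree.
        if oid is None or oid_to_tuple(oid)[: len(root)] != root:
            break
        results.append((oid, value))
    return results


# Constructed sample MIB: sysName.0 plus ifInOctets / ifOutOctets (MIB-II
# ifTable columns 10 and 16) for interface indexes 1, 2 and 10.
SAMPLE_MIB = {
    ".1.3.6.1.2.1.1.5.0": "core-rtr-1",
    ".1.3.6.1.2.1.2.2.1.10.1": 120_000,
    ".1.3.6.1.2.1.2.2.1.10.2": 340_000,
    ".1.3.6.1.2.1.2.2.1.10.10": 9_500,
    ".1.3.6.1.2.1.2.2.1.16.1": 98_000,
    ".1.3.6.1.2.1.2.2.1.16.2": 410_000,
    ".1.3.6.1.2.1.2.2.1.16.10": 7_200,
}


def walk_if_in_octets() -> list:
    """Walk the ifInOctets column; the agent returns interfaces 1, 2, 10 in that order."""
    return walk(FakeAgent(SAMPLE_MIB), ".1.3.6.1.2.1.2.2.1.10")


if __name__ == "__main__":
    for oid, value in walk_if_in_octets():
        print(oid, value)
```

The same loop is what a Perl or Net-SNMP based poller runs; getbulk (SNMPv2c) is the optimisation that asks for many successors per request instead of one.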



Chapter 8 Polling and thresholds

Internal polling is done from the same machine. External polling is performed by the NMS. The local RMON agent can also perform internal polling.

In this chapter we also read about concepts such as data collections and the thresholds assigned to them. Most of the thresholds are built on specific collection features, e.g. "higher than X for Y consecutive samples".
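The "higher than X for Y consecutive samples" threshold, applied to interface throughput derived from the octet counters that Annex A deals with, as an added Python example that is not the book's, MRTG's or Net-SNMP's code. It goes one step beyond the paragraph: ifInOctets is a 32-bit counter, so the deltas are taken modulo 2^32 and a wrap between polls does not turn into a negative rate, and the threshold fires once per excursion rather than on every sample. The counter samples and the 500 B/s threshold are constructed; the 600 s interval is the 10-minute collection period mentioned in Chapter 4.

```python
"""Interface throughput from Counter32 samples, then a "higher than X for Y
consecutive samples" threshold of the kind Chapter 8 describes.

Added example, not code from Essential SNMP, MRTG or Net-SNMP. ifInOctets and
ifOutOctets (Annex A) are 32-bit counters that wrap at 2^32, so a rate must be
computed from the modular difference between successive polls, never from the
raw subtraction. Sample values are constructed.
"""


def counter_delta(previous: int, current: int, bits: int = 32) -> int:
    """Octets transferred between two polls, correcting for counter wrap."""
    return (current - previous) % (1 << bits)


def rates_from_counters(samples, interval_s: float, bits: int = 32) -> list:
    """Average bytes/s for each interval between consecutive counter samples."""
    return [
        counter_delta(prev, cur, bits) / interval_s
        for prev, cur in zip(samples, samples[1:])
    ]


def threshold_alarms(values, x: float, y: int) -> list:
    """Indexes at which `values` has exceeded `x` for exactly `y` consecutive
    samples: one alarm per excursion, not one per sample above the line."""
    alarms, run = [], 0
    for i, v in enumerate(values):
        run = run + 1 if v > x else 0
        if run == y:
            alarms.append(i)
    return alarms


# Constructed ifInOctets samples, one per 10-minute poll; the first pair
# straddles a 32-bit wrap (4294967000 -> 200, i.e. 496 octets moved).
SAMPLE_COUNTERS = [4_294_967_000, 200, 600_200, 1_200_200, 1_800_200, 1_800_300]
POLL_INTERVAL_S = 600


def evaluate(x_bytes_per_s: float = 500.0, y_samples: int = 3):
    """Return (rates, alarm indexes) for the constructed series."""
    rates = rates_from_counters(SAMPLE_COUNTERS, POLL_INTERVAL_S)
    return rates, threshold_alarms(rates, x_bytes_per_s, y_samples)


if __name__ == "__main__":
    rates, alarms = evaluate()
    for i, r in enumerate(rates):
        flag = "  <-- alarm" if i in alarms else ""
        print(f"interval {i}: {r:.1f} B/s{flag}")
```

With these samples the rate is 1000 B/s for three consecutive intervals, so the alarm is raised at the third one (index 3); a naive `current - previous` on the first pair would have produced a large negative number and, depending on the tool, either a bogus spike or a missed sample.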

Certainly, already in this chapter an open source tool for data collection and graphing is mentioned: MRTG.



Chapter 9 Traps

All different NMSs need to be configured on what they do when they receive a trap from an agent. When a trap is received, an event in the NMS is created. It is usual to assign a severity level to each of those events.

For those who cannot afford an expensive NMS, you can also create your own Perl scripts to both receive and send traps. The default destination port for a trap is UDP 162.


Chapter 10 Extensible SNMP agents

Some agents' MIBs can be extended to obtain values from an external entity such as a script running in the monitored device.

An agent can return multiple lines of output data in the form of tables.


Chapter 11 Adapting SNMP to fit your environment

A key chapter that presents how SNMP can provide value to your IT shop/factory:

A nifty example to show the use of SNMP is to generate traps that would record who is logging into a system. Those traps will be stored at the SNMP-trap receiving end. This remote sending will increase the security of those log-in logs.

A second easy business case could be the detection of core dumps being created in a system. A third one will be checking available disk space.

The list of SNMP uses is long: Port monitoring, service monitoring, web content, SMTP health, DNS and statistics from wireless access points among others.

This chapter also mentions an object-oriented Perl package named SNMP::Info. It enables reaching values in the MIB without having to know where exactly they are.


Chapter 12 MRTG

This is the chapter to go when we need to use the Multi Router Traffic Grapher (MRTG): An open-source configurable graphic trend analysis tool. Among other libraries, MRTG requires Perl to run. Graphs can be seen using a browser.

MRTG itself issues get commands, using the read-only community string, to read from the monitored devices.


Chapter 13 RRDtool and Cricket

Similarly to the previous chapter, this one also presents a tool: "The Round Robin Database Tool to store and process data collected via SNMP". Cricket is one of RRDtool's front-ends. It requires a configuration tree and presents information via a web browser.



Chapter 14 Java and SNMP

Those who have powerful machines, or prefer not to use Perl, can also create SNMP applications with Java. This chapter explains the Java package snmp4j.



Annex A Using input and output octets

Important when we need to measure network interface speeds.

Annex B and annex C present specific SNMP tools, annex D lists the SNMP-related RFCs, annex E talks about Perl modules for SNMP, annex F lists network management software, annex G mentions open source monitoring software and finally annex H presents some guidelines on network troubleshooting.


In a nutshell, I would say SNMP is your friend whenever you have to administer more than one machine.

Thanks to Douglas R. Mauro and Kevin J. Schmidt for this book!

Lights ON for SNMP!


Book review: Metasploit - The Penetration Tester's Guide by Kennedy, O'Gorman, Kearns and Aharoni


Pentesters of the world, this is a book you need to know about. In 17 chapters and 2 annexes, this book talks about "the tool" for security testing, i.e. Metasploit.

The first element you find in this book is a foreword by the founder of The Metasploit Project and Framework, created already in 2003 and 2004. In 2007, it was migrated from Perl to Ruby.

The following paragraphs provide a helicopter view of what the reader can find in the chapters of this book. This post by no means replaces the reading, and the careful study, of this book. On the contrary, it encourages it!

1 The basics of pen testing

This introductory chapter refers to the industry-redefining value of the Penetration Testing Execution Standard (PTES): An excellent first place to look at for those starting in this field. This chapter mentions the phases of a pen test and the types of tests i.e. overt and covert, depending on how many people in the tested organisation know about the test.


 
2 The basics of metasploit

Key chapter to grasp the different metasploit tools:
- Interfaces such as the console, the command line interface, the graphical user interface named Armitage.
- Utilities such as msfpayload, msfencode or even the assembly code related tool nasm shell.
- And, certainly, two commercial tools such as Metasploit Express and Pro. 


3 Intelligence gathering

Right after deciding which target to assess, the intelligence gathering phase takes care of collecting relevant information before even trying out the target's security capabilities.

There are two types of data collection, passive and active. Metasploit is essential in the active intelligence gathering phase through the use of port, SNMP, SSH and custom scanners. This chapter explains how to link metasploit with two different databases i.e. MySQL and PostgreSQL.


4 Vulnerability scanning

Once the systems to assess have been identified, the next step is to scan them to identify vulnerabilities. There are many tools to scan systems. This chapter focuses initially on NeXpose Community edition, the free version of a vulnerability scanner that provides both a graphical interface and integration with msfconsole.

The second scanner that this chapter mentions is Nessus. It can also be invoked from the msfconsole and its results can also be imported into the metasploit framework.

This fourth chapter ends with a reference to what the authors call specialty vulnerability scanners and the possibility of using metasploit's autopwn to launch attacks based on the scanners' results.


5 The joy of exploitation

The metasploit console offers the possibility to exploit assessed systems based on the vulnerability scanning. The tester can also launch an nmap scan from the metasploit console (msf). This nmap action can also include specific scripts from the nmap scripting engine.

Metasploit offers a specific syntax, explained in this chapter, to proceed with the exploitation of the assessed system by configuring exploits and payloads.


6 Meterpreter

This is a special type of payload that metasploit can inject into the vulnerable system. It consists of an interpreter responding to specific command lines e.g. to capture a screenshot or to capture keystrokes.

This chapter also describes the use of a system to jump into other systems.


7 Avoiding detection 

On this occasion, the authors of the book refer to the controversial topic of antivirus evasion. They also make a small reference to file packers as a simple way to fool malware detection tools.


8 Exploitation using client-side attacks

The pages of this chapter are an introduction to a very common type of attack based on compromising client computers via e.g. browser and file format exploits.


9 Metasploit auxiliary modules

The art of pen-testing starts with metasploit auxiliary modules: A way to perform actions in the compromised box without using payloads.


10 The social-engineer toolkit

This toolkit was born with the social-engineer.org site. This piece of work is where soft skills (social engineering) and technical mastery meet. This toolkit is a comprehensive way to go deeper into client-side attacks, combining different techniques based on the software that can easily be found on almost every desktop nowadays.


11 Fast-track

On top of the metasploit framework, the creator of the social-engineer toolkit, Dave Kennedy, built a Python-based tool to further automate some advanced attack vectors.


12 Karmetasploit

If the systems you need to assess are using a wireless network, then this chapter can help in creating a fake wireless access point from which to launch part of the metasploit arsenal.


13 Building your own module

Currently metasploit is coded in Ruby. The creation of new modules is possible. This is one of the beauties of this framework: It grows with its community. 


14 Creating your own exploits

For those advanced ninja pen-testers out there, this chapter provides guidance on how to write their own exploits, starting with running a fuzzer to discover and exploit new vulnerabilities in systems.


15 Porting exploits to the metasploit framework

Again a chapter for those advanced pen testers planning to bring stand-alone exploits into metasploit.


16 Meterpreter scripting

Pen-testers can also extend metasploit's scripting environment. Advanced stuff.


17 Simulated penetration test

This is the chapter you need to read if you can only read one chapter of this book: a guided example of what this book describes.


Annex A Configuring target machines
Annex B Cheat sheet

These two final annexes provide guidance, first, on how to create a testing lab to start using metasploit and, second, on the commands available in metasploit.

All in all, a reference book in the world of pentesting and code hacking/development!

Thanks a million to all the authors!

Happy exploiting!

A page in History

Security sites to bookmark: krebsonsecurity.com and grahamcluley.com

Information security journalism: Creating a Personal Brand

Human Resources 2.0 is revolutionizing the workplace. The relationship between employers and professionals is changing. The traditional long-term contract is giving way to other means of collaboration. These are much more varied and adapted to specific needs from both sides. In this context, the creation and maintenance of a personal and professional public brand becomes a clear value.

The world of information security also experiences this change. These two sites are examples of this new trend: krebsonsecurity.com by Brian Krebs, a former Washington Post reporter, and grahamcluley.com by Graham Cluley, an antivirus developer in the nineties.

Brian Krebs worked as a reporter on security issues at the Washington Post for 14 years, until 2009. His interest in digital security has grown since 2001, when his home network was compromised.

Unlike Brian Krebs, Graham Cluley is a security professional with a technical background. He wrote the first version of the Windows-based Dr. Solomon antivirus and, outside the security field, two MS-DOS based games, still available on his website. He was one of the security specialists blogging for "Naked Security", the Sophos antivirus vendor's site. In June 2013 he left Sophos, a company where he had worked since 1999, and released his own information portal for Internet security, grahamcluley.com, to market his personal brand as an independent security analyst. This site deals with IT security topics and is not as cybercrime-focused as krebsonsecurity.com.

As they both confirm, they are now their own bosses. They regularly publish security news that could well appear in general-purpose newspapers and news portals, related to espionage, newly discovered vulnerabilities or the latest security breaches.

The simple architecture of these sites makes them easy to read and follow. Krebsonsecurity.com and Grahamcluley.com are platforms that both authors use to publish news while growing their personal professional brand and marketing their expert security analysis services in the form e.g. of articles in the case of Brian and public appearances in the case of Graham.

Finally, two questions I would like to pose to the reader:
- One for security entrepreneurs: have you already created your own personal brand?
- One for security practitioners in order to facilitate public awareness of the need for 'effective' security in the organization: do you regularly provide security news to your top executives?

A version of this post in Spanish is available here.

Looking through the glass


Happy reading!

Physical safety - Checking CPU temperatures in Linux Ubuntu

Dear all,
Short post to propose two easy ways to check physical parameters via sensors in our Ubuntu Linux box.

The first one is command line based and it is described in this Ubuntu help page.

Basically we need to install lm-sensors:
# apt-get install lm-sensors

Run the sensors-detect routine:

# sensors-detect

Type YES several times ;-) and load the module:
# service module-init-tools start

Finally, run sensors and we will see the fan RPM and several internal temperatures, including their usual operating range.
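A small parser for that sensors output, as an added Python example that is not part of the original post or of the lm-sensors project. It reads constructed sample output in the usual sensors layout, compares each temperature against its high and crit limits and flags stalled fans, so the check can be scripted (for instance from cron) instead of eyeballed. Real label names, limits and exact spacing vary by chip; the regular expressions assume the common "label: value (limits)" form.

```python
"""Parse `sensors` output and flag readings outside their limits.

Added example, not part of the original post or of the lm-sensors project.
The sample output is constructed in the usual layout (label, value, limits in
parentheses); real chips differ in label names, limits and spacing.
"""
import re

_TEMP = re.compile(
    r"^(?P<label>[^:]+):\s*(?P<value>[+-]?\d+(?:\.\d+)?)°C"
    r"(?:\s*\((?P<limits>[^)]*)\))?"
)
_FAN = re.compile(r"^(?P<label>fan\d+):\s*(?P<rpm>\d+)\s*RPM")
_LIMIT = re.compile(r"(high|crit|max|min)\s*=\s*([+-]?\d+(?:\.\d+)?)")


def parse_sensors(text: str) -> list:
    """Return one dict per temperature or fan line with a derived status."""
    readings = []
    for line in text.splitlines():
        m = _TEMP.match(line)
        if m:
            limits = {k: float(v) for k, v in _LIMIT.findall(m.group("limits") or "")}
            value = float(m.group("value"))
            if "crit" in limits and value >= limits["crit"]:
                status = "critical"
            elif "high" in limits and value >= limits["high"]:
                status = "high"
            else:
                status = "ok"
            readings.append({"label": m.group("label").strip(), "kind": "temp",
                             "value": value, "status": status, **limits})
            continue
        m = _FAN.match(line)
        if m:
            rpm = int(m.group("rpm"))
            readings.append({"label": m.group("label"), "kind": "fan", "value": rpm,
                             "status": "stalled" if rpm == 0 else "ok"})
    return readings


def problems(text: str) -> list:
    """Labels of every reading whose status is not 'ok'."""
    return [r["label"] for r in parse_sensors(text) if r["status"] != "ok"]


# Constructed sample in the layout `sensors` prints: one core over its high
# limit and one fan reporting 0 RPM.
SAMPLE_SENSORS_OUTPUT = """\
coretemp-isa-0000
Adapter: ISA adapter
Core 0:       +45.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:       +83.5°C  (high = +80.0°C, crit = +100.0°C)

nct6775-isa-0290
Adapter: ISA adapter
fan1:        1180 RPM  (min =    0 RPM)
fan2:           0 RPM  (min =    0 RPM)  ALARM
"""

if __name__ == "__main__":
    for r in parse_sensors(SAMPLE_SENSORS_OUTPUT):
        print(f"{r['label']:8} {r['kind']:4} {r['value']:>7}  {r['status']}")
    print("problems:", problems(SAMPLE_SENSORS_OUTPUT))
```

To use it on a live box, feed it `subprocess.run(["sensors"], capture_output=True, text=True).stdout` instead of the constructed sample.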

The second one is a graphical but lightweight application called gkrellm with lots of configuration possibilities.


Sensing the sky!

Happy sensor-based monitoring!

Security site to bookmark: www.pentest-standard.org

In current times, the option to abandon a company's payroll and become an entrepreneurial Information Security freelancer appears as a plausible option to many IT Sec professionals. This choice comes either as a thoughtful decision or as a "last resort" before "being forced" to leave the industry and test their luck in other, more generic, IT areas.

Firms depend heavily on IT. They increasingly engage security professionals. A typically demanded service is the security analysis of their information systems, also known as a penetration test. Pentest-standard.org is a valuable initiative that provides both security vendors and their customers with one common "pen testing" language and scope, as you can read in their FAQ section.

Key players such as Chris Nickerson, Dave Kennedy, Chris John Riley, Carlos Perez and Wim Remes, among many others, have contributed to making pentest-standard.org a necessary go-to site for security pen testers. First thought of in 2009 and created in 2010, the site has had over 1800 content reviews and it continues evolving. Pentest-standard.org uses a handy wiki format and it welcomes contributions from the community via either the corresponding LinkedIn group or a PDF-based collaboration site powered by Adobe.

I highlight two components of this site:

  • The seven pen-testing execution stages: Each of them starts off with a valuable mind map that could very well be the script to follow in a formal pen-testing engagement. Non-technical, but pivotal, elements such as scoping and payment methods are also present.
  • The technical guidelines: An excellent compilation of links and tools, both free and commercial software, required for each of the pen-test phases.

Finally, I would like to thank everyone involved in this "pen-testing vademecum" and invite the Infosec community to contribute. A revealing question would be: how much of what you can read in pentest-standard.org do you already know?

A version of this post in Spanish is available here.

A nice tool to fly ... and to pen test?

Unattended updates in Ubuntu Linux

A key measure to keep our IT boxes in a healthy state is to regularly update the operating system and applications. This simple measure could save us from the "low-hanging hacks". Let's take this statement and link it with the fact that automation in IT is worth considering. The following lines provide some tips on how to automate the software upgrade process that, otherwise, would require typical manual steps such as these:

- For a complete update:
$ sudo apt-get update
$ sudo apt-get upgrade

- For a specific update
$ sudo apt-get install package-names

There is a nifty package in Ubuntu Linux called unattended-upgrades that would do the magic for us, as mentioned in this Ubuntu Help page. The command line I would highlight from that page is:


$ sudo dpkg-reconfigure -plow unattended-upgrades

The AskUbuntu community also provides juicy input for this. In this case, I highlight the following steps I extracted from the AskUbuntu page:

- Uncomment the Ubuntu packages to be installed silently, mainly security patches and updates. This is also the place to prevent any package from being silently upgraded by using the Package-Blacklist section:

$ sudo gedit /etc/apt/apt.conf.d/50unattended-upgrades

- The command line to check whether things are OK is this one:

$ sudo unattended-upgrades --dry-run --debug

- The line to check whether the upgrades are really taking place:

$ tail /var/log/unattended-upgrades/unattended-upgrades.log

Finally, for those using Google Chrome, it can also be included in this silent process with the info provided by this AskUbuntu page:

$ sudo gedit /etc/apt/apt.conf.d/50unattended-upgrades

and adding

 "Google\, Inc.:stable";

in the Unattended-Upgrade::Allowed-Origins section of the /etc/apt/apt.conf.d/50unattended-upgrades file.
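A check on what the edited 50unattended-upgrades file actually enables, as an added Python example that is not from the AskUbuntu pages or from the unattended-upgrades project. It strips apt.conf comments, collects the string lists in the Allowed-Origins and Package-Blacklist blocks and reports whether the security origin is still uncommented. The configuration text it parses is a constructed sample that includes the Chrome line above; the ${distro_id} and ${distro_codename} variables are left literal because unattended-upgrades expands them itself, and the backslash-comma in the Chrome origin is assumed to be an escaped comma, as in the page's own line. It complements, rather than replaces, unattended-upgrades --dry-run --debug.

```python
"""Sanity-check the list blocks of /etc/apt/apt.conf.d/50unattended-upgrades.

Added example, not code from the unattended-upgrades project or the AskUbuntu
pages. It removes apt.conf comments (// to end of line and /* ... */), parses
NAME { "a"; "b"; }; blocks and reports which origins are really enabled and
which packages are blacklisted. The configuration text is a constructed sample.
"""
import re

# Non-nested list blocks, which is all this particular file uses (assumption).
_BLOCK = re.compile(r"([\w:-]+)\s*\{(.*?)\};", re.S)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
SECURITY_ORIGIN = "${distro_id}:${distro_codename}-security"


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(line.split("//", 1)[0] for line in text.splitlines())


def parse_list_blocks(text: str) -> dict:
    """Map each block name to its list of strings; "\\," is an escaped comma."""
    return {
        name: [s.replace("\\,", ",") for s in _STRING.findall(body)]
        for name, body in _BLOCK.findall(strip_comments(text))
    }


def check_unattended_config(text: str) -> dict:
    """Report the enabled origins, the blacklist and whether security is on."""
    blocks = parse_list_blocks(text)
    origins = blocks.get("Unattended-Upgrade::Allowed-Origins", [])
    return {
        "security_origin_enabled": SECURITY_ORIGIN in origins,
        "allowed_origins": origins,
        "blacklist": blocks.get("Unattended-Upgrade::Package-Blacklist", []),
    }


# Constructed sample of 50unattended-upgrades after the edits described in the post.
SAMPLE_CONF = r"""
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
        "Google\, Inc.:stable";
};

/* Packages that must never be upgraded silently */
Unattended-Upgrade::Package-Blacklist {
//      "vim";
        "linux-image-generic";
};
"""

if __name__ == "__main__":
    report = check_unattended_config(SAMPLE_CONF)
    print("security origin enabled:", report["security_origin_enabled"])
    print("allowed origins:", report["allowed_origins"])
    print("blacklist:", report["blacklist"])
```

Read the real file with `open("/etc/apt/apt.conf.d/50unattended-upgrades").read()` in place of the sample; a result with `security_origin_enabled` set to False means the silent process is running but not installing security patches, which is the case worth catching.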


Although it has nothing to do with Ubuntu, the way to silently update Java on Windows 7 using PowerShell and Visual Basic is explained in this Superuser page. The security catch with this one is that the Task Scheduler would need to save the admin password in order to run the silent update.



Good to keep the house updated!


 Happy silent updating!

Security site to bookmark: www.reddit.com/r/netsec - The IT Security global bulletin board on the Internet

Wikipedia reminds us that the Agora was a meeting place, an open space, the center of commerce, culture and political life in Ancient Greece. The section in reddit.com devoted to information technology security, located at reddit.com/r/netsec, is the agora of our security community and profession. The place to visit to stay on top of the security news, both politically correct and incorrect.
 

Since its foundation in 2005, reddit has become the global Internet bulletin board, especially for US-based users, living up to the role that the "Bulletin Board Systems" (BBS) played in past decades. As an example of the relevance and currency of reddit netsec articles, the same day that Cisco announced the purchase of Sourcefire, on July 23, 2013, a user on reddit (they are called "redditors") shared the piece of news in reddit.com/r/netsec. Reading the comments posted by users after reading the news hints at the all-important "market sentiment". It is comparable to following a related "hashtag" on twitter.

This network security section in reddit links to related subsections. For example, the social engineering, computer forensics or reverse engineering pages are valuable. The popularity of this site makes it an optimal site to witness and to participate in fruitful conversations between Information Security professionals (itsecuriteers) on technical, organizational and business-related topics. Anyone asking questions can receive interesting and alternative answers. Noteworthy is the link to a jobs site. While most positions are based in the U.S., there is a growing number of postings for positions in Europe and to work remotely.

Finally, there is also a place for those who are starting in this field: the academic discussion forum (e.g. the "2013 Q3 Academic Program Thread"). There, students post their evaluations regarding security degrees and training courses.

A wise piece of general advice given by reddit.com to those who want to post news or comments is to avoid creating unnecessary conflict: something that we can also apply to almost any aspect of our lives.


Sometimes there is no room to manoeuvre

You can also read this entry in Spanish here.

Happy redditing!

Book Review: Ninja Hacking by Thomas Wilhelm and Jason Andreas

Every now and then I share with the readers my views on a specific security related book. This time the title I scanned through is "Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques". In a nutshell, this is a book for those who would like to get introduced into the world of security and insecurity, especially those who also enjoy martial arts. However, this book does not specifically target technical IT security professionals. Here is a biased and telegraphic view:

chapter 1
It starts with the disclaimer that this is not a usual pen testing book. It includes a reference to ancient feudal Japanese tradition: ninjas and samurais, the documented and the undocumented side of war and military strategy. It mentions how the public image of ninjas was negative. Stealthy reconnaissance was a ninja technique. The authors establish a parallel between ninja codes and weapons and unusual pen testing.

chapter 2
This chapter links pen testing with Ninjitsu. They mention arts such as espionage and unconventional warfare. The authors propose that while white hats use methodologies to perform pen tests, ninjas take alternative paths. Important detail: ninjas move undetected.

The difference between white and black hacking is system owner permission. The description of grey hat hackers in this book is somehow confusing: they use illegal attack methods without hacking the spirit of the law?

All in all, 17 chapters for those readers willing to get an initial flavour of what insecurity means today. A light appetizer for a non-technical audience before embarking on more robust references.

Ninja "security" turtles?

A new lecture by Robin Dreeke on Social Engineering - Earning trust

In February 2013, the Social-Engineer.org crew interviewed again the behavioural and rapport-building expert Robin Dreeke. The podcast can be found here.

Robin Dreeke shared in this interview some input coming from a new book related to trust and empowerment. Here you will find a very personal set with some of the points he mentioned:

Empathy foundations

- The three key questions to ask in an input-gathering conversation are how, what and why.
- Dopamine goes to our pleasure centers - our brain rewards us then.
- Getting our interlocutor to get their brain rewarded by you talking to them should be our goal.
- It is important to understand context. How can we adapt ourselves to understand their way of being?

The tribe

- We need to understand the tribe mentality.
- When we are part of a tribe, it means survivability.
- Our ancestors had the need to belong to a tribe.
- Our brain rewards us when we feel part of a tribe.
- We could use DISC to identify communication styles.
- How do we do it quickly?

Make it all about them from the psychological viewpoint

- We should not memorise anything we are planning to say.
- Proposal: Use sympathy and an artificial time constraint.
- We can practise sympathy e.g. help me find a Valentine’s day gift for my partner.
- Our conversation would identify direct individuals (people-oriented persons).
- If they get us to do most of the talking, then they are passive.
- Just by analysing the way they dress, we can tell whether our interlocutor is people-oriented or indirect, task-oriented or analytical.

Demographics and culture

- One very simple technique - the easiest listening technique is have nothing to say - shut up!
- Key point: We want to validate them, we need to be focused on what they say, so shut up!
- The second we need to say something, we need to discard it!
- Example of input-gathering sentence: “I had a similar experience, tell me about yours”.
- If necessary, we can give a little bit of info but let's remember it’s about them.
- People are constantly testing how much we will accept them, if we accept them, they will tell us a little bit more about them.
- We need to become that person that will accept them unconditionally.
- We need to control our non-verbals so that we don’t reveal that we are judging them.
- It is almost as if we turn the conversation into a science experiment about people.
- One step further would be how did they decide to dress that way?
- Our focus will influence our approach; we want to know why that person made some decisions.

Curious people

- What do we do with people who keep on asking questions?
- This is a validation coming to us.
- We could bounce it back and be conscious of the information we are giving away.
- If it keeps coming back to us, we'd better cut the engagement.
- Internet based social networks - people are constantly seeking validation - that is why people have thousands of friends e.g. in facebook.

Job interviews

- In a job interview, we'd better put in context how we can help them and their company.
- Currently, given labour market limitations, we could go back to a time constraint, e.g. "let's run a contract of three months and you test me".
- Become fascinated about people.
- No one will hire us because of us but because of the benefits we can bring to them.
- Feel the emotion behind what you are saying.
- Positive psychology - be happy with what you are doing now.



Getting closer to the empathy palace

Happy empowering 2014!

How Things Gain from Disorder: Nassim Taleb - Applicable to Infosec?

The series of lectures by Entrepreneurial Thought Leaders by the Stanford University's Entrepreneurship Corner is always a must-visit place for those 'eternal learners' who follow these posts or these tweets.

On this occasion I highlight some thoughts extracted from a lecture that Nassim Taleb (@nntaleb at @edcorner) gave on part of the content from his book Antifragile: Things That Gain from Disorder. Are those thoughts applicable to our Information Security world? Let's see.

As always, a modest disclaimer: These lines by no means replace the reading of this interesting book (or, at least, the watching of the lecture at Stanford).

- The aim will be to look in our activities for a convex function of luck (and not a concave one). This way, by producing small changes in our activities, we could be aiming at greater results. In other words, look for something in which, if you lose, you lose small but, if you win, you win a lot. Look for anti-fragility.

I would consider a proactive defence approach in IT Security an anti-fragile field. A series of small information security preventive and detective improvement measures can bring superior benefits. However, the endless possibilities of undergoing an attack by any of the current threat actors probably make it a fragile environment. A small mistake in defending against threats could lead to big losses.

- There are certain fields in our lives in which forecasts cannot be made on statistical probability (e.g. he mentions the financial world).

This statement hints at an alternative view to the book I wrote titled "Secure IT Up! Cyber Insurance Due Diligence" with regard to cyber security. It cannot be completely managed based only on statistical calculations (a long collection of statistically rare cyber incidents can be a reality).

And now some adjacent wisdom pills also from the talk:

- The sponsor of an option should also have disincentives together with incentives so that, if the adventure fails, they also undergo a kind of failure.

- Be aware of those sponsors trying to hide (but not mitigate) risks from you.

This piece of advice on avoiding hiding risks is also applicable to Information Security.

- Respect and even promote the culture of subtracting (in opposition to the culture of adding): e.g. Mankind will be better off if some toxic elements are taken away (e.g. those who damage public health).

Avoiding complexity facilitates the work of the Information Security practitioner.

- Contrary to common academic views, hands-on practice leads to technology. Technology leads to science (and not vice versa i.e. science leads to technology and technology leads to practice).

This last thought deserves some reflection wearing our Infosec hat. Would we improve Infosec at a faster pace if we allocated funds initially intended for governance to secure DevOps?


 Happy anti-fragility!

Build your anti-fragile option