I have been listening to and watching some really good talks online about discovered vulnerabilities and new threat and attack vectors. While you must take hacker and pen tester claims with a grain of salt, there is something to be said for some of the tools and demonstrations I have seen over the past year. In particular, I am impressed with the social engineering efforts I have seen. I am really looking forward to trying out some of the tools I saw last week, which really demonstrate what a lack of user education and awareness can do when coupled with a little bit of technological ingenuity. These methods would likely have a 75% or higher success rate and, when successful, will completely compromise your target. Now I guess the question some will have is "How do I prevent it?" I love to hear that question; it's much more refreshing than hearing "that can't happen here" or "we're the best..." and yes, I have heard people boldly state that.
There's no new method of prevention; Information Security (or Cyber Security) is not difficult or overly complex. It consists of understanding current threat and attack vectors, knowing where your organization is outdated or deficient, and mitigating or remediating those deficiencies. The problems pop up when you either hire the wrong people to defend your enterprise, or you hire the right people and do not give them the funding and authority they need to accomplish their mission. Having worked in several different environments, I can say it's pretty rare that the absolute wrong folks are hired, but it definitely happens, and you might be surprised at the types of places that have that issue. More often, I have witnessed the lack of authority and funding for security. Now, we could go into what makes people "right" or "wrong" for these positions, but if you work in infosec and don't know what I mean when I say that, then I can't really help. It's kind of like being able to point out that one annoying relative every family has; if you can't identify who that is in your family, it's probably you. If it's you, no problem; there's plenty of training and reading that can bring you right into the loop if you want to be there. I recommend SANS for training, and their certification process. If you really want a deep dive from the community, you are doing yourself a disservice if you don't check out DefCon and BlackHat. Other good cons include Shmoocon and CanSecWest. I am sure there are more, but these are what came to mind. If you know of some good cons that really educate folks, please post them. The more information we can get out there together, the better we can defend our infrastructures.