Silicon Shecky

Infosec Practitioner

In our own sandbox

July 20, 2017 By Michael Kavka

We all do it. We are so caught up in what we do, and what we are, that we give what seems to be good advice but is really impractical advice. The world of Information Security is all about a balance that reduces risk while still allowing productivity, and we service (that is right, SERVICE) not only the company, but the end users.

The latest round of Cisco WebEx vulnerabilities produced a lot of the same advice. Patch now, make sure you are patched, please patch etc… you know the usual advice. Then I come across this on my feed:

Running WebEx in a VM seems like sound advice, almost a no-brainer. Almost is the key word. Let’s look at this from a more realistic perspective.

First, how many normal, everyday end users that you know of can spin up a VM? Not many, which immediately makes this advice impractical for the everyday person. Then add on licensing of the OS, driver compatibility for sound and video, memory amount and processor specs. All of that can create an issue too. So the theoretically secure answer of “Use a VM” becomes rather impractical overall.

Now, what implementing this solution might do is create a backlash from the sales force, the C-level executives and possibly more. Add on that there is still nothing preventing them from skipping the VM and just using their desktop instead. What have we done? Basically given our department a black eye. Shown that we are not thinking of the needs of the people we service, let alone the company at large.

We do this all the time. I see solutions posted for different things that just do not seem practical from a different perspective. Even patching can be detrimental, especially with legacy software, which is why patch testing is important. The thing we need to do is work across the business units, talk with them, and find people willing to try what might be an impractical solution if we really want to push for it. We need to get into the heads of normal users and think like them. I use the (grand)parent test mentally: is this something I can see my parents or grandparents, who are non-IT people, using? If not, then throw it in the impractical pile and find a different solution.

In a perfect world, our solutions should have little to no visibility to the end user when working properly. Reality is that this might not be possible, but we can still strive for it. We need to learn that the end user is not a burden; they are the reason we have jobs in this field in the first place.

Filed Under: Rants, Security Tagged With: Solutions, Virtual Machine, VM

Microsoft might actually do something right…

April 27, 2009 By Michael Kavka

I have looked at Windows Vista and, for the most part, consider it the spawn of Windows ME. Vista has its good points, and Microsoft tried with it, but with a moving target, stripped-down capabilities compared to what it was supposed to have, and massive delays on getting it to market, Microsoft really messed up.

It wasn’t just that older software would not run on it, but software and hardware companies didn’t buy into it. It took forever for applications to be written for it, let alone all the issues with hardware drivers Vista has had.

Well, it seems that Microsoft can learn from its mistakes. Windows 7 has been in beta for a little while now, and most people call it a big improvement from Vista. The first Release Candidate becomes public on May 5, and yes, I’m going to get it. What I am looking forward to seeing in action is the newest feature announced for Windows 7. The feature is called XPM, and if it works the way it is supposed to, well, there will be very little reason not to move to Windows 7.

The idea behind XPM is basically Windows XP SP3 running in a virtual machine, which allows legacy apps to be run normally. The kicker to XPM is the idea that it runs seamlessly in the background. Apps that require XP still get shortcuts installed to your normal Start menu, and when you launch the app, it seamlessly launches in its own window. Even though it is on a virtual machine, you don’t see the virtual machine running. You don’t have to start a virtual machine session first. Supposedly, it just works.

We shall find out how well it just works rather soon. This is the one thing that if it works right, could save Microsoft’s reputation.

Filed Under: Computers Tagged With: Beta, Legacy Apps, Microsoft, RC, Release Candidate, Virtual Machine, Vista, Windows, Windows 7, XP, XPM
