Tuesday, December 13, 2016

My Mac, your iPhone, and a vulnerability issue


A long time ago in a valley far away... When I was 8 years old our first computer was a Macintosh. My mother fondly nicknamed it Mac-Baby. She would travel with it to accounting jobs. For lack of a better way to explain it - because my old brain doesn’t remember the model/type - it was an all-in-one, with the huge floppy drive and square CRT monitor. I used to play chess on it among other black & white graphic type “video games”.




Now fast forward to 2016 and I ditched the Windows machines, bye Felicia... and I now have 2 Macs. I love the stability of it. The lack of viruses and issues makes it appealing to me, so here we sit. And yes, I know it can still get viruses... I am not delusional.

Recently though there has been an issue with Apple’s calendar feature. What? I know. Looks like someone took note of a system vulnerability and had their way with it. Spammers unite! Ugh. It was Black Friday a few weeks ago and myself and hubby both noticed these crazy alarm/alert notifications coming through. On my computer and his phone. We both looked at each other confused and then decided to Google it. And there you have it. Apparently Apple is trying to fix this nonsense ASAP, which is good. But the reason I am touching on this now is because in my current coursework we are threat modeling and part of that comes with noting system vulnerabilities.

What broke and what do we do with it


I am in the thick of building a threat model, which by the way is even harder than it sounds when you feel overwhelmed by two graduate-level courses and your risk management course was months past and you can’t remember things... just throwing that out there, lol. However, I do know that a key component is identifying threats and vulnerabilities. With that being said... what the heck, Apple! You missed one. Anyways... to my points.

  1. Something like this issue should have been caught during whatever process is used for system development testing. Test before release. Say it with me, test before release. Not afterwards. This is how many famous viruses/worms get out and about.
  2. If that was done properly, it would have been repaired or a non-issue.
  3. If it wasn’t caught here, it should have been at least on a radar of some sort in a threat modeling process cycle...maybe? I mean I think so, but I also don’t work for Apple. AND I am in no way bashing them..but this is a really good example in vulnerability assessments.
  4. If it was determined and found, was it considered a part of the risk appetite for the organization or not? My basic question would have been, who dropped this ball?


What to do

So what happens when we miss these? Clearly processes need to be more reformed if things like this are being missed. I mean I know accidents happen, but there is a process in place to avoid stuff like this. If it was caught, but it wasn’t considered a threat... yikes! I mean it could have been worse for sure! It’s more annoying than anything for the users/customers, but it’s not necessary either.

Threats and vulnerabilities need to always be defined and cataloged in some way, shape, or form; these processes then help us use this to determine next steps and preventive measures. Although even when we try our best, things will still be missed. I realize this and it is OK. I just hope all of these are learning experiences and allow for organizational growth. Plus, I hope no one got fired.

For now, I am going to go work on my threat modeling process some more... maybe I will share that with you all at some point? Either way, until next time, stay safe out there!

Week 3 Assignment - CYBR 650
