Wednesday, August 06, 2008

What is your information worth?

What is information about you worth on the street? Here is an interesting article about what stolen information sells for these days.

What is your stolen data worth?
Criminals and miscreants buy and sell your data today the way you would buy and sell items on eBay. Batches of 1,000 debit cards with PINs go to the highest bidder. Criminals have done this for years with credit cards from your wallet; now they can do it en masse thanks to the Internet. Online auction sites for your information are out there and being used. The criminal who steals the data is often not the one using it. TJX was a case in point: most of those credit card numbers were sold off to others who made the purchases.

Friday, February 22, 2008

Researchers: Disk Encryption Not Secure

Here is some more information on this attack. The video is worth watching. It makes the attack look simple enough for the average consumer.

http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Here are some comments from PGP's CTO on the problem.

http://blog.wired.com/27bstroke6/2008/02/encryption-stil.html

Takeaways from all of this

  • "Encryption is not magic pixie dust that makes everything okay"
  • Don't use sleep mode; shut down and turn off your computer.
  • If the Feds come to grab your computer, turn it off first.
  • If someone has physical access and time on their hands, they can break almost any security measure.
  • Hard drive encryption needs to move to the hardware level, or at least the key protection part of it.

Hard drive encryption

Many organizations today are starting to take laptop security and encryption more seriously. Most are at some stage of rolling out laptop or whole disk encryption. This can present many interesting challenges, both technical and cultural. Most of the disk encryption vendors do not have clients for multiple OSes, so dual-boot machines with Windows and Linux are stuck with volume-level encryption or some other option for now. Vendors are promising some type of Linux client, but I've yet to see any deliver. Another problem is the recovery partition on most stock machines as installed by the vendors. Once the entire drive is encrypted the recovery partition is no longer useful. Larger businesses may eliminate this with a standard hard drive image; in most cases they don't want the end user restoring their laptop to the vendor-provided install.

Cultural challenges include shared or "check out" laptops. Trying to set up multiple encryption users and passwords on a single machine can be complicated. It may be helpful to educate users that no sensitive or confidential data should be stored, or even accessed, when using a shared laptop. While a shared encryption login may help with laptop loss, it may still expose sensitive data to an employee who does not have the proper clearance.

Full disk encryption will continue to grow in popularity as businesses attempt to protect data that gets stored locally. It can present its own unique challenges. While the software solutions available today are good, I see encryption moving to the hardware vendor level over the next few years. Either the platform vendors (Dell, HP) or the hard drive vendors need to provide better ways to protect the data stored on portable devices.

Researchers find hard drive encryption's Achilles' heel

I think we all knew it wouldn't be long before someone discovered ways around disk encryption technology. As I read this research I couldn't help but ponder who would go through all this effort for a stolen laptop. The average criminal who picks up a laptop in a hotel room or out of the back seat of your car is not going to have the technical skills to figure this out. This sounds more like a great scene from the next Jason Bourne movie.

Friday, January 04, 2008

Data breaches reach new levels in 2007

The year 2007 will be known for its unprecedented number of data breaches. The Privacy Rights Clearinghouse maintains a database of privacy breaches over the last two years. Of course the TJX breach was one of the more publicized. Attrition.org also provides a database of breaches called the Data Loss Database. Theft of laptops continues to lead the way in how companies lose data. While we and other entities continue to push the use of whole disk encryption, there continues to be user resistance. Other aspects of layered security, including user education and training, need to be emphasized. At some point all of us will face the prospect of identity theft from a loss of data by some organization we once trusted. As security professionals we must continue to work hard to ensure the data entrusted to our organizations is well protected.

Friday, December 28, 2007

I’m Not the Sheriff

A recent article in the ISACA Control Magazine by Steven Ross called "I'm Not the Sheriff" (login required) talks about who is responsible for security control enforcement. He asks whether it is Information Security's, the IS Auditor's, management's, or technology's role to enforce security controls. To some degree I believe it is one group he left out: the end users. In most cases I'm amazed at how many of the violations are simply end users not thinking about the consequences. When we detect SSNs being emailed in clear text, often the user asks, "Is that a bad thing?" I guess only if it is not my SSN being emailed to the outside world.
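Detecting SSNs in outbound mail, as mentioned above, is a common data loss prevention check. The following is an added example (not the author's tooling or any vendor product) showing a minimal detector in Python: it scans a few constructed sample message bodies for values formatted like a U.S. SSN and filters out values the SSA numbering rules say can never be assigned (area 000, 666 or 900 and up, group 00, serial 0000), which keeps ticket numbers and similar digit runs from triggering it. The sample messages and the regular expression are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample message bodies (not real data): one with a plausibly
# formatted SSN, one with numbers that look like SSNs but can never be
# assigned, and one with ordinary digit runs (room, time, extension).
SAMPLE_MESSAGES = [
    "Per your request, the applicant's SSN is 219-09-9999 and DOB 01/02/1970.",
    "Ticket 666-12-3456 was closed; invoice total 000-00-0000 looks wrong.",
    "Meeting moved to room 123-45 at 10:00, call ext. 6789.",
]

# ddd-dd-dddd with an optional '-' or ' ' separator. The lookarounds stop
# the pattern from matching inside longer digit runs (phone or account numbers).
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a possible SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return the plausible SSNs found in text, normalized to ddd-dd-dddd."""
    hits = []
    for match in SSN_PATTERN.finditer(text):
        area, group, serial = match.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_messages(messages: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (message index, SSNs) for every message that should be flagged."""
    flagged = []
    for index, body in enumerate(messages):
        ssns = find_ssns(body)
        if ssns:
            flagged.append((index, ssns))
    return flagged


if __name__ == "__main__":
    for index, ssns in scan_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {len(ssns)} SSN-like value(s): {', '.join(ssns)}")
```

A check like this is a first filter only: it flags formatting, not identity, so a DLP process still needs a human or a second rule (for example, a nearby "SSN" or "social" keyword) before blocking mail, and the plausibility rules above reflect the post-2011 randomized numbering, which no longer ties the area number to a state.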

Many vendors would have you believe that their appliance or latest software can enforce compliance. While it may help you detect a violation, technical solutions often cause as many problems as they resolve.

Steve answers his question with what is always the best solution: all of these things working together are what ensures compliance with security controls. Your system can catch a problem, but if management does not support the control in the first place then it does not really matter. A combination of processes, people and technology is what makes for better security.

Friday, November 09, 2007

Ten Windows Password Myths

While doing research for our password policy I ran across this older article by Mark Burnett, Ten Windows Password Myths.

The 10 myths still apply today.

  1. My Password Hashes Are Safe When Using NTLMv2
  2. Dj#wP3M$c is a Great Password
  3. 14 Characters is the Optimal Password Length
  4. J0hn99 is a Good Password
  5. Eventually Any Password Can Be Cracked
  6. Passwords Should be Changed Every 30 Days
  7. You Should Never Write Down Your Password
  8. Passwords Cannot Include Spaces
  9. Always Use Passfilt.dll
  10. Use ALT+255 for the Strongest Possible Password

While I could comment on several of the myths, the one I like is "Passwords Should be Changed Every 30 Days". Time and time again, I've seen that the more often you force users to change their passwords, the weaker they get. If you force users to have complicated passwords and change them often, they end up written down on a sticky note. Part of the reason users have simple passwords is to remember them. Teaching them to use longer passphrases is going to enhance password quality more than changing them often.

Recently one of our agencies came up with what I felt was an innovative solution to the problem of users not changing the original password they were given. While most systems force a user to change the password the first time they log in, not all systems do. For those systems the agency uses a thirty-character hash as the original password. The user only wants to type those 30 characters once and quickly changes their password. Making the easiest thing to do the right thing will get users to follow the rules more than force will.
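The two previous paragraphs make two points: a longer passphrase adds more strength than frequent rotation, and a long random initial password nudges users to change it immediately. The following Python example is added here and is not the agency's tool or code from Mark Burnett's article. It puts rough numbers on the first point by computing the keyspace of randomly generated passwords of the kinds named in the myth list against Diceware-style passphrases, and it generates a 30-character initial credential from the operating system's CSPRNG for the second. The dictionary size (7776 words), the guess rate and the treatment of the myth-list strings as if they had been generated at random are assumptions; a human-chosen value like J0hn99 is far weaker than the figure shown.

```python
import math
import secrets

# Alphabet sizes used to estimate the keyspace of a randomly generated
# secret. 7776 is the size of a Diceware word list (assumed here; any
# dictionary size can be substituted).
PRINTABLE_ASCII = 94   # letters, digits and printable symbols
LETTERS_DIGITS = 62
HEX = 16
DICEWARE_WORDS = 7776


def random_password_bits(length, alphabet_size):
    """Entropy, in bits, of a password chosen uniformly at random from
    alphabet_size ** length possibilities. An upper bound for human-chosen
    passwords, which are never uniform."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, dictionary_size=DICEWARE_WORDS):
    """Entropy of a passphrase whose words are drawn uniformly from a
    dictionary of the given size. Length beats symbol mixing: each word
    adds log2(dictionary_size) bits, about 12.9 for Diceware."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try the entire keyspace at a given guess rate
    (an attacker expects success after about half of it)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def initial_password(length=30):
    """One-time initial password from a CSPRNG: a 30-character hex string
    in the spirit of the agency's thirty-character hash (assumed form).
    secrets.token_hex(n) returns 2*n hex characters, so request enough
    bytes and trim to the requested length."""
    return secrets.token_hex((length + 1) // 2)[:length]


def compare(guesses_per_second=1e10):
    """Bits and exhaustion time for the myth-list styles and for
    passphrases, at an assumed fast offline cracking rate."""
    cases = {
        "9 random printable chars (Dj#wP3M$c style)": random_password_bits(9, PRINTABLE_ASCII),
        "6 letters/digits (J0hn99 style, if random)": random_password_bits(6, LETTERS_DIGITS),
        "4-word passphrase": passphrase_bits(4),
        "6-word passphrase": passphrase_bits(6),
        "30-char hex initial password": random_password_bits(30, HEX),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:46s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("example initial password:", initial_password())
```

The six-word passphrase, which is easier to remember than nine characters of line noise, comes out ahead of the "great password" from the myth list, and no rotation interval changes that ordering. The 30-character initial credential is not meant to be memorized; its job is to be typed once and replaced, which is exactly the behaviour the agency wanted.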

Monday, November 05, 2007

Security Statements you don’t want to hear.

Jon Espenschied's 8/14/07 Computerworld article, "10 Claims That Scare Security Pros":

  1. "We have a culture of security."
  2. "IT security is information security here."
  3. "That doesn't apply to the boss."
  4. "Our information security officer is on the IT staff."
  5. "We have a password policy."
  6. "Our managers have copies of all passwords."
  7. "The Web app only runs if we … "
  8. "Brand X is our standard."
  9. "Hey, where'd that come from?"
  10. "We sent the firewall rules out to …"

While I agree with many of these, there are a few I would question.

The role of the information security "officer" can be debated forever. Is this a technical role assigned to IT, or a business person who audits IT controls? My experience shows that in most companies Information Security is seen as a role of IT. Right or wrong, that is just the reality. Most of the time the "security person" grows out of a network or system administrator who has a desire to delve into security. Then there is the debate over whether security is the responsibility of one individual or something everyone does. I feel that when it is everyone's responsibility then no one really focuses on it. While every system administrator has a role in security, if it is just one of fifty hats they wear it often gets low priority until there is a problem.

Passwords continue to be a major security issue. Not just end users but often system administrators and developers use easy-to-guess passwords or no passwords at all. Or, as we have found out, the same password on every computer they touch.

Friday, July 20, 2007

Fit to be Tied

This recent article in Government Technology by Chad Vander Veen piqued my interest because it hit on two of my big workplace pet peeves.

The necktie: why do we have them? Do they serve any purpose other than to cut off blood circulation to some managers' heads? I wear one almost every day and have often wondered what their purpose is. Why do we dress so formally at work? I have read studies in the past that claim companies with a necktie dress code create a more professional environment. The dotcom era seemed to show that the more casual the better. Isn't it interesting how a new boss can set the dress standard without even saying anything? When our new CIO came on board wearing a white shirt and tie every day, it was fun to watch how many managers suddenly started wearing white shirts and ties. Was it part of his plan to change the culture or just his personal clothing style?

The other subject the article addresses is the 40-hour work week. It is a relic of the past. I know when I worked a few years at a start-up there was no such term. I've always felt that people should work until the job is done. My wife tells me if I did that I would never come home, because I never get everything done that I wanted to. The reality is that with today's technology, working any time, any place may allow us to spend more time with family and friends. It has always interested me that schools teach our kids these concepts. Kids are given an assignment and sent home to work on it. Remember homework? They aren't instructed to work from eight to five on an assignment. They are told the assignment is due on Friday and late work is not accepted. Once we become adults and enter the workplace we get away from this. Instead it seems most managers think that if you stay in your cube eight hours a day and look busy you are a good employee. Late work is not only accepted but often expected. Maybe we should look to the education community for a few more managers.