Security Space

A Master Plan for Taking Back Control of Your Life

2011-10-05T11:00:00.002-06:00

Excellent article on ways to take back control of your life. Today we live in a society with constant forms of inputs and interruptions. Phone calls, text messages, emails, twitter feeds and news stores all coming to us from different sources. How do we get control?

You should read the entire article. I’m choosing to focus on only a few points I feel I need to get back into control. Self improvement to me is taking small steps that keep us moving forward until we become who we want and know we can be.

1. Make more of your behaviors automatic.

Interesting thought that we have limited will power. How often do we try to change a habit or begin a new routine only to fall back into our regular schedule? My resolve is to make the good habits I want to become more routine and automatic. If the become part of my regular schedule then I don’t have to motivate myself to do them. I expect myself to do it.

3. Whatever you feel compelled to do, don't.

What drives you to do something? When I’m compelled to really want to do something I shouldn’t do it?? Does this go against what most of us think? Is this what allows us to give into our lazy, impulsive self’s. How do you change what compels you? This is an area I need to think about and research and see what compels me and is that a good or bad thing. Goals, achievement, recognition, or just the feeling of accomplishment often compel me to improve myself. Is that a bad thing?

http://goo.gl/boFl0

Improving Your Writing

2011-09-29T14:51:00.001-06:00

This article on Likehacker made me think I need to update my blog more often. New goal at least weekly post on news, information or just stuff I find interesting.

Is the Internet replacing your own memory?

2011-07-18T09:27:00.001-06:00

Of course it is.

To me the Internet is just replacing books and other printed material. I've also felt that it was more important to know how to access or find information than to store it. That is why we create notes in college. Some teacher feel that memorization is more important than knowledge. Some people can memorize and some people know where to get the information. I do have lots of useless information in stored my brain. A question like “is an ostrich’s eye bigger than its grain.”? I don’t know but I know I can find it in seconds with Google.

I just wish I had access to Google face recognition while at my next family or class reunion so I could remember all those friends from high school. No I will not add you as a fried on Facebook.

Encrypt That Hard Drive

2011-07-15T10:34:00.001-06:00

SANS recently published a newsletter about encryption that is a good primer for anyone that wants the basic of encryption. The SANS Securing the Human project is a great resources for those Security folks looking for a way to jump start their awareness program.

http://goo.gl/DzwWV OUCH! Understanding Encryption

Now that a user knows all about encryption and have encrypted their hard drive, are they required to give up their encryption key to your company or the US Government? Is your key protected by the 5^th Amendment?

http://goo.gl/mC0C0 - Cough up the encryption key or else!

Why there are so many criminals in Russia

2011-04-11T08:35:00.002-06:00

Some interesting thoughts on why there is so much malware code written in Russia. I like the analogy with the guys writing code for at Raytheon.

"Kaspersky said, it's not unlike the fellows working on missile technology at Raytheon in the U.S. They're not the one who will pull the trigger if the weapons are used. They just build it and have little idea of where their handiwork is later used.

For the typical Russian hacker, it's a similar mindset. They just write the stuff. They're not necessarily the ones launching the attacks and picking the targets."

http://goo.gl/49CQ3

Rogue software and Scareware

2011-01-10T12:54:00.005-07:00

One of the latest attacks vectors from malcontents is the rogue anti-virus or sometimes called Scareware. Many users wonder how their computer was infect. They didn’t go to any bad site the just visit popular news or search sites. Many of these sites subscribe to ad service that populate pages with ads from various sources. A number of these ads have malware or rogue software that display a pop-up message saying your computer is infect click here to scan. This malware often looks like a Windows message or message from your anti-virus software. Once you click on the message the damage is done.

Norton’s (Symantec) web site has some great information on this topic.

http://goo.gl/inaNs

A Norton employee wrote a three part blog article on what they do and how to recognize them.

2011 New Year's Resolutions

2011-01-10T12:45:00.001-07:00

Work and personal life has been crazy the last few years. This year one of my new year's resolutions is to be more active with my blog post.

What is your information worth?

2008-08-06T16:03:00.000-06:00

What is information about you worth on the street? Here is an interesting article about what information is worth on the street these days.

What is your stolen data worth?
Criminals and miscreants buy and sell your data today as you would items on eBay. 1,000 Debit cards with PIN number are going to the highest bidder. Criminal have done this for years with credit cards from your wallet now they can do it in mass thanks to the Internet. Online auction sites for you information are out there and being used. The criminal that often steals the data is not the one using it. TJX was a case in point with this. Most of those credit cards number were sold off to others that made the purchases.

Researchers: Disk Encryption Not Secure

2008-02-22T13:41:00.002-07:00

Here is some more information on this attack. The video is worth watching. It does make it look simply enough for the average consumer.

http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Here are some comments from PGP's CTO on the problem.

http://blog.wired.com/27bstroke6/2008/02/encryption-stil.html

Take-a-ways from all of this

"Encryption is not magic pixie dust that makes everything okay"
Don't use sleep mode, shut down and turn off your computer.
If the Feds come to grab you computer turn it off first.
If someone has physical access and time on their hands they can break almost any security measures.
Hard drive encryption needs to move to the hardware level, or at least the key protection part.

Hard drive encryption

2008-02-22T11:00:00.001-07:00

Many organizations today are starting to take laptop security and encryption more serious. Most are in some level or rolling out laptop or whole disk encryption. This can present many interesting challenges both technically and culturally. Most of the disk encryption vendors do not have clients for multiple OSes so duel boot machines with Windows and Linux are stuck with volume level encryption or some other options for now. Vendors are promising some type of Linux client but I've yet to see any deliver. Another problem is the recovery partition on most stock machines installed from the vendors. Once the entire drive is encrypted the recovery partition is no longer useful. Larger businesses may eliminate this with a standard hard drive image. In most cases they don't want the end user restoring their laptop to the vendor provided install.

Cultural challenges included shared or "check out" laptops. Trying to setup multiple encryption users and password on single machine can be complicated. It may be helpful to educating the user that no sensitive or confidential data should be stored or even accessed when using a shared laptop. While a shared encryption may help with laptop loss it may still expose sensitive data to an employee that does not have the proper clearance.

Full disk encryption will continue to grow in popularity as businesses attempt to protect data that gets stored locally. It can present it own unique challenges. While the software solutions available today are good I see encryption moving to the hardware vendor level over the next few years. Either the platform vendors (Dell, HP) or the hard drive vendors' needs to provide better ways to protect the data stored on portable devices.

Researchers find hard drive encryption's Achilles' heel

I think we all knew it wouldn't be long before someone discovered ways around disk encryption technology. As I read this research I couldn't help but ponder who would go through all this effort for a stolen laptop. The average criminal that picks up a laptop in a hotel room or out of the back seat of your car is not going to have the technical skills to figure this out. This sounds more like a great seen from the next Jason Bourne move.

Data breaches reach new levels in 2007

2008-01-04T16:32:00.001-07:00

The year 2007 will be known for the unprecedented number of data breaches. The Privacy Right Clearinghouse contains a database of privacy breaches over the last two years. Of course the TJX breach was one of the more published. Attrition.org also provides a database of breaches called the Data Loss Database. Theft of laptops continues to lead the way for companies to lose data. While we and other entities continue to push the use of whole disk encryption there continues to be user resistance. Other aspect of security layers including user education and training need to be emphasized. At some point all of us will face the prospect of identity theft from a loss of data by some organization we once trusted. As security professional we must continue to work hard to ensure the data entrusted to our organization is well protected.

I’m Not the Sheriff

2007-12-28T16:28:00.001-07:00

A recent article in the ISACA Control Magazine by Steven Ross called "I'm Not the Sherriff" (login required) talks about who is responsible for security control enforcement. He asks the question, is it Information Security, IS Auditor, Management, or technology's role to enforce security controls? To some degree I believe it is one group he left out the end users role. In most cases I'm amazed at how many of the violation are simply the end users just not thinking about the consequences? As we detect SSN being emailed in clear text often the user asks "is that a bad thing?" I guess only if it is not my SSN being emailed to the outside world.

Many vendors would have you believe that their appliance or latest software can enforce compliance. While it may help you detect a violation, often technical solution cause as many problem as they resolve.

Steve answers his question with what is always the best solution. All of these things working together are what ensures compliance with security controls. Your system can catch a problem but if management does not support the control in the first place then it does not really matter. So a combination of processes, people and technology are what makes for better security.

Ten Windows Password Myths

2007-11-09T13:14:00.001-07:00

While doing research for our password policy I ran across this older article by Mark Burnett Ten Windows Password Myths.

The 10 myths still apply today.

My Password Hashes Are Safe When Using NTLMv2
Dj#wP3M$c is a Great Password
14 Characters is the Optimal Password Length
J0hn99 is a Good Password
Eventually Any Password Can Be Cracked
Passwords Should be Changed Every 30 Days
You Should Never Write Down Your Password
Passwords Cannot Include Spaces
Always Use Passfilt.dll
Use ALT+255 for the Strongest Possible Password

While I could comment on several of the myths the one I like is "Passwords Should be Changed Every 30 Days". Time and time again, I've seen the more often you force users to change their passwords the weaker it gets. If you force users to have complicated passwords and change them often they are written down on a sticky note. Part of the reason users have simple passwords is to remember then. Teaching them to have longer passphrases is going to enhance password quality more than changing them often.

Recently one of our agencies came up with what I felt was an innovative solution to solving the problems of users not changing the original password they were given. While most systems force a user to change the password the first time they log in not all systems do that. For those systems the agency uses a thirty character hash as the original password. The user only wants to type those 30 characters once and quickly change their password. Making it so the easiest thing to do is the right thing will get users to follow the rules more than force.

Security Statements you don’t want to hear.

2007-11-05T17:06:00.001-07:00

Jon Espenschied's 8/14/07 Computerworld article, 10 Claims That Scare Security Pros,:

"We have a culture of security."
"IT security is information security here."
"That doesn't apply to the boss."
"Our information security officer is on the IT staff."
"We have a password policy."
"Our managers have copies of all passwords."
"The Web app only runs if we … "
"Brand X is our standard."
"Hey, where'd that come from?"
"We sent the firewall rules out to …

While many of these I agree with there are a few I would question.

The role of the information security "officer" can be debated for ever. Is this a technical role assigned to IT or a business person that audits IT controls? My experience shows that in most companies Information Security is seen as a role of IT. Right or wrong that is just the reality. Most of the time the "security person" grows out of a network or system administrator who has a desire to delve into security. The debate of if security is the responsibility of one individual or something everyone does. I feel that when it is everyone's responsibility then no one really focuses on it. While every system administrator has a role in security if it is just one of fifty hats they ware it often gets low priority until there is a problem.

Passwords continue to be a major security issue. Not just end users but often system administrator and developers use simple to guess or no passwords at all. Or as we have found out the same password on every computer they touch.

Fit to be Tied

2007-07-20T08:41:00.001-06:00

This recent article in Government Technology by Chad Vander Veen, peaked my interest because it hit on two of my big workplace pet peeves.

The neck tie, why do we have them? Do they serve any purpose other than to shut off blood circulation to some manager's heads? I wear one almost every day and have often wondered what their purpose is. Why do we dress so formal at work? I have read studies in the past that claim companies that have a dress code of neck ties create a more professional environment. The dotcom era seamed to show that the more casual the better. Isn't it interesting how a new boss can set the dress standard without even saying anything? When our new CIO came on board wearing a white shirt and tie every day it was fun to watch how many managers suddenly starting wearing white shirts and ties. Was it part of his plan to change the culture or just his personal clothing style?

The other subject the article addresses is the 40 hour work week. It is a relic of the past. I know when I worked a few years at a start up there was no such term. I've always felt that people should work until the job is done. My wife tells me if I did that I would never come home because I never get everything done I wanted to. The reality is with today's technology working any time any place may allow us to spend more time with family and friends. It has always interested me that the schools teach our kids these concepts. Kids are given an assignment and sent home to work on them. Remember homework? They aren't instructed to work from eight to five on an assignment. They are told the assignment is due on Friday and late work is not accepted. Once we become adults and enter the work place we get away from this. Instead it seems most manager's think if you stay in your cube eight hours a day and look busy you are a good employee. Late work is not only accepted but often expected. Maybe we should look to the education communicate for a few more managers.

Base Rate Fallacy

2007-05-18T15:29:00.001-06:00

Recently, I attended a seminar put on by the local chapter of the ISACA. It was a great seminar with various speakers and topics. One of the speakers was from Oakley Networks and he talked about Base Rate Fallacy as it relates to security. He used examples from Bruce Schneier Security Blog. I reviewed his post on Terrorists, Data Mining, and the Base Rate Fallacy, while I agree with the overall premises I think he missed the entire point of why they use data mining to find terrorist. Like any data mining project you are looking for patterns to narrow down your results to something you can manage. Also I would have to believe that the NSA would not use only one source to form an opinion. The NSA may use data mining to target 30,000 people then use other methods to validate and verify the assumptions. Any good law enforcement officer, scientist or security guru would use the same processes.

Symantec Internet Security Threat Report released

2007-05-04T10:02:00.001-06:00

Symantec has released it semi-annual threat report. After reviewing the document here are a few items I found of most interest or highlights.

The government sector accounted for 25 percent of all identity theft-related data breaches, more than any other sector.
The government sector was the sector most frequently targeted by DoS attacks, accounting for 30 percent of all detected attacks.
Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from the previous period.

Item	Advertized Price US Dollars
United States-based credit card with card verification value	$1–$6
United Kingdom-based credit card with card verification value	$2–$12
List of 29,000 emails	$5
Online banking account with a $9,900 balance	$300
Yahoo Mail cookie exploit—advertised to facilitate full access when successful	$3
Valid Yahoo and Hotmail email cookies	$3
Compromised computer	$6–$20
Phishing Web site hosting—per site	$3–5
Verified PayPal account with balance (balance varies)	$50–$500
Unverified PayPal account with balance (balance varies)	$10–$50
Skype account	$12
World of Warcraft account—one month duration	$10

You can get your own copy of the report at

http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport

Cost of a Security Breach

2007-04-13T16:11:00.000-06:00

By now most of us have heard the Story of TJX and its security breach involving 45 million credit cards. And I’m sure none of us would want to be in their Security Officers shoes right now.

Trying to determine the actual cost of a data breach may be near impossible. Developing a method to be used to determine a security breach seems to be a popular news story. Many news stories like to report large figures like US Department of Justices cases in 2006 determined the averages loss per incident was $1.5 million or the Ponemon Institute survey that figured the average at $4.8 million.

A resent Forrester report on Calculating the Cost of a Security Breach has some great information and background on what to include in your calculation. A few interesting point I pulled from the article include

$50 per record for Notification. Think about the 45 million credit cards TJX has to notify on.

Visa levied fines of $4.6 million to it acquirers for mismanaging customer data in 2006.

Estimated cost of a security breach can range between $90 and $305 per record.

Even the a small incident of several thousand credit card records could cost you company a lot of money. Now we have to work on getting management to believe it could happen here.

How To Spot Insider-Attack Risks In The IT Department

2007-02-24T13:28:00.000-07:00

A recent survey by the Secret Service and CERT Coordination Center/SEI indicates that 86% of internal computer sabotage incidents are perpetrated by tech workers.

Two weeks after your trusted UNIX administrator leaves all your major UNIX database systems go down for a day. Coincidence? Often the most trusted employees in the organization are those in our IT group. They have the keys to the kingdom. They know all the right passwords, which systems contain which data and where the companies’ real weaknesses are.

What are some measures you can take to protect your organization?

Hire Smart
1. Do background check
2. Check their references or other professional groups they may belong to
3. Search the web to see if they have blog or Myspace type web site.
a. What does it tell about their personality?

Separation of Duty
Sounds simple but in most organization it is tough having enough staff. So often companies count on one of two people to run the show. The employees know it and can often hold company hostage rasies or discipline actions. As a manager I’ve had employee tell me “you can’t get ride of me I’m the only one that understands the system”. That was when I realized I needed to change they way I managed things.

Know your employees
Sometimes employees get them selves in to trouble because of external forces in their life. Knowing when employees are going through a divorce, death in the family, bankruptcy or other live changes events can help you know when there is am increased risk.

As Ronald Reagan said "trust but verify".

See related post Would you hire a hacker?

Banks could pass on phishing losses to customers

2007-02-09T12:57:00.000-07:00

This could be a bad precedent, other fee that banks will pass on to customers. It does bring up the interesting question of who is responsible to protect your data. Clearly if you give out your PIN or Password you are responsible. If your credit card is taken are you responsible for the protection of it. If you leave your wallet unprotected on a city bench and someone picks it up and uses your credit card are you responsible? You didn’t adequately protect it. If you didn’t keep your anti-virus or anti-spyware up to date and you get a Trojan that steals your password who is responsible?

Henry said the Bank of America has adopted the attitude that a Trojan on your PC is "your problem".

Questions to be answered in court I’m sure.

LINUX: Over 34% more geeky than any other operating system

2007-01-05T13:42:00.000-07:00

You will spend countless hours figuring out how to do the simplest things. What could be more fun?

Once again I attempted to switch my desktop system from Windows XP to Linux. While the install of SLED (Novell SuSE) was very simple the configuration and getting it to do what I wanted is taking hours. Simple task in Windows XP seem to take forever to get to work in Linux. While this may be great to the average technical person, I have to question my productivity loss in this latest attempt to make the switch. The newer versions of desktop Linux have come a log way and the user interfaces are greatly improved. However, I still find myself opening up a terminal session and issuing commands. Much like I did in the old Windows 2000 days. I don't consider myself an expert in Linux but I can get it to do what I need to. It is just figuring out the right command to do it.

One of my employee sent me this great link that sums up my experience with Linux on the desktop.

http://www.dumbentia.com/pdflib/moregeeky.pdf

Network (Internal Network Layer)

2006-12-27T16:39:00.000-07:00

This layer contains methods to protect the network by monitoring traffic types and segmenting traffic via different security models.

These methods include:

Intrusion detecting and alerting in place to identify proactively respond to problems

Intrusion prevention systems to allow for automated response to potential security breaches.
Network traffic shaping and flow to determine patterns and identify potential risks.
Network segmentation:

Separated network via agencies and security levels.
VLAN used to separate traffic and limit access between agencies
MPLS to tag traffic from individual agencies.

Access control lists (ACLs) that block traffic and ensures that only those individual IP addresses can access systems and services.
Non-routable IP addresses are used where possible to keep internal State services from exposure to external networks.
Internet and Web filtering to protect users from accidentally surfing to inappropriate or hazardous Web sites.
Network based anti-virus software to eliminate virus and worms before they reach other layers
Regular vulnerability assessment and testing of network services

Would you hire a hacker?

2006-12-08T15:18:00.000-07:00

Several weeks ago while doing a presentation at a local university; I was asked by a student “Would you every hire a hacker?” My immediate response was “no” and then I went on to explain why.

A recent blog posting on CSO by Ken Pfeil express some of the same concerns I have.

The comments are of interest as well. Information Technology and IT security in general is all about TRUST. It’s not about certifications, labels or other things. It comes down to do I trust this person with the information they come across every day working in IT. Most corporations do background and reference checks to get some level of assurance that this person does not have previous criminal or malicious behavior. Would you hire a tax consultant that had previously been convicted of tax fraud? Of course not.

Hiring someone who can hacked a systems does not #1 make them smart and #2 make them a good employee. In fact, if they got caught by someone wouldn’t you be better off hiring the person that caught them?

In my mind, the difference between a “hacker” and a security administrator is permission. We do penetration testing and vulnerability assessments all of the time, with permission of management and the information system owner. The hacker accessed someone else system, break several laws and more important compromised some basic principles of society. What is their level of integrity and respect for some one else’s property, including the company that just hired them. Poor behavior tends to repeat its self.

Are Security Blogs a Security Risk?

2006-12-04T16:23:00.000-07:00

A recent post on a blog on CSO magazine addressed this issue. I think blogs like this and other can present some security threat by giving out information about security products or strategy. They can also embarrass a company, it employees or officers. So with any type of blog you must consider your words wisely. I hope I’ve been able to do that here. Provide basic sound information about security while not embarrassing my self or my employer.

Perimeter (First Line of Defense Between the Internet and Internal Networks)

2006-12-04T16:10:00.000-07:00

This layer is the border between the external world and the internal network and systems. The perimeter service acts as the hard outer shell that protects all that is inside. This layer must allow traffic and commerce to take place while eliminating as many threats as possible. Methods include:

• Perimeter firewall protection.
• Firewalls between the company assets and the Internet are essential.
• Logging, analysis, and reporting of access.
• Elimination of clear text and other services that can expose internal systems to external threats.
• Encryption of incoming network traffic destined for more secure internal systems, such as:

o VPN
o SSL
o Secure Shell

• Bastion host and proxy services funnel services and limit exposure.
• Proxy cache and other technologies to limit the exposure of internal systems to external services.
• Authentication of employees accessing the network.
• DMZ and filtered networks are in place to only allow external traffic to specified areas and zones.
• Regular vulnerability assessment and penetration testing done to identify weakness and proactively resolve potential problems

Physical Layer (Access and Environment Controls)

2006-11-22T13:04:00.000-07:00

This layer wraps around the core components to maintain and control physical access and the environment of the devices. This layer ensures that only appropriate physical access is allowed to the systems. This layer also includes environment controls to ensure that systems do not receive damage from temperature, water, or electrical service failures. Methods include:

Employees have appropriately badge to enter protected areas.
Physical locks and controls are in place to prevent access to systems.
Physical layers or zones in place depending on security requirements.
Required n-factor authentication to access areas that demand increased security.
Individual computers and desktops are secured and locked when not in use: and
Environmental controls are in place and monitored to ensure there is no damage to the critical systems.

Organization must make sure that the proper physical controls are in place to mitigate some of the biggest security threats. How many times have we heard if they can get physical access to a computer they can own it? This includes network equipment as well as servers, workstations and other devices.

Proper physical access and environmental controls are an important part of a Defense-in-Depth strategy.

Defense in Depth

2006-11-17T13:30:00.000-07:00

A recent article in Federal Computer Week “Agencies urged to focus first on policies to protect data” talks about the first step of a good computer program is to have and enforce policies.

Other the next several weeks I’m going to post what I think are the layers of a Defense-in-Depth strategy.

Policies Procedures and Awareness

As the base of the defense-in-depth layer policies, procedures and people are the foundation of the model. The most secure system is only as secure as the person administrating the system or the users accessing it.

The first layer in a multi-layer strategy is the appropriate policies and procedures. So what are the appropriate policies and procedures? There are a number of frameworks such as ISO 17799 and NIST that layout the policies that your origination should have in place. They are all good starting points, chose a framework and begin developing those policies that make sense for your organization.

Then you need to make sure that employees, vendors, contractors and customer know what is expected of them. Make sure they know that security policies exist are and that they will be enforced. Policies must layout the organization philosophy policy on what and how information is protected.

As Stephen Covey likes to say, “Start with the end in mind”. What do you want your security to look like then build polices, procedure and technology around that.

The End of Control As We Know It

2006-11-03T14:05:00.000-07:00

Flocks and Swarms

What creates the greatest fear in IT staff? Is it change? No. Its control. This is the same with most managers. This is why very few employees feel “empowered”. Empowerment is turning over information to employees to allow them to make informed decisions. Many managers and employees feel if you withhold information forcing people to have to come to you for every decision, then you maintain your control.

The best managers are those that establish the vision or big-picture and empower employees to decide the activities to accomplish it.

Great quotes from the article:

“Swarming behavior depends on decentralization of information and that is accomplished by giving everyone in the organization a common big-picture view of the whole organization.”

“Decentralization of control is accomplished by giving everyone a clear set of performance targets that they are motivated to achieve.”

Empowering people to hold themselves accountable for achieving the known organizational objectives is what makes good teams and good companies great. Control is what causes companies and government entities to move slowly. Agile companies are those that can respond quickly to changes or threats because the focus is on the long term objectives, not the current controls and processes. The real challenge for organizations is to have enough controls to move in the right direction and enough empowerment to quickly change when necessary

Add News Links to Blog

2006-10-20T14:47:00.000-06:00

Nothing new to report just a blog update, I've added an RSS feed of news links from my del.icio.us books mark site.

The Luddites within

2006-10-13T17:56:00.000-06:00

The use or feared use of technologies can be one of the greatest challenges facing IT management. This article in CIO talks about the Luddites fighting the new or innovative use of technology from the outside of your company. There are also Luddites within every company including your IT Department. There are many times employees within IT are worried about outsourcing so every new technology or change within the company looks like it part of the plan pushing the company toward outsourcing. As an example recently we changed our billing rates and some rates when up while others were reduced. Employees saw the rates as part of costing the IT services higher than outsourcing companies and as a sign they were about to outsource that service.

Implementing new monitoring or log analysis tools bring out the Luddites that worry they are being watched and management is just trying to catch them doing something wrong so they can be fired. Making sure you communicate, communicate, communicate the real reasons that the technology is being implemented.

Evolution of the Chief Information Security Officer

2006-09-22T13:38:00.000-06:00

A new survey produced by NASCIO outline the changing role of the State CISO position. I’ve experienced first hand this changing role over the last thee years.

A number of years ago Security was something only thought of on the mainframe. If you maintained RACF or ACF2 you were the security person. Then as the distributed computing model involved network staff became security staff. The firewall guy became your security person. For the last few years I’ve tried to merge these staffs with different backgrounds into a Security Office. Both sides needs additional training and insight in to the strengths and needs of the other side. The mainframe has always had great access control while the network and open systems side loves the openness of letting things happen.

The role of CISO was created in our State three years ago. Unfortunately at the time security was reporting to the Operations Manager. As the importance of Security evolved so did the role. After a lot of convincing the position was moved out from under Operations to report to the director of Technology Services. Finally with the consolidation of IT services on a statewide basis the position was finally formalized and now reports to the CIO.

I think this NASCIO survey shows the evolution of the position as well as the security profession from a group of overly paranoid technical geeks that wanted to stop all traffic on the network, to a high level position that understands that Security’s role is really to enable the business function in a safe manner.

Crimeware-Spreading Phishing Site Proliferation

2006-09-08T15:20:00.000-06:00

Growing evidence shows that criminals are moving to the net to make their living. Identity theft is one of the biggest drivers, but not the only means to make money from fraudulent activity on the Internet. A recent report by the US-CERT shows that the number of phishing and fraudulent solicitation sites increase during the hurricane season.

For additional information regarding phishing, US-CERT recommends reading the following documents:

Recommendation include

Do not follow unsolicited web links received in email messages.
Contact your financial institution immediately if you believe your account and/or financial information has been compromised.
Verify the legitimacy of the email by contacting the company directly through a trusted contact number.
Visit the Anti-Phishing Working Group for more information on known phishing attacks.

The Anti-Phishing WorkGroup has released their annual report of Phishing activity. From this report we see that Phishing continues to be a hot avenue for criminal to steal identities, bank account information and even access to your paypal account.

Every week we receive emails that warn of PayPal account access or our account at a bank we never have heard of needs us to verify our information. Phishing studies say that 3% of adult internet users revealed personal information on a phishing site. Why does phishing continue to grow, because it works? Social engineering has always been a useful method to gain access to system. Ask Kevin Mitnick, whose claim to hacking fame almost always included social engineering.

Other information about phishing:

Why Phishing Works

Phishing study

Punished for our own sins.

2006-08-25T16:45:00.000-06:00

Welfare spies sacked

Hundreds of government works were fired, resigned, or faced salary reduction because of an audit by the Human Services Department in Australia. These employees were found to be browsing client records inappropriately. As a security person I believe if you are breaking the rules you are punished. Now did they have adequate protection and policy in place and did those employees know they were breaking the rules.

A while back I read a book called “Spies Among US” by Ira Winkler. This was a great book about how some countries use spying for economic gain. This book ties right in to this news story by Government Computer News (GCN). Red storm rising

DOD’s efforts to stave off nation-state cyberattacks begin with China. I believe China with is vast people resources may truly be our next great challenge, both military as well as economy.

Chinese military writings make it clear that in cyberspace there are no boundaries between military and civilian targets. If crashing a country’s financial system through computer attack will paralyze the foe, that’s all part of the new face of war.

When people ask me why computer security as become such a big thing all of the sudden I point them to stories like this.

Summer Activities

2006-08-04T10:27:00.000-06:00

Busy summer activities have kept me from posting lately. Family vacations, scout camp other youth activities can consume all your time and energy. Maybe this is a viable alternative for hackers to spend their time focused on building the next generation of youth to be responsible citizens and not attacking my systems.

Black Hat Conference

The cost of the Black Hat conference kept us from sending staff this year. In retrospect it is always easier to justify the expense once the press reports on the value of the presentations start coming out. A few items I found of interest:

Wi-Fi Driver Attach Demonstrated

White Hat hackers have demonstrated how to use low-level hacking exploits on wireless drivers to gain control of Apple MacBook PC.

Quotes from Ellch and Maynor describe why they targeted the Apple MacBook, while Windows Wi-Fi drivers are also vulnerable.

“Mac user base aura of smugness on security"

“We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"

Any vendor that stands up and says my product is more secure is going to be a target of every hacker out there. The vendor just presented them with a challenge.

Serious flaw puts Xerox printers at risk:

Demonstrated at the Black Hat conference was a vulnerability in Xerox printers that allowed a hacker to take over the printer’s control software. For years I’ve felt that printers were a good target for hackers because they are often not monitored or even set up by default with passwords and they are almost never patched. Maybe this will get Xerox, HP and other printer manufactures to realize they have a role in securing the network.

Disclosures of breaches

2006-07-03T11:17:00.000-06:00

It seems that it is all the rage to disclose every security breach today. Is this a good or a bad thing? I can see both sides of this. If my bank account data had been disclosed I would want to know. On the other hand when a laptop gets stolen from a business, is it good to let the thief know what they have? Think about the thief who when reading the morning papers discovers they have just stolen a laptop with 26 million names and SSN on it. The value of that laptop just increased. In the past banks often did not release how much a bank robber got away with for multiple reasons. I’m sure some of this was to limit embarrassment to the bank, but it was also to keep other potential robbers from knowing that they could walk out the door with hundreds of thousands of dollars.

There in lies the dilemma; from a personal point of view I want public notification of my data, from the security point of view, I don’t want to disclose more of my weakness than necessary. I also don’t want to be the target of every possible miscreant out there.

The best possible solution is to ensure the proper controls are in place in the first place, not after they fact.

That goes back to my recent post on “What is the True cost of Security?”

What is the true Cost of Security

2006-06-08T07:51:00.000-06:00

Often in security when we try to justify expenditure we use examples of fines and law suits that others have experienced to justify projects. Most of the time I hear people saying it won’t happen here, or that the project cost more than the penalty. Or even “you security guys are overselling the consequences of something happening”.

What is the cost of not being secure?

This week the Veterans Affairs found out.

A law suit is seeking $1,000 for every person in the list of 26.5 million. That is 26.5 BILLION dollars!!! That should get someone’s attentions both locally and nationally. The total budget for Veterans affair is $33.4 Billion. This should also get tax payers attention because we are the ones that ultimately pay for that.

DEPARTMENT OF VETERANS AFFAIRS

AT A GLANCE:

2006 Discretionary Budget Authority (with collections):

$33.4 billion (Increase from 2005: 3 percent)

Angry Veterans Sue VA over Data Loss

The suit seeks $1,000 for each person whose name was listed in the stolen data files and demands that the U.S. Department of Veterans Affairs be forced to use at least minimal security to protect records.

Disconnect between users knowledge and their behavior

2006-06-02T16:15:00.000-06:00

Disconnect between users knowledge and their behavior

A recent survey conducted for the National Cyber Security Alliance (NCSA), says that "Consumers say that they know how to stay safe on the Internet, but they don't practice what they preach". This should not surprise any one in the security field.

I would say this is true with physical security as well as cyber security. For years people have been told not to leave packages on the back seat of their cars. Yet you can walk through any mall parking lot today and find many vehicles with recently purchased items sitting on the back seat of their car.

You ask people not to open email message with attachments from unknown senders and they still do. Like I always tell my kids “You are not a winner, you didn’t win anything.” Don’t click on those glitz ads and phishing emails. Don’t trust the Internet just because it’s the Internet.

While security awareness programs are necessary and help consumers learn what they need to do. The real issue is taking it from training to understanding. In following the OZ principles you must first give people experiences that form the belief that modify their behaviors that get the desired results. The purpose of security awareness programs should to be give people experience that form their belief systems.

Oracle's security chief lambastes faulty coding

2006-05-26T08:01:00.000-06:00

We've got to love the marketing department at most companies. Oracle is no exception. When Oracle rolled out their "unbreakable" campaign a few years ago, I think most of us security types wondered why they would paint such a target on them selves.

Mary Ann Davidson, chief security officer at Oracle Corp., remembers the first time she heard her company's marketing scheme that advertised its database products as
"unbreakable."

"I think my response was, 'What idiotdreamed this up?'" Davidson said Thursday at the W3C conference in Edinburgh, Scotland.

I'm afraid Apple is doing the same with its new adds touting how much more secure they are than Windows. Software engineers always seem to think that their code is “tight”. Unfortunately that type of attitude normally gets them into trouble. Throw down a challenge and someone is
always willing to prove you wrong.

Experts say Mac computers showing more security holes
Viruses targeting Apple's OS X

By Associated Press | May 1, 2006

Making the case for Security

2006-05-22T14:34:00.000-06:00

Is there a case for funding Security?
This has been on my mind a lot lately as I plan projects and funding requests for the next several years. We’ve made a lot of progress in security in the last two years, but the tide is starting to change. More and more I hear other IT areas say “Aren’t you done building security”, “We can’t afford any additional security”. Everyone wants security if some other cost center pays for it.

NASCIO has released a paper on Sustainable Funding to Manage the Risk. It does a good job of outlining the issue around funding security.

New! The IT Security Business Case: Sustainable Funding to Manage the Risks (May 2006)
Produced under the guidance of NASCIO’s Information Security and Privacy Committee, this brief takes a holistic approach to constructing the case for enterprise IT security investment by outlining for the state CIOs the following steps:

Understanding state government’s IT environment that drives the need for security
Constructing an IT security business case in the context of Enterprise Architecture (EA)
Starting with an enterprise-wide IT risk assessment
Making the case for IT security through demonstrating the risks (bolstered by the IT risk assessment results), the benefits of security, and how security aligns with the state’s business needs.

Donn Parker takes an interesting view of getting support for Security. His article appeared in this months (May 06) issue of the ISSA Journal.
Making the Case for Replacing Risk-Based Security
By Donn Parker, CISSP

What are we doing wrong? Is the lack of support for adequate security linked to our risk-based approach to security? Why can’t we make a successful case to management to increase the support for information security? This article addresses these very points and argues that we should replace intangible and unmanageable risk-based information security with security management based on due diligence, compliance and enablement.

The Google employee benefits-at-a-glance

2006-05-17T16:22:00.000-06:00

Sign me up!

Wow how do we get these types of benefits? I'm sure it is not going to happen working for the state government. I guess with 1800 opening Google is always hiring. No wonder Google is producing some the most innovative software and ideas today. Bring in the best and take care of them you produce the best results.

Since we are on the benefits band wagon here is a link to the SANS security salary survey. Something to share with your boss at your next performance review. That is if you aced the review.

Spam Fighter Calls It Quits

2006-05-17T12:59:00.000-06:00

Bluesecuirty's unique business mode of spamming the spammers comes to an end. It is not always a good option to become the aggressor. Attacking those that send spam or have malicious intent often ends in a battle for the most bots. In this case spammers have resources to load up on bots and take down a company’s web site.

We do need to do something about spam, but stooping to there mentality is not the answer.

Best quote from this article is when the spammer says “I'm sick with the spam in my mail boxes, so I don't use email any more.”

SCADA on thin ice

2006-05-17T08:30:00.000-06:00

A number of articles and presentation have been done on the threats surrounding SCADA systems. This growning threat to the countries infrastructure which could be the next be target of domestic and international terrorist.

SANS Webcast on SCADA Security
The SCADA and Process Control Security Procurement Project Update
https://www.sans.org/webcasts/show.php?webcastid=0

Worker gets 10 months for spying on boss

2006-05-16T08:00:00.000-06:00

A former U.S. government security auditor has been sentenced to 10 months in jail and home confinement, after pleading guilty to snooping on his supervisor's computer.

Just a fair warning to all security professoinal that unauthorized access, spying or other activites can lead to criminal action. While I'm sure most of us would like to know more what our boss was doing, spying on them might not be the best method to find out.

Student' CISSPs put cert's value in jeopardy

2006-05-12T16:23:00.000-06:00

Success can be your own worst enemy. The CISSP in the past has been a very prestigious certification. With college and technical schools now looking at offering this as part of the curriculum there is the risk that its value will be diminished. But the important thing is that more people have security knowledge and backgrounds.

Is the CISSP going the way of the MCSE? Now that colleges are beginning to offer the Certified Information Systems Security Professional certification as part of their undergraduate degree programs, this highly valued certification just might lose its luster, much like the once prestigious Microsoft Certified Systems Engineer has.

Colorado State legislature passes bill in support of CISO position

2006-05-12T15:13:00.000-06:00

It would be great if our State would get serious about Security and pass similar legislation.

$4.2 million in funding and 1 FTE? WOW. How do you get that job?

The Colorado State legislature has passed HB06-1157 "Concerning the Security of Communication and Information Resources in Public Agencies" with Senate Amendments; it now goes to Governor Owens for signature. This model legislation provides for the formal appointment by the Governor of a Chief Information Security Officer (CISO) and outlines specific duties and responsibilities of the CISO. It also outlines the responsibilities of Colorado public agencies to develop an information security plan in accordance with CISO guidance. Most importantly, it provides a specific timeline for implementation and also gives the CISO authority to enforce the information security program. This legislation will have a profound effect on our ability to secure the information system resources in Colorado state government. This is not the cleaned-up version the Governor will be signing.

Lets Get Started

2006-05-11T17:06:00.000-06:00

This blog is my chance to cover basic security topics and post security related web site and documents.