Security's Everyman

Saturday, December 30, 2006

Still Secure Podcast

I doubt there are many of you who read my blog who do not also read Alan Shimel at Stillsecureafteralltheseyears.com. A couple of weeks ago Alan emailed and asked me and several other security bloggers to participate in the year-end Stillsecureafteralltheseyears podcast. He has posted the podcast today and it is available at his site.

Thursday, December 28, 2006

Improving Security Awareness

There is a lot of talk about what is most important in security (here, here, and others that I can't find at the moment): protecting against hackers trying to get in from the outside, or keeping the insiders from taking stuff outside. Both of these are valid concerns that we need to keep a handle on. Protecting the perimeter and even endpoints is pretty straightforward. Keeping people from walking out the door with data is a different story. It requires different methods of protection and detection. There is a third area of concern that I see. It is usually lumped in with keeping the bad guy out, but the way he gets in is different. He comes in through the front door on a laptop that was compromised outside of the office.

For companies with large IT staffs and budgets this may not be a big deal, but for most small companies this is a major concern. With the prevalence of vulnerabilities, the ease of getting something undesirable on your system, the lack of user awareness and the increase in user apathy, this is a major problem. Small companies' IT departments are already understaffed and have too much work to do. They don't have the staff or budget for stellar security products and are at the mercy of their users. They have to rely on their users being careful and cautious. The problem is that most users don't think about (or even know about) the dangers that lurk out there. They don't realize (and often don't care) that the porn sites they go to are full of malicious code. They don't realize that the airport and hotel wi-fi are often compromised. They don't think about the fact that email is sent in clear text and can be read by anyone who captures it, nor do they heed our warnings not to click on email links or open attachments.

It's not the disgruntled user, the sneaky hacker, or the money hungry insider that concerns me the most. It's the unaware, apathetic user who thinks that they can do as they please with their company owned and issued PC. A rootkit or piece of spyware that is on a machine is more dangerous than someone randomly scanning ports looking for a way to sneak into the network. It is even worse than most determined attempts to break in from the outside. Once they are on the machine they don't have to look for a way in. They are already in.

User awareness training has to be a major focus. It has to be improved so that it becomes more effective. It has to get the attention of the user and it has to have relevance to them. If they don't realize the potential impact to the company and how that can potentially affect them, then they won't take the necessary precautions. They don't have to clean up the mess. They don't have to try and repair the damage. They don't have to worry about the potential impact to the stock price or have to answer to the board. Therefore, they don't really care. Making them care is the key to effective security awareness training.

Wednesday, December 27, 2006

WOOOO HOOOO!!!!

I just received word that I passed the CISSP exam. Now I have to get my endorsement form filled out and send them my work history to prove that I have at least 4 years of security experience. It feels good to have that behind me.

Friday, December 22, 2006

MERRY CHRISTMAS!!!!

I hope that everyone has a great Christmas and enjoys the time off work (hopefully) and with your family.

Thinking Differently in 2007

I've read a couple of posts (one from Ross Brown of Technobabylon and one from Andrew Hickey of SearchNetworking.com) that have spurred my thoughts on 2007. We all know that the bad guys are getting better and the good guys usually play catch-up. Most small companies, and many larger ones, don't have the financial or manpower resources to adequately test their network for functionality, much less for security weaknesses beyond the "obvious" ones. Keeping up with everything that needs to be done can be daunting no matter the size of your organization or network.

If we are to make 2007 and forward successful from a security and networking standpoint we have to change our thinking. We have to take steps, big or small, to change how we view things and therefore how we design, build, maintain and protect our networks and data. We can't continue to do things as we've always done them. Maintaining the status quo may make you feel good and often look good on the books or to Senior Management, but that doesn't mean that it is what's best for the company.

Ross talks about being creative in our thinking as we assess our security. Some of his suggestions are good, but some are not achievable by many small companies with limited resources, at least not without putting more work on an already overworked staff. Yet that IT staff isn't left out in the cold either. They just need to take a few minutes and think about how they currently do things and what small thing they can change that will either save them time or allow them to see their security from a different perspective. Those small changes may be just what is needed to prevent a problem. At the very least, if they are well thought out they will work together over time to make you more secure.

We also have to look at why we are doing what we are doing. It's easy to not rock the boat, but sometimes the boat needs rocking. We're in the process of building a new network at work. Our CIO wanted to put in a Frame Relay network and build it just like every other network he has ever built. Why? Not because it was necessarily the best option but because it is what he knows. It has worked in the past and he is comfortable with it. When I mentioned other options he gave me the opportunity to build my case and convince him why something else would better suit our needs. As we have been talking with various vendors and looking at different options we could have continued to stick with the "tried and true" or followed the advice of the vendor on how to "best" build this portion of our network. Doing so would have been easy, but not necessarily the best option for our business. Many things that were suggested were overkill for our environment or they would not have given us the needed flexibility for future implementations that are planned. We had to think differently than we did in the past to make these decisions.

I know you are thinking this is common sense, and you are right. Who, in their right mind, blindly follows their vendor's recommendations? Who continues to do things "because that's the way we've always done it"? Many, many people and companies do just that. That is the problem. That is why companies continue to struggle with security. They either overdo it or don't have the infrastructure to support what they need, so they do without.

One quick story and then I'll stop. I have a friend who works for a company that uses Symantec AV. He tried to talk his boss into switching to another vendor, but his boss said, "Why change? I've used Symantec for years and never had any problems." Now, for the second time in a year, he is having to patch major holes in all of his Symantec clients. A change in thinking could have prevented this unnecessary extra work and left them safer in the long run.

So as you move into 2007 think about how you think about your job. Look at how you do things and come up with different ways to "shake things up". Obviously don't do anything different without testing it and getting proper approval, but most importantly don't stay stagnant in your thinking. Even if you aren't able to implement some of your ideas they will make you a better security practitioner or network guru just because you stretched your mind.

Thursday, December 21, 2006

There must be something in the NJ water.

OK, what is going on with Sys Admins in New Jersey? Now we have 2 high profile cases of logic bombs being set in New Jersey by disgruntled Sys Admins. I just don't understand the mindset of someone who would get so upset over something that they would be willing to potentially destroy a company and the jobs of those who work for the company. Not to mention the downstream effect that it could have.

Don't get me wrong. I get upset with my boss and even my company as a whole at times. I've been done wrong in the past. I've worked my butt off only to have a boss take the credit. I've worked long hours and never even gotten a thank you from management. I've been promised things that were never delivered. Lost "guaranteed" bonuses. On and on and on and on. Yet it never entered my mind to try and destroy the company. Planting a logic bomb or erasing data........ never even considered it.

In 2002 my wife was pregnant with our first child. I was the WAN Security Administrator for a small regional financial services company. My boss called me in one day and told me that he wanted me to start researching some companies that we could outsource some functions to. He gave me a list of requirements and off I went. As I looked over the requirements it hit me that MY job was what I was asked to find a replacement for, among other things. You can read a little about it in this Redmond Magazine article. It's about halfway through the article under the heading "Hiring Your Replacement". Did I get mad and devise ways to bring the company to its knees? No, I did as I was asked. The way I figured it, I worked for them and this was a project that I had been given. As long as it wasn't illegal or unethical, who was I to refuse to do it? Of course I had to do some work after hours to get things in place to get a new job, but I still did my current position to the best of my ability. I did find a company to outsource my job to, I did get laid off, and I left in good standing. After about a year they decided that outsourcing the job wasn't the way to go and brought the position back in house. Since I had left in good standing I could have gone back to that position if I wanted.

Things worked out well for me in the long run. I was able to get a position that allowed me to learn many new things that I would not have learned otherwise. I'm making more money and my career is heading in the direction that I want it to. I'd say that is much better than being bitter and hoping that my logic bomb puts them out of business. Not to mention now I don't have to worry about how do I keep "Bubba" from trying to be my boyfriend.

Wednesday, December 20, 2006

Phishing for Users

Somehow I missed this on Monday, but thanks to my buddy Mike at TDI it hit my radar this morning. I agree completely with Mike in his assessment that this is part of security awareness. I can't say that I have done it, but I have given it serious thought. There are a couple of reasons why I haven't done it. First, I haven't had the spare time. Second, I pretty much know how the users will fare. Most of them will fail miserably. Many of them already share their passwords freely with one another. They leave their machines unattended while logged on. If I ask for a password they give it w/o reservation. I've often wondered if we shouldn't make everyone that worked with a user change their password when that user leaves. Chances are that he or she knows at least one other person's user name and password.

Security Awareness Training is an area that needs lots and lots of work. Most of it that I have seen and been through is focused on meeting regulatory compliance. It serves no real purpose and teaches nothing of value, at least not in a way that will be retained by the users. That is one reason that I'm hoping that once my company is completely on its own I will be given the go-ahead to do real security awareness training and employ a few "unconventional" methods to teach the lessons.

Tuesday, December 19, 2006

This is going too far

Bruce Schneier writes about a new Cell Phone Service that actually acts as a bug and records 1/3 of the audio it picks up. These devices are supposed to be "marketing" tools, but in reality they are privacy invaders. Obviously this is not something to take lightly. Our privacy is getting to be harder and harder to protect. Now we have to deal with something such as this.

One of the comments that was posted said that the people choose to sign up for it so it's their choice to give up their privacy. That may be so but it's not my choice to give up my privacy if I happen to be talking to you or within recording distance of you. Many people just don't get it that they don't live on an island all by themselves. The choices you make will affect others.

Taking the high road.

It's good to see someone doing the right thing. The AT&T / BellSouth merger has been the topic of lots of discussion over the last few months. Whether you approve of it or not, you have to like the fact that Robert McDowell is taking the high road and refusing to vote because of a conflict of interest. You can read more about it here.

14 Years

Today I have been married 14 years.

Happy Anniversary Jennifer. I Love You!

Monday, December 18, 2006

What were they thinking?

Well, hopefully I'm back to regular postings. I still have lots going on at work and of course Christmas time is keeping me busy, but I took the CISSP test on Saturday and so I no longer have to spend my spare time studying. That should give me enough time to blog again.

I got to work this morning and noticed a "suspicious" looking individual sitting in an empty cube connecting his laptop to the network jack. He didn't really look too suspicious, but he looked like an auditor (we all know that auditors are suspicious) :). Then I noticed two others looking around for network jacks in other cubes. I didn't bother to tell them that they were not hot. I figured that if Accounting wasn't going to tell me that we had auditors coming in that would need network access I'd make them tell me when they couldn't get to the Internet. Once they asked I set them up with guest access to the Internet.

It just baffles me that this stuff still goes on. Everyone still wants free, unfettered access to do whatever they want regardless of the risk it puts the company at. What gets me even more is that auditors, the very people who come to tell us what we are doing wrong, bring in wireless APs expecting to connect them to the network, try to connect their laptops to the network, and expect to be able to have access to secure resources.

Obviously there was a failure on several fronts here. First, the accounting department should have informed me that auditors were coming and would need access to the Internet. Any other resources (printers, folders, files, etc) should have also been listed so that they could be gathered and put in a secure place that the auditors could access w/o opening up the whole network to them. I also think that the auditor has some responsibility. In today's world where everyone is screaming about the importance of being compliant the auditors should do their part. Requesting Internet access would have been a good place to start. NOT attempting to connect to the network until they had been cleared to do so would have also been a good first step.

Maybe I'm the only one in the company who sees this as a big deal, but as long as I'm responsible for the security of the network they will play by the rules set forth in our policies.

Thursday, December 14, 2006

I got an email from eBay............

This morning I was greeted at the door by an employee who was all upset because she had received an email from eBay telling her that they had suspended her account. Below is a summary of the conversation.

Me: "Your account wasn't suspended. It's a scam."
Her: "I don't know, the email looks official."
Me: "Yeah, they do a really good job, but it's a scam."
Her jaw dropped.
Me: You didn't click on the link did you?
Her: Yes
Me: Never, ever, ever, ever, ever, ever, ever, ever, ever, ever, ever, ever click on a link in an email. You know better than that. Unless you know beyond a shadow of a doubt that it is a legitimate link and you know who sent it and that they were going to send it to you.
Her: But it looked so real.
Me: Did you log in to the site?
Her: Umm, yeah.
Me: Did you give them your credit card info?
Her: Well, I started to but they were asking for my PIN and security panel number so I came to you.
Me: Whew!

I then went with her to her computer and showed her how to spot these scams and had her log into eBay and change her password.

I get asked by friends, family, and co-workers all of the time about this email or that link, but I've never known anyone who actually fell for it. At least she was alert enough not to fall all the way in.

Thursday, December 07, 2006

Compliance is NOT a driving factor

I found a new blog (new for me) today when they linked to my Compliance posting. I know no harm was meant but I took offense to their accusation that I was letting the wrong thing drive my priorities. All that aside their blog looks to be interesting. I have added it to my feeds so I can keep up with what they have to say and learn from them.

Maybe a little clarification is in order. I think they misunderstood me. I've mentioned before about the major changes coming down the pike for my company. Part of that involves having to bring compliance issues in house that were being handled by a business partner. That means that like it or not, ready or not I have some catching up to do and I have to do it fast. I have to put some things in place to help me prove my compliance. True there were vendors there selling their hype but they are not what made me feel better. I've been doing this too long and dealing with vendors too long to buy into that. I spend roughly 35% of my time dealing with vendors. I know that they play games and I know how to play their games.

What made me feel better was talking to people who have been dealing with compliance issues for several years. They are the ones who gave me tips, hints and ideas that give me some hope in what looked to be an overwhelming task. I still have lots to do and will still have to spend lots of money. Not because spending money makes me compliant, but getting the pieces in place is not a cheap venture when you are starting from scratch.

Compliance is not driving my priorities. Security is driving my priorities. Compliance is just a piece of the puzzle that I have to put together. My priorities have always been a secure network and infrastructure whether or not I had to prove compliance. I practice the mantra "A secure network will almost always be compliant, but a compliant network will not always be secure".

Feeling better about compliance

On Tuesday I attended a day-long seminar on Compliance that focused on Risk Management. It was put on by the guys at Tech Target and SearchSecurity.com. I wasn't expecting much for several reasons. Primarily it was free (vendor sponsored) and it was only a day. What can they tell you in a day that you probably don't already know? Actually, more than I expected. It was a very well done seminar. There were 4 main speakers, a vendor Q&A session and of course the vendor arena.

With everything that is going on at work I almost decided not to go, but at the last minute decided that it may be worth it if for nothing else than to get me out of the office for a while so I didn't have to think too much about all that I have to do. Also, compliance is coming at me hard and fast and I wanted a "refresher" and hopefully a new perspective on what is coming. I was not disappointed in the least. The speakers were informative and entertaining. If you have done much in the field of compliance or risk management you know that they can be boring if left to themselves. Of course the best part of it was the peer networking that goes on at events such as this. The value of a good network can't be overlooked.

What I brought away from the day was actually encouraging. Compliance is still looming over my head, but I actually feel pretty good about getting a handle on it. It will take a lot of work and a fair amount of money, but I don't think it's going to be the bear that I had imagined (knock on wood). I also found out that I am NOT subject to PCI!!!!!! I spoke with the Risk Manager and Information Security Officer for a large Financial Institution who is very well versed on PCI and its implications for various institutions. This was a difficult question to get a straight answer to. Every person that I talked to gave me different answers, but most of them qualified their answer with "I think" or "I believe". The guy I spoke with is doing things the same way that we will be doing them, and he said that they don't even look at PCI except for the framework of it and the benefit that can be gained by that.

Well, it's back to the grind. I've got to place my Cisco order today or I won't have routers and switches to have my WAN in place in time. Not a good thought.

Wednesday, December 06, 2006

Drowning in everything

For the next couple of weeks I probably won't post very much. Between work and the holidays I barely have time to eat. Please keep checking the feed and site and I'll post when I can.

Thursday, November 30, 2006

Refreshing Vendor Story

I met with a Security Vendor today. I told him what I wanted and he told me that his company could do it but that they usually did not work with financial institutions because that was not their specialty. He said that they felt better giving a referral to a competitor than giving us below par security. I kept waiting for him to start laughing but he was serious. He said that they are great at what they do, but for our industry they just chose to stay out. How often does that happen?

Logs and Blogs

One of the great things about blogging is that you have a topic that you want to comment on. You say what's on your mind and often someone else will pick it up and run with it. Sometimes what they have to say is in opposition to your point of view and sometimes it supports and builds upon it. That is what Martin McKeay does in his post about logs. I wrote my post with the intent of illustrating how important it is to review your logs. He read it and then built on it by talking about some good ways to keep your logs somewhat manageable. It's kinda like having a conversation with another guy on your security team, except we get to share it with our millions thousands a few others who read our blogs. Now if I could just get him to fly to Georgia and set up my new log monitoring software so I don't have to do it myself.

The Importance of Logs (and looking at them)

This post was prompted by Dr. Anton Chuvakin and his post on ignoring logs. I've mentioned this story before briefly here but felt that more detail would be beneficial to those debating the merit of reviewing log files. There may not be anything more boring in Security than reviewing log files, but there also may not be much that is more important.

A few years ago I did a stint as a Consultant for a small Kentucky company. Shortly after I started, a customer called with an emergency. The guy who worked this account was on vacation so I went to investigate the problem. They were having problems authenticating users to the domain and therefore many resources were unreachable. I asked the standard questions about what had changed recently or whether anything new had been added to the network. They assured me that nothing had changed or been added. After having them show me exactly what they were doing and seeing what was happening, I started looking at the DC to see what I could find. In reviewing the Security logs I noticed that a new administrator-privileged account had been created 2 weeks earlier. After waiting 2 weeks to ensure that the account had not been discovered, the hacker then proceeded to load file sharing software on the server and copies of 4 of the latest movies (2 of them weren't even in theaters yet). Every time the P2P application ran it disrupted AD on the server and caused users to lose their credentials.

How did this happen? There were at least 2 MAJOR mistakes made here. First, the server, which was the Global Catalog and primary Active Directory server, was dual-homed: one NIC was on the internal network and the other NIC was on the Internet so partners could get to it for FTP transfers. I won't even comment on that. The second problem was that they were not monitoring logs. They did a lot of network performance monitoring and WAN connectivity monitoring, things that look cool on graphs and have a little sexiness to them, but they ignored the mundane, boring task of log monitoring. Had they been doing so they would have noticed the new administrator account and deleted it. Then they could have investigated how it happened and closed up the hole that the truck drove through.

Luckily this turned out to be just a big nuisance. I was able to repair the damage, remove the P2P app, restore everything and get them back up and running in about 4 hours. Nothing else seemed to have gone awry during this. My investigation didn't turn up any other mischief. Needless to say the first order of business after that was to build them a new FTP server that sat on the DMZ all by itself. Then we implemented a log monitoring program to ensure that this didn't happen again. I stayed with the consulting firm for a year after that and no other issues were reported so either they were successful in keeping the bad guys out or too embarrassed to let it be known that it happened again.
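The kind of routine review that would have caught the new administrator account in the story above, as an added example that is not from the post: a short Python script run over a constructed, simplified export of Windows Security events. The event IDs are real (4720 user account created, 4728/4732 member added to a security-enabled global/local group; 624/632/636 are the equivalents on Windows 2000/2003 domain controllers), but the pipe-delimited export format, the account names and the business-hours assumption are made up for this example.

```python
"""Flag newly created accounts that land in privileged groups by reading
Windows Security events. The export format below is constructed for this
example; the event IDs are the real Windows Security event IDs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Windows 2000/2003 used 624/632/636 for the same three events that Vista and
# later log as 4720/4728/4732, so normalize old DC logs to the newer IDs.
LEGACY_IDS = {624: 4720, 632: 4728, 636: 4732}
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins",
                     "Schema Admins", "Account Operators"}
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time

# Constructed sample export, one event per line:
# timestamp|event_id|subject (who did it)|target (account acted on)|group
SAMPLE_LOG = """\
2006-11-01T02:13:05|624|DOMAIN\\Administrator|DOMAIN\\svc_backup|
2006-11-01T02:13:41|632|DOMAIN\\Administrator|DOMAIN\\svc_backup|Domain Admins
2006-11-02T09:05:12|4720|DOMAIN\\hr_mgr|DOMAIN\\jsmith|
2006-11-02T09:06:00|4728|DOMAIN\\hr_mgr|DOMAIN\\jsmith|Domain Users
2006-11-03T11:30:00|4732|DOMAIN\\Administrator|DOMAIN\\jsmith|Remote Desktop Users
2006-11-03T23:45:00|4732|DOMAIN\\svc_backup|DOMAIN\\oldacct|Administrators
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    subject: str  # account that performed the action
    target: str   # account that was created or added to a group
    group: str    # group name for membership events, otherwise ""


def parse_events(text: str) -> List[Event]:
    """Parse the constructed export into Events, normalizing legacy IDs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|", 4)
        event_id = int(eid)
        events.append(Event(datetime.fromisoformat(ts),
                            LEGACY_IDS.get(event_id, event_id),
                            subject, target, group))
    return sorted(events, key=lambda e: e.ts)


def accounts_created(events: List[Event]) -> List[str]:
    """Every account creation is worth a daily glance, whoever created it."""
    return [e.target for e in events if e.event_id == ACCOUNT_CREATED]


def review_account_events(events: List[Event],
                          window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Return one finding per addition to a privileged group, with reasons:
    a fresh account being made admin, an existing account being escalated,
    and changes made outside business hours."""
    created: Dict[str, Event] = {}
    findings: List[Dict] = []
    for ev in events:
        if ev.event_id == ACCOUNT_CREATED:
            created[ev.target] = ev
            continue
        if ev.event_id not in GROUP_MEMBER_ADDED or ev.group not in PRIVILEGED_GROUPS:
            continue
        reasons = [f"added to privileged group '{ev.group}' by {ev.subject}"]
        origin = created.get(ev.target)
        if origin and ev.ts - origin.ts <= window:
            delta = int((ev.ts - origin.ts).total_seconds())
            reasons.append(f"account created {delta}s earlier by {origin.subject}")
            if origin.ts.hour not in BUSINESS_HOURS:
                reasons.append("created outside business hours")
        else:
            reasons.append("existing account escalated (no creation event in window)")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("group change outside business hours")
        findings.append({"target": ev.target, "when": ev.ts.isoformat(),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    print("accounts created:", accounts_created(parsed))
    for finding in review_account_events(parsed):
        print(finding["when"], finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The second finding shows the newly created account being used as the subject of a later change, which is the sort of follow-on activity a daily review would surface long before a two-week wait ran out.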

More Physical Security

As I've mentioned in past posts I work for a small company and my role is multifaceted. I was hired for IT Security but that quickly morphed into managing all IT functions (if it plugs in, turns on, or looks technical it's mine), project management for new branch openings, managing facilities, and physical security. A lot of this has been trivial due to partnerships that we have had with other companies. I did little day to day, hands on with a lot of these areas. I just managed the vendors, partners and people who did the day to day. All of that is changing. The company that we partnered with that did a lot of this is parting ways with us. Come the first of February we will have brought all these things in house. Some of it will still be outsourced, but the direct responsibility of it will be on my team.

Because of the nature of our business and the location of many of our offices, physical security is a BIG deal. Prior to this job I had very little experience with physical security beyond typical IT physical security: server room access and monitoring and such. I got this responsibility because I have a security mindset like The Mogull talks about here. Now that I'm responsible for ALL aspects, I'm learning lots of new things that are being done in the realm of physical security. There is some pretty cool stuff, and what is really great is the convergence of physical security and the rest of IT. We're in the middle of talks with various vendors to get all of the pieces in place prior to February, and choosing the right vendor for each piece will be critical to the safety of our employees and the success of our business. Luckily my inexperience in this area is offset by my security mindset and by others in the company who have been in this and similar industries for many years. They are not security experts, but they have seen and experienced lots of things that add value to my information gathering. I'm getting hints, tips and ideas from executives, hourly employees and everyone in between. It's good to know that even if most of my users don't get IT security, at least they are thinking about physical security and have something to add.

Wednesday, November 29, 2006

My Day

Michael Farnum wrote about his talk to Alert Logic. He was talking to the sales staff about what a typical SMB Security Manager's day looks like. I wish more people knew what our days look like. I especially enjoyed the "maybes" beside Lunch and Drive Home. I can't recall the number of times that I've missed lunch and putting my girls to bed because of work. I really don't think that most people realize all that we have to do each day, especially those of us in the SMB world: one person working in a department such as security (and often, as in my case, one person doing most everything IT related). I'm amazed at the number of people who either email, call or come to my desk and expect me to drop everything to fix their problem. Sometimes they are justified, but most times they are petty and surely don't justify me dropping everything. Yet the user often thinks that because their mouse ball needs cleaning I don't have anything better to do.

If Michael doesn't mind I may just post his "typical" day on my door and maybe even email it to everyone in my company. Maybe I'll get some peace and quiet then. Nah, it'll never happen.

The No's have it.

Kevin Devin writes on his blog about how we write policies that tell users what they can and can't do. When it comes to user education we often focus on the "do nots" as opposed to the "can dos". We all know that giving a list of "do nots" usually raises the curiosity level of people and often encourages them to explore the "dark side". For those of you who have kids you know what I'm talking about.

Kevin wonders what it would be like to give our users a list of things that they can do with their laptops, and portable devices, as well as any company resource. He is right in noting that it would be a longer document but it could provide some good direction for our users. I know from personal experience users often look at IT (and more lately the security team) as those "kill joys that want to control everything". Having a list of things that they can do would go a long way towards improving our reputation. Not that our reputation is important compared to keeping things secure.

Even though it may provide benefits I think that going down that road is not a good idea. Too much room for wiggle. I can see users thinking that there is an "implied" clause that allows them to do "a" because it is similar to "b". Having a clearly defined policy that sets boundaries, defines the consequences for exceeding them and is enforced is the best way to keep things in check.

Tuesday, November 28, 2006

The flash is falling, the flash is falling!!

Clement Dupuis posted a response to a message from a cccure.org member about his decision to use flash for a presentation that he is offering on his site. The guy had some valid arguments as to why flash can be a danger to use. He then shot himself in the foot by spouting off his "research" into the dangers of flash. What he failed to do was review the results of his research and make sure that they were relevant to his topic.

We are all susceptible to this. We get a notion in our head and run with it. We do some quick "research" on Google and declare our hypothesis as truth. Security is serious business and we all do well to take it seriously, but we also need to make sure that the case we build is built on fact and not FUD. This is the kind of stuff that makes it hard to get management on our side. We play the part of Chicken Little and look like a nut case. Even if our concerns are valid we have to be smart about how we deal with them. When we rush to judgement we make bad decisions, or often look like fools in making good decisions. Some say that they don't mind looking like a fool or a control freak if it keeps the network safer, but I say that you can keep it safe and keep the rest of the company from thinking that IT is a bunch of nuts at the same time. It just takes common sense.

Why don't I like the sound of this?

This article on CNET.com makes my skin crawl. I know it's not new information but it just doesn't sit well with me. They say that because the microphones are 3 to 4 meters off the ground they can't pick up normal conversations, but we all know that it won't take much to change that. These are the things that are slowly stealing our privacy and rights.

Trouble waiting to happen?

Here is a really good idea that I'm afraid has the potential to go really bad. This is open source software that basically sets up a Tor-type network to allow people to anonymously connect to the web from countries that restrict what users can do on the internet. What scares me about this (I only know what I read so maybe I'm way off base) is that since it is open source it possibly could be modified by someone with less than good intentions to do all sorts of bad things: turning the machines that connect to the "bad" server into spam bots, infecting them with trojans and other malware, decrypting the session and stealing personal data. There is a long list of possibilities.

Did you forget something?

I hope everyone had a great Thanksgiving and got plenty of rest for the year end nightmare that we call IT Security. I know for me it's gonna be a wild, fast ride.

DarkReading.com has a pretty interesting article, The 10 Most Overlooked Aspects of Security. It also fits pretty well with my post last week, What I Worry About. Most of it is common sense things that are often overlooked either by accident or by someone who is inexperienced or lazy, but it's good to be reminded from time to time about things that can slip past our radar. One of the things that I like about this article is that each of the 10 items has a page to itself with a little more detail and even some tips on how to prevent and reduce the impact of these items. It's not a thesis on security but it's pretty good reading to keep you on your toes.

Wednesday, November 22, 2006

I Won

I just finished one of the most draining things of my career. As I have mentioned we are making BIG changes at work and part of that involves bringing our WAN infrastructure under our control instead of an outside entity. There was a fight to let our telco manage the whole thing versus having it brought in house. I wanted in house for several reasons and fought long and hard to convince management that it was worth it. We looked at numbers, pros, cons, scenario A - Z of what could go right or wrong. Just when we thought that one side was going to win something would change or a new pro or con would come up that gave new life to the other side's argument. It was mentally draining and consumed way too much time. Well we finally reached a decision today and my argument prevailed. I was able to convince all of the parties that it was best to bring it in house.

Having the telco manage it tied our hands. We would not have access to the routers and any changes that we wanted to make would have to be submitted to them for review and approval. That could take several days. We currently do have some hosted services at a CoLo and there have been 3 different times when the translation table on the PIX firewall got corrupted and it caused all incoming traffic to our server to be dropped. That doesn't work well when you have customers that use that server to conduct business. All three times I called the help desk and told them what was wrong and what needed to be done to correct the problem. It took them 4 hours each time to fix it. That is 4 hours of down time that we really didn't need. That argument worked in my favor in getting this brought in house.

Anyway, I'm happy now.

Hope Y'all have a great Thanksgiving.

Tuesday, November 21, 2006

Fast Security

I'm playing catchup before getting behind with the holidays so I'm posting more than usual today. Plus there is just more out there that is catching my attention today. Like this post from Richard Bejtlich of TaoSecurity. Someone sent him an email asking Richard to impart all of his security wisdom in a quick and simple format. Maybe this guy is a fast learner and could glean all of Richard's knowledge in record time. Probably not though. In all likelihood this guy is probably an executive who really thinks that security is that quick and easy. Just kidding, but it does seem that upper management thinks that we can work miracles.

I've been in IT for 10 years and doing Security for 6 of them. I've read books, attended classes, played with various technologies and such for much of that time and I still am not where I want to be in my skills or knowledge. It seems like I always see someone that knows much more than me. But I keep plugging along learning what I can as I go. I'll be glad to help this guy or anyone else who really wants to learn security (not that I could teach nearly as much as Richard), but there is one condition. They have to realize that it takes work, discipline, lots of time and there are NO shortcuts.

IPV6

Link to StillSecure, After All These Years: Is IPv6 in your future? If so, when?

Alan Shimel asks if IPV6 is in my future. As a small shop I know that v6 is a long, long, long way off. We have no compelling business reason to convert. It is my bet that most companies will hold off until they are forced to convert. Until it gets to the point that business is hampered by staying with v4 most companies will stay there. Converting is going to cost lots of money and require lots of testing. You have to have people on staff who understand v6 and who can troubleshoot it. As with most things the market will dictate how quickly something is adopted. As long as most companies have no need for it then it will be slow in coming. The Federal Government is forcing the change on some and that will speed it up somewhat, but it's still years away.

The right bait

I often get phishing emails. They don't bother me because I'm aware of them and I'm very careful before clicking on links. Every now and then I get one that catches my attention and I check into it a little further before declaring it as phish. This morning I got one that made my heart beat a little faster and made me quickly check my paypal account. Below is the text of the email.

You have added restenterprises@yahoo.com as a new email address for
your PayPal account.

If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service at:

https://www.paypal.com/us/cgi-bin/webscr=_email-login

Thank you for using PayPal!
The PayPal Team


Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and choose
the "Help" link in the header of any page.

-----------------------------------------------------------------
                     PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape)
and typing in the PayPal URL every time you log in to your account.

-----------------------------------------------------------------


PayPal Email ID PP0018

HHIKCSLWEFSWXIRMDXOCHIDSSJDZBRRBYLDHYC

What really scared me about this is that it came to the email account that I have registered with PayPal. Most of the phishing emails I get don't come to the address that I have registered with the site in question, or if it is the email is so obviously fake that I know it right away. It didn't take too much investigation to discover that the link is redirected to somewhere in the Asia/Pacific rim but it still gave a little jump to my blood pressure. I can't imagine what I would have done if I was the typical uninformed user. I hate to think that I would have just opened up my PayPal account to Joe Hacker. Even after confirming that it was a phish I still logged in to PayPal to make sure. I still had a sinking feeling that I had been compromised. I need to go take a shower. This makes me feel violated.

Data Backup and Recovery

The Mogull wrote a blog post about a valuable but mostly unwanted Christmas gift yesterday. His recommendation was a reliable and easy backup system for home PCs. Not a bad idea. Actually it's a pretty good gift idea. I can't count the number of times that I've had either friends, family, coworkers, or clients call me and say with a tremble in their voice that their system crashed and won't come back up. Many times the hard drive was wasted and all of their data, and often memories, was lost. A good backup system would have saved a lot of heartache. Especially since more and more we are storing everything on our PCs. Tax returns, pictures, work documents, etc... Obviously a backup isn't fool proof. It has its weaknesses. It's often hard to use and it's still vulnerable to defective drives, bad backups, and disasters that may befall your home. Other options are online backup services. I'm not crazy about these myself because of the fact that you are storing possibly valuable personal information about yourself on a stranger's server. If you choose this option make sure you use a reputable service.

One other thing that I have found useful is having good data recovery tools at your disposal for those times when you receive those calls from friends and family. I know these often aren't cheap, but they can save a lot of pain for those who have no backup. My personal favorite is SpinRite by Steve Gibson of GRC and the SecurityNow! netcast. I have used it many times to recover data and bring "dead" PCs back to life.

Finding the right gift for those on our list who are heavy PC users is often an easy task. Think smart instead of easy. A fun PC game or toy is nice, but it's not much good if your system dies and all your data is lost.

Monday, November 20, 2006

What I Worry About

As the primary IT guy and security guru for my company I have lots to worry about. I don't worry about my data circuits, my servers (too much), my routers or firewalls (unless I need support for my Barracuda). I don't worry about most of these things.

What I do worry about is security. What "evil" is lurking out there trying to ruin my day and get at my data. I worry about viruses, worms, trojans, rootkits and keystroke loggers. I worry about remote users who are at Wifi HotSpots while I'm waiting on the vendor to fix a driver vulnerability. I worry about someone sniffing my wireless and getting on it and thus gaining access to my network. I worry about who it was that left FTP open on my firewall all weekend (since no one remembers doing it). I worry about home users using their laptop from home to connect to the VPN while "hitching a ride" on their neighbor's unsecured wireless. I worry about all the IM traffic that crosses my network (especially the user who practices IM Sex). I worry about the users who have USB thumb drives and iPods connected to their machine. I worry about the users who have local admin rights on their machine because some program that they use requires it. I worry about spammers and phishers and users who click on links and attachments.

That's enough to drive any security nut even nuttier. That was how my IT life was, but luckily it has and is changing. It's still not perfect. The tools are slowly getting put in place to reduce or eliminate these things and hopefully make my life easier. But until then I worry............

More woes of small shop IT and our struggle to make it through the day.

The Big Question

Michael Farnum of The Information Security Place blog wrote a post about the pros and cons of being either a generalist or a specialist when it comes to IT. This is the big question facing most people when they decide on going into IT. I know that for myself I often struggle with this question even after 10 years in IT. Just in case that comment didn't give it away I consider myself a generalist with a strong foundation in Security.

When I first got into IT I considered programming. Then I figured out that I don't think like a programmer. Then I went down the Novell path because that is what my employer wanted. Then I moved into the world of NT and decided that becoming an MCSE and an MCT was the way. Then I discovered that there really was a use for all the OSI stuff that I had to learn and realized that some really exciting stuff could be done in the world of Cisco. That's when I discovered security. Ever since then I have focused my energies on Security and learning more and more about how to keep my systems safe and teach others how to do the same.

I guess being a specialist is my desire, but being a generalist has been my lot in IT. As I have gone from place to place I have never really been able to focus solely on security because I've always been with smaller companies. I like that in many ways because it keeps variety in my job, keeps me up on other areas of IT besides security and helps me see how security fits into other areas that I might miss otherwise.

I think that someone coming into IT should spend a few years as a generalist just so they get a good foundation of different technologies and then, as they mature, focus on where their passion is. If it's programming, security, networking, DBA, whatever it is, do it with all you have.

Friday, November 17, 2006

The Physical Part of Security

One of the unique and sometimes exciting parts of working for a small company is that you often get to do things that don't fall under your normal duties. For me that means that I do a lot of things that are not IT or Security related and often some things that I really don't want to do. But I do get to do a fair amount of Project Management. Both IT related and non-IT related.

Today I did something that falls under the unrelated, yet it still relates. I did a site survey of a new location but my primary concern was physical security. I was looking at things such as lighting, ingress and egress points into the building, building materials used on both external and internal walls, ceiling and crawlspace access, objects that could obstruct the view or easily hide someone, etc... Those of you who have taken the CISSP test or who are studying for it are at least a little familiar with these issues because they are covered on the test.

Physical security has been a part of my job since my early days with the company, but it always focused on video, alarms and locks. This was a new area for me and it was pretty cool getting to put my training to work. I don't think I would want to do it for a living, but something new always brings a sense of adventure.

Thursday, November 16, 2006

Barracuda Update

Yesterday was another interesting day with my Barracuda Spam firewall. When I got in the office I went to check everything out and discovered that there was still a small problem or two. I had already planned to call them back to "discuss" the support issues that I had. I placed my 3rd call in less than 24 hours and told the lady that answered the phone that it would be highly appreciated if she put me in touch with a tech immediately and briefly explained my frustration. A tech was on the line in less than 5 minutes. I explained to him the issues that I had been experiencing and he started troubleshooting. He needed to access my system via ssh and asked me to enable the connection. He was unable to connect and told me that they were having issues on their end and would call me back once they were resolved.

About 4 hours went by and I received another call. Once he was able to connect to the system he then asked me to explain what was happening. (At this time the "Block Fake Sender Domain" option was blocking all incoming messages when I turned it on.) He told me that this was the way it was supposed to work. I told him that blocking all incoming email was not a good feature and suggested that they change it. He then started to argue with me about the merit of doing this. Then he realized that he was thinking about the feature that blocks "spoofed" addresses. Being rude rarely pays in the end.

The issue was finally resolved so that all functions of the system work as they should and I'm again happy with the performance of the Barracuda. I'm still not happy with their support. There is a lot of room for improvement. I also still need to call and talk with someone who has some clout about all of this. I did not "light into" either the call screener or the tech. They are not the problem (except the tech being rude). I will clear all of this up with someone at a higher level.

Now a quick word in defense of Barracuda. I had several people comment saying things such as "that's what you get for buying crap" and then they recommended another product. Sounds like a sales guy. :) Rothman also made some good comments on his "Rant" about why he thinks Barracuda support is what it is. I realize that Barracuda may not be the best product out there. We bought it because it did what we needed and it was within our budget. It has served us well for the most part and as long as I don't have to call support I'm happy. It also turns out that the problem was never really with the Barracuda itself. Some DNS servers went offline, and as it did reverse DNS lookups and other DNS-related functions they all failed. Once I changed the DNS entries it started working flawlessly. All that said, now that I have a bigger budget to work with I still will work to get it replaced soon. I don't care how good a product is, if support stinks I can't live with it.
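The root cause above (resolvers went offline, reverse DNS lookups failed, and the "Block Fake Sender Domain" check rejected every message, the same symptom described in the Poor Tech Support post below) is a fail-closed design choice. The Python below is an added example, not Barracuda's code: it shows a sender-domain check that only issues a permanent reject on an authoritative NXDOMAIN and returns a temporary failure on SERVFAIL or timeout, plus a resolver-health guard that skips the check entirely when most recent lookups are failing. The resolver is a constructed stand-in so the script runs offline; names like FakeResolver and ResolverHealth are assumptions of this example.

```python
"""Sender-domain check that fails open on resolver trouble (added example).

The resolver is simulated with a constructed table so this runs offline;
a real deployment would call dnspython's dns.resolver or the platform
resolver and map its exceptions onto the same DnsResult classes.
"""
from dataclasses import dataclass, field
from enum import Enum


class DnsResult(Enum):
    """Outcome classes a resolver can report for a lookup."""
    ANSWER = "answer"        # records found: the domain exists
    NXDOMAIN = "nxdomain"    # authoritative: the name does not exist
    SERVFAIL = "servfail"    # upstream broken or resolver unreachable
    TIMEOUT = "timeout"      # no reply at all (what an offline resolver looks like)


@dataclass(frozen=True)
class Verdict:
    """SMTP-style decision: 2xx accept, 4xx tempfail (sender retries), 5xx reject."""
    code: int
    reason: str


@dataclass
class FakeResolver:
    """Constructed stand-in for DNS (hypothetical): known names map to an
    outcome, anything else gets `default` (NXDOMAIN when healthy, TIMEOUT when
    every DNS server is offline)."""
    answers: dict
    default: DnsResult

    def lookup(self, domain):
        return self.answers.get(domain.lower(), self.default)


@dataclass
class ResolverHealth:
    """Sliding window over recent lookup outcomes. When most of them are
    SERVFAIL/TIMEOUT the resolver is considered down and DNS-based checks are
    skipped, which is what the author did by hand when he turned the option off."""
    window: int = 20
    max_failure_ratio: float = 0.5
    min_samples: int = 5
    recent: list = field(default_factory=list)

    def record(self, result):
        self.recent.append(result)
        del self.recent[:-self.window]          # keep only the last `window` results

    def resolver_down(self):
        if len(self.recent) < self.min_samples:
            return False
        failures = sum(r in (DnsResult.SERVFAIL, DnsResult.TIMEOUT) for r in self.recent)
        return failures / len(self.recent) >= self.max_failure_ratio


# Constructed resolver states: a healthy one and the outage from the post.
HEALTHY = FakeResolver({"example.com": DnsResult.ANSWER}, DnsResult.NXDOMAIN)
OUTAGE = FakeResolver({}, DnsResult.TIMEOUT)


def naive_fake_domain_check(sender, resolver):
    """The failure mode in the post: anything that is not a positive answer is
    treated as a fake sender domain, so a resolver outage rejects ALL mail."""
    domain = sender.rsplit("@", 1)[-1]
    if resolver.lookup(domain) is DnsResult.ANSWER:
        return Verdict(250, "sender domain resolves")
    return Verdict(550, "fake sender domain")


def robust_fake_domain_check(sender, resolver, health=None):
    """Separate 'definitely fake' from 'cannot tell right now'.

    Only an authoritative NXDOMAIN justifies a permanent 5xx reject. SERVFAIL
    and timeouts are infrastructure problems, so answer 4xx: the sending MTA
    queues and retries, and legitimate mail is delayed rather than bounced.
    If the health guard says the resolver is down, skip the check altogether.
    """
    if "@" not in sender:
        return Verdict(550, "malformed sender address")
    if health is not None and health.resolver_down():
        return Verdict(250, "DNS check skipped: resolver outage in progress")
    domain = sender.rsplit("@", 1)[1]
    result = resolver.lookup(domain)
    if health is not None:
        health.record(result)
    if result is DnsResult.ANSWER:
        return Verdict(250, "sender domain resolves")
    if result is DnsResult.NXDOMAIN:
        return Verdict(550, "fake sender domain")
    # SERVFAIL / TIMEOUT: fail open with a temporary failure and log it loudly
    return Verdict(451, f"temporary DNS failure ({result.value}); try again later")


if __name__ == "__main__":
    for check in (naive_fake_domain_check, robust_fake_domain_check):
        for name, resolver in (("healthy", HEALTHY), ("outage", OUTAGE)):
            v = check("alice@example.com", resolver)
            print(f"{check.__name__:26s} {name:8s} -> {v.code} {v.reason}")
```

During the simulated outage the naive check bounces legitimate mail with a 550 while the robust one answers 451, and once enough lookups have failed the health guard stops consulting DNS at all.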

Wednesday, November 15, 2006

Legal Lies

I'm not a big fan of government getting involved in our daily lives beyond the basics of what is needed to keep us safe and secure. But stories like this put a smile on my face. :)

Just as government needs to do what is required of it and then leave it up to us, businesses need to do what they say they will do and make sure that they tell us what they are doing. If as a Security Professional I tell my employer (or potential employer) that I will do this and that then that is what I should do. I don't go behind their backs and read emails, modify documents, sell company secrets or install unauthorized software. In the same way when I, as a consumer, install software on my computer that is obtained from a "legitimate" company (meaning one that is out to make a profit either by selling its products or advertising) then they should tell me up front, in a way that is clear and easy to find, exactly what this software will do to my PC. If it will install additional software let me know. If it will "phone home" let me know. If it will collect data on my web surfing habits let me know. If it is going to download updates or other software let me know. This crap about hiding things in the EULA and installing things that are not needed or wanted is WRONG!

People are screaming because they say America is headed in the wrong direction because of this political party or that political party. America is headed in the wrong direction because we participate in unethical business practices such as this. We allow these companies to do what they want because they hid a clause deep in a EULA that can't be understood even if it is read by the average person. We require food companies to clearly explain what is in their products that will hurt or help us, but we allow companies to legally mislead and lie to us.

Then there is the whole notion of the security risk that the "unknown" and unwanted software can cause. If legally obtained software is collecting info and sending it home how am I to know that my financial transactions are secure or that it's not collecting things that it isn't meant to collect. We all know that software can do unexpected things and we can't rely on the companies to do the right thing if they discover that private data is "accidentally" being collected. After all they lied to us, or at least made it very difficult for us to know the truth, in the beginning. Not to mention the studies that show how unethical IT pros are now. Fred the Admin may be using your SSN or Credit Card right now.

When I buy a computer with my money and install legally obtained software (commercial or freeware) I feel that I have the right to know exactly what is going on my computer and I should be able to do it without a law degree.

That's my opinion and I welcome yours.

Poor Tech Support

It's been 17 hours since my Barracuda Spam Firewall went haywire. It started rejecting all incoming mail saying that it was from a fake sender domain. I went into the configuration and turned off that option and it quit rejecting mail based on that reason. It still rejected the mail only now it changed the reason to "intent" and the intent varied from things such as the domain name, a domain name that wasn't even associated with the message, the message had a signature, the message didn't have a signature, it really didn't matter it just rejected the message.

I've been in IT for 10 years now and I've been on both ends of the tech support issue. I've worked in Tech Support for a vendor and I've been an end user needing tech support. I've worked with some companies that had excellent tech support and some that had lousy tech support. I must say that Barracuda Networks has some of the worst tech support I've ever encountered. It's not that they didn't work with me to resolve the issue or that the tech was untrained or unqualified or didn't speak English well. I have no idea how qualified or linguistically talented they are because they didn't see fit to ever call me back.

I called in the problem and was told that it was listed as the highest priority and that I would receive a call back within an hour. That didn't make me very happy, but I was willing to live with an hour. Two hours later I called them back to follow up and was told that they would call back within an hour. I explained that I had already been told that two hours ago and I continued to wait patiently.

By this time I had already done some basic troubleshooting of the box myself. It receives what they call "energizer updates" daily. I knew that it had received a new one that day and assumed that it was the problem so I used the option to "roll back" to the previous update to see if that would solve the problem. It didn't. I also turned off most everything that causes it to block spam using the theory that spam with regular email was better than no email at all. That also didn't work. I didn't want to do much more than that because I didn't want them to point back at me and say that it was my fault. So I waited, and waited, and waited. I'm still waiting. My email is working now. I eventually got tired of waiting and did several more things that ended up fixing the problem. Now I don't know exactly what happened or why it happened and I'm not happy. My theory is that if you are paying a company for their product and ongoing support then you should at least get support, and being down several hours and not receiving a call back is not support. Their web site claims 24/7 support. Maybe that's what it is. They will call you back sometime between 24 hours and 7 days.

Needless to say I am not happy. There is no excuse for lousy tech support. There is too much competition out there for my dollars and I have a feeling that Barracuda Networks won't be getting many more of mine.

Monday, November 13, 2006

Thank A Vet

Saturday was Veterans Day. I encourage all of you to say "Thank You" to those who sacrificed for our country. Whether you agree with war or not if it were not for those who were willing to fight for our freedoms we would not have the freedoms that we have today.

I would like to say Thanks to those of you who served our country. I know that you did not get the recognition or money that you deserved. I am truly thankful for all that you have done.

If you see some of our current military men and women stop and thank them for what they are doing. Buy them a cup of coffee or a tank of gas if the opportunity arises. They will appreciate it.

Friday, November 10, 2006

Link

Here is the link to Martin McKeay's post that I couldn't find earlier.

http://www.mckeay.net/secure/2006/11/cisco_is_going_to_die_and_roll.html

Small Business IT

InformationWeek has an article about a survey that reveals that a lot of small businesses leave data vulnerable. A lot of the survey respondents have no real data recovery plan in place for data stored on desktops and laptops. Many of those who do have a plan are still storing the data in ways that leave it vulnerable to loss and possible misuse.

What really caught my eye about this is this quote by Kiyoshi Maeda, Verio president and CEO: "Given the affordability and easy deployment of some of today's PC data backup and recovery solutions, it's surprising that such a large number of small businesses leave their data exposed and at risk." Obviously he has never owned or worked for a small company. There are many, many, many companies out there who can barely afford what little technology they have. They have no IT staff or their IT person is whoever could spell PC when they first got computers in the office.

When I did my stint as a consultant I spent lots and lots of time talking with small businesses who needed the services provided by my company but could only afford an hour or two a month. And our rates were VERY cheap compared to major metro areas of the country. When we did get into many of these companies to help them out we ran into all sorts of issues related to old equipment, expired support contracts and subscription services for AV and such. Getting these companies up to a decent level of usability was often a very slow process as they could not afford to spend money to buy what was needed. When they did it was often in small chunks here and there.

A couple of weeks ago Martin McKeay posted (sorry about not linking, I can't find it on his site) about the NAC debate being almost not worth his time keeping up on because his company couldn't afford a NAC solution. He said that they were lucky to keep what they had up to date with support contracts and such. This is what much of small business America faces. It doesn't matter how cheap or easy technology is to use if you can barely afford to pay normal bills. I know it may be cheaper than the loss incurred due to a virus, data loss, network failure, etc... but that is just the reality of how many businesses have to live.

Wednesday, November 08, 2006

Vendor Selection

As I've mentioned before there are a lot of changes taking place where I work. Many of those changes involve us doing things for ourselves that have been done for us in the past. So I've spent a lot of time meeting with vendors lately. As we have gone through the process of meeting with various vendors to either provide a product or service I've been pretty impressed with most of those we have met with. The FUD has been kept to a minimum (contrary to my post a few months ago) and the meetings have been productive for the most part.

We have to get 3 bids for most of these projects so at times we talk to several vendors and then narrow our list to the top 3 or 4 to actually invite to submit a bid. We did just this with one service that we needed and a couple of weeks ago I sent an RFP to the 3 selected vendors. Then early last week I received a bid from one of the vendors that had NOT been selected. At first I didn't think much about it because that stuff happens. But then it hit me that the bid included my internal RFP document that I had created and maintained control over. No one else in my company even had a copy of it. I quickly checked my sent items box to make sure that I had not sent it to the wrong vendor and I hadn't. Then I checked my Exchange logs and other audit logs to see if someone else in my company got a hold of it and sent it out. No evidence of it anywhere. Next I called the vendor to see where they got the document. The guy I had been dealing with there was out of the country until the end of this week and no one else knew anything.

That leaves only 2 options that I can see (if anyone else sees any others please let me know). Either the email was intercepted after it left my Exchange box or one of the 3 chosen vendors shared it with this other company. The first I can live with (like it or not). The second does not sit well with me. Well I sent the vendors a letter outlining the situation and asking for them to do an internal investigation. Two of them have called back very concerned and with unequivocal denials that it happened by anyone within their company. No response from the third. Are they still investigating or is their silence convicting them?

I doubt that it came from any one of the actual sales people or their trusted group that helps them put together a proposal, but maybe someone a little farther down the food chain who stands to make a few bucks from a "friend" if the other company actually gets the contract. Who knows. I do know that the 4th company is still not in the running. Their price was much lower, but I think that I would be getting what I paid for and that is not what I need.

If anyone has any thoughts on this or if something similar has happened to you please write me and let me know. This is a first for me and I'd love to know how others handled it.

Tuesday, November 07, 2006

Voting on Diebold Machines

I voted today on a Diebold DRE Voting machine. I've voted on the same one in the past, but this time I paid close attention to the whole process. It was quick and painless. After I had completed the ballot I reviewed my selections to ensure that what it said it was going to register was what I really wanted. After feeling confident that I was going to cast the ballot that I desired to I pressed the "Cast Ballot" button and away it went. Of course I have no idea what happened to it after that. It may have been intercepted by a malicious politician or someone from the Taliban who wants to ensure that democracy is thwarted. More than likely it was cast just as I voted, but ......

Sorry for the cynical comments, I know that this is a very serious subject that has to be addressed VERY soon. I have even gone on record with a few unflattering comments on the whole issue, especially in regard to the Diebold machines. Those who have taken this up as their call to arms need to continue to get the news out and the rest of us need to do the same. Those in a position to affect this directly either through policy or whatever need to do all in their power to ensure that things get done right. We need to pressure the politicians to enact regulations that have teeth and pressure the manufacturers of the machines to do all the right things in regards to security and auditing.

I have faith that this will eventually have a happy ending. Even Hansel and Gretel had to go through some tough times prior to their happy ending.

Go Vote

Today is election day and ALL of us need to go vote. It doesn't matter who you vote for as long as you vote. Too many people fought too hard and gave up too much for us to sit around and ignore our rights and responsibilities. Elections, at any level, are important and deserve our full attention and participation.

As Americans we love our rights and freedoms. Don't let them disappear because you chose not to participate.

Remember, with freedom comes responsibility.

Friday, November 03, 2006

Careful who you trust

Just a personal story of how even those of us who are Security Pros can let our guard down and do the very thing that we keep telling others not to do. I want to stress that I am not suggesting that this was a malicious act. It was just a "freak" coincidence that teaches a good lesson.

Yesterday I sent Martin McKeay a personal email asking him a question about PCI compliance. I know that in addition to being "Captain Privacy" as Shimel calls him he is very knowledgeable about PCI. A little while later he replied to my email and included a link to a website that he recommended I check out (you know where this is going now don't you).

I hate to admit it but I did click on the link without any hesitation or checking to make sure it was legitimate. After all Martin is a trusted Security Pro and I have had some contact with him over the last few months regarding the CISSP test and such. I've given him my thoughts and kudos on his podcast a few times. I had no reason not to trust him. Yet I really don't know him so I should have been more careful. Haven't we all heard similar excuses from our users?

What was really scary about this incident though is that the site that he sent me to has a pdf on it that I needed to download and read. As soon as I clicked on the pdf link FireFox crashed. :( My heart sank and I felt like such a loser. I immediately isolated my laptop from the rest of the network and spent quite a while checking to make sure that I had not been compromised. After I was convinced that all was OK I went back to the site and downloaded the pdf and quickly became despondent because it told me just how much extra work was going to be required of me on the compliance side.

But all is well. Martin is not a hacker in hiding. :) His help was GREATLY appreciated. I just wish that I had been a little more careful. Crow doesn't taste too good. At least most of my users don't read my blog.

Wednesday, November 01, 2006

Imagine That

Someone using file sharing app to steal personal data. I just can't believe that would happen. :)
http://test.denverpost.com/nuggets/ci_4564807

Tuesday, October 31, 2006

A Few Quick Thoughts

Just a few posts and articles that I saved over the last few days.

GOOD READS

F-Secure post on selling domain names. Pretty clever on the part of the bad guys. We need to get the word out to others to pay careful attention to what is actually in the address bar. We may not get everyone to check certificates but this is a quick and easy check.

Another good F-Secure post related to the one above. Having more TLDs that are specific to an industry would help cut down on successful phishing.

Here is a good article that Michael Farnum wrote for ComputerWorld about the debate across much of the blogosphere (too many to list) on Zero Day vs. Less than Zero Day exploits. I've got thoughts on the whole thing, but I'm tired of reading about it and don't want to add to the fray. Thank goodness it is slowing down.

Bruce Schneier points us to a good write up on a better voting machine. They still have a long way to go, but I think that the right technology implemented in the right way will make voting secure and reliable. It's far from there now. If it were up to me I would pull ALL electronic voting machines for this election and go back to punch cards.

Here are 2 cents of my input on the Risk Management debate going on. I'm linking to The Mogull's post but I would recommend reading the others that he links to. Hopefully I'll get a chance to put the other 98 cents in later. I like this topic. Risk Management can't be something that is accomplished by any one group, be it management or IT staff. It does take a concerted effort by many different departments in order to do it effectively. You can't expect Management to understand how to implement the technology or even to know what technology to implement. Nor can you expect IT to understand the what and why of Risk Management on its own. I know that many in IT do understand, but they are a small percentage of IT as a whole.

That's all for now. I'll be with vendors all day tomorrow so you may not hear from me for a couple of days.

Rethinking Security

Things at work are getting very hectic. Some major changes have caused us to stop and shift direction in many areas and rethink where we are going, how we are getting there and what we will do once we are there. To make things worse management has moved a deadline up by about 5 weeks while increasing the amount of work required to reach the deadline. This isn't a "soft" deadline either. It's meet it or hit the road. If for some reason this deadline isn't met we would not be able to conduct business until ALL of the items on the list are complete.

In the process of this we are having to rethink how we do security. How it impacts us in day to day business, how threats and vulnerabilities will be dealt with and how we will respond if a breach occurs. In some ways things will be easier in the long run simply because we will not be as heavily regulated as we would be before the changes were announced. The down side of that is that the lack of regulation has already put some members of management into the mindset that security won't be as important as it should be.

My overall goal in all of this is to meet the deadline obviously, but also to impact how security is viewed by the organization as a whole. The right people have to be "shown the light" in regards to seeing that security will have a big impact on how we do business whether or not we are required to monitor, log, or report specific items.

Most people still view security as simplistic things such as keeping AV up to date and installing a firewall. They don't see the importance of multiple layers of security and how event A can point you to event B, which shows a weakness or a breach. Not only that, users still don't see how seemingly simple things such as running Skype on their systems can be a problem or how putting their PDA on the wireless is dangerous. They want to be able to go where they want to go on the Internet, hook up to any wireless that will let them, install any program that they deem necessary or fun and still have unfettered access to company resources.

Security has to be rethought from not only those of us who implement it but from those who recommend it and the end user. The digital world is a dangerous place and we have all got to be prepared for it. Part of that means that as Security Professionals we have to come out from behind our firewalls and work with management and end users to make them understand the whys and wherefores of what we do. We can't continue to hide behind our server room doors and make fun of "stupid users". Part of the reason they are stupid is because we have not done our part to educate them.

The changes that are coming at work will have a major impact on me and all of my users. Now I have a decision to make: will I lock them down and tell them to "shut up and go color" or will I work to make sure that they are on my team in keeping everything secure?

Friday, October 27, 2006

Hiding in public places

I have a friend who is in hiding, sort of. He is hiding from a bad relationship and has left the state. He left because his new spouse lives and works in another state, but he was glad to leave the state. He was really worried about the ex. Of course I know where he is because we keep in touch. From time to time I do various web based searches to see if I can find him and up till recently I was unable to locate him on the web. Pretty good considering how easy it is to find most anything on anybody.

Well the other day I was on MySpace (I know, but I have a brother in law in the military and he won't communicate any other way) and I decided to look up a couple of friends. As I was looking at some of their friends who do I see but my hiding friend. Right there in plain view for all the world to see. His name and location were all faked, but you can't hide your face on a picture. Again I had to go back to my "I just don't understand". All that work to hide and he was hiding in public. Needless to say I got in touch with him and informed him that he had been found and that he probably should put up a different picture.

Drug Dealer Found w/ Nuclear Weapon Data

This article from Techworld.com points out the ever continuing struggle security professionals face in securing data. We all know that it's impossible to secure everything to the point that we would like it. That is why we do Risk Analysis and then determine what we will protect and how we will protect it. It would be comforting to know that data that is classified as "Secret Restricted Data" is secured to the point that it can't be stolen, but it doesn't seem that is possible either.

Thursday, October 26, 2006

Rich Unknown Relatives

I can't tell you how many times I've received emails telling me about the death of a long lost relative or someone who could have been. It's amazing how many Willinghams that live overseas were rich and died with no known family. I'm just so lucky that the executor of their estate found me so I can become rich. Well, me and the executor. Why is it that he or she gets more money than I do?

I bring this up because the other day I received a new phishing email. It's similar to the ones mentioned above. I'm sure all of us have gotten them. I'm just amazed that people actually fall for them, but this new one I got is pretty slick. I'm including the body just because it's so good.

Dear Friend,

I'm happy to inform you about my success in getting those funds transferred under the cooperation of a new partner from paraguay . Presently I'm in paraguay for investment projects with my own share of the total sum. Meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.
Now contact my secretary in nigeria, her name is VIVIAN OBASI on vivian_obasi1_1@myway.com ask her to send you the total of $450.000.00 which I kept for your compensation for all the past efforts and attempts to assist me in this matter in the past. I appreciated your efforts at that time very much.So feel free and get in touch with my secretary VIVIAN OBASI and instruct her where to send the amount to you.
Please do let me know immediately you receive it so that we can share the joy after all the sufferness at that time. In the moment, I’m very busy here because of the investment projects which me and the new partner are having at hand.Finally, remember that I had forwarded instruction to the secretary on your behalf to receive that money, so feel free to get in touch with VIVIAN OBASI she will send the amount to you without any delay.
Regards,
sanetor John E Williams Esq

How many people that have received the rich, familyless, dead guy email and didn't fall for it will fall for this? Even if you don't believe the first one this one is almost too easy not to follow through on. Pretty slick.

Wednesday, October 25, 2006

Security-Go-Round

This article on DarkReading.com brings up some interesting fodder for thought. Security professionals realize that technology just isn't doing the job when it comes to protecting our resources so we should focus more on user training. But wait, we learned long ago that user training was a waste of time in many cases. So we spent more money on technology that isn't doing the job. Now we hire more security professionals to help but there aren't enough good security pros out there. Now we are left with entrusting our junior guys with the task of securing our networks. But they don't have the skills so we have to get them trained and certified. And it keeps going round and round.

There is good news in all of this.

  1. We improve the security awareness of the end users (I can dream can't I).
  2. We improve the technology.
  3. We improve the security of the company through implementing 1 and 2.
  4. We improve the skills of those who are in the field.
  5. We improve ourselves by getting better positions in the field.
  6. We improve each other by sharing what we have learned via blogging, podcasts, etc.
This is all part of the cycle of how this world works. We can make the best out of it and improve or we can let it run us over and lose ground. I know that I only looked at the "bright" side of this but I'm in a good mood this morning and didn't want to start off with a negative post. This cycle reminds me of one of my favorite songs by Dan Fogelberg that has a similar theme. In it he says:
The higher you climb, the more that you see
The more that you see, the less that you know
The less that you know, the more that you yearn
The more that you yearn, the higher you climb.

Tuesday, October 24, 2006

Reactionary Security

Isn't it just like the government to rush out a multimillion dollar "security" project because it is reacting to something. This article from ComputerWorld outlines how the TSA is basically rushing out an ID card that has not been fully tested, and the main reason is that they are under pressure to get something out. Apparently rolling out the appropriate solution isn't necessary. Just get something out so it looks like we are on top of things.

This quote seems to sum up the attitude of those pushing to get this implemented. "Moving quickly to implement the TWIC program 'without developing and testing solutions to identified problems to ensure that they work effectively could lead to further problems, increased costs and program delays without achieving the program's intended goals,' the GAO said."

Apparently ensuring that taxpayer money is spent in the best manner isn't high on the list here. I wouldn't mind extra money being spent if it was going to do some good, but to blatantly push a so-called security objective before its time is stupid.

Maybe this is the same group that screwed up configuring all those DNS servers we heard about a few weeks back.

Novell Virus

Now there are 2 words you don't often see together. As I've said before, I started out in the IT world using OS/2 and Novell and this is the first time I can remember seeing a virus that targeted Novell. I know that there have been some, but I don't remember them. I received my copy of the SANS @Risk Security vulnerability report last night and this was the top story. In my mind this says something about what the bad guys are wanting to do. Just like with Apple, it's not that Novell is so much safer than Microsoft, it's that it wasn't being targeted. Smaller user base, less potential for impact. Now that the motive is profit rather than impact, everything is fair game.

I also am guilty of ignoring things that don't directly impact me at times. This is true when I review this newsletter each week. If it applies to me I check it out. If not I let it pass. Probably not the wisest thing to do. Why? Because that leads to apathy and laziness. I need to keep up with security as a whole not just my little corner of it. If I plan on advancing my career past where it's currently at I need to focus on my goals and areas of responsibility while at the same time keeping an eye out on everything else that is going on. If not I'll get left behind.

A Strong Foundation

A friend called me the other day with a concern and complaint. Here is the gist of what he said.

Every day I work hard to ensure that my company network is as secure as possible. Currently we don't have much in place in the way of formal policies. Thankfully that is in the process of changing. What we do have is loosely defined and rarely enforced. Since I hold the responsibility of ensuring the 3 A's of Security are all there, I have implemented my own policies. I enforce them and update them as I see fit. I often get accused of being on a power trip, but that's OK. I know why I do what I do. It's because I see that as being my reason for being hired by the company.

That being said I obviously can't enforce these "policies" on all users. I still have to answer to those in authority over me. That is where the frustration factor comes in. What good does it do to work hard to lock most all the doors and windows to my network when you have to leave a side door open so that certain users can do as they please? Why not just put up a firewall, install AV, setup a patch server and walk away? Spend the rest of your time cleaning monitor screens and mouse balls.

Management needs to realize that when you leave a door open the bad guys will find it. One rogue user (intentional or unintentional) is all it takes. It's hard enough to keep the rogue users out without giving "special" users permission to be rogue. Management thinks that since we currently don't have to comply with regulations (meaning SOX, GLBA, etc) that we are OK for now. Once we have to start complying we will change.

Now for my 2 cents. That makes about as much sense as saying that I currently don't have termites (this analogy works well in the south) so I don't need to protect against them. Once I have them I will start getting treatment. A network that is left open will be compromised, and once you start complying with regulations the problems will still be there. They are not going to magically go away just because you put in a few controls and implemented policies. Unless this company plans on starting completely from scratch they will most likely be starting with a compromised network. Those few machines that have been left open will still be compromised after they are locked down. Locking down a machine will not prevent a well planned piece of malware from doing its job. The lockdown is designed to keep it off your system, not to keep it from doing damage once it's there (mostly).

Just as in building a building, you have to start with a strong foundation. Too often the foundation of a company's network is weak and rotting. Once it's in place it's almost impossible to rebuild it. All you can do is shore it up. Work hard to convince management that security has to be a priority and has to apply to everyone whether regulations require it or not.

Saturday, October 21, 2006

Week in Review

It's Saturday afternoon and I've got a lot of catching up to do. With vacation and sick servers at work I've had very little time for blogging. I saved my favorite stories from the week and hope to catch up on them now.

PRIVACY CONCERNS (or lack of concern)

I've started reading the series on Privacy on MSNBC that Martin McKeay recommends. I've only read a few paragraphs and it's already making me sick, angry and scared. There are 9 different articles on this and I've only skimmed a few of them. I'm sure once I've digested them I'll have more to say.

Martin also points out a good article on Identity Theft protection here.


MICROSOFT NEWS

It seems that many people couldn't wait for the first security flaw to be found in IE 7. It had only been out 24 hours when the news was full of reports of the first reported flaw. They did sort of get vindicated because the flaw was not in IE 7 but in Outlook Express.

I almost feel bad for MS because the whole world almost expected it. Of course there are going to be flaws found. It happens in ALL software not just MS software. I know that they have had a pretty rough track record but the wolves just couldn't wait to jump on them.

Then when they do finally come out with some serious security practices there are those who complain about that. I wrote about not liking the idea of having MS be in charge of my AV and security as well as the OS. As I've read more about their PatchGuard technology in the 64-bit version of Vista I'm not so sure that I wouldn't like it in all versions. If it really keeps software from hooking into the kernel then that will stop a lot of the malware that we deal with today. Symantec, McAfee and others who want access to it don't seem to realize (actually they do, they just know that the end of malware puts a big hit on their bottom line) that if they get to hook in then so will the bad guys. I'm sure that before this all gets ironed out security will be reduced and/or the bad guys will find a way around this and we will still have more to do than we can handle. Job security at its finest.

It's also good to see that I'm not the only one who is confused on this subject. Pete Lindstrom of the spire security blog has a good post that links to other writeups on this.


GOING BEYOND THE BASICS

I've written before about how I feel strongly that our job as Security Professionals is to know more than the technology behind what we do. We need to know the reasons why a technology will or will not help our company meet its business objectives. We need to understand business process as well as technology. We also need to understand the regulations that affect our industry so we can best meet the audit and regulatory requirements that they bring with them. Michael Santarcangelo of the Security Catalyst website is also supporting this mindset. He is developing what he calls Security 2.0 to help those of us in security better understand this and learn how to implement it in our daily practices. I encourage everyone to check out what he has to say.


FINAL THOUGHTS (for today)

Diebold has once again let source code "slip through" the cracks. I'm in talks with Diebold to provide some equipment for my company but their total lack of professionalism in how they have handled this whole voting issue is giving me severe second thoughts. They have demonstrated complete incompetency in all of this. If they can't seem to get anything right on the evoting side of the business how am I supposed to trust them with the financial side of things?

SearchSecurity.com has an article that, when I first saw it, made me think "good grief, why do they keep writing about the obvious", but then I remembered that even in IT and Security we have more than our fair share of slackers who need to be reminded about such basic things. Unfortunately my company does not currently have a policy in place that prevents iPods and other such devices from being connected to machines, but I do hope that it happens in the near future.

Thursday, October 19, 2006

Vacation Blues and a Salute to our Military

I've just about decided that vacation isn't worth it. You rush to get out of town. You rush around while you are gone. You get back at the last minute. Then when you get back to work you have tons of email and voicemail to sort through, plus playing catch up on the work that wasn't done while you were gone. That's how it goes if you are lucky. I wasn't so lucky. I came back to a sick Exchange Server and a sick accounting server. Luckily neither of them seemed to be too bad. They are both back up and running. I don't know why I'm complaining, it's kinda the norm. Last time I took more than a day off our Blackberry server crashed and our CIO had to rebuild it.

But all that said it was worth it because we went to visit my brother-in-law who is about to be deployed somewhere in the Middle East. This is quite possibly the last visit we will have with him until he returns in 18 months or so. We gave up our planned vacation next week to make the visit.

I'd appreciate it if all of you would keep him and the rest of our military men and women in your prayers while they are out serving our country so we can be free. When you get the chance tell them that you appreciate what they are doing for our Country.

Wednesday, October 18, 2006

Today's News

Kudos to Netflix

You gotta love it when you hear about a company that finds out they have a potential security issue and they fix it BEFORE it becomes a problem and BEFORE it even becomes public. I'd love to see more companies be this proactive instead of following the trend of many to deny a problem and hope that we are dumb enough to think it will go away on its own.

The Week of the Trojan

I posted on Monday about the McDonalds MP3 Trojan and since then there have been at least 2 others that have made the news. One was a mistake and the other was probably intentional. Apple shipped some of their popular iPods with a Windows virus. The thing that gets my goat about this is that, in what has become typical Apple fashion, they don't just admit that there is a problem, they have to attack someone else. In this case they put in a jab at Microsoft saying "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." Compare this to the Netflix story above. The other story is that a website promoting the zcodec was actually a trojan. This one was probably meant to be malicious from the start.

Microsoft and Privacy

I'm not sure how I feel about this yet. Microsoft has published their internal privacy guidelines hoping that other companies can learn from them. I'm glad that they are taking proactive steps not only internally, but also to help others. What I'm not sure about is their exact motives. Given their record of past privacy issues I can't help but think that this is a PR scheme. Even if it is, if it helps others do a better job then I can live with it.

Schneier's Top Ten Security Trends To Watch

Here is a link to Bruce Schneier's Top Ten List that he spoke about at Hack in the Box a couple of months ago. As usual he has good insight and I'm not here to dispute any of the things on his list. I did want to comment on number 10. He says that Regulations will drive security audits. I think we all agree with this and know it to be true. This is why I think it is so important that we have a good understanding of the various regulations that affect our business. Maybe I'm preaching to the choir here, but I know too many security professionals who think that regulations are a different group in the company and they don't have to know them. They are looking for trouble.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.