Security's Everyman

Thursday, November 30, 2006

Refreshing Vendor Story

I met with a Security Vendor today. I told him what I wanted and he told me that his company could do it but that they usually did not work with financial institutions because that was not their specialty. He said that they felt better giving a referral to a competitor than giving us below par security. I kept waiting for him to start laughing but he was serious. He said that they are great at what they do, but for our industry they just chose to stay out. How often does that happen?

Logs and Blogs

One of the great things about blogging is that you have a topic that you want to comment on. You say what's on your mind and often someone else will pick it up and run with it. Sometimes what they have to say is in opposition to your point of view and sometimes it supports and builds upon it. That is what Martin McKeay does in his post about logs. I wrote my post with the intent of illustrating how important it is to review your logs. He read it and then built upon it by talking about some good ways to keep your logs somewhat manageable. It's kinda like having a conversation with another guy on your security team, except we get to share it with our millions thousands a few others who read our blogs. Now if I could just get him to fly to Georgia and set up my new log monitoring software so I don't have to do it myself.

The Importance of Logs (and looking at them)

This post was prompted by Dr. Anton Chuvakin and his post on ignoring logs. I've mentioned this story before briefly here but felt that more detail would be beneficial to those debating the merit of reviewing log files. There may not be anything more boring in Security than reviewing log files, but there also may not be much that is more important.

A few years ago I did a stint as a Consultant for a small Kentucky company. Shortly after I started, a customer called with an emergency. The guy who worked this account was on vacation so I went to investigate the problem. They were having problems authenticating users to the domain and therefore many resources were unreachable. I asked the standard questions about what had changed recently or whether anything new had been added to the network. They assured me that nothing had changed or been added. After having them show me exactly what they were doing and seeing what was happening I started looking at the DC to see what I could find. In reviewing the Security logs I noticed that a new administrator privileged account had been created 2 weeks earlier. After waiting 2 weeks to ensure that the account had not been discovered the hacker then proceeded to load file sharing software on the server and copies of 4 of the latest movies (2 of them weren't even in theaters yet). Every time the P2P application ran it disrupted AD on the server and caused users to lose their credentials.

How did this happen? There were at least 2 MAJOR mistakes made here. First, the server, which was the Global Catalog and Primary Active Directory server, was dual homed and one NIC was on the internal network and the other NIC was on the Internet so partners could get to it for FTP transfers. I won't even comment on that. The second problem was that they were not monitoring logs. They did a lot of network performance monitoring and WAN connectivity monitoring. Things that look cool on graphs and have a little sexiness to them, but they ignored the mundane, boring task of log monitoring. Had they been doing so they would have noticed the new administrator account and deleted it. Then they could have investigated how it happened and closed up the hole that the truck drove through.

Luckily this turned out to be just a big nuisance. I was able to repair the damage, remove the P2P app, restore everything and get them back up and running in about 4 hours. Nothing else seemed to have gone awry during this. My investigation didn't turn up any other mischief. Needless to say the first order of business after that was to build them a new FTP server that sat on the DMZ all by itself. Then we implemented a log monitoring program to ensure that this didn't happen again. I stayed with the consulting firm for a year after that and no other issues were reported so either they were successful in keeping the bad guys out or too embarrassed to let it be known that it happened again.
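The review the story argues for can be automated. The script below is an added example (it is not from the original post, and the log records it reads are constructed for illustration, in a simplified "time|event id|subject|target|group" layout rather than a real event log export). It flags the three things that would have exposed the account in the story: a user account being created, an account being added to a privileged group, and an account that sits dormant after creation and then starts logging on. The event IDs are the real Windows Security IDs (4720, 4728, 4732, 4624 in Vista-and-later numbering; the Windows 2000/2003-era equivalents are 624, 632, 636 and 528); the `approved_accounts` parameter and the seven-day dormancy threshold are assumptions for the example.

```python
"""Flag new accounts, privileged-group additions and dormant-then-active
accounts in Windows Security log records (added example, not from the post)."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id subject target group")

# Real Windows Security event IDs (Vista+ numbering).
ACCOUNT_CREATED = 4720        # a user account was created
ADDED_TO_GLOBAL_GROUP = 4728  # member added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732   # member added to a security-enabled local group
LOGON_SUCCESS = 4624          # an account was successfully logged on

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins",
                     "Enterprise Admins", "Schema Admins"}
DORMANCY = timedelta(days=7)  # assumed threshold for "created, then silent"

# Constructed sample records: a service-looking account is created at 2 a.m.,
# made a local Administrator, and first logs on two weeks later. A second
# account is created by a named admin and used immediately.
SAMPLE_LOG = [
    "2006-10-30 02:14:07|4720|SYSTEM|svc_backup2|",
    "2006-10-30 02:14:09|4732|SYSTEM|svc_backup2|Administrators",
    "2006-11-13 23:41:55|4624|-|svc_backup2|",
    "2006-11-01 09:05:11|4720|jsmith|tjones|",
    "2006-11-01 09:07:40|4624|-|tjones|",
]


def parse_line(line):
    """Parse one 'time|id|subject|target|group' record (constructed format)."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError("malformed record: %r" % line)
    ts, eid, subject, target, group = parts
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 int(eid), subject, target, group or None)


def review_security_log(lines, approved_accounts=frozenset()):
    """Return (kind, account, detail) alerts in event-time order.

    approved_accounts: names whose creation was expected (e.g. from a
    change ticket); they still get flagged for privileged-group membership
    and dormancy, only the bare 'new-account' alert is suppressed.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.time)
    created = {}          # account -> creation time
    seen_first_logon = set()
    alerts = []
    for ev in events:
        if ev.event_id == ACCOUNT_CREATED:
            created[ev.target] = ev.time
            if ev.target not in approved_accounts:
                alerts.append(("new-account", ev.target,
                               "created by %s at %s" % (ev.subject, ev.time)))
        elif (ev.event_id in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP)
              and ev.group in PRIVILEGED_GROUPS):
            alerts.append(("privileged-group-add", ev.target,
                           "added to %s by %s" % (ev.group, ev.subject)))
        elif (ev.event_id == LOGON_SUCCESS and ev.target in created
              and ev.target not in seen_first_logon):
            seen_first_logon.add(ev.target)
            gap = ev.time - created[ev.target]
            if gap >= DORMANCY:
                alerts.append(("dormant-then-active", ev.target,
                               "first logon %d days after creation" % gap.days))
    return alerts


if __name__ == "__main__":
    for kind, account, detail in review_security_log(SAMPLE_LOG,
                                                     approved_accounts={"tjones"}):
        print("%-22s %-12s %s" % (kind, account, detail))
```

Run as-is it prints three alerts, all for `svc_backup2`; the approved `tjones` creation is silent. In a real deployment the parser would be replaced by whatever export the collector produces, but the three rules are the point: a daily glance at exactly these events is the "boring" review that would have caught the account two weeks before the P2P client ever ran.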

More Physical Security

As I've mentioned in past posts I work for a small company and my role is multifaceted. I was hired for IT Security but that quickly morphed into managing all IT functions (if it plugs in, turns on, or looks technical it's mine), project management for new branch openings, managing facilities, and physical security. A lot of this has been trivial due to partnerships that we have had with other companies. I did little day-to-day, hands-on work in a lot of these areas. I just managed the vendors, partners and people who did the day to day. All of that is changing. The company that we partnered with that did a lot of this is parting ways with us. Come the first of February we will have brought all these things in house. Some of it will still be outsourced, but the direct responsibility for it will be on my team.

Because of the nature of our business and the location of many of our offices, physical security is a BIG deal. Prior to this job I had very little experience with physical security beyond typical IT physical security. Server room access and monitoring and such. I got this responsibility because I have a security mindset like The Mogull talks about here. Now that I'm responsible for ALL aspects I'm learning lots of new things that are being done in the realm of physical security. There is some pretty cool stuff and what is really great is the convergence of physical security and the rest of IT. We're in the middle of talks with various vendors to get all of the pieces in place prior to February and choosing the right vendor for each piece will be critical to the safety of our employees and the success of our business. Luckily my inexperience in this area is offset by my security mindset and others in the company who have been in this and similar industries for many years. They are not security experts, but they have seen and experienced lots of things that add value to my information gathering. I'm getting hints, tips and ideas from executives, hourly employees and everyone in between. It's good to know that even if most of my users don't get IT security, at least they are thinking about physical security and have something to add.

Wednesday, November 29, 2006

My Day

Michael Farnum wrote about his talk to Alert Logic. He was talking to the sales staff about what a typical SMB Security Manager's day looks like. I wish more people knew what our days look like. I especially enjoyed the maybes beside Lunch and Drive Home. I can't recall the number of times that I've missed lunch and putting my girls to bed because of work. I really don't think that most people realize all that we have to do each day. Especially those of us in the SMB world. One person working in a department such as security (and often, as in my case, one person doing most everything IT related). I'm amazed at the number of people who either email, call or come to my desk and expect me to drop everything to fix their problem. Sometimes they are justified but most times they are petty and surely don't justify me dropping everything. Yet, the user often thinks that because their mouse ball needs cleaning that I don't have anything better to do.

If Michael doesn't mind I may just post his "typical" day on my door and maybe even email it to everyone in my company. Maybe I'll get some peace and quiet then. Nah, it'll never happen.

The No's have it.

Kevin Devin writes on his blog about how we write policies that tell users what they can and can't do. When it comes to user education we often focus on the "do nots" as opposed to the "can dos". We all know that giving a list of "do nots" usually raises the curiosity level of people and often encourages them to explore the "dark side". For those of you who have kids you know what I'm talking about.

Kevin wonders what it would be like to give our users a list of things that they can do with their laptops, and portable devices, as well as any company resource. He is right in noting that it would be a longer document but it could provide some good direction for our users. I know from personal experience users often look at IT (and more lately the security team) as those "kill joys that want to control everything". Having a list of things that they can do would go a long way towards improving our reputation. Not that our reputation is important compared to keeping things secure.

Even though it may provide benefits I think that going down that road is not a good idea. Too much room for wiggle. I can see users thinking that there is an "implied" clause that allows them to do "a" because it is similar to "b". Having a clearly defined policy that sets boundaries, defines the consequences for exceeding them and is enforced is the best way to keep things in check.

Tuesday, November 28, 2006

The flash is falling, the flash is falling!!

Clement Dupuis posted a response to a message from a member about his decision to use flash for a presentation that he is offering on his site. The guy had some valid arguments as to why flash can be a danger to use. He then shot himself in the foot by spouting off his "research" into the dangers of flash. What he failed to do was review the results of his research and make sure that they were relevant to his topic.

We are all susceptible to this. We get a notion in our head and run with it. We do some quick "research" on google and declare our hypothesis as truth. Security is serious business and we all do well to take it seriously but we also need to make sure that the case we build is built on fact and not FUD. This is the kind of stuff that makes it hard to get management on our side. We play the part of Chicken Little and look like a nut case. Even if our concerns are valid we have to be smart about how we deal with them. When we rush to judgement we make bad decisions or often look like fools in making good decisions. Some say that they don't mind looking like a fool or a control freak if it keeps the network safer, but I say that you can keep it safe and keep the rest of the company from thinking that IT is a bunch of nuts at the same time. It just takes common sense.

Why don't I like the sound of this?

This article on makes my skin crawl. I know it's not new information but it just doesn't sit well with me. They say that due to the fact that the microphones are 3 to 4 meters off the ground they can't pick up normal conversations, but we all know that it won't take much to change that. These are the things that are slowly stealing our privacy and rights.

Trouble waiting to happen?

Here is a really good idea that I'm afraid has the potential to go really bad. This is open source software that basically sets up a Tor-type network to allow people to anonymously connect to the web from countries that restrict what users can do on the internet. What scares me about this (I only know what I read so maybe I'm way off base) is that since it is open source it possibly could be modified by someone with less than good intentions to do all sorts of bad things. Turning the machines that connect to the "bad" server into spam bots, infecting them with trojans and other malware, decrypting the session and stealing personal data. There is a long list of possibilities.

Did you forget something?

I hope everyone had a great Thanksgiving and got plenty of rest for the year end nightmare that we call IT Security. I know for me it's gonna be a wild, fast ride. has a pretty interesting article The 10 Most Overlooked Aspects of Security. It also fits pretty well with my post last week What I Worry About. Most of it is common sense things that are often overlooked either by accident or by someone who is inexperienced or lazy, but it's good to be reminded from time to time about things that can slip past our radar. One of the things that I like about this article is that each of the 10 items has a page to themselves with a little more detail and even some tips on how to prevent and reduce the impact of these items. It's not a thesis on security but it's pretty good reading to keep you on your toes.

Wednesday, November 22, 2006

I Won

I just finished one of the most draining things of my career. As I have mentioned we are making BIG changes at work and part of that involves bringing our WAN infrastructure under our control instead of an outside entity. There was a fight to let our telco manage the whole thing versus having it brought in house. I wanted in house for several reasons and fought long and hard to convince management that it was worth it. We looked at numbers, pros, cons, scenario A - Z of what could go right or wrong. Just when we thought that one side was going to win something would change or a new pro or con would come up that gave new life to the other side's argument. It was mentally draining and consumed way too much time. Well we finally reached a decision today and my argument prevailed. I was able to convince all of the parties that it was best to bring it in house.

Having the telco manage it tied our hands. We would not have access to the routers and any changes that we wanted to make would have to be submitted to them for review and approval. That could take several days. We currently do have some hosted services at a CoLo and there have been 3 different times when the translation table on the PIX firewall got corrupted and it caused all incoming traffic to our server to be dropped. That doesn't work well when you have customers that use that server to conduct business. All three times I called the help desk and told them what was wrong and what needed to be done to correct the problem. It took them 4 hours each time to fix it. That is 4 hours of down time that we really didn't need. That argument worked in my favor in getting this brought in house.

Anyway, I'm happy now.

Hope Y'all have a great Thanksgiving.

Tuesday, November 21, 2006

Fast Security

I'm playing catchup before getting behind with the holidays so I'm posting more than usual today. Plus there is just more out there that is catching my attention today. Like this post from Richard Bejtlich of TaoSecurity. Someone sent him an email asking Richard to impart all of his security wisdom in a quick and simple format. Maybe this guy is a fast learner and could glean all of Richard's knowledge in record time. Probably not though. In all likelihood this guy is probably an executive who really thinks that security is that quick and easy. Just kidding, but it does seem that upper management thinks that we can work miracles.

I've been in IT for 10 years and doing Security for 6 of them. I've read books, attended classes, played with various technologies and such for much of that time and I still am not where I want to be in my skills or knowledge. It seems like I always see someone that knows much more than me. But I keep plugging along learning what I can as I go. I'll be glad to help this guy or anyone else who really wants to learn security (not that I could teach nearly as much as Richard), but there is one condition. They have to realize that it takes work, discipline, lots of time and there are NO shortcuts.

Link to StillSecure, After All These Years: Is IPv6 in your future? If so, when?

Alan Shimel asks if IPv6 is in my future. As a small shop I know that v6 is a long, long, long way off. We have no compelling business reason to convert. It is my bet that most companies will hold off until they are forced to convert. Until it gets to the point that business is hampered by staying with v4 most companies will stay there. Converting is going to cost lots of money and require lots of testing. You have to have people on staff who understand v6 and who can troubleshoot it. As with most things the market will dictate how quickly something is adopted. As long as most companies have no need for it then it will be slow in coming. The Federal Government is forcing the change on some and that will speed it up somewhat, but it's still years away.

The right bait

I often get phishing emails. They don't bother me because I'm aware of them and I'm very careful before clicking on links. Every now and then I get one that catches my attention and I check into it a little further before declaring it a phish. This morning I got one that made my heart beat a little faster and made me quickly check my PayPal account. Below is the text of the email.

You have added as a new email address for
your PayPal account.

If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service at:

Thank you for using PayPal!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and choose
the "Help" link in the header of any page.

                     PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape)
and typing in the PayPal URL every time you log in to your account.


PayPal Email ID PP0018


What really scared me about this is that it came to the email account that I have registered with PayPal. Most of the phishing emails I get don't come to the address that I have registered with the site in question, or if they do the email is so obviously fake that I know it right away. It didn't take too much investigation to discover that the link is redirected to somewhere in the Asia/Pacific rim but it still gave a little jump to my blood pressure. I can't imagine what I would have done if I was the typical uninformed user. I hate to think that I would have just opened up my PayPal account to Joe Hacker. Even after confirming that it was a phish I still logged in to PayPal to make sure. I still had a sinking feeling that I had been compromised. I need to go take a shower. This makes me feel violated.
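The "little investigation" that exposed the link can be written down as a check. The script below is an added example, not part of the original post: it parses an HTML mail body, collects every anchor, and flags a link when the host it points at is not under a trusted domain or when the visible link text is itself a URL or hostname that disagrees with the real target. The sample body is constructed to mirror the email above; the bogus host under the reserved `.invalid` TLD and the `TRUSTED_SUFFIXES` list are assumptions for the example.

```python
"""Flag mismatched or off-domain links in an HTML email body
(added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts a genuine PayPal notice may link to.
TRUSTED_SUFFIXES = ("paypal.com",)

# Constructed sample body: the visible text claims paypal.com, the href does not.
SAMPLE_EMAIL_HTML = """
<p>If you did not authorize this change or if you need assistance with your
account, please contact PayPal customer service at:
<a href="http://www.paypal.com.account-verify.invalid/cgi-bin/webscr">https://www.paypal.com/</a></p>
<p>For assistance, log in to your PayPal account and choose the
<a href="https://www.paypal.com/help">Help</a> link in the header of any page.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare host string ('' if none)."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def is_trusted(host):
    """True when host is exactly a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(html):
    """Return [(href, [reasons])] for links that fail either check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if not is_trusted(target):
            reasons.append("host %r is not under a trusted domain" % target)
        # Only compare when the visible text looks like a URL or hostname.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            reasons.append("visible text %r does not match real host %r"
                           % (text, target))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

The first check catches the common look-alike trick of prefixing the real brand to a different domain (`www.paypal.com.` followed by something else still ends in the attacker's domain, not in `.paypal.com`); the second catches the display-text-versus-href mismatch that a mail client hides until you hover. Neither check needs a network call, which is the point: the fetch that revealed the Asia/Pacific redirect is exactly the step a cautious reader should not have to take.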

Data Backup and Recovery

The Mogull wrote a blog post about a valuable but mostly unwanted Christmas gift yesterday. His recommendation was a reliable and easy backup system for home PCs. Not a bad idea. Actually it's a pretty good gift idea. I can't count the number of times that I've had either friends, family, coworkers, or clients call me and say with a tremble in their voice that their system crashed and won't come back up. Many times the hard drive was wasted and all of their data, and often memories, was lost. A good backup system would have saved a lot of heartache. Especially since more and more we are storing everything on our PCs. Tax returns, pictures, work documents, etc... Obviously a backup isn't foolproof. It has its weaknesses. It's often hard to use and it's still vulnerable to defective drives, bad backups, and disasters that may befall your home. Other options are online backup services. I'm not crazy about these myself because of the fact that you are storing possibly valuable personal information about yourself on a stranger's server. If you choose this option make sure you use a reputable service.

One other thing that I have found useful is having good data recovery tools at your disposal for those times when you receive those calls from friends and family. I know these often aren't cheap, but they can save a lot of pain for those who have no backup. My personal favorite is SpinRite by Steve Gibson of GRC and the SecurityNow! netcast. I have used it many times to recover data and bring "dead" PCs back to life.

Finding the right gift for those on our list who are heavy PC users is often an easy task. Think smart instead of easy. A fun PC game or toy is nice, but it's not much good if your system dies and all your data is lost.

Monday, November 20, 2006

What I Worry About

As the primary IT guy and security guru for my company I have lots to worry about. I don't worry about my data circuits, my servers (too much), my routers or firewalls (unless I need support for my Barracuda). I don't worry about most of these things.

What I do worry about is security. What "evil" is lurking out there trying to ruin my day and get at my data. I worry about viruses, worms, trojans, rootkits and keystroke loggers. I worry about remote users who are at WiFi hotspots while I'm waiting on the vendor to fix a driver vulnerability. I worry about someone sniffing my wireless and getting on it and thus gaining access to my network. I worry about who it was that left FTP open on my firewall all weekend (since no one remembers doing it). I worry about home users using their laptop from home to connect to the VPN while "hitching a ride" on their neighbor's unsecured wireless. I worry about all the IM traffic that crosses my network (especially the user who practices IM sex). I worry about the users who have USB thumb drives and iPods connected to their machine. I worry about the users who have local admin rights on their machine because some program that they use requires it. I worry about spammers and phishers and users who click on links and attachments.

That's enough to drive any security nut even nuttier. That was how my IT life was, but luckily it has and is changing. It's still not perfect. The tools are slowly getting put in place to reduce or eliminate these things and hopefully make my life easier. But until then I worry............

More woes of small shop IT and our struggle to make it through the day.

The Big Question

Michael Farnum of The Information Security Place blog wrote a post about the pros and cons of being either a generalist or a specialist when it comes to IT. This is the big question facing most people when they decide on going into IT. I know that for myself I often struggle with this question even after 10 years in IT. Just in case that comment didn't give it away I consider myself a generalist with a strong foundation in Security.

When I first got into IT I considered programming. Then I figured out that I don't think like a programmer. Then I went down the Novell path because that is what my employer wanted. Then I moved into the world of NT and decided that becoming an MCSE and an MCT was the way. Then I discovered that there really was a use for all the OSI stuff that I had to learn and realized that some really exciting stuff could be done in the world of Cisco. That's when I discovered security. Ever since then I have focused my energies on Security and learning more and more about how to keep my systems safe and teach others how to do the same.

I guess being a specialist is my desire, but being a generalist has been my lot in IT. As I have gone from place to place I have never really been able to focus solely on security because I've always been with smaller companies. I like that in many ways because it keeps variety in my job, keeps me up on other areas of IT besides security and helps me see how security fits into other areas that I might miss otherwise.

I think that someone coming into IT should spend a few years as a generalist just so they get a good foundation in different technologies and then, as they mature, focus on where their passion is. If it's programming, security, networking, DBA, whatever it is, do it with all you have.

Friday, November 17, 2006

The Physical Part of Security

One of the unique and sometimes exciting parts of working for a small company is that you often get to do things that don't fall under your normal duties. For me that means that I do a lot of things that are not IT or Security related and often some things that I really don't want to do. But I do get to do a fair amount of Project Management. Both IT related and non-IT related.

Today I did something that falls under the unrelated, yet it still relates. I did a site survey of a new location but my primary concern was physical security. I was looking at things such as lighting, ingress and egress points into the building, building materials used on both external and internal walls, ceiling and crawlspace access, objects that could obstruct the view or easily hide someone, etc... Those of you who have taken the CISSP test or who are studying for it are at least a little familiar with these issues because they are covered on the test.

Physical security has been a part of my job since my early days with the company, but it always focused on video, alarms and locks. This was a new area for me and it was pretty cool getting to put my training to work. I don't think I would want to do it for a living, but something new always brings a sense of adventure.

Thursday, November 16, 2006

Barracuda Update

Yesterday was another interesting day with my Barracuda Spam firewall. When I got in the office I went to check everything out and discovered that there was still a small problem or two. I had already planned to call them back to "discuss" the support issues that I had. I placed my 3rd call in less than 24 hours and told the lady that answered the phone that it would be highly appreciated if she put me in touch with a tech immediately and briefly explained my frustration. A tech was on the line in less than 5 minutes. I explained to him the issues that I had been experiencing and he started troubleshooting. He needed to access my system via ssh and asked me to enable the connection. He was unable to connect and told me that they were having issues on their end and would call me back once they were resolved.

About 4 hours went by and I received another call. Once he was able to connect to the system he then asked me to explain what was happening. (At this time the "Block Fake Sender Domain" option was blocking all incoming messages when I turned it on.) He told me that this was the way it was supposed to work. I told him that blocking all incoming email was not a good feature and suggested that they change it. He then started to argue with me about the merit of doing this. Then he realized that he was thinking about the feature that blocks "spoofed" addresses. Being rude rarely pays in the end.

The issue was finally resolved so that all functions of the system work as they should and I'm again happy with the performance of the Barracuda. I'm still not happy with their support. There is a lot of room for improvement. I also still need to call and talk with someone who has some clout about all of this. I did not "light into" either the call screener or the tech. They are not the problem (except the tech being rude). I will clear all of this up with someone at a higher level.

Now a quick word in defense of Barracuda. I had several people comment saying things such as "that's what you get for buying crap" and then they recommended another product. Sounds like a sales guy. :) Rothman also made some good comments on his "Rant" about why he thinks Barracuda support is what it is. I realize that Barracuda may not be the best product out there. We bought it because it did what we needed and it was within our budget. It has served us well for the most part and as long as I don't have to call support I'm happy. It also turns out that the problem was never really with the Barracuda itself. Some DNS servers went offline, and as the box did reverse DNS lookups and other DNS-related functions, they all failed. Once I changed the DNS entries it started working flawlessly. All that said, now that I have a bigger budget to work with I still will work to get it replaced soon. I don't care how good a product is, if support stinks I can't live with it.

Wednesday, November 15, 2006

Legal Lies

I'm not a big fan of government getting involved in our daily lives beyond the basics of what is needed to keep us safe and secure. But stories like this put a smile on my face. :)

Just as government needs to do what is required of it and then leave it up to us, businesses need to do what they say they will do and make sure that they tell us what they are doing. If as a Security Professional I tell my employer (or potential employer) that I will do this and that then that is what I should do. I don't go behind their backs and read emails, modify documents, sell company secrets or install unauthorized software. In the same way when I, as a consumer, install software on my computer that is obtained from a "legitimate" company (meaning one that is out to make a profit either by selling its products or advertising) then they should tell me up front, in a way that is clear and easy to find, exactly what this software will do to my PC. If it will install additional software let me know. If it will "phone home" let me know. If it will collect data on my web surfing habits let me know. If it is going to download updates or other software let me know. This crap about hiding things in the EULA and installing things that are not needed or wanted is WRONG!

People are screaming because they say America is headed in the wrong direction because of this political party or that political party. America is headed in the wrong direction because we participate in unethical business practices such as this. We allow these companies to do what they want because they hid a clause deep in a EULA that can't be understood by the average person even if it is read. We require food companies to clearly explain what is in their products that will hurt or help us, but we allow software companies to legally mislead and lie to us.

Then there is the whole notion of the security risk that the "unknown" and unwanted software can cause. If legally obtained software is collecting info and sending it home how am I to know that my financial transactions are secure or that it's not collecting things that it isn't meant to collect. We all know that software can do unexpected things and we can't rely on the companies to do the right thing if they discover that private data is "accidentally" being collected. After all they lied to us, or at least made it very difficult for us to know the truth, in the beginning. Not to mention the studies that show how unethical IT pros are now. Fred the Admin may be using your SSN or Credit Card right now.

When I buy a computer with my money and install legally obtained software (commercial or freeware) I feel that I have the right to know exactly what is going on my computer and I should be able to do it without a law degree.

That's my opinion and I welcome yours.

Poor Tech Support

It's been 17 hours since my Barracuda Spam Firewall went haywire. It started rejecting all incoming mail saying that it was from a fake sender domain. I went into the configuration and turned off that option and it quit rejecting mail based on that reason. It still rejected the mail only now it changed the reason to "intent" and the intent varied from things such as the domain name, a domain name that wasn't even associated with the message, the message had a signature, the message didn't have a signature, it really didn't matter it just rejected the message.

I've been in IT for 10 years now and I've been on both ends of the tech support issue. I've worked in Tech Support for a vendor and I've been an end user needing tech support. I've worked with some companies that had excellent tech support and some that had lousy tech support. I must say that Barracuda Networks has some of the worst tech support I've ever encountered. It's not that they didn't work with me to resolve the issue or that the tech was untrained or unqualified or didn't speak English well. I have no idea how qualified or linguistically talented they are because they didn't see fit to ever call me back.

I called in the problem and was told that it was listed as the highest priority and that I would receive a call back within an hour. That didn't make me very happy, but I was willing to live with an hour. Two hours later I called them back to follow up and was told that they would call back within an hour. I explained that I had already been told that two hours ago and I continued to wait patiently.

By this time I had already done some basic troubleshooting of the box myself. It receives what they call "energizer updates" daily. I knew that it had received a new one that day and assumed that it was the problem, so I used the option to "roll back" to the previous update to see if that would solve the problem. It didn't. I also turned off most everything that causes it to block spam, using the theory that spam with regular email was better than no email at all. That also didn't work. I didn't want to do much more than that because I didn't want them to point back at me and say that it was my fault. So I waited, and waited, and waited. I'm still waiting. My email is working now. I eventually got tired of waiting and did several more things that ended up fixing the problem. Now I don't know exactly what happened or why it happened and I'm not happy. My theory is that if you are paying a company for their product and ongoing support then you should at least get support, and being down several hours and not receiving a call back is not support. Their web site claims 24/7 support. Maybe that's what it is. They will call you back sometime between 24 hours and 7 days.

Needless to say I am not happy. There is no excuse for lousy tech support. There is too much competition out there for my dollars and I have a feeling that Barracuda Networks won't be getting many more of mine.

Monday, November 13, 2006

Thank A Vet

Saturday was Veterans Day. I encourage all of you to say "Thank You" to those who sacrificed for our country. Whether you agree with war or not if it were not for those who were willing to fight for our freedoms we would not have the freedoms that we have today.

I would like to say Thanks to those of you who served our country. I know that you did not get the recognition or money that you deserved. I am truly thankful for all that you have done.

If you see some of our current military men and women stop and thank them for what they are doing. Buy them a cup of coffee or a tank of gas if the opportunity arises. They will appreciate it.

Friday, November 10, 2006

Here is the link to Martin McKeay's post that I couldn't find earlier.

Small Business IT

InformationWeek has an article about a survey that reveals that a lot of small businesses leave data vulnerable. A lot of the survey respondents have no real data recovery plan in place for data stored on desktops and laptops. Many of those who do have a plan are still storing the data in ways that leave it vulnerable to loss and possible misuse.

What really caught my eye about this is this quote by Kiyoshi Maeda, Verio president and CEO: "Given the affordability and easy deployment of some of today's PC data backup and recovery solutions, it's surprising that such a large number of small businesses leave their data exposed and at risk." Obviously he has never owned or worked for a small company. There are many, many, many companies out there who can barely afford what little technology they have. They have no IT staff or their IT person is whoever could spell PC when they first got computers in the office.

When I did my stint as a consultant I spent lots and lots of time talking with small businesses who needed the services provided by my company but could only afford an hour or two a month. And our rates were VERY cheap compared to major metro areas of the country. When we did get into many of these companies to help them out we ran into all sorts of issues related to old equipment, expired support contracts and subscription services for AV and such. Getting these companies up to a decent level of usability was often a very slow process as they could not afford to spend money to buy what was needed. When they did it was often in small chunks here and there.

A couple of weeks ago Martin McKeay posted (sorry about not linking, I can't find it on his site) about the NAC debate being almost not worth his time keeping up on because his company couldn't afford a NAC solution. He said that they were lucky to keep what they had up to date with support contracts and such. This is what much of small business America faces. It doesn't matter how cheap or easy technology is to use if you can barely afford to pay normal bills. I know it may be cheaper than the loss incurred due to a virus, data loss, network failure, etc... but that is just the reality of how many businesses have to live.

Wednesday, November 08, 2006

Vendor Selection

As I've mentioned before there are a lot of changes taking place where I work. Many of those changes involve us doing things for ourselves that have been done for us in the past. So I've spent a lot of time meeting with vendors lately. As we have gone through the process of meeting with various vendors to either provide a product or service I've been pretty impressed with most of those we have met with. The FUD has been kept to a minimum (contrary to my post a few months ago) and the meetings have been productive for the most part.

We have to get 3 bids for most of these projects so at times we talk to several vendors and then narrow our list to the top 3 or 4 to actually invite to submit a bid. We did just this with one service that we needed and a couple of weeks ago I sent an RFP to the 3 selected vendors. Then early last week I received a bid from one of the vendors that had NOT been selected. At first I didn't think much about it because that stuff happens. But then it hit me that the bid included my internal RFP document that I had created and maintained control over. No one else in my company even had a copy of it. I quickly checked my sent items box to make sure that I had not sent it to the wrong vendor and I hadn't. Then I checked my Exchange logs and other audit logs to see if someone else in my company got a hold of it and sent it out. No evidence of it anywhere. Next I called the vendor to see where they got the document. The guy I had been dealing with there was out of the country until the end of this week and no one else knew anything.

That leaves only 2 options that I can see (if anyone else sees any others please let me know). Either the email was intercepted after it left my Exchange box or one of the 3 chosen vendors shared it with this other company. The first I can live with (like it or not). The second does not sit well with me. Well, I sent the vendors a letter outlining the situation and asking them to do an internal investigation. Two of them have called back very concerned and with unequivocal denials that it happened by anyone within their company. No response from the third. Are they still investigating or is their silence convicting them?

I doubt that it came from any one of the actual sales people or their trusted group that helps them put together a proposal, but maybe someone a little farther down the food chain who stands to make a few bucks from a "friend" if the other company actually gets the contract. Who knows. I do know that the 4th company is still not in the running. Their price was much lower, but I think that I would be getting what I paid for and that is not what I need.

If anyone has any thoughts on this or if something similar has happened to you please write me and let me know. This is a first for me and I'd love to know how others handled it.

Tuesday, November 07, 2006

Voting on Diebold Machines

I voted today on a Diebold DRE Voting machine. I've voted on the same one in the past, but this time I paid close attention to the whole process. It was quick and painless. After I had completed the ballot I reviewed my selections to ensure that what it said it was going to register was what I really wanted. After feeling confident that I was going to cast the ballot that I desired to, I pressed the "Cast Ballot" button and away it went. Of course I have no idea what happened to it after that. It may have been intercepted by a malicious politician or someone from the Taliban who wants to ensure that democracy is thwarted. More than likely it was cast just as I voted, but ......

Sorry for the cynical comments, I know that this is a very serious subject that has to be addressed VERY soon. I have even gone on record with a few unflattering comments on the whole issue, especially in regard to the Diebold machines. Those who have taken this up as their call to arms need to continue to get the news out and the rest of us need to do the same. Those in a position to affect this directly, either through policy or whatever, need to do all in their power to ensure that things get done right. We need to pressure the politicians to enact regulations that have teeth and pressure the manufacturers of the machines to do all the right things in regards to security and auditing.

I have faith that this will eventually have a happy ending. Even Hansel and Gretel had to go through some tough times prior to their happy ending.

Go Vote

Today is election day and ALL of us need to go vote. It doesn't matter who you vote for as long as you vote. Too many people fought too hard and gave up too much for us to sit around and ignore our rights and responsibilities. Elections, at any level, are important and deserve our full attention and participation.

As Americans we love our rights and freedoms. Don't let them disappear because you chose not to participate.

Remember, with freedom comes responsibility.

Friday, November 03, 2006

Careful who you trust

Just a personal story of how even those of us who are Security Pros can let our guard down and do the very thing that we keep telling others not to do. I want to stress that I am not suggesting that this was a malicious act. It was just a "freak" coincidence that teaches a good lesson.

Yesterday I sent Martin McKeay a personal email asking him a question about PCI compliance. I know that in addition to being "Captain Privacy", as Shimel calls him, he is very knowledgeable about PCI. A little while later he replied to my email and included a link to a website that he recommended I check out (you know where this is going now don't you).

I hate to admit it but I did click on the link without any hesitation or checking to make sure it was legitimate. After all Martin is a trusted Security Pro and I have had some contact with him over the last few months regarding the CISSP test and such. I've given him my thoughts and kudos on his podcast a few times. I had no reason not to trust him. Yet I really don't know him so I should have been more careful. Haven't we all heard similar excuses from our users?

What was really scary about this incident though is that the site that he sent me to has a pdf on it that I needed to download and read. As soon as I clicked on the pdf link FireFox crashed. :( My heart sank and I felt like such a loser. I immediately isolated my laptop from the rest of the network and spent quite a while checking to make sure that I had not been compromised. After I was convinced that all was OK I went back to the site and downloaded the pdf and quickly became despondent because it told me just how much extra work was going to be required for me on the compliance side.

But all is well. Martin is not a hacker in hiding. :) His help was GREATLY appreciated. I just wish that I had been a little more careful. Crow doesn't taste too good. At least most of my users don't read my blog.

Wednesday, November 01, 2006

Imagine That

Someone using a file sharing app to steal personal data. I just can't believe that would happen. :)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.