Security's Everyman

Security's Everyman

Tuesday, October 31, 2006

A Few Quick Thoughts

Just a few posts and articles that I saved over the last few days.

GOOD READS

F-Secure post on selling domain names. Pretty clever on the part of the bad guys. We need to get the word out to others to pay careful attention to what is actually in the address bar. We may not get everyone to check certificates but this is a quick and easy check.

Another good F-Secure Post related to the one above. Having more TLD's that are specific to industry would help cut down on successful phishsing.

Here is a good article that Michael Farnum wrote for ComputerWorld about the debate between much of the blogsphere (too many to list) on Zero Day vs. Less than Zero Day exploits. I've got thoughts on the whole thing, but I'm tired of reading about it and don't want to add to the fray. That goodness it is slowing down.

Bruce Schneier points us to a good write up on a better voting machine. They still have a long way to go, but I think that the right technology implemented in the right way will make voting secure and reliable. It's far from there now. If it were up to me I would pull ALL electronic voting machines for this election and go back to punch cards.

Here is 2 cents of my input on the Risk Management debate going on. I'm linking to The Mogulls post but I would recommend reading the others that he links to. Hopefully I'll get a chance to put the other 98 cents in later. I like this topic. Risk Management can't be something that is accomplished by any one group be it management or IT staff. It does take a concerted effort by many different departments in order to do it effectively. You can't expect Management to understand how to implement the technology or even to know what technology to implement. Nor can you expect IT to understand how to come to an understanding of the what and why of Risk Management. I know that many in IT do understand, but they are a small percentage of IT as a whole.

That's all for now. I'll be with vendors all day tomorrow so you may not hear from me for a couple of days.

Rethinking Security

Things at work are getting very hectic. Some major changes have caused us to stop and shift direction in many areas and rethink where we are going, how we are getting there and what we will do once we are there.  To make things worse management has moved a deadline up by about 5 weeks while increasing the amount of work required to reach the deadline. This isn't a "soft" deadline either. It's meet it or hit the road. If for some reason this deadline isn't met we would not be able to conduct business until ALL of the items on the list are complete.

In the process of this we are having to rethink how we do security. How it impacts us in day to day business, how threats and vulnerabilities will be dealt with and how we will respond if a breach occurs. In some ways things will be easier in the long run simply because we will not be as heavily regulated as we would be before the changes were announced. The down side of that is that the lack of regulation has already put some members of management into the mindset that security won't be as important as it should be.

My overall goal in all of this is to meet the deadline obviously, but also to impact how security is viewed by the organization as a whole. The right people have to be "shown the light" in regards to seeing that security will have a big impact on how we do business whether or not we are required to monitor, log, or report specific items.

Most people view security still as being simplistic things such as keeping AV up to date and installing a firewall. They don't see the importance of multiple layers of security and how event A can point you to event B which shows a weakness or a breach. Not only that users still don't see how seemingly simple things such as running Skype on their systems can be a problem or how putting their PDA on the wireless is dangerous. They want to be able to go where they want to go on the Internet, hook up to any wireless that will let them, install any program that they deem necessary or fun and still have unfettered access to company resources.

Security has to be rethought from not only those of us who implement it but from those who recommend it and the end user. The digital world is a dangerous place and we have all got to be prepared for it. Part of that means that as Security Professionals we have to come out from behind our firewalls and work with management and end users to make them understand the whys and wherefores of what we do. We can't continue to hide behind our server room doors and make fun of "stupid users". Part of the reason they are stupid is because we have not done our part to educate them.

The changes that are coming at work will have major impact on me and all of my users. Now I have a decision to make, will I lock them down and tell them to "shut up and  go color" or will I work to make sure that they are on my team in keeping everything secure?

Friday, October 27, 2006

Hiding in public places

I have a friend who is in hiding, sort of. He is hiding from a bad relationship and has left the state. He left because his new spouse lives and works in another state, but he was glad to leave the state. He was really worried about the ex. Of course I know where he is because we keep in touch. From time to time I do various web based searches to see if I can find him and up till recently I was unable to locate him on the web. Pretty good considering how easy it is to find most anything on anybody.

Well the other day I was on MySpace (I know, but I have a brother in law in the military and he won't communicate any other way) and I decided to look up a couple of friends. As I was looking at some of their friends who do I see but my hiding friend. Right there in plain view for all the world to see. His name and location were all faked, but you can't hide your face on a picture. Again I had to go back to my "I just don't understand". All that work to hide and he was hiding in public. Needless to say I got in touch with him and informed him that he had been found and that he probably should put up a different picture.

Drug Dealer Found w/ Nuclear Weapon Data

This article from Techworld.com points out the ever continuing struggle security professionals face in securing data. We all know that it's impossible to secure everything to the point that we would like it. That is why we do Risk Analysis and then determine what we will protect and how we will protect it. It would be comforting to know that data that is classified as "Secret Restricted Data" is secured to the point that it can't be stolen, but it doesn't seem that is possible either.

Thursday, October 26, 2006

Rich Unknown Relatives

I can't tell you how many times I've received emails telling me about the death of a long lost relative or someone who could have been. It' amazing how many Willinghams that live over seas were rich and died with no known family. I'm just so lucky that the executor or their estate found me so I can become rich. Well me and the executor. Why is it that he or she gets more money than I do?

I bring this up because the other day I received a new phishing email. It's similar to the ones mentioned above. I'm sure all of us have gotten them. I'm just amazed that people actually fall for them, but this new one I got is pretty slick. I'm including the body just because it's so good.

Dear Friend,

I'm happy to inform you about my success in getting those funds transferred under the cooperation of a new partner from paraguay . Presently I'm in paraguay for investment projects with my own share of the total sum. Meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.
Now contact my secretary in nigeria, her name is VIVIAN OBASI on vivian_obasi1_1@myway.com ask her to send you the total of $450.000.00 which I kept for your compensation for all the past efforts and attempts to assist me in this matter in the past. I appreciated your efforts at that time very much.So feel free and get in touch with my secretary VIVIAN OBASI and instruct her where to send the amount to you.
Please do let me know immediately you receive it so that we can share the joy after all the sufferness at that time. In the moment, I’m very busy here because of the investment projects which me and the new partner are having at hand.Finally, remember that I had forwarded instruction to the secretary on your behalf to receive that money, so feel free to get in touch with VIVIAN OBASI she will send the amount to you without any delay.
Regards,
sanetor John E Williams Esq

How many people that have received the rich, familyless, dead guy email and didn't fall for it will fall for this? Even if you don't believe the first one this one is almost too easy not to follow through on. Pretty slick.

Wednesday, October 25, 2006

Security-Go-Round

This article on DarkReading.com brings up some interesting fodder for thought. Security professionals realize that technology just isn't doing the job when it comes to protecting our resources so we should focus more on user training. But wait, we learned long ago that user training was a waste of time in many cases. So we spent more money on technology that isn't doing the job. Now we hire more security professionals to help but there aren't enough good security pros out there. Now we are left with entrusting our junior guys with the task of securing our networks. But they don't have the skills so we have to get them trained and certified. And it keeps going round and round.

There is good news in all of this.

  1. We improve the security awareness of the end users (I can dream can't I).
  2. We improve the technology.
  3. We improve the security of the company through implementing 1 and 2.
  4. We improve the skills of those who are in the field.
  5. We improve ourselves by getting better positions in the field.
  6. We improve each other by sharing what we have learned via blogging, podcast, etc..
This is all part of the cycle of how this world works. We can make the best out of it and improve or we can let it run us over and lose ground. I know that I only looked at the "bright" side of this but I'm in a good mood this morning and didn't want to start off with a negative post. This cycle reminds me of one of my favorite songs by Dan Fogelberg that has a similar theme. In it he says:
The higher you climb, the more that you see
The more that you see, the less that you know
The less that you know, the more that you yearn
The more that you yearn, the higher you climb.

Tuesday, October 24, 2006

Reactionary Security

Isn't it just like the government to rush out a multimillion dollar "security" project because it is reacting to something. This article from ComputerWorld outlines how the TSA is basically rushing out a ID card that has not been fully tested and the main reason is because they are under pressure to get something out. Apparently rolling out the appropriate solution isn't necessary. Just get something out so it looks like we are on top of things.

This quote seems to sum up the attitude of those pushing to get this implemented. "Moving quickly to implement the TWIC program 'without developing and testing solutions to identified problems to ensure that they work effectively could lead to further problems, increased costs and program delays without achieving the program's intended goals,' the GAO said."

Apparently ensuring that taxpayer money is spent in the best manner isn't high on the list here. I wouldn't mind extra money being spent if it was going to do some good, but to blatently push a so called security objective before it's time is stupid.

Maybe this is the same group that screwed up configuring all thoser DNS servers we heard about a few weeks back.

Novell Virus

Now there are 2 words you don't often see together. As I've said before I started out in the IT world using OS/2 and Novell and this is the first time I can remember seeing a virus that targeted Novell. I know that there have been some, but I don't remember them. I received my copy of the SANS @Risk Security vulnerability report last night and this was the top story. In my mind this says something about what the bad guys are wanting to do. Just like with Apple, it's not that Novell is so much safer than Microsoft it's that it wasn't being targeted. Smaller user base less potential for impact. Now that the motive is profit rather than impact everything is fair game.

I also am guilty of ignoring things that don't directly impact me at times. This is true when I review this newsletter each week. If it applies to me I check it out. If not I let it pass. Probably not the wisest thing to do. Why? Because that leads to apathy and laziness. I need to keep up with security as a whole not just my little corner of it. If I plan on advancing my career past where it's currently at I need to focus on my goals and areas of responsibility while at the same time keeping an eye out on everything else that is going on. If not I'll get left behind.

A Strong Foundation

A friend called me the other day with a concern and complaint. Here is the jest of what he said.

Everyday I work hard to ensure that my company network is as secure as possible. Currently we don't have much in place in the way of formal policies. Thankfully that is in the process of changing. What we do have is loosely defined and rarely enforced. Since I hold the responsibility of ensuring the 3 A's of Security are all there I have implemented my own policies. I enforce them and update them as I see fit. I often get accused of being on a power trip, but that's OK. I know why I do what I do. It's because I see that as being my reason for being hired by the company.

That being said I obviously can't enforce these "policies" on all users. I still have to answer to those in authority over me. That is where the frustration factor comes in. What good does it do to work hard to lock most all the doors and windows to my network when you have to leave a side door open so that certain users can do as they please? Why not just put up a firewall, install AV, setup a patch server and walk away? Spend the rest of your time cleaning monitor screens and mouse balls.

Management needs to realize that when you leave a door open the bad guys will find it. One rogue user (intentional or unintentional) is all it takes. It's hard enough to keep the rogue users out without giving "special" users permission to be rogue. Management thinks that since we currently don't have to comply with regulations (meaning SOX, GLBA, etc) that we are OK for now. Once we have to start complying we will change.

Now for my 2 cents. That makes about as much sense as saying that I currently don't have termites (this analogy works well in the south) so I don't need to protect against them. Once I have them I will start getting treatment. A network that is left open will be compromised and once you start complying with regulations the problems will still be there. They are not going to magically go away just because you put in a few controls and implemented policies. Unless this company plans on starting completely from scratch they will be starting with a compromised network most likely. Those few machines that have been left open will still be compromised after they are locked down. Locking down a machine will not prevent a well planned piece of malware from doing it's job. The lockdown is designed to keep it off your system not to keep it from doing damage once it's there (mostly).

Just as in building a building you have to start with a strong foundation. Too often the foundation of a companies network is weak and rotting. Once it's in place it's almost impossible to rebuild it. All you can do is shore it up. Work hard to convince management that security has to be a priority and has to apply to everyone whether regulations require it or not.

Saturday, October 21, 2006

Week in Review

It's Saturday afternoon and I've got a lot of catching up to do. With vacation and sick servers at work I've had very little time for blogging. I saved my favorite stories from the week and hope to catch up on them now.

PRIVACY CONCERNS (or lack of concern)

I've started reading the series on Privacy on MSNBC that Martin McKeay recommends. I've only read a few paragraphs and it's already making me sick, angry and scared. There are 9 different articles on this and I've only skimmed a few of them. I'm sure once I've digested them I'll have more to say.

Martin also points out a good article on Identity Theft protection here.

 

MICROSOFT NEWS

It seems that many people couldn't wait for the first security flaw to be found in IE 7. It had only been out 24 hours when the news was full of reports of the first reported flaw. They did sort of get vindicated because the flaw was not in IE 7 but in Outlook Express.

I almost feel bad for MS because the whole world almost expected it. Of course there are going to be flaws found. It happens in ALL software not just MS software. I know that they have had a pretty rough track record but the wolves just couldn't wait to jump on them.

Then when they do finally come out with some serious security practices there are those who complain about that. I wrote about not liking the idea of having MS being in charge of my AV and security as well as the OS. As I've read more about their PatchGuard technology in the 64bit version of Vista I'm not so sure that I wouldn't like it in all versions. If it really keeps software from hooking into the kernel then that will stop a lot of malware that we deal with today. Symantec, McAfee and others who want access to it don't seem to realize (actually they do, they just know that the end of malware puts a big hit on their bottom line) that if they get to hook then so will the bad guys. I'm sure that before this all gets ironed out security will be reduced and/or the bad guys will find a way around this and we will still have more to do than we can handle. Job security at it's finest.

It's also good to see that I'm not the only one who is confused on this subject. Pete Lindstrom of the spire security blog has a good post that links to other writeups on this.

 

GOING BEYOND THE BASICS

I've written before about how I feel strongly that our job as Security Professionals it to know more than the technology behind what we do. We need to know the reasons behind why a technology will or will not help our company meet it's business objectives. We need to understand business process as well as technology. We also need to understand the regulations that affect our industry so we can best meet the audit and regulatory requirements that they bring with them. Michael Santarcangelo of the Security Catalyst website is also supporting this mindset. He is developing what he calls Security 2.0 to help those of us in security to better understand this and learn how to implement it into our daily practices. I encourage everyone to check out what he has to say.

 

FINAL THOUGHTS (for today)

Diebold has once again let source code "slip through" the cracks. I'm in talks with Diebold to provide some equipment for my company but their total lack of professionalism in how they have handled this whole voting issue is giving me severe second thoughts. They have demonstrated complete incompetency in all of this. If they can't seem to get anything right on the evoting side of the business how am I supposed to trust them with the financial side of things?

SearchSecurity.com has an article that when I first saw it I thought "good grief why do they keep writing about the obvious", but then I remembered that even in IT and Security we have more than our fair share of slackers who need to be reminded about such basic things. Unfortunately my company does not have a policy in place currently that prevents IPODS and other such devices from being connected to machines, but I do hope that it happens in the near future.

Thursday, October 19, 2006

Vacation Blues and a Salute to our Military

I've just about decided that vacation isn't worth it. You rush to get out of town. You rush around while you are gone. You get back at the last minute. Then when you get back to work you have tons of email and voicemail to sort through plus playing catch up on the work that wasn't done while you were gone. That's how it goes if you are lucky. I wasn't so lucky. I came back to a sick Exchange Server and a sick accounting server. Luckily neither of them seemed to be too bad. They are both back up and running. I don't know why I'm complaining it's kinda the norm. Last time I took more than a day off our Blackberry server crashed and our CIO had to rebuild it.

But all that said it was worth it because we went to visit my brother-in-law who is about to be deployed somewhere in the middle east. This is quiet possibly the last visit we will have with him until he returns in 18 months or so. We gave up our planned vacation next week to make the visit.

I'd appreciate it if all of you would keep him and the rest of our military men and women in your prayers while they are out serving our country so we can be free. When you get the chance tell them that you appreciate what they are doing for our Country.

Wednesday, October 18, 2006

Today's News

Kudos to Netflix

You gotta love it when you hear about a company that finds out they have a potential security issue and they fix it BEFORE it becomes a problem and BEFORE it even becomes public. I'd love to see more companies be this proactive instead of the trend of many to deny a problem and hope that we are dumb enough to think it will go away on it's own.

The Week of the Trojan

I posted on Monday about the McDonalds MP3 Trojan and since then there have at least 2 others that have made the news. One was a mistake and the other was probably intentional. Apple shipped some of their popular IPODS with a Windows virus. The thing that gets my goat about this is that in what has become typical Apple fashion they don't just admit that there is a problem they have to attack someone else. In this case they put in a jab at Microsoft saying "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it," compare this to the Netflix story above. The other story is a website promoting the zcodec was actually a trojan. This one was probably meant to be malicious from the start.

Microsoft and Privacy

I'm not sure how I feel about this yet. Microsoft has published their internal privacy guidelines hoping that other companies can learn from them. I'm glad that they are taking proactive steps not only internally, but also to help others. What I'm not sure about is their exact motives. Given their record of past privacy issues I can't help but think that this is a PR scheme. Even if it is if it helps others do a better job then I can live with it.

Schneier's Top Ten Security Trends To Watch

Here is a link to Bruce Schneier's Top Ten List that he spoke about at Hack in the Box a couple of months ago. As usual he has good insight and I'm not here to dispute any of the things on his list. I did want to comment on number 10. He says that Regulations will drive security audits. I think we all agree with this and know it to be true. This is why I think it is so important that we have a good understanding of the various regulations that affect our business. Maybe I'm preaching to the choir here, but I know too many security professionals who think that regulations are a different group in the company and they don't have to know them. They are looking for trouble.

Monday, October 16, 2006

Scary Stuff

I'm not an analyst. At lease not a professional one. I mean that I don't make a living by looking at things like this story and determining what they mean and what impact they may have on the industry or on society in general. I do analyze stories like this and come up with my own thoughts and this one scares me. I have not read the full patent nor done much research on this, but just the fact that one company could own such a patent does not give me a warm fuzzy.

Not being a patent lawyer and only giving the patent a quick look it seems to me that they have been given the rights to tcp/ip traffic that has voice, video and data on it. Sounds like my network and most others that I know. Including the internet. Unless I did miss something then this only applies to ethernet networks so maybe I'll invent the non-ethernet internet that will replace the current ethernet one and then I'll own the patent. :)

McDonalds gives customers a break, or a trojan

Check out this story on the F-Secure blog. Another example of a company doing something without getting IT and security involved. A simple review of the MP3 players before shipping probably would have found this trojan and prevented a major security breach. Plus I can't wait to see the law suits that come from this.

Friday, October 13, 2006

They just don't understand

I've had a few posts where I've stated that I just don't understand. I don't understand why someone one do this or that, or not do something, or whatever. Now I've figured it out. It's not me. It's them. They just don't understand how serious security really is and how many bad things are out there just waiting for a chance to get into the network.

Just a little while ago one of our employees came to me and said that they had someone here that was trying to do a web demo but they couldn't access the Internet and wanted me to "fix" if for them. Then they looked at me like I was crazy when I told them no. I don't know this person or what kind, if any, of AV protection they have, what malware may be on their system or anything. Yet they honestly expected to just waltz in here and jump on the network.

I do feel better now. I was beginning to think that I was the problem.

Why I'm in IT and Security

When people that I knew in college and previous to that hear that I'm in IT they usually get a glazed over look and ask how in the world that happened. I was never fond of computers and really had no use for them. That is until I took the time to understand them and realized that they were not the enemy. (my redneck background really had a hold on me)

Once I got into IT I realized that I not only had a knack for it but that for once I really liked what I was doing. I enjoyed the challenge that it presented and I loved learning new things. Especially when I would figure out how to do something on my own. It's hard to describe the feeling of exhilaration you get when you come across a new or better way of doing something. After I had been in IT long enough to see what was what I had to make a choice on where I wanted my career to go. I quickly ruled out programming. I just don't think like they do. It's a completely different mindset. As I explored the options I kept getting drawn to security because I saw that it was where I could really make a difference. I knew that I could have a good career in pure networking or administration, but that wasn't where I saw the real difference being made. At least not for me.

After focusing my career on security I realized that there were still choices to be made. Do I focus on the perimeter, the interior, getting in (penn testing), keeping them out, educating others, policy and procedure, or what. I spent some time dabbling in various areas to see where my skills and talents were and where my interest was. I know where I want to go and I'm working on how to get there. I'm improving myself in the areas that will help me achieve my life goals and will make these things happen.

Many people wonder why put all this work in to something when I could have easily chosen the path of least resistance. The answer is that I'm just not made that way. I don't believe that God put me here to sit back and take the easy path. He put me here to make a difference in everything that I do. If you have been reading some of my recent post you have figured out that I don't like apathetic people who jut get by and that I take my responsibilities seriously. Martin McKeay wrote a nice piece on having a career and not just a job that I feel tied in nicely with some of my earlier tirades. Then this morning I ran across a great piece by John Maxwell that really stoked my fire, thus this post.

I may not be the most knowledgeable person on any topic (duh) and I may not be the best security professional in the world (again stating the obvious), but I do know that I am going to give it my all and continue to do it with passion. If the passion leaves then I'll post one more blog saying good bye and if you look hard enough you will find my new blog about my new job and new passion.

Today's Thoughts

The Value of Certification

Martin McKeay has a good article on CW about certification. In it he talks about how certification is really nothing more than a piece of paper that says that you study and test well. I can't count the number of times that I've worked with someone who was certified in various technology areas yet they couldn't apply their so called knowledge to real world technology and problems. I think certification is a good thing, but it's too easy in many cases and need to be backed up by real world experience. As I'm sure we all know some of the sharpest and best technology professionals have never been certified in any field. They just go out and do the work and do it right.

Spammers vs. ICANN

I'm all for Spamhaus and others who put up a good fight against spammers. I'm also not a big fan of lawsuits just for the sake of getting to play your way. I'm really not in favor of the courts trying to force their opinion on a US company that has the potential for such wide spread controversy. Not only does this involve companies in 3 different countries, but it involves the world. SPAM and the Internet are worldwide issues and can't be treated like a US only problem. Check out this CW article by Robert McMillan to read more on this.

User Education

This article on CNet News caught my attention. It's about the futility of user education. I'm a big fan of user education. Not because I think that it's all that effective, but because I think that part of my job as a security professional is to teach others how to be more secure. Even if a lot of it goes in one ear and out the other. I like sharing my knowledge and I know that it helps a lot of people and that makes it worth it. Although I do want to replace some users computer with a Palm M105 and a etch-a-sketch.

At Work

We are in the midst of MAJOR changes at work. Many of them are contingent on a couple of things that are still up in the air. We are having to plan for 3 or 4 different scenarios and they range from drastic differences to minor changes. What I like about this is that it keeps me on my toes and I'm rarely bored. It also gives me the opportunity to delve into areas that are not in my normal day-to-day responsibilities. As I mentioned before I like to stay on top of issues that may come back and bite me either directly or indirectly. Regulatory and compliance  issues have a real chance of doing that. What is frustrating about that is trying to sort through all the legalese to get to the meat of what a regulation requires. Some of them are well summarized with documents that take you right to the heart of what you need to know. Some of them though are brutal and require either a good imitation or lots of money to figure out what you need to know. But like I said it keeps me on my toes. Especially as I'm close to taking the CISSP test all of this extra work gives me opportunity to stay sharp in this area. Of course there is also those times when I've just finished several hours or days of work on a plan only to find out that my boss just came from a meeting where things were changed that totally void my plan or cause me to make major revisions. Oh yeah, the really good thing about these changes is that some of them will force the company to implement some things that I've been pushing for since I've been there. It can only go up hill from here.

 

Wednesday, October 11, 2006

Back Scratching

When I started blogging way back when ( about 6 weeks ago) I quickly noticed that if I didn't do something to get noticed then my blog would be just for my own enjoyment. Not excatly what I had in mind when I started this. I did all the things that was suggested on the blogger tips page of blogger.com and this helped a little but my readership still consisted of me and a couple of friends. It wasn't long before I got a mention on the Network Security Podcast with Martin McKeay and a link in his show notes. Then Alan Shimel mentioned me in a blog post and before I knew it my readership picked up quickly. A few other, Mike Rothman and In The Trenches, made mention of a thing or two that I wrote and again my readership went up. I'm not saying all of this to toot my own horn (goodness knows my readership numbers aren't that high), I'm mentioning this to return the favor not only to these guys who I've already linked to and quoted in the past, but to a new feed that I'm now part of. I received word today that my feed will be included in the Headlines from the Security Roundtable over at SecurityCatalyst.com. I'm fully convinced that if you have something to say that others will promote you to their readers and I hope that I can turn someone on to some of those who have helped me.

I'd just like to say thanks to all those who have linked to me and mentioned my blog and I look forward to continuing to learn from all of you and hopefully add something of value to the security blog community.

Check out my links to the right of my page (if you are getting this via RSS go to my blog page http://andyitguy.blogspot.com) and visit some of my favorite blogs and web sites.

A new take on IT Security


So if you do something that goes against the company security policy does IT call these guys? I know I wouldn' t want the Hell's Angels after me. I wonder if they use computers from Chopper Computers?

Interesting Things

This has to be filed under the heading "What are they thinking!" I bet this is just people (especially IT pros) who are testing IE 7 in preparation for Microsoft forcing it on us soon. That or Microsoft's Mind Machine is hard at work trying to brainwash us. I tested IE 7 on a couple of machines and had nothing but headaches with it. It's not going on my systems anytime soon.

Here is an article that should help me sell some of my security ideas to the suits. And my users can't understand why I don't just give out VPN access to anyone. It's bad enough that I have to give out so many laptops with wireless access.

My development guys are crying now. Now that Microsoft has ended support for XP SP1 they have had to upgrade to SP 2. They fought it tooth and nail but finally had to give in.

Today should be fun as we start patching and testing. The really bad thing is that a large part of my network is currently under a business partners patch management department and they don't test. Just push and pray. They did this last year with the October patches and broke our primary application. It took weeks to straighten it out.

I haven't followed this much but this article raises a lot of questions. The first one being how can they be so sure that these $100 laptops are going to be as bulletproof as they seem to be claiming. If anyone knows more about this I'd love to hear it.

Anti-Virus Whining and Moving on

I've never been a fan of Symantec/Norton or most of their products. I do use it at work as my AV product, but only because I inherited it and the CIO isn't willing to change at this time. I guess if I have anything good to say about them it's that I have made a little money on the consulting side when I have to go and fix a system that was hosed because the user either installed or upgraded their version of the home internet protection suite.

Now Symantec and McAfee (who I'm also not crazy about) along with a few others are crying about Vista. Whiners aren't high on my list either.  I do find it interesting that while many are crying fowl Kaspersky Labs is defending Microsoft. Either they know something that the others don't or they are hoping that by playing nice they will have an "in" with Microsoft and Vista while the others are out, or maybe they just have a positive outlook on things. Alan Shimel has a good story about those who are whining in his fable The Squealing Pigs, the Golden Goose and the Big, Bad Wolf.

Something else I'm not excited about is letting Microsoft have my servers, desktops and security. I don't care how seamlessly OneCare integrates with Microsoft products (especially Vista) I'm scared of having a Microsoft AV product. I will keep an eye on it and see how it compares to other products. If it shows itself to be a good product I will consider using it as one tier of protection.

I do like the fact that Symantec is not sitting back on their laurels while the Vista issue unfolds. They announced several new or upgraded products and initiatives earlier this week. Some of them look promising. I'm not sure yet how I feel about their Security 2.0 initiative, but they are showing that they don't intend to roll over and play dead. If they lose market share in the desktop space then they intend to gain in other areas. I like that mindset. I'll reserve judgement on the products until I see how they perform.

 

Monday, October 09, 2006

The Problem with IT and Security

Laziness, apathy or poorly trained IT staff? After reading this NetworkWorld article on the state of DNS server configuration I'm once again scratching my head and wondering what is going on.  I just don't get it. Why is it that there are so many instances of poorly implemented technology. Is it because so many unqualified people got into IT because they thought it was the road to riches? Is it because they see it as an easy job that doesn't require much physical exertion? Is management putting that much pressure on them to get it up and running? Why?

I know that if you are unfamiliar with a product that you can overlook some things that leave it vulnerable, but why are you putting it into production if you are unfamiliar with it? Why are you not taking the time to read the documentation or do a google search on common issues and problems? I just don't get it. Especially when the item can really cause a major problem, not only for you but for the whole company or internet. I like what the guys at Pauldotcom.com advocate. They scan everything with Nesus or Core before putting it into production.

I'd like to think that there is a good reason for this. But I've been in this too long to know better. I've seen too many servers, switches, routers, firewalls, and other appliances just configured with a new password and ip address. Then they were put on the network, marked off the list and the next task was started. When I was consulting I ran into many instances where a company called and said that they were having probems. As they described them and/or I looked into them in almost every instance the problem was do to improper configuration or implementation. Only once or twice was the problem related to vendor software issues or hardware problems.

Two of the incidents that really stand out are the time a guy put a dual-homed server that served as the domain controller on both the internal network and the internet. Needless to say that didn't go well. The other one was when a company called and said that since migrating to Windows 2000 that they were having all sorts of problems with authentication, printing and everything else excpet internet and SMTP email. The company that did the migration installed DNS for AD, but they pointed the servers to public DNS servers. Go figure. I just don't get it.

 

Thursday, October 05, 2006

Stating the obvious, but doing something about it.

ComputerWorld reports about the GAO (Government Accountability Office)report the the WAN that carries data for the Medicare network has security vulnerabilities. Who would have thought? There is both good and bad news in this, besides the obvious bad news that there were vulnerabilities.

The bad news is that this was a managed implementation by AT&T. They were paid $76.6 million dollars over 4 years to operate the WAN. I know that there will be problems and issues in any WAN implementation that large, but when you have been operating the WAN for the last 3 years and there are 47 vulnerabilities that have not been fixed something is wrong.

The good news is that CMS (Center for Medicare and Medicade Services) acted on the news as soon as they were informed by the GAO. It's good to see someone take responsibility for problems and work on getting them fixed right away instead of pointing fingers at AT&T or anyone else. I applaude them for taking action to fix problems.

 

It keeps getting worse

Redmond Magazine now has an article on IT Gone Bad. The stories just get worse and worse.

 

Poll Results

Technorati tags: ,

Shortly after my last post I ran across the results post from Dark Readings Scruples poll. I'll let you read it and keep my fingers quiet this time.

Wednesday, October 04, 2006

IT and Integrity

I started to write about the DarkReading.com IT Scruples poll the other day and never did get my thoughts fully together. Then yesterday I ran across a ComputerWorld blog about The Importance of Integrity and read about the "humorous" Toorcon joke about the Firefox flaws. Now I HAVE to write.

This kind of stuff is not funny and it IS unethical. It may have been meant as a joke, but when you do something that causes bad press for someone and causes them to lose time and money trying to find problems that don't exist then it quickly ceases to be funny. It's sad enough that so many seem to be taking such a casual stance towards integrity and honesty in their job. Especially when your job is IT security. Did the company hire you to secure the data from everyone but you? Just because you have access to it does not mean that you can or should look at it.

I don't understand why so many people think that integrity is something that you use when it's convenient for them or when it serves their best interest. Integrity matters at work, home and everywhere. If you are dishonest in one place then you will be dishonest in another.

In the world of IT Security there are pretty much 2 groups, the Black Hats and the White Hats. Just because you work in the White Hat world doesn't mean that you are a White Hat. If you cheat, lie and steal then in my book you are a Black Hat.

Now, having said all of that let me clarify a couple of things.
1. I'm not perfect. I have done unethical things in the past.
2. I'm not talking about someone who does something once or twide or makes honest mistakes.
3. I am talking about someone who thinks that they can so these things regularly because of the
position they hold and the trust that has been given to them by their company.
4. I am talking about someone who does something purposefully malicious (even once) that is
just plain stupid. Like lying about vulnerabilities or lying about their experience or talents just
to get a job. (Listen to ITT's Roll Call Segment to hear a good story about this)

One quick story and I will get off my soap box. I used to work with a guy who was a very talented network guy. He knew a lot of stuff and taught me lots of things. His problem was that he thought he was above the law when it came to honesty and integrity. It cost him his job with the company that we worked for. It didn't take him long to find a new job but he soon lost it also. He quickly found another job and then he got caught. It seems that he obviously lied about getting fired from his previous 2 jobs, but he also lied and told them that he was certified as an MCSE and a CCNP. Once these lies were discovered he was reported to both Microsoft and Cisco and supposedly has been black balled from ever holding certs with either company. I'm not sure if they do black ball but if so he does deserve it.

Monday, October 02, 2006

Speaking of Compliance

Here are 3 good articles on compliance specifically relating to data archiving, retention, and deletion. Also IM issues.

Computer World IM Article

Byte and Switch Data Forensics Article

Information Week Data Deletion Article

Pretexting and compliance

With the HP scandal being front page news there is a lot of talk about what they did, what was legal and what was ethical. It should make all of us think about our situations and where we are security professionals and our companies stand on similar issues. It should also lead us to look at where exactly we stand in regards to compliance on these and other issues. How many of us really knew if pretexting was legal and what regulations cover it.

How about other compliance issues? Often compliance and security are handled by different groups but they can directly affect each other and if the left hand doesn't know what the right hand is doing then we can bring trouble on ourselves. Compliance is tricky ground and depending on what industry your company is in, is it public or private, who our customers are, what data we have, etc.. we may be subject to several different regulations. They may be industry specific, state or federal. Here is a good blog post on the pretexting issue specifically, but it points out that not knowing can get you in trouble. Ignorance is certainly not bliss.

I know in the financial industry we come under scrutiny from a long list of agencies and regulations. I don't claim to know all the why and wherefores of what may bite me, but I have to have a good idea as to what they are so that I can reccommend and impelement the proper controls and technologies to keep us out of hot water. It my not be my job technically, but I'm not going to take a chance that I will implement something that another department says is OK and then find out later that it doesn't do the job or that it actually put us out of compliance. I won't go around (to quote the bloggers phrase of the week) "with my head stuck in the sand".

This is very similar to what I wrote about a few weeks back regarding HIPAA. I was astonished to find out who had no idea that they were subject to HIPAA and even more astonished to find out that many didn't care. Instead of security by obscurity they were going to claim compliance by ignorance.

3rd Party Patches

I'm not a fan of 3rd party patches as I mentioned in a previous post. I think that there are too many unknowns and potential problems. Although something I had not thought about was brought to my attention by this CNet News.com article. ZERT (Zeroday Emergenty Response Team) is not only patching current versions of OS's but also versions that are no longer supported by Microsoft and therefore not being patched by Microsoft. I'm fortunate in that I don't have to support any non-supported versions of Windows, but I know plenty of guys who do. What are they to do unless a third party helps them out?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.