Trusted ID update

I received a reply to my "Did they really think this through?" post from the CEO of TrustedID. He posted a link to their blog where they answer many of the questions that have been raised by myself and others. You may want to check it out. Their answers make me feel a little better, but I'm still not sure that I like it. Check it out for yourself and let me know what you think.

Symantec Advisory Group

A few weeks ago I was asked to participate in a new Symantec Advisory Group. I wasn't too sure about it at first. I figured that they would just be looking for a "Yes Man" and I'm not that guy. As I looked into it I realized that they may hope to get some good press out of it but that wasn't required. They do want us to blog about it, but we can be honest about how we feel. We don't have to say anything good about Symantec. So I decided to join and put my two cents in. A couple of days later I was talking to another blogger and found out that he was also participating. Then today I checked the site and viewed the updated list of members. I couldn't help but smile. I'm not going to mention any names (I'll let them decide if they want to announce themselves), but Symantec isn't going to get a cake walk. I can't think of many bloggers that they could have chosen who will probably be more honest and open with them. I know that at least 3 of them (including myself) have openly blogged about their unhappiness with Symantec int the past. It should prove to be a entertaining ride and hopefully some good will come out of it for everyone.

Preach It, Michael!!

Michael Farnum is more than a little upset with Microsoft for their comments regarding a new bug that has been discovered in IE Vista.


I don't blame him. It makes me mad as well. Why do software companies think that they can just do what they want as they want. Is it because we don't have much of a say or what we say doesn't really matter to them. Once a company reaches a point where they hold a large part of the market for a type of software they just seem to quit caring. They forget who brought them to the dance. Many people don't have much of a choice but to continue to use their software because it is the standard. It is what everyone else uses and if they switch to another vendor then it makes it harder to share files with other business partners and most companies don't want to have to deal with it.

If Microsoft is really concerned with security as they keep telling us that they are then they need to be concerned about ALL of security. That includes availability as well as confidentiality and integrity. What good is data that is confidential and that hasn't been altered if it can't be accessed by those who need it. I know that many people think that IE is a web browser used to play on the Internet, but it's much more than that. Microsoft even bills it as a business critical application and they encourage companies to port applications to browser based so that IE can be used to access the data. I know that in my company IE is CRITICAL. If it fails then we fail. Our main business app relies on IE to the extent that it won't work properly in FireFox, Opera, Safari or any other browser.

I take up Michael's cry of "Microsoft, FIX IT!" and I think that all of us need to rally around this. It's time that software companies get the message that we won't be walked over.

Project Report 1/24/07

10 days to go. All was going well and then a couple of things didn't go as planned and we had to pull back and regroup a little. Doing all of this with limited manpower and resources is really tough. I'm learning lots but it's by trial and error.

Most everything is in place now. We're ironing out a couple of things and down to the mundane tasks for the most part. Soon we will actually start using parts of the new infrastructure in production. Hopefully that will flush out any bugs before the full roll out on 2/3.

I've got one thing that I'm struggling with. It's an ongoing issue that I was hoping would be solved when I replaced my circuits and routers, but it's still around. Here are the details. If anyone has any thoughts please contact me.

Windows 2003 Domain
13 Sites
Each site has a 2003 domain controller with DNS; WINS
All PC's are XP SP2 running Office 2003
Everything is fully patched.
DNS and WINS have been verified as working properly and replicating properly.

Both of these happen only from remote sites.
If I try to access an intranet site via a web browser I can't connect until I ping the IP address.
If I try to access Exchange via Outlook 2003 I have to ping the exchange server by name.

I've posted on several support boards for Microsoft, checked other sites, asked people who are far smarter than I am and have not found the answer yet.

I posted this on the Security Catalyst site yesterday and have gotten a couple of ideas that I'll try today, but just in case they don't lead anywhere I'm open to other ideas.

Did they really think this through?

Martin writes about a new service being offered that allows you to search for your SS# or CC# to see if it has been stolen or compromised. When I saw this I had to drop what I was doing and post about it. Not because it's BIG news, but because I want as many people as possible to know about this so they can warn their friends. Not because I think the guys who are running it are trying to scam anyone, but b/c it does two things. First, as Martin said, it's another database that has the potential to be breached. Second, it encourages people to give out information that they don't need to be giving out.

The site is https://www.stolenidsearch.com/

As I said I'm sure they have good intentions, but I'm not liking the way they are going about it. The site has a Verisign SSL Cert, is a service of TrustedID and is endorsed by the Identity Theft Resource Center. All of these are great organizations that work to keep us secure, but I still don't like it.

The Value of Best Practices

Update: I'm unofficially changing the title of this post to "The Value of Checklists". I originally wrote this at about 5:00am this morning and the words best practices were in Dr. Anton's post and the morning fog carried them over to my title. Thanks to Mike for pointing out that Checklists and Best Practices are not the same thing.
____________________________________________________________________

Dr. Anton and Ross Brown talk about the benefits of just plain good security over just following the check list to be compliant or just for the sake of doing something. I couldn't agree more, but we have to be careful that our desire to see people practice good security doesn't discourage them from doing something that can help secure our networks. Checklists do have a place in security. They remind us of things that we need to do each and every day. Without them we will get caught up in the fires and emergencies of each day and overlook something that may be happening that needs our attention. They also keep us accountable to do a good job. Security professionals need accountability to management and users to show that we are doing our job. It's easy to say that we do our jobs because if we didn't then there would be lots of problems, but that doesn't always fly with management. As much as I dislike checklists they do have their place and we need to encourage the use of them. Not as proof that we are secure and surely not as the "key" to being secure, but to help us remember the little things that we often forget and to keep us aware of all that we have to do to have a secure environment.

Fixing Securitys Biggest Problem

Yesterday I was talking with a VP of a large bank and he asked me what I thought was the biggest problem facing security professionals today. I didn't even have to think hard to come up with my answer. User awareness. Then he asked me how we fix this problem. I had to think a little longer, but then it hit me. This is not a new answer by any means. I've talked about it in the past and I've read what others have said on it also. The answer, at least part of it, is that we, as security professionals, have to take the time to explain security to users.

This isn't easy for many in the tech community. We tend to do better with machines than people. We tend to get irritated when users do stupid things. We don't like it when we try to explain something to them and they give us the "deer in the headlights" look so we give up and walk away. We pass up opportunities to pass some of our knowledge on to others. If we will just come out from the depths of our security lairs and take a little time to figure out how to explain security at a layman's level then we will put see drastic improvements in how users view and practice security.

As I say this I'm thinking about how this ties in perfectly with one of my goals in joining the Security Catalyst Trusted Catalyst Community. As Michael and I talked about the community and what we would both like to see come out of it this one a goal that both of us shared. I'm excited to see what will come from this. Something that we can all use to help educate users is sorely needed.

Project Update 1/17/07

Feeling much better! Even though things are still on a VERY tight schedule they are moving along right nicely. All of my WAN links are up. My AD is designed and deployed to the first 2 servers. The slow part is the hard disk images. Hopefully by the first of next week all of my remote sites will have servers and switches installed and then we will start converting PCs. We are doing between 1 and 4 per site ahead of time; depending on the number of PCs in each location. Then the evening of 2/2 we will do the rest of the machines. At that time all that will have to be done is put the drive in the PC, boot it up, join the domain and push AV.

Project Progress

The routers are configured and being installed. Active Directory is ready to go. I'm sill deploying images one at a time. Trying to get a money to help but he won't return my calls. Maybe I shouldn't refer to him as a monkey.

I'm feeling pretty good about most of this. Just need a nap so I can keep a clear head.

Had a small problem last week. My tape library died and so I had to buy another one. I got an Exbabyte - VXA 320. It's nice. Rack mounted and fast. Much better than the old HP SureStore DLT 7000 that we had been using.

Just wanted to post something so everyone would know that I'm still here. Maybe next time I'll be more alert and my writing won't seem like something from a desert island castaway.

Something to think about

One of my favorite books is "The Art of War" by Sun Tzu. I received a Page-A-Day desk calendar for Christmas that is based on this book. Today's page really caught my eye and I think that it is very applicable to the life of a Security Professional.

"Generals in the field must already be acquainted with all the sciences of warfare before they can command their own soldiers and assess battle formations."

We too must know security principles and what is out there that could bite us. If we don't then we will never be able to adequately protect or networks and users. It's Risk Management in a nut shell.

Project Update 1/11/07

My routers have arrived and I'm pushing out images to the desktops. This is a slow process because we are replacing the hard drives only. I don't have a duplicator so I have to do the images one at a time. 87 of them have to be done. I'm still trying to get the other things that I need ordered ( waiting on management sign off) and am waiting on Sprint to finish the installation and turn up of my MPLS circuits.

I have 23 more days to get it all done.

Secure Software

With the release of the adobe vulnerability that many of us have written about there is a renewed debate on software security. Many, including myself, have been calling for software vendors or be more diligent in ensuring that their code is secure before it is released. Unfortunately, most of this has fallen on deaf ears.

Ravi Char has a good post on the adobe issue at his site here. I agree that the problem falls solely with the vendors. They MUST do more to secure their code before it hits the shelves (or ftp server). They need to spend more time on secure coding, code review, and vulnerability testing while still in the house. If they do so they will spend less time writing and issuing patches.

There has been talk of holding vendors liable for sloppy code. I know that there are lots of problems with doing this. Determining exactly what is "sloppy" code, was it affected due to poor deployment procedures, what else happened to allow the exploit to occur... and on and on. Not to mention the whole issue of those who write and distribute software for free. Something like this would severely restrict what they could do.

I don't have an answer beyond us, as consumers, have to keep on the vendors and demand changes. We blog about sloppiness, laziness and just plain bad practices. We let the vendors know when and why we are unhappy. We let them know that they are not the only option and if it comes to it we move to a new platform. Adobe isn't the only pdf vendor out there. They are the "Big Boy", but there are other options. This hold true for most all types of software. There are very few applications that are the only guy on the block. It's a good idea to know what options are out there so when a vendor is unresponsive and irresponsible we can move on.

Project Updates

I'm on my way back to Atlanta from Va Beach and using the time to write several posts. [Rich C., this is one way to maintain a blog while busy. :)] I made some phone calls on Friday and was able to get confirmation that Cisco will ship my routers tomorrow (Monday). That makes me feel much better. If hoping to get approval to have them sent overnight so we can start configuring them Tuesday and get them installed starting Thursday. That way I can get this part of the project completed and focus on the domain rollout and a lot of the petty things that have to be done.

Early on I was hoping that I'd get everything done early and still make RSA, but that won't happen. Even if I do have everything in place, tested and ready to go the follow-up and post project support will not allow me to leave. Actually that translates into "I couldn't get my CIO to approve me leaving that soon after implementing all these major changes.

Benefits of blogging

I started blogging because I felt that I had something to say and I wanted a way to get it out to others who may be interested. I doubt if I've made any earth shaking posts but it has become something that I have come to enjoy and look forward to. I know that during the month of December I had a slow down due to my schedule and then the last 2 weeks of the year when most blogger's did the same I almost went through withdrawals. There wasn't much to read and I found myself really missing it.

It has also allowed me the pleasure of reading a pre-release copy of The Pragmatic CSO my Mike Rothman. Participate in the Still Secure After All These Years year end podcast. The best thing is that I have made contact with lots of really great security professionals in many different security arenas.

This weekend I discovered another benefit of blogging. Back in November I blogged about my unhappiness with Barracuda Networks tech support. (here and here) I got several comments from people on my posts and a couple of others blogged about their experiences or thoughts on this topic. Well yesterday I got an email from the founder of Barracuda networks. He had read my posts and wanted to know if everything was ok now and if I had any other issues.

Now this doesn't change my attitude on their tech support and it may not make their tech support any more responsive, but knowing that my concerns and complaints have been heard by the big guys makes it worth the time it took to write the posts. Now all I can do is hope that they take my feedback, both from the posts and what I said in my email to him, and use it to improve their tech support. I guess only time will tell and honestly I hope that I don't ever have to call them. Of course I hope that I never have to call any vendors tech support.

Finished the Pragmatic CSO

Well, I was able to finish the Pragmatic CSO on my flight to Virginia on Friday evening. I must say that, just as many others have already said, this is required reading for anyone who is either in Security Management, those who desire to move into Security Management or even those who just work in Security. The concepts that Mike talks about and teaches are beneficial at several levels.

I don't think that anything that he says is new or groundbreaking but it puts the key concepts into a place and format that are easily accessible and learnable. After reading it through fairly quickly I can't tell you all 12 steps but I can remember concepts from them all. I plan on reading it through again at a slower pace and take notes so that I can keep them posted at my desk and in my server room.

Many have commented on the price and I have to admit that at first it caught me off guard, but then as I thought back on other books that deal with Security Management I have seen plenty of them that were well over $100. After reading it I know that it is worth the price and even more. I can honestly say that if my free PDF copy was set to self destruct in 30 days I would dig into my wallet and pay the $97 to be able to have it at my disposal for future reference.

Mike, Great job my friend. I look forward to other things that you put out in the future.

Too many cooks spoils the broth

Brian Krebs over at Security Fix wrote a really good piece on the Adobe flaw that opens up pretty much anyone to a XSS attack if they use Adobe and have java script enabled. That pretty much covers about 99.9% of computer users. The really scary thing is that you don't have to go to a bad web site, you don't have to do much except open a pdf from a web site. The good news is that it looks like you do have to click on a "specially crafted link" in order to pass the commands to java, but the link could be from a supposedly trusted site itself. Brian give a good overview of it in his article. There is also good news in that the problem is not in version 8 of Adobe and that there are other options beyond completely disabling java and never viewing .pdfs on the web. Again, Brian gives some good advice regarding this.

My beef with this is that once again we see software vendors loading their software down with features that are completely unnecessary. They put in more bells and whistles to lure customers to upgrade because of all the "cool" new features. Why do we need all these "new" features? Why can't we just get by with what we already have. 99% of software users never use the features that were included in versions that were released 5 years ago. Why do we need new ones that won't be used either?

I understand that there are "niche" markets where these features are used and that the software vendors need to give their customers what they want and need, but why can't these things be "after market" add-ons that are available to download or install from the CD. Just like there has been a push for hardware vendors to ship there stuff with security enabled by default there should be a push for software vendors to ship there code in the most secure way. We all know that the more you add and the more complex you make something the harder it is to secure. We as security professionals have to make a lot of noise about such things so that the vendors will get the message. We also have to go one step further and make everyone we know aware of such issues and encourage them to let the vendors know their feelings. We can't continue to allow unnecessary convenience and our desire to have the "latest and greatest" of something make us less secure. Our lives depend too much on computers and technology to continue producing insecure products.

Wireless Security

Preston Galla has written an article on Computer World about how to secure your wireless connection when connecting to a "open" hot spot. Of course it attracted my attention since I've been on my kick of late about users getting owned for doing unsafe and careless things. He has 10 steps that he recommends. All of them are good suggestions that will help protect you. In my opinion they are things that we all should be doing anyway no matter where we are. The problem with them is that getting "joe" user to do them will be next to impossible. Not to mention the support nightmare that it would create because they did something wrong or something won't work due to these precautions. If we could get users to do at least some of them it would help to a degree and every degree counts.

No Man Is An Island

I've been thinking a lot lately about the concept of how everything that we do has ramifications beyond the moment we are in and beyond us as well. What I mean is that everything that you do will affect you and at least one other person and it's impact will be immediate and lasting. Don't quit reading at this point. I'm not going to start preaching.

As I thought about this I also thought about how it applies to security. Actually this is the kind of security breach that worries me the most. As I wrote about last week. We have to get our users to the point of understanding that they realize that what they do with the network enabled device can and does affect others. They can't just go to any site they want, they can't just connect to the Internet at any "open" place they find.

I know that you are now thinking why is he repeating himself. Well, it's because I think that this is possible the biggest problem that we (at least those in the SMB space) have. There are too many laptops out there where the users have admin rights. There are too many people spending time behind closed doors surfing porn from their company PC. There are too many people who connect to any open wireless network. I can't count the number of times I've heard someone say that they found a "Free Wireless Internet" and connected. Can you say owned?

These acts open up the users system to attack. That attack often will be brought back to the office and spread to other systems or will snoop around the network and see what it can find of value. These are the things that done alone but have the potential to affect others in a very negative way. These are the things that make this world one big island instead of 6 continents and thousands of small islands.

OK, it's officially panic time. In one month my work life will have changed drastically. By Feb 2 at the VERY latest I have to have the following projects completed.

1. New WAN circuits installed, equipment configured and tested. Still waiting on Routers. If anyone has any pull at Cisco PLEASE ask them to put a super rush on my order.
   
2. New Domain built, secured, tested. This includes about 15 servers and 100 workstations.
3. Associated equipment and security to allow the new domain and the existing domain to talk.
4. New physical security systems. both alarm and video.
5. Exchange Server upgrade to handle additional users.

Much of this can be prepped ahead of time but the actual swap out of PCs has to be done on the 2nd. Once we get past the initial phase we can then focus on the "ancillary" projects that have to be completed shortly after that. Why does this justify a "panic" time? Mainly because of a shortage of manpower and the fact that my Cisco order is still up in the air on at delivery date. It's hard to connect remote offices w/o equipment. Plus due to the fact that we are a small company I have over site responsibilities in other areas that don't fall under Security or IT even. These things also require planning and coordination time if not actual "hands on" time.

All that said if you don't hear from me much hopefully you will understand. I'm hoping to blog about many of the experiences.

Keeping Focused

Every now and then it's a good idea to go back to the basics. If we don't we are in danger of getting off track. There is a pretty good series on OSI security at serchnetworking.com called Securing the Stack. The reading isn't too heavy and it has some good points and tips. Each month they take a layer and talk about some common security flaws, exploits and tips that are relevant to that layer. If you are new to security this is a good place to start. I remember when I first got into IT and was working on my Novell certification as I started studying network fundamentals the OSI stuff just blew me away. I thought why in the world would anyone ever want or need to know this stuff. Now I can't get by without it.

Pragmatic CSO Launch

Mike Rothman asked me to read his pre-release of The Pragmatic CSO. I haven't finished it yet due to everything that has been going on with work and holidays. I'm about half way through it but wanted to put in my 2 cents worth since today is the official launch date for the book and web site.

What I have read so far has been both entertaining and educational. Mike writes to the common person. You don't have to be technical or Executive level to understand the Pragmatic CSO plan. I'm hoping to finish it this week while flying and I look forward to what else he has to say.

Congratulations Mike and great job!