Security's Everyman

Friday, March 30, 2007

Just Trust Us (Update)

I stuck to my guns and received a sanitized copy of their router config. Now I'm ready to do business.

____________________________________________________________________

A vendor needs access to some systems on our network. They installed a Frame-Relay circuit and sent me a router to connect to the Frame and our network. I told them that before I could connect it I needed to see a copy of the router config because I wanted to see exactly what they are doing so I can make sure that I have the proper controls in place on my side. I also wanted to have something to show the auditors when they ask "What is that router for?"

The vendor told me that they didn't share their configs with customers. I completely understand because I wouldn't give my configs to just anyone. They could give me a sanitized copy of the config. They just want me to trust them without any questions asked. Now I don't have any reason to not trust them. Many other customers of theirs have this same setup, but I still have a problem with them wanting me to put this on my network blindly. I'm still working through this. Management is putting pressure on me to get this completed, but at least they are being understanding of why I'm sticking to my guns.

If any of the rest of you have run into a similar situation how did you handle it? I'd love to hear your stories.
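What to pull out of that sanitized config before the router goes on the wire, as an added example that is not part of this post and not any vendor's actual config: a small parser for an IOS-style config that lists the networks the router touches, what it routes across the Frame, which access-lists apply and what management services are open, so the matching rules can be written on our own firewall. The config text, addresses and port number are constructed for the example.

```python
import ipaddress
import re

# Constructed IOS-style config, not any vendor's real config. The SNMP community is masked, as in a sanitized copy.
SAMPLE_CONFIG = """\
hostname VENDOR-RTR-CUST
interface Serial0/0
 ip address 10.200.1.2 255.255.255.252
 encapsulation frame-relay
 ip access-group 101 in
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.200.1.1
ip route 172.16.50.0 255.255.255.0 10.200.1.1
access-list 101 permit tcp 172.16.50.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 1433
access-list 101 deny ip any any log
snmp-server community XXXXXXXX RO
line vty 0 4
 transport input telnet
"""

IFACE_RE = re.compile(r"^interface (\S+)")
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
ACL_GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (.+)")
VTY_RE = re.compile(r"^\s+transport input (.+)")

def parse_config(text):
    """Pull interfaces, static routes, numbered ACLs and vty/SNMP facts out of the config."""
    cfg = {"interfaces": {}, "routes": [], "acls": {}, "vty_transport": [], "snmp": False}
    current = None                        # interface dict, "vty", or None at global level
    for line in text.splitlines():
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):      # an unindented line ends the previous section
            current = None
        m = IFACE_RE.match(line)
        if m:
            current = cfg["interfaces"].setdefault(
                m.group(1), {"network": None, "acl_in": None, "acl_out": None})
            continue
        if line.startswith("line vty"):
            current = "vty"
            continue
        if current == "vty":
            m = VTY_RE.match(line)
            if m:
                cfg["vty_transport"] = m.group(1).split()
            continue
        if isinstance(current, dict):
            m = IP_RE.match(line)
            if m:                         # "ip address A.B.C.D MASK" gives the attached subnet
                current["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
                continue
            m = ACL_GROUP_RE.match(line)
            if m:
                current["acl_" + m.group(2)] = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m:
            cfg["routes"].append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
            continue
        m = ACL_RE.match(line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("snmp-server community"):
            cfg["snmp"] = True
    return cfg

def vendor_networks(cfg):
    """Non-default destinations sent across the Frame: what our own firewall rule should be scoped to."""
    return sorted(str(net) for net, _ in cfg["routes"] if net.prefixlen > 0)

def interfaces_without_inbound_acl(cfg):
    """Interfaces where the router itself filters nothing coming in."""
    return sorted(name for name, i in cfg["interfaces"].items() if i["acl_in"] is None)

def review(cfg):
    """Plain-language findings to take to the firewall change and to the auditors."""
    findings = []
    for name, iface in cfg["interfaces"].items():
        if iface["acl_in"]:
            entries = "; ".join(cfg["acls"].get(iface["acl_in"], ["(ACL body not in config)"]))
            findings.append(f"{name} ({iface['network']}) inbound filtered by ACL {iface['acl_in']}: {entries}")
        else:
            findings.append(f"{name} ({iface['network']}) has no inbound ACL: filtering must be done on our side")
    for net, nexthop in cfg["routes"]:
        if net.prefixlen == 0:
            findings.append(f"default route via {nexthop}: anything sent to this router that matches nothing else goes to the vendor")
        else:
            findings.append(f"static route {net} via {nexthop}: vendor network to scope our firewall rule to")
    if "telnet" in cfg["vty_transport"]:
        findings.append("vty allows telnet: cleartext management; confirm it is reachable only from the vendor side")
    if cfg["snmp"]:
        findings.append("SNMP community configured (string sanitized): ask which hosts are allowed to poll it")
    return findings
```

Running review(parse_config(SAMPLE_CONFIG)) gives one line per interface, route and management service, which is the list to compare against the rules on our side of the router.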


Wednesday, March 28, 2007

Security, One Step At A Time

Often people ask those of us who are in the security field how to "break in" or what certifications they should focus on. Sometimes they want the "fast track" but usually they realize that it's not something that you can just do overnight. You have to have a goal in mind and make a plan on how to get there.

The same holds true for companies. Whether you are a new startup or have been in business for many years, you have to have a plan for your company's security. You can't just decide that you want to get secure and start installing devices and implementing policies. If you do, you will find that it can hinder your business or become one major headache for the entire company.

It's a process that has to be developed to fit YOUR company's needs. What is right for Company X is not what is right for you. You may be able to use them as a template, but you have to customize it to fit your business.

Once you have this completed you still can't just rush out and buy something. You have to implement the right "something". It might be technology, policies, procedures, etc. It also has to fit your need and budget. You have to take into account what other resources will be needed. Do you have the right people to deploy, manage, maintain and understand the technology? Do you have the infrastructure to support it?

What about those who have limited budgets? How do they secure their environments? That's where the "One Step At A Time" comes into play. Companies that have limited budgets have to look at what will give them the most bang for their buck. Do they need a better firewall (I'm assuming they already have something in place), end point security, web security? What is it that is most valuable to the company?

Once you have addressed that you can plan and move on to the next step. What needs to be done next? How can you mitigate risks while in the "waiting" phase? How do you protect yourself as best you can with what you have? You always have to think forward. Look toward your goal and how to get there as safely and effectively as you can.

The inspiration for this post came after I read this post by Scott Wright at the Security View blog.



Tuesday, March 27, 2007

Why We Need To Educate Others

This fits perfectly with my post earlier today about not understanding why someone would actually buy something that is being advertised in a spam email. A Canadian woman bought anti-anxiety pills from an online pharmacy.

The coroner's report revealed that the pills were laced with dangerous traces of uranium, strontium, selenium, aluminium, barium and boron.

This is a really sad case of the dangers of not having an educated and security minded public.

ID Theft rates increase

Dark Reading reports that identity theft and phishing are on the rise at an alarming rate. The bad guys are getting smarter at making emails look legitimate and at making the links look real. More and more the actual link is more realistic instead of being masked in the email. People are getting smarter about checking the link before clicking on them, but if the link looks real in both the email and the status bar it is more likely to be clicked on.

This is why we have to keep pushing forward with user awareness training. People have to learn that clicking on a link in an email is a VERY bad thing. Unless you know that it's a good link and was sent by a trustworthy source, DON'T click on it. This is the word that has to be gotten out to friends and family. Personally, I don't understand how someone could buy something offered by someone they don't know, from a place they can't locate, with no idea of the seller's trustworthiness, and usually from someone who can't spell, can't use proper English, or puts "Hey Dude!" in the subject line.

Unfortunately I seem to be in the minority here. I'm a big believer in the adage "With knowledge comes responsibility". Those of us who know the dangers have to pass that knowledge along to others. We can't have the attitude that if they are dumb enough to click on the link or give out their credit card info then they deserve what they get. It wouldn't be right if the only one affected was the person who clicked on the link. What makes it worse is that often they get malware on their PC that makes it a danger to the rest of us.

Monday, March 26, 2007

New IT/Security Blogger on the Block

Michael Ramm has started a new blog that I wanted to point y'all to. He isn't new to blogging, just to the IT/Security space. He also blogs here with a friend of his on Productivity. I've followed it for a while and enjoy what they have to say. Now I just need to start putting some of it into practice. Michael is also an active participant in the Security Catalyst Community where he has added value and good comments in the forums. I've also had a few email and IM conversations with Michael and have been impressed with his desire to learn more about security and his understanding of IT in general. I also can relate to some of the pain that he experiences as a one-man IT show for his employer. And finally he is an Alabama Crimson Tide fan, which means he has LOTS going for him. :)

When you get a few minutes go check out his new blog and add a comment of encouragement.

Friday, March 23, 2007

Just Trust Us

A vendor needs access to some systems on our network. They installed a Frame-Relay circuit and sent me a router to connect to the Frame and our network. I told them that before I could connect it I needed to see a copy of the router config because I wanted to see exactly what they are doing so I can make sure that I have the proper controls in place on my side. I also wanted to have something to show the auditors when they ask "What is that router for?"

The vendor told me that they didn't share their configs with customers. I completely understand because I wouldn't give my configs to just anyone. They could give me a sanitized copy of the config. They just want me to trust them without any questions asked. Now I don't have any reason to not trust them. Many other customers of theirs have this same setup, but I still have a problem with them wanting me to put this on my network blindly. I'm still working through this. Management is putting pressure on me to get this completed, but at least they are being understanding of why I'm sticking to my guns.

If any of the rest of you have run into a similar situation how did you handle it? I'd love to hear your stories.



Wednesday, March 21, 2007

Apple removes JavaScript support in QuickTime

Back in January I posted about how it would be nice if software vendors would leave out unnecessary extras; it would make their software more secure and our lives easier. Well, it seems that Apple has listened to me (since I am on "The List" I'm sure they closely follow my blog). :) Didier Stevens has reported that Apple has removed a feature from QuickTime, reducing functionality but increasing security. The new version of QuickTime (7.1.5) has removed support for JavaScript.

Kudos to Apple for doing the right thing. Maybe soon other vendors will follow suit.

Thursday, March 15, 2007

Stuck in a rut

This story on ComputerWorld reminds me of how easy it is for all of us to get stuck in a rut. We do things the same way all day every day and it can and does make us insecure. Just as these emergency workers failed to switch over to their emergency network, we often get used to doing things just one way and fail to think differently. Thinking differently, when done correctly, will help keep you on your toes and keep you alert to how you need to adapt when the unexpected happens. If we, as security professionals, can not only think differently but also teach others to do so, we can really make a difference.

Wednesday, March 14, 2007

I don't know what to say

I received an email tonight informing me that I have been named on The 59 Top Influencers in IT Security list. I'm honored and surprised. I'm not sure that I really belong on this list, but it does validate my reasons for starting my blog. I wanted to have a place to voice my thoughts and opinions on Security and hopefully make a difference while doing so. It's good to know that someone thinks I have something worthwhile to say.

In spite of being honored to be named, I want to make sure that one thing is perfectly clear. The post starts off with this quote:

"Insecurity is indeed the Internet’s original sin, as blogger and security expert Andy Willingham, put it. That's why it pays to keep tabs on what some of the smartest and most influential IT Security professionals are talking and thinking about."

The post The Internet's Original Sin is an RSnake post on darkreading.com. I did write about it a few days ago and added my comments and take on what RSnake said. I even made sure to link back to him. He had a really good post that spurred some thoughts of my own. I want to make sure that RSnake gets full credit for what he wrote. The last thing I want is to be accused of taking credit for the work of someone else.

Did complacency kill the cat or was the cat already wounded?

Rothman hits close to home with his comments regarding SMB security, but I have to admit he is right. I've spent my career in SMB IT and have many friends who are in it also. Security is a back-burner issue for many of them. Sometimes it's due to complacency, sometimes it's due to a lack of understanding from upper management, and sometimes it's due to a lack of funding. The funding can be gotten around. There are plenty of good free open source tools out there that will do the job as well as most commercial products. They take a little more work to set up and maintain, but they will get the job done.

Rothman is also correct in his assessment that SMBs think that a firewall and AV are all that is needed. That may be true if you have an office that only has PCs and is very restrictive about who is given Internet and email access; if you don't have remote or mobile users; if you lock down your systems so that USB, CD/DVD, and floppy drives are disabled; keep all network jacks disabled until needed; monitor and restrict access by MAC address on your switch (I know this can be gotten around; it's just to make a point); scan for rogue wireless APs; and absolutely refuse to allow anyone from outside the company to connect to your network. If you do allow any or all of these, then you need more than a firewall and AV.

I think the biggest problem that SMBs have when it comes to securing their networks, endpoints and data is that they don't understand how important it is. The IT guy is usually not a security guy, and often the security guy is only that because he is the one that opened his mouth at the wrong time. He doesn't have training or a security mindset, so he doesn't see anything wrong with what they are doing.

I'm not sure I'd call it true complacency that affects SMB security as much as it's complacency by default. They default to complacent because of not understanding security.

DST: Almost a nonevent for me

I spent a good deal of time planning and patching for DST. The worst part was trying to figure out exactly what needed to be done to make Outlook, Exchange and Blackberry Enterprise Server play nice together and not mess up calendar items.

All went well except for a couple of small issues.

  • Some of my laptop users who are on the road often didn't get the windows patch pushed to them.
  • Something didn't go right with the Exchange Mailbox tool so some users have a 3 week period between 3/11 and 4/1 where the appointments that were already on the calendar show up an hour early.
  • The CEO's new Blackberry Pearl was all messed up. Too many issues to outline. I had to erase the Pearl and delete his account on the BES server to get it to work properly. Spent 2 3/4 hours on the phone with Cingular and RIM. All but 25 minutes of that was on hold. 2 hours on hold with RIM alone.

All in all it wasn't too bad. At least my Sunday was peaceful.

I do have a couple of comments and questions for vendors.
  1. Why wasn't this dealt with in code long before this year? Many vendors issued patches in Jan or Feb of this year.
  2. Why wasn't the NEW Blackberry Pearl already compliant? It hasn't been out that long and we've known about the time change for 2 years.
  3. Why did I receive emails from 3 vendors on Friday 3/9/07 telling me to make sure that their applications would work properly? Why wasn't this email sent several weeks ago? Did they just get the word that time changed early this year? What did they expect me to do at the last moment? I guess they assumed that I would be working over the weekend to make sure everything was ready, so what's a few more apps to worry about?
Many vendors are suffering from poor customer service relations already and I don't think many of them did anything to improve their image. They had a big opportunity to make this a non-event for IT by making it a priority starting 2 years ago instead of waiting until the last minute.
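Why the broken appointments fall between 3/11 and 4/1, as an added example that is not from the post: the old US rule started daylight time on the first Sunday of April and the 2007 rule on the second Sunday of March, so those three weeks (and a week in late October) are the only days on which a patched and an unpatched component disagree about the UTC offset. An Eastern-time site (UTC-5 in standard time) is assumed and the appointment time is constructed.

```python
from datetime import date, datetime, timedelta

# Assumption: an Eastern-time site, UTC-5 in standard time.
STANDARD_OFFSET_HOURS = -5

def nth_sunday(year, month, n):
    """The n-th Sunday of a month; n = -1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        days_to_sunday = (6 - first.weekday()) % 7   # weekday(): Monday=0 ... Sunday=6
        return first + timedelta(days=days_to_sunday + 7 * (n - 1))
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def dst_window(year, rules):
    """[start, end) of US daylight time under the pre-2007 or the 2007 rule set."""
    if rules == "pre2007":   # first Sunday of April to last Sunday of October
        return nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)
    if rules == "2007":      # second Sunday of March to first Sunday of November
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    raise ValueError(f"unknown rule set {rules!r}")

def utc_offset_hours(day, rules):
    """Local offset from UTC on a calendar day under the given rule set."""
    start, end = dst_window(day.year, rules)
    return STANDARD_OFFSET_HOURS + (1 if start <= day < end else 0)

def disagreement_ranges(year):
    """ISO [start, end) ranges of days on which the two rule sets disagree."""
    ranges, run_start, day = [], None, date(year, 1, 1)
    while day.year == year:
        differ = utc_offset_hours(day, "pre2007") != utc_offset_hours(day, "2007")
        if differ and run_start is None:
            run_start = day
        elif not differ and run_start is not None:
            ranges.append((run_start.isoformat(), day.isoformat()))
            run_start = None
        day += timedelta(days=1)
    return ranges

def displayed_shift_hours(local_iso, stored_rules, display_rules):
    """Hours an appointment appears off when its UTC value was computed with one
    rule set and turned back into local time with the other (negative = early).
    The offset is looked up by calendar day, which is fine away from the 2 a.m. switch."""
    local = datetime.fromisoformat(local_iso)
    stored_utc = local - timedelta(hours=utc_offset_hours(local.date(), stored_rules))
    shown = stored_utc + timedelta(hours=utc_offset_hours(stored_utc.date(), display_rules))
    return int((shown - local).total_seconds() // 3600)

if __name__ == "__main__":
    print(disagreement_ranges(2007))
    # An entry saved under the new rules but rendered by a component still on the old ones shows an hour early.
    print(displayed_shift_hours("2007-03-20T14:00", "2007", "pre2007"))
```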

Tuesday, March 13, 2007

Heed Good Advice

In security, advice is cheap and easy to come by. Often it is VERY slanted. Slant can be affected by many things. When talking to the guys in the trenches, the slant comes from using the products and how they judge that those products protect or don't protect their systems. Sometimes it comes from bias based on what they know and feel comfortable with. Other times the bias comes from vendors who are pushing their products.

I ran across an article this morning that offers some good advice for security professionals. "Have You Read Your Regulations?" by Roger Grimes talks about the importance of reading the various regulations that your company is subject to. Often knowing what is and isn't expected and acceptable is the difference between being compliant or out of compliance. Now don't start thinking that I'm pushing compliance as a means to security. I firmly believe in the adage "Compliance rarely leads to good security, but good security almost always leads to compliance". You can have great security in place and be in compliance, yet make a small mistake that puts you out of compliance. That is why it's important for those who practice and manage security to be well versed in what is required and expected. Management looks to us when they need a solution to a problem. If they need to send data to a customer or business partner, they come to you to find out the best way to do so. Often they come with a preconceived idea of how they will do it and they want to know if it is "in compliance" with the various regulations. When you know the answer, not only does it keep the company secure and compliant, but it also looks good to management. They know that you are the guy (or girl) that they can trust to keep them out of trouble.

Regulations can be boring and often are difficult to understand, but it will serve you well to read and understand them.

Monday, March 12, 2007

Small Business IT

Mitchell Ashley writes about how guys who work in IT for small companies often have to do it all.

SMBs face a unique challenge when it comes to IT. Frequently, there are only a handful or sometimes just one IT person (even part time for very small businesses) to support the entire organization. This includes all aspects of IT; desktops, printers, end user applications, servers, web and spam filtering, networks, VPN, security software and devices, telephones, voicemail system, data and voice connectivity, hardware and software inventory, software license tracking, and upgrades, to name a few responsibilities. That’s a very large domain to train, cross-train, and manage going concern or growing business.

Man, can I relate. He has nailed it right on the head. I've exchanged a couple of emails with Mitchell but have never spoken to him, yet you would think that we had just finished talking about my job.

There is really little out there that makes life easy for small companies who are trying to maintain a network. There are lots of companies claiming that they have the answer, but so far all I've seen are solutions that are actually just one more thing to maintain. Often they create as much or more work than they save. Last week I posted about how having better tools would have made my life easier when it comes to detecting new devices on my network. I got lots of comments and email from all of you with all kinds of great suggestions for different tools to help with this problem. I really appreciate all the suggestions, but my real problem isn't so much a lack of tools (although I don't have them; it'll make sense later) as it is the fact that many of them require more work than I have time to put into them or (as Rothman puts it) a lack of organizational understanding.

I have downloaded but not installed StillSecure's alpha version of their new UNP product Cobia, so I can't really talk about it, but I do hope that it does what they envision. Someone needs to do something to make life easier for those of us in the SMB space.

Wednesday, March 07, 2007

Security Sins

I try to follow the posts on DarkReading.com daily. Sometimes I find something good, sometimes I find something that sets me off, and sometimes it's just black dots on a white background. A couple of weeks ago every time I went to their site I saw red. That was when they were on their "stupid user" kick. Lately they have been putting a smile on my face. I wrote yesterday about the Internet's Original Sin by RSnake and today, following the same theme, I read an article by Curt Franklin called Security's Three Deadly Sins.

As I read this post I couldn't help but smile. Not because I liked all the "problems" that he talks about, but because they look like every day life in IT. Not that that is a good thing. It brings back many memories.

He talks about Sloth, Hubris (Pride), and Greed and then breaks each of them down into some of the more common mistakes that are often made in each area.

Here are some of my thoughts on each area.
Sloth - Too often IT staffs take the path of least resistance. They don't necessarily do it out of true laziness as much as out of just being too busy. I've worked in such situations. Actually, at times my current situation is like that. The real problem with this is that it creates situations that usually don't get cleaned up because it requires too much work to "fix" them. That's where the old adage "If you don't have time to do it right the first time, what makes you think you will have time to do it right later" comes into play. Take the extra time and do it right from the start.

Hubris - The area of Pride that I see most often in IT/Security is the "stupid user" mindset. I'm not going to go into that again. If you want, you can check some of my recent posts and get my feelings and ideas on that. The other area that can be a problem with pride is the "I know security and you don't" attitude that often occurs between security and other IT departments.

Greed - I think IT is as guilty as anyone when it comes to "free" software. IT guys love tools that are designed to make their life easier. They are often suckers for a free download, and thus "ripe for the picking" when it comes to getting owned. Just because something is "open source" doesn't mean that it hasn't been compromised, or that many people actually check the hash or the code. Besides, what can be better for the network than free software that helps keep it safe?

One of the best attitudes that we can have to keep our networks secure is Humility. It helps keep our perspective where it needs to be. Keeps us from giving in to the "deadly sins" and helps us remember that we are all human and that we need to work together to make things secure.

I wish I had better network monitoring tools

You often hear of someone bringing a laptop from home or a wireless access point and connecting it to the corporate network. There are all kinds of security risks surrounding such things. I've even posted several times about an auditor or consultant coming in and just assuming that they can connect their laptop to our network. It's not even that uncommon for an Executive to come to me and ask if the auditor or consultant could connect.

Yesterday a guy asked me if I would be interested in buying a PC that he wanted to get rid of. I told him that I may and asked him for details. It's not much but will make a nice system to add to my home network. I told him that I wanted to look at it and assumed that he would bring it in today or tomorrow. Well, today he mentioned it again and so later I went to his cube to look at it. When I got there he had already left for the day but the PC was there. Connected to the network! As I did some investigation I realized that it has been there for quite some time. I'm not happy.

I know that you are wondering how someone who claims to be a security professional could allow this to go unnoticed for some time. I'd like to be able to say that I found it as soon as it attempted to get an IP address and that I was able to lock it out and keep it off. But I work for a small company that has a limited IT and Security budget. We have to spend what money we have on the necessities and not luxuries. Not to mention that we have added lots of new systems to the network lately and I'm still trying to get a handle on all the information being gathered now. Well, it is off the network now and I will be having a talk with him about this.

Note: I realize that there are several things that could have been done proactively to prevent this from happening. Many of them are things that I have tried to get approved by management, but they have been rejected because of small company politics.
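Both the point about watching MAC addresses on the switch in the complacency post above and the stray PC described here come down to the same check: is every address on the wire one we put there? As an added example (not the author's tooling; the inventory, snapshot and dates are all constructed), this compares an arp -a style snapshot against a device inventory and ages each unknown device across scans, so a box that has been plugged in for weeks is reported with how long it has been there.

```python
import re
from datetime import datetime, timedelta

# Inventory of what we put on the network: MAC -> description (constructed).
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "file server",
    "00:11:22:33:44:02": "mail server",
    "00:11:22:33:44:10": "printer, 2nd floor",
    "00:11:22:33:44:20": "alice-desktop",
}

# Constructed arp -a style snapshot; the last entry is the PC nobody registered.
ARP_SNAPSHOT = """\
? (192.168.1.10) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:02 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.1.101) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.137) at 08:00:27:9a:bc:de [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

def normalise_mac(mac):
    """Canonical form so 08-00-27-9A-BC-DE and 08:00:27:9a:bc:de compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {mac: ip} for every neighbour line in the snapshot."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[normalise_mac(m.group("mac"))] = m.group("ip")
    return entries

def find_unknown(entries, known=KNOWN_DEVICES):
    """Addresses on the wire that are not in the inventory."""
    return {mac: ip for mac, ip in entries.items() if mac not in known}

def update_first_seen(first_seen, unknown, now):
    """Keep the earliest time each unknown MAC was observed.

    first_seen maps mac -> time and is carried over between scans (it would
    live on disk in a real deployment). MACs no longer on the wire are dropped,
    so a visitor's laptop that left last month does not keep being reported.
    """
    updated = {mac: ts for mac, ts in first_seen.items() if mac in unknown}
    for mac in unknown:
        updated.setdefault(mac, now)
    return updated

def report(first_seen, unknown, now):
    """One line per unknown device, the one that has been there longest first."""
    lines = []
    for mac, ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        days = (now - ts).days
        lines.append(f"UNKNOWN {mac} at {unknown[mac]}: first seen {days} day(s) ago")
    return lines

def scan(text, first_seen, now):
    """One monitoring pass: parse, diff against the inventory, age the findings."""
    unknown = find_unknown(parse_arp(text))
    first_seen = update_first_seen(first_seen, unknown, now)
    return first_seen, report(first_seen, unknown, now)

def demo():
    """Two constructed scans three weeks apart; the stray PC is present in both."""
    day0 = datetime(2007, 2, 14, 9, 0)
    state, _ = scan(ARP_SNAPSHOT, {}, day0)
    _, lines = scan(ARP_SNAPSHOT, state, day0 + timedelta(days=21))
    return lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run from cron with a fresh snapshot each pass and the persisted first_seen state, and the report is the list of devices to go and look at, oldest first.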

Securing the Insecure

RSnake has a good post on DarkReading called The Internet's Original Sin. His point, as I see it, is that we are trying to use the internet for secure transactions yet it was never intended for secure transactions. The "original sin" is that it was not conceived with security in mind. We keep throwing new technology at it to make it secure, but the underlying framework is still insecure.

This is another reason that we need to work to ensure that end users are educated on how to surf the internet securely. There is little chance that we will ever make the internet, or networks in general, fully secure so we have to teach people how to be careful and pay attention to what they are doing.

I've been participating in an email thread where we were talking about being aware of what is going on around you. We have been sharing ideas and tips on how to live more securely in the physical world. We will never live in a world that guarantees safety, so we have to be aware of possible dangers. The same applies to the cyber world. You have to pay attention to where you go, how you are getting there and what you are doing when you are there.

When you drive into a part of town that has known dangers you lock your doors, roll up your windows and pay very close attention to your surroundings. Following the same guidelines on the internet will help keep you safe. If you find yourself on a site in the seedier part of the internet you have to do similar things. The best thing is to get out of there as quickly as possible.

Have you ever stopped to ask for directions and later discovered that the person intentionally sent you somewhere else? It's happened to me, so now I'm more careful when I ask for directions. The same principle holds true when clicking on links from unknown sources. Don't do it until you are sure it is going to take you where you want to go.

I could give lots of other comparisons, but I think you get the point. People learn to live safely and securely in the physical world because they spend their time there and they interact with others who help them develop their "spidey senses". Now the challenge is to help everyone develop their "cyber senses". Those who have the "gift" need to share it with others.

Tuesday, March 06, 2007

Sharing Security

Every now and then you run into something that you know is really going to be good. Something that is well worth the effort you put into it. I don't want to come across as being a "fanboy" but I've come to realize that the Security Catalyst Community is one of those things. We now have about 180 members that are in the community. They participate in forums and email threads that discuss various security related topics (and a couple that are just plain fun).

There are some really bright people involved in the community and they have some really great insights. We've attracted people from different countries and different disciplines in security. There are also people involved that are new to security and those that have been in it for many years. One of the best parts is that with all the big guns that are involved there are no big heads. There is a freedom to voice your ideas and opinions without fear of being ridiculed or made to feel like you are inferior.

Another huge benefit is the opportunity to network with others who share my passion for security. I've had the opportunity to interact with lots of people that live all over the country. I'm developing real friendships with some of them and with others I'm developing a professional relationship that will benefit me as I continue to practice security.

All that said I encourage you to check out the community and join in the discussion. I don't think you will be disappointed.

Monday, March 05, 2007

New Security

I've been thinking a lot lately about Security and how it affects our daily life. Both as end users of security products and those who implement and maintain Security systems.

As end users we are often held captive by the solutions that we have chosen. Of course we have the option to move to something else, but for many that isn't a real option.

As Security Professionals we are also held captive by many things. If we are lucky we are in a position where we have significant input into what solutions are chosen and how they are implemented and maintained. More often than not we inherit what is already there or have to take what is given to us.

We're also affected by decisions that are made by other departments or by management. Decisions that we often have no control over and no input into. Decisions are made that go against policy or good security practice because it is easy and isn't considered to be a "real" risk.

Things such as this are not going to stop until we are able to change the attitudes of those we work with. We have to change the way we do security in order to change attitudes. Users view security as being a hindrance to getting their job done. Management views it as a "necessary evil" to meet compliance requirements.

Part of the reason is that we are still doing security the same way we did when security wasn't the hot topic. We have been playing catch up and it has affected everything. We do security better in some ways, but actually more efficient is a more accurate word. We still implement systems and policies that continue to make life more secure, yet also more difficult for users. When we change our focus to learning new ways to do security and when we seek to engage our users we will change their attitudes and therefore make things more secure by default.

Technology will never solve our security issues. It will take more than technology; it will take a change in attitude for both the end users and professionals. Why not be an early adopter and lead the way in making a change?

Saturday, March 03, 2007

Thinking Alike

I started blogging in August of last year. I did it for a couple of reasons. I had been reading a few blogs and liked the idea of having a place to talk about what I thought of things that were in the news, things that I learned, things I needed to learn, and a place to vent when necessary. As I've mentioned before I quickly learned that there are other advantages: New Friends, Learning from others, interaction with vendors, opportunities to participate in the security community that extends beyond my company and life. Things such as getting an opportunity to review a pre-release copy of The Pragmatic CSO, participate in the Stillsecureafteralltheseyears year end podcast, the Symantec Advisory Council, becoming a member of the TCC and a few things that are in the works.

A few days ago I was thinking about all of this and it hit me that one of the biggest advantages is that I'm being mentored in a roundabout way. I interact with people that come from other disciplines of security and learn from them. I get feedback on my blog posts that helps me put my thoughts into perspective. I get to talk via IM to other security pros about lots of different things relating to security and technology. I've got a community of probably 50 people that I didn't know this time last year that I could call on for advice or help. Some of them I haven't even interacted with beyond a comment on their blog or them commenting on my blog. Yet I know that they would be willing to lend a helping hand if necessary.

That is also what Cutaway has come to realize with a little help from Richard Bejtlich and Mike Rothman. He feels the need for more mentoring in the security community and has come to realize that he has a built-in mentoring community via his blog and the relationships that have come out of it. This is quite possibly the best benefit derived from blogging. I hope that I gain much from this, but I also hope that I give much. I want this to be a mutually beneficial relationship for myself and those I interact with.

Friday, March 02, 2007

Reasonable Expectations

What is a reasonable expectation of security? I guess it would depend on what was being secured and what kind of resources had been allocated to secure it. If you want to secure your data you have to look at the risk and plan appropriately. If you want to ensure that files on your personal home computer are safe from prying eyes, would you buy a new PC with the Norton (or McAfee) security suite and let it go at that? Maybe the average consumer would, but I sure hope that a jury would not accept that.

Apparently Michael Alan Crooker thinks that being told by a store salesman that his new PC was impenetrable provides a very high expectation level. You can read the whole story here. I know that his level of expectation was derived from more than that, but I think that if the ATF has to send the drive to the FBI's Cryptologic and Electronic Analysis unit in order to get the info off the drive then that exceeds the reasonable level of expectation for a user class PC. If he really wanted that high a level of security he should not have bought a PC running the brand new Microsoft OS.

This is another case of someone not taking responsibility for their own actions. It also looks like he figures to gain financially from his own irresponsibility.

Family Security Podcast Series

Michael Santarcangelo is releasing a podcast series called the Family Security Series. It spans several topics that will help your family be more secure online. He has produced a promotional video that you can see on YouTube. Check it out and when each episode of the podcast is released listen to it, share it with your friends and family and help make things more secure for all of us.

Spammers Gone Wild

I checked my Yahoo account this morning and noticed that I had an unusually large amount of spam. When I checked it I found that I had 38 messages all informing me that I could get a Nintendo Wii or a PS3 for free. That's a new record for me receiving the same message at the same time.

I wonder if they came from different spam bots or if we have a "rogue" bot out there doing its own thing. BTW, if anyone knows how I can check the email headers on Yahoo let me know. That will answer my question.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.