Security's Everyman

Security's Everyman

Wednesday, May 30, 2007

Selling Security, It's our job

It's good to hear someone else from time to time get on the same rant as me. I'm talking about my regular "We need to quit bashing users" routine. Pete Lindstrom rants about how we need to pay closer attention to the business needs and not whine and cry about how Management doesn't understand or care about us. Now Pete is talking specifically about a podcast that Marcus Ranum did where apparently Marcus does just that. I have not listened to the podcast and so I can't comment on the specifics, but suffice it to say that whether or not Marcus did "whine" or not isn't the point. The point is that often Management does NOT get security (or IT at all) but it's not their job to get us. It's our job to explain ourselves and why we are important. They are business people and we need to sell them on the business of security. I don't mean try to scare them with FUD, compliance or horror stories. I mean we have to present a business case to them for security. Why is it important and what kink of ROI can be gained from it. How we can implement it without making the users life miserable. How it can make the company money. That's what they care about. Management is about the business being successful. If we can convince them that a secure business is a successful business then we have done our job (or an important part of it).

Now, before I start getting comments and emails about how most security professionals aren't business people. How they need to stay focused on technology in order to be good at what they do. I know that and I'm not suggesting that we should all make a run for the board room, but as an industry we have to take the steps to prove our worth and value. Many companies implement security just to get the auditors and compliance people off their backs. They hate security and think it is a waste of time, money and resources. We can continue to wallow in the basements of industry or we can take it upon ourselves to change the attitude of not only the "stupid user" that we all so often complain about, but also the "Clueless C's" that often complain about us. Management isn't going to come to us until they see a clear benefit to the company. We have to provide that clarity of vision.

Sunday, May 27, 2007

New Blackjack

For the last 4 years my previous employer supplied me with a Blackberry. It was my first "smart phone" and I loved it. I started out with a 6510 which was old when I got it. Then I upgraded to a 8703e which I really liked. Color screen, pretty fast data speeds, more memory, etc... When I left that job I had to leave my Blackberry and get my own phone and calling plan. As I was looking at what carrier to use, what plan to get and what phone to get I kept looking at the free and low (under $50) phones. What can I say I'm cheap. As I looked at them I just couldn't get past the fact that I was losing so much functionality by going with one of those phones. Not to mention not having a full keyboard. I HATE having to push the 2 key three times to type a "C". I also dislike the fact that most of these phones don't allow you to associate more than one number with a contact and many of them don't give you a place to add email addresses or notes. Then there is the whole ordeal of having to manually add contacts to many of them. So I decided to go with a Samsung Blackjack. I didn't even get a data plan so I'm not using many of the features, but just having the "key" features that I'm used to is VERY nice. It's a little different than the Blackberry but close enough that there was not much of a learning curve. Overall I like it. The call quality is really clear and the features on it are useful. There are a few things that I don't care for but they are mostly semantics and I'm sure I'll get used to it. Now if I'd just get a little less cheap and subscribe to a data plan I'm sure I'd be thrilled. Maybe once I go permanent with my employer I'll take the plunge.

Becoming a Pragmatic CSO

Unless something happens between now and then I'm planning on attending the "Maiden Voyage" of the Pragmatic CSO training next week. I have to take unpaid time off since I'm new and since I'm on a contract for the time being. That stinks in terms of training and such. Until I go full time with the company I have to foot the bill, including not getting paid, for any training. Not a big deal for a single day event but it shoots me in the foot for anything such as BlackHat or DefCon. I know that the content of the P-CSO will be well worth it so I'm willing to go w/o pay for a day. I think Mike still has one or two seats available so if you want to go this is the opportunity. You will never get a price this cheap.

Hope to see you there!

Pushing without testing

My first week at work was pretty exciting. Several things happened that allowed me to jump right in and start putting my training to work. I'm not going to go into any details obviously, but there is one incident in particular that I want to talk about.

Our network is quiet extensive. It seems to have been well thought out in it's design and although security wasn't always a top priority they have done a pretty good job of implementing policies technologies to mitigate threats and to "shore things up". We have several partner networks that connect back to various segments of our network and one of them went awry this week. It wasn't exactly a security issue but easily could have been.

The partner, which maintains a important aspect of our business, pushed out an upgrade and it caused all sorts of problems. Fortunately this segment is completely separated from our core network and it is not accessible from the Internet in anyway. What if it wasn't though? What if we had an Internet facing interface that was affected by this. What if we didn't have an air gap between this network and our core?

The potential for a breach would have been very great. Either from the Internet or from the partner network. This just goes to show that diligence pays off in designing security for your network. I know many small and medium sized companies that would not have been so diligent in ensuring that the design of this was secure and that the proper controls were in place. Why? Lack of staff, knowledge and money.

How could this have been averted in our case? Obviously the vendor needed to do more testing before pushing out the upgrade. The biggest thing is that they pushed it all at once. Every location was upgraded at the same time so the problem affected all locations. If they had pushed it to one or two locations and then let it run for a day they would have discovered the problem and rolled back, fixed it and averted a big problem.

Other than that it was a quiet week. The other issues mentioned earlier were nothing compared to this. They just required some changes in the way a couple of things were configured and in how a couple of things were done. It does feel good to make a difference on your first week. Especially when it doesn't require me to be up all night working on something that broke. I think I'm gonna like this. :)

Thursday, May 24, 2007

User Awareness Awareness

I had to go to a training session yesterday for an app that is used for special purposes within my new company. It is used by several different groups some are regular computer users and some are not so savvy. The training went pretty well for all concerned up to the point where he was trying to explain the password policy for the app. It uses complex password requirements. You know Uppercase, Lowercase, number, special character. The problem was that it was explained poorly.

This is the problem with user awareness training that I'm always harping about. We take a subject that may be somewhat confusing for many people and make it even more confusing. Then we blame it on the user and call them stupid. These users aren't stupid. If they were they wouldn't be in the positions that they are in at work. They are very competent at their jobs. Also this goes back to poor security policies over many years. Users are accustomed to simple passwords. Having complex passwords that are poorly explained compounds the situation.

So what's the answer? First, when we plan our training (or explaining) talks we need to make sure that our examples make sense to not just us and others who are technical and regular users. We need to have someone who isn't so computer literate give us their input on how we explain the concept. Secondly, we need to work to change corporate culture on passwords and security. It may take a while and we may have to take "baby steps" but that is better than nothing or better than going from simple to complex and having the help desk flooded with calls because we took too big a step too quickly.

Tuesday, May 22, 2007

Thrown in head first

Two days on the new job and I have been thrown in head first. Not that that is a bad thing. I like it that way. They are giving me time to get adjusted and acquainted with the network, but they have already filled up my plate.

My title is Senior Security Engineer. I'm responsible for overseeing all aspects of network security. I don't have to do all of the work my self but I'm responsible for ensuring that it gets done and that it follows best practices, company standards, etc... I've spent the 2 days looking over network diagrams, device configs, Pen Test results and policies. The Pen Test and Policies are my first "major" projects to complete. I'm also trying to get up to speed on some of the devices that they use that I've not seen much of. The firewall and IDS systems are ones that I've not used before. That's not a big deal though.

So far I've seen both good and bad (imagine that) in how things are done. The best part is that they are aware that they need work and they have an idea as to where they want to go. It will be my job to refine that vision and make it happen.

All in all I'm happy with the position and where I think it will go.

Monday, May 21, 2007

Look Who's Talking Now

I started my new job today. I'll post a little about it in the coming days, but for now I want to talk about my commute. I live about 35 miles away from the new job so I decide to take public transportation. I take an express bus into town and then hop on the subway and get out right at my office building. I like this for several reasons. One, it's lots cheaper than driving 70 miles round trip in Atlanta traffic. Two, it gives me time to read, think, listen to my IPod or nap. Three, it keeps me from going to jail because if I had to sit in traffic for an hour or more every day I would go mad and do something really stupid.

From time to time I would look up from the book I was reading or wake from the nap I was taking and look around at the people on the bus with me. You wonder who they are, what they do, who they work for, etc... and if you listen close enough you can hear their conversations, phone calls, or see what they are reading or working on. The same thing is true for those who travel by air regularly. People just let the whole world in on what's going on with them. It doesn't matter if it's public, private, personal or professional. People just don't pay attention to what they are doing or saying.

Then today I ran across this article on that talks about this very thing. The article requires you to register on their site for free, but the jest of it was that just by listening the author was able to glean lots of information about the bank that this person worked for. Name, phone number, part of an account number, etc... All because this person didn't take simple precautions while working and talking during a commute on public transportation.

It's easy to get caught up in the moment and forget about your surroundings, but if you are dealing with sensitive information you really need to pay more attention.

Sunday, May 20, 2007

My new gig

I'm excited to start my new job tomorrow. Not just because it brings in a pay check again, but because it will be interesting to see things from a different perspective. This will be my first purely security job. No more network admin responsibilities and no more trying to piece together free technologies to make a make something work as I want it to. I'll be working in an enterprise environment for the first time also. No more "small shop blues". I will finally have others at work that I can bounce ideas off of and talk to about concerns regarding security. I can get feedback from real live people instead of via email, posts and forums. I will get to experience what it's like to be in an environment where they have real tools to use. Where security is (at least in perception) taking seriously.

I read this post which pointed me to this post and it got me to thinking about my last job and how things would be different at my new job. Or will there be and difference? I sure hope so, but you never know.

When I left I had been preparing for this for about a week. I knew that this was a highly likely possibility that I would be laid off. Then as I wrote in my post about being laid off the morning that I was laid off I knew it just as soon as I walked in the door that day. I had spent the week getting things in order. I had ensured that I had backups of all data on my laptop that I needed. Not company data but personal things. I could have easily taken copies of ALL data on the network if I so desired. I had the access rights to EVERYTHING and if something had been set up so that I couldn't access it casually with my admin level rights I had the account info to get access to it. Obviously I had access that only myself and one other person had, but there wasn't any "real" protections in place to prevent the average user from taking anything that he/she had access to. It wasn't because we didn't want or have a need for it, but because we didn't have the money or staff to implement it.

Now that I am going into an enterprise environment it will be interesting to see what kinds of data protection they have in place. Will it be just as easy for someone to walk out the door with what they want or will there be things in place to either prevent it or at least make it VERY difficult. Unfortunately these are things that I probably won't be able to blog about. I'd love to be able to tell the story, but by doing so I will be giving away too much info that could be used against us. I'll have to see what I can do, but don't count on hearing much about it.

Friday, May 18, 2007

My vacation is over

Just wanted to let y'all know that my vacation is over and I start a new job on Monday. I really hoped that this wouldn't be a long break and it worked out to be 9 working days. After I get settled in and learn more about what I can and can't do I'll blog about the new gig. If may not be able to say much, but I'll do what I can.

Thanks to all of you who sent me notes and left comments on the blog. I appreciate your concern.

I hope I don't forget to set my alarm Sunday night. :)

Thursday, May 17, 2007

Identity Theft on the rise

One of my biggest fears is to have my Identity stolen or my financial data compromised. I'm careful about what I do online and when I do transact financial business online I'm careful to do it only from a PC that I trust and feel confident is free of malware. I check the URL to ensure that it's using a valid SSL cert and that it is the actual URL of the site I want it to be and not a phishing site. I only deal w/ reputable sites. I never give credit card info to those I don't know. If they won't accept PayPal then I don't buy from them. I don't click on links in emails that point me to financial sites. I always go to the site and navigate manually to the page that I need.

When it comes to physical transactions (ATM cards, Debit Cards, POS, etc) I check to ensure that the terminal is properly installed (as much as a visual inspection can do). I check to ensure that it's not a "face plate" over the real scanner that will capture my data. I ensure that I enter my PIN in a way that is not easily seen by others. I shred my receipts and others paper documents that may be used to steal my ID or financial data.

I take all of these precautions and still am in danger of being "tricked" into having my data stolen. This article from PC World points out that the crooks are getting better at getting our data. Of course this has been known for a long time, but now they have card terminals that are identical to those you use at WalMart and other stores. The only difference is that they have a circuit board that captures all card data. Then the crooks come back and get their terminals and your data.

Obviously this isn't easy and it takes skill and planning. It works because it looks and works the same. So now retailers and vendors have to step up their security to ensure that this doesn't happen. They have to develop and put measures in place to ensure that when a "rogue" terminal shows up on the network that it won't work. I don't know what they would be because I don't know the specifics of how they work, but I'm sure something such as encryption keys or activation keys that have to be entered prior to them coming online is a reasonable possibility. There must be some way of identifying each terminal and not allowing them to come online until they have been "approved" and entered in the system.

The key here is that if we are going to win this war vendors have to design their products in such a way that the plug and play mentality won't work. Making things easy is great but it doesn't work. It makes us less secure and makes the lives of the bad guys that much easier.

Wednesday, May 16, 2007

10% of web pages host malware according to Google

Did you see the article about Goggles research that said that 10% of web pages are hosting malware? Pretty scary stuff. Especially the part about most of it coming from banner ads and such. That means that the web site owner may not even know that they are hosting it.

Most of us aren't even fans of banner ads and this is another reason to not like them. I understand that the web site owners make money off of them and that allows them to do what they do without charging the site users a fee to visit the site, but we still just don't like banner ads.

Now for the security implications of this. Any time you post code on your site that points to another server you are opening yourself and your visitors up to potentially being compromised. How do web masters deal with this? What do they need to do to mitigate the risk associated with something like this?

Obviously the first thing is to do a review of the site that is being referenced as well as the code that they give you to put on your site. Then you have to be diligent to keep an eye on things to ensure that nothing changes over time. Just because it is (or appears to be) secure when you check it doesn't mean that it won't change.

Banner ads won't go away for a while so just as with everything else we need to be careful. Users need to be wary about what ads they click on. Stay away from those ads that take you to the "darker" side of the Internet. Stay away from those that go to places that you aren't familiar with. Just because it looks pretty doesn't mean that it is pretty.

Again I have to go back to education being a big part of the answer. Site owners have to be educated on how to operate a safe site and users have to know how to surf safely.

Tuesday, May 15, 2007

Time to think

I've taken the last week off from blogging and spent it focusing on my job hunt and career. I've spoken with several recruiters and friends. I've been on interviews and spent time online researching companies. Then on Friday we got a call from my wife's sister that she was ready to give birth so we went to Ohio for the weekend and saw our new nephew. We just got back in late last night and I'm ready to start the week off with more interviews and calls to potential employers.

I didn't pay much attention to the news in the security space last week so I don't have much to say about anything along those lines. What I do want to talk about is the importance of being prepared for something unexpected. As security professionals we often spend our days doing our best to mitigate risk, preventing breaches from occurring and being prepared in case they do occur. Many times it can take all of our time just to do this and when we get home the last thing we want to do is spend time on our career focus. So our resumes go untended and don't get updated with our latest accomplishments and achievements. We don't spend time developing other aspects of our career such as learning a technology that we don't use in our day to day work, learning a different aspect of security such as Risk Management, system assessment, policy creation, etc... Things that help make us a little more well rounded.

I say this because I have done some of this and some I haven't done. My resume was up to date and that was a big time saver since I had people requesting it right away. I have tried to learn new things but obviously I can't learn it all. As I've been looking at positions and talking to recruiters and hiring managers I realize just how much I don't know. It puts into perspective just how big the security space is.

In this day where lay offs are common place and companies are outsourcing jobs more and more it is wise to be prepared. To know what you want to do today and in a few years. Do you want to move in a different direction down the road? If so you had better start preparing now. If you don't you will not be ready when you are ready to make a move.

One of the things that I'm doing to prepare for the future is working with Michael Santarcangello. He has a program called "Career Compass" that helps you to focus on what you want out of a career and where your strengths are. Hopefully I will have a new job before I've completed this but I know that it will be beneficial for the future. Even though I know where I want to go this will help me to focus more and take the right steps.

So my advice for the day is "be prepared". Take some time to update your resume and think about your future. Then start taking steps to make you future a reality.

Tuesday, May 08, 2007

When Things Don't Go As You Plan

Last week the company that I worked for hit a major road block that threw it for a loop. It really hurt financially and caused them to go into "emergency survival" mode. Part of that involved cost cutting and layoffs. Yesterday I became a causality of the cutbacks. My boss called me in at 4:00 and told me that he had pulled all the strings that he could to save my job, but had lost the battle. I saw it coming. I knew last week that it was a possibility so I started getting my house in order. Then yesterday morning when I came in I knew that something wasn't right. I could just feel it and I was right.

A few things happened that made me smile in spite of the "dreariness" of what was happening. First, it was obvious that my boss was not happy to have to lay me off. He told me that he had spent the last 3 day working every possible angle to prevent this from happening. Once he realized that he couldn't win he started working his network calling people and telling them that he had someone that they needed to hire. He called about 15 people trying to either get me another position or get some leads for me.
Second, as we left his office and went to my cube to collect my laptop my phone rang. It was a local Recruiter calling to talk to me about a position that they needed to fill. I have an interview tomorrow at 4:00. :)
Third, my only cell phone is a Blackberry that the company provides and pays for. He agreed to let me keep if for a couple of days while I got a new phone and transferred my number. One thing that he had to do though was disable my network and email account and then he was going to initiate an "erase" of my Blackberry via the Blackberry Enterprise Server. So he disabled my account and sent me a test email. It appeared on my Blackberry. He then told the BES server to erase my Blackberry. Nothing happened. He tried it again. Still nothing. This went on for about an hour as I was packing my office. He eventually gave up and just deleted my account from the BES server so I couldn't send or receive email on the Blackberry. Even the network didn't want me to go. :)

Anyway, I'm looking for a position if any of you are hiring or know someone who is. I'm in Atlanta, Ga and that is the place that I'm looking first. I'm open to relocating also. Lexington, Ky or Cincinnati, OH are my first choices, but I would consider other locations as well.

Here is a little about my work experience. I'm a CISSP, and my background is networking and security in a Windows environment. I'm experienced in WAN and LAN technologies, project management, team leadership, working with vendors from first meeting to negotiating contracts, physical security, systems analysis. I'm experienced in dealing with end users and Upper Management.

Hopefully you already realize that I have a passion for security and making it understandable for everyone. I like talking about security and helping others see it from a different perspective if possible. I also want to help those in the security profession understand their users better and learn how to relate better to them and understand where they are coming from.

Thanks for letting me "ramble" and I'd appreciate any help that any of you can give me. I'll probably post my resume online soon and I'll post a link here once it's up. I'd also like to say thanks to the guys in the TCC of the Security Catalysts Community for all of their words of support and encouragement during this time.

Thursday, May 03, 2007

No one is exempt

I ran across this article this morning. The author and some people he interviewed seem to have been under the impression that corporate networks were almost immune to bots and similar malware. At first I thought "how naive" but then I remembered that I used to think that also. That is until I thought about all the different attack vectors that a network is susceptible to.

Years ago, when malware was sparse, a firewall and AV software was all many companies (even large ones w/ big budgets) needed and used. Virus' popped up from time to time when someone took a floppy disk home and got it infected and then used it at work. Then email started being used more frequently to spread them but they were mostly limited to doing little "real" damage and could be contained fairly easily. The malware writers got smarter and the advent of the Internet as a critical tool of business for both home and business use raised the stakes.

Now a corporate network can be secure at the perimeter, secure at the end point (as secure as is reasonably possible) and secure on the wire, yet still be open to attack from many points. Machines can get infected and the protections in place are often totally in the dark that anything has happened. You can get infected by doing things you shouldn't be doing and you can get infected by doing things that aren't inherently dangerous (browsing a legitimate site that has been compromised). The corporate network may be adequately secured to prevent this (at least we like to think so) but your home network, the coffee shop, the book store and other open wi-fi hot spots are ripe for the picking. These are the places where many users get infected and then they often bring the infection back to the office.

I'd dare to say that most corporate networks are not equipped to notice this unless something really unusual happens to trigger and IDS/IPS or they happen to stumble across it. Michael at mcwresearch gives us a great example of this. I also tell a story here of a time when I "stumbled" across something at a client site.

This is what is so scary about today's malware. It's easier than ever to get infected and harder than ever to be detected. That's why it's so important that security professionals continue to work diligently in all areas to protect their little corner of the network and Internet. Everyone from the Security Researcher down to the desktop guy is important in the fight. No one is better than anyone else and no one is more important than anyone else. We all have to work together if we ever hope to win this battle.

Wednesday, May 02, 2007

The ineffectiveness of technology solutions

Amrit thinks that user awareness training is a waste of time and money. I think he is wrong. I think ineffective user training is a waste of time and money. I also think that if we follow his line of thinking on this that we should abolish user training and all technology designed to secure our networks. After all we spend lots of time and money on them and they still have vulnerabilities that allow the bad guys access to our systems.

I know he has been listening to lots of people gripe about "stupid users" lately and he has experienced his fair share of them in his life. I know I have and they are very frustrating. But statements like his regarding it being a waste are VERY unproductive. He said "As security professionals let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible," That's all fine and good, but it's not something that we can all do. Not all of us are in positions where we can do these things, but most of us are in a position to teach someone how to be more secure. Not to mention that until the time comes that we have these "technical and procedural controls" in place we still have users who need to be trained. It's
unreasonable to think that a session (probably quiet boring) of UA training and a few emails, posters, and (more boring) documents to read will change a behavior that has been going on for years.

User Awareness training has to be relevant and interesting in order to be effective. Different people learn in different ways and to expect them to all fit into the same mold is unreasonable. We adapt spam filters and firewall rules and IDS/IPS signatures to various attack styles, why aren't we willing to adapt UA training to various learning styles?

Now all that said I do want to be fair and let Amrit finish the quote above. "
that doesn’t mean that no awareness training should be performed but in an enterprise it should probably consume 1% of 1% of the total security budget, of which on average is 4-8% of total IT budget." He isn't against user awareness he just doesn't like the current state of it and thinks that there are better ways to spend time and money. Fair enough. I just think that before we go off making statements like this in a public forum we need to think about them more.

Finding bots and learning from them

Michael at has a good post about finding a bot infected machine on his network. He outlines how he was alerted to the problem, the steps he took in investigating it, how it was resolved and lessons learned. Go check it out.

Tuesday, May 01, 2007

Tip of the Day - Write it down

I don't plan on making this a daily habit, but a few things have crossed my mind and keyboard lately that has made me want to write about something that is often overlooked. One of the things that started this was a thread on the Security Catalyst Community about password policies. A comment was made about the need to use different passwords for different service accounts, the need for complexity, using things such as PWSafe to keep them organized etc... Then the comment was made

Need I say that you should NOT write them down anywhere.
I replied that writing them down is a good idea as long as they were secured in case of emergency. In this particular case the guy who started the thread is the only IT guy for his company. The loss of these passwords could prove costly to the company. I know of a couple of instances where the lone IT guy left under bad circumstances and refused to tell anyone the passwords for the systems. They were able to recover them, but it wasn't easy or cheap.

Then this morning I was looking at the SANS @Risk Newsletter and it listed all the vulnerable apps. As I was looking at the list it occurred to me that many of these were small apps that are often installed unknowingly w/ other software or they are small apps that you install and forget about. If these do not have auto update features then when they become vulnerable you are at risk and won't even know it. Having a list of ALL apps on your system and doing regular Google searches for updates or checking their web sites for them is a good idea. If you don't write them down then you won't remember them and they will remain unremembered or at least you won't think of checking for updates.

Using things such as the freeware Belarc Advisor (free for personal use only) will greatly simplify your search for installed apps. There are also others out there that will give you a good snapshot of just exactly you have installed.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.