Security's Everyman

Friday, June 29, 2007

Security Mentoring

How do you become a "Security Expert"? You can take classes in high school, college and trade school. You can attend "vendor training" or security related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer, home network or use some online labs. You can participate in forums (security catalysts community, friends in tech, etc). You can read blogs and "security" websites (Andy ITGuy, Tao Security, SearchSecurity, etc). You can join in on chats using IRC or other Instant Messaging type clients. You can join organizations such as ISSA, InfraGard, ISACA.

All of these are good and viable ways to learn about information security and how to practice it. Of course the best way is OJT: On the Job Training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks that the best teacher is "guided experience". I must agree. You can learn a lot from experience, but if you don't have someone there to help you understand all that the experience has to offer then you are missing out. If you don't have someone there who will challenge your experience and, more importantly, the lessons that you think you are learning, then you are missing out on a valuable resource.

Chuck said that "the difference between experience and guided experience is confrontation".
Not confrontation in an arrogant, mean way, but in a way that is meant to challenge and lead. That is what makes a really good security professional: someone who learns from others as well as on their own. Now please don't misunderstand me and think that I'm saying that without a "mentor" you can't be a good security professional. That is not what I'm saying. But a mentor will make you a better one. In order for that to happen you have to have someone who has the knowledge and the desire to pass it on. They have to be willing to be tough without being mean. Then you have to be willing to learn. Listen to what they say whether you like it or not. Take it to heart and make the change.

The security landscape changes too quickly for any of us to know it all and continue to know it all. It changes too fast for us to go it alone. We need mentors to help us along the way. Hopefully you will get the chance to actually work with others who can guide you, and hopefully you will get the chance to guide others. If for some reason you don't have that opportunity (all you SMB IT and security guys) then look for ways to connect with someone in your area. Look into some of the links above for organizations, blogs, training offerings and such that can guide you through the maze of information security.

FTP is Secure?

I'm a really nice guy and usually don't point out what is HOPEFULLY just an oversight on someone else's part, but this is just TOO ridiculous and WRONG to let go.

This article starts off in a very wrong way. To quote:

For years, file transfer protocol has been the standard for file transfer security. While FTP still offers the gold standard in security over the Internet,
Since when did FTP become the gold standard in security? Since when did FTP offer any form of security?

I really, really, really hope that the writer meant SSH or SFTP instead of FTP. I really hope that he wasn't quoting from a press release that was sent to him by the company who has finally solved all of our file transfer woes. I really hope that he retracts this statement and corrects this error.
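To make the point concrete, here is an added example (mine, not part of the original post or the article it quotes) of what a passive observer on the wire sees on an FTP control channel. Plain FTP sends USER and PASS as readable text; the encrypted options are SFTP (a different protocol, over SSH) or explicit FTPS (AUTH TLS, RFC 4217). The three transcripts are constructed for this example, and the "C:"/"S:" prefixes are a hypothetical capture tool's convention, not part of the protocol. The third transcript shows the failure mode worth checking for: a client that asks for TLS, gets refused, and sends the password in the clear anyway.

```python
# Added example (not from the original post): what a passive observer sees
# on an FTP control channel, and how to tell a cleartext login from one
# protected by explicit FTPS (AUTH TLS, RFC 4217).
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed transcripts. "C:" marks a client line and "S:" a server line;
# that prefix is a hypothetical capture tool's convention.
CLEARTEXT_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: RETR payroll.csv
S: 150 Opening BINARY mode data connection
"""

# Client asks for TLS and the server agrees: everything after the 234 reply
# is encrypted, so the capture has nothing further to show.
FTPS_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

# Client asks for TLS, the server refuses, and the client logs in anyway.
FALLBACK_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 502 Command not implemented
C: USER bob
S: 331 Password required for bob
C: PASS s3cret
S: 230 User bob logged in
"""

@dataclass
class Finding:
    username: Optional[str] = None
    password: Optional[str] = None
    files: List[str] = field(default_factory=list)
    tls_before_login: bool = False   # was TLS up when USER was sent?

_CLIENT = re.compile(r"^C:\s*(\S+)(?:\s+(.*))?$")
_SERVER = re.compile(r"^S:\s*(\d{3})\b")

def analyze_ftp_control(transcript: str) -> Finding:
    """Walk the control channel and record what a sniffer could read."""
    f = Finding()
    tls_on = False          # TLS negotiated successfully so far
    awaiting_auth = False   # AUTH TLS sent, waiting for the server's verdict
    for line in transcript.splitlines():
        s = _SERVER.match(line)
        if s:
            if awaiting_auth:
                tls_on = s.group(1).startswith("2")   # 234 = accepted
                awaiting_auth = False
            continue
        c = _CLIENT.match(line)
        if not c:
            continue
        cmd, arg = c.group(1).upper(), (c.group(2) or "").strip()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            awaiting_auth = True
        elif cmd == "USER":
            f.username = arg
            f.tls_before_login = tls_on
        elif cmd == "PASS":
            f.password = arg
        elif cmd in ("RETR", "STOR"):
            f.files.append(arg)
    return f

def credentials_exposed(transcript: str) -> bool:
    """True when a password crossed the wire without TLS in place."""
    f = analyze_ftp_control(transcript)
    return f.password is not None and not f.tls_before_login

if __name__ == "__main__":
    for label, t in (("cleartext", CLEARTEXT_SESSION), ("ftps", FTPS_SESSION),
                     ("fallback", FALLBACK_SESSION)):
        print(label, analyze_ftp_control(t), "EXPOSED" if credentials_exposed(t) else "ok")
```

The same logic applied to real captures (feeding it the reassembled TCP stream of port 21) is a cheap way to audit whether "we use FTPS" is actually true on your network, since the fallback case looks identical to plain FTP from the user's point of view.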

Thursday, June 28, 2007

An Open Letter to Marketers

Dear Marketing Professional,

I often receive press releases from you about various new offerings that are coming out from this vendor or that vendor. I probably will never blog about one of them just because this blog is not for advertising. If I use something and really believe in it then I will write about it. Just as if I use something and it is a really bad product I will also write about it.

I'm not asking that you stop sending me the press releases because I do like reading about these products (usually). What I am asking is that if you are going to send me something, DO NOT attach a .pdf or anything else to it. That is one surefire way of not getting your release read or published. In today's world of rampant malware being spread in every conceivable way I will NEVER open an attachment that I receive from some random marketer.

As you probably can tell, I did receive just such an email today. Not only was there an attachment with it but the person didn't even have a signature beyond a name. I am a security professional, and if you are marketing to security professionals you probably should NOT employ the very practices that we preach against and rant about.


Andy ITGuy

Tuesday, June 26, 2007

Incident Response Response

Things happen all the time in the digital world. Often they go unnoticed for a long time and sometimes things go our way and we are aware of something going awry early on. When this happens we need to be prepared. We need to have a plan in place to deal with all that is involved in tracking a cyber criminal. Now I'm not a forensics guy; for that you need to talk with Harlan Carvey or The Security Monkey. But I do know enough to realize that there are some best practices that you can employ to make the job of IR and forensics much easier. The nice people over at Network World have even put together a good article for you on how to be prepared for your next hack. It covers many things that you need to do to ensure that you are covering the bases. Many of the things that they talk about can be easily forgotten in the heat of the moment but they are crucial in the investigation process.

Sunday, June 24, 2007

Successful Security

I'm really tempted to copy and paste this entire article here. Hoff nails it right on the head with this one. It's a no-holds-barred quick look at what we as Security Professionals need to know and understand. If we want a successful program then we have to look beyond the day to day things that often occupy our time. We have to move outside our self-imposed little boxes and look at the big picture.

He gives a nod to Rothman's P-CSO in the intro to this and it does contain a lot of the same principles that Rothman and others (including myself) often preach.

Some of the Key points that I liked are:

  • Measure something - like it or not, if you can't measure it chances are that it won't last long or it will never get implemented. Management demands measurable results.
  • Don't be a technology crack whore - technology is not the answer to everything. It may be fun to play with and it may look cool in the data center, but if the processes aren't in place and the people don't understand them then technology will not work.
  • Shut up and listen - Our job is to secure and enable. We can't do this if we only tell the users what we want; we have to listen to what they need.
  • Learn to say yes by saying no and vice versa - We often have to say "no" but we don't have to be rude about it, and when we say no we need to explain why in a way that makes sense to the users.
Hoff, great job.

Thursday, June 21, 2007

Things I'm quickly looking at

I've been super busy lately and haven't been able to keep up with my feed reading like I'd like to. Obviously my posting has slowed quite a bit also. Today I've got a little breathing room so I decided to post links to several articles that I saw, quickly looked at and found to be of interest or value. If you haven't already done so, check them out.

More UA fodder. Good article on DarkReading about how people are the root of the problem and thus why they need training.

Another good DarkReading article. This one is on the value of having a well trained IT staff.

DarkReading is our winner today with 3 straight awards in my picks of the day.

Rebecca Herold is quickly becoming one of my favorite bloggers. Today I discovered that in addition to her Realtime Community site she has another site that is also loaded with great information regarding privacy.

Cutaway jumps in with both feet talking about how universities need to take care to secure and protect sensitive information.

The Liquid Matrix blog rings in about the woeful state of DHS. Maybe they should call it the Department of pwnedland Security.

Finally I'll leave you with some "lite" reading from the guys at Matasano. They make my head hurt.

Why do security?

I've got mixed feelings regarding compliance. On one hand I like it because it is forcing many companies to do things that they wouldn't normally do to better secure their network. On the other hand, too many companies are only doing what they have to do to pass their compliance audit. They are checking the boxes on their compliance checklist and missing a hole somewhere because that area isn't on the compliance "watch list". They may be making the auditors happy for now, but what about next year when they come back? What about next week when the bad guys find your vulnerability? After that happens you are going to be forced to take action to fix the problem. Only it may be more expensive and difficult to fix than if you had done it when it should have been done. Not to mention the clean-up costs.

Compliance is not the reason to secure. You secure because what you have on your network is worth something to your business. You secure because a breach will hurt your business and possibly destroy it. You comply because you have data that is valuable to other people. Things such as customer and employee data, credit card numbers, social security numbers, etc... All of these things are "protected" by your compliance checklist, but if a hacker gets into your network through some venue that is not on the checklist it doesn't really matter what is checked and what isn't.

When considering security for your network you have to look past compliance and look at the "real" picture, not the one painted by GLBA, SOX, HIPAA, PCI or any of the others. Listen to your IT Security staff (or those who have a clue), listen to consultants, VARs, vendors, etc. Don't just cast them off as either trying to get all the cool toys to play with or trying to sell you more than you need. Yes, those things happen, but you should at least consider what they have to say and look at it with an eye towards gaining knowledge on what will really make you secure. Too often companies look at the bottom dollar and what will fill the check boxes. The only problem is that the check boxes keep increasing in number, and the bottom dollar can't be seen because of hidden costs that you can't know about.

Friday, June 15, 2007

My Security RoadTrip

Martin asked several of us to tell our Security story again. I told it here (which was an updated story from earlier) and this time I'm going into a little more detail. Hope you enjoy it and I promise no Sun Tzu quotes Amrit.

I've mentioned before how I got started in IT and sort of moved into Security, but as I look back at what I wrote I didn't go into much detail about why and how I made the change.

I used to think that security meant a firewall and AV. The company I worked for never patched machines and I don't think that we even put AV on all machines (can't remember for sure). We ran MS Proxy Server 2.0 for a firewall and that was the extent of our security.

When we built a new data center we decided to "upgrade" our infrastructure: we put in a Cisco PIX and an MS ISA 2000 server. We put in McAfee ePO to manage AV. It was then that I started monitoring the firewall logs and ensuring that all our machines were updated with AV, and we even started some patching. It was around this time that Code Red (or some high profile virus/worm) hit. It was then that I realized the implications of having a secure environment. I was also noticing attacks that were being attempted on our network from the outside. Several projects that I was involved in required me to do lots of research and talk with vendors about their offerings. I started realizing that there were lots of cool "toys" out there that allowed me to see deeper into the network and do things to mitigate the risks that I was starting to see.

My boss was pushing me to upgrade my CCNA to CCNP. I had decided that I wanted to focus more on Security and asked him if he would object if I pursued what was at the time the equivalent of the CCSP (I think it was called CSS I and CSS II). He agreed and I started studying for it. Shortly after that I was laid off and my next job was a consulting position where I was hired to be the Security Specialist for the company's clients. I did network surveys to look for security weaknesses in their environments. Of course Security awareness was still in its infancy (especially in small town USA) and most companies didn't want to pay for the service or the recommended changes to their environment. So I spent lots of time doing network monitoring and maintenance.

Until a month ago I had never held a pure security position. It was always just part of my job as a Network Engineer. I personally took the initiative to make it my priority and primary focus. As I was looking at what direction I wanted to take my career I decided that obtaining the CISSP over vendor certs would benefit me more. Since I was on my own for training, study, paying for tests, etc I had to choose carefully. Thus even though I'm qualified to work with several vendor devices I'm not certified on any of them.

There it is. My story. Long winded as it may be.

Thursday, June 14, 2007

Scott Wright at the SecurityViews blog has a good post where he gives his take and analysis on the Pfizer laptop breach incident. He said that he may make this into a series. I hope he does.

He makes some good points about what went wrong, what could be done differently and what the implications are. My favorite one, for a couple of reasons, is this:

Get serious about security awareness in the organization. Policies are no fun to read, and just having them doesn’t make them happen automatically. Security awareness training and regular updating is essential. But it doesn’t have to be tedious, and people need to be kept up to date on what to watch for.
I like this because right now I'm in the middle of reviewing, updating and creating new policies for my company. They are dull and it's hard to stay awake while doing this at times. Unfortunately, if you make them fun then legal whines and they rewrite them in a way that no one can understand. I also like it because it reinforces my belief that security awareness training is a KEY piece in a security program and in maintaining a secure environment.

I just turned to today's entry of my handy "The Art of War" calendar and what do you know, Sun Tzu has an appropriate comment for this very thing.

If your own army is hesitant and confused, you bring trouble on yourself, as if you were to bring enemies in to overcome you.
If we don't have effective security awareness training then our "army" will be hesitant and confused. They don't know what is and isn't safe to do because they don't live this stuff like we do. We have to train them. We have to give them the knowledge and understanding of what is going on so that they are not hesitant and confused. How many "average" computer users know the dangers of file sharing software? Their friends use it and their computers haven't crashed. What about the dangers lurking on sites such as MySpace and porn sites? Do most people really think that by surfing for porn they are possibly giving bad people access to their online banking credentials? No, they don't. They aren't aware of the problems.

That is why a good security awareness program at work will not only benefit the company but the employee and their family and friends also. When they know the reality of this they will share it with others. Information Security may be focused on the corporate network but it expands way beyond the borders of our firewalls. Someone posted a comment on my "Why IT doesn't really get security" post where he said that he had all but given up on security awareness because ... well I'll let you read it here, it's a bit long. He has some good points but as I've said before we can't give up on security awareness training. We can't quit our users. Technology can only do so much. People have to do the rest.

Let's be careful out there,

Andy ITGuy

Sarcasm, bad passwords, and Dilbert under a Southern Moon

Since it's so 1990s to use The Art of War for security analogies or to use Dilbert to explain management principles, I'll just point you to a Dilbert cartoon for a security analogy.

Tuesday, June 12, 2007

Why IT doesn't really get security

Since I started my new job there have been four (4) different occasions where members of the IT staff have given me their USB thumb drives to transfer data to. These are guys that I work with daily but I don't know them and they don't really know me. One guy even gave me a U3 drive.

Now I take all the normal precautions against getting owned this way. Autorun is disabled and I have HIPS and AV installed on my laptop. While 3 of the 4 stood by while I copied the data to their drive the other one gave me his drive and walked away. I had it for over an hour before he came back for it. Those who did stay with me weren't paying attention to what I did. I could have copied data from their drive to my laptop or copied more than they expected to their drive.

This is just a sampling of part of the problem that the average IT guy has when it comes to really understanding security. They may get some of the more obvious security concerns such as what to do to secure a router or how to properly secure data on a shared drive. They may even understand some of the risks associated with various activities, but if they continue to pass around USB keys to people that they don't really know (and walk away!) then there is a problem. I think that many IT professionals do things such as this because they figure that they can trust one another and hopefully they can, but carelessness in one area will eventually lead to more carelessness unless they are very aware of their actions.
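"Autorun is disabled" is worth verifying rather than assuming, and a U3 drive is exactly the case where a half-done setting fails: the stick presents an emulated CD-ROM partition in addition to the removable disk, so blocking AutoRun for removable drives alone does not cover it. The following is an added example (mine, not from the original post) that decodes the Windows NoDriveTypeAutoRun policy bitmask, reports which drive types a given value still leaves AutoRun enabled for, and reads the live value from the registry when run on Windows (elsewhere the registry read returns nothing and only the decoding runs). The constants and the "u3_safe" rule are my framing of the documented bit layout.

```python
# Added example (not from the original post): decode the Windows
# NoDriveTypeAutoRun policy bitmask that "Autorun is disabled" really rests
# on, and read the live value when run on Windows. Each set bit disables
# AutoRun for one drive type; bit positions follow the DRIVE_* type numbers
# returned by GetDriveType.
from typing import Dict, List

DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM (also the emulated partition a U3 stick presents)",
    0x40: "RAM disk",
    0x80: "reserved",
}

XP_DEFAULT = 0x91      # historical default: blocks only unknown, network, reserved
REMOVABLE_ONLY = 0x95  # a common "fix" that blocks USB disks but not the U3 CD-ROM
DISABLE_ALL = 0xFF     # the value you actually want on a security laptop

def autorun_still_enabled(mask: int) -> List[str]:
    """Drive types this mask leaves AutoRun enabled for."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def u3_safe(mask: int) -> bool:
    """A U3 stick shows up as both a removable disk and a CD-ROM, so both
    bits must be set before it is safe to plug a stranger's stick in."""
    return bool(mask & 0x04) and bool(mask & 0x20)

# The policy value lives under this subkey in HKLM (machine policy) and
# HKCU (per-user policy); check both.
POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def read_live_masks() -> Dict[str, int]:
    """Return {'HKLM': mask, 'HKCU': mask} for hives that set the policy.
    Returns {} on non-Windows hosts, where the winreg module does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    found: Dict[str, int] = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for label, hive in hives:
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                found[label] = int(value)
        except OSError:   # key or value absent in this hive
            continue
    return found

def audit(masks: Dict[str, int]) -> List[str]:
    """Human-readable findings for the masks read (or supplied directly)."""
    if not masks:
        return ["NoDriveTypeAutoRun not set in any hive: Windows defaults apply"]
    lines = []
    for label, mask in masks.items():
        still = autorun_still_enabled(mask)
        verdict = "OK" if u3_safe(mask) else "NOT safe against U3/USB AutoRun"
        lines.append(f"{label}: 0x{mask:02X} {verdict}; still enabled for: "
                     + (", ".join(still) or "nothing"))
    return lines

if __name__ == "__main__":
    for line in audit(read_live_masks() or {"example (XP default)": XP_DEFAULT}):
        print(line)
```

The interesting case is 0x95, which plenty of hardening guides of the day recommended: it blocks removable disks but leaves the CD-ROM bit clear, so a U3 stick still gets its launcher run. 0xFF closes that gap.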

Another problem is that many IT departments are understaffed and they are always working in crisis mode. Even if they want to implement best practices in regards to security they don't have the man-hours to do so. It's patch things together and then plan on coming back to fix it later. Unfortunately, too often later never comes. Then, if the department isn't understaffed, they have the problem of lack of communication. One department is working on an initiative and another department is working on their project and they never meet to discuss how they may affect one another. Then you have two projects that work against each other instead of together. Any security measures that one may have could be voided by the other.

I could keep going on and on with this but I think you get the point. Security doesn't come naturally for end users or most IT guys. It's something that has to be fought for. That's our job.

Info Security goes beyond the data

I've written before about how you need to be careful about what you say when you are in public places. You may be overheard talking about company secrets or just "gossip" that doesn't need to be out in the open. The same is true for using your laptop in public. People are curious and often will look to see what you are doing. I was riding home on the bus last week when I noticed the guy in front of me typing an email that contained info that I'm sure he didn't want the world to know. Yet there it was for all to see on his laptop.

We also have to be careful not to disclose too much information when talking to reporters. Just ask Terrell Karlsten. She is a spokesperson for Yahoo and she gave out a little too much information in an interview with InformationWeek. A hacker named Danny read the article and promptly used the information to find the flaw and write an exploit for it. Now before you come down too hard on Ms. Karlsten you need to consider what she had been told. Was she properly briefed on what to say and what not to say? Was there even a reason for her to know enough to be dangerous? Maybe she just needed to know that there was a vulnerability that involved a buffer overflow. Maybe she just needed to know that there was a vulnerability. Did she have any real idea as to what the implications of her statement were? I doubt it. Thus, another reason for a good security awareness program.

Good security covers all areas not just the data whether it be at rest, in transit or in use. It looks at the whole infrastructure and the company culture. It finds ways to work with everyone for the good of the company.

At least Yahoo was quick with a fix so hopefully the damage was contained. Makes me glad that I use Pidgin instead of Yahoo Messenger. :)

More Security Wisdom from The Art of War

"When your strategy is deep and far-reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is little, so you lose before you do battle."
This sums up the role of the Security Professional. You have to keep your eye on the big picture and not let the little things distract you. You can't let apathy set in.

Friday, June 08, 2007

P-CSO Bootcamp Revamp

As you know I spent Wednesday with Mike Rothman and the other brave adventurers on the Maiden Voyage of the Pragmatic CSO Boot camp. As I said it was a day well spent. Especially considering the fact that I just moved into a new position where I am in charge of security for all practical purposes. I'm not the CSO but it's up to me to ensure that we are secure. If I fail it's my head. Since I'm new here I have the opportunity to implement the steps in the P-CSO methodology from the very beginning so the timing was right.

We started at 9 and went until around 4. It was a small group (I think 10 is the most that Mike wants at one time) which was good. It allowed us all to share and learn from one another as we went over each of the 12 steps. The background of the guys that attended was varied but we all had the common understanding of security principles. We talked about what worked and what didn't work. Told stories about being hacked and cleaning up after the hack.

Mike took us through each step and allowed us to interact and ask questions. He didn't push us or force us to hurry on to the next section. The material was what is in the book and then some. He has some "freebies" that he gave us that add value. He was able to expand on some topics based on his own experiences and on feedback that he has received from others.

Now I'm gonna dust off my copy of the book and take it, the materials and new knowledge I gained from the boot camp and prepare to kick butt in my new job.

If you get the chance plan on attending the next time he offers this. It's well worth it for CSO's, Security Managers and techies. Something for everyone.

Where is your malware?

The F-Secure Blog has a good post on where to look for malware launch points on Windows boxes. They looked at thousands of samples of malware to see where they were hiding themselves in the registry to ensure that they were launched when the machine is rebooted. They have a nice graph and a list of the top 10 registry keys to look in to see if you are unknowingly infected.
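As an added example (mine, not F-Secure's code and not their top-10 list), here is the kind of check their post suggests, done offline against a registry export: parse the text of a .reg file, pull every string value under a set of well-known autostart keys (Run, RunOnce, Winlogon, ShellExecuteHooks; my own selection of commonly abused launch points), and flag the ones that look wrong. The export below is constructed for the example, and the heuristics (Winlogon Shell/Userinit that run anything beyond the defaults, Run entries launched from user-writable paths) are mine.

```python
# Added example (not F-Secure's code or their top-10 list): scan a Windows
# registry export (.reg text) for values under well-known autostart keys
# (ASEPs) and flag the ones that look like malware launch points. The key
# list is my own selection of commonly abused locations.
import re
from typing import Dict, List, Tuple

ASEP_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
}
_ASEP_LOWER = {k.lower() for k in ASEP_KEYS}

# Constructed export: one legitimate Run entry, one dropper in a public
# folder, a hijacked Winlogon Shell, and an unrelated key to be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"svhost"="C:\\Users\\Public\\svhost.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svhost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Vendor\Unrelated]
"Setting"="1"
"""

_ENTRY = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="string" subset of a .reg file.
    dword:/hex: values are skipped because they cannot be launch commands."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        rest = m.group(2)
        if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
            keys[current][name] = _unescape(rest[1:-1])
    return keys

def find_launch_points(text: str) -> List[Tuple[str, str, str]]:
    """Every string value that sits under one of the known ASEP keys."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in _ASEP_LOWER:
            hits.extend((key, name, value) for name, value in values.items())
    return hits

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

def flag_suspicious(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """My heuristics: Winlogon Shell/Userinit that run anything beyond
    explorer.exe / userinit.exe, and entries launched from paths an
    ordinary user can write to."""
    flagged = []
    for key, name, value in entries:
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith("\\winlogon"):
            if n == "shell" and v.strip() != "explorer.exe":
                flagged.append((key, name, value, "Winlogon Shell runs more than explorer.exe"))
            elif n == "userinit":
                parts = [p.strip() for p in v.split(",") if p.strip()]
                if any(not p.endswith("userinit.exe") for p in parts):
                    flagged.append((key, name, value, "extra Userinit program"))
        elif any(marker in v for marker in USER_WRITABLE):
            flagged.append((key, name, value, "launches from a user-writable path"))
    return flagged

if __name__ == "__main__":
    for key, name, value, why in flag_suspicious(find_launch_points(SAMPLE_REG)):
        print(f"{why}: [{key}] {name} = {value}")
```

Export the relevant hives from a suspect machine with reg export (or from an offline hive with your forensic tool of choice) and run the scan on the clean copy; the list of keys is deliberately a variable so you can extend it with whatever the F-Secure post ranks highest.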

Thursday, June 07, 2007

Something to Talk About

I just read an article in Fast Company Magazine that made me think. The article had nothing to do with Information Security, IT or computers. It had to do with marketing (which I dislike immensely). Yet marketing can make all the difference in a security program. (See my post about Selling Security). How we package and market our program can make or break whether or not we get the funding and approval to do what we have deemed as necessary to protect our environment. Do our policy recommendations get accepted? Do we get to implement this technology or this program that will improve our security posture? How we market and sell it may make all the difference.

In the FC article they talked about making your product "stick". What is it that you do that makes your product stand out from the crowd? What makes people talk about your often sub-par product? (I'm not suggesting that we try to sell sub-par security.) We have to think about our image to build and maintain credibility within the organization. We have to ensure that the security group is viewed positively by management as well as by the end user. We have to adopt a positive posture of security and do all we can to eliminate the negative attitudes that WE have created over time. Our attitude towards end users, management, the company culture and our jobs has to be positive if we are to develop a positive security mindset within the company.

Yesterday I attended the maiden voyage of Mike Rothman's Pragmatic CSO Bootcamp. It was a day well spent. We talked about this very thing on and off through out the day. It seems that most every step in his 12 Step Security Master program came back to this in some form or fashion. In security it is all about image and credibility. If we are viewed as the group that wants to make it hard for the users to do their job or as the guys who don't want us to have any “fun” then we are developing a negative image. That image will spread throughout the entire organization if we are not careful and it may well come back to haunt us when it comes time to secure funding for projects.

At my previous job the marketing group branded the IT department as the “Red Tape” department (now you know why I don't like marketing). That came from the fact that every time they wanted to do something we put the brakes on them. Often we did it in ways that didn't help our image. They would say that they wanted to do such and such and we said NO!!!! and then walked off. They would ask to implement this technology and we would make them jump through hoops to justify it. Sometimes just because we could. Pretty sad, huh? I have to admit that I participated in that. Sometimes out of a spirit of being ornery and in a position of “control”, sometimes out of a spirit of joking around (I'd come back later and tell them it was approved just to irritate them) and sometimes because it was just a bad idea that affected security. After they branded us the “Red Tape” department it made me stop and think about our image in the company. I didn't like being the bad guy. If it is necessary to be the bad guy to remain secure that is one thing, but to be the bad guy because of an attitude is something else. So I decided to change that attitude. Not because I wanted to be liked but because I knew that a negative attitude affected the whole program and the company.

So what do you do to make your IS program "stick"? What do you do to make it stand out and be seen as a way to enable secure business practices? What things are going on that encourage a negative or positive attitude within your group, department and company? How can you make changes to improve the image of security within your company? It doesn't matter whether you are the CSO or you are the new guy who is stuck with the most boring security job in the company (log review): you can start by changing your attitude and how you react or respond to things that happen. It may not be easy or fun (after all, making fun of dumb things that users do can be very funny at times) but it WILL make a difference over time.

Tuesday, June 05, 2007

Singing the PCI Blues

Back in December I posted about being happy that I had finally been able to get an answer to my question as to whether or not my then current employer was subject to PCI/DSS. The answer was that they were not and I was happy.

Now that I'm in my new job PCI is a part of my daily life. I'm now having to refresh my memory on PCI (I boned up a little in the past just in case) and am having to start the process of checking out what we are doing and what we still need to do. I like it though. It's new ground in some ways.

This position is much different than my past jobs in that I'm doing less hands-on with the network devices and more security support work. Things such as working on updating policies, reviewing configs and change requests, reviewing results of a 3rd party Pen Test and working to ensure the issues are corrected. After I get myself firmly planted here and get many of these projects either well under way or completed I am supposed to take over some hands-on jobs. I'll have to see how that works out. There is lots to do here and I'd like to see this continue in a position where I focus on moving us in a more secure direction and let others do the hands-on under my guidance. But then again, the "geek" in me doesn't want to get too far removed from the 1's and 0's.

A new threat to security

I ran across this story today and it sends chills up my spine. A new wave of attack technology. DARPA is implanting chips in moths that will allow them to be controlled remotely and possibly infiltrate enemy camps and beam back A/V signals.

What are the security implications of this for us? Are we now also going to have to be exterminators? I know this sounds ridiculous, but if this gets into the wrong hands it could prove to be a real problem. Imagine a moth watching you enter your password or sending video of your security configs to a hacker. What about listening in to conversations about security plans or board meetings?

This gives a whole new meaning to "shoulder surfing". I gotta go get a can of bug spray. :)

Monday, June 04, 2007

Get Your Malware!!

I was browsing today when I ran across this post. Do people actually do this? Why not just invite a hacker to dinner and let him use your computer for a few hours while you are in the other room watching TV?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.