Security's Everyman

Friday, August 31, 2007

Information Security Poll

My latest information security poll was a hit with y'all. It received more votes than the other 3 combined. I was very pleased to see the response. I have to admit that I did solicit a couple of votes towards the end of the poll. I was in a chat room with some of the other members of the Security Catalyst Community and since I was just a couple of votes shy of 100 I asked any of them who hadn't already voted (and shame on my friends for not being the first) :) to go ahead and vote to push me over the 100 vote mark.

I have to admit that I am quite surprised at the results. I honestly expected about 95 to 98 percent of the votes to go to the last 2 options (Slightly or None). While they did receive the majority of the votes it was only about 73% of the total vote. The second option (Mostly) received about 26% of the vote and the first option (Completely) received 1% of the votes. My first glance says that some of you were not being completely honest (yes I'm talking to you who voted for option 1). But then Cutaway pointed out to me that there were a couple of different ways to interpret the question and the response could vary depending on your interpretation. As I looked back at the question I see how that could be so I take back what I said of you who voted for option 1. :) Then there is the possibility that those of you who voted for option 1 were talking about yourself. Maybe you are your user.

If the results of this poll really do show that a full 26% of you trust your users to act securely and there was no misunderstanding of the question then that is quite encouraging. It tells me that y'all are doing a good job in getting the message of security out to your users and that they are listening. I would love to talk with some of you about what it is you are doing that is working so well for you. Please drop me a note either in the comments or via email.

As usual I don't have a question for the next poll yet, but I'll have something in a day or two. Monday is a holiday here in the US so it may be Tuesday before I have something up. I'm hoping to spend most of the weekend enjoying spending time with my Wife and daughters and not blogging or coming up with another poll. Yet, you never know. I am up earlier than them most of the time and that's when I try to catch up on reading and blogging.

Thursday, August 30, 2007

Where Does the Buck Stop

Dr. Anton asks the question "Where do you draw the line: Security Responsibility?" Well this time the answer isn't "It depends". The way I read the question after reading his post is, Where does the buck stop? The buck stops here. It stops with us. It is our job to secure the environment and part of that job is to ensure that the users know how to practice security.

It would be ridiculous for IT or Security to have 100% responsibility. If we did then things would be locked down so tight that the users couldn't get anything done. If we gave them all of the responsibility then we might as well pack up and go home. That is unless you want to spend your days playing PC clean up or pushing out new Images every few days.

We shoulder most of the burden. It's our responsibility to make sure that the systems are hardened and that the controls are in place and that the policies (both written and system) are effective and to get as much information to the users as possible so that they can do their job (and even their play time) securely. If you have done all you can with what you are given and a system gets owned then it's not your fault (your boss may think otherwise, just tell them to talk to me). If you haven't done all you can and you get owned then it doesn't matter what the user did you are responsible. Users are like little children. We can't send them out into the big bad world without preparing them and expect them to escape unscathed.

So how does Dr. Anton's equation really look? Probably something like Security=85%, IT=10% and Users=5%. We build the security program, create the policies, train the users (and IT), set the rules. IT follows the policies and procedures that come from us. They build the systems according to spec and ensure that the infrastructure works as it should. Then the users do their part and play it smart and safe. Then we are all happy, safe and secure. That is a recipe for information security à la mode.

Staying Fresh

Rebecca Herold has a good post on her blog about keeping your security, privacy, or compliance program fresh. She makes a good analogy between how your program can slowly become ineffective over time due to lack of attention and how running shoes can slowly become less effective over time. I can't relate to that because I bought my new running shoes in April and they haven't had as many miles put on them as hers gets in one day. Try as I may I just can't get into a running frame of mind.

I've seen first hand how programs start strong and slowly erode or die over time. They don't get the TLC that they need to stay alive. They are put in place to satisfy an audit or a new boss and then they end up in a closet or on a shelf only to be given a passing glance from time to time.

I recently did a review and update of security policies for a company. What they had was between 4 and 8 years old. They had been created (mostly just changed the company name on a template) and filed away. As I looked over them I started asking questions about them. Is this really what is done? Where is the ??? to back this policy up? Where are the ??? that this policy states is happening? Blank Stares and hidden smiles met me. They weren't being followed. They were just there to satisfy a whim.

These documents and programs are living. They are meant to be reviewed regularly, followed consistently and changed as needed. They are not static documents that are just to satisfy an audit. When I create a policy program or a security plan I make sure to write it in such a way that those who are entrusted with it know that it is a living document. I include regular review schedules and then I encourage those who are entrusted with them to go ahead and put reminders in their calendars to review them. I can't make them do it unless they report directly to me, but I can try to make it easy for them to do.

Another area that gets ignored is log review. Most people hate to review logs. Especially if they don't have a SIM, SEM or some other method for automating it. I've done it before. I've had to sift through thousands of entries to try and find the "bad" stuff. It's no fun. Unfortunately it has to be done and you need to be able to prove that you are doing it. If your policy says that you are doing it then the auditors are going to want to see proof. How many times have you or someone you know spent a day or two prior to an audit "falsifying" log reports? Going through and checking off that they were checked when they haven't been looked at in days, weeks or months.

It's important to remember that these things are crucial to the success of your information security program. If you let them get sick or die then your program will do the same. Security Professionals need to follow the policies and those in management need to ensure that they are being followed. Those who are tasked with keeping the policies or program alive need to be proactive in doing so. Don't wait until the last minute and try emergency CPR. If you will schedule a little time weekly or monthly to check on them then they will stay healthy and your program will be more successful.

Tuesday, August 28, 2007

Is Telecommuting safe?

An article on DarkReading tells us that Federal Information Security Chiefs don't think that teleworking is a security risk. Sounds like a good poll for next week to me.

When I first saw the headline "Federal Security Officers Say Telecommuting Is Safe" my initial thought was "these are the same guys who regularly get D's and F's on their security reviews and they are telling us what is safe and what isn't safe!" Not sure I really want to listen to them on this. I'm not saying that telecommuting is or isn't safe. A comment such as that can't be made carte blanche. The answer to this is again "It depends". It can be safe provided that the right controls are in place.

If you give a user a laptop with admin privileges, a T-Mobile Hot Spot account and tell him to go work where he wants then I'd have to question the security of your telecommuting program. If done correctly I believe that a user can work remotely from most places and still remain secure.

Here is my list of what needs to happen to make telecommuting as safe as possible. This is assuming the use of a company provided laptop. If we get into using personal systems then things get a little more complicated.

  • User has user level access only.
  • Laptop runs AV, HIPS, Personal Firewall that can't be disabled by the user.
  • When connected to company network a security posture of the laptop is done via NAC. This is true whether it's via VPN connection or direct (wired or wireless) connection on site.
  • USB ports and CD/DVD copying are disabled.
  • Autorun is turned off for CD/DVD drives.
  • Wireless radios are disabled when connected to wired network.
  • Bluetooth is disabled.
  • Use a 3G, EVDO or similar card for access when not on a company approved secure wireless network.
  • Train the user on how to be secure and reinforce this on a regular basis.
  • Ensure that you have the proper security policies in place to CYA when the user manages to do something that you can't protect against.

I know that there are more things that can be done. Some of you will think that this is too much and some will think that it's too little. But remember, there has to be a trade-off between security and usability. If you go too tight then the user will be unproductive, calls to the help desk will be frequent and the user will try to find ways around your controls.

Friday, August 24, 2007

New Security Poll

I meant to tell you about this in my last post but I got so irritated and on a rant roll that I completely forgot.

My Information Security Poll for this week will deal with How much do we trust our users to act securely. Here is the question and the answer choices. Go to my home page to take the poll.

How much can you trust your users to act securely?
A. Completely
B. Mostly
C. Slightly
D. Not at All

Users don't care about security threats

It seems that most mobile workers think that security should be completely left up to the IT department and that they should be able to do whatever they want. This article from Information Week gives the details.

I saw this earlier in the week but was too busy to really look at it or think about it. It was brought to my attention today as I was looking at this week's SANS News Bites newsletter. For those of you who aren't familiar with this newsletter typically it has stories about this week's news and the editors will comment on it. It was one of those comments that got my attention today. After reading the story about how mobile workers think that security is IT's job and that they do things that they know they shouldn't without a care the editors started in. They talked about things like how sad this attitude is and how UA training has failed and how people are just stupid enough (my words not theirs) to believe that they really won the UK lottery or some other something. Then Johannes Ullrich, who is Chief Technology Officer of the Internet Storm Center, made a stupid comment. He said:

Why shouldn't users expect IT to take care of security? I think we (IT / Security professionals) expect too much if we expect office workers to worry about security. Perhaps we can ask them not to leave their laptop unattended. But beyond that, it's our job!

Before I start ranting..... He is correct that security is OUR job. That's what we get paid for. But unless companies are going to hire a Security Professional for every worker, to stand behind them and look over their shoulder and physically stop them from opening emails, clicking on links, going to porn sites, installing unauthorized software, etc... then we have to put some measure of responsibility in their hands. Information Security technology can only go so far and do so much. Users have to be responsible for their actions. They have to use common sense and follow company policy. They have to learn to be careful with their actions. It's not their laptop. It's not their data. It's not their company to take such risk with. They need to realize that their compromised machines don't only affect them. The data they lose affects the company, the customers, the investors, the partners. The malware that they install on their machine causes the rest of us to be at risk because of their actions. They should be charged with SWS (Surfing While Stupid) and be taken off the information superhighway. They should, in some cases, be fired or put on probation. Mr Ullrich, and those who promote reckless computer use should be charged as an accessory prior to the fact and given similar sanctions.

When technology gets to the point where everyone surfs in their own little virtual world and they can't hurt others by their stupidity then I will quit promoting quality UA training and will happily let users do what they want. Until then I will continue to promote and practice good security. I will work to make sure the technological controls are in place and the users are trained properly. I will also rant when people make ridiculous comments like this.

SSN Poll Results

The polls just closed on the SSN question. Overwhelmingly most people said NO! There is no valid reason for a company to keep your SSN on file. I am a little baffled because there were a couple of you who voted Yes. WHY? I'm having a hard time understanding that. Now I realize that I don't know all the ins and outs of how and why every industry does things the way they do, but I would love to know why you voted yes. Please leave a comment and tell me why.

I was also pleased to see that the total number of votes increased drastically. I don't know if that means that more people liked this question or if it means that more of you are finding the site or more of you decided to participate. Either way I'm happy.

I'll have another poll up soon.

Incident Response belongs to everyone

Harlan asks "who decides what best practices are" in regards to Incident Response. Harlan is a forensics guy and has written an excellent book (I've only read 1 chapter but many others have told me how good it is) on Windows Forensics Analysis. Obviously forensics plays a part in many Incident Response scenarios. His answer to the question of who decided best practices is "It depends". And I agree.

Dr. Anton asked how PCI can be both complex and basic security. He asked that based on the fact that my PCI poll (as scientific as it was) said that 40% of you said that PCI is complex and 40% said that it was basic security. My take on that was "It depends".

On the Security Catalysts forums someone asked if NAC had any real value due to the fact that there are ways around it. My response again was "It depends".

Security depends on your company, your environment, your level of risk and risk acceptance. It depends on the level of competency of your IT and security staff. The level of competency of your end user employees. What partners, contractors, visitors, etc. that are allowed to connect to your network. What controls you are willing and able to put in place. What policies you have and enforce. What level of buy-in you have from management. What does your IT environment look like? Is it new, old or a mix? Is it small, medium or large? Is it complex or simple? Do you have lots of different apps or only the core ones required to do business? How big is your Internet facing presence?

This list could go on and on and on and on. There are too many variables to give a concrete answer to these and other similar questions. So the real answer is that it doesn't matter what your idea of the answer is. Your job, as an Information Security Professional, is to do the best you can with what you have and plan for the worst. That is where the concept that IR belongs to everyone comes in.

Many companies have IR teams that jump into action at a moment's notice. But what happens between the time an incident is discovered and the team is able to take action can make all the difference in the outcome of the team's work. The rest of the company, from end user to IT/IS, needs to know what to do in the event of an incident. If they don't then they will invariably do something wrong that will hinder the investigation and fixing of the issue.

I've written too much so I don't have time to go into details here but suffice it to say that IR goes way beyond the team. It has to be dealt with at ALL levels if success in dealing with an incident is your goal.

Thursday, August 23, 2007

Light on Posting

I've been light on posting lately because I've been heavy on busyness. Between work and family life it's been quite hectic. I've got LOTS of projects going on at work plus we just finished our yearly IT Audit last week and that has spawned a few more.

One of the tasks that I've been given here is basically creating an information security program from scratch. It's a great challenge and opportunity but it's also a great time consumer. Luckily I've got some good friends who have given me some insight on what direction to take. I'm currently re-reading The Pragmatic CSO because it is basically about building a security program from scratch. I'm also working on a User Awareness Program, several new technical controls are being rolled out for which I have primary leadership responsibility. Luckily I won't have to do all the work on them. I have a VERY talented team of engineers to assist me with that.

I'm also still learning the environment here. There are lots of things going on in the network that are not documented. It's a weekly thing to discover new ones. Talk about a Security Professional's (dream, nightmare, challenge). You pick your favorite answer. :)

I also had a good scare and laugh yesterday. We have a partner that has a connection to our network and they have a DFS share that we access. They have been having problems getting people to connect to it lately. They have tried several things and finally found the answer. Their firewall was blocking some of our subnets. So they fixed the problem and then their server admin got the idea that it would make life much easier on us if we didn't have to "reauthenticate" to access the share. So he decided that since he had several new users to set up access for he would just have them give him their domain username and password. Of course we had a couple of users who did do this before I found out about it. Needless to say I made a phone call to him IMMEDIATELY. As I politely explained to him why this was not an acceptable solution to the problem he said that he understood and was only trying to make it easier for us. Then he said that he too was very security conscious and understood my position on this. OK, if you are so security conscious and really do understand then WHY did you do this in the first place? This just reinforces my stance that much of our User awareness training needs to focus on the average IT staff person.

Well, I've spent enough time here for now. Got to run and get back on these projects. I'll try to post a little more regularly from now on.

Saturday, August 18, 2007

More on User Awareness Training

User Awareness is one of my favorite topics (like I had to tell you that). There are a couple of different camps when it comes to this. Those who think it is a vital part of an Information Security program and those who think it is a waste of time. I fall in the first category (again, like I had to tell you that).

In my opinion the problem with UA is that many programs are close to useless. They cover the topics but they do a poor job. Even if the information is correct the delivery is bad. Poorly written, delivered, boring, etc... This is the challenge in creating an effective UA program for your company. I have been a participant in a few UA classes in the past. They all have lived up to their reputation of being a waste of time. Now I'm in the process of designing a UA program for my company. I'm excited to have the opportunity. Now I will be able to put into practice some of the things that I truly believe will make UA effective. I'm going to work with some good friends who have been doing UA for a while and have created successful programs. Depending on budget and such I will possibly enlist them to provide content and counsel or possibly just allowing me to bounce ideas off of them. Then of course I have the resource of the Security Catalysts Community to draw from. Between their participation in programs and creating or having input into them I will have a rich pool of information and creativity to draw from.

Why do I bring this up now? Well, my thoughts turned back to here when I saw these two posts from Tom Olzak on the ITT Blog (here & here). The first one talks about how the bad guys are starting to turn their focus from firewalls, servers, etc to end users. Why? Because of a couple of reasons. There are lots of new attack vectors that work well and are easy to do. They attack the browser or other popular applications that are used frequently on the Internet. Java, Quicktime, Windows Media Player, JVM, JRE, Adobe Acrobat, Silverlight..... This is just a small sample. Many of these attacks require nothing more than the user visiting a web site that has a malicious ad on it. This article from Brian Krebs at Security Fix has a good example of this.

The second post by Tom talks about how we need to start teaching Security Awareness in high school. Start the education before the users get into the workforce. I like that idea. Not only will it help when they do enter the workforce but maybe it will help at home. Maybe what they learn they will then teach to their parents. Hopefully by doing this we can spread the word outside the work place and get it into the homes where it needs to be.

I'm not sure if all of you are aware of how easy things are for the bad guys now. Hopefully you are, but if not I'd like to point you to a couple of good posts that Jeremiah Grossman pointed us to a few days back. They are here and here. Check them out to learn more about some of what is going on or at least what is possible.

Also if you want to learn more about putting together a good Security User Awareness Program you can talk to Michael Santarcangello, Rebecca Herold, or The guys at All of them can help you with your program.

Friday, August 17, 2007

Sun Tzu got this one wrong. :(

I finally ran across an Art Of War quote from my handy calendar that definitely does not apply to information security. Even if vendors try to convince you otherwise.

If you carry on alliances with strong countries, your enemies won't dare to plot against you.

Alliances with strong countries (i.e. security vendors) will NOT protect you from the attempts of the bad guys to get into your network, application or systems. I would even venture to say that for some of the black hats they consider it a challenge and the stronger the defense the harder they work to penetrate it. Especially if they think that there is something worthwhile waiting on the other side.

Sun, I'm sorry to say that you have let me down on this one. I can see Amrit smiling now. :)

New Information Security Poll

Yesterday I asked a few guys on the TCC SILC channel for ideas for a new poll. The first suggestion had to do with keeping SSN's. I thought it was ironic because there was a thread on a PCI mail list asking that very question. The guy on the TCC channel that suggested the SSN question was completely unaware of the PCI mail thread. Then when I got home I had a letter in the mail telling me that a company that has access to my PII had had it compromised. It was sold by an employee to a marketing broker. Who knows what happened to it after that. Part of the information that they had was my SSN. How lovely. Then on top of that I remembered a friend who works in a university environment that has had a couple of SSN incidents lately. So all of that combined made me think that a Poll on the validity of companies keeping SSN's was in order. So here is the question and you can rush to my web site to take the poll.

Is there a valid reason for companies (other than employers) to ask for and keep SSN's?

This is a hot topic in the world of Information Security. Many think that there is no valid reason for any company to ask for them and definitely not to keep them. Then there are those who think that there is a valid business reason. Others argue that it depends on the industry. In my opinion SSN's and ANY PII (personally identifiable information) should only be used when absolutely necessary and storage of them should be kept to an absolute minimum and guarded like it was financial information. Customers are the life blood of any business and need to be treated as such.

Thursday, August 16, 2007

What's wrong with this statement?

I saw this article on Network World today regarding VOIP (in)security. This statement caught my eye. See if you have the same thought that I did.

Much of the notoriety of VoIP vulnerabilities come because the technology is relatively new and its code wasn’t necessarily written with security in mind — a problem that plagues many new technologies.

What do you see wrong with this statement? Shouldn't newer technologies be written with security in mind? I can see where ethernet and IP and such didn't take security into consideration when they were created. Security wasn't hardly even on the radar then. Now it's everywhere! There is no excuse for any technology that has come about in the last 10 years to not have security as a primary design consideration. I know that even 10 years ago security wasn't big but anyone who had any foresight would have seen what was coming.

I haven't ranted in a while about how software companies have to put more work into shipping secure products. This mindset of sacrificing security for "speed to market" has got to go.

PCI Poll results

My newest information security poll on the PCI/DSS ended yesterday and it looks like we almost have a tie. Out of the thousands of votes (OK, maybe not quite thousands but at least 10) the results were 55% said PCI was basically common security 101 and 45% said that it was complex and costly. There were 5 possible answers:

  1. Too Complex 40%
  2. Easy to Understand 30%
  3. Too costly for most 20%
  4. Too time consuming 0%
  5. Basic Security 101 40%

Now I know that the numbers don't add up but voters were allowed to select multiple answers and the percentage is based on the total number of voters.

So I guess it goes back to my original thought that the level of difficulty that PCI compliance involves depends on the shape of the network you are working with. Large or small if it is a poorly designed network you are going to have a struggle. If it is a securely designed network then your job will be much easier. The issue isn't understanding what is required it's putting the requirements into practice.

I'll have another poll soon. This week has been all audit all the time so I've not had a chance to think of another question and nothing in the RSS feed has jumped out at me. If any of you have any suggestions let me know. And let's get more involved with the process. Poll response has been less than stellar. Consider it practice for the November election. :)

Tuesday, August 14, 2007

Shunned by the WSJ

After my letter to the author of the WSJ article "Ten Things Your IT Department Won't Tell You" I was contacted by the author. She thanked me for my comments and told me that she would do a follow up article and asked for my input. The topic was to be something along the line of what the IT department wants users to know. I decided that since I was quick to criticize I would also give my input on how to be a better user.

After thinking about it I decided that my advice was to basically ignore the advice given in the original article. I was a little more tactful than that but that was the essence of it. I pontificated on the virtues of NOT trying to skirt company policy and why it was a bad idea for security reasons and such. Well today she published her new article and lo and behold my advice was NOT included. Why? Is it because she had better advice from others? Possible. Is it because it didn't fit with the nature of the article? Possibly. Is it because I told everyone to ignore her first article? Hmmmm.

Of course I probably will never really know why and it's very possible that it has nothing to do with that, but I will always wonder.

Saturday, August 11, 2007

Great Awareness Video

Roger over at the Infosecblog links to a great video on the importance of "thinking" before posting something on the internet. Once it's there it's there. This is true for what you say, what pictures and videos you post and comments you make. Remember, what happens on the internet stays on the internet. And one day your parents, spouse, child, boss or potential boss may find it. That may not be a good thing.

Thursday, August 09, 2007

Egg on your FaceTime

Even security companies make mistakes. It's just a little more embarrassing for them than the rest of the world.

ComputerWorld reports that FaceTime Communications applied some patches to their web server that reset defaults on some folders. This allowed the contact information for people who had downloaded whitepapers to be exposed on the net. I don't really blame FaceTime for this. It was an innocent mistake that anyone could make. What we need to do is learn from their mistake.

As I've mentioned before we are in the middle of rolling out a new Change Management system and our users HATE it. They like the old way of little or no accountability and having the freedom to do things their way. I don't know if FaceTime has a Change Control procedure in place or not but either way they do need to revise their test scripts. They need to expand what they test and also go back and check to ensure that unexpected changes don't happen. You can never be too careful when applying changes, especially to public facing systems.
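
One way to "go back and check" after a change, as an added example that is not from the original post or from FaceTime: snapshot the permissions of every folder and file under a web root before the patch, snapshot again afterwards, and flag anything that changed. It assumes POSIX permission bits stand in for whatever folder settings the web server uses; the directory names and the sample tree are constructed for the demo.

```python
import os
import stat
import tempfile

# Permission bits that let "everyone else" read, write or traverse a path.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def snapshot(root):
    """Return {relative path: permission bits} for every dir and file under root."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself, so folders are recorded too.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            rel = os.path.relpath(path, root)
            snap[rel] = stat.S_IMODE(os.lstat(path).st_mode)
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and describe every path that was added, removed or re-moded."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old == new:
            continue
        if old is None:
            kind = "added"
        elif new is None:
            kind = "removed"
        else:
            kind = "mode-changed"
        # World-access bits present now that were not present before the change.
        gained = (new or 0) & ~(old or 0) & WORLD_BITS
        findings.append({
            "path": rel,
            "kind": kind,
            "old": old,
            "new": new,
            "newly_world_accessible": bool(gained),
        })
    return findings


def demo():
    """Constructed scenario: a patch resets a locked-down folder to a permissive default."""
    with tempfile.TemporaryDirectory() as root:
        leads = os.path.join(root, "downloads", "leads")   # hypothetical folder name
        os.makedirs(leads)
        contacts = os.path.join(leads, "contacts.csv")     # constructed sample file
        with open(contacts, "w") as fh:
            fh.write("name,email\nconstructed,sample@example.invalid\n")
        os.chmod(contacts, 0o600)
        os.chmod(leads, 0o700)                             # hardened state

        before = snapshot(root)                            # taken before the change window
        os.chmod(leads, 0o755)                             # simulated side effect of the patch
        after = snapshot(root)                             # taken as a post-change test step

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for f in demo():
        flag = "EXPOSED" if f["newly_world_accessible"] else "changed"
        old = "-" if f["old"] is None else oct(f["old"])
        new = "-" if f["new"] is None else oct(f["new"])
        print(f"[{flag}] {f['path']}: {f['kind']} {old} -> {new}")
```

Storing the "before" snapshot with the change ticket gives the change control process something concrete to sign off against.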

1 year and 275 posts

One year ago today I started my blog. I did it as a way to say some things that I wanted to say. At that time I didn't have much interaction with IT and Information Security Professionals on a day to day basis. I was the lone IT guy at my company and was tired of talking to myself so I started blogging. I have to give credit to a couple of those who gave me some inspiration. I read their blogs and thought "hey, I can do this too". Martin McKeay, Michael Farnum, and Michael Santarcangello. These were guys a lot like me that were blogging and telling stories from the trenches and giving good sound advice. Now I count each of them as a friend that I can turn to with security, technology and life advice. I've only met Santa face to face but in today's world of the internet it doesn't even matter anymore.

Since then I've made lots of other friends because of my blogging. I'm involved in the Security Catalysts Community as a Trusted Catalyst and this has allowed me to interact with some of the brightest guys in Security. I've also gotten to know several people who are well known and well regarded in the blogosphere and in Security in General.

I hope that all of you have found something of value in my rantings, questions, concerns, and comments. I guess you have or you wouldn't keep reading. I've heard from lots of you and it amazes me that people from all over the world actually read what I have to say.

I look forward to this next year and the fun times ahead. :)

Oh yeah, one other thing. I discovered a few days ago that my friend and Art of War and User Awareness nemesis, Amrit Williams, also started blogging one year ago today. I found that rather amusing considering the number of times we have butted heads over these subjects. But I must say Amrit is a great guy and I wish him all the best on his next year of blogging.

Wednesday, August 08, 2007

Viva VM!!

Good news! According to my latest completed poll Virtual Machines are not doomed to failure. The potential problems do not outweigh the benefits and users are still confident that VM technology will provide their needs with adequate security. OK, so I read into the results a little but I'm allowed because it's my blog and my survey. :) Not a single person said that VM was on its way out and only one said that they wanted to "wait and see" on how the research and technology played out. Obviously most think that even though we are starting to see issues with VM technology that we can stay well enough in front of the curve to keep pushing on.

This week's survey is about PCI. I'm still crafting the question and answers to pick from, but it will have something to do with your thoughts on PCI complexity or lack thereof.

PCI and your network

Many of us work for companies that have to comply with various regulations. HIPAA, SOX, GLBA, FISMA, PCI, and on and on. For me in my current position it is PCI. I am familiar with the basics of most of the above mentioned regulations and know enough about them to tell you that many of them are vague (which may or may not be good) and difficult to interpret and understand. PCI is NOT one of those that falls under that category. PCI is pretty clear and does pretty much everything except tell you what brand of equipment to use and what vendor to buy it from.

I read a couple of articles today by Rebecca Herold and Ben Rothke at that got me to thinking a little about my own PCI woes today. Both of these articles assert that PCI is not a complex monster like some would lead you to believe. It is fairly clear and straightforward. Yet lots of people complain about it and talk about how much it costs to comply and how much work is involved and how long it takes. Which is true to some degree. It can be long, costly and time consuming, but it is still just basic information security sense.

Between the stuff that you can find at the PCI Security Standards web site and a little searching (still not using Google unless I have to) you can find just about everything that you need to put together a plan to be compliant in short order. That doesn't mean that there will be some areas that you need clarification and direction on. There will be questions that you have no clue how to answer. But it's not rocket science. I think Ben Rothke nails it on the head when he says.

The issue really is that these merchants have created their networks with little to no thought to security and privacy. They have placed minimal controls on their users, given no direction to their application developers, nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant due to PCI DSS; they are noncompliant because they never developed their security programs in the first place.

These Tier 1 and 2 merchants and many of the smaller merchants have large complex networks that are old and were designed with ease of use and administration in mind and not security focused. They put in the basics to keep the passive snooper out but not the aggressive hacker. They are complaining because they did not do a good job and now they have to go back and clean it up. That is why it is expensive, time consuming and complex. I know this first hand because that is what I'm up against. I'm having to retrofit security into some areas that should have had it in the first place. I'm just lucky that I'm working with a standard that is cut and dry or I'd really have something to complain about.

Monday, August 06, 2007

I'm confused (or one of my readers is)

When I started blogging I decided that I would not be a "fan boi" for a vendor and that I would speak my mind and always try to get my facts straight before I wrote about anything. I also decided that I would post all comments provided they weren't spam or of an obscene and vulgar nature. Well I received a comment today on my "Open Letter to the WSJ" post and I've decided not to post it in the comments section. I'm going to post it here. I'm doing that for 2 reasons. First, whoever wrote the comment decided to submit it anonymously and secondly it makes absolutely no sense whatsoever. I thought maybe some of you could add some insight into what in the world he/she is talking about.

Yes, I'm certain that our having casualties over there is entirely the fault of the Post and the Times outing every operation (or Geraldo on Faux News), and has nothing to do with our military and our government simply not having sufficient planning or men involved to properly control the dismantling of another country.

If the 'secret details' they inform us about happen to be against the law, or violations of our civil rights, then they are doing what they should, making the citizenry aware of inappropriate behavior on the behalf of their government. Are you guys all for such behavior?

That's just like encouraging people to skirt the rules, precisely what you are castigating this reporter for doing. Yet you are applauding the government for doing it?

  • I can vaguely understand the connection between papers posting reports about troop movements and the WSJ posting ways to subvert network security.
  • Apparently the reader assumes that I and most of my information security and blog friends are in favor of the war and think alike regarding it and politics. I can assure you that there are many of my security/blog friends that are on opposite sides of the fence from me in regards to politics, the war, social issues, etc..... (I'm getting this from his comment "Are you guys all for such behavior?")
  • It seems that the reader thinks that I am being double minded in regards to media coverage of political events and such. I applaud them when they say what I want and chide them when they say something that I don't like. I may be wrong but I don't think I have ever written about anything political. I make a very conscious effort to not do so.
If anyone has any insight into this please let me know. If the person who wrote this wants to clarify I sure would appreciate it. At first I thought that maybe he/she meant to post it to some other site, but I don't think so.

I'm also making a modification to my comment rules. I will continue to post all comments, positive or negative, as long as those who have negative comments (especially off the wall ones) will identify themselves. The way I look at it is if you have something negative to say and you don't want to identify yourself then you can find another place to make negative comments.

Saturday, August 04, 2007

We're All #1

I've received 2 comments from others who checked their Technorati ratings after reading my post and they also were number 1. One of them actually just registered his site with Technorati after reading my post and immediately went to number 1. I guess he was an instant best seller. Shortly after I posted the Technorati site went down and when it came back up I had gone back to my usual ranking. Actually I even fell a little into the 38000's. Oh well, glory is short lived.

I'm #1

It's been said that bloggers blog to feed their own ego. I have to admit that it does my ego good as I get to be known by more and more people. Honestly that isn't why I blog but I do keep track of my Technorati ratings and do "vanity" searches from time to time to see who may be linking to me.
Today I checked my Technorati ratings and got a complete shock. I'm sure that there is some sort of an error but it shows me as being #1! I had to do a screen shot of it and save it for posterity. I know it can't really be right because I know roughly how many readers I have and when you click on the "Top 100" button I don't show up. Usually I'm around 37,000 or so and I imagine that I will be back there as soon as they fix whatever is causing this error but it looks good. :)

Lots of good stuff to read

This is my "semi occasional" (yes, that's my own made up word) link post. I've been too busy to write much and today I'm playing catch up. There is so much good stuff out there that I can't do separate posts on them all so I'm just gonna link and make quick comments.
This "State of Information Security" report of sorts from Mark Curphey gives his take on several issues regarding security.
Richard Bejtlich gives us "no hope" in getting ahead of the game when it comes to securing our networks and systems. Unfortunately he may be right, but I'm not ready to give up yet. I also think that even though he is "depressed" Michael Farnum isn't ready either. Of course Richard isn't a total pessimist either. He promises some defensive strategies in the near future that will brighten our outlook.
Rebecca Herold has some good points on Security Awareness Training. This is one of my favorite topics, especially since I'm in the middle of creating a program for my company. I look forward to seeing more details on her upcoming offering.
This is another good post on SA Training.

Now for the awards!
Blog post that I am MOST sick of seeing. I've seen this sooooooooooo many times in my Google blog search listings that I am really ready to delete the search and just rely on other blogs that I read keeping me linked to the new and good stuff out there. I'm also so tired of seeing it that I'm not gonna link to it, I'll just give you the post title. I'm sure all of you have seen it. Welcome, Postini Team.

Best story of the week has to go to the one about Michelle Madigan getting kicked out of DefCon for trying to get video of the event w/o registering as press. It would have been so much easier for her to do her story if she had just stayed on the up and up. Of course that would not have made for very exciting coverage.

Thursday, August 02, 2007

What are the boundaries of security?

I read this from Bruce Schneier and it wasn't the article he referenced that got me to thinking, it was this comment.

The real issue here is that people don't understand that an airport is a complex system and that securing it means more than passenger screening.

This comment holds true for Information Security as well. The issue is that a network is a complex environment that involves many different systems, applications, connections and users. Securing it means more than traffic screening at one level.

I was speaking with someone the other day and she commented that we didn't need to worry about security on her project because nothing was internet facing. That statement might have held some truth in it a few years ago but not today. The average user doesn't realize all of the attack vectors into a system. They think that if you secure the perimeter or stay off of it then you are safe by default. Unfortunately there are still some IT professionals who feel the same way.

At my company we are in the middle of rolling out a change control system. We have had a policy and manual process for years but it was always just a formality. Someone would request to make this change at this time and it was approved. The focus was to keep 4 groups from making major changes at the same time in case something went wrong. Now we are starting to make the requestors justify their request and give full documentation as to who, what, where, when, why and how. Most of the users do not like this. They whine and complain constantly. Luckily we have someone in control of the process that sticks to his guns and holds them accountable.

This is the same mentality that we need in all of IT/IS. We need to ensure that our users understand the where and why of security. That way they will understand that security belongs everywhere in the network and not just at the border.

An Open Letter to the WSJ

This is an email that I sent to the WSJ writer and her editors regarding the article "Ten Things Your IT Department Won't Tell You"

You can also read some more good thoughts on this article here, here, and here.

Ms. Vara,

Isn't it good to live in a country where you have the freedom to be an irresponsible reporter? You don't have to live with the consequences of your own actions here. You can just speak your mind, reveal your little secrets and move on to your next assignment. Maybe your next article can tell people how they can steal confidential company data. Oh wait, you did that in this article.

As a security professional my days are filled with trying to protect the assets of my company. I strive to educate my users to practice safe security and not do things that will put the network or the company at risk. Your article has just thrown lots of work out the window. I realize that you have a "The Risk" section for each trick, but that doesn't diminish the fact that you are telling people how to break the rules, policies and procedures that are in place for security. This will put the company at risk and the offending person's job at risk. Not to mention the fact that people will use the work-arounds that you suggest even if they know better because now they know how.

Your attempt to justify your position by calling in hacking and security pros does little to nullify the bad advice that you are giving to people. It's NEVER a good idea to encourage people to do things that they are not supposed to do. Just because either you or anyone thinks that Security is being too strict or that it's just easier to do it at work does not justify such actions. Your attempt to say that if you take work home then you should be able to take home to work is also a very weak argument. If you take work home it should only be because you have a legitimate business need and it has been approved by Management and Security. Not to mention that your home network and PC should also be checked and approved before use. Carelessness such as this only leads to problems.


Andy Willingham

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.