Security's Everyman

Friday, September 28, 2007

A Waste of Time

I just finished a training class on Cisco MARS (Monitoring, Analysis and Response System). It was a Cisco authorized course put on by a major training company. It was two days and cost $2300 (luckily I used Cisco Training Credits so it wasn't "real" money). But between travel and the actual class time it cost me 4 days of work. I can't believe how useless the class was. When I say useless I don't mean that I didn't learn anything, but I didn't learn anything that I couldn't have learned on my own for a whole lot less money.

It's just wrong when a company like Cisco charges an outrageous amount of money for a class that doesn't do anything. I've been to other classes that were either free or less than $200 for 2 days that I gained much more from. After the class was finished we filled out a class evaluation and I made sure to let it be known that I was unhappy. I was nice and constructive with my criticism. One of the questions was "Based on your experience in this class would you take another Cisco Authorized Training Class?" My answer was a resounding "NO!". This is my first CAT class and I'm sure that many of them are very well done, but this isn't one of them.

Monday, September 24, 2007

Where has the time gone?

I can't believe that I only posted one thing last week. The 2 or 3 weeks prior to that weren't much better either. I haven't been overly busy, just nothing has caught my attention enough to blog about. My days at work have been full and my attention has been focused on several projects that I'm working on, but not any busier than usual. I guess it's a case of blogger's block.

I've another personal story of sorts along the same line as last week's "flat tire" post. This weekend I was turning onto a main road and went to wave at the car that let me in. As I waved my hand hit the frame of the door and I dropped my new Blackjack cell phone. Of course the car behind me didn't see it and ran over it. :( Believe it or not it still works, sort of. The LCD screen is less than usable and people say that it has lots of static when I talk. So needless to say I'm looking for a new phone. I had to revert back to an old Nokia that I had from 2002. It only works on 850 band networks so at least I get coverage even if it's less than stellar.

Tomorrow I leave for Cincinnati, OH to spend a few days in Cisco training. I'm going to their MARS class to learn how to get the most out of it. I've got friends up there and am looking forward to spending time with them and catching up on all that's going on.

In terms of information security (I guess I should write something about it). :) XSS and CSRF have been dominating my thoughts lately. I'm not sure just how many sites, especially ones that are commonly used by me and those I know, are actually affected by these. I do know that lots and lots and lots and lots of sites are vulnerable and that bothers me. It bothers me because they still haven't been fixed and it bothers me because that means that there are lots of opportunities for them to get pwned and for others to get hurt by them. I've been reading Jeremiah Grossman, RSnake, and other sites about it. Jeremiah and RSnake did a good job of talking about them at BlackHat and on a webinar that was sponsored by WhiteHat Security. Paul and Larry of Pauldotcom Security Weekly have a really good discussion about it in episode 82 of their podcast. Then of course there is the latest news about the Google "Unholy Trinity" that was made public today. I haven't had time to really delve into it, but I hear that one of the affected things is their poll plug-in for Blogger. So I'm not going to put out a poll this week just to be safe.

Well, I'd better get to packing for the trip. Hopefully this will clear my mind and refresh my blogging spirit so I can get back to regular posting.

Monday, September 17, 2007

Would you buy Security from this guy?

My good friend and local Atlanta resident Mike Rothman has announced the pre-sale of his new project "Security Mike's Guide to Internet Security". This is good news for the mom and pop computer user.

I have not actually read the book yet, but I know Mike and his passion for security and his knowledge of how to secure a system. I know this will be well worth the cost. Shoot, just one "non-call" from your friends and family will more than pay for the cost of the book.

You can find out more here, here and here.

Systems Maintenance

I mentioned yesterday the importance of maintaining your systems. Things like keeping your AV, HIPS, OS patches, software, etc... up to date. If they are left alone, in time either a vulnerability will be found in them or someone will break them.

It's also important for companies to realize that just because something is old and not widely known anymore doesn't mean that they can ignore it. Here is a perfect example. A 13-year-old boot sector virus was shipped on MS Vista laptops with AV installed on them. The virus got past all of Vista's protections and the AV scanner missed it. I don't know the details, but it sounds like it's a case of the forgotten virus coming back to bite you in the boot sector. :)

Microsoft "Patch Hole" Poll

Here is this week's poll.

The Microsoft "Patch Hole"

1) Big deal that must be closed
2) Not a big deal, let it be
3) I'm a Mac
4) Linux rules!

I'll tell you my vote right up front. This is a big deal and Microsoft must close it. This is nothing less than a back door into our systems. It is irresponsible for any company to do something such as this. In this day and age with hackers being smarter than ever there is NO excuse for this.

Security Purchases Poll Results

Voting was way down this week. Either it was a lousy question or not enough people voted early on and forgot about it. It could also be due to my lack of posting last week. I know traffic to the site was down.

Here is the question and answer choices:

In your Organization are most security purchases based on

1) Reaction to an event or scare 30%
2) Cool Toy "C" level wants to implement 13%
3) Careful Research 30%
4) Good sales pitch by vendor 17%
5) Other (Please leave comment w/ details) 8%

I was glad to see that careful research was up at the top. It wasn't as high as we would like to see it but at least it tied for first. The fact that many purchases are based on a "reaction" isn't surprising but is a little disturbing. It's sad that many companies won't take reasonable steps until something bad happens, and then they often end up buying the wrong solution or buying something that isn't the best fit for their environment.

I also wanted to thank Alex and Dr. Anton for pointing out a couple of options that I left out. I had them in my mind when I wrote the first option (Reaction to an event or scare) but failed to put them in their own category. They are risk reduction and compliance. Two of the biggest factors in our decisions (or they should be) and I forgot them. That's what happens when you try to do something quickly.

I'll have a new poll out shortly. I know you can't wait. :) Please vote this time!!!!!

Sunday, September 16, 2007

Travel, training and technology

Over the last couple of weeks I've been to two different "free" one day classes. The first one was put on by TechTarget and focused on Data Protection and Storage. It consisted of 3 or 4 sessions talking about various aspects of securing data and a couple of round table discussions. This is the second free TechTarget seminar I've been to and I have to say that both of them were pretty good. Especially for the price. :) They both have been informative and I've either learned something new or they spurred some thoughts and ideas that have proven to be helpful to me.

The second class was done by Foundstone. It was a one day mini class of their Hacking Essentials class. The presenter was Carric Dooley and he spent the day covering basic hacking essentials. He discussed some of the threats, attack methods and ways we can protect against them. It was a good day but I don't think that I really learned anything new. Again, it did spur some thoughts and I met some good people that I look forward to getting to know better over the next few weeks. I must say I'm glad that Carric is on the good guys' side. He is a smart guy that I wouldn't want trying to break into my network.

Hopefully I'm going to be in Cincinnati for a couple of days the week of the 24th. I'm planning on taking some Cisco training up there. If anyone is in the area let me know and maybe we can meet up. Then in October I'm going to Orlando for a day or two to meet with the other members of the Symantec Advisory Council and some of Symantec's team, including John Thompson. That will be a whirlwind trip, but hopefully it will be beneficial. The Symantec Council has been pretty much inactive since the beginning but they now seem to be on the road to getting it going. I know that Santa members who are also members of the will be there and I'm hoping that a couple of my buddies from the SCC will also be there. Michael Farnum, Alan Shimel, and Kurt Wismer are all SCC members who are also on the Symantec Council. I'm not sure if they will be there or not but I hope that they are so we can meet face to face. I've enjoyed the interaction I've had with them in the SCC and via email and our various blogs.

Lots of exciting things going on in the next few weeks. I hope that I have time to update you on what's going on and add insight as I can.

When It Rains It Pours

It's always good to be prepared. I try to be prepared for situations that may arise both in my professional and personal life. I look at potential threats and issues that may arise and see what I need to do to be prepared. That's part of any good security program. Having controls in place to prevent a breach or reduce its impact is important in securing a network, web site or application. Doing preventive maintenance on your systems (patching, monitoring, etc) will help ensure that they are in shape to prevent holes that can be compromised.

Similarly at home I check for leaks around windows and doors, change my HVAC filters, and maintain my vehicles to ensure that they run properly. There are many, many things that need to be taken into consideration to ensure that you prevent problems and are prepared in case they occur.

On Friday I had an incident happen that I wasn't prepared for. I had left work about 2:45 in the afternoon to ensure that I missed the bulk of the terrible Atlanta Friday afternoon traffic. I'm traveling up the interstate when I hear a loud roar coming from my Jeep. I immediately turn off my radio and start checking for smoke or flying parts in my rear view mirror. I quickly pull to the side of the road and discover that I have a flat tire. So I get out my jack and lug wrench and start removing the flat tire. I get it off and grab the spare (one of those crappy temporary tires) and the first thing I notice is that it is also flat. Oh yeah, I forgot to mention that by this time it is now raining VERY hard. So I'm getting soaked while changing one flat for another.

I go ahead and put the spare on and then walk back to the driver's side of the car to get in. I had forgotten that my window was down so now my driver's seat is also soaked. I then call the Georgia Department of Transportation to inform them of my situation. One of the good things about living in Atlanta is that they have incident response trucks to assist stranded motorists.

After about a 45 minute wait my HERO (Highway Emergency Response Operations) arrives and puts air in my tire and I'm on my way home. Of course now I have to sit in traffic because by this time it's about 4:30.

So, what did I learn? It's the little things that can bite you. Not keeping an eye on the air pressure in my spare cost me time and a headache. What is there at work that is possibly being overlooked that may come back to bite me in the butt? Unfortunately I don't know what it is right off but I'm going to start looking at those little things a little closer.

Tuesday, September 11, 2007

Security boundaries

A constant struggle many of us face is getting users to understand that security does not stop at the firewall. That mindset is so ingrained in users that they just can't grasp how something that is not directly exposed to the internet needs to be worried about. Then when we finally convince them that we still need to worry about the security of internal systems they tell us that their systems aren't vulnerable because the users can't get to them w/o going through 2 or 3 different authentications or levels of security. What they fail to realize is that even though we have defense in depth, we still have to protect everything.

This came up this week during a change control meeting. The last few meetings there have been lots of requests for new reports that have to be created and put out for the users to access. I asked them if these reports were viewed via a locally installed app or a web browser. That's when they started on about how it didn't matter because the database can't be directly accessed. They just couldn't grasp the concept that if the web server being used as the front end was compromised, it was just a matter of time until the back end was compromised. Even though I explained it 6 ways to Sunday they had a mental block that kept them from grasping it.

That got me to thinking about how important internal controls are to an organization. Even if you don't have malicious users who will hack you from the inside you still have users who don't understand the dangers and may get you through ignorance. If we don't have sufficient internal controls in place to prevent "accidents" then we might as well take down our firewalls. Security needs to be implemented at every level and not just at the "high" points. In a perfect world we would all have the money and support to protect everything with the best technology possible. We don't live in a perfect world so we have to be pragmatic about how we decide where to spend our money and energies. We have to focus our resources on what is important and not just what is sexy, cool, or the hot topic of the day.

Sure we need to protect our perimeter. We need to have firewalls, IDS, IPS, DMZ, etc... but we can't let our focus be lost there. We can't limit our internal controls to AV and OS patches. We have to take a good hard look at what we are doing inside our perimeter and how we are ensuring that the good guys don't hurt us unintentionally and that the bad guys have a harder time getting to the company jewels if they get in.

Scanning, monitoring, ACLs, VLANs, HIDS, etc... All of these are key to an overall security program that will help keep your data, systems and users safe. Knowing what is going on in your network will help you to know how to best protect your assets. Ensuring that new systems and technologies (hardware or software) are secure prior to being introduced on the network will go a long way to preventing accidents.

We often focus on scanning the perimeter to ensure that attackers can't get in but we neglect to scan the interior to ensure that the same vulnerabilities aren't present on the inside. An XSS or SQL injection vulnerability that can cause problems on the outside is just as much a problem on an internal app that only employees can reach. Just because we have multiple layers of defense doesn't mean that we can ignore some areas because we feel that the rest is secure enough. Once someone gets a foothold in the ignored area it's just a matter of time until they are able to move to the next.
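As an added illustration of that point (example code written for this page, not anything from the original post or from the author's environment), here is the kind of SQL injection flaw an internal scan would turn up in a reporting front end like the one described above, beside the parameterized version of the same lookup. The "reports" table, its rows, the injected value and the reports_for_owner_* function names are all constructed for the example; it uses Python's built-in sqlite3 so it runs offline.

```python
import sqlite3

# Constructed sample data for the example: an internal "reports" table that
# the web front end queries on behalf of a logged-in user.
SAMPLE_ROWS = [
    ("alice", "Q3 sales"),
    ("bob", "Payroll summary"),
    ("alice", "Inventory"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO reports (owner, title) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def reports_for_owner_vulnerable(conn, owner):
    """Builds the WHERE clause by string concatenation, so whatever arrives in
    'owner' is treated as SQL. The database being reachable only through the
    web tier does not help: the web tier is the one running this query."""
    sql = "SELECT title FROM reports WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def reports_for_owner_safe(conn, owner):
    """Same lookup with a bound parameter. The driver passes 'owner' as data,
    never as SQL, so quotes inside it are just characters to match on."""
    sql = "SELECT title FROM reports WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo(payload="alice' OR '1'='1"):
    """Run both versions against the same injected 'owner' value (a classic
    tautology payload, constructed for the example) and return what each
    hands back to the caller."""
    conn = make_db()
    return {
        "vulnerable": reports_for_owner_vulnerable(conn, payload),
        "safe": reports_for_owner_safe(conn, payload),
    }


if __name__ == "__main__":
    result = demo()
    # The string-built query returns every report for every owner; the
    # parameterized query returns nothing, because no owner has that name.
    print("string-built query returned:", result["vulnerable"])
    print("parameterized query returned:", result["safe"])
```

The point for an internal scan is that the second version is what every query in that reporting app should look like, whether or not the users can reach the database directly.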

Remember, security is a 360 degree process. It doesn't focus on just one area or even just a few. It looks at the whole environment and starts at the key areas and grows out and in from there. It encompasses technology, policy, process, procedures, education and maintenance. Don't forget maintenance. Without that even the most secure environment will eventually fall prey to decay and advancement in hacker skills and newer technologies.

Monday, September 10, 2007

New Poll is Up

I just put up my new poll for this week. Here are the question and answers to choose from.

In your Organization are most security purchases based on

Reaction to an event or scare
Cool Toy "C" level wants to implement
Careful Research
Good sales pitch by vendor
Other (Please leave comment w/ details)

If you select Other please leave me a comment and let me know how your company decides on what to buy.

Information Security Poll Results (SPAM)

The poll regarding SPAM and who has done what has ended. Just as a recap here is the question and the answer choices.

Have You or anyone you know actually bought something sold via spam or gotten a virus due to clicking on a malicious email link?

Yes, I bought something. (0%)
Yes, I know someone who bought something. (7%)
No, I have not bought anything nor know anyone who has. (45%)
Yes, I have gotten a virus via a malicious email link. (11%)
Yes, I know someone who has gotten a virus via a malicious link. (54%)
No, I have not nor do I know anyone who has gotten a virus via a malicious email link. (27%)

Obviously the totals add up to more than 100% because you could choose more than one answer.

I like the honesty of those who admitted to getting a virus because they clicked on a malicious link. That's something hard to admit especially when you are in IT or Information Security.

What is really interesting is that only 7% of you even know anyone who has bought something via SPAM. It still boggles my mind that anyone would actually buy something from a complete stranger because they received an email. Just think of the possible dangers. 1) You have now given them your address. 2) You have given them your Credit Card or Bank Account information. 3) Even if they don't do anything malicious w/ the first two you are taking the chance that they will bill you and never ship the product. Unless you are using a 3rd party that guarantees you some sort of protection you are out that money. I guess though that if 7% of all SPAM that is trying to sell you something is acted on that is a whole lot of sales. I don't know what the average actually is but I'd venture to guess it is quite a bit less than 7%.

That is bad enough but to me the real danger here is the potential of getting your machine infected or owned by clicking on a malicious link in an email. Getting a traditional virus or worm is bad but today the real likelihood is that you will get botware that turns your PC into a SPAM bot or allows it to be used for other nefarious purposes. Worse than that is getting a rootkit or keystroke logger that is used to steal your identity and all of your user IDs and passwords for online banking, trading, etc... This can really cause nightmares in real life.

Thanks again for taking my poll and I'll have another one posted soon.

Sunday, September 09, 2007

Security Catalyst Community

I know that many of you that read my blog also read Michael Santarcangelo's blog and are members of the SCC. For those who didn't get the word and for those who forgot :) I wanted to remind you that the SCC web address has changed. Now to get to the SCC you need to go to:

The look has changed somewhat but the functionality and content are still the same. I encourage all of you to check it out and give serious consideration to joining. Those who participate quickly learn that this isn't just another forum. It's truly a community where people are excited about changing the way we do information security and how we protect data. I don't think you will be disappointed.

Tuesday, September 04, 2007

Being a CISSP

There is a lot of talk around lately about the CISSP and its value as a certification and how it compares to other security certifications. Martin (here and here), Michael, Daniel (here and here), and Rich have all chimed in and I'm sure others that I've forgotten about. The common theme is that each cert has its own value and that value differs for each person.

This post is not about whether or not the CISSP is the best certification as some think it is. It's not about whether or not it's technical enough or whether or not it still holds value as some have argued for and against. This is about what being a CISSP means to me and how it has helped my career.

I first decided about 3 years ago that I wanted to become a CISSP. At that time I was still doing lots of hands on technical work and was spending my spare cycles learning technology and decided to hold off on pursuing it. Around January of 2006 I decided that it was time to start getting serious about pursuing a vendor neutral security certification. I took a long hard look at what I felt would help my career the most. I was considering the CISA, CISM or the CISSP. I talked to people who held these certs and some who held a couple of them. I asked them about what value they held for them, how they felt that they benefited from them, what was involved in getting them and so forth. I also did lots of research on them and felt that the CISSP was the cert that held the most value for me.

I must admit that when I got the email telling me that I had passed the test I was VERY excited. Even though at that time I had talked to a few people who are CISSPs and they were very unhappy with ISC2 and the direction that they felt the organization was heading. For me it was a big deal. It was the culmination of lots of hard work preparing for the test (plus it meant that my employer would reimburse me the $600 test fee). It meant that I now had a leg up on some jobs that I would not even be considered for without either the CISSP or the CISA or CISM.

Whether or not you feel that it has merit, value or is a big waste of letters it has been very good for me. It has gotten me interviews that I would not have gotten otherwise. When I was laid off in May of this year the recruiters were knocking down my door to talk to me because of those 5 little letters after my name. It also played a big part in getting me the job that I currently have. They were looking for someone who was a CISSP. That was one of their requirements even if they weren't really sure why. If I had been a CCIE I may have gotten another position with the company but not the Security Manager position.

So being a CISSP has been very good to me. I'm still proud of the fact that I hold this certification and that it opens doors for me. I'm proud that being a CISSP still does mean something in many circles (even if they aren't all security circles). I'm glad that I chose the CISSP over the other 2 I was considering. Unless something drastic happens in the next few years I will make sure that I pay my yearly dues and get my yearly CPEs to maintain it. I hope that those who have concerns about ISC2 and its direction get some answers that they like and that the CISSP continues to hold value to all that obtain it.

The CISSP is not the cert for everyone. It depends on what your career goals are and where your interests in security are. It may be the best thing that you do for your career or it could be just another bunch of letters after your name. I think a lot of its value depends on you and how you use it.

E-Cards are evil!

Ok, maybe they aren't evil, but they are pretty scary. I arrived at work this morning after a 3 day weekend to discover that an employee had sent an e-card to lots and lots of our users. We have about 5000 employees most of which have an email account. The user doesn't have access to the global email group but was able to send it to a lot of people by selecting different groups that they did have access to plus individual accounts.

As I said, when I saw the e-card in my inbox and noticed that it had also gone to lots of other users I got that sinking feeling in the pit of my stomach. My initial reaction was to send out an email to everyone telling them not to click on the link to view the card. Then I noticed that the card was sent Friday afternoon around 3:30. Too late. If this was malicious then the damage was already done. The good news was that I had not heard of anything going awry over the weekend. Of course, since lots of people cut out early on Friday there was a good chance that this morning would be the time to fear.

Before I reacted rashly I decided to check out the link to see if it was malicious or not. I did a search on the e-card company. It was one I was not familiar with. Nothing bad came up. I then went to the site and looked around. It looked OK. Then I took the next step and put in the e-card number to view it (all of this was done in a safe environment). Whew, nothing evil appeared. It was a Thank You card for something that the company had done for her.

Of course there is a "dark" side to this. We don't state in our email policy that it is against the rules to send e-cards but we do state that email is to be used for "business purposes". So the user did "break policy". What is really bad though is this.

  • By doing this the user (who has a supervisory role) has told their subordinates and others that it's OK to do this thus increasing the likelihood of others doing the same.
  • By doing this they are teaching the users that clicking on an e-card that seems to come from someone you know is OK, even at work.
  • By doing this they are reducing the effectiveness of company policies. (Unless something is done which is out of my realm of responsibility).
Something so seemingly innocent and nice really has a negative effect on information security. A simple email saying thanks would have sufficed and would have been much less damaging.

The good thing is that this will give me the opportunity to ensure that this and similar issues are addressed in a way that ensures that all understand the importance of following policy and practicing safe computing. Plus it will add to my UA Training listing.

Monday, September 03, 2007

Spam Attack

This weekend my wife and I took our 2 girls to the Atlanta Children's Museum. They had a special exhibit that was a recreation of Sesame Street. Both of our girls watch Sesame Street and of course my wife and I both grew up watching it. We were pretty excited about taking the girls to see and experience it. When I was checking into it I was kind of surprised to see that tickets were $11 each for everyone over 2 years old. That meant that we had to buy 4 full priced tickets. I had a feeling that it wouldn't be worth $44 but it was for the girls so I was willing to do it. It did turn out that it wasn't worth it. It would have been better if we hadn't found out how to get to Sesame Street.

We got there and it seemed like every kid in Metro Atlanta was there. Plus they each had at least one if not both parents there. My wife described it as "stay at home mom hell". Kids were running around everywhere screaming, laughing, pushing, shoving and just generally acting crazy. Just like kids are prone to do.

I was checking my email over the weekend and I noticed that not only was I getting lots of spam but lots of spam was getting past my filters. That meant that when I was checking my email I was having to sort through lots of JUNK! People wanting me to act as their US representative and share millions of dollars with them. I've won the UK lottery at least 25 times in the last month. Enough grass seed spam to turn the earth into a "lush tropical paradise". I could even grow hair on Santa's head. :) Then there are all these people who think that I need to be a few inches taller. I just don't understand.

Then it hit me that our experience at the Children's Museum must be similar to what an email server experiences with all that spam. (OK, I know I'm really reaching here but it did occur to me) The museum was set up in a particular way to handle a certain number of kids in an organized fashion but when the attendance exceeds expectations then chaos occurs. Just as an email server is set up to do a specific function and then you add a spam filter to help keep out the junk. As email comes into the system in greater quantities it makes it more difficult for the system to function as it was designed. Just as kids run amok and cause chaos, all of the spam causes chaos on the server. Then spam gets through the filter and into your inbox.

Then just as with more and more kids running around someone is bound to get hurt. I saw 2 or 3 minor injuries occur and one of them involved my youngest. I didn't see it but my wife told me that a mother knocked her down and turned and said sorry and went on chasing her kid. As more and more spam gets through our filters the likelihood of someone acting on one of them increases, and as that increases so does the likelihood that a virus, worm, rootkit or keystroke logger is going to get installed on your network or home system.

Unlike the museum where I at least understand why parents bring their kids there and allow them to run amok I still don't understand why people actually act on these emails. Why they buy stuff advertised in them. Why they click on links promising them great pictures, the latest movie, the best price or the greatest deal on improving their whatever.

That leads me to this week's information security poll.

"Have You or anyone you know actually bought something sold via spam or gotten a virus due to clicking on a malicious email link?"
A. Yes, I bought something.
B. Yes, I know someone who bought something.
C. No, I have not bought anything nor know anyone who has.
D. Yes, I have gotten a virus via a malicious email link.
E. Yes, I know someone who has gotten a virus via a malicious email link.
F. No, I have not nor do I know anyone who has gotten a virus via a malicious email link.

In this poll you will be able to choose more than one answer so please answer all that apply. If you do have a good story to tell please take a moment and leave me a comment about it. I'm sure some of you have great stories to tell.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.