Security's Everyman

Security's Everyman

Tuesday, October 30, 2007

It's not always what it seems to be

It's kind of ironic that after seeing and posting the Ziggy cartoon about the Nigerian email scams that The Register has an article about a HUGE loss due to email scams.

This reminds us of the importance of being very diligent in how we deal with what seems like legitimate emails. We all get them. More often than not they are SPAM or scams. They are getting more and more realistic now. I received one the other day pleading for money to buy Bibles for Christians in Russia or somewhere. I receive similar emails that are legitimate so that makes these hard to detect. The look of an email will go a long way in determining who will or will not act on it. This is true in business and in scams. The bad guys know this and they are starting to pay more attention to it. They are spending more time polishing their emails so that they will get looked at. That's half the battle. If they can get someone to open the email then there is a much better chance that they will take action on it. Hopefully that action will be to delete it, but often enough it is to click on the link, reply to the plea and then get infected or have their ID stolen or bank account emptied.

We must be careful with all email even those that we receive from people we know or think we know. The incident with SuperValu is a great example of how "blind trust" can really hurt. The emails looked legitimate. The seemed to be from a known and trusted source. Yet it cost the company more than $10 million dollars. All because internal controls broke down. All because everything "looked" right.

You could argue several positions on this. Lack of a good User Awareness program was at fault. Not having good internal policy and controls played a part in this. Having both of these in place could have gone a long way in preventing this but nothing works as well as common sense and due diligence to ensure that things are as they seem.

So, what do we learn from this? Have the proper framework in place. UA program, policy, controls and encourage your people to think. Thinking is the thing that really can make a difference and prevent something really bad from happening.

Ziggy found the scammer

Here is a great Ziggy cartoon that we all can relate to. At long last the identity of the Nigerian Bankers widow is revealed!

Monday, October 29, 2007

Who would have thought?

Who would have thought that a new smart phone that was shipped out in October of 2007 wouldn't have the new DST time change patch already applied? I guess this shows why making an assumption is not a good thing. Especially when dealing with technology. My new BlackJack notified me on Sunday morning that it had updated the clock to reflect the change from DST. I didn't think much of it but was a little annoyed. So I just changed the time and went on.

That was mistake number two. I should have also gone in and changed it to ignore DST because when it next checked in with the tower to get it's time updated it changed back. I didn't notice it until this morning when the alarm went off to wake me up. I usually get up at 4:45 am so I can catch a 6:00 am bus into the city. Of course this morning it was really 5:45 am even though my phone thought it was 4:45 am. Oops.

Needless to say I missed the bus and had to take a later one. Not a big deal just a little annoying. so when I got here I applied my patches and all seems to be well.

Thursday, October 18, 2007

CSI Ticket Winners

Congratulations to Pattrick Harrison and Sajeev Nair for being the lucky recipients of the CSI conference passes. Both guys get free admission to the full conference including all sessions. This is a $1695 value for each of them.

I forgot to post is my original message that there is also a $100 savings code that any of the rest of you can use if you are attending and have not already registered. Just enter CSI2007 and you can take advantage of this savings.

Here is their promo blurb that I also failed to include in the last posting. I'm getting forgetful w/ age apparently.

CSI Annual Conference 2007
November 3-9, 2007
Hyatt Regency Crystal City
Arlington, Virginia
www.CSIAnnual.com

CSI 2007, held November 3-9 in Arlington, VA, delivers a business-focused overview of enterprise security. 2,000+ delegates, 80 exhibitors and features 100+ sessions/seminars convene to provide a roadmap for integrating policies and procedures with new tools and techniques. Register now using code:
CSI2007 and save $100 off the conference or get a Free Exhibition Pass at www.csiannual.com.

We aim to make CSI 2007 a
significant & stimulating gathering of security professionals and it would be great to have you as part of this endeavor.

Wednesday, October 17, 2007

Tickets! Get Your Tickets!

I have been given a press pass to the CSI Annual Conference 2007 this year and unfortunately will not be able to attend. I also have been given 2 FREE full conference passes to give away to anyone who may be interested in attending. It's a pretty sweet deal if you want to go. The conference registration cost is $1695 so it will save you a pretty penny. I've never been to CSI but from what I hear it's a great conference. So if you are interested in attending let me know and I'll give you the information to get the free passes. The conference is in Arlington, VA Nov 3-9, 2007. Here is a link to their site so you can get more information. CSI 2007

It looks like there will be some really good sessions and speakers this year. Just a quick mention of a few names that you should recognize:
Window Snyder
Jeremiah Grossman
John O'Leary
Pete Lindstrom
Ben Rothke

Not to mention the benefit of ISC2 CPE's for those who need them.

Just shoot me an email. My address is on the left side of my blog page. Yes this is a shameless plug to drive traffic to my site. :)

Tuesday, October 16, 2007

Keeping your system updated

I was looking at the latest issue of the SANS @Risk newsletter and it mentioned something that we need to keep in mind. I know that it's not something that I do regularly but I really need to do.

The four most critical vulnerabilities this week touch just about every
Windows user: Internet Explorer, Outlook Express, Word, even Kodak Image
Viewer.

The Kodak threat highlights a useful, but unpleasant fact. Microsoft
patched this product because it was distributed with Windows, but most
of the other products you add to your computer are not patched
automatically. Many vendors expect you to check with their web site to
learn about flaws that need patching. The criminals know that - hence
the new wave of attacks against applications.
All of us have software on our systems that requires us to manually check for updates. This brings up several questions that we must answer.
  1. What software is on our systems? Do you know?
    Make a list of all the applications that are on your system.
  2. How often do you check for updates manually?
    Bookmark the support page for each and check it regularly. Set a calendar reminder to ping you monthly.
  3. Do you use all the applications on your system?
    Uninstall all apps that you don't need or use.
  4. Where did you get your software from?
    Shareware/Freeware are great, but make sure you know and can really trust the source. The bad guys are putting our free software that looks really cool but packs a punch when it comes to owning your system.
  5. Did it come preinstalled on your system?
    Lots of the software that comes preinstalled on your system are trial versions that only work at partial functionality or expire after a period of time. If you are not going to pay the license fee to make it a full version then uninstall it. Even dormant software can be exploited.
OK, I know that for most of you this is common sense and you are already doing much of this, but I just wanted to put it out there that all software is a potential vulnerability and we need to pay attention to the little things.

Monday, October 15, 2007

Measuring Security Effectiveness

Pete Lindstrom wonders if Information Security Professionals really can make a difference for the company that they work for. He wonders if any IT savvy person can complete the tasks that are typically assigned to information security professionals.

Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?
It almost insults me to have my skills called into question but I don't think that he is implying that what we do is just another task that anyone can accomplish. I think what he is trying to do is help us to think about what, why and how we do what we do. Sound familiar? What I like is that he doesn't just question and move on he asks for examples. What is it that you do to make a difference? What sets you apart from the average IT or security professor?
Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?
I think that the answer to this is pretty obvious. Yes, just as in any profession information security professionals vary in skills, knowledge and ability to adequately secure their environment. If you set up 10 identical labs and took 10 different security professionals you would get 10 different ways to secure it and all 10 would have their strengths and weaknesses.

The key isn't how you do it but that you don't just follow a checklist and that you do what is needed for your environment. Example, the same 10 lab environment mentioned above would require 10 different security postures depending on the company that they were securing and their individual requirements. I think that a good security professional would set them up 10 different ways. Someone who doesn't really understand security but who knows how to secure a network would set them all up identically. That is not security. That is work that could be done by lots of different people.

So, back to the question of what makes the difference between a real security professional and any other person who calls themselves security professional? It is the ability to adapt and think and to take each situation and analyze it and secure it in the way that it needs to be secure, not just a way that may make it secure.

Why do faster computers make us more impatient (or how technology has made us lazy)

Mitchell has answered my answer to his posting on Automatic Security. Mitchell has some valid points and I agree with him. Security software has to be user friendly. It has to be easy to use, understand and mostly not annoying or intrusive. But we still have to educate the user. If we focus on taking them completely out of the picture in making decisions then we have done nothing to benefit them or the rest of us. Our current model teaches them to click OK. So when the get a pop-up that asks them if they want to install this "add-on" they say yes. When they are asked if they want to allow malware.exe to connect to evilhacker.com they say yes. When they they are asked if they want to trust an unvalidated certificate they say yes.

We don't need to take those decisions out of their hands we need to explain to them what they mean and why answering yes may be a bad thing. One point that Mitchell made was that the default behavior for many security apps is to ask the user what they want to do. This is true, but as I said some vendors are changing that. They are looking at how the OS and various apps work and what they need to do to be useful and instead of asking "do you want to allow IE to connect to the Internet?" they are automatically allowing it to connect. They are looking at apps that are signed and allowing them to do what they are designed to do without asking the user. Another point that Mitchell made is that security software doesn't know what the user is doing or the context in which they are doing it. Again, he is exactly right. That is where we need user interaction and that is where the user needs questions and answers that are in plain English so they can make a informed choice. The software vendors have got to quit thinking like techies and start thinking like the average person when it comes to this.

Over the last decade computers have gotten faster and faster and we have gotten more and more impatient with them. They have gotten smarter and smarter and we have gotten lazier and lazier. That is the other byproduct of poorly designed technology. Just as it has taught us to click yes it has also taught us to be lazy. It has been too complex for the average person to learn so they don't even try. We have taught them that they have to sacrifice security for convenience because we have made security inconvenient without explaining it to them.

I keep going back to this over and over because there are too many out there who think that the users are never going to learn or change. As long as we make change difficult then they won't change. We need to quit expecting the worst out of them and work to make them make the right choices and learn why each choice is right or wrong.

Where are the leaders?

This is inspired by both my buddy Sun Tzu and Michael Farnum. Michael is a little down in the tooth over the state of security. It seems to all be about playing catchup and buying stuff. But are we getting anywhere? It seems that we are always a few steps behind the bad guys.

My handy dandy Art of War calendar quote for last Friday says "The lives of the people and the order of the nation are in the charge of the generals. The difficulty of finding good leadership material is a perennial problem."

Therein lies the problem. Leadership. We have leaders in security but mostly they are focused on their company issues or their own little area of expertise. What we need are leaders who lead from where they are and then move out into larger area and share their experience. We need people who aren't afraid to take chances and challenge the best practices. Much of our problem stems from the fact that we tend to lean too much on the concept of best practices. We say "Oh look we need to implement X solution because it is a best practice." We look at things and say "What best practice can we implement to address X issue?" We don't stop and think about where the problem stems from and what is the best answer for us instead of the best practice answer.

In today's world of regulations and compliance we are afraid to look outside of best practices for fear of having auditors question us. Those who don't worry about the auditors and worry about securing their networks and protecting their data in the way that is best for them are the ones who are the leaders. They are the ones who stay ahead of the bad guys instead of playing catchup.

So to answer Michael's question "Does Security Nirvana Exist?" No, but those who think and don't just blindly follow the crowd are a lot closer to it than the rest of the world is.

Monday, October 08, 2007

Automatic Security?

I love and hate the Firefox addon "noscript". I use it to add an extra level of protection to my web browsing but I hate it when a site requires java or some other script to run and I haven't approved that site. It's not a big deal when I first visit the site but when I write a fairly long comment on a blog post and have it wiped out because scripting is required is really irritating. I did that this morning. Mitchell Ashley wrote a blog post on the need for security vendors to do more to take the ball out of the end users hand. I had a great (ok that's subjective) comment and it was a little lengthy but it got wiped out when I went to post it because I had scripting enabled.

So, I decided to take it to the streets. I'm going to rewrite my comment (at least what I can remember) here and see if I can get some good chatter going between Mitchell, myself and any others who may want to jump in here.

First go read Mitchell's post and then come back here. While you do that I've got a meeting to attend.

Ok, so were all back. Here are my thoughts and comments:


Mitchell, I agree with you that we need to make these issues transparent to the user to a point. Some AV/HIPS vendors are already doing this somewhat. They have taken lots of the firewall alerts and answered them "by default" so that the user isn't bothered with answering questions that they don't understand. They are making it easier for updates to be pushed/pulled to the system instead of making the users do this manually. There is still work to be done but.... Where I have a little disagreement is in completely removing the user from the fray. If we do so we may make it easier on them but we are missing out on an opportunity to educate them on the risks associated with life on the internet. We are missing the chance to teach them how to be more secure by giving them information that they can understand and then make a intelligent decision on. What I would like to see is the software vendors write alerts and pop-ups in layman's terms so that a user doesn't have to decide if it's safe to allow lsass.exe and svchost.exe to access the internet. And it gets even more confusion when the internet isn't really the internet but the internal LAN if they have one. I would like to see the vendors provide easy to understand tutorials (via the help button) that explains what the dangers of allowing or disallowing something is. We have conditioned them to click "yes" just to shut up the firewall but they have no idea what they are clicking "yes" to. I agree that User Awareness isn't the silver bullet but it has to be focused on because we can't change users behavior if we don't give them data that will educate them effectively.

Thanks for a good post that gives us something to think about. Thanks for stoking the fire of how can we make a difference and not continue to do things in the same way. What I would like to see now is how can we really make this work. What are our action points for making security transparent yet still making the user be (in the active sense) more secure?

OK, the floor is open for your comments and for you to add to the discussion on your blog. I think there is lots of good stuff here to chew on. Let's get going.

Friday, October 05, 2007

Oh, You Sad, Sad, Little Man

I hope that none of my readers take this personally. Actually, I hope (and really believe) that none of my readers would fall for this. I know that there are lonely people out there who want and need love and attention, but really now, the Internet (at least not via a unsolicited email) is not the place to find it. It's hard to believe that people actually fall for this kind of stuff. It reminds me of a scam that was going around in the late 90's where you would receive an email saying that someone had a crush on you and it was your job to guess who it was. It would take you to a site where you would put in their email address and press "submit". If the email address was right then they sent you the message from them. If it was wrong then you were prompted to enter another address. Needless to say you were never right. It was just a way to harvest email addresses for other malicious purposes.

I love this quote from the article.

"It's a pretty sad state of affairs that cybercriminals need little more than a picture of a blonde woman with pigtails to steal passwords from unwary internet users."

This goes back to how do we as security professionals address this? Hopefully within our organizations we have the policies and controls in place to deal with and prevent this, but what about when your employee goes home. We have to remember that bad practices at home will lead to bad practices at work and technology won't always prevent human error. Educating your employees on how to be safe online at home is just as important as being safe at work. Especially in today's world where more and more people are working remotely. A compromised home PC that connects to the network via VPN is just like having a compromised PC in your office.

Thursday, October 04, 2007

Why you do the things you do?

I spent a day in Orlando with the nice people of Symantec. As I've said before I'm on an Advisory Council for them and this was an opportunity for us and them to get together face to face and talk about security. It was really a very good experience. I went in with a little trepidation (at least as much as you can have when you get a free trip to Orlando) thinking that it was going to be all marketing and fluff. I expected them to try and feed us a bunch of good PR in hopes that we would all run back to our blogs and write good things about them. Well they didn't. They treaded us like the information security professionals that we are. They didn't try to insult our intelligence or feed us the company line. They showed us some of the things that they are doing and some things that they are working on or researching. They asked for our thought and feedback and gave us a chance to ask questions, give input, and talk about what we did and didn't like about their products. Then when we did this they actually engaged in serious conversation with us. They gave us access to top management and engineers. When we asked questions they were answered and not side stepped. Again, I must say I was very impressed with how they treated us.

One of the good things about the trip was that my good friend Michael Santarcangello was also there. There are 5 of us from the Security Catalysts Community on the Advisory Council and unfortunately Michael and myself were the only SCC members able to attend. I've spent lots of time talking with Santa one on one over the last year but this time he really amazed me. I got to see him in action and was able to see the things that he writes and talks about. Michael really does think differently (in a good way, usually) and challenges people to do the same. He is passionate about this and it shows.

As you may have noticed that lately I've not been posting as much as usual. This is because I'm tired of the "same ole same ole" blog posts. Most of the news worth talking about is chewed up and spit out 100 different ways on 200 different blogs and I just didn't feel the need to add to the fray. Why? Because I (at least I hope so) try to think differently. I try to not take the same perspective as everyone else. So you could say that if that's true then why didn't I take those stories and present them in a different light. Well, you are right, but not all stories are worth doing that to.

Well, since the Symantec trip I've really been thinking about thinking. Thinking about what it means to think differently. I posted some thoughts on that here back in December of last year. I still think that we must continue to find ways to think and do things differently. I'm tired of seeing people do the same thing just because that's the way we've always done it or just because it considered "best practices". People, especially those tasked with protecting information, need to consider not just how to do something but why are we doing it in the first place. Alex Hutton of the Risk Analys.is blog asked a basic question on the SCC forums today that too many times is just over looked by IT and security professionals. The discussion was around the fact the the SCC doesn't use SSL for logins. Someone questioned why a community of security professionals would do such. After several people commented Alex asked "What's the risk?" That's such a basic question but we are so ingrained into thinking about how and not why that we missed it.

Some people would argue that we are less secure today than we were at the beginning of the year. If that is true I think that it's our fault more than anything. We see a problem and start looking for a solution that will fix it and we don't stop to think about it. We don't ask the hard (or sometimes easy) questions that can shed valuable light on the subject. We have to think in order to adequately protect. We have to quit looking for a solution until we understand the problem. We have to quit striving to check a box on our compliance forms. We have to get out of the "best practices" mindset and get into the "what will best solve my problem with the least amount of pain" mindset.

Passion for what you do

A few months ago I ran across a new (to me anyway) blog called The Trustedtoolkit Blog. He was doing a series of posts on Security Policies and I linked to them. Since then I've been following the blog and today as I scanned the 500+ unread posts that were in my RSS reader this one caught my eye again. This quote is what grabbed me.

I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information.
I thought what a perfect candidate for the Security Catalysts Community because that is exactly what we are looking for is passionate people. So I pulled up the site to read the rest of the article and get contact information. As I looked around I didn't see any contact info but I did see a link to the SCC so I'm assuming that He is already a member. It seems that at one time I had his name but it completely escapes me and apparently he wants to remain anonymous to the rest of the world.

As I read the rest of the post I must say that I was please with what I saw and wanted to share it with the rest of you. He shares a story about a seemingly minor security slip up. I'll let you read the story here and then come back if you want to read my comments.

Ah, there you are! Pretty good post, huh. Did you see the same thing that I saw? Passion. He's right. It would have been so easy to just say "no big deal". Call HR tell them this is wrong and move on. But what about the unknown? If the easy way had been taken then they wouldn't know if the data had gone outside of the company. The potential for the seemingly small thing to become a big thing is pretty scary. If this had gotten into the wrong hands or had just been stored on a drive that was accessible to others then these 50 people could have been exposed (beyond the "small" exposure).

I commend the Masked Toolkit Avenger for his foresight in this and his passion for taking this seriously and not just sweeping it under the carpet. He would have passed up an opportunity to educate his client and those of us who read his blog. He would have passed up a chance to really make a difference in how information is protected.

I just hope that the rest of us (myself included) would have done the same and that we will keep this in mind when situations arise that seem small. Sometimes these small things turn out to be like Snoopy's Dog House. Little on the surface but HUGE on the inside.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.