Security's Everyman

Security's Everyman

Wednesday, February 28, 2007

Business or Security Experience?

I ran across this post from Security 360 the other day and saved it until I could read it digest it. Tonight I took the time to do so. Here are my thoughts on this.

There is a disconnect between security and not only vendors, but also most everyone else. People don't get security. Whether it's the end user, the network guy, the security manager or the vendor. Vendors expect that the IT guys get security, Management expects that the vendor and IT get security and the end user expects that they will be protected no matter what they do.

Often IT (especially in small companies) doesn't understand security. They are lucky to have someone who can effectively do networking, much less securely configuring their equipment and environment. They think that running AV and a firewall is all they need. When a new product is to be implemented they expect it to be "plug and play" and secure out of the box. Vendors give them this idea or they try to sell them consulting services to ensure that the product is configured properly and securely. That is a great idea unless the company can't afford the expensive consulting fees.

Management often expects that security will just "happen". They throw money at it and the problem goes away. Of course if they don't know what it is that they need to secure and what to secure it against they are just throwing money away. Not to mention they need properly trained security professionals to ensure that it is done right. If that isn't' the case then management expects the vendor to "fix" the problem for them. Again, not a bad idea, unless the vendor isn't security conscious (as we have seen here). There is much danger in this mindset.

Then there is the end user who expects that IT has all the bases covered. If that is so they can do what they want without danger. We talk security and we give them the impression that we, and therefore our networks, are bulletproof. So they feel the disconnect even if they don't understand it.

So, long way around to get to my point. Should Security Management be business oriented or technical oriented? Both. If you have too much business and not enough technical then you don't know what your guys are doing and if they are doing it effectively. If you have too much technical and not enough business then they have a hard time aligning with business processes. I'm not sure whether or not a MBA is necessary, but it doesn't hurt as long as there is a balance of technical understanding. Security managers have to stay sharp in what is going on in technology and business. Security isn't a second class citizen anymore and we can't continue to treat it like it is.

Who is responsible?

I ran across this last week and it brought back a memory of something similar (sort of) that I ran across when I was consulting. It also raised my ire because of the concepts that this guy is using to try and win his lawsuit against IBM.

First the story. I was consulting for a small company that had customers from all over the world. They received business related emails from any country that that has a computer. It was request to buy items, get more info, etc. The problem was that every spammer in the world had their address book. They received spam in every conceivable language and on EVERY conceivable (and inconceivable) topic. When I got there they had no spam filter in place and all of their users used MS Outlook and they all used the preview pane (maybe pain is a better spelling). You can imagine what happened. They were hammered with spam that included VERY GRAPHIC sexual content. When I saw this is was shocked and in total disbelief that they had not taken any steps to control this. Actually, bringing me in was their first step. Their previous consulting firm was unable to even realize that this was a problem. This wasn't even the reason they brought me in. I originally came to investigate why their new Windows 2000 AD domain wasn't working properly. Anyway, I noticed all of this porn email as I was doing a general survey of the company. I immediately brought it to the attention of management and explained the risk of possible virus infection, but also the potential for a lawsuit. They didn't realize that they were leaving themselves open to possible legal action for their inaction on this.

Now for my personal responsibility rant. Companies should do all that they can and that is reasonable to protect their employees and data from harm. I do believe that porn can and does cause harm to people. IBM did the right thing in confronting this when it was first discovered. If they were not doing anything to prevent this content from being accessed then they should have. That still does NOT release James Pacenza from being responsible for his own actions. There are plenty of other ways to deal with post-traumatic stress disorder. It is not IBM's fault that he visited this chat room. It is not IBM's fault that he didn't find a better way to deal with his problem. They warned him and he chose to continue in his actions. He knew the consequences. As long as IBM wasn't actively encouraging this action and as long as they had reasonable controls in place to ensure that he wasn't unduly subjected to inappropriate content then it's not their fault.

Blogger Threat

I ran across this today. It's something that we as bloggers and especially those who read blogs need to be aware of. Apparently if a blogger get infected with this malware it will insert a link to a malicious site when a new blog post is created. If the reader visits that site then they will be infected with this variant of the Storm Worm Trojan.

Remember these immortal word from the Hill Street Blues character Sgt. Phil Esterhaus "Let's be careful out there".

Noticebored Malware Newsletter

Noticebored.com has released the March Issue of their newsletter which focuses on gaining a better understanding of Malware. It contains info on how malware works and some remediation steps to prevent and remove (if possible).

New Blogger

I ran across a new blogger this morning. It looks like he just started blogging in January of this year and covers security, networking and some coding. I read several of his posts this morning and liked what I read. I'd encourage you to check his site out and see what you think.

Site Changes

For those of you who only read my blog via RSS I'd like to ask that you visit my "real" blog site here. Why? Because a couple of nights ago I decided to make a few changes and make it a little more pleasing to look at. I'd like to get some feedback on what you think. This is the first step to actually moving to my own website.

Tuesday, February 27, 2007

Teaching IT to Teach

In my rants of late regarding User Awareness and the general attitude that IT has towards users I've commented on how I feel that often IT gets negative because it's easier than teaching. Many of us in IT are not great people people. We are comfortable around others who think as we do, but we feel out of place when taken out of our element. That is when it's easier to get irritated at users than it is to help them.

In talking with many in IT who are like this I've discovered that often they do really want to help the users learn. It's in their best interest to do so. It makes their job easier and frees them up to do the work that they really want to do and the job that they really need to do. I think that many in IT really want to teach they just don't know how and haven't been given the tools to do an effective job of it. This is also something that I hope to get more involved with. I want to train users and IT to be more secure. IT often understands security but they don't understand users. Users often don't understand either. I want to help both IT and users understand each other and as a result understand security.

If companies really want to take security seriously they will actively encourage and equip IT and Security Professionals to work with the users and help them learn how to be more secure as they do their job. As we rethink how we practice IT and start to be intentional about helping users learn we will all be better off.

Sunday, February 25, 2007

Is NAT Security?

A few days back I posted about how Cable ISP's should have NAT on their cable routers instead of just assigning a public IP directly to the PC that connects to the modem. Apparently many of you have taken that to mean that I believe that NAT is a security feature in itself. Well, I do believe that NAT does help to make you more secure, but IT IS NOT a security measure. I would not trust NAT alone to secure my PC. Neither would I trust a firewall alone to secure my network.

I believe that NAT has it's place in securing a network whether it is at home or at work. Would you rather have all of your endpoints assigned a public address or have them be "hidden" behind a NAT device and therefore not directly accessible from the internet? I've never heard of a private address being attacked from the internet unless either there is a vulnerability at the edge that is exploited or the user does something that gives the attacker access to the machine. If it is just "sitting there" it is pretty safe. A PC that has a public IP address that is just "sitting there" is open to attack.

Someone brought up the point that lots of NAT devices are running older, unpatched versions of Linux and that they are vulnerable more so than a fully patched PC. That may be so, but most exploits are aimed at PC's and not home based NAT devices. I still feel more comfortable with the extra layer that NAT gives me. No I don't think it is a security measure in itself, but I do think that it is useful to "help" keep you more secure.

Santa's Wisdom

One thing that I've noticed about many bloggers (I'm guilty myself at times) is that they often use their blog to rant about something and that's as far as it goes. I try to "rant" and then come up with something constructive to add. Maybe a few ideas as to how "we" (security pros) can help "fix" the situation or how "you" (end user) can do something.

I don't like the "rant and run" model so when I got the opportunity to participate in a few different forums to do something constructive I took advantage of it. I'm on a Symantec Advisory Council that will look at some of the things that Symantec is doing and have a chance to put in my two cents worth as to what I like and don't like, as well as make some suggestions as to what I'd do. I've also hooked up with Michael Santarcangelo and joined the Security Catalyst Community as a "Trusted Catalyst". One goal of the SCC is to open up discussion on various security topics and discover better ways to practice security. The Trusted Catalyst Community (a subset of the SCC) has a goal of extending some of the discussions that take place in the SCC forums and working on ways to "put feet" to those and other ideas. We will work on projects as well as talk about how to "do" security in new and better ways.

All that said I want to point you to a post by Santa (Michael Santarcangel0) that has some good things to say about being different in how you practice security and gives some great ideas and suggestions on how to make a positive change.

I've spent a lot of time with Santa in the last couple of weeks on the phone and via IM. We both have a passion for doing security differently and especially User Awareness. We have talked in depth about how to help users learn in a way that will actually work for them and how to change the attitude that many in IT and security have about "stupid users". There should be some good content coming out of these discussions. Michael has just come out with some things that he is marketing to customers and also is releasing some of it to the community at large at no cost. I'm hoping to also put some things out soon that will be useful to you as you work on either teaching users or changing your attitude towards them.

I used to (OK, sometimes I still do) have the "stupid user" mindset. It really irritated me when they did things that just didn't make sense. I used to hate trying to explain something so simple to them because they just didn't get it. I didn't like trying to "dumb myself down" to their level to make them understand. I discovered a few things along the way that helped me change my attitude and look for ways to do things differently. That is what I will be sharing with you over time as I put them into a format that will be useful.

For now my "tidbit" for today is this. Next time a user comes to you with something that you consider to be "stupid" take time to listen to them, ask questions to help you understand them, and take a little extra time to teach them. If you have to take a few minutes alone to gather your composure before engaging them do so. Tell them that you will be with them in a few minutes and go take a few deep breaths. Don't go and share their "stupidity" with a co-worker just go somewhere where you can clear your head and think. Then come back to them and help them learn to be more secure.

Friday, February 23, 2007

Default Passwords

I originally asked the question on the Trusted Catalyst mailing list. Martin picked it up and posted it on his blog. Now I'm going to do the same.

Why can't we start a campaign to get the vendors to
make a change so that the default password has to be
changed after the initial log in?

We all know that default passwords, configurations and such are the cause of many security issues that we fight against every day. If we can do something to change this then we will make things safer for all of us. There are some vendors who already implement this, but not nearly enough of them do so. The big offenders are those who cater to the consumer market. I understand that by making this change it will create some support issues as users forget their passwords, but it will cut down on issues such as this. Not to mention it will help keep your neighbor from logging into your wireless router to get your ISP login info.

If you feel the same way feel free to post the question on your blog. The more blogs that this is posted on then the better chance that vendors will read it and consider implementing it.

Still shaking my head in confusion

I looked at a product the other day that is designed for a specific compliance need. It requires a web server and a SQL server. Sounds pretty normal, right? That's pretty much where the "normal" ends.

Files containing user info are sent to the web server via FTP. They are "processed" by the software that is on the web server. All of the processing is done via .bat files. Once the processing is completed the output it sent to the SQL server where is resides and is accessed via the web interface.

What struck me as "odd" about this is the following:

  • BATCH FILES!!!! Is this 1986?
  • All Processing done on the web server! Why do I have to pay for a SQL server? (of course they recommend a dedicated SQL server) WHY? The SQL server does NOTHING other than serve up the data to the web server when requested. No stored procedures run, nothing. I could use Excel for that.
  • This is a compliance product and it stores unencrypted user data on the WEB SERVER. Last time I looked web servers were pretty vulnerable to hacks. And there are NO procedures for removing the data once it was finished being processed (by batch files on the web server). Sorry, that still blows my mind.
  • Since it's a "Compliance" product it's not cheap. And they are using batch files.
There were several other "little" things, but I think you get the idea here.

Thursday, February 22, 2007

Congrats to Martin

I wanted to be one of the first to publicly say Congratulations to Martin Mckeay on his new Position with StillSecure. I'm sure that since he officially announced it on Tuesday that I'm a little late to the party. I know that many of you already know and will join me in wishing both him and StillSecure much luck. I think they both will be the better because of it.

I envy Martin for landing such a position as this. I know that being a "Product Evangelist" will fit him well. It's a position that I think I would enjoy myself one day. I've spoken with Martin many times by IM, Email and on the phone and consider him a friend as well as a Security colleague. I'm hoping that we will get to meet in person now that he will be traveling. I know that he has much to share with the world in regards to security and I'm looking forward to learning what I can from him.

Tuesday, February 20, 2007

Let's quit bashing users

All the rage lately seems to be user bashing. Here, here. There are others but I can't remember where they are off the top of my head. There have been several articles written by various people all of them talking about how User Awareness Training is a failure and that we can't trust end users to do the right thing. We need to quit wasting our time, money and efforts on them. Some even call them stupid and rant about how much of a problem they are.

We need to step back and remember a few things.

  1. We all have subjects that we are clueless about.
  2. End users are why we have a job in the first place.
  3. IT and Security have bad reputations among users already we don't need to do things to further foster it.
  4. We are all supposed to be professionals and calling people we work with stupid is not professional.
If we have problems with users then we need to either ignore it and do our job or do something to help them out. End users are not going away and they are not going to quit making mistakes.We all make mistakes even in areas that we are supposed to be experts in. It's up to us as to whether or not they learn to make changes or not. It's up to us to help them understand what they are doing wrong and how they can do it differently. It's up to us to protect them not only from outside attacks, but also sometimes from themselves. That may mean that we take time to teach one on one, we teach a User Awareness class at work, we keep our patience when they come to us with problems, we treat them with respect instead of like big dumb losers.

Technology Professionals are often seen as controlling, unfriendly, obnoxious, uncaring, and "know it alls". Even Staples has a commercial that depicts this. If we continue to perpetuate this by assuming that they will mess up and will be stupid then we are not helping. I will admit that they can be frustrating. So can ALL of us. We all have subjects that we don't fully understand and have a hard time getting a handle on. We need to remember that the next time we are tempted to give up on our users.

Another good quote

Todays quote on my "The Art of War" calendar is a perfect fit for getting Management buy in on security.

"One whose upper and lower ranks have the same desires will be victorious."

When we get everyone on the same page then we will be much closer to being secure. As long as that page is secure. According to my last post many companies are on the same page, it's just not a secure page.

Basic Security

I try to talk to lots of people who are in IT and especially in Security. I like to get a feel for what is going on in various organizations with respect to security. I'm curious about who has a grasp on what security really is and who has no clue. I've discovered that there are lots of companies who really have a very limited view of security and who only practice basic security. They do just enough to get by and make the auditors happy. As we all know security is not achieved by being compliant.

I'm often surprised at what companies allow to happen on their networks.

  • Leaving access points open or with minimal security
  • Allowing any consultant, auditor, or "friend" to connect to the network
  • Opening ports in the firewall because the "need" this application.
  • No Acceptable Use Policy for computer and network access
  • Allowing administrator access to local systems
  • No hard drive encryption
  • Etc, etc, etc,.....
It just doesn't seem to end. They they wonder how they got compromised. After all, their auditor said that they were fine. Auditors, for the most part, are not security professionals. I've met a few who really knew security, but most of them just carry around their checklist and take notes.

I've also discovered that many Security Professionals who work in these organizations are really frustrated. They work hard to keep things safe only to have Management subvert the process because it makes things easier. I've been there myself.

As I talk to people at all levels of IT management and in the field I realize that many people don't think about security being a key issue in IT. They assume that if they are behind a firewall and have AV installed then they will be OK. They don't realize that this is not 1998 any more. It often shocks me because I assume that everyone who is in IT thinks security. Even before I started focusing on security in my career I just naturally took security into consideration when doing my networking duties. I thought it was just how things were done. Then I remember the stories I read, the people I talk to and the things that I've seen and am reminded that many people don't realize that security needs to be a natural part of IT. Basic security is often ignored and when it isn't it is often just enough. Just enough is never enough.

That is why I think that those of us in Security have to keep fighting hard to keep us safe, all the while preaching and teaching real security to all that will listen to or read what we have to say. We have to argue our point with management and give them hard facts as to why what we have to say is worth listening to.

Monday, February 19, 2007

Takin' Vista for a ride

The CEO of our company is a "gadget guy". He gets the latest and coolest toys when they come out. Several years ago he flew to NYC to buy a Palm 7 b/c that was the first place you could get one. Anyway, he is going on a "roadshow" and wanted to get a good portable projector to take with him. His plan was to get one that would fit in his laptop bag so he wouldn't have to carry 2 bags. As he was looking he wasn't satisfied with anything that he found so he bought a Sony Mini PC that had XP on it. It was small and pretty cool, but alas it wasn't what he wanted. So he took it back and came back with a Sony VAIO Mini laptop. It has Vista on it. After spending a day and a half with it our CIO was unable to get it to do much other than surf the internet. Both the CEO and the CIO hated it. Rather they hated Vista. They debated taking it back and continuing the hunt for a good portable projector, but decided to keep the laptop so we could "learn" Vista on it. So now I have it and so far I am NOT impressed.

  • It's slow. Of course that is b/c Vista needs more horsepower than this little laptop can provide.
  • Vista is hard to navigate. Nothing is where it should be.
  • Most of our apps aren't supported in Vista so it is a expensive "deck or cards" at the moment.
I do like the portability of the VAIO, but I hate Sony laptops as a rule. So, we'll just have to wait and see how it goes.

Glad it's not me

A buddy called me the other day to share a story. A couple of consultants came to the office to help set up a new application that was required for compliance. The CIO told him that they were to have full network access. All of his concerns went unheeded. Then to top it off he was told to give them a temporary local admin account to the web and SQL server. By this time his head is ready to explode.

The real kicker came when a network tech went to connect them to the network. He asked if they needed to be added to the domain!! My friend about fell out of his chair. It's hard for him to work in an environment that is so security ignorant about such basic things. Needless to say he is thinking hard about a new job.

Wednesday, February 14, 2007

User Education can't be a bust

RSnake thinks that user education is a bust or so he says in his DarkReading post. The only problem with this is that if it is a bust then we might as well all just pack up and go home. If we give up on trying to teach our users how to be more secure then we will lose. We can't and I surely don't want to work in an environment where IT and Security controls every thing that goes on. Why? Because it would be a support nightmare. Users will still find ways to cause problems and the tighter we twist the thumb screws the more they will fight back.

If we don't continue to train them and attempt to make them more secure at work and at home then eventually the bad guys will own enough systems to make it impossible for us to secure enough to do any good. My little corner of the network might be secure, but no one else out there will be secure enough to do business with.

I have lots of respect for RSnake and would not want to have him try to come after my systems, but I have to call him to task on this. Having this kind of attitude towards User education is easy. It takes the onus off of us to deal with people who don't get it and who irritate us because they don't get it. I'd much rather have total control than spend 30 minutes teaching someone something that should only take them 3 minutes to understand, but that does no one any good. I've said it before and I'll say it again; what we teach them will make the internet safer for everyone, even if it drives us crazy.

Tuesday, February 13, 2007

Is user training useless?

DarkReading.com has an article about a forum at RSA last week where they discussed some of the industries greatest obstacles. The 2 items that received the most attention were 2 of those that are near and dear to my heart. Root kits and User Awareness. I firmly believe that these are directly related. Getting a root kit is not hard, but in most cases it requires a user doing something that many would consider stupid or at the least unnecessary.

Much of the talk actually centered about repercussions for someone when things get out of hand. Either the end user for doing things that they shouldn't or the ISP for not taking enough precautions and preventive measures to deal with traffic that is obviously "odd". Well this time I'm going to side with the end user a little. They go out and by a PC or laptop and take it home to connect to the internet. In most cases they have DSL or Cable internet and they just want to hook it up and go. This is where the ISP or the modem manufacturer comes in. The DSL providers and modem manufacturers USUALLY have equipment that provides NATing and basic firewall features. Cable does not. When you hook up to a cable modem provided by most ISP's you are hooking up straight the the internet. You are given a public IP address and are fair game in the wild. Hackers will find you and take aim at you with all they have. Most PC's, especially those that are fresh out of the box, are not capable of handling this. They will fall victim to attack in a short period of time.

So why are we allowing the cable companies to do this? Why are we allowing Motorola (they manufacture a lot of the cable modems in use today) and other vendors to do this. If a Linksys can make a Cable modem that NAT's why can't Motorola? If the DSL providers can use equipment that uses NAT and has a basic firewall why can't the cable providers?

Many of the panelist mentioned consequences for those who practice bad security on a regular basis. Isn't an ISP that issues a public IP to a customer that didn't specifically request it practicing bad security? Having a vendor sell a wireless AP that is open by default is bad enough, but having an ISP give a public IP address by default is much worse in my opinion. At least an open access point isn't available to the WHOLE world a public IP is.

Sunday, February 11, 2007

I got an email today from TouchStone Software. It was an ad for their site driveragent.com. They claim to be able to scan your PC for out of date drivers and then for a fee of $29.95 a year they will give you unlimited scans and automatic updates for all of your PC's. Sounds like a good idea and from what I can gather it is a legitimate service. My problem is that they are using a advertising method that is used my phishers and pharmers. Just like so many others that I've written about in the past they are encouraging people to do exactly what we keep trying to teach people not to do.

  • Click on email links
  • Give out Credit Card info to a unknown or untrusted source
  • Allow sites to install agents on your PC
  • Allow sites potentially unfettered access to your hard drive
We keep preaching security and then companies keep encouraging people to ignore basic security just to make money. There are many other ways to advertise your site and service without encouraging people to practice insecurity.

Saturday, February 10, 2007

How Much Security Do You Have?

Security touches every area of IT. It ranges from the perimeter to the end point and everything in between. This InformationWeek article talks about the consolidation of security and how some think that security will evolve into part of the infrastructure that will eliminate the need for stand alone products. Of course others think that there will always be a need and a market for stand alone products. What caught my eye in this article is this statement "But customers also can't manage 32 separate security vendors and their products--a number cited by Noonan last week as the average these days for a large enterprise. IT security spending continues to grow at three times the rate of other tech investments, he said, "a pretty unsustainable business problem.""

I work in a small shop and 32 separate vendors and products sounds like an awful lot to manage. I'm glad that I don't have to deal with that many. We have 8 different security products currently and 2 more in the works. For our needs this give us what I would consider to be a good mix of security that covers multiple layers and various avenues of potential attack. Then when you consider how each of these has various configurations and options most of them go 2 or 3 layers deep.

I'm curious how many different security products do you have? How big is your company? If you take into account the various options that each security product has how deep can you really go? What do you consider to be part of your security platform?

I talk with a lot of people who work in companies ranging from 2 to thousands of employees and I've seen lots of different security devices and products used. What I'd really like to know is how many of them are really unnecessary. How many of them take away from something else? How many of them could be consolidated into other products to reduce cost and management time. This ties in well to Thursdays post on "Too Much Security?" What can companies do to get the best bang for the security dollar?

Part of my passion for security is seeking ways to make security work with minimal pain for the company (financial and administrative), minimal impact to the user experience and most importantly ensuring that all aspects of the security infrastructure works together and not in opposition to each other. That is where I'd like to take my blog and my career. I'm seeking ways to expand my influence and teach others how to make themselves and their company more secure. There are many companies and IT professionals who really don't get security and it's implications to business and their personal lives. Those that do often only do so in a "Security Theater" way. They do what looks good without regard as to whether or not it really mitigates a valid security risk. In my opinion that is why a company can get saddled with 32 or more different security solutions.


Friday, February 09, 2007

What's the big deal about DST?

I had a conversation with someone yesterday who couldn't believe that some people were making a big deal about the DST change happening 3 weeks early. His comment was "It's only an hour. We change time twice a year and have been doing it for years." He didn't realize that in computer time an hour is a long time and can have a drastic effect on many different things. Some of them are small and trivial and some of them are pretty big and major.

I wanted to post here about it in hopes that if there is anyone else out there who doesn't think that this has the potential to be a big deal will take heed and do a little research. One example from real life. A secured web server uses time stamped cookies for authentication and access. The cookies are refreshed as the user continues to interact with the server. After a period of inactivity the session times out. You have sold this to customers across the country and it is a big part of your companies business. What happens if you don't plan for DST this year and all of a sudden customers are getting kicked out immediately after they log in? Obviously there are a couple of things here. One it's Sunday and your IT staff goes to Church and isn't available until after 12:30. You can't reach them because they keep their phone turned off during Church. Since all of your customers started attempting to access the system at 10:00 am that is at least 2 1/2 hours of down time and that is if the IT guy knows exactly what the problem is and fixes it immediately. What does this do to your SLA and customer satisfaction? Not good.

There are several good articles our on how to deal with this. I'm going to point to 2 places that I found to be useful. The first is the Microsoft DST page that has lots of good information on it. The other is a podcast the my friend Michael Santarcangelo did a couple of weeks ago. He brings up lots of things that need to be considered when planning for the change. Both of these are good places to start if you haven't already thought about this. I'd also check sites for your specific vendors to make sure that you know how to handle various applications and hardware that you may have. It's something that can be handled with relative ease and shouldn't cause too much of a headache for those who plan and prepare. For the rest of you.......................... good luck.

Thursday, February 08, 2007

Too Much Security?

I like this post by Chief, The Security Monkey. It's true that too often companies just throw "solutions" at problems without really understanding what the problem is and how the solution will help mitigate the problem or how it will work with or against other "solutions" in place. Not only that but often they will put in a "solution" without really considering if it is necessary. They get calls from vendors who often use FUD ,or ignorance on the part of the company, to sell something that isn't needed or that isn't the best fit for the problem at hand. Nothing should be implemented without considering how it will work with other things that are in place. It's also not necessary to implement something just because someone, vendor or consultant, says that it is necessary. Companies need to get out of "panic" mode and take time to investigate different solutions to find the best product for their needs.

Root DNS Servers Crippled!

OK, I admit this title is misleading and designed to draw traffic. OK, I admit it's not designed to draw traffic. It's purpose is to play off an InformationWeek post that does have a title that appears to be designed to draw traffic. DoS Attack Cripples Internet Root Servers by Sharon Guidin obviously leads one to believe that this attack was so big and bad that it crashed the servers and caused wide spread panic. The truth is that it only affected 3 of the DNS servers and they were NOT crippled, they were put into a "slow down" and as Martin McKeay mentioned no one really noticed.

Wednesday, February 07, 2007

Legitimate Rootkits?

I ran across an article on SearchSecurity.com this morning that caught my attention. It's about how rootkits are becoming more popular. What caught my attention is this comment on the teaser page "industry experts at RSA Conference 2007 say rootkits have also emerged as useful tools for legitimate businesses trying to exert control over users." My jaw dropped. After the Sony fiasco and just the fact that rootkits are, by design, hacker tools used to hide bad things you would think that we would have learned something. I know that there are lots of hacker tools out that have legitimate uses in security. I think it's great when we can use hacker tools to make our networks and systems more secure against those very tools. I think it's a good idea to keep a close eye on what the hackers are doing so we can counter them. I don't think that using something designed to hide bad things on our systems is a good idea for any reason. If there is a way to subvert the legitimate rootkit, and there is a way that will be found, then it is a major danger to our systems security and we need to fight against any company that wants to implement their use.

Tuesday, February 06, 2007

Users continue to prove that security is about much more than technology. Many people talk about how it will take more than firewalls, AV, IDS/IPS, ACL's, and other technologies to secure our home PC's, our networks and the internet. As long as there are people using these resources then there will be security issues. Why? Because people continue to either ignore or not care about basic security.

There are at least 2 articles this week on major news sources that highlight this. The New York Times has a technology article here that talks about a paper (here) that is being written for the IEEE Symposium on Security and Privacy in May. The other is a InformationWeek article that talks about workers ignoring basic security principles. I'll let you read them yourself and you can read more on them here, here and here.

I've written before about the need for better Security Awareness Training and I'm working on some things that I hope will evolve into something that will help make this a reality. One of the things that I'm doing is networking with some others in the security world who also care about SAT and who want to do something about it. Now that I'm finished with my latest project I'll have more time to put into this and other things. These will involve not only what will hopefully be more interesting SAT programs, but also working with Management to change the culture within organizations to make Security Awareness part of every day and not just a once a year or so. As security issues make more headlines and as companies have to start taking responsibility for their actions or inaction's in regards to security SAT will have to take a more visible role in the company. This will open doors for those of us who want to make a difference to be able to introduce new concepts that can make a difference. I know that today compliance drives much of this, but I think that this will change. Doing a SAT program that just meets your compliance needs may work today, but in the future compliance won't drive this survival will.

I also believe that before we can really make a impact on the user community we have to make a impact on the IT community. There are too many people who work in IT who don't get security. The TJX breach and many others give us examples of this. End users won't take security at work seriously until those in IT do. So Security professionals have to work with all departments to ensure that security basics are understood and implemented. This isn't easy in many companies because each department likes to be self-sufficient and not questioned by others, but this has to stop or the bad guys will find a way in and will win.

In my opinion Security Awareness Training has to be a priority for companies. They have to look at all aspects of their business and figure out how users can make it less secure and then implement a plan to mitigate this risk and teach our users something that will help not only they company but also their homes and the Internet as a whole.

Monday, February 05, 2007

Project Completion

After several long, long weeks of 15 to 18 hour days and no weekends my network conversion project is finished. All in all it went pretty well. There were some problems along the way but nothing that couldn't be overcome quickly and mostly painlessly. Friday night and Saturday were long days because we closed at 2:00 pm Friday and then opened again on Saturday at 10:00 am. During that window we had to get everything done that we had not been able to do before hand. Things like replacing the drives on the PC's and finalize local network setup. The company that we were doing business with came in and pulled their drives and network equipment and left us with a mess to clean up. Much of that is still waiting to be done. After about 1:00 Pm Saturday things calmed down pretty much except for a couple of password resets.

I feel like a big monkey has been removed from my shoulders and I can finally relax. I reintroduced my self to my wife and 2 girls yesterday and we spent the whole day together. Today I'm going over my "punch list" and assigning tasks to my field tech. I may even go home a little early. :)

Changing Phishing Bait

Over the last couple of days I've received 2 phishing emails that are seeking help with the transfer of funds from an account overseas that is in danger of being confiscated by the government. Nothing new there but the tactics are different than I have seen before. One was short and sweet.

Hello, I want you to act as the contract beneficiary of a contract executed here in Nigeria for the Federal government of Nigeria on the Niger Delta Development Commission (NDDC) which the fund is presently in a commercial bank ready for immediate transfer. The funds in question is US$10m and we really need someone who can act as the contractor to claim the money. RESPOND FOR MORE DETAILED INFORMATION. Paul Adaka.

The other one was much longer and it appealed to my good Christian nature. No dead Willinghams who I could claim as my relatives. Just someone appealing for me to do the Christian thing and take her money before she dies and use it for God's work. I guess I'm a heartless wretch for not helping her. Oh well.

Friday, February 02, 2007

Today is the day

Today all of my hard work over the last several weeks comes to a head. By the end of the day our network will be completely different that it is today. There will be no remnants of our current partners network and it will all be managed in house.

All in all things have gone pretty well. We had a few unexpected things that popped up and a few things that didn't go as planned, but nothing that couldn't be worked through with minimal pain. My biggest regret is that many of the security features that I planned in had to be put on hold until after we get through this transition. Obviously we have good security in place it's just not exactly what I feel we need. I have it all planned out, have an implementation schedule that will have it all in place within a few months.

Hopefully starting next week I will be able to be back to blogging on a regular basis and about something other than this project.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.