Security's Everyman

Friday, March 21, 2008

The Bad Apple

I've been thinking of buying a MacBook Pro for a while now. It's not something that I need; I just want one. Just when I think that I am ready to bite the bullet, Apple does something that kind of irritates me and makes me step back and take a second look.

A couple of years ago David Maynor and Johnny Cache were smeared by Apple for doing research and that left a bad taste in my mouth. Then I listened to an interview on Pauldotcom Security Weekly with Roamer where he details his experiences with Apple. This did nothing to endear Apple to me. Well, as time heals all wounds I've been thinking again that I may bite the bullet and buy a MBP and once again Apple has done something that just gets my goat.

Yesterday I noticed that my Apple Updater software was prompting me to install something. I looked at it and noticed that it wanted to install Safari. I don't want Safari and as far as I knew I didn't have it. So I said no and quickly checked my system to see if somehow Safari had been installed without my knowledge. It hadn't. So I mentioned it to some friends in a chat room and then forgot about it.

This morning I received a link from my friend Martin McKeay to a story that explains what happened. It seems that Apple decided to push out the Safari install to everyone who runs Apple Updater. Martin wrote about this here and you should read his take on it. I tend to agree with Martin that there is nothing really wrong with this, but it is underhanded and it irritates me. It would bother me just a little if this was the first thing that Apple has done that I didn't like, but it isn't. What I like even less is that they do these things and think that it's no big deal. Why shouldn't they be able to smear people's names and reputations, or give bad service, or sneak their software onto possibly millions of computers? They're Apple!

I don't like this because it's semi-dishonest and it takes advantage of people's inherent acceptance of Apple's goodwill. They assume that because it is being delivered by Apple via an update mechanism that it is an update. An install of software not currently on the system is not an update, and it's wrong to make people think it is. People assume that if a reputable company is sending them something via an updater then it is an update and needs to be installed. We in the security community have been preaching to our friends and family to keep their software updated, and along comes Apple with what could be called predatory practices. That is just plain wrong.

This won't make me not buy a MBP one day, but it will cause me to really consider whether or not I want to spend my money with a company who doesn't seem to care about how they do things. I know that lots of companies that I do business with do things that I don't like or agree with, and there have been lots of companies that I've stopped doing business with (at least knowingly). For now Apple has lost my business again and only time will tell whether or not they earn it back.

Tuesday, March 18, 2008

CSO Perspectives Day 2 and 3

I think one of the aims of the conference was to make us feel right at home. What I mean by that is that for most of us our days start early, end late and we are always on the go. That is exactly how day 2 was. Breakfast was at 7:00 AM and the day ended (officially) at 9:30 PM, and just about every hour in between was filled with something. Even lunch was done in table discussion format. The last 3 hours were geared more towards the "fun" side of things. There was a big St. Patrick's Day party open to all. I missed out on it because I had been invited to a dinner that IBM was sponsoring. After the dinner was over and we all parted ways it was pushing 11:00, and we had to start again at 7:30 the next morning.

I'm not going to bore you with all the details of the day. The main thing that I want to stress is that this is a quality conference. It's not geared towards the technical side of life but towards the business/operational side. It's not big and it's not super sexy like some of the larger conferences but it is done right. In talking with lots of attendees I discovered that the reason many of them choose this conference is because it is small and it does offer what the CSO needs. Many people that I spoke with have been to CSO Perspectives at least once before and some were on their 3rd or 4th conference.

What did I like? Pretty much the same things. Not too many people, so it wasn't overly crowded. Good content in most of the sessions. Vendors were there, but they participated in the conference as both vendors and participants. It wasn't pushy and it wasn't filled with sales pitches. The opportunities to network with others in similar situations were really great. I spoke with guys very much like me who were fairly new to the world of being an information security officer, and with those who had been doing it for years and who worked for some of the world's largest companies. The thing that really got my attention is that all of them acted just like they were "real" people. No egos, no "look at what I've done". Just "Here I am. What can I do for you?"

Several times during Q/A sessions I'd ask a question, and almost every time someone would approach me afterwards, give me a card and tell me to get in touch with them if I needed anything.

Just a quick rundown of some of the highlights of the conference and who some of the speakers were.

  • Eric O'Neill - Former FBI Operative. The movie "Breach" is about his role in bringing down one of the foremost spies in recent history, Robert Hanssen.
  • Dave Morrow - CSPO, EDS - spoke on the topic of monitoring employees
  • Milton Ahlerich - VP Security, NFL - talked about the challenges of security when dealing with "stars" and very large venues.
  • John Stewart - VP & CSO, Cisco Systems - John spoke about the value Security adds to an organization and how to sell that value to management and the users.
  • Andrew Nash - Sr. Dir. of Information Risk Management, PayPal. Andrew talked to us about the growing threat of malware and what companies like PayPal are doing to fight it and help make us all safer.
  • Louis Freeh - Former Director, FBI - This is a guy whose shoes I wouldn't have wanted to be in. He was put in the undesirable position of having to conduct multiple investigations into the actions of his boss, the President of the United States, Bill Clinton. He spoke to us about leadership keys that can make or break your career.

There were also "break out" sessions that touched on different concepts and strategies to help us do our jobs better. There were lunch sessions around various topics of interest and there were other "Hot Topic" sessions for the whole group. The only thing that I would have done differently was to reduce the number of "break out" sessions and increase the amount of time for these sessions. Each was 30 minutes long, and that's just not enough time to do much more than get going good. Other than that I think the team at CXO Media did an excellent job in planning and executing the conference. If you have never been, I'd make a note to attend next year if you are a CSO or in a position of security leadership with your company. It's worth the investment in time and money.

Sunday, March 16, 2008

Quote of the Day

My favorite quote from the CSO Perspectives conference today.

"Someone tasked with trying to influence the activities of an organization without the authority to do so."

Why do I like it? It describes my job to a tee. :)

CSO Perspectives Day 1

Today was the first day of the CSO Perspectives Conference here in Atlanta. This is a conference put on by CXO Media that is designed to bring CSOs (and aspiring CSOs) from all over and give them tools to do their job better. I must say that they got things off to a good start.

Today was sort of a pre-conference day. It was a half-day hands-on seminar on Presenting to the Board of Directors. They brought in Paul Argenti, who is Professor of Corporate Communications at the Tuck School of Business, Dartmouth College. He spent the day talking about how to be better communicators, especially when we have to face the Board. This is an area that many CSOs need help with and few of us get to learn outside the "School of Hard Knocks".

The first part of the day was us listening to him teach us some keys to effective communication. We had some homework that we were supposed to do prior to the conference: a paper to read and a case study to go over. These were used as tools in the discussion and as learning aids. After we had been given a good overview of effective communication, we broke up into groups of 5 and were given 1 of 3 scenarios to talk about. After 30 minutes of brainstorming we teamed up with the other groups who had the same scenario that we had. Then as a larger group we put together a short Board presentation and had one of the group make the presentation to a mock Board. After each group made their presentation we wrapped up the day and went to have some light snacks and refreshments.

So what were my take-aways from today? Several things, I think.

  • First, when we communicate our message, no matter who the audience is, we must be clear and focused.
  • Second, be prepared. When you are going before the board you need to have all your facts and you need to be prepared to defend your position and be ready for them to throw you a curve ball.
  • Third, know your audience. Find out what you can about who they are, what they like and don't like. Anything that you can use to boost your message and get it across to them.

I didn't really know what to expect out of today's session but I was pleasantly surprised at just how good it was.

There are 2 more days of the conference with lots of sessions to choose from. It promises to be a good two days of learning and networking.

Friday, March 14, 2008

Information Security is a people problem

I know this has been said before, but it needs to be said again and again until we ALL finally get it. Technology isn't going to solve the problem by itself because there are too many flaws in how it is coded, deployed or maintained. Then there is the whole thing of people who come up with ways to get around what has been put in place. Once one person figures it out they tell two friends, and they tell two friends, and so on and so on.......

Amrit talks about how securing just the desktop alone can cost a small fortune for a company. Douglas Schweitzer talks about how we seem to be in a losing battle. NetworkWorld has an article from ComputerWorld on how Execs fear the security risks of remote workers but still have to deal with them.

I mention all of these to highlight some of the problems and issues that we face every day, whether you are a company dealing with securing workers or a worker who has to be secured. The thing is that we are constantly under attack, the attacks are getting better and better, and technology is having a hard time keeping up. Even when it is up to date there are still the issues of misconfigurations, wrong deployment scenarios, wrong technology for the environment or threat, workarounds, etc, etc, etc... It's also been said before that the best technology can't stop stupidity, apathy, or someone who is determined to get around it (in most cases). Until everyone, including IT and security pros, gets their act together we will continue to have big problems.

What do I mean by this? Let's start with the IT/Security Pros. As long as we have people who don't know what they are doing trying to do things that they aren't qualified to do, we will have issues. As long as we have people who are apathetic and don't bother to ensure that they have the proper controls in place and that they are properly deployed, configured and maintained, we will have issues. As long as we have those in this field who feel that they are above the law (or policy) and continue to skirt the rules, we will have issues. IT and Security have to take the lead (assuming management buy-in) in doing things in the best way possible.

Then the users have got to get their act together. They have got to quit being so click-happy and so focused on the next "cool site" or funny flash animation. They have got to quit being so enamored with the Internet, email and IM that they lose all common sense. I'd like to say that there is no reason for them not to be aware of the threats, but it seems that I can't. Actually I can say it. There is no reason. There has been enough media coverage to let everyone in on the secret. The problem is that they think that it will not happen to them and so they ignore it. That doesn't mean that we don't need to continue to educate and get the word out, but people just can't use the ignorance excuse anymore. Although I am surprised at the questions and looks I get from people when I talk about some of the attack vectors and threats that are out there. Even people in IT sometimes look at me with that deer-in-the-headlights look.

Technology is a very important part of securing our networks and systems but it has to be paired with common sense and good security practices. If we could get people to do their part then we wouldn't need to spend hundreds of thousands of dollars per year to secure the company............ huh?, what?, just five more minutes mom, please. I promise I'll get up in 5 minutes......zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Thursday, March 06, 2008

DR vs BC

Yesterday I went to a TechTarget breakfast seminar on Business Continuity. They had an analyst from The Burton Group talk about BC and then a short case study by Stratus on how they had solved a BC problem for a client with their solutions.

It was a good morning and started me to thinking about the difference between DR and BC. It seems to me that lots of companies think that DR = BC, and that they will be in for a very rude awakening if/when they ever have to put the plan into play. BC involves much more than DR, but as technology professionals it's easy to get caught up in the technology of it all and forget the processes that make the business run. I'm not suggesting that IT is responsible for ensuring that Finance or HR or any other department within the company has their BC plans in place, but we do need to ensure that our DR plans match up with the company's overall BC plans. That is where we can step in and raise the proper questions. I'm a firm believer that in order for technology to do its job properly we must understand the business. By understanding the business and knowing the technology (and how the DR plan works) we are in a great position to bring up other BC related issues.

This got me to thinking that this may be a good time to start doing polls again. So here is my first poll question for this year. Does your company have a full Business Continuity plan in place or only a Disaster Recovery plan?

  • DR Only
  • BC and DR

It's quick and easy and a good way to start the polls again.

Monday, March 03, 2008

Screen Savers

Recently we implemented mandatory screen savers for all PCs at work. There were a few systems that we had to exempt from the policy due to legitimate business need. These systems are in secured areas and have limited access by only a few users. The rest of the systems received the policy early last week.

The decision was made to use a common text-based screen saver and allow the user to change the text but not the theme of the screen saver. We sent out several messages informing the users of the change and when it was scheduled to happen. The day that it went into effect you would have thought that we took away their PCs and replaced them with an Etch A Sketch. All of a sudden no one could work, because they would be in the middle of intense computation and all of a sudden the screen saver would kick in and they would lose all of their work. In reality the problem was that they either didn't like having to reenter their passwords or they were upset because they couldn't change the screen saver to something else.
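An added example, not from the original post: a PowerShell audit that checks whether the mandatory password-protected screen saver described above is actually enforced on a Windows PC, rather than left as a preference the user can undo. It assumes a 15-minute timeout, the built-in 3D text saver (ssText3d.scr) as the "common text-based screen saver", and a constructed list of exempted call-queue hosts; adjust these to your own policy.

```powershell
# Added example (not the original post's code): audit whether the mandatory
# password-protected screen saver policy is enforced on this PC.
# Values set by Group Policy live under the Policies key and override the
# user's own preferences under HKCU:\Control Panel\Desktop.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

# Assumptions: 15-minute timeout and the built-in 3D text saver.
$MaxTimeoutSeconds = 900
$RequiredSaver     = 'ssText3d.scr'

# Hosts exempted for a documented business reason (constructed placeholder list).
$ExemptHosts = @('CALLQUEUE-01', 'CALLQUEUE-02')

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Policy wins over preference, mirroring how Windows applies the setting.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
    return $null
}

function Test-ScreenSaverPolicy {
    $findings = @()
    if ($ExemptHosts -contains $env:COMPUTERNAME) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Compliant = $true; Findings = @('exempt by policy') }
    }
    $active  = Get-ScreenSaverSetting 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'
    $saver   = Get-ScreenSaverSetting 'SCRNSAVE.EXE'

    if ($null -eq $active -or [string]$active.Value -ne '1') {
        $findings += 'screen saver is not enabled'
    }
    if ($null -eq $secure -or [string]$secure.Value -ne '1') {
        $findings += 'screen saver does not require a password on resume'
    }
    if ($null -eq $timeout -or [int]$timeout.Value -le 0 -or [int]$timeout.Value -gt $MaxTimeoutSeconds) {
        $findings += "timeout is not within 1..$MaxTimeoutSeconds seconds"
    }
    if ($null -eq $saver -or (Split-Path -Leaf $saver.Value) -ne $RequiredSaver) {
        $findings += "screen saver is not $RequiredSaver"
    }
    # A value that exists only under the user's key is a preference the user can
    # change back; flag it so the policy gap gets fixed instead of relying on goodwill.
    foreach ($s in @($active, $secure, $timeout, $saver)) {
        if ($null -ne $s -and $s.Source -eq $UserKey) {
            $findings += 'one or more values are user preferences, not enforced policy'
            break
        }
    }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ScreenSaverPolicy | Format-List
```

Run it in the context of the logged-on user whose settings you want to check; it reads only the current user's hive and changes nothing.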

The manager of the help desk is also the one who sent out the emails explaining everything that was going to happen. She is also the one catching the wrath of many of the users. She has been bombarded with calls, emails and visits by people who complain that they can't work or are extremely upset because they no longer have pictures scrolling across their screen when the screen saver kicks in. The sad thing about this is that in the past this has worked. A new policy is put into place, the users whine and cry, the policy is rescinded. Fortunately things are different now. Management realizes that the policies have to be put into place whether the users like it or not.

Often management caves to the whims of the user without taking the bigger picture into account. I've seen this in many companies that I've worked for and have heard stories of many others. Management wants the users to be happy, which is important, and security wants them to be secure, which also is important. The important thing is to reach a "happy medium". The point where users are happy and can actually do their job, yet the systems and network are secured. In a company that has a history of allowing the users to make policy decisions it can be a challenge to reach this happy medium.

There are several steps involved in getting past history and to where the company needs to be. It starts with education.

  • Management needs to be educated in the need to find balance. They need to understand that users want convenience, ease of use and control over their systems (ability to add programs, manage how it looks and feels, etc).
  • Users need to be educated. They are not concerned, at least by default, about security. They push back on most anything that changes how they are able to control their systems. The problem with this is that users are not "secure by default". They don't understand how to secure a system or why "that cool screen saver" they downloaded may just be the back door into the network. They need to understand "WHY" security is important and how it affects them personally.
  • Communication of changes MUST happen well ahead of the actual change. All affected parties need an opportunity to think about this and how it may affect them, and then ask questions. Maybe they need time to work out new processes to minimize the impact on their jobs without compromising security. This step does not happen just by sending out an email telling them that the change is coming. The communication needs to tell them to think (kinda sad, isn't it?). Unfortunately many people don't think by default.
  • Feedback from users needs to be taken into account to work around issues that may come up. An example from our screen saver issue is we have a few systems that are used by our call centers to view call queues. That is all these systems do so we need to exempt them from the policy while still ensuring that they are secured. Remember, we have to balance security with usability.
  • IT/Security has to remember that they do not have the final say on what, when, where, how or why these things happen. Their job is to come up with solutions to problems and convince the company why this is what we need and then work with the business units to make the solution as painless as possible.

Saturday, March 01, 2008

Digital Forensics

I've mentioned before that I'm not a forensics guy by any means. I've never done any "real" forensics, at least not anything beyond simply looking for fairly obvious evidence of a breach or problem. I enjoy reading about digital forensics because it fascinates me: the way that data can be extracted from media after it has been deleted, hidden, and even when the disk has been formatted. Not to mention how someone who is trained can look at the system and determine what happened, how it happened, who did it, how they gained access to the system, etc....

Last week I read this post by Harlan Carvey here. This quote that he made got me to thinking:

My personal thought on this is that ideally what an organization would want to do is develop an in-house capability for tier 1 response...trained folks whose job it is to respond to, triage, and diagnose a technical IT incident. By "trained", I mean in the basics, such as NSM, incident response, troubleshooting, etc...enough to be able to triage and accurately diagnose level 1 and 2 incidents, as well as preserve data until outside professionals can respond to level 3 or 4 incidents.

What is it that companies really need? What are the basics to ensure that triage is done in a manner that doesn't compromise "the crime scene"? I decided to post that question to my friends in the Security Catalysts Community here. As I expected, I have gotten some good responses.

On Thursday of this week I attended a one-day event put on by ISC2 called SecureAtlanta 2008. I had forgotten what the topic was, and it turned out to be Digital Forensics. It was a high-level discussion that covered a lot of the basics of what DF is and why companies need to be informed and concerned about it. Not much of the content was technical, but it was informative. One of the things that grabbed my attention was the topic of DF and the law. We need to keep in mind that what we do in incident response and forensics may end up in court. Our findings may need to be presented in court to convict or defend. Therefore we need to ensure that our teams are trained in the basics, but also trained in how to not contaminate the crime scene.

One last thing to consider is that, just as with all things related to security, there has to be a balance. We have to balance IR and DF with ensuring that we get (or keep) the company running. We can't forget that our company probably relies on these systems running in order to make money. So if your company doesn't have proper policies and procedures in place for this, start the conversation with your boss. Then work with management to get the proper program and training put in place.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.