Security's Everyman

Tuesday, September 30, 2008

Playing catchup

I think this may be the longest stretch that I've had with no blogging. My last post was on Sept 14th. Since then I've been preparing for vacation, gone on vacation, and caught up after vacation. Needless to say it's been busy. Hopefully I'll be back to regular posting now.

I'm going to do a "catch-all" post to try and comment on a couple of things.

I'm going to start off by going back just over 2 months to a post that Rebecca Herold made regarding awareness training and a part 2 here. I starred this in Google Reader and then forgot all about it. I'm bad about that. I need things screaming at me so I will remember to go back and read them. Anyway, she talks about the fact that we often fail to give adequate awareness training to those who need it most: specifically those who deal with customers on a daily basis, our receptionists, call center reps, and so on. These folks are on the front lines but are often ignored as we focus our awareness training on those who are in "check box" positions. By that I mean those who handle PCI data, financial info and the like, where somewhere there is a regulation that says "train these people or else". We train them so we can claim compliance and then give the crumbs to the rest.

The next item is actually recent; both of these stories were posted within the last 24 hours. Two different stories with the same theme. I saw this one on Foxnews.com first and then a few minutes later this one on cccure.org. It seems that we still haven't learned basic security in many cases. What's really sad is that in both of these cases there is really no excuse for this happening. We are still disposing of devices that have not been sanitized. One case involves a British MI6 agent selling a digital camera on eBay that had all sorts of Top Secret data on it: pictures, fingerprints, names of terror suspects and other information. I can see this happening to a "regular" person (obviously not the top secret data, but selling a camera with pictures still on it), but an MI6 agent? I'm sure they are trained in basic security such as this. The next article talks about a Cisco VPN Concentrator that Andrew Mason bought on eBay and that was still configured to automatically connect to the central VPN concentrator at the company it originally belonged to. It's a good thing that Andrew is one of the good guys. According to him he had full access to the network by simply plugging it in and connecting to the internet.
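The common thread in both stories is that nobody checked the device before it left the building. As an added illustration (this is not code from the original post or from either news story), here is a small Python check of the kind a practitioner would want on a disposal checklist: given a raw image of the device's storage (say a dd copy of the camera's memory card), it reports every byte that does not match the wipe pattern and any common file signature that survived the wipe. The signature list and the sample "memory card" are constructed for the example and are not a full forensic signature database. One caveat for network gear like the VPN concentrator: wiping the box itself is only half the job, because the central concentrator will keep accepting that device's credentials until someone revokes them on the server side, and no amount of scrubbing on the sold unit fixes that.

```python
"""Added example (not from the original post): verify media sanitisation.

Given a raw image of a device's storage (e.g. a dd copy of a camera's memory
card or a flash module pulled from a retired appliance), report whether any
byte differs from the expected wipe pattern and whether common file
signatures survived. A clean result is (0, {}).
"""
import io

# Magic bytes that should not survive a wipe. Constructed list for the example;
# a real check would use a fuller signature database.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP/Office document",
    b"%PDF": "PDF document",
    b"\x1f\x8b": "gzip archive",
}
_OVERLAP = max(len(s) for s in SIGNATURES) - 1


def scan_stream(stream, fill=b"\x00", chunk_size=1 << 20):
    """Scan a binary stream in chunks.

    Returns (residual_bytes, found): residual_bytes counts bytes that differ
    from the one-byte fill pattern, and found maps a signature name to the
    first absolute offset at which it was seen. A tail of the previous chunk
    is kept so a signature straddling a chunk boundary is not missed.
    """
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    residual = 0
    found = {}
    tail = b""
    offset = 0  # absolute offset of the start of the current chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        residual += len(chunk) - chunk.count(fill)
        window = tail + chunk
        base = offset - len(tail)
        for sig, name in SIGNATURES.items():
            if name in found:
                continue
            idx = window.find(sig)
            if idx != -1:
                found[name] = base + idx
        offset += len(chunk)
        tail = window[-_OVERLAP:]
    return residual, found


def scan_image(path, fill=b"\x00", chunk_size=1 << 20):
    """Scan an image file on disk (the normal entry point)."""
    with open(path, "rb") as f:
        return scan_stream(f, fill, chunk_size)


def scan_bytes(data, fill=b"\x00", chunk_size=1 << 20):
    """Scan an in-memory image; handy for tests and small cards."""
    return scan_stream(io.BytesIO(data), fill, chunk_size)


def verdict(residual, found):
    """Human-readable result for the disposal checklist."""
    if residual == 0 and not found:
        return "clean: every byte matches the wipe pattern"
    parts = [f"{residual} byte(s) differ from the wipe pattern"]
    for name, off in sorted(found.items(), key=lambda kv: kv[1]):
        parts.append(f"{name} signature at offset {off}")
    return "NOT sanitised: " + "; ".join(parts)


def sample_image():
    """Constructed 64 KiB 'memory card' whose wipe missed one sector."""
    image = bytearray(64 * 1024)
    leftover = b"\xff\xd8\xff" + b"JFIF-leftover-photo!!"  # 24 bytes total
    image[4096:4096 + len(leftover)] = leftover
    return bytes(image)


if __name__ == "__main__":
    # Small chunk size so the constructed leftover sits at a chunk boundary.
    residual, found = scan_bytes(sample_image(), chunk_size=4096)
    print(verdict(residual, found))
```

Run it against a real image with `scan_image("/path/to/card.img")`; for a pattern other than zeros (some wipe tools write 0xFF or a random pass followed by a fixed one) pass the final pass's byte as `fill`. The signature search is deliberately a second, independent check: a wipe that "succeeded" but left a stray JPEG header behind is exactly the failure mode the camera story describes.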

A story that is close to home involves patient data for 45 people who were patients at Atlanta's Grady Hospital. It seems that their data was inadvertently put on an unsecured web site instead of on a secured web site. There are lots of interesting facts and issues involved in this that you can read about here. First of all, companies often give too many people access to their web sites to add content. Just as we don't give everyone access to our financial data, we shouldn't give everyone, or even several people, rights to add content to web sites. There is way too much risk of insecure or unauthorized code/data getting put up. We have a hard enough time getting our web developers to write secure code, much less allowing marketing or any other department to add content at will. The second problem that I see is that Grady outsourced the work to one company, which outsourced it to another company, which outsourced it to a third company. I'm not totally opposed to outsourcing, but this is ridiculous. Either legal didn't do their job in contract negotiations or they need to do a better job of ensuring that outsourcers are staying within the bounds of the contract.

One last thing that I want to comment on. Kudos to Jeremiah Grossman and Robert "RSnake" Hansen for the way that they handled themselves when vendors requested that they not release information regarding their OWASP talk on clickjacking. It shows maturity on their part to be patient and not try to rush something out just to get name recognition. Not that either of them is hurting for name recognition.

There are lots of other things that have been going on over the last 2 weeks but many other bloggers have done a great job of covering them so hopefully you already know all you need to know about them.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.