Security's Everyman

Tuesday, October 28, 2008

Identity Theft knows no age

WOW! There has got to be a better way. My friend Mort has started a new blog with the Identity Protection company Debix. Today he has a post about a study that was done looking into identity theft and children. Yes, I said children. I'm talking people 17 years old and younger. I'm talking people who can't legally enter into a contract and therefore can't legally have credit. I'm talking boys and girls, little children, underage minors. I'm talking stupidity!

The numbers and statistics are frustrating and scary. They are also very irritating to me. Why? Because there is NO (repeat NO) reason for someone 17 or younger to have their identity stolen and to have credit opened in their name. As advanced as we are technologically, there is no reason for this to happen. It's utterly ridiculous that we have let things get to the point where banks and other financial institutions have not put processes in place to verify the information required to get credit opened in your name. Simple steps and checks could be put in place to verify whether the owner of a SSN is 5, 15 or 55 years old.

As irritating as the data is, there are also some good tips that we all need to follow, especially for our kids. Check out the blog to learn lots of good things about protecting your identity, and your kids'.

CSI Discount Code

Interested in attending CSI 2008 this year? Don't have the budget to pay full price? Well, if you're interested in a 55% discount I can help you out. I have 2 discount codes that I can give out if you are interested. Drop me a message and I'll get them to you.

Thursday, October 23, 2008

To patch or not to patch

This morning I slept through my alarm. I woke up at 7:20 am and realized that there was no way I'd make the last bus into town, since it leaves at 7:35 am. That meant that I had to drive the 30 miles to the office. I wasn't happy. Normally I would have declared it a work-from-the-coffee-shop day, but I had an audit meeting and a couple of other things on the calendar that I needed to take care of. It's now 11:30 pm and I'm still at the office, and I'm glad that I didn't make the bus into town. I'd really be stuck here all night. Actually, that may still happen.

After jumping into the shower and getting dressed I headed to a coffee shop to get some coffee and wait for traffic to lessen before making the drive into town. I fired up my laptop and started checking my RSS feeds and email. One of the first things I saw was that Microsoft had a pre-release announcement of an out-of-cycle patch that they were releasing today. Once Microsoft released the info and I thought about it, I realized that this has the potential to be bad news. I remember Blaster, SQL Slammer and Nimda all too well.

We called a meeting to discuss the issue and determine what our approach to this would be. The management team is made up of former network engineers who lived through Nimda when it hit the company a few years back. As soon as the word "worm" was mentioned they got that faraway look in their eyes. You know the one. It's the same look that you get when someone punches you in the gut. We discussed the pros and cons. We talked about the likelihood that we would actually get hit with anything. We talked about the potential impact if we did get hit. Like most companies, we live and die by network activity. Due to the nature of our business we are in a bit of a unique position, because if something got loose on our network it could put people in physical danger as well as do damage to the business itself.

Needless to say, the decision was made to start patching immediately. We've been at it for several hours now and still have a ways to go. We had to convince the applications teams that this needed to be done. We had to put our emergency response team into place (OK, we don't have a real one, but it sounds good). We had to get management buy-in. Some would say that we are overreacting, but since there have been confirmed reports of active exploits, Immunity Security has released an exploit for their tool, and I just read that supposedly there is a new worm in the wild, I think a little paranoia is good for the soul.

Tuesday, October 21, 2008

November is a BUSY month

I'm looking at my November calendar and it's already jam-packed. In addition to the normal work and home things there is Thanksgiving and lots of other events. I'll be doing some traveling to conferences both as an attendee and a panel member, plus attending a few things in the Atlanta area. If any of you are going to be at any of the following events I'd love to meet up and say hi.

Nov. 4-6, 2008 Information Security Decisions - I'll be attending ISD in Chicago this year and am looking forward to it. I've been wanting to go since 2002 and it has never worked out until now. In my opinion TechTarget has some of the best seminars out there, especially when you consider that most of them are free of charge. I know that several of us are trying to plan a dinner on Tuesday the 4th, so if you are going to be in town by then and want to join us, let me know. Of course there is also Wednesday dinner for any who want to get together then.

Nov. 12, 2008 The inaugural meeting of the Atlanta Chapter of NAISG (National Information Security Group). I'm proud to be a founding member and on the advisory board for the Atlanta chapter. If you are in the Atlanta area we'd love to have you join us. I'll be posting more details soon.

Nov 17, 2008 CSI2008: Security Reconsidered - I'll be participating in a panel discussion titled "Why Information Security Should Evolve to Information Risk Management." Unfortunately I won't be able to attend the whole conference, but I hope to have enough time to meet several people that I know via the internet but have not met yet.

Nov 20, 2008 I'll be attending another TechTarget seminar in Atlanta. This one is on compliance and should prove to be interesting.

As I said, I'd love to meet any of you who will be at any of these events, so just let me know.

Monday, October 20, 2008

NAISG - Birth of the Atlanta Chapter

It seems that technology is filled with its share of things to do. From local chapters of national organizations to small meet-ups between friends who all work in technology, everywhere you look there are conferences on all things technology. The bad thing about these events is that often they are not what you are looking for. If you are a pen tester then an ISACA meeting may not be your cup of tea. If you are a firewall jockey then InfraGard may not be what you are looking for. Then there is the question of value. Is the organization giving you value? Does it help you learn, connect with others, grow your career? Then when it comes to the conferences, most of them are out of reach for you unless you either live close enough to not have travel expenses, you get a free pass, or your company is willing to pay. A conference can easily run $4k before you know it. Even if you get a press pass for some events, the hotel, travel and per diem costs alone can break the bank.

In Atlanta there are a few different opportunities to get involved with different organizations. There is ISSA, ISACA, InfraGard, and several other local groups that meet weekly, monthly, quarterly or whenever they get around to it. I've not been involved in any of these for a few different reasons. Value, time, lack of content, etc. Well, for me at least, that is about to change. Starting next month Atlanta will be the home of a new chapter of the NAISG (National Information Security Group). I'm supporting it for a few different reasons. (Now comes the full disclosure part.) I am on the Advisory Council for the chapter, so that does sway my opinion a bit, but I'm also supporting it because I like the mission of the NAISG. It focuses on Information Security. It's not a platform for vendors to hawk their wares; it's a good mix of "in the trenches" technology and the soft skills that are needed to succeed in some areas of business. I also like it because there are no fees associated with it. I don't want to pay a national chapter, a local chapter, and a registration fee just to join a group that is asking me to give of my time and resources.

Anyway, the first meeting will be Wednesday Nov 12, 2008 at 7:00 PM. We will be meeting at 3030 Royal Blvd. South, Suite 220, Alpharetta, GA 30022. We are being hosted by Upgrade IT Consulting Services. There will be pizza and drinks provided. The program will be given by the Founder and President of NAISG, Brad Dinerman. He will be speaking on "Employee Monitoring and Surveillance." You can read more about the meeting at the Atlanta chapter page of the NAISG web site.

If you are in the Atlanta area we'd love to have you join us and become an inaugural member of the Atlanta chapter of NAISG. Tell your friends and co-workers to come also. Hope to see you there!

Monday, October 06, 2008

Lessons learned from the gas shortage

Since just before Hurricane Ike hit the Texas coast we have had problems finding gas in the Atlanta area. When we are able to find it we are paying 20 to 30 cents a gallon above the national average and 50 to 70 cents above some areas. This has forced Atlantans to make changes in the way we live in many cases. We're making fewer unnecessary trips, combining trips so that we only have to go out once, and taking alternate transportation to work: car pools, buses, trains, bikes, even working from home. Luckily, things are getting better here now, at least on the supply side. The 1 - 2 hour wait for gas is over, but we are still seeing several stations with little or no gas and we are still paying close to $4 a gallon.

In my opinion Atlanta needs to reconsider how we do transportation. I'm not talking about how our transit agencies are run or plan their systems. I'm talking about the average Joe and Jane Commuter. Atlantans rely way too much on their cars and way too little on other ways to get around. We tend to think nothing of making 4 trips when everything could be done in one trip. We love to drive. I assume it's so we will have more reason to complain about how bad traffic is. :)

So, how does this relate to Information Security or technology in general? I'm glad you asked! Just as Atlantans have had to come up with creative ways to handle the gas shortage, we need to review creative ways to protect our networks and data. We need to look at what we have and how we can leverage it instead of buying something new. We need to look at how we are doing things and find ways to maximize our processes instead of just adding more to the pile. We need to think about how everything fits together and how we can make changes to improve security instead of making things more complex by adding additional layers. (I'm not talking about security layers, but about layers that are unnecessary and make more problems than they solve.)

Times are tough all over, and that holds true for security programs also. As I'm writing this the Dow Jones is down 760 points for the second time in a week or so. It recovered some of the first loss, but it's not getting any prettier out there in the foreseeable future. Companies are tightening belts, spending is going to slow way down, and jobs are going to be lost. This is the time to get creative and show your company how you can make things better and save money. Of course creativity means risk, and that may not be the best thing at the moment, but at least let them know that you are thinking and working on ways to improve security without spending lots of money.

Friday, October 03, 2008

Book Review - Into The Breach

I love to read. Unfortunately I don't get to read as much as I'd like to (blogs are the exception), and when I do get to read it's usually in short segments, so reading a book can take a while. I used to spend lots of money on technology books but realized that they usually just adorned my shelves and were never fully read, so I quit buying them for the most part. Every now and then a really good book comes along that meets a need that you have and is enjoyable to read. One such book was Mike Rothman's "The Pragmatic CSO". It was short and didn't have a lot of fluff in it, and it has proved to be very valuable to me over the 18 or so months since I read it.

A few weeks ago my friend Michael Santarcangelo sent me a preview copy of his book "Into The Breach" to read. I liked it immediately because it's less than 100 pages long. :) I started reading it and knew immediately that this was good stuff. I read about 25 pages and set it down. It then got buried under other things and I couldn't find it. I had another copy but had no idea what I had done with it either. Finally, about 2 weeks later, I found it and started reading it again. Unfortunately I'd only get to read about 5 pages in a sitting and then something else would demand my time. It took me a good 6 weeks to finally finish it. It should have taken me 2 to 3 hours to read it from cover to cover.

This book is quick and easy to read. It makes sense. It isn't filled with fluff and unnecessary stuff just to bloat the size and price. Michael lays out a solid plan for implementing processes that can literally change the way you protect information. He puts lots of emphasis on common sense, out-of-the-box thinking and working with your users. The last part is key. Our users are the ones who primarily put information at risk, because they don't understand the whys and wherefores of protecting data. Michael lays out a plan for engaging them and helping them understand why they need to do things differently.

This is a book that all of us need to read and take to heart. If you are serious about making a difference in your company then this book is for you. If you want to have your old fashioned assumptions challenged then "Into The Breach" will do just that.

I gave a copy of it to my CIO about a month ago to read. He told me that he would read it and let me know what he thought. He has now requested more copies because he wants all of his Directors and Managers to read it. We were on a call with Gartner this morning and he told our Gartner rep about it and said that it was a book he needed to read. You don't know my CIO (most of you, anyway), but coming from him that is saying a lot. He is a man of few words, and those he says he means.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.