Security's Everyman

Wednesday, November 26, 2008

Infophysical Security

Information security teams work hard to secure the data that they are responsible for. They put in perimeter protections, network protections, host protections and all sorts of tools to monitor and manage those devices and protections. Configurations are checked before they go into production and all changes are tested and approved. All of this hard work pays off when you look at firewall logs, IDS/IPS logs, and the reports that your SIEMs generate to show just how many attacks are blocked, dropped and stopped before they reach their goal of stealing or damaging your data.

Of course we all know that this can easily be bypassed by one unpatched system, zero-day exploit, reckless admin or user, or a really good hacker or social engineer. There is always something that isn't exactly as it should be, and that one thing leaves you vulnerable. There is one other area that information security needs to have regular contact with and influence over: physical security. Physical security is the team tasked with keeping the bad guys physically away from the data. Unfortunately, many times these two disciplines don't communicate with each other, and this lack of communication can ruin the well-laid plans and protections that have been put into place.

CISOs and their management teams need to be proactive and take the lead in reaching out to the physical security teams at their company. They need to collaborate with each other and work together to ensure that the data is protected. Often physical security teams don't realize the danger a person presents when they allow him to roam the halls unescorted, or when they skip the step of verifying that a person is really supposed to be there. They don't understand that a good hacker may not be able to get into the data center because of the access controls in place, but he doesn't need to if he gets hold of a live network jack or an unattended, logged-in workstation. They aren't aware that a seemingly innocent flower arrangement, stuffed animal or other item can hide a wireless AP, a mini laptop, a wireless camera, etc.

This is another reason that when you are rolling out a security awareness program you need to ensure that it's not a generic one-size-fits-all program. Different departments need to be taught different things so that they are aware of the threats most likely to affect them. An effective security program will reach out to all lines of business and work with them to be proactive in securing the data.

Tuesday, November 25, 2008

Someone Please Help Me Understand

A friend came to me with a dilemma. A company is replacing all PCs within the organization. They are looking at buying laptops, desktops and VDI terminals. They are also using this as an opportunity to ensure that they have all the security software that they need on the systems to provide the most protection. They are looking at things such as AV, DLP, encryption, HIPS, etc. One of the guys on the team decided that they needed phone-home software to help in recovery of lost or stolen devices. Actually he says that it's pretty handy software. It has the ability to do much more than just phone home. It takes inventory of all software on the machine, alerts you when new software is installed, gives you asset management capabilities, can reinstall itself if the software gets removed, and lots more. They are considering installing this on all systems because a few desktops have gone missing. When asked how many and over how long a period of time, no one was able to give an answer. Yet they are willing to invest thousands of dollars in this software that will really not give them anything that they don't already have except the phone-home capability. So why the big rush to buy something that isn't needed?

There are several questions that need to be asked and answered before a purchase such as this can be justified in my mind.

  1. Just how many systems actually go missing every year?
  2. Are they really missing, or are they just not being tracked properly as they are moved, replaced, etc.?
  3. How many systems can they afford to lose per year before they actually see any real value in this program?
  4. Can they replace any other applications with this software? Asset tracking, system monitoring, etc.
  5. How much of an investment in infrastructure and personnel resources will be required to manage this program?

According to my friend none of these things have been thought about enough to give an answer, yet still the push is on to include this application when the systems are replaced. So I thought I'd ask you to give me answers that I can pass on to my friend. I figure that's about as useful as what he is currently getting. :)

The Sky is falling....... no wait it's not the sky.

Remember my "Pay Close Attention" post a few days ago? I hope you did because obviously I didn't. At least I didn't heed my own advice. Not long ago I had a pen test done against my network. I got the report back, looked it over, wrote up a management report and sent it off to management (imagine that). I had a few action items that I needed to address, put them on a to-do list and went on with life. Granted, life has been VERY busy, and since none of the action items were critical they kept getting pushed aside. Well, today I made a point to take action on them and fired off a few emails to the proper people to get the issues resolved. That's where the problem (little as it may be) started.

I won't go into specifics but here is the scoop. An issue was identified and the host system was fingerprinted. If you have ever done a pen test or scanned systems to determine the OS you know that it isn't 100% accurate, and that is what happened here. The scan came back with its "best guess," and since it was known that we do have that particular OS and device in use on our network the assumption was made that this was most likely what the device was. This is where I quit paying attention. The emails that I sent were based on the assumption and not the "facts" regarding the type of device. As I started to get feedback from the vendor and one of our engineers I had to do a little more research to get them the answers that they were requesting. That is when I actually paid attention to the IP address that was associated with the device and I realized that it could not be the "assumed" device. Are y'all still following this? It's confusing me.

So since I didn't pay attention at the beginning I had to start backpedaling and trying to explain how I could make such an obvious mistake. Of course management had also been copied on the emails, so there was no keeping this just between those on the network engineering team. So what can I learn from this? PAY ATTENTION! Things aren't always as they seem. :)
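The lesson above, that a scanner's OS guess is only a guess and has to be checked against what you already know about the address before you email anyone, can be turned into a small triage step. The script below is an added example, not code from the original post or from any scanner: it cross-checks each finding's guessed OS and the scanner's stated confidence against an asset inventory keyed by subnet, and flags findings that conflict with the inventory or are too low-confidence to act on. The subnets, device classes, keyword lists and the findings themselves are constructed for the example.

```python
"""Triage scanner OS guesses against an asset inventory before acting on them.

Added example (not from the original post). All inventory data, findings and
the subnet-to-device-class mapping are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: which subnet holds which class of device (assumption).
SUBNET_OWNERS: Dict[str, str] = {
    "10.10.1.0/24": "Cisco IOS network gear",
    "10.10.2.0/24": "Windows servers",
    "10.10.3.0/24": "HP printers",
}

# Keywords a guessed OS string must contain to be consistent with a device
# class. Matching is substring-based on the lower-cased guess (assumption).
CLASS_KEYWORDS: Dict[str, Tuple[str, ...]] = {
    "Cisco IOS network gear": ("cisco", "ios"),
    "Windows servers": ("windows",),
    "HP printers": ("hp", "jetdirect", "printer"),
}


@dataclass
class Finding:
    ip: str
    guessed_os: str
    accuracy: int  # scanner's stated confidence in the guess, 0-100


def subnet_for(ip: str) -> Optional[str]:
    """Return the inventoried CIDR containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr in SUBNET_OWNERS:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def triage(finding: Finding, min_accuracy: int = 90) -> Tuple[str, str]:
    """Classify one finding as 'ok', 'verify' or 'conflict' with a reason.

    'conflict' means the guessed OS does not fit what the inventory says lives
    in that subnet: the address, not the guess, is the fact to start from.
    """
    cidr = subnet_for(finding.ip)
    if cidr is None:
        return "verify", f"{finding.ip} is not in any inventoried subnet"
    device_class = SUBNET_OWNERS[cidr]
    guess = finding.guessed_os.lower()
    consistent = any(k in guess for k in CLASS_KEYWORDS[device_class])
    if not consistent:
        return "conflict", f"guess '{finding.guessed_os}' but {cidr} holds {device_class}"
    if finding.accuracy < min_accuracy:
        return "verify", f"guess consistent but only {finding.accuracy}% confidence"
    return "ok", f"{device_class} at {finding.ip}"


# Constructed sample findings, the kind of rows a pen-test report lists.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("10.10.1.7", "Cisco IOS 12.4", 95),
    Finding("10.10.3.12", "Cisco IOS 12.2", 85),  # router-looking guess in the printer subnet
    Finding("10.10.2.40", "Microsoft Windows Server 2003", 80),
    Finding("192.168.50.9", "Linux 2.6.X", 90),  # address nobody inventoried
]


def triage_all(findings: List[Finding] = SAMPLE_FINDINGS) -> Dict[str, str]:
    """Map each finding's IP to its triage status."""
    return {f.ip: triage(f)[0] for f in findings}


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        status, reason = triage(f)
        print(f"{status:8} {f.ip:15} {reason}")
```

Only the findings marked `ok` are safe to forward as-is; a `conflict` is exactly the situation in the post, where the guess matched a device type you own but the address says it cannot be that device, and `verify` covers low-confidence guesses and addresses the inventory knows nothing about.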

Friday, November 14, 2008


I feel like I'm never going to get back into the swing of blogging again. I keep trying to do daily posts but it doesn't work. I've got a few thoughts running through my head that I wanted to throw out. Most of it is security related but not all.

First, Wednesday night we had our kickoff meeting of the Atlanta NAISG chapter. It was a success. There were about 8 of us, but that's not bad for a first meeting. Especially considering that we didn't do much advertising. Mostly word of mouth. Everyone there seemed to have a good time and seems genuinely interested in making this work. Brad Dinerman, NAISG founder, flew down from Boston to help us kick things off and give our first talk.

I was listening to a Manager Tools podcast the other day and they were talking about the importance of attitude. Attitude makes a big difference in most everything. If you have a good attitude then things usually go better. People enjoy being around you more and usually give you more respect and listen to what you have to say. It makes for a better day for you and makes for better results in what you are trying to accomplish. It also makes other people feel good when you have an upbeat attitude. That reminded me of someone that I met last week at ISD. As I was listening to the Security Researchers Roundtable I noticed that Billy Hoffman of HP was really energetic and passionate as he spoke. It made me listen a little closer to what he had to say because of the energy that he had. After the talk I went up to meet him and there was someone else with him (no names). As I introduced myself to them and told them how much I enjoyed the talk, the other person was really standoffish and just said a lame "thanks." Billy, on the other hand, was very appreciative of the fact that I took the time to let them know. He talked to me a few minutes about Atlanta (he went to Georgia Tech) and my job. As we parted he commented on how he enjoyed meeting me. None of this was a big deal, but the attitude he put out really made a difference. That is something that many of us in the IT world need to work on. We need to get past our often introverted personalities and project goodness to our users, and this will go a long way in changing the negative mindset that many have towards their IT department.

I was listening to The Network Security Podcast on the way into town this morning and it was a recording of a bloggers' meeting that DHS Secretary Michael Chertoff held in San Francisco earlier this week. Martin asked several questions about the TSA and airport security, and Mr. Chertoff made a good point about the public not always seeing what is going on behind the scenes and therefore not understanding the why and wherefore of decisions that are made regarding airport security. While I don't think that we are doing the best job at airport security and I do often question the value of some of what they do (and why they aren't doing some other things), his comment did make me stop and think that I don't see the big picture in airport security. I don't have insight into all the data that goes into making the decisions that are made. They may look like stupid or inappropriate decisions to me. They may look like they do nothing more than make the public think that the TSA is doing something. But there is more to it than I see. In my job as Information Security Officer for my company I often look at decisions that are made above me and wonder why. Later on, as I get more info or see things unfolding, I realize that the decision made more sense than I gave it credit for. It's a good idea to withhold judgment until you know all of (or at least most of) the facts.

Tuesday, November 11, 2008

Pay Close Attention

Paying close attention to life can save us all a lot of headaches and unnecessary grief. This applies to our lives as information security professionals as well. We need to make sure that we pay close attention to what we are doing, whether it's monitoring logs, configuring devices, reviewing configs or RFPs, writing policy or procedures, etc. If we aren't careful and diligent in what we do we will make a small (hopefully it's small) mistake that may come back to bite us.

We also need to be careful of the message that we give to our customers and users. We need to ensure that we are clear in how we present the message and that it is in line with the business requirements. We need to make sure that we are looking for answers to solve a problem and not just saying "NO". How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us.

What made me think of this? This picture tells a story that is very different from the one it was meant to convey. If Mom and Dad had paid attention to what little Suzie was drawing for her class project it just could have saved them lots and lots of embarrassment.

What little Suzie was trying to convey was that her Mom worked for a hardware store and was selling a shovel to a customer.

Atlanta NAISG is Wednesday Night

Just a reminder to everyone in the Atlanta area that Wednesday, November 12, 2008 is the date of the inaugural meeting of the NAISG chapter. We are meeting at 7:00 PM in Alpharetta, GA at 3030 Royal Blvd. South, Suite 220, Alpharetta, GA 30022. This is the office of Upgrade IT Consulting Services, who have graciously allowed us to use their facility for our kick-off meeting. Pizza and drinks will be provided. The program will be given by the Founder and President of NAISG, Brad Dinerman. He will be speaking on "Employee Monitoring and Surveillance." You can read more about the meeting at the Atlanta chapter page of the NAISG web site.

Happy Veterans Day!

Today is Veterans Day in the US. A day when we honor all of those who have served in the Armed Forces. A day to stop and remember all the sacrifices made and to remember that our Veterans are the ones that have given their all to protect our freedoms.

I want to personally say a big THANK YOU to all of you who have served.

Last week when I was at Midway Airport in Chicago waiting for my flight home from ISD I spent several minutes viewing the display that they have set up to honor all those who fought in the Battle of Midway in World War II. I have to admit that it tugs at my heart strings to think about all that has been sacrificed by those who have fought for our freedoms and rights.

So today (actually, doing this every day is a good idea) if/when you see a member of our military or a veteran, make sure to tell them thanks, and if you get a chance buy them a cup of coffee.

Friday, November 07, 2008

ISD Wrap-Up

I had planned on doing a Day One and Day Two post but that didn't happen, so I'm gonna do an all-in-one summary. Things started on Tuesday when I met up with Chris Hoff in the hotel fitness center for a workout. After that was over I hooked up with Adrian Lane, Adam Dodge and David Mortman for dinner. After that there was an informal meet-up back at the hotel with some of the TechTarget team.

Things really got going on Wednesday morning. The day started off with a talk by Kevin Mandia on incident response. He shared some stories about cases that he had worked on and talked about trends in what he has been seeing and where he thought it might go. Unfortunately they didn't have paper for us and I didn't bring any, so I was unable to take notes to give more detail.

Next up was the ear-bleeding "4 Horsemen of the Virtual Apocalypse" talk by Chris Hoff. Why do I call it ear-bleeding? Because he had a lot of info to cram into a 45-minute talk. Chris is the man when it comes to virtualization and security (or the lack thereof). Unfortunately, even though he talked fast he still didn't get it all in, but he has the slides and notes available for download. I recommend getting them if you want to learn more about virtualization and security.

After that I had a hard choice. David Mortman and Mike Rothman were both speaking at the same time. I decided to listen to Mort's talk on Web 2.0 in the enterprise. He talked about how it's here whether we like it or not, and that as consumers of it we have to demand that the vendors/creators do it securely. He also went over the importance of secure code delivery across the board.

After lunch there was a panel discussion with this year's winners of TechTarget's Security 7. They break the world up into 7 verticals and choose someone from each vertical who has made a significant contribution to the world of information security during the last year or so. This year's winners are Bill Boni, Mark Burnette, Michael Mucha, Marc Sokol, Eugene Spafford, Martin Valloud and Mark Weatherford.

Next we were treated to one of Joel Snyder's informative and entertaining talks, this one on security agility. Joel spoke about the need for IT and security to be agile and why it is important. Joel's mantra is that it's better to be innovative than efficient. This goes against a lot of what is preached by many others. Joel believes that when we are innovative we are agile and are better prepared to face the challenges that we come up against daily. Not only that, but by being agile we can stay ahead of the curve, and when business units come to us with a need or problem we are better prepared to help them.

Day two was a little slow (or maybe it was me) and by far the highlight was the Security Researchers Panel that included Thomas Ptacek, Billy Hoffman, Dave Aitel and Alexander Sotirov. They talked about SDLC, attacks, breaches and such. It was refreshing to hear guys of this caliber giving their insights into what was going on and possibly where we were headed. This panel was actually my favorite session of the whole conference.

I'll stop here. It's been a long post already and I've probably lost most of you by now.

Tuesday, November 04, 2008

TSA strikes again

I left Atlanta this morning to fly to Chicago for ISD. Last night I was packing my bag and going through my laptop backpack to ensure that I didn't have any "contraband" that would raise the ire of a TSA agent. I had a Leatherman that I took out. I removed a USB drive that had a pen knife in it. I made sure not to pack my Cross fountain pen because there is no way in the world that I would throw it away if they told me I couldn't take it on the plane. I was careful to pack only liquids that were less than 3 ounces and packed them all in one 1-quart clear plastic bag.

As I went through security at the Atlanta airport all went well as my bags passed through the x-ray scanner and I walked through the metal detector. I grabbed my bag and other stuff, put it all back where it belongs and went on my merry way to the gate. The flight went well and I arrived in Chicago on time. As I was riding the train from the airport to the hotel all of a sudden I remembered that I had another knife in my laptop bag that I didn't remember taking out. It's a Buck 3" straight-blade boot knife (don't ask why I carry it). I opened up the compartment that I keep it in and sure enough there it was. How the TSA missed it I'm not really sure. Now I'm faced with the dilemma of what to do with it. Do I take the chance that I can get it on the flight back to Atlanta? If they catch it what happens then? Do they just give me the option to give it up and go on my merry way, or do they strip search me and put my name on the no-fly list? Not really sure I'm willing to take that chance. Maybe I'll mail it to myself before I leave here.

Help a Hacker

A year or so ago I became a fan of the work that Johnny Long was doing. Not only his Google Hacking, No Tech Hacking, and other cool things, but also his Hackers for Charity work. Back in April I had the pleasure of seeing Johnny give his No Tech Hacking talk and I met him after the talk. We spent a few minutes talking about Hackers for Charity. At that time I encouraged all of you to check out the site and do what you could to help with this endeavor. Today I'm renewing that call to action. There are several things that you can do that are very easy, enjoyable and even free (not all are free). You can buy the book No Tech Hacking by clicking through to the Amazon site directly from Johnny's site. When you do this all the proceeds go directly to Hackers for Charity. You can buy an "I Hack Charities" vinyl label for your laptop from here. Again, all the proceeds go to Hackers for Charity. You can donate time, money or equipment to the cause. If you blog or podcast, tell your readers and/or listeners about the work that is going on at Hackers for Charity.

Now there is something new that you can do. Peter Giannoulis, founder of The Academy web site, is offering to donate $1 for every new member that joins during the month of November. So not only do you get to make a charitable donation that costs you nothing, but you also become a member of a very cool site that is aimed at making your job as an information security practitioner easier.

So I encourage all of you to take a look at the work that Hackers for Charity is doing, think about how you can help out, and then do what you can.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.