Security's Everyman

Security's Everyman

Saturday, December 30, 2006

Still Secure Podcast

I doubt if there are many of you who read my blog that do not also read Alan Shimel at Stillsecureafteralltheseyears.com. A couple of weeks ago Alan emailed and asked me and several other security bloggers to participate in the year end podcast for the Stillsecureafteralltheseyears podcast. He has posted the podcast today and it is available at his site.

Thursday, December 28, 2006

Improving Security Awareness

There is a lot of talk about what is most important in security. (Here, here, and others that I can't find at the moment) Protecting from hackers trying to get in from the outside or keeping the insiders from taking stuff outside. Both of these are valid concerns that we need to keep a handle on. Protecting the perimeter and even endpoints is pretty straight forward. Keeping people from walking out the door with data is a different story. It requires different methods of protection and detection. There is a third area of concern that I see. It is usually lumped in with keeping the bad guy out, but the way he gets in is different. He comes in through the front door on a laptop that was compromised outside of the office.

For companies with large IT staffs and budgets this may not be a big deal, but for most small companies this is a major concern. With the prevalence of vulnerabilities, the ease of getting something undesirable on your system, the lack of user awareness and increase in user apathy this is a major problem. Already small companies IT departments are understaffed and have too much work to do. They have the staff or budget for stellar security products and are at the mercy of their users. They have to rely on their users being careful and cautious. The problem is that most users don't think about (or even know about) the dangers that lurk out there. They don't realize (and often don't care) that the porn sites they go to are full of malicious code. They don't realize that the airport and hotel wi-fi are often compromised. They don't think about the fact that email is sent in clear text and can be read by anyone who captures it nor do they head our warnings not to click on email links or open attachments.

It's not the disgruntled user, the sneaky hacker, or the money hungry insider that concerns me the most. It's the unaware, apathetic user who thinks that they can do as they please with their company owned and issued PC. A rootkit or piece of spyware that is on a machine is more dangerous than someone randomly scanning ports looking for a way to sneak into the network. It is even worse than most determined attempts to break in from the outside. Once they are on the machine they don't have to look for a way in. They are already in.

User awareness training has to be a major focus. It has to be improved so that it becomes more effective. It has to get the attention of the user and it has to have relevance to them. If they don't realize the potential impact to the company and how that can potentially effect them then they won't take the necessary precautions. They don't have to clean up the mess. They don't have to try and repair the damage. They don't have to worry about the potential impact to the stock price or have to answer to the board. Therefore, they don't really care. Making them care is the key to effective security awareness training.

Wednesday, December 27, 2006

WOOOO HOOOO!!!!

I just received word that I passed the CISSP exam. Now I have to get my endorsement form filled out and send them my work history to prove that I have at least 4 years of security experience. It feels good to have that behind me.

Friday, December 22, 2006

MERRY CHRISTMAS!!!!

I hope that everyone has a great Christmas and enjoys the time off work (hopefully) and with your family.

Thinking Differently in 2007

I've read a couple of posts (one from Ross Brown of Technobabylon and one from Andrew Hickey of SearchNetworking.com) that has spurred my thoughts on 2007. We all know that the bad guys are getting better and the good guys usually play catchup. Most small companies, and many larger ones don't have the financial or manpower resources to adequately test their network for functionality much less for security weaknesses. At least beyond the "obvious" weaknesses. Keeping up with everything that needs to be done can be daunting no matter the size of your organization or network.

If we are to make 2007 and forward successful from a security and networking standpoint we have to change our thinking. We have to take steps, big or small, to change how we view things and therefore how we design, build, maintain and protect our networks and data. We can't continue to do things as we've always done them. Maintaining the status quo may make you feel good and often look good on the books or to Senior Management, but that doesn't mean that it is what's best for the company.

Ross talks about being creative in our thinking as we assess our security. Some of his suggestions are good, but some are not achievable by many small companies with limited resources. At least not without putting more work on an already overworked staff. Yet, that IT staff isn't left out in the cold either. They just need to take a few minutes and think about how they currently do things and what small thing can they change that will either save them time or allow them to see their security from a different perspective. Those small changes may be just what is needed to prevent a problem. At the very least if they are well thought out they will work together over time to make you more secure.

We also have to look at why we are doing what we are doing. It's easy to not rock the boat, but sometimes the boat needs rocking. We're in the process of building a new network at work. Our CIO wanted to put in a Frame Relay network and build it just like every other network he has ever built. Why? Not because it was necessarily the best option but because it is what he knows. It has worked in the past and he is comfortable with it. When I mentioned other options he gave me the opportunity to build my case and convince him why something else would better suit our needs. As we have been talking with various vendors and looking at different options we could have continued to stick with the "tried and true" or followed the advice of the vendor on how to "best" build this portion of our network. Doing so would have been easy, but not necessarily the best option for our business. Many things that were suggested were overkill for our environment or they would not have given us the needed flexibility for future implementations that are planned. We had to think differently than we did in the past to make these decisions.

I know you are thinking this is common sense and you are right. Who, in their right mind, blindly follows their vendors recommendations? Who continues to do things "because that's the way we've always done it." Many, many people and companies do just that. That is the problem. That is why companies continue to struggle with security. They either over do it or don't have the infrastructure to support what they need so the do without.

One quick story and then I'll stop. I have a friend who works for a company that uses Symantec AV. He tried to talk his boss into switching to another vendor but his boss said, "Why change? I've used Symantec for years and never had any problems" Now for the second time in a year he is having to patch major holes in all of his Symantec clients. A change in thinking could have prevented this unnecessary extra work and left them safer in the long run.

So as you move into 2007 think about how you think about your job. Look at how you do things and come up with different ways to "shake things up". Obviously don't do anything different without testing it and getting proper approval, but most importantly don't stay stagnant in your thinking. Even if you aren't able to implement some of your ideas they will make you a better security practitioner or network guru just because you stretched your mind.

Thursday, December 21, 2006

There must me something in the NJ water.

OK, what is going on with Sys Admins in New Jersey? Now we have 2 high profile cases of logic bombs being set in New Jersey by disgruntled Sys Admins. I just don't understand the mindset of someone who would get so upset over something that they would be willing to potentially destroy a company and the jobs of those who work for the company. Not to mention the downstream effect that it could have.

Don't get me wrong. I get upset with my boss and even my company as a whole at times. I've been done wrong in the past. I've worked my butt off only to have a boss take the credit. I've worked long hours and never even gotten a thank you from management. I've been promised things that were never delivered. Lost "guaranteed" bonuses. On and on and on and on. Yet it never entered my mind to try and destroy the company. Planting a logic bomb or erasing data........ never even considered it.

In 2002 my wife was pregnant with our first child. I was the WAN Security Administrator for a small regional financial services company. My boss called me in one day and told me that he wanted me to start researching some companies that we could outsource some functions to. He gave me a list of requirements and off I went. As I looked over the requirements it hit me that MY job was what I was asked to find a replacement for, among other things. You can read a little about it in this Redmond Magazine article. It's about half way through the article under the heading "Hiring Your Replacement". Did I get mad and devise ways to bring the company to their knees? No, I did as I was asked. The way I figured it was that I worked for them and this was a project that I had been given. As long as it wasn't illegal or unethical then who as I to refuse to do it. Of course I had to do some work after hours to get things in place to get a new job, but I still did my current position to the best of my ability. I did find a company to outsource my job to and I did get laid off and I left in good standing. After about a year they decided that outsourcing the job wasn't the way to go and brought the position back in house. Since I had left in good standing I could have gone back to that position if I wanted.

Things worked out well for me in the long run. I was able to get a position that allowed me to learn many new things that I would not have learned otherwise. I'm making more money and my career is heading in the direction that I want it to. I'd say that is much better than being bitter and hoping that my logic bomb puts them out of business. Not to mention now I don't have to worry about how do I keep "Bubba" from trying to be my boyfriend.

Wednesday, December 20, 2006

Phishing for Users

Somehow I missed this on Monday, but thanks to my buddy Mike at TDI is hit my radar this morning. I agree completely with Mike in his assessment that this is part of security awareness. I can't say that I have done it, but I have given it serious thought. There are a couple of reasons why I haven't done it. First, I haven't had the spare time. Second, I petty much know how the users will fare. Most of them will fail miserably. Many of them already share their passwords freely with one another. They leave their machines unattended while logged on. If I ask for a password they give it w/o reservation. I've often wondered if we shouldn't make everyone that worked with a user change their password when that user leaves. Chances are that he or she knows at least one other persons user name and password.

Security Awareness Training is an area that needs lots and lots of work. Most of it that I have seen and been through is focused on meeting regulatory compliance. It serves no real purpose and teaches nothing of value. At least not in a way that will be retained by the users. That is one reason that I'm hoping that once my company is completely on it's own I will be given the go ahead to do real security awareness training and employ a few "unconventional" methods to teach the lessons.

Tuesday, December 19, 2006

This is going too far

Bruce Schneier writes about a new Cell Phone Service that actually acts as a bug and records 1/3 of the audio it picks up. These devices are supposed to be "marketing" tools, but in reality they are privacy invaders. Obviously this is not something to take lightly. Our privacy is getting to be harder and harder to protect. Now we have to deal with something such as this.

One of the comments that was posted said that the people choose to sign up for it so it's their choice to give up their privacy. That may be so but it's not my choice to give up my privacy if I happen to be talking to you or within recording distance of you. Many people just don't get it that they don't live on an island all by themselves. The choices you make will affect others.

Taking the high road.

It's good to see someone doing the right thing. The AT and T, BellSouth merger has been the topic of lots of discussion over the last few months. Whether you approve of it or not you have to like the fact that Robert McDowell is taking the high road and refusing to vote because of a conflict of interest. You can read more about it here.

14 Years

Today I have been married 14 years.

Happy Anniversary Jennifer. I Love You!

Monday, December 18, 2006

What were they thinking?

Well, hopefully I'm back to regular postings. I still have lots going on at work and of course Christmas time is keeping me busy, but I took the CISSP test on Saturday and so I no longer have to spend my spare time studying. That should give me enough time to blog again.

I got to work this morning and noticed a "suspicious" looking individual sitting in an empty cube connecting his laptop to the network jack. He didn't really look too suspicious, but he looked like an auditor (we all know that auditors are suspicious) :). Then I noticed two others looking around for network jacks in other cubes. I didn't bother to tell them that they were not hot. I figured that if Accounting wasn't going to tell me that we had auditors coming in that would need network access I'd make them tell me when they couldn't get to the Internet. Once they asked I set them up with guest access to the Internet.

It just baffles me that this stuff still goes on. Everyone still wants free, unfettered access to do whatever they want regardless of the potential risk it puts the company at. What gets me even more is that auditors, the very people who come to tell us what we are doing wrong, bring in Wireless AP's expecting to connect them to the network, try to connect their laptops to the network and expect to be able to have access to secure resources.

Obviously there was a failure on several fronts here. First, the accounting department should have informed me that auditors were coming and would need access to the Internet. Any other resources (printers, folders, files, etc) should have also been listed so that they could be gathered and put in a secure place that the auditors could access w/o opening up the whole network to them. I also think that the auditor has some responsibility. In today's world where everyone is screaming about the importance of being compliant the auditors should do their part. Requesting Internet access would have been a good place to start. NOT attempting to connect to the network until they had been cleared to do so would have also been a good first step.

Maybe I'm the only one in the company who sees this as a big deal, but as long as I'm responsible for the security of the network they will play by the rules set forth in our policies.

Thursday, December 14, 2006

I got an email from ebay............

This morning I was greeted at the door by an employee who was all upset because she had received an email from ebay telling her that they had suspended her account. Below is a summary of the conversation.

Me: "Your account wasn't suspended. It's a scam."
Her: "I don't know the email looks official."
Me: "Yeah, they do a really good job, but it's a scam."
Her jaw dropped.
Me: You didn't click on the link did you?
Her: Yes
Me: Never, ever, ever, ever, ever, ever, ever, ever, ever, ever, ever, ever click on a link in an email. You know better that that. Unless you know beyond a shadow of a doubt that it is a legitimate link and you know who sent it and that they were going to send it to you.
Her: But it looked so real.
Me: Did you log in to the site?
Her: Umm, yeah.
Me: Did you give them your credit card info?
Her: Well, I started to but they were asking for my PIN and security panel number so I came to you.
Me: Whew!

I then went with her to her computer and showed her how to spot these scams and had her log into ebay and change her password.

I get asked by friends, family, and co workers all of the time about this email or that link but I've never known anyone who actually fell for it. At least she was alert enough not to fall all the way in.

Thursday, December 07, 2006

Compliance is NOT a driving factor

I found a new blog (new for me) today when they linked to my Compliance posting. I know no harm was meant but I took offense to their accusation that I was letting the wrong thing drive my priorities. All that aside their blog looks to be interesting. I have added it to my feeds so I can keep up with what they have to say and learn from them.

Maybe a little clarification is in order. I think they misunderstood me. I've mentioned before about the major changes coming down the pike for my company. Part of that involves having to bring compliance issues in house that were being handled by a business partner. That means that like it or not, ready or not I have some catching up to do and I have to do it fast. I have to put some things in place to help me prove my compliance. True there were vendors there selling their hype but they are not what made me feel better. I've been doing this too long and dealing with vendors too long to buy into that. I spend roughly 35% of my time dealing with vendors. I know that they play games and I know how to play their games.

What made me feel better was talking to people who have been dealing with compliance issues for several years. They are the ones who gave me tips, hints and ideas that give me some hope in what looked to be an overwhelming task. I still have lots to do and will still have to spend lots of money. Not because spending money makes me compliant, but getting the pieces in place is not a cheap venture when you are starting from scratch.

Compliance is not driving my priorities. Security is driving my priorities. Compliance is just a piece of the puzzle that I have to put together. My priorities have always been a secure network and infrastructure whether or not I had to prove compliance. I practice the mantra "A secure network will almost always be compliant, but a compliant network will not always be secure".

Feeling better about compliance

On Tuesday I attended a day long seminar on Compliance the focused on Risk Management. It was put on by the guys at Tech Target and SearchSecurity.com. I wasn't expecting much for several reasons. Primarily it was free (vendor sponsored) and it was only a day. What can they tell you in a day that you probably don't already know? Actually more than I expected. It was a very well done seminar. There were 4 main speakers, a vendor Q&A session and of course the vendor arena.

With everything that is going on at work I almost decided not to go, but at the last minute decided that it may be worth it if for nothing else it would get me out of the office for a while so I didn't have to think too much about all that I have to do. Also compliance is coming at me hard and fast and I wanted a "refresher" and hopefully a new perspective on what is coming. I was not disappointed in the least. The speakers were informational and entertaining. If you have done much in the field of compliance or risk management you know that they can be boring if left to themselves. Of course the best part of it was the peer networking that goes on at events such as this. The value of a good network can't be overlooked.

What I brought away from the day was actually encouraging. Compliance is still looming over my head, but I actually feel pretty good about getting a handle on it. It will take a lot of work and a fair amount of money, but I don't think it's going to be the bear that I had imagined (knock on wood). I also found out that I am NOT subject to PCI!!!!!! I spoke with the Risk Manager and Information Security Officer for a large Financial Institution who is very well versed on PCI and it's implications for various institutions. This was a difficult question to get a straight answer to. Every person that I talked to gave me different answers, but most of them qualified their answer with "I think" or "I believe". The guy I spoke with is doing things the same way that we will be doing them and he said that they don't even look at PCI except for the framework of it and the benefit that can be gained by that.

Well, it's back to the grind. I've got to place my Cisco order today or I won't have routers and switches to have my WAN in place in time. Not a good thought.

Wednesday, December 06, 2006

Drowning in everything

For the next couple of weeks I probably won't post very much. Between work and the holidays I barely have time to eat. Please keep checking the feed and site and I'll post when I can.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.