How do I log in again?

My AV guy went to a remote site yesterday to work on a system that had a virus that needed special attention to remove. When he got there he was shown the infected PC and the keyboard had a note taped to it. I think I need to republish the password policy and that segment of the User Awareness Program.

Where's the Breech?!

I was driving back home yesterday from my in-laws with my wife and kids. As usual the girls didn't sleep and they were tired from the long Christmas weekend and they were fussy and grumpy. One would do something just to irritate the other and I was the one getting really irritated.

Shortly after we got on the road my cell phone rang. I answered it to be greeted by a recorded message saying "This is Visa calling to verify some activity on your card. Please call back as soon as possible at 800-br-549". Immediately a red flag went off in my brain. I had only used this card once and that had been several months earlier. In fact I got the card because I had a gift certificate for this online shopping site and they were giving you a "bonus" if you signed up for the card and used it to purchase your items. So I did. I was able to get what I wanted and still have about a $5 credit on the card. So I never even had to enter the card number into the system. The card came in the mail a few days later and I locked it away in a safe place and never even called to activate it.

I called the number that they gave me and it was promptly answered by a IVR asking for the card number of the card I was calling about. Being the ever alert security professional that I am I was not about to actually enter the number into a unknown system (that and the fact that I didn't have the card number with me). I decided that the best and safest way to handle this was to wait until I got home and find the card and get the number off of the documentation that they had provided.

I arrived home late last night and after unloading the car I found the "official" number to call for customer service and gave them a call. Once again I was greeted by an IVR asking for the card number that I was calling about. I entered the number and answered a few security questions before I was asked to verify recent activity. I patiently listened as the recorded voice read off one transaction. A $1 fuel purchase earlier that day. Now the red lights were flashing and bells were ringing. My card had been compromised. If you know anything about stolen credit card numbers then you know that one of the things that they bad guys do when they buy a fresh bunch of numbers is to test them with small transactions usually at gas stations because it is a low visibility place where they can test several cards with small chance of being caught.

I was then transferred to the fraud department where I answered more security questions and promptly had my card canceled. I was assured that I would not be responsible for this or any other charges on the card that may have occurred since the "test". I was told that a new card would be issued and that the credit bureaus would be notified of my misfortune so that they too can be on the look out for my credit well being. All is well.

Now, I've not been notified by any company of a compromise of credit card data since receiving this card so my question is "Where's the breech?". Where along the line did my card info get compromised? Was the online shopping site compromised? Was it the issuing bank? What about the bank that is used by them to process transactions? Maybe it was the clearing house or was it my computer? Since I never entered the number on my computer I don't think that is the problem so where is the problem? Maybe someone stole a copy of the bill that they send me every month (even though I have no transactions) out of the mail. Does this place also have more credit card numbers of mine? Will I be getting more calls on this nature?

I guess I'll have to pay "extra special" attention to my credit reports and my transactions for a while. You gotta love having one more thing to add to the list of things to pay more attention to. Oh well, I guess I should be happy that it was caught and caught early. It could have been a real nightmare.

The passing of a Music Legend

It's not often that I post something that is not Security or IT related but today I decided that this one was worth it. Yesterday morning (Sunday 12/16/07) Dan Fogelberg died of Advanced Prostate Cancer.

I grew up listening to his music and he was one of my favorite singer/songwriters. He wrote incredible lyrics and had a great way of making the music touch you and come alive. I don't think I have ever heard a song of his that I didn't like.

I remember when he released "High Country Snows" back in 1985. A friend lent me his cassette recording of it and I heard a song that has impacted me and been part of my life statement ever since then. The song is "The Higher You Climb". I'm going to post part of the lyrics here and hope that I don't get in trouble.

The higher you climb, the more that you see
The more that you see, the less that you know
The less that you know, the more that you yearn
The more that you yearn, the higher you climb

The farther you reach, the more that you touch
The more that you touch, the fuller you feel
The fuller you feel, the less that you need
The less that you need, the farther you reach

Those words have been in the back (and sometimes the front) of my mind for over 22 years and they have helped to push me to grow in whatever I do.

A couple of things to take from this are: 1) Listen to music that moves you and 2) if you are a male follow Dan's advice and get your Prostate checked regularly.

Dan you and your music will be missed.

So Long to "In The Trenches" Podcast

Back in 2005 I got my first IPod and discovered podcasts. I did a search for technology podcasts and one of the first, if not the first, one I found was In The Trenches with Kevin Devin and George Starcher. At the time I was truly "in the trenches" and found the content to be relevant and enjoyable to listen to. Even since moving out of the trenches I've continued to listen just because I felt that it was a quality show plus it helped to keep me grounded.

Well Kevin and George have decided to hang up the mic and have recorded and released the last episode of "In The Trenches". I know that I'm gonna miss hearing it every week and want to wish both Kevin and George all the best in their lives and careers.

Thanks Guys for all the hard work and good content.

New Blog Tagline

Last week I went to a luncheon put on by StillSecure and Force10 Networks. I was hoping that Shimel would be there but he had other commitments. I got to meet some great people with both companies, get a good, free meal and some swag. One of the things that they gave out was T-Shrits that had a quote on the front that I loved.

I like you. I just don't trust you.

I checked with Alan to make sure that it wasn't a company slogan and see if I could use it as the new tag line on my blog. It's not part of StillSecure's official slogan or anything and Alan said that they didn't have a problem with me using it. So it's now on my blog as the tag line.

Possibly the BIGGEST Security Story of 2007

When you are dealing with Rich and Chris you never really know what is real and what may be a giant Christmas Hoax. If this story is true then this is the biggest security story of the year. It also goes to prove that your have to be VERY careful, even when dealing with friends, when it comes to opening attachments and clicking on links. So Mom don't get offended that I didn't click on the link to the cute Christmas site that you sent me this morning.

The UTM Argument

There's a (discussion, debate, argument) going on regarding UTM's and multi-purpose firewalls. Actually it's probably cleared up by now, but I'm going to put my 2 cents worth in anyway since Cutaway did ask me to (I was just too busy to do so at the time). This all started when Cutaway made a post the had some misunderstanding in it. Then he asked for some clarification from several other bloggers, He said:

I wanted to cover this because UTM is actually a different animal then what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.

Then Hoff and Rothman both responded in somewhat harsh ways and it just kept going from there with Farnum jumping in and dragging me in with him.

Now that I have a few minutes I want to give my take on it. I agree with Cutaway that there is the potential for devices that are labeled UTM to be problematic. Now, whether or not they are truly a UTM device is to be debated. Is Astaro a UTM? What about some of the other smaller vendors who have all in one devices? Do only the "big boys" such as CheckPoint, Juniper, and Cisco have real UTM's?

This is what I think caused the misunderstanding. Lots of vendors call their products UTM's and lots of them are just hardened Linux boxes with various features added to them. Cutaway tried to find out what is it that defines a true UTM instead of a firewall w/ additional features but that got lost in the shuffle. The comment that I made on Cutaway's blog was in regards to the boxes that are multipurpose in practice but not specifically designed that way. I would much more readily trust a CheckPoint box over an Astaro box to protect my enterprise. Why? Because as Farnum says it's a proprietary OS that has been designed to handle different functions in a secure and efficient manner.

So, when is a UTM not a UTM? I guess that all depends on your point of view. I consider a UTM to be a box that has several security features built in (firewall, IPS, VPN, NAC, ACL) to be a UTM. I don't consider them all to be on equal ground when it comes to reliability or secure functionality. You do get what you pay for in most cases. I doubt that most of the smaller vendors have true separation of duties between each function of their device. So if one is compromised then getting to the others is not a big deal.

To answer Cutaway's question, yes there is a difference in a UTM device that has been built from the ground up for that purpose and one that has been "retro fitted" to handle multiple functions. There is a difference in the security of them and the complexity of them. Just as there is a difference in a OS that is built for home use and one that is designed to handle classified government documents. If you are looking to deploy a UTM to protect the enterprise then you need to get a enterprise class UTM and not settle for something that sounds good.

Fuzzy Promises

Nothing is ever as you want it to be and never as good as it seems. I should know better, but I guess I got a little giddy and naive. I trusted Ask.com to help protect my privacy when I do Internet searches. I don't have anything to hide in my searches. I'm not looking for bomb making tips. I'm not trying to find out where the next terrorist training camp will be held. I'm not looking for porn or anything else that I wouldn't want my friends or family to know about (except when I'm looking for a gift for my wife, then she can't know until after the fact).

I decided back in July to change my primary search engine to ask.com because they announced that they would be introducing a new feature that erases your search information and other normally gathered information. I trusted them to do that and to do it completely. I trusted them to do the right thing. I should have known better. Thanks to the guys at the Emergent Chaos blog I now know more about the truth. I should have done as they did and read the privacy policy but I didn't. They are boring and too long, but it would have been a good idea in this case. It seems that they are erasing your info but only from their database. They are still sending it to Google via Google ads. They say that Google is contractually limited in what they can do w/ the data, but they still have it. Why not just give it to them right up front? Google is a better search engine and if they are getting the data anyway why use Ask?

Does this mean that I'll change my primary search engine back to Google? Probably. I haven't made up my mind yet. I'm still irritated and try not to make decisions when my mind isn't clear. I guess I need to also do that when giddiness and excitement fog my thinking also.

Christmas List, End of Year Wrap-up, Predictions for 2008

My Christmas List
I've noticed that the older I get the more content I am with what I have. My Christmas list isn't very long and most of the items are things that I don't need and they are too expensive to ask friends or extended family to get for me. Here it is in order of preference:

1. 2009 Dodge Challenger (I can't wait until these things hit the street)
2. 1967 Chevy Camaro SS Convertible (call for specifics)
   
3. 2008 Harley Davidson Fat Bob Motorcycle (Not the Fat Boy the Fat Bob)
4. 17" Apple Mac Book Pro with 4 gig of Ram and 250 gig Hard drive (just because)
   
5. 160 Gig Apple IPOD (my 4 gig nano still has space on it)
   
6. Magellan Maestro 4210 Portable GPS (not sure what I'll do w/ it but I want it)
   

Now for my thoughts on 2007 and what happened in IT and Security.
It was a big year for me in terms of my career. Early in January I was notified by ISC2 that I passed the CISSP exam and was now officially certified. Also, I had been wanting to move my career from a "in the trenches" roll to more of a strategic planning roll and it kind of snuck up on me. I was laid off in May and found a Network Security job that quickly became one where I was asked to create an official security plan and lay the ground work for the overall program. So I've touched very little technology in the last 7 months and have become good friends with policy, procedures and compliance. It's been fun although I'm itching to get some 1's and 0's under my fingernails again. :)

There were lots and lots of big stories mostly dealing with data loss, theft or breaches. It seems that every week there was something new happening that gave us reason to hold tighter to our wallets to ensure that our bank accounts weren't emptied or our Identity wasn't stolen.

In my humble opinion one of the best things to happen in 2007 is the Security Catalyst Community. Why? Because there is a quiet storm brewing there. Most people who are in the community only see the surface of what is happening. There are people in the community who are serious and passionate about security and they are actively working to make some changes. There are some people in there who stop and think and make others think. I think that in the near future this group of people are going to make significant strides towards making a difference.

What will next year bring?
I really don't know. I'm not an analyst who looks at trends and acquisitions and such and comes up with predictions. I know that there will be good bad things with regards to security. I know that companies will introduce new products and technologies that will make great strides towards making us more secure and then the bad guys will figure out ways to get around them. People will continue to make bad choices in regards to their online habits and cause problems for themselves and others.

What does this mean? It means that we have to continue to be on our toes, we have to work together to protect the internet, we have to continue to think about what we do, why we do it that way and is there a better way. I think 2008 will bring lots of new ideas on how to do things better. They may not (probably won't be) technology focused. They will be people focused and conceptually focused. More people will question why instead of just following the crowd. This may not be good news for vendors because we will discover that we don't need new products to do things that we really don't need done.

Privacy is a goner!

When I wrote my post on the SSN fiasco earlier this week I started to title the post
"Is Privacy Dead?", but I decided against it for lots of reasons. It's an over used
statement, it's been used before on other blogs, etc. Then today I listened to the
latest episode of Secuirty! Now and what was the title? "Is Privacy Dead?" It was an interesting episode that was very light on "true" security content (many would say that all episodes are light on true security) but had some interesting information.

I think most of us have known for a while that remaining anonymous and retaining full
privacy is a thing of the past. Just when we think we have found the way to hide our
tracks someone else finds a way to follow us. Just about everything that we do is
monitored. Our TV viewing habits, phone calls (or at least who and when), what we buy, what web sites we visit, when we go through a toll booth w/ a "FastPass" type of
technology, who we IM and text message, what music we download, what movies we rent
and on and on and on. These are just a short list of things that someone is watching.

What is bad about this for the average person is that there is little in the way of
control as to what happens to the data. Rarely, if ever, do you have a say in what the company that has the data will do with it. They may sell it, store it, give it away, use it to "profile" you, make recommendations on ads to push to you, products to sell you, which department of the government to pay you a visit. :) It's just mind boggling.

Why can't we just live our lives and remain somewhat anonymous? Why do all these companies need to know so much about us? I know the answers to these questions. At least the reasons that they give, but I just want to be me. I just want to buy my milk and bread without being told that other people who bought milk and bread also bought beer and chips.

We have to rethink what we decide to try and keep private about ourselves. Do we care
that the grocery store knows that we always buy a certain type and flavor of Ice Cream? Is it worth saving 50 cents a tub? Probably for most of us. The same goes for our browsing and buy habits online. Most of us aren't doing anything that we don't want others to know about so we don't care.

What is the problem then? The problem is that we risk becoming apathetic and then when something that really matters comes along we let it go without asking why or doing something to prevent it. The loss of something usually starts out small and then slowly gets bigger and bigger until it's gone.

So, who has your data? Who knows what you do? It may not matter now but I think that you need to care and take steps to limit it.

1. Ask why a company needs to know this much about you in order for you to save a few cents.
   
2. Ask what other options you have other than giving out PII about you.
   
3. Ask then what data they collect, what do they do with it and who do they share it with.
   
4. Ask what controls do you have over the data and what they do with it.
   

Then make a decision.

• Do you go ahead and give in?
  
• Do you not give out what you don't have to?
  
• Do you "opt out" of what you can?
  
• Do you make up some of the information so they can't track the "real" you?

They aren't going to quit collecting data and the bad guys are getting better at getting to it so you have to decide what to do. Protect what you can and make plans to recover if something bad happens with what you can't protect.

Patch Management Poll Results

Judging from the voter turnout for this weeks poll you would think that it was a local government election. Voter turnout is usually in the 10% arena and this week it was closer to about 3%.

Here are the results:
How does your company handle Patch Management?
A)Research, Test, Deploy w/i 30 days 27%
B)Research, Test, Deploy with no set time frame 18%
C)Deploy all soon after release 0%
D)Deploy all after a month or so if no bad effects made known 27%
E)Use MS Update w/ automatic installation 18%
F)We don't need no stinkin' patches 9%

The good news is that most of you are patching your systems and I imagine the one who
voted for (E) is either lying or works in a one may shop running Linux and needs to
patch it.:) The better news is that most of you actually have a plan beyond using MS
Update with no over site. The really good news is that no one said that they were blindly deploying the patches soon after release. Wait, except for those who chose E. :( The bad news is that since so few of you actually voted that makes me wonder if you aren't patching and just don't want to admit it.

There won't be anymore polls this year. It's getting close to the end of the year and
lots of people are going on vacation and when it comes to reading blogs and such I
imagine that lots of people will just give them a quick glance and only actually
read them if they look really interesting or exciting. Actually taking action and
making a choice on a poll is probably asking too much.

Ask.com delivers on promise

Back in July I said that I was changing my primary search engine to ask.com because they were actually going to do something to protect privacy by not storing search information. Today they have delivered on that promise. Dave Lewis of the Liquidmatrix security digest had a write up the the new ask eraser feature at ask.com.

When enabled it completely erases all history of your search from ask.com. Pretty cool. It's good to see a company really doing something. I just hope that in a few weeks or months we don't discover that they were just blowing smoke up our................ well, you know.

Have SSN's outlived their usefulness?

Everywhere you look someone has lost data that contains SSN's. It's on a spreadsheet, on a USB key, in a database, in a text file or email. We treat them like they are just a number that has no real value. Everyone asks for them from your insurance company to the phone company. Why does anyone other than our employer need our SSN? I've blogged about this before and had a poll about their use but I still don't have any clear answers.

Recently in the news we read about the breach at the Oak Ridge National Laboratory and one of the pieces of data that was stolen was visitors SSN's. Why did they have to give their SSN to visit? If we don't trust them enough to have "normal" identifying methods then why were we allowing them to even visit? Why wasn't this data encrypted? Why was it still in a state where it was easily accessible since the newest data was 3 years old and the oldest was 18 years old? This is just completely unacceptable for any responsible party to continue to have "vulnerable" data after all that has gone on in the last few years. The government should be leading the way in showing us how to secure and actually doing it. Not leading the way in showing us how to lose data.

The other thing that really gets to me is when companies want you to give out your SSN when applying for their service. WHY!!!!!! Why do they need to know my SSN just to hook up my phone or allow me to watch TV! Then when you object they act like they have no choice but if you push hard enough they will give you an alternative. What I want to know is why not offer the alternative as the only (or at least first) choice. Why not remove the choice of giving your SSN. There are other ways to prove a person's identity or their "risk rating".

I know that many have said that SSN's are so compromised that the only real choice is to throw them away and start over with something else. Some say why bother protecting yours because more than likely it is already publicly available. I say I DON'T CARE!!!!!!!!!!!!!! What if it is easy to find my SSN? IT'S STILL MINE!!!! I should be the one that determines who can and can't have access to it and use it. NOT THE PEOPLE WHOSE SERVICE I AM SEEKING TO PAY FOR!

We have to change our perspective on things. We have to quit having such a nonchalant attitude about our personal information and other things that matter to us. We have to quit rolling over and playing dead and acting like we have no other recourse but to give in. I know that SSN's are a US issue but other countries have similar methods of identification that are just as vulnerable and just as abused.

I had a conversation with a lady a few months ago who worked in IT for a school system and she was commenting on how many Latin students in the elementary school had SSN's. I said that they were probably born here by immigrant parents but she insisted that most of them had been here less than a year. Then I said that maybe that it was a ITIN (Individual Taxpayer Identification Number) since they look like SSN's and go in the same field on most forms. Again she insisted that they weren't ITIN's but real SSN's. If that is true then what does that say? Either they are stolen, their parents lied to get them one or SSN's have become completely meaningless and that getting one is no harder than filling out a form.

Maybe they have outlived their usefulness?

Incident Response Poll Results

The Incident Response Poll closed last week and I was out of town over the weekend so I didn't get a chance to write up the summary. Here are the results:

When it comes to Incident Response does Your Company

Have a formal and tested plan	8 (25%)
Have a plan that hasn't been tested	2 (6%)
Has a general idea what they will do	9 (29%)
Not have a plan	12 (38%)

67% of you answered either "Has a general idea what they will do" or "Not have a plan". That's not very encouraging. It shows that we have not done a good job in conveying the need to management. Perhaps you don't think that the need is that great. I live in a world filled with compliance and most regulations out there require an IR plan. That alone should be enough for you to take to management. Not to mention the sheer lack of understanding of what needs to happen to respond to a breach. If you don't have a plan then how will you know what to do? Do you disconnect the system from the network or leave it connected? Do you power it off or leave it on? Do you have to notify the police? The FBI? A financial institution? Your Customers? Your employees? The media? If you don't know now how do you think you will know when the time comes and you are in the heat of the moment?

A IR Plan details all of this. It tells you what to do and what not to do. It tells you who you need to notify and how to do so. It tells you how to stop breach from continuing and how to clean it up. All of these things and much more are included. Things that can make the difference in a successful incident response and one that is a dismal failure. A successful one is one that your company survives and continues on with little impact. A failure may mean that the company has to shut their doors and go out of business. It may mean that the company survives you you don't. It may drastically alter the way your company does business. That may be good or it may be bad.

If you yourself don't understand the need in a IR plan PLEASE, PLEASE, PLEASE!!!!!! do some research and discover the need. If you do understand the need but haven't been able to communicate it effectively to management PLEASE, PLEASE, PLEASE!!!!!! do some research and find someone who will help you be able to do that. The Security Catalyst Community is a great place to start with that. There are people there who will be able to help you understand the need and be able to communicate it effectively.

For the rest of you that have a plan I only have a little to say. First, congrats to you and your companies for seeing the need and doing something about it. Second, please ensure that it is kept up to date. An outdated plan is almost as bad as not having a plan. Third, if it hasn't been tested please talk to management about testing it. Even if it's just having several people review it and ensure that it makes sense that is better than nothing.

More from the "Great Thinkers" series

OK, so I don't have a great thinkers series but I think I'm gonna start one. One of my soap boxes is the need for IT and especially Information Security Professionals to quit thinking alike and start thinking about your specific needs and the best way to protect your company. That is key to really being successful. If you just follow best practices and the crowd you probably will be secure but you will never move beyond average. If that is what floats your boat then that's fine, but if you want to really make a difference and have the best chance to advance your career then you have to change the way you think. You have to keep on top of your game.

Rebecca Herold has a good post on her blog where she give advice on "elevator speeches". In essence she is telling us that we need to be prepared to sell our program, ideas, plans and such at a moments notice. We need to be prepared for the unexpected opportunities that sometimes come our way. It may be a ride in the elevator w/ the CEO when they ask you about your program. It may be that you get a call from your boss or your bosses boss. They want you to brief them on the status of your security program and they want it now or very shortly. What will you do? Have you thought about that possibility? Are you going to give them stats, charts and figures? Are you going to tell them about all the technology, policies, and such that you have in place? What about using this opportunity to give them a quick overview and at the same time sell them on the importance of the program and keeping it fresh and moving forward. If we tell them that we haven't had a breach and all is well then they may say "Great, Your doing a wonderful job. Keep up the good work!" Then they go on about their business and forget all about you. You don't get the funding you need for future projects and upgrades. You don't get the support you need to keep things going well. Then you get hit and it's your fault for letting it slip off their radar.

I'm not saying that you need to use FUD (Fear, Uncertainty, and Doubt) to keep them "afraid", but you need to know not only the status of your program but also what you need to keep it in good order. You need to think about how to best sell your program or at least keep it on the radar of management.

BREAKING NEWS: MAJOR DATA BREACH!!!!

I was just informed by one of our IT guys that there has been a massive data breach at TJX, the parent company of several "discount" department stores. It seems that someone was able to penetrate their wireless network............................... wait, what was that? This happened last year?

That was the gist of a conversation that I had this morning. One of the guys I work with came to me and asked if I had heard of the TJX breach. He just found out about it last night while watching 60 Minutes. I was stunned.

A couple of things clicked in my head after this. One, this explains why they have continued to have good sales numbers. Either people don't care or don't know.Two, this shows how easy it is to get caught up in your own little world and not realize just how uninformed the public can be. Three, we really need to do a better job in getting the word out about such things. Of course I'm not sure what we as IT and Security Professionals could do about this. It's been all over the news and multiple media outlets. Yet there are still some who are unaware of it. I don't understand how someone could not know. I guess in this case there is an exception to the saying "no man is an island unto himself".

Happy Thanksgiving!

To all my USA readers I hope that you have a great Thanksgiving Day and that you get to spend time with those you really care about.

For those of you outside of the USA I hope that you have a great day at work or whatever Thursday finds you doing.

Thinking Again

The SANS Storm Center has a really good piece today on thinking about what we do and why we do it. I'm a big proponent of not just doing but thinking about what and why and if there is a better way than the "best practice". It's good to see others doing the same.

Say What?

She didn't realize that I knew who she was. I had seen her picture and as soon as I over heard her conversation I was able to determine who she was. I was on a bus riding from the city back home to the burbs. She sat across the isle from me and was talking to someone about a legal matter. She got off the phone and proceeded to call a friend to say Happy Thanksgiving. She should have stopped there.

As she talked w/ her friend she brought up the legal issue with her. She started the conversation with "I'm not supposed to tell anyone this". Then she proceeded to tell not only her friend but at least 5 or 6 other people sitting nearby. Since I am friends with the person that she is having legal issues with I know that her side of the story is riddled with flaws, inconsistencies, lies and all sorts of other things. Once I talk with my friend I think his case will be much stronger.

The above is not exactly true. I don't know any of the parties involved in this dispute, but I did hear way too much information about the case. Especially since she wasn't supposed to talk about it. As far as she knows there may have been someone on the bus who was familiar with this case. Her need to talk put her at risk of losing a court case. If she would do this with something this personal and of a private nature what is to keep her from doing the same thing with sensitive company information? This is just another example of the old saying "loose lips sink ships". You need to think about where you are when you are having private conversations.

Ethics Quiz

Update to my quiz answers.

Matthew posted a comment to this original post asking for some clarification on the conditions on my answer to question #3. In his comment he mentioned something about "breaking government law" and my willingness to do so. It kind of caught me off guard so I went back and re-read the question and realized that it said "You are aware state law prohibits". I had made the incorrect assumption (due to not carefully reading the question) that the question was the same as #2 except it dealt with uninstalling software instead of installing software. Shame on me for not being more careful. So, that being said my answer is still D. Document the request and refuse to remove the software. I retract my conditional statement that follows. In this case there is no reason that I would uninstall the software and break State Law.
____________________________________________________________________

Matthew Rosenquist, the blogger who wrote the article that I referenced in my post "Are You Ethical?" wrote me a comment today and asked if I'd be willing to answer his questions and post them to the blog. So here it goes (my answers are in red).

• 1. You are conducting a confidential investigation of Employee ‘A'. An employee outside the team, asks "Are you investigating Employee ‘A'?"

You Answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: I can't/won't comment on any investigation that may or may not be going
on.

• 2. Policy prohibits any team member from installing software on Server ‘A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server ‘A' to benefit the company.

You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software
(This is my answer based ONLY on these 4 choices)
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing verse not installing it is.

• 3. You are aware state law prohibits any team member from removing software on Server ‘A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server ‘A'.

You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to remove the software
(This is my answer based ONLY on these 4 choices)
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing verse not installing it is.

• 4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?

You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management
(This is my answer based ONLY on these 4 choices)
I chose to follow the request because this time it goes against SOP no policy. SOP has room to wiggle policy usually doesn't.
My real answer would be dependent on exactly what the situation was, what the purpose of the server is, what the requested software is and what the implications of installing verse not installing it is.


So, similar to Martin's comment most of these are very situational and not exactly black or white. I do believe that many situations are black and white but when dealing with technology and keeping a business safe and running situations play a big part in lots of issues. Ethics are still VERY important, but sometimes policy is wrong or hasn't taken into account every situation.

Compliance and Audits

I just finished reading a post by Rebecca Herold on something that most of us don't think about or even realize can be an issue. It's a compliance related issue that I wasn't aware of and I spent 3 1/2 years working for a company where 95% of the employees had to fill out I-9's. Not only that but 99% or our customers were also not citizens of the USA. Still this was something that I never thought about and the company never brought up as something that I needed to be aware of. That makes me wonder what else am I not aware of? What other regulations are there out there that I, as the Information Security Officer, need to be aware of? I thought I was doing a pretty good job of keeping up with the various regulations but this one slipped under the radar. I hope that there aren't others, at least not too many others.

Keeping up with these things can be a full time job and if you don't have a legal department or an HR department that is on the ball then you had better be. I remember back in 2002 or 2003 when I first really became interested in compliance related issues. It was when HIPAA was approaching a big deadline for providers. I was tasked with becoming the HIPAA expert for the consulting firm that I worked for. At that time I decided that I would try to keep up with all appropriate regulations that affected the company that I worked for and any that may prove helpful (the knowledge of not the regulations themselves since we know that most are not helpful in the least bit) in the future.

I recommend reading Rebecca's post (and her blog). It is full of good and useful information.

Another good post I ran across today was from the Security Monkey (he looks really familiar). In it he gives some really good information on how to handle yourself during an audit. If you have never been through an audit, or been an active participant in on, then you may not realize how important an audit is. Not only that but how important it is that you conduct yourself in a proper manner. I have been lucky (OK, so I'm not being totally honest) to have been through several audits. At first they scared me to death. I was afraid of saying the wrong thing and so was my boss. I was lucky in that I received some good advice on how to handle myself early on and it paid off. That doesn't mean that I lied or hid the truth, I just learned to answer the questions that were asked and not the ones that I thought were asked. I recommend reading this post if you are required to participate in audits. It may well safe your tushie. :)

New Poll on Incident Response Plan

I've just posted a new poll about company Incident Response Plans. This is an area that is often over looked and under planned. Many companies don't even realize that there is a need for an IR plan and have no real idea what they would do if an incident occurred. In this day of legal and compliance issues having a plan is no longer just a good idea. The lack of one could cost your company lots more than the cost of clean up. You need to have a plan of attack for a variety of different incidents. The way you would handle a virus outbreak is different than how you would have a server compromise that exposed financial or customer data.

If you don't know where your company stands in regards to an IR Plan don't just take it for granted that they have one. Ask your boss and if there isn't one inform them of the necessity and importance of one. Be prepared to either volunteer to help or be volunteered. :) Do your homework and you may come out smelling like a rose.

Here is the question and the possible answers to choose from. You can find the poll itself here.

When it comes to Incident Response does Your Company

	A. Have a formal and tested plan
	B. Have a plan that hasn't been tested
	C. Has a general idea what they will do
	D. Not have a plan

Ethics Poll Results

The polls have closed on the Are You Ethical Poll. Pretty good turn out for the first poll in a few weeks. Here's how it breaks down.

When it comes to company policy do you:

A. Follow all the rules	5 (11%)
B. Have work arounds that are necessary and approved	26 (61%)
C. Break the rules how ever I can	2 (4%)
D. We have Security Policies?	9 (21%)

It turned out about like I thought it would. What surprised me the most (although I'm not sure why) was the number of you who answered D. We have Security Policies? This shows that lots of companies do a poor job of communicating the policies that they do have. Maybe it's because they were created and haven't been seen since. I don't think giving a new hire a book full of documents or a link to an intranet site is a good way to inform them of security policies. But I guess it allows companies to say that they have done their part.

To those of you who answered A. Follow all the rules, I say LIAR!!!! Just kidding. I know that there are those who do and I wish that there were more. It's not an easy thing to do. There are too many things that are easy to get around and really don't cause any harm. They just happen to be against policy. For those who do get around things w/o approval, or even those who do get approval, be careful. Not so much because it can allow bad things to happen (you're a security professional you know better) but because if end users know about it then it can harbor bad attitudes towards IT and we don't need any more of those.

It's good to know that education and hard work have finally paid off

All of us have received many different phishing, scam, and junk emails. I get them ranging from the real SPAM ones to the Nigerian bankers widow and all sorts of them asking for an "updated" version of my resume along with my bank account number so they can deposit my pay check. Today I think I got the one that may well top the list as my all time favorite. I'm including the body of the email so you can read it.

My favorite part is the highlighted sentence. It's good to know that all my IT and security training has paid off and that they think so highly of my resume.

Dear applicant,
Having carefully investigated your resume we would like to employ you to work with our company as an administrative assistant. Monthly salary of $2000 is guaranteed for 10-15 hours of work per week. Our company was established in 2003 in Birmingham, Great Britain, and we have a number of branches in Eastern Europe and the United States. Our main trading specializations involve products sale and resale, as well as auction drop off.
Our task is to guarantee effective cooperation between sellers and managers, which ensures beneficial sales. Our operation involves maintenance of auction services, which allow anyone to sell unnecessary goods, using the services of professional sellers.
Why selling on an auction?
Using auctions is very convenient, because it allows people to sell their goods at the optimal price. We provide comprehensive support, examination of the item, and stressing attention on its positive features, as well as making professional pictures of the goods. After that, we fill in the listing form and post the information about the item in the necessary auction category. We also try to determine the best time for the start of the auction. We notify the clients about the start and end of the auction. In the course of the auction we advice buyers, receive payments and return change when necessary. Our other duty is to pack the item and deliver it to the buyer, along with some other things that are necessary for a perfect sale.
Who sells the items?
Our clients can reside anywhere. In anyplace of our world. These people are professionals with a great experience of 98% of successful deals. The majority of them are qualified to work on Ebay, Qxl, and Amazon online auctions.
Where are the items dropped off?
The items are sold on the different online auctions as Ebay US, Amazon Auctions, Big Deals, Ebay, QXL(UK Auctions), etc.
What items are usually sold?
The most popular selling categories are watches, silver and golden wares, collectibles, electronic appliances.
What are my duties as an administrative assistant?
Administrative assistants are mediators between sellers and buyers. This job is vital, in case if a person, living in {Moscow, Saint-Petersburg, Kiev}, want to sell his/her goods to Australia. Our assistant can make this operation possible. Administrative assistants are responsible for collecting and keeping all sales records in his/her region, and should also receive payments from clients. The assistant's duty is to draw up daily, weekly and monthly statements and keep record of incoming and outgoing mail to representatives of the management and sales department.
Will I be directly involved in sales? How will I find out that a deal has been made?
You do not need to sell or buy anything. Your task is to accept payments in your sales area and send all the relevant mail to the administration. If a buyer is not satisfied with the item, there is no refund. The only way is to exchange the item. In this case the seller and the buyer will settle this matter on their own. After the transaction is complete, you will be sent an e-mail with the purchase data, including the price of the item sold and its buyer's name.
What bonuses will I have as an employee of your company?
All the workers have a right for two-week paid vacations twice a year. After first three months an employee may take up his/her first vacation. We also offer {great,huge} discounts for our employees. They are listed in a catalog, which will be sent to you. Moreover, after receiving an invoice (at the end of each month) - we will pay all your taxes, reported in your tax returns.
How much should I invest to start working with you? How will I receive my pay?
No expenses initial payments are needed. All money, that may be invested by you will be returned by the company. Your monthly salary can reach up to $1,800-2,300. You will receive a 5-percent commission from each deal managed by you. A minimum salary is $2,200. If your salary does not amount in this sum - you will receive the amount of the shortfall by check or bank transfer.
For details, e-mail us at: xxxx@xxxx.com

Best Regards,
Leslie Nolan.

So I guess once I accept this I'll stop blogging. Hey! Wipe that grin off your face. I'm not gonna stop. :)

Dilbert's CIA Triad

Here is a great Dilbert comic about the conflict between security and usability. Hopefully not too many companies go quiet this far.

ISC2 Board of Directors Election

For all of you who are voting eligible members of ISC2 tomorrow morning at 8:00 am the Polls open. See the included email for information. I encourage All of you to check out the candidates, find out who they are, what they stand for and vote for the ones that you feel are most qualified and will add the most value to the group.


Dear Members,

It's election time again. Let your voice be heard!

Voting for the (ISC)2 2007 board of directors election starts at 8:00 a.m. EST on Friday, 16 November 2007. Only members in good
standing as of 19 July 2007 are eligible to cast their vote. Don't miss your chance to impact the direction of (ISC)2! On 16
November, you will be able to log on to the member Website at http://members.isc2.org and register your vote. We'll provide voting
instructions next week. Voting will close promptly at 5:00 p.m. EST on Friday, 30 November 2007.

Because we are undergoing some changes to the Website, please log on to the member Website, well in advance of the election, to
ensure your logon works. Should you encounter any issues or have any questions, please contact us at registrar@isc2.org.

For general information about the election ballot, please visit https://www.isc2.org/cgi-bin/content.cgi?page=1325.

As always, we strive to ensure a fair and convenient voting process. Should you have any questions about the election or any of the
candidates, please feel free to send an email to boardelections@isc2.org.

Thank you for your support!

Sincerely,

Dorsey Morrow, CISSP
Corporate Secretary
(ISC)2

My Lunch with Farnum

As Michael said in his post last night he and I met up for lunch yesterday as he was passing through town. Rothman was supposed to be there but apparently he didn't have his head on straight and was unable to make it in person but showed up in spirit. Thus the picture of He and Farnum. What Farnum didn't know was that I had a "secret picture" taken that got all 3 of us. Now Farnum had just drive from the Atlanta Airport to my Office in Buckhead so he was a little steamed as we know driving can make him. My "special" camera caught a different view of him. I sure hope the rest of his drive to SC was better so he didn't scare the people he was going to see.

100% of People Read My Blog

I did a little research the other day and asked 10 people that I know if they read my blog. All of them said that they did so therefore I can assume that 100% of the people read my blog. At least that's true if I follow the premise of the Times Online. They took a study by Sophos that said that half of the respondents of a survey said that they had piggybacked off of some one's open WiFi connection. They then translated that to say that 1/2 of computer users steal WiFi. Makes sense doesn't it?

Along those same lines there is the guy who did port scans of 1,000,000 IP addresses and discovered that 210 of them had unprotected databases exposed to the web. He then decided that that means that there are 500,000 unprotected databases on the Internet. Now I understand statistics and such but I think these are a little far fetched. Your sample has to have rhyme and reason to it and I don't see that in either of these cases.

What statistic I do see that isn't pretty is Montana State University having 3 data breach disclosures in ONE day. That has to hurt. At least the number of exposed records is small (272) unless you are one of the 272 then it becomes a much larger number. What got me about this is this comment

According to university spokeswoman Cathy Conover, the data on the USB storage device was not encrypted. Following the incident, the university has initiated steps to remove all personal information from portable storage devices to mitigate the risk of something similar happening again, she said.

Once again we see organizations reacting instead of being proactive. In today's world this needs to be something that is already in place or at least being actively pursued. It should not be an after thought.

CIS 2007 Update

You may remember that a few weeks back the folks that run the CSI 2007 conference were kind enough to offer me and 2 readers free admission to the conference. Unfortunately I was not able to attend but was able to give the 2 free passes away to readers. I asked them to send me a short synopsis of the event so I could post it for those who are interested in reading it.

The 2 winners were Sajeev Nair and Patrick Harrison. Sajeev attended and has included his report below. Patrick's registration apparently got messed up and when he got there they said "I know thee not, depart" So he went to work. Luckily he lives and works in Arlington, VA where the conference was held.

Here is Sajeev's report.

The conference was really good with great sessions and exhibitions. There was lot of opportunities for networking with peers and that is one of the primary reason I choose to attend such events. It is always good to know how others are doing and compare them with you practice and I think that is the best education you can get. The sessions covered pretty much all areas of Information Security but the ones I liked the most was on developing security metrics, it is one of the hot areas in Information Security and it was really informative. I also liked the session on "choosing Information Security as a career" where the speaker talked about different areas in Information Security and how to grow within this field. Information Security is becoming more and more of a business issue and one need to have the business skills to survive in this industry and this was one of the main difference I noticed in the CSI conference (from other security events), they not only had sessions on the technical areas of Information Security but also on the business areas like risk management, metrics, compliance etc. On the product front, I really liked the product from Gigamon.

Again, thanks for letting me attend the event and hope to meet at some other events.

Sajeev

I've Been Profiled

My blogging buddy Kai Roer, who has profiled lots of security bloggers, has now chosen me as his target. You can find the profile on his blog here.

PLEASE excuse the really bad picture of me. I didn't have anything so I took it myself w/ my camera phone sent it to him. I didn't realize just how bad it was until I saw it this morning on his blog.

Knowing What You Are Protecting

Our job is to protect stuff. What exactly is that stuff? Networks, data, systems, web sites, physical equipment and locations, etc.... As information security professionals what we protect often depends on what our jobs are. Some of us are responsible for protecting everything and some are responsible for specific areas. So what we protect can and does vary and therefore so does how we protect them.

What I'm wondering is even within your specific area do you really know what you are protecting? I guess this question really is directed more towards those who are tasked with protecting data. What I'm talking about is the data stored on your systems. Do you protect everything? Do you protect everything equally? Do you even know where all the data is that needs protecting? Is it all stored nicely on network drives and in databases? Oh if that were the case. If it only that simple and easy.

Unfortunately even though the data may very well be in those places the question is "Where else is it?" Is it on desktop and laptop hard drives? What about USB sticks, IPods, CD's, employees home computers? Did it get emailed, printed and removed from the building, ftp'd off site?

OK, lets not go there for this post. Let's keep it simple. Let's assume that you have DLP or some other solution in place that has eliminated all of the above. Do you still know where your data is? Do you still know what really needs to be protected? All data does not have the same value to the company and therefore unless you have a very simplistic network protecting everything equally is not easy or necessary. Obviously you want to protect you entire network, but you want to protect financial data, PII, and information of a sensitive nature more than you want to protect Andy's ITunes library backup.

So again I ask do you know where all of he data is? You do? Great! One more question. Do you know what it is that needs to be protected? Has management determined what really is important and what really needs an extra measure of protection. Rebecca reminds us that if we (the organization and management) haven't identified what is considered to be PII then there can't be an expectation of protection.

If you, as the company security professional, don't know the answers to these questions then you need to get answers quickly. You need to meet with your manager, department managers, the CIO, or who ever it takes because you can't adequately do your job if you don't have all the information. Being tasked with "just protect everything" isn't good enough. You have limited resources and time so you need to be able to make wise decisions on where to invest them.

The Polls are Open!!!

I've decided to start my information security polls again. This one relates back to my last post on ethics and the information security professional.

When it comes to company security policies do you:
A. Follow all the rules
B. Have work arounds that are necessary and approved
C. Break the rules how ever I can
D. We have Security Policies?

I have no way of tracking who you are so you can answer honestly and truthfully (of course if you don't then are you really ethical?) :) Something to think about.

Are you ethical?

I ran across an interesting post this morning regarding ethics and information security. Most of us can remember the surveys that have come out in the last year or so that talk about how many IT and IS professionals actually act in an unethical way. I've blogged about it as well as many others. It's sad and both surprising and unsurprising at the same time. It's surprising because you expect people in positions of trust to do the right thing and unsurprising because everyone has their own idea of trust and what is right.

The Intel blog post linked above has 4 questions that pose hypothetical questions about ethics and what you would do in areas that are often considered gray. Take a look at them and be honest with your answers.

I'd also challenge you to think about other things that you do that many don't think about as possibly being unethical. What do you do on the internet that is against company policy? Do you allow yourself access to internet based resources that the rest of the company is blocked from? What does company policy say about that? If it allows it because of the nature of your job then it's one thing. It's another if you have punched a hole for yourself that isn't "approved" by policy and management.

Things such as this are what either gives us credibility or takes it away. In my last job the company DBA bought me a tee shirt that said "I read your email". (That's read as in present and future tense not past tense) It's a funny tee shirt that got me lots or laughs but it wouldn't be funny if I actually did read everyone else's email. Yet, lots of email admins and security guys do that very thing. They want to keep up on what management is talking about and the latest gossip or love affair in the office. Even though things such as that are blatant and obvious unethical acts they aren't the only ways. Ethics has to be at the core of who we are and what we do if we really want to succeed in life and in our careers.

I'm reading a great book on that very subject right now. It's called "High Performance Ethics" by Wes Cantrell. He was the CEO of Lanier Office Products for several years and he lead Lanier in modeling High Performance Ethics in how they conducted business. I highly recommend reading it. It's also kind of cool because Wes and his wife teach the Sunday School class that we go to at Church.

Why become a Information Security Professional? (part 3)

So far in part 1 and part 2 I've talked a little about the whys and why nots of becoming an information security professional. Now I'm going to talk a little about what to do once you have decided to make the move into information security. This is the same basic advice that I give when I get an email from someone asking for advice. Obviously, if I know more specifics it's easier to give more specific advice, imagine that. :)

The first thing I would recommend is that you learn the basics of security in general. Why do we need it, have it and what is the purpose of it? How does it work? Learn the basics of TCP/IP since it is the heart of most networks. Learn the basics of networking and web services. When you get these things down you have a pretty good foundation to build on. No matter what area of security you choose to go into these will help you. They are the core of almost every business.

Next try to figure out where your talents are. Are you good at coding, routing, servers, windows, Unix/Linux, strategy, what? What are you passionate about when it comes to security? This is the area that you most likely will find the most success and satisfaction in. Do your research on various disciplines. Talk to others who are in security. Read blogs, books, etc that cover security and the various disciplines.

Lots of times people ask if their current job is a good learning ground. I say Yes! It doesn't matter what your job is. Learn about how security affects it and how it can be used to improve and protect it. Anything that you can learn can be applied to various disciplines. Don't get too narrow minded and focus only on the technology side. Learn about physical security also. It helps to train you mind to think outside of your little corner of security.

Once you have made a decision to focus on a specific area then practice all you can. Set up a home network using VMWare and free security tools. If you have access to spare systems and such then use them. Check out online resources that will allow you to practice your skill. There are sites (some free but most are pay) that will give you access to routers, firewalls, servers, etc. You can hammer away on them and also practice securing them. Then again read books specific to that field and talk to others who are in that field. Join online communities (my favorite it the Security Catalysts Community) where you can interact with and ask questions of others. Also take advantage of any training you can or local security focused organizations like InfraGard, ISSA, ISACA, etc...

That should get you on your way. Good Luck!

The list of lists

Update: Please forgive the really bad title. I was taking this in a different direction and then decided to change and forgot to rename before posting. Oh well....

Lots has been going on lately. Things at work are still busy but I've been able to take some time and attend several good vendor presentations and the Atlanta InfraGard meeting. In the past week alone I've attended a WhiteHat luncheon where I got to meet my fellow Security Catalyst Bill Pennington. I went to the local InfraGard meeting, attended a Cisco Security Presentation and later today I'm going to a physical security event put on by Stanley (yep the tool guys).

It's actually been a pretty good use of my time even though it's also been a lot of my time. Of course in addition to the information that you get from listening to the talks the networking is always good. I've met lots of people who are either implementing something that I'm considering or who have experiences in something that I am working on. For example I met a lady who has gone through a very similar experience to my current work position and turned her organizations security program into one that is looked at as a leader in that industry. Of course her industry and mine are miles apart, but her experiences and insight will be an asset to me as I continue to evolve our security program.

On a completely non-security note I did have a bit of good fortune at the Cisco event yesterday. They were giving away a door prize (as most always happens) but it wasn't the typical IPOD or USB key. They were giving away a Roboraptor remote control dinosaur. My name was drawn and I won! What a cool toy! I haven't played w/ it yet but I did do a little research on it and WOW! If this thing is a fun as it looks...... Of course I have decided that instead of keeping if for myself I'm going to give it to my nephew for Christmas. Although my daughters really like it. I think they may change their minds once it's out of the box and my nephew chases them around the room with it. :)

There is some pretty exciting things going on at work that also has me pumped. Management has decided to get behind security and I think that some of the ideas and plans that I have will have a very good chance to be implemented over the next year. That always brings a smile to my face. Also there were some pretty big changes made that has solidified the network infrastructure team. That will be key to many projects that we have on tap. All of which I get to get my hands on in one way or another.

One last thing, I found a new blog today thanks to Andrew Hay. It looks pretty interesting and I wanted to pass it on to y'all. It's part of the MSDN blog lineup. What caught my eye was the series on Web App Security. Imagine being concerned about that. :)

Oh yeah, a couple more "one last things". I had an opportunity to talk with both Andrew Hay and Rebecca Herold recently about some things that are going on in the Security Catalysts Community and I wanted to say that talking to them really pumped me up. I love talking to people who are passionate about what they do, especially when Security is what they do. While I'm speaking of passion and security I can't help but think about my friend Michael Santarcangello. While he has been very busy with his company and quiet on the blog front lately he has put out some good stuff in the last few days. I'd encourage you to check out his latest podcast and blog post on email privacy. You can find both of them here.

Why become an IT Security Professional? Part 1

I get a fair number of request from people asking me to give them advice on how to either get into security or career guidance on how to best move into a specific area of security. Since often these questions come from readers I decided to do a couple of posts on this topic. I'm going to try and cover it from a few different perspectives. The "Why to", the "Why not to" and some of the "How to". I hope you find them informative and useful. And as always if you see something that I'm totally missing the boat on just let me know. :)

It seems that lots of people want to become information security professionals. I guess they consider it to be the "holy grail" of IT. The problem is that it isn't. It's a great field to be in if you have the skills and passion but it's not the ultimate place to be.

I think that lots of people think that if they break into security that they are on their way to financial nirvana. That too is a myth. Don't get me wrong there are those in security who do quiet well for themselves. Yet they are kinda like the people on the exercise infomercials. They start off 40 lbs over weight and after 8 weeks of this "miracle exercise" they have lost all the weight and their abs are well defined and all the world wants to be like them. What they don't show you is that this person worked 50 times harder than everyone else and they were committed to this. They also don't show you the other 100 people who only lost 5 pounds and went back to their old lazy ways right after the trial period was over.

That's the way IT security can be. There are the few rock stars. Those who are really good and who have a passion for what they do. They work hard, they learn all they can and they succeed. They make a name for themselves and make good money. A few make really good money. The rest, well they spend their days doing what they like doing. They protect networks and data. They look for vulnerabilities and shut them down. They scour code looking for a way to make it safer and they develop tools that makes the rest of us look good. They also make just enough to keep them going. They pay their bills and maybe have some to put away, but they are not getting rich by any means.

So, reason number one to NOT become an IT Security Professional, MONEY!! If you are doing it for the money you are doing it for the wrong reasons. Chances are you won't make nearly what you think you will make.

Why become an IT Security Professional? Part 2

Yesterday we talked a little about why you should NOT become an Information Security Professional. It was only one of the reasons why not to, but it's one reason that I hear people list as to why they do go into information security. Other reasons not to are things like, it's a glamorous job or it's the hot thing right now and you are likely to land a job quickly. Ask someone who spends their days monitoring IPS or firewall logs just how glamorous it is. :) Also you don't want to do it because it's something in technology and you like technology. If that's the case find out exactly what it is about technology that you like and do that.

So why should you consider becoming an IT Security Professional? Do it because you really can't see yourself doing anything else. Do it because you can't not do it. Do you have a passion to secure technology? Then, by all means, become an information security professional. Do it because you have a passion for it and because you are good at it. Passion is necessary (in my humble opinion) but by itself it won't do the job. It's like most any profession. You may have a passion for it but not be any good at it. So make sure you are good at what you do. Your niche may be network security, systems security, application security, database security, web security. It may be compliance and policy. Maybe it's white hat hacking. What ever it is that is what you need to focus on. If you are good at it and have a passion for it then chances are you will be successful at it and you probably will make good money doing it. While you're at it learn what you can about the other disciplines within IS so you will be well rounded.

It's not always what it seems to be

It's kind of ironic that after seeing and posting the Ziggy cartoon about the Nigerian email scams that The Register has an article about a HUGE loss due to email scams.

This reminds us of the importance of being very diligent in how we deal with what seems like legitimate emails. We all get them. More often than not they are SPAM or scams. They are getting more and more realistic now. I received one the other day pleading for money to buy Bibles for Christians in Russia or somewhere. I receive similar emails that are legitimate so that makes these hard to detect. The look of an email will go a long way in determining who will or will not act on it. This is true in business and in scams. The bad guys know this and they are starting to pay more attention to it. They are spending more time polishing their emails so that they will get looked at. That's half the battle. If they can get someone to open the email then there is a much better chance that they will take action on it. Hopefully that action will be to delete it, but often enough it is to click on the link, reply to the plea and then get infected or have their ID stolen or bank account emptied.

We must be careful with all email even those that we receive from people we know or think we know. The incident with SuperValu is a great example of how "blind trust" can really hurt. The emails looked legitimate. The seemed to be from a known and trusted source. Yet it cost the company more than $10 million dollars. All because internal controls broke down. All because everything "looked" right.

You could argue several positions on this. Lack of a good User Awareness program was at fault. Not having good internal policy and controls played a part in this. Having both of these in place could have gone a long way in preventing this but nothing works as well as common sense and due diligence to ensure that things are as they seem.

So, what do we learn from this? Have the proper framework in place. UA program, policy, controls and encourage your people to think. Thinking is the thing that really can make a difference and prevent something really bad from happening.

Ziggy found the scammer

Here is a great Ziggy cartoon that we all can relate to. At long last the identity of the Nigerian Bankers widow is revealed!

Who would have thought?

Who would have thought that a new smart phone that was shipped out in October of 2007 wouldn't have the new DST time change patch already applied? I guess this shows why making an assumption is not a good thing. Especially when dealing with technology. My new BlackJack notified me on Sunday morning that it had updated the clock to reflect the change from DST. I didn't think much of it but was a little annoyed. So I just changed the time and went on.

That was mistake number two. I should have also gone in and changed it to ignore DST because when it next checked in with the tower to get it's time updated it changed back. I didn't notice it until this morning when the alarm went off to wake me up. I usually get up at 4:45 am so I can catch a 6:00 am bus into the city. Of course this morning it was really 5:45 am even though my phone thought it was 4:45 am. Oops.

Needless to say I missed the bus and had to take a later one. Not a big deal just a little annoying. so when I got here I applied my patches and all seems to be well.

CSI Ticket Winners

Congratulations to Pattrick Harrison and Sajeev Nair for being the lucky recipients of the CSI conference passes. Both guys get free admission to the full conference including all sessions. This is a $1695 value for each of them.

I forgot to post is my original message that there is also a $100 savings code that any of the rest of you can use if you are attending and have not already registered. Just enter CSI2007 and you can take advantage of this savings.

Here is their promo blurb that I also failed to include in the last posting. I'm getting forgetful w/ age apparently.

CSI Annual Conference 2007
November 3-9, 2007
Hyatt Regency Crystal City
Arlington, Virginia
www.CSIAnnual.com

CSI 2007, held November 3-9 in Arlington, VA, delivers a business-focused overview of enterprise security. 2,000+ delegates, 80 exhibitors and features 100+ sessions/seminars convene to provide a roadmap for integrating policies and procedures with new tools and techniques. Register now using code: CSI2007 and save $100 off the conference or get a Free Exhibition Pass at www.csiannual.com.

We aim to make CSI 2007 a significant & stimulating gathering of security professionals and it would be great to have you as part of this endeavor.

Tickets! Get Your Tickets!

I have been given a press pass to the CSI Annual Conference 2007 this year and unfortunately will not be able to attend. I also have been given 2 FREE full conference passes to give away to anyone who may be interested in attending. It's a pretty sweet deal if you want to go. The conference registration cost is $1695 so it will save you a pretty penny. I've never been to CSI but from what I hear it's a great conference. So if you are interested in attending let me know and I'll give you the information to get the free passes. The conference is in Arlington, VA Nov 3-9, 2007. Here is a link to their site so you can get more information. CSI 2007

It looks like there will be some really good sessions and speakers this year. Just a quick mention of a few names that you should recognize:
Window Snyder
Jeremiah Grossman
John O'Leary
Pete Lindstrom
Ben Rothke

Not to mention the benefit of ISC2 CPE's for those who need them.

Just shoot me an email. My address is on the left side of my blog page. Yes this is a shameless plug to drive traffic to my site. :)

Keeping your system updated

I was looking at the latest issue of the SANS @Risk newsletter and it mentioned something that we need to keep in mind. I know that it's not something that I do regularly but I really need to do.

The four most critical vulnerabilities this week touch just about every
Windows user: Internet Explorer, Outlook Express, Word, even Kodak Image
Viewer.

The Kodak threat highlights a useful, but unpleasant fact. Microsoft
patched this product because it was distributed with Windows, but most
of the other products you add to your computer are not patched
automatically. Many vendors expect you to check with their web site to
learn about flaws that need patching. The criminals know that - hence
the new wave of attacks against applications.

All of us have software on our systems that requires us to manually check for updates. This brings up several questions that we must answer.

1. What software is on our systems? Do you know?
   Make a list of all the applications that are on your system.
   
2. How often do you check for updates manually?
   Bookmark the support page for each and check it regularly. Set a calendar reminder to ping you monthly.
3. Do you use all the applications on your system?
   Uninstall all apps that you don't need or use.
4. Where did you get your software from?
   Shareware/Freeware are great, but make sure you know and can really trust the source. The bad guys are putting our free software that looks really cool but packs a punch when it comes to owning your system.
   
5. Did it come preinstalled on your system?
   Lots of the software that comes preinstalled on your system are trial versions that only work at partial functionality or expire after a period of time. If you are not going to pay the license fee to make it a full version then uninstall it. Even dormant software can be exploited.

OK, I know that for most of you this is common sense and you are already doing much of this, but I just wanted to put it out there that all software is a potential vulnerability and we need to pay attention to the little things.

Measuring Security Effectiveness

Pete Lindstrom wonders if Information Security Professionals really can make a difference for the company that they work for. He wonders if any IT savvy person can complete the tasks that are typically assigned to information security professionals.

Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?

It almost insults me to have my skills called into question but I don't think that he is implying that what we do is just another task that anyone can accomplish. I think what he is trying to do is help us to think about what, why and how we do what we do. Sound familiar? What I like is that he doesn't just question and move on he asks for examples. What is it that you do to make a difference? What sets you apart from the average IT or security professor?

Put another way, if multiple individuals were given the same set of constraints within an organization - time/money/FTEs/assets/culture - do you think that some people would be more successful than others at reducing risk?

I think that the answer to this is pretty obvious. Yes, just as in any profession information security professionals vary in skills, knowledge and ability to adequately secure their environment. If you set up 10 identical labs and took 10 different security professionals you would get 10 different ways to secure it and all 10 would have their strengths and weaknesses.

The key isn't how you do it but that you don't just follow a checklist and that you do what is needed for your environment. Example, the same 10 lab environment mentioned above would require 10 different security postures depending on the company that they were securing and their individual requirements. I think that a good security professional would set them up 10 different ways. Someone who doesn't really understand security but who knows how to secure a network would set them all up identically. That is not security. That is work that could be done by lots of different people.

So, back to the question of what makes the difference between a real security professional and any other person who calls themselves security professional? It is the ability to adapt and think and to take each situation and analyze it and secure it in the way that it needs to be secure, not just a way that may make it secure.

Why do faster computers make us more impatient (or how technology has made us lazy)

Mitchell has answered my answer to his posting on Automatic Security. Mitchell has some valid points and I agree with him. Security software has to be user friendly. It has to be easy to use, understand and mostly not annoying or intrusive. But we still have to educate the user. If we focus on taking them completely out of the picture in making decisions then we have done nothing to benefit them or the rest of us. Our current model teaches them to click OK. So when the get a pop-up that asks them if they want to install this "add-on" they say yes. When they are asked if they want to allow malware.exe to connect to evilhacker.com they say yes. When they they are asked if they want to trust an unvalidated certificate they say yes.

We don't need to take those decisions out of their hands we need to explain to them what they mean and why answering yes may be a bad thing. One point that Mitchell made was that the default behavior for many security apps is to ask the user what they want to do. This is true, but as I said some vendors are changing that. They are looking at how the OS and various apps work and what they need to do to be useful and instead of asking "do you want to allow IE to connect to the Internet?" they are automatically allowing it to connect. They are looking at apps that are signed and allowing them to do what they are designed to do without asking the user. Another point that Mitchell made is that security software doesn't know what the user is doing or the context in which they are doing it. Again, he is exactly right. That is where we need user interaction and that is where the user needs questions and answers that are in plain English so they can make a informed choice. The software vendors have got to quit thinking like techies and start thinking like the average person when it comes to this.

Over the last decade computers have gotten faster and faster and we have gotten more and more impatient with them. They have gotten smarter and smarter and we have gotten lazier and lazier. That is the other byproduct of poorly designed technology. Just as it has taught us to click yes it has also taught us to be lazy. It has been too complex for the average person to learn so they don't even try. We have taught them that they have to sacrifice security for convenience because we have made security inconvenient without explaining it to them.

I keep going back to this over and over because there are too many out there who think that the users are never going to learn or change. As long as we make change difficult then they won't change. We need to quit expecting the worst out of them and work to make them make the right choices and learn why each choice is right or wrong.