Security's Everyman

Friday, July 20, 2007

Out of control network

Like most IT people I've always disliked documentation. At least having to be the one to actually do the documentation. I know it's important and that it can save you and others lots of time when push comes to shove. This has hit me in the face hard since starting my new job. The company uses lots of contractors in the IT department and the network has been built and modified over the years by lots of different people. Documentation has been sporadic at best. So therefore knowing what is going on and why can be a challenge. Almost every day someone on the team gets a "surprise". They either discover something new, different, unexpected, unexplained, or just plain unnecessary. It's almost comical at times, but when you think about it there are potentially serious ramifications.

This has made my job quite a challenge. It's hard to design a security program when the environment isn't well understood by those who have been there for a while and especially when I'm still learning new things about it. The good news is that we have management's blessing and understanding of how things are and how they need to change. We also have a good team assembled to make this work. I'm amazed at the level of knowledge and understanding that the guys I work with have. They are much smarter than most of the guys I've worked with in the past. These guys are passionate about what they do and they don't like doing shoddy work.

All that said, the real purpose of this post is to emphasize the importance of documenting and understanding your network. Not only is it good for daily understanding of what you have and how it works, it will come in handy in troubleshooting, DR situations, personnel changes and compliance. Many of the regulations that most of us have to comply with require you to have a well documented environment.

Technology will help you in your information security endeavors but it has to be complemented with documentation, policies, procedures and a well designed User Awareness program. Most of us focus on the technology part but if we want to expand our horizons and ensure that our environments are as secure as they can be it is a good idea to get familiar with the other areas.

  • Look over your documentation and update it. This needs to be done at least yearly and especially anytime you introduce a change in the environment.
  • Read your policies. Ask questions if you don't understand something or if you think something is incorrect. Remember, if your policy says you do it you better do it and be able to prove that you do. The Auditors will want to see the checklist, the archived logs, etc. Don't be afraid to bring up inconsistencies to Management and to make suggestions.
  • Review the procedures and guidelines that are published within your company. Again many regulations require you to have written procedures for how you deploy systems, handle new users and users that leave. They want to know that you know what is going on and again if your procedures say that you do something they will want to see proof that you do it.
  • Sit in on a UA session or ask to see the material that is used. Make suggestions on ways to make it better and more understandable for the average user. Suggest new things that could be done to make the information easier to retain. People learn in different ways and maybe you have an idea on how to present something in a different format. You may even have the talent to make it happen. You could help put together podcasts, videos, RSS feeds, email blasts, or whatever sounds good and works.

As I've said before, security goes beyond the server room. It requires that the IT and IS groups work together along with Management, HR, Training and even the end users. We have the knowledge and skills to really make a difference beyond the technology side of things. We just have to get out there and make it happen. I don't think you will regret making the effort.

Final SunRocket Update

Something "official" finally happened from SunRocket. I received the email below yesterday telling me that it's over and that they enjoyed serving me. It also gives a few more details but nothing much.

The odd thing is that my sister still has not lost her phone service, my dad lost his on Wednesday and my service was restored last night. ?????? Of course I have no idea how long it will work for. I still haven't decided what to do as far as my service goes. Do I continue with a similar VOIP provider (Packet8, ViaTalk, etc), go with my cable provider's offering, or go back to a land line provider?

Here is the email that SunRocket sent.

Dear Customers,

After significant effort by the Company to avoid this result, SunRocket is in the process of closing its operations and therefore will no longer be able to provide you with the phone service that you have been accustomed to. However, this email provides you with an opportunity to sign up with select service providers who we believe will offer outstanding replacement service

In order to assist you, we have entered into negotiations with a number of service providers. As a result of those negotiations, we have entered into agreements with 8x8, Inc., provider of the Packet8 service, and Unified Communications Corp., provider of Teleband service to offer you the best options and we are proud to recommend the following alternatives to you. Please make your decision to move to a new service provides immediately as future service is uncertain.


8x8/Packet8

The Packet8 Internet phone service incorporates patent protected technology from 8x8, Inc., a publicly traded company in business for more than 20 years. The service works in the same way as SunRocket's and offers a virtually identical feature set.

  • No Startup Costs
  • FREE activation
  • FREE equipment
  • FREE shipping
  • FREE first month of service
  • Quickly port your number at no charge

A Savings of over $100!

Copy and paste the following link into your Internet browser: http://getpacket8.packet8.net/sunrocket/ or call 1-800-868-0068 and mention special offer code SUNROCKET


Unified Communications Corp./TeleBlend

The TeleBlend Internet phone service incorporates patent-protected technology from Unified Communications Corp., a privately held company in business to provide outstanding customer service and telephony products. Teleblends has been working behind the scenes already to restore and continue service for all Sun Rocket customers. The service works in the same way as SunRocket's and offers an identical feature set with our Unlimited Transfer Plan.

  • No Startup Costs
  • FREE activation
  • USE your existing hardware
  • FREE and Quick transfer of your current number
  • No Need to port your number to another provider
  • UNLIMITED calling to the US, Canada, and Puerto Rico

Copy and paste the following link into your Internet browser: http://www.myteleblend.net

It has been our pleasure to service you at SunRocket!

Wednesday, July 18, 2007

Correction on HotSec

It's not tonight, it's next week on Wednesday 7/25/07. Sorry for the confusion. I was so excited that I moved it up a week. :(

Thanks for pointing this out to me Rothman.

HotSec Tonight

For those of you in the Atlanta area that can make it, tonight is the inaugural meeting of the Atlanta CitySec community. We are meeting at The Brick Store Pub in Decatur at 6:00. If you are in the area and can make it we'd love to see you there.

Tuesday, July 17, 2007

New SunRocket Update

I've found a little more info. This CNN article gives some news and Beau pointed me to this blog from a former SunRocket employee. He gives us tips on how to transfer our numbers.

I still don't have any clue as to why some service is up and some is down.

VOIP Woes

Update:

OK, I'm officially confused. I called my sister and my dad and they both have service. I thought that maybe SunRocket was forced to turn service back up until all current users can make other arrangements. So I called my house and I still do not have service.

________________________________________________________________

About a year ago I signed up for VOIP home phone service with SunRocket. They had been around for a while and seemed to have a good track record. Vonage was starting to have issues so I decided to go w/ SunRocket. NOT A WISE CHOICE!

Last night I lost service and decided to wait until today to see what happened. Then this morning I saw this post on O'Reilly. I did a little more investigating including calling their support line. It was before 7:00am Eastern Time so I got their voicemail. I just called back and got the following message.

Thank You for calling SunRocket. We are no longer taking sales or support calls. Goodbye.

That's it. No emails telling us what we need to do to be able to retain our number. No word on what happens to those who paid a yearly fee and still had months remaining. Nothing.

I consider myself lucky in that I was close to the end of my first year and only lost a month or so of prepaid service. My sister, on the other hand, just signed up in May and my Dad signed up in January. What are they to do?

Anyone interested in buying 3 relatively new SIP enabled VOIP boxes? :) Just kidding. They may make good project fodder. Maybe the guys at Pauldotcom will write a book on hacking them.

Monday, July 16, 2007

You know better than that

I received a password protected document from a security company that we do business with. I did not know the password so I sent him an email letting him know that. I expected to get a phone call, but to my surprise and disappointment I received an email with the password in plain text. Now the document was not of a highly sensitive nature, but it's not something that is meant for the public eye.

Of course the sensitivity of the document is not the issue here. The issue is that the password was sent via email. And worse than that is the fact that it was a security professional that did it. Someone who really should know better. I realize that the chance of someone actually sniffing our connection at that moment and pulling the password is remote, and that it is even more remote that he would have been able to capture the earlier email with the document attached to it.

It's just one of those things that gets my goat just a little. Of course shortly after I started writing this I received another email with a password in it. This one was from a friend and Security Professional. What am I gonna do with you guys! :)

Thursday, July 12, 2007

Maybe he didn't really think this through.

A friend pointed me to this article about a student list at Texas A&M Corpus Christi that was "misplaced" for a few hours. The list contained the personally identifiable information of 49 students. The list contained names and social security numbers of the students. This is the second incident in less than 2 months for TAMCC.

This post isn't about the incident or how it was handled by the college. It's about a comment that was left. Here is the comment:

Posted by josegutz on July 12, 2007 at 1:24 p.m.

It seems like it is an issue with the IT department at TAMUCC.
They need to ban all key or flash drives from being used if they cannot get that security measure together about using SSN's for identity purposes. They should do a PKI access after all they use access cards for Identity when enrolling at the University. Banning these thumb drives would minimize the security risk of someone walking off with all of this information. I don't want to get in too deep about all this technical garb since it seems that one would have a hard time to comprehend such a concept.

Here is my issue with the comment:
  1. This has absolutely NOTHING to do with the IT department.
  2. This has absolutely NOTHING to do with flash drives.
  3. IT does not dictate whether or not the university uses student SSN's as identifiers.
  4. PKI would not have prevented a student from walking off with a SHEET OF PAPER.
  5. PKI is not an easy technology to implement or manage, especially in a university environment where, by the nature of what they do, the network needs to be open.
  6. Banning thumb drives would not have prevented anyone from walking off with a SHEET OF PAPER!
This comment just set me off for some reason. Maybe it's because I have friends who work in IT and security for several universities. Maybe it's because the person tried to blame the IT staff for this and IT gets enough of a bad rap as it is. Maybe it's because the comment really didn't serve any constructive purpose except to put blame on someone without having all, no wait, ANY of the facts. Maybe it's because this person probably works in IT. I say that because the average person does not know what PKI is or how it works. Apparently this person doesn't really have much of an understanding of PKI either. If he did he would have realized point 5 above.

Now that I have ranted let me try to add value to this.
  1. Yes, it is a bad idea to use students' SSNs as identifiers. I have it on pretty good authority that this is going to change in the very near future.
  2. Yes, PKI can help mitigate the risk associated with storing PII. It can be used to prevent it from being accessed by unauthorized users. It can be used to enforce security policies that could prevent copying data to removable media or prevent documents from being printed. But it has to be used in conjunction with other technologies to be effective.
  3. There is no reason for the SSNs to be on the class roster that is given to the professor. But it is not the fault of IT or Security that this happens. Even if there are policies in place, they have to have the support from Management in order to be enforced, and true enforcement would require other technology to be implemented.
  4. Security is not just the responsibility of IT or Security. It is something that has to be embraced by everyone (or most everyone) in the environment. The professors have a share of the responsibility, even more so than the IT department does.

Then my final point. If you really want to blame someone for all the problems that the SSN has caused us, blame President F.D. Roosevelt and the U.S. Congress of 1935. They are the ones who gave us Social Security Numbers. :)

Wednesday, July 11, 2007

The Slow, Blue Poop Security Model

The other day I was on the TCC Silc channel and made a comment about security being considered a four letter word at some companies. Well, true to form, James Costello and Larry Pesce both chimed in with several four letter words: slow, easy, blue, poop, none. Then the conversation went south from there. Somehow Larry coined the term "Slow, Blue Poop Security". I knew there was a blog hidden in there somewhere. Well here it is.

What does an SBP security model look like? It looks a lot like what you may have seen at your company or a company that you once worked for. It is the security model that does just enough to get by. The security that keeps your network from being owned by every hacker in the world but not enough to really offer protection. It provides just enough to make you feel like everything is OK, but you really don't know what is going on. What is happening with your clients and servers? Just because AV doesn't report anything doesn't mean there isn't anything to report. Richard Bejtlich has a post today about something very similar. The SBP Security model doesn't let you know what is really going on on your network.

Sometimes the SBP model even looks good to the casual information security professional. The network has many tools and devices that look good and provide lots of pretty blinking lights. But there is no real plan behind them. These are devices that allow them to check boxes on their compliance audit. They have a device for each check box, yet there are still gaping holes in the network.

The point of all this is to say that there is no room for the SBP Security model in today's world. SBP security only causes things to be less secure in the long run. It keeps compromised systems on the network and allows them to still spew their SBP to the rest of the world. It gives the bad guys a cloak of privacy to do their bidding without being discovered because SBP makes you feel good.

That's where our job comes in: to rid the world of SBP networks. To build our case for building networks that are really secure and that actually provide our companies, users and customers with the protection, privacy, and security that they really deserve.

And to quote Sun Tzu.................. Just kidding Amrit. :)

Larry, bet you didn't think I could do it.

Monday, July 09, 2007

Learning Security

There is an interesting conversation going on over at the Security Catalysts Community that I wanted to point you to. It's about employees using ICMP tunneling to get around web filters. It is just an example of the many different topics that are discussed in the SCC.

For those of you who may not be familiar with the SCC, it is a gathering of passionate security professionals who want to have a place to interact with others who are of like mind. It consists of forums, a SILC channel for secure chat and other resources to help you do security better. There are other things in the works also that will be coming down the pike soon. The best part is the interaction that goes on between the members of the community. We have people from all different industries: financial, educational, government, private industry, the public sector. Our members work in different disciplines in security: beginner techs, programmers, researchers, penetration testers, administrators, managers, policy and compliance, and even CIOs, CSOs and CTOs. Many of these men and women have become my friends and I value what I have gained from the community.

I say all of this to invite you to stop by and take a look. You can spend time just looking around or apply for membership. It's all up to you. If you have a passion for security and want to join a group of people who are working towards changing the way we practice security then you are the type of person the SCC wants and the SCC is probably the place for you.

ATLSec

It's official: Atlanta is starting a CitySec gathering. According to Thomas Ptacek (CitySec site Administrator and Matasano Chargen) the official name for Atlanta is HotSec, but for some reason someone has branded it HillyBillySec. :)

It will be held Wednesday July 25th at 6:00 PM at The Brick Store Pub in Decatur. It's open to all Atlanta area Information Security and Computer professionals. I look forward to meeting y'all there! If you want to join in the conversation check out the posts at the CitySec site.

Saturday, July 07, 2007

Writing Policies

Information Security involves many different disciplines. Some are technical, some are administrative, some are managerial. A good security professional will gain and retain skills in all of these areas as he/she moves through their career. I've spent most of my career on the technical side of things with some administrative and managerial thrown in. My new job has me focused primarily on working with policy at this time. I've been updating old policies, writing new policies and looking into just how PCI is going to affect us and what we have to do in terms of policy and technology to ensure that we are compliant. This is not an easy process, especially when you are new to a company. I am still learning how various parts of the network connect and interact with other parts. I'm still learning what it is that Management wants and what we have the technology and infrastructure to support. Then there are the decisions that were made just prior to my starting with the company. Some of them were made because it fits well with the direction that the company is heading and some of them were made because it allowed us to put a check mark in a compliance box. If you have been reading my blog for very long you know how I feel about that.

Anyway, I digress. My point in this post is to talk about policy and how to write an effective one for your company. Of course I'm not the expert on this and I don't have all the answers and am still learning much. Much to my delight I ran across a site the other day that does a much better job than I can do. The site is The Trusted Toolkit Blog. They have declared July to be "Policy Month" and they are writing about how to create a security policy and even giving sample policies for you to download. I recommend that you keep your eye on this site this month because even if you never have to write a policy it will benefit you to have an understanding of how a policy is written and the steps involved in creating one. Not to mention that the focus on learning some "soft skills" will benefit you in the long run.

Security Urgency

There is a trend in information security (actually in IT and life in general) to tackle the urgent issues first. These are the issues that users are screaming about, management is on you about, auditors have written you up about, and then things that get you noticed. No one gets noticed for the security flaw or vulnerability that they found, patched and as a result prevented a breach. You get noticed when you put out a fire that other people see. Even if that fire is in the middle of a field and is surrounded by a moat full of water. People see you out there jumping up and down putting out that fire and they applaud you. This is where the security professional needs to make a change.

How do we do this? We can't stop fighting fires because if we do then we will lose battles that we can't afford to lose and we need others to see us succeed. We have to be proactive and plan. We have to know our environment and what the threats to it are. We have to put together a plan to protect our data and get management buy in. Being proactive and getting buy in can be our biggest challenges (next to time) but they are crucial to success. Not only success in getting our plan implemented but being successful in getting out of the "Tyranny of the Urgent" cycle.

This problem is multiplied for those who are either solo IT/Security departments or part of a small shop. Fighting fires can and often does take most of your time because they are always there. That is why it's important for management to realize that just because it's a fire doesn't mean that it's a priority. You need to have a policy in place that defines what is priority and what isn't. A problem that affects only one user or doesn't impact business is not as important as getting a patch deployed that will prevent a breach. Sure, the fire is visible and puts off heat, whereas the patch is not seen by anyone but you, but it is important and has to be done.

So what is it that needs to change? Our policy? Our plan? Our mindset? Ensuring that all three are constantly updated and evolving is a good idea, but our definition of urgent and our priorities are key to keeping us out of trouble and keeping us from stomping out fires in the middle of a field surrounded by a moat full of water.

Friday, July 06, 2007

Bye Bye Data

Wouldn't this just tick you off? You make one mistake and get a virus. That is bad enough. If you are lucky it's just a mass mailer and none of your data is at "real" risk. Maybe you get something that does a little damage to an app or some files. It could be worse. You might get infected with a bot program or a keystroke logger. Not pretty. Yet if you don't do any financial related work on your PC even that isn't so bad. What could possibly be the worst thing is a virus that actually deletes files from your machine. Especially one that deletes OS files. Now you are hosed. You have to rebuild and for many that means losing data because they don't back up and don't know how to recover what may be left on the system.

Oh wait, it can get worse. Not only does the virus delete your files it tells you it's doing it and taunts you as it happens. That is one cold hearted virus writer.

Wednesday, July 04, 2007

Let Freedom Ring

I usually try to keep this completely Information Security related but today is a special day and thus I will detour from my normal format.

231 years ago the men who signed the Declaration of Independence took a stance for what they believed to be right and the best course for the colonies. They risked their lives and homes and many of them paid a very heavy price. Loss of life, family, land, possessions. They were willing to make the sacrifice for freedom.

Since then men and women have served this country in the armed forces and many have lost family, possessions, homes and their lives. They did this not because they were forced into it. They did it not because they wanted to be heroes. They did it because they believe that freedom is worth fighting for and that preserving freedom in America is worth the cost. They did it because they too believe in the same things that fueled the fires of the American Revolution.

I want to take this time to personally thank everyone of them for what they have done. Thank You for the sacrifices that you made for us. Thank You for serving your country.

I also want to lift up in prayer those who are currently serving our country. Especially those who are in Iraq and Afghanistan. These men and women are facing danger every day for us. It doesn't matter what your opinion on the war is, these soldiers need our support. Let's give it to them.

GOD BLESS AMERICA!!

Tuesday, July 03, 2007

User Awareness Training in Action

All of you know that I feel strongly that UA training has great value in keeping us more secure in our online and work network lives. I've caught flack from some for my hard line stance on it, but this story just goes to show how effective it can be. I'll say it again, "a good information security program includes UA training and daily secure practices from the IT staff." The best part of this is that it was done in day to day life and not via classes and boring material. If all IT professionals practice security around their users, and take time to talk to and explain secure practices to their users, then this is what can happen. Rebecca Herold tells the story of awareness from her kids.

Friday, June 29, 2007

Security Mentoring

How do you become a "Security Expert"? You can take classes in high school, college and trade school. You can attend "vendor training" or security related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer, home network or use some online labs. You can participate in forums (security catalysts community, friends in tech, etc). You can read blogs and "security" websites (Andy ITGuy, Tao Security, SearchSecurity, etc). You can join in on chats using IRC or other Instant Messaging type clients. You can join organizations such as ISSA, InfraGard, ISACA.

All of these are good and viable ways to learn about information security and how to practice it and do it. Of course the best way is OJT. On the Job Training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks that the best teacher is "guided experience". I must agree. You can learn a lot from experience but if you don't have someone there to help you understand all that the experience has to offer then you are missing out. If you don't have someone there who will challenge your experience and more importantly, the lessons that you think you are learning then you are missing out on a valuable resource.

Chuck said that "the difference between experience and guided experience is confrontation". Not confrontation in an arrogant, mean way, but in a way that is meant to challenge and lead. That is what makes a really good security professional. Someone who learns from others as well as on their own. Now please don't misunderstand me and think that I'm saying that w/o a "mentor" you can't and aren't a good security professional. That is not what I'm saying. But it will make you a better one. In order for that to happen you have to have someone who has the knowledge and the desire to pass it on. They have to be willing to be tough without being mean. Then you have to be willing to learn. Listen to what they say whether you like it or not. Take it to heart and make the change.

The security landscape changes too quickly for any of us to know it all and continue to know it all. It changes too fast for us to go it alone. We need mentors to help us along the way. Hopefully you will get the chance to actually work with others who can guide you and hopefully you will get the chance to guide others. If for some reason you don't have that opportunity (all you SMB IT and security guys) then look for ways to hook up with someone in your area. Look into some of the links above for organizations, blogs, training offerings and such that can guide you through the maze of information security.

FTP is Secure?

I'm a really nice guy and usually don't point out what is HOPEFULLY just an oversight on someone else's part, but this is just TOO ridiculous and WRONG to let go.

This article on ComputerWorld.com starts off in a very wrong way. To quote:

For years, file transfer protocol has been the standard for file transfer security. While FTP still offers the gold standard in security over the Internet,

Since when did FTP become the gold standard in security? Since when did FTP offer any form of security?

I really, really, really hope that the writer meant SSH or SFTP instead of FTP. I really hope that he wasn't quoting from a press release that was sent to him by the company who has finally solved all of our file transfer woes. I really hope that he retracts this statement and corrects this error.

Thursday, June 28, 2007

An Open Letter to Marketers

Dear Marketing Professional,

I often receive press releases from you about various new offerings that are coming out from this vendor or that vendor. I probably will never blog about one of them just because this blog is not for advertising. If I use something and really believe in it then I will write about it. Just as if I use something and it is a really bad product I will also write about it.

I'm not asking that you stop sending me the press releases because I do like reading about these products (usually). What I am asking is that if you are going to send me something, DO NOT attach a .pdf or anything else to it. That is one sure fire way of not getting your release read or published. In today's world of rampant malware being spread in every conceivable way I will NEVER open an attachment that I receive from some random marketer.

As you probably can tell, I did receive just such an email today. Not only was there an attachment with it, but the person didn't even have a signature beyond a name. I am a security professional, and if you are marketing to security professionals you probably should NOT employ the very practices that we preach and rant about.

Sincerely,

Andy ITGuy

Tuesday, June 26, 2007

Incident Response Response

Things happen all the time in the digital world. Often they go unnoticed for a long time and sometimes things go our way and we are aware of something going awry early on. When this happens we need to be prepared. We need to have a plan in place to deal with all that is involved in tracking a cyber criminal. Now I'm not a forensics guy, for that you need to talk with Harlan Carvey or The Security Monkey, but I do know enough to realize that there are some best practices that you can employ to make the job of IR and forensics much easier. The nice people over at Network World have even put together a good article for you on how to be prepared for your next hack. It covers many things that you need to do to ensure that you are covering the bases. Many of the things that they talk about can be easily forgotten in the heat of the moment, but they are crucial in the investigation process.

Sunday, June 24, 2007

Successful Security

I'm really tempted to copy and paste this entire article here. Hoff nails it right on the head with this one. It's a no holds barred quick look at what we as Security Professionals need to know and understand. If we want a successful program then we have to look beyond the day to day things that often occupy our time. We have to move outside our self-imposed little boxes and look at the big picture.

He gives a nod to Rothman's P-CSO in the intro to this and it does contain a lot of the same principles that Rothman and others (including myself) often preach.

Some of the key points that I liked are:

  • Measure something - like it or not, if you can't measure it chances are that it won't last long or it will never get implemented. Management demands measurable results.
  • Don't be a technology crack whore - technology is not the answer to everything. It may be fun to play with and it may look cool in the data center but if the processes aren't in place and the people don't understand them then technology will not work.
  • Shut up and listen - Our job is to secure and enable. We can't do this if we only tell the users what we want; we have to listen to what they need.
  • Learn to say yes by saying no and vice versa - We often have to say "no" but we don't have to be rude about it, and when we say no we need to explain why in a way that makes sense to the users.
Hoff, great job.

Thursday, June 21, 2007

Things I'm quickly looking at

I've been super busy lately and haven't been able to keep up with my feed reading like I'd like to. Obviously my posting has slowed quite a bit also. Today I've got a little breathing room so I decided to post links to several articles that I quickly looked at and found to be of interest or value. If you haven't already done so check them out.


More UA fodder. Good article on DarkReading about how people are the root of the problem and thus why they need training.
http://www.darkreading.com/document.asp?doc_id=127294

Another good DarkReading article. This one is on the value of having a well trained IT staff.
http://www.darkreading.com/document.asp?doc_id=127295

DarkReading is our winner today with 3 straight awards in my picks of the day.
http://www.darkreading.com/document.asp?doc_id=127289

Rebecca Herold is quickly becoming one of my favorite bloggers. Today I discovered that in addition to her Realtime Community site she has another site that is also loaded with great information regarding privacy.
http://www.privacyguidance.com/

Cutaway jumps in with both feet talking about how Universities need to take care to secure and protect sensitive information.
http://www.cutawaysecurity.com/blog/archives/156

The Liquid Matrix blog rings in about the woeful state of DHS. Maybe they should call it the Department of pwnedland Security.
http://www.liquidmatrix.org/blog/2007/06/20/dhs-acknowledges-own-computer-break-ins-800/

Finally I'll leave you with some "lite" reading from the guys at Matasano. They make my head hurt.
http://www.matasano.com/log/885/exploring-protocols-part-1/

Why do security?

I've got mixed feelings regarding compliance. On one hand I like it because it is forcing many companies to do things that they wouldn't normally do to better secure their network. On the other hand too many companies are only doing what they have to do to pass their compliance audit. They are checking the boxes on their compliance checklist and missing a hole somewhere because that area isn't on the compliance "watch list". They may be making the auditors happy for now but what about next year when they come back? What about next week when the bad guys find your vulnerability? After that happens you are going to then be forced to take action to fix the problem. Only it may be more expensive and difficult to fix than if you had done it when it should have been done. Not to mention the clean up costs.

Compliance is not the reason to secure. You secure because what you have on your network is worth something to your business. You secure because a breach will hurt your business and possibly destroy it. You comply because you have data that is valuable to other people. Things such as customer and employee data, credit card numbers, social security numbers, etc... All of these things are "protected" by your compliance checklist, but if a hacker gets into your network through some venue that is not on the checklist it doesn't really matter what is checked and what isn't.

When considering security for your network you have to look past compliance and look at the "real" picture, not the one painted by GLBA, SOX, HIPAA, PCI or any of the others. Listen to your IT Security staff (or those who have a clue), listen to consultants, VARs, vendors etc... Don't just cast them off as either trying to get all the cool toys to play with or trying to sell you more than you need. Yes, those things happen, but you should at least consider what they have to say and look at it with an eye towards gaining knowledge on what will really make you secure.
Too often companies look at the bottom dollar and what will fill the check boxes. The only problem is that the check boxes keep increasing in number and the bottom dollar can't be seen because of hidden costs that you can't know about.

Friday, June 15, 2007

My Security RoadTrip

Martin asked several of us to tell our Security story again. I told it here (which was an updated story from earlier) and this time I'm going into a little more detail. Hope you enjoy it, and I promise no Sun Tzu quotes, Amrit.
____________________________________________________________________

I've mentioned before how I got started in IT and sort of moved into Security, but as I look back at what I wrote I didn't go into much detail about why and how I made the change.

I used to think that security meant a firewall and AV. The company I worked for never patched machines and I don't think that we even put AV on all machines (can't remember for sure). We ran MS Proxy Server 2.0 for a firewall and that was the extent of our security.

When we built a new data center we decided to "upgrade" our infrastructure; we put in a Cisco PIX and an MS ISA 2000 server. We put in McAfee EPO to manage AV. It was then that I started monitoring the firewall logs and ensuring that all our machines were updated with AV and we even started some patching. It was around this time that Code Red (or some high profile virus/worm) hit. It was then that I realized the implications of having a secure environment. I was also noticing attacks that were being attempted on our network from the outside. Several projects that I was involved in required me to do lots of research and talk with vendors about their offerings. I started realizing that there were lots of cool "toys" out there that allowed me to see deeper into the network and do things to mitigate the risks that I was starting to see.

My boss was pushing me to upgrade my CCNA to CCNP. I had decided that I wanted to focus more on Security and asked him if he would object if I pursued what was at the time the equivalent of the CCSP (I think it was called CSS I and CSS II). He agreed and I started studying for it. Shortly after that I was laid off and my next job was a consulting position where I was hired to be the Security Specialist for the company's clients. I did network surveys to look for security weaknesses in their environments. Of course Security awareness was still in its infancy (especially in small town USA) and most companies didn't want to pay for the service or the recommended changes to their environment. So I spent lots of time doing network monitoring and maintenance.

Until a month ago I had never held a pure security position. It was always just part of my job as a Network Engineer. I personally took the initiative to make it my priority and primary focus. As I was looking at what direction I wanted to take my career I decided that obtaining the CISSP over vendor certs would benefit me more. Since I was on my own for training, study, paying for tests, etc. I had to choose carefully. Thus even though I'm qualified to work with several vendor devices I'm not certified on any of them.

There it is. My story. Long winded as it may be.

Thursday, June 14, 2007

Scott Wright at the SecurityViews blog has a good post where he gives his take and analysis on the Pfizer laptop breach incident. He said that he might make this into a series. I hope he does.

He makes some good points about what went wrong, what could be done differently and what the implications are. My favorite one, for a couple of reasons, is this:

Get serious about security awareness in the organization. Policies are no fun to read, and just having them doesn’t make them happen automatically. Security awareness training and regular updating is essential. But it doesn’t have to be tedious, and people need to be kept up to date on what to watch for.
I like this because right now I'm in the middle of reviewing, updating and creating new policies for my company. They are dull and it's hard to stay awake while doing this at times. Unfortunately if you make them fun then legal whines and they rewrite them in a way that no one can understand. I also like it because it reinforces my belief that security awareness training is a KEY piece in a security program and maintaining a secure environment.

I just turned to today's entry of my handy "The Art of War" calendar and what do you know, Sun Tzu has an appropriate comment for this very thing.

If your own army is hesitant and confused, you bring trouble on yourself, as if you were to bring enemies in to overcome you.
If we don't have effective security awareness training then our "army" will be hesitant and confused. They don't know what is and isn't safe to do because they don't live this stuff like we do. We have to train them. We have to give them the knowledge and understanding of what is going on so that they are not hesitant and confused. How many "average" computer users know the dangers of file sharing software? Their friends use it and their computers haven't crashed. What about the dangers lurking on sites such as MySpace and porn sites? Do most people really think that by surfing for porn they are possibly giving bad people access to their online banking credentials? No they don't. They aren't aware of the problems.

That is why a good security awareness program at work will not only benefit the company but the employee and their family and friends also. When they know the reality of this they will share it with others. Information Security may be focused on the corporate network but it expands way beyond the borders of our firewalls. Someone posted a comment on my "Why IT doesn't really get security" post where he said that he had all but given up on security awareness because ... well I'll let you read it here, it's a bit long. He has some good points but as I've said before we can't give up on security awareness training. We can't quit our users. Technology can only do so much. People have to do the rest.

Let's be careful out there,

Andy ITGuy

Sarcasm, bad passwords, and Dilbert under a Southern Moon

Since it's so 1990's to use The Art of War for security analogies or to use Dilbert to explain management principles I'll just point you to a Dilbert cartoon for a security analogy.

Tuesday, June 12, 2007

Why IT doesn't really get security

Since I started my new job there have been four (4) different occasions where members of the IT staff have given me their USB thumb drives to transfer data to. These are guys that I work with daily but I don't know them and they don't really know me. One guy even gave me a U3 drive.

Now I take all the normal precautions against getting owned this way. Autorun is disabled and I have HIPS and AV installed on my laptop. While 3 of the 4 stood by while I copied the data to their drive the other one gave me his drive and walked away. I had it for over an hour before he came back for it. Those who did stay with me weren't paying attention to what I did. I could have copied data from their drive to my laptop or copied more than they expected to their drive.

This is just a sampling of part of the problem that the average IT guy has when it comes to really understanding security. They may get some of the more obvious security concerns such as what to do to secure a router or how to properly secure data on a shared drive. They may even understand some of the risks associated with various activities, but if they continue to pass around USB keys to people that they don't really know (and walk away!) then there is a problem. I think that many IT professionals do things such as this because they figure that they can trust one another and hopefully they can, but carelessness in one area will eventually lead to more carelessness unless they are very aware of their actions.

Another problem is that many IT departments are understaffed and they are always working in crisis mode. Even if they want to implement best practices in regards to security they don't have the man hours to do so. It's patch things together and then plan on coming back to fix it later. Unfortunately too often later never comes. Then if the department isn't understaffed they have the problem of lack of communication. One department is working on an initiative and another department is working on their project and they never meet to discuss how they may affect one another. Then you have 2 projects that work against each other instead of together. Any security measures that one may have could be voided by the other.

I could keep going on and on with this but I think you get the point. Security doesn't come naturally for end users or most IT guys. It's something that has to be fought for. That's our job.

Info Security goes beyond the data

I've written before about how you need to be careful about what you say when you are in public places. You may be overheard talking about company secrets or just "gossip" that doesn't need to be out in the open. The same is true for using your laptop in public. People are curious and often will look to see what you are doing. I was riding home on the bus last week when I noticed the guy in front of me typing an email that contained info that I'm sure he didn't want the world to know. Yet there it was for all to see on his laptop.

We also have to be careful not to disclose too much information when talking to reporters. Just ask Terrell Karlsten. She is a spokesperson for Yahoo and she gave out a little too much information in an interview with InformationWeek. A hacker named Danny read the article and promptly used the information to find the flaw and write an exploit for it. Now before you come down too hard on Ms. Karlsten you need to consider what she had been told. Was she properly briefed on what to say and what not to say? Was there even a reason for her to know enough to be dangerous? Maybe she just needed to know that there was a vulnerability that involved a buffer overflow. Maybe she just needed to know that there was a vulnerability. Did she have any real idea as to what the implications of her statement were? I doubt it. Thus, another reason for a good security awareness program.

Good security covers all areas not just the data whether it be at rest, in transit or in use. It looks at the whole infrastructure and the company culture. It finds ways to work with everyone for the good of the company.

At least Yahoo was quick with a fix so hopefully the damage was contained. Makes me glad that I use Pidgin instead of Yahoo Messenger. :)

More Security Wisdom from The Art of War

"When your strategy is deep and far-reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is little, so you lose before you do battle."
This sums up the role of the Security Professional. You have to keep your eye on the big picture and not let the little things distract you. You can't let apathy set in.

Friday, June 08, 2007

P-CSO Bootcamp Revamp

As you know I spent Wednesday with Mike Rothman and the other brave adventurers on the Maiden Voyage of the Pragmatic CSO Boot camp. As I said it was a day well spent. Especially considering the fact that I just moved into a new position where I am in charge of security for all practical purposes. I'm not the CSO but it's up to me to ensure that we are secure. If I fail it's my head. Since I'm new here I have the opportunity to implement the steps in the P-CSO methodology from the very beginning so the timing was right.

We started at 9 and went until around 4. It was a small group (I think 10 is the most that Mike wants at one time) which was good. It allowed us all to share and learn from one another as we went over each of the 12 steps. The background of the guys that attended was varied but we all had the common understanding of security principles. We talked about what worked and what didn't work. Told stories about being hacked and cleaning up after the hack.

Mike took us through each step and allowed us to interact and ask questions. He didn't push us or force us to hurry onto the next section. The material was what is in the book and then some. He has some "freebies" that he gave us that add value. He was able to expand on some topics based on his own experiences and on feedback that he has received from others.

Now I'm gonna dust off my copy of the book and take it, the materials and new knowledge I gained from the boot camp and prepare to kick butt in my new job.

If you get the chance plan on attending the next time he offers this. It's well worth it for CSOs, Security Managers and techies. Something for everyone.

Where is your malware?

The F-Secure Blog has a good post on where to look for malware launch points on Windows boxes. They looked at thousands of samples of malware to see where they were hiding themselves in the registry to ensure that they were launched when the machine is rebooted. They have a nice graph and a list of the top 10 registry keys to look in to see if you are unknowingly infected.
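Here is an added example of the kind of check that post suggests. It is my code, not F-Secure's, and it does not use their top 10 list: a small Python script that reads a Windows .reg export of a few well-known Run/RunOnce autostart keys and flags entries whose command lives in a user-writable folder such as Temp or Users\Public. The key list, the folder list and the exported entries are assumptions constructed for the demo.

```python
"""Triage autostart entries from a Windows .reg export.

Added example, not code from the F-Secure post or its top-10 list. The
autostart keys below are a few well-known Run/RunOnce locations (assumed
list), the folder list is an assumption, and the .reg text is constructed.
"""
import re

# Well-known autostart keys this demo inspects (lower-cased for matching).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# User-writable folders that legitimate software rarely autostarts from (assumption).
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample export: one benign system entry, one benign AppData
# entry, and two entries launching from user-writable folders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\andy\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\andy\\AppData\\Local\\Temp\\svch0st.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="cmd.exe /c C:\\Users\\Public\\run.bat"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # Undo .reg escaping: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Return (key, name, value) for every string value in a .reg export.

    Assumes the export is already decoded to str (real exports are UTF-16).
    """
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        s = _STR_RE.match(m.group(2))
        if not s:  # dword:/hex: values cannot hold a launch command
            continue
        entries.append((key, _unescape(m.group(1)), _unescape(s.group(1))))
    return entries


def find_suspicious(entries):
    """Keep autostart entries whose command points into a user-writable folder."""
    return [
        (key, name, value)
        for key, name, value in entries
        if key.lower() in AUTORUN_KEYS
        and any(d in value.lower() for d in SUSPICIOUS_DIRS)
    ]


def triage(text=SAMPLE_REG):
    return find_suspicious(parse_reg(text))


if __name__ == "__main__":
    for key, name, value in triage():
        print(f"CHECK  {key}\\{name} -> {value}")
```

On the constructed sample the script flags "updater" and "cleanup" and leaves the System32 and OneDrive entries alone; a real export (`reg export` of each key) is UTF-16 and should be decoded before being handed to `parse_reg`. A hit is a prompt to look at the file, not proof of infection.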

Thursday, June 07, 2007

Something to Talk About

I just read an article in Fast Company Magazine that made me think. The article had nothing to do with Information Security, IT or computers. It had to do with marketing (which I dislike immensely). Yet marketing can make all the difference in a security program. (See my post about Selling Security). How we package and market our program can make or break whether or not we get the funding and approval to do what we have deemed as necessary to protect our environment. Do our policy recommendations get accepted? Do we get to implement this technology or this program that will improve our security posture? How we market and sell it may make all the difference.

In the FC article they talked about making your product "stick". What is it that you do that makes your product stand out from the crowd? What makes people talk about your often sub-par product? (I'm not suggesting that we try to sell sub-par security.) We have to think about our image to build and maintain credibility within the organization. We have to ensure that the security group is viewed positively by management as well as by the end user. We have to adopt a positive posture of security and do all we can to eliminate the negative attitudes that WE have created over time. Our attitude towards end users, management, the company culture and our jobs has to be positive if we are to develop a positive security mindset within the company.

Yesterday I attended the maiden voyage of Mike Rothman's Pragmatic CSO Bootcamp. It was a day well spent. We talked about this very thing on and off throughout the day. It seems that most every step in his 12 Step Security Master program came back to this in some form or fashion. In security it is all about image and credibility. If we are viewed as the group that wants to make it hard for the users to do their job or as the guys who don't want us to have any "fun" then we are developing a negative image. That image will spread throughout the entire organization if we are not careful and it may well come back to haunt us when it comes time to secure funding for projects.

At my previous job the marketing group branded the IT department as the “Red Tape” department (now you know why I don't like marketing). That came from the fact that every time they wanted to do something we put the brakes on them. Often we did it in ways that didn't help our image. They would say that they wanted to do such and such and we said NO!!!! and then walked off. They would ask to implement this technology and we would make them jump through hoops to justify it. Sometimes just because we could. Pretty sad, huh? I have to admit that I participated in that. Sometimes out of a spirit of being ornery and in a position of “control”, sometimes out of a spirit of joking around (I'd come back later and tell them it was approved just to irritate them) and sometimes because it was just a bad idea that affected security. After they branded us the “Red Tape” department it made me stop and think about our image in the company. I didn't like being the bad guy. If it is necessary to be the bad guy to remain secure that is one thing, but to be the bad guy because of an attitude is something else. So I decided to change that attitude. Not because I wanted to be liked but because I knew that a negative attitude affected the whole program and the company.

So what do you do to make your IS program "stick"? What do you do to make it stand out and be seen as a way to enable secure business practices? What things are going on that encourage a negative or positive attitude within your group, department and company? How can you make changes to improve the image of security within your company? It doesn't matter whether you are the CSO or you are the new guy who is stuck with the most boring security job in the company (log review); you can start with changing your attitude and how you react or respond to things that happen. It may not be easy or fun (after all, making fun of dumb things that users do can be very funny at times) but it WILL make a difference over time.




Tuesday, June 05, 2007

Singing the PCI Blues

Back in December I posted about being happy that I had finally been able to get an answer to my question as to whether or not my then current employer was subject to PCI/DSS. The answer was that they were not and I was happy.

Now that I'm in my new job PCI is a part of my daily life. I'm now having to refresh my memory on PCI (I boned up a little in the past just in case) and am having to start the process of checking out what we are doing and what we still need to do. I like it though. It's new ground in some ways.

This position is much different than my past jobs in that I'm doing less hands on with the network devices and more security support work. Things such as working on updating policies, reviewing configs and change requests, reviewing results of a 3rd party Pen Test and working to ensure the issues are corrected. After I get myself firmly planted here and get many of these projects either well under way or completed I am supposed to take over some hands on jobs. I'll have to see how that works out. There is lots to do here and I'd like to see this continue in a position where I continue to focus on moving us into a more secure direction and let others do the hands on under my guidance. But then again the "geek" in me doesn't want to get too far removed from the 1's and 0's.


A new threat to security

I ran across this story today and it sends chills up my spine. A new wave of attack technology. DARPA is implanting chips in moths that will allow them to be controlled remotely and possibly infiltrate enemy camps and beam back A/V signals.

What are the security implications of this for us? Are we now also going to have to be exterminators? I know this sounds ridiculous, but if this gets into the wrong hands it could prove to be a real problem. Imagine a moth watching you enter your password or sending video of your security configs to a hacker. What about listening in to conversations about security plans or board meetings?

This gives a whole new meaning to "shoulder surfing". I gotta go get a can of bug spray. :)

Monday, June 04, 2007

Get Your Malware!!

I was browsing ha.ckers.org today when I ran across this post. Do people actually do this? Why not just invite a hacker to dinner and let him use your computer for a few hours while you are in the other room watching TV?

Wednesday, May 30, 2007

Selling Security, It's our job

It's good to hear someone else from time to time get on the same rant as me. I'm talking about my regular "We need to quit bashing users" routine. Pete Lindstrom rants about how we need to pay closer attention to the business needs and not whine and cry about how Management doesn't understand or care about us. Now Pete is talking specifically about a podcast that Marcus Ranum did where apparently Marcus does just that. I have not listened to the podcast and so I can't comment on the specifics, but suffice it to say that whether or not Marcus did "whine" isn't the point. The point is that often Management does NOT get security (or IT at all) but it's not their job to get us. It's our job to explain ourselves and why we are important. They are business people and we need to sell them on the business of security. I don't mean try to scare them with FUD, compliance or horror stories. I mean we have to present a business case to them for security. Why is it important and what kind of ROI can be gained from it. How we can implement it without making the user's life miserable. How it can make the company money. That's what they care about. Management is about the business being successful. If we can convince them that a secure business is a successful business then we have done our job (or an important part of it).

Now, before I start getting comments and emails about how most security professionals aren't business people. How they need to stay focused on technology in order to be good at what they do. I know that and I'm not suggesting that we should all make a run for the board room, but as an industry we have to take the steps to prove our worth and value. Many companies implement security just to get the auditors and compliance people off their backs. They hate security and think it is a waste of time, money and resources. We can continue to wallow in the basements of industry or we can take it upon ourselves to change the attitude of not only the "stupid user" that we all so often complain about, but also the "Clueless C's" that often complain about us. Management isn't going to come to us until they see a clear benefit to the company. We have to provide that clarity of vision.

Sunday, May 27, 2007

New Blackjack


For the last 4 years my previous employer supplied me with a Blackberry. It was my first "smart phone" and I loved it. I started out with a 6510 which was old when I got it. Then I upgraded to a 8703e which I really liked. Color screen, pretty fast data speeds, more memory, etc... When I left that job I had to leave my Blackberry and get my own phone and calling plan. As I was looking at what carrier to use, what plan to get and what phone to get I kept looking at the free and low (under $50) phones. What can I say I'm cheap. As I looked at them I just couldn't get past the fact that I was losing so much functionality by going with one of those phones. Not to mention not having a full keyboard. I HATE having to push the 2 key three times to type a "C". I also dislike the fact that most of these phones don't allow you to associate more than one number with a contact and many of them don't give you a place to add email addresses or notes. Then there is the whole ordeal of having to manually add contacts to many of them. So I decided to go with a Samsung Blackjack. I didn't even get a data plan so I'm not using many of the features, but just having the "key" features that I'm used to is VERY nice. It's a little different than the Blackberry but close enough that there was not much of a learning curve. Overall I like it. The call quality is really clear and the features on it are useful. There are a few things that I don't care for but they are mostly semantics and I'm sure I'll get used to it. Now if I'd just get a little less cheap and subscribe to a data plan I'm sure I'd be thrilled. Maybe once I go permanent with my employer I'll take the plunge.

Becoming a Pragmatic CSO

Unless something happens between now and then I'm planning on attending the "Maiden Voyage" of the Pragmatic CSO training next week. I have to take unpaid time off since I'm new and since I'm on a contract for the time being. That stinks in terms of training and such. Until I go full time with the company I have to foot the bill, including not getting paid, for any training. Not a big deal for a single day event but it shoots me in the foot for anything such as BlackHat or DefCon. I know that the content of the P-CSO will be well worth it so I'm willing to go w/o pay for a day. I think Mike still has one or two seats available so if you want to go this is the opportunity. You will never get a price this cheap.

Hope to see you there!



Pushing without testing

My first week at work was pretty exciting. Several things happened that allowed me to jump right in and start putting my training to work. I'm not going to go into any details obviously, but there is one incident in particular that I want to talk about.

Our network is quite extensive. It seems to have been well thought out in its design and although security wasn't always a top priority they have done a pretty good job of implementing policies and technologies to mitigate threats and to "shore things up". We have several partner networks that connect back to various segments of our network and one of them went awry this week. It wasn't exactly a security issue but easily could have been.

The partner, which maintains an important aspect of our business, pushed out an upgrade and it caused all sorts of problems. Fortunately this segment is completely separated from our core network and it is not accessible from the Internet in any way. What if it wasn't though? What if we had an Internet facing interface that was affected by this? What if we didn't have an air gap between this network and our core?

The potential for a breach would have been very great. Either from the Internet or from the partner network. This just goes to show that diligence pays off in designing security for your network. I know many small and medium sized companies that would not have been so diligent in ensuring that the design of this was secure and that the proper controls were in place. Why? Lack of staff, knowledge and money.

How could this have been averted in our case? Obviously the vendor needed to do more testing before pushing out the upgrade. The biggest thing is that they pushed it all at once. Every location was upgraded at the same time so the problem affected all locations. If they had pushed it to one or two locations and then let it run for a day they would have discovered the problem and rolled back, fixed it and averted a big problem.

Other than that it was a quiet week. The other issues mentioned earlier were nothing compared to this. They just required some changes in the way a couple of things were configured and in how a couple of things were done. It does feel good to make a difference in your first week. Especially when it doesn't require me to be up all night working on something that broke. I think I'm gonna like this. :)


Thursday, May 24, 2007

User Awareness Awareness

I had to go to a training session yesterday for an app that is used for special purposes within my new company. It is used by several different groups; some are regular computer users and some are not so savvy. The training went pretty well for all concerned up to the point where the trainer was trying to explain the password policy for the app. It uses complex password requirements. You know: uppercase, lowercase, number, special character. The problem was that it was explained poorly.

This is the problem with user awareness training that I'm always harping about. We take a subject that may be somewhat confusing for many people and make it even more confusing. Then we blame it on the user and call them stupid. These users aren't stupid. If they were they wouldn't be in the positions that they are in at work. They are very competent at their jobs. Also this goes back to poor security policies over many years. Users are accustomed to simple passwords. Having complex passwords that are poorly explained compounds the situation.

So what's the answer? First, when we plan our training (or explaining) talks we need to make sure that our examples make sense not just to us and others who are technical, but also to regular users. We need to have someone who isn't so computer literate give us their input on how we explain the concept. Secondly, we need to work to change corporate culture on passwords and security. It may take a while and we may have to take "baby steps" but that is better than nothing or better than going from simple to complex and having the help desk flooded with calls because we took too big a step too quickly.

Tuesday, May 22, 2007

Thrown in head first

Two days on the new job and I have been thrown in head first. Not that that is a bad thing. I like it that way. They are giving me time to get adjusted and acquainted with the network, but they have already filled up my plate.

My title is Senior Security Engineer. I'm responsible for overseeing all aspects of network security. I don't have to do all of the work myself but I'm responsible for ensuring that it gets done and that it follows best practices, company standards, etc... I've spent the 2 days looking over network diagrams, device configs, Pen Test results and policies. The Pen Test and Policies are my first "major" projects to complete. I'm also trying to get up to speed on some of the devices that they use that I've not seen much of. The firewall and IDS systems are ones that I've not used before. That's not a big deal though.

So far I've seen both good and bad (imagine that) in how things are done. The best part is that they are aware that they need work and they have an idea as to where they want to go. It will be my job to refine that vision and make it happen.

All in all I'm happy with the position and where I think it will go.


Monday, May 21, 2007

Look Who's Talking Now

I started my new job today. I'll post a little about it in the coming days, but for now I want to talk about my commute. I live about 35 miles away from the new job so I decided to take public transportation. I take an express bus into town and then hop on the subway and get out right at my office building. I like this for several reasons. One, it's lots cheaper than driving 70 miles round trip in Atlanta traffic. Two, it gives me time to read, think, listen to my iPod or nap. Three, it keeps me from going to jail because if I had to sit in traffic for an hour or more every day I would go mad and do something really stupid.

From time to time I would look up from the book I was reading or wake from the nap I was taking and look around at the people on the bus with me. You wonder who they are, what they do, who they work for, etc... and if you listen close enough you can hear their conversations, phone calls, or see what they are reading or working on. The same thing is true for those who travel by air regularly. People just let the whole world in on what's going on with them. It doesn't matter if it's public, private, personal or professional. People just don't pay attention to what they are doing or saying.

Then today I ran across this article on Bankinfosecurity.com that talks about this very thing. The article requires you to register on their site for free, but the gist of it was that just by listening the author was able to glean lots of information about the bank that this person worked for. Name, phone number, part of an account number, etc... All because this person didn't take simple precautions while working and talking during a commute on public transportation.

It's easy to get caught up in the moment and forget about your surroundings, but if you are dealing with sensitive information you really need to pay more attention.

Sunday, May 20, 2007

My new gig

I'm excited to start my new job tomorrow. Not just because it brings in a paycheck again, but because it will be interesting to see things from a different perspective. This will be my first purely security job. No more network admin responsibilities and no more trying to piece together free technologies to make something work as I want it to. I'll be working in an enterprise environment for the first time also. No more "small shop blues". I will finally have others at work that I can bounce ideas off of and talk to about concerns regarding security. I can get feedback from real live people instead of via email, posts and forums. I will get to experience what it's like to be in an environment where they have real tools to use. Where security is (at least in perception) taken seriously.

I read this post which pointed me to this post and it got me to thinking about my last job and how things would be different at my new job. Or will there be any difference? I sure hope so, but you never know.

When I left I had been preparing for this for about a week. I knew that it was a highly likely possibility that I would be laid off. Then, as I wrote in my post about being laid off, the morning that I was laid off I knew it just as soon as I walked in the door that day. I had spent the week getting things in order. I had ensured that I had backups of all data on my laptop that I needed. Not company data but personal things. I could have easily taken copies of ALL data on the network if I so desired. I had the access rights to EVERYTHING and if something had been set up so that I couldn't access it casually with my admin level rights I had the account info to get access to it. Obviously I had access that only myself and one other person had, but there weren't any "real" protections in place to prevent the average user from taking anything that he/she had access to. It wasn't because we didn't want or have a need for it, but because we didn't have the money or staff to implement it.

Now that I am going into an enterprise environment it will be interesting to see what kinds of data protection they have in place. Will it be just as easy for someone to walk out the door with what they want or will there be things in place to either prevent it or at least make it VERY difficult. Unfortunately these are things that I probably won't be able to blog about. I'd love to be able to tell the story, but by doing so I will be giving away too much info that could be used against us. I'll have to see what I can do, but don't count on hearing much about it.


Friday, May 18, 2007

My vacation is over

Just wanted to let y'all know that my vacation is over and I start a new job on Monday. I really hoped that this wouldn't be a long break and it worked out to be 9 working days. After I get settled in and learn more about what I can and can't do I'll blog about the new gig. I may not be able to say much, but I'll do what I can.

Thanks to all of you who sent me notes and left comments on the blog. I appreciate your concern.

I hope I don't forget to set my alarm Sunday night. :)

Thursday, May 17, 2007

Identity Theft on the rise

One of my biggest fears is to have my Identity stolen or my financial data compromised. I'm careful about what I do online and when I do transact financial business online I'm careful to do it only from a PC that I trust and feel confident is free of malware. I check the URL to ensure that it's using a valid SSL cert and that it is the actual URL of the site I want it to be and not a phishing site. I only deal w/ reputable sites. I never give credit card info to those I don't know. If they won't accept PayPal then I don't buy from them. I don't click on links in emails that point me to financial sites. I always go to the site and navigate manually to the page that I need.

When it comes to physical transactions (ATM cards, Debit Cards, POS, etc) I check to ensure that the terminal is properly installed (as much as a visual inspection can do). I check to ensure that it's not a "face plate" over the real scanner that will capture my data. I ensure that I enter my PIN in a way that is not easily seen by others. I shred my receipts and other paper documents that may be used to steal my ID or financial data.

I take all of these precautions and still am in danger of being "tricked" into having my data stolen. This article from PC World points out that the crooks are getting better at getting our data. Of course this has been known for a long time, but now they have card terminals that are identical to those you use at WalMart and other stores. The only difference is that they have a circuit board that captures all card data. Then the crooks come back and get their terminals and your data.

Obviously this isn't easy and it takes skill and planning. It works because it looks and works the same. So now retailers and vendors have to step up their security to ensure that this doesn't happen. They have to develop and put measures in place to ensure that when a "rogue" terminal shows up on the network that it won't work. I don't know what they would be because I don't know the specifics of how they work, but I'm sure something such as encryption keys or activation keys that have to be entered prior to them coming online is a reasonable possibility. There must be some way of identifying each terminal and not allowing them to come online until they have been "approved" and entered in the system.
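The approval gate guessed at above, sketched as an added example (not any real POS vendor's mechanism; the registry, the serial numbers and the out-of-band key-injection step are assumptions): a terminal comes online only if its serial was enrolled, an administrator approved it, and it answers a fresh challenge with the key provisioned at enrollment.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Terminal:
    serial: str
    key: bytes          # per-terminal secret provisioned at enrollment
    approved: bool = False


class TerminalRegistry:
    """Back-end side of the gate (constructed). A terminal gets onto the
    payment network only if (1) its serial was enrolled, (2) an administrator
    approved it, and (3) it answers a fresh challenge with the enrolled key."""

    def __init__(self) -> None:
        self._terminals: Dict[str, Terminal] = {}
        self._open_challenges: Dict[str, bytes] = {}

    def enroll(self, serial: str) -> bytes:
        """Register a serial and mint its key; the key is loaded into the
        terminal out of band (key-injection room), never sent over the wire."""
        if serial in self._terminals:
            raise ValueError("serial already enrolled")
        key = secrets.token_bytes(32)
        self._terminals[serial] = Terminal(serial, key)
        return key

    def approve(self, serial: str) -> None:
        self._terminals[serial].approved = True

    def challenge(self, serial: str) -> bytes:
        """Issue a one-time nonce; a reply is only accepted for the nonce
        currently outstanding for that serial, so a captured reply is useless."""
        nonce = secrets.token_bytes(16)
        self._open_challenges[serial] = nonce
        return nonce

    def admit(self, serial: str, nonce: bytes, response: bytes) -> Tuple[bool, str]:
        """Decide whether the terminal may come online; returns (ok, reason)."""
        expected_nonce = self._open_challenges.pop(serial, None)   # always consumed
        term = self._terminals.get(serial)
        if term is None:
            return False, "unknown serial"          # rogue with a made-up serial
        if not term.approved:
            return False, "enrolled but not approved"
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False, "stale or unsolicited challenge"
        good = hmac.new(term.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(good, response):
            return False, "wrong key"               # cloned serial, no key
        return True, "online"


def terminal_answer(key: bytes, nonce: bytes) -> bytes:
    """Terminal side: prove possession of the key without revealing it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one approved terminal, one look-alike that copied
    the serial but not the key, one enrolled-but-unapproved unit, one stranger."""
    reg = TerminalRegistry()
    key_a = reg.enroll("POS-0001")
    reg.approve("POS-0001")
    reg.enroll("POS-0002")                  # shipped, not yet approved
    results = {}
    n = reg.challenge("POS-0001")
    results["genuine"] = reg.admit("POS-0001", n, terminal_answer(key_a, n))
    n = reg.challenge("POS-0001")
    results["clone"] = reg.admit("POS-0001", n, terminal_answer(b"guess", n))
    n = reg.challenge("POS-0002")
    results["unapproved"] = reg.admit("POS-0002", n, terminal_answer(b"x", n))
    n = reg.challenge("POS-9999")
    results["unknown"] = reg.admit("POS-9999", n, terminal_answer(b"x", n))
    results["replay"] = reg.admit("POS-0001", n, terminal_answer(key_a, n))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```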

The key here is that if we are going to win this war vendors have to design their products in such a way that the plug and play mentality won't work. Making things easy is great but it doesn't work. It makes us less secure and makes the lives of the bad guys that much easier.

Wednesday, May 16, 2007

10% of web pages host malware according to Google

Did you see the article about Google's research that said that 10% of web pages are hosting malware? Pretty scary stuff. Especially the part about most of it coming from banner ads and such. That means that the web site owner may not even know that they are hosting it.

Most of us aren't even fans of banner ads and this is another reason to not like them. I understand that the web site owners make money off of them and that allows them to do what they do without charging the site users a fee to visit the site, but we still just don't like banner ads.

Now for the security implications of this. Any time you post code on your site that points to another server you are opening yourself and your visitors up to potentially being compromised. How do web masters deal with this? What do they need to do to mitigate the risk associated with something like this?

Obviously the first thing is to do a review of the site that is being referenced as well as the code that they give you to put on your site. Then you have to be diligent to keep an eye on things to ensure that nothing changes over time. Just because it is (or appears to be) secure when you check it doesn't mean that it won't change.
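One way to do the ongoing check called for above, as an added example rather than anything from the original post: hash each third-party resource when it is reviewed, then re-fetch and compare on a schedule, flagging changed content that has picked up constructs worth a manual look. The sample page, host names and script contents are constructed; for a scheduled run the `fetch` argument would be a real HTTP fetcher such as `urllib.request.urlopen`.

```python
import hashlib
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample page: the site embeds an ad-network script, an ad
# iframe and a tracking pixel served from hosts the webmaster does not run.
SAMPLE_PAGE = """<html><body>
<script src="https://ads.example-network.test/tag.js"></script>
<iframe src="https://ads.example-network.test/banner?slot=7"></iframe>
<script src="/js/site.js"></script>
<img src="https://cdn.example-network.test/pixel.gif">
</body></html>"""

OWN_HOSTS = {"www.example-site.test"}   # hosts we control (constructed)

SRC_RE = re.compile(r'<(script|iframe|img)\b[^>]*\bsrc="([^"]+)"', re.I)
HOST_RE = re.compile(r'https?://([^/]+)', re.I)

# Constructs a plain banner script rarely needs but obfuscated injected code
# often uses; a hit is a reason for a manual look, not proof of compromise.
SUSPICIOUS = [r'\beval\s*\(', r'\bunescape\s*\(', r'fromCharCode',
              r'document\.write\s*\(']


def external_refs(html: str, own_hosts: Iterable[str]) -> List[str]:
    """URLs of script/iframe/img resources loaded from hosts we do not control."""
    own = {h.lower() for h in own_hosts}
    refs = []
    for _tag, url in SRC_RE.findall(html):
        m = HOST_RE.match(url)
        if m and m.group(1).lower() not in own:
            refs.append(url)
    return refs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_baseline(urls: Iterable[str], fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Hash each third-party resource at review time; keep this with the site."""
    return {u: sha256_hex(fetch(u)) for u in urls}


def suspicious_markers(data: bytes) -> List[str]:
    text = data.decode("utf-8", "replace")
    return [p for p in SUSPICIOUS if re.search(p, text)]


def check_resources(baseline: Dict[str, str], fetch: Callable[[str], bytes]) -> Dict[str, dict]:
    """Re-fetch every baselined resource and report what changed since review."""
    report = {}
    for url, expected in baseline.items():
        try:
            body = fetch(url)
        except Exception as exc:            # DNS failure, timeout, 404 ...
            report[url] = {"status": "fetch-failed", "error": str(exc)}
            continue
        if sha256_hex(body) == expected:
            report[url] = {"status": "unchanged"}
        else:
            report[url] = {"status": "changed", "markers": suspicious_markers(body)}
    return report


# Constructed contents "at review time" and "some weeks later": the ad tag
# has silently grown an obfuscated document.write of an iframe.
REVIEWED = {
    "https://ads.example-network.test/tag.js": b"var slot=7; renderBanner(slot);",
    "https://ads.example-network.test/banner?slot=7": b"<html>banner</html>",
    "https://cdn.example-network.test/pixel.gif": b"GIF89a-constructed-pixel",
}
LATER = dict(REVIEWED)
LATER["https://ads.example-network.test/tag.js"] = (
    REVIEWED["https://ads.example-network.test/tag.js"]
    + b"document.write(unescape('%3Ciframe src=%22...%22%3E%3C/iframe%3E'));")


def demo() -> Dict[str, dict]:
    baseline = record_baseline(external_refs(SAMPLE_PAGE, OWN_HOSTS), REVIEWED.__getitem__)
    return check_resources(baseline, LATER.__getitem__)


if __name__ == "__main__":
    for url, result in demo().items():
        print(url, result)
```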

Banner ads won't go away for a while so just as with everything else we need to be careful. Users need to be wary about what ads they click on. Stay away from those ads that take you to the "darker" side of the Internet. Stay away from those that go to places that you aren't familiar with. Just because it looks pretty doesn't mean that it is pretty.

Again I have to go back to education being a big part of the answer. Site owners have to be educated on how to operate a safe site and users have to know how to surf safely.

Tuesday, May 15, 2007

Time to think

I've taken the last week off from blogging and spent it focusing on my job hunt and career. I've spoken with several recruiters and friends. I've been on interviews and spent time online researching companies. Then on Friday we got a call from my wife's sister that she was ready to give birth so we went to Ohio for the weekend and saw our new nephew. We just got back in late last night and I'm ready to start the week off with more interviews and calls to potential employers.

I didn't pay much attention to the news in the security space last week so I don't have much to say about anything along those lines. What I do want to talk about is the importance of being prepared for something unexpected. As security professionals we often spend our days doing our best to mitigate risk, prevent breaches from occurring and be prepared in case they do occur. Many times it can take all of our time just to do this and when we get home the last thing we want to do is spend time on our career focus. So our resumes go untended and don't get updated with our latest accomplishments and achievements. We don't spend time developing other aspects of our career such as learning a technology that we don't use in our day to day work, learning a different aspect of security such as Risk Management, system assessment, policy creation, etc... Things that help make us a little more well rounded.

I say this because I have done some of this and some I haven't done. My resume was up to date and that was a big time saver since I had people requesting it right away. I have tried to learn new things but obviously I can't learn it all. As I've been looking at positions and talking to recruiters and hiring managers I realize just how much I don't know. It puts into perspective just how big the security space is.

In this day where layoffs are commonplace and companies are outsourcing jobs more and more it is wise to be prepared. To know what you want to do today and in a few years. Do you want to move in a different direction down the road? If so you had better start preparing now. If you don't you will not be ready when you are ready to make a move.

One of the things that I'm doing to prepare for the future is working with Michael Santarcangelo. He has a program called "Career Compass" that helps you to focus on what you want out of a career and where your strengths are. Hopefully I will have a new job before I've completed this but I know that it will be beneficial for the future. Even though I know where I want to go this will help me to focus more and take the right steps.

So my advice for the day is "be prepared". Take some time to update your resume and think about your future. Then start taking steps to make your future a reality.

Tuesday, May 08, 2007

When Things Don't Go As You Plan

Last week the company that I worked for hit a major road block that threw it for a loop. It really hurt financially and caused them to go into "emergency survival" mode. Part of that involved cost cutting and layoffs. Yesterday I became a casualty of the cutbacks. My boss called me in at 4:00 and told me that he had pulled all the strings that he could to save my job, but had lost the battle. I saw it coming. I knew last week that it was a possibility so I started getting my house in order. Then yesterday morning when I came in I knew that something wasn't right. I could just feel it and I was right.

A few things happened that made me smile in spite of the "dreariness" of what was happening. First, it was obvious that my boss was not happy to have to lay me off. He told me that he had spent the last 3 days working every possible angle to prevent this from happening. Once he realized that he couldn't win he started working his network, calling people and telling them that he had someone that they needed to hire. He called about 15 people trying to either get me another position or get some leads for me.
Second, as we left his office and went to my cube to collect my laptop my phone rang. It was a local Recruiter calling to talk to me about a position that they needed to fill. I have an interview tomorrow at 4:00. :)
Third, my only cell phone is a Blackberry that the company provides and pays for. He agreed to let me keep it for a couple of days while I got a new phone and transferred my number. One thing that he had to do though was disable my network and email account and then he was going to initiate an "erase" of my Blackberry via the Blackberry Enterprise Server. So he disabled my account and sent me a test email. It appeared on my Blackberry. He then told the BES server to erase my Blackberry. Nothing happened. He tried it again. Still nothing. This went on for about an hour as I was packing my office. He eventually gave up and just deleted my account from the BES server so I couldn't send or receive email on the Blackberry. Even the network didn't want me to go. :)

Anyway, I'm looking for a position if any of you are hiring or know someone who is. I'm in Atlanta, GA and that is the place that I'm looking first. I'm open to relocating also. Lexington, KY or Cincinnati, OH are my first choices, but I would consider other locations as well.

Here is a little about my work experience. I'm a CISSP, and my background is networking and security in a Windows environment. I'm experienced in WAN and LAN technologies, project management, team leadership, working with vendors from first meeting to negotiating contracts, physical security, systems analysis. I'm experienced in dealing with end users and Upper Management.

Hopefully you already realize that I have a passion for security and making it understandable for everyone. I like talking about security and helping others see it from a different perspective if possible. I also want to help those in the security profession understand their users better and learn how to relate better to them and understand where they are coming from.

Thanks for letting me "ramble" and I'd appreciate any help that any of you can give me. I'll probably post my resume online soon and I'll post a link here once it's up. I'd also like to say thanks to the guys in the TCC of the Security Catalysts Community for all of their words of support and encouragement during this time.



Thursday, May 03, 2007

No one is exempt

I ran across this article this morning. The author and some people he interviewed seem to have been under the impression that corporate networks were almost immune to bots and similar malware. At first I thought "how naive" but then I remembered that I used to think that also. That is until I thought about all the different attack vectors that a network is susceptible to.

Years ago, when malware was sparse, a firewall and AV software was all many companies (even large ones w/ big budgets) needed and used. Viruses popped up from time to time when someone took a floppy disk home and got it infected and then used it at work. Then email started being used more frequently to spread them but they were mostly limited to doing little "real" damage and could be contained fairly easily. The malware writers got smarter and the advent of the Internet as a critical tool of business for both home and business use raised the stakes.

Now a corporate network can be secure at the perimeter, secure at the end point (as secure as is reasonably possible) and secure on the wire, yet still be open to attack from many points. Machines can get infected and the protections in place are often totally in the dark that anything has happened. You can get infected by doing things you shouldn't be doing and you can get infected by doing things that aren't inherently dangerous (browsing a legitimate site that has been compromised). The corporate network may be adequately secured to prevent this (at least we like to think so) but your home network, the coffee shop, the book store and other open wi-fi hot spots are ripe for the picking. These are the places where many users get infected and then they often bring the infection back to the office.

I'd dare to say that most corporate networks are not equipped to notice this unless something really unusual happens to trigger an IDS/IPS or they happen to stumble across it. Michael at mcwresearch gives us a great example of this. I also tell a story here of a time when I "stumbled" across something at a client site.

This is what is so scary about today's malware. It's easier than ever to get infected and harder than ever to be detected. That's why it's so important that security professionals continue to work diligently in all areas to protect their little corner of the network and Internet. Everyone from the Security Researcher down to the desktop guy is important in the fight. No one is better than anyone else and no one is more important than anyone else. We all have to work together if we ever hope to win this battle.

Wednesday, May 02, 2007

The ineffectiveness of technology solutions

Amrit thinks that user awareness training is a waste of time and money. I think he is wrong. I think ineffective user training is a waste of time and money. I also think that if we follow his line of thinking on this that we should abolish user training and all technology designed to secure our networks. After all we spend lots of time and money on them and they still have vulnerabilities that allow the bad guys access to our systems.

I know he has been listening to lots of people gripe about "stupid users" lately and he has experienced his fair share of them in his life. I know I have and they are very frustrating. But statements like his regarding it being a waste are VERY unproductive. He said "As security professionals let’s focus our efforts on developing, defining, and implementing technical and procedural controls that are transparent to the end user and have as limited an impact on their computing experience as possible," That's all fine and good, but it's not something that we can all do. Not all of us are in positions where we can do these things, but most of us are in a position to teach someone how to be more secure. Not to mention that until the time comes that we have these "technical and procedural controls" in place we still have users who need to be trained. It's unreasonable to think that a session (probably quite boring) of UA training and a few emails, posters, and (more boring) documents to read will change a behavior that has been going on for years.

User Awareness training has to be relevant and interesting in order to be effective. Different people learn in different ways and to expect them to all fit into the same mold is unreasonable. We adapt spam filters and firewall rules and IDS/IPS signatures to various attack styles, why aren't we willing to adapt UA training to various learning styles?

Now all that said I do want to be fair and let Amrit finish the quote above. "that doesn’t mean that no awareness training should be performed but in an enterprise it should probably consume 1% of 1% of the total security budget, of which on average is 4-8% of total IT budget." He isn't against user awareness he just doesn't like the current state of it and thinks that there are better ways to spend time and money. Fair enough. I just think that before we go off making statements like this in a public forum we need to think about them more.

Finding bots and learning from them

Michael at mcwresearch.com has a good post about finding a bot infected machine on his network. He outlines how he was alerted to the problem, the steps he took in investigating it, how it was resolved and lessons learned. Go check it out.

Tuesday, May 01, 2007

Tip of the Day - Write it down

I don't plan on making this a daily habit, but a few things have crossed my mind and keyboard lately that have made me want to write about something that is often overlooked. One of the things that started this was a thread on the Security Catalyst Community about password policies. A comment was made about the need to use different passwords for different service accounts, the need for complexity, using things such as PWSafe to keep them organized etc... Then the comment was made:

"Need I say that you should NOT write them down anywhere."

I replied that writing them down is a good idea as long as they were secured in case of emergency. In this particular case the guy who started the thread is the only IT guy for his company. The loss of these passwords could prove costly to the company. I know of a couple of instances where the lone IT guy left under bad circumstances and refused to tell anyone the passwords for the systems. They were able to recover them, but it wasn't easy or cheap.

Then this morning I was looking at the SANS @Risk Newsletter and it listed all the vulnerable apps. As I was looking at the list it occurred to me that many of these were small apps that are often installed unknowingly w/ other software or they are small apps that you install and forget about. If these do not have auto update features then when they become vulnerable you are at risk and won't even know it. Having a list of ALL apps on your system and doing regular Google searches for updates or checking their web sites for them is a good idea. If you don't write them down then you won't remember them and they will remain unremembered or at least you won't think of checking for updates.

Using things such as the freeware Belarc Advisor (free for personal use only) will greatly simplify your search for installed apps. There are also others out there that will give you a good snapshot of just exactly what you have installed.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.