Security's Everyman

Monday, September 24, 2007

Where has the time gone?

I can't believe that I only posted one thing last week. The 2 or 3 weeks prior to that weren't much better either. I haven't been overly busy just nothing has caught my attention enough to blog about. My days at work have been full and my attention has been focused on several projects that I'm working on, but not any busier than usual. I guess it's a case of bloggers block.

I've another personal story of sorts along the same line as last week's "flat tire" post. This weekend I was turning onto a main road and went to wave at the car that let me in. As I waved my hand hit the frame of the door and I dropped my new Blackjack cell phone. Of course the car behind me didn't see it and ran over it. :( Believe it or not it still works, sort of. The LCD screen is less than usable and people say that it has lots of static when I talk. So needless to say I'm looking for a new phone. I had to revert to an old Nokia that I had from 2002. It only works on 850 band networks so at least I get coverage even if it's less than stellar.

Tomorrow I leave for Cincinnati, OH to spend a few days in Cisco training. I'm going to their MARS class to learn how to get the most out of it. I've got friends up there and am looking forward to spending time with them and catching up on all that's going on.

In terms of information security (I guess I should write something about it). :) XSS and CSRF have been dominating my thoughts lately. I'm not sure just how many sites, especially ones that are commonly used by me and those I know, are actually affected by these. I do know that lots and lots and lots and lots of sites are vulnerable and that bothers me. It bothers me because they still haven't been fixed and it bothers me because that means that there are lots of opportunities for them to get pwned and for others to get hurt by them. I've been reading Jeremiah Grossman, RSnake, and other sites about it. Jeremiah and RSnake did a good job of talking about them at BlackHat and on a webinar that was sponsored by WhiteHat Security. Paul and Larry of Pauldotcom Security Weekly have a really good discussion about it in episode 82 of their podcast. Then of course there is the latest news about the Google "Unholy Trinity" that was made public today. I haven't had time to really delve into it, but I hear that one of the affected things is their poll plug-in for Blogger. So I'm not going to put out a poll this week just to be safe.

Well, I'd better get to packing for the trip. Hopefully this will clear my mind and refresh my blogging spirit so I can get back to regular posting.

Monday, September 17, 2007

Would you buy Security from this guy?

My good friend and local Atlanta resident Mike Rothman has announced the pre-sale of his new project "Security Mike's Guide to Internet Security". This is good news for the mom and pop computer user.

I have not actually read the book yet, but I know Mike and his passion for security and his knowledge of how to secure a system. I know this will be well worth the cost. Shoot, just one "non-call" from your friends and family will more than pay for the cost of the book.

You can find out more here, here and here.

Systems Maintenance

I mentioned yesterday about the importance of maintaining your systems. Things like keeping your AV, HIPS, OS Patches, software, etc... up to date. If they are left alone in time either a vulnerability will be found in them or someone will break them.

It's also important for companies to realize that just because something is old and not widely known anymore doesn't mean that they can ignore it. Here is a perfect example. A 13 year old boot sector virus was shipped on MS Vista laptops with AV installed on them. The virus got past all of Vista's protections and the AV scanner missed it. I don't know the details, but it sounds like it's a case of the forgotten virus coming back to bite you in the boot sector. :)

Microsoft "Patch Hole" Poll

Here is this week's poll.

The Microsoft "Patch Hole"

1) Big deal that must be closed
2) Not a big deal, let it be
3) I'm a Mac
4) Linux rules!

I'll tell you my vote right up front. This is a big deal and Microsoft must close it. This is nothing less than a back door into our systems. It is irresponsible for any company to do something such as this. In this day and age with hackers being smarter than ever there is NO excuse for this.

Security Purchases Poll Results

Voting was way down this week. Either it was a lousy question or not enough people voted early on and forgot about it. It could also be due to my lack of posting last week. I know traffic to the site was down.

Here is the question and answer choices:

In your Organization are most security purchases based on

1) Reaction to an event or scare 30%
2) Cool Toy "C" level wants to implement 13%
3) Careful Research 30%
4) Good sales pitch by vendor 17%
5) Other (Please leave comment w/ details) 8%

I was glad to see that careful research was up at the top. It wasn't as high as we would like to see it but at least it tied for first. The fact that many purchases are based on a "reaction" isn't surprising but a little disturbing. It's sad that many companies won't take reasonable steps until something bad happens then they often end up buying the wrong solution or buying something that isn't the best fit for their environment.

I also wanted to thank Alex and Dr. Anton for pointing out a couple of options that I left out. I had them in my mind when I wrote the first option (Reaction to an event or scare) but failed to put them in their own category. They are Risk reduction and compliance. Two of the biggest factors in our decisions (or should be) and I forgot them. That's what happens when you try to do something quickly.

I'll have a new poll out shortly. I know you can't wait. :) Please vote this time!!!!!

Sunday, September 16, 2007

Travel, training and technology

Over the last couple of weeks I've been to two different "free" one day classes. The first one was put on by TechTarget's Searchsecurity.com and focused on Data Protection and Storage. It consisted of 3 or 4 sessions talking about various aspects of securing data and a couple of round table discussions. This is the second free TechTarget seminar I've been to and I have to say that both of them were pretty good. Especially for the price. :) They both have been informative and I've either learned something new or they spurred some thoughts and ideas that have proven to be helpful to me.

The second class was done by Foundstone. It was a one day mini class of their Hacking Essentials class. The presenter was Carric Dooley and he spent the day covering basic hacking essentials. He discussed some of the threats, attack methods and ways we can protect against them. It was a good day but I don't think that I really learned anything new. Again, it did spur some thoughts and I met some good people that I look forward to getting to know better over the next few weeks. I must say I'm glad that Carric is on the good guys' side. He is a smart guy that I wouldn't want trying to break into my network.

Hopefully I'm going to be in Cincinnati for a couple of days the week of the 24th. I'm planning on taking some Cisco training up there. If anyone is in the area let me know and maybe we can meet up. Then in October I'm going to Orlando for a day or two to meet with the other members of the Symantec Advisory Council and some of Symantec's team, including John Thompson. That will be a whirlwind trip, but hopefully it will be beneficial. The Symantec Council has been pretty much inactive since the beginning but they now seem to be on the road to getting it going. I know that Santa members who are also members of the will be there and I'm hoping that a couple of my buddies from the SCC will also be there. Michael Farnum, Alan Shimel, and Kurt Wismer are all SCC members who are also on the Symantec Council. I'm not sure if they will be there or not but I hope that they are so we can meet face to face. I've enjoyed the interaction I've had with them in the SCC and via email and our various blogs.

Lots of exciting things going on in the next few weeks. I hope that I have time to update you on what's going on and add insight as I can.

When It Rains It Pours

It's always good to be prepared. I try to be prepared for situations that may arise both in my professional and personal life. I look at potential threats and issues that may arise and see what I need to do to be prepared. That's part of any good security program. Having controls in place to prevent a breach or reduce its impact is important in securing a network, web site or application. Doing preventive maintenance on your systems (patching, monitoring, etc) will help ensure that they are in shape to prevent holes that can be compromised.

Similarly at home I check for leaks around windows and doors, change my HVAC filters, and maintain my vehicles to ensure that they run properly. There are many, many things that need to be taken into consideration to ensure that you prevent problems and are prepared in case they occur.

On Friday I had an incident happen that I wasn't prepared for. I had left work about 2:45 in the afternoon to ensure that I missed the bulk of the terrible Atlanta Friday afternoon traffic. I'm traveling up the interstate when I hear a loud roar coming from my Jeep. I immediately turn off my radio and start checking for smoke or flying parts in my rear view mirror. I quickly pull to the side of the road and discover that I have a flat tire. So I get out my jack and lug wrench and start removing the flat tire. I get it off and grab the spare (one of those crappy temporary tires) and the first thing I notice is that it is also flat. Oh yeah, I forgot to mention that by this time it is now raining VERY hard. So I'm getting soaked while changing one flat for another.

I go ahead and put the spare on and then walk back to the driver's side of the car to get in. I had forgotten that my window was down so now my driver's seat is also soaked. I then call the Georgia Department of Transportation to inform them of my situation. One of the good things about living in Atlanta is that they have incident response trucks to assist stranded motorists. After about a 45 minute wait my HERO (Highway Emergency Response Operations) arrives and puts air in my tire and I'm on my way home. Of course now I have to sit in traffic because by this time it's about 4:30.

So, what did I learn? It's the little things that can bite you. Not keeping an eye on the air pressure in my spare cost me time and a headache. What is there at work that is possibly being overlooked that may come back to bite me in the butt? Unfortunately I don't know what it is right off but I'm going to start looking at those little things a little closer.

Tuesday, September 11, 2007

Security boundaries

A constant struggle many of us face is getting users to understand that security does not stop at the firewall. That mindset is so ingrained in users that they just can't grasp how something that is not directly exposed to the internet needs to be worried about. Then when we finally convince them that we still need to worry about the security of internal systems they tell us that their systems aren't vulnerable because the users can't get to them w/o going through 2 or 3 different authentications or levels of security. What they fail to realize is that even though we have defense in depth we still have to protect everything.

This came up this week during a change control meeting. The last few meetings there have been lots of requests for new reports that have to be created and put out for the users to access. I asked them if these reports were viewed via a locally installed app or a web browser. That's when they started on about how it didn't matter because the database can't be directly accessed. They just couldn't grasp the concept that if the web server being used as the front end was compromised it was just a matter of time until the back end was compromised. Even though I explained it 6 ways to Sunday they had a mental block that kept them from grasping it.

That got me to thinking about how important internal controls are to an organization. Even if you don't have malicious users who will hack you from the inside you still have users who don't understand the dangers and may get you through ignorance. If we don't have sufficient internal controls in place to prevent "accidents" then we might as well take down our firewalls. Security needs to be implemented at every level and not just at the "high" points. In a perfect world we would all have the money and support to protect everything with the best technology possible. We don't live in a perfect world so we have to be pragmatic about how we decide where to spend our money and energies. We have to focus our resources on what is important and not just what is sexy, cool, or the hot topic of the day.

Sure we need to protect our perimeter. We need to have firewalls, IDS, IPS, DMZ, etc... but we can't let our focus be lost there. We can't limit our internal controls to AV and OS patches. We have to take a good hard look at what we are doing inside our perimeter and how we are ensuring that the good guys don't hurt us unintentionally and that the bad guys have a harder time getting to the company jewels if they get in.

Scanning, monitoring, ACLs, VLANs, HIDS, etc... All of these are key to an overall security program that will help keep your data, systems and users safe. Knowing what is going on in your network will help you to know how to best protect your assets. Ensuring that new systems and technologies (hardware or software) are secure prior to being introduced on the network will go a long way to preventing accidents.

We often focus on scanning the perimeter to ensure that we can't get in but we neglect to scan the interior to ensure that the same vulnerabilities aren't present on the inside. An XSS or SQL Injection vulnerability that can cause problems on the outside is also a place for problems to exist on the inside. Just because we have multiple layers of defense doesn't mean that we ignore some areas because we feel that the rest is secure enough. Once someone gets a foothold in the ignored area it's just a matter of time until they are able to move to the next.
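To make the "internal web front end, database back end" point concrete, here is an added example (not code from the original post or from the author's employer) of the kind of report lookup those change requests describe. The table, column names and sample rows are constructed for illustration, and Python's standard sqlite3 module stands in for the back end database. The first lookup pastes the browser-supplied report name into the SQL text, so a tautology in that one field returns every owner's report; the second binds the same values as parameters. The two render helpers show the matching fix for XSS on the way back out: the report title is HTML-encoded before it is placed in the page.

```python
"""Internal report lookup: SQL-injectable version beside its parameterized,
output-encoded replacement. Added example; all data below is constructed."""
import html
import sqlite3

# Constructed sample rows standing in for an internal reporting database.
# In the scenario each user should only ever see their own reports.
SAMPLE_REPORTS = [
    ("alice", "q3-sales",   "Q3 Sales",        "regional totals"),
    ("alice", "q3-returns", "Q3 Returns",      "return counts"),
    ("bob",   "payroll",    "Payroll Summary", "salary bands"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (owner TEXT, name TEXT, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?, ?)", SAMPLE_REPORTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str, name: str) -> list:
    """The 'it can't be reached from outside' lookup: the report name taken
    from the browser is spliced straight into the SQL text. The database is
    never exposed directly, but the web tier hands it attacker-shaped SQL."""
    sql = (
        "SELECT owner, title FROM reports "
        f"WHERE owner = '{user}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user: str, name: str) -> list:
    """Same query with bound parameters: the values are sent to the driver
    separately and are never parsed as SQL, whatever characters they hold."""
    sql = "SELECT owner, title FROM reports WHERE owner = ? AND name = ?"
    return conn.execute(sql, (user, name)).fetchall()


def render_vulnerable(title: str) -> str:
    """Report title dropped into HTML untouched (reflected/stored XSS)."""
    return f"<h1>{title}</h1>"


def render_hardened(title: str) -> str:
    """Report title HTML-encoded, so markup in the data stays data."""
    return f"<h1>{html.escape(title)}</h1>"


if __name__ == "__main__":
    db = build_db()
    # A report name that turns the WHERE clause into a tautology.
    odd_name = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, "alice", odd_name))  # all 3 rows
    print("hardened:  ", lookup_hardened(db, "alice", odd_name))    # []
    print(render_vulnerable("Q3 Sales & <Returns>"))
    print(render_hardened("Q3 Sales & <Returns>"))
```

The interior scan the post argues for is the step that finds the first function; the second function is what the scan should be verifying is already there. Note that the hardened lookup returns an empty list for the odd report name rather than an error, which is the behaviour you want from an internal app: unexpected input is simply a report that does not exist.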

Remember, security is a 360 degree process. It doesn't focus on just one area or even just a few. It looks at the whole environment and starts at the key areas and grows out and in from there. It encompasses technology, policy, process, procedures, education and maintenance. Don't forget maintenance. Without that even the most secure environment will eventually fall prey to decay and advancement in hacker skills and newer technologies.

Monday, September 10, 2007

New Poll is Up

I just put up my new poll for this week. Here are the question and answers to choose from.

In your Organization are most security purchases based on

Reaction to an event or scare
Cool Toy "C" level wants to implement
Careful Research
Good sales pitch by vendor
Other

If you select Other please leave me a comment and let me know how your company decides on what to buy.

Information Security Poll Results (SPAM)

The poll regarding SPAM and who has done what has ended. Just as a recap here is the question and the answer choices.

Have You or anyone you know actually bought something sold via spam or gotten a virus due to clicking on a malicious email link?

Yes, I bought something. (0%)
Yes, I know someone who bought something. (7%)
No, I have not bought anything nor know anyone who has. (45%)
Yes, I have gotten a virus via a malicious email link. (11%)
Yes, I know someone who has gotten a virus via a malicious link. (54%)
No, I have not nor do I know anyone who has gotten a virus via a malicious email link. (27%)

Obviously the totals add up to more than 100% because you could choose more than one answer.

I like the honesty of those who admitted to getting a virus because they clicked on a malicious link. That's something hard to admit especially when you are in IT or Information Security.
What is really interesting is that only 7% of you even know anyone who has bought something via SPAM. It still boggles my mind that anyone would actually buy something from a complete stranger because they received an email. Just think of the possible dangers. 1) You have now given them your address. 2) You have given them your Credit Card or Bank Account information. 3) Even if they don't do anything malicious w/ the first two you are taking the chance that they will bill you and never ship the product. Unless you are using a 3rd party that guarantees you some sort of protection you are out that money. I guess though that if 7% of all SPAM that is trying to sell you something is acted on that is a whole lot of sales. I don't know what the average actually is but I'd venture to guess it is quite a bit less than 7%.

That is bad enough but to me the real danger here is the potential of getting your machine infected or owned by clicking on a malicious link in an email. Getting a traditional virus or worm is bad but today the real likelihood is that you will get botware that turns your PC into a SPAM bot or allows it to be used for other nefarious purposes. Worse than that is getting a rootkit or keystroke logger that is used to steal your identity and all of your user IDs and passwords for online banking, trading, etc... This can really cause nightmares in real life.

Thanks again for taking my poll and I'll have another one posted soon.

Sunday, September 09, 2007

Security Catalyst Community

I know that many of you that read my blog also read Michael Santarcangelo's blog and are members of the SCC. For those who didn't get the word and for those who forgot :) I wanted to remind you that the SCC web address has changed. Now to get to the SCC you need to go to:

www.securitycatalyst.org

The look has changed somewhat but the functionality and content are still the same. I encourage all of you to check it out and give serious consideration to joining. Those who participate quickly learn that this isn't just another forum. It's truly a community where people are excited about changing the way we do information security and how we protect data. I don't think you will be disappointed.

Tuesday, September 04, 2007

Being a CISSP

There is a lot of talk around lately about the CISSP and its value as a certification and how it compares to other security certifications. Martin (here and here), Michael, Daniel (here and here), and Rich have all chimed in and I'm sure others that I've forgotten about. The common theme is that each cert has its own value and that value differs for each person.

This post is not about whether or not the CISSP is the best certification as some think it is. It's not about whether or not it's technical enough or whether or not it still holds value as some have argued for and against. This is about what being a CISSP means to me and how it has helped my career.

I first decided about 3 years ago that I wanted to become a CISSP. At that time I was still doing lots of hands on technical work and was spending my spare cycles learning technology and decided to hold off on pursuing it. Around January of 2006 I decided that it was time to start getting serious about pursuing a vendor neutral security certification. I took a long hard look at what I felt would help my career the most. I was considering the CISA, CISM or the CISSP. I talked to people who held these certs and some who held a couple of them. I asked them about what value they held for them, how they felt that they benefited from them, what was involved in getting them and so forth. I also did lots of research on them and felt that the CISSP was the cert that held the most value for me.

I must admit that when I got the email telling me that I had passed the test I was VERY excited. Even though at that time I had talked to a few people who are CISSPs and they were very unhappy with ISC2 and the direction that they felt the Organization was heading. For me it was a big deal. It was the culmination of lots of hard work preparing for the test (plus it meant that my employer would reimburse me the $600 test fee). It meant that I now had a leg up on some jobs that I would not even be considered for without either the CISSP or the CISA or CISM.

Whether or not you feel that it has merit, value or is a big waste of letters it has been very good for me. It has gotten me interviews that I would not have gotten otherwise. When I was laid off in May of this year the recruiters were knocking down my door to talk to me because of those 5 little letters after my name. It also played a big part in getting me the job that I currently have. They were looking for someone who was a CISSP. That was one of their requirements even if they weren't really sure why. If I had been a CCIE I may have gotten another position with the company but not the Security Manager position.

So being a CISSP has been very good to me. I'm still proud of the fact that I hold this certification and that it opens doors for me. I'm proud that being a CISSP still does mean something in many circles (even if they aren't all security circles). I'm glad that I chose the CISSP over the other 2 I was considering. Unless something drastic happens in the next few years I will make sure that I pay my yearly dues and get my yearly CPEs to maintain it. I hope that those who have concerns about the ISC2 and its direction get some answers that they like and that the CISSP continues to hold value to all that obtain it.

The CISSP is not the cert for everyone. It depends on what your career goals are and where your interests in security are. It may be the best thing that you do for your career or it could be just another bunch of letters after your name. I think a lot of its value depends on you and how you use it.

E-Cards are evil!

Ok, maybe they aren't evil, but they are pretty scary. I arrived at work this morning after a 3 day weekend to discover that an employee had sent an e-card to lots and lots of our users. We have about 5000 employees most of which have an email account. The user doesn't have access to the global email group but was able to send it to a lot of people by selecting different groups that they did have access to plus individual accounts.

As I said, when I saw the e-card in my inbox and noticed that it had also gone to lots of other users I got that sinking feeling in the pit of my stomach. My initial reaction was to send out an email to everyone telling them not to click on the link to view the card. Then I noticed that the card was sent Friday afternoon around 3:30. Too late. If this was malicious then the damage was already done. The good news was that I had not heard of anything going awry over the weekend. Of course, since lots of people cut out early on Friday there was a good chance that this morning would be the time to fear.

Before I reacted rashly I decided to check out the link to see if it was malicious or not. I did a search on the e-card company. It was one I was not familiar with. Nothing bad came up. I then went to the site and looked around. It looked OK. Then I took the next step and put in the e-card number to view it (all of this was done in a safe environment). Whew, nothing evil appeared. It was a Thank You card for something that the company had done for her.

Of course there is a "dark" side to this. We don't state in our email policy that it is against the rules to send e-cards but we do state that email is to be used for "business purposes". So the user did "break policy". What is really bad though is this.

  • By doing this the user (who has a supervisory role) has told their subordinates and others that it's OK to do this thus increasing the likelihood of others doing the same.
  • By doing this they are teaching the users that clicking on an e-card that seems to come from someone you know is OK, even at work.
  • By doing this they are reducing the effectiveness of company policies. (Unless something is done which is out of my realm of responsibility).
Something so seemingly innocent and nice really has a negative effect on information security. A simple email saying thanks would have sufficed and would have been much less damaging.

The good thing is that this will give me opportunity to ensure that this and similar issues are addressed in a way that ensures that all understand the importance of following policy and practicing safe computing. Plus it will add to my UA Training listing.

Monday, September 03, 2007

Spam Attack

This weekend my wife and I took our 2 girls to the Atlanta Children's Museum. They had a special exhibit that was a recreation of Sesame Street. Both of our girls watch Sesame Street and of course my wife and I both grew up watching it. We were pretty excited about taking the girls to see and experience it. When I was checking into it I was kind of surprised to see that tickets were $11 each for everyone over 2 years old. That meant that we had to buy 4 full priced tickets. I had a feeling that it wouldn't be worth $44 but it was for the girls so I was willing to do it. It did turn out that it wasn't worth it. It would have been better if we hadn't found out how to get to Sesame Street.

We got there and it seemed like every kid in Metro Atlanta was there. Plus they each had at least one if not both parents there. My wife described it as "stay at home mom hell". Kids were running around everywhere screaming, laughing, pushing, shoving and just generally acting crazy. Just like kids are prone to do.

I was checking my email over the weekend and I noticed that not only was I getting lots of spam but lots of spam was getting past my filters. That meant that when I was checking my email I was having to sort through lots of JUNK! People wanting me to act as their US representative and share millions of dollars with them. I've won the UK lottery at least 25 times in the last month. Enough grass seed spam to turn the earth into a "lush tropical paradise". I could even grow hair on Santa's head. :) Then there are all these people who think that I need to be a few inches taller. I just don't understand.

Then it hit me that our experience at the Children's Museum must be similar to what an email server experiences with all that spam. (OK, I know I'm really reaching here but it did occur to me) The museum was set up in a particular way to handle a certain number of kids in an organized fashion but when the attendance exceeds expectations then chaos occurs. Just as an email server is set up to do a specific function and then you add a spam filter to help keep out the junk. As email comes into the system in greater quantities it makes it more difficult for the system to function as it was designed. Just as kids run amok and cause chaos all of the spam causes chaos on the server. Then spam gets through the filter and into your inbox.

Then just as with more and more kids running around someone is bound to get hurt. I saw 2 or 3 minor injuries occur and one of them involved my youngest. I didn't see it but my wife told me that a mother knocked her down and turned and said sorry and went on chasing her kid. As more and more spam gets through our filters the likelihood of someone acting on one of them increases and as that increases the likelihood that a virus, worm, rootkit or keystroke logger is going to get installed on your network or home system.

Unlike the museum where I at least understand why parents bring their kids there and allow them to run amok I still don't understand why people actually act on these emails. Why they buy stuff advertised in them. Why they click on links promising them great pictures, the latest movie, the best price or the greatest deal on improving their whatever.

That leads me to this week's information security poll.

"Have You or anyone you know actually bought something sold via spam or gotten a virus due to clicking on a malicious email link?"
A. Yes, I bought something.
B. Yes, I know someone who bought something.
C. No, I have not bought anything nor know anyone who has.
D. Yes, I have gotten a virus via a malicious email link.
E. Yes, I know someone who has gotten a virus via a malicious email link.
F. No, I have not nor do I know anyone who has gotten a virus via a malicious email link.

In this poll you will be able to choose more than one answer so please answer all that apply. If you do have a good story to tell please take a moment and leave me a comment about it. I'm sure some of you have great stories to tell.

Friday, August 31, 2007

Information Security Poll

My latest information security poll was a hit with y'all. It received more votes than the other 3 combined. I was very pleased to see the response. I have to admit that I did solicit a couple of votes towards the end of the poll. I was in a chat room with some of the other members of the Security Catalyst Community and since I was just a couple of votes shy of 100 I asked any of them who hadn't already voted (and shame on my friends for not being the first) :) to go ahead and vote to push me over the 100 vote mark.

I have to admit that I am quite surprised at the results. I honestly expected about 95 to 98 percent of the votes to go to the last 2 options (Slightly or None). While they did receive the majority of the votes it was only about 73% of the total vote. The second option (Mostly) received about 26% of the vote and the first option (Completely) received 1% of the votes. My first glance says that some of you were not being completely honest (yes I'm talking to you who voted for option 1). But then Cutaway pointed out to me that there were a couple of different ways to interpret the question and the response could vary depending on your interpretation. As I looked back at the question I see how that could be so I take back what I said of you who voted for option 1. :) Then there is the possibility that those of you who voted for option 1 were talking about yourself. Maybe you are your user.

If the results of this poll really do show that a full 26% of you trust your users to act securely and there was no misunderstanding of the question then that is quite encouraging. It tells me that y'all are doing a good job in getting the message of security out to your users and that they are listening. I would love to talk with some of you about what it is you are doing that is working so well for you. Please drop me a note either in the comments or via email.

As usual I don't have a question for the next poll yet, but I'll have something in a day or two. Monday is a holiday here in the US so it may be Tuesday before I have something up. I'm hoping to spend most of the weekend enjoying spending time with my Wife and daughters and not blogging or coming up with another poll. Yet, you never know. I am up earlier than them most of the time and that's when I try to catch up on reading and blogging.

Thursday, August 30, 2007

Where Does the Buck Stop

Dr. Anton asks the question "Where do you draw the line: Security Responsibility?" Well this time the answer isn't "It depends". The way I read the question after reading his post is, Where does the buck stop? The buck stops here. It stops with us. It is our job to secure the environment and part of that job is to ensure that the users know how to practice security.

It would be ridiculous for IT or Security to have 100% responsibility. If we did then things would be locked down so tight that the users couldn't get anything done. If we gave them all of the responsibility then we might as well pack up and go home. That is unless you want to spend your days playing PC clean up or pushing out new Images every few days.

We shoulder most of the burden. It's our responsibility to make sure that the systems are hardened, that the controls are in place, that the policies (both written and system) are effective, and to get as much information to the users as possible so that they can do their job (and even their play time) securely. If you have done all you can with what you are given and a system gets owned then it's not your fault (your boss may think otherwise, just tell them to talk to me). If you haven't done all you can and you get owned then it doesn't matter what the user did, you are responsible. Users are like little children. We can't send them out into the big bad world without preparing them and expect them to escape unscathed.

So how does Dr. Anton's equation really look? Probably something like Security=85%, IT=10% and Users=5%. We build the security program, create the policies, train the users (and IT), set the rules. IT follows the policies and procedures that come from us. They build the systems according to spec and ensure that the infrastructure works as it should. Then the users do their part and play it smart and safe. Then we are all happy, safe and secure. That is a recipe for information security a la mode.

Staying Fresh

Rebecca Herold has a good post on her blog about keeping your security, privacy, or compliance program fresh. She makes a good analogy between how your program can slowly become ineffective over time due to lack of attention and how running shoes can slowly become less effective over time. I can't relate to that because I bought my new running shoes in April and they haven't had as many miles put on them as hers get in one day. Try as I may I just can't get into a running frame of mind.

I've seen first hand how programs start strong and slowly erode or die over time. They don't get the TLC that they need to stay alive. They are put in place to satisfy an audit or a new boss and then they end up in a closet or on a shelf only to be given a passing glance from time to time.

I recently did a review and update of security policies for a company. What they had was between 4 and 8 years old. They had been created (mostly just changed the company name on a template) and filed away. As I looked over them I started asking questions about them. Is this really what is done? Where is the ??? to back this policy up? Where are the ??? that this policy states is happening? Blank Stares and hidden smiles met me. They weren't being followed. They were just there to satisfy a whim.

These documents and programs are living. They are meant to be reviewed regularly, followed consistently and changed as needed. They are not static documents that are just to satisfy an audit. When I create a policy program or a security plan I make sure to write it in such a way that those who are entrusted with it know that it is a living document. I include regular review schedules and then I encourage those who are entrusted with them to go ahead and put reminders in their calendars to review them. I can't make them do it unless they report directly to me, but I can try to make it easy for them to do.

Another area that gets ignored is log review. Most people hate to review logs. Especially if they don't have a SIM, SEM or some other method for automating it. I've done it before. I've had to sift through thousands of entries to try and find the "bad" stuff. It's no fun. Unfortunately it has to be done and you need to be able to prove that you are doing it. If your policy says that you are doing it then the auditors are going to want to see proof. How many times have you or someone you know spent a day or two prior to an audit "falsifying" log reports? Going through and checking off that they were checked when they haven't been looked at in days, weeks or months.
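Here is what the "prove you are doing it" part can look like in practice. This is an added example, not from the original post or from any product: it reads a batch of authentication log lines, flags the obvious bad stuff (a source hammering the box with failed logins, and worse, a success from that same source), and wraps the result in a dated review record that you can append to a file and hand to the auditor. The log lines are constructed for the example in OpenSSH's syslog format; the `LINE_RE` pattern, the threshold and the record layout are this example's own choices.

```python
"""Review a batch of authentication log lines and produce a review record.

Added example, not part of the original post. The log lines below are constructed
for the example in OpenSSH's syslog format; adjust LINE_RE for your own sources.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Aug 30 02:11:04 gw1 sshd[4120]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug 30 02:11:06 gw1 sshd[4120]: Failed password for root from 203.0.113.7 port 51123 ssh2
Aug 30 02:11:09 gw1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Aug 30 02:11:12 gw1 sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Aug 30 02:11:15 gw1 sshd[4123]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Aug 30 02:14:31 gw1 sshd[4130]: Accepted publickey for jsmith from 198.51.100.22 port 40011 ssh2
Aug 30 02:20:02 gw1 sshd[4140]: Failed password for jsmith from 198.51.100.22 port 40020 ssh2
Aug 30 02:20:09 gw1 sshd[4140]: Accepted password for jsmith from 198.51.100.22 port 40020 ssh2
Aug 30 03:05:40 gw1 sshd[4201]: Accepted password for root from 203.0.113.7 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5  # failures from one source before we call it a brute-force attempt


def parse(log_text):
    """Return (events, unparsed_count); lines that don't match are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def find_findings(events, threshold=FAIL_THRESHOLD):
    """Flag sources that brute-forced, then any successful login from one of those sources."""
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    brute_force = {src for src, n in failures.items() if n >= threshold}
    findings = [{"type": "brute_force", "src": src, "failures": failures[src]}
                for src in sorted(brute_force)]
    for e in events:
        if e["result"] == "Accepted" and e["src"] in brute_force:
            findings.append({"type": "success_after_brute_force", "src": e["src"],
                             "user": e["user"], "at": e["ts"]})
    return findings


def review_record(log_text, reviewer):
    """Build the evidence record: who reviewed what, when, and what they found."""
    events, unparsed = parse(log_text)
    return {
        "reviewed_at": datetime.now(timezone.utc).isoformat(),
        "reviewer": reviewer,
        "lines_parsed": len(events),
        "lines_unparsed": unparsed,   # a non-zero count here means the pattern needs work
        "findings": find_findings(events),
    }


if __name__ == "__main__":
    # One JSON line per review; append it to a review log to show the auditor.
    print(json.dumps(review_record(SAMPLE_LOG, "on-call reviewer")))
```

Two details worth keeping in whatever you build: unparsed lines are counted rather than ignored, because a parser that silently drops the lines it doesn't understand is exactly how the "bad" stuff goes unnoticed, and the record carries the reviewer and the timestamp so that the checkbox the auditor wants is generated by the review itself rather than filled in afterwards.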

It's important to remember that these things are crucial to the success of your information security program. If you let them get sick or die then your program will do the same. Security Professionals need to follow the policies and those in management need to ensure that they are being followed. Those who are tasked with keeping the policies or program alive need to be proactive in doing so. Don't wait until the last minute and try emergency CPR. If you will schedule a little time weekly or monthly to check on them then they will stay healthy and your program will be more successful.

Tuesday, August 28, 2007

Is Telecommuting safe?

An article on DarkReading tells us that Federal Information Security Chiefs don't think that teleworking is a security risk. Sounds like a good poll for next week to me.

When I first saw the headline "Federal Security Officers Say Telecommuting Is Safe" my initial thought was "these are the same guys who regularly get D's and F's on their security reviews and they are telling us what is safe and what isn't safe!" Not sure I really want to listen to them on this. I'm not saying that telecommuting is or isn't safe. A comment such as that can't be made carte blanche. The answer to this is again "It depends". It can be safe provided that the right controls are in place.

If you give a user a laptop with admin privileges, a T-Mobile Hot Spot account and tell him to go work where he wants then I'd have to question the security of your telecommuting program. If done correctly I believe that a user can work remotely from most places and still remain secure.

Here is my list of what needs to happen to make telecommuting as safe as possible. This is assuming the use of a company provided laptop. If we get into using personal systems then things get a little more complicated.

  • User has user level access only.
  • Laptop runs AV, HIPS, Personal Firewall that can't be disabled by the user.
  • When connected to company network a security posture of the laptop is done via NAC. This is true whether it's via VPN connection or direct (wired or wireless) connection on site.
  • USB ports and CD/DVD copying is disabled.
  • Autorun is turned off for CD/DVD drives.
  • Wireless radios are disabled when connected to wired network.
  • Bluetooth is disabled
  • Use a 3G, EVDO or similar card for access when not on a company approved secure wireless network.
  • Train the user on how to be secure and reinforce this on a regular basis.
  • Ensure that you have the proper security policies in place to CYA when the user manages to do something that you can't protect against.

I know that there are more things that can be done. Some of you will think that this is too much and some will think that it's too little. But remember, there has to be a trade-off between security and usability. If you go too tight then the user will be unproductive, calls to the help desk will be frequent and the user will try to find ways around your controls.
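To show how a list like this turns into the posture check the NAC bullet describes, here is an added example (mine, not code from the original post or from any NAC product). `evaluate_posture()` takes a dictionary of facts about the laptop and returns the controls that failed; `collect_windows_facts()` fills in the few facts that have a documented registry or API location on Windows (USB storage driver disabled, AutoRun policy, whether the user is an administrator). The AV, HIPS, firewall, Bluetooth and radio facts have no single location and are assumed to come from your endpoint agent; the fact names are this example's own convention.

```python
"""Evaluate a laptop against the telecommuting checklist, NAC-style.

Added example, not part of the original post. evaluate_posture() is pure and
portable; collect_windows_facts() is only called on Windows. Fact keys are this
example's own convention; av/hips/firewall/bluetooth/radio facts are assumed to
be supplied by an endpoint agent.
"""
import sys

# Control name -> required value. Missing facts count as failures (unknown != compliant).
REQUIRED = {
    "user_is_admin": False,        # user level access only
    "av_running": True,
    "hips_running": True,
    "host_firewall_enabled": True,
    "usb_storage_disabled": True,
    "autorun_disabled": True,
    "bluetooth_disabled": True,
}


def evaluate_posture(facts):
    """Return the list of failed controls; an empty list means the laptop passes."""
    failed = [key for key, wanted in REQUIRED.items() if facts.get(key) != wanted]
    # Conditional control: the wireless radio must be off whenever the wired NIC is up.
    if facts.get("wired_connected") and facts.get("wifi_radio_on"):
        failed.append("wifi_on_while_wired")
    return failed


def nac_decision(facts):
    """Map the failed-control list to the admission decision a NAC would make."""
    failed = evaluate_posture(facts)
    return ("allow" if not failed else "quarantine", failed)


def collect_windows_facts():
    """Read the facts that have a documented location (Windows only)."""
    import ctypes
    import winreg

    facts = {}
    # shell32!IsUserAnAdmin: non-zero when the current token is in Administrators.
    facts["user_is_admin"] = bool(ctypes.windll.shell32.IsUserAnAdmin())
    # USBSTOR service start type 4 (disabled) keeps USB mass storage from loading.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services\USBSTOR") as key:
        start, _ = winreg.QueryValueEx(key, "Start")
    facts["usb_storage_disabled"] = (start == 4)
    # NoDriveTypeAutoRun policy with all drive-type bits set (0xFF) disables AutoRun everywhere.
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer") as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
        facts["autorun_disabled"] = (value & 0xFF) == 0xFF
    except OSError:               # policy key or value absent: AutoRun is not disabled by policy
        facts["autorun_disabled"] = False
    return facts


if __name__ == "__main__":
    if sys.platform == "win32":
        facts = collect_windows_facts()   # remaining facts would come from the endpoint agent
    else:
        # Constructed sample: an otherwise compliant laptop whose user is a local admin
        # and who left Wi-Fi on after plugging in at the office.
        facts = {"user_is_admin": True, "av_running": True, "hips_running": True,
                 "host_firewall_enabled": True, "usb_storage_disabled": True,
                 "autorun_disabled": True, "bluetooth_disabled": True,
                 "wired_connected": True, "wifi_radio_on": True}
    decision, failed = nac_decision(facts)
    print(decision, failed)
```

The one design choice to carry over to a real deployment is that an absent fact fails the control. A check that treats "the agent didn't report" as "compliant" is the first thing a user who has found a way around your controls will exploit.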

Friday, August 24, 2007

New Security Poll

I meant to tell you about this in my last post but I got so irritated and on a rant roll that I completely forgot.

My Information Security Poll for this week will deal with How much do we trust our users to act securely. Here is the question and the answer choices. Go to my home page to take the poll.

How much can you trust your users to act securely?
A. Completely
B. Mostly
C. Slightly
D. Not at All

Users don't care about security threats

It seems that most mobile workers think that security should be completely left up to the IT department and that they should be able to do what ever they want. This article from Information Week gives the details.

I saw this earlier in the week but was too busy to really look at it or think about it. It was brought to my attention today as I was looking at this week's SANS News Bites newsletter. For those of you who aren't familiar with this newsletter, typically it has stories about this week's news and the editors will comment on it. It was one of those comments that got my attention today. After reading the story about how mobile workers think that security is IT's job and that they do things that they know they shouldn't without a care, the editors started in. They talked about things like how sad this attitude is and how UA training has failed and how people are just stupid enough (my words not theirs) to believe that they really won the UK lottery or some other something. Then Johannes Ullrich, who is Chief Technology Officer of the Internet Storm Center, made a stupid comment. He said

Why shouldn't users expect IT to take care of security? I think we (IT / Security professionals) expect too much if we expect office workers to worry about security. Perhaps we can ask them not to leave their laptop unattended. But beyond that, it's our job!
Before I start ranting..... He is correct that security is OUR job. That's what we get paid for. But unless companies are going to hire a Security Professional for every worker, to stand behind them and look over their shoulder and physically stop them from opening emails, clicking on links, going to porn sites, installing unauthorized software, etc... then we have to put some measure of responsibility in their hands. Information Security technology can only go so far and do so much. Users have to be responsible for their actions. They have to use common sense and follow company policy. They have to learn to be careful with their actions. It's not their laptop. It's not their data. It's not their company to take such risks with. They need to realize that their compromised machines don't only affect them. The data they lose affects the company, the customers, the investors, the partners. The malware that they install on their machine causes the rest of us to be at risk because of their actions. They should be charged with SWS (Surfing While Stupid) and be taken off the information superhighway. They should, in some cases, be fired or put on probation. Mr. Ullrich, and those who promote reckless computer use, should be charged as an accessory prior to the fact and given similar sanctions.

When technology gets to the point where everyone surfs in their own little virtual world and they can't hurt others by their stupidity then I will quit promoting quality UA training and will happily let users do what they want. Until then I will continue to promote and practice good security. I will work to make sure the technological controls are in place and the users are trained properly. I will also rant when people make ridiculous comments like this.

SSN Poll Results

The polls just closed on the SSN question. Overwhelmingly most people said NO! There is no valid reason for a company to keep your SSN on file. I am a little baffled because there were a couple of you who voted Yes. WHY? I'm having a hard time understanding that. Now I realize that I don't know all the ins and outs of how and why every industry does things the way they do, but I would love to know why you voted yes. Please leave a comment and tell me why.

I was also pleased to see that the total number of votes increased drastically. I don't know if that means that more people liked this question or if it means that more of you are finding the site or more of you decided to participate. Either way I'm happy.

I'll have another poll up soon.

Incident Response belongs to everyone

Harlan asks "who decides what best practices are" in regards to Incident Response. Harlan is a forensics guy and has written an excellent book (I've only read 1 chapter but many others have told me how good it is) on Windows Forensic Analysis. Obviously forensics plays a part in many Incident Response scenarios. His answer to the question of who decides best practices is "It depends". And I agree.

Dr. Anton asked how PCI can be both complex and basic security. He asked that based on the fact that my PCI poll (as scientific as it was) said that 40% of you said that PCI is complex and 40% said that it was basic security. My take on that was "It depends".

On the Security Catalysts forums someone asked if NAC had any real value due to the fact that there are ways around it. My response again was "It depends".

Security depends on your company, your environment, your level of risk and risk acceptance. It depends on the level of competency of your IT and security staff. The level of competency of your end user employees. What partners, contractors, visitors, etc. are allowed to connect to your network. What controls you are willing and able to put in place. What policies you have and enforce. What level of buy-in you have from management. What does your IT environment look like? Is it new, old or a mix? Is it small, medium or large? Is it complex or simple? Do you have lots of different apps or only the core ones required to do business? How big is your Internet facing presence?

This list could go on and on and on and on. There are too many variables to give a concrete answer to these and other similar questions. So the real answer is that it doesn't matter what your idea of the answer is. Your job, as an Information Security Professional, is to do the best you can with what you have and plan for the worst. That is where the concept that IR belongs to everyone comes in.

Many companies have IR teams that jump into action at a moment's notice. But what happens between the time an incident is discovered and the team is able to take action can make all the difference in the outcome of the team's work. The rest of the company, from end user to IT/IS, needs to know what to do in the event of an incident. If they don't then they will invariably do something wrong that will hinder the investigation and fixing of the issue.

I've written too much so I don't have time to go into details here but suffice it to say that IR goes way beyond the team. It has to be dealt with at ALL levels if success in dealing with an incident is your goal.

Thursday, August 23, 2007

Light on Posting

I've been light on posting lately because I've been heavy on busyness. Between work and family life it's been quite hectic. I've got LOTS of projects going on at work plus we just finished our yearly IT Audit last week and that has spawned a few more.

One of the tasks that I've been given here is basically creating an information security program from scratch. It's a great challenge and opportunity but it's also a great time consumer. Luckily I've got some good friends who have given me some insight on what direction to take. I'm currently re-reading The Pragmatic CSO because it is basically about building a security program from scratch. I'm also working on a User Awareness Program, and several new technical controls are being rolled out for which I have primary leadership responsibility. Luckily I won't have to do all the work on them. I have a VERY talented team of engineers to assist me with that.

I'm also still learning the environment here. There are lots of things going on in the network that are not documented. It's a weekly thing to discover new ones. Talk about a Security Professional's (dream, nightmare, challenge). You pick your favorite answer. :)

I also had a good scare and laugh yesterday. We have a partner that has a connection to our network and they have a DFS share that we access. They have been having problems getting people to connect to it lately. They have tried several things and finally found the answer. Their firewall was blocking some of our subnets. So they fixed the problem and then their server admin got the idea that it would make life much easier on us if we didn't have to "reauthenticate" to access the share. So he decided that since he had several new users to set up access for he would just have them give him their domain username and password. Of course we had a couple of users who did do this before I found out about it. Needless to say I made a phone call to him IMMEDIATELY. As I politely explained to him why this was not an acceptable solution to the problem (a domain password handed to a third party is a domain password you no longer control), he said that he understood and was only trying to make it easier for us. Then he said that he too was very security conscious and understood my position on this. OK, if you are so security conscious and really do understand then WHY did you do this in the first place? This just reinforces my stance that much of our User Awareness training needs to focus on the average IT staff person.

Well, I've spent enough time here for now. Got to run and get back on these projects. I'll try to post a little more regularly from now on.

Saturday, August 18, 2007

More on User Awareness Training

User Awareness is one of my favorite topics (like I had to tell you that). There are a couple of different camps when it comes to this. Those who think it is a vital part of an Information Security program and those who think it is a waste of time. I fall in the first category (again, like I had to tell you that).

In my opinion the problem with UA is that many programs are close to useless. They cover the topics but they do a poor job. Even if the information is correct the delivery is bad. Poorly written, poorly delivered, boring, etc... This is the challenge in creating an effective UA program for your company. I have been a participant in a few UA classes in the past. They all have lived up to their reputation of being a waste of time. Now I'm in the process of designing a UA program for my company. I'm excited to have the opportunity. Now I will be able to put into practice some of the things that I truly believe will make UA effective. I'm going to work with some good friends who have been doing UA for a while and have created successful programs. Depending on budget and such I will possibly enlist them to provide content and counsel or possibly just allow me to bounce ideas off of them. Then of course I have the resource of the Security Catalysts Community to draw from. Between their participation in programs and creating or having input into them I will have a rich pool of information and creativity to draw from.

Why do I bring this up now? Well, my thoughts turned back to here when I saw these two posts from Tom Olzak on the ITT Blog (here & here). The first one talks about how the bad guys are starting to turn their focus from firewalls, servers, etc. to end users. Why? Because of a couple of reasons. There are lots of new attack vectors that work well and are easy to do. They attack the browser or other popular applications that are used frequently on the Internet. Java (the JVM and JRE), Quicktime, Windows Media Player, Adobe Acrobat, Silverlight..... This is just a small sample. Many of these attacks require nothing more than the user visiting a web site that has a malicious ad on it. This article from Brian Krebs at Security Fix has a good example of this.

The second post by Tom talks about how we need to start teaching Security Awareness in high school. Start the education before the users get into the workforce. I like that idea. Not only will it help when they do enter the workforce but maybe it will help at home. Maybe what they learn they will then teach to their parents. Hopefully by doing this we can spread the word outside the work place and get it into the homes where it needs to be.

I'm not sure if all of you are aware of how easy things are for the bad guys now. Hopefully you do, but if not I'd like to point you to a couple of good posts that Jeremiah Grossman pointed us to a few days back. They are here and here. Check them out to learn more about some of what is going on or at least what is possible.

Also if you want to learn more about putting together a good Security User Awareness Program you can talk to Michael Santarcangello, Rebecca Herold, or The guys at NoticeBored.com. All of them can help you with your program.

Friday, August 17, 2007

Sun Tzu got this one wrong. :(

I finally ran across an Art Of War quote from my handy calendar that definitely does not apply to information security. Even if vendors try to convince you otherwise.

If you carry on alliances with strong countries, your enemies won't dare to plot against you.
Alliances with strong countries (i.e. security vendors) will NOT protect you from the attempts of the bad guys to get into your network, application or systems. I would even venture to say that for some of the black hats they consider it a challenge and the stronger the defense the harder they work to penetrate it. Especially if they think that there is something worthwhile waiting on the other side.

Sun, I'm sorry to say that you have let me down on this one. I can see Amrit smiling now. :)

New Information Security Poll

Yesterday I asked a few guys on the TCC SILC channel for ideas for a new poll. The first suggestion had to do with keeping SSN's. I thought it was ironic because there was a thread on a PCI mail list asking that very question. The guy on the TCC channel that suggested the SSN question was completely unaware of the PCI mail thread. Then when I got home I had a letter in the mail telling me that a company that has access to my PII had had it compromised. It was sold by an employee to a marketing broker. Who knows what happened to it after that. Part of the information that they had was my SSN. How lovely. Then on top of that I remembered a friend who works in a university environment that has had a couple of SSN incidents lately. So all of that combined made me think that a Poll on the validity of companies keeping SSN's was in order. So here is the question and you can rush to my web site to take the poll.

Is there a valid reason for companies (other than employers) to ask for and keep SSN's?

This is a hot topic in the world of Information Security. Many think that there is no valid reason for any company to ask for them and definitely not to keep them. Then there are those who think that there is a valid business reason. Others argue that it depends on the industry. In my opinion SSN's and ANY PII (personally identifiable information) should only be used when absolutely necessary and storage of them should be kept to an absolute minimum and guarded like it was financial information. Customers are the life blood of any business and need to be treated as such.

Thursday, August 16, 2007

What's wrong with this statement?

I saw this article on Network World today regarding VOIP (in)security. This statement caught my eye. See if you have the same thought that I did.

Much of the notoriety of VoIP vulnerabilities come because the technology is relatively new and its code wasn’t necessarily written with security in mind — a problem that plagues many new technologies.
What do you see wrong with this statement? Shouldn't newer technologies be written with security in mind? I can see where Ethernet and IP and such didn't take security into consideration when they were created. Security was hardly even on the radar then. Now it's everywhere! There is no excuse for any technology that has come about in the last 10 years to not have security as a primary design consideration. I know that even 10 years ago security wasn't big but anyone who had any foresight would have seen what was coming.

I haven't ranted in a while about how software companies have to put more work into shipping secure products. This mindset of sacrificing security for "speed to market" has got to go.

PCI Poll results

My newest information security poll on the PCI/DSS ended yesterday and it looks like we almost have a tie. Out of the thousands of votes (OK, maybe not quite thousands but at least 10) the results were 55% said PCI was basically common security 101 and 45% said that it was complex and costly. There were 5 possible answers.

  1. Too Complex 40%
  2. Easy to Understand 30%
  3. Too costly for most 20%
  4. Too time consuming 0%
  5. Basic Security 101 40%
Now I know that the numbers don't add up but voters were allowed to select multiple answers and the percentage is based on the total number of voters.

So I guess it goes back to my original thought that the level of difficulty that PCI compliance involves depends on the shape of the network you are working with. Large or small if it is a poorly designed network you are going to have a struggle. If it is a securely designed network then your job will be much easier. The issue isn't understanding what is required it's putting the requirements into practice.

I'll have another poll soon. This week has been all audit all the time so I've not had a chance to think of another question and nothing in the RSS feed has jumped out at me. If any of you have any suggestions let me know. And let's get more involved with the process. Poll response has been less than stellar. Consider it practice for the November election. :)

Tuesday, August 14, 2007

Shunned by the WSJ

After my letter to the author of the WSJ article "Ten Things Your IT Department Won't Tell You" I was contacted by the author. She thanked me for my comments and told me that she would do a follow up article and asked for my input. The topic was to be something along the line of what the IT department wants users to know. I decided that since I was quick to criticize I would also give my input on how to be a better user.

After thinking about it I decided that my advice was to basically ignore the advice given in the original article. I was a little more tactful than that but that was the essence of it. I pontificated on the virtues of NOT trying to skirt company policy and why it was a bad idea for security reasons and such. Well today she published her new article and lo and behold my advice was NOT included. Why? Is it because she had better advice from others? Possible. Is it because it didn't fit with the nature of the article? Possibly. Is it because I told everyone to ignore her first article? Hmmmm.

Of course I probably will never really know why and it's very possible that it has nothing to do with that, but I will always wonder.

Saturday, August 11, 2007

Great Awareness Video

Roger over at the Infosecblog links to a great video on the importance of "thinking" before posting something on the internet. Once it's there it's there. This is true for what you say, what pictures and videos you post and comments you make. Remember, what happens on the internet stays on the internet. And one day your parents, spouse, child, boss or potential boss may find it. That may not be a good thing.

Thursday, August 09, 2007

Egg on you FaceTime

Even security companies make mistakes. It's just a little more embarrassing for them than the rest of the world.

ComputerWorld reports that FaceTime Communications applied some patches to their web server that reset defaults on some folders. This allowed the contact information for people who had downloaded whitepapers to be exposed on the net. I don't really blame FaceTime for this. It was an innocent mistake that anyone could make. What we need to do is learn from their mistake.

As I've mentioned before we are in the middle of rolling out a new Change Management system and our users HATE it. They like the old way of little or no accountability and having the freedom to do things their way. I don't know if FaceTime has a Change Control procedure in place or not but either way they do need to revise their test scripts. They need to expand what they test and also go back and check to ensure that unexpected changes don't happen. You can never be too careful when applying changes, especially to public facing systems.
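The "go back and check that unexpected changes don't happen" step is cheap to script, so here is an added example of how a post-change test could catch the FaceTime kind of mistake. This is my code, not FaceTime's procedure or anything from the ComputerWorld article: it snapshots the type and permission bits of everything under a web root, diffs a second snapshot taken after the patch, and then picks out the directories that became readable to "other", which is what a reset folder default looks like on disk. The `demo()` function builds a throwaway tree with a `private/contacts.csv` in it (constructed for the example) so the script runs anywhere; in a real change-control test you would point `snapshot()` at the document root, save the "before" result, and compare after the patch.

```python
"""Detect permission drift on a web root around a patch.

Added example, not part of the original post and not FaceTime's procedure.
demo() uses a constructed temporary tree so the script runs stand-alone.
"""
import os
import stat
import tempfile


def snapshot(root):
    """Map each path under root to its type and permission bits (lstat, so symlinks are not followed)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            state[os.path.relpath(full, root)] = {
                "type": "dir" if stat.S_ISDIR(st.st_mode) else "file",
                "mode": stat.S_IMODE(st.st_mode),
            }
    return state


def diff_snapshots(before, after):
    """Return (path, what, before_entry, after_entry) for every difference; empty list means no drift."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append((path, "removed", before[path], None))
        elif path not in before:
            changes.append((path, "added", None, after[path]))
        elif before[path] != after[path]:
            changes.append((path, "changed", before[path], after[path]))
    return changes


def newly_world_readable(changes):
    """Paths whose 'other' read bit was off before the change and on after it."""
    exposed = []
    for path, what, old, new in changes:
        if what == "changed" and not (old["mode"] & stat.S_IROTH) and (new["mode"] & stat.S_IROTH):
            exposed.append(path)
    return exposed


def demo():
    """Build a constructed web root, simulate a patch that resets a folder's permissions, report drift."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "private")
        os.mkdir(private)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>\n")
        with open(os.path.join(private, "contacts.csv"), "w") as f:
            f.write("name,email\n")                   # constructed placeholder, not real data
        os.chmod(private, 0o750)                      # the locked-down folder of whitepaper downloaders
        os.chmod(os.path.join(private, "contacts.csv"), 0o640)
        os.chmod(os.path.join(root, "index.html"), 0o644)

        before = snapshot(root)
        os.chmod(private, 0o755)                      # "the patch reset defaults on some folders"
        after = snapshot(root)

        changes = diff_snapshots(before, after)
        return changes, newly_world_readable(changes)


if __name__ == "__main__":
    changes, exposed = demo()
    for change in changes:
        print(change)
    print("newly world-readable:", exposed)
```

Permission bits are only one of the defaults a patch can reset; the same before/after diff works for whatever the web server actually consults (the listing directive in a config file, an `.htaccess` file's presence) if you add those to the snapshot. The point is that the test runs against the real system after the change, not against what the change was supposed to do.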

1 year and 275 posts

One year ago today I started my blog. I did it as a way to say some things that I wanted to say. At that time I didn't have much interaction with IT and Information Security Professionals on a day to day basis. I was the lone IT guy at my company and was tired of talking to myself so I started blogging. I have to give credit to a couple of those who gave me some inspiration. I read their blogs and thought "hey, I can do this too". Martin McKeay, Michael Farnum, and Michael Santarcangello. These were guys a lot like me that were blogging and telling stories from the trenches and giving good sound advice. Now I count each of them as a friend that I can turn to with security, technology and life advice. I've only met Santa face to face but in today's world of the internet it doesn't even matter anymore.

Since then I've made lots of other friends because of my blogging. I'm involved in the Security Catalysts Community as a Trusted Catalyst and this has allowed me to interact with some of the brightest guys in Security. I've also gotten to know several people who are well known and well regarded in the blogosphere and in Security in general.

I hope that all of you have found something of value in my rantings, questions, concerns, and comments. I guess you have or you wouldn't keep reading. I've heard from lots of you and it amazes me that people from all over the world actually read what I have to say.

I look forward to this next year and the fun times ahead. :)

Oh yeah, one other thing. I discovered a few days ago that my friend and Art of War and User Awareness nemesis, Amrit Williams, also started blogging one year ago today. I found that rather amusing considering the number of times we have butted heads over these subjects. But I must say Amrit is a great guy and I wish him all the best on his next year of blogging.

Wednesday, August 08, 2007

Viva VM!!

Good news! According to my latest completed poll Virtual Machines are not doomed to failure. The potential problems do not outweigh the benefits and users are still confident that VM technology will provide for their needs with adequate security. OK, so I read into the results a little but I'm allowed because it's my blog and my survey. :) Not a single person said that VM was on its way out and only one said that they wanted to "wait and see" on how the research and technology played out. Obviously most think that even though we are starting to see issues with VM technology we can stay well enough in front of the curve to keep pushing on.

This weeks survey is about PCI. I'm still crafting the question and answers to pick from, but it will have something to do with your thoughts on PCI complexity or lack thereof.

PCI and your network

Many of us work for companies that have to comply with various regulations. HIPAA, SOX, GLBA, FISMA, PCI, and on and on. For me in my current position it is PCI. I am familiar with the basics of most of the above mentioned regulations and know enough about them to tell you that many of them are vague (which may or may not be good) and difficult to interpret and understand. PCI is NOT one that falls under that category. PCI is pretty clear and does pretty much everything except tell you what brand of equipment to use and what vendor to buy it from.

I read a couple of articles today by Rebecca Herold and Ben Rothke at CIO.com that got me to thinking a little about my own PCI woes today. Both of these articles assert that PCI is not a complex monster like some would lead you to believe. It is fairly clear and straightforward. Yet lots of people complain about it and talk about how much it costs to comply and how much work is involved and how long it takes. Which is true to some degree. It can be long, costly and time consuming, but it is still just basic information security sense.

Between the stuff that you can find at the PCI Security Standards web site and a little ask.com searching (still not using Google unless I have to) you can find just about everything that you need to put together a plan to be compliant in short order. That doesn't mean that there won't be some areas that you need clarification and direction on. There will be questions that you have no clue how to answer. But it's not rocket science. I think Ben Rothke hits the nail on the head when he says:

The issue really is that these merchants have created their networks with little to no thought to security and privacy. They have placed minimal controls on their users, given no direction to their application developers, nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant due to PCI DSS; they are noncompliant because they never developed their security programs in the first place.
These Tier 1 and 2 merchants and many of the smaller merchants have large complex networks that are old and were designed with ease of use and administration in mind and not security focused. They put in the basics to keep the passive snooper out but not the aggressive hacker. They are complaining because they did not do a good job and now they have to go back and clean it up. That is why it is expensive, time consuming and complex. I know this first hand because that is what I'm up against. I'm having to retrofit security into some areas that should have had it in the first place. I'm just lucky that I'm working with a standard that is cut and dried or I'd really have something to complain about.

Monday, August 06, 2007

I'm confused (or one of my readers is)

When I started blogging I decided that I would not be a "fan boi" for a vendor and that I would speak my mind and always try to get my facts straight before I wrote about anything. I also decided that I would post all comments provided they weren't spam or of an obscene and vulgar nature. Well I received a comment today on my "Open Letter to the WSJ" post and I've decided not to post it in the comments section. I'm going to post it here. I'm doing that for 2 reasons. First, whoever wrote the comment decided to submit it anonymously and secondly it makes absolutely no sense whatsoever. I thought maybe some of you could add some insight into what in the world he/she is talking about.
Yes, I'm certain that our having casualties over there is entirely the fault of the Post and the Times outing every operation (or Geraldo on Faux News), and has nothing to do with our military and our government simply not having sufficient planning or men involved to properly control the dismantling of another country.

If the 'secret details' they inform us about happen to be against the law, or violations of our civil rights, then they are doing what they should, making the citizenry aware of inappropriate behavior on the behalf of their government. Are you guys all for such behavior?

That's just like encouraging people to skirt the rules, precisely what you are castigating this reporter for doing. Yet you are applauding the government for doing it?

  • I can vaguely understand the connection between papers posting reports about troop movements and the WSJ posting ways to subvert network security.
  • Apparently the reader assumes that I and most of my information security and blog friends are in favor of the war and think alike regarding it and politics. I can assure you that there are many of my security/blog friends that are on opposite sides of the fence from me in regards to politics, the war, social issues, etc..... (I'm getting this from his comment "Are you guys all for such behavior?")
  • It seems that the reader thinks that I am being double-minded in regards to media coverage of political events and such. I applaud them when they say what I want and chide them when they say something that I don't like. I may be wrong but I don't think I have ever written about anything political. I make a very conscious effort not to do so.
If anyone has any insight into this please let me know. If the person who wrote this wants to clarify I sure would appreciate it. At first I thought that maybe he/she meant to post it to some other site, but I don't think so.

I'm also making a modification to my comment rules. I will continue to post all comments, positive or negative, as long as those who have negative comments (especially off the wall ones) will identify themselves. The way I look at it is if you have something negative to say and you don't want to identify yourself then you can find another place to make negative comments.

Saturday, August 04, 2007

We're All #1

I've received 2 comments from others who checked their Technorati ratings after reading my post and they also were number 1. One of them actually just registered his site with Technorati after reading my post and immediately went to number 1. I guess he was an instant best seller. Shortly after I posted the Technorati site went down and when it came back up I had gone back to my usual ranking. Actually I even fell a little into the 38000's. Oh well, glory is short-lived.

I'm #1

It's been said that bloggers blog to feed their own ego. I have to admit that it does my ego good as I get to be known by more and more people. Honestly that isn't why I blog but I do keep track of my Technorati ratings and do "vanity" searches from time to time to see who may be linking to me.
Today I checked my Technorati ratings and got a complete shock. I'm sure that there is some sort of an error but it shows me as being #1! I had to do a screen shot of it and save it for posterity. I know it can't really be right because I know roughly how many readers I have and when you click on the "Top 100" button I don't show up. Usually I'm around 37,000 or so and I imagine that I will be back there as soon as they fix whatever is causing this error but it looks good. :)

Lots of good stuff to read

This is my "semi occasional" (yes, that's my own made up word) link post. I've been too busy to write much and today I'm playing catch up. There is so much good stuff out there that I can't do separate posts on them all so I'm just gonna link and make quick comments.

http://securitybuddha.com/2007/08/04/trends-in-information-security/
This "State of Information Security" report of sorts from Mark Curphey gives his take on several issues regarding security.

http://taosecurity.blogspot.com/2007/08/black-hat-usa-2007-round-up-part-1.html
Richard Bejtlich gives us "no hope" in getting ahead of the game when it comes to securing our networks and systems. Unfortunately he may be right, but I'm not ready to give up yet. I also think that even though he is "depressed" Michael Farnum isn't ready either. Of course Richard isn't a total pessimist either. He promises some defensive strategies in the near future that will brighten our outlook.

http://www.realtime-itcompliance.com/information_security/2007/08/the_many_languages_of_security.htm
Rebecca Herold has some good points on Security Awareness Training. This is one of my favorite topics, especially since I'm in the middle of creating a program for my company. I look forward to seeing more details on her upcoming offering.

http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/
This is another good post on SA Training.

Now for the awards!
Blog post that I am MOST sick of seeing. I've seen this sooooooooooo many times in my Google blog search listings that I am really ready to delete the search and just rely on other blogs that I read keeping me linked to the new and good stuff out there. I'm also so tired of seeing it that I'm not gonna link to it, I'll just give you the post title. I'm sure all of you have seen it. Welcome, Postini Team.

Best story of the week has to go to the one about Michelle Madigan getting kicked out of DefCon for trying to get video of the event w/o registering as press. It would have been so much easier for her to do her story if she had just stayed on the up and up. Of course that would not have made for very exciting coverage.

Thursday, August 02, 2007

What are the boundaries of security?

I read this from Bruce Schneier and it wasn't the article he referenced that got me to thinking, it was this comment.

The real issue here is that people don't understand that an airport is a complex system and that securing it means more than passenger screening.
This comment holds true for Information Security as well. The issue is that a network is a complex environment that involves many different systems, applications, connections and users. Securing it means more than traffic screening at one level.

I was speaking with someone the other day and she commented that we didn't need to worry about security on her project because nothing was internet facing. That statement might have held some truth in it a few years ago but not today. The average user doesn't realize all of the attack vectors into a system. They think that if you secure the perimeter or stay off of it then you are safe by default. Unfortunately there are still some IT professionals who feel the same way.

At my company we are in the middle of rolling out a change control system. We have had a policy and manual process for years but it was always just a formality. Someone would request to make this change at this time and it was approved. The focus was to keep 4 groups from making major changes at the same time in case something went wrong. Now we are starting to make the requestors justify their request and give full documentation as to who, what, where, when, why and how. Most of the users do not like this. They whine and complain constantly. Luckily we have someone in control of the process who sticks to his guns and holds them accountable.

This is the same mentality that we need in all of IT/IS. We need to ensure that our users understand the where and why of security. That way they will understand that security belongs everywhere in the network and not just at the border.

An Open Letter to the WSJ

This is an email that I sent to the WSJ writer and her editors regarding the article "Ten Things Your IT Department Won't Tell You".

You can also read some more good thoughts on this article here, here, and here.
__________________________________________________________________
Ms. Vara,

Isn't it good to live in a country where you have the freedom to be an irresponsible reporter? You don't have to live with the consequences of your own actions here. You can just speak your mind, reveal your little secrets and move on to your next assignment. Maybe your next article can tell people how they can steal confidential company data. Oh wait, you did that in this article.

As a security professional my days are filled with trying to protect the assets of my company. I strive to educate my users to practice safe security and not do things that will put the network or the company at risk. Your article has just thrown lots of work out the window. I realize that you have a "The Risk" section for each trick, but that doesn't diminish the fact that you are telling people how to break the rules, policies and procedures that are in place for security. This will put the company at risk and the offending person's job at risk. Not to mention the fact that people will use the work-arounds that you suggest even if they know better because now they know how.

Your attempt to justify your position by calling in hacking and security pros does little to nullify the bad advice that you are giving to people. It's NEVER a good idea to encourage people to do things that they are not supposed to do. Just because either you or anyone thinks that Security is being too strict or that it's just easier to do it at work does not justify such actions. Your attempt to say that if you take work home then you should be able to take home to work is also a very weak argument. If you take work home it should only be because you have a legitimate business need and it has been approved by Management and Security. Not to mention that your home network and PC should also be checked and approved before use. Carelessness such as this only leads to problems.

Sincerely,

Andy Willingham
http://andyitguy.blogspot.com
http://www.linkedin.com/in/andyitguy

Tuesday, July 31, 2007

Virtual Machine = Virtual Vulnerability?

Paul and Cutaway both write about the latest research in VM escaping and it's not pretty. The research, that is, not their writing.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still "shaky" in terms of it's not perfect and it's not complete, but the potential consequences of this are pretty severe. VMs are used quite heavily today for many different things. One of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes so if it gets hosed it's no big deal. If the bad guys can cause the VM to crash and then exploit the host machine then that puts AV research in a bit of a bind. VMs are also used by companies to save space, hardware and time. Lots of security software runs on VMs and this has the potential to put all of that at risk.

Read the articles by Cutaway and Paul and do some research yourself and let me know your thoughts. After you have become informed check back on my site and take the new poll. "Are Virtual Machines' days numbered?"

The debate continues

I just tallied the results of my first poll (well, actually they were automatically tallied). It looks like the jury is still out on Security ROI. There has been lots of good debate going on lately regarding this and both sides have good points.

The question was "Whether real or perceived, does security provide ROI?"
46% said Yes, it does provide ROI
54% said No, it does not provide ROI

Obviously the No's have it, but the results are fairly close. If I were a statistician and figured in a margin of error of 3 or 4 percent then the results could be much closer.

People much smarter than me have written on this and have sound arguments for their positions but here is the final word (I can say that because it's my poll) :)

In the strictest sense of the term security does not provide ROI but when you look at it in the big picture and take into account things that you can't really measure (and that is what happens in real life business everyday) then yes it can and does provide ROI. Money not spent because a breach didn't happen is a form of ROI. Savings realized because of time saved due to a security measure introduced is a form of ROI.

Now I know that many of you will take issue with this and go back to the "literal" definition of ROI but this world isn't literal when it comes to technology and security. If it was then my guess is that most of us would not be employed in this field because our "literal" inability to completely protect our networks and data 100% of the time would push us out the door. The Information Security field would be reduced to a very small group of people in a "literal" world.

Saturday, July 28, 2007

You can never be too careful

You would think that me being an Information Security Professional that I would always be extra careful in what I do. That way I save face and ensure that all of my systems are safe and secure. Well as an act of humility I'm gonna tell you about something STUPID AND CARELESS that I did yesterday morning. I started to write about it but forgot. Then I read this post by Ravi Char this morning and it reminded me.

You have heard my rants and woes about SunRocket. (just a quick update, my service was restored for 2 days then went away again. My sister still has service w/ them even though she has signed up w/ another company. She is just waiting on the equipment to arrive so she can complete the transfer.) A couple of days ago I signed up w/ another company for phone and internet service. I saved the order info to a pdf on my laptop. I then emailed it to myself so I could get it at work. I was in a hurry and didn't pay attention to the address that I selected. I accidentally sent it to a group list that I had that was named Andy. So the details went to about 15 friends. Luckily there wasn't any "sensitive" info but a careless mistake like that could cause real problems. So lesson learned? Pay Attention!!!

Legitimate Uses for Encryption

Robert over at the Errata Security Blog writes about a fear that he has. He read a post that made him start to worry more about the possibility of encryption being used against you. I think I agree with him. Our rights are being eroded almost every day. A new law is passed or a judge with an agenda makes a ruling that makes it illegal for the average person to do something that is completely harmless. Already in some countries rights have been taken away all in the name of "security". Handguns have been banned and made illegal, encryption keys are required to be given to law enforcement, etc...

Robert has a method that he suggests all of us use to do a couple of things. One will make it much harder for law enforcement to determine what is actually encrypted data and what is just random "junk". The other will make the daily use of encryption more acceptable and "normal". The purpose is to increase the use of encryption so that it is considered something that the normal person would do. Kind of along the line of the "Reasonable Person" rule used in many legal cases.

I like the ideas but the method is not for the faint of heart. Many IT and information security pros would have difficulty making sense of his plan unless they are very familiar with cryptography. So it is out of the question for the "average Joe". Not to mention many would have moral and religious issues with carrying around a DVD full of encrypted Porn. :)

My suggestion is that we, the IT and Security community, need to do a couple of things. First, we need to make sure that we use encryption on all of our personal systems. It's a good idea from a privacy and security perspective, but even if you don't have anything to hide use it just to increase the number of people using it for normal and legitimate reasons. Second, we need to encourage and teach our friends and family how to use it. There are several free and low cost options for encrypting our disk or data. Third, we need to create a plan to get the word out to the rest of the world. We also need to create some easy to understand guides that we can make available to anyone. They need to be done in such a way as to be usable by most anyone without them needing assistance from someone who understands encryption.

This is a big challenge, especially number 3, but I think we can do it. How is the question. I have posted this question to the forums over at the Security Catalysts Community also. So between them and us we can come up with a plan.

Thursday, July 26, 2007

Someone Beat Me To It

I knew that I should have quit procrastinating and started writing. But it looks like Scott Watson beat me to the punch and wrote "The Art of War for Security Managers". I've already put it on my Amazon Wish List and will get it soon. I may even get 2 copies. One for me and one to send to Amrit. :)

Wednesday, July 25, 2007

HOTSEC is Tonight!! (this time I mean it)

For those of you in the Atlanta area that can make it, tonight is the inaugural meeting of the Atlanta CitySec community. We are meeting at The Brick Store Pub in Decatur at 6:00. If you are in the area and can make it we'd love to see you there.

Monday, July 23, 2007

Learning from the Pros

My Out of Control Network post has generated a lot of discussion on the Security Catalysts forums. The reason I'm telling you this is to point you to a resource that will give you lots of useful information and advice. These information security and IT pros took my few comments on documenting your network and expanded it into a firestorm of advice for what to document to ensure that your network is a fine tuned machine. At least from a documentation point of view. Check it and the rest of the useful information out.

Web Poll

With all the discussion going on regarding ROI and information security and the fact that blogger has just released a polling option I have decided to take a poll on my site. For those of you who read via RSS please take a minute and go to my site here and take the poll. It is on the right hand side of the page just under the subscription links.

It's a simple and short poll. Whether real or perceived, does security provide ROI? I'm not asking to get into the true definition of ROI. For You and your organization does it provide ROI?

Friday, July 20, 2007

I just changed primary search engines

Like many, many people I use Google a lot. I have a gmail account, I use Google calendar, Google docs and spreadsheets, Google reader, Google blogger, Google maps, Google earth and Google search. I, also like many others, am concerned about the amount of information that Google is able to glean about me from my use of their tools. Not enough to really do anything about it because I don't do things that I want or need to hide. I know that there is much more to it than just that, but that is how I feel currently. Now I don't use any of them as my primary tool except for blogger, reader and search. Now the search is going to change. At least for a while. I saw this ComputerWorld article this morning that has made me switch to Ask.com for my search needs. Why? Principle if nothing else. I like the fact that they are willing to really do something to address the concerns and needs of their users. Although I don't have anything to hide in my searches I like knowing that I can do them anonymously and, even more so, that Ask.com cares that I may want to. It sure seems that Google doesn't care. Even though they are implementing a new 2 year policy on cookie life, Martin McKeay, of The Network Security Podcast and Blog, tells us that this is really useless because the cookies are "renewed" every time you visit a Google site. Can you say "tomorrow never comes"?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.