Oct 17

Is There a Point?

By jeff.evenson

One of the reasons I have had such a long break in between my writings is this. I’ve been rather tired of doing information security: the relentless discussions required to convince people they should worry about protecting the information they are working with.

When I was transitioning from my old company to the new one, I consulted for others as time permitted. Tons of leg work, research on the businesses, and the presentations as to what should and could be done to protect the business. Even then, after all that time, clients don’t really want to worry about security. After all, it hasn’t been a problem for them up to this point. Why should they bother with the expense? Nowadays that is like asking if firemen are providing a useful service.

One could argue the point that since I was getting paid to consult, what does it matter if they implement your recommendations? I’ll argue that it isn’t always about the money. Yes, it helps. I like to think it is more about the satisfaction of helping the business do better business; helping them protect their customers’ data and information. I didn’t serve 20 years in the Navy for the money. I have tried to work with the same beliefs and ethics I did back then.

In the end, I’m working a good job for a good company. They seem interested in doing security. At least for now. I will do my best to pick up my writings. I also write for a nutrition blog in pursuit of other interests of mine. Maybe I do that to supplement my primary job in information security.

Categories : Other Stuff
Oct 15

Common Sense in Policy?

By jeff.evenson

I’m working on drafting a policy, er, excuse me, standard for my company. Working up policies is something I don’t necessarily enjoy doing because nobody reads them. So I believe the trick is to create a policy that people will read, understand, and follow.

But the thing that seems to be missing from policy or standards is common sense. For example, a common sense policy would be something like this: “hey bub…don’t give your password to anyone. They might use it to steal us blind.”

Unfortunately, policies can’t be written like that. Legal and HR would have issues with it, and we shouldn’t talk down to people with this common sense stuff anyway. And, when you think about it, do you have to put into writing things stating the obvious?

Yes, you do. Mainly because there will always be someone looking to take advantage of those situations that are obvious to most. So, you need to have the policy so you have a means of enforcement. And if someone doesn’t want to adhere to the enforcement then you have a piece of paper that gives you justification to fire someone.

But, I suppose if common sense ruled the day, I could be out of a job. It’d be a shame if I had to use my intellect to better mankind instead of observing mankind for that moment in time they do something bad.


Here is an excellent article by Anne Wallace Allen for the Associated Press. She talks about the pitfalls of using Twitter to announce your every location and activity. It has the potential of giving your followers an idea of when you may be away from home.

The practice of updating your social networks with your current status could potentially be a bad thing. It gives people more information than you may be used to giving in the public domain. To me it is like leaving your newspapers collecting on the front stoop. You may as well hang a neon sign saying you’re not home…easy pickings.

Just a thought.


I returned from New Jersey Thursday night after visiting and meeting my new team. We’ll be working with vulnerability management. It is a job I look forward to doing. That wasn’t the most interesting point of my trip though. What really got my attention this time was the huge number of invisible shields I bumped into all over the place. You’re saying, “huh?”

I’m not sure what drew my attention to this phenomenon this time out. I mean, I travel frequently and wind my way through countless airports, around countless people. This time, I kept bumping into countless “Invisible Shields.”

Are you ready?

The invisible shields I’m referring to are the ones that seemingly materialize around people while they are talking on their mobile phones. You know the kind. As soon as a conversation begins, the shield drops down into place, surrounding the mobile phone user within a complete cone of silence. At least that is what the phone user believes. They must.

The range of topics I overheard (because the invisible shield was faulty) was countless. Aside from the usual banter about family, where Aunt Helen just doesn’t understand why it’s not ok to treat the kids that way, it was the banter concerning business that caught my attention. I thought I would take the time to remind people about appropriate topics.

From a security perspective, it is not ok to discuss typical business topics in the open these days. You never know who is listening. Be mindful about the topic you are discussing and don’t trust the people standing around you within earshot. The business topics I heard during my last travels were enough to make me shake my head. Financials, project schedules, deliveries, and personnel issues. Good grief, people. When will you get it in your heads that the invisible shield really doesn’t work? More importantly, have the courtesy to go somewhere private with your calls. Even better, stop talking about your business as if your invisible shield is fully functioning.

I hate to break it to those of you who insist on protecting your conversations with this invisible cone of silence…THEY DON’T WORK!!! Your corporate intelligence is being shared with everyone around you. Is this the kind of security you want for your company? No, it isn’t.

By the way, I overheard another conversation saying the next generation “invisi-shield” is coming out soon. Just keep an eye out for it.

Apr 02

Everything Takes Control

By jeff.evenson

I’ve been dealing with the “patching” mayhem for years and have come to take it for granted. I know places like Microsoft and other high end vendors have been rolling out automated patching processes with the hopes that it would simplify the whole ordeal. Maybe it has.

What gets me is the same “cut and paste” crap that is included in the patching bulletins and other security alerts. In the end it all means the same…patch your system or apply this update…if you don’t you’re stupid. At least that seems to be the implication here. For everyday people whose job it is to implement security, they get it. The rest of the world doesn’t get it and frankly, I don’t think they give a damn. That’s why attacks are so successful. I will always stipulate people expect computers to work like an appliance. Turn it on and it better work. I’ve written about that before.

Think about it. I did a bunch of queries against the National Vulnerability Database. When I read the bulletins in there I find the following terms:

  • allows local users to cause a denial of service
  • allows remote attackers to __________ (fill in the blank)
  • heap-based buffer overflow
  • overwrite kernel memory
  • gain privileges
  • memory corruption
  • cross-site scripting vulnerability
  • inject arbitrary web script
  • possibly execute arbitrary code

Looking at Microsoft security bulletins directly, I first looked at TechNet. TechNet is for IT professionals and systems administrators. Of course, I found similar phrases in their reports:

  • could allow remote code execution
  • resolves privately reported vulnerabilities in the Windows kernel
  • remote attacker could redirect network traffic

I expect this information here. If it wasn’t, the folks would scream that there wasn’t enough information. Yet, my point is, who cares? It’s the same crap every single time a bulletin is reported. Do we really think we’ll get something new here?

Then on the Microsoft Security at Home site, they’ve dumbed it down to the point the average user just won’t care either. All of the March 2009 bulletins had the phrase, “addresses a vulnerability” in them.

Adobe is no different, and I suspect all security advisories are like this. Their latest one says “would cause the application to crash and could potentially allow an attacker to take control of the affected system.”

Really? The whole point of all these bulletins is to let people know their system could crash or be taken control of by someone else. I’d like to see the bulletins released with this simple explanation.

We apologize for the inconvenience once again. People internally and externally have found yet another flaw in the software you spent good money on. Leaving this flaw un-patched could lead to the typical outcome of you losing all your data or someone taking control of your system. When installing the patch, please fill out the reimbursement form completely. We’ll send you a check for $5.00.

or

Hey, there’s another potential security flaw in your software. Just install the patch and shut up.

I know, enough ranting.


So, folks, it has been a long while since I’ve posted. I won’t bore you with the reasons for that, except to say there have been a crap-ton of life changes going on. I’m finally coming up for air after regrouping on my priorities. Of course I’ve been keeping an eye on the news and a lot of the chatter going on with the Heartland issues. It makes me sit back and think about securing information again and trying to look at the whole thing from a small business perspective.

To start with, any business has to know what they are protecting. I’ve covered data classification topics before. Today, let’s pick on one that should be at the top of any business’s list for data protection. That is PII, or Personally Identifiable Information.

What is PII? To answer this question, NIST details it in Special Publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (Draft).” I found this to be a great document discussing many aspects of PII data: what it is, how to protect it, and what to do when there is an incident. Some examples detailed in this publication include:

  • Name, full name, maiden name, mother’s maiden name
  • SSN, passport number, driver’s license number, taxpayer ID, patient ID, financial account, or credit card number
  • Street address or email address
  • Networking information that links to a person or a small, well-defined group of people, e.g., an IP or MAC address
  • Telephone numbers, including mobile, business, and personal numbers
  • Personal characteristics, including photographic images, X-rays, fingerprints, or other biometric image or template data.
  • Information identifying personally owned property, such as vehicle registration or ID number, title numbers and related info.
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).

The bottom line here is data that can be used to identify someone or be connected to someone, which leads to an identification.

Business is faced with the added challenge of protecting this information. And you can’t protect it if you don’t know you are using it. Then you have to figure out where it is stored. Have you ever given thought to a form you might have a customer fill out when they come into your business for products or services? That seems like something we all take for granted. Isn’t it our responsibility to protect this information? You bet it is.

Keeping this information safe should become second nature. Take the time to train your employees on how to properly handle this. Practice it. Never, never, never take this information for granted anymore. Don’t put your company into the “Nationally Identifiable Stay Away From” category. Your customers will never forget.
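As an added illustration of the “you can’t protect it if you don’t know you are using it” point (example code, not from the original post or from NIST): a small scanner that walks through intake-form records, flags a few of the SP 800-122 categories listed above, and reports where each type of PII lives without re-printing the values. The regexes assume US-style SSN and phone formats and the sample records are constructed.

```python
import re

# Illustrative regexes for a few of the PII categories SP 800-122 lists
# (assumption: US-style SSN/phone formats); they are not taken from NIST.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (order numbers) are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the scan report does not itself leak PII."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def scan_record(record: dict) -> list:
    """Return (field, pii_type, masked_value) for each PII hit in one record."""
    hits = []
    for field, text in record.items():
        for kind, pat in PII_PATTERNS.items():
            for m in pat.finditer(text):
                val = m.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", val)):
                    continue
                hits.append((field, kind, mask(val)))
    return hits

def inventory(records: list) -> dict:
    """Count hits per (field, type): the 'where is it stored' map for the data set."""
    counts = {}
    for rec in records:
        for field, kind, _ in scan_record(rec):
            counts[(field, kind)] = counts.get((field, kind), 0) + 1
    return counts

# Constructed sample intake-form records; none of the values are real.
SAMPLE_RECORDS = [
    {"notes": "Customer John Q. Public, SSN 123-45-6789, card 4111 1111 1111 1111",
     "contact": "john@example.com, (555) 123-4567"},
    {"notes": "Order #12345678901234 shipped", "contact": "no contact info"},
]
```

Running `inventory(SAMPLE_RECORDS)` over a real export of your customer forms tells you which fields carry which PII before you decide how to lock them down; the Luhn check keeps order numbers out of the card count.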

Hiking near Ely, MN

I’d like to move the discussion past the data and information point, and on to one of the other, most overlooked aspect of information security. That is knowing what your attack surface is. What I mean by that is this: You must know where every computing resource is, how it is used, and what data is on it in order to understand what the scope of information protection and security is. If you don’t, I submit you don’t truly know what you are protecting. At which point, you may as well leave the front door open.

I experienced this lesson the hard way a few years back. One of my charters was to ensure our physical computers were protected properly. Each should have the usual complement of anti-virus/spyware/malware software running. Each operated in various areas of the enterprise. Laptops, of course, had their own issues and needed an extra level of education. I’ll save that for another story. In addition to security, it was important to know the physical quantity of servers, desktops, and laptops to ensure adequate and proper software licensing was in place. As you know if you have too many licenses, it can be a waste of money. Conversely, too few licenses can be costly if violations are pressed by the vendor.


Relaxing on a dock in Ely, MN

In part 1 of this series I talked about the importance of knowing your data and information. For a new business, this is a critical component to setting up shop. Your next step will be deciding what type of architecture or network and computer framework you’ll need to support your operations.

I want to touch on a couple of scenarios: a new company with just a few computers, and a new company with a handful of employees (20-50).

There are probably a dozen or more routes a new business can go with building out their computers and networks. The thing to keep in mind is this…whatever you build out today must be able to grow with you tomorrow. Lay out your requirements for deciding what type of systems you should use. A couple of requirements might be:


Categories : From the Beginning

Off the Sakahtah Trail near Mankato, MN

We all go into business for one reason or another. We start out selling products or providing services. Money is coming, the customer base is growing, and before you know it, the business has gotten bigger. Along the way there have been challenges. The computer systems have grown in scale and the network larger. Employees somehow keep the wheels of business rolling, each managing their own piece of the information puzzle.

Then one day, your customers start calling with complaints. Their orders aren’t correct. When your team tries to look their information up, they discover some of the customer data is missing or incomplete. It’s also been realized the inventory database is missing, along with all your supplier information. All of this information is critical to the success of your business. How will you recover it? How could this happen? Then your worst nightmare is here. Your strongest competitor begins pulling your customers away. How did they know who your customers are?

This scenario could happen to anyone. I believe one of the most overlooked aspects of beginning a new business, and often something thought of too late for existing businesses, is the realization that the most important asset of a business is the data.


Categories : From the Beginning
Dec 08

New Series

By jeff.evenson

State Park south of Eagle Lake, MN

I’m working up a new series of postings. The series, INFOSEC for a New Business, will take a look at the importance of information security for prospective new businesses. I’m taking the approach of just being asked the question, “We’re starting a new business. What do we need to keep in mind about security as we work to build our business and services?”

I’m speaking from the experiences I have encountered over my career, both in the Navy and out. It is amazing, to me anyway, how comparable the two worlds are. I’ve owned a business, aside from my current one, and have started an INFOSEC program and retooled other INFOSEC programs for medium and large telecommunication companies. See my LinkedIn profile for a detailed history.

I hope you will enjoy the series and I encourage comments along the way.

Categories : From the Beginning