Wednesday, November 28, 2012

Georgia Tech's Cyber Threat Predictions for 2013: Ho hum, Yawn

I don't know if Georgia Tech is first to 'market' with 2013 cyber threat predictions, but this is getting like political polling. New York Magazine ran an interesting piece about polling, and the fact that anyone with a computer can now create a 'poll' and a voracious media will publish the results. Not to slam Georgia Tech, but first, how many predictions can we digest, and why do predictors think we need so many? I guess it likely doesn't matter because so many of the predictions are similar. In fact, if one is reasonably well read, the predictions are obvious.

Friday, November 16, 2012

Battle for information security 'is being won'

... according to The Global State of Information Security Survey 2013 published by PwC in conjunction with CIO and CSO magazines.

Cautious optimism or delusional optimism?

Monday, November 12, 2012

Huawei too dangerous to do business with?

Here's more on the supply chain security thing from John Dix, editor of Network World.

Last week, three US service providers came out in support of the Chinese companies. (Sorry, I can't find or recall the reference for this.)

In March, the GAO found that defense agencies claimed to have no supply chain security issues, and discovered that DOD had suspect components.

Is this just New Cold War posturing?

Wednesday, November 7, 2012

Volunteering Falls Short on Threat Information Sharing

This is strange, really. I'm surprised that companies don't share information with each other. Many participate in the MITRE programs, such as CVE.

I can understand why they don't want to share with government agencies whose attitude toward sharing is all one-way: you give to us and we'll hoard it all.

For more on this, read Threat Intelligence: What to Share?

Friday, October 26, 2012

Half of U.S. adults said Internet service is the most important utility in their homes

A Harris Interactive survey for Verizon found that more than half of about 2,300 U.S. adults said Internet service is the most important utility in their homes.

So, neither fresh water, electricity, sewer systems, nor even television is important. Amazing. How's this set back Maslow's hierarchy of needs? Then, there is the earlier report that Internet access is more important than sex. Are these people all leading candidates for a Darwin Award? I think we have to worry for the survival of the species.

Monday, October 8, 2012

Chinese firms draw fire in House Intelligence report; Cisco cuts ties to China's ZTE after Iran probe

Well, of course the Chinese firms would call the charges "baseless."

Seems like the House Intelligence Committee did something right. Reuters reports that the committee is recommending that Huawei and ZTE be barred from buying US companies because of fears that they could be used for cyber-espionage. Of course, depending on who wins the Presidential election next month, the committee's recommendation has a good chance of being ignored. I'm surprised we allow them to sell kit into the US, or at least the defense establishment. As I said before, cyber-espionage is still espionage. Is it any easier done over networks than by co-opting employees of target companies or government agencies? I'd be more concerned about cyberwarfare. And didn't India ban Chinese telecom firms from selling into the country because of security concerns? Frankly, I'd be as worried about French and Israeli providers.

10/9/12 -- According to Reuters, Cisco cuts ties to China's ZTE after Iran probe. Shall I rest my case now?


Wednesday, September 19, 2012

Facebook, Twitter Begin Slide into Irrelevance

I don't always agree with Networkworld's Mark Gibbs, but he's seldom boring. This week he riffed on Facebook's and Twitter's dependence on advertising. Coming from magazine publishing, he's sure to know how fickle that proposition is.

Basically in exchange for free content and ads, users sell their souls, otherwise known as PII. Fair exchange? I think not. But users are selectively cheap. They've been conditioned to expect online content and services for free, although the cost of accessing the content and services isn't free. What ISP doesn't exact a monthly fee for access? If Google is so intent on free access to information, why doesn't it supply ad-free search, and provide payments to content creators?

This perspective may be influenced by my role as a content creator, but it bothers me that users expect free online content, but these same freeloaders expect to pay for Starbucks and slacker chic.

Denny Hatch, a curmudgeonly DM commentator, and others have suggested that Facebook, Twitter, and their ilk charge $1/month for use. Do the math. That's billions a year, and for $12/year we won't have to provide PII and suffer invasive ads. Of course, there's a risk to building a paywall in that someone else can offer that service for free. It wasn't so long ago that mobile service providers tried to keep users in walled gardens. How Apple continues to do this is beyond my ken.

Tuesday, September 18, 2012

National Cyber Security Hall of Fame: Where's Hal Tipton?

First Inductees to National Cyber Security Hall of Fame Unveiled

While I'm certain that everyone named to the hall of fame is deserving, knowing most of them either personally or by reputation, I still can't believe that Hal Tipton wasn't included. Hal's history is like the history of information security. And, the number of people he's influenced has to be legions. Hal was a true pioneer, visionary, and doer.

Thursday, September 6, 2012

"No Easy Day"

I finished the book last night. It was okay, and I'm sure the movie will be, too.

I'm still struggling to figure out what was "classified," and why the witch hunt. The story didn't seem too much different from the Time article published last Spring. You'd think, though, that the Pentagon would be looking at all the leaks about the operation in its aftermath. It didn't take long for details to emerge.

Wednesday, September 5, 2012

No Easy Day: Day 2

So now the Pentagon claims the book reveals classified information. There are also rumors reported in the NYTimes that the author wrote the book because he was pissed off at how he was treated. Is this the start of a slur campaign?

So far, there's been nothing exciting in the book. The usual stuff about how the author was born to do this, complaints about too much training and too little action, anecdotes about missions in the Middle East, ...

I've heard the training complaint before. The son of a friend is in Delta now, and has been for five years or so. He's only deployed to Trashcanistan once. The other years were spent either as a trainee or a trainer, both here and overseas.

As I continue to read, maybe we'll get to the actual assault and take down of bin Laden.

A Vulnerable Network Can Cost Your Business

Did you know that a vulnerability scanner can save you money? If you look at the various reports that have come out regarding the costs of security incidents, you will find that the per incident cost can range from a few thousand dollars to several million.

Last year, a Bloomberg report cited a study by the Ponemon Institute that found that the costs of security incidents involving credit card or social security number breaches cost an average $7.2 million per incident. Even on the low side, a report co-sponsored by HP put the average cost of a security incident at $416,000. When you compare this to the costs of identifying and properly securing a company's vulnerabilities before a breach occurs, it seems obvious that securing your systems is the most economical approach to take. But before we look at how to approach this, consider the longer term impacts of a security breach.

A vulnerable network can cost your business in more ways than one. The expenses associated with cleanup pale in comparison to the costs from a damaged reputation. Lost business, reduced consumer confidence and the long term press coverage that comes with any security incident will have a financial impact that can last years beyond the actual event. While it is impossible to attach an accurate dollar amount to what might have been, you have to consider the revenue lost because a potential customer chose your competitor in part because they weren't sure about entrusting their business to a company that has had a security incident.

The sad thing most businesses find out too late is that the costs of remediation would have been far less. Whether your costs are on the low end or the high, the simple fact is that practically all security incidents are avoidable, if you know where to look. And that is where a vulnerability scanner comes into play.

A vulnerability scanner is a tool you use to assess the state of your workstations and servers. When you use a vulnerability scanner, you examine all the systems connected to your network. This assessment will not only tell you what state your systems are in, it also gives you the same sort of information malicious attackers will have about your systems.

You can use a vulnerability scanner to assess their patching level and the services running on them. You can also check for common misconfigurations that can lead to security incidents, and other vulnerabilities such as weak or default passwords. A vulnerability scanner provides you with the information you need to go about securing your systems, addressing configuration issues, and ensuring that your computers are secure.

Use a vulnerability scanner regularly, update your scanner's definitions each time you use it, and scan your systems both from the outside and within. Regular scanning ensures that as new systems are brought online or configuration changes are made, you will detect any new vulnerabilities that are introduced or discovered on your network. By scanning externally, you can see things the way attackers over the Internet do, and by scanning internally, you can get a feel for your exposure to inside threats, whether those are malicious or merely curious users, malware, or other potential threats.

The costs of a vulnerability scanner are a fraction of the costs associated with even a minor security incident, and the money you will save remediating issues before they become incidents will repay you many times over. Start using a vulnerability scanner today to save money, protect your reputation and to help secure your customers' continued loyalty.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to look out for when choosing a vulnerability scanner.

Tuesday, September 4, 2012

"No Easy Day" Coming Soon to a Torrent Website?

I couldn't wait to get "No Easy Day." As soon as I got off the train, I headed straight for Posman Books, the bookstore in Grand Central, and bought a copy. As I was paying, I couldn't help wondering how soon free copies will proliferate through the Web. Well, I did a quick search on "'No Easy Day' torrent" and got lots of hits, which answered my question.

Being a publisher, I'm not happy about this. Publishers, authors, musicians, and ultimately all of us lose from this.

Wednesday, August 29, 2012

Hotel Keycard Lock Hacker Questions Firmware Fix

"... guests literally reaching for their deadbolts."

Deadbolts won't help when you're not in the room. I recall a conversation about this at an ASIS conference a few years ago. Then it was more of a privacy issue; for example, the management system records when the door was opened, and by whom. It's not unlike using EZPass to record who goes where and when, or mobile phone GPS data to track movements. Law enforcement and divorce lawyers have a field day with this.

Because hackers can unlock and start cars, not to mention hijack drones, why should we be surprised they can spoof keycards?

Tuesday, August 21, 2012

WeKnowYourHouse.com and PleaseRobMe.com

This is amazing. WeKnowYourHouse.com and PleaseRobMe.com. This is social media openness run amok, and gives new meaning to "openness." Remember stories of robbers checking for wakes, funerals, and weddings to determine when no one will be home, and using that information to rob those houses? Why anyone would broadcast, or narrowcast, his or her location using something like foursquare or any location-based service is beyond me.

I'm also hearing stories of how people claim they're safe because they don't use social networking. Then, someone checks their kid's Facebook page and sees that daddy's going to Bentonville, Arkansas. Well, there's only one reason to go to Bentonville, and this knowledge could be corporate intelligence.

We're publishing a book on data anonymization, which deals with this from an enterprise perspective, particularly PII and PHI. Supposedly, 87% of US citizens can be linked using zipcode, date of birth, and sex. So, by using publicly available information such as voter records and supposedly clean data on health insurance, it's possible to identify and tie an individual to a health record. There are many good reasons why PHI, for example, needs to be private. Yet, it's remarkably easy to get it.

I don't know why it's so hard to increase users' awareness of the dangers of the Web, and their willingness to barter PII for free access. I guess it's the free part.
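The linkage the post describes (a public voter roll joined to "clean" health data on zipcode, date of birth and sex), as an added example that is not part of the original post: it measures how many records are unique on those three fields, performs the join, and then applies the standard countermeasure of generalization plus suppression to reach k-anonymity. All records, names and values below are constructed.

```python
"""Re-identification risk on the (zip, dob, sex) quasi-identifiers.

Constructed sample data only.  The health table has names removed but keeps the
three quasi-identifiers; the voter roll is the 'public' side of the join.
"""
from collections import Counter, defaultdict

QUASI = ("zip", "dob", "sex")

# Constructed 'de-identified' health records (no real people).
HEALTH = [
    {"zip": "02139", "dob": "1965-07-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02142", "dob": "1965-02-03", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1971-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1971-03-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02142", "dob": "1980-11-09", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1980-05-17", "sex": "F", "diagnosis": "anemia"},
    {"zip": "02142", "dob": "1952-01-30", "sex": "M", "diagnosis": "arthritis"},
]

# Constructed public voter roll with names attached.
VOTERS = [
    {"name": "Alice Example", "zip": "02139", "dob": "1965-07-21", "sex": "F"},
    {"name": "Bob Sample",    "zip": "02139", "dob": "1971-03-02", "sex": "M"},
    {"name": "Carl Sample",   "zip": "02139", "dob": "1971-03-02", "sex": "M"},
    {"name": "Dana Example",  "zip": "02142", "dob": "1980-11-09", "sex": "F"},
    {"name": "Ed Example",    "zip": "02142", "dob": "1952-01-30", "sex": "M"},
    {"name": "Fay Example",   "zip": "02139", "dob": "1990-06-06", "sex": "F"},
]


def key(rec, quasi=QUASI):
    """The quasi-identifier tuple that the two tables are joined on."""
    return tuple(rec[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest equivalence-class size; k == 1 means someone is unique, hence linkable."""
    if not rows:
        return 0
    return min(Counter(key(r, quasi) for r in rows).values())


def unique_fraction(rows, quasi=QUASI):
    """Share of rows that are alone in their class (the '87%' style statistic)."""
    counts = Counter(key(r, quasi) for r in rows)
    return sum(1 for r in rows if counts[key(r, quasi)] == 1) / len(rows)


def link(health, voters, quasi=QUASI):
    """Join on the quasi-identifiers.  A diagnosis is attributed to a name only
    when the class holds exactly one health record and exactly one voter."""
    h_by, v_by = defaultdict(list), defaultdict(list)
    for h in health:
        h_by[key(h, quasi)].append(h)
    for v in voters:
        v_by[key(v, quasi)].append(v)
    return {v_by[k][0]["name"]: h_by[k][0]["diagnosis"]
            for k in h_by if len(h_by[k]) == 1 and len(v_by.get(k, [])) == 1}


def generalize(rec):
    """Coarsen the quasi-identifiers: 5-digit ZIP -> 3-digit prefix, full DOB -> year."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:4]
    return out


def anonymize(rows, k=2, quasi=QUASI):
    """Generalize every row, then suppress rows whose class is still smaller than k."""
    gen = [generalize(r) for r in rows]
    counts = Counter(key(r, quasi) for r in gen)
    return [r for r in gen if counts[key(r, quasi)] >= k]


if __name__ == "__main__":
    print("k =", k_anonymity(HEALTH), "unique:", round(unique_fraction(HEALTH), 2))
    print("linked:", link(HEALTH, VOTERS))
    safe = anonymize(HEALTH)
    print("after generalization+suppression: k =", k_anonymity(safe), "rows =", len(safe))
    print("linked after:", link(safe, [generalize(v) for v in VOTERS]))
```

Note that generalization alone leaves one record unique here; the suppression step is what actually gets the table to k = 2, at the price of dropping that record.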

Saturday, August 4, 2012

Cyber-security Measure Fails to Pass in Senate; Risk Management Webinar

First, does anyone really expect anything to pass in the Senate or the House? Second, why do we need this anyway?

Dan Swanson's next Webinar on Risk Management for Directors and Officers is scheduled for August 28th.

Thursday, August 2, 2012

Dropbox Admits Hack, Adds More Security Features

Strange, but last week I was discussing Dropbox, along with many other topics, with Tom August, who's Director of Information Security at SHARP HealthCare and co-author of The CISO Handbook. He mentioned that he's hearing that corporate data is increasingly being stored at Dropbox, instead of on laptops or thumb drives, so people can work at home, or worse. Yet another attack vector created by users run amok.

Monday, July 2, 2012

3 Risks of Failing to Monitor Internet Usage

Could your business cope without Internet access? Would you still be able to do business? It is unlikely that you could survive for long without an Internet connection. Yet, few businesses understand the risks of failing to monitor Internet usage.

Employees downloading files, social engineering attacks, bandwidth consumption and negatively impacted productivity can all result from the misuse of employee Internet access privileges. Many of these risks can be mitigated by using software to monitor Internet usage over your network, and to apply proactive security measures to stay secure.

Let’s take a look at the three most common pitfalls and how they can be avoided by Internet monitoring software.

Decreased Productivity
Not all employees understand the concept of “Internet privileges”, and some may interpret it more loosely as “carte blanche to surf the web all day.” In addition, some employees like to use high-speed corporate networks to download large files, such as movies. Not only does this activity put the company at legal risk, but large downloads can also devour bandwidth and cause a loss of productivity across your network.

Good software can allow you to monitor Internet usage, providing the granular management of Internet access controls for your employees. This allows you to control their browsing habits and prevent abuse to ensure your system runs at peak performance. In addition, Internet monitoring software can also allow you to set bandwidth thresholds and block streaming media to ensure you retain control of Internet traffic passing through your network.

Malicious Files and Viruses
Unauthorized downloads and malicious websites can result in infected PCs. Not only does that put your confidential data at risk, but it can also result in system downtime to clean out the infection and restore your network to a secure state.

Employees may also attempt to download and install patches for work-related software, which could destabilize your network if those patches are not tested and approved. Compatibility issues can arise with your existing setup, resulting in administrator resources being used to fix a problem that shouldn't have arisen in the first place.

By using software to effectively monitor Internet usage you can control which files can be downloaded by users. Software can also be used to scan files that are allowed onto the system with multiple antivirus engines, thus ensuring they are safe. In addition, sites that are off limits can be blocked, keeping your network safe from a variety of attack vectors.

Phishing Attacks
Websites that are masquerading as legitimate sources can lure employees into a false sense of security. They may be tricked into revealing confidential information, or even inadvertently give away access codes that could leave your system open to attack.

By filtering websites and monitoring HTTPS traffic to prevent malware masquerading as safe software, you can keep your network better protected against such risks. In addition some software that can monitor Internet usage will also block access to known phishing websites based on updateable databases of known attack sites.

By failing to monitor Internet usage you can leave your company exposed to considerable risks. Few businesses can afford a loss of productivity, or having their bandwidth resources gobbled up by employees making personal use of the network. Worse still, infection from malware or viruses as a result of failing to control downloads can leave your system completely down.

By deploying software to monitor Internet usage you can keep a careful eye on your network and control its usage to ensure it always runs at peak performance, while also providing an extra layer of protection against attack. The question now is, is it worth the risk to remain without it?

**********
This guest post was provided by Peter Wisner on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor Internet usage.

Friday, June 29, 2012

GAO: Cyber Threats Facilitate Ability to Commit Economic Espionage

Another day, another warning, another restatement of the obvious. In the summary, it's noted that in past reports the GAO has made hundreds of recommendations to better protect federal systems, critical infrastructures, and intellectual property. The implication is that prior warnings have gone unheeded, and little's been done about these threats and vulnerabilities from both technology and personnel.

Thursday, June 21, 2012

New Android Malware Is Disguised as a Security App

Nothing really new here, is there? Just some old scam moved to a new platform. We should expect this. Sometime soon, in order to make these appear more legitimate, will these apps carry a price tag and require payment?

Thursday, June 14, 2012

Turtle Crossing

Just too strange. We're zipping down Route 6 toward Herring Cove Beach in Provincetown when someone said, "look at that sign. It says 'Turtle Crossing.'" Then, we saw a turtle crossing the road. What are the chances? Not wanting to see the turtle flattened by some speeding vehicle, we doubled back to help it. By the time we made the U-turn, the turtle was gone. I guess it got to the other side. What's this got to do with information security? Nothing.

Wednesday, June 13, 2012

World IPv6 Launch Day

Well, I was on vacation last week, and realized upon my return that I'd missed World IPv6 Launch Day on June 6. Gee, 6/6. Good thing it was 2012 and not 2006 (666). I wonder if anyone did something special to celebrate. Based on sales of books such as Security in an IPv6 Environment and Handbook of IPv4 to IPv6 Transition: Methodologies for Institutional and Corporate Networks, either no one cares or it's very simple.

Thursday, May 31, 2012

The 7 Qualities of Highly Secure Software

We just published The 7 Qualities of Highly Secure Software by Mano Paul. Providing a framework for designing, developing, and deploying hack-resilient software, this book uses engaging anecdotes and analogies, from Aesop's fables and athletics to architecture and video games, to illustrate the qualities needed for the development of highly secure software. Each chapter details one of the seven qualities that make software less susceptible to hacker threats. Filled with real-world examples, the book explains complex security concepts in language that's easy to understand to supply readers with the understanding needed to build secure software.

This excerpt discusses the need for building security into software. Building security in is about proactively designing and developing appropriate security controls into the software. The quality of building security in that will result in highly secure software can be achieved by addressing the people, the process, and the technology components in the software engineering process.

Wednesday, May 23, 2012

86% Say No to ‘Dial High Club’: Travellers against Phones on Planes

Well, travellers are apparently on the side of sanity and good sense. I know it's too much to expect the same from carriers. Just because you're able to do something, doesn't mean you should. We can only hope that they somehow require access charges as they do with WiFi, and that the charges are exorbitant. At least there's a "quiet car" on my commuter train, although it should be just one "loud" car, leaving the rest of us in peace and contemplation. "Make the pain go away!"

Friday, May 18, 2012

"Loaphobia." I wonder what the Diagnostic and Statistical Manual of Mental Disorders says about this?

Loaphobia (Lack-of-Application-Phobia), I learned today, is fear in the workforce of not being able to hit deadlines, missing promotions, or losing their jobs due to inability to access an application. This fear is apparently well founded because recent research found that 19% have missed a critical deadline as a result of being denied full access to an application, 14% lost a job and 6% missed a promotion. Just when you thought it was safe to close your eyes and sleep at night.

Thursday, May 10, 2012

Just Say No?

It wasn't easy to do when Nancy Reagan wanted kids to reject peer-pressure to try drugs, and it's apparently even harder to say no to users intent on BYOD.

The same people who want to create more security threats now want more security. I wonder what they'll think about more security when it'll require installing management software on their digital toys, and maybe having to submit to intense awareness training?

Monday, April 30, 2012

Patch Management the Easy Way

by Casper Manes on behalf of GFI Software Ltd.

Patching is one of the most critical system admin activities, but it is also one of the most frequently neglected. The stated reasons may vary, but usually come down to a simple lack of a patch management strategy, and of an application to make patching easy. Getting from a bad or non-existent patching strategy to a sound and successful one, like so many other journeys, starts with a single step.

Decide patch management is important
IT needs to patch, but they also have to want to patch. It's far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, since many exploits take advantage of flaws for which patches already exist. Management needs to patch since patched systems are more stable and reliable, and have better performance against SLAs. Everybody knows patching is important, so all you need is to agree on it, and senior management needs to support that. With senior management's go-ahead, the rest of the steps are easy.

Implement a patch management solution
That senior management support must include funding for a patch management solution. One of the biggest reasons why patching is so painful to many is because they try to do it manually, or with a combination of Windows Server Update Services (WSUS) and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching, and then just check on status when it’s done.

Include third-party applications
Patching operating systems, but not third-party applications, is like locking all the windows and leaving the front door open. The applications are what users interact with, and what process data submitted from the web, and they must be patched just as diligently as your operating systems. Good patch management solutions can patch third party apps just as easily as operating systems.

Commit to testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing requires users to run patches on their workstations, and on test versions of your application servers, and to run things through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.

Have a way to roll back
Even with testing it’s possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch.

Assess, log, report and audit
The biggest risk with manually patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.

Respect the window
Establish a patching window and make sure everyone knows what that is. Make that window one that takes priority over other actions, and set the expectation that the business will have to work around patching, and not vice-versa. Again, you will need senior management support to get this through, but you don’t want to delay critical security patches just because the marketing team wants to update the content of the website.

Patch with confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows where you are able to patch, proceed with confidence. Patching is a good thing and shouldn’t be a cause of pain or suffering. Leave that for when patches are missed, because it’s a safe bet that if you miss a critical patch, the pain and suffering will come.

If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.

For more on patch management, see Security Patch Management.
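The assess, test-ring, rollback and patching-window steps above, as an added example that is neither GFI's nor the post's own code: a small Python audit that reports missing approved patches per host, lets production receive only patches the test ring has already passed, refuses to plan a rollout outside the maintenance window, and logs rollbacks so the audit trail explains an absent patch. Host names, patch ids, products and the window are constructed placeholders, not real KB numbers or real systems.

```python
"""Patch compliance audit with test-ring gating and a maintenance window.

Constructed sample inventory; patch ids such as OS-2012-001 are placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Patch:
    id: str
    product: str           # OS or third-party app the patch applies to
    severity: str          # "critical" or "important"
    approved: bool = False
    test_passed: bool = False   # set once the test ring ran it without issues


@dataclass
class Host:
    name: str
    ring: str              # "test" or "prod"
    products: set
    installed: set = field(default_factory=set)


@dataclass
class Window:
    weekday: int           # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def contains(self, when):
        return when.weekday() == self.weekday and self.start <= when.time() < self.end


def missing_patches(host, patches):
    """Approved patches that apply to this host's products but are not installed."""
    return [p for p in patches
            if p.approved and p.product in host.products and p.id not in host.installed]


def eligible_for_host(host, patch):
    """Test ring gets every approved patch; production only what the test ring passed."""
    return host.ring == "test" or patch.test_passed


def plan_deployment(hosts, patches, when, window):
    """{hostname: [patch ids]} to push at `when`, or {} if `when` is outside the window."""
    if not window.contains(when):
        return {}
    plan = {}
    for h in hosts:
        ids = [p.id for p in missing_patches(h, patches) if eligible_for_host(h, p)]
        if ids:
            plan[h.name] = ids
    return plan


def compliance_report(hosts, patches):
    """One audit line per host, worst first (most critical patches missing)."""
    report = []
    for h in hosts:
        missing = missing_patches(h, patches)
        crit = sum(1 for p in missing if p.severity == "critical")
        report.append({"host": h.name, "ring": h.ring, "missing": [p.id for p in missing],
                       "critical_missing": crit, "compliant": not missing})
    return sorted(report, key=lambda r: (-r["critical_missing"], -len(r["missing"]), r["host"]))


def rollback(host, patch_id, log):
    """Remove a patch from the host's inventory and record why it is now absent."""
    host.installed.discard(patch_id)
    log.append(f"{host.name}: rolled back {patch_id}")


# Constructed sample data.
PATCHES = [
    Patch("OS-2012-001", "os", "critical", approved=True, test_passed=True),
    Patch("OS-2012-002", "os", "important", approved=True, test_passed=False),
    Patch("PDF-2012-007", "pdfreader", "critical", approved=True, test_passed=True),
    Patch("BROWSER-2012-003", "browser", "important", approved=False),
]
HOSTS = [
    Host("test-ws01", "test", {"os", "pdfreader", "browser"}, {"OS-2012-001"}),
    Host("prod-web01", "prod", {"os"}),
    Host("prod-ws02", "prod", {"os", "pdfreader"}, {"OS-2012-001"}),
    Host("prod-ws03", "prod", {"os", "pdfreader", "browser"},
         {"OS-2012-001", "OS-2012-002", "PDF-2012-007"}),
]
WINDOW = Window(weekday=5, start=time(1, 0), end=time(5, 0))   # Saturday 01:00-05:00


if __name__ == "__main__":
    for line in compliance_report(HOSTS, PATCHES):
        print(line)
    print(plan_deployment(HOSTS, PATCHES, datetime(2012, 4, 28, 2, 0), WINDOW))
```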

Tuesday, April 24, 2012

Tech groups push for cyberthreat information-sharing bill. Great idea. It's worked real well with Federal agencies.

So, now industry wants Congress to legislate what it won't do voluntarily. So far, there's as much trust between companies as there is between government agencies. They're all willing for a one-way exchange. This isn't going to change in government, and it won't in industry. Which reminds me. Didn't Congress legislate sharing between agencies? That's working real well, isn't it?

Monday, April 23, 2012

Mac trojan fallout: Apple security glory days gone?

There are cults in IT. UNIX is one; the Mac is another. These cultists fervently believe their OS is superior to others, and, by extension, they're superior to everyone else.

When it comes to vulnerability to attacks, though, UNIX was always an easy target. Macs are so safe and secure. Of course, until recently there weren't many of them, and they weren't in the enterprise, and so they were not as attractive a target as, say, Windows. Now that there are more Macs, making them an attractive target, the myth is starting to explode. Still, zealots being zealots, all's right in their world. Koolaid anyone?

Friday, April 20, 2012

"You can't patch stupid." House committees approve 2 cybersecurity bills

One of the best phrases I've heard lately is, "You can't patch stupid." This speaks to the ongoing threats to security posed by users. Now it appears that Congress again is trying to legislate what can't be fixed by legislation. I think "You can't patch stupid" is more easily applied to Congress.

Thursday, April 19, 2012

PWC Survey: "... majority of executives ... are confident in the effectiveness of their organization’s information security practices."

According to the results of the 2012 Global State of Information Security Survey®, the majority of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices.

Doesn't this fly in the face of fact? With reported breaches on the rise, and fears of fraud, APTs, and supply chain security, among other threats, increasing, why are these executives so confident?

Friday, April 6, 2012

Hurrah! There's a silver bullet for information security

Gene Spafford was supposed to give the Infosecworld opening keynote, but called in sick. He was replaced by Dave Kennedy. He started by restating the obvious, that we're throwing hardware, software, consultants, and ineffective pentesting at the problem and none of it is working. He described some interesting attacks, cloned a Website, discussed some social engineering attacks using information from LinkedIn and Facebook to impersonate an employee, and recounted connecting a device inside a keyboard that generated information to own the system. Then he said effective pentesting is the key to information security, and that the usual pentests are useless. I don't know how much distance there was between him as pentesting evangelist and salesman for his employer Diebold's pentest practice. Kennedy is employed by Diebold and conducts pentests for a living. It sounded as though the only one who conducts pentests correctly is Diebold. (Kennedy's also involved in the Penetration Testing Execution Standard (PTES).)

While it's a reach to think that pentesting is the be all and end all of infosec, later in the conference a panel discussion between some enfants terribles made a different claim. After telling the audience that it was stupid and ineffective, they said that the solutions to the problem lie in hiring smart people, thinking outside the box, and reading log files.

A general theme was that risk trumped infosec; that is, determine what most needs to be protected, then protect it, rather than trying to protect everything. There's a trend toward the creation of Chief Risk Officers, with infosec reporting to them instead of CIOs, thereby removing some conflict of interest. Awareness continues to be important because "There's no patch for stupid." Good luck with that one.

Tuesday, March 27, 2012

National Security-Related Agencies Have No ITC Supply Chain Risks?

Last week, the GAO said that defense-related departments have a security problem because of software, hardware, and components sourced or manufactured overseas, especially China. The departments in question don't track these items, and maintain that no threat exists, or the cost of monitoring exceeds the cost of the risk. This is disingenuous at best.

Now, today, the GAO reports that suspect counterfeit electronic parts can be found on DOD supply chain Internet purchasing platforms.

I recall Whitfield Diffie, addressing an RSA conference, stating that one of his greatest security fears is components calling home (to China). This type of threat has movie written all over it, but that doesn't make it any less real.

Australia has no such qualms, however. It's blocked Huawei from bidding on gear for its National Broadband Network. It seems that foreign governments, especially in Asia, are much more aware of these threats. At least the US Congress has blocked the sale of some US high-tech companies to Chinese enterprises controlled by the PLA.

There are other IT security lessons that Australia can teach us.

Monday, March 26, 2012

Hackers breached 174 million records in 2011. Did it make the Guinness Book of Records?

Verizon's breach report notes that hackers breached 174 million records in 2011. This seems like a lot of records, but is it a world record? I wonder what would happen if the hackers of the world decided to go for a world record? Would competition and one-upmanship drive the numbers ever higher?

Thursday, March 22, 2012

If we didn't have Google to kick around, I'd have to create it

Well, Google's back in the news, although this is more about the Puzzle Palace (NSA pressed to reveal details on Google deal following Chinese attack).

At this point, Google is still battling Amazon for the top slot on my list of companies I love to hate. Remember when the world hated Microsoft because of its dominance in desktop computing and LANs? They look absolutely altruistic when compared to the undisguised rapacious behavior of Google and Amazon. For a long time I hated Barnes & Noble for putting independent, especially technical, bookstores out of business in the 1990s. Now, I'm praying for its survival under the offensive launched by Amazon on the entire book publishing industry. I still hate Walmart for its business and labor practices, and pioneering the decline of American manufacturing. Channeling this disgust at the "be evil" company and Amazon is cathartic, though, even though I'm spinning my wheels.

What's this got to do with information security? Not much. But it was cathartic.

Wednesday, March 21, 2012

Patch Management the Easy Way

Patching is one of the most critical system admin activities, but it is also one of the most frequently neglected. The stated reasons vary, but usually come down to a simple lack of a patch management strategy and of an application that makes patching easy. Getting from a bad or non-existent patching strategy to a sound and successful one, like so many other journeys, starts with a single step.

Decide Patch Management Is Important
IT needs to patch, but they also have to want to patch. It’s far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, because many exploits take advantage of flaws for which a patch already exists. Management needs to patch because patched systems are more stable and reliable, and perform better against SLAs. Everybody knows patching is important, so all you need is to agree to it, and senior management needs to support that. With senior management support, the rest of the steps are easy.

Implement a Patch Management Solution
That senior management support must include funding for a patch management solution. One of the biggest reasons why patching is so painful to many is because they try to do it manually, or with a combination of WSUS and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching, and then just check on status when it’s done.

Include Third-Party Applications
Patching operating systems but not third-party applications is like locking all the windows and leaving the front door open. Third-party applications are what users interact with directly, and they process data that arrives from the web, so they must be patched just as diligently as your operating systems. Good patch management solutions can patch third-party apps just as easily as operating systems.

Commit to Testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing means having users run the patches on their workstations, and running them on test versions of your application servers, and putting both through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.

Have a Way to Roll Back
Even with testing it’s possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch, and know before you deploy which patches cannot be uninstalled and would instead require a rebuild or a restore from backup.

Assess, Log, Report and Audit
The biggest risk with manual patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, and generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.

Respect the Window
Establish a patching window and make sure everyone knows what that is. Make that window one that takes priority over other actions, and set the expectation that the business will have to work around patching, and not vice-versa. Again, you will need senior management support to get this through, but you don’t want to delay critical security patches just because the marketing team wants to update the content of the website.

Patch with Confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows where you are able to patch, proceed with confidence. Patching is a good thing and shouldn’t be a cause of pain or suffering. Leave that for when patches are missed, because it’s a safe bet that if you miss a critical patch, the pain and suffering will come.

If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.
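The steps above (test ring first, then production; log and audit; act on what is overdue) can be expressed as a small gating and audit routine. The following is an added example in Python, not code from the guest post or from any GFI product; the host names, patch IDs, ring names and SLA values are all constructed for illustration, and a real deployment would read this inventory from the patch management tool rather than from literals.

```python
"""Patch audit and ring gating (added example; constructed data throughout)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed catalogue of approved patches. IDs are made up;
# "kind" distinguishes OS patches from third-party application patches.
REQUIRED = {
    "OS-2012-03-A": {"severity": "critical",  "released": date(2012, 3, 13), "kind": "os"},
    "OS-2012-02-B": {"severity": "important", "released": date(2012, 2, 14), "kind": "os"},
    "APP-JRE-6U31": {"severity": "critical",  "released": date(2012, 2, 15), "kind": "app"},
}

# Assumed SLA: days allowed between release and installation, by severity.
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 60, "low": 90}

TODAY = date(2012, 3, 21)   # constructed "audit date"


@dataclass
class Host:
    name: str
    ring: str                                   # "test" or "prod"
    installed: set = field(default_factory=set)
    failed: set = field(default_factory=set)    # installs that failed or were rolled back


# Constructed inventory, as a patch management tool would report it.
HOSTS = [
    Host("test-ws01",  "test", installed={"OS-2012-03-A", "OS-2012-02-B", "APP-JRE-6U31"}),
    Host("test-app01", "test", installed={"OS-2012-03-A", "OS-2012-02-B"}, failed={"APP-JRE-6U31"}),
    Host("prod-ws17",  "prod", installed={"OS-2012-02-B"}),
    Host("prod-app03", "prod", installed={"OS-2012-02-B", "APP-JRE-6U31"}),
]


def missing(host, required=REQUIRED):
    """Approved patches not installed on this host; a failed install is still missing."""
    return sorted(pid for pid in required if pid not in host.installed)


def ring_cleared(patch_id, hosts=HOSTS, ring="test"):
    """A patch may leave the test ring only when every test host has it installed
    and none recorded a failure or rollback for it."""
    ring_hosts = [h for h in hosts if h.ring == ring]
    return bool(ring_hosts) and all(
        patch_id in h.installed and patch_id not in h.failed for h in ring_hosts)


def overdue(today, hosts=HOSTS, required=REQUIRED, sla=SLA_DAYS):
    """(host, patch) pairs past their SLA: the audit list that must be acted on."""
    out = []
    for h in hosts:
        for pid in missing(h, required):
            info = required[pid]
            deadline = info["released"] + timedelta(days=sla[info["severity"]])
            if today > deadline:
                out.append((h.name, pid))
    return out


def compliance_pct(hosts=HOSTS, required=REQUIRED):
    """Share of (host, patch) slots that are satisfied, for the monthly report."""
    slots = len(hosts) * len(required)
    satisfied = sum(len(required) - len(missing(h, required)) for h in hosts)
    return round(100.0 * satisfied / slots, 1) if slots else 100.0


if __name__ == "__main__":
    for pid in REQUIRED:
        status = "cleared for prod" if ring_cleared(pid) else "HOLD in test ring"
        print(f"{pid}: {status}")
    for name, pid in overdue(TODAY):
        print(f"OVERDUE {name} {pid}")
    print(f"compliance: {compliance_pct()}%")
```

Note that the failed install on `test-app01` holds `APP-JRE-6U31` in the test ring even though the other test host took it fine; the gate is deliberately "all test hosts clean", because one failure on a representative machine is exactly the signal the testing step exists to catch.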

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.

To learn more about patch management, read

5 Reasons to Establish a Patch Management Policy

Security Patch Management: Getting Started

Tuesday, March 13, 2012

Facebook social engineering attack strikes NATO

When you think about it, it's really surprising there are so few of these attacks. As a company, we're putting a big push behind social networking for marketing, with editors and marketers creating and posting to many sites. Is this going to make us more vulnerable?

Friday, March 9, 2012

IT security neglect helps Anonymous: a deliberately contentious statement?

"IT security neglect helps Anonymous." Is this a deliberately contentious statement? Trashing people tasked with the thankless job of administering and securing a network and data isn't helpful. Thanks to the asymmetric nature of the threats, it's far easier for someone with nothing better to do to attack a network than it is to defend one for someone for whom securing a network is just one of many, sometimes onerous, tasks. It's not like infosec people want to make it easy. If anything, the fault lies with whoever makes the decision to make every app Internet-facing. So, it's probably more accurate to state that it's management neglect that abets hackers.

Monday, March 5, 2012

GOP senators introduce another cyber security bill: SECURE IT

So, another cyber security bill. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT). At least they didn't decide to attack Iran. If they stay busy and diverted with useless infosec legislation, maybe they won't create any real mischief.

And, who comes up with these acronyms? SECURE IT. Is there someone with a full-time job in Congress to come up with these? And I thought the headline writers for the NY tabloids were clever.

Friday, March 2, 2012

Google Privacy Changes: 6 Steps To Take, or 1

I really like step 6, which is live in a cave. If you don't want to get off the grid, the next easiest way to escape Google is to not use it, disable cookies, and use one of the many excellent alternative search engines.

"Hurt me once, shame on you. Hurt me twice, shame on me."

The real problem here is how deeply we've let Google insinuate itself into our lives. I have to admit, I use Blogger, a Google product, for this blog. I use Google Analytics for Web site analysis. I've undoubtedly shared photos using Picasa, and I'm certain none were embarrassing. It's hard to beat free and good and available, and I'm sure there are equally good alternatives that are slightly less intrusive but I haven't found them. So, it's shame on me.

Monday, February 27, 2012

5 Hot Security Worries at RSA

As reported by InformationWeek, the top infosec worries are

1. Securing employees' smartphones and tablets
2. Stopping Advanced Persistent Threats (APTs)
3. Curbing social animal attacks
4. Securing Big Data
5. Getting better at stopping hacktivists

What's missing? Who agrees? Disagrees?

Social animal attacks is a new one for me.

If anyone wants to write on BYOT, APTs, or Big Data, let me know.

Friday, February 17, 2012

Developers say Apple needs to overhaul iOS user information security; jailbreak apps access user data far less frequently than Apple-approved apps in the App Store

There are really two stories here. One is the continuing litany of security-challenged apps for various personal devices. Surely a threat to getting BYOT under control. The second story concerns a reference to a study that determined that jailbreak apps are more secure than the approved apps sold on the Apple store. As Col. Klink would say, "Very interesting."

Tuesday, February 14, 2012

Mobile payments will boost crime

Well, here's another "dog bites man" story. Is there any technical advance that won't boost crime? Don't all these advances become challenges to those with a criminal bent, or just curious? I'm not at ease with this, even though I use online banking. I'm still not sure how banks allow deposits based on a photo from a smartphone. Seems like that's ripe for abuse, too.

Friday, February 10, 2012

Jesse Varsalone to lead ethical hacking and systems defense seminar

Jesse Varsalone, author of "Defense Against the Black Arts" and the forthcoming book "Intrusions: How Hackers Get In and the Evidence They Leave," is giving a two-day seminar on ethical hacking and systems defense on June 9 and 10.

Thursday, February 9, 2012

CIO's Guide to Security Incident Management

We just signed an agreement with Matthew Pemble and Wendy Goucher of Idrach Ltd. for a book entitled, "CIO's Guide to Security Incident Management." You can read Matthew's blog here.

Thursday, February 2, 2012

Google calls Microsoft privacy claims 'myth'--spare me, please!

Clearly a case of "the pot calling the kettle black." I don't know who's worse, Web companies' recriminations, or politicians'. Regardless, enough already.

Monday, January 30, 2012

BYOD, BYOT, IT Consumerization: A Burning Issue

I've been beating the bushes looking for someone to pen a book on BYOD, without success.

Sometimes I think I have a hard time separating media and conference hype--the need to cover something and create some level of FUD--and reality, or what people in the trenches think. Frequently, media-generated FUD is backed up by survey data, which may or may not be valid, fueling the fire.

So, now I ask, "Is BYOD, BYOT, IT consumerization, or whatever you call it really a burning issue?"

Friday, January 27, 2012

World IPv6 Launch. Yawn.

The World IPv6 Launch takes place on June 6, 2012. IPv4 addresses have run out, although workarounds exist, and new top level domains have been created. There's no easy migration path from IPv4 to IPv6. With the growth of M2M, IoT, and Smart Grid, the need for new IP addresses seems obvious. So, does anyone care? Based on book purchases, I'd say no. What's the next step?

Thursday, January 26, 2012

Is Network Security an Oxymoron?

As recent events have clearly demonstrated, no matter how highly-defended a network is, someone will find a way to penetrate it. If RSA and Symantec can’t keep intruders out, and APTs (a euphemism for Chinese-sponsored attacks?) continue to plague public, private, and government systems, what hope is there?

Remember PPT—people, process, and technology? We can throw technology at the problem and achieve middling success. If we are eternally vigilant and paranoid, we may realize great success. But what about people and process?

Despite comprehensive signed policies and awareness training, users still click on email attachments or embedded links, and willingly provide their user IDs and passwords to people calling from tech support. And this is without the burgeoning BYOD and BYOT problem. Who knows what users are introducing to the network when they connect their USB drives, tablets, and smartphones to their desktops?

What’s the solution? Jim Tiller, now Head of Professional Services, Americas at HP Enterprise Security, suggests that regulations and compliance, and now insurance, are trying to do what PPT couldn’t. He thinks that government has accepted that, because what we have been doing hasn’t worked, increasing the regulatory burden will. So, has network defense become notification and remediation once an organization has become compliant? Yes, it’s a loaded question.

Under this scenario, security becomes strictly a cost/benefit analysis. If the cost of an intrusion is, say, $1 million to cover notification and remediation, and the cost of preventing the intrusion is $1.5 million, then an organization would decide to accept the risk of an intrusion rather than take actions to prevent it. And now that an organization can obtain insurance, the insurers will determine the risk, instead of using the standard infosec risk formulas.

Assuming the organization was compliant with all regulations, then it’s done all it’s required to do to protect its network and information. It no longer has to compete in an ever escalating arms race against hackers of all ilks, from privately to government sponsored.

Of course, an enterprise could simply disconnect critical systems and employees from the Internet, which would prevent intrusions from the outside, but do little against insider threats. (It still amazes me that SCADA and other ICS are Internet-facing, and that things will inevitably get worse as M2M and the Internet of Things creates more points to attack.) As Jim concludes, efforts to protect and defend networks won’t go away, but response may well take precedence.

Wednesday, January 25, 2012

How to Use a Vulnerability Scanner

Vulnerability scanners can do so many different tasks that not having a clear strategy for how to use them on your network can result in a lot of wasted time. So how does one use a vulnerability scanner?

A vulnerability scanner will search your network for various vulnerabilities and it does this by analyzing a number of things, including:

• Open Ports
• Applications
• Configurations
• Scripts
• Devices
• Users
• Shares
• Groups
• Security Software

Once a vulnerability scanner finishes analyzing a particular machine it will use the data collected to determine and report on vulnerabilities and potential vulnerabilities. There is an important distinction to be made here.

If your vulnerability scanner detects a user account that hasn’t logged on in quite a while, it will report it as a vulnerability. It may well be one (an orphaned account that still works is useful to an attacker and rarely watched), but there may also be a legitimate reason for it, and it is up to the administrator to decide which reported vulnerabilities are to be acted upon and which can be accepted for business purposes, knowingly incurring a minor risk.

After a scan the administrator has a list of vulnerabilities sorted according to what needs to be done and what level of risk we have to accept because of legacy elements in the system and other reasons.

The vulnerabilities we want to act upon require a straightforward approach. The vulnerability scanner will most likely provide an explanation on what the issue is and suggest resources that the administrator can refer to for more details and how to solve the problem.

Sometimes not all vulnerabilities can be fixed and the administrator must decide whether the benefits outweigh the risks. Vulnerabilities may be left untreated for various reasons: it may be due to legacy applications that have known vulnerabilities but are considered important for the business or system configurations and protocols with known insecurities are required. The administrator’s role is to identify what the risk is and find ways to limit the risk without compromising business operations or security.

For example, let’s say that for legacy purposes you need to support SSH protocol Version 1, which has numerous known vulnerabilities. The application you are using that requires SSH 1 support has no viable replacement and is critical to the business. In this example, you have no choice but to leave the vulnerabilities in the system. However, although you cannot really avoid using a vulnerable application or protocol, you still need to do something to minimize the risk.

You need to analyze how the application is used and, where possible, restrict its use and access. If you need to support SSH 1 for a legacy application, make sure your firewall only allows access to that service from the host where the application is running and blocks every other source, and record the exception with an owner and a review date so that it is revisited rather than forgotten.

Security is a process. Using a vulnerability scanner is not simply a matter of running a program and following the onscreen instructions; you could miss important details and create additional risks. As an administrator you need to ask: how do you use your vulnerability scanner? How do you tailor the security process to your needs? Once you have the answers to these questions you can effectively secure your environment from a huge range of threats.
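The triage the post describes (act on what you can fix, accept what you must, and put a compensating control such as a source-restricted firewall rule around anything accepted) is shown below as an added example in Python. It is not code from the guest post or from any GFI scanner: the findings, the hosts, the risk-acceptance register and the date values are constructed, and the `iptables` lines assume a Linux host firewall in front of the legacy SSH 1 service.

```python
"""Scanner-finding triage against a risk-acceptance register (added example)."""
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed findings in the shape most scanners export: host, port, check id, severity.
FINDINGS = [
    {"host": "10.0.5.12", "port": 22,  "id": "ssh-protocol-v1",           "severity": "high"},
    {"host": "10.0.5.12", "port": 445, "id": "smb-signing-disabled",      "severity": "medium"},
    {"host": "10.0.7.3",  "port": 22,  "id": "ssh-protocol-v1",           "severity": "high"},
    {"host": "10.0.7.3",  "port": 0,   "id": "dormant-account:svc_backup", "severity": "low"},
]

# Constructed risk-acceptance register. Every entry needs an owner, a
# compensating control and an expiry; otherwise "accepted" means "forgotten".
EXCEPTIONS = [
    {"host": "10.0.5.12", "id": "ssh-protocol-v1", "owner": "app-team",
     "reason": "legacy batch client has no SSH 2 replacement",
     "control": {"allow_src": "10.0.9.40"},          # only the batch host may connect
     "expires": date(2012, 12, 31)},
    {"host": "10.0.7.3", "id": "dormant-account:svc_backup", "owner": "ops",
     "reason": "quarterly backup verification account",
     "control": None,                                  # nothing compensating recorded
     "expires": date(2012, 6, 30)},
]

TODAY = date(2012, 3, 1)    # constructed scan date
LATER = date(2012, 8, 1)    # constructed re-scan date, after one exception lapses


def triage(findings, exceptions, today):
    """Split findings into those to act on (severity-ordered), those covered by a
    valid exception, and exceptions that are unusable (expired or no control)."""
    act, accepted, problems = [], [], []
    register = {(e["host"], e["id"]): e for e in exceptions}
    for f in findings:
        e = register.get((f["host"], f["id"]))
        if e is None:
            act.append(f)
        elif e["expires"] < today:
            problems.append((f["host"], f["id"], "exception expired"))
            act.append(f)                 # lapsed acceptance is no acceptance
        elif not e.get("control"):
            problems.append((f["host"], f["id"], "no compensating control"))
            act.append(f)
        else:
            accepted.append((f, e))
    # Stable sort: most severe first, scan order preserved within a severity.
    act.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return act, accepted, problems


def restrict_port_rules(host, port, allowed_src):
    """iptables lines for the compensating control: only allowed_src may reach
    host:port, everything else is dropped. Assumes a Linux host firewall."""
    return [
        f"iptables -A INPUT -p tcp -d {host} --dport {port} -s {allowed_src} -j ACCEPT",
        f"iptables -A INPUT -p tcp -d {host} --dport {port} -j DROP",
    ]


def compensating_rules(accepted):
    """Firewall rules implied by every accepted finding that names an allowed source."""
    rules = []
    for f, e in accepted:
        src = e["control"].get("allow_src")
        if src and f["port"]:
            rules.extend(restrict_port_rules(f["host"], f["port"], src))
    return rules


if __name__ == "__main__":
    act, accepted, problems = triage(FINDINGS, EXCEPTIONS, TODAY)
    for f in act:
        print(f"ACT      {f['severity']:8} {f['host']} {f['id']}")
    for f, e in accepted:
        print(f"ACCEPTED {f['host']} {f['id']} (owner {e['owner']}, until {e['expires']})")
    for host, fid, why in problems:
        print(f"PROBLEM  {host} {fid}: {why}")
    for rule in compensating_rules(accepted):
        print(rule)
```

The second SSH 1 finding, on `10.0.7.3`, has no register entry and therefore lands on the act list regardless of the first host's exception: an acceptance is per host and per finding, not per check type. Re-running `triage` with `LATER` shows the dormant-account exception flagged as expired, which is the point of forcing an expiry date onto every accepted risk.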



This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.

Tuesday, January 17, 2012

Why should Bradley Manning defend himself?

The Christian Science Monitor ran a piece suggesting how Manning may try to weasel out of his alleged actions.

Sure, let's play good defense and muddy the waters. The question is whether or not he purposefully leaked classified documents. It doesn't matter whether or not they should have been classified, or if the leak did damage. There was a rule; someone broke it; someone should pay. If Manning is guilty and wants to be a counterculture hero, then he should man up. If he's not guilty, then make the plea and prove it.

Kierkegaard writes about a knight of faith who knowingly acts counter to law to achieve what he perceives is a greater good, and he takes responsibility for the act. A knight of faith is an admirable character regardless of whether or not one agrees with his actions. No snivelling cowardice allowed. If Manning did what he's accused of doing, he's now baser than a scrawny little runt who teases the bigger kids and then runs to hide behind his mother.

Monday, January 16, 2012

Does cyber insurance offer IT peace of mind?


It was only a matter of time.
The real challenge is for security organizations to get too big to fail, and let the citizens underwrite the risk.

Friday, January 13, 2012

Book Review Went Viral, but Do Books Matter?

This is about Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It. Jesse Varsalone and Matthew McFadden wrote it, we published it, Ben Rothke reviewed it, and the review went viral. I love it when that happens, but it doesn't happen too often.

Speaking of which, is anyone reading this still reading books? Buying books? Downloading pirated copies of books? Do books play any role in your working life?

Monday, January 9, 2012

Symantec says some source code stolen, no customer information exposed

As reported on VentureBeat, a group of Anonymous members based in India has stolen the source code for Symantec’s anti-virus software. Is nothing sacred? If major security vendors are getting hacked, is it lights out for the rest of us?

Wednesday, January 4, 2012

ASIS-ISAF research pinpoints move towards security convergence

There's long been talk about security convergence. As the physical security world became more digital, it made sense that the prototypical security director, a former cop with black shoes, white socks, and a crew cut, would have to cede his domain to his information security counterpart. This, of course, hasn't happened, and likely won't. While it takes IT guys to install and maintain access controls, surveillance cameras, sensors, etc., there's still the physical world of guards, fences, and walls. This survey only addresses access controls.

Monday, January 2, 2012

Chinese government to crack down on phishing schemes

It was a busy weekend, with new hacks of commercial and political sites.

A couple of recent items (here and here) highlight China's attempts to protect its citizens from the evils of phishing. Maybe they should dial back their espionage, IP theft, and cyberwar efforts instead. China's apparent ham-handed approach to everything is a wonder to observe. Why do something subtle when you can use a cudgel? Sitting on top of all that money, they really don't care what the world, or its citizens, thinks. If the money threat doesn't work, there's always the new carrier-killer missiles.