Tuesday, March 27, 2012

National Security-Related Agencies Have No ITC Supply Chain Risks?

Last week, the GAO said that defense-related departments have a security problem because of software, hardware, and components sourced or manufactured overseas, especially China. The departments in question don't track these items, and maintain that no threat exists, or the cost of monitoring exceeds the cost of the risk. This is disingenuous at best.

Now, today, the GAO reports that suspect counterfeit electronic parts can be found on DOD supply chain Internet purchasing platforms.

I recall Whitfield Diffie, addressing an RSA conference, stating that one of his greatest security fears is components calling home (to China). This type of threat has "movie" written all over it, but that doesn't make it any less real.

Australia has no such qualms, however. It's blocked Huawei from bidding on gear for its National Broadband Network. It seems that foreign governments, especially in Asia, are much more aware of these threats. At least the US Congress has blocked sale of some US high-tech companies to Chinese enterprises controlled by the PLA.

There are other IT security lessons that Australia can teach us.

Monday, March 26, 2012

Hackers breached 174 million records in 2011. Did it make the Guinness Book of Records?

Verizon's breach report notes that hackers breached 174 million records in 2011. This seems like a lot of records, but is it a world record? I wonder what would happen if the hackers of the world decided to go for a world record? Would competition and one-upmanship drive the numbers ever higher?

Thursday, March 22, 2012

If we didn't have Google to kick around, I'd have to create it

Well, Google's back in the news, although this is more about the Puzzle Palace (NSA pressed to reveal details on Google deal following Chinese attack).

At this point, Google is still battling Amazon for the top slot on my list of companies I love to hate. Remember when the world hated Microsoft because of its dominance in desktop computing and LANs? They look absolutely altruistic when compared to the undisguised rapacious behavior of Google and Amazon. For a long time I hated Barnes & Noble for putting independent, especially technical, bookstores out of business in the 1990s. Now, I'm praying for its survival under the offensive launched by Amazon on the entire book publishing industry. I still hate Walmart for its business and labor practices, and for pioneering the decline of American manufacturing. Channeling this disgust at the "be evil" company and Amazon is cathartic, though, even though I'm spinning my wheels.

What's this got to do with information security? Not much. But it was cathartic.

Wednesday, March 21, 2012

Patch Management the Easy Way

Patching is one of the most critical system admin activities, but it is also one of the most frequently neglected. The stated reasons may vary, but they usually come down to a simple lack of a patch management strategy and of an application to make patching easy. Getting from a bad or non-existent patching strategy to a sound and successful one, like so many journeys, starts with a single step.

Decide Patch Management Is Important
IT needs to patch, but they also have to want to patch. It's far too easy to push patching off, especially when most patches require reboots, and no one wants to stay up until 3AM on a Saturday. Security needs to patch, because many exploits take advantage of flaws that have already been patched. Management needs to patch because patched systems are more stable and reliable, and perform better against SLAs. Everybody knows patching is important, so all you need is to agree on it, and senior management needs to support that. With senior management support, the rest of the steps are easy.

Implement a Patch Management Solution
That senior management support must include funding for a patch management solution. One of the biggest reasons patching is so painful for many is that they try to do it manually, or with a combination of WSUS and scripts, or other home-grown solutions. A good patch management solution can automate all the work, letting you approve and schedule patching and then just check on status when it's done.

Include Third-Party Applications
Patching operating systems, but not third-party applications, is like locking all the windows and leaving the front door open. These are the applications the users interact with and that process data submitted from the web, and they must be patched just as diligently as your operating systems. Good patch management solutions can patch third-party apps just as easily as operating systems.

Commit to Testing
The vendors do a lot to test their patches, but ultimately it is your responsibility to test patches before deploying them. Testing requires users to run patches on their workstations and on test versions of your application servers, and to put things through their paces to ensure there are no issues. Senior management needs to allocate resources to perform this testing each month. Your patch management app should be able to deploy patches to a set of test machines to make it easier to evaluate patches before pushing them to all of production.

Have a Way to Roll Back
Even with testing it's possible to encounter an issue with a patch, so make sure your patch management solution can automate the rollback of a patch.

Assess, Log, Report and Audit
The biggest risk with manual patching is that something will be missed. Patch management applications should be able to assess all systems, log all patching, and generate scheduled and on-demand reports, and you need to audit these to ensure all machines are patched and compliant.

Respect the Window
Establish a patching window and make sure everyone knows what it is. Make that window one that takes priority over other activities, and set the expectation that the business will have to work around patching, not vice versa. Again, you will need senior management support to get this through, but you don't want to delay critical security patches just because the marketing team wants to update the content of the website.

Patch with Confidence
With a good patch management application, the support of senior management, a sound testing plan, and windows in which you are able to patch, proceed with confidence. Patching is a good thing and shouldn't be a cause of pain or suffering. Leave that for when patches are missed, because it's a safe bet that if you miss a critical patch, the pain and suffering will come.

If your IT organization and senior management see that patching is important, advocate patching within the organization, allocate a modest amount of resources to patching, and then set the expectation that patching will be done, you will soon find that patching is a normal and easy part of systems administration activities. Take that first step with your patch management process and you will be well on your way.
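As an added illustration of the testing, rollback and audit steps above (example code written here, not GFI's product or anything from the post): a small Python audit over a constructed inventory that clears a patch for production only after it has sat on every test host for SOAK_DAYS without a rollback, then reports which cleared patches each production host still lacks, OS and third-party alike. SOAK_DAYS, the patch ids, the dates and the hosts are all assumed values.

```python
from dataclasses import dataclass, field
from datetime import date

SOAK_DAYS = 7   # assumption: days a patch must sit on every test host before it goes to production
AUDIT_DATE = date(2012, 3, 21)  # constructed "today" for the sample inventory below
# Required patches cover the OS and third-party apps alike; CRITICAL marks those that must not slip.
REQUIRED = {"KB-OS-1": "os", "KB-OS-2": "os", "JAVA-7u3": "third-party", "FLASH-11": "third-party"}
CRITICAL = {"KB-OS-1", "JAVA-7u3"}

@dataclass
class Host:
    name: str
    ring: str                                      # "test" or "prod"
    installed: dict                                # patch id -> install date
    rolled_back: set = field(default_factory=set)  # patches removed again after causing trouble

def cleared_for_prod(patch, hosts, today):
    """True only if every test host has run the patch for SOAK_DAYS without rolling it back."""
    test_hosts = [h for h in hosts if h.ring == "test"]
    return bool(test_hosts) and all(
        patch in h.installed and patch not in h.rolled_back
        and (today - h.installed[patch]).days >= SOAK_DAYS
        for h in test_hosts
    )

def audit(hosts, today):
    """Return (blocked, gaps): patches still held in test, and the cleared patches each prod host lacks."""
    cleared = {p for p in REQUIRED if cleared_for_prod(p, hosts, today)}
    blocked = sorted(set(REQUIRED) - cleared)
    gaps = {}
    for h in hosts:
        if h.ring != "prod":
            continue
        missing = [p for p in sorted(cleared) if p not in h.installed or p in h.rolled_back]
        missing.sort(key=lambda p: p not in CRITICAL)   # critical patches first (sort is stable)
        if missing:
            gaps[h.name] = missing
    return blocked, gaps

# Constructed inventory (not from the post): two test hosts, two production web servers.
SAMPLE = [
    Host("test-01", "test", {"KB-OS-1": date(2012, 3, 1), "KB-OS-2": date(2012, 3, 1),
                             "JAVA-7u3": date(2012, 3, 19), "FLASH-11": date(2012, 3, 1)}),
    Host("test-02", "test", {"KB-OS-1": date(2012, 3, 1), "KB-OS-2": date(2012, 3, 1),
                             "FLASH-11": date(2012, 3, 1)}, rolled_back={"KB-OS-2"}),
    Host("web-01", "prod", {"KB-OS-1": date(2012, 3, 10)}),
    Host("web-02", "prod", {}),
]
if __name__ == "__main__":
    print(audit(SAMPLE, AUDIT_DATE))
```

In the sample run KB-OS-2 stays blocked because a test host rolled it back, and JAVA-7u3 stays blocked because it has not soaked long enough and is missing from one test host.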

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.

To learn more about patch management, read:

5 Reasons to Establish a Patch Management Policy

Security Patch Management: Getting Started

Tuesday, March 13, 2012

Facebook social engineering attack strikes NATO

When you think about it, it's really surprising there are so few of these attacks. As a company, we're putting a big push behind social networking for marketing, with editors and marketers creating and posting to many sites. Is this going to make us more vulnerable?

Friday, March 9, 2012

IT security neglect helps Anonymous: a deliberately contentious statement?

"IT security neglect helps Anonymous." Is this a deliberately contentious statement? Trashing people tasked with the thankless job of administering and securing a network and data isn't helpful. Thanks to the asymmetric nature of the threats, it's far easier for someone with nothing better to do to attack a network than it is to defend it for someone for whom securing a network is just one of many, sometimes onerous, tasks. It's not like infosec people want to make it easy. If anything, the fault lies with whoever makes the decision to make every app Internet-facing. So, it's probably more accurate to state that it's management neglect that abets hackers.

Monday, March 5, 2012

GOP senators introduce another cyber security bill: SECURE IT

So, another cyber security bill. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT). At least they didn't decide to attack Iran. If they stay busy and diverted with useless infosec legislation, maybe they won't create any real mischief.

And who comes up with these acronyms? SECURE IT. Is there someone with a full-time job in Congress to come up with these? And I thought the headline writers for the NY tabloids were clever.

Friday, March 2, 2012

Google Privacy Changes: 6 Steps To Take, or 1

I really like step 6, which is live in a cave. If you don't want to get off the grid, the next easiest way to escape Google is to not use it, disable cookies, and use one of the many excellent alternative search engines.

"Hurt me once, shame on you. Hurt me twice, shame on me."

The real problem here is how deeply we've let Google insinuate itself into our lives. I have to admit, I use Blogger, a Google product, for this blog. I use Google Analytics for Web site analysis. I've undoubtedly shared photos using Picasa, and I'm certain none were embarrassing. It's hard to beat free and good and available, and I'm sure there are equally good alternatives that are slightly less intrusive but I haven't found them. So, it's shame on me.