<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-4443863988149595774</atom:id><lastBuildDate>Wed, 09 Oct 2024 11:14:55 +0000</lastBuildDate><category>info</category><title>Headwall Security - Thoughts and revaltations</title><description></description><link>http://headwallsecurity.blogspot.com/</link><managingEditor>noreply@blogger.com (Ian Burke)</managingEditor><generator>Blogger</generator><openSearch:totalResults>23</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-2949700580711432811</guid><pubDate>Tue, 12 Jan 2010 16:40:00 +0000</pubDate><atom:updated>2010-01-12T11:40:38.071-05:00</atom:updated><title>growing up</title><description>My son and daughters have been talking a lot lately about &quot;when they grow up&quot;. I always respond . . .&quot;when I grow up I . . .&quot; I have realized that there is so much to life that we never should stop growing up. We need to keep living life and keep looking forward to what comes next. Seek out every opportunity and grab each day when it comes. When I grow up I will have a big yellow SUV with a sticker that says &quot;Life is Good!&quot; I will play in the sun and I will run like the wind. When I grow up I will tell stories to my kids and to my grand kids and to my great grand kids. I will live each day to its fullest. 
Why wait?</description><link>http://headwallsecurity.blogspot.com/2010/01/growing-up.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-7460437918940311935</guid><pubDate>Tue, 15 Dec 2009 17:32:00 +0000</pubDate><atom:updated>2009-12-15T12:32:08.228-05:00</atom:updated><title>Interesting Fall</title><description>This has been an interesting fall. With the loss of a leg I have learned the extent of the generosity and kindness of others. I have learned how loving a family can be. I have learned how strong a person can be. &lt;br /&gt;
People keep commenting on how I do not seem to be going through any kind of mourning process with the loss of my leg. My response is that I did that seven years ago. What I am struggling with is the impact that this process is having on those around me. I watch how my wife struggles not with the burden of caring for the children and home but rather with the burden of those issues when reflected upon through the fear brought about by the implications and risks from my surgery. While she sees the optimism in me and can see the positive change, I know she fears the worst.&lt;br /&gt;
I watch my mother buckle in pain as she toils over my children, straining to help me in the effort to care for them while providing the space for my recovery. The recognition of the challenge of caring for two two-year olds, two three-year olds and an energetic nine-year old ever present in her mind, she approached her challenge as a task to accept while viewing my challenge as one to be managed and aided. Her generosity only superseded by her concern.&lt;br /&gt;
I see my mother-in-law sacrifice her family time again and again. Week after week she traveled to our home to support me with our children, often providing opportunities for me to retreat to my bed to elevate my leg for hours or to fall asleep in a chair without notice. Meal after meal was prepared; night after night she sat with my son at bedtime.&lt;br /&gt;
The kindness of these two women and the men who support them and also gave of their time, energy, effort and love has moved me. I am in awe of the self-sacrifice that these people have made as individuals and as couples. I appreciate it as a family member and as a person. &lt;br /&gt;
I have great concern for all of these people, my wife, my mom and dad, and my in-laws. They have each given of themselves in ways that have caused personal loss for my great gain. I do understand their personal choice and that their success is in part connected to my recovery and I am greatly improved by their sacrifice. But I do worry about those around me. My love and appreciation is profound.&lt;br /&gt;
My wife is an amazing woman. Through all of this she has had a unique challenge. My family was with me through my initial loss. My friends saw me lose my foot when it had the initial injury. My friends and family have been with me through the last seven years of struggle. My wife has only seen me through the last few years of decay. She has seen me walk and hike on my foot. She has seen me push strollers and carry children on my foot. She has also watched my foot change shades and sizes as the strain of a day caused bruising and swelling. She understood the pain but she never saw the loss. For her the grieving process is taking place now. She is struggling with the concept of my amputation being a choice. She saw me on my foot and struggles with the loss and this transition. As we move through this she knows things will be better as she saw the pain. She knew the pain as well as me as I did a poor job at hiding it from her. While I have been aware of it, she has never imposed her struggle on me. Through all of this she has come along with me and is readily awaiting my prosthetic.&lt;br /&gt;
I am amazed by those that I encounter on the street. I have spent ten months on crutches. I have talked with many who are bitter. But I have found the world around me to be kind and supportive. Every door has been held for me. People have gone out of their way to help me. That said, I must admit that the structural world is ill equipped to accommodate the physically challenged, with doors that are hard to open and bathrooms that are hard to use. Restaurants do not accommodate crutches; I fain to think how they would do with a wheelchair. But despite these inadequacies people go out of their way to overcome them.&lt;br /&gt;
I have grown. I am still a short while out from having my prosthetic. I am five months out from my surgery and two operations away. I have fought off a major infection and healed some serious wounds, and now find myself looking forward to the next stage of this process. I have a new appreciation of how my body works. I understand my ability to motivate myself and my ability to sit back and take a pass. I know where my breaking point is for so many more things and when I am able to buckle down and keep going. There are so many times in these past few months when I wanted to step back and let others just take care of everything. To put up the crutches and say, “I quit!” but I have learned how to look inside myself, when it really matters, and decide if I have what I need to take the next step. I know I have a lot to improve. I am learning to look for my faults that can be changed and to move past those I can not change. I am setting goals for myself; achievable goals. I am even starting to set limits. So much of this is new. Much of this I have learned from those around me. Much I have learned from myself. Pain is a great teacher. Learning to manage pain is an even greater teacher. Living pain free is liberating. I am free for the first time in years. I am learning to love life like I did seven years ago. &lt;br /&gt;
I can not wait for what is next.</description><link>http://headwallsecurity.blogspot.com/2009/12/interesting-fall.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6720345173174709792</guid><pubDate>Tue, 15 Dec 2009 15:27:00 +0000</pubDate><atom:updated>2009-12-15T10:27:49.506-05:00</atom:updated><title></title><description></description><link>http://headwallsecurity.blogspot.com/2009/12/blog-post.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-7210199712503842031</guid><pubDate>Fri, 04 Dec 2009 12:17:00 +0000</pubDate><atom:updated>2009-12-04T07:27:51.375-05:00</atom:updated><title>Priorities</title><description>I have been away from my computer and blogging space for a while. My life has taken on new priorities and new insights over the past three months. With the amputation of one of my legs, I have come to understand a new balance in the way we do things. I have a large family and I have always held them as a priority in the scope of my work. But I now see that the security space that I work in is really about doing a job. I think that we all need to keep on top of security and make sure that the threats that we face are addressed head on, but, and I also send this message out to those that waste their time creating those threats, at the end of the day we need to make time for ourselves and our families. A good night&#39;s sleep, time with the kids, sitting out looking at the stars are all important things we can not give up locked in server rooms and stale basements. 
Remember what is important in your life.</description><link>http://headwallsecurity.blogspot.com/2009/12/prioritites.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6405728859357149138</guid><pubDate>Wed, 01 Jul 2009 13:20:00 +0000</pubDate><atom:updated>2009-07-01T09:26:00.843-04:00</atom:updated><title>Piety</title><description>&lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;What is the meaning of innocence in a world that tramples the innocent &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;And lifts up the self-righteous? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;All around us we see humble and honest people &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Pushed to the bottom of the pile &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;While those that would manipulate others and the world around &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Succeed and prosper. Is there a reward in this humility? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Is the comfort in &amp;nbsp;piety the solace and serenity that will bring joy to the lives&lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Of these individuals? What of the after? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Will they be those that prosper and flourish? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Where is the balance? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Where is the judgment? Is it in each of us? &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;I ask this to find this balance in myself. 
My search is to find my own piety&lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Of which I have lost. &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;I search now to find peace and fairness. &lt;/font&gt; &lt;br&gt;&lt;font size=2 face=&quot;Times New Roman&quot;&gt;Where are you?&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/07/piety.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-8391209355308078502</guid><pubDate>Wed, 03 Jun 2009 19:38:00 +0000</pubDate><atom:updated>2009-06-03T15:38:28.042-04:00</atom:updated><title>Value of a parachute</title><description> &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;A number of years ago I went through an exercise with a book called &amp;quot;What Color is Your Parachute?&amp;quot; It walked me through the process of figuring out what kind of people I liked to work with and what kind of industry I liked to work in. It covered all sorts of topics of this sort. When all was said and done it helped me to redefine my career and start down a new path. I find that this is a process that is worth going through on a regular basis as our goals in life change and our situation in life changes as well. I also find that the value of this parachute is immeasurable. Being adrift in a career or in life is a costly and painful place to be. Having the support or knowledge of where you want to go in your life and knowing what your motivators are helps to drive you with everything you do. It helps make every action you take in every aspect of your day that much more rewarding.&lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;When I did my first parachute I was a single professional looking for a good group of people to work with. While money was important to me it was not my primary motivator. 
Today I am a family man and income is a motivator for me as I need to be able to support my family. Benefits: health insurance, vacation, commute, and flexible schedules, all come into play where I was more concerned about tuition benefits and co-workers before. I also find that my parachute is also looking to community and other aspects of my life whereas before it was almost entirely job focused. I am now looking at what other aspects of my life need to be entwined into my career. My interests have changed and it is more important to consider what it is that my job is supporting. &lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;As I think about all of this I realize just how important it is to look at my security and my focus as I shape my life moving forward. Our economy, our world is in a dynamic and exciting time. For many, myself included, it is full of stress and anxiety. This is an important time to look at where we are and where we want to be. Use this time to build the platform to be ready for what tomorrow will bring. Know yourself as best you can for only then will you be able to land on your feet as you step forward into this new era.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/06/value-of-parachute.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-5620142451857286885</guid><pubDate>Mon, 11 May 2009 13:01:00 +0000</pubDate><atom:updated>2009-05-11T09:01:59.348-04:00</atom:updated><title>God&#39;s guidance</title><description> &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;I often wonder how we manage to get through a day. I work in security and struggle with much of what I see around me. 
I have become a security engineer and have come to realize that I would be better suited in a smaller organization where I can focus on a broader spectrum of security issues. I have a family facing countless struggles but none that any other family might not face and I personally feel ill prepared to guide them through this chapter of our lives; yet they are needing guidance. I find myself apathetic to many aspects of my life. I drift through initiatives that require drive and motivation. With all of this I reach out now calling for the grace of God to lend his graceful guiding hand. With his guidance perhaps I may find new life, wisdom and enthusiasm to drive me forward with life&#39;s offerings. I challenge each of you to invite God to guide you through your challenge today.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/05/gods-guidance.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6039568981786527187</guid><pubDate>Fri, 01 May 2009 14:10:00 +0000</pubDate><atom:updated>2009-05-01T10:10:45.196-04:00</atom:updated><title>What is the big threat</title><description> &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;I still contend that all of the technology in the world is no good if we do not address the biggest threat that we face. Every organization faces it. It is an issue inside of security teams as well as throughout the rest of every organization. We need to address the mind-set of the user base. We need to change the way people view computers and how we use them. We need to change the way people interact with the data that we use, create, and manipulate every day.&lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;People are very cavalier with data and computers. They have no problem moving data to the most convenient location and moving it back again. 
They download data from a production server to their local laptop to take home for an evening of data crunching and then upload it into the corporate database in the morning. They connect their personal SmartPhones to the corporate network, synchronizing personal and corporate mail systems and calendars. Corporate data can find itself left on the back seat of a car or in the overhead compartment of an airplane. A presentation containing confidential information can be loaded onto the pocket sized device of an individual and can land in the hands of a pickpocket on the train. With all of this mobility users insist on ease and convenience. They rebel against encryption which slows down their system&#39;s performance or asks for an extra password. They object to security measures that prevent corporate data from being loaded onto mobile devices or local systems. Any system that might interfere with their old habits or personal method of doing business is not tolerated. Loopholes, shortcuts, and other failings in the security systems eventually lead to the breakdown of the system and vulnerabilities show up. People use these critical systems for personal pleasure, further exposing the corporate data to other vulnerabilities and eventual breach.&lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;If we have learned anything from history it is that every security measure will be broken with time. MD5 has been broken with collisions. 64-bit encryption keys are not strong enough. Every aspect of security is a fluid battle, back and forth between the good guys and the bad. No technology is going to be the great panacea that will win this war. The biggest vulnerabilities facing industry are those caused by incidental exposures; critical data sent clear text over the Internet or left on a laptop, servers left exposed to the public network, or passwords left posted in public view. 
If we do not get people to change the way they treat the data and reduce the initial exposure, reduce the number of opportunities for the bad guys, then all of the technology in the world will never make a difference. I once saw a picture depicting the most secure network. It showed a bunch of people &amp;nbsp;standing around looking at a computer locked inside of a room with no way in. This is not the dynamic I am suggesting. I acknowledge that we need to work with the data. But we also need to respect the data. People need to be cognisant of what they are doing. Think about the exposure they might be placing on the data with their actions. Think about the safeguards that have been put in place and be sure that they work inside of them and watch for events that look out of the ordinary. In today&#39;s age every computer user should have some level of training provided by their employer so that they are aware of what normal computer performance should look like. They should all be aware of security issues and threats. We are all part of the security systems protecting our networks.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/05/what-is-big-threat.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-841401965711268773</guid><pubDate>Thu, 16 Apr 2009 11:43:00 +0000</pubDate><atom:updated>2009-04-16T07:43:50.541-04:00</atom:updated><title>Security&#39;s place in an organization</title><description> &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;Security sits in many different places in an organization. The larger the organization the larger and more autonomous security tends to be. In smaller corporations the role of security often seems to be placed with networking or placed in the hands of the system administrator in charge of antivirus or LDAP/Active Directories. 
These role clustering trends so often are due to budgets. As corporations grow the ability to fund a security entity grows; first within these same departments and then more prevalently inside of IT. In mid-sized organizations you may actually find a security staff person or two. Commonly these individuals will report to the CIO or CFO. Much like the large organizations where you will find entire security departments reporting to a CIO or CFO.&lt;/font&gt;&lt;font size=3&gt; &lt;br&gt; &lt;/font&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;&lt;br&gt; The question becomes where does security fit in these organizations? I had a manager that once told me that security never brings good news. He was right. Security has become the necessary evil in every organization. &amp;nbsp;They are an expense nobody wants to put money toward. An extra step in every project that nobody wants to take. Security is the entity that delivers all of the bad news of breaches, viruses, and vulnerabilities. They are also the new expert that informs all of the other segments of IT on changes, updates and modifications that need to be made to their infrastructure. But security is also a user, a drain on resources. They have appliances in the fabric of the network that require updates and cause downtime. They require the services of the networking and server administration teams for maintenance on the security equipment. They require assistance from the help desk to deploy their client applications. And they require assistance from administration to deploy and enforce their policies.&lt;/font&gt;&lt;font size=3&gt; &lt;br&gt; &lt;/font&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;&lt;br&gt; So what is the role; where is the place for security? Are they the new manager for the network? Are they the new cop on the campus? 
Should security be broken up into different groups that report to different sections of the organization; engineering to networking and analysis to the CIO and Intel to the CFO? I would suggest that perhaps it is a culture change that an organization needs to go through as a whole. Security should function as a big facilitator. I would propose that in a perfect world Security would not manage any equipment but rather that would all be left to the Server administrators and the networking group. Where security needed a new appliance they would order it and that would be left to IT to get and put in place. Patches would be managed by IT, and Security would not be a part of IT. IT should report to the CIO who should report to the CEO. Security should report to the CFO who should report to the CEO. Or there should be a CSO who reports directly to the CEO. But security needs to be separate from IT and as such needs to be a customer of IT. They should also be the IT consultant.&lt;/font&gt;&lt;font size=3&gt; &lt;br&gt; &lt;/font&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;&lt;br&gt; What am I implying? You could almost have billable hours going both ways; expectations on both sides of the equations. Security has systems in the IT infrastructure; servers, appliances, PCs. These all require service and that service should come with expectations. Likewise security has knowledge that they possess and gain from experience and from their equipment that they need to provide IT. Their equipment also provides capabilities that they need to share with IT. Security can provide a service of which IT should have an expectation. This same service cascades out to the entire organization. This is where security can play the role of facilitator. One of the key services that security provides is to facilitate IT in providing a more secure product and to facilitate the user base in the organization to demand and support the implementation of a secure product from IT. 
Providing services such as this helps to reduce the bad guy image of security. Enabling the rest of the organization to produce secure solutions reduces the number of times that security has to inform the company of bad news. The more IT can feel like they are partners in these solutions the better things will perform. The more autonomous security is and the more customer based their relationship is with IT the more successful their mission will be.&lt;/font&gt;&lt;font size=3&gt; &lt;br&gt; &lt;/font&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;&lt;br&gt; Every organization faces resistance to the mission of a security program. Autonomy of security inside of an organization, separation from IT, helps with the success of that mission.&lt;/font&gt; &lt;br&gt;</description><link>http://headwallsecurity.blogspot.com/2009/04/securitys-place-in-organization.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-4187255902353431087</guid><pubDate>Sat, 07 Mar 2009 23:07:00 +0000</pubDate><atom:updated>2009-03-07T18:07:30.929-05:00</atom:updated><title>role based access</title><description>&lt;div class=Section1&gt;  &lt;p class=MsoNormal&gt;In an ideal world access to our critical assets would be decided by roles. By the function that each individual carries in their business application. There would be a set list of job classifications that would be defined; buckets that employees could be dropped into, and these would define security access to the network resources. 
This theoretical model works great on paper but when applied to true functioning business applications there are too many offshoots from those given role definitions, too many crossover roles between these job buckets, and too much change and shift on a continuous basis for a theoretical model such as this to apply and be truly secure.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;Does that imply that a model such as this has no place in security? By no means. Strong theory will always lead to a better security design, and the narrower the definition of security access is for each individual the better the security will be for the entire organization. While you may need to shape and design your security model with flexibility to the needs of the business, the original design needs to be based on sound theory. &lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://headwallsecurity.blogspot.com/2009/03/role-based-access.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-4423946783015463611</guid><pubDate>Wed, 04 Mar 2009 20:53:00 +0000</pubDate><atom:updated>2009-03-04T16:01:06.741-05:00</atom:updated><title>The biggest mistake</title><description> &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;We all know that times are tough. We have heard about the housing crisis. We have heard about the banking crisis. We see every day at our jobs the strain on our own companies. As security specialists we need to be aware of the impact this is going to have on the vulnerability space. Our job is to ensure that these strains do not increase the vulnerabilities on our networks. Unfortunately often these times will increase the numbers, opportunities, and likelihood of internal threats to a network. 
The stress on an individual pushes them to find opportunities to get ahead and when the ship is going down they often feel as though they have nothing to lose. So often companies, when they feel the need to tighten their own belts, tighten the noose around their employees. While this is a quick and easy place for a company to save some money, it is important for us as security professionals to advise administrators to find ways to keep the morale up among employees at the same time. Often you will see employers do things such as increasing the amount of auditing done to time keeping and payroll, or restrict vacation and sick time that employees have justifiably accrued. While these steps may give the appearance that they will save money, and they may catch one or two people that cheat on their time, they will draw down on morale and may incite that one person to breach internal security rules and compromise the network; costing the company much more than they might have saved.&lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;Morale is an important asset to foster in a company. Loss of morale is often harder to get back than you might think. While there are little things that a company may do to save a dollar here or there in tight economic times, they need to weigh them against the tangential cost incurred by side effects of those cost saving measures. Even if a disgruntled employee does not breach security, loss of morale inevitably will drive away good employees and loss of talent always hurts a company. As security professionals we need to look at the risks to a company. We do not stop at the dollar amount but look beyond to the impact that a program, strategic plan, or application has on the security of the data and network of the organization. 
Our job is to advise the stakeholders of these impacts.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/03/biggest-mistake.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-1977661304780042567</guid><pubDate>Wed, 25 Feb 2009 17:48:00 +0000</pubDate><atom:updated>2009-02-25T12:50:44.346-05:00</atom:updated><title>Knowledge -vs- Intelligence</title><description> &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;I was recently presented with an interesting compliment. I was told I was smarter than another individual in my department. I had to stop and think about the statement for a while. I was puzzled as I find myself turning to them on a regular basis for help and advice. I soon found that I was not thinking about the comment in the context of myself and this individual but security professionals and their actions. We come at all different levels of experience and a vast array of different backgrounds. In my office we have gamers and programmers, college trained professionals and those that have just fallen into computers. I wanted to be a park ranger. Even went to school for it. But I worked my way through school in a computer store and found I was stuck in the field. I have taken classes and received certifications, but most of my training is in the field. No, I am not your technology wizard. I am no hack and no gamer. I spend my nights with my wife and kids. So what makes me, like all of the other successful security professionals, different? You see it in the classes we take. I am taking a forensics class and they, from day one, teach a process, a way of thinking, an Intelligence that as security professionals we need to apply to what we do. This is what sets us apart from the help desk tech or the network administrator. This is why the business administration turns to us when making difficult decisions. 
The Intelligence we apply to situations and that we use when making decisions, not our technical knowledge, reflects the thoughtful process and analytics that we walk through with what we do. To be successful in security this needs to be reflected in everything we do; in our system design and our internal work to our investigations and our troubleshooting. This is the difference between knowledge and intelligence and this is what sets security apart. It is not about knowing something that the other guy does not. It is about using that knowledge smarter.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/knowledge-vs-intelligence.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-159455148750519768</guid><pubDate>Tue, 17 Feb 2009 16:26:00 +0000</pubDate><atom:updated>2009-02-17T12:51:55.434-05:00</atom:updated><title>New sounds</title><description>&lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;I am one of those people who when I go to the bathroom in a public restroom I am as quiet as I can be and become super sensitive to sounds around me. I know I am not the only one. Well lately I have noticed a new sound in public bathrooms. No, don&#39;t think disgusting. It is a clicking sound. See, I work for a company that provides Blackberries for all of their employees and what I have observed is that people can not stop using these things. In meetings, at lunch, while they walk, and yes, while they go to the bathroom. People can not put down the phone. Whether they are texting, checking their email, or surfing the web, these little devices seem to be the next addiction for people both where I work and elsewhere. For me this raises the question of both reasonableness and etiquette. &lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;I can not deny the usefulness of these tools. 
I had a chance to play with an iPhone the other day and was in awe of how powerful all of its features were. But when do we need to put them down and pay attention to what is going on around us? It reminds me of children with DVD players in the car; missing the scenery outside the window on the family trip. And yet these most powerful of personal data assistants have a place in a meeting where some use them to take notes and run presentations. How do we, as the users of these powerful tools, define what is appropriate? As we become a society driven by instant communication, how do we decide who should always be in constant contact and who should not? When the President of the United States of America is stating that a Blackberry is an essential tool, how do we define the boundaries for such a tool; and for whom do those boundaries apply?&lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;On a security front, these ever so mobile and multi-interfaced devices pose all new security challenges. Do you allow a user to have a voice and data plan on the same device? Do you allow a personal Smartphone on your corporate data network? Do you allow an individual to sync their smartphone or PDA with their corporate PC? Do you allow email synchronization but not data synchronization? Do you provide a VLAN for wireless mobile devices, separate from the rest of your WLAN? These are just some of the security questions that need to be addressed when confronting the mobile device issue in your corporate environment. Developing a unified solution from the top administrative levels of your organization down will help to ensure that your plan will stay intact as it grows across your infrastructure. Plan for the future not for your needs today. Don&#39;t always start your first project with administration. Administrators are very busy and can not always give up the technology once they have adapted to it. 
Your first pilot should be with users that are flexible and can use the technology, spend time with the administrators of the technology and give up the technology at any given point. Remember the reason for a pilot is to test new technology. The implementation of mobile devices is new for most of us; especially when rolled across the entire organization.&lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;You might as well jump into this technology feet first. It is not going to go away any time soon. And when it does it will only be because it is obsolete.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/new-sounds.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6107833246651716735</guid><pubDate>Fri, 13 Feb 2009 20:01:00 +0000</pubDate><atom:updated>2009-02-13T15:03:43.105-05:00</atom:updated><title>Approved Software</title><description> &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;Many companies are now imposing software images for their desktop. They have a specific set of software that is allowed on a desktop and then, using software such as RAPID7 or some other vulnerability scanner, they then monitor the software on desktops and ensure that people do not load unapproved software on their systems. My question today is what is an appropriate way to approve exceptions. I work for such a company and they had not thought to have an alternate CD burning package approved or to have a hash generating package approved. I ran into a need for both of these. I check the MD5 hash on every update I load onto my equipment. My Windows box did not come with a hash utility so I downloaded one. This seemed fair and reasonable. The problem I ran into was that the exception process for software exceptions to the approved exception list is not well defined. 
There is a form but it goes to my department and is approved by who knows. My manager maybe? If you are going to have a policy limiting software on a system, should there not be a process, tracking changes and exceptions? Should there not be a list of qualifications and guidelines for what is a valid exception? How is a decision made? Is there a review process of competitive software? &lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;In my case my product was free so the business justification was not a financial one. But it did have a strong security and performance implication. When you are providing a justification for something like software it needs to have financial, security and functional justifications. The entire reason for limiting software on a desktop boils down to support from the helpdesk and threats from a malicious download, and cost. A justification needs to address those issues. Your process for an exception needs to address those issues as well. I do not see that happening at most locations. Their focus seems to be on any one of the components. Either the focus is on the security and they lose track of the support issue and financial issue, or they lock in on the cost &amp;nbsp;and allow people to load anything under a certain cost. There needs to be a balance of all three.&lt;/font&gt; &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;A colleague of mine pointed out to me the other day that Security is truly becoming the great facilitator of business. Our role is not just to protect the data but to protect the business processes. More and more it is our job to ensure that the systems are kept up to date which requires that the budget process stays on track which requires that the planning cycle is working correctly which requires that the core product development team is working together, and they need to work with us to protect their IP. It is all connected and it all is impacted in part by our gentle coaxing. 
We play a role in every department. We can come across as the brute squad or as the great ally. We manage access, connectivity, file sharing, policy, audits. We have access to more information than any user on the network. This gives us the ability to take a process such as an approved software list and expand it to a full business process. Help the Help desk to improve their support functionality. Build business functionality by supporting the budget process and reducing cost by building a comparison process into the justification process, and increase security by preventing erroneous downloads and rogue software. Build a process that leverages our cross business functionality and supports the entire organization.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/approved-software.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-7364494003942611634</guid><pubDate>Tue, 10 Feb 2009 14:41:00 +0000</pubDate><atom:updated>2009-02-10T09:43:29.934-05:00</atom:updated><title>I should add to my last thought</title><description> &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;It is important to know, to identify all of our data. Data loss prevention is a hot topic these days. One of the first steps in DLP is Data Identification. Whether as part of a DLP project or simply as part of a security plan, data identification is always an important step in any security process. If you do not know what you have how can you know how to protect it and what to protect? Simple example, PCI information needs to be protected in specific ways. PII needs to be protected in other specific ways. Do you need to invest the cost and expense needed to protect this information across your entire data center and restrict access to all of your resources? 
If you know your data and know what is where then you can section off your data and protect the right data to the right level. With that you should also know the regulations and standards that govern your data.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/i-should-add-to-my-last-thought.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-972615489208050317</guid><pubDate>Tue, 10 Feb 2009 11:39:00 +0000</pubDate><atom:updated>2009-02-10T07:59:45.857-05:00</atom:updated><title>Security in our heads</title><description>I often joke that we should have no secrets and that we should share all information; that this would be the answer to security issues. I was thinking about identity theft the other day and realized that those with more secrets are bigger targets than others. When you think about it a person who can not get credit is never going to be a victim of credit theft. Likewise a person with no health record does not need to worry about a HIPAA violation.&lt;br /&gt;&lt;br /&gt;The reality is that all of us have some medical record or some credit, however small, and businesses have information to protect. But have we inflated security so big that it is self perpetuating? Are we making targets for the bad guys?&lt;br /&gt;&lt;br /&gt;My wife watches those gossip TV shows on all of the celebrities. They are always complaining about the privacy of the mega stars, Tom Cruise, Meg Ryan and the others. (Point to note I do not know who is hot these days. I don&#39;t even know the last flick that I saw. I know it was rented.) I understand not wanting to have every aspect of your life on camera, but these people perpetuate the drama and we, as consumers, perpetuate the market for that drama. &lt;br /&gt;&lt;br /&gt;This is the same cycle that exists for other information that people try to protect. 
Big businesses put major fortifications around their most critical data. Yet they provide public access to portions of that information for research or on-line sales. If a company wants to protect their information why not keep it secret, remove access to it, bastion it off in its own silo away from the public? I understand that you need to pull information from the outside in and from the inside out. There can be conduits for this, channels that still protect the sanctity of that inner silo. Build a VPN to your internal network that connects the outside facing network with the inner network.&lt;br /&gt;&lt;br /&gt;There are simple ways to protect what we hold most valuable. I think that we sometimes make things bigger than we need to, more complex. Are we building our own security threats? Are we compounding our own security vulnerabilities? Are we enlarging the complexities of our security solutions? All of these are questions that we need to ask. Most of all we need to ask: is the security target in our head? Are we trying to protect something that is not even there?</description><link>http://headwallsecurity.blogspot.com/2009/02/security-in-our-heads.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-9207099582980328437</guid><pubDate>Mon, 09 Feb 2009 18:47:00 +0000</pubDate><atom:updated>2009-02-09T13:49:28.858-05:00</atom:updated><title>The condition of our medical care</title><description> &lt;p&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;My background is in Healthcare. I started as a net admin for a hospital and went on to be a security admin for a hospital. I am always thinking about the care and security of our health systems. I recently encountered a major flaw in our health care system. One that struck me personally because it not only impacted my care but also because I could see the security parallel. 
In security we are concerned about access to the data. Data loss prevention has become a big topic and when I talk to people that are focusing on this topic they not only are worried about data leaving the network but also about losing access to data or losing data altogether. In my recent experience with my healthcare providers, my insurance company forced me to a specialist 2 hours north of where I lived; I live in a rural state. Normally this would not be a big deal, but I work in the opposite direction by an hour and a half. Not only is this a day off from work, but it limits my access to my healthcare provider and to my healthcare information. It limits the access of healthcare information held by this specialist by my other providers and generally makes this a loss of care and services. While it did provide me access to a higher level of expertise for that particular service, by preventing me from going to the specialist closer to my home I lost the quality of care provided by the continuity of care and information flow. When it comes to our data we always need to authenticate who has control over the information. Why do we not do this with our health care systems? We are too willing to let the Insurance providers dictate who has that control. HIPAA states that it is our information that we own and control, and yet we still seem to let this information be managed by other people. I challenge the healthcare industry to give control back to the patients. I challenge the insurance industry to redesign their models for business. 
I know it will never happen but I still throw out the challenge.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/condition-of-our-medical-care.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-7893578496057866214</guid><pubDate>Fri, 06 Feb 2009 18:44:00 +0000</pubDate><atom:updated>2009-02-06T13:46:14.251-05:00</atom:updated><title></title><description> &lt;br&gt;&lt;font size=3 face=&quot;Times New Roman&quot;&gt;When there is a power event in a region that affects a data center what does that mean to a security operations team? I have known teams that walk a facility to ensure that every system is performing as intended, backups are secure, and that no physical breach has occurred. I also have known a team that cheered hoping to go home and walked out of the SOC to go get a cup of coffee with no regard as to whether systems were on line. So what is the right response? Is it a question of scale? Is a power event an issue for the networking and facilities group in a large organization and not something for security operations to worry about while in a smaller organization it is key for security to be a part of the triage of a power event? These are decisions that need to be answered in the security response plan for any organization.&lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=3 face=&quot;Times New Roman&quot;&gt;A power event impacts data handling in any organization and while it may be the responsibility of a system owner to ensure their system is up and running, it is the responsibility of security operations to ensure the integrity and security of the data. A system owner may not have the tools, knowledge or faculties to attest to whether a sneaker attack or some other malicious event took place at the time of the power event. 
Their concern is whether their system is on line, which may simply involve a remote ping. They may not even notice an IP spoof or the drop of a couple of packets from their host at the time of the event. A power event also provides opportunity for data to walk without notice. System owners will not notice tapes or thumb drives missing which might have caused an alert at other times.&lt;/font&gt; &lt;br&gt; &lt;br&gt;&lt;font size=3 face=&quot;Times New Roman&quot;&gt;Security Operations for any organization need to have a plan for managing events like these and for holding departments or individuals accountable during a power event or other interruption to normal operation. How does your organization manage these types of events?&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/02/when-there-is-power-event-in-region.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-603032637021227752</guid><pubDate>Tue, 03 Feb 2009 13:48:00 +0000</pubDate><atom:updated>2009-02-03T09:25:43.588-05:00</atom:updated><title>Challenge - paperless</title><description>I saw a version of this the other day and it intrigued me. I am working toward this and I encourage others to try it as well. This has environmental, psychological, and security benefits all wrapped up in one little package.&lt;br /&gt;&lt;br /&gt;Step one: get yourself a small, portable scanner. You will need it.&lt;br /&gt;Step two: compile all of the loose paper around your desk, office, life and scan it into organized locations on your computer.&lt;br /&gt;&lt;br /&gt;Step three: organize your computer to contain and manage all of your digital life. Plan on that digital information growing exponentially as you remove paper from your life. 
Include a method to back up and restore data from your systems as needed and be sure to scale this system to the appropriate level in your life. If you need to include office and home, do this. If you need to include family or business partners in your network, do this. What you include in your digital life should include whatever and whomever you interact with on a daily basis.&lt;br /&gt;&lt;br /&gt;Step four: organize portability with your life so that you do not need to take paper with you to all of your meetings but you can easily connect dates and notes from meetings and conversations back to your computer. If that can be done with a Blackberry or some other mobile device, great; if you need a laptop or netbook, get one. If you do have information on paper be sure to scan that into your computer promptly.&lt;br /&gt;&lt;br /&gt;Step five: subscribe to online versions of all of those magazines you get. If you can not get one and you do not read them, get rid of them. If you do read them, pass them along when you are done with them. Make digital notes of the stuff you need and then get rid of the rest. Don’t keep them sitting around for weeks, months and years at a time.&lt;br /&gt;&lt;br /&gt;Step six: Get rid of post-it notes and scraps of paper. I saw a person use a digital picture frame for their reminders the other day. They had things they had to remember and instead of putting up a scrap of paper on the side of their cubicle they added a jpg to their scrolling picture album. Outlook has to-do lists and you can get note pads for most computers and PDAs now. Keep a text document open to scratch down thoughts or paint to draw a quick picture.&lt;br /&gt;&lt;br /&gt;Spend six months working really hard at this before you give up. Some things that help are having either dual monitors or two systems, perhaps a Linux and a Windows system. Or if you have a PDA with Wi-Fi, keep it handy so you can use it as a web look up tool or a notepad if your PC is getting busy. 
Keep a folder to keep your paper documents in. Don’t let yourself get more paper than you can keep in one folder. If someone gives you a document, ask them to email it to you or give it to you on a thumb drive. &lt;br /&gt;&lt;br /&gt;Good luck. I have been able to do this at work for about a month but have not been able to incorporate this at home yet. Still working on it.</description><link>http://headwallsecurity.blogspot.com/2009/02/challenge-paperless.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-5882588601953920331</guid><pubDate>Thu, 29 Jan 2009 16:47:00 +0000</pubDate><atom:updated>2009-01-29T11:55:35.163-05:00</atom:updated><title></title><description>&lt;span style=&quot;font-weight: bold;font-size:100%;&quot; &gt;&lt;br /&gt;&lt;/span&gt; &lt;p style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-family: arial; font-weight: bold;font-family:sans-serif;font-size:100%;&quot;  &gt;Found this on a Google search the other day. 
&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style=&quot;text-align: center;&quot;&gt;&lt;br /&gt;&lt;img src=&quot;file:///C:/DOCUME%7E1/iburke1/LOCALS%7E1/Temp/moz-screenshot.jpg&quot; alt=&quot;&quot; /&gt;&lt;img src=&quot;file:///C:/DOCUME%7E1/iburke1/LOCALS%7E1/Temp/moz-screenshot-1.jpg&quot; alt=&quot;&quot; /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiB5_LfV9f0aJeqDYXITkbFnrPL2HBHKgsmQhKAlFb2i36USvmjezc9_9tCs1nKODQy6UJ-IxFI1NGuFB9XsosmwzLXks3m2dLdOOqEfOzZ7fZVTlLJQ8CgxhqFKFjEwuNvRpMUuoL0yY/s1600-h/memoryleak.JPG&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 232px; height: 78px;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiB5_LfV9f0aJeqDYXITkbFnrPL2HBHKgsmQhKAlFb2i36USvmjezc9_9tCs1nKODQy6UJ-IxFI1NGuFB9XsosmwzLXks3m2dLdOOqEfOzZ7fZVTlLJQ8CgxhqFKFjEwuNvRpMUuoL0yY/s320/memoryleak.JPG&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5296759880677341858&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-family:sans-serif;font-size:85%;&quot;&gt;Always love places that are eager to sell vulnerabilities. I wonder what else they sell? 
I could use a good worm or phishing pole&lt;/span&gt;&lt;/p&gt;</description><link>http://headwallsecurity.blogspot.com/2009/01/found-this-on-google-search-other-day.html</link><author>noreply@blogger.com (Ian Burke)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiB5_LfV9f0aJeqDYXITkbFnrPL2HBHKgsmQhKAlFb2i36USvmjezc9_9tCs1nKODQy6UJ-IxFI1NGuFB9XsosmwzLXks3m2dLdOOqEfOzZ7fZVTlLJQ8CgxhqFKFjEwuNvRpMUuoL0yY/s72-c/memoryleak.JPG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6204089921661674869</guid><pubDate>Tue, 27 Jan 2009 20:20:00 +0000</pubDate><atom:updated>2009-01-27T15:21:24.856-05:00</atom:updated><title></title><description> &lt;p&gt;&lt;font size=2&gt;When you boil it down there is a simplicity to it all. It is like the natural systems that make up the world around us. Like an animal that develops a bad infection: viruses and other parasites infest the animal and slowly the animal dies. When its immune systems are strong it might be able to fight off the infestation and again become healthy. Our computer systems are very simple. They too develop infections, vulnerabilities that become subject to viruses and other parasites. Worms, Trojans and other infestations are slammed into our systems; into every vulnerability that they might have. When their immune systems are strong they have a reasonable chance at fighting off the illness of the day. Firewalls keep out the blatant attack. IPS and IDS systems help to stop and immunize against the more aggressive vulnerabilities. Vulnerability assessment solutions are like physicals for your systems helping to patch and secure the weaknesses in the defenses of your network. Then, on the inside, we watch. Like the dutiful parents we are, we read our logs, watch our network traffic, and educate our users. 
We maintain our HIDS and Anti-virus; all making sure that everything stays healthy and quiet; ready when the cold breaks out. It is simple, when all the systems work.&lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2&gt;So why is it so hard? Yes, users sneeze, bringing viruses in behind the defenses. But we watch the inside and should spot that. Yes, we have millions of attacks a day. But our defenses are strong. Yes there are regulations managing every aspect of everything we do. But if everything is managed properly the regulations should be easily in compliance. Yes the networks are large and complicated and managing all of the systems is a daunting task. But if you scale your defenses accordingly you should be able to manage the task. The problem is all of it. It is scaled complexity that everyone tries to manage. What is that rule, &amp;quot;KISS&amp;quot;? That is right, keep it simple, stupid. Don&#39;t over complicate it. Stick to single solutions and best of breed. When a solution does not work, replace it. Do not phase out, replace. When you phase a solution out you will never get rid of it and you will end up managing multiple solutions adding to complexity and making the task more complicated weakening your defense. Use best of breed. That does not mean the most expensive and that does not mean that the best is the same for every company. Cisco may be the best IPS for one company but another company may be better off with a Sourcefire solution in their environment. Best of breed means do the homework and find the solution that works best for your environment and your level of expertise. Ask for help. Not every company has a large SOC and a large Security staff. Not every company has all of what they need all of the time. Contract out, hire professional services, and hire additional staff when needed. Finally, have a short term and a long term plan for development and health. 
You need both plans: one to eventually have full coverage of all components of a security plan and one to keep your security plan healthy.&lt;/font&gt; &lt;p&gt; &lt;p&gt;&lt;font size=2&gt;Remember it is simple. That is why we all get the common cold every year. &lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/01/when-you-boil-it-down-there-is.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-6809410358494766516</guid><pubDate>Mon, 26 Jan 2009 19:51:00 +0000</pubDate><atom:updated>2009-01-26T14:52:16.300-05:00</atom:updated><title></title><description> &lt;br&gt;&lt;font size=2 face=&quot;sans-serif&quot;&gt;Too much techno geek in a security team can make the focus get away from the reality of what is really happening in the threat arena. Security is so much more than just cyber attack! Most threats are done by real people that know the technology and can think outside of the box.&lt;/font&gt;</description><link>http://headwallsecurity.blogspot.com/2009/01/to-much-techno-geek-in-security-team.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4443863988149595774.post-309675573580765566</guid><pubDate>Mon, 26 Jan 2009 19:35:00 +0000</pubDate><atom:updated>2009-01-26T14:39:43.407-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">info</category><title>A New Day</title><description>It is a new day and a new way to approach security. With intel coming from all angles of the world and not just the high end security equipment but from every corner and every user available. Tools like blogs, micro-blogs, search engines, and the news are now becoming valuable tools for the SOC just like the SIEM and Firewall. 
Any type of knowledge, from any corner, aids in preventing the next breach.</description><link>http://headwallsecurity.blogspot.com/2009/01/new-day.html</link><author>noreply@blogger.com (Ian Burke)</author><thr:total>0</thr:total></item></channel></rss>