<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>The Security Catalyst</title>
	
	<link>http://www.securitycatalyst.com</link>
	<description>changing the way people protect information</description>
	<lastBuildDate>Tue, 10 Nov 2009 11:00:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<!-- podcast_generator="Blubrry PowerPress/1.0.3" mode="advanced" entry="normal" -->
	<itunes:summary>Michael Santarcangelo is a human catalyst*. As an expert who speaks on information protection -- including compliance, privacy and awareness -- Michael energizes and inspires his audiences to change how they protect information. His passion and approach gets results that change behaviors. As a full member of the National Speakers Association, Michael is known for delivering substantial content in a way that is energetic and entertaining. Michael connects with those he works with, and helps them engage in natural and comfortable ways - he literally makes security relevant and simple to understand!</itunes:summary>
	<itunes:author>Michael J. Santarcangelo, II</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png" />
	
	<managingEditor>michael@securitycatalyst.com (Michael Santarcangelo | The Security Catalyst)</managingEditor>
	<copyright>Copyright 2006-2008. The Security Catalyst. All Rights Reserved.</copyright>
	<itunes:subtitle>changing the way people protect information</itunes:subtitle>
	<itunes:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</itunes:keywords>
	<image>
		<title>The Security Catalyst</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
	
	
	
		<media:copyright>Copyright 2006-2008. The Security Catalyst. All Rights Reserved.</media:copyright><media:thumbnail url="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png" /><media:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Business/Management &amp; Marketing</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Education/Training</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">News &amp; Politics</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Society &amp; Culture</media:category><itunes:owner><itunes:email>securitycatalyst@gmail.com</itunes:email><itunes:name>Michael J. Santarcangelo, II</itunes:name></itunes:owner><itunes:category text="Technology" /><itunes:category text="Business"><itunes:category text="Management &amp; Marketing" /></itunes:category><itunes:category text="Education"><itunes:category text="Training" /></itunes:category><itunes:category text="News &amp; Politics" /><itunes:category text="Society &amp; Culture" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://wwww.securitycatalyst.com/feed/" type="application/rss+xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.bloglines.com/sub/http://wwww.securitycatalyst.com/feed/" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://odeo.com/listen/subscribe?feed=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://odeo.com/img/badge-channel-black.gif">Subscribe with ODEO</feedburner:feedFlare><feedburner:feedFlare href="http://www.podnova.com/add.srf?url=http%3A%2F%2Fwwww.securitycatalyst.com%2Ffeed%2F" src="http://www.podnova.com/img_chicklet_podnova.gif">Subscribe with Podnova</feedburner:feedFlare><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Firefox Patch Tuesday</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/69T6_Sz3bq0/</link>
		<comments>http://www.securitycatalyst.com/firefox-patch-tuesday/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 11:00:00 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2438</guid>
		<description><![CDATA[by Carl Anctil
Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a rel="attachment wp-att-2440" href="http://www.securitycatalyst.com/firefox-patch-tuesday/praying/"><img class="alignright size-medium wp-image-2440" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/praying-200x300.jpg" alt="praying" width="200" height="300" /></a></strong>by Carl Anctil</p>
<p><strong>Background:</strong><br />
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft&#8217;s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.</p>
<p><strong>Situation:</strong><br />
The browser is rapidly becoming the &#8220;new&#8221; OS, and add-ons are the &#8220;new&#8221; applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.</p>
<p>If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It&#8217;s essentially the new OS. It isn&#8217;t a coincidence that Google&#8217;s new OS is called Chrome OS. Or is it? Can anyone say: &#8220;Firefox patch Tuesday&#8221;? I think we may have witnessed the first Firefox patch push.</p>
<p>When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). These two distinct actions are similar because the results are the same; they both prevent, fix, or block a vulnerability from being exploited. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.</p>
<p>What&#8217;s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It&#8217;s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.</p>
<p>We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.</p>
<p><strong>Conclusion:</strong><br />
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=69T6_Sz3bq0:DbRaIVw5LqE:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=69T6_Sz3bq0:DbRaIVw5LqE:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=69T6_Sz3bq0:DbRaIVw5LqE:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=69T6_Sz3bq0:DbRaIVw5LqE:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/69T6_Sz3bq0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/firefox-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/firefox-patch-tuesday/</feedburner:origLink></item>
		<item>
		<title>FTC Says Bloggers Must Disclose Freebies</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/i_HCOmNREu0/</link>
		<comments>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 11:00:11 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2391</guid>
		<description><![CDATA[by Aaron Titus
The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg"><img class="alignright size-full wp-image-2393" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg" alt="A Closer Look at the Money" width="300" height="201" /></a>by Aaron Titus</p>
<p>The FTC recently announced <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">new guidelines</a> requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/guides/endorse.htm"><em>Guides Concerning the Use of Endorsements and Testimonials in Advertising</em></a> in 29 years. The rules go into effect on December 1, 2009.</p>
<p><span id="more-2391"></span>The FTC <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">press release</a> emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for… failure to disclose material connections between [them].&#8221;  Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner.  Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.</p>
<p>Here&#8217;s the bottom line: <strong>Bloggers</strong>– Clearly disclose whether you received payment or a free product when giving endorsements. <strong>Advertisers</strong>– Make sure social media marketing plans require your ad agencies and paid bloggers  to disclose whether an endorsement is paid.</p>
<p>But bloggers shouldn&#8217;t worry too much.  Simply saying something good about a product is not enough to break the new rules.  Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser.  This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement.  When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.</p>
<p>Simply blogging about a free sample will not break the FTC rules.  For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser.  In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.</p>
<p>The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers.  This creates interesting challenges for advertisers, many of whom are already reeling from social media overload.  Purely consumer-generated reviews will not create liability for advertisers.  However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.</p>
<p>In addition, simply using an ad agency doesn&#8217;t break the chain of liability.  Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift.  Advertisers should remember that <em>paid bloggers can now incur liability on advertisers</em>, and in this sense, they should treat paid bloggers just like any other employee or company agent.</p>
<p>Tips for Advertisers:</p>
<ol>
<li><strong>Tell Your Bloggers</strong>:  Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products.</li>
<li><strong>Watch Your Bloggers</strong>: Advertisers will be liable for misleading statements from paid bloggers.  However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221;</li>
<li><strong>Tell Your Advertising Agency</strong>:  In your advertising agency contract, require them to insist that bloggers disclose gifts.</li>
<li><strong>Ask for Indemnity</strong>: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.</li>
</ol>
<p>Tips for Advertising Agencies (especially Social Media):</p>
<ol>
<li><strong>Market Your Knowledge</strong>: Advertisers will appreciate that you know about this new regulation.  Let advertisers know that your knowledge puts you in a position to decrease their liability.</li>
<li><strong>Tell Your Bloggers</strong>: See above.</li>
<li><strong>Watch Your Bloggers</strong>: See above.</li>
</ol>
<p>Tips for Bloggers:</p>
<ol>
<li><strong>Be Clear</strong>: If you got paid, or if you got a free product, disclose it up front.  There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality).</li>
<li><strong>Be Conspicuous</strong>: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article.  While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.</li>
<li><strong>Don&#8217;t Worry Too Much</strong>: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review.  As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law).  Now you just have to disclose whether you got paid for your opinion.</li>
</ol>
<p>It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet.  May I be the first to suggest, &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;</p>
<p><em>Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</em></p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=i_HCOmNREu0:eQOOSQHq1pQ:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=i_HCOmNREu0:eQOOSQHq1pQ:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=i_HCOmNREu0:eQOOSQHq1pQ:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=i_HCOmNREu0:eQOOSQHq1pQ:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/i_HCOmNREu0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/v9ptnhSx9F0/091005endorsementguidesfnnotice.pdf" fileSize="385762" type="application/pdf" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>changing the way people protect information</itunes:subtitle><itunes:author>Michael J. Santarcangelo, II</itunes:author><itunes:summary>Michael J. Santarcangelo, II is a human catalyst. An expert who speaks on information protection – including compliance, privacy and awareness – Michael energizes and inspires his audiences to change the way they protect information. His passion and approach gets results that change behaviors. As the voice of optimism in an industry of doomsayers, Michael has recently completed his first book, Into the Breach (www.intothebreach.com), which provides the wisdom and answers executives need to defend their organization against breaches while discovering how to increase revenue, protect the bottom line and efficiently manage people, information and risk. In this podcast series, Michael shares ideas, research and strategies for your success. </itunes:summary><itunes:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</itunes:keywords><feedburner:origLink>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/v9ptnhSx9F0/091005endorsementguidesfnnotice.pdf" length="385762" type="application/pdf" /><feedburner:origEnclosureLink>http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf</feedburner:origEnclosureLink></item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 4 (The Solution: Manage People, Information and Risk)</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/rNdQkTKFnYc/</link>
		<comments>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-4-the-solution-manage-people-information-and-risk/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 11:36:26 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News and Events]]></category>
		<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2456</guid>
		<description><![CDATA[Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, [...]]]></description>
			<content:encoded><![CDATA[<h3>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk)</h3>
<p>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/innovation/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/buy-into-the-breach/">(Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy</a>. This series, underwritten by <a href="http://www.configuresoft.com/securitycatalyst.aspx">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this episode (Chapter 4)</h3>
<p>Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk – and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier.</p>
<h3>Go deeper <em>Into the Breach</em> with Michael Santarcangelo in November with EMC</h3>
<p>In November, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains why the current practices are essentially “risk reaction” and explains how he helps companies get results that harness the power of their people to inform and improve the risk management process.</p>
<p>This also sets the stage for the next part of the book, as Michael explains more about how to leverage his research and experience to get real results and prepare for a successful 2010. If you have a question about how to leverage the power of Into the Breach for your organization, <a href="http://www.securitycatalyst.com/contact/" target="_blank">please contact Michael</a> to get the insights and guidance for success!</p>
<p>Go to <a href="http://www.configuresoft.com/securitycatalyst">www.configuresoft.com/securitycatalyst</a> today to <strong>register now</strong> and listen to the recorded sessions from before and get access to the November session.</p>
<h3>You want more, so after listening…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engaging (not following) Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribing to The Security Catalyst podcast &amp; blog to get more insights</li>
<li><a href="http://www.securitycatalyst.com/education/keynotes/" target="_blank">Learn more about Michael’s keynotes</a> – and <a href="http://www.securitycatalyst.com/education/keynotes/" target="_blank">hire Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk</a>!</li>
</ol>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=rNdQkTKFnYc:5GkqqUYt94Y:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=rNdQkTKFnYc:5GkqqUYt94Y:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=rNdQkTKFnYc:5GkqqUYt94Y:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=rNdQkTKFnYc:5GkqqUYt94Y:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/rNdQkTKFnYc" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-4-the-solution-manage-people-information-and-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>

			<itunes:subtitle>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series.</itunes:subtitle>
		<itunes:summary>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What youâll find in this episode (Chapter 4)
Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk — and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier.
Go deeper Into the Breach with Michael Santarcangelo in November with EMC
In November, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains why the current practices are essentially “risk reaction” and explains how he helps companies get results that harness the power of their people to inform and improve the risk management process.

This also sets the stage for the next part of the book, as Michael explains more about how to leverage his research and experience to get real results and prepare for a successful 2010. If you have a question about how to leverage the power of Into the Breach for your organization, please contact Michael to get the insights and guidance for success!

Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get access to the November session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
	Subscribing to The Security Catalyst podcast &amp; blog to get more insights
	Learn more about Michaelâs keynotes â and hire Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!
</itunes:summary>
		<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
		<itunes:explicit>clean</itunes:explicit>
	<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/Ax0X5nctsfY/ITB-Santarcangelo-CHAPTER-4.mp3" fileSize="15104214" type="audio/mpeg" /><itunes:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</itunes:keywords><feedburner:origLink>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-4-the-solution-manage-people-information-and-risk/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/Ax0X5nctsfY/ITB-Santarcangelo-CHAPTER-4.mp3" length="15104214" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-4.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Securing the Toughest Times</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/QGa5MTDwbW4/</link>
		<comments>http://www.securitycatalyst.com/securing-the-toughest-times/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 11:07:55 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1918</guid>
		<description><![CDATA[by Ron Woerner
Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to [...]]]></description>
			<content:encoded><![CDATA[<p>by Ron Woerner<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg"><img class="alignright size-full wp-image-2453" title="59962_the_axe" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg" alt="59962_the_axe" width="300" height="233" /></a></p>
<p>Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization&#8217;s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.</p>
<p>The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.</p>
<p>You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]</p>
<p><strong>Before the announcement</strong></p>
<p>Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.</p>
<p>Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.</p>
<p>Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.</p>
<p>Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.</p>
<p>As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren&#8217;t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.</p>
<p><strong>During the announcement</strong></p>
<p>With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn&#8217;t kept complete documentation of each worker&#8217;s individual access rights, passwords, user names, and security cards.</p>
<p>Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.</p>
<p>Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.</p>
<p>Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.</p>
<p>Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.</p>
<p>Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.</p>
<p><strong>After the separations</strong></p>
<p>While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.</p>
<p>One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.</p>
<p>The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.</p>
<p>Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.</p>
<p>Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.</p>
<p><strong>Conclusion</strong></p>
<p>Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.</p>
<p>Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.</p>
<p><strong>Checklist of Security Items to Consider with Lay-Offs</strong></p>
<p><em>Before</em><br />
Planning / Establish processes<br />
Disabling access<br />
Communications<br />
Establish trusted contacts<br />
HR<br />
Legal<br />
Security<br />
Management<br />
Identify single points of (security) failure<br />
Employees who pose a danger (to themselves or others)<br />
Administrators<br />
Associates with access to sensitive or confidential data<br />
Identify risks<br />
Intellectual property<br />
Confidential data<br />
Property</p>
<p><em>During</em><br />
Disable regular individual access<br />
Logical<br />
Physical<br />
Phone<br />
Email<br />
Remove access to shared accounts<br />
Administrator accounts<br />
Service accounts<br />
Other shared passwords<br />
Asset retrieval<br />
Computers (laptops)<br />
USB drives<br />
2 Factor authentication<br />
Cell phones / PDAs / pagers<br />
Paper documents<br />
Enhance monitoring<br />
IDS/IPS<br />
Logs<br />
Physical surveillance</p>
<p><em>After</em><br />
Continued vigilance<br />
Review of assets “left behind”<br />
Online documents, files, and shared storage<br />
eMail<br />
Papers<br />
Check for backdoors, Trojan horses, logic bombs<br />
Unix<br />
Windows<br />
Databases<br />
Network devices<br />
Lessons learned<br />
What went right?<br />
What could be done better?<br />
Process improvements</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/QGa5MTDwbW4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/securing-the-toughest-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/securing-the-toughest-times/</feedburner:origLink></item>
		<item>
		<title>Have a workable plan, or else…</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/YqPuXyyHrlg/</link>
		<comments>http://www.securitycatalyst.com/have-a-workable-plan-or-else/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 11:04:49 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2168</guid>
		<description><![CDATA[by Martin Fisher
As we continue to discuss the  Basic Truths of Incident Response Leadership, we&#8217;ve briefly gone over  the three Basic Truths as well as done a deeper analysis of  “Succeeding  By Planning to Fail”. This brings us to:
Basic Truth #2: Have A Workable  Plan, or Else
As an Incident Response Leader, [...]]]></description>
			<content:encoded><![CDATA[<p>by Martin Fisher<span style="font-family: Times New Roman; font-size: small;"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1072216_engineering_plans_1.jpg"><img class="alignright size-full wp-image-2447" title="1072216_engineering_plans_1" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1072216_engineering_plans_1.jpg" alt="1072216_engineering_plans_1" width="300" height="225" /></a></span></p>
<p>As we continue to discuss the  Basic Truths of Incident Response Leadership, we&#8217;ve briefly gone over  the three Basic Truths as well as done a deeper analysis of  “Succeeding  By Planning to Fail”. This brings us to:</p>
<p>Basic Truth #2: Have A Workable  Plan, or Else</p>
<p>As an Incident Response Leader,  one of the most valuable parts of your role is to create, test, exercise,  and (when called upon) execute Incident Response Plans (IRPs).   IRPs run the gamut from a Post-It note on the wall listing contact phone  numbers, to plans that take up several 3-ring binders on a shelf somewhere.   Plans can be long or short, detailed or vague, paper or electronic,  automated or manual&#8230;you get the picture.  What makes a good plan  different from a not-so-good plan can be summed up in a few ways.</p>
<p>First, can you execute the  plan using only the resources that you legitimately would have access  to during the incident?  We&#8217;ve all seen plans that call for using  network analyzers that aren&#8217;t accessible to the organization or that call  for numbers of personnel that just don&#8217;t exist.  You may have written  plans that assume that the responding team has skills and experience  that your current team just doesn&#8217;t have (I have).  The key  is to map out the current skills and capabilities of your team and employ them  as best you can to meet the anticipated incident.</p>
<p>As you identify resources available  to you, it pays to be creative.  Can other teams identify folks  who could temporarily be available during an incident (think of it as an in-house  “volunteer fire department”)?  Do you have relationships with  designated outside incident response consultants? Do you have relationships  with local, state, or federal law enforcement?  In today&#8217;s business  environment, Incident Response Leaders need to be creative in identifying  resources that can assist during a response cycle.</p>
<p>Second, you have to test the  plan.  This sounds so intuitive, but many plans never get past the  written-down stage before they are needed in an incident, because no  leader stepped in to ensure that the plan would work as designed.   One of the most effective testing plans for an IRP is also the least  expensive – the simple “Talk Through”, where all of the designated  players sit at a conference table (pizza is optional, but highly recommended)  and talk through the plan, noting any foreseen problems or issues.   The team needs to be encouraged to not only point out potential problems,  but brainstorm solutions they can implement as-is since (as we talked  about in Basic Truth #1) you can only plan on the resources you have,  not the resources you want to have.</p>
<p>Plan testing needs to be redone  each and every time the plan is modified, or at some regular interval  (at least annually).  Testing can be announced or (my personal  favorite) unannounced.  The time spent testing can help the  Incident Response Leader assess not only the plan, but the team assigned  to execute it.  The feedback loop should encompass applications,  hardware, processes and procedures, as well as people.  Everything  is fair game.</p>
<p>Lastly, you need to continually  exercise your plan.  This, while not as intuitive as testing,  is something that many organizations fail to do, claiming “it&#8217;s too  hard” or “it&#8217;s too disruptive” or “it&#8217;s already been  tested, why should I do an exercise?”  Having performed incident  response on plans that have been exercised and plans that have  not, I can tell you with complete assurance that plans that have been  exercised are executed more smoothly, with fewer problems and a better  resolution.</p>
<p>Exercises can range from a talk-through (similar to testing but without the constant feedback loop) to a full-on exercise using live equipment.  Talk-through exercises can help in quickly familiarizing a team with a new (or newly updated) plan.  Talk-through work will also quickly point out assumptions that, while seemingly accurate in testing, don&#8217;t fit the way the incident response team works.  All other things being equal, I believe that talk-through exercises offer the highest return for time spent in any aspect of prepping for an incident.</p>
<p>Full-on exercises, as powerful  and complete as they are, can be very hard to accomplish.  Most  organizations cannot fully replicate their production systems (even  using virtual machines).  These exercises, when they can be done  at all, are usually done in development or test environments and generate  most of their value by allowing teams to actually assess and interpret  adversary actions and data.  These exercises are an Incident Response  Leader&#8217;s best chance to simulate the stress and activity of a  real incident.</p>
<p>Taking all of this into account,  it&#8217;s clear that the Incident Response Leader must be able to create,  test, and exercise an IRP to be able to effectively respond during the  inevitable incident.  By creating plans designed around available  resources, qualifying the plans with testing, and regularly exercising  the plan, you can ensure that you and your organization will be ready  when the inevitable incident occurs.</p>
<p>But it&#8217;s not over yet.  Once you&#8217;ve gotten this far you still have one vital task to accomplish.   We&#8217;ll cover that in the last article on the Basic Truths of Incident  Response Leadership.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/YqPuXyyHrlg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/have-a-workable-plan-or-else/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/have-a-workable-plan-or-else/</feedburner:origLink></item>
		<item>
		<title>Playing games</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/AGfy-N6ezzc/</link>
		<comments>http://www.securitycatalyst.com/playing-games/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 11:00:54 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2386</guid>
		<description><![CDATA[
by Jeff Kirsch
Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I&#8217;ve played chess on and off for at [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1209957_chess.jpg"><img class="size-full wp-image-2432 alignright" title="1209957_chess" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1209957_chess.jpg" alt="1209957_chess" width="300" height="187" /></a></p>
<p>by Jeff Kirsch</p>
<p>Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I&#8217;ve played chess on and off for at least 20 years, but I&#8217;ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.</p>
<p>He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.</p>
<p>I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn&#8217;t start with very much instruction, because I knew that the best instruction comes when you are &#8220;deep in the weeds&#8221;, so to speak. I took a few of his pieces, and the teaching began.</p>
<p>For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the game. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. &#8220;That was fun, Daddy,&#8221; he said as I squeezed him tight. &#8220;I can&#8217;t wait to play again.&#8221; That is when two thoughts struck me, which I shared with him, and which I&#8217;ll share with you now.</p>
<p><strong>In losing, you win</strong></p>
<p>We hear all the time that most successful people failed, sometimes more than once, before being successful. Even after those people &#8220;made it&#8221;, they still face bumps in the road. What came out of my mouth first to my son was, &#8220;In losing, you win.&#8221; I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn&#8217;t just talking about the game, I was talking about life and all the challenges we face.</p>
<p>In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.</p>
<p><strong>A plan is good, but plan flexibly</strong></p>
<p>My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn&#8217;t take into account was that I would have a turn, and that I could attack his defense &#8211; thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what <em>I</em> was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.</p>
<p>Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents&#8217; weaknesses.</p>
<p>In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that &#8220;losing&#8221; really isn&#8217;t losing. But just as in chess, you&#8217;ll encounter people who don&#8217;t get what you do or why it is important. Instead of discounting them, find a way to convey what it is and why they should care. You aren&#8217;t going to convince everyone and it won&#8217;t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/AGfy-N6ezzc" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/playing-games/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/playing-games/</feedburner:origLink></item>
		<item>
		<title>You are looking for a job. I am looking for (the real) you.</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/GOwVWJqNa-k/</link>
		<comments>http://www.securitycatalyst.com/you-are-looking-for-a-job-i-am-looking-for-the-real-you/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 11:00:34 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2409</guid>
		<description><![CDATA[
by Wim Remes
Job interviews aren&#8217;t the core of my existence. If I&#8217;m going to be completely honest, I&#8217;d have to say I would love for someone else to conduct them instead.  But, like most of the things I do, I want to do it to the best of my ability. It&#8217;s difficult.  The best-case scenario [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/willwork4.jpg"><img class="alignright size-full wp-image-2422" title="willwork4" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/willwork4.jpg" alt="willwork4" width="251" height="195" /></a></p>
<p>by Wim Remes</p>
<p>Job interviews aren&#8217;t the core of my existence. If I&#8217;m going to be completely honest, I&#8217;d have to say I would love for someone else to conduct them instead.  But, like most of the things I do, I want to do it to the best of my ability. It&#8217;s difficult.  The best-case scenario is that we get locked in a room for 60 minutes. In that brief timeframe, I have to verify that your technical skills match the profile I&#8217;m looking for and that your personality is a good fit for our &#8216;culture&#8217;.  In that same timeframe YOU need to assess whether this is the job you&#8217;re looking for and whether this is an environment you can thrive in.  It is NOT easy!</p>
<p>First, let me set things straight.  If we are sitting face to face, I have read your resume. You can call it laziness, but I&#8217;m already assuming that you KNOW what you have put on there. I may throw you some fish to assess your technical knowledge, but these rarely influence the image I have of you.  Surprised? You shouldn&#8217;t be.  There is no way I will be able to see if you have earned every single certification you mentioned on your resume by studying books or by experience.  It may even be that I don&#8217;t have a clue what half of those TLAs mean. I&#8217;m sorry.</p>
<p>Then, where&#8217;s the beef? How can I really know whether you are the guy or gal I&#8217;m looking for? Here are three questions I ask that give me a pretty good idea about you, the person I&#8217;m looking to have join the team. Because in the end it is all about you, as a person, adding value and allowing us to grow together.</p>
<p><strong>What is the project or achievement you are most proud of?</strong></p>
<p>On several occasions, I&#8217;ve thought about abandoning this question because you can&#8217;t imagine the number of people that just sit there with a blank stare on their face.  I can&#8217;t eliminate it because your answer tells me so much about your passion for what you are doing or, even more, your passion for life.  The catch is that, with this question, I don&#8217;t require you to answer with something work-related.  Your work helping out at the local homeless shelter, your world trip after you graduated, or something you did at your kids&#8217; school all fit the bill.  However, if you can&#8217;t come up with even one thing you are proud of, things start to look grim.  But you still have a chance.</p>
<p><strong>If I went out to have a drink with two of your best friends, what would they tell me about you?</strong></p>
<p>Don&#8217;t answer this with, &#8220;Nick is a cool guy,&#8221; &#8220;Frank can drink 10 beers in an hour and still drive home,&#8221; or &#8220;I don&#8217;t have friends.&#8221; I want you to tell me how you think other people perceive you, as a person.  Again, I frequently get lots of blank stares when I ask this question. The catch is that your answer tells me whether you are well-grounded and that you have a good perception of your strong and weak points and are not afraid to name them.</p>
<p><strong>What do you do in your free time?</strong></p>
<p>This isn&#8217;t a question I always ask, but it does come up &#8211; and most often in interviews that are information security-related.  Let me be clear: I don&#8217;t ask you to work evenings or weekends, and I don&#8217;t want your availability on a 24/7 on-call basis.  Rather, I want you to spend time with your family and friends to recharge the batteries for when you come to work.  So why this question? In my humble opinion you can only do this job with passion. The field of information security is so wide and so deep that there is very little chance that the paycheck will be enough to keep you motivated to stay on top of it. I want you to be 100% in love with what you are doing.</p>
<p>After those 60 minutes and these three questions, I will have a pretty good view of who you are and what you stand for.  For your part, I do expect you to ask questions about me, our projects, and the company.  I want you to engage in the conversation rather than just answer my questions.  That also gives me a lot of information.</p>
<p>Then again, I read somewhere that the best decisions are made in the first few seconds.  I might just as well have hired you after we shook hands and went to get our coffee 60 minutes ago.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/GOwVWJqNa-k" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/you-are-looking-for-a-job-i-am-looking-for-the-real-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/you-are-looking-for-a-job-i-am-looking-for-the-real-you/</feedburner:origLink></item>
		<item>
		<title>Social media versus your reputation</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/37EASBB6pWQ/</link>
		<comments>http://www.securitycatalyst.com/social-media-versus-your-reputation/#comments</comments>
		<pubDate>Thu, 15 Oct 2009 11:00:18 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2345</guid>
		<description><![CDATA[by Carl Anctil
I was reading an article last week about social media and thought it would be a good idea to share it. The article is Social networking 101: Facebook and your digital reputation from The National Post.
In my opinion, in terms of reputation, there seems to be very little concern in the general population [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2347" href="http://www.securitycatalyst.com/social-media-versus-your-reputation/gossip-girl-2/"><img class="alignright size-medium wp-image-2347" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/gossip-300x299.jpg" alt="gossip girl" width="300" height="299" /></a>by Carl Anctil</p>
<p>I was reading an article last week about social media and thought it would be a good idea to share it. The article is <a href="http://www.nationalpost.com/life/story.html?id=1993356" target="_blank">Social networking 101: Facebook and your digital reputation</a> from The National Post.</p>
<p>In my opinion, in terms of reputation, there seems to be very little concern in the general population regarding the use of social networking sites. Most people simply go ahead and post a considerable amount of detail about their lives without worrying about the possible consequences.</p>
<p>Over a period of time &#8211; a few days, weeks, or even months &#8211; it&#8217;s difficult for anyone to gain an accurate picture of what&#8217;s happening in a person&#8217;s life. All this personal information is just given away, without hesitation, for anyone to see, judge, or otherwise interpret as they see fit.</p>
<p>Social media is an<em> in the present</em> technology. That means it is all about <em>current events happening now</em>. People&#8217;s posts often reflect their emotion or mood at that specific moment in time. Most of the time, posts include pictures or video clips that may have current event <strong><em>context</em></strong> associated with them. However (and this is the problem), context usually doesn&#8217;t continue over time. Remember the pictures of your ex that you posted? I bet it seemed like a good idea at the time, but now you wish you could take them back. How can anyone expect to have control of past information, especially when the context has passed?</p>
<p>This brings up the <em><strong>others</strong></em> factor. This factor is just as important because we usually don&#8217;t have any control over the information that <em>others</em> post about us. What they say and how they describe us at that specific moment in time will probably change over time. Once again, this is the problem with <em>in the present</em> technologies. Social media is a great tool for the <em>present</em>&#8230; but lacks the context of the past. What happens to posts when the context associated with that information disappears? This is when problems usually occur.</p>
<p>So watch your privacy settings and be responsible about what you post. Your reputation tomorrow may depend on what you post today.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/37EASBB6pWQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/social-media-versus-your-reputation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/social-media-versus-your-reputation/</feedburner:origLink></item>
		<item>
		<title>Getting rid of your best people</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/7atRefb4IBQ/</link>
		<comments>http://www.securitycatalyst.com/getting-rid-of-your-best-people/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 12:29:23 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2361</guid>
		<description><![CDATA[by James Costello
A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of&#8230;
Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1176401_executioner.jpg"><img class="alignright size-full wp-image-2414" title="1176401_executioner" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1176401_executioner.jpg" alt="1176401_executioner" width="225" height="300" /></a>by James Costello</p>
<p>A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of&#8230;</p>
<p>Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years.  The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office.  This was reasonable, and most of the staff saw this as a good business move.  Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.</p>
<p>Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date.  The new seating chart was printed, offices were assigned, and additional requests were made.  Here is where we take a turn for the weird:</p>
<h3>Treating your people like they are worthless: Elimination of a position announced through the new seating chart.</h3>
<p>One of my friend&#8217;s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks.  Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la &#8220;Office Space&#8221;.  Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people&#8217;s  mouths.</p>
<h3>Generate a menial or pointless task.</h3>
<p>Actually, this one is a little worse than pointless; it is counterproductive.  Time tracking is a part of a lot of people&#8217;s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities.  This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1.  The company wanted real data for that entire time.  Do you remember how you spent your day in fifteen-minute increments 6 months ago? 6 weeks ago?  6 days ago?  As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy that would then be the basis of the next three years of projections.  They were told, effectively, not to worry about it and that the data analysis team would take care of it.  To me, dear reader, that is like saying, &#8220;Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.&#8221;  Yes, you will have a smaller set of data to work off of, but it will be more accurate, and your people will feel better about their work.</p>
<p>So what can you do to avoid putting yourself or your coworkers in such a situation &#8211; aside from not working where my friend works?  Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible.  If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say.  Don&#8217;t make decisions in a vacuum. If it impacts people, get their input.  Running a business depends on the people that work there; if they don&#8217;t feel valued, then the business won&#8217;t be valued.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/7atRefb4IBQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/getting-rid-of-your-best-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/getting-rid-of-your-best-people/</feedburner:origLink></item>
		<item>
		<title>“Civilian” Use of Malware Technology?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/udfQi9qnq48/</link>
		<comments>http://www.securitycatalyst.com/civilian-use-of-malware-technology/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 11:00:29 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2396</guid>
		<description><![CDATA[by Dennis Kuntz
The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particular can spur a ton of research.
Also quite often, the results [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Dennis Kuntz<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/techresearch.jpg"><img class="alignright size-full wp-image-2398" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/techresearch.jpg" alt="techresearch" width="424" height="283" /></a></strong></p>
<p>The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particular can spur a ton of research.</p>
<p>Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of <a href="http://www.pbs.org/transistor/background1/events/radar.html">radar</a>, <a href="http://www.centennialofflight.gov/essay/Evolution_of_Technology/jet_engines/Tech24.htm">jet engines</a>, <a href="http://www.britannica.com/EBchecked/topic/130429/computer/216041/Developments-during-World-War-II">computers</a>, <a href="http://www.ohiohistorycentral.org/entry.php?rec=2696">synthetic rubber</a> – the list goes on and on. It’s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.</p>
<p>Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn’t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.</p>
<p>This brings me to a question about malware. Malware is bad – hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.</p>
<p>This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the “mainstream civilian” computing world? And no, I don’t mean <a href="http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601">Sony’s rootkit</a>. I mean application of what has been learned – in obfuscation, more efficient coding techniques, remote distribution applications, etc. – in a way that is useful, but not necessarily matching its intended “wartime” purpose (you cannot make me say the “c&#8212;-war” word).</p>
<p>The closest thing I could find – yes, aside from Sony’s blunder – was a <a href="http://www.infoworld.com/d/security-central/microsoft-scrambles-quash-friendly-worm-story-514">paper by Microsoft researchers</a> discussing a “friendly worm” in terms of patch delivery. This is generalized by Bruce Schneier as “<a href="http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html">benevolent worms</a>”, which he calls a “stupid idea” – the core objection being that self-propagating code runs on systems without their owners’ consent, testing or control, whatever the intent of its payload.</p>
<p>Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you – what useful applications of what has been learned in the battle against malware are waiting to be used?</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/udfQi9qnq48" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/civilian-use-of-malware-technology/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/civilian-use-of-malware-technology/</feedburner:origLink></item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 3 (Breaking the Security Diet)</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/rk00UQ73WBQ/</link>
		<comments>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-3-breaking-the-security-diet/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 02:15:17 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News and Events]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[keynote speaker]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[santarcangelo]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2406</guid>
		<description><![CDATA[Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, [...]]]></description>
			<content:encoded><![CDATA[<h3>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet)</h3>
<p>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/innovation/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/buy-into-the-breach/">(Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy</a>. This series, underwritten by <a href="http://www.configuresoft.com/securitycatalyst.aspx">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this episode (Chapter 3)</h3>
<p><em>Breaking the security diet</em> is the recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the newest fad diet: <strong>encryption</strong> – a control that protects data only where it is actually deployed and, on its own, does nothing to change how people handle information. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.</p>
<h3>Go deeper <em>Into the Breach</em> with Michael Santarcangelo in October with EMC</h3>
<p>In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:</p>
<ul>
<li>Reveal the ideas and concepts that may have been pared from the chapter you just listened to</li>
<li>Expand upon or update the elements in the chapter you just listened to</li>
<li>Answer questions in a candid and direct style – focused on delivering insights that lead to results</li>
</ul>
<p>Go to <a href="http://www.configuresoft.com/securitycatalyst">www.configuresoft.com/securitycatalyst</a> today to <strong>register now</strong> and listen to the recorded sessions from before and get reminded to join in for the September session.</p>
<h3>You want more, so after listening…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engaging (not following) Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribing to The Security Catalyst podcast &amp; blog to get more insights</li>
<li>Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-3-breaking-the-security-diet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>

			<itunes:keywords>assessment,audit,catalyst,compliance,encryption,into the breach,keynote speaker,regulation,santarcangelo</itunes:keywords>
		<itunes:subtitle>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book...</itunes:subtitle>
		<itunes:summary>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet)
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 3)
Breaking the security diet is the recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the newest fad diet: encryption – a control that protects data only where it is actually deployed and, on its own, does nothing to change how people handle information. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.
Go deeper Into the Breach with Michael Santarcangelo in October with EMC
In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:

	Reveal the ideas and concepts that may have been pared from the chapter you just listened to
	Expand upon or update the elements in the chapter you just listened to
	Answer questions in a candid and direct style – focused on delivering insights that lead to results

Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get reminded to join in for the September session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
	Subscribing to The Security Catalyst podcast &amp; blog to get more insights
	Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)
</itunes:summary>
		<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
		<itunes:explicit>clean</itunes:explicit>
	<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/o9EwlMjE0c0/ITB-Santarcangelo-CHAPTER-3.mp3" fileSize="11584278" type="audio/mpeg" /><feedburner:origLink>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-3-breaking-the-security-diet/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/o9EwlMjE0c0/ITB-Santarcangelo-CHAPTER-3.mp3" length="11584278" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-3.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Shooting ourselves in the foot: Can the bad economy keep us from buying more bullets?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/PQLmauNHjOo/</link>
		<comments>http://www.securitycatalyst.com/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 15:51:28 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2388</guid>
		<description><![CDATA[by Ioana Justus
My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you’d think that people would be a little more judicious about how they spend the small budget [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2389" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/for-mysite.jpg" alt="for mysite" width="145" height="150" />by Ioana Justus</p>
<p>My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you’d think that people would be a little more judicious about how they spend the small budget they have remaining, but that’s turning out not to be the case.  Surprisingly, I think the vehemence with which we’re shooting ourselves in the foot has increased as the budgets have shrunk.  Now that the economy has bottomed out and is (supposedly) on the rebound, is there any chance of changing some of the behaviors before the upswing takes hold?</p>
<p>Let me ask you a different question: If you lived in Chicago and your house needed a new roof, would you just go out and buy the one recommended by your buddy out in San Francisco, because he’s thrilled with his new roof?  Hopefully, the answer to this is no.  You may take a look at it, but I’d hope that you would first confirm that its structural integrity is sufficient for the added wind, cold, and snow load that Chicago roofs experience.  Once selected, would you allow the contractor to cut corners on your roof installation just to make a specific deadline?  Is a permanently leaky roof worth a couple of weeks?</p>
<p>If you wouldn’t blindly purchase something for your own home based solely on the recommendation of a friend, why would you purchase a product for your company based on the recommendation from a vendor, a colleague in another industry, or a conversation on the golf course?  How can you justify the potential risk?  What happens to your reputation when the product in question doesn’t perform as expected?  Where does the budget come from if you end up having to replace the entire thing?</p>
<p>When budgets are tight, there are better things to purchase with what little you have than bullets for your foot, and there are three very simple rules that can keep your munitions purchases at bay:</p>
<ol>
<li>Don’t &#8216;decide&#8217; on a due date, calculate it. Implementations take time and resources. As much as you might want something in production by the end of the quarter, it might not be possible to do in a reasonable way. Before committing to a date that’s just not feasible, spend a little time to determine the effort involved and the lead times for any purchases/installations that may need to be made, and to assess the availability of the resources required. Then calculate a plausible due date based on the reality of the work effort, and be sure to document the consequences of cutting corners, should that still be desired. Sure, there will be instances when time is of the essence, but those are not as frequent as most people think. When you consider long-term support costs and the massive adjustments that are usually needed to make a quickly installed product work, the calculated ROI is rarely met, and the costs to reputation and morale are higher than many would like to admit.</li>
<li>Don’t &#8216;make up&#8217; budget numbers, calculate them. We all instinctively have assumptions about how much something should cost. Some of us are better than others at guesstimating accurately. Most of us underestimate – significantly! So before publishing a number that just doesn’t make sense, do the math. There’s truly nothing to be gained by setting the expectation that the desired work can be done for half the actual cost. If the true cost is prohibitive, then the negotiations need to start, and the consequences should be documented and accepted for each item cut. But if you’ve dug yourself a hole before the negotiations have even started, you’re in for a world of hurt.</li>
<li>Don’t fit your problems to a pre-determined solution, pick a solution that fits your problem. No matter how nice the vendor is or how much you value your golf buddy’s opinion, the product they’re pushing may not be the right one for your company. The only way to know for sure is to gather requirements first, based on the actual needs, desires, and roadblocks currently being faced by your company. Then you can assess whether the desired product fits the bill. If it doesn’t, don’t buy it! If nothing fits the bill, pick the best option, or consider waiting for future developments. In any case, be sure to document the trade-offs, and get agreement that they’re acceptable.</li>
</ol>
<p>Simple, right? <img src='http://www.securitycatalyst.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />   But if we were all doing this, I wouldn’t be writing about it.  The problem is that it has become acceptable to ignore the rules, and anyone who doesn’t follow suit is viewed negatively.  The real challenge is for each of us to take the personal responsibility to follow the rules, regardless of our position in the company.  Only then will we change the expectation and make it unacceptable to ignore the rules.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/</feedburner:origLink></item>
		<item>
		<title>Privacy Commons for Government</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/0EUmj1UYeZU/</link>
		<comments>http://www.securitycatalyst.com/privacy-commons-for-government/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 11:00:51 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[Congress Camp]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Commons]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2330</guid>
		<description><![CDATA[by Aaron Titus
&#8220;Unconferences&#8221; (hat tip to identitywoman) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies.  My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation.  The gathering focused (broadly) on social networking tools and Web 2.0 for government. It [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2331" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/CongressCamp-logo.png" alt="Congress Camp Logo" width="350" height="144" />by Aaron Titus</p>
<p>&#8220;<a href="http://www.unconference.net">Unconferences</a>&#8221; (hat tip to <a href="http://www.identitywoman.net">identitywoman</a>) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies.  My most recent unconference was <a title="Congress Camp" href="http://congresscamp.org/" target="_blank">Congress Camp 2009</a>, organized by the <a title="Open Forum Foundation" href="http://openforumfoundation.org/" target="_blank">Open Forum Foundation</a>.  The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked <a title="3121 Professional Network for Hill Staffers and Congress" href="http://3121blog.nationaljournal.com/">hill staffers</a> who use IE6 and must cope with information overload.  We also got a preview of <a title="Gov Luv: Social Media meets Government" href="http://govluv.org/" target="_blank">GovLuv.org</a>.  If you have an interest in social networking and government, I highly recommend looking at some of the <a title="Congress Camp Blog" href="http://congresscamp.org/" target="_blank">blog articles</a>.</p>
<p><span id="more-2330"></span>Here&#8217;s my report: <em>Don&#8217;t hold your breath for Congress to go Social-Web crazy in the immediate future.</em></p>
<p>I hosted a discussion on developing a <a title="Privacy Commons" href="http://wiki.privacycommons.org" target="_blank">Privacy Commons</a> framework for government.  In short, Privacy Commons will be a series of Privacy Policy Frameworks: a list of <em>required</em>, <em>optional, </em>and <em>prohibited </em>subject matter for privacy policies. Each framework will be tailored to a particular industry (e.g., medical, financial, goods and services, social media, government). Adoption of a Privacy Commons Framework will require that your Privacy Policy address all subject matter in the framework, and make certain high-level disclosures in the form of iconography (e.g., a &#8220;$&#8221; symbol to indicate that you sell personal information to third parties).</p>
<p>I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from staffers that Congressional privacy policies should also disclose how personal anecdotes may be used.  Many constituents e-mail their elected representatives with poignant personal stories that often support draft legislation.  Staffers must decide whether they can or should use the stories in a press release, on the House or Senate floor, or whether they can use the story and change the names.</p>
<p>A government Privacy Commons framework will also need to address the different rules that elected officials and their campaigns must follow.  Elected officials must follow strict rules governing sharing personal and contact information.  In contrast, campaigns (which may run full-time, even after an official is elected) can do almost anything with personal information.  The distinction between &#8220;Congressman Jones&#8221; and &#8220;Congressman Jones&#8217; Campaign&#8221; may be lost on the average constituent; but the effects on privacy might be substantial.</p>
<p>As I make the transition to <a title="J.C. Neu and Associates" href="http://www.jeffreyneu.com" target="_blank">full-time attorney</a> (after I pass the bar&#8230; wish me luck), I&#8217;ll be able to continue developing Privacy Commons.  In fact, at Congress Camp I hooked up with the <a title="E Citizen Foundation" href="http://ecitizenfoundation.org" target="_blank"> ECitizen Foundation</a>, which might help host Privacy Commons working groups. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/privacy-commons-for-government/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/privacy-commons-for-government/</feedburner:origLink></item>
		<item>
		<title>How Not to Sell</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/LFoBKNP1A0Y/</link>
		<comments>http://www.securitycatalyst.com/how-not-to-sell/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 13:05:46 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[selling]]></category>
		<category><![CDATA[service]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2301</guid>
		<description><![CDATA[by Trish Smith     
Recently, I had an experience in the &#8220;non-tech&#8221; world that I think has parallels to many people&#8217;s experiences with technology, so I thought I&#8217;d share it with you.
Several weeks ago, my husband and I decided that we had had enough of our mattress; it was only four years old, but it [...]]]></description>
			<content:encoded><![CDATA[<p>by Trish Smith     <a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/1152597_paid_invoice.jpg"><img class="alignright size-full wp-image-2357" title="1152597_paid_invoice" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/1152597_paid_invoice.jpg" alt="1152597_paid_invoice" width="300" height="200" /></a></p>
<p>Recently, I had an experience in the &#8220;non-tech&#8221; world that I think has parallels to many people&#8217;s experiences with technology, so I thought I&#8217;d share it with you.</p>
<p>Several weeks ago, my husband and I decided that we had had enough of our mattress; it was only four years old, but it was a memory foam mattress that developed a distinct body impression on my husband&#8217;s side. It was uncomfortable, to say the least. The furniture company that sold it to us is a store located here in town, so we had them come out and take a look at the mattress to see if it was defective. Sure enough, when they inspected it, they determined that it was, and that they would reimburse the purchase price of the mattress (with a store credit, of course). At this point we needed to buy a new mattress, and this is where the story goes south.</p>
<p>We already knew we wanted to purchase a &#8220;traditional&#8221; mattress, and not another memory foam mattress (we might be slow learners, but we&#8217;re not THAT slow). When we entered the furniture store, we were immediately pounced upon by a salesperson, who escorted us to the mattress department and asked us what we were looking for. We explained the situation with the store credit, and told him that we had decided to purchase a non-memory foam mattress because of our recent experience.</p>
<p>At this point, I should explain that we were not entirely against a memory foam mattress. If we could have found one with a good warranty and reliability, we might have purchased it. But instead, the salesman proceeded to try to &#8220;hard sell&#8221; us a $3,000 mattress (which was $1,300 above the amount of the store credit). When I indicated that we wanted to try to stay close to the amount of the store credit and that we weren&#8217;t entirely sold on &#8220;newfangled&#8221; latex foam, considering our last experience, the salesman made an obnoxious remark about latex actually being an old technology (since it&#8217;s been around for thousands of years). At that point, if the store credit situation hadn&#8217;t forced us to buy the mattress at that store, I would have gone to a different store and they would have lost my sale (which ultimately turned out to total around $2,000).</p>
<p>So what&#8217;s the lesson here? It&#8217;s obvious &#8211; regardless of whether your job is to sell technology to the public or to provide IT services to your organization, DON&#8217;T HARD SELL. Believe me when I tell you that your client will recognize this tactic from a mile away, and will run in the opposite direction.</p>
<p>But what is a &#8220;hard sell&#8221;? According to Wiktionary.com, it&#8217;s &#8220;a sales technique of pressuring the potential buyer to agree to a purchase&#8221;. It implies that, instead of providing customers with valid reasons for making the purchase, and helping them understand how the product will improve their jobs or their lives, salespeople simply subject customers to high-pressure tactics to get them to agree to the sale.</p>
<p>We&#8217;ve all been victims of the hard sell. Our society has even developed a stereotype of the hard seller: the car salesperson. Most of us recognize when we&#8217;re being pressured to buy something, and our first instinct is usually to run the other way. It doesn&#8217;t matter if the salesperson is an expert in the field; we don&#8217;t like being made to feel as though we &#8220;have to&#8221; do something by another person (even if we really <em>do</em> have to do something). It might be our contrary nature, but it doesn&#8217;t matter if the salesperson knows more than us (or just thinks he does); it doesn&#8217;t even matter if what we&#8217;re being sold is something we really do need. We will walk away from a hard sell.</p>
<p>So how do you avoid making a hard sell? Explain, explain, explain. Even if what you&#8217;re dealing with is a highly technical product, and the person you&#8217;re selling it to isn&#8217;t very technologically savvy, there are always ways to explain something in a way the customer will understand. Follow the therapeutic mantra, and &#8220;start from where the customer is&#8221;. Remember that when you don&#8217;t do this; when you instead attempt to pressure a client into a sale because you &#8220;know better&#8221;, I can guarantee you one thing:</p>
<p>Apply pressure tactics, and you can kiss that sale goodbye.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/how-not-to-sell/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/how-not-to-sell/</feedburner:origLink></item>
		<item>
		<title>When did that happen?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/ZLQyaLA5lDY/</link>
		<comments>http://www.securitycatalyst.com/when-did-that-happen/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 11:00:22 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[Family Security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2352</guid>
		<description><![CDATA[by Jeff Kirsch
How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. [...]]]></description>
			<content:encoded><![CDATA[<p>by Jeff Kirsch<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/old-to-new.jpeg"><img class="alignright size-medium wp-image-2354" title="old-to-new" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/old-to-new-300x225.jpg" alt="old-to-new" width="300" height="225" /></a></p>
<p>How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. Then one day you take some time, for whatever reason, to look and actually <em>see</em>. Typically the phrase &#8220;I don&#8217;t recall seeing that before&#8221; comes to mind in these situations. This behavior isn&#8217;t limited to driving; it applies to any task we may do that could be considered mundane or repetitive. If this becomes commonplace in our routines, it can affect how well we perform our jobs, and potentially lead to critically missed opportunities.</p>
<p>Stick a Fork in it</p>
<p>Occasionally my family decides to have pancakes for breakfast, but more frequently we have them for dinner. My kids&#8217; favorite of the three varieties I make is chocolate chip. I make three different kinds because you never know when someone is in the mood for one type, and if you make just one or two you are more than likely going to disappoint someone. In addition to the favorite chocolate chip, I also make blueberry and plain. Since the crucial ingredients are not thrown in until the batter is on the griddle, it is very easy to make &#8220;custom&#8221; meals.</p>
<p>Recently, my oldest son decided he likes both blueberry and chocolate chip. It seemed like any other meal, and we had just had pancakes the previous weekend. I made them the same way, all the while to the chanting of three little voices saying &#8220;we want chocolate chip&#8221; and one little tiny voice saying &#8220;dadadadada&#8221;. I brought the plates to the table full of pancakes and everyone claimed their favorites. As I was helping my daughter get some pancakes on a fork I heard a sudden surprised exclamation from my oldest son on the opposite end of the table. As I began to turn I could see a look of surprised laughter on my wife&#8217;s face. She was trying to hold it back, but as I completed the turn to look at my son I couldn&#8217;t help but laugh out loud. All over his face was blueberry, in little speckles indicating something had burst. &#8220;I just stuck my fork in it to cut it and it exploded&#8221; were his first words. The whole table burst into laughter and we continued to eat our meal, but with caution.</p>
<p>Take it In</p>
<p>When we talk about technology and information security, we know that the landscape for threats is always changing. A person responsible for maintaining systems could sing the horrors of having to make sure all systems are properly patched. Likewise, those who are responsible for monitoring threats to the technology receive new information continuously about areas most at risk. In this fast paced world we try to keep up, but find we are always one step behind. We are left to maintain and defend from the known, while someone plans the unknown. Do we just give up, throw our hands in the air and walk away? Perhaps we need to take in all that we have missed while fighting the fires of the day.</p>
<p>In the information security community, we need to put our fears aside and see all that is around us. Putting ourselves in the mindset of someone who wants what we have can make us feel uneasy but it gives us a new perspective. It helps us identify areas others might want to try as an attack vector, and then makes us evaluate the risk and implement a strategy based on the threat. I know that taking time away from our responsibilities seems like a fantasy, but what we may find is that we streamline our everyday tasks by attacking our own thinking. We marvel at how fast technology moves and lament when we don&#8217;t get the features we desire now. For all the lamenting, we tend to keep our thinking a few technologies behind. There will come a time, if we continue on that path, where something will blow up in our face. Better to take in what&#8217;s around us at least once in a while to see what we are missing. We might possibly get the upper hand.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/ZLQyaLA5lDY" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/when-did-that-happen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/when-did-that-happen/</feedburner:origLink></item>
		<item>
		<title>Justification for Security Policy / Awareness Position</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/Cm4S_H8j3TA/</link>
		<comments>http://www.securitycatalyst.com/justification-for-security-policy-awareness-position/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 11:00:43 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1916</guid>
		<description><![CDATA[by Ron Woerner
Recently, I had to justify a vacant opening for a security analyst responsible for policy and awareness.  This article is the position paper from that effort.  Feel free to use it if you ever need to justify this position.
“The position of Security Policy &#38; Awareness is the key to the success of the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/627216_lonely_lonely.jpg"><img class="size-full wp-image-2340 alignright" title="627216_lonely_lonely" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/627216_lonely_lonely.jpg" alt="627216_lonely_lonely" width="198" height="300" /></a>by Ron Woerner</p>
<p>Recently, I had to justify a vacant opening for a security analyst responsible for policy and awareness.  This article is the position paper from that effort.  Feel free to use it if you ever need to justify this position.</p>
<p>“The position of Security Policy &amp; Awareness is the key to the success of the Security program at [our company].  This employee sets the policies and standards for security across the enterprise.  They ensure those responsible for enacting or following them know of their existence.  The role facilitates multiple groups to ensure the policies developed are rational, effective, and visible in order to protect our employees, clients, and shareholders. It establishes the expectations of behavior for employees and the controls needed to ensure the confidentiality, integrity and availability of company assets.</p>
<p>We need an employee who can focus on ensuring our policies are well-written, up to date, and have been coordinated across the enterprise.  If this position were not filled, then the chances are high that our Policies would stagnate with very little improvement.  In addition, it would be much more difficult to develop new Policies, therefore leaving potentially critical gaps.  This would potentially increase our security and compliance risks.</p>
<p>We also need an employee to promote Security’s Policies, Standards, and best practices.  We cannot leave it up to employees, Managers, or anyone impacted to find the security policies and to follow expected secure behavior without someone leading the way.  Without a person dedicated to Security Awareness, our employees will be unable to follow not only our policies but also the best practices that keep us all secure, thereby greatly increasing the risk of a security breach.</p>
<p>If it is in the best interest of the Company to continue without this position, many of the activities will be delegated to the affected parties (IT, HR, Compliance, Legal, and the Business Units). The Security team will continue to lead many of the functions, but will be forced to take a minimalist approach and will only be able to accomplish the most critical tasks.  The current Security manager could perform some of the duties of a Policy and Awareness Analyst, but many of the functions would be left incomplete.</p>
<p>Most organizations the size and breadth of [our Company] in our sector have at least one employee dedicated to the activities of Security Policy and Awareness.  Security pundits across the globe have spoken out for this need as well.  This is because the lack of this position creates a gap in the whole security program that cannot be fulfilled any other way. Lastly, without this position, we are in danger of violating laws and regulations established for the protection of personal information (See Attachment 1).</p>
<p>It is my recommendation that [our Company] allow us to fill the position of Security Policy &amp; Awareness Analyst.  It’s in the best interest of all involved including Security, our employees, and our business partners.</p>
<p>Attachment 1 Laws, regulations, and industry best practices stating the need for Policy &amp; Awareness position:</p>
<p>Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 12, “Maintain a policy that addresses information security for employees and contractors.”<br />
ISO/IEC 27002<br />
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.<br />
Operating procedures should be documented, maintained, and made available to all users who need them.<br />
COBiT v4.1<br />
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.<br />
ID Theft Red Flag rule<br />
Section 114 of the FACT Act directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.”<br />
The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.<br />
FFIEC Information Security Handbook<br />
Institutions are required to establish an information security program that meets the requirements of the 501(b) guidelines. Information security policies and procedures are some of the institution’s measures and means by which the objectives of the information security program are achieved.<br />
Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.<br />
HIPAA<br />
An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.<br />
A security awareness and training program for the entire workforce must be developed and implemented.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/Cm4S_H8j3TA" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/justification-for-security-policy-awareness-position/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/justification-for-security-policy-awareness-position/</feedburner:origLink></item>
		<item>
		<title>Magic Formula for Passwords</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/Eb3OFZLEhTk/</link>
		<comments>http://www.securitycatalyst.com/magic-formula-for-passwords/#comments</comments>
		<pubDate>Thu, 17 Sep 2009 11:00:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2244</guid>
		<description><![CDATA[by Carl Anctil
Today, you are all very lucky. I am going to share my secret recipe when it comes to choosing passwords. I have been using this method for several years. It has served me well over the years and at this time, I feel it has passed the test of time (well, over 8 [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2245" href="http://www.securitycatalyst.com/magic-formula-for-passwords/log-in-screen/"><img class="alignright size-medium wp-image-2245" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/loginpass-300x258.jpg" alt="Log in screen" width="300" height="258" /></a>by Carl Anctil</p>
<p>Today, you are all very lucky. I am going to share my secret recipe when it comes to choosing passwords. I have been using this method for several years. It has served me well over the years and at this time, I feel it has passed the test of time (well, over 8 years). The formula is simple, effective and the result is a unique strong password every time you use it. This is how it works.</p>
<p>First, choose a word that contains a minimum of 8 characters. This <em>secret</em> word must not have any meaning, relation, association, etc. that can connect back to you, to a website or to an application. This means no maiden names, pet names, birthdays, etc. Same rules as before for choosing strong passwords. For this example, the secret word will be <em><strong>elephant</strong></em>.</p>
<p>Second, choose a secret 4-digit pin. Again, this secret pin cannot have any meaning to you. This is important: we don&#8217;t want anything that could be easily guessed. For this example, our 4-digit pin will be <em><strong>1234</strong></em>.</p>
<p>Third, pick one special character, such as a punctuation mark. We will use the <strong>@</strong> character.</p>
<p>Let&#8217;s say we need to come up with a password for a website. We&#8217;ll use www.paypal.com as an example.</p>
<ol>
<li>drop the www and the top level domain (.com). We end up with <em>paypal</em></li>
<li>pick a letter position in the result word as a key. This must be the same every time. To keep this simple, let&#8217;s use the first letter. Match the first letter (key) in the domain (<em><strong>p</strong></em>) with the first corresponding letter in your secret word like so ele(<em><strong>p</strong></em>)hant.</li>
<li>replace that letter with your secret pin ele<em><strong>1234</strong></em>hant</li>
<li>capitalize the remaining letters after your secret pin like this ele1234<em><strong>HANT</strong></em></li>
<li>add your special character anywhere you want ele1234HANT<strong>@</strong></li>
</ol>
<p>The resulting password is: <strong>ele1234HANT@</strong></p>
<p>What you end up with is a unique, strong 12-character password that contains letters, numbers, at least one upper-case letter and at least one special character. All you have to do is remember one formula instead of several distinct passwords. Works for me.</p>
<p>In addition, this method will provide you with a password that most likely will not be part of any dictionary or rainbow table. I like that.</p>
<p>Should the letter for the domain or application that you want to create a password for not be part of your secret word, just continue to the next available letter in the alphabet. Instead of paypal, let&#8217;s use www.bank.com. Since there is no letter <em>b</em> in <em>elephant</em>, I would have to use the first <em>e</em> as the first match when going through the alphabet. The result in this case would be <em>1234lephant@</em></p>
<p>I know there are no capital letters but 3 rules out of 4 isn&#8217;t bad. Besides, you could easily add a capital letter anywhere should you really want to.</p>
<p>Hope this helps when choosing strong passwords. No more passwords on post-it notes!</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/Eb3OFZLEhTk" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/magic-formula-for-passwords/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/magic-formula-for-passwords/</feedburner:origLink></item>
		<item>
		<title>Embracing Manjoo’s Madness</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/x2KIhK3pWLE/</link>
		<comments>http://www.securitycatalyst.com/embracing-manjoos-madness/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 11:00:06 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2275</guid>
		<description><![CDATA[by Dennis Kuntz

There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It&#8217;s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/madness.jpg"><img class="alignright size-full wp-image-2278" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/madness.jpg" alt="Driving Me Crazy" width="283" height="424" /></a>by Dennis Kuntz</p>
<p><!-- 		@page { size: 8.5in 11in; margin: 0.79in } 		P { margin-bottom: 0.08in } --></p>
<p style="margin-bottom: 0in">There was a little bit of a buzz recently regarding an article on <a title="Slate.com" href="http://www.slate.com/" target="_blank">Slate</a> called, “<a title="Manjoo's Madness" href="http://www.slate.com/id/2226279" target="_blank">Unchain the Office Computers! Why corporate IT should let us browse any way we want</a>”. It&#8217;s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn&#8217;t going to win a bunch of fans from the <a title="Security Twits" href="http://www.security-twits.com/" target="_blank">Security Twits</a> lurking around on Twitter&#8217;s infosec community.</p>
<p style="margin-bottom: 0in">The author&#8217;s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that coupled that with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker would certainly make him a difficult customer.Who wants to deal with that?</p>
<p style="margin-bottom: 0in">A lot of the reactions to the author&#8217;s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don&#8217;t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4&#215;0rs whilst <a title="Doing the Dew" href="http://www.mountaindew.com/" target="_blank">doing the Dew</a>? While not everyone would take that tack, let me suggest a different approach anyway.</p>
<p style="margin-bottom: 0in">The author, Farhad Manjoo, represents reality. He&#8217;s a real person who uses real technology in the real world. And he&#8217;s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers <a title="Cisco DLP Whiepapers" href="http://cisco.com/en/US/netsol/ns895/index.html" target="_blank">here</a>, and a decent summary <a title="CISCO DLP Summary" href="http://www.crn.com/security/211601180;jsessionid=IWBMKUAJILGN3QE1GHPCKH4ATMY32JVN" target="_blank">here</a>), it was discovered that:</p>
<blockquote>
<p style="margin-bottom: 0in"><a name="articleBody"></a>“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company&#8217;s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative <a href="http://www.crn.com/encyclopedia/defineterm.jhtml?term=Web%202.0&amp;x=&amp;y=">Web 2.0</a> applications and social <a href="http://www.crn.com/encyclopedia/defineterm.jhtml?term=networking&amp;x=&amp;y=">networking</a> sites, <a href="http://www.crn.com/encyclopedia/defineterm.jhtml?term=video&amp;x=&amp;y=">video</a> and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use. “</p>
</blockquote>
<p style="margin-bottom: 0in">With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo&#8217;s opinion as just being one of the uneducated masses, I contend that it&#8217;s our job to listen to his opinion and address it appropriately:</p>
<ul>
<li>If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.</li>
<li>If the reasons are justified (“justified” here <em><strong>does not </strong></em><span style="font-style: normal"><span>mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.</span></span></li>
<li><span style="font-style: normal"><span>If</span></span><span> </span>the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.</li>
</ul>
<p style="margin-bottom: 0in">I say let&#8217;s bump things up a notch: Make it a point to <a title="Seeking our difficult customers" href="http://blogs.techrepublic.com.com/cio-for-hire/?p=257" target="_blank">seek our your own personal Mr. Manjoos</a>, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/x2KIhK3pWLE" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/embracing-manjoos-madness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/embracing-manjoos-madness/</feedburner:origLink></item>
		<item>
		<title>Policies don’t have to be painful</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/xJnDUKCWeqY/</link>
		<comments>http://www.securitycatalyst.com/policies-dont-have-to-be-painful/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 11:00:00 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2316</guid>
		<description><![CDATA[A couple of years ago one of my clients asked me to write a security policy for them since I was the "Security Guy" at the consulting company they used.  I spent a couple of hours looking at various templates and examples that I could find on the Internet.  What I found was a lot of carbon copies of the same templates with insert corporate name here.  My client was happy to have something and I was able to help them out, but I was not really satisfied with what I had written and wanted to do better.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/211776_books_pile.jpg"><img class="alignright size-full wp-image-2318" title="211776_books_pile" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/211776_books_pile.jpg" alt="211776_books_pile" width="252" height="300" /></a>by James Costello</p>
<p>Several years ago, one of my clients asked me to write a security policy for them (since I was the &#8220;Security Guy&#8221; at the consulting company they employed).  I spent a couple of hours looking at various templates and examples on the Internet.  What I found were a lot of carbon copies of the same few templates with &#8220;insert corporate name here&#8221;. Regardless, I created a security document for them; my client was happy to have <em>something</em> and I was able to help them out, but I was not really satisfied with what I had written and wanted to do better.</p>
<p>Recently, I&#8217;ve been working with a team to rewrite the security policies for my current employer; policies that look exactly like the one I put together for my client years ago. The review of the current documents made something clear to me: No one likes to write these documents, so they use templates as a quick way to get the job done.  Unfortunately, the template-based policies can be difficult to read through for people who need to work on them, and will most likely be unread by the employees who will be most affected by them.</p>
<p>So what can we do, dear reader?</p>
<p>I am going to start by defining policy this way:  A policy is a set of rules that supports an overall vision. The policy is measured against a set of standards and implemented through procedures. For example, if the vision is that the company&#8217;s wireless network should be secure, the policy would state that technologies will be used to secure wireless communications on corporate sites. The standard would be that the general public cannot connect directly to the corporate network via wireless networking. The procedure would be to configure WPA2 on the access points.  If a new technology comes out that proves to be more secure than WPA2, the policy does not need to be rewritten; only the procedure does.  There can also be multiple procedures for the same policy, e.g. the procedure to implement WPA2 on Windows is different from the procedure to implement it on Linux.</p>
<p>It&#8217;s simple: The vision is the overall goal. The policy supports the vision, the standards define how compliance with the policy is measured, and the procedures implement the policy.  Procedures should not typically be included in a policy document because they are more dynamic and will change more often than the policy will.  In my current organization, policies have to be approved by the Executive Management team, and it can take as long as a month for one sentence to be approved.  Instead, procedures should be established at the team level and reviewed by direct management, so that changes to a procedure can be implemented quickly while still supporting the existing policy.</p>
<p>One of the best references I have found for this policy style is the PCI DSS documents.  Vision, policy, and standard are established, and the procedures are left up to the individual companies.  The documents are easy to read and reference, and can be a great starting point for companies to examine how their own security policies are written.  Not everything in the PCI DSS documents will be applicable to every organization, and I do not necessarily agree with everything in them, but they are quite useful as a model of readability and for review by non-IT security staff.</p>
<p>The simple steps to follow to build your own company&#8217;s security policy:</p>
<ol>
<li>Establish the vision.</li>
<li>Write the policy to support the vision.</li>
<li>Develop standards to measure the policy, and finally</li>
<li>Create the procedures to implement the policy</li>
</ol>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/xJnDUKCWeqY" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/policies-dont-have-to-be-painful/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/policies-dont-have-to-be-painful/</feedburner:origLink></item>
		<item>
		<title>Dear Legitimate Companies: Stop Acting Like Phishing Rings</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/3OBq_S0ey4k/</link>
		<comments>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 11:00:06 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[consumer advocate]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2267</guid>
		<description><![CDATA[by Aaron Titus
As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:

Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.
Don&#8217;t click on [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2308" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/Danger-Wrong-Way-Turn-Back-300x400.jpg" alt="Danger Wrong Way Turn Back" width="400" height="300" />by Aaron Titus</p>
<p>As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:</p>
<ol>
<li>Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.</li>
<li>Don&#8217;t click on URLs in unsolicited e-mails.</li>
<li>If you want to click on an e-mail link, never click &#8220;dishonest&#8221; links &#8211; links whose real destination (shown on mouse-over or in the status bar) differs from the displayed URL.</li>
</ol>
<h1>Bad Practices</h1>
<p><a href="http://www.amsa.com/">American Student Assistance</a> (ASA) is a non-profit organization which helps students keep track of their student loans. It&#8217;s also an example of a legitimate organization with some irresponsible privacy practices.</p>
<p>Earlier this year I received an unsolicited e-mail from the ASA.  I had never heard of the ASA, but the e-mail insisted that they were &#8220;the guarantor of [my] federal student loans.&#8221; To this day my bank has not introduced me to the ASA.  Of course, this spontaneous contact from an &#8220;authoritative&#8221; organization made me suspicious. <em><strong>Red Flag 1</strong>: Unsolicited e-mail claiming to be from an authoritative source.</em></p>
<p>The letter instructed me to follow a link to log in with my FAFSA PIN. I was also notified that I have a &#8220;Profile,&#8221; and was invited to update my profile by clicking on a link. The link took me to an insecure (unencrypted, not HTTPS) and unbranded website which had already filled in my name and e-mail address, and indicated that I had been opted in to receive a newsletter &#8211; meaning the link itself was enough to reveal that information to anyone who obtained it. <em><strong>Red Flag 2</strong>: Unsolicited authoritative e-mail, requesting that you &#8220;log-in&#8221; using sensitive information on an unsecured, no-name server. Spam newsletters are a bonus.</em></p>
<p>But before clicking on the links, I moused over each of them to see where they led.  A link which purported to go to &#8220;<a href="http://www.amsa.com/bor">www.amsa.com/bor</a>&#8221; actually passes through &#8220;http://click.email-asa.org/?qs=33c40ef691b275c8d3b7e7d0430ce34d0980241c6c7eb313b745465bb515d8d5&#8221; &#8211; a third-party tracking domain that does not match the sender. In fact, all eight links in the e-mail were &#8220;dishonest,&#8221; in that the actual URL was different from the displayed URL. <em><strong>Red Flag 3</strong>: Dishonest links.</em></p>
<p>This e-mail screamed &#8220;Phishing Scam,&#8221; so I called the toll-free phone number listed in the e-mail.  A woman answered the phone. She immediately asked for sensitive personal information.  I gave her my first and last name, but refused to give her any additional information since they had contacted me and I had no way to verify who they were. <em><strong>Red Flag 4</strong>: Unsolicited third party requesting personal information over the phone.</em></p>
<p><a href="http://www.amsa.com/privacy-customer.cfm">ASA&#8217;s Privacy Policy</a> contains the following promises:</p>
<blockquote><p>We do not disclose any nonpublic personal information about you or our other current or former customers, except as permitted by law&#8230;. We restrict access to nonpublic personal information about you to our employees, contractors, and agents who need to know the information in order to provide service to you&#8230;. We maintain physical, technical, and administrative safeguards in compliance with federal regulations to safeguard your nonpublic personal information. <em>(Accessed August 27, 2009.)</em></p></blockquote>
<p>But ASA&#8217;s privacy policy didn&#8217;t translate to privacy practices.  After I refused to share personal information the lady on the phone asked, &#8220;Is your name Aaron [X] Titus, or Aaron [Y] Titus?&#8221; Uncomfortable, I replied, &#8220;Aaron [X]…&#8221; She asked for my date of birth.  When I refused to give it to her, she read it to me over the phone.  When I refused to give her my address, she repeated my full address including street, number, state and zip code.   She told me which school I attended and that she had access to my social security number on her screen.  <em><strong>Red Flag 5</strong>: A representative disclosing sensitive personal information over the phone without first authenticating the caller &#8211; a name alone is not authentication.</em></p>
<p>Since I had no idea who this organization was I asked, but never got a straight answer.  She and her supervisor variously described the organization as a &#8220;government agency,&#8221; &#8220;not a government agency,&#8221; &#8220;a non profit government agency,&#8221; and a &#8220;non profit organization which receives federal funds.&#8221; They relied on some relationship with the federal government to gain credibility. <em><strong>Red Flag 6</strong>: A fishy and inconsistent story designed to earn your trust.</em></p>
<h1>My Advice: Quit it</h1>
<p>After filing a complaint with the company, I talked with ASA&#8217;s Privacy and Compliance Director, Betsy Mayotte.  Ms. Mayotte was kind enough to apologize for the behavior of her organization, and convinced me that the ASA is a legitimate organization, albeit one with uneducated and dangerous privacy practices.  Apparently the representative was re-trained.  But they did not plan to change anything else.</p>
<p>The dishonest links were designed to measure click-throughs: a common marketing practice.  The unbranded and insecure server which asked me to update my &#8220;profile&#8221; was the result of bad practices, laziness or poor training.  The other blatant violations of their privacy policy and the outrageous behavior of the representative were more of the same.</p>
<p>I wish I could say that this is an unusual event. But unfortunately I&#8217;ve seen similar behavior by my bank, and even former employers.  When legitimate companies force consumers to be irresponsible, the online public becomes irresponsible.  Forcing consumers to ignore common-sense safety practices may save you a buck in the short run, but it makes your customers irresponsible and erodes overall online public safety. So here&#8217;s my advice to legitimate companies who behave like phishing rings:</p>
<p><strong>Quit it.</strong></p>
<p>Seriously, stop training the public to be irresponsible. If you want to track click-throughs for an e-mail marketing campaign, host the redirect on your own domain &#8211; the one your customers already know &#8211; so that the link they see is the link they actually visit.  If you got sensitive personal information through a third party, make sure to have that third party introduce you to the customer.   Don&#8217;t send unsolicited e-mail, and don&#8217;t cold-contact potential customers to request that they share personal information.  Once and for all, serve your website over HTTPS.  If your marketing department isn&#8217;t all that tech-savvy, hire someone who is.  Train your customer service representatives never to give out personal information &#8211; and never to &#8220;confirm&#8221; it by reading it back &#8211; without first authenticating the identity of the person on the other end of the line.</p>
<p>Privacy policies are not just legal boilerplate which you can write and forget.  Make sure that your privacy policy matches your privacy practices.  This means that your customer service representatives should be as familiar with it as your general counsel.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/3OBq_S0ey4k" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/</feedburner:origLink></item>
		<item>
		<title>Communicating with Your Boss</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/vZVNa86Dcks/</link>
		<comments>http://www.securitycatalyst.com/communicating-with-your-boss/#comments</comments>
		<pubDate>Thu, 03 Sep 2009 11:00:16 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2170</guid>
		<description><![CDATA[by Martin Fisher
As we looked at the first two  of the three Basic Truths of Incident Response Leadership (“Assume  You Will Fail” and “Have A Workable Plan”), we focused on  activities that the Incident Response Leader does with the incident  response team being led.  The final truth involves the other direction  [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family: Times New Roman; font-size: small;">by Martin Fisher<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/phone.jpg"><img class="alignright size-full wp-image-2303" title="phone" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/phone.jpg" alt="phone" width="300" height="157" /></a></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">As we looked at the first two  of the three Basic Truths of Incident Response Leadership (“Assume  You Will Fail” and “Have A Workable Plan”), we focused on  activities that the Incident Response Leader does with the incident  response team being led.  The final truth involves the other direction  on the organizational chart&#8230;</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Basic Truth #3: Communicate  Your New Posture To Your Boss</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Once you&#8217;ve changed your mindset  about getting compromised, and you&#8217;ve reviewed, tested, and (hopefully)  exercised your plans, you are going to enter what is, for some people,  the most challenging Basic Truth – explaining what you&#8217;re doing to  your boss.</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Now, to be honest, you should  be regularly talking with your boss.  Organizations rely on middle  level managers to have frank, open, and honest discussions with more senior  leaders so that the organization&#8217;s efforts are aligned with the overall direction of the business.  The role of the Incident Response Leader is to not  only train &#8220;down&#8221; the organizational chain but to educate &#8220;up&#8221; the chain  as well.  The best way to do this is through regular conversations.</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">The potentially tricky issue  is that you may have to “un-do” years of senior leader assumptions  about the incident response approach of the organization.  As difficult  as you may have found it to “Assume You Will Fail”, your boss –  who is probably much less directly connected to the daily realities  of incident response – is going to potentially be much more resistant  to change that assumes that problems will occur.  Hopefully you&#8217;ve  been hinting, nudging, guiding, and educating your boss during this  process, and this will not come as a surprise (because as a general rule, surprises  to your boss are a bad thing).</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">As you educate your boss, you may need to back up and re-teach some of the basics of information security and risk management.  Your boss may need some catch-up on risk management and analysis.  If so, you&#8217;re in luck because there will be that much less to un-learn.  Over several meetings, take the time to ensure that your boss understands the “why” of what you&#8217;re doing before you start into the “how” of what you&#8217;re doing.   Take the time to demonstrate to your boss that you not only understand the business of Incident Response, but that you understand the business of the organization and your role in it.</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Take the time to talk through  the benefits of “Assuming You Will Fail” by pointing out that  the organization cannot afford “perfect” security, but can afford  a quality incident response team to respond to and mitigate any issues.   Through discussion you can reframe, redefine, and provide your team  with realistic goals and objectives that senior leadership understands  and will buy into.</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">This conversation sets you up for the key discussion – formalizing the performance expectations of you and your team; setting up and documenting exactly what you will do and how you will be measured; and (most importantly) how the organization will define your and your team&#8217;s success.  If you do this well, you will have turned what previously would have been considered a failure into a significant win for the organization, your team, and you.</span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Accepting and acting on the  Three Basic Truths of Incident Response Leadership will enable you to  better serve your organization, your team, and yourself.  I&#8217;d love  to hear from other IR leaders to see how this works for you.</span></p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/vZVNa86Dcks" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/communicating-with-your-boss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/communicating-with-your-boss/</feedburner:origLink></item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 2 (People Just Want to Do Their Jobs)</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/DhzUGivnaE8/</link>
		<comments>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-2-people-just-want-to-do-their-jobs/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 13:34:53 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News and Events]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[emc]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[santarcangelo]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2293</guid>
		<description><![CDATA[
Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs)
Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This [...]]]></description>
			<content:encoded><![CDATA[<p><!--StartFragment--></p>
<h3>Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs)</h3>
<p><!--EndFragment-->Welcome to the audio series of <a href="http://www.securitycatalyst.com/innovation/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a><strong><em> </em></strong>(<a href="http://www.securitycatalyst.com/buy-into-the-breach/">click this link to learn more about this book and pick up a complete copy – to get started on your personal journey</a>). This series, underwritten by <a href="http://www.configuresoft.com/securitycatalyst.aspx">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this episode (Chapter 2)</h3>
<p>Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  &#8211; a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.</p>
<h3>Go deeper <em>Into the Breach</em> with Michael Santarcangelo on September 16th</h3>
<p>On September 16<sup>th</sup>, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:</p>
<ul>
<li>Reveal the ideas and concepts that may have been pared from the chapter you just listened to</li>
<li>Expand upon or update the elements in the chapter you just listened to</li>
<li>Answer questions in a candid and direct style – focused on delivering insights that lead to results</li>
</ul>
<p>Go to <a href="http://www.configuresoft.com/securitycatalyst">www.configuresoft.com/securitycatalyst</a> today to <strong>register now</strong> and listen to the recorded sessions from before and get reminded to join in for the September session.</p>
<h3>You want more, so after listening…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engaging (not following) Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribing to The Security Catalyst podcast &amp; blog to get more insights</li>
<li>Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (dates now in Alaska, NYC and working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</li>
</ol>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/DhzUGivnaE8" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-2-people-just-want-to-do-their-jobs/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>

			<itunes:keywords>awareness,catalyst,compliance,emc,into the breach,santarcangelo</itunes:keywords>
		<itunes:subtitle> Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a compl...</itunes:subtitle>
		<itunes:summary>
Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs)
Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What youâll find in this episode (Chapter 2)
Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.
Go deeper Into the Breach with Michael Santarcangelo on September 16th
On September 16th, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:

	Reveal the ideas and concepts that may have been pared from the chapter you just listened to
	Expand upon or update the elements in the chapter you just listened to
	Answer questions in a candid and direct style – focused on delivering insights that lead to results

Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get reminded to join in for the September session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
	Subscribing to The Security Catalyst podcast &amp; blog to get more insights
	Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (dates now in Alaska, NYC and working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)
</itunes:summary>
		<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
		<itunes:explicit>clean</itunes:explicit>
	<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/jz7aeZSmlZU/ITB-Santarcangelo-CHAPTER-2.mp3" fileSize="13480326" type="audio/mpeg" /><feedburner:origLink>http://www.securitycatalyst.com/into-the-breach-%e2%80%93-audio-series-%e2%80%93-chapter-2-people-just-want-to-do-their-jobs/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/jz7aeZSmlZU/ITB-Santarcangelo-CHAPTER-2.mp3" length="13480326" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-2.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Call to Action: Give a Quarter for Quality</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/DXcIaPw7DQo/</link>
		<comments>http://www.securitycatalyst.com/call-to-action-give-a-quarter-for-quality/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 11:00:40 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[quality]]></category>
		<category><![CDATA[time management]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2234</guid>
		<description><![CDATA[by Ioana Justus
I had a very insightful meeting with my CIO last week about quality.  One of the questions I asked him is his advice on how to prioritize among many possible tasks when they are all of similar difficulty and impact.  This is the challenge we’ve been facing with improving quality – there are [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2235" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/for-mysite.jpg" alt="for mysite" width="145" height="150" />by Ioana Justus</p>
<p>I had a very insightful meeting with my CIO last week about quality.  One of the questions I asked him is his advice on how to prioritize among many possible tasks when they are all of similar difficulty and impact.  This is the challenge we’ve been facing with improving quality – there are many things that could/should be done, but each one has fairly localized impact, and none of them solve the bigger problem.  His response was that that’s what happens when you take a bottom-up view, and he suggested looking from the top-down instead.  He recommended looking at instilling accountability at the right levels, and all of those many smaller things would take care of themselves.  He’s right, of course, and we’re looking into ways to build that accountability.  In parallel, I’d like to start down this path in an organic fashion, too, by challenging everyone in IT to identify areas of quality that impact them (or where they impact others), and working to improve them.</p>
<p>“Yeah right, Ioana, I don’t have time to do that,” you say.  And that’s really the crux of the quality problem, isn’t it – time.  The biggest reason for not doing an adequate level of quality seems to always be time.  But is it really true that we don’t have time?</p>
<p>I’ve been playing with time lately in my personal life, because I was finding that I’ve been killing my Saturdays with house chores.  I’d let everything build up during the week (even opening mail) because I didn’t think I had time, and then I’d have to deal with it all on Saturday.  No single task takes very long, but ten minutes to water plants, fifteen to sort the mail, thirty to deal with the kitchen, and it adds up.  All told, my husband and I were each spending about 2 ½ hours each Saturday getting all the chores done.  Once finished, we’re too tired to do anything else that day.  So we ended up wasting an entire day – half a weekend! – for a lousy 2 ½ hours’ worth of chores.</p>
<p>Since maid and yard service are not currently in the budget, I thought I’d try something a little different: rather than letting it all pile up, how would it be if I spread it out?  What if I spent just 30 minutes every weekday?  But that still seemed like a lot – I’m too lazy and undisciplined to do 30 minutes of chores every evening, so I tried breaking it up even more.  I’ll spend 5 minutes each morning emptying or filling the dishwasher or wiping down the kitchen counters.  I deal with the mail as soon as I take it out of the box every day.  While my dinner is heating I’ll fold a load of laundry or brush the dogs.  By the end of the day, I find that I got through my list, and I didn’t even notice the time spent.  Sure, sometimes I really don’t feel like doing even the 5 or 10 minutes, but my incentive is a free Saturday, and it sure feels good when I get there.</p>
<p>Ultimately, quality is just one of the many chores of our collective work life.  It’s those extra little things that can make a big difference at the end of the day, but as long as we look at them as big chunks of work, we’ll always think we don’t have time.  But you do have 15 minutes, don’t you?  It’s just a quarter of an hour – 3% of your work day.  That’s all you need to start.  The first step is to brainstorm some things you can do to improve quality in ways that will result in saving yourself or others some time.  I’m sure you can come up with several good ideas in 15 minutes.  Here are some suggestions:</p>
<p>-        Support/Operations:</p>
<ul>
<li>List one or more procedures that you should know better to avoid escalation or repeating problems</li>
<li>List one or more “band-aid fixes” that regularly take your time to apply, that have a fairly straightforward permanent fix</li>
<li>Identify procedures that are not clear or that need to be updated</li>
</ul>
<p>-        Engineers/Architects:</p>
<ul>
<li>Identify where you or your peers are “re-creating the wheel” because one or more standards or processes isn’t documented</li>
<li>Identify old standards or processes that need to be updated, or placed in a more accessible location</li>
</ul>
<p>-        Project personnel:</p>
<ul>
<li>Identify documentation templates/artifacts that don’t make sense to fill out, and explain why they do not meet your needs and how to modify them to make them better</li>
<li>Identify and escalate risks to quality on your project, such as missed requirements or skipped reviews, making sure to articulate the risk in terms of potential cost or consequences</li>
</ul>
<p>Once you’ve come up with your list, pick an item from the list that you could fix within a month if you spent just a quarter of an hour a day on it.  Discuss this with your manager, and commit to getting it done.</p>
<p>There are about 1500 of us in my IT department – how many are in yours?  And if each person gave a quarter for quality every day for a month, what could be accomplished?  Will you commit to blocking off 15 minutes in your calendar every day in the month of September to make a difference?  Send me an email to let me know that you will, and tell me about your plan.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/DXcIaPw7DQo" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/call-to-action-give-a-quarter-for-quality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/call-to-action-give-a-quarter-for-quality/</feedburner:origLink></item>
		<item>
		<title>We’ve come a long way, baby…Or maybe not</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/Hg2GNYjzN4g/</link>
		<comments>http://www.securitycatalyst.com/weve-come-a-long-way-baby-or-maybe-not/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 13:05:25 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2262</guid>
		<description><![CDATA[by Trish Smith
Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers&#8217; group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field.
It is from that perspective that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/1141307_desert_road.jpg"><img class="alignright size-full wp-image-2263" title="1141307_desert_road" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/1141307_desert_road.jpg" alt="1141307_desert_road" width="300" height="224" /></a>by Trish Smith</p>
<p>Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers&#8217; group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field.</p>
<p>It is from that perspective that I write my articles; none more so than today.</p>
<p>Recently, I had the not-so-pleasant experience of trying out different software for my blog. I run a personal website that I&#8217;ve recently expanded from a simple blog to a source for information on cooking and food preservation. Not only did I have some immediate needs for the new information I was putting on the blog, but I also anticipated having needs that my current software (WordPress) would not be able to fulfill (things such as fillable forms, searchable lists, and more). At least, not in any easy or elegant way.</p>
<p>So the search began. I investigated two other website-building options: Joomla and Drupal. Well, to be perfectly honest, I only truly investigated Drupal; I looked into Joomla briefly and determined that it wouldn&#8217;t fit my needs. More precisely, I tried Scribd and found that it was too difficult for me to grasp quickly (of course, this is just my own experience; others may find they absolutely love it).</p>
<p>I spent an entire day exploring Drupal; I downloaded it and installed it on my server, and then began building my website.</p>
<p>Twenty-four hours later, I&#8217;m back on Wordpress (much like a misbehaving spouse, grateful to their partner for giving them a second chance after having strayed: &#8220;Oh Wordpress, I&#8217;m so sorry and it will NEVER HAPPEN AGAIN.&#8221;), and appreciating it more than ever.</p>
<p>So what have I learned from this experience that you could learn from (because really, why else would I write about it if not to help all of you out)?</p>
<p>First, I learned that &#8220;more complex/difficult/advanced&#8221; does not necessarily mean better. I thought that the increased flexibility (and as a result, increased complexity) of Drupal would be an advantage to building my website, but this is not always the case. Think of this phenomenon as occurring on a curve; not enough flexibility will hinder you, but more flexibility is useful only to a certain extent. After that point, more flexibility/complexity will begin to get in your way just as much as not enough of it will.</p>
<p>Second, I learned (firsthand) the adage about test-driving software on a local host (such as your desktop computer) before installing it on your server (and deleting your old software). If things don&#8217;t work out, you&#8217;ll have a LOT less work to do. Think of this as a safety net, just in case you need to change back. If you do try it on the live server anyway, take a full backup first and remove the abandoned install when you are done &#8211; an unused, unpatched CMS left sitting on a web server is an easy target. I would have easily saved myself four or five hours of work, even though some of the work was unavoidable because I changed my theme.</p>
<p>Third, I learned that failure is always an option. Specifically, I learned not to be so tied to the success of any new venture that I can&#8217;t admit that it&#8217;s not working, and that I need to try something else (or even return to my old software). Perhaps a better way to think of it is not as failure, but as a way to explore and determine the best option for you and whatever you&#8217;re developing. Would it have been better for me (and my website) to stick with Drupal, becoming increasingly frustrated with my own inability to grasp it (and becoming increasingly vociferous about it on Twitter, which really helps no one)? In this case, giving up the Drupal experiment was the best option (for me and for all 1800+ of my followers on Twitter).</p>
<p>Finally, I learned the best lesson of all: Try it, try it all, because it&#8217;s the only way you learn. I may have switched back to Wordpress from Drupal, but I&#8217;ve taken the lessons I learned from my Drupal experience and used them to improve my website on Wordpress. And ultimately, isn&#8217;t that the lesson we should learn in all our endeavors &#8211; on- and offline?</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/Hg2GNYjzN4g" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/weve-come-a-long-way-baby-or-maybe-not/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/weve-come-a-long-way-baby-or-maybe-not/</feedburner:origLink></item>
		<item>
		<title>R-e-s-p-e-c-t, what does that mean to you ?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/5YG6Q3Pb2Uo/</link>
		<comments>http://www.securitycatalyst.com/r-e-s-p-e-c-t-what-does-that-mean-to-you/#comments</comments>
		<pubDate>Tue, 25 Aug 2009 11:03:56 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2237</guid>
		<description><![CDATA[
by Wim Reimes
I often wonder whether it is me or &#8216;them&#8217;.  It&#8217;s been too long that I&#8217;ve given &#8216;them&#8217; the benefit of the doubt and, unfortunately, the day has come to fulminate against those who voluntarily or unknowingly abuse language.
Language, whichever is your mother tongue, is a gift.  It has been created, improved, [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-2241 alignright" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/pen-Copy.jpg" alt="pen Copy" width="178" height="136" /></p>
<p>by Wim Reimes</p>
<p>I often wonder whether it is me or &#8216;them&#8217;.  It&#8217;s been too long that I&#8217;ve given &#8216;them&#8217; the benefit of the doubt and, unfortunately, the day has come to fulminate against those who voluntarily or unknowingly abuse language.</p>
<p>Language, whichever is your mother tongue, is a gift.  It has been created, improved, and nourished to enable human beings to communicate with each other. To make clear what cannot otherwise be understood, to transmit a message that cannot otherwise be transmitted.</p>
<p>It&#8217;s a given that English is not my primary language; in fact, it&#8217;s not even my second. This doesn&#8217;t hold me back, whenever I&#8217;m using it, to use it to the best of my ability.  Yes, I might be somewhat of a perfectionist, but the main reason is that I have the utmost respect for the person who chooses to spend some of her valuable time to sit down and read my musings, much less listen to them.  And that, my friends, is the crux of this message.</p>
<p>I admit that IT people usually don&#8217;t have a strong affinity for communication, but in my (extremely) humble opinion, the use of language is what sets apart the &#8220;better&#8221; from the &#8220;good&#8221;.  Any poorly written offer, documentation, web page, customer testimonial, or e-mail shows your lack of interest in the person who will have to read it. It sends cold shivers down my spine.</p>
<p>Some tips to make your writing better:</p>
<ul>
<li>Read it out loud.  If it doesn&#8217;t sound good when you say it, it will not look good when it&#8217;s read.</li>
<li>Allow for peer review.  Apart from the technical adjustments, ask your reviewer her opinion on it. Every mistake found is one less made.</li>
<li>Use a dictionary.  There are plenty of free dictionaries online.  If you are really desperate, Google the word.  If it&#8217;s wrong, you have a 99% chance that Google (or your preferred search engine) will correct you. If it&#8217;s right, you can see the word being used in a context.</li>
<li>Use synonyms.  There&#8217;s nothing more annoying than seeing the same word appear three times on the same page. Be creative with words; it will dramatically improve the reading experience.</li>
<li>Write often.  Blogging is good exercise. So is writing articles, submitting papers, etc.  The more you write, the easier it becomes.  You might even become a master of word-fu in due time.</li>
<li>Every written document has a beginning, a middle and an end.  It&#8217;s the basic format of a story and it&#8217;s the format that allows for the easiest read.  Even if you are writing a 100-page answer to an RFP, sticking with this idea will improve your document.</li>
</ul>
<p>The power of the written word is limitless.  It can backfire just as hard &#8230;</p>
<p>(credit for <a href="http://www.sxc.hu/photo/1148004">the picture</a> to Kriss Szkurlatowski.)</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/5YG6Q3Pb2Uo" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/r-e-s-p-e-c-t-what-does-that-mean-to-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/r-e-s-p-e-c-t-what-does-that-mean-to-you/</feedburner:origLink></item>
		<item>
		<title>Succeeding By Planning to Fail</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/_UXKY6DhLOw/</link>
		<comments>http://www.securitycatalyst.com/succeeding-by-planning-to-fail/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 11:00:20 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2166</guid>
		<description><![CDATA[by Martin Fisher
As security professionals, it&#8217;s hard to admit to to our bosses (and ourselves) that all of the work we&#8217;ve done to prevent compromise sometimes isn&#8217;t enough.  We don&#8217;t like to think about  the possibility that the money and time invested in technology might not prevent an incident from occurring.  That&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>by Martin Fisher<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/break_in_the_wall.jpg"><img class="alignright size-full wp-image-2224" title="break_in_the_wall" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/break_in_the_wall.jpg" alt="break_in_the_wall" width="300" height="224" /></a></p>
<p>As security professionals, it&#8217;s hard to admit to our bosses (and ourselves) that all of the work we&#8217;ve done to prevent compromise sometimes isn&#8217;t enough.  We don&#8217;t like to think about the possibility that the money and time invested in technology might not prevent an incident from occurring.  That&#8217;s why I proposed, in my previous article, the following basic truth for Incident Response Leadership:</p>
<p>Basic Truth #1: Assume You Will Fail</p>
<p>One of the issues we face in Incident Response is how we frame success and failure.  Too often we define our success with phrases like, “we&#8217;ve never been hacked” or, “our systems have never been breached”.  These phrases fly in the face of the fact that no system is 100% secure.  They dismiss the fact that a sufficiently motivated (or lucky) intruder can get in.</p>
<p>So, re-framing and redefining &#8220;success&#8221; is key to actually being successful.  How do we do that?</p>
<p>First, we have to publicly acknowledge to our bosses, peers, and team that we expect that some small percentage of hosts and devices on the network will someday become compromised.  It could be malware, it could be an intrusion; it could be almost anything. We need to help our teams and bosses realize that it&#8217;s not only okay to find these flaws, but that it&#8217;s actually a vital part of keeping our environment secure.</p>
<p>Second, we have to have a set of plans, procedures, and technology in place that allow for continuous monitoring and detection of problems in the environment.  As leaders, we need to push for thorough and repeated examination of our environments and celebrate each and every compromised system our teams identify, contain, and eradicate.  We must inculcate a philosophy that finding “nothing wrong” is more a sign that detection systems and processes need improvement, than it is a sign of successful prevention.</p>
<p>Lastly, and most importantly, we have to build the right networks of people, processes, and capabilities to make the most of the monitoring and planning.  As Incident Response Leaders, our most critical mission is to build effective individuals and teams that can stand up to the pressures of Incident Response.</p>
<p>But, you ask, how do I do this?  It isn&#8217;t easy – but Incident Response Leadership rarely is&#8230;</p>
<p>To start the process, you need to sit down and honestly assess your network. Bring in some trusted outside advisers if you need to. Are you really keeping anti-virus updated on all of your systems?  Are you deploying operating system and application patches in a timely fashion?  Are your IDS/IPS systems workable?  How much screening do your firewalls really do?  If you put on your blackhat – how many ways could you penetrate your network?</p>
<p>Once you&#8217;ve completed the process of seeing exactly how secure (or insecure) your environment really is, take a deep breath.  The natural response to this kind of in-depth assessment is to think that the world is collapsing and that only huge amounts of effort can ever fix it.  Remember, you aren&#8217;t here (necessarily) to fix those infrastructure issues right now; you are here to develop the ability to respond to incidents right now.</p>
<p>Now, take the list of perceived weaknesses and map out, using existing resources, how you intend to respond to this kind of incident.  Don&#8217;t develop detailed plans right now – that comes later. Just identify how you can respond with what you&#8217;ve already got.  A quick spreadsheet should do the trick here.</p>
<p>Next, invite your boss to have a cup of coffee with you.  Let the boss know what you&#8217;ve been doing and the relative assessment of the network (remembering that the sky, more than likely, isn&#8217;t really falling).  Show the boss how you intend to respond to the potential incidents using your map.  The key to this meeting is being calm, professional, and not sounding like a) Chicken Little or b) you are about to ask for a ton of new resources.  You need to show how you are going to realign your existing resources (which have been good enough so far, right?) to meet the challenge.</p>
<p>The key part of that conversation is to start the process of setting realistic expectations with the boss.  Share the truth that you&#8217;re doing everything you can; that a lucky and/or motivated adversary could still compromise the system; and that, being the Incident Response Leader that you are, you are going to develop the plan and the team to identify, contain, and eradicate any and all intrusions.</p>
<p>Once you&#8217;ve got buy-in from your boss you&#8217;re ready to tackle the next Basic Truth: Have a Workable Plan. But that&#8217;s for the next article.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/_UXKY6DhLOw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/succeeding-by-planning-to-fail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/succeeding-by-planning-to-fail/</feedburner:origLink></item>
		<item>
		<title>The GOAL of Security</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/dcY4PSmOgHc/</link>
		<comments>http://www.securitycatalyst.com/the-goal-of-security/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 11:44:34 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[Goals]]></category>
		<category><![CDATA[productivity]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1914</guid>
		<description><![CDATA[by Ron Woerner
Do you know THE Goal of your organization?  Why does it exist? What’s its purpose?
Even if you work for a “security company,” its main goal is not security (or at least it shouldn’t be).  I know that this sounds like sacrilege, but it’s not.  The main goal of most private sector companies is [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/taregt.jpg"><img class="alignright size-full wp-image-2219" title="taregt" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/taregt.jpg" alt="taregt" width="300" height="225" /></a>by Ron Woerner</p>
<p>Do you know THE Goal of your organization?  Why does it exist? What’s its purpose?</p>
<p>Even if you work for a “security company,” its main goal is not security (or at least it shouldn’t be).  I know that this sounds like sacrilege, but it’s not.  The main goal of most private sector companies is to make money.  In most companies, providing security doesn’t make money.  It’s an operational expense or an investment.</p>
<p>I’m currently reading The Goal, A Process of Ongoing Improvement by Eliyahu M. Goldratt.  It has reminded me of the importance of knowing the goals of your company.  All activities of the company should be moving it toward its goals of being profitable.  “If the company doesn’t make money by producing and selling products (or services), or by maintenance contracts, or by selling some of its assets, or by some other means … the company is finished… an action that moves us (the company) toward making money is productive.  And an action that takes away from making money is non-productive.”</p>
<p>My impression is that many security professionals lose sight of their company’s goals.  It’s happened to me. I’ve gone through the motions of securing stuff without realizing how it moves the company toward making money.  In my enthusiasm for security, I’ve been guilty of non-productive activities that could harm my company.</p>
<p>Security professionals live in a world of paradox.  Too much protection and our people can’t be productive.  Not enough and the business takes too much risk, which can also cause non-productivity.  With the right balance, we can move the company toward profitability.  The challenge is determining that balance.</p>
<p>Here are three tips for maintaining a balanced security program that will meet your organization’s goals:</p>
<ol>
<li>Know your organization’s goals.  You need to collaborate and ask questions to determine what makes your organization tick.  Understand how it makes money.  For public or non-profit organizations, find out the reason for its being.  If you don’t understand your organization, then how can you properly secure it?</li>
<li>Know your organization’s risk appetite.  The next step is to understand the amount of risk your organization is willing to take.  This is a business decision, not a security decision, and should be based on the organization’s goals.  If your organization is in the manufacturing sector, it may very well be willing to take many more risks.  On the other hand, financial sector businesses with an Internet presence may have a very low tolerance for risk.  The only way to determine this is to ask.</li>
<li>Create a security program based on the organization’s goals and risk appetite.  Your security program should move the organization toward productivity and making money, not away from it.  The protections you recommend, implement, and maintain should always be driving the organization toward its goals.  They should also be in-line with their risk appetite.</li>
</ol>
<p>In everything you do, ask yourself, “Is this moving us toward or away from our goals?”  If it’s away, then reconsider your actions. The security protections you have may be appropriate in your mind, but are they really right for the organization?  This can be a humbling experience, but it can also win you a lot of respect when you’re willing to compromise.</p>
<p>If you remember The Goal, your security program will go far.</p>
<p>And remember, “By working together, we all become stronger.”</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/dcY4PSmOgHc" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-goal-of-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/the-goal-of-security/</feedburner:origLink></item>
		<item>
		<title>The Auditor’s Prerogative</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/ndc5_MIBnlg/</link>
		<comments>http://www.securitycatalyst.com/the-auditors-prerogative/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 11:00:09 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2135</guid>
		<description><![CDATA[by Jeff Kirsch
In my 13 years of experience as an auditor, I have found that the people I audit do not tell the truth.
That&#8217;s right; they tell me what they think I want to hear, they encourage me to believe they are honest, and then when I investigate further I always discover it&#8217;s all lies. [...]]]></description>
			<content:encoded><![CDATA[<p>by Jeff Kirsch<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/230914_9843.jpg"><img class="alignright size-medium wp-image-2210" title="230914_9843" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/230914_9843-300x225.jpg" alt="230914_9843" width="300" height="225" /></a></p>
<p>In my 13 years of experience as an auditor, I have found that the people I audit do not tell the truth.</p>
<p>That&#8217;s right; they tell me what they think I want to hear, they encourage me to believe they are honest, and then when I investigate further I always discover it&#8217;s all lies. So I&#8217;ve come to the conclusion that the best thing to do when asked questions is to lie right back.</p>
<p>Auditing is not about making friends or helping improve the controls of a particular environment. Auditing is simply about finding out what people screwed up, and raking them over the coals until they cry out for mercy. Of course, the word &#8220;mercy&#8221; does not exist in the auditor&#8217;s dictionary, so instead you&#8217;ll need to humiliate the people who erred until they quit in shame.</p>
<p><strong>Defensive Audit Techniques</strong></p>
<p>Audits begin with a meeting between the auditor and those who are to be audited, otherwise known as auditees. This term is useful in depersonalizing your relationship with the auditee into a meaningless, unemotional concept. The first meeting is the perfect opportunity to set the auditee up for potential failure, or at a minimum to begin to establish trust by assuring them that they can tell you &#8220;the dirt&#8221; without fearing retribution. It is recommended you use phrases such as, &#8220;I am here to help you improve your environment.&#8221; Another of my personal favorites to lay on the auditee is, &#8220;We are not here to play &#8216;gotcha&#8217;&#8221;. Of course, make sure you say this with a thinly-veiled evil grin that you attempt to pass off as compassion and sympathy. Make sure you also throw around confusing audit terms such as &#8220;compensating controls&#8221; and &#8220;scope creep&#8221; to throw them off.</p>
<p>Since you know that the auditee will not be honest, you must resort to established tactics to obtain accurate information. For example, if you need configurations from a system, request a meeting with the newest staff member under the guise of corroborating evidence. Since new staff members have not been jaded or burned by a previous audit, they are more willing to give you what you want without asking questions. If this is not an option, try stocking your request for information with several items you know will draw more attention than you really want. In their effort to vet the more complex stuff, auditees usually overlook a seemingly benign request for configurations.</p>
<p>Once you have the information, the auditee will want feedback as to your findings. This is a trap, especially when it happens early in the audit process. Telling them you found something wrong that is potentially significant will immediately shut off access to more information that you might need. In these situations it is best to use phrases such as, &#8220;I am not sure if that is a problem, I need to talk with my manager.&#8221; This accomplishes two goals. The most obvious is that it shifts the blame to some unseen, and probably non-existent, person. Shifting blame is crucial to keeping the thin veil of trust pulled over the auditee&#8217;s eyes. Secondly, you postpone your potentially career-ending findings until after you have all the information you need. Dropping failures on the auditee at the last minute minimizes their chance for survival.</p>
<p>The final act of finesse is delivering the report. You are going to have an ongoing relationship with the auditee, usually not by their choice, which means you need to eliminate any chance that the people you are humiliating will be around for the next audit. Approach the meeting with an expression of deep concern for the environment, and stress that what you found isn&#8217;t personal. &#8220;You are working with what little resources you have, and it is difficult maintaining a control environment under those conditions,&#8221; always lets the people who will still be around know you understand their plight. Making the auditees who remain believe that you just saved their careers will greatly increase your chances to play &#8220;gotcha&#8221; in future audits.</p>
<p><strong>Retrospective</strong></p>
<p>In my 13 years as an auditor I have found that people are afraid of what they don&#8217;t understand. Auditors have gained a reputation, either justly or not, as people who are out simply to find every flaw they can. Auditors test to ensure controls are in place and operating effectively, but need to report when they find controls that fail. An audit is intended to help strengthen controls and give the company assurance that the controls you have work. We can move through our day thinking that what we say happened is what actually happened. But what happens to your credibility, and the reputation of your company, when you suddenly realize you were wrong? Having a good relationship with your auditor does not mean you have to be friends, but it does mean you need to find common ground to share trust. As an auditor I cannot ignore a failure in the control environment, but I can work with the auditee to make sure my understanding of the control environment is accurate. After having a conversation about findings, the auditor may find there are other controls mitigating the impact of a failure.</p>
<p>My satirical portrayal of the &#8220;evil auditor&#8221; was an effort to evoke emotions you may have during an audit. It is there to help you consider what type of relationship you and your auditor have, and give a push to start a dialogue. Working together with your auditor is not always fun, especially after eight-hour interrogations, but it can be a process that helps your organization and you achieve better results. But the next time an auditor knocks on your door, wait until after they leave to curl up under your desk &#8211; seeing that tends to inflate their egos.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/ndc5_MIBnlg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-auditors-prerogative/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/the-auditors-prerogative/</feedburner:origLink></item>
		<item>
		<title>Insider Threat or Risk?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/HwDli1vRQHY/</link>
		<comments>http://www.securitycatalyst.com/insider-threat-or-risk/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 11:03:19 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2140</guid>
		<description><![CDATA[by Dennis Kuntz
Most folks who work in information security are well-aware of the concept of the “insider threat”. There has been quite a bit of press about the fact that while hackers get so much of the notoriety from the popular press (especially when they fit the stereotype), insiders actually pose a greater threat to [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/riskthreat.jpg"><img class="alignright size-full wp-image-2141" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/riskthreat.jpg" alt="riskthreat" width="425" height="282" /></a></strong>by Dennis Kuntz</p>
<p>Most folks who work in information security are well-aware of the concept of the “<a href="http://encyclopedia2.thefreedictionary.com/insider+threat">insider threat</a>”. There has <a href="http://www.mxlogic.com/securitynews/network-security/cisos-see-insiders-as-greatest-human-threat-to-data-security132.cfm">been</a> quite <a href="http://search.techrepublic.com.com/search/insider+threat.html">a bit</a> of <a href="http://findarticles.com/p/articles/mi_m0BJK/is_9_12/ai_78355284/">press</a> about the fact that while <a href="http://news.yahoo.com/fc/tech/hackers_and_crackers">hackers get so much of the notoriety</a> from the popular press (especially when they fit the <a href="http://www.hotflick.net/flicks/2007_Live_Free_or_Die_Hard/007LFD_Kevin_Smith_002.jpg">stereotype</a>), insiders actually pose a greater threat to important data.</p>
<p>As well, many information security practitioners are at least conceptually aware of the idea of “<a href="http://www.owasp.org/index.php/Threat_Risk_Modeling">Threat Risk Modeling</a>”, i.e. focusing resources toward those risks that are actually more likely to happen, with the emphasis being on those that are most likely to happen <strong><em>and</em></strong> pose the greatest potential for loss/damage.</p>
<p>Putting those two together, one would reasonably assume that many responsible for information security are putting a good amount of their resources and efforts into countering that insider threat, right? But even if that’s the case, is stopping a malicious insider really the best and most effective place to put countermeasures?</p>
<p>In an <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1482">interesting post</a> by <a href="http://www.rsa.com/blog/blog.aspx?author=wallace">Nicki Wallace</a> on RSA’s “<a href="http://www.rsa.com/blog/blog.aspx">Speaking of Security</a>” blog, she discusses the differentiation between the insider <strong><em>threat</em></strong>, and insider <strong><em>risk</em></strong>:</p>
<blockquote><p><em>“Deliberate <strong>insider threats</strong> are caused by employees who actively set out to exploit an organization&#8217;s security vulnerabilities, to cause harm or for personal gain….[However,] organizations cannot afford to turn a blind eye to the wider <strong>insider risk</strong> from employees who accidentally or negligently cause vulnerabilities to data or system security. [Emphasis mine]”</em></p></blockquote>
<p>She links to a <a href="http://www.channelinsider.com/c/a/Security/Under-Siege-Where-Security-Help-Is-Needed-Most/">survey</a> by <a href="http://www.comptia.org/home.aspx">CompTIA</a> that finds that human error and negligence are actually – or should be – bigger concerns to companies. These situations are generally where the intentions of the insider can actually be noble: bringing the work with them so that they can get more done. In doing so, the laptop, USB key, or some other media containing sensitive data is lost, misplaced, etc.</p>
<p>Michael Santarcangelo addresses this specific concept in “<a href="http://www.securitycatalyst.com/innovation/into-the-breach/">Into the Breach</a>” and follows through with methods for increasing security awareness with the individuals who &#8220;own&#8221; the data, which is very often <strong><em>not</em></strong> the IT security guy/gal. He talks about how companies can make those data owners more aware <strong><em>and</em></strong> responsible for their actions, which ultimately will minimize those same individuals putting themselves into situations where these oversights can occur.</p>
<p>That all being said, where are you focusing your efforts and resources? Are you and/or your company still focusing on using the traditional technology-centric means of dealing with <strong><em>threats</em></strong> – internal and external – while possibly missing out on where the real <strong><em>risks</em></strong> may actually be?</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/HwDli1vRQHY" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/insider-threat-or-risk/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/insider-threat-or-risk/</feedburner:origLink></item>
		<item>
		<title>Quality and Security – Same Song, Different Verse</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/TK--NMDkypQ/</link>
		<comments>http://www.securitycatalyst.com/quality-and-security-%e2%80%93-same-song-different-verse/#comments</comments>
		<pubDate>Thu, 06 Aug 2009 11:00:28 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2138</guid>
		<description><![CDATA[by Ioana Justus
In April of this year, I was assigned to lead a Quality program for all of IT at my company.  Meaning, I and my team are supposed to significantly improve the quality of IT’s deliverables in the next couple of years.  This improvement in quality is supposed to reduce support costs, reduce incidents [...]]]></description>
			<content:encoded><![CDATA[<p>by Ioana Justus<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/06/for-mysite.jpg"><img class="alignright size-full wp-image-1964" title="for mysite" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/for-mysite.jpg" alt="for mysite" width="145" height="150" /></a></p>
<p>In April of this year, I was assigned to lead a Quality program for all of IT at my company.  Meaning, I and my team are supposed to significantly improve the quality of IT’s deliverables in the next couple of years.  This improvement in quality is supposed to reduce support costs, reduce incidents and downtime, speed delivery through the creation of reusable materials, ensure we have proper testing environments, etc.  Of course a lot of this implies the need for training and behavior changes, which opens up the people change management can of worms.  It still makes my head spin when I think about our scope.</p>
<p>I also still ask myself, why me?  Why is an InfoSec Manager with expertise in identity and access management being asked to make changes that impact the worlds of (just to name a few) project managers, testing, delivery, operations, and support?  What do I know about these things?</p>
<p>When I asked the leadership this initially, the responses I got were things like, I have a good perspective on customer service, I’m familiar with the support and infrastructure teams, and I have a reputation for getting things done.  OK, I buy that.  I think they also wanted an impartial outsider – since I’m not part of any of the organizations impacted by the work, I’m more likely to be impartial.  I buy that, too.</p>
<p>What I really wonder is if they realized just how much my InfoSec background really plays into this new role – am I slow in discovering what they’ve known all these months, or is it just an interesting coincidence?  The reality is, it’s SCARY how similar quality and security are.  I was reading a Gartner presentation on aligning InfoSec with the business a few days ago, and realized somewhere in the middle that I could replace the word “security” with the word “quality” in the entire presentation and the statements would be just as true.</p>
<p>Think about it:  what is security?  Security is the set of practices, processes, and technologies that for the most part no one wants to deal with.  They’re often viewed as extra work.  Most people buy into security only because it’s required and because if they don’t, bad things happen.  But what happens when you do good security?  Nothing.  No denial of service attacks, no lost data, no hacks, no unexpected downtime, no firedrills, no audit findings, no… you get the picture.</p>
<p>And what is quality?  Quality is the set of practices, processes and technologies that for the most part no one wants to deal with.  They’re often viewed as extra work.  Most people don’t buy into quality because it’s not required but when they don’t do it, bad things happen.  And what happens when you do good quality?  Nothing.  No unexpected downtime, no rework on designs, no missed requirements, no customer complaints, no 3am support calls…  See what I mean?</p>
<p>In one way, security is easier than quality because there are legal requirements for it.  But quality is easier than security in that the consequences of bad quality are much more visible and easy to understand than the consequences of bad security.</p>
<p>So now what?  In my last blog post, I pointed out that the unintended consequence of rewarding too much speed is getting not enough quality.  Interestingly, when it comes to something like project delivery, customers continue to reward speed at the expense of quality even after having numerous bad experiences.  Why?  Well, for one thing, speed equals money and it’s hard to argue with that.  We’re also very much an instant gratification culture – “wait” is a four-letter word.  But the key issue is that the customer experience is negative.  Remember – it’s the positive experiences that drive the behavior, not the negative ones (this is very true in InfoSec, too).  This brings us back to Nothing.  Once we can demonstrate to the customer base that good quality leads to Nothing, they will reward Nothing, which will in turn encourage quality.</p>
<p>It would seem that my job is once again to sell everyone on the virtues and benefits of Nothing – in a bad economy no less.  *sigh*</p>
<p>Then again, Seinfeld made a lot of money on Nothing, so maybe I’m sitting on a gold mine and just don’t know it yet. <img src='http://www.securitycatalyst.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/TK--NMDkypQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/quality-and-security-%e2%80%93-same-song-different-verse/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/quality-and-security-%e2%80%93-same-song-different-verse/</feedburner:origLink></item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 1 (Breach: A Human Problem)</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/ynMEGg6MmJg/</link>
		<comments>http://www.securitycatalyst.com/into-the-breach-audio-series-chapter-1-breach-a-human-problem/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 00:54:36 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News and Events]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[security awareness]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2201</guid>
		<description><![CDATA[Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem)
Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by [...]]]></description>
			<content:encoded><![CDATA[<h3>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem)</h3>
<p>Welcome to the audio series of <strong><em><a href="http://www.securitycatalyst.com/innovation/into-the-breach/">Into the Breach: Protect Your Business by Managing People, Information and Risk</a> </em></strong>(<a href="http://www.securitycatalyst.com/buy-into-the-breach/">click this link to learn more about this book and pick up a complete copy – to get started on your personal journey</a>). This series, underwritten by <a href="http://www.configuresoft.com/securitycatalyst.aspx">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this episode (Chapter 1)</h3>
<p>Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.</p>
<h3>A personal invitation to go deeper <em>Into the Breach</em> with Michael Santarcangelo</h3>
<p>In two weeks, join Michael Santarcangelo for an insider’s perspective and live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:</p>
<ul>
<li>Reveal the ideas and concepts that may have been pared from the chapter you just listened to</li>
<li>Expand upon or update the elements in the chapter you just listened to</li>
<li>Answer questions in a candid and direct style – focused on delivering insights that lead to results</li>
</ul>
<p>Did you miss the in-depth discussion with Michael about the Introduction? If so, go to <a href="http://www.configuresoft.com/securitycatalyst">www.configuresoft.com/securitycatalyst</a> today to <strong>register now</strong> and listen to the recorded session and get reminded to join in for the August session.</p>
<h3>You want more, so after listening…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engaging (not following) Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribing to The Security Catalyst podcast &amp; blog to get more insights</li>
<li>Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV</li>
</ol>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=ynMEGg6MmJg:4C8ihFcGyKY:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=ynMEGg6MmJg:4C8ihFcGyKY:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=ynMEGg6MmJg:4C8ihFcGyKY:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=ynMEGg6MmJg:4C8ihFcGyKY:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/ynMEGg6MmJg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/into-the-breach-audio-series-chapter-1-breach-a-human-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>

			<itunes:keywords>breach,catalyst,Information Protection,into the breach,security awareness</itunes:keywords>
		<itunes:subtitle>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy –...</itunes:subtitle>
		<itunes:summary>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem)
Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What youâll find in this episode (Chapter 1)
Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.
A personal invitation to go deeper Into the Breach with Michael Santarcangelo
In two weeks, join Michael Santarcangelo for an insider’s perspective and live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:

	Reveal the ideas and concepts that may have been pared from the chapter you just listened to
	Expand upon or update the elements in the chapter you just listened to
	Answer questions in a candid and direct style – focused on delivering insights that lead to results

Did you miss the in-depth discussion with Michael about the Introduction? If so, go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded session and get reminded to join in for the August session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
	Subscribing to The Security Catalyst podcast &amp; blog to get more insights
	Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV
</itunes:summary>
		<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
		<itunes:explicit>clean</itunes:explicit>
	<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/IByPefweaaM/ITB-Santarcangelo-CHAPTER-1.mp3" fileSize="8853606" type="audio/mpeg" /><feedburner:origLink>http://www.securitycatalyst.com/into-the-breach-audio-series-chapter-1-breach-a-human-problem/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/IByPefweaaM/ITB-Santarcangelo-CHAPTER-1.mp3" length="8853606" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-1.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Least Privilege</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/wL38Yl638pw/</link>
		<comments>http://www.securitycatalyst.com/least-privilege/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 11:00:47 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2146</guid>
		<description><![CDATA[by Carl Anctil
The principle of least privilege is quite simple. The concept is to provide users with just enough privilege to perform their duties. But how do you apply this principle in a home environment?
For the home user, the least privilege principle is applied by using a normal, basic user account (not an administrator account). [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-2147" href="http://www.securitycatalyst.com/least-privilege/power/"><img class="alignright size-medium wp-image-2147" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/power-300x199.jpg" alt="power" width="300" height="199" /></a>by Carl Anctil</p>
<p>The principle of least privilege is quite simple. The concept is to provide users with just enough privilege to perform their duties. But how do you apply this principle in a home environment?</p>
<p>For the home user, the least privilege principle is applied by using a normal, basic user account (not an administrator account). With this method, people can effectively limit the potential damage should that account get compromised or otherwise infected with malware. This is possible because a normal user's access is limited to the non-administrative areas of the operating system.</p>
<p>The <em>concept</em> or <em>principle</em> has been used in Unix and Linux for a long time. In fact, the Unixes have always had the benefit of the &#8220;<em>root</em>&#8221; super user account for performing administrative tasks. Users log in using their regular account for everyday duties and only switch when they need to increase their privilege to complete an administrative task. They SU (switch user) to the <em>super user</em> (root) temporarily to complete the necessary administrative task.</p>
<p>On the Windows platform, users should also use a normal, basic user account for everyday use. Since the release of Vista, Microsoft has introduced this principle via <em>User Account Control</em> (UAC). This is a new feature in Windows and one that has caused many frustrations among Vista users. The reason behind this frustration is that before the release of Microsoft Vista, most Windows users were able to run everyday tasks with elevated privileges such as the local administrator on the computer. With the introduction of UAC, this is now impossible, because every user runs with limited privileges. When a user attempts to perform an administrative task, a pop-up is presented with a dialogue requesting the password for the currently logged-in user before permitting a more elevated privilege mode. This pop-up is the kind of dialogue that users who are not familiar with the <em>least privilege principle</em> find frustrating and annoying. They didn&#8217;t have to deal with it before, and don&#8217;t fully understand the security benefits.</p>
<p>UAC in general is actually a very good thing. It&#8217;s designed to prevent malware from installing itself without user intervention. It also provides the user with a mental pause to perhaps help prevent mistakes before they are carried out. I hope people will learn to appreciate and understand the importance of the <strong>least privilege principle</strong>.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=wL38Yl638pw:l09GXnF7Uvw:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=wL38Yl638pw:l09GXnF7Uvw:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=wL38Yl638pw:l09GXnF7Uvw:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=wL38Yl638pw:l09GXnF7Uvw:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/wL38Yl638pw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/least-privilege/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/least-privilege/</feedburner:origLink></item>
		<item>
		<title>Revisit the basics</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/AJ_KGxnG4E4/</link>
		<comments>http://www.securitycatalyst.com/revisit-the-basics/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 11:00:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2179</guid>
		<description><![CDATA[by Trish Smith
As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. [...]]]></description>
			<content:encoded><![CDATA[<p>by Trish<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC.jpg"><img class="alignright size-medium wp-image-2180" title="ABC" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC-300x264.jpg" alt="ABC" width="300" height="264" /></a> Smith</p>
<p>As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. But something happened today that reminded me that even the more knowledgeable among us can forget to be cautious when we are online.</p>
<p>I was on Twitter this morning (my username there is @Astrogirl426, if you&#8217;d like to add me to your follower list) when I began seeing tweets about a new service called &#8220;Twitviewer&#8221;. This service offered to let Twitter users find out who had recently viewed their Twitter page. Curious, I clicked the link and was sent to the Twitviewer home page, where I was prompted to enter my Twitter username and password.</p>
<p>Hopefully, this is the point at which anyone with a moderate amount of experience online would stop and think, &#8220;Hmm, this might not be a great idea. Let me wait and see if this service turns out to be legit.&#8221; Let me state here that there ARE some legitimate Twitter services that require you to enter your username and password to access them (TwitPic is just one of several). However, a brand-new service that requires your login information should always be approached with caution &#8211; if for no other reason than to see if any reports of &#8220;suspicious activity&#8221; surface.</p>
<p>Unfortunately, over the next few hours I saw quite a few of the people I follow on Twitter using the service (I knew this because the service sends out an automatic tweet from the individual when they use it for the first time). Sure enough, later in the afternoon I began reading warnings from Twitter against giving Twitter login information to this service.</p>
<p>So what did I learn from this? What can YOU learn from this? That even as people become more sophisticated about computers in general, and security in particular, we need to revisit the basics with them from time to time to remind them that these lessons are still important, and still relevant. And if you were one of those who used the Twitviewer service &#8211; change your password!</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=AJ_KGxnG4E4:3VsQ7_JpJmw:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=AJ_KGxnG4E4:3VsQ7_JpJmw:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=AJ_KGxnG4E4:3VsQ7_JpJmw:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=AJ_KGxnG4E4:3VsQ7_JpJmw:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/AJ_KGxnG4E4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/revisit-the-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/revisit-the-basics/</feedburner:origLink></item>
		<item>
		<title>Incident Response Leadership: Basic Truths</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/BZaWYt2htro/</link>
		<comments>http://www.securitycatalyst.com/incident-response-leadership-basic-truths/#comments</comments>
		<pubDate>Tue, 28 Jul 2009 11:00:10 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2163</guid>
		<description><![CDATA[by Martin Fisher
An organization might spend  hundreds of thousands of dollars to implement just one security infrastructure. Millions of dollars can be spent creating a security environment that provides an  extensive defense against all nature of attacks and threats.  But the true value of that substantial investment can never be realized until [...]]]></description>
			<content:encoded><![CDATA[<p>by Martin Fisher<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/signpost.jpg"><img class="alignright size-medium wp-image-2172" title="signpost" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/signpost-300x200.jpg" alt="signpost" width="300" height="200" /></a></p>
<p>An organization might spend  hundreds of thousands of dollars to implement just one security infrastructure. Millions of dollars can be spent creating a security environment that provides an  extensive defense against all nature of attacks and threats.  But the true value of that substantial investment can never be realized until one relatively low-cost – but critically important – item is addressed: Incident Response Leadership (IRL).</p>
<p>Incident Response Leadership is the primary task of the management of incident response teams. IRL spans from the creation of incident response plans that minimize the impact of any given incident, to the management and leadership of the actual response team during an incident. IRL continues through the recovery/cleanup process by assessing where the incident response plans can be improved.</p>
<p>Effective Incident Response Leadership also recognizes three basic truths. Until your organization embraces these truths, there will be an artificial ceiling on how effective the security program can be&#8230;</p>
<p>Basic Truth #1: Assume You Will Fail</p>
<p>Ask yourself this quick question: “How many compromised hosts are on my network?”</p>
<p>If your first gut response was “none” then you might have some rethinking to do.  It&#8217;s natural to develop a sense that all of the money, effort,  and resources it took to build your security environment will keep all of the evildoers at bay.  But if you (and the team you lead) begin to operate under the assumption that nothing bad can happen, you will either miss it or  react inappropriately when the inevitable incident occurs.</p>
<p>Compromised hosts can take many different forms.  It may be a file server that&#8217;s functioning as a SPAM relay, it could be a workstation that is part of a bot network, it may be a database server that has a rootkit installed.  There are a multitude of methods and techniques to identify and locate hosts using firewall logs, DLP, anti-virus, and so forth.  It&#8217;s a major IRL responsibility to allocate resources to this work.</p>
<p>Basic Truth #2: Have A Workable Plan, Or Else</p>
<p>How many of us really do regular exercises of our incident response plans?  Exercising workable plans that give your team the direction it requires and the flexibility it needs is a low-cost, high-payback activity that builds esprit de corps and keeps your team sharp and ready.   Lack of a workable plan will delay your response, make forensic investigations more difficult, and cost you time and money you didn&#8217;t need to spend.</p>
<p>There are always challenges to the drive to exercise plans.  “Why waste time on this?”, “We&#8217;re too busy.”, and peer leaders not making matrixed resources available are a constant refrain that IRL needs to overcome.</p>
<p>Basic Truth #3: Communicate This To Your Boss</p>
<p>Telling your boss you are assuming you will fail can be a tough conversation.  The only way to survive it with any sense of dignity and professionalism is to create a series of dialogues with your leadership to explain your incident response program, methods, and assumptions.  You can make this a career enhancing discussion by demonstrating your knowledge of the needs, objectives, and goals of the business.  You will be able to set realistic expectations for your team and be able to clearly communicate what it will take to move your team to the next level. Demonstrating the fact that success is defined by effectively leading your team through the entire range of security tasks (prevention, detection, response) and not by simply  saying “don&#8217;t get hacked”, will enable you to truly succeed to the benefit of your organization.</p>
<p>Over the next several articles we&#8217;ll dive deeper into each of these Basic Truths, and show realistic steps and obtainable objectives to improve your Incident Response Leadership.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=BZaWYt2htro:5Sknk59Jd_A:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=BZaWYt2htro:5Sknk59Jd_A:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=BZaWYt2htro:5Sknk59Jd_A:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=BZaWYt2htro:5Sknk59Jd_A:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/BZaWYt2htro" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/incident-response-leadership-basic-truths/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/incident-response-leadership-basic-truths/</feedburner:origLink></item>
		<item>
		<title>The Security Vending Machine</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/yirSDn7yboo/</link>
		<comments>http://www.securitycatalyst.com/the-security-vending-machine/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 11:00:30 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[planning]]></category>
		<category><![CDATA[purchasing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2116</guid>
		<description><![CDATA[
by James Costello
I would bet that you have someone in your life who “survives” out of the vending machine at the office.  You know them:


Their desk is surrounded by potato chip bags, candy wrappers and soda cans.


They are the first one to get the new item out of the machine.


They consistently return to the [...]]]></description>
			<content:encoded><![CDATA[<p><!-- 		@page { margin: 0.79in } 		P { margin-bottom: 0.08in } --></p>
<p style="margin-bottom: 0in">by James Costello<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/vend.jpg"><img class="alignright size-medium wp-image-2157" title="vend" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/vend-300x225.jpg" alt="vend" width="300" height="225" /></a></p>
<p style="margin-bottom: 0in">I would bet that you have someone in your life who “survives” out of the vending machine at the office.  You know them:</p>
<ol>
<li>
<p style="margin-bottom: 0in">Their desk is surrounded by potato chip bags, candy wrappers and soda cans.</p>
</li>
<li>
<p style="margin-bottom: 0in">They are the first one to get the new item out of the machine.</p>
</li>
<li>
<p style="margin-bottom: 0in">They consistently return to the same choices, but especially love new packaging even if the insides are still the same.</p>
</li>
<li>
<p style="margin-bottom: 0in">They base decisions on what is in the machine.</p>
</li>
<li>
<p style="margin-bottom: 0in">They purchase items because they have money in their pockets.</p>
</li>
</ol>
<p style="margin-bottom: 0in"></p>
<p style="margin-bottom: 0in">Do you know of companies that treat their security purchases like a trip to the vending machine?</p>
<ol>
<li>
<p style="margin-bottom: 0in">They buy items with the prettiest packaging (or possibly the prettiest sales person). Don&#8217;t laugh; I&#8217;ve seen it happen.</p>
</li>
<li>
<p style="margin-bottom: 0in">They purchase items just based on the fact that it is either new or a new version. And we all know that &#8220;new&#8221; means it&#8217;s good, right?</p>
</li>
<li>
<p style="margin-bottom: 0in">They purchase items just because it&#8217;s in the machine or their sales representative presented it to them.</p>
</li>
<li>
<p style="margin-bottom: 0in">They buy the same product that they bought last year because they are not comfortable with change.</p>
</li>
<li>
<p style="margin-bottom: 0in">They buy because they have leftover budget for this year, but are not sure if it is something they really need.</p>
</li>
</ol>
<p style="margin-bottom: 0in"></p>
<p style="margin-bottom: 0in">So how do we, dear reader, avoid/prevent others from making purchases from the security vending machine?</p>
<p style="margin-bottom: 0in"></p>
<ol>
<li>
<p style="margin-bottom: 0in">Determine your corporate goals and work toward them. Okay, so that&#8217;s a bit clichéd, but I see this every day as a project manager. When there is not a clear idea of what is wanted out of a project, it will drag on and possibly never get implemented to anyone&#8217;s satisfaction.</p>
</li>
<li>
<p style="margin-bottom: 0in">Identify your needs and purchase accordingly. What traffic are we trying to monitor? If you are more concerned with blocking inbound access than monitoring, then an IDS solution may not be the best use of funds. What data are we trying to protect? If all of your proprietary data is kept on one or two servers, hardening those servers will make the most impact. What services are we offering to our clients? If you are not offering any services locally, inbound traffic should be denied.</p>
</li>
<li>
<p style="margin-bottom: 0in">Don&#8217;t let your budget burn a hole 	in your corporate pocket. Are you with an organization that 		determines next year&#8217;s budget based on how much you spent this year? 		 (I know this would not fly at my house; why does this work in 		business?) Work with your financial group to create the budget.  		This sort of spending is foolish, especially in the current 		financial situation.</p>
</li>
<li>
<p style="margin-bottom: 0in">Don&#8217;t spend all of your budget at once. Plan for spending over the course of the entire year. I am reminded of my friends who are teachers for school districts in my area. They get paid once per month and have to budget for the entire time. My friends like to tell stories of first-year teachers who see this great big paycheck (well, for a teacher) and go out and spend it without realizing it will be another 30 days before they will get paid again. What is humorous for me is that they all admit to doing the same thing.</p>
</li>
<li>
<p style="margin-bottom: 0in">Just because something is shiny and new does not mean I have to have it.</p>
</li>
</ol>
<p>When I was a senior in college 15 years ago, I needed a car to drive back and forth between the college campus and the school district where I was going to be student teaching. I needed a car and it was going to be my first major purchase. I had $3500 to make the purchase and I could look anywhere I wanted. I could have taken my time to get the most car for my money, but I wanted to get it done and I knew I could spend all of the money I had on this car. (I failed to plan, I did not determine my needs, and I allowed the amount of money I had to determine when I would buy.) A day after I withdrew the money from my savings account, I drove off the car lot of a friend of the family with a car with no trunk space, a short back seat, and not enough horsepower. This car would barely do 60 mph (not so good for a college student who needed to drive 40 miles each day and was still on college time), I could not haul anything in it (this made moving out of the dorms when school was done next to impossible), and finally it developed a habit of not starting when it rained (this was lived with for about a year, as I had to make money to get it fixed, since I had spent all of my money on the car). I look back on that now and wonder how I survived making those decisions.</p>
<p>I bought from the vending machine.  Are you or your company doing the same?</p>
<p style="margin-bottom: 0in"></p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/yirSDn7yboo" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-security-vending-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/the-security-vending-machine/</feedburner:origLink></item>
		<item>
		<title>Taking Responsibility</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/JWMnf0p-POI/</link>
		<comments>http://www.securitycatalyst.com/taking-responsibility/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 11:00:50 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2119</guid>
		<description><![CDATA[by Dennis Kuntz
This blog post is late – very late. In fact, it’s weeks late. I let myself get caught up in other parts of my life and completely forgot about some of my responsibilities. When that happened I backed it up by making a completely wrong assumption. You see, writing posts for this blog [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Dennis Kuntz<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/responsibility.jpg"><img class="alignright size-full wp-image-2121" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/responsibility.jpg" alt="Illustration: Truth and Lie" width="438" height="274" /></a></strong></p>
<p>This blog post is late – very late. In fact, it’s weeks late. I let myself get caught up in other parts of my life and completely forgot about some of my responsibilities. When that happened I backed it up by making a completely wrong assumption. You see, writing posts for this blog is a privilege for me – a big one. I was honored when Michael asked me to be a contributor and continue to feel that way. When I had already missed the deadline – and one reminder – I just considered myself out of luck for being able to have a post in July.</p>
<p>Which is where I screwed up again.</p>
<p>You see, as honorable as my assumption may or may not have been in thinking I was the one missing out, I failed to communicate what I was doing with Trish Smith (the Security Catalyst Blog Editor), or Michael Santarcangelo. I also failed to take into consideration what my continuing to delay a blog post for July would do in terms of making things difficult for scheduling posts.</p>
<p>So, before going on, I’d like to publicly apologize to Trish and Michael – I do indeed still feel honored to post on this blog and thank you both for all of the work that you do.</p>
<p>Once I had decided to write about taking responsibility for what was described above, I started to think about taking responsibility in general. I started to think about how I might handle taking responsibility for more dire things, like a lapse of responsibilities that might lead to financial losses &#8211; or worse.</p>
<p>I’d like to think that I would have the courage to step up and do The Right Thing. But would I? When my job might be on the line? My career? <a href="http://pblog.bna.com/techlaw/2009/06/savvis-case-raises-specter-of-professional-liability-for-security-consultants.html">The income on which my family relies</a>?</p>
<p>Taking responsibility can be a frightening thing – whether you’re a kid who left superglue open next to your father’s presentation papers (and have siblings on whom to blame it), or you’ve just deleted all of the email templates on the production servers (I did not do the first one; the second one, however…alas, that was long ago).</p>
<p>Once you’ve decided to take responsibility for something, you’re not only left feeling naked, but naked standing at the edge of a cliff wondering if you’ll get pushed – and knowing that you may deserve it. That’s a hard situation in which to put yourself voluntarily &#8211; the rawness of the truth coupled with the anxiousness of awaiting any severity of consequences.</p>
<p>Once you get used to accepting responsibility, however, there’s a kind of epiphany. You <strong><em>know</em></strong> there will be consequences, but you also know that it’s the quickest route to getting things cleared up. It becomes cathartic to take control over your own situation as much as possible and to be the source of how your own culpability is communicated. You may even find that being forthright and honest will get you <strong><em>less</em></strong> severe consequences than if you had hidden the truth. At the very least you will be doing The Right Thing and establishing yourself as trustworthy even when your own hide is on the line – which is great equity to have.</p>
<p>So, is there anything for which you haven’t taken responsibility? Or even worse, is there something for which you’ve allowed someone else to take the heat? At some point in our lives, we could all say yes to both. But luckily it’s never too late to step up and do The Right Thing.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/JWMnf0p-POI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/taking-responsibility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/taking-responsibility/</feedburner:origLink></item>
		<item>
		<title>Another Research Idea Stolen</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/ZNb_nz2xAZ0/</link>
		<comments>http://www.securitycatalyst.com/another-research-idea-stolen/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 11:47:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2125</guid>
		<description><![CDATA[By Adam Dodge
Well, it has happened once again. Those folks over at the EDUCAUSE Center for Applied Research (ECAR) have stolen yet another of my research ideas straight from my head before I had a chance to move forward. As always is the case, the result of their mindreading theft is far beyond what I [...]]]></description>
			<content:encoded><![CDATA[<p>By Adam Dodge<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/report.jpg"><img class="alignright size-full wp-image-2126" title="report" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/report.jpg" alt="report" width="248" height="248" /></a></p>
<p>Well, it has happened once again. Those folks over at the <a href="http://www.educause.edu">EDUCAUSE</a> <a href="http://www.educause.edu/ecar">Center for Applied Research</a> (ECAR) have stolen yet another of my research ideas straight from my head before I had a chance to move forward. As always is the case, the result of their mindreading theft is far beyond what I could have accomplished. This most recent case of cranial theft resulted in the <a href="http://www.educause.edu/blog/Lisa+Gesner/ECARPublishesNewOccasionalPape/174332">ECAR occasional paper</a> titled “The Career of the IT Security Officer in Higher Education”. I want to take a moment to issue a big thanks to Marilu Goodyear, Gail Salaway, Mark Nelson, Rodney Peterson and Shannon Portillo for taking the time and effort to author this amazing paper.</p>
<p>The paper itself is a collection of statistical information gathered from survey responses and follow-up interviews with individuals tasked with IT and Information Security within institutions of higher education. The paper looks at three main sets of issues around the IT Security Officer function at colleges and universities. These sets are: “The Position and the Person”, dealing with reporting lines, previous positions held and demographics; “Responsibilities, Skill Sets and Professional Development”, dealing with responsibilities, job announcement analysis and reaching out for advice; and “Authority, Challenges and Program Strategies”, dealing with authority within the institution, common challenges to authority, and security program strategies. While only 53 pages in length, there is too much information in the paper to fully cover here. Instead, I wanted to focus briefly on a few of the more interesting takeaways from each area.</p>
<p><strong>The Position and the Person</strong></p>
<p>One of the most interesting things I found in this section is that only 64.7% of IT Security/Information Security Officers (the two terms are used interchangeably in the paper) still report to CIOs within their organization. On its face this may not be interesting, but the next most common reporting line is the CTO, although granted, only 8.1% responded thusly. Given the inherent conflict that exists between operational IT (“We need this working and working now”) and IT security (“We need to take time to fully vet the system before production”), I find it odd that just under 1 in 10 (1 in 12.5 if you must) ISO/ITSOs still report to the individual responsible for technical operations. While this arrangement can work, it often does not as operational issues tend to take precedence over security concerns.</p>
<p>Another quick takeaway is that the typical ages of ITSOs/ISOs tend to be younger than I would have expected, with almost 19% of respondents ranging between 30 and 34 years old. Additionally, over half of the respondents reported being in the ISO/ITSO role for three years or less.</p>
<p><strong>Responsibilities, Skill Sets and Professional Development</strong></p>
<p>Personally, I think that the largest potential shock for non-security professionals in the ECAR paper comes when looking at the average areas of responsibilities. Instead of being filled with a long list of highly technical areas, common responsibilities instead focus on management-level activities such as incident management, training/awareness, policy development/administration, risk assessment, regulatory compliance efforts, etc. In fact, when looking at technical security areas such as IAM, access controls, network security/firewall management, etc. the majority of respondents only listed that they had a “support” role. This is indeed an excellent development within the higher education field as it signals a much needed shift in thinking about IT/Information Security away from the “network security” box it has been in for far too long.</p>
<p>Other interesting takeaways include that, despite what was said above, technical knowledge/expertise was listed as a critically needed skill in 69.5% of the ITSO/ITO job positions within higher education. Also, while only a minority of ISOs/ITSOs (41.8%) report having control over a dedicated security budget, these individuals cited this budget control as a key component in improving security at their institution.</p>
<p><strong>Authority, Challenges and Program Strategies</strong></p>
<p>Another positive trend shown in the ECAR paper is the fact that a vast majority of the respondents indicated that they have been vested with the authority necessary to perform their jobs. In fact, over 78% of the individuals surveyed responded they had the authority necessary to enforce policies and ensure policy compliance, monitor networks and systems, and authorize the removal of equipment and access rights if necessary. Hopefully, this marks the end of the dreaded cheerleader ITSO/ISO who has been given all the responsibilities for IT/Information Security but none of the requisite authority, and thus is doomed to wander the ivy halls of academia impotently shaking fingers at problems, and hoping against hope that this time the problem will be addressed.</p>
<p>A few more takeaways of note from this section include the fact that while faculty are the most common group on campus to challenge ISO/ITSO authority, such challenges only occur occasionally. Even better is that the single most common method deployed by ITSOs/ISOs when challenged is not pulling rank or blustering about, but is instead rational and reasonable discourse to explain the reasons behind the request.</p>
<p>Fortunately for everyone without an ECAR membership (myself included), this occasional paper has been released to the public. I urge everyone to take a short Internet trip to the ECAR site and give the full paper a read-through.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/ZNb_nz2xAZ0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/another-research-idea-stolen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/another-research-idea-stolen/</feedburner:origLink></item>
		<item>
		<title>Network Validation</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/nEMjaz5Jhrs/</link>
		<comments>http://www.securitycatalyst.com/network-validation/#comments</comments>
		<pubDate>Tue, 14 Jul 2009 11:00:49 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1938</guid>
		<description><![CDATA[by Carl Anctil
Network validation is an important step or tool for designing or hardening a network. Something else that&#8217;s just as important to have is a valid, accurate and up-to-date network diagram. The act of correlating a network diagram against the actual network wiring is network validation.
Why bother with validating a network? The short answer [...]]]></description>
			<content:encoded><![CDATA[<p>by Carl Anctil<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/06/validatecheck.jpg"><img class="alignright size-medium wp-image-1940" title="validatecheck" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/validatecheck-300x199.jpg" alt="validatecheck" width="300" height="199" /></a></p>
<p>Network validation is an important step or tool for designing or hardening a network. Something else that&#8217;s just as important to have is a valid, accurate and up-to-date network diagram. The act of correlating a network diagram against the actual network wiring is <em>network validation</em>.</p>
<p>Why bother with validating a network? The short answer is: <em>to make sure that a network is wired according to how the network diagram says it is</em>. This is important. Why is this important? A network diagram is exactly like a blueprint for a building. When architects create a blueprint for a new building, they do so following construction laws, regulations, standards, etc. These laws and regulations are required to make sure that our buildings are built according to proven and safe standards. They are there to protect us and make us safe. The result we get for following these rules is that they provide for us a reasonable expectation that our buildings are safe and secure. Sound familiar?</p>
<p>What does validating a network mean? For starters, it means that a network diagram should be designed before any actual wiring begins. Many networks are built without a network diagram to follow. This simply opens the door for costly and unnecessary mistakes or network flaws. If someone is responsible for a network that has no network diagram, one is still required. It also means that the person in charge of a network should be able to validate every physical connection to that network in 10 minutes or less. This validation process should also be performed on a regular schedule.</p>
<p>Many organizations do have network diagrams, but how accurate are they? Keeping a network diagram accurate is crucial. This is often one of the first things that will be sought during investigations or for the prevention and detection of network breaches. Remember that without this key piece of information, where does one start?</p>
<p>Do you know how the firewall is connected to the network? Do you know if someone temporarily hooked up the database server to the DMZ? Why is the proxy server unplugged, or plugged into the wrong switch? Do you know how the network connects to the internet?</p>
<p>These common questions can only be reliably answered by conducting a complete network validation using an accurate and up-to-date network diagram. It&#8217;s a pretty simple concept to understand. However, somehow, this remains overlooked by many organizations. These organizations cannot reliably answer, or they do not know how to answer, these simple questions.</p>
<p>So please, validate your networks and keep accurate and up-to-date network diagrams. It&#8217;s rule number one.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/nEMjaz5Jhrs" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/network-validation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/network-validation/</feedburner:origLink></item>
		<item>
		<title>Did I Think This Through?</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/0_PMLVq9YuM/</link>
		<comments>http://www.securitycatalyst.com/did-i-think-this-through/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 13:00:03 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1946</guid>
		<description><![CDATA[by Jeff Kirsch
Taking pride in your service or product really gives your customers a sense of what they are getting. Getting past the sales pitch and seeing true emotions helps ease the mind of decision makers. It lets them know there is substance behind your service or product, not just show. But too much pride, [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1952" href="http://www.securitycatalyst.com/did-i-think-this-through/why150-2/"><img class="alignright size-medium wp-image-1952" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/why1501-300x198.jpg" alt="why150" width="300" height="198" /></a>by Jeff Kirsch</p>
<p>Taking pride in your service or product really gives your customers a sense of what they are getting. Getting past the sales pitch and seeing true emotions helps ease the mind of decision makers. It lets them know there is substance behind your service or product, not just show. But too much pride, seen as arrogance, can turn a customer into an enemy faster than bad service or poor quality. It gives a person a reason to find fault, and more motivation to speak out against you.</p>
<p><strong>The Pitch</strong></p>
<p>Deciding to take some time for ourselves, my wife and I decided to have someone watch our kids so we could go out for a casual dinner. We decided to go casual because we couldn&#8217;t get over the idea that someone might try to <a href="http://www.securitycatalyst.com/can-i-stir-your-potatoes/" target="_blank">Stir the Potatoes</a> again. We selected an Italian style restaurant, some place we hadn&#8217;t been to before. As we waited for our table we enjoyed the atmosphere and observed the people around us.</p>
<p>We were seated in a nice corner booth and our server came over to introduce herself. She explained all the nooks and crannies of the menu, including the restaurant&#8217;s special oven-fired chicken. While taking our order the server was delighted at my wife&#8217;s decision to mix and match things from the menu, since she had suggested &#8220;customizing&#8221; the meal. Her mood soured when I placed my order for the chicken parmesan. &#8220;Wouldn&#8217;t you like one of our oven-fired chicken meals instead?&#8221; she asked, to which I indicated I did not. &#8220;But that is what sets us apart from other restaurants,&#8221; she insisted, to which again I responded no thank you. &#8220;You can get that anywhere,&#8221; she scolded, at which point my wife stepped in and suggested, &#8220;But it is better than any other place, right?&#8221; The server&#8217;s response was a resounding &#8220;No&#8221;, and she shook her head and walked away.</p>
<p>I looked at my wife and wondered how things went so wrong. &#8220;You made her mad,&#8221; my wife said. After eating our meal, our server returned with a dessert tray. She had calmed down and was at ease describing the sample-size desserts, highlighting which were her favorites. Of course I took one and my wife the other, ensuring the happiness of our server for the rest of the night.</p>
<p><strong>The Sale</strong></p>
<p>I was told by a good friend to start with a question, and so I ask, &#8220;What was she thinking?&#8221; Anyone who has worked with customers knows the mantra, &#8220;The customer is always right.&#8221; The truth is the customer <em>wants</em> to be right, and telling them they don&#8217;t know what they want so bluntly does not endear them to you. In information security, we have to sell something that on the surface most people don&#8217;t want. We are selling something they don&#8217;t see, something they can&#8217;t touch or taste. We tell them they are safe and to trust us, but how we often sell it is with a club.</p>
<p>As an IT auditor, I have unfortunately done the exact thing I&#8217;m saying you shouldn&#8217;t do. I believe at some point we all make this mistake. We are so enthusiastic about our work that we are blinded to what the customer&#8217;s point of view may be. It isn&#8217;t until you see that look on their face that you realize you need to brush up your &#8220;pitchman&#8221; skills.</p>
<p>Perhaps we need to step back after we are convinced the product is the right thing, and remember what gave us reservations in the first place. We can then work our way forward step by step, understanding where the &#8220;sale&#8221; may hit a snag. At those points, list what sold you on moving forward and put those ideas in your customer&#8217;s language. Removing yourself as a hurdle to selling security brings us that much closer to the finish line, and will restore the trust your customer needs to feel. The last thing you want to do is walk away asking yourself, &#8220;What was I thinking?&#8221;</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/0_PMLVq9YuM" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/did-i-think-this-through/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/did-i-think-this-through/</feedburner:origLink></item>
		<item>
		<title>Creative Commons for Privacy</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/1Z0YbffQwis/</link>
		<comments>http://www.securitycatalyst.com/creative-commons-for-privacy/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 11:00:30 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy bar camp]]></category>
		<category><![CDATA[Privacy Commons]]></category>
		<category><![CDATA[Privacy Policies]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1994</guid>
		<description><![CDATA[Privacy Bar Camp DC
by Aaron Titus
In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst&#8230; that was a shameless, [...]]]></description>
			<content:encoded><![CDATA[<h1>Privacy Bar Camp DC</h1>
<div id="attachment_1996" class="wp-caption alignright" style="width: 250px"><a href="http://wiki.privacycommons.org/"><img class="size-full wp-image-1996" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/privacycommons-parked-small.jpg" alt="" width="240" height="160" /></a><p class="wp-caption-text">Image based on Three Poppies by Federico Ferrari.</p></div>
<p>by Aaron Titus</p>
<p>In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @<a href="http://twitter.com/PrivacyCampDC">PrivacyCampDC</a>) organized by <a href="http://thinkdodone.typepad.com/">Shaun Dakin</a> with support from the <a href="http://www.cdt.org/">Center for Democracy and Technology</a>, and conducted at the <a href="http://www.americanprogress.org/">Center for American Progress</a>. I confess that I attended primarily to aid my job search <em>(psst&#8230; that was a shameless, self-promoting plug)</em>, but ended up having a great time.  Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, nor camping. And the genius is, they don&#8217;t have an agenda.<span id="more-1994"></span></p>
<p>About 50 people showed up Saturday morning, and after a brief round of introductions, everyone interested in leading a discussion pitched their ideas to the group.  Then each discussion was placed on a grid schedule with four rooms, each with four sessions.  The &#8220;camp&#8221; ran all day, and each attendee chose which combination of the 16 sessions they wanted to attend.  Each session was highly interactive, spontaneous, and collaborative.  The topics ranged from Government and Web 2.0 to &#8220;Empowering Big Brother,&#8221; to Open ID, to <a title="Lock Picking" href="http://deviating.net/lockpicking/">lock-picking</a> (my personal favorite). <a href="http://thecommandline.net/">Thomas &#8220;cmdln&#8221; Gideon</a> and I hosted a session on &#8220;Personal Information as Property and the Platform for Privacy Preferences (<a href="http://www.w3.org/P3P/">P3P</a>).&#8221; During the discussion, the concept of &#8220;Privacy Commons&#8221; came up, and several of the session participants agreed to work on the idea.</p>
<h1>Privacy Commons</h1>
<p>We soon had a group interested in developing the idea, and have been working on it since. Modeled in the spirit of Creative Commons, <a href="http://wiki.privacycommons.org">Privacy Commons</a> (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.</p>
<p>I admire what the <a href="http://www.creativecommons.org">Creative Commons</a> movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are otherwise absent from the law itself.  Creative Commons fills the gap between what the law <em>is</em>, and what many think the law <em>should be</em>.  Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.</p>
<h1>The Need for Complete, Informative, and Enforceable Privacy Policies</h1>
<p>Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete. They often fail to protect an appropriate scope of information or individuals.  Second, many privacy policies waive, rather than confer, privacy rights.  But most importantly, courts have consistently interpreted privacy policies as non-binding notices, rather than contracts.  In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights.  As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.</p>
<h1>Protecting Personal Information via Contract vs. Intellectual Property</h1>
<p>Intellectual property (IP) law is not an appropriate legal framework to protect personal information because <a href="http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/">nobody owns personal information</a>.  Personal information are facts, which are not copyrightable.  Unless a person is famous, a name or SSN can&#8217;t be trademarked.  An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information.  For example, parents would logically &#8220;own&#8221; a child&#8217;s name and date of birth, since they created them.  The government creates social security numbers, and the credit card companies create credit card numbers.  The post office creates addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person&#8217;s ownership interest in gossip or other third-party-created personal information.</p>
<p>In contrast to Creative Commons (which operates under IP licensing law), Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance.  Each model privacy policy would exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration.</p>
<h1>What do you think?</h1>
<p>There is an ad-hoc working group and a <a href="http://wiki.privacycommons.org">Privacy Commons Wiki</a>, which is starting work on the project, and has already published a few articles on mission, scope, and approach. The wiki is closed (to prevent spam), but <em>logins are liberally granted with a simple e-mail</em>. I, for one, find the project pretty exciting.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=1Z0YbffQwis:BrPxrymmCYE:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=1Z0YbffQwis:BrPxrymmCYE:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=1Z0YbffQwis:BrPxrymmCYE:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=1Z0YbffQwis:BrPxrymmCYE:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/1Z0YbffQwis" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/creative-commons-for-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/creative-commons-for-privacy/</feedburner:origLink></item>
		<item>
		<title>Into the Breach – Audio Series – The Introduction</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/aN-sHKOG8dQ/</link>
		<comments>http://www.securitycatalyst.com/into-the-breach-audio-series-the-introduction/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 18:43:04 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News and Events]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[audio series]]></category>
		<category><![CDATA[configuresoft]]></category>
		<category><![CDATA[emc]]></category>
		<category><![CDATA[into the breach]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2037</guid>
		<description><![CDATA[Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the [...]]]></description>
			<content:encoded><![CDATA[<p>Welcome to the audio series of <strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk </em></strong>(<a href="http://www.securitycatalyst.com/into-the-breach/" target="_blank">click this link to learn more about this book</a>). This series, underwritten by <a href="http://configuresoft.com/" target="_blank">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this segment</h3>
<p>The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.</p>
<h3>A Private Invitation to Engage with Michael Santarcangelo</h3>
<p>Build on your experience. Sign-up for exclusive invitation-only conversations [<a href="http://www.configuresoft.com/securitycatalyst.aspx" target="_blank">click on the link to sign up now for your invitation</a>] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released where he will:</p>
<ul>
<li>Reveal the ideas and concepts that got cut from each chapter</li>
<li>Expand upon or update the elements in the chapter you just listened to</li>
<li>Answer questions in a candid and direct style – focused on delivering insights that lead to results</li>
</ul>
<p>The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit <a href="http://www.configuresoft.com/securitycatalyst.aspx" target="_blank">http://www.configuresoft.com/securitycatalyst.aspx</a> for more details and to get your invite!</p>
<h3>You want more, so after listening…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engaging (not following) Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribing to The Security Catalyst podcast &amp; blog to get more insights</li>
<li>Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV</li>
</ol>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=aN-sHKOG8dQ:rKaUFZd09kU:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=aN-sHKOG8dQ:rKaUFZd09kU:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=aN-sHKOG8dQ:rKaUFZd09kU:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=aN-sHKOG8dQ:rKaUFZd09kU:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/aN-sHKOG8dQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/into-the-breach-audio-series-the-introduction/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>

			<itunes:keywords>audio series,configuresoft,emc,into the breach,Podcast,twitter</itunes:keywords>
		<itunes:subtitle>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC,</itunes:subtitle>
		<itunes:summary>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total).
What youâll find in this segment
The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.
A Private Invitation to Engage with Michael Santarcangelo
Build on your experience. Sign-up for exclusive invitation-only conversations [click on the link to sign up now for your invitation] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released where he will:

	Reveal the ideas and concepts that got cut from each chapter
	Expand upon or update the elements in the chapter you just listened to
	Answer questions in a candid and direct style – focused on delivering insights that lead to results

The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit http://www.configuresoft.com/securitycatalyst.aspx for more details and to get your invite!
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
	Subscribing to The Security Catalyst podcast &amp; blog to get more insights
	Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV
</itunes:summary>
		<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
		<itunes:explicit>clean</itunes:explicit>
	<media:content url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/Y4NRTGwjLcc/ITB-Santarcangelo-INTRODUCTION.mp3" fileSize="9640278" type="audio/mpeg" /><feedburner:origLink>http://www.securitycatalyst.com/into-the-breach-audio-series-the-introduction/</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/Y4NRTGwjLcc/ITB-Santarcangelo-INTRODUCTION.mp3" length="9640278" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-INTRODUCTION.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Unintended Consequences: Training, Metrics, Speed, and Quality</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/tgddzCqDCgg/</link>
		<comments>http://www.securitycatalyst.com/unintended-consequences-training-metrics-speed-and-quality/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 11:00:33 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1963</guid>
		<description><![CDATA[I’ve been developing and conducting training classes for years – never entire curricula, but individual classes like security awareness.  In general I’ve been pretty successful, and I haven’t found it that difficult: explain the topic in an organized way, explain why certain things are the way they are, give some concrete examples, and most people [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1964" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/for-mysite.jpg" alt="for mysite" width="145" height="150" />I’ve been developing and conducting training classes for years – never entire curricula, but individual classes like security awareness.  In general I’ve been pretty successful, and I haven’t found it that difficult: explain the topic in an organized way, explain why certain things are the way they are, give some concrete examples, and most people get it.</p>
<p>Then I got the first dogs of my adult life, and learned to train them.  In many ways, training dogs is much more difficult than training people because there is no common language and dogs and people perceive the world in very different ways.  Now, before anyone gets offended, I’m not trying to compare people to dogs.  I am, however, trying to compare training methods – there are some interesting differences and similarities that are very educational, and training either species can have unintended consequences.</p>
<p>One of the most popular methods of training any species of animal is called clicker training.  A clicker is just a small plastic thing that makes a clicking noise.  You associate that noise with a treat, and the animal (in this case a dog) learns that the noise means something good is about to happen.  When the dog performs a desired behavior (like sit), you click at the moment that it performs, and follow up with a treat.  Because of the precision of clicking just when the behavior happens, the dog is clear on what you want, and learns a lot faster.  In fact, most dogs figure it out pretty quickly and will start to “offer” the behavior in the hopes of more treats.  This method is also used successfully with human athletes that have to do complex aerial moves like gymnasts and divers, to help them understand when to start or end a tuck or a twist.  The key message here is that immediate positive recognition for doing the right thing is the fastest way to ingrain a behavior – in any species.</p>
<p>The more interesting side of dog training is the unintended consequences.  Unlike with humans, you can’t just explain to a dog what you’re after.  You have to figure out how to guide (“lure”) the dog into doing what you want, but even then it might not understand.  If it doesn’t, you have to wait around and let it do the behavior by itself, and “capture” the behavior by clicking and treating when it happens.  The problem with luring and capturing is that sometimes you reward things that you didn’t mean to reward – thus the unintended consequences.  Here’s an example with my husband’s dog, Kozmo. We rented a house last year that was down the street from a school.  Kozmo decided it was a good idea to get up at 7am, run into the yard, and start barking at the kids walking by.  So every morning for about a week I got up when I heard him, went out with him, called him in when he started barking, and then went to the kitchen for a treat.  By the end of the week, he stopped barking outside.  But then he started doing something new.  Every once in a while, he’d get my attention, and walk toward the dog door, ensuring that I was still watching.  Then he’d rush outside, bark a couple times, rush back in, and go sit in the kitchen and stare at the treat cabinet.  In short, I was trying to teach him “don’t go outside and bark” but he learned “If I go outside and bark when mom’s around and immediately come back in, I get food and attention.”  To this day if he wants attention when we’re around, he’ll go outside and bark a few times, then come back into the house, expecting praise.</p>
<p>So what’s my point in all of this?  When we collect metrics in the customer services space and use them for performance assessments, we are effectively training our employees – if you score well on the metrics, you get a raise.  If you score poorly, you could get fired.  But measuring the wrong things can have unintended consequences – we think we’re rewarding delivering good service, but we’re actually rewarding behaviors that deteriorate service.  A very common example is when we measure speed of service instead of quality of service.  Speed is much easier to measure than quality, and it’s something that can be system generated: how many tickets closed per week, how many minutes spent on each call, etc.  On the surface, it also makes sense: if we’re closing calls and tickets faster, we’re completing more calls and tickets sooner, so the customers aren’t waiting around for service, and that’s good!  But what actually happens?  If an employee gets a gold star for being the fastest, that individual will do his best to continue doing so – at the expense of the customer.  The ticket will get closed with the work not being completed, or the call will end and the customer still hasn’t received the help they needed, or they’ve been passed along to someone else – wasting both the customer’s time and the time of the person they were passed to.  Meanwhile, the employee is getting rewarded for having been the fastest.  Measuring speed without measuring the underlying quality, has the unintended consequence of deteriorating service, when the intent is to improve service.</p>
<p>How do you measure quality in ways that reward good service?  More on that later…</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=tgddzCqDCgg:r79Q19_kPO0:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=tgddzCqDCgg:r79Q19_kPO0:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=tgddzCqDCgg:r79Q19_kPO0:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=tgddzCqDCgg:r79Q19_kPO0:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/tgddzCqDCgg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/unintended-consequences-training-metrics-speed-and-quality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/unintended-consequences-training-metrics-speed-and-quality/</feedburner:origLink></item>
		<item>
		<title>Staying off of the suspect list</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/oLNLCA8aHj0/</link>
		<comments>http://www.securitycatalyst.com/staying-off-of-the-suspect-list/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 11:00:51 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1920</guid>
		<description><![CDATA[by Ron Woerner
Often, we’re our own worst enemy.  We do things that make us a likely target for blame.  In other words, we’re on the suspect list.  We receive the blame when something goes wrong because of our actions or the access we maintain.
The best strategy is to keep yourself and others off of that [...]]]></description>
			<content:encoded><![CDATA[<p>by Ron Woerner<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/06/detective.jpg"><img class="alignright size-medium wp-image-2013" title="detective" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/detective-300x225.jpg" alt="detective" width="300" height="225" /></a></p>
<p>Often, we’re our own worst enemy.  We do things that make us a likely target for blame.  In other words, we’re on the suspect list.  We receive the blame when something goes wrong because of our actions or the access we maintain.</p>
<p>The best strategy is to keep yourself and others off of that list.  First of all, being on the list disrupts the investigation into finding the true source of the problem.  Second, it causes others to distrust those on the suspect list, even if they&#8217;re innocent.  The best way to prove innocence is to have a clear name from the onset.</p>
<p>Often security professionals and IT managers have access to many systems, applications, or facilities. They believe it’s required because of their position or responsibilities.  The problem is that having access often puts them automatically on the suspect list.  Many times I’ve been accused of involvement when there were network issues.  “Were you running one of your security scans again?” is a common question aimed at me just because I have the ability to run scans, not because I necessarily did.</p>
<p>Often, other activities may add us to the “suspect list”, such as browsing the Internet, transferring documents from home to work and vice versa, clicking on links in email, or installing freeware or shareware applications on a work computer. While they’re not always bad activities in and of themselves, these actions do have potentially dangerous consequences.</p>
<p>Here are five things you need to do to keep yourself off of the suspect list:<br />
1. Limit your access.  This is the concept of least privilege.  If you don’t need it or don’t use it every day, disable or delete your access to it.<br />
2. Only use administrator privileges when you administer the system.  If you’re always logged in as an admin, then you’re just asking for trouble.<br />
3. Freeware isn’t always free and shareware may mean you&#8217;re sharing more than the program.  Finding programs on the Internet may save money in the short run, but they occasionally contain hidden malware that can take down your system.<br />
4. Think before you click.  Be aware of where you go on the Internet.<br />
5. Keep your secrets secret.  If you allow others to use your login id or badge, then that person is you and you’ll be on the suspect list if something goes wrong. Badges and passwords are like kleenex; it’s not cool to share.</p>
<p>Security’s objective is to keep people off of the suspect list.  We know that the great majority of our work force wants to do what’s right.  We want to help you.  Like the police, our objective isn’t to get you into trouble, but to keep you out of trouble.  Consider what you should do to keep yourself and others off the suspect list.  It will make your life much easier.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=oLNLCA8aHj0:ElKo-GMH820:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=oLNLCA8aHj0:ElKo-GMH820:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:l6gmwiTKsz0"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?d=l6gmwiTKsz0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/SecurityCatalyst?a=oLNLCA8aHj0:ElKo-GMH820:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/SecurityCatalyst?i=oLNLCA8aHj0:ElKo-GMH820:gIN9vFwOqvQ" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/oLNLCA8aHj0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/staying-off-of-the-suspect-list/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/staying-off-of-the-suspect-list/</feedburner:origLink></item>
		<item>
		<title>Two Dwarves Were Walking Through the Woods …</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/Fy-5VNaOqdU/</link>
		<comments>http://www.securitycatalyst.com/two-dwarves-were-walking-through-the-woods/#comments</comments>
		<pubDate>Thu, 25 Jun 2009 11:00:13 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[responsibility]]></category>
		<category><![CDATA[share knowledge]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1838</guid>
		<description><![CDATA[by Wim Remes
Once upon a time in the land of milk and honey, Jack and Charles, 2 hard-working dwarves, were strolling through the magic forest. They had been walking for a while now and they were getting tired, but Mike, their boss, had instructed them to bring home 10 stones and they had only found [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p><img class="size-thumbnail wp-image-1841 alignright" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/dwarf2-150x150.jpg" alt="dwarf2" width="150" height="150" />by Wim Remes</p>
<p>Once upon a time in the land of milk and honey, Jack and Charles, 2 hard-working dwarves, were strolling through the magic forest. They had been walking for a while now and they were getting tired, but Mike, their boss, had instructed them to bring home 10 stones and they had only found six.  Jack, being the senior dwarf, carried the backpack with the stones and regularly sent Charles between the trees to retrieve a stone.  Charles would diligently comply, and when he actually found a stone, he would put it in the backpack, quickly going back to searching for more stones.</p>
<p>What looked like an easy task turned out to be quite difficult: There&#8217;s more wood in a forest than there are stones, you know.</p>
<p>Jack was sweating heavily, his legs hurt, and he was slowing down. Charles, however, looked like he hadn&#8217;t done anything yet. He was dancing through the forest, quickly running left and right to look for stones.  &#8220;Hey Jack, should I carry the backpack now?&#8221; he asked. &#8220;No, keep searching, it&#8217;s about time you found some stones&#8221; Jack replied. He was not amused with the situation, feeling the skin on his shoulders being ripped to tiny pieces.</p>
<p>As the sun was falling toward the horizon, Jack and Charles reached a river. Charles quickly picked up four stones and put them in the backpack.  Jack was happy, and so was Charles. &#8220;Hey Charles,&#8221; Jack said &#8220;do you see that apple tree across the river?&#8221; Charles saw the shiny, juicy apples and he suddenly felt how hungry he actually was.</p>
<p>As Jack and Charles crossed the river together, Jack sank to the bottom and drowned.  Charles didn&#8217;t look back and moved on to stuff himself with tasty apples.  On his way back across the river, he slid the backpack off of Jack&#8217;s already chilly shoulders. He walked home and delivered the stones to Mike who, of course, was very happy. He awarded Charles with an extra portion of porridge and Jack, well, nobody ever remembered who Jack really was.</p></blockquote>
<p>Jack is a dead man! Why? Because he refused to share his knowledge (the stones) with Charles. He thought it was alright to boss Charles around, instructing him in exactly what to do.  He also got angry at Charles because he thought Charles was better off. After all, it&#8217;s not as though Jack had to carry that backpack. Charles wanted to because he felt it was his responsibility, which it wasn&#8217;t. As the senior dwarf, it was his responsibility to get the both of them home safely, with 10 stones.</p>
<p>Do you ever behave like Jack? What gets you, your team and your company forward is the fact that you are open to share experience, ideas and knowledge. Refusing to do that might have you end up on the bottom of a cold river. Rest assured that your seat will not be empty for long.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/Fy-5VNaOqdU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/two-dwarves-were-walking-through-the-woods/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/two-dwarves-were-walking-through-the-woods/</feedburner:origLink></item>
		<item>
		<title>Case of the Found USB Thumb Drive</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/_gwOGSArr6I/</link>
		<comments>http://www.securitycatalyst.com/case-of-the-found-usb-thumb-drive/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 11:00:42 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[information safety]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1837</guid>
		<description><![CDATA[by James Costello
It was a dark and stormy…
All right, it was a sunny morning in April when the first event to inspire this article occurred.  I was walking back to my car after dropping off my daughter at school.  As I walked around to the driver side I noticed a battered USB thumb [...]]]></description>
			<content:encoded><![CDATA[<p>by James Costello<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/usb.jpg"><img class="alignright size-medium wp-image-1897" title="usb" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/usb-300x224.jpg" alt="usb" width="300" height="224" /></a></p>
<p>It was a dark and stormy…</p>
<p>All right, it was a sunny morning in April when the first event to inspire this article occurred.  I was walking back to my car after dropping off my daughter at school.  As I walked around to the driver side I noticed a battered USB thumb drive sitting on the ground behind one of my tires.</p>
<p>My first thought was “Oh, great.  I dropped mine and it got run over.”  I quickly realized that dropping it and running over it was nearly impossible and that it was not even one of the brands that I use.  So I had four options:<br />
1.	Leave it where it was<br />
2.	Take it back into the school and leave it in the front office<br />
3.	Take it with me and try to determine the owner so that I could return it to them.<br />
4.	Throw it away.</p>
<p>The first option didn’t sit well with me; the next person to come along might do something malicious with it.  The second option only works when the office is open (which it wasn&#8217;t, as my daughter was attending day camp during spring break).  That left me with options 3 and 4.  I decided to combine 3 and 4 into option 5:<br />
5.	Take the drive with me and throw it away later.</p>
<p>Fast forward in time three weeks…</p>
<p>I am once again in the parking lot of my daughter’s school staring at a smashed USB thumb drive of the same brand as the prior unit.  Repeat thought process above.  I was a bit suspicious and a bit curious.  Two similar drives in the same parking lot.  Was someone just very unlucky and lost two drives?  Were there possibly two such unlucky individuals?  Was someone trying to use the USB keys as a means to penetrate the school district system?</p>
<p>I decided that I would take a look at the new drive when I got home that evening, but I was going to take precautions.  Plugging it into my computer could expose me to viruses, malware, and pictures of an inappropriate nature. What could I do to protect myself and my computers while looking at this drive?</p>
<p>1.	Boot off a BackTrack CD, mount the drive, and look at it there<br />
Advantage – lives in memory, low chance of infecting my hard drive<br />
Drawback – this might not be a recommendation for others</p>
<p>2.	Launch a VM on my computer and connect to the drive<br />
Advantage – no need to reboot my hardware, I already have the VMs in place<br />
Drawback – there could be malware that breaks through that VM software and infects my host system.</p>
<p>3.	Boot a separate system that I do not mind rebuilding<br />
Advantage – system can be rebuilt if there is malware on the drive<br />
Drawback – not everyone has spare systems lying around to do this.</p>
<p>I chose to use an older Toshiba laptop to look at the drive because it runs Linux (lower chance of infection) and it has a USB 1.0 connector on it (older, slower, and not likely to run U3).  Fortunately (or unfortunately) this drive was too damaged to operate, so it followed its predecessor into the electronic recycling bin.</p>
<p>Then I got to thinking.  What if that drive was mine?  Do I keep any data on a USB drive that, if I lost, could be used to steal my identity or perform credit card fraud?  Would I want someone else going through it to find out if it was mine?</p>
<p>So what can you do to protect yourself from losing your thumb drive and your data?</p>
<p>Keep physical control of your thumb drive, by keeping it on a key chain,  on a lanyard around your neck, or at home. Protect the data on the drive, via encryption (there is a mobile version of TrueCrypt that works on USB drives). Alternately, don’t put anything on your drive you wouldn’t share with your neighbor, such as tax data, your social security number, your date of birth, or your mother’s maiden name. Don’t share your drive with anyone else, and don’t carry your data with you. You can leave it at home and email any information you need to yourself using your company’s mail system (not from your home account, but through webmail) if that is allowed by your company. Make sure you find out what your employer&#8217;s policy is for USB drives before you bring them in.</p>
<p>This “case” was fairly interesting for me, and I hope you found it interesting, dear reader.  The next time you come across a thumb drive laying around, think of this story and my thoughts.  Now go out there and be safe.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/_gwOGSArr6I" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/case-of-the-found-usb-thumb-drive/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/case-of-the-found-usb-thumb-drive/</feedburner:origLink></item>
		<item>
		<title>Letting the Horse Catch Up to the Cart</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/XXYIym_XMD0/</link>
		<comments>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 11:00:01 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[continuing education]]></category>
		<category><![CDATA[EDUCAUSE]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1803</guid>
		<description><![CDATA[By Adam Dodge
I recently returned from yet another amazing time at the EDUCAUSE Security Professionals Conference. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/horse.jpg"><img class="alignright size-medium wp-image-1805" title="horse" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/horse-300x221.jpg" alt="horse" width="300" height="221" /></a>By Adam Dodge</p>
<p>I recently returned from yet another amazing time at the <a href="http://net.educause.edu/sec09">EDUCAUSE Security Professionals Conference</a>. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one of my favorite events. Not only does the SPC boast outstanding presentations, but the hallway conversations, informal roundtable discussions during meals, and Birds of a Feather gatherings offer unparalleled opportunities to meet other security professionals in higher education and learn new, unique ways to address issues. I strongly urge all security professionals in higher education to beg, argue or barter for the funds needed to attend this yearly gathering.</p>
<p>The conference lineup this year was interesting. While there were the usual technically-focused talks, the majority of the talks did not center on specific technical topics. Instead, much of the conference was focused on building and maintaining a strategic information security program within higher education. There were sessions on building risk management programs, using frameworks to build information security policies and programs, creating standardized and measurable procedures, and even talks on how to leverage internal resources such as internal audits to help improve security posture.</p>
<p>Like many industries, information security grew up out of the IT departments at most colleges and universities. Unfortunately, many educational institutions still equate “network security” with “information security”, and information security is often still viewed as a technical issue. However, the presentations at this year’s conference clearly indicate that the viewpoint on information security is quickly changing at colleges and universities.</p>
<p>This shift in how information security is viewed within higher education speaks to the maturation of information security programs at many colleges and universities. Thankfully, the industry seems to be moving away from the misguided view that all institutions need is one staff member &#8220;doing security” to be secure. This type of growth and maturity of information security programs within higher education is a great sign that perhaps I will soon have nothing to report on Education Security Incidents.</p>
<p>Here, in no particular order, are the top three presentations out of the sessions I was able to attend. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS07">An Auditor’s Perspective on Frameworks for Information System Security in Higher Education</a>” by Erwin Carrow and Brian Markham was useful in teaching me that internal auditors can, in fact, be your friends. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS18">Using the EnCase Field Intelligence Model in Assisting with Forensic Examinations</a>” by Yu Chang, Tammy Clark, and William Monahan was useful in showing how Georgia State University handles requests for forensic investigation. “<a href="http://net.educause.edu/SEC09/Program/1020687?PRODUCT_CODE=SEC09/SESS39">Mapping the Shifting Landscape</a>” by Phillip Deneault and Brian Smith-Sweeney was useful in providing excellent quotes such as “Ready-Fire-Aim” and Brian’s poorly rendered yet still amazing image on the drivers and functions of an information security program.</p>
<p>Congratulations and thanks are in order for this year’s SPC program committee. These folks did an outstanding job.</p>
<p>Image used with permission from FreeDigitalPhotos.net</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/XXYIym_XMD0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/letting-the-horse-catch-up-to-the-cart/</feedburner:origLink></item>
		<item>
		<title>Minefield of Bananas</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/15lbe9qpQQU/</link>
		<comments>http://www.securitycatalyst.com/minefield-of-bananas/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 11:00:20 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[systems]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1851</guid>
		<description><![CDATA[by Jeff Kirsch
As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1855" href="http://www.securitycatalyst.com/minefield-of-bananas/riskybusiness_150/"><img class="alignright size-full wp-image-1855" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/riskybusiness_150.jpg" alt="riskybusiness_150" width="425" height="282" /></a>by Jeff Kirsch</p>
<p>As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those &#8220;different&#8221; places at the same time every day. It&#8217;s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?</p>
<p><strong>Me vs. Random</strong></p>
<p>I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter&#8217;s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.</p>
<p>A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn&#8217;t get me with her banana.  I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level.  I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy had not worked, so I began to reformulate a plan to ensure I didn&#8217;t continue showing up with stains on my clothes.</p>
<p>A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can&#8217;t jab me with it, and if she throws it I&#8217;ll notice. I went through the routine thinking I won this round &#8211; even though my daughter has already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that&#8217;s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can&#8217;t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year old just beat me three games to none.</p>
<p><strong>Ordered Randomness</strong></p>
<p>As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/15lbe9qpQQU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/minefield-of-bananas/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/minefield-of-bananas/</feedburner:origLink></item>
		<item>
		<title>Pet Risks – A New View of Risk Management</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/p0zotujeWQc/</link>
		<comments>http://www.securitycatalyst.com/pet-risks-%e2%80%93-a-new-view-of-risk-management-2/#comments</comments>
		<pubDate>Thu, 11 Jun 2009 11:00:25 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[spending]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1909</guid>
		<description><![CDATA[by Ron Woerner
“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.”  Computerworld
What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts [...]]]></description>
			<content:encoded><![CDATA[<p>by Ron Woerner<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/leash.jpg"><img class="alignright size-medium wp-image-1910" title="leash" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/leash-300x225.jpg" alt="leash" width="300" height="225" /></a></p>
<p>“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.”  Computerworld</p>
<p>What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.</p>
<p>One of the causes is the introduction and promotion of “pet risks” by decision makers.  A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers.  It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources.  It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a &#8216;96 Ford Contour.   The cost of mitigation is out of balance with either the asset value or the real risk.</p>
<p>It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.</p>
<p>The decision maker has the position and influence to make it happen.  He or she is able to get the funding and personnel to address their pet risks.  They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation.  Whether those risks are critical for the organization is debatable.</p>
<p>An example is data leakage protection (DLP).  The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost.  Management may be convinced that they need to stop this at all costs.  They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage.   While it may be an issue, data leakage may not be the organization’s biggest problem.  It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.</p>
<p>How do you solve the problems caused by pet risks? The solution isn&#8217;t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.</p>
<p>Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:<br />
Conduct a risk assessment;<br />
Collaborate on the results with all stakeholders;<br />
Be open and honest on the best ways to protect the business.</p>
<p>In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs.  They should address the potential impact and probability of data leakage.  Is it an irritant or could it be a major issue?  How likely is it that critical data can and will leak out of the organization?  They need to collaborate with others on their risk assessment to see how it affects the business.</p>
<p>Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.</p>
<p>By working together, we all become stronger.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/p0zotujeWQc" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/pet-risks-%e2%80%93-a-new-view-of-risk-management-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/pet-risks-%e2%80%93-a-new-view-of-risk-management-2/</feedburner:origLink></item>
		<item>
		<title>Customer Service and the Greater Good</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/XgE6d3GewtY/</link>
		<comments>http://www.securitycatalyst.com/customer-service-and-the-greater-good/#comments</comments>
		<pubDate>Tue, 09 Jun 2009 11:00:56 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[customer service]]></category>
		<category><![CDATA[IT department]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1844</guid>
		<description><![CDATA[by Ioana Justus
I received a response to my blog titled “End Users: IT’s biggest barrier to good customer service” that I found particularly interesting. The responder wrote, “Some users tend to think that IT is here to serve them. To a point we are, to keep computers/servers/printers/etc running and functional. However, some think that if [...]]]></description>
			<content:encoded><![CDATA[<p>by Ioana Justus</p>
<p class="MsoNormal"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/help.jpg"><img class="alignright size-medium wp-image-1884" title="help" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/help-300x228.jpg" alt="help" width="300" height="228" /></a>I received a response to my blog titled “End Users: IT’s biggest barrier to good customer service” that I found particularly interesting.<span> </span>The responder wrote, “Some users tend to think that IT is here to serve them.<span> </span>To a point we are, to keep computers/servers/printers/etc running and functional.<span> </span>However, some think that if anything has to do with the computer, then we should be the ones taking care of it.<span> </span>As an extreme example, that IT should be responsible for ordering paper, since paper goes into a printer, and a printer can be hooked to a computer, so it is up to IT to order it.”</p>
<p class="MsoNormal">Although this is indeed an extreme case, it’s an interesting example and it does bring up a valid point: is it sometimes not our job to provide service to the customer?<span> </span>And do we tell them this?</p>
<p class="MsoNormal">The answer is, as usual, it depends.<span> </span>The reality is that IT professionals are generally better paid than their business counterparts, and although having IT personnel performing non-IT tasks may occasionally benefit an individual or even a small group, it ultimately hurts the bottom line of the company.<span> </span>So sometimes, it really is in the company’s best interest for IT to not provide the requested service.<span> </span>That said, when faced with such a situation, telling the customer no or not providing the service is not beneficial, either.</p>
<p class="MsoNormal">So now what?<span> </span>Handling a situation like this really depends on who the customer is.<span> </span>I think there are three categories of customer here:</p>
<p class="MsoNormal"><span><span>-<span> </span></span></span>A “general” customer – i.e., someone with whom you do not have a current relationship, and whose motivations are unfamiliar to you</p>
<p class="MsoNormal"><span><span>-<span> </span></span></span>A “VIP” customer – i.e., someone with whom you already have a relationship that you want to build further, or a senior executive of the company</p>
<p class="MsoNormal"><span><span>-<span> </span></span></span>A “repeat offender” – i.e., someone who is a known pain in the rear or who consistently circumvents the process</p>
<p class="MsoNormal">Let’s take a look at each case, continuing with the “IT being asked to order paper” theme…</p>
<p class="MsoNormal">For a general customer, it’s worth it to do some root cause analysis: why are they asking you to order the paper for them?<span> </span>I’d be willing to bet it’s because either they don’t know the official process, or because the process doesn’t work.<span> </span>If they don’t know the process, you can provide excellent service and build a new relationship by helping them learn.<span> </span>Don’t just do it for them – take a little extra time to teach them how to fish.<span> </span>If there’s a form to fill out, show them where to find the form, and help them fill it out.<span> </span>If there’s a person to call, provide the name and phone number of the person, and then call them for the customer.<span> </span>For the single instance, the added time does cost more than just doing it for them, but it will be more than made up if the customer doesn’t have to ask you again.</p>
<p class="MsoNormal">If, on the other hand, the customer is circumventing the process because it’s cumbersome or doesn’t work, then a little process re-engineering is in order.<span> </span>Depending on who you are in the organization, you may or may not be in a position to facilitate this yourself.<span> </span>In this case, help the customer through the red tape, and at a minimum escalate the situation to your manager and suggest some potential solutions.<span> </span>If you can effect change, be sure to follow up with the customer to let them know.</p>
<p class="MsoNormal">For a VIP customer, the initial action is just to order the paper for them.<span> </span>To improve the level of service for this group and be cost-conscious for the company, the best thing you can do is coordinate proactive ordering with the right person or department.<span> </span>If the paper replenishes itself, the VIP customers will be happy because they no longer need to worry about it, and they won’t have to ask you to place the order anymore.</p>
<p><span>In the case of a repeat offender, it may be worth it to do a root cause analysis.<span> </span>If the process is tedious, you could repair a not-so-good relationship by helping to improve the process – or at a minimum, you can get this person out of your hair.<span> </span>If there’s nothing wrong with the process and the person just can’t be bothered with following it, well, that’s why management gets paid the big bucks – to deal with people like that.</span></p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/XgE6d3GewtY" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/customer-service-and-the-greater-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/customer-service-and-the-greater-good/</feedburner:origLink></item>
		<item>
		<title>How to Avoid Being a Target</title>
		<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/kNK1UMFZZKk/</link>
		<comments>http://www.securitycatalyst.com/how-to-avoid-being-a-target/#comments</comments>
		<pubDate>Fri, 05 Jun 2009 11:00:13 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security Catalyst Contributors]]></category>
		<category><![CDATA[operating system]]></category>
		<category><![CDATA[reduce risk]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1711</guid>
		<description><![CDATA[by Carl Anctil
How to avoid being a target?
The quick answer is to move all essential, business critical or operational workstations and servers to a less targeted platform. If you&#8217;re less of a target, then the likelihood of a compromise significantly decreases. That&#8217;s all, folks; simple enough, huh?
Okay, it&#8217;s not quite that easy, but let&#8217;s compare [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1831" href="http://www.securitycatalyst.com/how-to-avoid-being-a-target/therighttarget/"><img class="alignright size-medium wp-image-1831" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/therighttarget-201x300.jpg" alt="therighttarget" width="201" height="300" /></a>by Carl Anctil</p>
<p>How to avoid being a target?</p>
<p>The quick answer is to move all essential, business critical or operational workstations and servers to a less targeted platform. If you&#8217;re less of a target, then the likelihood of a compromise significantly decreases. That&#8217;s all, folks; simple enough, huh?</p>
<p>Okay, it&#8217;s not quite that easy, but let&#8217;s compare for the sake of it. We&#8217;re going to stipulate that all configurations, settings, installations, etc. on all platforms have been completed following best security practices and that everything is fully patched and secured. So what do we have left to do?</p>
<p>The Windows solution is the most targeted platform for both the home and the business user. In order to successfully deploy the Microsoft Windows operating system for use on critical systems, a considerable amount of maintenance and dedication is required. The fact that this platform is the most popular and the most targeted platform of them all makes attentiveness to this solution a must in order to prevent a compromise. Failure to do so is asking for trouble. The minimum required maintenance includes the following:</p>
<p>1. Keeping the OS fully patched.<br />
2. Installing antivirus software and keeping it up to date.<br />
3. Installing a software firewall for workstations at minimum.<br />
4. Installing other anti-malware solutions and keeping them up to date.<br />
5. Ensuring that third party software such as Java, Flash, Acrobat Reader, etc. is also kept up to date.</p>
<p>These five steps are the bare minimum that is required to deploy an operational, critical system and to keep it safe. Anyone or any organization that is not ready or willing to spend the required amount of time and effort to continuously monitor and stay on top of this maintenance will, sooner or later, become compromised in some way. It&#8217;s simply a matter of time.</p>
<p>Or maybe it&#8217;s time for a change.</p>
<p>Moving your essential, business critical or operational workstations and servers to an alternate platform such as Linux, Mac or any other UNIX variant could possibly save a considerable amount of time and effort. Think about all the time it takes to continuously loop around the five steps above. Thought about it? This newly saved time could well be used to actually enjoy using a computer for work or play. Maybe this extra time could be better spent improving your business or customer relations. The fact is that a server or workstation that isn&#8217;t as much of a target will keep a significant amount of malware away. This is how computing should be &#8211; without malware.</p>
<p>Remember, these other platforms also have to be kept updated as necessary. However, they are not as continuously targeted. That&#8217;s the difference.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/SecurityCatalyst/~4/kNK1UMFZZKk" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/how-to-avoid-being-a-target/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.securitycatalyst.com/how-to-avoid-being-a-target/</feedburner:origLink></item>
	<media:credit role="author">Michael J. Santarcangelo, II</media:credit><media:rating>nonadult</media:rating><media:description type="plain">changing the way people protect information</media:description></channel>
</rss>
