<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>information-security « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/information-security/</link>
	<description>Feed of posts on WordPress.com tagged "information-security"</description>
	<pubDate>Wed, 02 Dec 2009 11:03:39 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Who's Who? What's What? What's Real In An Internet world?]]></title>
<link>http://pwcinnovate.wordpress.com/2009/12/01/whos-who-whats-what-whats-real-in-an-internet-world/</link>
<pubDate>Tue, 01 Dec 2009 18:07:52 +0000</pubDate>
<dc:creator>Sheldon Laube</dc:creator>
<guid>http://pwcinnovate.wordpress.com/2009/12/01/whos-who-whats-what-whats-real-in-an-internet-world/</guid>
<description><![CDATA[The New Yorker published a cartoon in 1993 which shows a dog sitting at a computer terminal saying t]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The New Yorker published a <a href="http://www.cartoonbank.com/1993/On-the-Internet-nobody-knows-youre-a-dog/invt/106197">cartoon</a> in 1993 which shows a dog sitting at a computer terminal saying to another dog, &#8220;On the Internet, nobody knows you&#8217;re a dog.&#8221;  A few years ago, I went to a talk given by one of the computer graphics experts who worked on Jurassic Park.  He was describing how they created many of the dinosaurs in the movie completely by computer.  He went on to say that within a decade, they will be able to create human beings on film completely by computer without any need for actors.  The power of Photoshop to recreate photographic reality is seen as magazines are caught digitally manipulating photos to meet their needs.</p>
<p>Over 15 years after the original New Yorker cartoon, there is still no widely deployed mechanism for verifying the identity of anyone or authenticity of anything found on the web.  As the web becomes the primary source of information for more and more of the world&#8217;s populace, it becomes harder and harder to discern truth from fiction.  The question is, &#8220;How do you know who to trust?&#8221;</p>
<p>Over time, as technology has evolved, new trust models have been developed to keep up.</p>
<ul>
<li><em>Recommendations through friends</em> – This is perhaps the oldest method of establishing trust.  You simply ask someone you trust for a recommendation, e.g. you move to a new city and ask a colleague to recommend a doctor or attorney.  You believe a story because someone you know and trust tells it to you.</li>
<li><em>Recommendations through trusted third parties</em> – Restaurant, movie, or wine reviews in a newspaper are examples of this model.  Because you trust the judgment of the reviewer you trust their recommendations.  Gartner reports on IT products and vendors, and their ratings of consulting firms are an example of how effective this can be.</li>
<li><em>Process creates trust</em> &#8211; Traditional journalism requires the validation of a story from more than one source.  You believe what you read in the New York Times because you trust the vetting process they use before they print a story.  Wikipedia is also an example of this trust model.  You trust the contents of Wikipedia because you believe that the &#8220;crowd sourcing&#8221; process used is effective.</li>
<li><em>Community ratings</em> – Zagat guides demonstrate the effectiveness of this approach.  Rather than depending on a single trusted third party, you simply aggregate the opinions of a large number of people and use that as a recommendation.  Based on their success with restaurants, Zagat has extended their model to hotels, nightlife, movies, music and now even dating (&#38; dumping).  This model has been dramatically extended on the Web to everything from local repair people to attorneys and doctors.</li>
<li><em>Reputation systems</em> &#8211; eBay&#8217;s trust model is perhaps the most novel.  With most eBay transactions, an auction winner sends payment to a completely unknown seller when the auction completes.  The seller then ships the product to the winner.  There is no formal recourse if the product does not meet the buyer&#8217;s expectations or even to complain if the seller never ships the product at all.  Within eBay, there is a system of community reputation in which buyers rate sellers.  For a prospective buyer, a seller with a high reputation score has lots of satisfied customers and therefore can be trusted.</li>
</ul>
<p>However, as web information continues to explode and search engines now provide results which include Twitter and Facebook, clearly a new trust model is needed.  Recently David Pogue, the respected New York Times columnist, was accused of a conflict of interest by a number of Twitter posters.  One such Twitter post was from a Twitter user with the name &#8220;John C. Dvorak&#8221;, which also happens to be the name of another well respected computer journalist.  David Pogue gave an <a href="http://twit.tv/213">interview</a> about the incident and took John Dvorak to task for his Twitter posts.  Unfortunately, the Twitter poster was not the computer journalist John C. Dvorak but someone else with the same name.  The journalist actually posts under the Twitter name &#8220;TheRealDvorak&#8221; and had made no comment at all about Pogue.  In this case even Pogue, an experienced New York Times reporter, didn&#8217;t realize he had mistakenly assumed he knew who the post was from.</p>
<p>Twitter has responded to the growing problem of mistaken identity by providing a program which tries to verify the identity of some Twitter users.   Unfortunately, the program is limited to a very small number of celebrities, and given the rate at which Twitter is growing and the company&#8217;s limited resources, this problem will likely grow as more and more people believe what they read on Twitter.</p>
<p>Solving this problem is one of the great challenges ahead and will require significant new innovation.  If you can&#8217;t tell who&#8217;s who, or what&#8217;s what, on the Internet, its value as an information repository will start to diminish.</p>
<p><strong>Author: Sheldon Laube, Chief Innovation Officer</strong></p>
<p><em>For more of Sheldon&#8217;s thoughts on these topics, check out his video interview on <a href="http://www.ideasproject.com/idea_person.webui?id=4642">IdeasProject</a>.</em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[British Security Defense Manual Leaked...]]></title>
<link>http://pcidss.wordpress.com/2009/11/30/british-security-defense-manual-leaked/</link>
<pubDate>Mon, 30 Nov 2009 23:46:29 +0000</pubDate>
<dc:creator>pcidss</dc:creator>
<guid>http://pcidss.wordpress.com/2009/11/30/british-security-defense-manual-leaked/</guid>
<description><![CDATA[The British government had their Defence Manual of Security (2001) leaked to the internet on October]]></description>
<content:encoded><![CDATA[The British government had their Defence Manual of Security (2001) leaked to the internet on October]]></content:encoded>
</item>
<item>
<title><![CDATA[I'll be going to FloCon this year - are you?]]></title>
<link>http://sintixerr.wordpress.com/2009/11/30/ill-be-going-to-flocon-this-year-are-you/</link>
<pubDate>Mon, 30 Nov 2009 19:06:36 +0000</pubDate>
<dc:creator>Jack Whitsitt</dc:creator>
<guid>http://sintixerr.wordpress.com/2009/11/30/ill-be-going-to-flocon-this-year-are-you/</guid>
<description><![CDATA[In a bit of fun and interesting timing it turns out I&#8217;ll be going to flocon in New Orleans thi]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>In a bit of fun and interesting timing it turns out I&#8217;ll be going to <a href="http://www.cert.org/flocon/" target="_blank">flocon</a> in New Orleans this January.</p>
<p>I&#8217;ve spent the past 2-3 years doing business risk and security architecture, national sector level strategy, policy, etc&#8230;but now find myself getting into the technical details of building a CERT (<a href="http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Fact_Sheet_02c.pdf" target="_blank">ICS-CERT</a>, specifically)&#8230;so it&#8217;s suddenly time to get more up to speed on flows and how people are using them these days (especially since I&#8217;d previously spent most of my time with firewalls and IDS data and not netflow / <a href="http://tools.netsa.cert.org/silk/index.html" target="_blank">SiLK</a> stuff).</p>
<p>My work on and release of <a href="../pkviz-packet-visualizer-and-animator/" target="_blank">pkviz</a> this past weekend has helped a bit to get me re-focused on data analysis and playing with correlation tools and methodologies, but I&#8217;m still finding it odd going back to my earlier technology-centric security role  &#8211; which I&#8217;d thought I&#8217;d given up.  My head space has to be completely different than it was and I have to work around what some have called my fatalistic belief that technical security measures and analysis are doomed to fail in the face of our complete lack of interest in doing business risk architectures.</p>
<p>What scares me a little, though, is when I&#8217;ve been talking to people and doing research lately, <strong>it seems the state of the art of IDS, Flows, SEMS, SIEMS, network data analysis, etc. hasn&#8217;t changed all that much in the past few years.</strong> More vendors have sold more products, but they still do the same (questionable) things it seems. What gives? Am I off base?</p>
<p>Still, I&#8217;m pretty excited to get back into this type of thing and about the con. Who&#8217;s going to be there?</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Why I Don't Share Client Name ]]></title>
<link>http://securityheadhunter.wordpress.com/2009/11/30/why-i-dont-share-client-name/</link>
<pubDate>Mon, 30 Nov 2009 13:48:39 +0000</pubDate>
<dc:creator>Wils Bell</dc:creator>
<guid>http://securityheadhunter.wordpress.com/2009/11/30/why-i-dont-share-client-name/</guid>
<description><![CDATA[Why I Don&#8217;t Share the Name of Client on First Recruiting Call When I am recruiting for an open]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:center;"><a title="Security Recruiter Stories" href="http://securityheadhunter.com/security-recruiter-client.php" target="_blank">Why I Don&#8217;t Share the Name of Client on First Recruiting Call</a></p>
<p>When I am recruiting for an open <a href="http://securityheadhunter.com">Security Job</a> that is not a retained search, I usually do not share the name of my client with a cold-called candidate, for several reasons, until we have talked in detail.</p>
<p>First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for &#8220;this job&#8221;.  Perhaps future jobs, but not this one. It does not mean that they are not a good security candidate, just not a good match for this job. Sometimes they, on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me to pre-screen heavily so as only to present dead-on matches, they get upset.  I have had these people try to go directly to the client themselves or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.</p>
<p>Also, I have had some very well-intentioned people who knew my client name simply mention to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company, and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out, they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.</p>
<p>Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.</p>
<p>Since this is how I earn a living for me and my family please don&#8217;t be insulted by the process and my guarding my client name until we agree it&#8217;s a match.</p>
<p>Happy Holidays,</p>
<p>Wils Bell &#8211; <a href="http://securityheadhunter.com" target="_blank">Security Recruiter</a></p>
<p>Bell (at) SecurityHeadhunter.com</p>
<p>SecurityHeadhunter.com, Inc.</p>
<p><a href="http://www.securityheadhunter.com" target="_blank">SecurityHeadHunter.com </a></p>
<p>Desk: 407-365-2404</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[F-35 JSF: not an open source platform]]></title>
<link>http://cencio4.wordpress.com/2009/11/30/f-35-jsf-not-an-open-source-platform/</link>
<pubDate>Sun, 29 Nov 2009 23:57:38 +0000</pubDate>
<dc:creator>David Cenciotti</dc:creator>
<guid>http://cencio4.wordpress.com/2009/11/30/f-35-jsf-not-an-open-source-platform/</guid>
<description><![CDATA[I&#8217;ve recently read with much interest a Reuters news dealing with the software code that the c]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I&#8217;ve recently read with much interest a Reuters news story dealing with the software code that controls the F-35. According to the article, a senior Pentagon program official has affirmed that no foreign partner will be granted access to the source code of the Joint Strike Fighter. Even if it is not clear which computer hosts such an important code, the 8 million lines of software code (!) will not be made available to any of the 8 <img class="size-full wp-image-2217 alignright" style="margin:5px;" title="JSF logo" src="http://cencio4.wordpress.com/files/2009/11/logo_color_large.jpg" alt="" width="187" height="187" />partners that have co-financed the F-35 development (Italy included), Jon Schreiber, who heads the program&#8217;s international affairs, told Reuters. Instead, the US will set up a reprogramming facility, most probably at Eglin AFB in Florida, where F-35 software will be developed in order to provide the required upgrades.<br />
New aircraft largely depend on software. The Italian Eurofighters are among them. The Italian Typhoon fleet is made up of single-seat F-2000As and two-seat F-2000Bs in many different configurations: Block 1, 1B, 2, 2B, 5, 8 and 8B.  Aircraft of different Blocks look very similar to one another externally, as the main differences lie in the software releases. Functionality evolves in terms of production software packages (PSPs): the way the aircraft fight, employ their weapons, communicate and exchange data with other assets largely depends on the PSP software version. However, “new” is not “better”: some of the aircraft running the old version of the software are more efficient and capable than the new aircraft delivered with the &#8220;beta releases&#8221;, as the old software has been fully developed while the new one is still in the early development stages. That&#8217;s why Italian Tranche 1 Typhoons are currently more mission capable than the recently delivered Tranche 2 examples.</p>
<p><a href="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/20080408_1121.jpg" target="_blank"><img src="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/20080408_1121.jpg" border="0" alt="" width="459" height="306" /></a></p>
<p><a href="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/3480144077_fe98285a37_o.jpg" target="_blank"><img src="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/th_3480144077_fe98285a37_o.jpg" border="0" alt="" /></a> <a href="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/BF-2FirstRefuel.jpg" target="_blank"><img src="http://i226.photobucket.com/albums/dd80/cenciotti/Source%20Code/th_BF-2FirstRefuel.jpg" border="0" alt="" /></a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[ISO 27001 – Information Security Management Systems]]></title>
<link>http://cxochannel.wordpress.com/2009/11/28/iso-27001-%e2%80%93-information-security-management-systems/</link>
<pubDate>Sat, 28 Nov 2009 21:48:30 +0000</pubDate>
<dc:creator>CxO Channel</dc:creator>
<guid>http://cxochannel.wordpress.com/2009/11/28/iso-27001-%e2%80%93-information-security-management-systems/</guid>
<description><![CDATA[ISO 27001 is an international standard that details the requirements for establishing and maintainin]]></description>
<content:encoded><![CDATA[ISO 27001 is an international standard that details the requirements for establishing and maintainin]]></content:encoded>
</item>
<item>
<title><![CDATA[Packet Visualizer/Animator DONE! (ish) and Tool Posted for Download]]></title>
<link>http://sintixerr.wordpress.com/2009/11/28/packet-visualizeranimator-done-ish-and-posted/</link>
<pubDate>Sat, 28 Nov 2009 19:06:53 +0000</pubDate>
<dc:creator>Jack Whitsitt</dc:creator>
<guid>http://sintixerr.wordpress.com/2009/11/28/packet-visualizeranimator-done-ish-and-posted/</guid>
<description><![CDATA[Whew. I can relax. For the past 2-3 months, I&#8217;ve been working on my first real Objective-C pro]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Whew. I can relax.</p>
<p>For the past 2-3 months, I&#8217;ve been working on my first real <a href="http://en.wikipedia.org/wiki/Objective-C" target="_blank">Objective-C</a> project (my iPhone app is still going, it just took a back seat to this): an application that will read <a href="http://en.wikipedia.org/wiki/Tcpdump" target="_blank">tcpdump</a> output and animate the packets over time using their inherent <a href="http://www.comsci.us/datacom/ippacket.html" target="_blank">byte / packet structure</a>.</p>
<p>And now&#8230;it&#8217;s up and in beta-ish quality. (Meaning it works, though some error checking and minor features aren&#8217;t quite where I want them.)</p>
<p><strong>You can download it here for free: <a href="http://sintixerr.wordpress.com/pkviz-packet-visualizer-and-animator/" target="_blank">http://sintixerr.wordpress.com/pkviz-packet-visualizer-and-animator/</a></strong></p>
<p>See it in motion here:</p>
<p><a href="http://www.youtube.com/v/WmP_Hi6yY04" target="_blank">http://www.youtube.com/v/WmP_Hi6yY04</a></p>
<p>This project was important to me and has been a long time coming. I&#8217;ve wanted to write a packet visualizer since I first started working with data viz 5 or so years ago at <a href="http://www.linkedin.com/companies/netsec" target="_blank">NetSec</a> and was using <a href="http://www.advizorsolutions.com/" target="_blank">Advizor</a>. That tool cost thousands of dollars per seat, didn&#8217;t really animate (at least the way I needed), and only parsed CSV or databases. The free tools, like <a href="http://www.gnuplot.info/" target="_blank">GnuPlot</a>, just weren&#8217;t up to the task at all.</p>
<p>I also wanted something that could plot out data in interesting, pretty ways for some art projects I have in mind.</p>
<p>So, I originally started this time around on a quest to write a short python parser for tcpdump ascii hex output to put into &#60;some generic viz tool&#62; just to get started&#8230;but somehow I ended up writing a full-fledged visualizer (my first GUI project ever, I might add!). The learning process was a blast &#8211; I feel like I&#8217;m a much better coder for it &#8211; and I&#8217;ll be able to extend/expand on this to use for other art and security projects that are on my plate or are coming up.</p>
<p>I&#8217;m pretty excited about it. To see this finished through after years of whining to myself about it, procrastinating, and genuinely not having enough time, is pretty awesome. I&#8217;ve even already created a couple of cool shots that I&#8217;m happy to call &#8220;art&#8221; (granted, there is some photoshop processing here, but they&#8217;re both true to their originals!):</p>
<p><a href="http://farm3.static.flickr.com/2639/3986055652_cd263f6f7d_o.jpg" target="_blank"><img class="alignnone" src="http://farm3.static.flickr.com/2639/3986055652_cd263f6f7d_o.jpg" alt="" width="114" height="190" /></a> <a href="http://farm3.static.flickr.com/2728/4128320540_3fc0882aca_o.jpg" target="_blank"><img class="alignnone" src="http://farm3.static.flickr.com/2728/4128320540_3fc0882aca_o.jpg" alt="" width="114" height="190" /></a></p>
<p>Anyway, Mac Users, check out the tool and let me know what you think!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[You Can’t Protect What You Don’t Know You Have…]]></title>
<link>http://enterprisesolutionsblog.shavlik.com/2009/11/24/you-can%e2%80%99t-protect-what-you-don%e2%80%99t-know-you-have%e2%80%a6/</link>
<pubDate>Tue, 24 Nov 2009 18:53:57 +0000</pubDate>
<dc:creator>daveeike</dc:creator>
<guid>http://enterprisesolutionsblog.shavlik.com/2009/11/24/you-can%e2%80%99t-protect-what-you-don%e2%80%99t-know-you-have%e2%80%a6/</guid>
<description><![CDATA[One of the most important IT business practices that every company large and small should engage in ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>One of the most important IT business practices that every company, large and small, should engage in is IT asset management. To ensure your various software and hardware assets are both visible and measurable over their useful life, the use of automated tools to manage the discovery of these assets is very important. Establishing a complete and accurate picture of your current base of information technology assets will not only affect your ability to properly support your current base of users, but will also have a direct impact on your ability to identify and remediate previously unidentified vulnerabilities.</p>
<p>One of the key steps necessary to implement a good IT asset management methodology is to define a measurable process to manage these assets from acquisition through final disposition. This process should include the following components:</p>
<p><strong>Item 1</strong> &#8211; Establish a clear set of policies around the acquisition and appropriate use of these types of assets. This process should include a means of tracking existing software and hardware assets, capturing, at a minimum, product name, version, and manufacturer. Additionally, this information can be used to proactively determine software license compliance, which should be measured annually.</p>
<p><strong>Item 2</strong> &#8211; Once the asset(s) (software or hardware) have been acquired, you’ll need to implement some form of automation to track their status, from their initial deployment to their disposition. Considering the frequency with which systems and applications change, this type of “best practice” will help optimize the use and performance of these assets throughout their useful life.</p>
<p>There was an excellent article published recently titled “Back to Basics: 5 Things IT Could Do Better in 2010” that does an excellent job of touching on the importance of asset inventory management. The author and I agree: we both firmly believe that asset inventory management is an important security best practice.</p>
<p><a href="http://www.technewsworld.com/story/Back-to-Basics-5-Things-IT-Could-Do-Better-in-2010-68662.html?wlc=1258469771">http://www.technewsworld.com/story/Back-to-Basics-5-Things-IT-Could-Do-Better-in-2010-68662.html?wlc=1258469771</a></p>
<p>Other advantages that can be realized from a well thought out IT asset management program center on:</p>
<p><strong>Help Desk / Support Reduction</strong> – The asset management information you are able to garner is invaluable in terms of diagnosing individual system problems, as well as minimizing end-user downtime. Help Desk or Client Support should have access to individual system details directly from whatever system you put into place, which will certainly help improve support levels via a more accurate diagnosis of the problem.</p>
<p><strong>Risk Reduction</strong> – These days, with the sheer number of vulnerabilities on the rise, the ability to accurately assess your inventory of both software and hardware goes a long way towards helping you reduce risk. It’s very difficult to protect yourself from things you’re unaware of, thus (again) the importance of good automation to assist with the process.</p>
<p>In summary, by better understanding the types of assets you currently manage, you’ll quickly realize a much greater level of efficiency, as well as reduce your risk.</p>
<p>Dave Eike</p>
<p>Shavlik Technologies</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA["In" Security Information and IT Misgovernment]]></title>
<link>http://eduardodelosreyes.wordpress.com/2009/11/23/in-security-information-and-it-misgovernment/</link>
<pubDate>Mon, 23 Nov 2009 10:53:13 +0000</pubDate>
<dc:creator>eduardodelosreyes</dc:creator>
<guid>http://eduardodelosreyes.wordpress.com/2009/11/23/in-security-information-and-it-misgovernment/</guid>
<description><![CDATA[A blog for avoiding bad practices in Information Security and IT Governance]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A blog for avoiding bad practices in Information Security and IT Governance</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Will IDNs Pose the Next Big Security Threat]]></title>
<link>http://ciip.wordpress.com/2009/11/22/will-idns-pose-the-next-big-security-threat/</link>
<pubDate>Sun, 22 Nov 2009 12:52:10 +0000</pubDate>
<dc:creator>CIIP</dc:creator>
<guid>http://ciip.wordpress.com/2009/11/22/will-idns-pose-the-next-big-security-threat/</guid>
<description><![CDATA[Last week ICANN (Internet Corporation for Assigned Names and Numbers) Which is the International bod]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Last week ICANN (Internet Corporation for Assigned Names and Numbers), which is the international body responsible for, among other things, administering the domain name system (DNS), announced that countries can now apply for website domain names and TLDs (&#8220;Top Level Domain Names&#8221;) in non-Roman characters, with countries like Egypt, China, Israel and Russia already applying for Arabic, Chinese, Hebrew and Cyrillic respectively, marking the true beginning of IDNs (Internationalized Domain Names).</p>
<p>Experts expect the new breed of URLs to surface within a year. ICANN Chairman Peter Dengate Thrush noted in a statement, &#8220;The IDN program will encompass close to one hundred thousand characters, opening up the Internet to billions of potential users around the globe.&#8221;</p>
<blockquote><p>
“This is the biggest technical change to the Internet’s addressing system – the Domain Name System – in many years,” said Tina Dam, ICANN’s senior director of Internationalized Domain Names. “Right now, it’s not possible to get a domain name entirely in, for example, Chinese characters or Arabic characters. This is about to change.” </p></blockquote>
<p>My comment:<br />
I think it&#8217;s a good step to increase the accessibility and usability of the Internet, but it&#8217;s unlikely to come without a cost.</p>
<p>There is no way that we can properly manage this new system without DNSSEC, which must be an international priority now.</p>
<p>DNS security measures will need to be taken very seriously. The subtle difference between BankofAmerica.com and BánkofAmerica.com is just a small example of how criminals could exploit the new system.</p>
<p>Not to mention the foreseeable technical challenges in properly identifying the new breed of phishing sites and spam servers, etc. To sum it up, this will be the biggest challenge to date facing the Internet&#8217;s critical resources.</p>
<p>Former ICANN CEO Twomey stated back in 2006 that &#8220;there are 37 possible characters that can be used in domain names, but if non-English letters are allowed, this number would rise to 50,000 or more&#8221; (my comment: actually more like 100,000). He added that this could create problems where, for example, a character in Urdu looks identical to one in Arabic. This would confuse the system and make it difficult to direct users to the right website every time.</p>
<p>ICANN announcement: <a href="http://www.icann.org/en/topics/idn/fast-track/">here</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Scarewares - what you need to know]]></title>
<link>http://dv4u.wordpress.com/2009/11/20/scarewares-what-you-need-to-know/</link>
<pubDate>Fri, 20 Nov 2009 02:09:14 +0000</pubDate>
<dc:creator>dv4u</dc:creator>
<guid>http://dv4u.wordpress.com/2009/11/20/scarewares-what-you-need-to-know/</guid>
<description><![CDATA[Overview Throughout the last couple of years, scareware (a.k.a. fake security software), emerged qui]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Overview</strong></p>
<p>Throughout the last couple of years, scareware (a.k.a. fake security software) emerged quickly as the single most profitable money-making strategy for cybercriminals to leverage. Due to aggressive advertising practices used by the cybercrime syndicates, <a href="http://www.symantec.com/about/news/release/article.jsp?prid=20091019_01">thousands of users fall victim</a> to the scam on a daily basis, with the syndicates themselves earning loads of dollars in the process.</p>
<p><strong>What is a Scareware?</strong></p>
<p><a href="http://dv4u.wordpress.com/files/2009/11/scareware01.jpg"><img class="alignright size-thumbnail wp-image-603" title="scareware01" src="http://dv4u.wordpress.com/files/2009/11/scareware01.jpg?w=150" alt="Example of a Scareware" width="150" height="93" /></a>Scareware, also known as rogueware or fake security software, is a legitimately looking application that is delivered to the end user through the internet traffic derived from compromised web sites, malicious advertising, or keywords hijacking in order to serve scareware. It’s objective is to trick the user into believing that their computer is already infected with malware, and that by purchasing the application will help them get rid of it.</p>
<p>Once executed on a computer, some scareware will not only prevent legitimate security software from starting, but it will also prevent it from being updated. This is to ensure that the end user will not be able to get the latest anti-virus updates. To worsen the situation, it will also make its removal a cumbersome process by blocking system tools and third-party applications from executing.</p>
<p>There have also been cases of scareware with elements of ransomware, which encrypts an infected user’s files and demands a purchase in order to decrypt them.</p>
<p><strong>How to spot Scareware?</strong></p>
<p><a href="http://dv4u.wordpress.com/files/2009/11/scareware02.jpg"><img class="alignright size-medium wp-image-604" title="scareware02" src="http://dv4u.wordpress.com/files/2009/11/scareware02.jpg?w=300" alt="Example of comparison tables and charts from scareware sites" width="300" height="185" /></a>As scareware is usually distributed by syndicates, it tends to follow a standard template. Hence, scareware sites all share a very common set of deceptive advertising practices, which can easily help you spot them before making a purchase.</p>
<p>For instance, most scareware sites try to make their sales pitch more realistic and credible by using <strong>“non-clickable” icons of reputable technology web sites</strong> and performance-evaluation services, such as PC Magazine Editors’ Choice award, Microsoft Certified Partner, ICSA Labs Certified, Westcoast Labs Certified, Certified by Softpedia, CNET Editors’ Choice, and ZDNet Reviews. None of the real services are aware of the scareware’s existence.</p>
<p>Another popular social engineering tactic is the use of <strong>fake comparison tables or charts</strong>, in which the scareware clearly outperforms some of the leading security companies’ software.</p>
<p>Since most end-users won’t really go about double-checking these claims, and with the impulsive buying urge created by a potential warning of data loss, most end-users fall into the trap of installing the fake security software. The attached screenshot shows how three different scareware brands (Virus Shield 2009, Windows Security Suite and Malware Destructor 2009) are all using the same template claiming their superiority over legitimate security software.</p>
<p><a href="http://dv4u.wordpress.com/files/2009/11/scareware031.jpg"><img class="alignnone size-medium wp-image-606" title="scareware03" src="http://dv4u.wordpress.com/files/2009/11/scareware031.jpg?w=300" alt="" width="300" height="166" /></a></p>
<p>The wide range of tactics used leads us to the most common fear-driven social engineering tactic: <strong>simulating a real-time antivirus scan-in-progress dialog</strong>, which in reality is nothing but a static script pretending to run a real virus scan.</p>
<p>The scanner’s results are fake; in fact the script has no access to your hard drive at all. Therefore claims such as “You’re Infected!”, “Windows has been infected”, “Warning: Malware Infections founds” or “Malware threat detected” should be treated as a fear-generating tactic.</p>
<p>Another key trait of a scareware site is the professional site layout, as well as the persistent attempts to rebrand the template and divert the end user’s attention from the previous brand’s increasing bad reputation across the web. When combined, these would result in an efficient social engineering scam that continues entrapping thousands of victims on a daily basis.</p>
<p><strong>What can I do to avoid Scarewares?</strong></p>
<ol>
<li>Use legitimate internet security software. TotalVirus.Com is a good website that maintains a list of recognised legitimate security software. Never use security software that you’ve never heard of before, regardless of its price or recommendation on the Internet. My personal choice is Norton 360, which you can also get online ( <a href="http://bit.ly/4CejTe" target="_blank">USA version</a> &#124; <a href="http://bit.ly/3aDFBV" target="_blank">South Asia or Singapore version</a> ).</li>
<li>Always reject an offer from the Internet or email to scan your hard drive for malicious code or viruses. If you have installed legitimate security software, you have full control over when you want to do a scan. There is no need to accept any offer to have your hard drive scanned.</li>
<li>Always make sure your legitimate internet security software has its real-time auto-protect scanning feature turned on. This is one way to stop 99.9% of scareware infections, though no internet security software is perfect.</li>
</ol>
<p><strong>What can I do if I have been attacked by Scareware?</strong></p>
<ol>
<li>If you manage to realise what is happening at the moment the fake security scan has just started, shut down your web browser immediately and unplug your network cable (if on wireless, turn the WiFi switch off). Chances are the infection may not have commenced.</li>
<li>If you are not able to shut down your web browser, or your apps aren’t responding, you might already be infected by the scareware. Try pressing [Alt]+[F4] (hold down [Alt] and press [F4]) with your web browser in focus. If this doesn’t work, <a href="http://www.discovervalue.com/kill_ie_browser.zip">download and unzip this Windows shortcut</a> onto your Windows desktop. It can be a handy tool to force-close Internet Explorer when you suspect an infection in progress.</li>
<li>The following free resources can provide tools and advice you will need to attempt removal.
<ul>
<li><a href="http://bit.ly/54IoIX" target="_blank">Malwarebytes</a>, a very reliable anti-malware company, offers a <a href="http://www.malwarebytes.org/mbam.php" target="_blank">free version</a> of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.</li>
<li><a href="http://411-spyware.com/" target="_blank">411 Spyware</a> – a site that specializes in malware removal. I highly recommend this site.</li>
<li><a href="http://www.bleepingcomputer.com/" target="_blank">Bleeping Computer</a> – a web site where help is available for many computer-related problems, including the removal of rogue software. This is another site I highly recommend.</li>
<li><a href="http://siri.geekstogo.com/SmitfraudFix.php" target="_blank">SmitFraudFix</a>, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.</li>
</ul>
</li>
</ol>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[First Post !]]></title>
<link>http://mranthony.wordpress.com/2009/11/19/first-post/</link>
<pubDate>Thu, 19 Nov 2009 18:03:35 +0000</pubDate>
<dc:creator>mranthony</dc:creator>
<guid>http://mranthony.wordpress.com/2009/11/19/first-post/</guid>
<description><![CDATA[I&#8217;m working as an Information Security Manager and studying for an MSc in Information Security]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I&#8217;m working as an Information Security Manager and studying for an MSc in Information Security by distance learning through the Royal Holloway University. This Blog is an outpouring of my thoughts on issues or subjects encountered through both work and study. Or anything else that I think is Blogworthy.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Virtualization: When and where?]]></title>
<link>http://labs.neohapsis.com/2009/11/17/virtualization-when-and-where/</link>
<pubDate>Tue, 17 Nov 2009 22:37:54 +0000</pubDate>
<dc:creator>tylerallison</dc:creator>
<guid>http://labs.neohapsis.com/2009/11/17/virtualization-when-and-where/</guid>
<description><![CDATA[We often field questions from our clients regarding the risks associated with hypervisor / virtualiz]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We often field questions from our clients regarding the risks associated with hypervisor / virtualization technology.  Ultimately the technology is still software, and still faces many of the same challenges any commercial software package faces, but there are definitely some areas worth noting.</p>
<p>The following thoughts are by no means a comprehensive overview of all issues, but they should provide the reader with a general foundation for thinking about virtualization-specific risks.</p>
<p>Generally speaking, virtual environments are not that different than physical environments.  They require much of the same care and feeding, but that&#8217;s the rub; most companies don&#8217;t do a good job of managing their physical environments, either.  Virtualization can simply make existing issues worse.</p>
<p>For example, if an organization doesn&#8217;t have a vulnerability management program that is effective at activities like asset identification, timely patching, maintaining the installed security technologies, change control, and system hardening, then the adoption of virtualization technology usually compounds the problem via increased &#8220;server sprawl.&#8221;  Systems become even easier to deploy, which leads to more systems not being properly managed.</p>
<p>We often see these challenges creep up in a few scenarios:</p>
<p><strong>Testing environments</strong> &#8211; Teams can get the system up and running very quickly using existing hardware.  Easy and fast&#8230;but also dirty. They often don&#8217;t take the time to harden the system or bring it up to current patch levels or install required security software.</p>
<p>Even in the scenarios where templates are used, with major OS vendors like Microsoft and Red Hat coming out with security fixes on a monthly basis, a template even 2 months old is out of date.</p>
<p><strong>Rapid deployment of &#8220;utility&#8221; servers</strong> &#8211; Systems that run back-office services like mail servers, print servers, file servers, DNS servers, etc.  Often nobody really does much custom work on them, and because they can no longer be physically seen or &#8220;tripped over&#8221; in the data center they sometimes fly under the radar.</p>
<p><strong>Development environments &#8211; </strong>We often see virtualization technology making inroads into companies with developers that need to spin up and spin down environments quickly to save time and money.  The same challenges apply; if the systems aren&#8217;t maintained (and they often aren&#8217;t &#8211; developers aren&#8217;t usually known for their attention to system administration tasks) they present great targets for the would-be attacker.  Even worse if the developers use sensitive data for testing purposes.  If properly isolated, there is less risk from what we&#8217;ve described above, but that isolation has to be pretty well enforced and monitored to really mitigate these risks.</p>
<p>There are also risks associated with vulnerabilities in the technology itself.  The often feared &#8220;guest break out&#8221; scenario, where a virtual machine or &#8220;guest&#8221; is able to &#8220;break out&#8221; of its jail and take over the host (and therefore access data in any of the other guests), is a common one, although we haven&#8217;t heard of any real-world exploitations of these defects&#8230;yet.  (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1244">Although the vulnerabilities are starting to become better understood</a>.)</p>
<p>There are also concerns about hopping between security &#8220;zones&#8221; when it comes to compliance or data segregation requirements.  For example, a physical environment typically has a firewall and other security controls between a web server and a database server.  In a virtual environment, if they are sharing the same host hardware, you typically cannot put a firewall, intrusion detection device or data leakage control between them.  This could violate control mandates found in standards such as PCI in a credit card environment.</p>
<p>Even assuming there are no vulnerabilities in the hypervisor technology that allow for evil network games between hosts, when you house two virtual machines/guests on the same hypervisor/host you often lose the visibility of the network traffic between them.  So if your security relies on restricting or monitoring at the network level, you no longer have that ability.  Some vendors are working on solutions to resolve intra-host communication security but it&#8217;s not mature by any means.</p>
<p>Finally, the &#8220;many eggs in one basket&#8221; concern is still a factor; when you have 10, 20, 40 or more guest machines on a single piece of hardware, that&#8217;s a lot of potential systems going down should there be a problem.  While the virtualization software vendors will certainly offer high availability scenarios with technology such as <a href="http://www.vmware.com/products/vmotion/">VMware&#8217;s &#8220;VMotion&#8221;</a>, redundant hardware, the use of SANs, etc., the cost and complexity adds up fairly fast.  (And as we have seen from some rather <a href="http://www.informationweek.com/blog/main/archives/2009/10/cloud_goes_boom.html">nasty SAN failures the past two months</a>, SANs aren&#8217;t always as failsafe as we have been led to believe. You still have backups, right?)</p>
<p>While in some situations the benefits of virtualization technology far outweigh the risks, there are certainly situations where existing non-virtualized architectures are better. The trick is finding that line in the midst of the pell-mell rush towards virtualization.</p>
<p>&#8211;Tyler</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA["60 Minutes" Video: Sabotaging the System]]></title>
<link>http://silvertailsystems.wordpress.com/2009/11/15/60-minutes-video-sabotaging-the-system/</link>
<pubDate>Sun, 15 Nov 2009 18:43:56 +0000</pubDate>
<dc:creator>Laura Mather</dc:creator>
<guid>http://silvertailsystems.wordpress.com/2009/11/15/60-minutes-video-sabotaging-the-system/</guid>
<description><![CDATA[Several people have mentioned the 60 Minutes episode that aired last Sunday night.  I watched it and]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Several people have mentioned the 60 Minutes episode that aired last Sunday night.  I watched it and was fascinated by a lot of it.</p>
<p>First, it&#8217;s very rare that the government will talk about possible threats against its infrastructure.  To hear people talking about how you could manipulate the programming of a power generator to get it to self-destruct was much more information than I&#8217;m used to seeing on TV &#8211; especially in prime time.</p>
<p>Second, the discussion about how other governments have very likely already infiltrated our government&#8217;s systems was amazing.</p>
<p><img class="alignright size-full wp-image-844" title="STSpic3" src="http://silvertailsystems.wordpress.com/files/2009/11/stspic3.jpg" alt="STSpic3" width="297" height="81" />I agree that all of this has very likely already happened, but I was surprised to see it discussed so openly.  I&#8217;m torn &#8211; is it a good thing to raise awareness about these types of issues?  Maybe.  I suppose it might help increase the funding around protection mechanisms, etc.  Is it better to not talk about it?  Maybe.  That means the attackers don&#8217;t know what we know and it also makes it more difficult for new attackers to identify these vulnerabilities.</p>
<p>My opinion is that these vulnerabilities and potential exploits need to be kept somewhat secret.  There are a select set of people who could help defuse the problem if they are &#8220;in the know&#8221;, but making it public is very risky.  I look at what happened around the <a href="http://en.wikipedia.org/wiki/Dan_Kaminsky" target="_blank">Kaminsky vulnerability</a> and, more recently, the SSL MitM hole.  For a while, these issues were kept very secret while a select set of organizations and individuals labored to resolve them. Obviously, they didn&#8217;t stay totally secret.  But I think something along those lines is the better way to handle these threats than to expose them on tv.</p>
<p>In case you want to see what the government is talking about on TV, you can watch the 60 Minutes video <a href="http://www.cbsnews.com/video/watch/?id=5578986n" target="_blank">here</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Delegation of Israeli information security companies at a meeting in Paris]]></title>
<link>http://nanojv.wordpress.com/2009/11/15/information-security-israel-paris-2/</link>
<pubDate>Sun, 15 Nov 2009 02:29:03 +0000</pubDate>
<dc:creator>NANOJV JOINT VENTURES CONSTRUCTOR</dc:creator>
<guid>http://nanojv.wordpress.com/2009/11/15/information-security-israel-paris-2/</guid>
<description><![CDATA[By: TheCom editorial staff. 40 high-tech companies in France will come to assess the Israeli companies, with the aim of establishing ties and acquiring solu]]></description>
<content:encoded><![CDATA[By: TheCom editorial staff. 40 high-tech companies in France will come to assess the Israeli companies, with the aim of establishing ties and acquiring solu]]></content:encoded>
</item>
<item>
<title><![CDATA[Delegation of Israeli information security companies at a meeting in Paris]]></title>
<link>http://nanojv.wordpress.com/2009/11/15/information-security-israel-paris/</link>
<pubDate>Sun, 15 Nov 2009 02:09:25 +0000</pubDate>
<dc:creator>NANOJV JOINT VENTURES CONSTRUCTOR</dc:creator>
<guid>http://nanojv.wordpress.com/2009/11/15/information-security-israel-paris/</guid>
<description><![CDATA[By: TheCom editorial staff. 40 high-tech companies in France will come to assess the Israeli companies, with the aim of establishing ties and acquiring solu]]></description>
<content:encoded><![CDATA[By: TheCom editorial staff. 40 high-tech companies in France will come to assess the Israeli companies, with the aim of establishing ties and acquiring solu]]></content:encoded>
</item>
<item>
<title><![CDATA[Aligning Security and Company Risk - Lessons Learned from Others' Mistakes]]></title>
<link>http://awareity.wordpress.com/2009/11/13/aligning-security-and-company-risk-lessons-learned-from-others-mistakes/</link>
<pubDate>Fri, 13 Nov 2009 16:59:30 +0000</pubDate>
<dc:creator>awareity</dc:creator>
<guid>http://awareity.wordpress.com/2009/11/13/aligning-security-and-company-risk-lessons-learned-from-others-mistakes/</guid>
<description><![CDATA[Excellent Lessons Learned from Major Incidents There is a saying that no leader will live long enoug]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Excellent Lessons Learned from Major Incidents</strong></p>
<p>There is a saying that no leader will live long enough to learn from their own mistakes, so great leaders learn from other people’s mistakes too.</p>
<p>As I was reviewing titles from the November issue of Security Management (an ASIS publication) and on the lookout for lessons learned, I came across the following title:  <strong><em><a href="http://bit.ly/2zXbX9" target="_blank">Aligning Security and Company Risk</a></em></strong></p>
<p>I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health &#38; Services took after major incidents occurred at their organizations.</p>
<p>The article really got my attention when I read the first paragraph:</p>
<p><em>After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.</em></p>
<p>The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned and that no technology solution was going to “fix” their problems, gaps and weaknesses. </p>
<p>Are your organization’s security, compliance and risk management efforts aligned?</p>
<p>Does your organization have policies and procedures that help all appropriate personnel understand how your organization’s business processes are aligned?</p>
<p>Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management?  Compliance Management?  Risk Management? Reputation Management?</p>
<p>Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?</p>
<p>In my experience performing risk, vulnerability, compliance, safety and continuity assessments, most organizations can definitely learn from other leaders’ and other organizations’ mistakes sooner rather than later.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[SPECIAL REPORT: How IT Revolutionizes the Workplace? ]]></title>
<link>http://fvdb.wordpress.com/2009/11/12/special-report-how-it-revolutionizes-the-workplace/</link>
<pubDate>Thu, 12 Nov 2009 12:49:08 +0000</pubDate>
<dc:creator>Vincent</dc:creator>
<guid>http://fvdb.wordpress.com/2009/11/12/special-report-how-it-revolutionizes-the-workplace/</guid>
<description><![CDATA[What is teleworking? SPECIAL REPORT: The advent of Information Technology introduced so many changes]]></description>
<content:encoded><![CDATA[What is teleworking? SPECIAL REPORT: The advent of Information Technology introduced so many changes]]></content:encoded>
</item>
<item>
<title><![CDATA[Addressing The Vulnerabilities That Matter...]]></title>
<link>http://enterprisesolutionsblog.shavlik.com/2009/11/11/addressing-the-vulnerabilities-that-matter/</link>
<pubDate>Wed, 11 Nov 2009 21:43:36 +0000</pubDate>
<dc:creator>daveeike</dc:creator>
<guid>http://enterprisesolutionsblog.shavlik.com/2009/11/11/addressing-the-vulnerabilities-that-matter/</guid>
<description><![CDATA[If you consider the subject of vulnerability management, which is quite broad – there are two specif]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>If you consider the subject of vulnerability management, which is quite broad – there are two specific areas that present the most likely potential for risk. They center around the ability to ensure that your various systems (be it servers or workstations) are properly patched and properly configured.</p>
<p>If you were to conduct a random vulnerability assessment of almost any corporation these days, the mix of vulnerabilities that you would discover would be quite consistent. Based on research that is supported by the broader analyst community, and on personal experience, what you should expect to discover (on average) is as follows: 50% of the vulnerabilities would be tied to systems that were poorly patched, 40% would be tied to systems that are poorly configured, and the remaining 10% would be tied to a set of medium-grade vulnerabilities that are more nuisance than anything else. So what does this tell us? Well, it suggests that 90% of your potential for risk centers around systems that are either poorly patched or poorly configured. By injecting a set of well-defined policies, processes and automation into the mix, you can shield yourself from the vast majority of the critical vulnerabilities that could affect your environment.</p>
<p>So what should you do? Well the first thing you need to consider is the development of a good patch and configuration management methodology. This would include the following:</p>
<ul>
<li>The development and implementation of a policy that is both enforceable and measurable.</li>
<li>You should also factor in some form of testing, to ensure that nothing breaks prior to actual policy enforcement / remediation. This has become far easier to accomplish, especially with the advent of VMware.</li>
<li>You should also include an adequate level of automation. Look for technology that will help you establish a solid baseline – for both the patch and configuration posture you’re looking to maintain. This type of automation should provide you with the ability to accurately assess for risk (vulnerabilities), enforce (or remediate) any discovered vulnerabilities&#8230;as well as provide a means of measuring what you’ve established as policy.</li>
</ul>
<p>There was a great example of this (specific to the patch management process) that was illustrated in a recent article written by Eric Schultze. The title of the article is “Structuring Patch Management in Seven Steps”. The link to the article is as follows:</p>
<p><a href="http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1373373,00.html?track=NL-1108&#38;ad=733390&#38;asrc=EM_NLT_9811497&#38;uid=4164928#">http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1373373,00.html?track=NL-1108&#38;ad=733390&#38;asrc=EM_NLT_9811497&#38;uid=4164928#</a></p>
<p>So to summarize…by applying the approach I outlined above, you’ll be well on your way towards limiting your risk!</p>
<p>Dave Eike<br />
Shavlik Technologies</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Federal Data Breach Bills Pass the Senate Judiciary Committee]]></title>
<link>http://datariskgovernance.com/2009/11/11/federal-data-breach-bills-pass-the-senate-judicary-committee/</link>
<pubDate>Wed, 11 Nov 2009 18:29:07 +0000</pubDate>
<dc:creator>Matt</dc:creator>
<guid>http://datariskgovernance.com/2009/11/11/federal-data-breach-bills-pass-the-senate-judicary-committee/</guid>
<description><![CDATA[Click here to read article on SC Magazine website.]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a title="Link to article on SC Magazine website." href="http://www.scmagazineus.com/Two-data-breach-laws-pass-Senate-Judiciary-Committee/article/157275/">Click here to read article on SC Magazine website.</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[It's a Jungle Out There...]]></title>
<link>http://cyberevangelist.wordpress.com/2009/11/11/its-a-jungle-out-there/</link>
<pubDate>Wed, 11 Nov 2009 12:07:36 +0000</pubDate>
<dc:creator>sonofshirt</dc:creator>
<guid>http://cyberevangelist.wordpress.com/2009/11/11/its-a-jungle-out-there/</guid>
<description><![CDATA[The intro tune to the TV show, &#8220;Monk&#8221;, features a song with the catch line &#8220;It]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The intro tune to the TV show, &#8220;Monk&#8221;, features a song with the catch line &#8220;It&#8217;s a Jungle out there&#8221; to introduce our favorite obsessive-compulsive detective.  This line is appropriate when describing the dangers that are pervasive on the internet.  Not to be too alarmist, but basically anywhere you go on the internet can be dangerous to your computer, and thus to the information stored therein.  If you visit the wrong site, click the wrong link, or open the wrong attachment, you can find yourself <a href="http://www.foxnews.com/story/0,2933,573085,00.html" target="_blank">unwittingly hosting kiddie porn</a>, part of a <a href="http://blogs.zdnet.com/security/?p=1670" target="_blank">botnet that&#8217;s launching a coordinated cyber attack</a> on a sovereign country,  and/or without any money because the hacker just cleaned out your bank account using YOUR password <a href="http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=4889" target="_blank">harvested from a keylogger</a>.  There are SO MANY different ways to get compromised, it&#8217;s <span style="text-decoration:line-through;">nearly</span> impossible for the standard user to keep up with them all.  That&#8217;s why I&#8217;m here. I want to provide a service to the community at large by providing information that will help you secure yourself as you navigate the &#8220;Jungle&#8221; that is the internet.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[When Former Employees Pose Security Threat]]></title>
<link>http://mytechbox.wordpress.com/2009/11/11/when-former-employees-pose-security-threat/</link>
<pubDate>Wed, 11 Nov 2009 06:56:56 +0000</pubDate>
<dc:creator>Rakesh Raman</dc:creator>
<guid>http://mytechbox.wordpress.com/2009/11/11/when-former-employees-pose-security-threat/</guid>
<description><![CDATA[A survey, which canvassed nearly 1,900 senior executives in more than 60 countries, shows that 75% o]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A survey, which canvassed nearly 1,900 senior executives in more than 60 countries, shows that 75% of respondents are concerned with the possible reprisal from employees who have left their organizations.</p>
<p>The 12th annual Ernst &#38; Young Global Information Security Survey also reveals that a lack of adequate security budgets and resources is becoming a major concern for senior IT professionals.</p>
<p>The survey finds that 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them.</p>
<p>It says allocating adequate budget to information security continues to be a challenge in 2009, with 50% of respondents ranking this as a high or significant challenge &#8212; a notable increase of 17 percentage points over 2008. </p>
<p>Despite this level of concern, the survey says, less than half (40%) of respondents plan to increase their annual investment in information security as a percentage of total expenditures, while 52% plan to maintain the same level of spending.</p>
<p>The survey also reveals that regulatory compliance is a top priority for information security leaders and continues to be an important driver of information security improvements.</p>
<p>When the survey asked how much their companies were spending on compliance efforts, 55% of respondents indicate that regulatory compliance costs account for moderate to significant increases in their overall information security costs. </p>
<p>Only five percent of respondents plan on spending less over the next 12 months on regulatory compliance.</p>
<p>Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders&#8217; minds. Implementing or improving Data Leakage Prevention (DLP) technologies &#8212; the combination of tools and processes for identifying, monitoring, and protecting sensitive data or information &#8212; is the second-highest security priority in the coming 12 months.</p>
<p>Forty percent of respondents rank this as one of their top three priorities.   </p>
<p>According to the survey, one of the most startling findings is how few companies encrypt their laptops. Only 41% of respondents currently encrypt them, with 17% planning to do so in the next year.</p>
<p>This is surprising, says the survey, given the number of breaches that have occurred due to loss or theft of laptops, that encryption technology is readily available and affordable and that the impact to users during deployment is relatively low.</p>
<p>The survey fieldwork was conducted between June and August 2009 and findings were revealed Tuesday, Nov. 10. The results were primarily collected through interviews held with executives from organizations across major industries.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Ohio Storage Bins Stolen - One Man’s Trash Is Another Man’s….]]></title>
<link>http://awareity.wordpress.com/2009/11/09/ohio-storage-bins-stolen-one-man%e2%80%99s-trash-is-another-man%e2%80%99s%e2%80%a6/</link>
<pubDate>Mon, 09 Nov 2009 17:03:11 +0000</pubDate>
<dc:creator>awareity</dc:creator>
<guid>http://awareity.wordpress.com/2009/11/09/ohio-storage-bins-stolen-one-man%e2%80%99s-trash-is-another-man%e2%80%99s%e2%80%a6/</guid>
<description><![CDATA[We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially w]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially we have yet another lesson learned for organizations who are obligated to protect their client’s personal information.</p>
<p>In this <strong><a href="http://bit.ly/3HZpFa" target="_blank">lesson learned</a></strong> from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities.  Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers.</p>
<p>A few questions this incident brings to mind:</p>
<ul>
<li>Should personal data be stored outside of buildings?</li>
<li>Should trash/storage bins be removable?</li>
<li>Should trash/storage bins be monitored by video cameras?</li>
<li>How should data waiting to be shredded be handled and secured?</li>
<li>Does your organization have policies and procedures for data waiting to be shredded?</li>
<li>Does your organization have an information handling agreement with its shredder vendors?</li>
</ul>
<p>When it comes to protecting customers’ personal information, many other questions come to mind and many risks and issues have been discussed in previous Lessons Learned Blog entries.</p>
<p>Oh! And don’t forget this lesson learned provides yet another ‘red flag’ that should be added to your FACTA Red Flag Rule program and communicated to all appropriate personnel.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Adding new blades to your personal Swiss Army Knife]]></title>
<link>http://suspiciousminds.wordpress.com/2009/11/07/adding-new-blades-to-your-personal-swiss-army-knife/</link>
<pubDate>Sat, 07 Nov 2009 15:40:28 +0000</pubDate>
<dc:creator>Bill Wildprett</dc:creator>
<guid>http://suspiciousminds.wordpress.com/2009/11/07/adding-new-blades-to-your-personal-swiss-army-knife/</guid>
<description><![CDATA[As I&#8217;ve said before, one of the main things I love about information security is the need to k]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><span style="color:#000080;">As I&#8217;ve said before, one of the main things I love about information security is the need to keep learning ~ the field keeps expanding, Big Bang-like, and it behooves one to stretch, out of one&#8217;s comfort zone and in new directions.</span></p>
<p><span style="color:#000080;">Friends of mine had been recommending I learn more about IT auditing, to gain a better perspective on how controls are applied, and why.  To that end, I took a three-day </span><a title="CISA definition" href="http://www.isaca.org/Template.cfm?Section=CISA_Certification&#38;Template=/TaggedPage/TaggedPageDisplay.cfm&#38;TPLID=16&#38;ContentID=4526" target="_blank"><span style="color:#000080;"><em>Certified Information Systems Auditor</em> </span></a><span style="color:#000080;">(CISA) training course from </span><a title="Certtest training" href="http://www.certtest.com/" target="_blank"><span style="color:#000080;">CertTest</span></a><span style="color:#000080;"> in early November.</span></p>
<p><span style="color:#000080;">Wow, that was pretty cool!  I learned a lot of new stuff and reviewed things like NIST SP-800-53 and ISO 27002 that I knew something about, but not in the same depth.  So, I&#8217;m now embarked on a study cruise towards the June 2010 CISA exam from </span><a title="ISACA.org website" href="http://www.isaca.org/" target="_blank"><span style="color:#000080;">ISACA</span></a><span style="color:#000080;">.  Maybe I&#8217;ll work as an IT auditor, maybe not, but either way, I&#8217;ll know a lot more about the business side of the proverbial &#8216;house&#8217; and it&#8217;s GRC drivers.</span></p>
<p><span style="color:#000080;">All this dovetails with my ongoing study of </span><a title="CobIT on Wikipedia" href="http://en.wikipedia.org/wiki/COBIT" target="_blank"><span style="color:#000080;">CobIT 4.1</span></a><span style="color:#000080;">, </span><a title="Federal Risk Management security recommendations" href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final-errata.pdf" target="_blank"><span style="color:#000080;">NIST SP-800-53</span></a><span style="color:#000080;">, and the </span><a title="ISO 27K overview" href="http://www.iso27001security.com/html/iso27000.html" target="_blank"><span style="color:#000080;">ISO 27K </span></a><span style="color:#000080;">series ~ I&#8217;m focused on becoming the best </span><a title="GRC defined" href="http://en.wikipedia.org/wiki/Governance,_Risk_Management,_and_Compliance" target="_blank"><span style="color:#000080;">Governance, Risk Management &#38; Compliance</span></a><span style="color:#000080;"> professional I can be!</span></p>
<p><span style="color:#000080;">If you have any helpful hints, suggestions, study advice, please ping me.</span></p>
<p><span style="color:#000080;">Shouts-out and props to </span><a title="Dave on LinkedIn" href="http://www.linkedin.com/in/davidcannon" target="_blank"><span style="color:#000080;">Dave Cannon </span></a><span style="color:#000080;">at CertTest for being an awesome and inspiring instructor!</span></p>
<p><span style="color:#000080;">And, I ate some <em>Serious &#8216;Que</em> at the </span><a title="Gawd Almighty Good!" href="http://hardeightbbq.com/" target="_blank"><span style="color:#000080;">Hard Eight </span></a><span style="color:#000080;">in Irving TX with my CertTest classmates&#8230;</span></p>
<p><span style="color:#000080;">Later friends!</span></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Technorati Claim]]></title>
<link>http://suspiciousminds.wordpress.com/2009/11/01/technorati-claim/</link>
<pubDate>Sun, 01 Nov 2009 07:32:12 +0000</pubDate>
<dc:creator>Bill Wildprett</dc:creator>
<guid>http://suspiciousminds.wordpress.com/2009/11/01/technorati-claim/</guid>
<description><![CDATA[http://suspiciousminds.wordpress.com/ &nbsp;]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong><a href="http://suspiciousminds.wordpress.com/">http://suspiciousminds.wordpress.com/</a></strong></p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
