An Information Security Place

Commentary on the State of Information Security

Archive for July, 2006...

Filed under Blogging

My wife called herself a “blog widow” this weekend.  She says more and more often she wakes up in the middle of the night and finds my side of the bed empty.  She investigates and finds me at my laptop in the living room blogging or researching for a blog post.  I guess it is better than other things I could be doing on the Web…

Here are some t-shirts for your blog widow.  And here’s a kinda funny story about the t-shirt.  Hope the guy doesn’t get sued.

Vet

Posted by Michael Farnum on Sunday, July 30th, 2006

Filed under Blogging, Me

If you have me on your blogroll, can you make sure to change your link to the new domain when you get the chance?  Trying to get my link count back up.  Because you know it is all about me, right?

Thanks.

Vet

Posted by Michael Farnum on Saturday, July 29th, 2006

Filed under Passwords, Security

Roger Grimes has an article at InfoWorld about the size of passwords versus the complexity.  I agree with Roger’s assertion that password length matters more than complexity.  I have been told by many a security consultant to make the third character a special character, or make the fifth character uppercase, blah blah blah.  This just does not work.  I crack passwords as part of my security manager duties, and length has always trumped complexity.

The main reason is because of the good ol’ human factor, and Roger points out some of the issues below:

  • People typically stick with a few characters, even if you try to force complexity.
  • People are predictable, so dictionary attacks can be written based on known patterns.
  • Handing out complex passwords will piss people off and make them write the passwords down.

So what to do, what to do?  Well, make the passwords longer.  Enforce length, then tell people to simply use a sentence of over 10 characters.  It could be “Bob is a big fat loser” (no, I don’t know who Bob is - maybe that damn AccountTemps guy), or it could be “I got my nails done on Tuesday”.  Anything like that gives you what you need.  Dictionary attacks are not going to work against that, and the sheer length makes brute force impractical.
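To put numbers behind the length-beats-complexity argument, here is an added example (written for this page, not code from the InfoWorld article or from this blog) that estimates the brute-force keyspace of a password from its length and the character classes present, converts that to cracking time at an assumed guess rate, and enforces a length-first policy that still rejects the things crackers try first: a wordlist entry with leet substitutions and a few characters of decoration, or a short string repeated.  The minimum length of 12, the guess rate of a billion per second, and the tiny wordlist are all assumptions made for the example.

```python
import math

# Printable ASCII split into the four classes a composition rule usually
# counts: 26 lower, 26 upper, 10 digits, 33 space-and-punctuation.
CLASSES = (
    (26, str.islower),
    (26, str.isupper),
    (10, str.isdigit),
    (33, lambda c: not c.isalnum()),
)

# Common "leet" substitutions, undone before the dictionary check.
LEET = str.maketrans("@40$513!", "aaosslei")

# Constructed stand-in for a real cracking wordlist (a real one has millions of entries).
WORDLIST = {"password", "letmein", "welcome", "qwerty", "monkey", "football", "dragon"}


def estimated_bits(password: str) -> float:
    """Keyspace a brute-force attacker must cover, in bits: length * log2(alphabet).

    The alphabet is the union of the character classes actually present, which
    is what a cracker configures once the composition policy is known.
    """
    alphabet = sum(size for size, pred in CLASSES if any(pred(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate (assumption: 1e9/s)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def normalize(password: str) -> str:
    """Undo leet substitutions, drop case and non-letters, for the dictionary check."""
    return "".join(c for c in password.translate(LEET).lower() if c.isalpha())


def is_repetition(s: str) -> bool:
    """True when s is a shorter string repeated (e.g. 'abcabcabc')."""
    return len(s) > 1 and (s + s).find(s, 1) < len(s)


def check_policy(password: str, min_len: int = 12) -> tuple[bool, str]:
    """Length-first policy: no composition rules, but reject the patterns
    crackers try first.  Returns (accepted, reason)."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_repetition(password):
        return False, "a short string repeated"
    norm = normalize(password)
    for word in WORDLIST:
        # 'P@ssw0rd123!' normalizes to 'passwordlei': a wordlist entry plus a little decoration.
        if word in norm and len(norm) - len(word) <= 3:
            return False, f"dictionary word '{word}' with trivial decoration"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "P@ssw0rd123!", "bob is a big fat loser",
               "I got my nails done on Tuesday"):
        ok, reason = check_policy(pw)
        bits = estimated_bits(pw)
        print(f"{pw!r:34} {bits:6.1f} bits {brute_force_years(bits):10.3g} yr  {ok} ({reason})")
```

The eight-character “complex” password comes out around 52 bits, which at a billion guesses a second falls in well under a year; the all-lowercase sentence is over 120 bits and is out of reach, and it passes the policy without a single composition rule.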

Of course, I would like to get rid of ‘em altogether, or at least get rid of passwords as they are today.  They are a nuisance, plain and simple.  Multi-factor authentication is one answer.  I know it is susceptible to man-in-the-middle attacks, but how many networks are going to have this problem if other security measures are in place (dang defense-in-depth keeps coming back up every time I turn a corner!).  I tend to favor the passive RFID card / PIN combination over the active RFID, smart card, or token / PIN combo.  It is simpler than the token (even though it seems really simple, users get so hung up on combining a six-digit number with a four-digit PIN - don’t ask me why), and it is more secure than the smart card or the active RFID (very limited range compared to the active RFID, and it typically contains no identifiable info compared to the smart card).

One limitation to RFID cards is remote users, but readers are getting more and more common in laptops.  Or you can implement a smaller token-based system for those users, though administration may turn into a headache.

But here’s a caveat, no matter which way you go: you really need a single sign-on solution backing up a multi-factor authentication implementation.  This scenario seems to make a lot of sense for a few reasons:

  • It eases the administrative burdens for the IT department because, if implemented correctly, your password reset burden should go down to almost nil
  • It eases (possibly almost eliminates) password complaints and written down passwords
  • It has the bonus of actually easing the login process to the network and the applications

I know it is not the end-all-be-all, but multi-factor authentication is definitely a strong layer in your defenses.  Think about it.

Vet

Posted by Michael Farnum on Friday, July 28th, 2006

Filed under Blogging

I decided to start using Feedburner to publish my feed so I can try to track who is subscribing.  If you are a current feed subscriber, I would appreciate it if you would switch your subscription when you get a chance.  The new feed is at http://feeds.feedburner.com/AnInformationSecurityPlace.  Or you can get the link from the RSS icon on the right sidebar.

Vet

Posted by Michael Farnum on Thursday, July 27th, 2006

Filed under Blogging, Security

For my blogging friends out there using Wordpress, take serious note of this post from Darknet.  Seems like all versions of Wordpress below 2.0.3 are vulnerable (2.0.4 should be coming out very soon) to a flaw in the Subscriber functionality.  If you require people to register before they can comment, then you need to make sure you turn off the “anyone can register” option and delete any subscribers you do not know personally, who have never posted, or who have not posted for a long time (personally, I don’t require people to subscribe to comment - you might consider either turning off comments or not requiring membership until 2.0.4 comes out).

In Wordpress under the wp-admin page, go to Options and General.  There is a Membership section where the choice is located.  Uncheck and save, then wait for 2.0.4 and upgrade ASAP. 

And don’t forget to backup before you upgrade.  I use a plugin from here to backup.

Vet

Posted by Michael Farnum on Thursday, July 27th, 2006

Filed under Rant, Security

Just got through reading this article at Security Focus. So basically, fuzzers are becoming more and more prominent in finding flaws in applications (they have been around a while, but they are now gaining notoriety with the general populace). More and more flaws are coming out on all sorts of applications, but the main focus is on Microsoft products, with the lion’s share being found on Office products.
This makes sense because Office is used so widely. People trying to make a buck are going to search for flaws on a widely used product, unless they have a specific target in mind and know what other apps they use. You could also say this makes sense because Microsoft makes such crappy products, and you would be partially correct. Fuzzers have been used to find flaws in non-MSFT apps as well (Flash, Shockwave, RealPlayer, etc.), so the threat is not just with Microsoft products.
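As an added illustration (example code written for this page, not from the Security Focus article or from this blog), here is the simplest kind of fuzzer the article is talking about: it knows nothing about the file format, just mutates a valid sample byte by byte, feeds each mutant to the parser, and records which ones make it throw.  The toy format, its parser, and the parser’s bug (trusting a count field without checking the remaining length) are all constructed for the example; the parser’s own ValueError is a clean rejection and is not counted as a crash.

```python
# Constructed toy file format: b"TOY", a one-byte record count, then that
# many 2-byte big-endian records.  The parser has a deliberate, classic bug:
# it trusts the count field and never checks the remaining length.
MAGIC = b"TOY"


def parse_toy(data: bytes) -> list[int]:
    if data[:3] != MAGIC:
        raise ValueError("bad magic")          # clean rejection, not a crash
    count = data[3]
    records, off = [], 4
    for _ in range(count):
        records.append((data[off] << 8) | data[off + 1])   # IndexError once count lies
        off += 2
    return records


def mutations(seed: bytes):
    """Dumb, format-unaware mutations: the kind of fuzzing outside researchers
    are limited to when the format is undocumented."""
    for i in range(len(seed)):
        for new in (0x00, 0xFF, (seed[i] + 1) & 0xFF, seed[i] ^ 0x80):
            yield seed[:i] + bytes([new]) + seed[i + 1:]
    yield seed[:-1]            # truncate
    yield seed + b"\x00"       # extend


def fuzz(target, seed: bytes) -> dict[str, list[bytes]]:
    """Run every mutant through target and group crashing inputs by exception type.
    ValueError is the parser's own rejection of bad input and is not counted."""
    crashes: dict[str, list[bytes]] = {}
    for case in mutations(seed):
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes


SEED = MAGIC + b"\x02" + b"\x00\x01\x00\x02"   # valid sample file with two records


if __name__ == "__main__":
    for kind, cases in fuzz(parse_toy, SEED).items():
        print(f"{kind}: {len(cases)} crashing inputs, e.g. {cases[0]!r}")
```

Four mutants crash the parser: three that raise the count byte and one that truncates the file, all of them the same length-check bug.  A fuzzer with knowledge of the format could target the count field directly instead of spending most of its mutations on the magic bytes, which is the point the TippingPoint quote below is making.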

But the point here is this: if the baddies are concentrating their fuzzing efforts on Microsoft products, where is the news that Microsoft has started actively using fuzzers to find flaws in their code? Where is the news that the giant has hired HD Moore to start an active campaign to find flaws in their products so they can start fixing the issues before they are used by baddies?

Look at this quote from the article:

Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint’s Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft’s Office, so their efforts to date have been limited.

Does this mean that since the good guys can’t find the flaws, the baddies won’t either? No. The flaws will be found eventually. It means that Microsoft has the opportunity to find the flaws before anyone else because they know more about the code than anyone else. Microsoft needs to step up and start finding and fixing more flaws using other tools besides their own.

Vet

Posted by Michael Farnum on Thursday, July 27th, 2006

Filed under Blogging, Me

When I first started blogging, I searched around the Web for advice on how to be a success.  One of the keys, so I was told, was to post often.  Another bit of advice I found was to NOT apologize if you don’t post for a while.  But I am going to ignore the above advice and apologize anyway.  So,  I humbly, sincerely, and profusely apologize for the extended amount of time between posts these last few days.

As to why I have not been posting, I have been on vacation.  I travelled to see my parents and other family in the dark depths of back woods south Mississippi, where the fastest Internet connection is a 26.4 baud dialup to the local ISP (who has a stranglehold on the local area, by the way).  I tried to check mail, and it turned out to be a 20 minute ordeal just to get connected and have the screen fully load.  I did manage to post on Sunday, but that was quite painful as well.

Now, as to the new blog site, I think I finally have the theme where I want it.  I have learned a lot about style sheets, Wordpress tags, etc. (a lot more than I wanted to know, to be honest).  Also, I have done some back end work to get my site stat trackers and other stuff pointed to the new location.  I have also noticed that the new location is popping up now when I perform a vanity google, so things are coming along.

One thing I thought was funny and a little frustrating was that I finally obtained a good Google rank (Google bar shows 5 of 10) at my Blogger site (I don’t know when that actually happened).  So now I will have to build that back up.  Oh well.

So let me know what you think of the new site and the theme.  I have had people tell me that it is easier to read, and I have to agree.  I would like this one to have more of an edge, but I don’t want to go overboard.  Also, I want to make some kind of logo for the title.  I have a friend (David Nester of Spidynamics) who is going to be helping me with that and with working on the home site page (infosecplace.com), but if you have any suggestions on a logo, let me know.

Thanks for reading.

Vet

Posted by Michael Farnum on Wednesday, July 26th, 2006

Filed under CYA, Rant, Security

Bear with me here.

I drove a tank in my Army days, and one of the things I learned was that the M1A1 Abrams tank was built with a low profile so it would be less visible to the enemy. But notice one word in that sentence: enemy. You don’t build it with a low profile to be less visible to your allies because you don’t expect them to be shooting at you.

The same principle is true in security. You build your infrastructure with a low profile so as to avoid attacks. You shouldn’t rely solely on a low profile, but it is a good layer. And again, you are putting these measures in place to protect against baddies, not your friends.

Now, in the first scenario, friendly fire sometimes happens. You put things in place to minimize this from happening. In the second scenario, this type of friendly fire happens when an insider unmaliciously screws up. You also put up defenses in a network to protect against dumb users.

But what happens when you are maliciously attacked by your “friends”? Well, good commanders make sure they have defenses against this as well. But you really don’t put in major defenses against this scenario. It is not a common enough occurrence on which to spend a high amount of resources. (A point to note: in war, if an ally becomes a turncoat and shoots at their own side, it is not termed “friendly fire”)

Here’s where I am going with this. Martin McKeay linked to this article in this post. It is the nightmare of nightmares for a security manager: Asking the powers-that-be to invest in security then getting fired because they didn’t invest and your security got breached. Bad, bad stuff.

But in the very first comment to the post, a commenter said, “He pushed too hard to do the right thing and made himself too visible and unpopular.” High visibility may have got this guy fired. Only that security manager and the CEO know whether this is actually what happened. But that doesn’t matter. What matters is that the advice the commenter is basically giving is to keep your head down and do your job. This flies directly in the face of some of my recent advice on my series for making yourself a more successful security manager / admin.

I will stick by my advice: make yourself visible, let others know what you are doing. I have never said push until you piss someone off, but that will happen sometimes. It may have got this guy fired, but if he had not pushed and documented that he pushed, do you think he would have a chance in H-E-Double-Hockey-Sticks to bring suit against his previous employer? Nope.

So, protect against the attack, remain visible, and watch your back. Don’t try to get along just to keep your job. I would rather DO my job than just KEEP it. But that’s just me.

Vet

Posted by Michael Farnum on Sunday, July 23rd, 2006

Filed under News, Rant, Sheesh

OK, I am usually fairly impressed by InfoWorld’s articles and other writings.  I get the magazine, I subscribe to their news feed.  But this InfoWorld article read like it should be in the Times or something.  They put a title of “Hackers Striking Databases in Record Numbers”, give us a couple of stats, and then go on to explain SQL injection attacks.  Who is InfoWorld’s target audience?

Here’s something from the “About” section of InfoWorld’s website:

InfoWorld Media Group delivers in-depth coverage and evaluation of IT products for technology experts involved in major purchase decisions for their companies. InfoWorld reaches the most influential readers through its integrated online, print, events, and research channels.
 
InfoWorld provides specialized IT coverage for the CTO, senior-most company executives who are deeply steeped in technology expertise and experience.

I am not usually one to attack, but this is ridiculous.  If you are a “senior-most company executive” who is “steeped in technology expertise and experience”, then you know what a SQL injection attack is.  This article really does not give any useful information.  Couldn’t there have been some more in-depth detail on some of the attacks?  It just felt like the top paragraph was written, then there was a cut and paste from some other article.

Vet

Posted by Michael Farnum on Wednesday, July 19th, 2006

Filed under Security, Sheesh

So the question is this: who is to blame when a crime is committed?  Do you convict the gun or the crook when he robs a bank?  Do you convict the crowbar or the crook when he pries open the door to a home and steals the jewelry?  Do you convict the brick or the crook who uses it to smash a window in a store and steals a TV?

We know the answer to those questions.  The crook is the criminal, not the tool.  So bravo to Alan Shimel for this post where he stomps a mudhole in some folks for blaming Open Source code for security problems.  Yes, Open Source tools are easier to come by than commercial products, but does anyone really think that script kiddies and other baddies would have no means to get those commercial products if Open Source tools were not available?  Please…

Vet

Posted by Michael Farnum on Tuesday, July 18th, 2006

Filed under Firewalls, Old school, Security, UTM

I have posted a couple of times on how to be a successful security admin / manager (here and here).  Well, here is another one (ok, enough of the groans).

So, here is today’s advice: stick with the tried and true security.  There are methods of security that have been tested for quite a while now and have proven to be very effective strategies.  A few examples of this are defense-in-depth, risk management, and security awareness.  Let’s look at these a little closer:

  • Defense-in-depth: Basically, using multiple, varied, and complementary security systems stacked in layers to defend against attacks.  This is a method that has been shown to be very effective.  The easiest example (though not the best) is to have anti-virus at the servers as well as the desktop so that a virus missed by one may be caught by the other.  Add into this mix a deep-inspection engine that checks the data as it travels across your network, and you have three layers of security (though you would probably want to make the A/V software at the server level a different brand from the one on the PCs, to actually have three layers, but I digress).

  • Risk Management: I really like PCMag’s definition of risk management and risk assessment, so here it is:

Risk management: The optimal allocation of resources to arrive at a cost-effective investment in defensive measures within an organization. Risk management minimizes both risk and costs.

Risk assessment: A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection. A “risk analysis” is the process of arriving at a risk assessment, which is also called a “threat and risk assessment.” A “threat” is a harmful act such as the deployment of a virus or illegal network penetration. A “risk” is the expectation that a threat may succeed and the potential damage that can occur.

  • Security Awareness: An initiative that sets the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of security failure. Further, awareness reminds users of the importance of security and the procedures to be followed (this one came from here).

So, why did I bother to put down these definitions?  Let me explain.  There could be a number of reactions to these definitions, but let’s focus on two:

  1. You may have looked at these definitions and started yawning and complaining about old school security, a bunch of washed up geezers, etc.  or…
  2. Maybe you started reading them and wanted to see if the definitions put down were accurate

If you fall into camp 1, then you are probably pretty young or you have just started into security or both.  You fall squarely in the camp of those who believe the perimeter is dead and you may think that there will come some day soon (if it isn’t already here) a device that will once and for all secure your network and let you relax a bit.  You probably think that many of the old security ways (including the above) are not needed.  Just throw some money and security devices on the network and you are doing well.

Then there is the second camp.  You saw some old, familiar, comfortable definitions that really speak to you as central tenets of security.  You say, “hell yea!” when you see another example of these methods paying off.  You do your due diligence and either fill the gaps that appear in an assessment or you mitigate in other ways when the risk is not too high.

For the first camp, I say that you need to start paying attention to these old geezers.  These methods have not been around for this long for nothing.  UTMs are not the end-all-be-all.  NAC and NAP are not godsends.  Many of these new security appliances fill gaps that exist.  But they are meant to do just that - fill the gaps.  Not be the whole of your security.  The perimeter is not disappearing.  It is still there, but it has started to become flexible.  Old school security guys really don’t have an issue with that.  But when you move all your defenses into the network and drop the external firewalls, then you need to be prepared for the consequences.  And they are coming.  The baddies follow trends, just like the good guys.

And new security people: don’t call us old school folks closed-minded.  A better term is experienced.

Vet

Posted by Michael Farnum on Tuesday, July 18th, 2006

Filed under Me, Overworked

You may see the theme of the blog change a few times in the next weeks.  I am experimenting still over here, but I just didn’t have the patience with or the faith in Blogger with all the issues they have been experiencing.  Please have patience with me.  If you have any advice on a good theme, let me know!

Posted by Michael Farnum on Monday, July 17th, 2006

Filed under Crime, Security

I have to make some comments on this post I found on a law blog I peruse. I know this is not directly related to Information Security, but it relates to security in general, so I have to make some comments.

Basically, the author of this post (Dan Filler) is making the argument that the cost of shoplifting should be shifted to the retailer. Specifically, he is looking at WalMart, since the post started out with a comment about how they are shifting their policy to not prosecute first time shoplifters younger than 18 and older than 65 when taking merchandise with a value under $25. That is WalMart’s right to do, and it might actually be a good idea for them.

Read the post all the way through and look at Mr. Filler’s ideas about this. Here are my comments.

Yes, it is a crime. But trying to shift the cost of enforcement to the retailer is ridiculous, and I have a huge problem with it.

First, many retailers already employ most if not all of the measures you say they should employ. What else can they do? They already have to catch the crook. They don’t bring cops in to patrol the stores! If the security guard is a witness in the case, the retailer should pay him / her for the time they appear in court.

Second, when they catch the criminal, they call the cops for prosecution. That is how our system works for CRIMINALS. You are trying to change the system for a particular crime just because some cops don’t want to do their job. That is beyond ridiculous, and the cops that have that attitude and react slower to these types of crimes should be kicked out of the force. That is why WE pay them.

Third, how is it fair to the retailer to shift the cost of prosecution to them when they are the victim? They are simply trying to run a business and are already losing millions and millions a year due to these crooks. Why should they be taxed further? Do you tell a rape victim to pay for the prosecution of her attacker? Come on.

Sheesh

Vet

Posted by Michael Farnum on Friday, July 14th, 2006

Filed under Overworked, UTM

The Success of the UTM

I have been on a kick about what security admins and managers have to do to sell security. And I posted a huge list the other day to help those same admins and managers start their own list of duties so they could get organized and possibly show the boss all the stuff they have to do day in and day out. (BTW, forgive the formatting of the list. The Blogger people royally screwed up some of my formatting during some maintenance they were performing today, and I am just too dang lazy to go fix it!)

So when you look at that list, you wonder how you can get it all done. Alan Shimel asks the same question here. I think the one fact that security admins and managers have so many chores and tasks and jobs to take care of is the biggest factor in UTM success.

Look at Chris Hoff’s post on UTMs. One line from his post is, “If ‘good enough’ security is good enough, you have lots of UTM choices.” I contend that the UTM is so attractive because “good enough” is what many (not most, but maybe not far off) security people are looking for in their security because they are strained and pulled and stretched and yanked in so many directions that “good enough” is all they have time for. Call it lazy or whatever, but the truth is there.

What Chris wants is for the good ol’ days of risk management to come back, where you identify your risks, you determine what your tolerance for each risk is, and then you determine what measures to put into place to mitigate those risks. I agree with Chris wholeheartedly. But the reality is that it just ain’t always possible, unless you want to work about 80 hours a week.

So, UTM looks good to that overworked (or oft times lazy) admin or manager, and they want their auditors and execs to see a cool piece of hardware that they can grab some reports from. So UTM it is.

That kinda leads into my next point.

Government Regulation Can Actually Hurt Security
I am sure someone has written about this, and I did find this post with a very quick Google search. It didn’t exactly address my point, but oh well. Anyway, my contention is that compliance with HIPAA, SOX, GLBA, etc. can often do more damage than good to the security posture of organizations. Now, this totally depends on some of what I mentioned above, namely whether or not the security admin / manager is lazy, overworked, etc. But basically, here’s the reason compliance can hurt more than help: it often causes the security department to reach for compliance INSTEAD of reaching for actual security.

Look at HIPAA. It has not one shred of actual technical advice. Most people say that is good because it allows for flexibility in the security approach. I agree. But if I am a lazy security guy or an overworked security guy whose boss tells him to make sure the company is compliant, then I may look at compliance in another way.

First, I do some research and find that many of these regs don’t have any real enforcement to them. I don’t tell the boss that because my job just might go flying out of the window. So, I write (or find on the Web) some policies and procedures that are HIPAA, SOX, whatever compliant, then I put in some security measures that look cool and give nice pretty reports, and then I can step back and say, “That should convince the auditors.” I have not hired a third party to come out and do a risk and gap analysis. I have not taken a look at what I am trying to secure and where best to place security measures. I don’t even really know what risks are there, so I have no idea what the company’s tolerance for them is.

It basically becomes a game to LOOK compliant so you fool the auditors. Since you really don’t expect the HIPAA, SOX, GLBA police on your doorstep any day soon, why should that concern you?

But let’s look at this one more way. I have to honestly say that this does not just apply to lazy or overworked security admins / managers (though most of us are overworked). It soon simply becomes a realistic view. Maybe you are a hardworking security guru, and you are going to do your dead level best to secure the network, come hell or high water. So, you do the risk analysis with a third party, you determine your risk, you fill all the gaps as best you can, and you come out with a secure network that will stop a hacker dead in his tracks. But you stopped worrying about the reg du jour a while back, just like everyone else. And you have no regulation-specific policies and procedures in place, even though you followed every ISO standard even remotely applicable to security since the history of man. And someone decides to give some teeth to the reg. What happens when even your strong, secure network gets breached? You get busted.

Man, what a drag.

So, what’s the answer? To both problems above, the answer is more staff, more money, and more training put directly towards security. Executives, LISTEN UP! Let your people do what they need to do. Dedicate the resources on the front end, let the security people get your network secure from a practical and regulatory standpoint, then just keep it going. Your costs will decrease to a great degree after the initial push is complete. Yes, risks change, but not every risk will change at the same time. Yes, technology needs to be refreshed, but that is true of IT in general, and it is usually every three or four years. Yes, new regulations come up, but the infrastructure will be there to meet those. Get it done, and you will be secure. You will be able to flex and move with all these changes. Make the investment now. Please.

Vet

Posted by Michael Farnum on Wednesday, July 12th, 2006

Filed under Pre-Categories

Here’s what I usually listen to on late nights at work.

 sjlogo.gif

Posted by Michael Farnum on Tuesday, July 11th, 2006

Filed under Pre-Categories

Cleanflicks has lost to the movie industry in this case. Basically, they can no longer edit the bad stuff out of movies and redistribute. What surprised me to a degree was that the movie industry did not use the DMCA as an argument. Go here to see the likely reason why.

Posted by Michael Farnum on Tuesday, July 11th, 2006

Filed under Pre-Categories

First, let me say that though I can definitely see some bad points to Net Neutrality, I am in favor of it. I am not a fan of new laws in general, especially the way our government tends to screw things up. But something in some form needs to be done to keep the big boys from running roughshod over the little guys.

However, people are saying Net Neutrality is needed because of the worry of large providers blocking traffic from small providers and carriers. I wonder if I am just naïve, because I really can’t see the big telecom providers just outright blocking that traffic from their competitors. Mess with, screw up, delay, hold back, etc.? Yes, I see that potentially happening. They can do that with no real backlash because even if someone accuses them of it, they can deny it. As Ed Felten says in his Net Neutrality whitepaper, “… it is often difficult to distinguish between performance problems resulting from undesirable forms of discrimination and ones due to other causes.” Basically, how do you prove conclusively that a large provider is discriminating? It would be difficult.

But if a large provider simply kills their competitor’s traffic, even if they are doing it legally, I see them being lambasted in the media and the blogosphere and losing customers. That is not fair play. Maybe I’m wrong here, but I just don’t see it happening.

[RANT ALERT!!!] So let’s argue for Net Neutrality on its real merits, namely that the large providers should not be able to control the Internet just because it is their routers the traffic is passing through. Ed Whitacre needs to get a grip and stop spouting that his competitors are simply using his “pipes free.” That is a load of bull. These guys pay telecom providers millions and millions a year. If they need more speed, they buy it. You are getting your money, Mr. Whitacre. The only reason you are against this is because you don’t want legitimate competition for your future plans for fiber in every home. You want to have the lines and the play time with no threat of other services keeping you from making a couple of more bucks. Please…

Vet

Posted by Michael Farnum on Tuesday, July 11th, 2006

Filed under Pre-Categories

A few weeks back, I posted about what a security admin / manager should do to sell security to the execs and the general user populace at his or her organization. It contained no technical advice. Basically, it said to be social and was meant to be a first step in getting the people to know you so you can start down the path of security acceptance.

Once those execs know who you are, what’s next? This is where it gets real, folks. You actually have to define your job. Not just DO your job, but actually sit down in front of your laptop, desktop, writing pad, whatever, and get a solid idea of what you do. I am not talking about a job description. I am talking about the tasks you work on daily and weekly and monthly and so on. Tasks you have to perform to make your network secure and your information safe.

Make out your list ASAP. It will help you get organized. Then, print it out and slip it under your boss’s door. Maybe it will wake someone up (or it might just piss ‘em off – either one is OK).

Now I have to admit that it is often difficult to get started on a list like this. There are so many things that you do that it seems like it would be simple to put it down. But it sometimes is just not that easy. So, here’s a sample of what you might have to do as a security person. It won’t apply to everyone, of course, and I have also included some network admin and engineering tasks that many security people won’t do. It is definitely not exhaustive. But for those busy security admins who do double duty on the network, some might work. Hope it helps. Feel free to comment and add more.

IPS Maintenance
  • Firmware Upgrades
  • Signature Updates
  • Tuning
  • Reporting

IDS Maintenance
  • Firmware Upgrades
  • Signature Updates
  • Tuning

SIM / SEM Maintenance
  • Firmware Upgrades
  • Tuning
  • Alert setup
  • Reporting

Email Gateway Maintenance
  • Firmware Upgrades
  • Regular Expression Maintenance
  • Delivering blocked emails
  • Reviewing message logs for false positives and false negatives (tuning)
  • Checking forums for new spam / viruses that require expressions for filtering
  • Maintaining blocked extension database
  • Reporting

Corporate Firewall Maintenance
  • Firmware Upgrades
  • Policy setup
  • VPN setup and maintenance
  • User access setup
  • Rule auditing
  • Reporting

Remote Firewall Maintenance
  • Firmware Upgrades
  • Policy setup
  • VPN setup and maintenance
  • User access setup
  • Rule auditing
  • Reporting

Router and Switch Maintenance
  • Firmware Upgrades
  • Access maintenance
  • VLAN Maintenance

Servers
  • DNS Maintenance
  • DHCP Maintenance

Network Monitoring
  • Baseline configuration
  • Threshold alert setup

General Security
  • Password Auditing
  • Vulnerability Scanning
  • Rogue device scanning
  • Wireless device scanning

Telecommunications
  • DNS Maintenance
  • Router maintenance

Internet
  • Domain Maintenance

Extranet Maintenance
  • Firmware Upgrades
  • Group and User maintenance
  • Rules maintenance

Documentation
  • IP address list (public and private)
  • Network and security infrastructure drawings
  • Update acceptable use policies
  • Update security awareness presentation
  • Update DR policies and procedures
  • Update HIPAA policies and procedures

Training
  • Orientation
  • Security Awareness

Vet

Posted by Michael Farnum on Sunday, July 9th, 2006

Filed under Pre-Categories

I just discovered David Bianco’s InfoSec blog, called Infosec Potpourri, via a post on joatBlog. I like Mr. Bianco’s technical posts. He gives some good info on network monitoring. From what I have read, it seems to be a practical security blog with good advice and pointers.

As I was reading, I came across his recent post about laptop encryption. My comment to his post is below. You can read it here or view it on his post.

Mr. Bianco,

I must ask that you clarify who you are speaking to in the last paragraph of your post. I can somewhat gather from the next to last paragraph that you may be speaking towards execs, owner types, sales guys, etc. (and possibly lazy “security” guys who don’t bother with due diligence), but you also speak directly to the security pro in the first sentence of that paragraph by saying “If mobile users need access to data in the field, make them VPN back to the corporate network and work on it there.”

I am seeing no thought or exception for those security pros who work for cheap or brainless execs / owners who see no reason for the measures of which you are speaking. If you are referring to all security pros, including those who have fought the battle but have lost, then you are really beating up on the wrong people. Yes, those security pros can leave that brainless company, but that is not always an immediate consideration. Many companies bring in security guys to make themselves look like they are serious about security, then they don’t give them any resources with which to do their job. There are those of us who fight this day in and day out and cannot make a dent. Sorry if I sound like I am whining, but the truth is the truth.

I really don’t mean this as an attack. I just want to make sure that people know the difference between lazy security admins and those of us who fight and fight for stuff and can’t get it.

Vet

Posted by Michael Farnum on Thursday, July 6th, 2006