Archive for the ‘Due Diligence’ Category

The Power of Observation

October 9th, 2008 Michael Farnum

I am currently reading Michael Santarcangelo’s book Into the Breach (sorry it is taking so long Michael, just busy – I have 2 others I am supposed to be reading and reviewing as well).  This is not a review of that book (that is coming later).  I want to make some comments on a particular point he made in chapter 5, entitled "The Strategy to Protect Information".

In that chapter, Michael talks about how many people are shocked to learn where information is stored in their organization when the information discovery process is undertaken.  He states that people are so used to just copying the information wherever they need to get their job done that they didn’t even know that the data was stored in a central location.  This is very true, but this is not the point that I want to discuss.  The point I want to discuss is observation.

Michael has made an observation here.  He has studied people’s reaction to this step, and he has put it down on paper.  It may seem like a trivial little piece of information that will make you laugh when you tell your buddies over a beer – "That guy in payroll was clueless!  He copied the executive payroll data into a spreadsheet about 3 years ago onto his laptop and was paying them from the data stored there!  He was doing a lot of that work from home!  He didn’t even know that the new payroll system had been put in place a year ago!"  But in reality, that observation has huge ramifications.  That person COULD have been doing their job much more efficiently and SAFELY for the last 3 years.  The risk of him putting executive payroll data in a spreadsheet on his laptop and taking it home was huge.  But for some reason, he did not know that the new payroll system had been implemented.

But again, the point of this post is not that the payroll data was at risk.  The point is that I have seen that same reaction time and time again over the last 14 years I have been in IT.  There have been numerous times when I pointed out to a user that they were using data from the wrong source.  Maybe they had thrown together a quick Access database on their PC after they took a local community college course.  That has happened so many times.  But I typically just pointed them in the right direction (or was advised to let them keep doing what they were doing because they got their job done).  It took me so long to actually see the ramifications behind that issue happening again and again over the years.  If I had just stopped and thought about things earlier in my career in IT, I would have been able to see the forest a lot more clearly.  I would have been able to better handle situations like that more efficiently and more wisely at a much earlier point in my 14 years (maybe I could have written a book about it 10 years ago :) ).

So my basic point is this.  Use your observation skills.  Stop and think.  Don’t get so caught up in your day-to-day job that you don’t stop to observe and discern.  It can seriously impact the way you do your job, and usually in positive ways.  If you don’t pause to make sense of what is going on around you, you get swept up in doing everything in a less efficient way.  If you can’t see the underlying cause of problems, then you keep treating the problem as individual little slices of time instead of a systemic problem that could be causing larger concerns in your organization and in your industry as a whole.

Vet

Ding Dong…DDoS is dead!

December 5th, 2006 Michael Farnum

CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She says:

…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.

Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our new found safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.

What was that?  What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.

Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.

I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:

The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.

Man, I am so happy we are done with DDoS attacks.

OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.

Holy crap, my head is about to explode.

Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.

I usually don’t post about stolen laptops and desktops…

August 8th, 2006 Michael Farnum

…because you can read about it in the news, because it generally happens for the same reason (stupidity, mainly), and I get tired of writing about it.  And the same would be the case on this new VA stolen desktop (also read here), except that this is twice for the VA, and I think this one holds more importance.  Why?  Glad you asked!

  1. Because this one, on the surface, seems like a targeted attack.  This was not an average house robbery.  This was stolen from a Unisys facility that was doing insurance collections for the VA.  Far be it from me to start FUD, but I think there was some definite desire for this desktop because of the data it held (why was the data on a desktop, anyway???)
  2. This brings forward the point that you are just as responsible for your contractors’ security as you are for your own.  The theft did not actually happen at a VA facility, but you can’t slough off due diligence.

Pay it forward / Advice for the security admin and manager

August 3rd, 2006 Michael Farnum

I am going to combine my security tip of the day with my series of advice for security admins and managers.  So here goes:

I can sum up this advice post in two words: due diligence.  It is obvious that due diligence is necessary in all aspects of security and other areas, but let’s go over a few examples:

  • Due diligence in your security solutions:  As a security manager, I get calls from vendors wanting me to buy their security products on a daily basis.  Many of them are big guys like Cisco.  Many are smaller shops like StillSecure (no offense Alan).  Now, the name recognition that comes with Cisco instantly draws me to them.  Cisco has a major role in my network (no surprise), so the familiarity with their product makes me instantly pay attention.  And I know as a busy security manager that I could probably buy their product without looking around and doing my DUE DILIGENCE and get a decent product that my boss is not going to gripe about.  But that goes back to the ol’ “good enough” discussion between Alan Shimel and Michael Wright.  Cisco does make some fine products, but they are simply not the best when it comes to security.  What I should do is take the time to look at other solutions, and then determine what the best solution is for my business.
  • Due diligence in keeping your security measures up to date: Let’s look at an example.  Take the good ol’ IDS.  Many people proclaimed the death of the IDS years ago.  But I believe with the surge of SIM / SEM products out there, the IDS can be used in conjunction with an IPS to give some really good info as to what is happening in your network.  Of course, you have to tune your IDS, and you have to maintain signatures.  And you have to make sure your SIM / SEM is set up to alert on current attacks and maintained to recognize any new attacks or new devices in your network.  This type of due diligence needs to be applied across the board.
  • Due diligence in procedures: Policies are easy.  Procedures are a bear.  But they are infinitely more important than policies because they define how the policies are applied.  Without procedures, policies are essentially worthless.

Practicing due diligence will make your network secure and your career successful.  Getting a reputation for being anal can sometimes be a bad thing, but in security it is an endearing term.

Categories: Due Diligence, Security, Tips