Here’s what I usually listen to on late nights at work.
Archive for the 'Pre-Categories' Category...
Filed under Pre-Categories
Cleanflicks has lost to the movie industry in this case. Basically, they can no longer edit the bad stuff out of movies and redistribute. What surprised me to a degree was that the movie industry did not use the DMCA as an argument. Go here to see the likely reason why.
Filed under Pre-Categories
First, let me say that though I can definitely see some bad points to NetNeutrality, I am in favor of it. I am not a fan of new laws in general, especially the way our government tends to screw things up. But something in some form needs to be done to keep the big boys from running roughshod over the little guys.
However, people are saying Net Neutrality is needed because of the worry of large providers blocking traffic from small providers and carriers. I wonder if I am just naïve, because I really can’t see the big telecom providers just outright blocking that traffic from their competitors. Mess with, screw up, delay, hold back, etc.? Yes, I see that potentially happening. They can do that with no real backlash because even if someone accuses them of it, they can deny it. As Ed Felten says in his Net Neutrality whitepaper, “… it is often difficult to distinguish between performance problems resulting from undesirable forms of discrimination and ones due to other causes.” Basically, how do you prove conclusively that a large provider is discriminating? It would be difficult.
But if a large provider simply kills their competitor’s traffic, even if they are doing it legally, I see them being lambasted in the media and the blogosphere and losing customers. That is not fair play. Maybe I’m wrong here, but I just don’t see it happening.
[RANT ALERT!!!] So let’s argue for Net Neutrality on its real merits, namely that the large providers should not be able to control the Internet just because it is their routers the traffic is passing through. Ed Whitacre needs to get a grip and stop spouting that his competitors are simply using his “pipes free.” That is a load of bull. These guys pay telecom providers millions and millions a year. If they need more speed, they buy it. You are getting your money, Mr. Whitacre. The only reason you are against this is because you don’t want legitimate competition for your future plans for fiber in every home. You want to have the lines and the play time with no threat of other services keeping you from making a couple of more bucks. Please…
Vet
Filed under Pre-Categories
A few weeks back, I posted about what a security admin / manager should do to sell security to the execs and the general user populace at his or her organization. It contained no technical advice. Basically, it said to be social and was meant to be a first step in getting the people to know you so you can start down the path of security acceptance.
Once those execs know who you are, what’s next? This is where it gets real, folks. You actually have to define your job. Not just DO your job, but actually sit down in front of your laptop, desktop, writing pad, whatever, and get a solid idea of what you do. I am not talking about a job description. I am talking about the tasks you work on daily and weekly and monthly and so on. Tasks you have to perform to make your network secure and your information safe.
Make out your list ASAP. It will help you get organized. Then, print it out and slip it under your boss’s door. Maybe it will wake someone up (or it might just piss ‘em off – either one is OK).
Now I have to admit that it is often difficult to get started on a list like this. There are so many things that you do that it seems like it would be simple to put it down. But it sometimes is just not that easy. So, here’s a sample of what you might have to do as a security person. It won’t apply to everyone, of course, and I have also included some network admin and engineering tasks that many security people won’t do. It is definitely not exhaustive. But for those busy security admins who do double duty on the network, some of these might apply. Hope it helps. Feel free to comment and add more.
IPS Maintenance
- Firmware Upgrades
- Signature Updates
- Tuning
- Reporting
IDS Maintenance
- Firmware Upgrades
- Signature Updates
- Tuning
SIM / SEM Maintenance
- Firmware Upgrades
- Tuning
- Alert setup
- Reporting
Email Gateway Maintenance
- Firmware Upgrades
- Regular Expression Maintenance
- Delivering blocked emails
- Reviewing message logs for false positives and false negatives (tuning)
- Checking forums for new spam / viruses that require expressions for filtering
- Maintaining blocked extension database
- Reporting
Corporate Firewall Maintenance
- Firmware Upgrades
- Policy setup
- VPN setup and maintenance
- User access setup
- Rule auditing
- Reporting
Remote Firewall Maintenance
- Firmware Upgrades
- Policy setup
- VPN setup and maintenance
- User access setup
- Rule auditing
- Reporting
Router and Switch Maintenance
- Firmware Upgrades
- Access maintenance
- VLAN Maintenance
Servers
- DNS Maintenance
- DHCP Maintenance
Network Monitoring
- Baseline configuration
- Threshold alert setup
General Security
- Password Auditing
- Vulnerability Scanning
- Rogue device scanning
- Wireless device scanning
Telecommunications
- DNS Maintenance
- Router maintenance
Internet
- Domain Maintenance
Extranet Maintenance
- Firmware Upgrades
- Group and User maintenance
- Rules maintenance
Documentation
- IP address list (public and private)
- Network and security infrastructure drawings
- Update acceptable use policies
- Update security awareness presentation
- Update DR policies and procedures
- Update HIPAA policies and procedures
Training
- Orientation
- Security Awareness
Vet
Filed under Pre-Categories
I just discovered David Bianco’s InfoSec blog, called Infosec Potpourri, via a post on joatBlog. I like Mr. Bianco’s technical posts. He gives some good info on network monitoring. From what I have read, it seems to be a practical security blog with good advice and pointers.
As I was reading, I came across his recent post about laptop encryption. My comment to his post is below. You can read it here or view it on his post.
Mr. Bianco,
I must ask that you clarify who you are speaking to in the last paragraph of your post. I can somewhat gather from the next to last paragraph that you may be speaking towards execs, owner types, sales guys, etc. (and possibly lazy “security” guys who don’t bother with due diligence), but you also speak directly to the security pro in the first sentence of that paragraph by saying “If mobile users need access to data in the field, make them VPN back to the corporate network and work on it there.”
I am seeing no thought or exception for those security pros who work for cheap or brainless execs / owners who see no reason for the measures of which you are speaking. If you are referring to all security pros, including those who have fought the battle but have lost, then you are really beating up on the wrong people. Yes, those security pros can leave that brainless company, but that is not always an immediate consideration. Many companies bring in security guys to make themselves look like they are serious about security, then they don’t give them any resources with which to do their job. There are those of us who fight this day in and day out and cannot make a dent. Sorry if I sound like I am whining, but the truth is the truth.
I really don’t mean this as an attack. I just want to make sure that people know the difference between lazy security admins and those of us who fight and fight for stuff and can’t get it.
Vet
Filed under Pre-Categories
I know many of you were waiting with bated breath for my installment 2 of 2 of data classification, but I have decided to delay that for a while. I want to look into some other things to write about, and since the announcement of the EMC acquisition of RSA yesterday, I am looking closely at that and the impact (if any) it may have on the data classification status.
What I am seeing so far from this is EMC basically leaving RSA alone so they can keep doing their thing. Joe Tucci calls it EMC’s “string of pearls” approach. Mike Rothman basically says the same thing in today’s Daily Incite:
“But historically, EMC leaves their big acquisitions alone - integrating technology where it makes sense, but letting them operate in the way they need to for their respective markets.”
This does position EMC perfectly for the wackos to come out of the wood work to start accusing them of trying to take over the world. Just watch and see.
Vet
Filed under Pre-Categories
OK, I just have to think about this one for a while. I’ll get back to you…
Filed under Pre-Categories
Looks like they found the missing VA laptop and hard drive. They also said that the “initial FBI forensics tests indicate the data on the laptop and disk has not been improperly accessed.”
OK, everything is better. I am not at all worried now. Vets, you can quit worrying.
Uh huh…
Vet
Filed under Pre-Categories
I have been seeing articles and blog posts about HIPAA having no teeth. I posted something about it last week. Mike Rothman mentioned my post in today’s Daily Incite (welcome back, Mike), and he correctly interpreted my post as stating that HIPAA is basically useless when it comes to enforcement (at least, so far). But Mike went a step farther by saying this:
“…healthcare organization[s] continue to invest in security, but it’s to protect private information (to avoid the negative brand impact of a breach) and also to improve patient care (identity management and SSO stuff), but it ain’t because of HIPAA.”
Here’s the question: Will healthcare execs actually continue to invest in security if they see that HIPAA is not a real threat to them or their organization, even with the concerns that Mike states?
I know from personal experience that IT is typically not a healthcare executive’s favorite place to spend money. They would (somewhat justifiably so) rather spend it in the clinical areas, where they see the money being made. With HIPAA not being enforced and non-government compliance agencies like JCAHO not really looking at the IT side of things (unless you have an EMR (Electronic Medical Records) system), what is the incentive? I know many state (and likely federal soon) governments are forcing companies to notify when they have a breach, and that is a serious consequence, but I am not convinced that it is enough.
So have healthcare security pros ridden the HIPAA train as far as it will go?
Vet
Filed under Pre-Categories
Articles like this frankly scare the hell out of me.
Is centralized IT killing innovation? Are we working against our employees by keeping them in boxes and limiting their maneuverability? Are we inhibiting productivity by not allowing our employees to have access to tools that could help them get their job done faster?
What this reminds me of is the days when Microsoft gave not a crap about security and included every single little whiz-bang gadget in Microsoft Office and Internet Explorer without any real way of locking down what the users could do. So what happened? A flurry of activity by users who wanted to play with every tool available, an absolute nightmare for IT trying to support all these tools and the questions from every user trying to use them, and a mess of security holes and attacks caused by these same toys that we are still living with today.
I’m sorry if I want my network to be secure and not have to scramble to help my users figure out every little doohickey available in Office.
Ray Ozzie says, “IT’s requirements needn’t be inconsistent with end users’ desires.” Well Mr. Ozzie (you just have to love that name), I have a question for you:
Why do we want to meet the user’s desires? We must meet their needs! Now, if they NEED to have a tool to get their job done and we can make it reasonably secure, then so be it. If they want to download Weatherbug, then NO!
Mr. Ozzie (*chortle*), if you come out with a new toy that all my users want (PLEASE don’t bring back Clippy), then you better make it secure. And even if it is secure, I am not going to just run out and get it on everyone’s desktop. I have a job to do that does not include making all my users’ wildest dreams come true. Pedro I ain’t!
Vet
Filed under Pre-Categories
I received my digital version of InfoSecurity magazine this morning, and it got me thinking (it hurt because I usually don’t start thinking until the afternoon). The article was about Australian computer crime statistics and how their computer crime was about money more and more and less and less about bragging rights. They made this statement in the article:
Attacks that use trojans and rootkits rose to 21% of all attacks, says the report. Many are able to switch off computer defences and evade detection. In addition, 60% were undetected by current defensive software until discovered “in the wild”. This means actual infection rates may be much higher.
You would think that my mind would move in the direction of computer crime and how the rate of mass-mailing worms has gone down so much since last year and the year before, and blah blah blah. However, if you have read my blog for any length of time, you know my mind works in strange and distorted ways. So it actually made me start thinking about compliance of all things!
So, after making you read all that (and I am assuming someone out there is still reading my post at this point), I’ll let you in on where my warped brain went.
The quote above said that 60% of the malware was not detected by current defensive software until they were discovered in the wild. Here is my scenario:
- You are a security manager in healthcare (just like me)
- Some PC’s on your network become infected by a trojan and information is stolen
- ID theft occurs due to the breach
- You do some investigation and find the trojan, but it turns out it was unknown (not found in the wild) and was targeted specifically at your organization
- You report the incident and follow incident-handling procedures and clean the trojan and any other malware found
- You report the trojan to your anti-malware vendor, who disseminates the info and writes signatures along with everyone else
- Because of the breach and the subsequent ID theft, your hospital has a HIPAA complaint filed against it
- The HIPAA police come out (not likely to happen, but you never know) and find out that you have some problems with your HIPAA compliance, but nothing that is directly related to this incident
My question is: do they still prosecute, slap fines, etc.? In other words, during the course of the investigation, they find problems in another area of your HIPAA compliance that is not directly related to the incident. They conclude that you had proper policies, procedures, and safeguards in place for this incident (your safeguards simply couldn’t pick this up because it was not known in the wild). Can they still hold you liable for the problem they did find?
Maybe that is spelled out in the rule, but I haven’t seen it in my research. And since HIPAA has not really been tested in court (and who knows when it will be tested), I don’t know if / when we will get an answer to this or any other hypothetical question regarding this legislation.
Vet
Filed under Pre-Categories
I really liked this article (PDF) by Marc Prensky. It talks about how kids today (D-Gen) are fundamentally different in their thinking and learning styles because of growing up in the digital age. Good stuff, whether or not you believe it.
Vet
Filed under Pre-Categories
What are you protecting? What is on your file server? What is on your database server? What is on your web server (hopefully nothing much)? What is on your SAN / NAS / DAS? What is on your tapes? What is on your individual PC hard drives? What is on your PDA’s? What is on your thumbdrives? What is on your CD’s, DVD’s, floppies, etc?
Those are some scary questions. How did you answer them? Do you REALLY know where your data resides, and do you REALLY know how your data should be classified? Do you even have a classification scheme for your data? Do you know what data can be open to everyone, what data should be closed to only those who definitely need to see it, and all the data in between?
If you don’t, then get prepared for one hell of a project. Controlling your data by knowing where it resides is not easy. Users copy data everywhere they can. Laptops, hard drives on their PC, CD, thumb drives, floppies, etc. It is going to take time to pore through Word docs, Excel spreadsheets, and Access databases to find out what is where, then finding out what is what. This is a task that will likely take months and months of steady work, and could take even more time depending on how big you are.
But no matter how much time it will take, it is a must-do project. There is no alternative. And believe me, I am not preaching. This is a struggle for me as well. I work and struggle with this everyday. I was talking to a coworker yesterday about this, and our eyes starting crossing and our brains started smoking just thinking of the sheer amount of work that this was going to take. Nevertheless, we know it must be done.
So here is some advice:
First, if you have the budget, consider outsourcing this, at least in part. So many of us work for small IT shops in SMB’s, so we simply don’t have the bandwidth for this.
Second, come up with a data classification scheme (here is one that you can adapt to your organization). That way you can classify data while you are looking at it rather than coming back after the fact. Some data will not be obvious as to what classification you should give it, so you will inevitably have to backtrack. But you cut that time down if you get the scheme in place first.
Third, after you get a scheme together, get executive management buy-in. This helps in two ways: 1) they see your efforts and know what they are paying you for, and 2) you lessen your chances of them coming back and changing things later. That doesn’t mean it won’t happen, but a thorough explanation of what you are trying to accomplish and how you are going about it will really help. Actually, you should probably get them in the loop before you even start the first step, and then come back to them on this step.
Fourth, get some tools, even if you outsource. They will help cut your project time and cost down considerably. Arkivio is an information lifecycle management company, and they are supposed to have some good tools to help with the initial classification. I don’t have any experience with their stuff, but I have heard good things. You can also script searches to find obvious stuff (patient ID numbers, social security numbers, etc.) and throw the data into certain buckets in a report.
And while you are looking, don’t forget about the places where data can hide. Namely, recycle bins and email (mailboxes and .pst files). These are places that many administrators and managers don’t think about when they start down the classification project path, but these are often repositories for very sensitive data.
Now that you have your data located and classified, what do you do with it? I’ll talk about that in my next installment.
Vet
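The scripted search the post mentions, as an added example that is not from the original post or any product it names: it walks a directory tree (including a recycle-bin style folder), looks for SSNs and a patient ID format, and buckets each file for a report. The three-tier scheme and the MRN-nnnnnn patient ID format are assumptions for illustration, not the scheme the post links to, and only plain-text files are read.

```python
"""Added example (not from the original post): walk a directory tree, look for
obvious identifiers (SSNs and a hypothetical patient-ID format), and sort each
file into a classification bucket for a report. The Restricted / Confidential /
Internal scheme and the MRN-nnnnnn patient-ID format are assumptions."""
import os
import re
import tempfile
from collections import defaultdict

# 123-45-6789 style SSN candidate; plausibility-checked below
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical patient identifier format, e.g. MRN-004512 (assumed)
PATIENT_ID_RE = re.compile(r"\bMRN-\d{6}\b")

# Only plain-text formats are read; Word/Excel/Access/.pst need an extractor
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".eml"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def classify_text(text: str) -> str:
    """Highest matching bucket wins: SSN -> Restricted, patient ID ->
    Confidential, nothing found -> Internal (assumed scheme)."""
    if any(is_plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        return "Restricted"
    if PATIENT_ID_RE.search(text):
        return "Confidential"
    return "Internal"


def scan_tree(root: str) -> dict:
    """Return {bucket: [relative paths]}; non-text files go to 'Unscanned'
    so the report shows what still needs a format-specific extractor."""
    report = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                report["Unscanned"].append(rel)
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                report[classify_text(fh.read())].append(rel)
    return {bucket: sorted(paths) for bucket, paths in report.items()}


def build_sample_tree() -> str:
    """Constructed sample data, including a recycle-bin style folder and a
    file with SSN-shaped numbers that cannot be real."""
    root = tempfile.mkdtemp(prefix="classify_")
    samples = {
        "hr/payroll.csv": "name,ssn\nJ. Doe,123-45-6789\n",
        "clinic/visit.txt": "Patient MRN-004512 seen for follow-up.\n",
        "shared/minutes.txt": "Agenda item 2: new parking policy.\n",
        "shared/$Recycle.Bin/old_export.txt": "MRN-991234\n456-78-9012\n",
        "shared/fake.txt": "order 000-12-3456 and 666-01-0001\n",
        "archive/mail.pst": "binary placeholder, not parsed here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for bucket, paths in scan_tree(build_sample_tree()).items():
        print(bucket, paths)
```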
Filed under Pre-Categories
Here is episode 4 of my podcast. Just as fair warning, I tried adding some music to the podcast in the beginning and the end. I think it is a bit loud in the beginning, but I was having trouble getting the volumes right. Basically, turn down your speakers, headphones, whatever in the beginning and the end of the podcast, and adjust as necessary. Also, let me know if the volume of my voice is still too low.
The subjects I talked about tonight were somewhat varied. I did a self-plug about my Computerworld blog. I am really excited about it, so I had to say something about it.
I talked about Martin McKeay’s post about server room security and the implications of not properly building and securing your server room.
I tackled Microsoft’s foray into the security world and how they are committed to the course.
Another subject I commented on was a CNN article with an irresponsible tagline and opening paragraph about the VA laptop theft.
Go listen and let me know what you think.
Vet
Filed under Pre-Categories
Here is a great server room security post by Martin McKeay at his Computerworld blog. Martin points out the issues with thieves starting to target servers. But are they stealing the servers for the hardware or the data on the server?
If it is for the hardware, then there are many measures to lock down a server room. Locks, cameras, racks with locks, etc. Martin gives a good rundown of the security measures and points out that taking design of a server room seriously is crucial.
If it is for the data, then the thief has to have considerable intelligence on what servers have the data they want. And that means that security by obscurity is also a valid concept in physical security.
As I have said before, thieves go for the weaknesses. We have to look at security holistically. All areas need to be secured, not just the attack vector de jour.
Vet
Filed under Pre-Categories
I recently accepted an offer at Computerworld to be a weekly security blogger. I am not leaving my personal blog. In fact, Computerworld is very receptive to me having a personal blog and linking between the two to create more traffic. That will allow me to keep my personal brand and still have a more widely known venue to get my opinions out there. So basically, I am happy to be working with Computerworld, and I appreciate them bringing me on board.
My first post is here. Take a look, and look for my posts every week. I am still forming what I want to do at Computerworld. Since it will be weekly, I am thinking of making it a multi-issue post where I comment on multiple newsworthy security issues from the week. Let me know what you think.
Vet
Filed under Pre-Categories
I haven’t had a chance to look at this as far as the depth and detail, but it may be a good resource.
Vet
Filed under Pre-Categories
“Bill Gates’ drawdown of daily influence at Microsoft, the company he co-founded more than 25 years ago, won’t alter its course on security, analysts said Friday.”
This is from this story at Searchsecurity.com. Ummmm, ok. Did anyone think it would? Microsoft is actually being taken halfway seriously on security for the first time ever. Why would they think about changing that strategy? They have the power and the money to back up their security initiatives. They are going to be a major player in this market, no matter what anyone says.
The juggernaut has started forward momentum, people. Get used to it.
Another quote says:
It isn’t like Gates got hit by a bus. He’s still very much there for the next several years; he’s just signaling that the day will come when he won’t be, and planning an orderly succession.
This came from Jonathan Eunice, founder and principal IT advisor at Nashua, N.H.-based consultancy Illuminata Inc. Exactly! And he will still be plucking the strings of MSFT for years after he “steps down”.
Vet
Filed under Pre-Categories
This is exactly what I was talking about when I admonished Pete at Spire Security on his post about the VA data theft not being a big deal and that we should not worry.
First, you have the VA Secretary James Nicholson telling Congress that the hard drive on the stolen laptop was most likely erased because it fits the modus operandi of laptop thefts that had occurred in the area.
So the VA Secretary wants to ease the minds of the people by telling them that the data was likely erased. Well, I guess that is his job, and it very well may be true. It still does not ease my mind.
But the bigger point is the title and first paragraph CNN used for the story:
Agency chief: Data on stolen VA laptop may have been erased
Thieves may have erased personal data on millions of veterans that was on a laptop they stole, the secretary of veterans affairs said Thursday.
“Man, that’s a relief! I’m glad I don’t have to worry about that anymore!” That was what the busy veteran said who did not have the time to read the entire story. But if he had read just one more paragraph, he would have read this:
At least, that’s the burglars’ modus operandi, Secretary James Nicholson said at a hearing before the House Government Reform Committee.
Not so reassuring now, is it? The beginning of this article is very deceiving. I am not saying it was done maliciously. It was simply designed to grab attention. Everyone was writing stories about the theft. People were getting bored with it. But write a quick blurb about the fact that the data may have been erased, and you get people to go to your page and maybe click your ads. Nothing wrong with catchy taglines, but this really can cause problems by making people stop putting pressure on the VA.
Not to mention the fact that the “At least” paragraph is bogus, since Secretary Nicholson also says the thieves “may have been the same ones who committed similar burglaries in the area.”
Do not relax, people! Do not relax, VA! Fix this problem. Don’t give me a bunch of political crap. I want visible results!
Vet
Filed under Pre-Categories

Since I love the USA Network show “The 4400“, I keep wanting to make a joke here. But I won’t, since everything I can think of sounds pretty weak.
Anyway, Oregon had a government worker surfing porn and got a trojan. Now you have up to 2,200 Oregon taxpayers’ information compromised. Seems like typical stuff. But what I want to know is this: how did this worker get to porn in the first place? Why wasn’t this being blocked? What was the website this trojan came from? Has this website been reported to the authorities and the major security companies and whoever is hosting the site? Was it actually a website, or were they getting porn from an IRC channel? Have they checked for further infections? Was this a known trojan that should have been stopped by anti-malware on the desktop or the server? Was it an unknown trojan that has been reported to the major anti-malware companies? Where are the big details here?
There is too much left out of this story to make me comfortable. I am not an Oregon resident, and I have only been there once, so I am fairly certain I am not in trouble here. But some details need to come out to make sure this is not a new threat out in the wild. And more people than the employee need to be held accountable. Some government IT managers and execs need to be held to task for not blocking this type of traffic.
Vet
Filed under Pre-Categories
Martin McKeay has posted that phone tapping is not as effective as human intelligence, and I have agreed. But I also pointed out how difficult it is to get intelligence from traditional tactics with this type of enemy. It is not the same as gathering intelligence from communist governments, etc. I talked about this some more in my podcast.
Now Martin has replied to my previous post, and I have to say that his post is daunting. He is definitely passionate about this debate, and I agree with him on a number of points. I agree that phone-tapping is not a replacement for HUMINT.
But I have to take this debate a little farther. The NSA is not limiting itself to phone tapping. Bruce Schneier posted a link to this article this morning. It looks like the NSA is gathering information from MySpace and other social networking sites. Like Bruce, I don’t find this surprising. And to boot, it is not illegal. Anybody can grab this stuff from these sites. The NSA just happens to have more technology than most small countries, so they can be more effective at it. If people are crazy enough to let so much of their private lives hang out in public view, then they are going to have to deal with the consequences.
So what does the NSA hope to get from this data? Is it really effective as an intelligence tool? When you consider the sheer amount of data out there, the Internet would seem to be an ideal hiding place. And these social networking sites have added so much clutter to the Internet, it would appear to be impossible to gather any real, usable intel.
But I would say that it is effective, even with the high volume of data. Canada’s latest terror bust proves that website and Internet monitoring is effective at catching terrorists. This NY Times article (registration required) points out that the Canadian Security Intelligence Service “began monitoring Internet exchanges, some of which were encrypted” in 2004. The Canadian Broadcasting Corporation also reported that “the investigation began as security officials monitored traffic to extremist-related websites.”
And here is another point. Martin, have you considered that gathering data from social networking sites really is HUMINT? Many of these social networking sites have replaced coffee houses and the like. By using the Internet, a terrorist cell does not have to risk all its members or multiple members being captured by meeting at the same place. They can gather in relative anonymity in many places. It provides some safety. But it is still HUMINT to monitor these sites because they serve the same purpose: collusion to perform heinous tasks.
And on the subject of gathering intelligence on our citizens: if we limit intelligence gathering to non-citizens, aren’t we leaving out a huge number of potential suspects? Many of the terrorists have been citizens of the countries they have attacked. The CBC article mentioned above says, “All of the suspects were either born in Canada or were long-time residents. Luc Portelance, the assistant director of operations for the Canadian Security Intelligence Service (CSIS) called it a case of ‘home-grown terrorism.’”
Martin has said that I have come over to his side, and I agree that I have moved my thinking to a huge degree. Between Martin, Ira Winkler, Alan Shimel, and Bruce Schneier, I have received a healthy dose of reality. Couple that with the sheer amount of data being gathered, and I have almost totally changed my mind on this issue. I agree that this amount of intelligence gathering can lead to abuse. I hesitate to say a police state is in our near future, but I can follow the tracks into the future far enough to agree that it can happen. I don’t like it. It scares me. The capturing of so much info on so many people really makes my hackles rise. This has changed our country considerably, and in a short time.
I also agree that our intelligence gathering agencies have been hamstrung in many ways, and I think they should be built back up to a high level of effectiveness. That is and always will be our most effective tool at fighting these baddies. But Martin, the terrorist threat is immediate. What do we do until then? There is where I have problems. I just don’t know how to effectively deal with the threat until then. I am not disagreeing. I just haven’t heard an alternative from anyone. And I am not saying I have one either. This is the ONLY reason I have not completely condemned these methods.
Sheesh…
Vet
[In case you see a couple of versions of this post (my RSS reader shows updated versions as separate posts), I must tell you that I have updated this post a couple of times due to some poor wording and garbled sentences. The message has not changed, just the wording. Thanks to Martin for pointing it out.]
Filed under Pre-Categories
I just discovered the Security Curve Weblog. Looks likes some good commentary. The most recent post is about McAfee and their announcement of getting back into vulnerability discovery. I liked the thoughts that were given, and the writing style is good.
And since I just posted a question about using my comments on other blogs for my own blog postings, I am going to go ahead and post my comments from the above post:
This issue has been looked at for some time now, with the conspiracy theorists saying McAfee and Symantec hire hackers to create viruses to gen business. I never believed those allegations, but this is in the same vein. However, now it is explicit, so it brings it out even more into the public eye. The concepts of ethical hacking and hiring greyhats to find vulnerabilities have always been lightning rods for security pros. Will a hacker always be ethical? Who’s to say a greyhat won’t sell McAfee a vulnerability then turn around and sell it to someone else for malicious purposes?
I also find it somewhat interesting that people tend to explicitly trust the motivations of those who find vulnerabilities on their own and report them to the proper organizations. But that is another conversation.
Vet
Filed under Pre-Categories
I often find that my best blogging is done as comments to other blogs. Is it wrong to take your own comments from other blogs and post them on your blog? They are my words, and I get most of my inspiration from other people’s writings (yes, I do have original thoughts – sometimes I just need grease to lube the gears).
I don’t think there is anything wrong with it, but I don’t want to cross any blogging lines that I am not aware of.
Vet
Filed under Pre-Categories
I just finished recording the third episode of An Information Security Place Podcast. It is considerably longer than the previous podcasts, mainly because I talk about multiple subjects rather than just one of my posts, and I expound a little more than usual. If you have comments, suggestions, gripes, complaints (if I make your ears bleed with my incessant droning), please let me know.
In this episode, I talk about a few things. The first thing I talk about is the ongoing discussion Martin McKeay and I are having on the NSA spying. My previous post goes into Martin’s argument about how HUMINT is more effective than phone tapping. As he points out in his announcement of episode 31 of his podcast, the ball is in his court.
I also go into virtualized appliances and some of the discussion Alan Shimel and Chris Hoff are having (go read Chris Hoff’s “smackdown” posts - quite the read!).
I talk about my practical advice post and what it takes to sell security to execs. Thanks to Mike Rothman for linking to that article, BTW.
And finally I talk quickly about my general annoyance of why people can’t spell “HIPAA” correctly.
So take a listen and let me know what you think. I need some feedback on quality of content and quality of sound. I don’t have a hookup like Martin has, so I need to know how this sounds as is, or if I need to start some investing.
Also, I have created a podcast archive area on my right toolbar (I only have one, but it IS on the right) for easy access.
Vet
Martin McKeay’s Network Security Blog
Filed under Pre-Categories
Martin McKeay posted an interesting take on the NSA stuff. He argues that HUMINT (human intelligence) is a much more effective tool for stopping terrorists. I agree with Martin on this point, but I think the premise is a tad bit naïve. I have to ask if he has considered how difficult it is to infiltrate these types of organizations. The US intelligence services have a very hard time getting moles in those places. The culture differences alone are vast, and we are not talking about a political difference similar to the Soviet Union where people became disillusioned with what their government was doing to them. We are talking about seriously ingrained, whacked out religious ideas that have been drilled into these people since childhood. They just don’t tend to switch sides.
Another point is that the sheer amount of time it would take to get people up the ranks in organizations like Al Qaeda would be substantial. Organized terrorism has really only been around in this type of force since the late 60’s and early 70’s. Even if we could get someone in there, they would just be getting up in the ranks, even if they had managed to stay alive this long.
A third point is what type of person would switch sides to give intelligence. Typically, moles in many organizations and governments we wanted to infiltrate were in it for the money and the thrill it gave them. Your typical terrorist doesn’t crave these things (well, maybe the thrill). They are doing it for their god. The type of person who is going to switch sides would have to experience a fundamental shift in their life view. The atrocities they would have to commit to not give themselves away would be staggering. How do you convince someone like this to keep beheading people and planning major attacks that will kill innocents just to gather intelligence?
So I agree that the typical HUMINT gathering is a better tool than gathering phone numbers. But you have to look at how it could be done, and I just don’t think it is possible with this type of enemy, at least not to any large degree.
Vet
Filed under Pre-Categories
Nothing is inspiring me greatly in the security world today. I just don’t want to talk about what everyone else is talking about. So, I decided that I would throw down some practical advice from a security practitioner. Here goes:
Be SOCIAL!
Here is a clue. Many executives and board members think you are throwing money down an ever-growing hole that never shows return. DO NOT let your pride get in the way of making yourself visible to that CEO, CFO, COO, etc. Let them know what you are doing. How do you do that?
First, hire a hacker buddy. Next, open a hole in your firewall. Third,…wait, that’s not right.
Sorry about that. OK, here we go:
DO…
- …make personal appearances at company functions.
- …make eye contact
- …say hello to people in the hallway.
- …eat lunch with your coworkers.
- …talk to people at the water cooler.
- …put up pictures of your kids.
- …talk to people about your kids.
DON’T…
- …sit in your cubicle lined with Wargames memorabilia and mumble to yourself that you are doing a good job and that you don’t have to justify your existence while thinking of how Picard is a better Enterprise captain than Kirk (here come the flames).
Let ‘em know you are a person. Then, and only then, can you expect to start giving them some info on what you actually do in your job. Think about it.
Vet
Filed under Pre-Categories
Alan Shimel posted about my short blurb on the FCC getting a positive ruling on the issue of requiring broadband providers and IP telephone service providers to comply with US wiretap laws. Since he took issue with my post (dang him!), I felt the need to clarify. Here is my response to his post:
Alan,
I feel the need to clarify this blog post, and I was actually going to do so on my blog later today. I guess I will just copy this comment into my blog since you have forced me into action.
I really meant this to be tongue-in-cheek, but I wrote it a little early, so I might not have been fully awake, so it obviously was not very effective.
If the government is going about this legally, if the courts uphold their position, and if the tap is justified, then I support it. I have posted that I have concerns that the government was not using warrants before (this is a change in my earlier position), and Martin McKeay and I had a discussion about that (should be in his podcast tomorrow).
Of course, many would argue that it is still not right to do it and civil disobedience is justified, but I don’t believe that in this case. Hope that clarifies my position.
I agree with Alan on this one. If the government goes about the tap legally and in full compliance with the law (warrants, the whole bit), then I have no issue with this ruling and the use of the law to catch the baddies.
I must point out that the InformationWeek article had a negative tone to it.
Vet