An Information Security Place

Cleanflicks has lost to the movie industry in this case. Basically, they can no longer edit the bad stuff out of movies and redistribute. What surprised me to a degree was the the movie industry did not use DMCA as an argument. Go here to see the likely reason why.

A few weeks back, I posted about what a security admin / manager should do to sell security to the execs and the general user populace at his or her organization. It contained no technical advice. Basically, it said to be social and was meant to be a first step in getting the people to know you so you can start down the path of security acceptance.

Once those execs know who you are, what’s next? This is where it gets real, folks. You actually have to define your job. Not just DO your job, but actually sit down in front of your laptop, desktop, writing pad, whatever, and get a solid idea of what you do. I am not talking about a job description. I am talking about the tasks you work on daily and weekly and monthly and so on. Tasks you have to perform to make your network secure and your information safe.

Make out your list ASAP. It will help you get organized. Then, print it out and slip it under your boss’s door. Maybe it will wake someone up (or it might just piss ‘em off – either one is OK).

Now I have to admit that it is often difficult to get started on a list like this. There are so many things that you do that it seems like it would be simple to put it down. But it sometimes is just not that easy. So, here’s a sample of what you might have to do as a security person. It won’t apply to everyone, of course, and I have also included some network admin and engineering tasks that many security people won’t do. It is definintely not exhaustive. But for those busy security admins who do double duty on the network, then some might work. Hope it helps. Feel free to comment and add more.

IPS Maintenance
Firmware Upgrades
Signature Updates
Tuning
Reporting

IDS Maintenance
Firmware Upgrades
Signature Updates
Tuning

SIM / SEM Maintenance
Firmware Upgrades
Tuning
Alert setup
Reporting

Email Gateway Maintenance
Firmware Upgrades
Real Expression Maintenance
Delivering blocked emails
Reviewing message logs for false positives and false negatives (tuning)
Checking forums for new spam / viruses that require expressions for filtering
Maintaining blocked extension database
Reporting

Corporate Firewall Maintenance
Firmware Upgrades
Policy setup
VPN setup and maintenance
User access setup
Rule auditing
Reporting

Remote Firewall Maintenance
Firmware Upgrades
Policy setup
VPN setup and maintenance
User access setup
Rule auditing
Reporting

Router and Switch Maintenance
Firmware Upgrades
Access maintenance
VLAN Maintenance

Servers
DNS Maintenance
DHCP Maintenance

Network Monitoring
Baseline configuration
Threshold alert setup

General Security
Password Auditing
Vulnerability Scanning
Rogue device scanning
Wireless device scanning

Telecommunications
DNS Maintenance

Router maintenance

Internet
Domain Maintenance

Extranet Maintenance
Firmware Upgrades
Group and User maintenance
Rules maintenance

Documentation
IP address list (public and private)
Network and security infrastructure drawings
Update acceptable use policies
Update security awareness presentation
Update DR policies and procedures
Update HIPAA policies and procedures

Training
Orientation
Security Awareness

Vet

I know many of you were waited with baited breath for my installment 2 of 2 of data classification, but I have decided to delay that for a while.  I want to look into some other things to write about, and since the announcement of the EMC acquisition of RSA yesterday, I am looking closely at that and the impact (if any) it may have on the data classification status.

What I am seeing so far from this is EMC basically leaving RSA alone so they can keep doing their thing.  Joe Tucci calls it EMC’s “string of pearls” approach.  Mike Rothman basically says the same thing in today’s Daily Incite:

“But historically, EMC leaves their big acquisitions alone – integrating technology where it makes sense, but letting them operate in the way they need to for their respective markets.”

This does position EMC perfectly for the wackos to come out of the wood work to start accusing them of trying to take over the world.  Just watch and see.

Vet

Looks like they found the missing VA laptop and hard drive.  They also said that the “initial FBI forensics tests indicate the data on the laptop and disk has not been improperly accessed.”  

OK, everything is better.  I am not at all worried now.  Vets, you can quit worrying.

Uh huh…

Vet

This is absolutely hilarious.  The Onion cracks me up.

I received my digital version of InfoSecurity magazine this morning, and it got me thinking (it hurt because I usually don’t start thinking until the afternoon). The article was about Australian computer crime statistics and how their computer crime was about money more and more and less and less about bragging rights. They made this statement in the article:

Attacks that use trojans and rootkits rose to 21% of all attacks, says the report. Many are able to switch off computer defences and evade detection. In addition, 60% were undetected by current defensive software until discovered “in the wild”. This means actual infection rates may be much higher.

You would think that my mind would move in the direction of computer crime and how the rate of mass-mailing worms has gone down so much since last year and the year before, and blah blah blah. However, if you have read my blog for any length of time, you know my mind works in strange and distorted ways. So it actually made me start thinking about compliance of all things!

So, after making you read all that (and I am assuming someone out there is still reading my post at this point), I’ll let you in on where my warped brain went.

The quote above said that 60% of the malware was not detected by current defensive software until they were discovered in the wild. Here is my scenario:

• You are a security manager in healthcare (just like me)
• Some PC’s on your network become infected by a trojan and information is stolen
  ID theft occurs due to the breach
• You do some investigation and find the trojan, but it turns out it was unknown (not find in the wild) and was targeted specifically at your organization
• You report the incident and follow incident-handling procedures and clean the trojan and any other malware found
• You report the trojan to your anti-malware vendor, who disseminates the info and writes signatures along with everyone else
• Because of the breach and the subsequent ID theft, your hospital has a HIPAA complaint filed against it
• The HIPAA police come out (not likely to happen, but you never know) and find out that you have some problems with your HIPAA compliance, but nothing that is directly related to this incident

My question is: do they still prosecute, slap fines, etc? In other words, during the course of the investigation, they find problems in another area of you HIPAA compliance that is not directly related to the incident. They conclude that you had proper policies, procedures, and safeguards in place for this incident (your safeguards simply couldn’t pick this up because it was not know in the wild). Can they still hold you liable for the problem they did find?

Maybe that is spelled out in the rule, but I haven’t seen it in my research. And since HIPAA has not really been tested in court (and who knows when it will be tested), I don’t know if / when we will get an answer to this or any other hypothetical question regarding this legislation.

Vet

Amen

Here is episode 4 of my podcast. Just as fair warning, I tried adding some music to the podcast in the beginning and the end. I think it is a bit loud in the beginning, but I was having trouble getting the volumes right. Basically, turn down your speakers, headphones, whatever in the beginning and the end of the podcast, and adjust as necessary. Also, let me know if the volume of my voice is still too low.

The subjects I talked about tonight were somewhat varied. I did a self-plug about my Computerworld blog. I am really excited about it, so I had to say something about it.

I talked about Martin McKeay’s post about server room security and the implications of not properly building and securing your server room.

I tackled Microsoft’s foray into the security world and how they are committed to the course.

Another subject I commented on was a CNN article with an irresponsible tagline and opening paragraph about the VA laptop theft.

Go listen and let me know what you think.

Vet

I recently accepted an offer at Conputerworld to be a weekly security blogger. I am not leaving my personal blog. In fact, Computerworld is very receptive to me having a personal blog and linking between the two to create more traffic. That will allow me to keep my personal brand and still have a more widely known venue to get my opinions out there. So basically, I am happy to be working with Computerworld, and I appreciate them bringing me on board.

My first post is here. Take a look, and look for my posts every week. I am still forming what I want to do at Computerworld. Since it will be weekly, I am thinking of making it a multi-issue post where I comment on multiple newsworthy security issues from the week. Let me know what you think.

Vet

“Bill Gates’ drawdown of daily influence at Microsoft, the company he co-founded more than 25 years ago, won’t alter its course on security, analysts said Friday.”

This is from this story at Searchsecurity.com. Ummmm, ok. Did anyone think it would? Microsoft is actually being taken halfway seriously on security for the first time ever. Why would they think about changing that strategy? They have the power and the money to back up their security initiatives. They are going to be a major player in this market, no matter what anyone says.

The juggernaut has started foward momentum, people. Get used to it.

Another quote says:

It isn’t like Gates got hit by a bus. He’s still very much there for the next several years; he’s just signaling that the day will come when he won’t be, and planning an orderly succession.

This came from Jonathan Eunice, founder and principal IT advisor at Nashua, N.H.-based consultancy Illuminata Inc. Exactly! And he will still be plucking the strings of MSFT for years after he “steps down”.

Vet

Since I love the USA Network show “The 4400“, I keep wanting to make a joke here. But I won’t, since everything I can think of sounds pretty weak.

Anyway, Oregon had a government worker surfing porn and got a trojan. Now you have up to 2,200 Oregon taxpayers information compromised. Seems like typical stuff. But what I want to know is this: how did this worker get to porn in the first place? Why wasn’t this being blocked? Was was the website this trojan came from? Has this website been reported to the authorities and the major security companies and whoever is hosting the site? Was it actually a website, or were they getting porn from an IRC channel? have they checked for further infections? Was this a known trojan that should have stopped by anti-malware on the desktop or the server? Was it an unknown trojan that has been reported to the major anti-malware companies? Where are the big details here?

There is too much left out of this story to make me comfrotable. I am not an Oregon resident, and I have only been there once, so I am fairly certain I am not in trouble here. But some details need to come out to make sure this is not a new threat out in the wild. And more people than the employee need to be held accountable. Some government IT managers and execs need to be held to task for not blocking this type of traffic.

Vet

Martin McKeay has posted that phone tapping is not as effective as human intelligence, and I have agreed. But I also pointed out how difficult it is to get intelligence from traditional tactics with this type of enemy. It is not the same as gathering intelligence from communist governments, etc. I talked about this some more in my podcast.

Now Martin has replied to my previous post, and I have to say that his post is daunting. He is definitely passionate about this debate, and I agree with him on a number of points. I agree that phone-tapping is not a replacement for HUMINT.

But I have to take this debate a little farther. The NSA is not limiting itself to phone tapping. Bruce Schneier posted a link to this article this morning. It looks like the NSA is gathering information from MySpace and other social networking sites. Like Bruce, I don’t find this surprising. And to boot, it is not illegal. Anybody can grab this stuff from these sites. The NSA just happens to have more technology than most small countries, so they can be more effective at it. If people are crazy enough to let so much of their private lives hang out in public view, then they are going to have to deal with the consequences.

So what does the NSA hope to get from this data? Is it really effective as an intelligence tool? When you consider the sheer amount of data out there, the Internet would seem to be an ideal hiding place. And these social networking sites have added so much clutter to the Internet, it would appear to be impossible to gather any real, usable intel.

But I would say that it is effective, even with the high volume of data. Canada’s latest terror bust proves that website and Internet monitoring is effective at catching terrorists. This NY Times article (registration required) points out that the Canadian Security Intelligence Service “began monitoring Internet exchanges, some of which were encrypted” in 2004. The Canadian Broadcasting Corporation also reported that “the investigation began as security officials monitored traffic to extremist-related websites.”

And here is another point. Martin, have you considered that gathering data from social networking sites really is HUMINT? Many of these social networking sites have replaced coffee houses and the like. By using the Internet, a terrorist cell does not have to risk all its members or multiple members being captured by meeting at the same place. They can gather in relative anonymity in many places. It provides some safety. But it is still HUMINT to monitor these sites because they serve the same purpose: collusion to perform heinous tasks.

And on the subject of gathering intelligence on our citizens: if we limit intelligence gathering to non-citizens, aren’t we leaving out a huge number of potential suspects? Many of the terrorists have been citizens of the countries they have attacked. The CBC article mentioned above says, “All of the suspects were either born in Canada or were long-time residents. Luc Portelance, the assistant director of operations for the Canadian Security Intelligence Service (CSIS) called it a case of ‘home-grown terrorism.’”

Martin has said that I have come over to his side, and I agree that I have moved my thinking to a huge degree. Between Martin, Ira Winkler, Alan Shimel, and Bruce Schneier, I have received a healthy dose of reality. Couple that with the sheer amount of data being gathered, and I have almost totally changed my mind on this issue. I agree that this amount of intelligence gathering can lead to abuse. I hesitate to say a police state is in our near future, but I can follow the tracks into the future far enough to agree that it can happen. I don’t like it. It scares me. The capturing of so much info on so many people really makes my hackles rise. This has changed our country considerably, and in a short time.

I also agree that our intelligence gathering agencies have been hamstrung in many ways, and I think they should be built back up to a high level of effectiveness. That is and always will be our most effective tool at fighting these baddies. But Martin, the terrorist threat is immediate. What do we do until then? There is where I have problems. I just don’t know how to effectively deal with the threat until then. I am not disagreeing. I just haven’t heard an alternative from anyone. And I am not saying I have one either. This is the ONLY reason I have not completely condemned these methods.

Sheesh…

Vet

[In case you see a couple of versions of this post (my RSS reader shows updated versions as separate posts), I must tell you that I have updated this post a couple of times due to some poor wording and garbled sentences. The message has not changed, just the wording. Thanks to Martin for pointing it out.]

I often find that my best blogging is done as comments to other blogs. Is it wrong to take your own comments from other blogs and post them on your blog? They are my words, and I get most of my inspiration from other people’s writings (yes, I do have original thoughts – sometimes I just need grease to lube the gears).

I don’t think there is anything wrong with it, but I don’t want to cross any blogging lines that I am not aware of.

Vet

Martin McKeay posted an interesting take on the NSA stuff. He argues that HUMINT (human intelligence) is a much more effective tool for stopping terrorists. I agree with Martin on this point, but I think the premise is a tad bit naïve. I have to ask if he has considered how difficult it is to infiltrate these types of organizations. The US intelligence services have a very hard time getting moles in those places. The culture differences alone are vast, and we are not talking about a political difference similar to the Soviet Union where people became disillusioned with what their government was doing to them. We are talking about seriously ingrained, whacked out religious ideas that have been drilled into these people since childhood. They just don’t tend to switch sides.

Another point is that the sheer amount of time it would take to get people up the ranks in organizations like Al Qaeda would be substantial. Organized terrorism has really only been around in this type of force since the late 60′s and early 70′s. Even if we could get someone in there, they would just be getting up in the ranks, even if they had managed to stay alive this long.

A third point is what type of person would switch sides to give intelligence. Typically, moles in many organizations and governments we wanted to infiltrate were in it for the money and the thrill it gave them. Your typical terrorist doesn’t crave these things (well, maybe the thrill). They are doing it for their god. The type of person who is going to switch sides would have to experience a fundamental shift in their life view. The atrocities they would have to commit to not give themselves away would be staggering. How do you convince someone like this to keep beheading people and planning major attacks that will kill innocents just to gather intelligence?

So I agree that the typical HUMINT gathering is a better tool than gathering phone numbers. But you have to look at how it could be done, and I just don’t think it is possible with this type of enemy, at least not to any large degree.

Vet

Alan Shimel posted about my short blurb on the FCC getting a positive ruling on the issue of requiring broadband providers and IP telephone service providers to comply with US wiretap laws. Since he took issue with my post (dang him!), I felt the need to clarify. Here is my response to his post:

Alan,
I feel the need to clarify this blog post, and I was actually going to do so on my blog later today. I guess I will just copy this comment into my blog since you have forced me into action.
I really meant this to be tongue-in-cheek, but I wrote it a little early, so I might not have been fully awake, so it obviously was not very effective.
If the government is going about this legally, if the courts uphold their position, and if the tap is justified, then I support it. I have posted that I have concerns that the government was not using warrants before (this is a change in my earlier position), and Martin McKeay and I had a discussion about that (should be in his podcast tomorrow).
Of course, many would argue that it is still not right to do it and civil disobedience is justified, but I don’t believe that in this case. Hope that clarifies my position.

I agree with Alan on this one. If the government goes about the tap legally and in full compliance with the law (warrants, the whole bit), then I have no issue with this ruling and the use of the law to catch the baddies.

I must point out that the InformationWeek article had a negative tone to it.

Vet