Archive for the ‘Commentary’ Category

Holy Toledo! The iPod did it!

Saturday, February 17th, 2007

Unbelievable.  It’s even more unbelievable because I live near the community of Oregon, Ohio where a police detective called a student’s iPod a “criminal tool”. 

In an article in the Toledo Blade,  Robin Erb describes an incident in which a former Clay High School student was charged with a felony for accessing school employee and student records.  Not only did he access them, he downloaded them to his iPod.  In addition to being charged with unauthorized use of a computer, he was also charged with possessing a criminal tool–i.e. the iPod.  Nice police work, Oregon.  Will I still be able to carry my iPod concealed when I cross the city line?

Although the former student used a school computer lab to access the sensitive records, the article makes no mention of how this was even possible.  It probably didn’t take much cracking of system security if access was gained in a classroom under High School staff supervision.   Instead of vilifying the venerable iPod–or any other mobile storage device for that matter–it might be better to ask serious questions about how this was even possible.  What steps is the school system taking to ensure this doesn’t happen again?  Or will the school board simply add mobile storage devices to the list of criminal tools so it can assure parents and teachers that their information is now secure?
 

Calling end users stupid isn’t helpful

Saturday, February 17th, 2007

I was reading a Tim Wilson article at Dark Reading this morning in which he asked the question, “So are users hopeless?  Are they inherently brainless and/or evil?”  My first reaction to the question was raucous laughter.  When I finally regained my senses, I read the rest of the article in which Wilson makes a lot of sense.

As a security director, I have days when I believe the users are all out to violate as many security policies as they can, either intentionally or because they are brain dead.  But this attitude isn’t helpful.  I agree with Wilson that most end users are intelligent individuals who want to do the right thing.  Keeping that in mind, helping users help themselves is a key element in any security program.

For years I’ve been a proponent of user education as a first step.  If there is chaos in the halls of security compliance, then part of the blame usually lies with the lack of effectiveness of an organization’s security awareness efforts.   This is always the first step, but it isn’t enough.

Employees will always make mistakes.  Yes, they’re human beings not robots.  So there are steps security professionals must take to mitigate the impact of those mistakes.  Content monitoring for data transfers, locking down the desktop, and Internet access controls are three good places to start.  Not only will this help stop the bleeding from an accidental incident, it will also help minimize the probability of malicious activities.

Wilson does finish his article with the assertion that end users are hopeless.  OK.  Maybe.  But IT security shouldn’t be. 

Writely: A great product with questionable security

Friday, March 17th, 2006

For those of you not familiar with Writely, it’s an online beta word processing service that provides the following services:

  1. Create documents online
  2. Upload documents from Word
  3. Publish to the web
  4. Post to your blog
  5. Participate in online collaboration with people you specify

Yes, it’s a great product with fantastic potential.  And now that Google has purchased the company, Upstartle, things could get very interesting.  There is just one catch; there are no safeguards to protect the content of documents during editing or viewing.

On February 27, 2006, in the Writely blog, Jen, an employee of Upstartle, responded to a thread in which users questioned why SSL protection was not provided. 

Jen wrote:

    OK, now I have to reply ;-}

    We don’t have SSL definitively planned as part of a premium service, although that’s certainly possible. SSL will definitely slow the service down, which is why we would likely not make it the default in the basic service. Yes, I know this response is vague, but it’s only because our plans are not final!

As I posted to the Writely blog, it’s irresponsible for an organization to provide a tool like this without any apparent regard for safeguarding the activities of its users.  I hope that Google takes a different approach with this innovative and, in my opinion, much needed service.

 Author:  Tom Olzak

Political Risks Associated with Personal Information Storage

Thursday, March 2nd, 2006

When we think of risks related to malicious hacking, we usually list financial ramifications.  But as global information delivery changes, the risks are increasing in severity. 

This week, Google moved its search records from its Chinese site to the United States.  The reason stated for the move was the possibility that the Chinese government might access those records without Google’s consent.  This was a responsible move by Google, given the potential reprisals against individuals whose searches cause concern within political circles in Beijing.  But is the data safe in the U.S.?

I wrote in a January 26, 2006 blog article about a successful attempt to acquire U.S. Military secrets by alleged representatives of the Chinese government.  A foiled attack against the British government prompted the article.  What prevents these same attackers from breaking into databases in other countries to search for evidence of dissident activity in China?

I don’t know what the solution is.  But I do know that maintaining information that can be used to reconstruct an individual’s Internet habits is becoming a bigger problem than the privacy issues touted by many Americans.  It’s important for Internet companies to understand that the emergence of a truly global Internet requires vigilance that many organizations operating within democracies may find difficult to comprehend.  Business intelligence isn’t a good enough reason to store search information or other personal data that might be compromised by a foreign government for political purposes.

Author:  Tom Olzak

Sorting through the Security-in-the-cloud Debate

Friday, February 24th, 2006

There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.


Laptop Encryption: Reasonable and Appropriate?

Monday, February 20th, 2006

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial institutions should handle customer information.  There’s been plenty of coverage on this issue since the ruling.  But I’d like to look at this from a different perspective; given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?


Goodmail Systems CertifiedEmail: What is it, and why all the fuss?

Tuesday, February 14th, 2006

Last month, AOL announced it was beginning to use a certified email system designed by Goodmail Systems.  Basically, the Goodmail solution attaches an encrypted token to business/marketing email from certified businesses.  When AOL sees the token, and validates it, the email is treated as a non-spam message.  The catch for the sender is a small fee per message.  The impact on AOL email users is an increase in email with no other purpose than the delivery of unsolicited marketing material.

In this article, I’ll explore how Goodmail’s CertifiedEmail works, what the implementation of this solution means to business, and what users of AOL email services can expect.
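To make the token-based whitelisting concrete, here is an added, constructed example (not Goodmail’s actual token format or AOL’s code) of the two halves of such a scheme: a certified sender binds a keyed token to one specific message, and the receiving provider validates it before bypassing the spam filter. The header name, the per-sender keys and the expiry window are assumptions for illustration.

```python
# Constructed illustration of a certified-email token, modelled on the page's description.
# NOT Goodmail's real format; header name, keys and expiry window are assumptions.
import hashlib
import hmac

# Hypothetical per-sender secrets the certification authority would issue to each
# certified business and share with the receiving mail provider (constructed values).
CERTIFIED_SENDERS = {"newsletter.example": b"constructed-secret-for-newsletter.example"}
TOKEN_HEADER = "x-certified-token"   # assumed header name
MAX_AGE = 24 * 3600                  # tokens older than a day are rejected

def make_token(sender_domain, message_id, issued_at, key):
    """Sender side: bind the token to this sender, this message and its issue time,
    so a token lifted from one message cannot certify a different one."""
    payload = f"{sender_domain}|{message_id}|{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def validate_token(token, expected_sender, expected_msg_id, now):
    """Receiver side: accept only if the sender is certified, the token is bound to
    this very message, it has not expired, and the MAC verifies."""
    try:
        domain, msg_id, issued_at, mac = token.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return False
    key = CERTIFIED_SENDERS.get(domain)
    if key is None or domain != expected_sender or msg_id != expected_msg_id:
        return False
    if not 0 <= now - issued_at <= MAX_AGE:
        return False
    payload = f"{domain}|{msg_id}|{issued_at}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison

def classify(headers, now):
    """The provider's decision: a valid token bypasses the spam filter, anything
    else (missing, replayed, stale or forged token) gets normal filtering."""
    token = headers.get(TOKEN_HEADER, "")
    if validate_token(token, headers["from_domain"], headers["message_id"], now):
        return "certified"
    return "normal-spam-filtering"
```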


An Intrusion Defense Solution

Tuesday, January 31st, 2006

Rather than write another piece on security in general for today’s post, I’m going to share my team’s experience in selecting an intrusion defense solution that expands on our existing firewall perimeter defense.  During the past several weeks, my team and I struggled with the new infrastructure and management design to support our enterprise security strategy.  We looked at IDS and IPS.  We looked at SIM products.  And we assessed each solution based on the following criteria:


Cyber-espionage: How vulnerable are we?

Thursday, January 26th, 2006

Hacking activities thought to be related to the theft of government secrets are a real threat to national security.  In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.  

According to Dunn, over 70 PCs were targeted on January 2, 2006 with messages intended to install keyloggers.  This was confirmed by MessageLabs Ltd – the government’s message filtering company.  Luckily, the messages were identified and stopped before they could reach their targets.  The most disturbing piece of information coming out of this incident is the source of the attack – Guangdong Province in China.

An isolated, one-time attack might be passed off as just another malicious individual flexing his muscles.  But this is at least the second incident in which Chinese attackers have targeted foreign governments.  

On November 1, 2004, attackers located in Guangdong Province launched an attack against the U.S. Army facility at Redstone Arsenal.  But this attack is thought to have been successful.  It is believed that U.S. military secrets, including aviation specifications and flight planning software, were stolen.  It is also believed that the intended recipient for this information was the Chinese government.  This successful breach of U.S. Government security is part of an on-going attempt by the Chinese to hack into government computers.  U.S. Officials have named the hackers Titan Rain.

So just how vulnerable is the U.S. infrastructure to cyber attacks by other nations or terrorist groups? 

  1. During a 2004 FISMA-required audit of security implemented by entities within the Federal government, seven departments failed to achieve a passing grade. Included in the list of failed departments was the Department of Homeland Security (DHS).
  2. Congress and the Bush administration cut by 7% the 2005 DHS budget for cyber security programs.
  3. In February 2005, the Presidential IT Advisory Committee (PITAC) completed a report entitled “Cyber Security: A Crisis of Prioritization.”  The following findings and recommendations were presented to the Bush Administration:
    1. Finding: “The Federal R&D budget provides inadequate funding for fundamental research in civilian cyber security.”  Recommendation: The NSF, DHS, and DARPA budgets should be increased significantly.
    2. Finding: “The Nation’s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States.”  Recommendation: Double the size of the civilian cyber security fundamental research community by the end of the decade.
    3. Finding: “Current cyber security technology transfer efforts are not adequate to successfully transition Federal research investments into civilian sector best practices and products.”  Recommendation: The relationship between the Federal government and the private sector must be strengthened.  Lines of communication and cooperation must be developed and maintained.
    4. Finding: “The overall Federal cyber security R&D effort is currently unfocused and inefficient because of inadequate coordination and oversight.”  Recommendation: The Interagency Working Group on Critical Information Infrastructure Protection should become the focal point of R&D efforts, coordinating and prioritizing all activities.
  4. In December 2005, the members of the Cyber Security Alliance expressed to the Bush Administration their frustration with the lack of progress made in addressing online crime.  The group – including organizations like Computer Associates, McAfee, Symantec, and RSA – believes that the lack of support and leadership shown by the Federal Government threatens the economy and national security.

We should not expect the Federal government to solve all our problems.  But we should expect leadership when national security and the overall public welfare are threatened.  Congress and the President must change their priorities when addressing cyber security within the context of overall defense and social spending.  If this does not happen, hackers will continue to outstrip our ability to protect our national infrastructure; terrorists and foreign governments will find us a soft target.

Author:  Tom Olzak 

Sources:

Security experts lift lid on Chinese hack attacks

Tech Group Blasts Federal Leadership on Cyber-Security

PITAC Report on Cyber Security, February 2005

Security?

Monday, January 23rd, 2006

Picture this.  A security manager sits quietly contemplating the previous several months.  No known successful attacks against her network.  No loss of revenue or productivity due to system failure/recoverability issues.  Her team flawlessly executed two disaster recovery tests.  Her boss is happy, telling everyone that the network is secure due to her efforts.  Life is good.  What’s wrong with this picture?

There’s nothing wrong with it if the security manager and her boss understand that this period of calm is temporary.  As attackers come up with new ways to penetrate and compromise business networks, security teams must remain flexible, continuously working to adjust safeguards to keep the network safe. 

Too often these periods of safe computing are perceived by management as an end state.  In other words, security efforts have achieved their objectives; it’s time to move on to something else.  This is dangerous thinking.  

Security management is an ongoing process.  It requires continuous monitoring, analysis, and adjustment to maintain information asset protection at an acceptable level.  It’s the responsibility of the security professional to educate her peers, subordinates, and executive management about this fact.  Failing to do so will inevitably result in a weakened network defense, and an eventual attack causing significant business loss.