QOTD on Moving to the Cloud

If you think it's tough managing identities, devices, malware, exploit attacks, mitigating software vulnerabilities, and conducting meaningful audits today -- you haven't seen anything yet compared to what's coming with the hyper-connected nature of data, people, infrastructure, devices, and applications in 'The Cloud.' -- George Hulme writing in Information Week
Src: Cloud Security Needs Its Rainmaker | InformationWeek [Tx georgevhulme]

QOTD on Data Handling

Commenting on a story in which Aberdeen Royal Infirmary lost a laptop containing almost 1,400 PII records, David Hoelzer, Director of Research & Principal Examiner for Enclave Forensics, wrote:
Somewhere in our information security program there needs to be an analysis of what data really needs to be where. The best way I've seen to do this is to develop matrix based policy that shows how each type of data may be handled. Something as simple as that should tell us very clearly that it's just never OK to have sensitive data of this level on a portable device. Organizations may consider selecting controls out of ISO-27000 that deal with management approval for movement of sensitive data.
Src: SANS NewsBites Vol 11 Num 33

Do you need a Twitter e-discovery Policy?

[updated to include quotes from a second source suggested by Stephen Northcutt, President of the SANS Institute]

Debra Logan, a Gartner Analyst, argues that while organizations may need a Twitter e-discovery policy, it should mainly be based on common sense as opposed to yet-another-policy-about-technology.
A well thought out, consistent policy, one that is enforced, for all electronic communications, is what you need.
As to whether you should be saving every tweet, the answer is that you'll have to read the original article.

Src: Debra Logan | Gartner Blog

After seeing my post/tweet, @StephenNorthcut, President of the SANS Institute, sent me a link to another source by Christopher Danzig, containing more legal details and cases. This next article is definitely worth reading. Christopher points to the need to establish (and enforce) policies preventing the mixing of business and personal use of social networks -- they should be used for one or the other, but not both.
There are no hard and fast rules or substantial case law at this point regarding admissibility and discoverability of online communications, but experts say legal departments should follow this guiding principle: If information is potentially relevant, then it’s also discoverable.
So, next time you're drafting a 140-character message, realize it is not private and may very well become part of a legal case.

Src: Messaging Mess | InsideCounsel.com

Privacy in the digital age

"Mobile phones thus constitute the world’s largest sensor network" writes Fred Crate in The Journal (UK). Writing about the erosion of Internet Privacy, Fred points to the amount of information we voluntarily disclose (e.g. photos on Flickr, MySpace and Facebook posts) and the information that government and businesses collect and share, often without our knowing.
Protecting privacy in the face of ubiquitous data requires many tools: technology, education, market pressure but most of all it requires strong laws that impose serious obligations on industry to act as stewards, not merely processors, of our data, and firm limits on government access to those data.
Can privacy concerns prevail, or even hold firm, in the face of national security threats? Seeing how some of the more privacy-minded governments around the world have swiftly disposed of their citizens' concerns and embraced the all-seeing eye of omnipresent surveillance, we will likely see more erosion of our privacy rights, in the name of the greater good. Is it worth it? Only time will tell. 1984, here we come!

Src: Internet privacy: Mind your own business | The Journal.co.uk

The End of the University as We Know It

Graduate education is the Detroit of higher learning. Most graduate programs in American universities produce a product for which there is no market (candidates for teaching positions that do not exist) and develop skills for which there is diminishing demand (research in subfields within subfields and publication in journals read by no one other than a few like-minded colleagues), all at a rapidly rising cost (sometimes well over $100,000 in student loans).
I agree wholeheartedly. Traditional academia is a dinosaur on its way towards extinction. If you were to look around various institutions, you would find that most faculty are incapable of functioning outside of the bubble of the ivory tower as they often lack "real-world skills" that the marketplace requires.

What's this gotta do with Information Security, you may ask? In areas such as Computer Science and Information Technology, faculty often teach classes without spending much time (if any) discussing the implications of writing insecure code. How could they, since they themselves lack the interest and/or motivation to embrace information security?
Once tenure has been granted, there is no leverage to encourage a professor to continue to develop professionally or to require him or her to assume responsibilities like administration and student advising...
Colleges and universities should be able to reward researchers, scholars and teachers who continue to evolve and remain productive while also making room for young people with new ideas and skills.
My own career path has been markedly different from that of the traditional faculty. I consider myself a hybrid, one equally at ease talking with ivory-tower colleagues, but also very much at ease interacting with fellow information security practitioners or business executives. I do not view my Ph.D. as a "terminal degree." Instead, I view it as a lifelong commitment to learning, as evidenced by my later accomplishments including several leading certifications and engagements within the field of InfoSec.

Src: Op-Ed Contributor - End the University as We Know It | NYTimes.com [tx to the other Dr. Veltsos for this link]

RSA Keynote live blog - The Shadow Factory: The Ultra-Secret NSA by James Bamford

Last keynote of 4/22, The Shadow Factory: The Ultra-Secret NSA by James Bamford
[I'm attempting to follow in @kriggins' shoes... he's done a great job live blogging the keynotes]

NSA had 4 major revolutions:
Rev 1, 1970s NSA loses monopoly over encryption. NSA tries scaring them off by patent warnings.
Rev 2, 1980s switch from analog to digital... making it hard for NSA to eavesdrop on packets.
Rev 3, 1990s information overload, then clipper chip
Rev 4, 2000s revolution in telecom delivery (away from satellites towards fiber optics)

NSA found out about 9/11 from TV as opposed to via their own eavesdropping efforts.

BinLaden passing orders to two of his lieutenants; NSA had been eavesdropping where they lived. NSA missed the call about the WTC. Late Dec 99, got clue about 9/11, passed it on to CIA. CIA lost them in Bangkok.

NSA liked to sit on info instead of sharing with CIA. Terrorists lived in various states in the US, like CA and MD. Terrorists actually lived within 2 miles (in Laurel, Maryland) of NSA. For 6 weeks, NSA and terrorists were side by side and NSA didn't realize it; even ate same places.

After 9/11, NSA pushed to cast large eavesdropping net, including in US. Had three major listening posts in the US instead of putting listening posts in shaky countries. NSA Texas, NSA Georgia, NSA Hawaii.

After WWII, NSA had operation "Shamrock" to eavesdrop on telegraphs. The US was off-limits as of 1952. FISA was created to prevent the President from engaging in domestic eavesdropping. The FISA court was created to check whether a legitimate reason existed to eavesdrop in the US.

After 9/11, President Bush ordered NSA to eavesdrop domestically again, violating the FISA act. Ashcroft had to sign an "it's ok to eavesdrop" form every 90 days. Eventually Ashcroft was convinced it was a bad idea to keep signing it. Tensions rose between the White House and the AG.

Eavesdropping into fiber optic cable is harder than copper wire or satellite transmissions. Decision was made to create terrestrial Echelon system, tapping into fiber. Agreements made with telecom companies to grab domestic traffic.

[Cute logo: AT&T - Your world. Delivered. To the NSA.]

NSA outsourced some of the eavesdropping to little known companies with foreign connections.

NSA really making use of Geo-location today as finding out the content of the communications is harder due to pervasive use of encryption.

NSA facing data overload. Names on terrorist watch list in 2001: 20. In 2009: 500,000. NSA reportedly working on building new data center.

- the end -

HHS issues guidance on protecting PHI

The HITECH Act requires the US Department of Health and Human Services to provide guidance on the technologies and methodologies to protect "unsecured protected health information" (UPHI) by making it unusable, unreadable, or indecipherable to unauthorized individuals. By protecting UPHI, covered entities and their business associates can avoid the breach notification requirements of the Act.

The guidance document released on April 17, 2009, covers all data states, with all but the first requiring proper handling by encryption or destruction:
  • data in use: data in the process of being created, retrieved, updated, or deleted
  • data in motion: data that is moving through a network, including wireless transmission
  • data at rest: data that resides in databases, file systems, and other structured storage methods
  • disposed data: discarded paper records or recycled electronic media
For encryption, the document warns of the need to properly select the encryption algorithm and to properly secure the decryption key(s). For data at rest, the guidance refers to NIST 800-111; for data in motion, the guidance refers to FIPS 140-2 (including NIST 800-52, 800-77, or 800-113).

For destruction, the document states that electronic media must have been "cleared, purged, or destroyed" according to NIST 800-88 to prevent retrieval. For paper media, it should be shredded or destroyed such that it cannot be reconstructed.

Src: HHS Releases Guidance for Securing Health Information and Preventing Harm from Breaches

QOTD on the Importance of Internet Identity and Anonymity

It's so easy to be anonymous on the Internet, that people can launch the equivalent of cyberwar and cyber-terrorist attacks from their living room, anywhere in the world, and with complete anonymity...
We are seeing this in sociopolitical and geopolitical hotspots. Organizations are reaching out to individuals, telling them that if they install attack bots on their PC, their system will be used to wage war. People can go to terrorist Web sites and download and install bots on their own. And those that are installing these applications built to attack will do so in total anonymity. -- Andrew Storms, Director of Security Operations at nCircle
Src: The importance of internet identity, and anonymity | Threatpost [tx to @GeorgeVHulme and @digiphile]

QOTD - Brian Honan on Fire Alarms

I often see people argue whether the [fire] alarm is real or not; me, I have that discussion outside the building. -- Brian Honan of BHConsulting.ie
replying to one of my tweets about a 2am fire at the hotel I happened to be staying at.

QOTD on Security & Psychology

As systems get harder to attack, the bad guys attack the users instead
We now know that most information security mechanisms are too hard to use, being designed by geeks for geeks. We urgently need to introduce bright ideas from psychology and human computer interface design. -- Prof. Ross Anderson, Professor of Security Engineering at the University of Cambridge's Computer Laboratory
Src: Applying psychology to computer security | NewElectronics.co.uk

QOTD - EnCase, FTK, and Hammers

EnCase Enterprise is not “court validated.” FTK Enterprise is not “court validated.” And they never have been. In competent hands, computer forensics is not a black box, pushbutton art, so the integrity of process hinges on the carpenter, not on the hammer. -- Craig Ball
Src: "We're Both Part of the Same Hypocrisy, Senator" | EDD Update [tx @robtlee]

QOTD - Schultz on Conficker vs Academia

Sorry, University of Utah, but saying that patient information was not compromised is by no means any kind of moral victory or assurance to the public. How could this university be so naive to think that somehow a vulnerability for which a patch was available *last fall* could not cause damage and harm to medical patients and experimental subjects? -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 29

QOTD - Liston on unencrypted laptops

Almost every week, we have stories of laptop theft that contain the phrase, "...the data was not encrypted." Wake up people! If you have sensitive information on a machine that is DESIGNED to be carried off, you NEED to encrypt that data. It isn't all that hard, it isn't expensive, and I think we're to the point now where it should be considered negligence if it isn't being done. -- Tom Liston, SANS ISC handler and Senior Security Consultant and Malware Analyst for Inguardians
Src: SANS NewsBites Vol 11 Num 29

VMware exploits - just how bad is it?

This SANS ISC post has a link to a video showing the guest OS able to open the calc application in the host OS. Escape from the Matrix is looking increasingly plausible.

Here's what Kevin Riggins of the InfosecRamblings.com blog had to say about it:
If you allow virtual guests with different security characteristics to live on the same host, you might want to rethink that decision.
Src: VMware exploits - just how bad is it? | SANS ISC

QOTD - Northcutt on Incident Response

The majority of security appliances report what happened, but not who was behind the activity, historical information about that system or similar events.
With log monitoring, nothing succeeds like success.
Logging, which is usually considered dull and boring work, becomes exciting. -- Stephen Northcutt, President of the SANS Technology Institute
Src: Whodunnit? | SearchSecurity.com

QOTD on Default Settings

Don't assume default privacy settings are appropriate or sufficient.
is one of the 10 tips listed by the Sydney Morning Herald to protect yourself on Facebook (and other social networking sites). It seems that the security community is once again having to reinvent the "secure by default" wheel.

Src: Case of stolen online identity - Technology | smh.com.au

QOTD on Web Application Security

CAUTION - This machine has no brain use your own
is quoted in this blog article about a reminder that should be provided to users of web applications. Gunter Ollmann also introduces an interesting concept, that of "security ergonomics."

Src: Ignorance is bliss (in Web application security) | Technicalinfo.net Blog

Go ahead and steal this database

Adopt a hacker's mentality and assume that your employees might be tempted to pilfer information.
was the message in a recent article in Forbes.com on data masking, which modifies the data to remove its sensitive nature. The main drivers for this technology are the changes in compliance regulations and the need to ensure the security of the data given that outsourced software development is essentially "surrendering company databases to unknown, and possibly unvetted, programmers at home and abroad..."

Src: Steal This Database | Forbes.com

QOTD - Shostack on Security

Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes. -- Adam Shostack, author of The New School of Information Security
Adam correctly points out that beyond the process, we need to measure the outcomes of our security efforts in order to validate that they are truly valuable.

Src: Security is about outcomes, not about process | Emergent Chaos

Meta-Data: Don't Spill the Beans

This is a place-holder for information which will be released during my presentation at Secure360 2009.

Tax time is NO time for surprises

Having used tax preparation software for many years, I find the process of compiling and checking my tax returns to be more relaxed and less error-prone. But as a security professional, I also have to balance the need for access to data with the need to protect sensitive data; I'm very keen on protecting my tax files, both the data files and any PDFs (usually generated for filing and/or backup purposes). After all, tax documents contain all the information an ID thief would need in order to damage your good credit.

So imagine my surprise when I clicked on File -> Print -> PreviewPDF and noticed that my tax software had created a brand new, "temporary" (really, the file is named "2008_temp_pdf_file.pdf") PDF document in a folder other than where the data file is stored. Even more infuriating is that this supposedly temporary file is not removed, even after shutting down the program.

Why is this a big deal? In an era where spyware runs rampant on many users' machines, leaving documents containing tax data on your machine can be the fastest way to ruin your credit. If the tax software saves additional files without the user's knowledge, he/she will be unable to protect or remove this information.
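The leftover-preview problem described above, as an added example that is not the tax software's code nor part of the original post: the leaky pattern (a "temporary" PDF dropped beside other files and never removed) shown next to the corrected pattern (a private temp file that is unlinked on every exit path), plus a small audit helper that lists stale preview files so they can be encrypted or shredded. The file name pattern and sample PDF bytes are constructed for the demo.

```python
"""Temporary-file hygiene for sensitive documents (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional

# Constructed name pattern modelled on the "2008_temp_pdf_file.pdf" leftover
# mentioned in the post (year prefix + fixed suffix); an assumption for the demo.
TEMP_PDF_RE = re.compile(r"^\d{4}_temp_pdf_file\.pdf$")


def write_preview_leaky(directory: Path, content: bytes) -> Path:
    """The pattern the post complains about: a 'temporary' preview written
    into an ordinary folder and never removed. Shown only for contrast."""
    path = directory / "2008_temp_pdf_file.pdf"
    path.write_bytes(content)
    return path


def with_preview(content: bytes, consumer: Callable[[Path], object]) -> bool:
    """Corrected pattern: the preview lives in a private, owner-only temp file
    for exactly as long as the consumer (viewer/printer) needs it, and is
    unlinked even if the consumer raises. Returns True when nothing is left."""
    fd, name = tempfile.mkstemp(suffix=".pdf")   # created with mode 0o600 on POSIX
    path = Path(name)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o600)                    # explicit owner-only permissions
        consumer(path)
    finally:
        path.unlink(missing_ok=True)             # every exit path removes the file
    return not path.exists()


def find_stale_previews(directory: Path,
                        older_than_seconds: Optional[float] = None) -> List[Path]:
    """Audit helper: list leftover preview PDFs in a folder, optionally only
    those older than a given age, so they can be encrypted or securely deleted."""
    now = time.time()
    hits = []
    for p in directory.iterdir():
        if not (p.is_file() and TEMP_PDF_RE.match(p.name)):
            continue
        if older_than_seconds is not None and now - p.stat().st_mtime < older_than_seconds:
            continue
        hits.append(p)
    return sorted(hits)


def demo() -> dict:
    """Run both patterns in a scratch directory and report what each leaves behind."""
    sample = b"%PDF-1.4\n% constructed sample, not a real return\n"
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        write_preview_leaky(folder, sample)
        leaked = find_stale_previews(folder)                 # the leaky file is found
        cleaned = with_preview(sample, lambda p: p.stat())   # viewer stands in as consumer
        return {"leaked_count": len(leaked), "cleaned": cleaned}


if __name__ == "__main__":
    print(demo())
```

The audit helper is the part worth running periodically on a machine that holds tax data: anything it reports is a document the user never chose to keep.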

QOTD - Honan on Cybercrime and the courts

The fight against cyber crime will continue to be an uphill struggle if courts continue to signal to criminals that cyber crime is not treated seriously. -- Brian Honan, member of the editorial board of SANS NewsBites & independent security consultant based in Dublin, Ireland
Src: SANS NewsBites vol 11 Num 28

Four functions of social media

Leave it to the US military complex to come up with one of the best characterizations of social media and strategies for taking advantage of it. A report to come out later next week, entitled "Social Software and National Security," will outline the four functions the military intends to capitalize on when it comes to its Web 2.0 presence:
  1. inward sharing of information within agencies
  2. outward sharing of internal agency information with other governmental entities
  3. inbound sharing: government getting input from the public
  4. outbound sharing to communicate with stakeholders outside the government
Src: WTF? Military Web 2.0 Report Actually Making Sense | Wired.com

QOTD - Pescatore on the State of Security [or Biz vs malware]

The total number of attacks or malware is meaningless - it's all about the percentages.
Technology, threats and businesses are not going to stand still and users are not going to become security experts in the cyber-world any more than this has occurred in the physical world.
It's all about getting more efficient (consuming less resources) to deal with the old threats and getting more effective (applying resources more quickly) in dealing with emerging threats - that's how we get things back to an acceptable level of impact to the business bottom line. -- John Pescatore, Vice President, Gartner, Inc.
Src: John Pescatore | Gartner Blogs

When your data center vanishes

Your company has SLAs in place, servers and databases hosted in a reliable data center with redundant power, many days/weeks of backup generator fuel, etc. You're set, right?

Companies that had used a data center called Core IP Networks, recently raided by the FBI, are suddenly finding themselves with nothing. No data center, no servers, no backups, no data, and therefore a lot of angry customers (who may not remain customers for long).

Matthew Simpson, CEO of Core IP Networks said: "If you run a data center, please be aware that in our great country, the FBI can come into your place of business at any time and take whatever they want, with no reason."

Lesson of the day? Check your options before putting all your eggs in the same basket.

Src1: Company Caught in Texas Data Center Raid Loses Suit Against FBI | Wired.com
Src2: FBI Defends Disruptive Raids on Texas Data Centers | Wired.com

QOTD on Data Hoarding

The apparent ease of accumulating masses of data can hide enormous costs due to user dissatisfaction, security breaches, time-consuming subpoena requests, and privacy and free speech firestorms.
Any data collected should be purged in its entirety after it is no longer necessary.
Src: Privacy & Free Speech: It's Good for Business (quotes from PDF document)

QOTD - Pescatore on Decentralized Control

If you can't have centralized control, then you at least need a federated governance approach. Just being "decentralized" is often no different than being "chaotic." -- John Pescatore, Gartner Analyst, commenting about a recent report critical of the lack of security controls at the US Govt's Interior Department.
Src: SANS NewsBites Vol 11 Num 27

QOTD - Schultz on Mandatory Security Standards

Like it or not, mandatory security standards are inevitable in the US at some point in time. Without them, the US will continue to have too many weak links in its critical computing infrastructure. -- Dr. Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 26

QOTD - Ranum on The Anatomy of Security Disasters

Marcus Ranum, CTO of Tenable Security, writing (and speaking) about security disasters:
If we are fixing things only in response to failure, we can look forward to an unending litany of failures, whereas if we are improving things in advance of problems, we are building an infrastructure that is designed to last beyond our immediate needs.
Marcus goes on to say that while senior security staff tries to inform management of the security risks associated with various business ideas,
the result has less to do with security and more to do with whose meeting-organizational skills are superior, or who’s better at explaining their viewpoint. I’ve seen major security-critical business decisions get made based on whose golf buddy runs what business unit...
Read it today, before your next security incident, or more likely, before your next meeting with management.

Src: Ranum's Rants - The Anatomy of Security Disasters | Tenable Network Security Blog

Conficker leaves security industry looking clueless

[See update at the bottom of the post]

Eric Ogren of SearchSecurity.com has a good write-up about the Conficker hype and the subsequent lack of activity since April 1. Conficker provided the security industry much publicity, getting picked up by the mass media and guaranteeing the attention of millions of netizens (Internet users).

Buried inside Conficker was a piece of code checking the date, which would enable a new mechanism for the malware to update itself starting on April 1. The security industry warned the public of the dangers of Conficker and the threats posed by this new update mechanism (i.e. calling home and asking "what do you want me to do now?").

But April 1 came and went, and instead of the predicted bang, Conficker has so far behaved more like a dud. This behavior, or lack thereof, leaves the security industry looking like a bunch of greedy geeks crying wolf in order to sell their wares. Of course, security vendors are not the only ones deserving blame. The media itself jumped on the opportunity for sensational stories like "The Internet is Infected" (I will not name the usually respectable TV program which produced this segment). But the obvious hype and the uncoordinated (until the last minute) response from the security industry beg the question: what can we, the security industry, learn from this event?

Eric's article asks three basic questions related to the fallout of the Conficker hype:
  1. How can we not know what happened?
  2. How can a vulnerability that was patched 6 months ago be leveraged by the most widespread malware in history?
  3. Why does the security vendor response seem so amateurish?
We can't afford to lose the public's trust or respect because the next malware attack may just cause the kinds of massive infections and disruptions that we know can happen.

Update: My good friend over at the Blackfist security blog (@bfist on Twitter) reminded me that he and I had a discussion around this very subject on April 2. I would be remiss if I didn't point out his blog entry on the subject, where he quotes another friend, @marcusjcarey:
In my opinion, the best twitter advice on conficker came from @marcusjcarey: "Security Professionals must remember the 'Little Boy Who Cried Wolf' ie. manage expectations #conficker". If only it were the security professionals' fault.
In my opinion, the security industry is, at least partially, at fault in its lack of coordinated response. While many security vendors were honest in their portrayals and genuinely tried to calm the frenzied media, several engaged in less-than-honorable practices. The security industry should be careful not to behave like the "snake oil" vendors of the past. After all, software security still has a long way to go; users should be able to trust their security vendors and, by extension, the security community.

Src: Conficker leaves security industry looking clueless | SearchSecurity

CISOs should cozy up to CEO

At the Forrester EMEA Security meeting in London, Khalid Kark, principal analyst at Forrester Research, said that CISOs should get closer to their CEO in times of shrinking budgets. He even argues the need to create a "business liaison" role to ensure that "there is clear communication, and so that IT security and the other departments are working towards the same goals."

Src: Forrester tells CISOs: get closer to CEO as security budgets tighten | ComputerworldUK

Twitter #FollowFriday Recommendations

[Last updated 5/8/2009]

Someone asked me for a list of influential security people. A few weeks ago, I decided to try a new style of #FollowFriday recommendations, listing a person's twitter id followed by a one word (one-word is hard to stick with) description of their topic.

Here's the list so far (sorted alphabetically):


QOTD on the Value of Non-Tech Mindset

Rafal Los (aka @RafalLos) has a good post on the value of seeing things from a non-technology mindset; he terms it "crossing-over." Here is an excerpt:
We technologists get a tunnel-vision for technology solutions and everything begins to look black and white. Every problem is either solvable, or it's not. The network is either secured by the firewall, or it's not. The server is either patched or it isn't. Things are either secured... or they're not. Black or white. Yea... that's mostly wrong.

What we consistently fail to see is the middle ground out there, the gray areas, the good enough that eludes our technical genius.
Oftentimes the correct answer for the business is absolutely the wrong answer for technology and security - but it's got to be done.
Src: Crossing Over | Digital Soapbox