QOTD - Pescatore on Politicians & Technology
Very rarely do good things happen when technologists try to make public policy *or* when politicians try to dictate technology. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 11 Issue 60
Dr.InfoSec assists with Fayetteville Public Schools ID Theft case
On July 29th, as I was following up on a story that flashed across my Twitter stream about 30 certified employees of a school district finding themselves victims of ID theft, I found something that should not have been there.
While looking for more information about the school district, I used a targeted Google search; it was a simple one, looking for pages containing the word 'certified.' While there were many search results, one in particular caught my eye: an Excel spreadsheet that appeared to contain Personally Identifiable Information (PII) including names, addresses, phone numbers, and Social Security numbers. Worse, it had been indexed by a major search engine, which meant that its contents had been cached for easier viewing, even after the file was removed.
I placed a call to the school district right away and left a voicemail for the CIO. Within 20 minutes someone from the office had called me back. I shared with them what I had found and advised on short-term steps they should take to mitigate the problem.
While it may be tempting to lay blame for failing to properly safeguard sensitive data, this is not the purpose of this blog post. Instead, I wanted to share with the information security community and students that we can make a difference, even outside of business hours. In this case, I helped the school district identify one data leak. Was that spreadsheet the one used by fraudsters? It is simply too early to tell; the investigation is ongoing.
If you see something that is out of place, or poses a potential security/privacy risk, tell someone. It could help prevent 30 more people from becoming victims of ID theft.
Link: School District's Teachers Targeted In Identity Theft Scam | 4029tv.com
Link: Fayetteville Public Schools :: Administration
QOTD - DoD's Lentz on Cyberspace
We have to think of cyberspace as a global common that touches everything we do. Securing the global common is the joint responsibility of everyone. -- Robert F. Lentz, Chief Information Assurance Officer for the U.S. Department of Defense
Src: Better ID assurance is essential for the new online world, DOD deputy secretary says | GCN
QOTD - Merrill on Security, Users, and Campus Sidewalks
Let users dictate enterprise security needs.
He went on to give an analogy that I am very familiar with, that of campus sidewalks: the planners place sidewalks and grass; students create their own paths through the grass (usually the most direct route); planners then have to put up roadblocks (chains, planters) to keep students off the grass.
He said, "security companies will change from creating infrastructure boundaries to infrastructure resilience. If we can build security correctly, we make things easier, not harder."
Src: Former Google VP Suggests User-Based Security | The Industry Standard
So you want to be a Chief Risk Officer?
For the banking sector, John considers the CRO's responsibility to be "to forge a view of these risks that transcends the bank's individual departments to enable quick decisions based on an enterprise-wide view of exposures" and being able "to add the right nuances to the information so you can have a thoughtful conversation about it with other staff."
Ultimately, the CRO must be able to understand data:
how it's collected, its integrity, what it's being used for, its accuracy and making sure the right data management systems and technology are in place to make informed decisions based on portfolio, geographic and customer views.
Src: The New Generals - 08..2009 | Bank Technology News
QOTD - Howard Schmidt on Data & Threats
Data is now the gold, the silver and diamonds of the online world and criminals see it as a low-risk way to steal money without going anywhere near the crime scene.
...
But even in today's financial climate and increased threat environment, we are better placed than ever before to meet these challenges – as long as we have the resolve to strengthen and invest in security rather than reduce it. -- Prof. Howard A. Schmidt, CEO of the Information Security Forum
Src: 'Crimeware as a service' set to increase over the next two years | SC Magazine UK
QOTD on Cybersecurity Decisions
Src: Producing the New Cybersecurity Pro | GovInfoSecurity.com
How Twitter Wolves Look for Easy Prey
However, what users often don't realize is that in aggregate, their tweets paint a picture about who they really are. Take for example those who tweet about hating their jobs. Using the search feature in Twitter, it is possible to gather scores of users who have recently tweeted on their negative feelings about work. This information is useful in the hands of someone looking to make contact with an insider, usually for nefarious purposes.
Another aspect of one's public twitter stream is whether (or in some cases how often) someone has fallen for a scam on Twitter, be it a phishing scam that they simply re-tweeted or a click-jacking attack that suddenly floods one's followers with tens or hundreds of dangerous tweets. Let's explore this item a little further.
Recently, several users fell prey to a scam promising to increase their number of followers. When they clicked on the link promising "tons of followers," users were asked for their username/password. This allowed the scammers to then use that account to spread their message onto more people.

QOTD - Graham Cluley on Hackers, Tigers & Zebras
The hackers are targeting the social networks; frankly, hackers go where the users are. It's like tigers finding out where the zebras go to get their drink of water. They're going to chase after them and take advantage of them. -- Graham Cluley, Senior Technology Consultant for Sophos, speaking to SearchSecurity.com's Security Wire Weekly podcast
Src: Defeating hackers is hard (mp3 podcast) or YouTube Video (clip)
QOTD on Compliance
Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation. -- John Pironti, President of IP Architects, speaking at the ISACA International Conference in Los Angeles
The article also reports Pironti as cautioning that a single-minded focus on "security by compliance" will result in more lapses of security as adversaries shift to more effective and damaging attacks.
Src: A Policy Dialogue Platform - Promoting Better Governance | eGov monitor
Primer on Security Metrics and their Pitfalls
It is not easy to find metrics for security goals like security, trust and confidence. The main reason is that security goals are “negative deliverables”. The absence of incidents for an extended period of time leads us to think that we are safe. If you live in a town where neither you nor anyone you know has ever been robbed, you feel safe. Incidents prevented can’t be measured in the same way a positive deliverable can, like the temperature of a room.
Src: Security Metrics | Information Security Management Maturity Model Blog
QOTD on Outsourced IT Supply Chain
Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks having national security implications. The incident reports cited in this article further highlight potential risks ranging from logic bombs and self-modifying code, deliberately hidden back-doors to potentially fatal equipment failure and even foreign espionage...
Src: Trust but verify: Security risks abound in the IT supply chain | GCN.com
As NIST advises, organizations must add “defense-in-breadth” to their strategy mix. While defense-in-depth focuses on the operations phase of the systems development lifecycle, defense-in-breadth covers the entire lifecycle.
Thanks to the CyberWarfare Forum Initiative for bringing this article to my attention.
QOTD on Risk vs Threats
Most security people don't understand risk -- they understand threats. Threats are just one input into the risk equation. Others come from operations, strategy, and marketing. -- John Pironti, President of IP Architects
Src: Security Boosted by Risk Management | ITManagement
QOTD - Gartner on Data Leaks and Pizza
Back in the day, watching the Dominos pizza delivery office closest to the White House in Washington DC was an information leakage path. Social network sites are the same thing - lots of worry in the military about loss of Operations Security because of all the tweeting and Facebook posting going on by active military and their families. -- John Pescatore, Vice President at Gartner, Inc.
Src: SANS NewsBites Vol 11 Num 53
QOTD - Honan on preparing for the breach
We have to accept that at some stage our organizations will suffer a breach. How we react and respond to the breach will make the difference as to whether stakeholders, be they customers or shareholders, will continue to view the organization. This case shows that clear, open and timely communication from senior management is valuable for rebuilding trust. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 49
Like Dominoes - The Anatomy Of The Twitter Attack
The same warnings are applicable to bank accounts, phone records, insurance contracts, and health records. Any account with sensitive information which uses a weaker account (e.g. most webmail applications) as a backup is likely to be a target of attackers looking for fresh prey and easy access to documents.
Src: The Anatomy Of The Twitter Attack | TechCrunch.com
QOTD - Ranum on the Thrill of Hacking
Hacking systems - the thrill of the illicit, penetration, and the (slight) chance of getting caught - is a very self-reinforcing behavior. It's a paradoxical form of adrenaline addiction: the attacker is hooked on the rush, but sociopathically hides behind the safety of anonymity. It's not hard to see why a lot of hackers find it very hard to quit once they get started. -- Marcus J. Ranum, CSO Tenable Network Security Inc.
Src: SANS NewsBites Vol 11 Num 47
QOTD - Honan from bits and bytes to bullets and bombs
This case [International telecom hacker group busted] highlights the current threat posed by terrorism to computer systems worldwide. It is not to take these systems down but to raise money. The funds generated by compromising bits and bytes go to purchasing bullets and bombs. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 47
QOTD - Pescatore on Lawsuits & Executives
There is always a hope in security circles that threats such as class action lawsuits or 'downstream liability' will cause a light bulb to go off in boards of directors' heads and they will say 'Aha - information security is important, increase the budget, promote the CISO!!' In reality, when boards hear 'liability' they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. -- John Pescatore, Vice President at Gartner Inc., writing about Aetna being named in a class action data breach lawsuit.
Src: SANS Institute - SANS NewsBites Vol 11 Num 46
Information Security: The Good, The Bad and The Ugly
This article written by Kevin G. Coleman, Strategic Advisor with the Technolytics Institute, provides high level comments on the current state of information security and the relation to cybercrime and management.
Src: Information Security: The Good, The Bad and The Ugly | TMCNet.com
When BIOS updates become malware attacks
If you performed the procedure above, your machine may still be infected. The reason? The malware may have rooted itself deeply into the hardware itself, the BIOS, rather than simply residing on the drive.
This is a fascinating and developing area of active research (both by hackers and security researchers such as those at Core Security) and a story that all information security professionals should be aware of.
Next time a machine is acting strange, wipe the OS and reinstall, but only after you have also flashed the BIOS.
Src: When BIOS updates become malware attacks | SearchSecurity.com
It's the compiler's fault - how good source code becomes a vulnerable implementation
Brad Spengler, a security researcher, has created an instance of code where the compiler's "smart" logic actually degrades the overall security of the resulting binary by introducing a vulnerability that until now seemed unexploitable.
After reading the SANS ISC post below, you might just be right to claim that it was the compiler's fault: "the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code."
As someone who has helped grow generations of students into programmers, I find the suggested fix unacceptable, as it puts the burden on the programmer to know how the compiler will optimize the code. A "smart" compiler should not penalize a programmer for being extra careful with his/her code.
Src: A new fascinating Linux kernel vulnerability | SANS ISC
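As an added illustration (not Spengler's code and not the kernel code the ISC post discusses), the following shows the general pattern by which an optimizing compiler can legitimately delete a check that is present in the source: a pointer is dereferenced before it is tested for NULL, so the compiler may treat the later test as dead code. The `struct device`, `poll_unsafe`, `poll_safe` and `poll_both_on` names are assumed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a driver object; the field name is an assumption. */
struct device {
    int flags;
};

/*
 * Source-level pattern that the optimizer can turn into a missing check:
 * dev is dereferenced on the first line, so by the time 'if (!dev)' runs
 * the compiler is entitled to assume dev is non-NULL (dereferencing NULL
 * is undefined behaviour) and to drop the test. The binary then contains
 * no NULL check even though the source text does.
 */
int poll_unsafe(struct device *dev)
{
    int flags = dev->flags;   /* dereference first ...                   */
    if (!dev)                 /* ... check second: may be optimized away  */
        return -1;
    return flags;
}

/*
 * Hardened form: test the pointer before touching it. No undefined
 * behaviour precedes the check, so the optimizer must keep it.
 */
int poll_safe(struct device *dev)
{
    if (!dev)
        return -1;
    return dev->flags;
}

/* Exercises both versions on a valid object; returns -2 if they disagree. */
int poll_both_on(int flags)
{
    struct device d = { .flags = flags };
    int a = poll_safe(&d), b = poll_unsafe(&d);
    return a == b ? a : -2;
}

int main(void)
{
    printf("poll_safe(NULL)  = %d\n", poll_safe(NULL));   /* -1: check kept */
    printf("poll_both_on(5)  = %d\n", poll_both_on(5));
    /* poll_unsafe(NULL) is deliberately never called: once the optimizer
       deletes the check, that call dereferences NULL. */
    return 0;
}
```

Building with gcc's `-fno-delete-null-pointer-checks` keeps such checks in the binary regardless of ordering; the source-level fix is to test before dereferencing, as `poll_safe` does.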
QOTD -- Fox on Cyber Warfare and Attribution
War has not changed. The weapons of disruption, corruption, and destruction reflect only the evolution of human creativity and innovation. We must understand the conflicts that drive their use, be they individual, corporate, or international. Without this insight, we are doomed to cyber attrition. -- Steven Fox, Principal Consultant & Founder, SecureLexicon.com, writing about Cyber Warfare.
Src: Cyber Warfare and Attribution | CSOOnline Blog
QOTD - PrivacyProf on Data Aggregation
We are more than just the strict sum of a few pieces of information that may point to us. -- Rebecca Herold, The Privacy Prof, blogging about the privacy threats of data aggregation, i.e. when it is possible to aggregate individual pieces that are not private to form a picture that can uniquely identify somebody.
A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way...
Consider a zip code, first name, and birth year.
If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual. Especially in more sparsely populated geographic locations. So, does this combination of three items, as a group, represent PII?
It often takes just two pieces of information to be able to identify a specific individual. Once identified, finding out more information about that individual is trivial, and the stuff that criminals' dreams are made of.
Src: What is PII? How About Groups Of Otherwise Non-PII? | Realtime IT Compliance
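The zip code / first name / birth year argument above, worked on a constructed table as an added example (not from Herold's post): each attribute alone leaves every person in a group of several look-alikes, but pairs already single out individuals and all three identify everyone. The records are fictitious and the `k_anonymity` and `unique_records` helpers are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table of fictitious people (not real records). */
struct person {
    const char *zip;
    const char *first;
    int birth_year;
};

static const struct person people[] = {
    {"72701", "John", 1975}, {"72701", "John", 1982}, {"72701", "Mary", 1975},
    {"72701", "Mary", 1982}, {"72701", "Mary", 1968}, {"72703", "John", 1975},
    {"72703", "Mary", 1982}, {"72703", "Mary", 1975}, {"72703", "John", 1968},
    {"72703", "Mary", 1968},
};
#define NPEOPLE (sizeof people / sizeof people[0])

/* Bit flags choosing which attributes make up the quasi-identifier. */
enum { Q_ZIP = 1, Q_FIRST = 2, Q_YEAR = 4 };

static int same_key(const struct person *a, const struct person *b, int q)
{
    if ((q & Q_ZIP) && strcmp(a->zip, b->zip) != 0) return 0;
    if ((q & Q_FIRST) && strcmp(a->first, b->first) != 0) return 0;
    if ((q & Q_YEAR) && a->birth_year != b->birth_year) return 0;
    return 1;
}

/* Number of records that share record i's values on the chosen fields. */
static size_t group_size(size_t i, int q)
{
    size_t n = 0;
    for (size_t j = 0; j < NPEOPLE; j++)
        if (same_key(&people[i], &people[j], q)) n++;
    return n;
}

/* k-anonymity of the table under quasi-identifier q: the smallest group.
   k == 1 means the chosen fields single out at least one person. */
size_t k_anonymity(int q)
{
    size_t k = NPEOPLE;
    for (size_t i = 0; i < NPEOPLE; i++)
        if (group_size(i, q) < k) k = group_size(i, q);
    return k;
}

/* How many records the chosen fields identify uniquely. */
size_t unique_records(int q)
{
    size_t u = 0;
    for (size_t i = 0; i < NPEOPLE; i++)
        if (group_size(i, q) == 1) u++;
    return u;
}

int main(void)
{
    const struct { const char *name; int q; } sets[] = {
        {"zip", Q_ZIP}, {"first name", Q_FIRST}, {"birth year", Q_YEAR},
        {"zip+first", Q_ZIP | Q_FIRST}, {"zip+year", Q_ZIP | Q_YEAR},
        {"first+year", Q_FIRST | Q_YEAR}, {"all three", Q_ZIP | Q_FIRST | Q_YEAR},
    };
    for (size_t i = 0; i < sizeof sets / sizeof sets[0]; i++)
        printf("%-11s k=%zu unique=%zu\n", sets[i].name,
               k_anonymity(sets[i].q), unique_records(sets[i].q));
    return 0;
}
```

The same loop run over a real export, with the columns a release would actually contain, is the check to make before publishing "anonymous" data.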
QOTD on CEOs & Cybersecurity
only 3% [of CEOs] cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.
Src: What CEOs Don't Know About Cybersecurity | Forbes.com
NIST Draft Definition of Cloud Computing
Definition of Cloud Computing:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models.
Essential Characteristics are listed as: on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service.
Delivery Models are listed as: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)
Deployment Models can be one of: private cloud, community cloud, public cloud, hybrid cloud.
Src: Cloud Computing | Computer Security Resource Center | Computer Security Division | NIST.gov
QOTD - RSA on Nature of Threats
It is now a common mantra in security that the nature of the threats has changed. Gone are the days of script kiddies looking for fame and notoriety; now enterprises face a very sophisticated worldwide fraud machine run by organized crime; with many players, each having their own niche. This system is very adaptable, changing tactics quickly to outwit any attempt to foil their operations. -- RSA report "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk"
Src: RSA, The Security Division of EMC
QOTD - Garfinkel: Privacy Requires Security, Not Abstinence
When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one. And it is likely that it would cost society far more money to live with poor security than to address it. -- Simson Garfinkel, associate professor at the Naval Postgraduate School in Monterey, CA
Src: Privacy Requires Security, Not Abstinence | MIT Technology Review
Predicting Social Security Numbers from Public Data
we only used publicly available information, and ended up discovering, based on that information, that the randomness [used in assigning SSNs] is effectively so low that the entire 9 digits of an SSN can be predicted with a limited number of attempts. -- Alessandro Acquisti and Ralph Gross of Heinz College, Carnegie Mellon University.
One lesson we can draw is that what was once thought to be secure (or secure enough) is no longer (or not enough). The other lesson is that we need to focus on mitigating the risks created by the types of fraudulent transactions that are often based on easy-to-obtain credentials like SSNs (see Bruce Schneier's article in Forbes).
Src: Predicting Social Security Numbers from Public Data - FAQ
QOTD on Laws & Technology
We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls
QOTD - PrivacyProf on tracking PII
Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost. -- Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.
I have had similar findings in many of the information security assessments that I conducted, in that management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of the sensitive data it generates and consumes, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.
[Note: emphasis is mine]
Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance
QOTD - Rafal Los' Dose of Security Reality
In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?
Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right? -- Rafal Los, IT Security Risk Strategist, blogger at http://preachsecurity.blogspot.com/
Src: [RANT] Call Me a Realist | Digital Soapbox - Preaching Security to the Digital Masses
Zero Day Threat, the book
In the fast emerging cybercrime industry, hackers and scam artists morph and advance magnitudes of order faster than the banking and tech industries have been willing to shore up basic security. From corporate America's point of view, convenience and speed are the drivers of the business models of the new millennium. Security is a perception challenge.
I highly recommend this book to anyone charged with safeguarding data. It will open your eyes to a system of actors (banks, credit bureaus, scammers, drug-addicts, and malware authors) revolving around maximizing profit at the expense of the consumer. The book links the murky world of the "exploiters" with the ingenious capacity for "expediters" to generate new and better malware, while the "enablers" sit mainly idle, unwilling to commit to much-needed enhancements to secure consumers' financial records and credit histories.
As security professionals, we must engage in critical evaluation of the risks to the data we are entrusted with. This book is sure to generate many lively discussions among security pros, and one would hope, executive management, about the nature of the threat, the drivers, and the baseline security that ought to be implemented.
Src: Zero Day Threat official web site
Src: Cybercrime Book Excerpt: 'Zero Day Threat' | Wired.com
Src: You won't guess who's the bad guy of ID theft | USAToday