QOTD on The State of Cybersecurity
As everything on the planet gets more connected, more sensors and more intelligent, everything is getting, well, smarter. Some of these things have never been connected to anything before, whether it's transportation systems, water systems, power, oil and gas, and pipelines, and so on. All these things, as they get connected to be more efficient, have to also be focusing on being more secure, because now they are facing risks that they have never had before. And to me that is what cybersecurity is all about. It's about scope. -- Dr. Charles Palmer, Director of the Institute for Advanced Security and Chief Technologist of Cybersecurity and Privacy at IBM
Src: The State of Cybersecurity
QOTD on The Cloud
I’m a big proponent of moving things to the cloud, but doing it right. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov
Labels:
web2.0
QOTD Security Folks vs Risk Folks
A security person would say we would protect the data at all costs. A risk-oriented person would say let's try to quantify the business impact of this data and then protect the data that is absolutely critical to our operations. -- Rob Whiteley, Vice President and Research Director at Forrester Research Inc.
This article is a worthwhile read as it addresses things that IT and Security staff can/should and can't/shouldn't try to control.
Src: Data has become too distributed to secure, Forrester says | SearchSecurity.com
Labels:
management,
web2.0
Dr.InfoSec assists with Fayetteville Public Schools ID Theft case
As an information security professional, I always look for ways to be of assistance to others about the security and privacy of the data entrusted to them. This post is about exercising such an opportunity and in a small way, helping make a difference.
On July 29th, as I was following up on a story that flashed across my Twitter stream about 30 certified employees of a school district finding themselves victims of ID theft, I found something that should not have been there.
While looking for more information about the school district, I used a targeted Google search; it was a simple one, looking for pages containing the word 'certified.' While there were many search results, one in particular caught my eye: an Excel spreadsheet that appeared to contain Personally Identifiable Information (PII) including names, addresses, phone numbers, and social security numbers. Worse, it had been indexed by a major search engine, which meant that its contents had been cached for easier viewing, even after the file was removed.
I placed a call to the school district right away and left a voicemail for the CIO. Within 20 minutes someone from the office had called me back. I shared with them what I had found and advised them on short-term steps they should take to mitigate the problem.
While it may be tempting to lay blame for failing to properly safeguard sensitive data, this is not the purpose of this blog post. Instead, I wanted to share with the information security community and students that we can make a difference, even outside of business hours. In this case, I helped the school district identify one data leak. Was that spreadsheet the one used by fraudsters? It is simply too early to tell; the investigation is ongoing.
If you see something that is out of place, or poses a potential security/privacy risk, tell someone. It could help prevent 30 more people from becoming victims of ID theft.
Link: School District's Teachers Targeted In Identity Theft Scam | 4029tv.com
Link: Fayetteville Public Schools :: Administration
Labels:
financial_data,
management,
people,
privacy,
security_fail,
web2.0
NIST Draft Definition of Cloud Computing
Peter Mell, Project Lead for the NIST Cloud Computing group, has released a Draft Working Definition of Cloud Computing:
Definition of Cloud Computing:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models.
Essential Characteristics are listed as: on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service.
Delivery Models are listed as: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Deployment Models can be one of: private cloud, community cloud, public cloud, hybrid cloud.
Src: Cloud Computing | Computer Security Resource Center | Computer Security Division | NIST.gov
Labels:
web2.0
QOTD on Laws & Technology
We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls
Labels:
complexity,
legal,
management,
web2.0
Zero Day Threat, the book
As I wrap up reading Zero Day Threat, written by USA Today's Byron Acohido and Jon Swartz, I wanted to share with you one of the paragraphs that best outlines the current mess of the US (and beyond) financial system. [emphasis is my own]
In the fast emerging cybercrime industry, hackers and scam artists morph and advance magnitudes of order faster than the banking and tech industries have been willing to shore up basic security. From corporate America's point of view, convenience and speed are the drivers of the business models of the new millennium. Security is a perception challenge.
I highly recommend this book to anyone charged with safeguarding data. It will open your eyes to a system of actors (banks, credit bureaus, scammers, drug addicts, and malware authors) revolving around maximizing profit at the expense of the consumer. The book links the murky world of the "exploiters" with the ingenious capacity of the "expediters" to generate new and better malware, while the "enablers" sit mainly idle, unwilling to commit to much-needed enhancements to secure consumers' financial records and credit histories.
As security professionals, we must engage in critical evaluation of the risks to the data we are entrusted with. This book is sure to generate many lively discussions among security pros and, one would hope, executive management, about the nature of the threat, the drivers, and the baseline security that ought to be implemented.
Src: Zero Day Threat official web site
Src: Cybercrime Book Excerpt: 'Zero Day Threat' | Wired.com
Src: You won't guess who's the bad guy of ID theft | USAToday
Labels:
cybercrime,
government,
malware/exploits/vulns,
management,
qotd,
reviews,
web2.0
RSA chief: The job of security guy is not to be 'Doctor No'
The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure... Your job then is to shift from protecting the container to protecting the data and information itself. -- Art Coviello, RSA president
I've said it before and I'll say it again: one too many "No!" and your users will start getting IT business done without IT or security's involvement.
Src: RSA chief: The job of security guy is not to be 'Doctor No'
Labels:
management,
qotd,
web2.0
5 Free Ways to Track Online Leaks of Information
This article highlights tools/services that companies/governments/individuals can use in order to track data of interest to them (e.g. intellectual property, good reputation, employee comments on social networks, etc). Keep in mind that the ways presented in the article are reactive by nature and are unlikely to expose a determined attacker (insider, hacker, or industrial spy).
Last year, I set up a Google Alert to report on some terms and mentions that I wanted to keep track of; it is a very useful tool within the reach of any Internet user, not just security pros or investigators.
Src: 5 Free Ways to Track Online Leaks of Information | ComputerWorld
Labels:
management,
privacy,
web2.0
Cloud Computing: The Dawn of Maneuver Warfare in IT Security | Government Cloud Computing
Until now, IT security has been akin to early 20th century warfare... The resulting IT security infrastructures and procedures typically reflected a “defense in depth” strategy, eerily reminiscent of the French WWII Maginot line... Often described as an “arms race”, the IT security landscape has settled into ever escalating levels of sophisticated attack versus defense techniques and technologies... Cloud computing represents an evolution, strategically it represents the introduction of maneuver warfare into the IT security dictionary. -- Kevin Jackson, writing for GovCloud.Utilizer.com
This is a well-written article with a profound message: one does not have to fear the cloud, as it provides new opportunities to defend against attacks. While I agree with many of the points made in this article, I find that it fails to address some cases, e.g. a single compromised server containing thousands or millions of records.
Src: Cloud Computing: The Dawn of Maneuver Warfare in IT Security | Government Cloud Computing
Labels:
malware/exploits/vulns,
management,
web2.0
Twitter Search Yields Email Addresses
The blogosphere has been abuzz with reports of spammers using Twitter's own search feature to grow their spam databases. A simple search with "@gmail.com" or "email me" will return pages of people broadcasting their email addresses to the public timeline. Is this bad? Yes, but those users should know better than to broadcast their thoughts in the public timeline.
What bothers me the most about Twitter's search feature is that once a tweet has been posted to the public timeline, it can't be removed from it. It can be deleted, but it will still show up in the public timeline for weeks to come. As a proof of concept, I refer you to my earlier blog post on the subject.
Src: Spammers harvesting emails from Twitter - in real time | ZDNet.com
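The indexed spreadsheet in the Fayetteville post and the e-mail addresses pulled out of the public timeline here are the same underlying problem: sensitive strings sitting in text that anyone can search. The script below is an added example, not code from either post or from the services they describe. It runs the check a data custodian (or a spammer) would run over such text: find SSN-shaped and address-shaped strings, and use the Social Security Administration's never-issued ranges (area 000, 666 and 900-999, group 00, serial 0000) to discard obvious non-SSNs. The sample rows and tweets are constructed for the example.

```python
"""Scan text records for exposed PII: US Social Security numbers and e-mail
addresses. Added example; the sample rows and tweets below are constructed and
are not the real spreadsheet or tweets the posts refer to."""
import re

# Candidate SSN: 3-2-4 digit groups, optionally separated by a hyphen or space.
# Separators raise confidence; a bare nine-digit run may be an order number.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Deliberately simple address pattern; the point is harvesting, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed records: a few spreadsheet-style rows and a few tweets.
SAMPLE_ROWS = [
    "Jane Doe,123 Main St,555-0100,123-45-6789",   # formatted SSN
    "John Roe,456 Oak Ave,555-0101,234567890",     # bare nine digits
    "Invoice 2009-07,PO 000-12-3456,,",            # area 000 never issued
    "Order 666-01-2345 shipped",                   # area 666 never issued
    "Ticket 900-12-3456",                          # area 900-999 never issued
    "Badge 123-00-4567",                           # group 00 never issued
    "Badge 123-45-0000",                           # serial 0000 never issued
]
SAMPLE_TWEETS = [
    "email me at jane.doe@gmail.com for the slides",
    "new phone, same address: j.roe+twitter@example.org",
    "follow @gmail.com jokes",                     # a handle, not an address
]


def valid_ssn(area, group, serial):
    """Reject shapes the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000. Passing this filter
    means 'structurally possible', not 'a real SSN'."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return (normalised SSN, confidence) for each plausible SSN in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if not valid_ssn(area, group, serial):
            continue
        raw = m.group(0)
        confidence = "high" if ("-" in raw or " " in raw) else "low"
        hits.append((f"{area}-{group}-{serial}", confidence))
    return hits


def find_emails(text):
    """Return every address-shaped string in text."""
    return EMAIL_RE.findall(text)


def scan(records):
    """Scan an iterable of text records; return (index, kind, value, confidence)."""
    findings = []
    for i, rec in enumerate(records):
        for ssn, conf in find_ssns(rec):
            findings.append((i, "ssn", ssn, conf))
        for addr in find_emails(rec):
            findings.append((i, "email", addr, "high"))
    return findings


if __name__ == "__main__":
    for idx, kind, value, conf in scan(SAMPLE_ROWS + SAMPLE_TWEETS):
        print(f"record {idx}: {kind} {value} ({conf} confidence)")
```

Run against the constructed records it reports two SSNs (rows 0 and 1, the second at low confidence because it has no separators) and two addresses; the five rows with never-issued number shapes are dropped, and the bare "@gmail.com" handle is not mistaken for an address. A real deployment would run this over files before they are published to a web server, since once a search engine has indexed a document, removing the file does not remove the cached copy.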
Labels:
people,
social_networking,
web2.0
Study: Users will route around firewalls
Application developers are making it easy for users to negate corporate firewalls, and users are happily taking advantage of this, while corporate IT networks are constantly playing a cat and mouse game with these users.
I've always been of the opinion that IT needs to work with users instead of trying to "control" them. One too many "No!" and a user will find his/her own way of getting things done.
A lot of the risks detailed in this report could be managed rather easily by giving users access to a comparable set of approved tools.
Src: Study: Employees Will Find Ways to Route Around Corporate Firewalls | ReadWriteWeb [tx @security4all]
Labels:
management,
privacy,
qotd,
web2.0
QOTD on Moving to the Cloud
If you think it's tough managing identities, devices, malware, exploit attacks, mitigating software vulnerabilities, and conducting meaningful audits today -- you haven't seen anything yet compared to what's coming with the hyper-connected nature of data, people, infrastructure, devices, and applications in 'The Cloud.' -- George Hulme writing in InformationWeek
Src: Cloud Security Needs Its Rainmaker | InformationWeek [Tx georgevhulme]
Four functions of social media
Leave it to the US military complex to come up with one of the best characterizations of social media and strategies for taking advantage of it. A report due out next week, entitled "Social Software and National Security," will outline the four functions the military intends to capitalize on when it comes to its Web 2.0 presence:
- inward sharing of information within agencies
- outward sharing of internal agency information with other governmental entities
- inbound sharing government getting input from the public
- outbound sharing to communicate with stakeholders outside the government
Labels:
government,
web2.0
Researchers can ID anonymous Twitterers
Those who still think they can use social networking sites and be anonymous should read this article about research done at the University of Texas Austin. Arvind Narayanan, one of the researchers said: "The more of a person's network you can map out, the easier it gets to de-anonymize someone in the future."
Src: Researchers can ID anonymous Twitterers | InfoWorld [tx @geekgrrl]
Move over LinkedIn - Hello Twitter [v1.2]
Last updated:
03/09/09: added more categories of infosec folks to follow
02/23/09: added a top 10 of the who's who in infosec on Twitter
For InfoSec folks, Twitter's where the action is. While LinkedIn is touted as the meeting space for professionals, Twitter allows for much more open, instantaneous interactions between information security folks, regardless of one's credentials or professional baggage. For example, a former student of mine now regularly exchanges tweets (i.e. Twitter messages) with one of the top SANS authors and instructors. In LinkedIn, such interactions would require finding a common discussion forum, or harder yet, establishing a direct connection between parties, with all of the prerequisite level of trust implied.
However, this open playground for the superstars of InfoSec may not last forever. As one's following grows, they are less likely to follow back in order to stay focused. I find myself in this position, having to resist following back in order to be able to focus my attention on those that I wish to learn from. That is not to say that those that I do not follow have nothing to offer, but that I have to manage my time to make the most of it. I have gone through several rounds of pruning in the past weeks, and still end up with over one hundred (100) security folks that I want to follow.
There are also possible changes looming on the horizon, stemming from Twitter's own survival and its need to make money out of the social networking space.
This is a unique moment in time, a gathering of sorts, so if you are in (or interested in) Information Security, embrace Twitter and join this cohort of security veterans and novices.
Update1:
To encourage some of my security colleagues to join Twitter and get instant value added, I created a list of ten security folks to follow on Twitter. This is of course only a start and I welcome any additional suggestions along with reasons to follow.
- @securitytwits - gathering of security folks from all walks of life
- @stiennon - former Gartner analyst, now independent speaker and prolific blogger
- @rmogull - former Gartner analyst, co-host NetSecPodcast
- @kriggins - jack of all trades, and from nearby Iowa
- @edskoudis - master SANS instructor, and co-founder InGuardians
- @PrivacyProf - top-rated privacy speaker, from nearby Iowa
- @jeremiahg - web-app vulnerability researcher and CTO of WhiteHat Security
- @alexhutton - risk management
- @catalyst - all around governance and staying positive
- @BrianHonan - European (Ireland) security perspective, member SANS NewsBites advisory board
Thanks to all for your feedback. Here's an extended list:
- Infosec Podcasters:
- @mckeay & @rmogull: Martin McKeay & Rich Mogull of the Network Security podcast
- @pauldotcom: Paul & Larry of the PaulDotCom Security Weekly podcast
- @riskybusiness: Patrick Gray of the Risky Business security podcast
- Security vendors (a select few):
- @SANSInstitute: Official updates from SANS - useful security tips
- @SANS_ISC: SANS Internet Storm Center - stay current
- @CoreSecurity: Often provides goodies for followers, including direct links to webcasts and slides
- More to come
How to Use Twitter for Information Mining
Lenny Zeltser of the SANS Internet Storm Center provides insights and warnings for those using Twitter about the amount of data and connections that can be mined from your Twitter activity.
Src: How to Use Twitter for Information Mining - SANS Internet Storm Center
Social Media Defined
A fellow Security Professional, Martin McKeay, asked Twitter users to define social media. Here's my perspective on this revolutionary concept:
Social media is the convergence of technology and freedom of expression, allowing instant publishing of one's thoughts and opinions free of editorial control.
Social media tears down the last barrier to communication - distance. Its users enjoy the freedom of expression, the instant delivery of content and feedback, and the ability to connect to countless others, making us one small world in a great sea of humanity.
Dr. Christophe Veltsos, January 19th, 2009
Labels:
web2.0
It's time to start issuing PC licenses
Known as the Cyber Cynic of Computerworld, Steven J. Vaughan-Nichols recently wrote an article arguing for the licensing of PC users. Here's what Dr.InfoSec had to say:
A hybrid approach of licensing PC users and providing virtualized desktops may be the best approach.
Imagine a $100 device that would be instantly on, where you could not save anything (including malware taking over), and where the user would be brought to his/her virtual desktop with all of the enterprise-class protections that are considered best practices today.
So where does licensing fit in this picture? If you have a need to use a *real* PC (is there such a thing anymore?), you would need to be licensed in safe computing (much like your state or country licenses safe drivers). If you are found to be in violation of safe computing practices, your license may be revoked and you would be brought back to the virtual desktop environment.
Src: It's time to start issuing PC licenses - Computerworld Blogs
Labels:
management,
people,
web2.0
(Under)mining Privacy in Social Networks
Three Google employees have written a paper about the dangers to your online privacy from the amount of information available on social networking sites and their activity streams, and the potential for connecting the dots (linkages), which would allow some users (or their connections) to be identified by merging social graphs (i.e. connection patterns).
Here's an excerpt of the paper's introduction:
...we point out three distinct areas where the highly-interlinked world of social networking sites can compromise user privacy. They are
• lack of control over activity streams,
• unwelcome linkage, and
• deanonymization through merging of social graphs
Direct link to paper
Src: Could your social networks spill your secrets? | New Scientist
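The third bullet above, and the UT Austin result quoted earlier ("the more of a person's network you can map out, the easier it gets to de-anonymize someone"), both rest on the same mechanism: friendship structure is itself an identifier. The toy below is an added example, not the researchers' code or the paper's algorithm. It takes a pseudonymous friend graph, a graph of the same people under their real names, and two seed identities (say, two users who linked their own profiles across the two sites). Each remaining pseudonym is scored by how many of its already-identified friends are friends of a candidate named profile; a candidate is accepted only when it clearly beats the runner-up, and ties wait for a later round. The graphs, names and seeds are constructed; the anonymous graph has one edge missing and one extra so the matching has to tolerate noise.

```python
"""Toy seed-and-extend de-anonymization across two social graphs.
Added example; the graphs, names and seeds are constructed and this is not
the researchers' code or the paper's algorithm."""

# Graph where identities are known (e.g. a site with real-name profiles).
KNOWN_GRAPH = {
    "alice": {"bob", "carol", "dave"},
    "bob":   {"alice", "carol", "erin"},
    "carol": {"alice", "bob", "dave", "frank"},
    "dave":  {"alice", "carol", "frank"},
    "erin":  {"bob", "frank"},
    "frank": {"carol", "dave", "erin"},
}

# Pseudonymous graph of the same six people. Friend lists never match
# perfectly across sites, so one edge is missing (u1-u4, i.e. alice-dave)
# and one is extra (u4-u5, i.e. dave-erin) relative to KNOWN_GRAPH.
ANON_GRAPH = {
    "u1": {"u2", "u3"},
    "u2": {"u1", "u3", "u5"},
    "u3": {"u1", "u2", "u4", "u6"},
    "u4": {"u3", "u5", "u6"},
    "u5": {"u2", "u4", "u6"},
    "u6": {"u3", "u4", "u5"},
}

# Constructed ground truth, used only to check the result.
GROUND_TRUTH = {"u1": "alice", "u2": "bob", "u3": "carol",
                "u4": "dave", "u5": "erin", "u6": "frank"}


def deanonymize(anon, known, seeds, min_margin=1):
    """Map pseudonyms in `anon` onto names in `known`, starting from `seeds`.

    For each unmapped pseudonym, every unclaimed name is scored by how many of
    the pseudonym's already-mapped neighbours are neighbours of that name.
    The best name is accepted only if it beats the runner-up by at least
    `min_margin`; ties are deferred, and usually resolve once more of the
    neighbourhood has been identified. Rounds repeat until nothing changes.
    """
    mapping = dict(seeds)
    claimed = set(mapping.values())
    changed = True
    while changed:
        changed = False
        for pseudo in sorted(anon):
            if pseudo in mapping:
                continue
            mapped_nbrs = {mapping[n] for n in anon[pseudo] if n in mapping}
            if not mapped_nbrs:
                continue  # nothing identified nearby yet; revisit next round
            scores = {name: len(mapped_nbrs & known[name])
                      for name in known if name not in claimed}
            if not scores:
                break
            ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
            best, best_score = ranked[0]
            runner_up = ranked[1][1] if len(ranked) > 1 else 0
            if best_score > 0 and best_score - runner_up >= min_margin:
                mapping[pseudo] = best
                claimed.add(best)
                changed = True
    return mapping


def correct_fraction(mapping, truth):
    """Share of pseudonyms that were mapped to the right person."""
    return sum(1 for p, n in mapping.items() if truth.get(p) == n) / len(truth)


if __name__ == "__main__":
    # Two seeds: say these two users linked their own profiles on both sites.
    result = deanonymize(ANON_GRAPH, KNOWN_GRAPH, {"u1": "alice", "u2": "bob"})
    for pseudo, name in sorted(result.items()):
        print(f"{pseudo} -> {name}")
    print("correct:", correct_fraction(result, GROUND_TRUTH))
    # With no seeds there is nothing to propagate from: nothing is recovered.
    print("no seeds:", deanonymize(ANON_GRAPH, KNOWN_GRAPH, {}))
```

With two seeds the six-node example resolves completely in two rounds: u4 is a tie between dave and frank in the first round and is settled once its other neighbours are named. With no seeds nothing is recovered, which is the point of the quoted remark: the attacker's leverage comes from the part of the network that is already known, not from the pseudonymous data on its own.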