Security Space

Relevant security links and random thoughts

Updated: 2018-03-06T06:34:07.817-07:00


A Master Plan for Taking Back Control of Your Life


Excellent article on ways to take back control of your life. Today we live in a society with constant forms of input and interruption. Phone calls, text messages, emails, Twitter feeds and news stories all come to us from different sources. How do we get control?

You should read the entire article. I'm choosing to focus on only a few points I feel I need in order to get back in control. Self improvement to me is taking small steps that keep us moving forward until we become who we want to be and know we can be.

1. Make more of your behaviors automatic.

Interesting thought that we have limited will power. How often do we try to change a habit or begin a new routine only to fall back into our regular schedule? My resolve is to make the good habits I want more routine and automatic. If they become part of my regular schedule then I don't have to motivate myself to do them. I expect myself to do it.

3. Whatever you feel compelled to do, don't.

What drives you to do something? When I'm compelled to really want to do something I shouldn't do it?? Does this go against what most of us think? Is this what allows us to give in to our lazy, impulsive selves? How do you change what compels you? This is an area I need to think about and research: what compels me, and is that a good or bad thing? Goals, achievement, recognition, or just the feeling of accomplishment often compel me to improve myself. Is that a bad thing?

Improving Your Writing


This article on Lifehacker made me think I need to update my blog more often. New goal: at least a weekly post on news, information or just stuff I find interesting.

Is the Internet replacing your own memory?


Of course it is.

To me the Internet is just replacing books and other printed material. I've also felt that it was more important to know how to access or find information than to store it. That is why we create notes in college. Some teachers feel that memorization is more important than knowledge. Some people can memorize and some people know where to get the information. I do have lots of useless information stored in my brain. A question like "is an ostrich's eye bigger than its brain?" I don't know, but I know I can find it in seconds with Google.

I just wish I had access to Google face recognition while at my next family or class reunion so I could remember all those friends from high school. No, I will not add you as a friend on Facebook.

Encrypt That Hard Drive


SANS recently published a newsletter about encryption that is a good primer for anyone that wants the basics of encryption. The SANS Securing the Human project is a great resource for those security folks looking for a way to jump start their awareness program. OUCH! Understanding Encryption

Now that a user knows all about encryption and has encrypted their hard drive, are they required to give up their encryption key to your company or the US Government? Is your key protected by the 5th Amendment? - Cough up the encryption key or else!

Why there are so many criminals in Russia


Some interesting thoughts on why there is so much malware code written in Russia. I like the analogy with the guys writing code at Raytheon.

"Kaspersky said, it's not unlike the fellows working on missile technology at Raytheon in the U.S. They're not the one who will pull the trigger if the weapons are used. They just build it and have little idea of where their handiwork is later used.

For the typical Russian hacker, it's a similar mindset. They just write the stuff. They're not necessarily the ones launching the attacks and picking the targets."

Rogue software and Scareware


One of the latest attack vectors from malcontents is the rogue anti-virus, sometimes called scareware. Many users wonder how their computer was infected. They didn't go to any bad site; they just visited popular news or search sites. Many of these sites subscribe to ad services that populate pages with ads from various sources. A number of these ads carry malware or rogue software that displays a pop-up message saying your computer is infected, click here to scan. This malware often looks like a Windows message or a message from your anti-virus software. Once you click on the message the damage is done.

Norton’s (Symantec) web site has some great information on this topic.

A Norton employee wrote a three part blog article on what they do and how to recognize them.

2011 New Year's Resolutions


Work and personal life have been crazy the last few years. This year one of my new year's resolutions is to be more active with my blog posts.

What is your information worth?


What is information about you worth on the street? Here is an interesting article about what information is worth on the street these days.

What is your stolen data worth?
Criminals and miscreants buy and sell your data today as you would items on eBay. 1,000 debit cards with PIN numbers go to the highest bidder. Criminals have done this for years with credit cards from your wallet; now they can do it en masse thanks to the Internet. Online auction sites for your information are out there and being used. The criminal that steals the data is often not the one using it. TJX was a case in point. Most of those credit card numbers were sold off to others that made the purchases.

Researchers: Disk Encryption Not Secure


Here is some more information on this attack. The video is worth watching. It does make it look simple enough for the average consumer.

Here are some comments from PGP's CTO on the problem.

Takeaways from all of this

  • "Encryption is not magic pixie dust that makes everything okay"
  • Don't use sleep mode, shut down and turn off your computer.
  • If the Feds come to grab your computer, turn it off first.
  • If someone has physical access and time on their hands they can break almost any security measures.
  • Hard drive encryption needs to move to the hardware level, or at least the key protection part.

Hard drive encryption


Many organizations today are starting to take laptop security and encryption more seriously. Most are at some level of rolling out laptop or whole disk encryption. This can present many interesting challenges, both technical and cultural. Most of the disk encryption vendors do not have clients for multiple OSes, so dual boot machines with Windows and Linux are stuck with volume level encryption or some other option for now. Vendors are promising some type of Linux client but I've yet to see any deliver. Another problem is the recovery partition on most stock machines installed by the vendors. Once the entire drive is encrypted the recovery partition is no longer useful. Larger businesses may eliminate this with a standard hard drive image. In most cases they don't want the end user restoring their laptop to the vendor-provided install.

Cultural challenges include shared or "check out" laptops. Trying to set up multiple encryption users and passwords on a single machine can be complicated. It may be helpful to educate users that no sensitive or confidential data should be stored or even accessed when using a shared laptop. While a shared encryption password may help with laptop loss, it may still expose sensitive data to an employee that does not have the proper clearance.

Full disk encryption will continue to grow in popularity as businesses attempt to protect data that gets stored locally. It can present its own unique challenges. While the software solutions available today are good, I see encryption moving to the hardware vendor level over the next few years. Either the platform vendors (Dell, HP) or the hard drive vendors need to provide better ways to protect the data stored on portable devices.

Researchers find hard drive encryption's Achilles' heel

I think we all knew it wouldn't be long before someone discovered ways around disk encryption technology. As I read this research I couldn't help but ponder who would go through all this effort for a stolen laptop. The average criminal that picks up a laptop in a hotel room or out of the back seat of your car is not going to have the technical skills to figure this out. This sounds more like a great scene from the next Jason Bourne movie.

Data breaches reach new levels in 2007


The year 2007 will be known for the unprecedented number of data breaches. The Privacy Rights Clearinghouse maintains a database of privacy breaches over the last two years. Of course the TJX breach was one of the more publicized. [...] also provides a database of breaches called the Data Loss Database. Theft of laptops continues to lead the way for companies to lose data. While we and other entities continue to push the use of whole disk encryption, there continues to be user resistance. Other aspects of the security layers, including user education and training, need to be emphasized. At some point all of us will face the prospect of identity theft from a loss of data by some organization we once trusted. As security professionals we must continue to work hard to ensure the data entrusted to our organizations is well protected.

I’m Not the Sheriff


A recent article in the ISACA Control Magazine by Steven Ross called "I'm Not the Sheriff" (login required) talks about who is responsible for security control enforcement. He asks the question: is it Information Security's, the IS Auditor's, Management's, or technology's role to enforce security controls? To some degree I believe it is one group he left out: the end user's role. In most cases I'm amazed at how many of the violations are simply the end users not thinking about the consequences. As we detect SSNs being emailed in clear text, often the user asks "is that a bad thing?" I guess only if it is not my SSN being emailed to the outside world.

Many vendors would have you believe that their appliance or latest software can enforce compliance. While it may help you detect a violation, often technical solutions cause as many problems as they resolve.

Steve answers his question with what is always the best solution. All of these things working together are what ensures compliance with security controls. Your system can catch a problem but if management does not support the control in the first place then it does not really matter. So a combination of processes, people and technology are what makes for better security.

Ten Windows Password Myths


While doing research for our password policy I ran across this older article by Mark Burnett Ten Windows Password Myths.

The 10 myths still apply today.

  1. My Password Hashes Are Safe When Using NTLMv2
  2. Dj#wP3M$c is a Great Password
  3. 14 Characters is the Optimal Password Length
  4. J0hn99 is a Good Password
  5. Eventually Any Password Can Be Cracked
  6. Passwords Should be Changed Every 30 Days
  7. You Should Never Write Down Your Password
  8. Passwords Cannot Include Spaces
  9. Always Use Passfilt.dll
  10. Use ALT+255 for the Strongest Possible Password

While I could comment on several of the myths, the one I like is "Passwords Should be Changed Every 30 Days". Time and time again, I've seen that the more often you force users to change their passwords, the weaker they get. If you force users to have complicated passwords and change them often, they get written down on a sticky note. Part of the reason users have simple passwords is to remember them. Teaching them to use longer passphrases is going to enhance password quality more than changing them often.

Recently one of our agencies came up with what I felt was an innovative solution to the problem of users not changing the original password they were given. While most systems force a user to change the password the first time they log in, not all systems do that. For those systems the agency uses a thirty character hash as the original password. The user only wants to type those 30 characters once and quickly changes their password. Making it so the easiest thing to do is the right thing will get users to follow the rules more than force will.

Security Statements you don’t want to hear.


Jon Espenschied's 8/14/07 Computerworld article, 10 Claims That Scare Security Pros:

  1. "We have a culture of security."
  2. "IT security is information security here."
  3. "That doesn't apply to the boss."
  4. "Our information security officer is on the IT staff."
  5. "We have a password policy."
  6. "Our managers have copies of all passwords."
  7. "The Web app only runs if we … "
  8. "Brand X is our standard."
  9. "Hey, where'd that come from?"
  10. "We sent the firewall rules out to …

While I agree with many of these, there are a few I would question.

The role of the information security "officer" can be debated forever. Is this a technical role assigned to IT or a business person that audits IT controls? My experience shows that in most companies Information Security is seen as a role of IT. Right or wrong, that is just the reality. Most of the time the "security person" grows out of a network or system administrator who has a desire to delve into security. There is also the debate over whether security is the responsibility of one individual or something everyone does. I feel that when it is everyone's responsibility then no one really focuses on it. While every system administrator has a role in security, if it is just one of fifty hats they wear it often gets low priority until there is a problem.

Passwords continue to be a major security issue. Not just end users but often system administrators and developers use simple-to-guess passwords or no passwords at all. Or, as we have found out, the same password on every computer they touch.

Fit to be Tied


This recent article in Government Technology by Chad Vander Veen piqued my interest because it hit on two of my big workplace pet peeves.

The neck tie, why do we have them? Do they serve any purpose other than to shut off blood circulation to some managers' heads? I wear one almost every day and have often wondered what their purpose is. Why do we dress so formally at work? I have read studies in the past that claim companies that have a dress code of neck ties create a more professional environment. The dotcom era seemed to show that the more casual the better. Isn't it interesting how a new boss can set the dress standard without even saying anything? When our new CIO came on board wearing a white shirt and tie every day it was fun to watch how many managers suddenly started wearing white shirts and ties. Was it part of his plan to change the culture or just his personal clothing style?

The other subject the article addresses is the 40 hour work week. It is a relic of the past. I know when I worked a few years at a start-up there was no such term. I've always felt that people should work until the job is done. My wife tells me if I did that I would never come home because I never get everything done I wanted to. The reality is that with today's technology, working any time, any place may allow us to spend more time with family and friends. It has always interested me that the schools teach our kids these concepts. Kids are given an assignment and sent home to work on it. Remember homework? They aren't instructed to work from eight to five on an assignment. They are told the assignment is due on Friday and late work is not accepted. Once we become adults and enter the workplace we get away from this. Instead it seems most managers think if you stay in your cube eight hours a day and look busy you are a good employee. Late work is not only accepted but often expected. Maybe we should look to the education community for a few more managers.


Base Rate Fallacy


Recently, I attended a seminar put on by the local chapter of ISACA. It was a great seminar with various speakers and topics. One of the speakers was from Oakley Networks and he talked about the base rate fallacy as it relates to security. He used examples from Bruce Schneier's security blog. I reviewed Schneier's post on Terrorists, Data Mining, and the Base Rate Fallacy. While I agree with the overall premise, I think he missed the entire point of why they use data mining to find terrorists. Like any data mining project, you are looking for patterns to narrow down your results to something you can manage. Also, I would have to believe that the NSA would not use only one source to form an opinion. The NSA may use data mining to target 30,000 people, then use other methods to validate and verify the assumptions. Any good law enforcement officer, scientist or security guru would use the same process.

Symantec Internet Security Threat Report released


Symantec has released its semi-annual threat report. After reviewing the document, here are a few items I found of most interest or highlights.

  • The government sector accounted for 25 percent of all identity theft-related data breaches, more than any other sector.
  • The government sector was the sector most frequently targeted by DoS attacks, accounting for 30 percent of all detected attacks.
  • Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from the previous period.

Advertised prices from the report (US dollars):

  • United States-based credit card with card verification value: $1–$6
  • United Kingdom-based credit card with card verification value: $2–$12
  • List of 29,000 emails: $5
  • Online banking account with a $9,900 balance: $300
  • Yahoo Mail cookie exploit, advertised to facilitate full access when successful: $3
  • Valid Yahoo and Hotmail email cookies: $3
  • Compromised computer: $6–$20
  • Phishing Web site hosting, per site: $3–$5
  • Verified PayPal account with balance (balance varies): $50–$500
  • Unverified PayPal account with balance (balance varies): $10–$50
  • Skype account: $12
  • World of Warcraft account, one month duration: $10

You can get your own copy of the report at ... Other interesting links in the report [...]

Cost of a Security Breach


By now most of us have heard the story of TJX and its security breach involving 45 million credit cards. And I'm sure none of us would want to be in their Security Officer's shoes right now.

Trying to determine the actual cost of a data breach may be near impossible. Developing a method to determine the cost of a security breach seems to be a popular news story. Many news stories like to report large figures, like the US Department of Justice's cases in 2006 that determined the average loss per incident was $1.5 million, or the Ponemon Institute survey that figured the average at $4.8 million.

A recent Forrester report on Calculating the Cost of a Security Breach has some great information and background on what to include in your calculation. A few interesting points I pulled from the article include:

$50 per record for Notification. Think about the 45 million credit cards TJX has to notify on.

Visa levied fines of $4.6 million on its acquirers for mismanaging customer data in 2006.

Estimated cost of a security breach can range between $90 and $305 per record.

Even a small incident of several thousand credit card records could cost your company a lot of money. Now we have to work on getting management to believe it could happen here.

How To Spot Insider-Attack Risks In The IT Department


A recent survey by the Secret Service and CERT Coordination Center/SEI indicates that 86% of internal computer sabotage incidents are perpetrated by tech workers.

Two weeks after your trusted UNIX administrator leaves, all your major UNIX database systems go down for a day. Coincidence? Often the most trusted employees in the organization are those in our IT group. They have the keys to the kingdom. They know all the right passwords, which systems contain which data, and where the company's real weaknesses are.

What are some measures you can take to protect your organization?

Hire Smart
1. Do a background check
2. Check their references or other professional groups they may belong to
3. Search the web to see if they have a blog or MySpace-type web site.
a. What does it tell you about their personality?

Separation of Duty
Sounds simple, but in most organizations it is tough having enough staff. So often companies count on one or two people to run the show. The employees know it and can often hold the company hostage over raises or disciplinary actions. As a manager I've had an employee tell me "you can't get rid of me, I'm the only one that understands the system". That was when I realized I needed to change the way I managed things.

Know your employees
Sometimes employees get themselves into trouble because of external forces in their life. Knowing when employees are going through a divorce, a death in the family, bankruptcy or other life-changing events can help you know when there is an increased risk.

As Ronald Reagan said "trust but verify".

See related post Would you hire a hacker?

Banks could pass on phishing losses to customers


This could be a bad precedent, another fee that banks will pass on to customers. It does bring up the interesting question of who is responsible for protecting your data. Clearly if you give out your PIN or password you are responsible. If your credit card is taken, are you responsible for the protection of it? If you leave your wallet unprotected on a city bench and someone picks it up and uses your credit card, are you responsible? You didn't adequately protect it. If you didn't keep your anti-virus or anti-spyware up to date and you get a Trojan that steals your password, who is responsible?

Henry said the Bank of America has adopted the attitude that a Trojan on your PC is "your problem".

Questions to be answered in court I’m sure.

LINUX: Over 34% more geeky than any other operating system


You will spend countless hours figuring out how to do the simplest things. What could be more fun?

Once again I attempted to switch my desktop system from Windows XP to Linux. While the install of SLED (Novell SuSE) was very simple, the configuration and getting it to do what I wanted is taking hours. Simple tasks in Windows XP seem to take forever to get working in Linux. While this may be great for the average technical person, I have to question my productivity loss in this latest attempt to make the switch. The newer versions of desktop Linux have come a long way and the user interfaces are greatly improved. However, I still find myself opening up a terminal session and issuing commands, much like I did in the old Windows 2000 days. I don't consider myself an expert in Linux but I can get it to do what I need to. It is just figuring out the right command to do it.

One of my employees sent me this great link that sums up my experience with Linux on the desktop.

Network (Internal Network Layer)


This layer contains methods to protect the network by monitoring traffic types and segmenting traffic via different security models.

These methods include:

  • Intrusion detection and alerting in place to identify and proactively respond to problems.
  • Intrusion prevention systems to allow for automated response to potential security breaches.
  • Network traffic shaping and flow analysis to determine patterns and identify potential risks.
  • Network segmentation:
    • Separate networks by agency and security level.
    • VLANs used to separate traffic and limit access between agencies.
    • MPLS to tag traffic from individual agencies.
  • Access control lists (ACLs) that block traffic and ensure that only specified IP addresses can access systems and services.
  • Non-routable IP addresses are used where possible to keep internal State services from exposure to external networks.
  • Internet and Web filtering to protect users from accidentally surfing to inappropriate or hazardous Web sites.
  • Network-based anti-virus software to eliminate viruses and worms before they reach other layers.
  • Regular vulnerability assessment and testing of network services.

Would you hire a hacker?


Several weeks ago, while doing a presentation at a local university, I was asked by a student "Would you ever hire a hacker?" My immediate response was "no" and then I went on to explain why.

A recent blog posting on CSO by Ken Pfeil expresses some of the same concerns I have.

The comments are of interest as well. Information Technology and IT security in general is all about TRUST. It's not about certifications, labels or other things. It comes down to this: do I trust this person with the information they come across every day working in IT? Most corporations do background and reference checks to get some level of assurance that this person does not have a history of criminal or malicious behavior. Would you hire a tax consultant that had previously been convicted of tax fraud? Of course not.

Hiring someone who can hack a system does not (1) make them smart or (2) make them a good employee. In fact, if they got caught by someone, wouldn't you be better off hiring the person that caught them?

In my mind, the difference between a "hacker" and a security administrator is permission. We do penetration testing and vulnerability assessments all of the time, with permission of management and the information system owner. The hacker accesses someone else's system, breaks several laws and, more importantly, compromises some basic principles of society. What is their level of integrity and respect for someone else's property, including the company that just hired them? Poor behavior tends to repeat itself.

Are Security Blogs a Security Risk?


A recent post on a blog on CSO magazine addressed this issue. I think blogs like this and others can present some security threat by giving out information about security products or strategy. They can also embarrass a company, its employees or officers. So with any type of blog you must consider your words wisely. I hope I've been able to do that here: provide basic sound information about security while not embarrassing myself or my employer.

Perimeter (First Line of Defense Between the Internet and Internal Networks)


This layer is the border between the external world and the internal network and systems. The perimeter service acts as the hard outer shell that protects all that is inside. This layer must allow traffic and commerce to take place while eliminating as many threats as possible. Methods include:

• Perimeter firewall protection.
• Firewalls between the company assets and the Internet are essential.
• Logging, analysis, and reporting of access.
• Elimination of clear text and other services that can expose internal systems to external threats.
• Encryption of incoming network traffic destined for more secure internal systems, such as:
  o Secure Shell
• Bastion host and proxy services funnel services and limit exposure.
• Proxy cache and other technologies to limit the exposure of internal systems to external services.
• Authentication of employees accessing the network.
• DMZ and filtered networks are in place to only allow external traffic to specified areas and zones.
• Regular vulnerability assessment and penetration testing done to identify weaknesses and proactively resolve potential problems.
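The perimeter controls above and the internal network layer controls (ACLs, segmentation by agency, non-routable internal addresses) can be expressed as a policy and checked. The following is an added example, not code from the original blog: a first-match, default-deny ACL evaluator covering both layers plus an audit that flags perimeter rules exposing non-routable space. Every subnet, agency name and rule in it is an assumption constructed for the example.

```python
"""Added example (not from the original post): a small first-match ACL
evaluator modelling the perimeter and internal-segmentation controls the
two layer descriptions list. All address ranges, agency names and rules
are constructed for the example and describe no real network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
# RFC 1918 space, listed explicitly rather than using is_private(), because
# Python also reports documentation ranges such as 192.0.2.0/24 as private.
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None matches any destination port
    note: str                    # why the rule exists; returned with decisions


# Constructed address plan (assumption): two agencies on their own VLANs, a
# shared-services segment with an admin subnet inside it, and a DMZ that
# fronts the Internet (TEST-NET-1 stands in for public address space).
AGENCY_A, AGENCY_B = net("10.10.0.0/16"), net("10.20.0.0/16")
SHARED, ADMIN_NET = net("10.250.0.0/24"), net("10.250.0.0/28")
DMZ = net("192.0.2.0/24")

# Perimeter ACL: evaluated top to bottom, first match wins, implicit deny.
PERIMETER_ACL = [
    Rule("permit", ANY, DMZ, 443, "public HTTPS terminates in the DMZ only"),
    Rule("permit", ADMIN_NET, DMZ, 22, "SSH to bastion hosts only from the admin subnet"),
    Rule("deny", ANY, ANY, 23, "clear-text telnet never crosses the perimeter"),
]

# Internal ACL: agencies reach shared services but never each other.
INTERNAL_ACL = [
    Rule("permit", AGENCY_A, SHARED, None, "agency A may use shared services"),
    Rule("permit", AGENCY_B, SHARED, None, "agency B may use shared services"),
    Rule("deny", AGENCY_A, AGENCY_B, None, "agencies are segmented from each other"),
    Rule("deny", AGENCY_B, AGENCY_A, None, "agencies are segmented from each other"),
]


def evaluate(acl: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """First-match evaluation of one flow; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst and rule.port in (None, port):
            return rule.action, rule.note
    return "deny", "no rule matched (implicit deny)"


def is_non_routable(addr: str) -> bool:
    """True for RFC 1918 addresses, which should never be reachable from outside."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def exposed_internal_rules(acl: List[Rule]) -> List[Rule]:
    """Audit a perimeter ACL: a permit rule open to any source whose destination
    overlaps non-routable space would expose internal services to the Internet."""
    return [r for r in acl if r.action == "permit" and r.src == ANY
            and any(r.dst.overlaps(n) for n in RFC1918)]


if __name__ == "__main__":
    for acl, flow in [(PERIMETER_ACL, ("198.51.100.7", "192.0.2.10", 443)),
                      (PERIMETER_ACL, ("198.51.100.7", "192.0.2.10", 22)),
                      (INTERNAL_ACL, ("10.10.3.4", "10.20.1.1", 445))]:
        print(flow, "->", evaluate(acl, *flow))
    print("exposure findings:", exposed_internal_rules(PERIMETER_ACL))
```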