Protecting our most valuable gifts

Children are the most precious gift we could ever receive. It is our job to protect them, and arm ourselves and our children with the knowledge needed to keep them safe. Protecting our children on the Internet is only one aspect of their overall safety and security. Below are links to sites that promote the education of both children and their parents on various safety and security issues.

Various Internet Safety links for parents and children
http://www.netsmartz.org/
http://www.ConnectSafely.org
http://www.safekids.com
http://www.safeteens.com
http://www.kidswatch.com/

Wireless routers with filtering software built-in
http://www.pcmag.com/article2/0,1759,1619375,00.asp
http://tech.yahoo.com/blogs/devlin/5684
http://www.netgear.com/Products/RoutersandGateways/SuperGWirelessRouters/WGT624SC.aspx

Fire Safety for the home
http://www.firstalert.com/tundra_fire_extinguishing_spray.php
http://www.usfa.dhs.gov/kids/flash.shtm

Great sites about auto safety, and other safety items for kids
http://www.kidshealth.org/kid/watch/out/car_safety.html
http://www.aap.org/healthtopics/carseatsafety.cfm
http://www.nhtsa.dot.gov/portal/site/nhtsa/menuitem.9f8c7d6359e0e9bbbf30811060008a0c


Teen Driving
http://www.nsc.org/issues/teendriving/guide.htm
http://www.skipbarber.com/driving_school/mazda/new_driver.aspx

Encryption and Security Awareness – it’s the law!

Several states are jumping on the information security and privacy legislation train, and it is leaving the station at full speed. Similar to the data breach laws that are now in place for 44 states now, we can expect a similar rush by states to initiate similar laws calling for specific security measures to be enacted to protect personal information, and liability for companies that have breaches

Massachusetts for example passed the following legislation, which calls for some very specific controls and measures to be enacted to comply with the state law.

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

This regulation is applicable for entities who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”.

According to the regulation personal information and records are defined as such:

"Personal information," a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

“Record” or “Records,” any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.


Two of the more interesting and detailed requirements are:

“The encryption of all personal information stored on laptops or other portable devices, and “to the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly”

“Each covered entity must train employees on the proper use of the computer security system and the importance of personal information security.”

Nevada has similar legislation that went into effect on October 1, 2008, which prohibits businesses from transmitting unencrypted personal information on consumers on external networks.

So how can your organization begin to comply with this type of legislation?

• Consult internal and external counsel on these matters and ensure you have someone specialized in privacy & data security law.


• Ensure you have a written information security plan that uses a published industry standard to use as a guideline (ISO, PCI, etc.). Most of the legislation is based on using “reasonable” security measures that cover (and this is the de facto language) administrative, technical, and physical safeguards.


• Once your standard is in place in your program – work to achieve that standard, by performing a risk assessment against the organization so you know where to start, and where to properly spend money and resources.


• Know where your important and confidential data is within the organization, and how people are using it. Get line managers that are responsible for this type of data together and ask them in a very non-accusatory manner how the organization is using and protecting this type of data.


• Exercise control over service providers and require them to contractually protect your data and follow your standards, as well as auditing them to ensure they are doing so.


• Have a plan ready in case none of this work and you have to report a breach.

Obviously, these are all very high-level requirements and are by no means an exhaustive list. Every organization is different and requires different controls and processes. The more you understand the data flows, and the risks to the organization the better you will be when the worst happens.

One quick note - in the definition of person, the commonwealth intentionally left any of their agencies out of this definition so they wouldn't have to abide by this legislation - NICE!

Spotting bogus e-mails using grammar checking

Bogus E-mail from Microsoft


isc.sans.org and several other sites are reporting a bogus e-mail from Microsoft containing malicious code, an example of which is below. In addition to the various technical measures that can be taken such as blocking executables in e-mail, effective spam filtering, A/V protection, and endpoint protections, users should also be reminded to be on alert for these types of issues. Besides telling them to never click on these types of items, and not giving them the local rights to accomplish this, I believe we can go further in order to promote more security conscious activities at home, and hopefully reduce the number of zombied systems available for bot herders. In this example it is easy to spot the poor grammar in the e-mail as a sure giveaway that this is bogus. OK, my grammar is not exactly perfect either, but that is not the point. Now Microsoft or any company would most likely never distribute updates in this manner, but hopefully any valid communication from a company of this size would certainly not contain as many errors as I have illustrated below in bold, and that is exactly one of the items I point out to end users in classes I teach. My guess is that someone for whom English is not his or her native language wrote this – a former or current Russian state would be my guess.

Dear Microsoft Customer,Please notice that Microsoft company has recently issued a Security Update for OSMicrosoft Windows. The update applies to the following OS versions: MicrosoftWindows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft WindowsXP, Microsoft Windows Vista.Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.Since public distribution of this Update through the official websitehttp://www.microsoft.com/ would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. As your computer is set to receive notifications when new updates are available, [how do they know that?] youhave received this notice. In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine.
In that case,at this point the upgrade of your OS will be finished.We apologize for any inconvenience this back order may be causing you.

Travelers Privacy Protection Act of 2008

A bill has been introduced into Congress that would finally put protection and requirements in place before the Customs Service could confiscate your laptop, or perform an inspection of the data on the laptop without reasonable cause. The act further defines specific periods the equipment can be maintained and requires a warrant to be issued before a device could be seized. The bill also prohibits profiling and sets privacy requirements while the Customs Officials are looking at your computer or electronic device. I believe this is a step in the right direction, and a small return of our privacy and dignity that travelers lose every time they enter an airport, supposedly in the name of security. Our constitutional rights should not be thrown out the door in this current purgatorial zone of legality that currently exists at every US airport, and the comedic security measures that are taken, like removing your shoes, are doing little if anything to reduce the risk to the country or the particular flight you happen to be on. However, they are visible and easy, and that seems to be the mantra for the TSA – but I digress.

I still don’t believe you can legally be compelled to reveal your password, and the cases that have been tried have had so many other circumstances that had the person simply refused to divulge their password they would have probably prevailed. There is no judicial precedent on this matter, but it seems to be ill conceived on so many levels, not the least of which is the 5th amendment. Laptop computers and other electronic devices contain too much personal or corporate confidential information on them to simply let a government employee have complete access and copies of that data. Strong encryption and just one judicial precedence will hopefully end this matter for most of us law abiding citizens, and I’m sure the law breakers would never think to store this information in e-mail, or some other Internet storage application they can send back and forth across most borders without any checks.

But perhaps that is the government's next priority into our lack of privacy – let’s hope not.

Information Security and Privacy Class

Thanks so much for everyone who attended my class on Tuesday. I have published notes and links at the Class Notes link below. Please let me know if you have any questions, or need additional information.

Chris

Class Notes

What can be learned from data breach reports?

I need to thank the people at Attrition.org who are maintaining a database of data breaches that I refer to on a regular basis. I believe the information in these types of breach databases are very valuable as a research tool into good measures to spend your time and money in order to keep your company off of this list. Of course we have to make several assumptions about the data contained in the reports, and of course “you don’t know what you don’t know”, but even so, this is probably as good of a starting point as any survey we’ve all seen, and of course your risk appetite as well as the specific risks of an organization will also have to be considered. Now for the numbers

The database covers the period from January of 2000, until July 31 of this year and includes 1051 breaches. Here is a breakdown of some of the interesting facts after removing a couple which show disputed in the type of breach.

87% of the breaches were not due to a loss from a third-party. Another report from Verizon claims that 39% of their breaches are from a third-party. I believe there may be some under reporting of this statistic here due to the third parties reporting, and their customers not reporting the same incident.

The distribution of breaches amongst Business, Government, Education and Medical were 34%,24%, 30% and 12% respectively.

Stolen data was the highest reported breach type at 37% followed by “hack” which is classified by Attrition as “computer-based intrusion, data not generally publicly exposed” came in second at 21% followed by web-based intrusions at 15%.

NebuAd hauled down to Capitol Hill

WASHINGTON -(Dow Jones)- The chief executive of an Internet advertising start- up admitted Thursday that his firm could track peoples' activity on multiple Web sites without their express permission.
NebuAd CEO Robert Dykes said at a House hearing that the Internet service providers with which his company partners send their customers letters 30 days before any tracking begins.
The letters, which Dykes described as "robust," tell subscribers how they can opt out of the monitoring. If the customer doesn't respond, however, NebuAd begins collecting data on their browsing activities to offer ads relevant to their interests.

Yep - you can opt out alright, then they will place a cookie in your browser that will prevent their technology from performing its dastardly deeds. Of course if you ever get rid of that cookie, you are right back in the mix.

Another ISP caught with their NebuAd down

The Washington Post is reporting a story today that Embarq, an ISP in Kansas has been using the same technology that Charter Communications was pressured to drop just weeks ago. Apparently Embarq didn't tell their subscribers about this, and Congress is fast considering this and similar uses of deep packet inspection technology to perform these types of actions wiretapping. They have a link right on their home page listed "your privacy rights", but apparently that is just for show.

This is the first of their "five privacy principles" that apparently allow them to look at where their customers travel on the web.

EMBARQ creates, obtains, and uses your personal information to provide you the products and services you order, and to present you with product and service offerings that we believe may interest you

This is their definition of personal information.

Personal information is information that is directly associated with a specific person such as his or her name, address, telephone number, e-mail address, activities, and personal preferences.

We collect personal information about users of our products or services in the normal course of our business. This is how we know where to send you a bill for service...

Or an ad for something you may want.

All of their references to cookies in the privacy policy relate to cookies on the Embarq site, and mention nothing of the types of cookies used in the NebuAd realm. I am usually the last one to think that congress does much effectively, but perhaps this will be the nail in the coffin of this technology and stop other ISP's from getting the same idea. These types of privacy mishaps where companies had a privacy policy not outlining these types of activities, but thought it was their god given right to do so have gotten several companies in trouble with the FTC for unfair and deceptive trade practices, and a nice visit form the auditors biannually for the next 20 years. I'm hoping Embarq is next, and it serves as a lesson to other ISPs.

Verizon data breach report

Verizon Small Business Services released a study of more than 500 data breaches that they were consulted in from 2004 to 2007 entitled 2008 DATA BREACH INVESTIGATIONS REPORT. Whether you can take the findings in here to be an accurate barometer of the state of information security or not is up to you, but I am much more impressed with this report, that anything else I have seen over the last several years. The sample size is a little small, and I have some concern over the source, since I didn’t even know Verizon did this type of consulting. So I am either out of touch, or other people in similar size organizations don’t know this fact either. They did report that 26% of the companies in the survey had at least 1001 employees. The actual segment states 1001-10,000, but since that is a little broad, I will go with my previous assessment and assume most of them are on the low end of this range.
What this report tells us about the state of Information security is that what we are doing, and where we are spending our money is not working, and that although you can write all of the policies you want, you had better make damn sure someone is reading them and following them. Now for my rambling thoughts and highlights of the report.

The report covered a period of 2004 to 2007 and covers 500 incidents. Of course these are only public incidents, and are only incidents where Verizon was involved, so all assumptions are made knowing that this may or may not be representative of the population as a whole.

26% were at organizations from 1001-10,000 employees
22% had 101-1,000 employees, and 30% had 11 to 100 employees

73% of the cases involved external parties as the source of the attack, 39% were the result of partners, and 18% was the result of an insider. The numbers are somewhat skewed in that some cases were a combination of those three leading to a number higher than 100%. I would assume from that that 30% of the cases involved a combination of all three, if my logic and math is correct here. This seems to go against everything we have always heard about insiders causing the largest percentage of losses. I still believe this may hold true and is not reflected in a large number of reports because there is no evidence of insiders performing these breaches, and the companies may not even be aware of them. The more interesting statistic is the high number of breaches due to partners, and when the report looked at the number of records compromised with the probability of compromise, the partners were the biggest risk here, although closely followed by internal employees - 73 to 67 respectively. So we need to have more controls, contractual obligations and monitoring around partners, but the internal threat, when you look at the numbers of records compromised is still a big threat. When the report calculated the number of records compromised form external sources it was dramatically lower than for internal employees (30,000 vs. 187,500). And what was the source of the internal breaches you may ask. 50% of the breaches were caused by IT admins. For the partner breaches, the report stated

“Partner-side information assets and connections were compromised and used by an external entity to attack the victim’s systems in 57 percent of breaches involving a business partner. Though not a willing accomplice, the partner’s lax security practices—often outside the victim’s control—undeniably allow such attacks to take place.”

What is needed here is controls and monitoring of partners, but how much of this will be effective? Making them change their passwords every x days wouldn’t have helped (see previous entry on this from 7/15), and perhaps monitoring wouldn’t have caught this either. What about serious liability statements in the contract with monetary penalties? If vendors are on the hook for not only their losses, but yours as well, might we be able to prevent some of these? Another interesting statistic is that in 16% of the cases where partners were the source of the breach, the deliberate, malicious actions of remote IT administrators were the cause.

One of the most interesting results from the report for me is in figure 12.which illustrates patch availability at the time of the breach. In 71% of the cases, a patch was available for more than a year, and in none of the cases reviewed was there a breach where a patch was available for less than a month. In only 4% of the cases was a patch available for 1 to 3 months. So all of the meetings on the second Wednesday of the month to review the recent Microsoft patch releases are a waste of time, and we should instead be focusing on whether patches are being applied or not across the board. A simple calculation of vulnerability to host ratio will suffice here, and the number should be decreasing over time.

Another stat of note is the review of common attack pathways. In 42% of the breaches, remote access and control was the cause of the breach, and Internet facing systems were the pathway in 24% of the cases, so we again seem to be spending money and time on the wrong thing here. Simply changing vendor default passwords would have most likely prevented most of these attacks.

So once these companies were attacked it took 63% of them months to discover the breach, and 70% of the breaches were reported to them by third-parties, employees ranked second at finding them (12%), event monitoring (4%) and third-party audit (1%). Interestingly enough in 82% of the cases, the victim had the information to detect the breach, but weren’t monitoring the events carefully enough to find them. This tells me that we need to spend more money on security awareness, and develop the monitoring as well as the collection of logs. I would like to know how many of those companies had expensive SIM products in place.

So what can we glean from this report.

1. We need to spend more on basic controls and procedures, and make sure they are being followed
2. We need to make sure employees know where and how to report suspicious activity because it is cheaper than monitoring events and three times as effective
3. If you do collect logs – have some automation in place to alert you
4. Patch as much as you can across the board regardless of when the patch came out
5. Watch your partner connections
6. Know where the data is (66% had breaches of data they didn’t know was on the system)
7. Ensure procedures and policies are being followedMonitor IT admin activity and ensure background checks are performed

Authentication in a B2B environment

I have had a running discussion with a colleague of mine concerning the use of password expiration for B2B sites. We are talking here about partner sites accessed through the Internet to some type of web portal. My argument was that for a B2B site without mission critical or very sensitive data, it does not make sense financially or from a security perspective to require the external organizations to change their passwords or force two-factor authentication. Let's step back for a minute not to the nine solutions, which are running through your head right now, bit to the question of what we are trying to prevent - the question.

We are trying to prevent one of the following:

• An unauthorized person at the partner organization from accessing someone else's account and information, or performing some type of fraud with someone elses account.
• An unauthorized reckless wrongdoer on the Internet from accessing the partner's information, or accessing the target system and doing bad things that cost money to either side.
• Someone leaving partner firm A and going to work for partner firm B and still having their account active.

There are probably several I cannot think of right now, but let's concentrate on these for a moment, and break them down into several risks and address them.

Risk 1 - password cracking by someone internal or external to the partner firm guessing the password.

If the account locks after several attempts, then this will be largely ineffective, and if it doesn't they would be able to script a password cracker that would most likely break the password long before the password was due to change anyways. That is unless you are going to have them change their password daily (good luck with this one). But just use a token you say, then they wouldn't be able to break their password. This is certainly a good solution for very sensitive data, but for a large group of users it gets very expensive, and usually results in the token being taped to the monitor, perhaps with the code attached to it as well. Certificates are another solution, but are not as portable as most people would like and are a bitch to manage and revoke. The more you force a user, especially someone at an external firm who probably doesn't care much about their own company's security and even less about yours to change their password, the more likely the password will be written down on their monitor, or in the clear in a spreadsheet shared by everyone in the company.

Risk 2 - person leaves partner company A and goes to work for partner company B and their account is not disabled.

If the accounts are disabled after x days of not being used then this will have the same effect without causing heartache, and I would argue less security for the people that are logging in.

For what it is worth, here is my take on this, but I would appreciate any feedback on differing opinions.

1. Force users to pick passwords that are forced to be complex (contain no dictionary words, have a suitable length, Upper/lowercase, special characters, etc.)
2. Disable accounts that have not been logged in for more than x days
3. Lock accounts after 5 invalid attempts
4. Only use tokens for very sensitive sites with a smaller number of end users. Since two factor or ten factor authentication won't prevent the trojan installed on Partner A's system from letting the user logon and piggybacking on that connection the whole way to your site.
5. Audit authentication events and trigger alerts on things like several invalid attempts for several accounts being accessed from the same source, or a large number of attempts in a short period of time

In my opinion we either need to force users to change their passwords hourly or not at all. Passwords are ineffective for truly good authentication, but the alternatives are either too expensive, too difficult to mange or both to make good business sense. Furthermore, the strong authentication solutions are ineffective against today's threat, and their advantages are often circumvented by end users due to their difficulties. We need to make it easy enough for users to use without needing to circumvent the controls in place, and use risk analysis to ensure we are placing controls at the correct points to mitigate the problems mentioned earlier. Additionally, when you look at the reports from the Anti-phishing Workgroup, the FFIEC mandates that went into effect at the end of 2006, that included amongst other items, strong authentication has had no effect on phishing.

Targeted web ads

Charter Communications decided against using advanced web ad technology this week that would have allowed Charter to spy on where users were going on the web, and then sell that data to a company called NebuAd so it could provide targeted web ads to Charter subscribers. Of course Charter made this decision because of an outcry from privacy advocates, customers, and Congress. From what I understand of this technology; it is a device that NebuAd places in the ISP's stream to gather data on it's users, and then uses that data to deliver web ads targeted at what they are searching for and what kind of sites they visit. Unlike third-party cookies that you can control on your PC, these would be completely invisible, and would be controlled by the ISP, and the Marketers at these companies. This should definitely scare you a little, and you should check your ISP to make sure they are not contemplating the same, since it would most certainly be a very inexpensive, if not free way for the ISP to make more money on your traffic, as well as invade your privacy. HTTPS would be safe from the prying eyes of this technology, but even then, they could still tell what site you were on, and it is not beyond belief that an ISP would install a certificate into your browser, and set the proxy to their proxy when the nice guy from Craptastic shows up to install the cable modem, and talks someone into installing their CD, on the grounds that "I can't install the modem unless you run this". Once the certificate and proxy was configured, it would allow them to peek into the HTTPS traffic. Marketing folks will say that this is not a big deal, and they are improving the experience for people by only delivering ads they are interested in, but what if a computer is shared and the previous person had been researching medical conditions, mental health information, or some other private matter.

#$%^&*!

Sorry, I fell off the soapbox, and it is getting late.

The Chinese are coming The Chinese are coming

First the story:

WASHINGTON — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China.
Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House and at least one House committee.

Entire Story

Now some guesses as to what might have happened:

Someone found spyware calling a server in China, and have jumped the gun, jumped the shark, and has the opportunity to make a story out of nothing.

Someone found probes from China in the firewall logs, and there were viruses caught on Capitol computers that same day - That's it, we've got them now!

There really was an attack from a Chinese source to a government computer, and knowing the government's record on information security - they somehow managed to breach the security measures in place - shocking!

Not to worry though because

"Wolf plans to introduce a resolution that he says will help ensure protection for all House computers and information systems"

I think we can all sleep a little better now

Security Requirements for Software Development

I bought a new car last year, and being the way I am, I had a list of requirements and repeatedly ran sever cars through the requirements list until I narrowed it down to 5, of which I made my final decision. Things such as: it had to have 4 doors (for the princesses), it had to do 0-60 close to 5 seconds, it had to handle well, look good, and have lots of cool toys inside to play with. Some of theses requirements are easy to evaluate, while some are more subjective. Which brings me to the Information Security connection. In software development projects we are always asked to provide security requirements to the devleopment team that is either in-house or contracted.

"Make sure there are no vulnerabilities that can be exploited" is always one of my favorites, but it is a little vague, and they always seem to want something more concrete. Over the years, I have kept a running list of the items I usually include in those security requirements, so for those of you that are interested, I am including it here. The list is derived from things I have seen in projects and a lot of great external sources such as OWASP, Common Criteria, etc. This list is not meant to be an exhaustive or comprehensive list, but a list that can be used as a base to draw upon when completing these types of requests. you will still need to perform threat modeling, and in depth analysis of the project, and to check that the requirements are being met in the SDLC. If anyone has any updates, suggestions, or corrections, please let me know, and I will update the list.

The link below directs you to a Google Docs page with the doc.

Security Requirements

Thanks

Software vulnerabilities and updates

The Flash vulnerability last week that was initially thought to be a zero day, but was eventually categorized as a known issue that was already patched in the latest flash version got me to thinking. I know what you are going to say, and yes there was initially some smoke, and a slight headache, but eventually I recovered. OS patches are usually up to date on all of my systems, but there are so many ubiquitous applications on systems that there should be an easy way to check if they are up to date. Well Secunia has one. For those of you that don't know about this organization, they have for several years now delivered top notch vulnerability and patching information for any OS or application I can think of for free. Now they have leveraged that database of known insecure programs into both a personal and corporate edition of what they call a software vulnerability scanner. The personal edition is free, and uses their database to check applications on your computer to see if there are known vulnerabilities. The software does not perform a vulnerability assessment, it checks for known vulnerable versions, and in most cases provides a link to download the latest version. The software tries to launch in startup by default, but this is easily changed. Give this a try and you will probably be amazed at the vulnerable applications residing on even the most up-to-date system.

Crane collpases and Information Security

There was another crane collapse in NYC today, killing one person and critically injuring two others, according to CNN. This brings the death toll to 8 people in the last two months just in New York City due to crane collapses. These events are tragic, and they make the issues that we as Information Security and Privacy professionals seem minor by comparison. However, there is a connection between the people in New York that strive to reduce these types of incidents and us. Somewhere in the various departments and agencies in NYC that regulate and inspect these cranes, there are probably several people who have made the argument time and time again that they are understaffed or under budgeted, or that there are not enough controls in place to prevent these types of incidents. Unfortunately, it takes one of these incidents to obtain increased funding and controls that should have been in place in the first place. The same thing happens in InfoSec and Privacy. We all tell management (and anyone else who will listen) things like:

We need to install x to reduce the risk of y
We need to do x to minimize the risk y
We need a review or addition of controls
We need more staff
We need more budget

Unfortunately, it takes an incident like this to produce change and to get enough attention on a topic that something is done. There is one other constant between these subjects. Whether it is a crane collapse, or a DNS takeover for a giant cable provider - there will be a fall guy to blame for both of these.

Rock On

Stupid security trick of the month

The following story was reported by the Memphis News. Hopefully, some lawmakers in Nashville will ask their 12 year old about the Internet before creating anymore useless legislation that deals with technology.

[Memphis News]
Starting July 1st, Tennessee sex offenders are required to report their e-mail addresses, user names, and screens names to Tennessee’s Sex Offender Registry. Lawmakers created the new requirement for sex offenders during this year’s legislative session in Nashville. Police say the requirement will make it easier for them to spot sex offenders trolling for prey online.

Anti-virus not keeping up?

According to Panda Software there was a tenfold increase in the number of new malware strains detected in 2007 compared to 2006. More than 3,000 per day were detected in 2007. I don't have to tell you that with that many new malware strains, each day that your A/V software will, well, "strain" to keep up. The days where A/V signatures could be updated daily, or every couple of hours are simply gone, and even if you could update them every 5 minutes, the signatures simply aren't there to cover all of the new threats. Never mind the impossibility of updating signatures across thousands of systems on a network constantly. Some companies are working on behavioral based A/V like ISS. They take all of the common traits found in viruses and malware and try to stop the code based on behavior. In theory you would then only have to update the behavioral signature when a new malware strain does something you have not seen before. Almost all of the thousands of new malware strains a day do basically the same thing, but thanks to morphing and subtle differences, they are not always detected by traditional signatures. The behavioral model is not perfect either, since it suffers from false positives, just as IDS/IPS signatures do.

So what to do?
Defense in depth is called for here.

Systems need to be patched to minimize the attack surface
System administrators need to minimize the places users can get one of these files through the web, e-mail, IM, etc. by using content filtering.
Reduce or remove the number of local administrative users
Watch what is entering and leaving the network
Run IDS/IPS on endpoints as well as the network
Run A/V and update it often
Watch for registry changes
Run virtualization, so cleanup becomes much easier, and infections become temporary (hopefully)

REAL ID

I have sent several e-mails to DHS to protest the REAL ID system. For those of you that don't know, it is a system that will require more documentation to obtain a driver's license, and will store all of this information in a huge database that the Government will control and centralize. If you just did a shiver, congratulations you have a pulse and a brain. DHS announced today that they are pressing ahead with this, despite the opposition of several states. I urge everyone to send their comments to DHS at oscomments@dhs.gov with the docket number of DHS-2006-0030 in the subject. You can also check whether your state has, or is considering legislation against REAL ID at http://www.realnightmare.org/actioncenter/15/

My arguments against REAL ID are below.



It WILL NOT make us more secure.

The REAL ID can and will be forged, likely within hours, and the documents used to obtain one can be forged as well. None of the 9/11 hijackers, the Unibomber, or Tim McVeigh would have had any issues obtaining one, or they would have simply stolen the identity of someone else and obtained one. We should be spending money on awareness for security individuals at the airport so they can identify real security issues, and make sure there are solid procedures in place to prevent the breakdown of the physical protection systems.

Having a large database with all of this concentrated data in one location will make it much easier for an external hacker or an insider to obtain the data nicely in one location.


Identity does not equal security
Knowing who someone is, does not make it any easier to determine their intentions


There are more important issues we can spend money on that WILL make us more secure. Most of the arrests and "prevention of another terrorist attack" have been the result of good intelligence and good police work. We should instead spend our money on intelligence and our police departments.

ISP filtering for copyrighted material

The New York Times is reporting today that "several representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level" the report came from a panel discussion at CES 2008. James Cicconi, senior vice president, external & legal affairs for AT&T reported in the story that “What we are already doing to address piracy hasn’t been working. There’s no secret there.” Really! -well I know from experience that most ISPs are no good at preventing a DDoS attack either, so why don't you get your people to start there, and once you've conquered that, you can try the music thing. ISP's are unable or unwilling to take any measures to prevent Botnets form running on their network or computers on their network from sending spam or DDoS attacks, but they are interested in preventing the downloads of music. I guess there is just not enough money, or the possibility of increasing their bandwidth to worry about truly malicious traffic on their links. Either of these prospects would be almost impossible to architect on a scale that the backbone operators run at, and I would definitely not want to be the person managing the false positives for either. The music industry is changing, and the old delivery methods will someday be a thing of the past. the music industry and the ISP's that will be the delivery method of the content need to come up with a less Draconian means of meeting the needs of their customers besides capturing their traffic and deciding if it's "OK". What's next, banning nude pictures, banning executables that may or may not be pirated software. The Internet Police will pull you over "OK Mr. Comedian, do you have a key for that version of Word".

One more note - encryption will take care of any filtering they are planning to use, or are they planning on banning that too?

Risk Assesments and Crying Wolf

The issue with the Iranian Revolutionary Guard and the US Navy got me thinking about an article I wrote several years ago regarding how little risk Iraq posed to the United States. In summary, Iraq posed little risk to the United States, and if George Bush, and Congress made these decisions based on a risk assessment and had to prove that expenditure dollars would be spent in the areas that posed the highest risk to our country, we wouldn't be in the situation we are now. I am not saying getting rid of a dictator who killed his own people is a bad idea, it was just sold to us in the wrong way, and did not need to risk as many young lives as it has. Now we find ourselves in a similar situation with Iran. Iran definitely poses a threat to its neighboring nations, and they need to determine the risk to their countries, and enact controls and countermeasures to reduce that risk. Going back to the risk assessment for our country, I would argue that Iran poses little threat to our country due to the distance, and our countermeasures - see Jane's directory for current US arsenal. The issue on Tuesday of this week DID pose a real threat to the US ships in the area, and they had every right to turn the boats and the people aboard into shark hors d'oeuvres. I won't comment on whether the event really happened, was staged, or any of that because there are very few people that actually know, and I am not one of them. This now brings us to the point where the President is claiming that Iran is a threat to world peace and everyone needs to realize that. Hmmmm where have we heard this before, and why don't I believe you. I truly hope that Iran is not a threat to the world, and does not take any actions to make itself so, but if they are, it is going to be much harder for us to sell this to the World given our current track record with threat analysis.

Now comes the tie to Information Security.

Solid risk assessment and only remediating and professing the need for money to address high risk issues first ensures our words are heard and respected. Anything else makes us the Boy who cries wolf, and dilutes the message and importance.

2008 the year of documentation and processes

Over the last several years in Information Security, we have all heard the year of's

The year of PKI
The year of Identity Management
The year of Intrusion prevention
OK - you get the point

These all sound so good, and easy, just install x and all of your problems will be solved. However, we all know it is never that easy, and that most "silver bullet" solutions require that the underlying processes, and information they are meant to protect must first be understood, documented, and classified form a risk perspective. This is where most of these solutions fail to provide the protection and ROI that the salesperson will tout in their presentation. Ignoring the boring and long process of understanding where the data is that we need to protect, and how that data is used will certainly lead to security dollars being applied incorrectly, or over or under spent in certain areas. Documentation is not fun, and it is not as impressive to present to management as product x, which can be much easier to illustrate - see Mr Chairman, it is right here in this box with the pretty lights. However, only by understanding where the data is and how it is used, can we set about protecting such a valuable asset. Process documentation and procedural adherence to the processes and policies, has a measurable impact on the organization:

• It keeps the auditors happy
• It makes IT, and the business as a whole more efficient
• When something does break down in the process, it is less of a mystery to discover what broke

So I am proposing that 2008 is the year of documentation and processes - now doesn't that sound exciting?