<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-31280098</id><updated>2024-09-09T00:53:55.917-06:00</updated><category term="security"/><category term="Patch Management"/><category term="patching"/><category term="computer maintenance"/><category term="troubleshooting"/><category term="self help"/><category term="vulnerability"/><category term="patch testing"/><category term="Employee Responsibility"/><category term="humor"/><category term="Windows"/><category term="certifications"/><category term="defrag"/><category term="email"/><category term="A+"/><category term="CompTIA"/><category term="FireFox"/><category term="IE7"/><category term="Internet"/><category term="MCP"/><category term="MCSA"/><category term="Microsoft"/><category term="Network+"/><category term="OS"/><category term="attack"/><category term="blackberry"/><category term="hackers"/><category term="laptop safety"/><category term="organization"/><category term="pda"/><category term="physical security"/><category term="risk assessment"/><category term="router"/><category term="scandisk"/><category term="social engineering"/><category term="spam"/><category term="spyware"/><category term="stupid people"/><category term="threat"/><category term="training"/><category term="travel"/><category term="virus scan"/><category term="vulnerability scanning"/><category term="Internet Explorer"/><category term="McAfee"/><category term="SANS"/><category term="TechEd 2007"/><category term="UltraVNC"/><category term="Vista"/><category term="Windows Defender"/><category term="XP"/><category term="ZoneAlarm"/><category 
term="antivirus"/><category term="best practices"/><category term="browser"/><category term="certification and accreditation"/><category term="computer"/><category term="consultant"/><category term="control"/><category term="cyber-security"/><category term="data recovery"/><category term="daylight saving time"/><category term="defense-in-depth"/><category term="disk cleanup"/><category term="dst"/><category term="due diligence"/><category term="education"/><category term="electricity"/><category term="expert"/><category term="family"/><category term="federal"/><category term="firewall"/><category term="fisma"/><category term="flash drive"/><category term="geek"/><category term="guru"/><category term="hacking tools"/><category term="hotel"/><category term="identity theft"/><category term="impact"/><category term="information assurance"/><category term="job search"/><category term="lockups"/><category term="malware"/><category term="modem"/><category term="networking"/><category term="nist"/><category term="obama"/><category term="omb"/><category term="operatig system"/><category term="organized"/><category term="personal firewall"/><category term="personally identifyable information"/><category term="pii"/><category term="policy"/><category term="porn"/><category term="power protection"/><category term="predators"/><category term="preventive maintenance"/><category term="programmer"/><category term="reboots"/><category term="recycling"/><category term="remote computer management"/><category term="risk management"/><category term="social networking"/><category term="tools"/><category term="twitter"/><category term="upgrade"/><category term="users"/><category term="virus"/><category term="viruses"/><category term="web browser"/><category term="welcome"/><category term="wireless"/><category term="worm"/><title type='text'>Gonzo&#39;s Garage - Computers and One-Liners</title><subtitle type='html'>A site for information and discussions about computers, computer security, 
computer maintenance, and responsible computer use.  Some of it, you probably don&#39;t want to hear, but I&#39;m gonna tell you anyway...</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default?start-index=26&amp;max-results=25'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>49</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-31280098.post-3227336281312057845</id><published>2009-05-31T13:27:00.011-06:00</published><updated>2009-05-31T13:50:00.173-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="control"/><category scheme="http://www.blogger.com/atom/ns#" term="cyber-security"/><category scheme="http://www.blogger.com/atom/ns#" term="obama"/><category scheme="http://www.blogger.com/atom/ns#" term="social networking"/><category scheme="http://www.blogger.com/atom/ns#" term="twitter"/><title type='text'>Recent Observations in Information Security:</title><content type='html'>&lt;div style=&quot;text-align: 
justify;&quot;&gt;Seems like my computer security related articles are indeed getting fewer and far between. It’s not that I’ve been too lazy to write. On the contrary - I’ve been writing frantically about issues related to our freedoms, standing up for values and principles, and in particularly supporting gun rights efforts. Regrettably, I just haven’t had the chance outside of my full-time computer security professional life lately to concentrate on my “geek” side during my off time. In the time since the presidential inauguration, our administration of “hope and change” has been catapulting our country towards destruction at an extremely accelerated pace. We are marching towards what some say is socialism, I personally believe we are headed toward fascism and totalitarianism, greater government control – control which is even affecting the computer security profession. You’ll see what I am talking about shortly. I wasn’t made to be a socialist or a slave, so my endeavors have indeed taken me in other directions over the past year or so. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;So, I thought I would make a fervent effort to make some time and finally get back to you about some [computer security] issues that I have been involved in lately. This article will be a smorgasbord of issues, but there really are a lot of things going on in our profession worth mentioning. So bear with me, be prepared to shift gears frequently, and just use these things as food for thought for your own IT environments. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;strong&gt;Administrative Rights on Computers:&lt;/strong&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;One thing that has become obvious: Users who operate their computers regularly with administrative rights are more likely to be infected with malicious software. 
One statistic given by a well-known computer security organization indicated that of all the exploits out there, greater than 90% cannot infect a machine if the person logged in is running as a limited user. Considering the thousands of exploits out there, this is a significant number. Keep in mind that this is a mitigation, not immunity: malware that does not need administrative rights can still run in the user’s own context and reach that user’s files and saved credentials, so least privilege is one layer of defense, not a substitute for patching and anti-virus. I know that many people have expressed concern that they won’t be able to perform their jobs, or do simple tasks such as install printer drivers or other software.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;em&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(51, 204, 0);&quot;&gt;My answer to that is to:&lt;/span&gt;&lt;/strong&gt;&lt;/em&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;1) Create another user that has admin privileges on the computer, and only use that account when it is necessary to do so.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;2) Use the “Run-As” function (if using Windows XP) wherever possible. You can “run-as” the user created in 1) above. In Windows Vista, the User Account Control (UAC) function handles the elevation prompt for you. Note, however, that UAC prompting an account that is itself an administrator is weaker than a true standard-user account with a separate admin account, so step 1) still applies under Vista.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;3) If you are in a large corporate environment and need to manage many users from a centralized location, consider using something like BeyondTrust Privilege Manager (&lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://www.beyondtrust.com/&quot;&gt;http://www.beyondtrust.com/&lt;/a&gt;).&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;4) If you’re not willing to do 1) – 3) above, then don’t ever connect to the Internet ;)&lt;br /&gt;&lt;br /&gt;I have been running without administrative privileges on my computers for a long, long time now, and I can tell you that I have not been inconvenienced one bit. I also haven’t been compromised or infected, either. 
After getting tired of my kids downloading stuff and getting infected with tons of viruses, resulting in countless machine re-imagings, I took away their admin privs also. Haven’t been bothered by them calling me because of another virus warning in quite awhile now.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;strong&gt;Policies, Procedures, Documentation, and Auditing:&lt;/strong&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;In my recent involvement in certification and accreditation of information systems, the most prevalent reason I am finding why systems are experiencing weaknesses in meeting information security controls is due to lack of documentation, procedures, and policies. It is not enough to simply “say” that you are doing something to mitigate information security weaknesses.&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67BvFGR8h6hWGcMFJqECskDqiXXgifTYHueYl2mCv4lZqKBDjnkPdIvoq3T1kSrIiFyLL_xe64PIAlOEcuMqNn7Lt51UB_SsiijBApgjVFJBCydTrN7gLYv8kl_gSQoMQEryh5w/s1600-h/policies-image.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 119px;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67BvFGR8h6hWGcMFJqECskDqiXXgifTYHueYl2mCv4lZqKBDjnkPdIvoq3T1kSrIiFyLL_xe64PIAlOEcuMqNn7Lt51UB_SsiijBApgjVFJBCydTrN7gLYv8kl_gSQoMQEryh5w/s320/policies-image.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5342076012555888242&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(51, 204, 0);&quot;&gt;&lt;strong&gt;You must be able to prove that you have the 
following:&lt;/strong&gt;&lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;1) A policy in place telling you that a certain function is to be performed, how often to perform it, and by whom it is to be performed. This policy needs to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;2) A standard operating procedure (SOP) that describes how to perform the procedure consistently. SOPs need to be specific and include detailed steps for the entire process from start to finish. The SOP will serve as a checklist to ensure consistent procedures are accomplished, and also as a guide for someone who is performing the procedure for the first time. Make sure to include references, acronyms, and definitions in addition to procedural steps. The SOPs need to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;3) Documentation that shows regular security control test and audit results. You need to be able to show that your policies are being tested and followed, and that SOPs are being used. The actual test results need to be securely stored. Remember – these test results are a window into any weaknesses that exist in your environment. Only people with the “need to know” should have access to these test results, and access to them should be logged so you can show who has seen them.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;4) Third-party auditing. Do your own in-house testing, but periodically hire a third-party, independent entity to come in and evaluate your testing procedures and your testing results. In many organizations, such as the one in which I work, periodic third-party independent testing is required by law. 
This is known in my industry as “security certification and accreditation” (soon to be known as “Security Authorization” when NIST 800-37 Revision 1 is published). In health and financial organizations, they usually have similar laws. Security certification and accreditation is performed every three years, and in-house security self-assessments are performed annually.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Social Networking and Security:&lt;/span&gt;&lt;/strong&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;There is an ever growing conundrum between the need to be secure and the need to use social networking tools to reach customers and co-workers. Even government agencies are realizing the benefits of using social networking sites such as FaceBook and Twitter to reach out to their constituencies. But corporate security teams are also fighting the security issues and the network bandwidth consumption issues that go along with it. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(51, 204, 0);&quot;&gt;There are a number of things that need to be considered if these tools are to be used in the workplace:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;1) User education&lt;br /&gt;2) Making sure computers are patched and virus signatures up to date&lt;br /&gt;3) Making sure your users are NOT running with admin privileges&lt;br /&gt;4) Monitor your network for bandwidth consumption – if it gets to be too excessive, and can be attributed to traffic on these social networking sites, your management may want to rethink their decision to allow this in the workplace.&lt;br /&gt;5) Monitor usage of other software. 
If your users get the message that social networking sites are OK, then they may also get the impression that file-sharing and peer-to-peer applications are alright as well. These tools can have devastating consequences on your network and security posture.&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaQilsu_VnMH00-uqHvmQ9FenxnjSWSG31FwAGf8out_0CD9W-N9TjqyzYoAB0x8QUqgAgIxzlstRSDMKDEpXQc4oD6Li45oM5qpteBl6_hFeHaa-Qy7aT9nfa-ynX7onzc0ikBg/s1600-h/twitter-cartoon_1.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 280px; height: 320px;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaQilsu_VnMH00-uqHvmQ9FenxnjSWSG31FwAGf8out_0CD9W-N9TjqyzYoAB0x8QUqgAgIxzlstRSDMKDEpXQc4oD6Li45oM5qpteBl6_hFeHaa-Qy7aT9nfa-ynX7onzc0ikBg/s320/twitter-cartoon_1.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5342075804721907746&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;US-CERT has an excellent article on social networking: &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://twt.gs/n8z4m&quot;&gt;http://twt.gs/n8z4m&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;NetworkWorld Magazine has a good article with some slide shows on social networking security issues: &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://twt.gs/75e1G&quot;&gt;http://twt.gs/75e1G&lt;/a&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Cyber-Security in the White House?&lt;/span&gt; &lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;/span&gt;&lt;/strong&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Have to get back on my political 
soapbox for this one. One of the Obama Administration’s endeavors is to move certain tasks out of the departments of the experts who do these things and into the White House. For what reason is Obama doing this? I can only assume it is for the purposes of having more control. The census was moved from The Department of Commerce to the White House. President Obama wishes to move cyber security from The Department of Homeland Security (DHS) to the White House as well. I have no idea why. The DHS, of which &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://www.us-cert.gov/&quot; target=&quot;_blank&quot;&gt;US-CERT&lt;/a&gt; is a part, have an exceptional team of experts who monitor our Internet for malicious activity, and are in touch with the experts who can help us to mitigate damage caused by the many malicious processes out there. Are they going to move all these workers to the White House? I guess the regular Wednesday night pizza parties at the White House are going to really be hopping affairs. Wonder if the Obama kids will let the US-CERT folks play with the dog. As you can tell, I am adamantly against this. The White House is no more adept at managing computer security than they are at running car dealerships and banks. Now you know why I am spending so much time writing about political issues instead of technical issues. 
This administration is out of control, in my opinion.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin3uJkWv5rBiogakTsSTDJ2O85m3PZFoS3Kp7eAMhNRY31m7YmRlC1AEnAi9sL9mzWLD2QxPNcoEZzmYNQKIhkRegsiBHBe7D7E4hiyLq1O7TK356kU34v-0azWf4PWS9ll6u0lQ/s1600-h/obama_cyber_security.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 210px;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin3uJkWv5rBiogakTsSTDJ2O85m3PZFoS3Kp7eAMhNRY31m7YmRlC1AEnAi9sL9mzWLD2QxPNcoEZzmYNQKIhkRegsiBHBe7D7E4hiyLq1O7TK356kU34v-0azWf4PWS9ll6u0lQ/s320/obama_cyber_security.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5342075303505998402&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;Obama is about to appoint a new cyber-czar. You do the math on this one folks. 1. This is an appointed position, does not have to be confirmed. 2. This new “czar” (wasn’t czar a popular Russian title?) will answer only to the President himself. 3. This position is going to be strictly controlled by the White House. 4. The Obama administration wants to bring back the Fairness Doctrine to get all of the conservative talk shows off of the radio. 5. Talk show personalities such as Tammy Bruce have already started moving portions of their show to streaming Internet sites (Tammy’s weekend roundup show, of which I am a HUGE fan, will only be heard on streaming Internet beginning June 6, 2009. 6. Obama wants to control every aspect of these people’s ability to broadcast. 7. The Obama Administration has already deemed all conservatives and gun owners to be “Right-Wing-Extremists.” 8. 
The peaceful “New Revolutionary War” has already begun, and it is taking place with conservatives burning up the Internet with warnings of the dangers that going down this path is going to bring us.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(51, 204, 0);&quot;&gt;Prediction:&lt;/span&gt; This new czar will have nothing to do with focusing on computer security, unless you consider censoring conservative blog sites, conservative streaming talk shows, gun clubs, the NRA and other pro-gun web sites, and tea party web sites as having to do with “security.” Gee – wasn’t this done in Germany quite awhile ago? Censoring freedom of speech and controlling information on the Internet is Obama’s sole agenda for this new czar. Stay tuned folks – this could get scary. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;“Obama addressed concerns that the person might not have the budgetary and policy-making authority needed to force change. The coordinator, he said, will have &quot;regular access to me.&quot;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Source: &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://twt.gs/VJD6a&quot;&gt;http://twt.gs/VJD6a&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Wrapping It All Up:&lt;/span&gt;&lt;/strong&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Don’t be surprised if it’s awhile before I write my next computer related article. I will try my best to keep you informed, but things in our country are just moving too quickly. 
Much of my time these days is spent building my 9.12 Project’s web site, adding new technologies to my gun club’s web site, and generally burning up the Internet on &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://www.twitter.com/trintragula&quot;&gt;Twitter&lt;/a&gt; and my [political] blog sites with my opinions on how Obama and his ilk are ruining our country. As much as I love my chosen profession, I am even more passionate about my country and getting America back on track. Popular rhetoric would have you believe that our country needs to be “re-made.”&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Re-made into WHAT, exactly? I say that we need to RESTORE our country. If we don’t restore America to what she was designed to be, nothing else in this profession will matter, in my opinion. For all you fellow conservatives out there, keep up the good fight. And for all you slobbering Obama supporting progressive radicals out there – how are his policies working out for you? Well – you’ll get back to me when you’re paying federal sales tax on all your goods, can’t get to many Internet sites any more, are being told what kind/color of cars you can drive and all that right? 
By the way – congratulations to all you fellow owners of GM.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/3227336281312057845/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/3227336281312057845?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3227336281312057845'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3227336281312057845'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2009/05/recent-observations-in-information.html' title='Recent Observations in Information Security:'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi67BvFGR8h6hWGcMFJqECskDqiXXgifTYHueYl2mCv4lZqKBDjnkPdIvoq3T1kSrIiFyLL_xe64PIAlOEcuMqNn7Lt51UB_SsiijBApgjVFJBCydTrN7gLYv8kl_gSQoMQEryh5w/s72-c/policies-image.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-3197413461945493721</id><published>2008-05-06T21:54:00.009-06:00</published><updated>2008-12-09T18:20:51.076-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patch testing"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category 
scheme="http://www.blogger.com/atom/ns#" term="physical security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability"/><title type='text'>Why Patch Management is a Moving Target</title><content type='html'>&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Whether you use a centralized patch management system for your organization or rely on less sophisticated measures such as manual patching, you will often find that patch management is a constantly moving target. Patch management is a fundamental security task, yet it seems to be one of the hardest in which to achieve a consistently high security “score.” And patching is only part of the issue. Reporting metrics that allow you to see tangible results are not always easy to obtain.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;The data required for many measures of cyber-security health or “scorecards” is often more readily pulled from a centralized system, and often organizations wish to report how many nodes have 100% of their security patches installed. This can include a very large number of devices, depending on the size of your organization, including servers, desktops, routers, and switches. It also makes sense to focus reporting efforts on patches that are 30 days old and older, and that have not been superseded or replaced. The reason is that you are still testing the newest patches, and if you are in a very large organization you have not yet had time to fully deploy all the new patches. Treat that 30-day window as a reporting convention, not a deployment deadline: a patch for a vulnerability that is already being actively exploited should be expedited regardless of its age. Additionally, the older the patch, the greater the risk if that hole is still not closed, since exploit code for older vulnerabilities is more likely to be publicly available. 
Plus, it doesn’t make sense to include patches that have been superseded by newer patches, as your scoring metrics would give erroneous results if those patches were included.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;The purpose of this article is to address an example of an organizational patch status improvement effort and illustrate findings of an experiment to improve these patch statuses. This project was specifically aimed at the Microsoft specific security patches for the Windows XP Professional operating system, and all references to patches in this article will be geared toward those patches. This report will discuss the findings of that project, and describe ways that other programs can use to improve their own patching statuses. The results and recommendations are geared toward a fairly large organization. Your mileage may vary.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(255,102,0)&quot;&gt;The Project:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;I and my team recently performed an analysis of patching statuses to determine how to improve patch statuses for our entire organization. We belong to a fairly large organization with many business units, each business unit having their own IT staffs that manage their computers. One of the goals of this project was to look at ways to improve patching statuses and to document specifics concerning any anomalies that were found. By pushing out specific types of patches, and analyzing the results of those patch deployments, I was able to put together some strategies to help others with their own patching efforts. 
The analysis of patching efforts was performed as follows:&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;1) Concentrate on the &quot;low hanging fruit&quot; by focusing on the Microsoft critical security patches that are greater than 30 days old, and with the highest incidences of &quot;Not Patched&quot; statuses. This was done in phases:&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;COLOR: rgb(255,255,0)&quot;&gt;Phase 1:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt; Push out the outstanding Microsoft Office Service Packs plus Windows Defender signature files. These were chosen because they represented the largest number of un-patched vulnerabilities in the environment, as seen in the image below:&lt;br /&gt;&lt;/div&gt;&lt;a href=&quot;file:///C:/Documents%20and%20Settings/wflinn/My%20Documents/My%20Web%20Sites/gonzosgarage.net/computers/images/patch_image_0.jpg&quot;&gt;&lt;/a&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: center&quot;&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-9G-NvRxoIgBESUIe0IAuUom7yM1jqfld8gbXcKTsc1zsgLETyZu8PGA-b3Nx30pAqr7VjQKkyVirciHQKyQtDppSdXURNoCgB_WY0PnyPIuwThnmO9mReSVhdYrWwMjH-lFToQ/s1600-h/patch_image_0.jpg&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5197482827742093730&quot; style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: pointer; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-9G-NvRxoIgBESUIe0IAuUom7yM1jqfld8gbXcKTsc1zsgLETyZu8PGA-b3Nx30pAqr7VjQKkyVirciHQKyQtDppSdXURNoCgB_WY0PnyPIuwThnmO9mReSVhdYrWwMjH-lFToQ/s320/patch_image_0.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;COLOR: rgb(255,255,0)&quot;&gt;Phase 
2:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt; Push out the new Office patches offered as a result of Phase 1 completion above. This is important because applying a service pack will usually result in the computer needing additional patches that apply only to the new service pack level on the machine.&lt;/div&gt;&lt;p align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;COLOR: rgb(255,255,0)&quot;&gt;Phase 3: &lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;Push out the top 5 &quot;not patched&quot; patches resulting from phases 1 and 2 above.&lt;/p&gt;&lt;p align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;COLOR: rgb(255,255,0)&quot;&gt;Phase 4:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt; Push out any remaining patches as appropriate. &lt;/p&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;2) Identify patches that are deploying successfully, but are not showing as &quot;Patched&quot; in our patch management system. This will include independently verifying that the patch is actually applied by using Microsoft Baseline Security Analyzer (MBSA) and Windows/Microsoft Update, rather than trusting the deployment tool’s own status.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;3) Compile a list of patches that are having deployment detection signature problems and submit it to the patch management system’s engineering team for assistance with detection signatures.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;4) Identify computers on the patch management system that are not checking in to get their patches. 
This will include looking at deployment reports to see which computers have not checked in within 24 hours after the deployment has been sent.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(255,102,0)&quot;&gt;Findings:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;As shown in the image below, patching statuses tend to fluctuate dramatically from day to day. This can be caused by machines falling in and out of patch status due to new patches being released to replace older versions of the same patch. For example, the Windows Defender DAT files are released approximately every three days. Rather than releasing a new patch each time, our patch management system simply replaces the existing patch with a new revision of the same patch. As the new revision is released, the computers fall out of patch status because they have the older DAT files. 
As the IT staffs push out the DAT files, the patching statuses go back up.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: center&quot;&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-GSzsVkn8-OgEGd4jRxR9euCSIEP0N20X0HIbhTxQNpzu2cnmG3uanh4vE0ZsSohPw_eiFncbmk7DYHEutiyxAY8AHMGGc_4Nq4nV9mDWS0zGbY5YH4799lXkvaXJDKImZaDB2Q/s1600-h/patch_image_1.jpg&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5197483098325033394&quot; style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: pointer; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-GSzsVkn8-OgEGd4jRxR9euCSIEP0N20X0HIbhTxQNpzu2cnmG3uanh4vE0ZsSohPw_eiFncbmk7DYHEutiyxAY8AHMGGc_4Nq4nV9mDWS0zGbY5YH4799lXkvaXJDKImZaDB2Q/s320/patch_image_1.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Some more specific examples of patching issues include:&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;FONT-WEIGHT: bold; COLOR: rgb(255,255,0); FONT-STYLE: italic&quot;&gt;Patches That Change Frequently:&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;The Microsoft Windows Defender DAT Files: These definition files are released by Microsoft approximately every three days. Since they are categorized as Critical-01 patches, they cause the patch statuses to fluctuate significantly every time they are released, and then again when they are subsequently deployed. This patch was the single largest reason why patch statuses greatly fluctuated from day to day. 
&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;FONT-WEIGHT: bold; COLOR: rgb(255,255,0); FONT-STYLE: italic&quot;&gt;Patches That Cause Other Patches to be Applicable:&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Service Packs: Once installed, these patches tend to make the computer detect as needing additional patches. Some patches may only apply to a newer service pack level, and were thus not applicable to the machine until the latest service pack was installed.&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;FONT-WEIGHT: bold; COLOR: rgb(255,255,0); FONT-STYLE: italic&quot;&gt;Patches With Deployment Issues:&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Microsoft Office Patches: These patches in particular were found to have a number of difficulties when deployed. In some cases, the patch is deployed, and completes successfully according to the patch management server’s deployment status. Even though the patch deployed successfully, the patch did not apply because it produced an error message that it could not find the Office installation files. In other cases the patch fails, for the same reason as stated above. Ensuring that the installation files have not been removed manually, or through the Disk Cleanup procedure typically resolves this issue. In some cases, it was necessary to uninstall and reinstall Microsoft Office, again ensuring that the Office Installation files are not removed.&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Microsoft .NET Framework 1.1 SP1: This specific patch typically fails when being deployed. The reason for failure was found to have been on computers that also have the .NET Framework 1.1 Hotfix (kb928366) installed. The resolution is to go to Add/Remove Programs and remove this hotfix, deploy the .NET Framework 1.1 SP1 patch. 
The computer will then likely show up as needing the MS07-040 patch. Deploy MS07-040 if needed.&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;FONT-WEIGHT: bold; COLOR: rgb(255,255,0); FONT-STYLE: italic&quot;&gt;Patches With Detection Issues:&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;MS08-018 for Microsoft Project: This patch is not supposed to apply to versions of Project 2003 that have service pack 3 applied, but our patch management system incorrectly identifies the computers with Office 2003, SP3 as needing it. This is still an open issue with engineering and will hopefully be resolved soon.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;FONT-WEIGHT: bold; COLOR: rgb(255,102,0)&quot;&gt;Patch Management System Housekeeping Issues:&lt;/span&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;If you are using a centralized patch management system, and you are using the various reporting features to obtain your patch statuses, then it is important to take a look at housekeeping. One important thing I found in my testing was that simply deleting stale accounts out of the patch management system increased patch statuses.&lt;br /&gt;The below image is an example of how much difference in patching status can be achieved just by doing housekeeping and nothing else. 
The patch status for the month of April was taken at the end of the month, and the patch status being shown for May was taken at the beginning of the month after clearing out all the dead computer accounts:&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: center&quot;&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv7sZP-zTgnruVd1zDTNdaGD_oG9eBoczFPdGKoR2cSXBuXK39IwVXgDLsFMSUkowStf2hmj3JIK4B8qlx9eIwCGlnkr3dzr1K1Hu7fh70eKToczgjvUyafVJfJrky1eRLNbH2EQ/s1600-h/patch_image_2.jpg&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5197483313073398210&quot; style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: pointer; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv7sZP-zTgnruVd1zDTNdaGD_oG9eBoczFPdGKoR2cSXBuXK39IwVXgDLsFMSUkowStf2hmj3JIK4B8qlx9eIwCGlnkr3dzr1K1Hu7fh70eKToczgjvUyafVJfJrky1eRLNbH2EQ/s320/patch_image_2.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;The result was that patching statuses for every business unit (BU) except one improved, with an overall improvement going from 42% to 58% just by clearing out dead computer accounts.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(255,102,0)&quot;&gt;Recommendations for Improving Patch Statuses:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;If you are a large organization, use a centralized patch management system. The ability to gather data on the whole organization is vital to enabling you to keep track of gaps in patching efforts. 
&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Make sure that your centralized patch management system is being properly maintained, in terms of housekeeping. Get those stale computer accounts out of there.&lt;br /&gt;Start small. Break your patching efforts into pieces, and go for the “low hanging fruit” first. Look for the patches where the most computers need them, and start there. If you have a lot of these in your environment, break them up into groups and deploy them over several deployments if needed. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Test, test, test! If you are trying to bring an entire organization up from a dismal patching status, don’t try to push them all at once, and be sure to perform testing to discover whether any patches break anything. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;When pushing out service packs or roll-ups, be aware that installation of a patch of this type will often result in additional patches being applicable that were not applicable previously because of the new configuration. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Monitor patch deployments and subsequent detection results. In cases where patches deploy successfully but detect as still not patched, check to see what error messages are occurring during the deployment. In the case of Microsoft Office patches erring out, for example, ensure that the Office installation files have not been inadvertently removed from the computer.&lt;br /&gt;Develop a patching routine and communicate it to your end users. Get them used to the fact that you will usually be pushing out patches the same night of the month (if they are in your central offices) and to leave their computers on that night. 
For remote users that receive their patches through your centralized patching system, make sure they are aware that patches will be coming to them on a certain day and give them instructions for how to properly receive the patch: &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Example: &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;When coming in through the corporate VPN to replicate email or other databases, ensure they leave the computer on long enough to receive patches on the day you deploy them.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(255,102,0)&quot;&gt;Other Follow-up Action:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Remember: Patch management is not something that you do once to get caught up and then forget about. You have to treat patching as a constantly moving target, and always follow up on patching efforts. Get into the habit of always keeping an eye on patch statuses and results of patch deployments.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Determine if an application is the mandated or authorized solution to be used. Sometimes you find that you are chasing patches for products that are no longer in use, or perhaps not even authorized on your systems. Why patch a product that isn’t even needed? Removing it is more secure and less time consuming than patching it.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Continue to monitor patching efforts and publish lists of those patches which remain as the most likely to be causing degraded patch status.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Assist IT staffs with troubleshooting computer detection, discovery, and patch assessment issues that may exist. 
It could be that the patch assessments on a certain machine are out of date and no longer accurate.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Monitor patch management and security discussion forums such as the &lt;a href=&quot;http://www.patchmanagement.org/&quot; target=&quot;_blank&quot;&gt;patchmanagement.org&lt;/a&gt; listserv. If a particular patch is causing breakages or deployment issues, this is where you will find out about it the quickest.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(255,102,0)&quot;&gt;Wrapping It All Up:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Getting a handle on patching statuses can be a real challenge for a large and geographically dispersed organization. A centralized patch management system can greatly assist your efforts, particularly if you are in a large organization. Break your patching effort up into phases, and go for the “low hanging fruit” to get caught up. 
Be sure to continuously monitor deployments and patching statuses, and address issues where the deployments are not starting as they should, or the patch is not detecting as it should.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/3197413461945493721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/3197413461945493721?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3197413461945493721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3197413461945493721'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2008/05/why-patch-management-is-moving-target.html' title='Why Patch Management is a Moving Target'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-9G-NvRxoIgBESUIe0IAuUom7yM1jqfld8gbXcKTsc1zsgLETyZu8PGA-b3Nx30pAqr7VjQKkyVirciHQKyQtDppSdXURNoCgB_WY0PnyPIuwThnmO9mReSVhdYrWwMjH-lFToQ/s72-c/patch_image_0.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-345879898128403073</id><published>2007-08-19T10:37:00.000-06:00</published><updated>2007-08-19T10:44:50.495-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="blackberry"/><category 
scheme="http://www.blogger.com/atom/ns#" term="laptop safety"/><category scheme="http://www.blogger.com/atom/ns#" term="pda"/><category scheme="http://www.blogger.com/atom/ns#" term="personally identifyable information"/><category scheme="http://www.blogger.com/atom/ns#" term="physical security"/><category scheme="http://www.blogger.com/atom/ns#" term="pii"/><category scheme="http://www.blogger.com/atom/ns#" term="travel"/><title type='text'>Laptop Security Starts with Physical Security</title><content type='html'>&lt;div align=&quot;justify&quot;&gt;There has been a lot in the news lately about laptops getting stolen, and the resulting exposure of personal and other sensitive information. Protection of personally identifiable information (PII) has become a very hot topic lately, and there have been many instances in the news where PII has been exposed because of a stolen laptop. In fact, the Office of Management and Budget (OMB) in 2006 &lt;a href=&quot;http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf&quot;&gt;released a memo&lt;/a&gt; requiring government agencies to implement procedures to encrypt all agency sensitive data on laptop and other portable computing devices. This includes PDAs, Blackberries, cell phones, flash drives, and other easily stolen removable storage media. This article will be primarily discussing the loss of sensitive or personal information due to a stolen laptop or other device owned by an employer. But we could very well be discussing personal laptops and devices as well, because these security measures will apply to anything that contains data, is small, and can be easily lost or stolen. And in many cases the loss of your own personal data can be just as devastating to you as losing something that contained the data of others.&lt;br /&gt;&lt;br /&gt;Much of what is being discussed to solve this problem involves implementing technological solutions. 
For example, laptops can be encrypted using something as simple as Windows’ built-in file and folder encryption, Windows Vista’s built-in BitLocker tool, or a wide variety of other full-drive encryption solutions. Blackberries can already be password protected and encrypted, and many flash drives come with built-in software to encrypt them. But these technologies, while providing an extra layer of protection, only help after the loss event occurs; they do nothing to prevent the loss. Data security is more about being proactive than it is about being reactive.&lt;br /&gt;&lt;br /&gt;These technologies offer a valid and useful solution to this problem, to be sure. But I think people are overlooking a very fundamental non-technical solution that can really go a long way to preventing these exposures – physical security. I was talking with a colleague recently, and she brought up a very valid point – if people would just do more to prevent these thefts in the first place, then we wouldn’t be where we are today, with so many instances of people winding up in the news because they allowed a laptop to be stolen from them. She said, and I strongly agree, that physical security is being completely overlooked. In fact, I would go so far as to say that the advent of all these technological solutions is actually giving people more of a reason to be less careful about protecting their laptops and other devices from theft. And all these technological solutions protect you after the fact. Whatever happened to being proactive and using some prevention to avoid the theft in the first place?&lt;br /&gt;&lt;br /&gt;How many times have we heard that a laptop has been stolen from a car? &lt;em&gt;“But the car was locked,” “I was only gone for a few minutes,” “It was hidden in the back seat.”&lt;/em&gt; It only takes a fraction of a second to smash a window. And the thieves are getting clever and using electronic devices to help them detect if a car has a laptop inside. 
They can then be very selective about their targets, and easily do a “smash and grab” in very little time. “The laptop was stolen from my house. The house was locked. What could I have done?” This looks like a less preventable issue than having it stolen from a car, but let’s take a look at what they have in common, and what the underlying issues are. Then, we will come up with some methods that can be used to protect them in each case.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;Standard of Care:&lt;/span&gt;&lt;/strong&gt; To begin with, let’s look at the fundamental issue – if you are going to wind up in the news, it is because you did something to allow the personal information about many people to become compromised, or you were careless with a company’s secrets. The media couldn’t care less if you had your personal laptop stolen and your checkbook register, latest term paper, and resume were the only things that got stolen. If you are carrying around a laptop or PDA with a lot of PII and/or a company’s proprietary information, however, it means that you either have a piece of equipment provided by your employer, or you were keeping that information on your own personal equipment. First, I’ll discuss the latter – what do your company policies say about you storing business information on your own personal computer? They don’t have a policy? That’s another issue, and I won’t cover that in this article. But even if they don’t have a policy, what does common sense tell you about it? You shouldn’t do it, period!&lt;br /&gt;&lt;br /&gt;Now let’s look at the former – your company provided your laptop and PDA for you, and you will need to surrender it upon request. It is provided for your use to perform company business. Your employer paid for it, and hopefully they have policies about your responsibilities towards safeguarding it. This is where the commonly heard term “standard of care” comes in. 
Your standard of care in protecting this equipment is far greater than the standard of care you most likely exercise in protecting your personal computing equipment. You are not only responsible for protecting the equipment itself, but you are responsible for protecting the data on it as well. This may be the data about thousands of people or the trade secrets about your company’s newest product! Losing it may wind up costing you much more than just the embarrassment of media attention. Your company can be sued, and you can be sued. Or worse – federal or other regulations may have been violated, and you and your employer could wind up facing criminal charges. Termination, jail time, fines, and a long miserable process of dealing with the unwanted attention are some potential outcomes. Those ideas alone should instill a new sense of urgency in your thoughts about “standard of care” and “due diligence.”&lt;br /&gt;&lt;br /&gt;So what can be done? This is the relatively simple part because laptops, PDAs, flash drives, and such are small – they should be easy to protect. Here are some ideas that you may find useful while taking your laptop out and about, or even just leaving it in your home, hotel, or dorm room.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;&lt;strong&gt;Physical Protection in the Car:&lt;/strong&gt;&lt;/span&gt; A laptop is light – put it in a carrying case and take it with you – just don’t leave it in the car. Is it really that tough to have to take your computer case into Wal-Mart with you? If it is, then why are you running all these errands? Take the laptop home, lock it up (see the next section), and then go shopping. I know, I know: Wal-Mart is just on the way home, and with the high price of gas, it is much more economical to stop off on the way home and pick up a few things. 
That’s a decision you have to make – but remember what I told you about “standard of care.” You have an obligation to safeguard this equipment and the data on it. Be prepared to take the necessary steps to protect it.&lt;br /&gt;&lt;br /&gt;My colleague had a clever idea: She said that if you absolutely must leave it in the car, buy a computer cable and secure it. I’ll add to that, put the cable in the trunk, secure it to the frame, then secure the laptop to the cable, in the trunk. The one thing to remember is that thieves who break into cars don’t usually have a whole lot of time to spend trying to get around physical security devices such as cables. They are looking for targets of opportunity – the “low hanging fruit” so to speak. If they smash a window in broad daylight, they need to get in and get out quickly. A cable presents a significant delay, and more chances for them to get caught. If it’s in the trunk they can’t even see it in plain view, making it that much more difficult. But again, do you really need to leave it in the car? I am now putting on my “electronics geek” hat and will tell you that leaving a laptop in a car in either extreme heat or extreme cold, or leaving it exposed to the sun, is just wrong on so many levels. Forget my 30+ years of experience working with electronics. You are damaging your computer, or at the very least shortening its life by doing that!&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;&lt;strong&gt;Physical Protection in the Home, Hotels, and Dorm Rooms:&lt;/strong&gt;&lt;/span&gt; There are a variety of inexpensive cables and other devices you can buy to protect laptops these days. Cables that do everything from simply physically locking down the device, to emitting an alarm when cut or broken, can be purchased and easily installed. If you are going to leave that employer owned equipment in your house, secure it to the desk. Better yet, how about locking those things up? 
Remember, thieves look for the low hanging fruit. If they break into your house, they aren’t going to hang out finding ways to get into secured cabinets or safes, and wait for the police to show up – they need to get in and get out. A locked filing cabinet inside a locked office does not present them with an easy target, but it shows that you were practicing due diligence in protecting these items should some brazen criminal decide to take the time to break into those secured areas.&lt;br /&gt;&lt;br /&gt;If you’re in a hotel, it probably means that you are on travel for your job. That being the case, it should be just a simple matter of fact that you are taking your computer with you when you leave for the day for your conference or other meetings. If you are in a hotel on a pleasure trip, then why, oh why do you have your computer with you? OK – you’re probably a workaholic geek like me. In that case, then the above applies. Or ask the hotel to lock it up in their safe while you’re gone. The standard of care is then at least partially on them.&lt;br /&gt;&lt;br /&gt;College students – even though I have been primarily focusing on employer owned equipment and data, I just have to mention you in this article also. Many of you live in dorm rooms and have computers. While the level of sensitivity of your data isn’t nearly at the level of what I have been discussing so far, can you really afford to lose that paper that is due tomorrow, and that you have been working on all night? Does your dorm room have a steady stream of visitors? Do you know all the people who your roommate invites in? Get a computer cable and lock that thing to your desk! 
Even if it’s a big desktop computer – lock it!&lt;br /&gt;&lt;br /&gt;The University of Arizona has a great security poster that gives some good tips on security in the dorm room:&lt;br /&gt;&lt;br /&gt;University of Arizona Security Posters:&lt;br /&gt;&lt;a href=&quot;http://security.arizona.edu/index.php?id=780&quot;&gt;http://security.arizona.edu/index.php?id=780&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;Physical Protection While Out and About:&lt;/span&gt;&lt;/strong&gt; It is easy to let down your guard when going to the coffee shop, waiting for a flight in an airport, or just hanging out in the park. These settings all provide classic examples of how computers get stolen. In one example, a television commercial depicts a guy sitting in a coffee shop, turns around to look at a girl, then turns back – the laptop is stolen! The punch-line is “what now?!” What now, indeed? How many times do you go to the coffee shop, leave your laptop on a table, and go back to the counter to get your coffee and a donut? All it takes is for you to turn your back for a moment and for your laptop to then go missing.&lt;br /&gt;&lt;br /&gt;You wouldn’t leave your wallet lying on a table while you go off to do something else, would you? As was stated in a &lt;a href=&quot;http://reviews.cnet.com/4520-3513_7-5145310-1.html&quot;&gt;2004 Security Watch article&lt;/a&gt; by Robert Vamosi &lt;em&gt;&lt;span style=&quot;color:#ffff00;&quot;&gt;“…you should think of your laptop sitting on the table as a thousand dollars in cold cash; you wouldn&#39;t turn your back on that, would you?”&lt;/span&gt;&lt;/em&gt; Protect your laptop like you would your wallet or purse. Don’t take the thing out unless you are ready to use it, and you can be there to physically protect it. Robert also mentioned carrying laptops in non-descript bags. A great big black “Dell” bag is a good indicator that you are carrying a laptop. 
Use a padded backpack or something a little more plain.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;Physical Protection While In the Office:&lt;/span&gt;&lt;/strong&gt; We can’t discount security in the office or take for granted that just because your equipment is located in an office building it will be safe. First of all, just because it is in an office building, are you sure your employer’s policies don’t still hold you responsible for lost or stolen equipment? Start out by finding out what the policies are. Then, if they don’t already do so, ask your employer to purchase a security cable to secure that employer owned laptop. A number of recent articles have indicated that many, if not most, security threats come from within the organization. This can include coworkers or building custodial staff. How many people have access to your work area? If you are in a typical cube-farm, then nothing is secure. All of your work area is fair game for people to cruise around looking for easy targets.&lt;br /&gt;&lt;br /&gt;If you are going to leave a laptop in the office or cubicle overnight, then lock as many things between public access and your equipment as possible. If it’s an enclosed office, and you are able to, lock the door. Secure the laptop with a cable or lock it in a file cabinet. Don’t lock it in one of those cubicle cupboards that someone can just lift off of the wall to get to the contents, but a file cabinet that is solid on all sides. Lock up any PDAs, flash drives, or portable storage units that you don’t take home with you. And since we’re talking about securing data in all of its forms, put away and lock up any paper, CDs, disks, or any other things that have sensitive information on it. Many organizations have a “clean desk” policy in place. And no, this doesn’t mean to take 409 and wipe down your desk every day. 
It means to put away and secure all items containing information: PDAs, paperwork, sticky notes, micro-film, secret decoder rings, everything!&lt;br /&gt;&lt;br /&gt;An important note about those cables: If you do take your laptop home with you, don’t leave the cable just lying there on the desk with the combination dialed in. All someone has to do is come by, test the unlatching mechanism, and if it works, they can then look to see what the combination is. And dialing one of the numbers to one digit off won’t do it either. Set the dial to all zeros – don’t leave any clues at all. If you leave the combination dialed in, or close to it, on that cable, it doesn’t matter if you lock that laptop with the cable or not. The potential thief then has the combination and can just come back later. If you do use a combination lock instead of a key lock, change the combination periodically, just as you would change your network password periodically.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;Wrapping It All up:&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;There are a wide variety of technologies now available to protect the data on your laptop or PDA should it get lost or stolen. But those things protect the data after the fact, provided they are in place and functioning. You still lose hours of hard work and an expensive piece of equipment. The real goal is to use some prevention and keep the asset from being lost or stolen in the first place.&lt;br /&gt;&lt;br /&gt;Don’t be in such a hurry while running your errands that you leave an unsecured laptop in a car. Windows can be smashed and the laptop taken in seconds. Are you aware of your surroundings? When you leave the laptop on a table in a coffee shop, are you sure it will be there when you return? How about in hotel and dorm rooms? Are you sure the housekeeping staff is completely honest? Are your dorm room roommates having a lot of visitors? 
There are so many variables and so many possibilities to have equipment go missing.&lt;br /&gt;&lt;br /&gt;Physical security is a preventive measure that should be taken seriously. Don’t rely solely on technologies to make data unobtainable through encryption – keep it from getting stolen and exposed in the first place. There are a variety of low-tech to no-tech solutions to keep you from losing your equipment. Cables, keeping the item with you, good file cabinets and locked doors will all add a significant measure of protection and security. It all begins at the lowest layer – physical security!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#ff6600;&quot;&gt;Additional Resources:&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Security Watch: How to Protect Your Laptop While on the Road&lt;br /&gt;&lt;a href=&quot;http://reviews.cnet.com/4520-3513_7-5145310-1.html&quot;&gt;http://reviews.cnet.com/4520-3513_7-5145310-1.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Washington Post – “OMB Sets Guidelines for Federal Laptop Security”&lt;br /&gt;&lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html&quot;&gt;http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Security Posters:&lt;br /&gt;&lt;a href=&quot;http://www.us-cert.gov/reading_room/distributable.html&quot;&gt;http://www.us-cert.gov/reading_room/distributable.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Georgetown University Safe and Secure Computing Quick Start Guide:&lt;br /&gt;&lt;a href=&quot;http://www3.georgetown.edu/security/10574.html&quot;&gt;http://www3.georgetown.edu/security/10574.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;University of Arizona Security Posters:&lt;br /&gt;&lt;a href=&quot;http://security.arizona.edu/index.php?id=780&quot;&gt;http://security.arizona.edu/index.php?id=780&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;IA Newsletter – Defense in Depth&lt;br /&gt;&lt;a 
href=&quot;http://iac.dtic.mil/iatac/download/Vol3_No2.pdf&quot;&gt;http://iac.dtic.mil/iatac/download/Vol3_No2.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Information Security Magazine - Laptop Security:&lt;br /&gt;&lt;a href=&quot;http://infosecuritymag.techtarget.com/articles/february01/features_laptop_security.shtml&quot;&gt;http://infosecuritymag.techtarget.com/articles/february01/features_laptop_security.shtml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;SearchSecurity.Com - Elements of a Security Program:&lt;br /&gt;&lt;a href=&quot;http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210562,00.html&quot;&gt;http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210562,00.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;NIST SP800-100:&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf&quot;&gt;http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/345879898128403073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/345879898128403073?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/345879898128403073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/345879898128403073'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/08/laptop-security-starts-with-physical.html' title='Laptop Security Starts with Physical Security'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-6895135953841349727</id><published>2007-07-04T09:21:00.000-06:00</published><updated>2007-07-04T11:43:57.856-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="attack"/><category scheme="http://www.blogger.com/atom/ns#" term="impact"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability"/><title type='text'>Types of Vulnerabilities and Their Impacts:</title><content type='html'>&lt;div style=&quot;text-align: justify;&quot;&gt;With all of the different types of vulnerabilities and security warnings these days, one of the most often asked questions is in regards to what it is that all of the various types of attacks actually do.  If we take a step back in time and look at what some of the early attacks did, it puts into perspective just how sophisticated and damaging the latest attacks have come.  Attacks on computers and the data they contain have come a long way in a very short time.  With most of our computers now networked and attached to the Internet, our data can be attacked from far, far away, and the results can be devastating.  The attackers have also found that stealing data, finding weaknesses, and disrupting services are all lucrative endeavors that other thieves are willing to pay for.  
And if you haven&#39;t already, see &lt;a href=&quot;http://www.gonzosgarage.net/computers/teched2007/index.html&quot;&gt;my review of TechEd 2007&lt;/a&gt; for more information on security and attacks.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;A Look Back at Some Early Computer Attacks: &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Let’s go way back to the day of the early PC when they were not yet networked to any great extent.  The networking architecture back in the day was known as “sneaker-net” where the method of sharing files was literally by manually sharing floppy disks and physically handing them from person to person.  “Sneaker-net” got its name because of the idea that you had to put on your sneakers to make the long journey to get the disk to the person who you wanted to share with.  The most common type of attack at that time was the virus.  WORMS and backdoors typically weren’t useful because of the lack of remote connectivity.  Trojan horses were usually not in the form of remote access programs, but they did exist in the type that looked like usable programs, and they would perform some other hidden function such as corrupting files or erasing the hard drive.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;In those days, viruses typically got onto a computer by someone putting an infected floppy disk into the machine.  This was often by way of an infected game program, or someone using the same disks they used at school in their computers at home.  There were a lot of viruses on college campus computers in those days, making it fairly common to catch a virus by using a computer at school.  
I remember when I took a computer hardware repair course at a local junior college back in the early 90’s: I built a completely separate computer at home to do all my labs and class homework, aside from the computer I used to do all my word processing and other work to prevent getting a virus on my main machine.  There was also a lot of software swapping (today we call it piracy), and it wouldn’t be uncommon at all for people to pass infected disks to many people.  I remember being called to check out one of the office PCs where I worked and found a computer screen displaying the message:  “Your computer has just been Stoned.”  The Stoned virus was a very common early virus and would format the hard drive, then display that or a similar message.  I asked the person what they had been running, or particularly had installed on the computer lately, and the reply was (of course) “Nothing!”  I looked beside the computer to see a floppy diskette containing a golf game.  I scanned the floppy, and sure enough, there was the Stoned virus.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Back then the main damage caused by viruses ranged from an annoying pop-up message of some sort, to a complete format of the hard drive.   Some viruses would go off randomly, some would go off on a particular day and time.  The “Joshi” virus, for example, always went off on the day of the year of Joshi’s birthday - the virus writer had dedicated a virus to their dead son. Remember Michelangelo?  Same type of virus – went off on a particular day.  Since computers weren’t typically networked, and the Internet was not used by us common folk, the concept of the WORM did not yet really exist.  Neither did the idea exist of people stealing data or damaging systems over a network or the Internet itself.  
But now, with networks and the Internet being such ubiquitous parts of our lives, “sniffing” network packets to steal passwords, intercepting and altering data before sending it on to the correct recipient, and even using tactics to deny access to certain web sites or databases are some of the very common attack methods.&lt;br /&gt;Today, we have networks, the Internet, email, and a variety of other ways for computers to be attacked by others who may even be on an entirely different continent.  I remember in 1990, there were fewer than 1,000 viruses.  Last I checked there were over 50,000 viruses, including their variant forms.  When I attended the recent Microsoft TechEd conference (&lt;a href=&quot;http://www.gonzosgarage.net/computers/teched2007/index.html&quot;&gt;see my review here&lt;/a&gt;), it was revealed that 82% of all email today is SPAM.  Much of the SPAM out there these days contains phishing attacks and links to malicious sites.&lt;br /&gt;&lt;br /&gt;Another startling fact that was mentioned was that there were currently 3,700 distinctly different malicious types of one particular type of image file that exploits the &lt;a href=&quot;http://www.gonzosgarage.net/computers/wmf_exploit.htm&quot;&gt;WMF vulnerability&lt;/a&gt; found in early 2006.  There are also 38 million plus pieces of other potentially unwanted (PUP) software circulating on the Internet.  We also have WORMS, Trojan Horses, backdoors, remote exploits, and a variety of other ways for our computers to be vulnerable.&lt;br /&gt;&lt;br /&gt;So I wanted to take a look at some of the more common types of attacks and what kinds of impacts they can have.  I am discussing the attack impacts in this article – but the attack itself can come in the form of any of the methods I just mentioned, as well as by attackers luring users to malicious web sites or convincing them to open an infected email attachment, in an attack method known as social engineering.  
The various attack vectors are too many to mention here, but I thought it important to at least discuss the impacts that attacks commonly present.  The bad news is that this article only scratches the surface of what is out there.&lt;br /&gt;Keep in mind that the objective of any of these attacks is to violate security.  The three basic tenets of computer security are the three basic parts of the C – I – A triad as defined below:&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(204, 51, 204);&quot;&gt;confidentiality:&lt;/span&gt;  not exposing personal or sensitive information to unauthorized people;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(204, 51, 204);&quot;&gt;integrity:&lt;/span&gt;  Not having data altered so that it is inaccurate, incorrect, or unusable;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(204, 51, 204);&quot;&gt;availability:&lt;/span&gt;  Being able to get to your data or information services when you need to.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;An attack can be focused on one or more of those three aspects of data security, and can come in a variety of ways.  So let’s take a look at some of the various impacts of malicious attacks:&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;The Methodologies and Impacts:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(255, 255, 0);&quot;&gt;File transfer location tampering:  &lt;/span&gt;This mainly consists of capturing data in transit and re-routing it to a location other than that which was intended.  
If someone is transferring financial or other sensitive data, the attacker can get a hold of data for identity theft, corporate espionage, or other reasons.  It is obvious that the data falling into the wrong hands is often a devastating problem and can result in serious damage to an individual or corporation.  The attacker may make their attack less noticeable by capturing the data then forwarding the data on to the correct recipient.  The intent is not to prevent data from being correctly transmitted.  The intent in this case is to simply steal the data and use the information for financial gain.  The criminal can get more mileage out of this attack by making it less noticeable that it is happening.  A variety of methods can be used for this, including &lt;a href=&quot;http://www.grc.com/nat/arp.htm&quot;&gt;ARP poisoning&lt;/a&gt;, and various other methods used for &lt;a href=&quot;http://en.wikipedia.org/wiki/Man-in-the-middle_attack&quot;&gt;“Man in The Middle”&lt;/a&gt; attacks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Elevation of privileges:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  This is a very common result of an attack, and can lead to other types of attacks or more serious outcomes.  If an attacker can get administrator level privileges to a computer, then they can basically do anything they want.  This includes taking control of the computer, installing other malicious software, deleting files, changing configuration settings, and doing many other high-level tasks that only an administrator can do.  This is why it is so important to use your computer (especially while on the Internet) as a limited user.  If you are on the computer as a user with no administrative privileges, it makes it much more difficult for malicious code to run and do damage.  
Windows Vista addresses this very serious concern by implementing a feature called &lt;a href=&quot;http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true&quot;&gt;User Access Control&lt;/a&gt;&lt;a href=&quot;http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true&quot;&gt; &lt;/a&gt;&lt;a href=&quot;http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true&quot;&gt;(UAC)&lt;/a&gt; and having Internet Explorer operate in a limited user capacity.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Remote code execution:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  You are probably starting to already see that many of these attack outcomes do many of the same things.  That is true.  Remote code execution allows an attacker to remotely take control of a machine, run code, execute programs, and many other things that can lead to damage, data loss, data theft, or other things to damage your system.  But additionally, if someone can remotely use your machine to execute code, they can also turn your computer into a “Zombie” and use it to attack other systems.  This often results in what is known as a “Distributed Denial of Service (DDoS)” attack.  See “Denial of service” below for more information.  The Windows Vista UAC feature mentioned above also helps to address this type of impact.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Denial of service (DoS):&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  Remember the three parts of the information security triad are “Confidentiality,” “Integrity,” and “Availability.”  This particular attack outcome is that of taking away the availability of your system, or other systems’ ability to access other system resources. 
There are a variety of ways to do this:  crashing a system, tying up a system’s resources so that they can’t process data properly, or creating huge amounts of network traffic so that others trying to access a system cannot get to the system because of the sheer volume of traffic.  If a process can drive your CPU’s usage up to 100%, then your computer is almost useless and you have a hard time getting work done because it is so slow.  If a web server is flooded with bogus SYN packets (part of the process that is used to request a connection with a web server), then the web server cannot provide the requested web pages or other data.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; font-style: italic; color: rgb(255, 255, 0);&quot;&gt;Distributed Denial of Service (DDoS):&lt;/span&gt;  This is simply a case of all of the above attack attributes, mentioned in “Denial of Service,” being performed by many computers simultaneously.  In fact, this may be a combination of the above attacks where some code has been planted on and executed from a compromised computer.  These many “zombie” computers simply take commands from a central attacker to flood the network with attack packets and cause the target (web server as in the case above) to be literally flooded with connection requests, and no longer respond to anything.  This means that the target is then unavailable, and thus “denying service” to all legitimate computers that try to connect.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Modifying information:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  This impact is specifically aimed at changing the integrity (the “I” in C-I-A).  As in the case of file transfer location tampering mentioned above, the goal here is to intercept information before sending it on.  However, the intent is to not just steal the information to use it for financial gain later.  
The intent of this type of attack may be for a few different reasons.  In one example, the data may be modified so as to actually cause damage to an organization by making their data incorrect and therefore useless.  The purposely injected errors may be extremely difficult to locate, causing extensive staff-hours of research to correct.  Another example of the usefulness of this type of attack is to divert financial transaction amounts for financial gain.  The easiest way to illustrate this is the case of someone billing you $100 dollars for goods or services that only cost $90 dollars.  They input into the system that the services cost $90 dollars, that they billed you for $90 dollars, and that $90 was received from you.  They then pocket the other $10 dollars for themselves.  You may have seen the movie “Office Space” where the guys injected a so-called “virus” into the system that took the rounded interest (fractions of a penny) and diverted it to an off-shore account for themselves.  To make a good plot, the plan backfired, and they ended up with way too much money and were in a position of being easily discovered.  This is another aspect of this type of attack:  To make the interception, modification, and theft of data difficult to detect.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Spoofing:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  Simply doing any of the above, but making the attacker’s identity to appear as the identity of someone else is known as spoofing.  This can manifest itself in a few different ways.  One way is for an attacker to get your log in credentials, log in as (or appear to log in as) you, and perform tasks under your name.  If Bob (the attacker) logs in as Gary, and deletes a bunch of files, the audit logs will show that Gary did it.  Gary gets blamed and has a hard time proving it wasn’t him.  
Another type of spoofing comes in the case of DoS and DDoS mentioned above, where requests for a web site, for example, are requested, but the return network address of the computer is purposely changed.  The acknowledgement then gets sent to an address that either doesn’t exist, or is that of a computer that did not make the request.  In the meantime, the web server is waiting for the remote computer’s acknowledgement to its acknowledgement (the SYN, SYN-ACK, ACK process in the &lt;a href=&quot;http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml&quot;&gt;TCP three-way handshake&lt;/a&gt;).  This is one way in which DoS works – the target machine is tied up waiting for acknowledgements from a computer that doesn’t exist, and is then too busy to service legitimate requests.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Theft of sensitive information:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;  As in the case of modifying file transfer locations, the primary purpose of this type of attack is as its name implies - to steal data.  Remember, this is the “confidentiality” part of the C – I – A triad; exposing data to unauthorized people.  Modifying file transfer locations involves intercepting data, stealing it, possibly modifying its contents, then possibly (or not) sending it on to its intended recipient.  This is just outright theft.  Many of the other previously mentioned impacts can contribute to a criminal’s ability to steal information.  If an attacker can elevate their privileges on your machine, for example, they can browse all of the folders on your computer, not just the folders available under a limited user’s logon context.  
There may be a variety of reasons for stealing data from a computer, including using the data for identity theft purposes, stealing proprietary information, or stealing password files so as to crack them and use them to gain further system access.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Buffer overflow:&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt; A &lt;a href=&quot;http://en.wikipedia.org/wiki/Buffer_%28computer_science%29&quot;&gt;buffer&lt;/a&gt; is simply memory space used to temporarily store data.  For example, your computer has buffers for receiving incoming communications until it has a chance to process it and put it into the appropriate place in memory for the working application to access and use to do work.  This space is not infinite.  If the buffer can purposely be filled up, in some cases the excess data will simply overflow (thus the term &lt;a href=&quot;http://en.wikipedia.org/wiki/Buffer_overflow&quot;&gt;buffer overflow&lt;/a&gt;) out of the buffer and have unpredictable results.  This type of attack simply involves sending a computer more data than it can handle so that excess data spills over into areas of memory used to execute code.  One thing that attackers have found is that certain vulnerabilities exist that are susceptible to these buffer overflow attacks.  They will craft a special package that contains a large amount of data, send it to your computer, the buffers will fill up, and the excess data will be overflowed to parts of memory where it can be executed.  
This code execution may result in things used to crash a computer, elevate privileges so that other attacks will work, or a variety of other undesirable things.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Wrapping It All Up:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Attacks come in many forms, and have many different purposes and impacts.  These attacks are meant to do everything from being a minor annoyance, to disrupting service, to theft of data, and to outright destruction of computer information systems.  As I mentioned in my review of the TechEd 2007 conference &lt;a href=&quot;http://www.gonzosgarage.net/computers/teched2007/index.html&quot;&gt;(see my article here)&lt;/a&gt;, data thieves have found that personally identifiable information is worth money.  Whereas the hackers of old just wanted attention, the bad guys doing the computer attacking these days are just criminals, plain and simple.  They want to make a living either by stealing your data, stealing the data of a competing company, or interrupting service.  When they find a vulnerability and a way to exploit it, they can also sell the exploit methods for money as well.  And they have found a variety of ways to conceal their attacks and make their consequences undetectable for a long time.&lt;br /&gt;&lt;br /&gt;There is good news; many of the attack impacts mentioned here are preventable.  Good antivirus software, malware protection, firewalls, and above all keeping patches up to date will help prevent many of the exploits.  I have told people over and over about the dangers of clicking on every single link they get in an email, especially when that email is from someone unknown to them.  
Even emails from people whom you trust are susceptible these days, because attack methods can use your own address book and email client to send out mass emails without your knowledge, and the recipients will think it came from you.  But that too is preventable; use diligence and awareness when browsing emails, and especially on the web.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Additional Resources:&lt;/span&gt; &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/ARP_spoofing&quot;&gt;ARP Poisoning (ARP Spoofing) Defined&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.grc.com/dos/drdos.htm&quot;&gt;Distributed Denial of Service Explained&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.grc.com/dos/grcdos.htm&quot;&gt;Example DoS Attack Explained&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/CIA_Triad&quot;&gt;The C-I-A Triad of computer security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/Man-in-the-middle_attack&quot;&gt;Man-in-the-middle Attack Defined&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml&quot;&gt;TCP Connection Three-way Handshake (Tutorial)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rhyshaden.com/tcp.htm&quot;&gt;Another TCP Tutorial&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/6895135953841349727/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/6895135953841349727?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/6895135953841349727'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/31280098/posts/default/6895135953841349727'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/07/types-of-vulnerabilities-and-their.html' title='Types of Vulnerabilities and Their Impacts:'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-1927335888958052520</id><published>2007-06-21T16:58:00.000-06:00</published><updated>2007-07-04T21:26:30.873-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="hackers"/><category scheme="http://www.blogger.com/atom/ns#" term="hacking tools"/><category scheme="http://www.blogger.com/atom/ns#" term="identity theft"/><category scheme="http://www.blogger.com/atom/ns#" term="Microsoft"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="TechEd 2007"/><title type='text'>Views From Microsoft TechEd 2007</title><content type='html'>&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Day 1: 6/4/07&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;The first day of any event like this is always the most – well – hectic. People everywhere! Thousands of computer geeks all trying to go in different directions through a convention center, but at the same time all trying to get to the same place – the place where the food is and the opening keynote speech. Once the keynote was done, things sort of calmed down as people went to the various breakout sessions. 
This convention center is huge! They could fit a few football practice fields in this one building alone. In the main building where the breakout sessions were held, it is a quarter of a mile from one end to the other. And given that some sessions were on one end, and some on the other, we walked this quarter mile span several times a day. The images of the main expo area don’t begin to do this place justice, insofar as giving a good depiction of the size of this facility. The building we were in was around a million square feet, according to sources we asked. And it was carpeted from wall to wall. Had to be one big, honkin’ vacuum cleaner they use in that place!&lt;br /&gt;&lt;br /&gt;There were a number of new tools being introduced and discussed in depth. The problem with this conference is that we geeks were like kids in a candy store – so many presentations, but how to decide which ones to attend was a real challenge. I think I changed my schedule a thousand times!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Day 2: 6/5/07&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Two recurring themes are emerging from the sessions so far: User awareness and risk analysis are key elements of the security of any system. Many of the technologies that continue to surface still have the interesting aspect of the “man-to-man” factor. That is to say: no matter how secure any new software code developments have become, the weak link is still the human. For example, if a human still clicks on every email link presented to them, then they are still putting their systems and data at risk.&lt;br /&gt;&lt;br /&gt;On a final note, Steve made an interesting point by asking the question: “Is email even useful anymore?” He gave a (not too surprising) statistic that stated that 82% of all email is SPAM - unsolicited email to either sell you something, or just discover if your email address is active. 
I might even classify the endless forwarding of jokes, hoaxes, and other misinformation in this category as well. I mean really – of the 20 or 30 emails I get at home per day, maybe three of them are information I can use, or are “real” correspondence from a friend or relative. I never really hear from people anymore – I just get forwarded jokes on a daily basis. Oh well – at least I know they are still alive and well, which is a bonus.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Day 3: 6/6/07&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;One of the most interesting presentations so far: “I Can Hack Your Network in a Day” by Marcus Murray. He gave live demonstrations of the various ways to infect a computer with a Trojan horse, take over a computer, and potentially an entire network. The striking thing about this presentation is that he demonstrated how easy it is to create a Trojan horse program, send it to a gullible user and get them to execute it on their computer. This is one of the big reasons I harp so much on the dangers of clicking on unknown links in emails, and opening email attachments. This is exactly how these attacks get perpetrated and proliferated. This also made a very heavy argument for patching. There are exploits for everything, and growing by the day. Keep your patches up to date, and stay on top of information about new threats. And quit clicking on unknown email attachments!&lt;br /&gt;&lt;br /&gt;A presentation on Microsoft threat research by Vinny Gullotto revealed that 3,700 distinct malicious WMF files exploited the part of Windows fixed by the MS06-001 patch. This really puts this in perspective, because I remember the scramble we went through in early 2006 to get this patch deployed as soon as possible. 
Vinny mentioned that 38 million+ pieces of potentially unwanted programs (PUPs) currently existed, which includes adware, viruses, remote control programs, Trojans, bundled software, and other modifiers. This is staggering, as it really illustrates just how big our job as security professionals has become. Some resource that Vinny mentioned are the Virus Information Alliance (VIA), the “Wildlist” for viruses, and the Anti Spyware Coalition (ASC).&lt;br /&gt;&lt;br /&gt;Another extremely interesting and energetic presentation was given by Laura Chappell, using Wireshark for troubleshooting a slow network. Like the Marcus Murray presentation, she ditched the PowerPoint slides and showed live demonstrations of packet trace files and showed how to use the Wireshark packet sniffer to analyze packets to get to the bottom of network and computer communications problems. The presentation was extremely interesting and she did a good job explaining the tools and methodologies. It was amazing to find out how much traffic is being generated in the background by an infected computer, just during the boot-up process. Her methodologies illustrated how looking at TCP/IP traffic can tell a lot about what is causing problems with an individual computer, as well as those on an entire network.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Day 4: 6/7/07&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;Today started with a presentation to get an insight into how Microsoft deals with IT security internally within their company. With over 500,000 computers and 120,000 to manage, security is not an easy task, but Microsoft appears to have some sound strategies in place to handle it, whereby information security is process driven and based on industry standards. The IT security staff at Microsoft makes up approximately 4% of the entire IT staff. 
Much of what is done related to IT security within Microsoft revolves around the Enterprise Risk Management Framework and the Trustworthy Computing Initiative. Policies are published, and industry standards are put into place to ensure security. Executive sponsorship of the IT security tenets is very strong at Microsoft as well, which is one leading factor in the success of such programs. In many organizations, IT security is viewed as a “tax to the business.” That is to say that users view the security practices as burdensome and preventing them from doing their jobs.&lt;br /&gt;&lt;br /&gt;Technology, such as implementing Network Access Protection (NAP), BitLocker (Windows Vista’s full-volume drive encryption) on laptops, and implementation of two-factor authentication are some of the things that are used at Microsoft to ensure security. These technologies provide sound and secure methods to keep an environment secure, but still enable people to do their jobs.&lt;br /&gt;&lt;br /&gt;What most impressed me about Microsoft’s internal information security stance was that they made their employees sign acceptable use policy acknowledgement statements, and that non-compliant (i.e. un-patched) machines were denied access to the network until they became compliant – which is exactly what NAP, mentioned above, is for. If a company like Microsoft can implement these types of processes, then why are so many of our other companies having such a hard time doing it? I think part of the answer rests with the fact that many users are unaware, many users view the IT staff as the “network janitors” and many people simply view IT security as a tax (burden) on business processes.&lt;br /&gt;Mark Russinovich presented a talk on the changes in the Windows Vista kernel. Some of the notable new features in Vista include User Account Control (UAC), which prompts before a program is allowed to run with administrative privileges, and some features that provide better performance. This includes such things as the ability to delay services so that they don’t all try to start up at once. 
Many who run current and older versions of Windows can attest to the fact that all the services that try to start up at the same time can really make the boot process painful.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Day 5: 6/8/07&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The final day of the conference! On one hand, I want to hurry up and get this over with so I can just go home. I have been on travel a lot lately – three trips (including this one) since the middle of April. Living out of a suitcase and eating at Denny’s is getting old. On the other hand, there were so many presentations I wanted to see, but didn’t get to because of conflicts with other presentations, and wanting to visit the vendor expo. The crowd has really thinned out by now, but there are still quite a few people here. I will be interested to find out how many people were in attendance this year – had to be well into the tens of thousands.&lt;br /&gt;&lt;br /&gt;They saved the best for last. I attended a few Mark Russinovich talks on the internals of Windows Vista, and using some of his Sysinternals tools to troubleshoot systems. There are a number of free tools that fall under the former Sysinternals umbrella, but are now distributed by Microsoft. Mark Russinovich’s tools are extremely easy to use and leave a very small footprint on the system because they don’t get installed. By developing some troubleshooting skills and using these tools, the average IT technician should be able to better troubleshoot systems. Troubleshooting is all about investigating and trying to see what should or should not be happening. Process Monitor and Process Explorer give a much more in-depth picture of what processes are running, how much of an impact they are placing on resources, and even what malicious processes are trying to spawn processes that can harm your system. 
Many of Mark Russinovich’s presentations from past TechEd conferences can be found on the web (see resources at the end of this article) – definitely worth a look.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;The Conference in Review:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;So what do most computer geeks take away from conferences like this? Well, I took away some very important ideas from this year’s TechEd conference: 1) The attackers, as well as their motivations and methods, have changed; 2) Everything in security must be approached from a risk analysis and economic standpoint; 3) People are still security unaware and must be educated; 4) Microsoft is (still) not the problem, as I have indicated in my blogs a number of times.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;The attackers have changed:&lt;/span&gt; Notoriety and getting attention used to be enough for the bad guys. They just wanted to inflict damage, interrupt people’s lives, and get noticed for it. But they figured out that this kind of deviant behavior pays, so they are out to make a buck by finding vulnerabilities, writing exploit code, and stealing data.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Risk analysis is everything:&lt;/span&gt; It isn’t enough to simply say that you want to be secure. It is important to find out how high a priority your risks really are and implement appropriate protections. Security professionals have said it a million times: “Don’t protect a $10 horse with a $50 fence.” And in order to pursue projects to put appropriate protections in place, it is important to illustrate to management the economic benefits of these protections. Otherwise, they will just view security as another expense for which they won’t realize any benefit. 
As Steve Riley and Jesper Johansson write in their book “Protect Your Windows Network: From Perimeter to Data”: You are implementing security &quot;so that nothing will happen.&quot; Meaning that the goal is for nothing to happen to your data, other than it being safe and accessible.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;People are security unaware:&lt;/span&gt; It’s not that people are blatantly against doing the right thing, it is mostly a case of them not knowing what the right thing is. Further, they need to know how being secure will benefit them, not just that security is a mandated process. If people have some insight into why they need to be secure, the benefits and consequences to them personally, and how to do it, it will be much easier to get their buy-in.&lt;br /&gt;&lt;br /&gt;The TechEd experience was unique. Not that I will be anxious to do it again (once is enough), but it was time well spent, and very informative. I got to see live presentations from some well respected names in the computer security biz, and had a chance to see some of the new technologies that Microsoft is producing.&lt;br /&gt;&lt;br /&gt;To read the full review, find additional resource links, and see pictures of the convention center, read the full article &lt;a href=&quot;http://www.gonzosgarage.net/computers/teched2007/index.html&quot;&gt;here&lt;/a&gt;.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/1927335888958052520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/1927335888958052520?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1927335888958052520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1927335888958052520'/><link 
rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/06/views-from-microsoft-teched-2007.html' title='Views From Microsoft TechEd 2007'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-4975966833588559023</id><published>2007-05-04T18:26:00.000-06:00</published><updated>2007-05-04T21:34:29.506-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="blackberry"/><category scheme="http://www.blogger.com/atom/ns#" term="flash drive"/><category scheme="http://www.blogger.com/atom/ns#" term="hotel"/><category scheme="http://www.blogger.com/atom/ns#" term="laptop safety"/><category scheme="http://www.blogger.com/atom/ns#" term="pda"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="travel"/><title type='text'>Security Tips To Keep You Safe While Traveling</title><content type='html'>&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;As we approach summer, more and more people are once again thinking of traveling, both for business and for pleasure.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;TechEd is in June, and a variety of other techie conferences are not far behind.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;School will be out soon, making way for family vacations – although with the ridiculous price of fuel, I’m not sure how many people will be traveling.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Even when only traveling for pleasure, many business professionals, 
as do I, take their laptops and PDA devices with them to be able to do work during a few “down” moments on their trip, or at the very least to have a way to keep tabs on their email and events at work.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;We geeks are such workaholics, aren’t we?&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;On a recent business trip to the east coast, I had the opportunity to once again enjoy my hobby of just sitting back and observing people.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I was again reminded of just how complacent folks are about their security when it comes to using computers and other information technology enabled devices when on travel.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;This seemed to be especially true when using computers in public places – either their own laptops, or computers in hotel business centers.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I am not sure if people are just in a hurry, or if they just really are not aware of the potentials for exposing themselves (in a “data” sort of sense, that is) while out and about.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;There are a number of things I will talk about in this article having to do with ways to keep yourself (and your data) more secure when away on travels.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Some of these things are as simple as using fundamental physical measures to shield your computer screen from curious eyes.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Others involve the act of just taking the time to clean up after yourself when using a public computer, and yet other measures I will discuss simply involve the use of technology that is already built in to the devices that you are using.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;There really is very little to no cost involved in protecting 
yourself with these measures, but the cost of giving away your data can be huge and devastating.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;So let’s take a look at a few of the vulnerabilities we face everyday when on travel and some solutions for protection.&lt;/p&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Shoulder Surfing:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;If you are flying, your potential for vulnerability begins the very minute you get to the airport.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Many people find that they have to arrive at the airport a few hours early just to make it through check-in and security, in order to make their flight on time.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;There is often a lot of “down time” here, so many people, as do I, pull out the laptop and the Blackberry, and do some work.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In this setting, we are often in very close proximity to other people.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Once we board the airplane, it is even worse.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Unless you are lucky enough to be in First Class, you are sitting with your elbows right up against someone else’s, and their wandering eyes are just a foot or two north.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Even if you aren’t flying, or have arrived at your destination, the local restaurant and the corner coffee shop are no different.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;When you sit down in that comfortable chair to enjoy your latte and do some work, there are countless wandering eyes trying to figure out what you are doing.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;There are two main problems here.&lt;span 
style=&quot;&quot;&gt;  &lt;/span&gt;First of all, your neighbor (who is usually NOT minding their own business) is looking at your computer as you type in your username and password.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If they can see your log-in box, they can see your username, and if your computer is joined to a corporate domain, they can see the domain name.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;As you type in your password, unless you are lightning fast, they can see you type the characters.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I’m one of those “two-finger wonders” (I don’t touch type) so this is a particularly big problem for me.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;A devious person with intent on harvesting such information (and they are everywhere, trust me) will be very good at following your keystrokes and will be able to obtain all the credentials needed to log in to your corporate network.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;They now have your username, the name of your corporate domain, and your password.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;All they have to do is get access into that domain, and they are in.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Your username and password exist on the domain, and are only cached on your computer, which means that they can access your account from any computer that can get access to your corporate domain, such as a VPN or other remote connection.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Another danger is that if they are able to steal your laptop (more on this later), they will have access to the data on it.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Remember – these people are everywhere.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;And if they are shoulder surfing to get your log-in credentials, they are also following closely to look for an opportunity to grab your laptop as well.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; 
class=&quot;MsoNormal&quot;&gt;The second (and more common) problem with being in close proximity to others is that they are often able to view what is on your screen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Are you working on a document with sensitive personal or company information?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Composing an offline email that you really don’t want others (especially strangers) to know about?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;How about that PowerPoint presentation chock full of corporate proprietary sales or engineering data?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Whatever it is, you have to either make sure you are only working on things that are completely dull and unworthy of your nosey neighbor’s interest, or make the screen un-viewable.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In other words, either pick non-sensitive stuff to work on during these times, or find a way to hide the screen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;For example, I usually pick some low-level instructional or procedure guide to work on while I’m flying, or just do some professional reading.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In particular, I keep a lot of pdf white papers and “eBooks” from various online sources on my computer for reading while on the plane.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;My job is such that professional reading and just keeping up are large parts of my work anyway – so it’s not like I’m goofing off.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;color: rgb(255, 255, 0);&quot;&gt;&lt;i style=&quot;&quot;&gt;Solutions:&lt;/i&gt;&lt;/b&gt;&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;For the password problem, if you are on a computer that is joined to a corporate domain, use a local account on the computer (one that does not have administrative privileges) – so that anyone watching you log in sees only a throwaway local password rather than your domain credentials – and set a temporary password that will only be good for the duration of 
your trip.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Of course, if you do this, you will have to make sure you know where to browse to on the computer to get to your documents in your “real” account, because the profile you log in with will have a “My Documents” folder in a different location.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I get around this by accessing only documents that I have placed on a flash drive.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If you are not joined to a domain, then just set a temporary password, and set it back to your actual password when you get home.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;One of the best solutions for this is to simply get a small fingerprint scanner to use to log into the machine.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Many are small, portable, and just plug into the USB port.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Keep in mind that a fingerprint reader mainly keeps the password off the keyboard, where it can be watched; the account is still protected by that password, so it still needs to be a strong one.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The newer laptops and tablet PCs even come with these built in.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;See &lt;a style=&quot;color: rgb(255, 255, 0);&quot; href=&quot;http://www.gonzosgarage.net/computers/archive0106.htm&quot;&gt;my article&lt;/a&gt; on biometric devices for more information.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;For the “prying eyes on the screen” problem, there are a variety of &lt;a href=&quot;http://www.thetravelinsider.info/2003/0131.htm&quot;&gt;filters&lt;/a&gt; you can buy that will obscure the screen when someone tries to view it from other than looking at it straight on. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;This particular solution will also help to obscure your username and other login credential information as you log in.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If they can’t see your username, the password will do no good.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But again, don’t give them any pieces of the puzzle if at all possible.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;As I always tell people:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;i style=&quot;&quot;&gt;“If they have even just your username, they then have 50% of the information they need to access your computer.”&lt;/i&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Of course, being the wisenheimer that I am, if I notice someone trying to “catch a wave” on “shoulder beach”, I simply open a document, set the font to a larger size (to make sure they can easily read it), and then start typing in some juicy “official looking” verbiage.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;After a paragraph or two, I start a brand new paragraph, and type in &lt;i style=&quot;&quot;&gt;“I think the nosey person sitting next to me is looking at what I am writing.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I hope they enjoyed my previous two paragraphs.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Now GO AWAY!”&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/i&gt;I have seen a red face or two resulting from that prank.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;br /&gt;&lt;/b&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Using Flash Drives:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Flash drives are portable and can store a lot of data.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Many people have 
resorted to using them because if they know they will have access to a computer at their destination, all they have to do is put their documents on the flash drive and leave the computer at home. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;Many cell phones and even iPods can be used for this purpose as well. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;The problem with these small flash drives is that they are easily lost or forgotten.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It isn’t uncommon for someone to use them in a public or borrowed computer and then forget to take them when they are finished.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;A lost flash drive means lost data.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Lost data can mean something as frustrating as losing work and having to do it all over again (if you didn’t have a backup copy somewhere else), or as devastating as putting sensitive information into a stranger’s hands.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Flash drives are cheap these days.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If you lose the flash drive, you can just go get another one.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But what about the data on the flash drive?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Is it replaceable?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Will it cost you if someone else has it?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Another issue surrounding the ubiquitous nature of these things is that some people seem to have a whole lanyard full of them around their necks.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Do you have a good inventory of how many you have?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If one came up missing, how long would it take for you to notice?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Kind of like the movie “Home Alone” where the family had so many kids that they 
didn’t notice little Kevin missing until they were in &lt;st1:place st=&quot;on&quot;&gt;&lt;st1:country-region st=&quot;on&quot;&gt;France&lt;/st1:country-region&gt;&lt;/st1:place&gt;! &lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;  &lt;/div&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;color: rgb(255, 255, 0);&quot;&gt;&lt;i style=&quot;&quot;&gt;Solution:&lt;/i&gt;&lt;/b&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;  &lt;/span&gt;The manufacturers of many of these drives have solved part of this problem for you.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Flash drives have the ability to be encrypted, and the software to do that is often included with the flash drive itself.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Typically, this encryption works by having you set up a password in order to access the data.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;You can encrypt all or only part of the flash drive’s contents – so make sure anything sensitive actually lives in the encrypted part.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If someone gets a hold of your flash drive, they can access anything that is not encrypted, but will need to know your password to access the encrypted data.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;That protection is only as good as the password, though: a short or guessable one can be tried at leisure against a copy of the drive, so use a proper passphrase.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In some cases (depends on the drive and the encryption software), you can set your encryption such that if a number of unsuccessful password attempts occur the data on the drive will be erased.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Be aware that this only helps when the drive’s own hardware enforces it; a wipe implemented purely in software on the host computer can be sidestepped by copying the raw contents first. 
&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Know how many you have and keep track of them.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If traveling, take only what you need – leave the other ones at home and in a safe place.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I promise – they won’t miss you.&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;  &lt;/div&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Using Common Area (&lt;/span&gt;&lt;st1:place style=&quot;color: rgb(255, 102, 0);&quot; st=&quot;on&quot;&gt;&lt;st1:placename st=&quot;on&quot;&gt;Business&lt;/st1:placename&gt; &lt;st1:placetype st=&quot;on&quot;&gt;Center&lt;/st1:placetype&gt;&lt;/st1:place&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;) Computers:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Many hotels have business centers with computers to allow their guests to access the Internet and their web based email.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In fact on my recent trip, I had full Internet access at the office I was visiting, but had to pay for Internet access if I wanted to use my laptop at the hotel.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The only thing I needed after hours Internet access for was to check my personal email, and I wasn’t about to pay $10 just for 5 minutes of use.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;My remaining option then was to use the business center, since using those computers was free of charge.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;A few problems 
present themselves in this scenario, however.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;One is that people use these public computers and often leave their surfing tracks for all to see.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The other is that some people forget to just close out of their applications, and yet another is leaving those little flash drives plugged in for someone to come along and retrieve later.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In fact, while in the hotel elevator on my most recent trip, I heard a woman telling her colleague that when he finished using the computer in the business center, he had left his email open, and she could have gone through all his email.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Worse, she could have launched a few questionable emails in his name.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;This is truly a dangerous situation.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;What if it had been a stranger, and not a trusted colleague?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;That person could have read email, sent a few of their own (under the email account owner’s name), looked at the address book to get a list of names of people at the company, and just in general could do some serious damage.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;All this done under the name of the person who owns the account.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;How do you prove that it wasn’t you who did those things?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;When I used one of the business center computers, I got curious and opened the browser history.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I saw a plethora of email sites and surfing history.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Wouldn’t be too hard to put together a few patterns and find out where some of these email servers existed.&lt;span 
style=&quot;&quot;&gt;  &lt;/span&gt;Depending on the cookies still on the machine, going to one of those sites may not even require me to log back in to access the account.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The cookie would remember that I (or more accurately the email account owner) was just there and just let me right back in.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;This is especially true if the previous user had left the web browser open.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;On a really malicious (and hopefully rare) side of things, a devious person could sneak into the hotel business center and put a &lt;a href=&quot;http://www.keyghost.com/&quot;&gt;keystroke logging dongle&lt;/a&gt; on the back of the computer between the keyboard and the computer, or in a USB port.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Such a device is used to capture everything typed into the keyboard.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Which means that they can get the URL to your banking site, the username and password for your banking site, and the contents of an email or anything else that you type into the computer.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;These key loggers have legitimate investigative purposes, but are inexpensive and can be obtained by anyone – including thieves.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I say that this is (hopefully) rare, because most hotel business centers require a room key card to access – a person would (theoretically) have to be a paying guest in order to do this.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But many public computers often do not offer such access protection as that provided by hotel business centers.&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Solutions:&lt;/span&gt;&lt;span 
style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/i&gt;&lt;/b&gt;For the reasons mentioned above, it is very important to inspect a public computer before you use it and to clean up after yourself when you are done.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It takes a few extra minutes to do this, but you can’t put a price on the time it would take to straighten out the mess after you have been exposed because you didn’t have time to prevent these vulnerabilities.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Here are some important steps to take when using public computers:&lt;/p&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Do a      quick inspection of the back of the computer and any USB ports to look for      key logging devices.&lt;span style=&quot;&quot;&gt;   &lt;/span&gt;If you find      something, and are not sure, contact the management immediately and have      them investigate.&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Never      select the option to have “Windows remember me on this computer.”&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Do not allow the computer to store your      username and password on the machine.&lt;span style=&quot;&quot;&gt;       &lt;/span&gt;Some web-based email applications such as MSN will give you an      option to tell it that you are on a public computer and not remember      anything about your session. 
&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Delete      browser history, all temporary Internet files, and all cookies when you      are finished using the computer.&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Make      sure you are &lt;u&gt;logged out&lt;/u&gt; of any sites that you visited.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Just closing the browser is not good enough.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;You must click the “Log out” link on the      web site before closing the browser.&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Close all      instances of the web browser and all applications.&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Make      sure you take your flash drive when you leave.&lt;/li&gt;&lt;/ul&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Being the cheapskate that I am, however, my solution is that I try my best to only patronize hotels and coffee shops that provide complimentary Internet access to their guests.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;That way, I can avoid public computers altogether.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But sometimes that just doesn’t work out, and I end up staying somewhere that makes me pay additional fees for access.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In which case, the above solutions are a must.&lt;/p&gt;&lt;br /&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;PDAs/Blackberrys/Cell 
Phones:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Many of the same problems that exist with flash drives exist with these devices as well.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;They are small, easily lost, and can really store a lot of information.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;A Blackberry, for example is a phone, email client, and PDA all rolled into one.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Emails, contact lists, to-do lists, documents, and personal journals are just a few of the things that can be kept on these devices.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;A lost phone device can not only give away sensitive data, but can give someone access to a free phone.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;And watch what you are discussing.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;What you say can be as revealing as anything else – especially if you are one of those people who puts everything on speaker phone, even when in public.&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;  &lt;/div&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;color: rgb(255, 255, 0);&quot;&gt;&lt;i style=&quot;&quot;&gt;Solutions:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/i&gt;&lt;/b&gt;Just as you can do with your flash drives, you can password protect and encrypt the data on your PDA as well.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;On my Blackberry, for example, I can password protect access and encrypt the contents.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Not only that, but my Blackberry is set so that if someone types in an incorrect password ten times, the Blackberry erases all of the contents.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Then, for added security, the data is encrypted, so that even if someone takes apart the Blackberry, and somehow gets the data off of 
the chip, the data is encrypted and unusable.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Don’t discuss anything on your phone that you don’t want others in close proximity to hear.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If you are sitting next to me on the plane, just don’t use your phone – period!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I have no interest in what you have to say ;)&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Laptops:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Saving the best and biggest for last: Laptops (and the data on them) need a lot of protection.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;They can carry a lot of data, and are very attractive to thieves.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Keeping the laptop from being stolen is a job in and of itself, but if it does get stolen, there is more to worry about than just losing an expensive piece of hardware.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Keeping the data on it from being compromised is the really important issue at hand, and if someone can access the data, they can potentially do a great deal of damage.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;A big part of this problem is that even if they can’t log into the computer itself, and if they have the computer (physically), then they can remove the hard drive and put it into a computer that they can access.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In fact, many data recovery techniques rely on taking the hard drive out of the failed (or in this case inaccessible) computer and “slave” it into a working computer.&lt;span style=&quot;&quot;&gt;  
&lt;/span&gt;The working computer’s primary hard drive allows it to be booted up, and the slaved in hard drive contains data that can then be accessed.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;More clever people have freely available tools such as Knoppix (Linux on a CD) that they can use to boot up the computer, bypass the security on that computer, and access the data on the hard drive. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;In fact Knoppix can even be used to change the administrative password on a computer so that access can be gained through the more conventional method of booting up and logging in.&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;Solutions:&lt;/span&gt;&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/i&gt;&lt;/b&gt;There are some basic measures that will protect against access to a computer, but only if the computer is not stolen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In other words, these measures will work if you can keep the computer from being stolen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But once the computer is in unauthorized hands, these measures can be quickly bypassed.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;You can set a BIOS password that will prevent the computer from being booted into the operating system.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But this is bypassed by simply taking the hard drive out of the computer and putting it into a different computer.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Strong passwords for the operating system itself should also be used.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;As mentioned above, consider using temporary or “disposable” passwords.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Small biometric devices, such as fingerprint readers, are fairly inexpensive, and many laptop and tablet computers have 
a fingerprint reader built in.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Unfortunately, this can still be bypassed by putting the hard drive in another computer, or using a tool such as Knoppix to access the hard drive’s contents.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Encrypting the hard drive contents will help a great deal, even if the computer is stolen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Windows XP has the ability to do this using a built in feature.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Windows Vista has a built in tool called BitLocker.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Technologies such as that which is built into the BitLocker feature, for example, have the ability to protect data even if the hard drive is transferred to another computer.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The downside of that is that you need to make sure you remember your password for logging into the computer, or set up what is known as a “recovery agent,” or you will lose your encrypted data.&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Wrapping It All Up:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;There are many other dangers that I haven’t mentioned here, such as accessing wireless networks while on the road, but that is a topic in and of itself.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Wireless encryption, making sure you are not accessing an “evil twin” wireless access point, and a few other issues will be discussed in an upcoming article.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; 
class=&quot;MsoNormal&quot;&gt;But for the purposes of this article, I wanted to focus mainly on the more “physical” aspects of being secure on the road, as well as using built-in technologies to protect your data.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Shielding your laptop screen from prying eyes and preventing laptop theft are important ideas.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If your laptop is stolen, knowing that you took measures to prevent the data from being usable by unauthorized people is also a very important idea.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Other technologies, such as flash drives, cell phones, and PDAs, represent things that are small, easily forgotten, or easily stolen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Those items contain sensitive data as well, and must have data security measures proactively applied.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Once the data is in unauthorized hands, it must be assumed that it will be used for malicious or illegal purposes.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Even if you retrieve your items, it must also be assumed that the information was copied and will be used – unless you took measures to make it useless in the event that a loss occurs. 
&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;It is easy to be complacent when traveling.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;And, unfortunately, there are plenty of people out there willing to take advantage of this fact.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;By taking a few extra moments to think about what needs to be protected, take inventory of your technology rich possessions, and take the extra time to protect your data, you will ensure a more worry-free travel experience.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If I ever go into a hotel business center and see that you left your email open – man – I will hunt you down!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;(After I email a few jokes to your whole company, that is)&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;span style=&quot;&quot;&gt;            &lt;/span&gt;&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Additional Resources:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Web      Surfing in Public Places is a Way to Court Trouble:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;a href=&quot;http://www.nytimes.com/2006/08/22/technology/22secure.html?ex=1313899200&amp;en=dbe69b7dfa41df22&amp;amp;ei=5088&quot;&gt;http://www.nytimes.com/2006/08/22/technology/22secure.html?ex=1313899200&amp;en=dbe69b7dfa41df22&amp;amp;ei=5088&lt;/a&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Mobile      Computing: Traveling Without a Notebook:&lt;span style=&quot;&quot;&gt;       &lt;/span&gt;&lt;a 
href=&quot;http://www.pcworld.com/article/id,127595-c,notebooks/article.html&quot;&gt;http://www.pcworld.com/article/id,127595-c,notebooks/article.html&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Theft      tracking tools&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.absolute.com/&quot;&gt;http://www.absolute.com/&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.stolenlaptop.com/&quot;&gt;http://www.stolenlaptop.com/&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.lojackforlaptops.com/default.asp&quot;&gt;http://www.lojackforlaptops.com/default.asp&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;      &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;The 3M      Notebook Screen Privacy Filter:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;a href=&quot;http://www.thetravelinsider.info/2003/0131.htm&quot;&gt;http://www.thetravelinsider.info/2003/0131.htm&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Encrypting      files and folders&lt;/li&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 
0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.iopus.com/guides/efs.htm&quot;&gt;http://www.iopus.com/guides/efs.htm&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.practicalpc.co.uk/computing/windows/xpencrypt1.htm&quot;&gt;http://www.practicalpc.co.uk/computing/windows/xpencrypt1.htm&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx&quot;&gt;http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx&lt;/a&gt;&lt;span style=&quot;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;&quot;&gt;            &lt;/span&gt;&lt;span style=&quot;&quot;&gt;            &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx&quot;&gt;http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a 
href=&quot;http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true&quot;&gt;http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://www.winmagic.com/tech_support/efs.asp&quot;&gt;http://www.winmagic.com/tech_support/efs.asp&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;    &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;circle&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;a href=&quot;http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true&quot;&gt;http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;      &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Article:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Laptop Security Part 1:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;&quot;&gt;            &lt;/span&gt;&lt;a href=&quot;http://www.securityfocus.com/infocus/1186&quot;&gt;http://www.securityfocus.com/infocus/1186&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;      &lt;ul style=&quot;margin-top: 0in;&quot; type=&quot;disc&quot;&gt;&lt;li class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;Article:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Laptop Security Part 2:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;&quot;&gt;            &lt;/span&gt;&lt;a 
href=&quot;http://www.securityfocus.com/infocus/1187&quot;&gt;http://www.securityfocus.com/infocus/1187&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/4975966833588559023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/4975966833588559023?isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/4975966833588559023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/4975966833588559023'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/05/security-tips-to-keep-you-safe-while.html' title='Security Tips To Keep You Safe While Traveling'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-5095300612193540421</id><published>2007-05-02T21:46:00.000-06:00</published><updated>2008-12-09T18:20:51.306-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="OS"/><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability"/><category scheme="http://www.blogger.com/atom/ns#" term="Windows"/><title type='text'>The First 90 Days of an Operating System</title><content type='html'>&lt;div 
align=&quot;justify&quot;&gt;People who know me know that I often complain about Microsoft systems because of the constant vulnerabilities they seem to have. &quot;Patch Tuesday&quot; is always an interesting time for me, as it typically provides a lot of work. But I read a recent article that outlined the vulnerabilities that occurred within the first 90 days of the life of various operating systems. It was funny to see that, of all the operating systems discussed in the article, Red Hat Enterprise Linux 4 Workstation Reduced actually led the way with the most vulnerabilities in the first 90 days. Also mentioned were Ubuntu Linux, Novell SLED 10, and Mac OS X 10.4, all of which had more vulnerabilities than both Windows XP and Windows Vista combined.&lt;br /&gt;&lt;br /&gt;It appears that 1) Windows Vista has made great strides in plugging security weaknesses, and that 2) the Linux folks need to reassess their stance on just how much more secure Linux is than Windows. A thought from someone who tests and deploys patches on Windows systems from month to month: I still see a lot of work to be done, but this article really makes us security professionals step back and realize that security vigilance is important, no matter what OS you are working with. &lt;/div&gt;&lt;br /&gt;&lt;div align=&quot;justify&quot;&gt;I guess what I am trying to say here is that there is a lot of stereotypical information about where the problems are. As I mentioned in a &lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/09/microsoft-is-still-not-problem.html&quot;&gt;previous article&lt;/a&gt;: Microsoft is really not the problem. The problem is that people get so wrapped around the axle on making assumptions about that which they are familiar with. For example, the Linux people will swear that Linux is flawless, and the Novell people will feel likewise. 
Much vigilance gets lost regarding educating users, and just keeping up on the day to day maintenance of the systems you do have. Educate your users, keep your systems patched, and at the end of the day, you Windows users will have an environment that is every bit as safe as that which the Linux folks claim to enjoy.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Article Link: &lt;a href=&quot;http://www.csoonline.com/pdf/Vista_Vuln_Report.pdf&quot;&gt;http://www.csoonline.com/pdf/Vista_Vuln_Report.pdf&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhksNEDVsBqMz1NWlfXHOpFreo5xXboD_2h8Qg_YBrGNKP5q3FMDOFZ-SopDRU0yeNSc5Pil9s0uyrF1n2ShN9akEs9tKNbRw1dMbZnV3rFrFB5APjmEoeXlu0GwssSI-x1N3X50w/s1600-h/funny_world_domination.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhksNEDVsBqMz1NWlfXHOpFreo5xXboD_2h8Qg_YBrGNKP5q3FMDOFZ-SopDRU0yeNSc5Pil9s0uyrF1n2ShN9akEs9tKNbRw1dMbZnV3rFrFB5APjmEoeXlu0GwssSI-x1N3X50w/s320/funny_world_domination.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5060555142026370322&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/5095300612193540421/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/5095300612193540421?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/5095300612193540421'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/31280098/posts/default/5095300612193540421'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/05/first-90-days-of-operating-system.html' title='The First 90 Days of an Operating System'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhksNEDVsBqMz1NWlfXHOpFreo5xXboD_2h8Qg_YBrGNKP5q3FMDOFZ-SopDRU0yeNSc5Pil9s0uyrF1n2ShN9akEs9tKNbRw1dMbZnV3rFrFB5APjmEoeXlu0GwssSI-x1N3X50w/s72-c/funny_world_domination.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-2728762884912269577</id><published>2007-05-02T18:26:00.000-06:00</published><updated>2007-05-04T19:28:52.702-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="certification and accreditation"/><category scheme="http://www.blogger.com/atom/ns#" term="federal"/><category scheme="http://www.blogger.com/atom/ns#" term="fisma"/><category scheme="http://www.blogger.com/atom/ns#" term="information assurance"/><category scheme="http://www.blogger.com/atom/ns#" term="nist"/><category scheme="http://www.blogger.com/atom/ns#" term="omb"/><title type='text'>Federal Information Systems - Information Assurance Reference</title><content type='html'>&lt;div align=&quot;justify&quot;&gt;I wanted to take this opportunity to post a quick &quot;cheat sheet&quot; on the various resources needed for the certification and accreditation (C&amp;A) of federal information systems, as well as some 
other related resources.  A number of federal C&amp;amp;A things are changing.  For example, rather than using the NIST 800-26 self-assessment questions, C&amp;A will be done by making assessments against the NIST 800-53 controls.  Some organizations use NIST 800-53, and some use 800-53, Rev 1.  Here is a quick list of the publications and regulations that apply to federal systems.  Enjoy.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;National Institute of Standards and Technology (NIST):&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf&quot;&gt;SP 800-100&lt;/a&gt;&lt;br /&gt;Information Security Handbook: A Guide for Managers&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf&quot;&gt;SP 800-12&lt;/a&gt;&lt;br /&gt;An Introduction to Computer Security: The NIST Handbook&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf&quot;&gt;SP 800-14&lt;/a&gt;&lt;br /&gt;Generally Accepted Principles and Practices for Securing Information Technology Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf&quot;&gt;SP 800-18&lt;/a&gt;&lt;br /&gt;Guide for Developing Security Plans for Federal Information Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-23/sp800-23.pdf&quot;&gt;SP 800-23&lt;/a&gt;&lt;br /&gt;Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated 
Products&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf&quot;&gt;SP 800-26&lt;/a&gt;&lt;br /&gt;Security Self Assessment Guide for Information Technology Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf&quot;&gt;SP 800-27&lt;/a&gt;&lt;br /&gt;Engineering Principles for Information Technology Security (A Baseline for Achieving Security)&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf&quot;&gt;SP 800-30&lt;/a&gt;&lt;br /&gt;Risk Management Guide for Information Technology Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf&quot;&gt;SP 800-31&lt;/a&gt;&lt;br /&gt;Intrusion Detection Systems (IDS)&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf&quot;&gt;SP 800-34&lt;/a&gt;&lt;br /&gt;Contingency Planning Guide for Information Technology Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf&quot;&gt;SP 800-36&lt;/a&gt;&lt;br /&gt;Guide to Selecting Information Technology Security Products&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf&quot;&gt;SP 800-37&lt;/a&gt;&lt;br /&gt;Guide for Security Certification and Accreditation&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf&quot;&gt;SP 800-42&lt;/a&gt;&lt;br /&gt;Guideline on Network Security Testing&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a 
href=&quot;http://csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf&quot;&gt;SP 800-47&lt;/a&gt;&lt;br /&gt;Security Guide for Interconnecting Information Technology Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-51/sp800-51.pdf&quot;&gt;SP 800-51&lt;/a&gt;&lt;br /&gt;Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf&quot;&gt;SP 800-53&lt;/a&gt;&lt;br /&gt;Recommended Security Controls for Federal Information Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf&quot;&gt;SP 800-53 Rev 1&lt;/a&gt;&lt;br /&gt;Recommended Security Controls for Federal Information Systems, Revision 1&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf&quot;&gt;SP 800-53A (DRAFT)&lt;/a&gt;&lt;br /&gt;Guide for Assessing the Security Controls in Federal Information Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf&quot;&gt;SP 800-55&lt;/a&gt;&lt;br /&gt;Security Metrics Guide for Information Technology&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/CryptoToolkit/kms/keyschemes-Jan03.pdf&quot;&gt;SP 800-56&lt;/a&gt;&lt;br /&gt;Recommendation on Key Establishment Schemes&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf&quot;&gt;SP 800-57&lt;/a&gt;&lt;br /&gt;Recommendation on Key management&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a 
href=&quot;http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf&quot;&gt;SP 800-60&lt;/a&gt;&lt;br /&gt;Guide or Mapping Types of Information Systems to Security Categories&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf&quot;&gt;SP 800-61&lt;/a&gt;&lt;br /&gt;Computer Security Incident Handling&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf&quot;&gt;SP 800-64&lt;/a&gt;&lt;br /&gt;Security Considerations in the Information System Development Lifecycle&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/checklists/docs/SP_800-70_20050526.pdf&quot;&gt;SP 800-70&lt;/a&gt;&lt;br /&gt;Security Configuration Program Checklists Program For IT Products - Guidance For Checklists Users and Developers&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;-------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Federal Information Processing Standards (FIPS):&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf&quot;&gt;FIPS 140-2&lt;/a&gt;&lt;br /&gt;Security Requirements for Cryptographic Modules&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf&quot;&gt;FIPS 199&lt;/a&gt;&lt;br /&gt;Standards for 
Security Categorization of Federal Information and Information Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf&quot;&gt;FIPS 200&lt;/a&gt;&lt;br /&gt;Minimum Security Requirements for Federal Information Systems&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;-------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Office of Management and Budget (OMB):&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;a href=&quot;http://www.whitehouse.gov/omb/circulars/a123/a123_rev.html&quot;&gt;OMB Circular A-123&lt;/a&gt;&lt;br /&gt;Management&#39;s Responsibility for Internal Controls&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://clinton1.nara.gov/White_House/EOP/OMB/html/omb-a130.html&quot;&gt;OMB Circular A-130&lt;/a&gt;&lt;br /&gt;Management of Federal Information Resources&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://clinton1.nara.gov/White_House/EOP/OMB/html/omb-a130.html#App3&quot;&gt;OMB Circular A-130, Appendix III&lt;/a&gt;&lt;br /&gt;Security of Federal Automated Information Resources&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div 
align=&quot;center&quot;&gt;-------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Laws and Regulations:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;a href=&quot;http://csrc.nist.gov/policies/FISMA-final.pdf&quot;&gt;FISMA&lt;/a&gt;&lt;br /&gt;Federal Information Security Management Act of 2002&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;center&quot;&gt;-------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Other Publications and Usefull Information Assurance References:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div align=&quot;justify&quot;&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;a href=&quot;http://www.cnss.gov/&quot;&gt;CNSS&lt;/a&gt;&lt;br /&gt;Committee on National Security Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.commoncriteriaportal.org/public/expert/index.php?menu=2&quot;&gt;Common Criteria&lt;/a&gt;&lt;br /&gt;Common Criteria for Information Technology Security Evaluation&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a 
href=&quot;http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf&quot;&gt;Common Criteria - An Introduction&lt;/a&gt;&lt;br /&gt;Brochure: An Introduction to the Common Criteria Project&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://iase.disa.mil/ditscap/index.html&quot;&gt;DIACAP&lt;/a&gt;&lt;br /&gt;DoD InformationAssurance Certification and Accreditation (will replace DITSCAP)&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://iase.disa.mil/ditscap/index.html&quot;&gt;DITSCAP&lt;/a&gt;&lt;br /&gt;DoD Information Technology Security Certification and Accreditation Process&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.gao.gov/new.items/d05231.pdf&quot;&gt;GAO-05-231&lt;/a&gt;&lt;br /&gt;Emerging Cybersecurity Issues Threaten Federal Information Systems&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://cve.mitre.org/&quot;&gt;Mitre&lt;/a&gt;&lt;br /&gt;Common Vulnerabilities and Exposures&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf&quot;&gt;NIACAP&lt;/a&gt;&lt;br /&gt;National Information Assurance Certification and Accreditation Process&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.nsa.gov/ia/industry/niap.cfm&quot;&gt;NIAP&lt;/a&gt;&lt;br /&gt;National Information Assurance Partnership&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.cnss.gov/Assets/pdf/cnssi_4013.pdf&quot;&gt;NIATS&lt;/a&gt;&lt;br /&gt;National Information Assurance Training Standard for System Administrators&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/SDLCinfosec/SDLC_brochure_Aug04.pdf&quot;&gt;NIST and SDLC&lt;/a&gt;&lt;br /&gt;Brochure: NIST and the Systems Development Lifecycle (SDLC)&lt;/div&gt;&lt;div 
align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;a href=&quot;http://www.us-cert.gov/&quot;&gt;US-CERT&lt;/a&gt;&lt;br /&gt;United States Computer Emergency Readiness Team&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;center&quot;&gt;-------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Topic Reference:&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Security Certification and Accreditation&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf&quot;&gt;SP 800-37&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf&quot;&gt;NIACAP&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://iase.disa.mil/ditscap/index.html&quot;&gt;DITSCAP&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://iase.disa.mil/ditscap/index.html&quot;&gt;DIACAP&lt;/a&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Security Controls&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf&quot;&gt;SP 800-53&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf&quot;&gt;SP 800-53 Rev 1&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf&quot;&gt;SP 800-53A (DRAFT)&lt;/a&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Security Categorization (C-I-A, High, Moderate, Low)&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf&quot;&gt;FIPS 199&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf&quot;&gt;SP 800-60&lt;/a&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;/span&gt;&lt;/strong&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/2728762884912269577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/2728762884912269577?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2728762884912269577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2728762884912269577'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/05/federal-information-systems-information.html' title='Federal Information Systems - Information Assurance Reference'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-2276289834317622347</id><published>2007-03-24T16:33:00.000-06:00</published><updated>2007-04-08T10:25:17.163-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="family"/><category scheme="http://www.blogger.com/atom/ns#" term="Internet"/><category scheme="http://www.blogger.com/atom/ns#" term="predators"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="stupid people"/><title type='text'>Online Predators – A Security Risk to Our Homes and Families</title><content type='html'>&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;I am going to take 
a break from enterprise information security and talk about computer security on the home front for a bit. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;The security aspects of online predators, children, and the Internet are yet again getting a huge amount of publicity, and are worth discussing. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;In a recent news article in &lt;st1:place st=&quot;on&quot;&gt;&lt;st1:city st=&quot;on&quot;&gt;Denver&lt;/st1:city&gt;&lt;/st1:place&gt;, &lt;a href=&quot;http://www.9news.com/news/local/article.aspx?storyid=66870&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;i style=&quot;&quot;&gt;“Police crack down on Internet predators,”&lt;/i&gt;&lt;/b&gt;&lt;/a&gt; police are using online chat rooms to lure predators into a situation where they think they are going to meet a child for sex, and they then actually get arrested.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The article goes on to list the names and personal information about these worthless scum for all to see.&lt;/p&gt;    &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;First of all – Good on the cops and law enforcement agencies nationwide who are cracking down on these worthless animals that prey on our kids.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Bad on the liberal morons who are criticizing this effort and saying that these people getting caught are victims of entrapment. &lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The predators are making the conscious decision to pursue their uncontrolled urges online.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The cops are just acting as the decoys for the predators to go after instead of the predators going after our kids. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;One predator going after a decoy means that one less kid is becoming the next victim. 
&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Kind of like why we use “honey pots” on our corporate networks – to give the bad guys something to attack so as to keep them distracted, and so that they won’t attack our real servers, right? &lt;span style=&quot;&quot;&gt; &lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Now – in my opinion, there are two parts to the solution for deterring would-be predators. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;One strategy being that which is already being done by our law enforcement agencies, as cited in the article. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;Shows like Chris Hansen and Dateline’s “To Catch a Predator” are giving high visibility to these pathetic people, and showing these perverts getting busted publicly, exposing them for who they really are.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Chris Hansen and John Walsh (“&lt;st1:country-region st=&quot;on&quot;&gt;&lt;st1:place st=&quot;on&quot;&gt;America&lt;/st1:place&gt;&lt;/st1:country-region&gt;’s Most Wanted”) are two of my biggest heroes. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;They are making a difference, and are truly positive forces in our society today. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;Good job guys – you are two of the true heroes of our time.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;The other part of this solution is that parents need to be more proactive in protecting children from these online perverts, and in fact protecting children from their own inability to protect themselves. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;Children are immature, lack experience, and just don’t have the knowledge and logical thinking tools developed yet to allow them to rationally deal with these types of situations. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;This is through no fault of children themselves &lt;span style=&quot;&quot;&gt; &lt;/span&gt;– that’s part of being a child, right? &lt;span style=&quot;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;&quot;&gt; &lt;/span&gt;Many will argue that parents should not censor their children’s activities.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;There is a fine line between censorship and protecting them.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;True, children can indeed think for themselves on many issues. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;But their thoughts are often not logically constructed, and tend to be rather impulsive at times.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Of course, I could say the same for many adults! &lt;span style=&quot;&quot;&gt; &lt;/span&gt;Children often do not know any better, believe what they are told, and these animals have become so good at disguising themselves that it is easy for a child to be deceived. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;Children think that they are hiding behind the anonymity of the Internet, and often feel very uninhibited when chatting online.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;They then get pulled into the webs spun by these scum bags.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Parents don’t need to hover over their children’s shoulders every minute that they are on the computer to be god parents.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Rather, they can take some very easy technical and low-tech steps to protect their children’s Internet usage.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;All they have to do is be a little pro-active and put a few safeguards in place to show their children that they care about them.&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Enforce Internet Hours:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;u1:p&gt;Much of what the experts will tell you about how to prevent your children from venturing into dangerous waters on the Internet has to do with not allowing them to be up all hours of the night chatting.  Even if you have the family computer in a common area as suggested, how do you monitor usage if it is late and you are already in bed?  If you have broadband service, you can use your router to specify hours of operation.  
Even if you have only one computer (and think you don’t need a router), people have heard me say over and over that you need to have one of these routers anyway - for the other security measures that they offer, such as firewall protection.  I am harping on people yet AGAIN to get one because the broadband router can also help you protect the people that use the computer, not just the data on the computer.  Most broadband routers allow you to set hours of operation for all or certain specified computers.  The computer will still work as it normally would - allowing your children to print, access files on another computer, and do their homework.  Should they be up all hours of the night doing it is your concern, but at least the Internet access will be turned off.  If you have multiple computers, you can limit Internet hours to some, but not necessarily all.  Many times I am in my office late at night researching something (during a bout of insomnia) and need the Internet to be accessible.  But the kids can&#39;t use my computer from fear of death, or at least my strong password gets in the way :)&lt;/u1:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;&lt;u1:p&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/u1:p&gt;&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Use Parental Controls:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;Just like the V-Chip on your television, your broadband router has the ability to help you sign up for and put parental controls in place.  You can specify and allow only content that is appropriate for your family, protecting them from questionable material and web sites that cater to a variety of offensive content from pornography to web sites that contain hidden malicious code.  
These sites are also often used for phishing and other identity theft scams.  Much of what is being discussed as far as the dangers of online predators is the idea that children are often lured to seemingly innocent web sites or chat rooms, but are then exposed to all kinds of things that can lead to, among other things, identity theft - theirs and yours.  By signing up for the parental controls services, you can leverage the ability of the service by knowing that they are keeping their definitions up to date and monitoring for the many new dangerous sites that pop up so that you don&#39;t have to worry about constant upkeep.  You can also specify your own list of prohibited web sites using your router&#39;s built-in functions as well.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Use Protection Software:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;There are also a wide variety of software packages out there that will allow you to permit and restrict web sites that your children can visit.  NetNanny is one such product.  There are many others - the &lt;a href=&quot;http://internet-filter-review.toptenreviews.com/&quot;&gt;Internet Filter Review&lt;/a&gt; web site provides a wealth of info, as well as software comparisons.  Many of these types of software allow you to prevent access to suspicious web sites, monitor chat room and email activities, and even send you alerts of suspicious activities that are taking place.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;Even the more sophisticated personal firewall software has the ability to restrict application access to the Internet.  
ZoneAlarm, for example, has the ability to allow or disallow any application of your choosing access to the Internet.  If you feel your children&#39;s usage of their favorite chat program has gotten out of hand or is suspicious, simply turn off access, talk to them about it, and then come up with a strategy for safer usage.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;For those of you who use Comcast broadband Internet service, McAfee Personal Firewall comes to you free of charge.  I use McAfee, although I have been a ZoneAlarm fan for many years - because it is free with my current service.  The McAfee product provides a very robust set of features to allow protect you and your system from harmful activities.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(0, 0, 0);&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;Upgrade to Windows Vista&lt;/span&gt;&lt;st1:place style=&quot;color: rgb(255, 102, 0);&quot; st=&quot;on&quot;&gt;&lt;/st1:place&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;The parental controls features of Windows Vista allows parents to more tightly control what and when their children use the Internet.  Parents can set hours for computer use, set sites as off-limits or even limit browsing to only a few sites, and even monitor what sites their children are viewing.  Easy to confuse this with censorship, but we are talking about children, after all.  It is (in my humble opinion) the parent&#39;s job to keep children from things that will hurt them or bring liability for illegal activities onto the parents.  This allows for a more granular setting of computer restrictions.  
The other thing I personally like about it is that the parental controls block what you specify, but give a reason why - letting the kids know that you are taking an active interest in their computer activities.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p&gt;&lt;b style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(0, 0, 0);&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;A Low Tech Approach to Web Site Access Prevention:&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;u1:p&gt;Within your computer is a low-tech way to prevent the computer from accessing questionable web sites and sites that host chat rooms called the HOSTS file.  When you type in a web site address or click on a link in your web browser, you have just told your computer you want to visit an address somewhere on the web.  We as humans can only think in terms of plain English names, like www.wflinn.com or www.google.com.   Our computers, however, only think of this in terms of addresses known as Internet Protocol (IP) addresses.  An IP address looks like the form 192.168.1.1.  For instance, what you know as www.wflinn.com is actually located at address  66.226.64.9. When you type in the plain English name, your computer has to do what is known as &quot;name resolution&quot; to find out what IP address you need to go to. The HOSTS file is a file that your computer looks to first to find out the IP address of a web site&#39;s location.  If it doesn&#39;t find a suitable address in the HOSTS file, it goes out to what is known as a Domain Name Services (DNS) server to get the address.  Therefore, if you put an entry into your HOSTS file to tell your computer the address of a specific site, it will look no further for the address.   
&lt;/u1:p&gt;&lt;/p&gt;      &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;So - you fake your computer out by telling it that the address of a questionable web site is 127.0.0.1. The address 127.0.0.1 is a special address - it is the loop-back address of your own computer.  Regardless of what address your Internet Service Provider assigns you, your computer&#39;s internal address is always 127.0.0.1.  When you tell the HOSTS file that the address of a questionable web site, such as www.myspace.com is actually 127.0.0.1, your web browser will try to go to that address, find out it is not a web server, and simply display the plain white &quot;Page not found&quot; error that you get when you try to go to a web site that doesn&#39;t exist.  I&#39;m not necessarily trying to pick on MySpace, by the way - but they have been singled out lately as one of the most popular sources that many online predators look to for victims, so I have chosen to outright block all access to that site from all of my computers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;This method, by the way, is an easy method for preventing all those annoying advertising pop-ups in your web browser.  There are many web sites where you can obtain entries to copy and paste into your HOSTS file - so you don&#39;t have to do the research to figure it out and type them all yourself.  The good news is that this method is easy, no cost, and works very well.  
The bad news is that it must be updated by hand, it blocks only the exact host names you list (www.myspace.com, not every other name that points at the same site), and if your kids are computer savvy, they can find this file and erase the entries to give themselves back access to web sites that you have blocked – unless they log on with a limited (non-administrator) account, which normally cannot write to it.
As I said, I am not going to get into this whole debate about what is and isn&#39;t censorship and invasion of privacy - that&#39;s up to you as parents to decide for yourselves.  I will, however, tell you that you can use technology to help enforce your choices, and I encourage you to explore and use the various technologies at your disposal to do so.  Not only will you be ensuring more safety for your family, but you will be adding to your overall computer security posture as well.&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot; style=&quot;&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;See my article on my web site from last year for a repeat of this information with images to help you configure the items mentioned in this article :&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;a href=&quot;http://www.gonzosgarage.net/computers/archive0506.html&quot;&gt;http://www.gonzosgarage.net/computers/archive0506.html&lt;/a&gt;&lt;/p&gt;      &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;color: rgb(255, 255, 0);&quot; class=&quot;MsoNormal&quot;&gt;Thought for the day:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Stupid people suck, but worthless predator scum suck even more!&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;center&gt;&lt;A HREF=&quot;http://www.copyscape.com/&quot;&gt;&lt;IMG SRC=&quot;http://banners.copyscape.com/images/cs-pu-234x16.gif&quot; ALT=&quot;Page copy protected against web site content infringement by Copyscape&quot; TITLE=&quot;Do not copy content from the page. 
Plagiarism will be detected by Copyscape.&quot; WIDTH=&quot;234&quot; HEIGHT=&quot;16&quot; BORDER=&quot;0&quot;&gt;&lt;/A&gt;&lt;/center&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/2276289834317622347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/2276289834317622347?isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2276289834317622347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2276289834317622347'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/03/online-predators-security-risk-to-our.html' title='Online Predators – A Security Risk to Our Homes and Families'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-6607254325004985990</id><published>2007-03-22T21:40:00.000-06:00</published><updated>2007-03-22T22:11:50.754-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="humor"/><category scheme="http://www.blogger.com/atom/ns#" term="organization"/><category scheme="http://www.blogger.com/atom/ns#" term="risk management"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="stupid people"/><category scheme="http://www.blogger.com/atom/ns#" term="threat"/><title type='text'>When 
“Smart” People Make Stupid Security Decisions</title><content type='html'>&lt;p style=&quot;text-align: justify; color: rgb(255, 0, 0);&quot; class=&quot;MsoNormal&quot;&gt;&lt;span style=&quot;font-size:78%;&quot;&gt;Warning:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Here’s the deal – I have had a week consisting of four “Mondays” in a row.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Bad drivers and stupid people have been working my last nerve, so I gotta vent! This is an angry rant about stupid people.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If you are a stupid person and you are easily offended, then you should turn away now.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Maybe go play on a porn site for awhile.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Either that or get some brains and rational thought, and you can join us for some intelligent conversation.&lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Here’s why I’m angry - I read an interesting article recently that highlights the folly of allegedly “smart” people who show their information security ignorance and make stupid decisions when they don’t even understand the most fundamental of technologies and reasoning behind information security requirements.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Then, when someone with intimate technical knowledge of what the issues are and how to solve them steps in, they are instantly rebuffed when even daring to mention the problems.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I have experienced this type of thing my whole working life:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I see people go through college, get a degree in underwater basket weaving, then somehow get into the pipeline to become managers.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Either that or they drink their way through college, become lawyers or 
doctors, buy beemers, and act like spoiled children the rest of their lives. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;I had to laugh when I read the following line in this article:&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;“The attitude among the legal staff was, ‘This is my computer and my network; you’re just a computer janitor.’”&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;&lt;/span&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;To give a quick synopsis of the article – there are a bunch of attorneys in a District Attorney’s office (city unknown).&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;These lawyers are the very buffoons behind creating an environment which operates with a wide open network, wide open access to data, and confidential data exposed to anyone on the network (and possibly outside the network) who wanted it.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Additionally, there were malware and peer-to-peer applications installed on numerous (most) computers throughout the office.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;When a network support person in the IT department mentioned the dangers of this existing environment, he/she was presented with numerous roadblocks – arguments from lawyers rationalizing how their activities (mostly music file sharing via Napster) were acceptable.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Lawyers, after all, are great at making an argument to support ANY position, no matter how lame 
or morally wrong it may be.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It appears from this article that they expended great energy to make their attitude toward information security seem justifiable instead of facing the fact that they were putting their network and data at grave risk. &lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Essentially, non-technical people were allowed to dictate the standards for technical systems, and all because they didn’t want to be inconvenienced and have their toys taken away.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The network support person was later fired for being insubordinate to his/her “betters.”&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In other words – he/she told these cry babies how it is, what it would take to fix it, and they didn’t like it.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Need I remind you – this was allegedly a District Attorney’s Office.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I sure wouldn’t want to be that District Attorney when the network gets breached, the data gets stolen, and even ends up getting distributed through the peer-to-peer sharing network.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Notice that I didn’t say “if,” I said “when” because it is going to happen unless they fix it and fix it quick, fast, and in a hurry. 
What a story that would be in the national news!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Of course it wouldn’t be the first time a top lawyer was found to be criminally negligent of something, now would it?&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;That is why this article seemed to call out to me because I hear of and even see the same thing everyday.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The attitude that:&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;i style=&quot;color: rgb(255, 255, 0);&quot;&gt;“Your computer security mumbo-jumbo is fine for everyone else, but don’t you dare inconvenience ME!”&lt;/i&gt;&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;It’s all about &lt;i style=&quot;&quot;&gt;“ME”&lt;/i&gt; and it’s all about the fact that these people are so very important that inconveniencing them would be the most heinous crime committed against humanity.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;And this &lt;i style=&quot;&quot;&gt;“ME”&lt;/i&gt; attitude is coming from people with master’s degrees, doctorates, professional status, and high power positions. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;Seems the richer they are, the more spoiled and whiny they are.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;&quot;&gt; &lt;/span&gt;The lawyers in this article are perfect examples.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But not only are these types of people complaining about security that keeps them from playing with their toys on the corporate network, some managers these days are complaining about security measures that are revealing large numbers of vulnerabilities and security problems. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;It’s not even that there are problems that need to be fixed – it is that the &lt;u&gt;numbers&lt;/u&gt; are making them &lt;u&gt;look&lt;/u&gt; bad.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It’s all about the numbers, and it’s all about looking bad.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;No thought is given to the fact that they look bad because they ARE bad.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If they want to look good, then why not just fix the underlying problems?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Is that so hard?&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;(This is the part where I rant about the bad drivers)&lt;/span&gt; This is the same population of people, no doubt, who are claiming the roadways as their own as they carelessly drive their beemers with no regard for others.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;While keeping a cell phone glued to their heads, they are then complaining that the speed limits and laws of common sense are keeping them from totally owning the road for themselves.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In fact just today, one of these morons couldn’t find a parking spot at our building, so they 
parked their car in the motorcycle parking – how stupid is that?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Justice was served – the campus police slapped a parking ticket right on that Mitsubishi.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Hope the laziness was worth it.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;(Bad driver rant completed).&lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;In many cases, it all comes down to this:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;“Your security reports are making me look bad, so my management is giving me heat and withholding my budget until I fix the problems.&lt;/span&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;So why don’t you come up with a way to make me not look so bad?”&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;i style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 255, 0);&quot;&gt;&lt;/span&gt;&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;They will try to rationalize how the data needs to be collected a different way so that the numbers (of problems) look better.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;My answer to that:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Rather than waste so much time and energy trying to manipulate numbers to make you &lt;u&gt;look&lt;/u&gt; good, why not just fix the problems and 
it will make you &lt;u&gt;be&lt;/u&gt; good – for real!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Manipulating numbers and hiding vulnerability problems is one way to make it look fixed, but taking real action will actually fix it.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But, as one of my graduate professors often said:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;font-style: italic; color: rgb(255, 102, 0);&quot;&gt;“Figures don’t lie, but a liar sure figures.”&lt;/span&gt;&lt;span style=&quot;&quot;&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt; &lt;/span&gt; &lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Another clever issue evasion strategy:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;the smoke screen.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;When faced with data that clearly shows that their area has problems, the management will ask irrelevant questions and demand explanations in order to throw off or divert effort.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;They have no idea what they are asking in many cases, and often look like jack asses because their questions show their glaring ignorance of information security concepts.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;These activities will often tie up security professionals for days while they make every effort to ensure that they are explaining the justification for valid and relevant security measures. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;Security people shouldn’t have to do this – it is a waste of time and keeps them from the business of keeping networks secure.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Security professionals shouldn’t have to agonize over how to explain something so simple to allegedly intelligent people.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;This is more like explaining to your small kids why they can’t run down the hall with scissors. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;But time after time, these people want to send us off to find an answer that will appeal to their twisted sense of logic.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It may not be the right answer, and it may not be the one that is actually going to solve the problems.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;This is what an acquaintance of mine refers to as a “find me a rock” exercise.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Someone will tell you to go find a rock, and when you bring one back, they say:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;i style=&quot;&quot;&gt;“No!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;That isn’t the kind of rock I wanted!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Go find me another one.”&lt;/i&gt;&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;These types of senseless tactics are meant to waste other people’s time and buy the stupid people some time to think up another excuse.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;And these people are making decisions!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Wow – no wonder so many companies are in trouble.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;OK – so let’s bite the bullet and see 
what it will take to do something about this.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;In the case of the lawyers in the story above, or even the situations I have described here, it is going to take some work - a lot of work - up front.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;It is going to take a huge amount of effort and many staff hours in the beginning.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But the interesting thing I have found is that if a methodical plan is put into place, and some reasonable time given to remediate the problems, they will eventually get fixed or at least minimized to a tolerable level.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If some well-spent time is dedicated up front toward attacking the problems, then the rest of the effort simply becomes a continual maintenance routine.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If there are a lot of security problems, it is a matter of prioritizing them in order of severity, tackling the most serious first, cleaning up the rest, then putting a plan in place to keep them under control.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;New security issues will always come up as new attacks are discovered, and patches from vendors are released.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But if the bulk of the serious issues are already taken care of, then tackling these new issues will be a fairly simple exercise.&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;But in order for any of this to work, people’s attitudes toward information security have got to change.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;IT people are not janitors, the computers and network that people in the work place are using do NOT belong to the workers, and these are not toys simply 
put in place for their enjoyment.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Being negligent about information security can get people in trouble – big trouble.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;So before a plan is put in place to tackle the technical issues, perhaps a plan should be put in place to teach security awareness.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Teach people why security is so important, how to be secure, and how they will be held accountable for non-compliance.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;The touchy feely attitudes have got to give way to terminating buffoons who refuse to comply.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;If you were a CEO, and your employees continually put your company’s finances, data and reputation at risk, just how long would you put up with it?&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot; class=&quot;MsoNormal&quot;&gt;My closing Thoughts:&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Computer Janitor – indeed!&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;My last tax return I reported income from salaries and earned military pensions in the $$$,$$$ range (six figures for you folks who didn’t get it).&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Many of my colleagues are pulling down similar salaries, and they are so far from being janitors – to make a statement such as that, or even think such a thing is just so wrong.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;I don’t know too many janitors who make that much money and have &lt;span style=&quot;&quot;&gt; &lt;/span&gt;post-graduate 
educations.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;But I see all too many instances where otherwise smart, educated people feel and behave just that way – they feel that the equipment and resources that they use on the job don’t belong to anyone but them, and that the IT people are just there to help them when they can’t figure out how to copy a document from one folder to another, or their mouse isn’t doing the little “clicky” thing like it should.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Heaven help anyone who should inconvenience these poor babies by telling them that they can’t run Napster un-abated on the corporate wire. Give me a break!&lt;span style=&quot;&quot;&gt;   &lt;/span&gt;Maybe there is a lot of validity to Nick Burns’ (Saturday Night Live) attitude toward users.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Automatic drink holder giving you problems today?&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Ooops – gotta run.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Time to get out the Swiffer and get after those viruses.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;And by the way… &lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;You’re Welcome!!!&lt;/span&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;    &lt;p class=&quot;MsoNormal&quot;&gt;Reference:&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;a href=&quot;http://www.networkworld.com/news/2007/022707-when-lawyers-use-napster-at.html&quot;&gt;“When Lawyers Use Napster At Work”&lt;/a&gt; (Anonymous, InfoWorld, 2/27/07)&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;What do you call 350 lawyers resting at the bottom of the sea?&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;A 
good start!&lt;/li&gt;&lt;/ul&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Stupid people – you can’t live with them, and there are only so many of them that you can cut up and stick in an ice chest.&lt;/li&gt;&lt;/ul&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Hey – my rat terrier is smarter than your CEO.&lt;/li&gt;&lt;/ul&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Hey you in the beemer – hang up and drive!&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;There is an epidemic in America - Fools! (Mr. T)&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/6607254325004985990/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/6607254325004985990?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/6607254325004985990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/6607254325004985990'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/03/when-smart-people-make-stupid-security.html' title='When “Smart” People Make Stupid Security Decisions'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-9195926767765167039</id><published>2007-03-19T21:10:00.000-06:00</published><updated>2007-03-20T17:47:24.163-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability"/><title type='text'>Why are Some Software Vendors So Security Unaware?</title><content type='html'>&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;It seems odd to me that software vendors are releasing products that have vulnerabilities, and that they do not do anything to patch them. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;In fact in some cases, patching the host operating system breaks certain of these errant applications, and the remedy from the software vendor is to put the original, vulnerable file right back in its place. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;For example, a security patch is released from the operating system vendor. 
&lt;span style=&quot;&quot;&gt; &lt;/span&gt;The minute it is applied, another third party application that relies on these files breaks.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Instead of the software vendor releasing a patch for its own product, it relies on a “self repair” method that just restores previous, vulnerable versions of the files that need to be fixed.&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;  &lt;/div&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;Clearly, the software vendors are not talking to each other.&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;Or they just don’t care that they aren’t fixing their applications to keep up with the threats. &lt;span style=&quot;&quot;&gt; &lt;/span&gt;Either way, these companies are causing more work for IT department security people, and they are putting systems at risk.  In &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/investigating-false-positives-and-other.html&quot;&gt;Part 2&lt;/a&gt; of my series on investigating false positives and other security anomalies, I discussed just such an instance - where a manual, self researched, and self developed fix had to be applied because the software vendor had no intention of fixing their product.  This was clearly a case where the vendor did not care that they were injecting vulnerabilities into my environment.  
Good thing I&#39;m not mentioning who it is here, eh?&lt;br /&gt;&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot; class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class=&quot;MsoNormal&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;Related Links:&lt;/span&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;  &lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;See the Software Hall of Shame – Vendors who do not support patching or other security efforts -&lt;span style=&quot;&quot;&gt;  &lt;/span&gt;&lt;a href=&quot;http://www.threatcode.com/&quot;&gt;http://www.threatcode.com/&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/assessing-information-security.html&quot;&gt;Investigating False Positives and Other Security Anomalies Part 1&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/investigating-false-positives-and-other.html&quot;&gt;Investigating False Positives and Other Security Anomalies Part 2&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/investigating-false-positives-and-other.html&quot;&gt; &lt;/a&gt;&lt;h3 style=&quot;font-weight: normal;&quot; class=&quot;post-title&quot;&gt; &lt;/h3&gt;  &lt;div class=&quot;post-body&quot;&gt; &lt;p&gt; &lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/9195926767765167039/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/9195926767765167039?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9195926767765167039'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9195926767765167039'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/03/why-are-some-software-vendors-so.html' title='Why are Some Software Vendors So Security Unaware?'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-8445056771860584822</id><published>2007-03-19T18:58:00.000-06:00</published><updated>2007-03-20T17:40:56.885-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patch testing"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability scanning"/><title type='text'>Investigating False Positives and Other Security Anomalies Part 2</title><content type='html'>&lt;div style=&quot;text-align: justify;&quot;&gt;In &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/assessing-information-security.html&quot;&gt;Part 1&lt;/a&gt; of this series, I talked about investigating vulnerability scan results where the scanner alerted on something and further investigation revealed that the vulnerability was a leftover file from an upgrade.  For example, the computer was upgraded from Microsoft Office XP to Office 2003.  
As far as Windows/Microsoft Updates and the enterprise patch management system are concerned, the computer is running Office 2003 completely patched for the installed software.  An in-depth investigation was performed which involved going into the scanner session logs and finding out which file caused the scanner to alert on the vulnerability.  Indeed it turns out to be a left over file from Office XP that Office 2003 doesn’t even use.  Renaming or removing the file fixes the vulnerability, and Office continues to work normally, so all fixed, right?  After all, it was a pretty straightforward fix – we knew that a Microsoft product was upgraded, the new Microsoft product didn’t clean up after the old version, and a vulnerability was left on the box.  The entire solution of renaming an old Office file seemed logical and one thing was related to the other.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Not so fast!  Let’s move on to the next type of scenario in the investigative process that is even a little more difficult to troubleshoot.  The vulnerability scanner alerts on something that experience showed was easily remediated by renaming a file or removing it.  The vulnerability was related to a left over file, and getting rid of it resolved the vulnerability – for the time being.  Later on, the computer is scanned again and the same vulnerability has returned.  Nothing had changed.  Nothing new was installed, and the same versions of the Office software are still on the machine.  So let’s take a more in-depth look at this type of scenario and see what happened.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;Scenario 3:&lt;/span&gt;  A scan is run, and the now much discussed vulnerability related to MS Office products has appeared on several computers.  
The previously developed fix of renaming or removing a vulnerable left-over file proves successful.  Later, these same computers are scanned again.  Many of them show that the vulnerability has been successfully remediated, but on a few of them, the vulnerability has reappeared.  Investigation into the scan session logs shows that the previously renamed vulnerable file is again the culprit causing this vulnerability to appear.  Physical inspection of the file system on the target computers verifies that the renamed file is still in its renamed form, but now another copy of the original vulnerable file is on the box.  One interesting thing is noted about these computers:  They all have something in common – they all have a piece of third-party software (not Microsoft software) installed.  The software title and vendor is not important here, and I don’t want to be accused (or worse) of name calling and accusing on the Internet, so I just won’t get into a name-calling session here.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Further in-depth troubleshooting reveals that again renaming the vulnerable file, and performing an immediate scan shows the vulnerability remediated.  Now for the next step:  verifying that all of the software works.  MS Office works fine, the corporate email client works fine, as do the web browser and other normally used applications.  The computer is scanned, and the machine is still clean of the vulnerability.  Since all of the computers with this problem had in common another piece of software, this particular application is tested last.  The application in question is started up, and produces an error.  The error is that there is a corrupt or missing DLL file, and it prompts the user to insert the original software CD for this application.  This is done, and the software repairs itself.  The application now runs normally.  Another scan reveals that the vulnerability is now present. 
 Looking at the folder on the computer where the vulnerable file resides, we see that sure enough the renamed file is still there, but the original vulnerable file has returned.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;In this case, it is clear that another piece of software (not from Microsoft) is related to, and interacting with, the Microsoft native files for an MS Office installation.  Not sure what to make of this, a call to the vendor’s tech support reveals that the suspect Microsoft DLL may be used by their software, but they are not sure.  This will have to be investigated further with the software developers.  There are some known versions of the DLL file that are not vulnerable, so the hypothesis was that replacing the offending DLL with a non-vulnerable version will fix the problem.  Replacing with a non-vulnerable version allows the software to operate normally and error free. A re-scan of the computer now shows that it is vulnerability free also.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;Note: As of this writing, the software company in question has no intention of fixing this vulnerability in their software.  I was in communication with them today and the tech support person I spoke with stated that the company will not be releasing a patch for this product - it is Microsoft&#39;s problem, evidently. 
This brings up the issue that a piece of third party software is latching onto a known application (Microsoft Office) for its functionality, and the vendors are not keeping up on the security ramifications of their software installing known vulnerabilities onto a computer.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;Investigations Start with Patch and Scan Testing Process:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;It is quite clear from the events discussed in the two parts of this article that a proactive strategy for patching and scanning is in order.  Such a strategy will ensure that vulnerability scanning is built in to the patch testing process so that 1) patches will be verified as being applied and that they do not have adverse effects on the system, and 2) the vulnerabilities that the patch is meant to target are actually being remediated.  Testing the patches as they are received will ensure that they apply properly and do not break applications.  Then a follow up of deploying patches to a pilot group will give the patches more rigorous testing in a real environment, and allow IT staffs to clear up any problems quickly before deploying to the full production environment.  Once this is done, a follow-up scan on those same pilot computers will verify whether or not the applied patch mitigated the vulnerability.  If it does, then the desired goal was achieved.  If it does not, then it is time to have an investigative process to find out if 1) the patch is not doing its job, or 2) the scanner is alerting on a false positive condition.  
This process will allow for the discovery of scanner alert anomalies as soon as possible, and a fix to be developed before the scanner hits the full production environment.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;It is important to note that testing patches and developing vulnerability remediations can be tricky in that hidden causes will sometimes not be found right away.  This was evident when scenario 4 as described above brought to light newly discovered problems for a situation that was thought to be previously resolved.  For this reason, it is important to carefully choose those users who will be in the pilot group for the second phase of patch testing.  They should be fairly computer savvy users who know how to properly respond to error messages, and that they also know how to carefully document any problems that they run into.  This is the group of people that will know that these errors are possibly going to occur, and won’t fly off the handle when they do.  They will know to calmly notify their IT support staff, and won’t panic and click through all the error messages until the IT staff has had a chance to see them and work the issues.  So having said all that, let’s take a look at the chronological steps that would take place in this whole testing and investigative process.&lt;br /&gt;&lt;/div&gt;&lt;p style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;The Steps (in chronological order):&lt;/p&gt;&lt;ol&gt;&lt;li&gt;The new patches are released from the vendor and the new cycle of patch and scan testing begins.&lt;/li&gt;&lt;li&gt;Non-production machines in a lab and/or virtualized environment are scanned and verified clean of all vulnerabilities before patch testing begins. 
 &lt;/li&gt;&lt;li&gt;All discovered vulnerabilities are remediated on the designated test machines before patch testing begins.  Those that cannot be remediated are documented with the reason why they cannot be resolved (i.e. false positive, etc.).&lt;/li&gt;&lt;li&gt;The new patches are first tested on the non-production machines in lab or virtualized environment.&lt;/li&gt;&lt;li&gt;All applications on the lab machines are tested for proper operation, and that no errors are experienced on the machines.&lt;/li&gt;&lt;li&gt;The scanner profile is verified to have the proper checks for the latest patches and other newly discovered conditions.&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Note:  This often happens after the new patches are released, and it can sometimes take a few days for the new scanning profiles to be configured on the scanner.  However, steps 1 – 5 can be performed prior to the new scanner profiles being configured.  Step 7 and beyond, however, are dependent on the scanner being configured to look for the new patches that are being tested in this phase.&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;A test scan is performed on the lab machines to verify that they are free of vulnerabilities. Any vulnerabilities found are investigated and resolved.&lt;/li&gt;&lt;li&gt;Patches are deployed to the designated pilot group of production users.&lt;/li&gt;&lt;li&gt;The designated pilot users are to use their computers for a pre-determined testing period.  
Three days to one week is recommended for this testing period.&lt;/li&gt;&lt;li&gt;A sample of this pilot group is selected for another verification scan, and the scanner is run against these machines to verify that the machines are clean of the vulnerabilities that the new patches were meant to mitigate.&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Note:   This step can be done concurrently with the operational testing period described in step 9.&lt;/li&gt;&lt;li&gt;Any vulnerability conditions that are related to the new patches that exist as a result of this scan are investigated, documented, and solutions determined.&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;The new patches are deployed to the remainder of the production machines.&lt;/li&gt;&lt;li&gt;Full scan of the production environment is run.&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Note:  The full scan of the production environment to look for the new patches should take place only after allowing sufficient deployment time.  This will vary depending on the size and geographical diversity of the organization.&lt;/li&gt;&lt;/ul&gt;&lt;/ol&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 102, 0);&quot;&gt;Wrapping It All Up:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Having a standardized, methodical approach to patching and scanning will help give more structure to the whole process.  Using a checklist, like the one above or a locally developed checklist, will help ensure that testing is performed properly.  It is easy to overlook things, and very easy to be led down an incorrect path when investigating the types of situations mentioned in this series.  
It is important to use several different tools and analyze the similarities and differences in information that each of the tools provides.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;So the lesson learned in this whole exercise is that IT staffs should be less prone to jumping on the “False Positive” bandwagon, and more inclined to using research and investigative techniques to find out what is really happening.  Don’t rely on just one analysis tool or set of data to make a conclusion.  Security is hard work, and often involves many steps to get it right.  Overlooking even a single vulnerability by claiming that it is a false positive gets it off your to-do list, but doesn’t actually clear it up – your machines are still vulnerable.   If the bits are on the box, you MUST remediate.  Calling it a false positive when it is not does not constitute a valid remediation strategy.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;br /&gt;Use some industry respected assessment tools, come up with a good (consistent) methodology, search for clues, and above all else – do some research and investigation!  As a line from the movie Apollo 13 goes – “Work the problem!  
Don’t make it worse by guessing!”  Guessing that it is a false positive is a dangerous habit to get into.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/8445056771860584822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/8445056771860584822?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8445056771860584822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8445056771860584822'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/03/investigating-false-positives-and-other.html' title='Investigating False Positives and Other Security Anomalies Part 2'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-6169681380310500064</id><published>2007-03-04T14:46:00.000-07:00</published><updated>2007-03-20T18:18:36.000-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patch testing"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability scanning"/><title 
type='text'>Investigating False Positives and Other Security Anomalies Part 1</title><content type='html'>&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;Find vulnerabilities on the computers on your network; apply a patch, and all done, right?&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Well, maybe, and maybe not.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Part of any good security program includes using a variety of tools to assess the risks in your environment.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Specifically, I am talking about the periodic vulnerability assessments that are performed on the desktop and server computers in your network.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Let’s assume you are an all Windows shop for the moment; On the most fundamental level, you get this risk assessment done for you every time you visit the Windows Updates site on the Internet.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The Windows Update site uses a scanning engine to determine what is installed on your computer, what the most current patching levels are, and whether or not your computer has those patches.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Same with your antivirus software – you are given the latest updates based on the most currently known threats and whether or not you currently have the definitions for those threats (in this case viruses).&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;Unfortunately, Windows Updates and your antivirus software aren’t the final and definitive answer about the status of your computer’s security level.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The same is true for any other single security assessment tool.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;In a large enterprise environment, it is often necessary to use a variety of tools 
to assess whether or not you are protecting your systems.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The information from one can often be used to validate or refute the information from the others. &lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;In other words, having multiple tools gives you a system of “checks and balances” in determining the total picture. &lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;Having multiple tools is also a good way to aid in investigations concerning the validity of security assessment information.&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;/div&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;The purpose of this article is to give some definitions of a few types of vulnerability assessment tools, discuss definitions of types of vulnerability indications, and discuss situations where investigations may reveal a different story than what was originally thought to exist.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;It is important to understand that vulnerability scanning and other assessments aren’t necessarily straight forward or cut and dried insofar as the information they can tell you about what vulnerabilities exist.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You often have to rely on your skills as an investigator to uncover the real story and figure out how to truly remediate the situation.&lt;/p&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;/div&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;First some definitions:&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;It is useful to understand the types of vulnerability situations that may be incurred at any given time.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The true existence of a vulnerable item or configuration must be known in order to remediate or mitigate the vulnerability.&lt;span 
style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;It is also important to understand the different types of tools used to obtain vulnerability information.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;To get an idea what I mean by that, take a look at the following definitions:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;Patch Management System:&lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;A system, usually centrally managed, that is used to assess patch statuses on end systems, determine which patches are applicable, and which patches need to be applied based on patching levels of the target system.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Such a system can then be used to deploy the patches to the end nodes, and return a follow-on assessment of whether or not the patch successfully applied.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Windows/Microsoft Updates and Microsoft Baseline Security Analyzer (MBSA) are fundamental examples of this.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Large enterprise environments may choose to use Microsoft WSUS or SMS, or third party tools such as Shavlik, Ecora, or PatchLink.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;These types of systems usually look at what patches are needed based on what operating system and software are installed.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;Vulnerability Scanner:&lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;These types of tools are a bit different in scope and purpose than patch management systems.&lt;span style=&quot;font-size:0;&quot;&gt; 
&lt;/span&gt;Whereas patch management systems look for needed patches based on what is installed and operating on the system, a vulnerability scanner usually looks deeper for the existence of certain files and registry entries, whether or not the files and settings are actually used. &lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;Scanners can also look for other vulnerable configurations, such as too many admin users on the box, passwords that don’t expire, and similar items.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Vulnerability scanners typically have scanning profiles that are based on &lt;a href=&quot;http://cve.mitre.org/&quot;&gt;CVE&lt;/a&gt; data and other vulnerability definitions.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;These profile definitions usually tell the scanner to look for the existence of certain file versions and date stamps that are known to be vulnerable.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;It doesn’t matter whether or not these files are actually in use, or are just left over files from an upgrade.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;If they exist, the computer is vulnerable.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The saying often heard in the security community:&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;“If the bits are on the box, you MUST remediate.”&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;True Positive:&lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;This means that a vulnerability item has been found, and it is correctly identified as existing on the computer.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;This is what is commonly referred to as a “known/known” situation.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: 
justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;True Negative:&lt;/span&gt;&lt;span style=&quot;color: rgb(102, 255, 255);&quot;&gt; &lt;/span&gt;One or more vulnerabilities that were being tested for were not found on the target machine, and they were correctly ruled out from existing on the machine.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Again – this is a situation of “known/known” data.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;&lt;span style=&quot;color: rgb(255, 153, 0);&quot;&gt;False Positive:&lt;/span&gt; &lt;/span&gt;Vulnerability was detected on the target, but investigation reveals that the vulnerability was incorrectly identified.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The danger here is that this may be ignored in the future, even if the vulnerability detection later reveals a true positive situation.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The other danger is that something is an evident false positive, but investigation reveals that another condition exists which caused the false positive to occur.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Is this, then, really a false positive?&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;More on that later.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;False Negative:&lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;A vulnerability condition exists on the target machine, but the vulnerability assessment tools failed to identify it as being present.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;This is the most dangerous of all situations – your nodes are vulnerable, but you don’t even know 
it.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;For the reasons alluded to in the definitions above, it is necessary to use a combination of these tools to get a true picture of an end node’s vulnerability status.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;Multiple tools that agree on vulnerability information can leave you with a pretty good level of confidence about whether or not vulnerabilities exist.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;If the tools don’t agree, however, then that should immediately cause you to launch an investigation to determine the true status.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Unfortunately, the false negative situation may still exist.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;As mentioned before, this is truly the most dangerous situation where your vulnerability status is concerned, because you really “don’t know what you don’t know.” &lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;And your tools may simply all be in agreement that a vulnerability does not exist when it really does.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Fortunately, this particular scenario in which all tools agree on a false negative is very rare. 
&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;False Positive?&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;For an example of how a seemingly “false positive” situation exists that is worthy of further investigation, consider the following scenarios:&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;Scenario 1:&lt;/span&gt; A computer on the centralized patch management system shows that it is completely patched and up to date.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Even a visit to the Windows Updates site reveals that the computer is up to date – no critical patches are offered.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;A later scan with a vulnerability scanner reveals that a vulnerability item exists on the computer.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;An in depth investigation includes using multiple tools to verify the vulnerability – the patching tools once again all say that the computer is patched, the vulnerability scanners again all say that it is vulnerable.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Further investigation leads to a review of the session logs generated when the vulnerability scanner performed its scan.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The logs reveal that a particular DLL file exists in the \Common Files\Office10 folder of the computer.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You immediately say “Wait a minute!” because you know that the computer is now running MS Office 2003, which uses the Office11 folder for its files.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;The real story is that the computer was upgraded from MS Office XP to MS Office 2003, and the vulnerable DLL file is just a leftover.&lt;span 
style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Here it is a seemingly false positive, but really and truly, the bits are on the box – the box is vulnerable.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;“If the bits are on the box, you must remediate.”&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;In the case above, testing revealed that simply renaming the file removed the vulnerability.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;This is done, by the way, in case doing so breaks an application, and roll-back is needed to troubleshoot.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;If it turns out that this file is indeed needed by some other program, then a non-vulnerable version can be obtained from the vendor and the vulnerability will be resolved.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Exploits often target a file of a specific name, and if the file is not found (even if it is renamed) then the exploit won’t be effective.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-weight: bold; color: rgb(255, 153, 0);&quot;&gt;Scenario 2:&lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt; &lt;/span&gt;&lt;/span&gt;Your patch management system says that your computers are all the way patched, good to go (hint: all the way patched for the &lt;u&gt;current software installation&lt;/u&gt;).&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Your vulnerability scanner then says that the computers are vulnerable for several MS Office patches.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You double check, and sure enough, the patch management system says that those patches are applied.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;A visit to Windows Updates offers you no critical patches.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;So you 
dig out your MBSA tool and do a few scans.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;MBSA even says that those particular patches are applied.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;But wait a minute:&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You look further into the MBSA scan data and it reveals that a service pack for MS Office has not been applied.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You apply the service pack.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You perform another vulnerability scan – the office patches are still needed.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Now you go to the Windows Updates site and your centralized patch management system, and wouldn’t you know it?&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Those patches called out by the vulnerability scanner are now needed.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You apply the patches and you are now clean.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;How did this happen?&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Remember: I gave you the hint in the beginning of the scenario that the computers were patched for the software that was &lt;u&gt;currently installed&lt;/u&gt;.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Installing that MS Office service pack significantly changed that installation, and the old patches that were installed only applied to a computer that did not have the latest service pack.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;There were newer versions of those same patches that applied to the latest service pack.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;You applied these new patches, and then all of your assessment tools show that you are now clean and fully up to date.&lt;/p&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Wrapping it All Up:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;text-align: justify;&quot;&gt;Vulnerability assessments are a vital part of your security program, and often involve using multiple tools to be effective.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;One tool will act as a system of “checks and balances” against each of the others.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;It is easy to get lulled into a sense of false security if only relying on one tool – it is even possible that all of your tools won’t find all of the problems.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Remediation is not always straightforward either.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;Applying the patches doesn’t fix everything, and sometimes your system is vulnerable for things that can’t be patched. &lt;span style=&quot;font-size:0;&quot;&gt;&lt;/span&gt;In some cases, changing a configuration by simply applying a service pack drastically changes the picture.&lt;/p&gt;&lt;p style=&quot;text-align: justify;&quot;&gt;It is often necessary to rely on investigative skills and go in directions that are seemingly irrelevant. But by relying on multiple tools, performing sound investigations, and keeping up with due diligence, it is possible to minimize risk on your network and keep the threats somewhat in check. Remember: You will never eliminate risk completely. You can only hope to minimize it. But by having valid data from a variety of sources, you can make prudent risk assessments and ensure that your environment is as secure as possible. 
&lt;/p&gt;&lt;br /&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;font-weight: bold;&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;font-weight: bold;&quot;&gt;&lt;span style=&quot;font-weight: normal;&quot;&gt;On to &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/03/investigating-false-positives-and-other.html&quot;&gt;Part 2&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;font-weight: bold;&quot;&gt;&lt;span style=&quot;font-weight: normal;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;font-weight: bold; text-align: justify; color: rgb(255, 102, 0);&quot;&gt;Additional Resources:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Microsoft Baseline Security Analyzer:&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;&lt;a href=&quot;http://www.microsoft.com/technet/security/tools/mbsahome.mspx&quot;&gt;http://www.microsoft.com/technet/security/tools/mbsahome.mspx&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Vulnerability Scanners Explained:&lt;br /&gt;&lt;a href=&quot;http://www.windowsitpro.com/Article/ArticleID/43888/43888.html&quot;&gt;http://www.windowsitpro.com/Article/ArticleID/43888/43888.html&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Free Vulnerability Scanning Tools:&lt;br /&gt;&lt;a href=&quot;http://netsecurity.about.com/od/vulnerabilityscanners/Free_Vulnerability_Scanning_Software.htm&quot;&gt;http://netsecurity.about.com/od/vulnerabilityscanners/Free_Vulnerability_Scanning_Software.htm&lt;/a&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Retina Single Audit Scanners:&lt;br /&gt;&lt;a href=&quot;http://www.eeye.com/html/resources/downloads/audits/NetApi.html&quot;&gt;http://www.eeye.com/html/resources/downloads/audits/NetApi.html&lt;/a&gt;&lt;/p&gt;Foundstone Free Scanning Tools: &lt;span style=&quot;font-size:0;&quot;&gt;&lt;br /&gt;&lt;a 
href=&quot;http://www.foundstone.com/&quot;&gt;http://www.foundstone.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Dirty Dozen: 12 Ways to Kill False Positives:&lt;br /&gt;&lt;a href=&quot;http://www.bcs.org/server.php?show=ConWebDoc.9384&quot;&gt;http://www.bcs.org/server.php?show=ConWebDoc.9384&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/6169681380310500064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/6169681380310500064?isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/6169681380310500064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/6169681380310500064'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/03/assessing-information-security.html' title='Investigating False Positives and Other Security Anomalies Part 1'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-8402873082157175343</id><published>2007-01-28T20:31:00.000-07:00</published><updated>2007-04-09T22:20:47.190-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="certifications"/><category scheme="http://www.blogger.com/atom/ns#" term="education"/><category scheme="http://www.blogger.com/atom/ns#" term="job search"/><category 
scheme="http://www.blogger.com/atom/ns#" term="training"/><title type='text'>The Certification-versus-Experience Conundrum – Part 3</title><content type='html'>&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Gaining experience can be a difficult task for a potential job candidate, especially when they are fresh out of school. As I mentioned in the &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience.html&quot;&gt;Part 1&lt;/a&gt; and &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_15.html&quot;&gt;Part 2&lt;/a&gt; segments of this series, job candidates often seek out certifications as a way to validate experience, even if they really don’t have the actual experience needed to be considered “truly” certified. After all, certifications were meant to validate prior experience, not the other way around - experience validating prior certifications. And jobs that require certifications therefore require a certain amount of experience as a prerequisite qualification. So how is it, then, that job candidates seeking even entry level jobs are feeling pressure to become certified and prove skills for which they really have no experience? Some have the knowledge and experience they gained in college or other post-secondary training. In some cases, these people have no real knowledge of the technology other than what they have read in books. 
I think that some of the answer to this part of our continuing conundrum can be found by first defining what we think of as experience in a traditional sense, and maybe looking at ways to gain job and technical experience in nontraditional ways.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;If we look at the various traditional ways of gaining job experience, it is evident that the experience most valued is that which a person accumulates doing various jobs. But how does a person get experience if they are just starting out? Are there other ways that will prove to be just as valuable? I think that there are. I think that we can actually break the existing paradigms of how experience is actually gained. As I mentioned, we most often think of “experience” only in terms of what a person has gained while actually employed in a so called “real” job. However, if we seek to think of ways to make nontraditional settings, such as academics, volunteering, and even the job interview process as valuable ways to gain experience, then we can actually get a better picture of what a person has actually been exposed to. There are many different avenues for one to shape their own problem solving skills, and these nontraditional ways of gaining experience will be just as valuable in determining what people are able to bring to the table. Isn’t experience, after all, simply a way that we measure how much exposure a person has had to various tasks and problems, and how much time they have spent learning how to find solutions? If that is the case, then it is very important to understand that there are various ways to gain this experience, to learn how to solve problems and to get repetitive exposure to tasks in other ways. So let’s take a look at some of the other ways that a potential IT professional can build up their experience portfolio. 
&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;FONT-WEIGHT: bold&quot;&gt;&lt;br /&gt;Students:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;?xml:namespace prefix = o /&gt;&lt;o:p&gt;&lt;/o:p&gt;Your road to gaining real experience doesn’t just start the minute you graduate from tech school or college. Far from the truth! You need to start thinking about accumulating (and documenting) experiences before you even step into your first class. Assuming you are going to college or at least a vocational technical school of some sort, shop around for schools that will help you accumulate experience. Look for the schools that are going to give you the type of education that involves lots of hands on training, and has a reputation for making their students do a lot of research and writing. Yes, I said writing! Communications is a highly valuable skill in any workplace, and especially important in the IT workplace. The more experience you have writing and researching, the better off you will be. Schools that offer training as part of a Cisco Networking Academy, for example, are more likely to offer you an assurance that you will spend a great deal of time in labs, with real computers, routers, and switches. You will spend a number of months – actually up to two years, continuously putting your hands on current equipment, performing actual tasks, and preparing you for the first level of the Cisco certifications (CCNA). Additionally, the Cisco training involves doing a number of case studies, where you will be given a series of scenarios, and will be required to come up with a solution. Again, there is that “research and writing” part of your education from which you will gain valuable exposure. 
Many tech schools, colleges, and universities are part of the Cisco Networking Academy system – look into one that will offer this training.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot; align=&quot;justify&quot;&gt;Some additional ways to gain valuable experience: Colleges and universities are more and more requiring instructors to place a very heavy emphasis on writing and reporting. You are in school to learn about more than computers and networks; you are there to learn how to be good employees, and how to communicate both orally, and in writing. There are many other skills that fall under what are known as the SCANS skills. These are skills that go way beyond just the technical aspects of the job. For more information on SCANS, &lt;a href=&quot;http://www.gonzosgarage.net/education/scans.html&quot;&gt;see my article here&lt;/a&gt;.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot; align=&quot;justify&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;br /&gt;Take advantage of these writing assignments by looking at these assignments as a way to gain experience, and especially as a way to get an early start at showcasing your ability to solve problems and communicate. Your instructors want you to do more than regurgitate a few well chosen articles and book paragraphs onto a research paper, in which you simply parrot what you have read. Take the initiative and take this a step further. When you are researching a topic, ask the tough and critical questions.&lt;span style=&quot;font-size:0;&quot;&gt; &lt;/span&gt;What questions does the information you are reading about bring to mind? Can you identify a particular problem that has surfaced? Does this lend itself well to turning into a case study? 
All of these things can lead you in a direction that will help you not only research a particular technology, but identify problems, and allow you to come up with your own solutions. Your solutions may be right or wrong. It doesn’t matter. The main point is that you are starting to bring out your ability to use critical thought processes and solve problems. In doing so, not only are you meeting an academic requirement, but you are creating something that can be used in your portfolio of experience as well. Besides, if you find yourself applying for a position that requires a lot of writing, you will be asked to provide samples of your writing. As you progress through your studies, you will further develop your writing skills, and the papers you produce will be of higher and higher quality. This will all culminate in a well developed portfolio of your own work that you can use to prove your experiences and abilities.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot; align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;To give you an example why this is important: Back when I was teaching networking and computing technologies, the various employers on our academic advisory committee would tell us that teaching students the technical aspects of the job should only be secondary to teaching them how to be “people” and how to think critically. In other words, they were asking us to teach them the foundations of the technology, and then heap on lots of exposure to critical problem solving, communication, and teamwork. If the tech school (or college) could take care of that part, then the employer would take care of getting them up to speed in the current and more advanced technologies through on the job and other training. 
&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;FONT-WEIGHT: bold&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;FONT-WEIGHT: bold&quot;&gt;Employers:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;OK, employers, time to pick on you again. What is it that you are looking for? Are you looking for candidates who can successfully answer a battery of technical questions? Or are you looking for people who can immediately contribute to your organization? If they answer all of the technical questions to your satisfaction, then you have an idea that they at least know something about the technology. If you do as I recommended in Part 1 of this series and ask questions that are based on certification objectives, then you have an idea that they have a good foundation of knowledge about the technology. Either that or they are fresh out of the exam and still have the important stuff memorized. Anyway, lets go ahead and give folks the benefit of the doubt, and just assume that they really do know their stuff, and move on to find out more about their ability to solve abstract problems.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;You are now at the point in the interview process where you want to move past foundational knowledge and find out about their critical thinking and communications skills. I read a very interesting article recently about ways for employers to ask one very valuable interview question, and how to assess the candidate’s ability to research a real problem and come back with a solution. 
In &lt;a href=&quot;http://www.jgifford.com/Articledisplay.asp?ID=48&quot;&gt;an article&lt;/a&gt; on his company’s web site, human resources and technical recruiting expert &lt;a href=&quot;http://www.jgifford.com/&quot;&gt;James Gifford&lt;/a&gt; advises calling interview candidates ahead of time, giving them an opportunity to research the company and explain how they will contribute to the organization. I would add here that you can additionally (or alternatively) ask them to solve a problem, either a real one that the company is experiencing, one that was solved in the past, or even a plausible fictitious problem that you anticipate could happen to your organization. Tell the candidates to come to the interview ready to explain how they would approach and solve the problem, and make an immediate contribution to the company. They do that, Mr. Gifford explains, by researching company literature, speaking with selected employees, and gaining a feel for the organization - just as if it were their first day on the job. Mr. Gifford further mentions that a number of candidates will be eliminated immediately because many will not even want to expend the effort to research the problem and come up with a solution. 
Those that make the effort, however, may or may not come up with the exactly correct solution, but this will give you an idea of their ability to think critically, understand your specific environment, and present possible solutions.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;span style=&quot;FONT-WEIGHT: bold&quot;&gt;Job Candidates:&lt;/span&gt; &lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;If you are faced with the type of interview mentioned above, then this is your opportunity to sink your teeth into a real-life situation and offer ways to sell yourself to the company. If not offered this opportunity, then you can turn the tables a bit and take this as a challenge yourself. When invited to an interview, take a few moments to ask if they would be willing to briefly share with you a particular challenge or situation towards which they are hoping the new hire will be able to contribute. Even if they won’t share this with you, you can still research the company, read their literature, and become familiar with the environment. Do you know anyone who works for this company? Ask them some questions and gather some insight as to what kinds of technical challenges they are facing. Research industry best-practices dealing with that particular technology or industry segment, and then be prepared to discuss how you can apply these best practices to their company.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Be prepared to talk about more than just your memorization of computing technology facts and figures. 
You will usually be given opportunities to ask questions about their organization. Take some initiative and ask about what they feel are the most pressing technical challenges they face, and then use your recent research into best-practices and industry solutions to sell them on how you can contribute to their company. Will you have to think on your feet to make this a successful interview? Most certainly! But then again, being an IT professional is all about thinking on your feet and being able to quickly articulate a problem, and the solutions, every day. Additionally, the interview process is just as much an opportunity for you to shop for a potential employer as it is for them to shop for an employee. By taking some initiative and doing your homework, you will build up your own experience in tackling problems, as well as finding out if the potential employer is even a good fit for you.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;If you didn’t get the job, follow up and ask what you could have done better to win the offer of employment. Ask about how they felt you were able to articulate your understanding of the questions and offer answers. What did you do well? What did you need to improve upon? Use this as a learning experience to do better at the next interview. 
Who knows, you may be back for a future interview with that very company.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;FONT-WEIGHT: bold&quot;&gt;Wrapping It All Up:&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Part 3 of this series was all about preparation. Preparation early on in your academic career leads to experience that you can use towards proving yourself on the job. As we used to say in my teaching days: &lt;span style=&quot;FONT-WEIGHT: bold; FONT-STYLE: italic&quot;&gt;“This isn’t practice, this is real life!”&lt;/span&gt; This preparation starts, or at least SHOULD start, before you even walk into the first classroom when you start college. Find an academic setting that will let you roll up your sleeves and get your hands dirty. In my opinion, if you can configure a network router in a classroom and make it communicate with a network, then that is just the same as if you configured that same router in the telecommunications department of a real company. If you fix a complex computer problem in a lab, it is the same as if you fixed it in someone’s cube in an office. Same equipment, same issues, it is just that now you are getting paid to do it. So why not document this activity and use it as a way to show that you have in fact put your hands on this equipment? 
If you shopped for a school with a good reputation for academic excellence, then there is no reason why you shouldn’t expect to be actually working with the technologies instead of just reading about them.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Use that academic environment to build up your problem solving and communications skills as well. Don’t just cruise through with the expectation of turning in mediocre work just to pass a course. You are paying for the course to get something out of it. Why not use the opportunity to give yourself something that you can be proud to put into a portfolio of your work? I have seen many instances where my former students have actually taken this portfolio with them and offered selected works as evidence of their ability to do the job. I designed my courses to require this kind of effort, and many of my fellow instructors did the same.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Employers have the opportunity to really shop for a highly effective employee by designing their interviews to make candidates do a little work. Candidates can use this type of interview to their own benefit to showcase their problem solving skills and gain further experience applying solutions to a real-life situation. The mediocre candidates won’t want to do the work. The ambitious ones will. Employers, focus more on these ambitious candidates, and offer a willingness to train them in the specific technical areas once they are hired. 
I have heard many a hiring manager say that they valued the soft skills (communications, ambition, critical thinking) over the hard technical skills. If they found someone who really “had it going on” in the soft skills department, then they knew that training them in the technical areas would be a piece of cake.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;Many ways to gain experience – most of which described here are considered non-traditional or perhaps unconventional. It is high time, in my opinion, that people be given credit for actual experience that they gain in a meaningful training setting. I feel that when people fresh out of school sit for certification exams, provided they made the most of that academic time, they will be calling on that experience to pass the exams and will have no need for memorizing brain dumps. 
Employers will be getting a much better rounded entry level employee as well.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;Back to &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience.html&quot;&gt;Part 1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Back to &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_15.html&quot;&gt;Part 2&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/8402873082157175343/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/8402873082157175343?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8402873082157175343'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8402873082157175343'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_28.html' title='The Certification-versus-Experience Conundrum – Part 3'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-8572239472383166470</id><published>2007-01-20T13:13:00.000-07:00</published><updated>2008-12-09T18:20:51.991-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="daylight saving time"/><category 
scheme="http://www.blogger.com/atom/ns#" term="dst"/><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="Windows"/><title type='text'>Daylight Saving Time 2007 - What Does it Mean to the IT Community?</title><content type='html'>&lt;div style=&quot;text-align: justify;&quot;&gt;Watch the news in the coming weeks - you are likely to see at least a few articles and reports of expressed concern over the new daylight saving time date change which takes place in 2007. In case you are not aware, daylight saving time (DST) has changed to March 11 this year instead of the first weekend in April as has been previously observed. This change was caused by the enactment of the Energy Policy Act of 2005, which President George W. Bush signed on August 8, 2005. &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Initially, my inclination is to think that it is no big deal; I’ll just have to set my clock ahead a few weeks earlier is all. You would think that an event like this would simply come and go, we would set our clocks, VCRs, and computers, then life would be good. But when you think about it, you realize that with our current level of technology dependence, we rely on computers and cell phones for everything these days. Meeting schedules in our computer calendar programs, certain database events, when an online bill payment transaction is posted, even what time we can call on our cell phones to get the off-peak calling cost breaks, are all tied very closely to the time on our automated systems. Computer, network, and other system time accuracies are more critical than you might think. 
&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.tkqlhce.com/click-2128618-9928169&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img alt=&quot;Download the best firewall&quot; src=&quot;http://www.tqlkg.com/image-2128618-9928169&quot; border=&quot;0&quot; height=&quot;60&quot; width=&quot;234&quot; /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There is a considerable amount of buzz about the DST issue in the patch management discussion groups on the Internet right now, so this must be a somewhat serious issue for the IT community. Today, for example, I think I received on the order of 50 or so emails on the DST patch (for computers) issue alone. Believe it or not, your computer is not the only thing that will be affected by the change. It is possible that network devices (such as routers and phone system components), PDA&#39;s, cell phones, and the like will also be affected. Some are equating this to a Y2K kind of event - on a much, much smaller scale, of course, but significant nonetheless. One article I read from Gartner suggested that companies form project teams to deal with this, and even have people on call and present to watch time changes to make sure the event goes smoothly, and that all systems are operating normally.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;Although it will indeed be on a much smaller scale, here are some possible consequences of the DST change that people in the IT world (and consumers as well) are concerned about:&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;Bank transaction times - people worried about payments not being credited properly.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;Cell phone time syncs - people being charged for peak minute usage when they are really in a non-peak time (i.e. 
after 9:00pm).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;People in organizations where their computer and/or Internet access has access time restrictions, may not be able to log in and do their work - could that be someone you have to do business with?&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;eBay and other online auction ending times being affected.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;Missed deadlines for time sensitive things - those folks who like to submit things online at the last minute might end up an hour late?&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;Incorrect departure and arrival times for airlines or other transportation.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;There is not a patch for Windows 2000 and Windows NT servers – if you are still on these platforms, the patching process is going to be manual.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;justify&quot;&gt;Networking equipment (certain routers) may experience issues when the new DST time change occurs, and again when the previously recognized DST date occurs.&lt;br /&gt;Applications that rely on Java Runtime Environment rules for time will report time incorrectly from March 11 – April 2 2007, and from October 29 – November 4, 2007.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;Java Applications return incorrect time after using Microsoft timezone.exe tool to update Windows (IBM Article: &lt;a style=&quot;font-size: 10pt;&quot; href=&quot;http://www-1.ibm.com/support/docview.wss?rs=3068&amp;context=SSNVBF&amp;amp;uid=swg21250503&quot;&gt;http://www-1.ibm.com/support/docview.wss?rs=3068&amp;context=SSNVBF&amp;amp;uid=swg21250503&lt;/a&gt;)&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;Known DST bug in Palm Treo 700w devices: &lt;a style=&quot;font-size: 10pt;&quot; 
href=&quot;http://mytreo.net/archives/2006/04/treo-700w-daylight-savings-time-change-bug.html&quot;&gt;http://mytreo.net/archives/2006/04/treo-700w-daylight-savings-time-change-bug.html&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p align=&quot;justify&quot;&gt;There are a lot more possible outcomes being discussed. No need to freak out though – I just wanted you to be aware that if things seem a little strange when trying to conduct business on March 12 - now you know what might be causing problems. Kind of scary in a funny sort of way (or is that funny in a scary sort of way), but one of the network administrators in the patch management group I participate in had the following to say:&lt;/p&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;-----------------------------------------------------------------------&lt;/div&gt;&lt;br /&gt;&lt;em&gt;Just had a conversation with Verizon Wireless about DST and the Treos we are using. Very funny if a little scary. &lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;According to the Tech I spoke with and the email I got, all the Treo &lt;/em&gt;&lt;em&gt;users need to do is turn off their Treo and turn it back on after the time change.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;However they both said something to the effect of &lt;/em&gt;&lt;strong&gt;&lt;span style=&quot;color: rgb(255, 0, 0);&quot;&gt;&lt;em&gt;&quot;&lt;/em&gt;&lt;/span&gt;&lt;span style=&quot;color: rgb(255, 0, 0);&quot;&gt;&lt;em&gt;You don&#39;t need to worry about that until April&quot;&lt;/em&gt; &lt;/span&gt;&lt;/strong&gt;&lt;span style=&quot;color: rgb(0, 0, 0);&quot;&gt;(emphasis mine)&lt;/span&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;Apparently Verizon has not yet heard of the new DST changes.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;The 
patch to change your computer is available now on Windows Updates, but it is an optional software patch, so you won&#39;t get it automatically (yet). You have to visit the Windows Update site, select “Custom” instead of ”Express,” and select the Optional, Software series of patches. Be sure to install any Active-X controls when prompted to do so.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiIC769tru3F8HlPEsXgxbCQlJZlop4LJ_b6FGonuIXso2sQaXlHWUsJX9noXGNDInNFh1u4yJ6_AgxbHFRoLWFPU8SMFIzeZdfFgSRoEGbCBlMsj5jFMU5StuCJxuX7C_CRh3GQ/s1600-h/dst_1.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiIC769tru3F8HlPEsXgxbCQlJZlop4LJ_b6FGonuIXso2sQaXlHWUsJX9noXGNDInNFh1u4yJ6_AgxbHFRoLWFPU8SMFIzeZdfFgSRoEGbCBlMsj5jFMU5StuCJxuX7C_CRh3GQ/s320/dst_1.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5022211973492768002&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size:85%;&quot;&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;(click image to see full size view)&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Next, look for the KB928388 patch as shown in the image below.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;div 
style=&quot;text-align: center;&quot;&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbhG95dskeXIGVbvtb1FJpuD3KRWgIUaeZaJZy_gUljW3wkZJhidWuJdNKnoaIZpgb9C0Afbks3_IddrRGSnO-AMC0eKIiZdFZTMaHX49DM6kUkDX744N2Vvz-pHISmq5r9G1Mbw/s1600-h/dst_2.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbhG95dskeXIGVbvtb1FJpuD3KRWgIUaeZaJZy_gUljW3wkZJhidWuJdNKnoaIZpgb9C0Afbks3_IddrRGSnO-AMC0eKIiZdFZTMaHX49DM6kUkDX744N2Vvz-pHISmq5r9G1Mbw/s320/dst_2.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5022212295615315218&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size:85%;&quot;&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;(click image to see full size view)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;As of this writing, I am waiting to find out if Microsoft will make this Windows patch a critical update.  Keep in mind, however, that if you are running systems with Windows 2000 or prior, a patch will not be available at all – you have to manually make the change in the registry settings and elsewhere that define when DST is changed on the computers.  Either that or turn off DST altogether on those systems, and make the time change manually twice a year.  If they do indeed move this up to critical, then those of you who have Windows Updates set to automatic download/automatic install will get it - well - automatically.  They better do it soon, though - there is only one more &quot;Patch Tuesday&quot; (February 13, 2007 before the DST change in March.  
The March “Patch Tuesday” occurs the week following the Sunday that DST changes.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.tkqlhce.com/click-2128618-811045&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img alt=&quot;null&quot; src=&quot;http://www.afcyhf.com/image-2128618-811045&quot; border=&quot;0&quot; height=&quot;60&quot; width=&quot;234&quot; /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All in all, it is important not to panic.   Watch the news, get the patch, and pay close attention to things that you do that require time synchronization to take place.  Visit your cell phone company’s web site to find out what implications the DST event will cause for you.&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;Some sources you might find interesting: &lt;/div&gt;&lt;div align=&quot;justify&quot;&gt; &lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;About.Com Article:  &lt;a href=&quot;http://geography.about.com/cs/daylightsavings/a/dst.htm&quot;&gt;http://geography.about.com/cs/daylightsavings/a/dst.htm&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;CNet Article:  &lt;a title=&quot;http://news.com.com/Daylight+saving+change+could+confuse+gadgets/2100-1041_3-5823792.html&quot; style=&quot;color: blue; text-decoration: underline;&quot; href=&quot;http://news.com.com/Daylight+saving+change+could+confuse+gadgets/2100-1041_3-5823792.html&quot;&gt;http://news.com.com/Daylight+saving+change+could+confuse+gadgets/2100-1041_3-5823792.html&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;EdgeBlog Article:  &lt;a title=&quot;http://www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/&quot; style=&quot;color: blue; text-decoration: underline;&quot; 
href=&quot;http://www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/&quot;&gt;http://www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align=&quot;left&quot;&gt;Microsoft:  &lt;a title=&quot;http://support.microsoft.com/kb/914387&quot; style=&quot;color: blue; text-decoration: underline;&quot; href=&quot;http://support.microsoft.com/kb/914387&quot;&gt;http://support.microsoft.com/kb/914387&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;/div&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.jdoqocy.com/click-2128618-10439168&quot; target=&quot;_blank&quot;&gt;&lt;img alt=&quot;ThinkPad Performance Sale!&quot; src=&quot;http://www.tqlkg.com/image-2128618-10439168&quot; border=&quot;0&quot; height=&quot;60&quot; width=&quot;234&quot; /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Addendums:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This article will change as new updated information is received.  
Check back often.&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrFFYTCwauswHFNI1XT8jD7ZZsVoonF3fHSblj4yHovpjxJ0UWjkSg7hr9q4qEqCuBaMQ6ugiSClcpT2JS7bKkgl1yUDDHr9wQ9F0UBcmpbrf7xqH8ogWJ-PmXfJPudl1vwI54ug/s1600-h/dst_3.jpg&quot;&gt;&lt;img style=&quot;margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrFFYTCwauswHFNI1XT8jD7ZZsVoonF3fHSblj4yHovpjxJ0UWjkSg7hr9q4qEqCuBaMQ6ugiSClcpT2JS7bKkgl1yUDDHr9wQ9F0UBcmpbrf7xqH8ogWJ-PmXfJPudl1vwI54ug/s320/dst_3.jpg&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5022217080208882978&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/8572239472383166470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/8572239472383166470?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8572239472383166470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8572239472383166470'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/01/daylight-saving-time-2007-what-does-it.html' title='Daylight Saving Time 2007 - What Does it Mean to the IT Community?'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiIC769tru3F8HlPEsXgxbCQlJZlop4LJ_b6FGonuIXso2sQaXlHWUsJX9noXGNDInNFh1u4yJ6_AgxbHFRoLWFPU8SMFIzeZdfFgSRoEGbCBlMsj5jFMU5StuCJxuX7C_CRh3GQ/s72-c/dst_1.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-1028184516028487634</id><published>2007-01-15T18:02:00.000-07:00</published><updated>2007-01-28T21:07:17.103-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="A+"/><category scheme="http://www.blogger.com/atom/ns#" term="certifications"/><category scheme="http://www.blogger.com/atom/ns#" term="CompTIA"/><category scheme="http://www.blogger.com/atom/ns#" term="MCP"/><category scheme="http://www.blogger.com/atom/ns#" term="MCSA"/><category scheme="http://www.blogger.com/atom/ns#" term="Network+"/><title type='text'>The Certification-versus-Experience Conundrum - Part 2</title><content type='html'>&lt;div align=&quot;justify&quot;&gt;In &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience.html&quot;&gt;Part 1&lt;/a&gt; of this article, I discussed the idea that the whole IT certification environment is a catch-22 between getting the experience you need to become “really” certified in your field, and getting a job to get the experience needed to pass a certification exam. People are getting a certification, any certification, just to get in the door and get the job so that they can get the experience they really need to validate the certification they already have. Are you dizzy yet? 
This whole situation leads to people who seek out brain dumps, memorize test questions, and get a certification, even though it means that they are lacking the skills and background needed to do the job. But, they have to have the paper just to be considered for the job. But let’s think about this: Isn’t the purpose of a certification to validate the background and experience you should have already gained? If you haven’t gained the experience, then what is it that you hope to validate? If you memorize test questions (and answers) just to pass a test, but do not have the experience, how much do you actually know? Now be honest. We are caught between a rock and a hard place with people who have “paper certifications” and employers who require the piece of paper, just for the sake of saying that they are raising their hiring standards.&lt;br /&gt;&lt;br /&gt;In this installment of this article, I would like to discuss ways to build up that experience so that not only will you be exposed to the knowledge, skills, and abilities (KSAs) that you need to pass the exams, but so that you can be a productive and valuable asset for your employer as well. Employers, I hope you will take some of this to heart also, and explore ways to foster an environment that helps your employees gain real certifications, and make them more valuable to you.&lt;br /&gt;&lt;br /&gt;If being an IT professional were easy, everyone out there would be doing it. However, it seems like many people who are just good test takers are jumping in and memorizing exams, then calling themselves certified. I know this because I have seen my fair share of these so-called certified “paper tigers” in the work place. They stand out because they have the paper, but also have to have their hands held every step of the way. In some cases these paper tigers do not know even the most fundamental of computer concepts. 
I recall one very profound example of this: When I was teaching networking at a junior college, I had one self-proclaimed MCSE in one of my classes who didn’t even know the first thing about IP addressing and networking basics. But by-golly, he was an MCSE!&lt;br /&gt;&lt;br /&gt;So lets take a look at some ways to get some real and valid experience, and real-world knowledge. I think in many cases you will find that once you get to this level, you won’t have to seek brain dumps to pass the exams.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Education:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;I have said it before, I will say it again: Information Technology is a profession worthy of formal education. You can expect that most employers will require (or at least ‘highly desire’) at minimum an associate’s level degree. Formal training in networking, programming, or some other computer science related field is a very valuable credential. In fact, companies like Cisco have endorsed formal education to the point of backing initiatives such as the &lt;a href=&quot;http://www.cisco.com/edu/emea/index.shtml&quot;&gt;Cisco Networking Academy&lt;/a&gt;, and bringing in companies such as HP and Sun to create non-Cisco curriculums for CompTIA A+ and web development. Many colleges and universities, such as &lt;a href=&quot;http://www.southeasttech.com/&quot;&gt;Southeast Technical Institute&lt;/a&gt; in South Dakota, are fully fledged Cisco Networking Academies and can offer this training. Unlike simply memorizing the material for a single certification exam, completion of formal training indicates that you have been exposed to certain concepts over a longer period of time. You have probably passed several exams, and completed a number of hands-on projects. Formal education is more likely to also include exposure to critical thinking skills and more in-depth technical knowledge. 
There are many &lt;a href=&quot;http://colleges.petersons.com/bymajor.asp?mn=Computer%20And%20Information%20Sciences%20And%20Support%20Services&amp;cipcode=11.&quot;&gt;universities or even junior colleges&lt;/a&gt; offering IT related programs. The main benefit of attending such a program is that not only do you get a more formal education, but this whole process in itself counts towards valuable experience.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What about “Boot Camp” Types of Training?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Boot Camps have their place – and a very valuable place at that. But I highly discourage jumping into a boot camp with no practical experience. By doing so, you are once again falling into the trap of trying to memorize exam questions and passing a certification exam with no regard for any type of real learning or relevant experience. The boot camp types of training are really intended for professionals already in the field who have experience and will understand what is being discussed. The main focus of the boot camp types of training are to refresh you on knowledge you already have, but perhaps that you don’t work with from day to day. One very real example I can give you here is the last boot camp I attended for the MCSA certification. I already had knowledge of and experience with the concepts being discussed – most topics having very intimate knowledge. However, one aspect – managing DNS – was a particularly weak topic for me, and I found that the refresher was just what I needed to correctly answer the DNS questions on the exam. But nonetheless, this topic was not foreign to me – had I known nothing of this topic prior to going into the training, I would have still struggled on the exam. 
The boot camp simply provided a much needed refresher for concepts that I do not work with on a daily basis, but faced on the exam.&lt;br /&gt;&lt;br /&gt;The other benefit of the boot camp types of training is that they usually prepare you for the “psychometrics” of the exams. That is to say that you get a pretty good idea of what kinds of questions will be asked, how they are asked, how to weed through the “fluff,” and what mind-set you need to be in to answer the questions correctly. The exam questions are not perfect, and you are often at the mercy of the point of view (and grammar skills) held by the exam question writers at the time. Microsoft exams, for instance, have a way of drawing you into long, verbose questions. The goal is to weed through it, eliminate the irrelevant information, and find out what the question is really asking. You have to know as much about the strategy for test taking for a Microsoft exam as you do the actual technical information. Likewise is true for CompTIA exams, and for the many other exams out there. For each exam I have ever taken, I have noticed that I have had to be in a different mindset for each, and had to know how to interpret what the question was asking.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;On The Job Training:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Hands-on experience is one of the best ways to sharpen skills. On-the-job training (OJT) often involves working with real situations, on real problems. The best way to get this type of training is often to jump in and demonstrate that you are willing to learn, have an open mind to absorbing concepts, and are willing to take advice from others. One of the things I have often been an open proponent of is a workplace environment that teams a mentor with one or more people. A mentor can be a strong source of training for the employees being trained and the mentor alike. Latch on to someone whom you think has sharp skills and pick their brain. 
One thing about the IT community is the willingness most of us have to share our knowledge with people who are new to our profession.
Skills in anything from running network cabling, to refurbishing computers for less fortunate families, to providing office support, to providing training are being asked for. These are great ways to build up experience. Keep in mind that when you are performing these tasks, you are doing so for a real company. And since you volunteered your time to do it, the people are always extremely grateful, and when asked will provide a shining personal reference. Building up your list of contacts I just as valid when the list contains people for whom you have volunteered.They pay is not great, but believe me, the rewards are every bit as worthwhile as money, and often longer lasting. Try &lt;a href=&quot;http://www.volunteermatch.org/&quot;&gt;http://www.volunteermatch.org/&lt;/a&gt; for some opportunities.&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Find an Employer Who Supports Training and Mentorship Programs:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;This is easier said than done – you just have to look around and interview people to find out which companies have a reputation for supporting employee development. And don’t forget – when you go to that job interview, you are allowed to ask questions of your own. Many employers will actually be very impressed when you ask questions about how they view teams and employee development. You are shopping as much for them as they are for you. In many areas, filling IT staffs is once again becoming a challenge for companies. Find out what they can offer you. Don’t burn bridges, but at the same time don’t jump on the first job offer that you get.&lt;br /&gt;&lt;br /&gt;Employers, you aren’t off the hook in this article segment - I have to repeat what I said in Part 1: Carefully analyze your requirements for hiring. Don’t offer entry level jobs that require fistfuls of certifications just to get in the door. 
It’s not fair, and you are asking to be disappointed by gaining employees who have “paper” in hand, but no real skills. Additionally, set up a mentor program and get your senior people involved in the training and development of junior people. Support your employee’s professional development and help them gain certifications. My opinion on this is that you are likely to gain more loyalty from your employees by showing them that you are willing to support their growth and train them. If you really want to protect your return on investment, require your employees to complete a certification exam for which you send them to training, within a specified amount of time. Additionally, make them agree to continued employment with your company as a condition of receiving the training. On that note – employees: Show some loyalty of your own. Don’t join a company, just because they have a reputation of offering training, then bolt off to new opportunities. Stay and grow with them for awhile. If they are willing to train, they are probably willing to promote as well. Evaluate current and future opportunities with them and give yourself (and them) the chance to grow.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Where Are Certification Exams Headed?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;If recent exams that I have taken are any indication, then I think the future of certification exams is headed toward overcoming this gap between gaining real experiences and passing the exam. More and more, certification exams are building in simulations where you actually have to be able to go into a simulated environment (a Windows 2003 server console, a Cisco router, etc) and do correctly do all of the steps required to complete a certain task. I remember the first time I passed the Cisco CCNA exam – it was all multiple choice questions – I was in and out in about thirty minutes. 
Now the CCNA exam is broken up into two exams (you have an option of one more broad exam or two more focused ones) and consists of questions requiring you to type in typing in router commands and the like to complete a task. The recent MCSA exam battery I just completed had a number of simulations where a specific set of tasks had to be completed. These simulations are extremely difficult for brain dumps to duplicate. Unless you are really good (and have a photographic memory), memorizing all the screens and steps will be difficult. I for one applaud this move as it requires a candidate to at the very least put together a virtualized lab environment where they can practice doing the labs and hands-on tasks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Wrapping It All Up:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;I’ll be blunt: Certification exams have experienced a somewhat “cheapening” of their worth over the years. To at least a minor degree it is because of employers who require multiple certifications for entry level jobs, causing potential candidates to scurry about to get certifications just to get in the door. But mostly, I believe it is because of people who are feeling the pressure to get lots of certs to be able to get those entry level jobs. And to a great deal, people just want to take the fast route to having lots of letters to put after their names. In many cases, especially the latter, people are getting those letters, but they have no real experience or practical skills to back them up. Certifications, that don’t expire and/or require proof of continuing education, result in stale skills. This also results in a “certified” person, who has outdated and obsolete skills, having little incentive to participate in continuing education activities. 
The IT profession is not something that everyone can fall into and expect to do well in – it is hard, complicated work, and requires people who are willing to commit to a long term of life-long learning. The IT profession is worthy of requiring formal education to get into, and certifications that validate real experience. And by that, I mean experience that gives true knowledge, skills and abilities for the job.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;Do you want to know how valid this whole notion of having experience can be in preparing you for an exam? I can give you an example from one of my own certification exam taking experiences - one day on a whim, I downloaded the exam objectives for the CompTIA i-Net+ exam. I thought to myself &quot;I know this material,&quot; and scheduled an exam just to see how well I would do. I figured the cost of the exam was worth the experiment. I passed! No brain dumps needed. I relied on experience I already had, and passed the exam, simple as that. This particular experiment ended with a pretty good additional outcome - shortly after passing the exam, CompTIA invited me in as a subject matter expert (SME) for a re-write of the i-Net+ exam.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Addendum:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: justify;&quot;&gt;The author of this article series has numerous IT certifications as well as a Master’s Degree in Computer Science (Information Security). 
He has participated as a subject matter expert (SME) in certification exam re-writes for CompTIA including the CTT+, i-Net+, and A+ certification exams.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;On to &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_28.html&quot;&gt;Part 3&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/1028184516028487634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/1028184516028487634?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1028184516028487634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1028184516028487634'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_15.html' title='The Certification-versus-Experience Conundrum - Part 2'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-7010017799990251334</id><published>2007-01-08T20:05:00.000-07:00</published><updated>2007-03-03T10:33:00.850-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="A+"/><category scheme="http://www.blogger.com/atom/ns#" term="certifications"/><category scheme="http://www.blogger.com/atom/ns#" term="CompTIA"/><category 
scheme="http://www.blogger.com/atom/ns#" term="MCP"/><category scheme="http://www.blogger.com/atom/ns#" term="MCSA"/><category scheme="http://www.blogger.com/atom/ns#" term="Network+"/><title type='text'>The Certification-versus-Experience Conundrum - Part 1</title><content type='html'>&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Certifications play a big part in proving credibility in the IT world, but the reasons and timing for getting them has become somewhat of a nebulous and ever moving target. I’m sure you have heard the same old story: You need to have certifications to get hired, but you need experience to get certified. So how do you get experience if no one will hire you (because you don’t have certifications)!? We in the IT profession are operating under a rather strange standard, if you ask me – that many of our hiring managers are requiring certifications to get in the door for an entry level position. But our certifications, in order to be really and truly valid, rely on a person having prerequisite experience and knowledge. This is the classic “Catch-22” predicament. What this is actually leading to, however, is a whole bunch of people going out to find brain-dumps, memorize test questions, and go take the certification exams. Then they are hoping by some chance that they know enough to pass the interview, get hired, and can get on the job to learn about and get experience with what they really don’t know.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;In reading the various message boards around the Internet, I see this very issue all too often. As a professional member of various online IT professional communities, I see over and over again messages from people who are asking where they can find a brain dump to help them pass the exam, not where can they go to get the experience or practical knowledge. The sheer number of brain dump sites in existence is testimony to what I am talking about in this article. 
We are living in a society of “paper certified” people, and it is adversely affecting the IT community as a whole. My opinion is that people in IT are working in a professional field of expertise, and that the certifications that go along with this profession are suffering because of the situations discussed here.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;As members of a professional field, IT people really should at the very least be first undergoing some sort of formal training before attempting certifications. This isn’t a field for people who are solely “book-smart” as it takes a great deal of common sense and problem solving abilities to do well. If this was easy, everyone would be doing it. But wait – if you are a good test taker and can study brain dumps and memorize answers, then you too can be a certified systems administrator or engineer and get hired. Then you get into an organization and either get lucky enough to be taken under someone’s wing and get trained, or stumble through without really knowing what you are doing. The latter leads to a poorly run IT infrastructure, or worse, security breaches, damage, and loss of productivity because the answers to those real life situations were not included in the brain dump study guides.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;How do we fix this? The first step is to make certifications become a reflection of what a person knows, rather than what we expect them to know in the future. Requiring certifications just for the sake of writing in some high and mighty hiring criteria does not make for a valid set of hiring requirements. In other words, certifications validate the level of professional expertise that a person has built up to, not a piece of paper verifying what a person can memorize. I didn’t get my pilot’s license just by passing a written exam – I had to prove that I knew how to fly the plane! 
So too should we be treating our certifications for IT systems. In essence, there are three groups of people involved in this conundrum who need to re-shape their thinking a bit.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hiring Managers:&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Quit insisting on MCSE and CCNP level certifications for entry level jobs. If you are going to post entry level jobs, then that means that you should be willing to take someone with no certification at all, or at the most an entry level certification such as MCP or A+. Then, one way to ensure that your new people do get certified is to make it a condition of employment: &lt;i&gt;“This job is probationary for ‘x’ number of months, at the end of which time the incumbent must be A+ certified to be considered for full-time permanent employment.”&lt;/i&gt; This will help get those entry level people in the door, help them get the experience they need to do the job, and especially help them to get the experience they need to pass the exam and be “really” certified.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Look at the relevancy and recentness of certifications – when interviewing candidates, make sure that the certification they have is relevant to your needs. An MCSE on Windows NT won’t do you any good in your Windows 2003 shop. Likewise, an A+ certification earned on Windows 3.1 and MS-DOS won’t help you much in your Windows XP desktop environment. A recently passed certification exam should not mean that the person is a “newbie.” It should mean that they used their recent and relevant experiences to pass a current certification exam.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Ask some technical questions to root out the paper tigers. If they say they are A+ certified, then you should ask questions that are part of the A+ objectives. 
If you need help with this, don’t hesitate to look to your IT staff for assistance with putting together interview questions. Don’t hesitate to go to CompTIA or Microsoft and get the list of objectives for the certifications so that you can design some good interview questions. You might also consider asking scenario based questions about how a candidate might solve a real problem or challenge that you are facing in your company. But ask questions relevant to the level at which you are hiring. Don&#39;t ask an entry level candidate to solve a complex engineering or design problem, and don&#39;t ask an engineering level candidate how to reset someone&#39;s email account.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;strong&gt;Candidates:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;If you are just starting out and going after the entry level certifications, read my point below about going to school. A formal training setting will give you much of the experience you need to get entry level certified with something such as A+. But don’t go after the certifications just for the letters. Find out what the objectives are and go further by researching the objectives more in-depth. This in itself will lead you to knowledge you perhaps didn’t have, and will give you more in-depth understanding of the material. Understanding is what is important, not just having letters by your name.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;Entry level and experienced people alike: Do volunteer work – what an experience builder this can be. Virtually every city I have ever lived in has volunteer opportunities that you can take advantage of. If you live in the San Francisco Bay Area, you have the king of all IT volunteer opportunities – CompuMentor. Also take a look at Volunteermatch.org for some opportunities in your area. 
This is a great way to do professional networking, and build those contact and personal reference lists also.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;Take some classes at the local junior college. This will often give you the prerequisite experience for those entry level certifications. It is not uncommon for a two year program at a junior college to provide plenty of the pre-requisite experience needed for a certification such as A+. There are a number of Cisco Academies that teach the Cisco networking curriculum for CCNA, as well as the HP IT Essentials curriculum needed for A+. These curriculum packages are all hands-on and will give you some real experience.&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Certification Bodies:&lt;/strong&gt;&lt;/p&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Follow the lead of the organizations that bring us such certifications as the PMP, CISSP, and even the Cisco certifications. What do all of these certifications have in common? They expire and/or require proof of continuing education to keep a certification current. Even the Microsoft certifications eventually become retired, and at the very least are associated directly with a specific operating system or technology. A person may very well be an MCSE, but when the hiring manager asks for specifics and it comes out that he or she is an MCSE on Windows NT, then it is easily seen that the “big” certification has very little relevance in an all Windows 2003 shop. Cisco has an excellent structure for certifications: they expire, and follow-on certifications require a valid lower level certification to continue with the higher level cert. 
Gaining higher level Cisco certifications also maintains validity of the previously earned certifications.&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;&lt;br /&gt;CompTIA is one of the largest certification bodies in the IT community, yet none of their certifications expire, nor are the holders of those certifications required to prove any continuing education. These types of certifications are very relevant when they are current, but can quickly become obsolete. And given the relatively high price for the CompTIA exams, there is little incentive for taking the same certification exam over and over just to keep it current. How about an upgrade exam that is a little less expensive? What about requiring continuing education credits to keep these certifications valid? Just a thought.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Wrapping It All Up:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;I end this article by using the technical people in the medical profession as an example of what I am talking about. Many of the professionals in the medical field, such as nuclear medicine technicians or biomedical equipment technicians, enter their first jobs with no certifications. But after working in their field for awhile, they are often required, as a condition of employment, to obtain their certification within ‘x’ months of being hired. These people are fresh out of a junior college or technical school; their employers know they have the foundational knowledge, but then give them an opportunity to gain real experience before requiring certifications. But a deadline for certification is often strictly stipulated. Get the cert or you’re out! Even doctors have to go through an internship as part of their training to build up experience, right? Let’s take that example as our lead to make the IT community a better place. 
Let’s quit requiring a fist full of certifications to get an entry level job. Grab the newly graduating people out of school, give them a real environment to hone their skills, and then help get them certified. My personal opinion is that employers will notice a good deal more loyalty from these folks (most would feel too guilty about leaving an employer that helped them get certified), and a great deal more sound productivity as well.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;TEXT-ALIGN: justify&quot;&gt;Personally, I think that we need to move more into a professional environment where we value life-long and continued learning rather than laundry lists of letters to put after our names. The certifications are a good way to validate what a person already knows based on the experience they have already gained. But a certification is a crummy way to try to validate what we think a person will know in the future. All the certification is doing in this case is testing a person’s ability to read, memorize, and take an exam. 
If that is all we are concerned about, then why bother?&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;Continue to &lt;a href=&quot;http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience_15.html&quot;&gt;Part 2&lt;/a&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/7010017799990251334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/7010017799990251334?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/7010017799990251334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/7010017799990251334'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2007/01/certification-versus-experience.html' title='The Certification-versus-Experience Conundrum - Part 1'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-9204556472237827644</id><published>2006-11-26T10:46:00.000-07:00</published><updated>2007-01-15T18:20:16.578-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="best practices"/><category scheme="http://www.blogger.com/atom/ns#" term="Employee Responsibility"/><category scheme="http://www.blogger.com/atom/ns#" term="policy"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" 
term="training"/><category scheme="http://www.blogger.com/atom/ns#" term="users"/><title type='text'>Who Is Deciding Your Information Security Policy?</title><content type='html'>&lt;p align=&quot;justify&quot;&gt;If the answer to that question is that your management and your corporate security professionals are setting the standards, then you need to read no further. Have a great day, and check back soon for my next article. However, if you don’t know, or your answer is that you don’t implement in-depth security practices because your users find them too hard – in other words, your users are making your information security decisions - then read on.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;First, let me say this: Implementing in-depth information security practices is hard work. In a large enterprise, it takes dedicated, trained staff, and even then your users will still find it cumbersome and inconvenient. Let me also say that most people expect things to be easy, they don’t want to be inconvenienced, and they want it when they want it, without being tied to having to wait for this, that, or the other, and without having to click on any more things than necessary. They don’t want to be bothered by their computer slowing down a little once a week while the scheduled virus scan runs. People don’t want to have to take the time to decide whether to answer “yes” or “no” when their personal firewall prompts them when it thinks something suspicious is happening on their computer. All too often, IT support staffs are saying that they don’t want to make their users do something because the user says it is inconvenient, they don’t know how to do it, and they just don’t want to have to take the extra time to learn how to do it. This is a classic example of how information security practices take a back seat to security unaware users who don’t want to make the effort to keep their company’s data safe. 
In other words, the end users (security unaware end users) are making the security decisions, like it or not.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Information security involves a variety of safeguards, all the way from perimeter devices guarding your network, right down to the user at the desktop. This is called “defense-in-depth,” the idea that if an attack or other malicious activity gets past one safeguard, at least one of the others will catch it and stop it. Your data is at the center of a bull’s eye surrounded by subsequently progressive outward rings. These protective rings are made up of the user, operating system patches, personal firewalls, anti-virus/anti-malware protection, server access control lists, and perimeter devices such as routers and firewalls. The user plays a very integral part in these defensive layers of information security. You can have all the firewalls, access control lists, anti-virus programs, and computer patches in the world, and still not be safe. Because if your users are willing to give away the keys to the kingdom, either through laziness, ignorance, complacency, or just plain arrogance, then nothing you can do will keep your data safe.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;I have actually heard IT support people say that the main reasons why they don’t do certain things are that the procedures are too hard for their users, their users have no clue how to do these things, they have no clue why they are necessary, and that they (the IT people) don’t have time to train them. Back in my customer service days, I would listen to customers as they would go into rages about this stuff being too hard, and that they didn’t see why they had to do it. Let’s face it, people are busy, there aren’t enough hours in the day, and people often get set in their ways. Change represents a scary thing, even if it means learning a new way to keep data on a computer safe. 
A thing like locking a screen when the computer is going to be unattended is a habit that has to be learned and ingrained into behavior. Much of what this article is about is related to behavior and how to change that behavior. The technical part is easy. It’s changing people that is the real challenge.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Let’s take the first one mentioned above – too hard for the users. If something is too hard, it means that the user hasn’t been trained or is too lazy to learn – or both! I will repeat it again here: security is hard work. So that means that the IT support structure has to get on the ball and provide training and awareness for their users. Conversely, the end user has to get off his or her backside and realize that it is their responsibility to learn how to use the tools of their trade. The computer, after all, is a vital tool that is in use by the vast majority of people in the work force today. I don’t care if you are a doctor, lawyer, biologist, or just a clerk. The fact of the matter is that regardless of your primary specialty, you still have to use a computer to get your work done.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;And I’m not even talking about people having to learn in-depth or complicated security principles. They simply have to learn what to click on, what not to click on, and when their personal firewall is telling them about a risky event. Is it really so hard, that if a user gets a message saying that some software is trying to be installed, for them to make a conscious decision that either “yes, it is OK because I am installing software” or “no, this is not OK because all I was doing was checking my email”? Make an educated decision, and click on the appropriate answer. This takes a few seconds at best – is that really taking too much precious time? 
If they wish to continue to do their jobs, computer users must learn how to operate them and how to interpret simple messages. It is not enough to know how to fire up Outlook and whip out an email, you must know how to interpret your environment and act accordingly.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;On to the second idea previously mentioned – users have no clue. No, I’m not saying that people are all a bunch of clueless drones. Well – actually - yes I am. The average computer user doesn’t know much about computer security, and quite frankly, they don’t want to know. All they know is that they have to use the darn thing (the computer) and if anything goes wrong it isn’t their problem. It is IT’s problem to fix. If the computer lets sensitive information get away, then that is the computer’s problem, right? Wrong! The people in IT didn’t click on the malicious link in the email joke that they just received, and the IT staff didn’t leave the user’s computer unlocked when the user got up to go to a one hour lunch break. Not only is it just too hard to resist the temptation to click on that link, but it is also too hard to press the Windows key and the “L” key to lock the screen when they get up. And quite frankly, most people just don’t understand why it even matters. All that hype about computer security, malicious links in emails, and spies wandering the company looking for unlocked screens is just a bunch of rubbish, right? Wrong! The threats are very real and present. Users need to get a clue that they fit in to all this in a very important way. The why? That’s easy – the data they are working with is not theirs. It belongs to a company who can suffer embarrassment, loss of business, or loss of trade secrets if the information gets out. Companies can suffer from loss of business. Governments can suffer from the loss of sensitive information. In either case, it can be disastrous. 
Even if just a user at home – would the normal person want to risk having their personal and bank account information getting loose on the Internet? Certainly not! Care in computing must be exercised everywhere. The good security habits that one gets into will be useful at work and at home.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Hmmm… so finally, the last point - no time to train the users. All of the problems discussed up to this point can be boiled down to training. Not knowing how to do something or being clueless is not entirely the end user’s fault. Sure, the user has to get over their own laziness and arrogance, but they have to have knowledge to be able to act on it. But I have seen too many IT staffs who think they are protecting their users by not exposing them to complicated or extra tasks. Well – they are just making themselves feel good by trying to make their users like them and trust them. But sometimes good security practices involve a bit of “tough love” and forcing people to do things that seem hard at first. The IT staff can either make the choice to take the time to train their users, or take the time to clean up after their mistakes – it’s a clear choice in my mind. Take the time up front to train users, and keep them knowledgeable through constant awareness activities. Eventually, the training and awareness will sink in. By that time, your users will know what needs to be done (or what not to do) and they will now have a clue why this is all so important.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;This may seem like one of my typical rants – you’re right – I’m busted. But how many more times do we have to hear in the news about breaches of corporate information security because of someone who lost a laptop or gave away information. 
You will notice that most of these events are due to someone doing something stupid – not being aware, not following directives and policies, or being just plain lazy. IT Staffs: train your users, keep barraging them with tid-bits of security awareness, and make them do the things that will keep your company’s data safe. End users: Get off your @$$ and learn why you are the most important link in information security. Security is everyone’s business. The management and security professionals in your company have the education, experience and know-how to make policies that will keep data safe. Don’t second guess them with your lack of knowledge – follow the directions. It’s not that hard!&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/9204556472237827644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/9204556472237827644?isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9204556472237827644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9204556472237827644'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/11/who-is-deciding-your-information.html' title='Who Is Deciding Your Information Security Policy?'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-7636403840895847304</id><published>2006-10-08T13:35:00.000-06:00</published><updated>2007-04-09T22:21:32.859-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="computer"/><category scheme="http://www.blogger.com/atom/ns#" term="operatig system"/><category scheme="http://www.blogger.com/atom/ns#" term="OS"/><category scheme="http://www.blogger.com/atom/ns#" term="upgrade"/><category scheme="http://www.blogger.com/atom/ns#" term="Vista"/><category scheme="http://www.blogger.com/atom/ns#" term="Windows"/><category scheme="http://www.blogger.com/atom/ns#" term="XP"/><title type='text'>Windows to Release New Operating System - Are You Ready?</title><content type='html'>&lt;p align=&quot;justify&quot;&gt;In the very near future, Microsoft will release their newest version of the Windows Operating System. The release of Windows Vista is due to reach the public around January of 2007. Of course, those of you who know me know that I can&#39;t look at anything new in the computer world without scrutinizing its security, support, and maintainability aspects. So, I wanted to take this opportunity to show you what Vista looks like, but also give you an idea of some of the enhanced security and maintenance features as well. This newest release of Windows represents the most radical change in the look and feel of Windows since the jump from Windows 3.x to Windows 95 over eleven years ago. From a security and stability aspect, this new version promises to be more robust. 
And for those of you who only care about the &quot;eye candy&quot; features and have grown bored with the way Windows XP looks, you too will have some new vivid graphics and gadgets (literally) to keep you happy.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/vista-5-flip_3d.0.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/vista-5-flip_3d.0.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;A Word About Hardware:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;If you truly want to take advantage of Windows Vista&#39;s new graphics and user interface features, you are going to need a fairly hefty computer. If you are buying a new computer, look for the &quot;Windows Vista Capable&quot; logo on the front. You are going to need a fast CPU (dual core would be nice), lots of RAM (1 GB minimum), and lots of video RAM (128 MB minimum). These minimums are mine, not necessarily Microsoft&#39;s, by the way. The computer will run fine with Vista on a typical machine these days (3GHz CPU, 512 MB Ram, etc), but many of the graphics features will not work. The user interface (UI) in Vista is code named &quot;Aero,&quot; and if you have the more robust system, you can take advantage of a host of new features commonly referred to as &quot;Aero Glass&quot; features. The interesting thing here is that Vista will tailor its performance and feature sets to the hardware it detects in your computer. Better have a DVD drive. So far, I have only seen the ability to obtain installation media on DVD - it is a fairly huge package. I am not certain at this time if Microsoft plans on releasing the installation media on CD as well as DVD. 
DVD drives are cheap - you will need one anyway.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;For my tests and the screen shots you will see in the &lt;a href=&quot;http://www.gonzosgarage.net/computers/winvista/index.html&quot;&gt;full article,&lt;/a&gt; I am running Windows Vista Ultimate Release Candidate 1 (RC1) on a 2.93 GHz Intel CPU, 1GB of RAM, and an NVIDIA GeForce FX 5500 video card with 256 MB of video memory. The final release version may have slightly different features and screen appearances than those seen below. RC1 is drastically more stable than Beta 2 was, and has a slightly different look and feel than Beta 2. If this is any indication, then there will be some slight enhancements and bug fixes in the final release versions.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/vista-24-IE7.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/vista-24-IE7.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The Vista Upgrade Path: &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Vista will be available in several different versions (six versions to be exact) for home and for business. There will be a version that has more multimedia features, and versions that have more business and networking features. Windows Vista Ultimate (the version I will show you here) will have it all. If you are running an older version of Windows, you are out of luck - there will not be an upgrade path for you - you will have to install from scratch. If you are still running one of these older operating systems, you probably need a new computer anyway. 
You will need to be running Windows XP Home or Professional to be able to perform a direct upgrade, all others will require a clean install. Note: If you are already running Vista Beta 2 or RC1, you may have to do a clean install. In my testing, I was not able to upgrade from Beta 2 to RC1 without failure. Clean installs will always give a better, more stable installation anyway.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/vista-23-upgrade_paths.0.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/vista-23-upgrade_paths.0.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;You may want to wait a bit before rushing right out and buying/installing the upgrade, however. Make sure all of your applications will work properly with Vista. Your antivirus software may or may not work with Vista. Remember - Vista is a drastically different operating system - so viruses that affect previous versions of Windows do not affect Vista. For that very reason, many antivirus applications would not even install on my test box because they would not run on Vista. One great feature is that your Windows Security Center will tell you if you are missing an antivirus application, and will give you a web link to antivirus applications. In my tests, I found a great deal of difficulty just finding an antivirus program that would install - but as I mentioned above, Vista will take you to the site of a compatible application.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;If you use other types of maintenance programs, such as Diskkeeper for defragmenting your drives, those programs probably won&#39;t work either. 
This article from Microsoft will give you a pretty good step-by-step process and list of issues to consider when upgrading to Vista. According to one eWeek article, the best way to go is to not do an upgrade but back up all your stuff and do a clean installation. Application compatibility is a more complex issue with Vista, but Vista offers compatibility wizards to help you make an assessment.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/vista-22-wide_screen.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/vista-22-wide_screen.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A Final Word:&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;If you want to upgrade to Windows Vista, make sure you have a fairly powerful computer, and go out and do some research so that you know all of the requirements and pitfalls. Once you are satisfied that you want to make the leap to the new O.S., go out and buy yourself a good video card and a wide-screen monitor. Vista takes good advantage of the new wide-screen monitor formats. Quite honestly, you will be fairly disappointed if you try to look at Vista on your old 15&quot; CRT or even one of the smaller LCD monitors. I tried it initially on a 1024 x 768 resolution monitor, and was left wanting for more. You will need lots of RAM and a hefty video card to be able to use all of the aero glass features. If you are buying a new computer anyway, research a 64-bit machine and make the leap to one of the Windows Vista 64-bit editions. As Vista is making its appearance, so are the powerful 64-bit machines. 
I think we will be finding that future applications will cater to the 64-bit systems and operating systems.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.wflinn.com/computers/winvista/index.html&quot;&gt;&lt;h3&gt;Read full article with more screenshots...&lt;/h3&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/7636403840895847304/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/7636403840895847304?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/7636403840895847304'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/7636403840895847304'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/10/windows-to-release-new-operating-system.html' title='Windows to Release New Operating System - Are You Ready?'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-1699112524153143231</id><published>2006-09-19T21:19:00.000-06:00</published><updated>2007-01-15T18:22:41.460-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="due diligence"/><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" 
term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="social engineering"/><category scheme="http://www.blogger.com/atom/ns#" term="worm"/><title type='text'>It’s All About The Social Engineering, Baby!</title><content type='html'>&lt;p align=&quot;justify&quot;&gt;I’ve said it a number of times, and at the risk of sounding like a complete cynic, I will say it again: The biggest threat to computer (and information) security is the people who use them. Or, more appropriately, people who use computers and information technologies in a significantly “unaware” state. To give you an idea what I mean, let’s take another fairly ubiquitous implement in our society, the automobile. Why are there so many accidents? It’s not the bank robbers or the murderers and rapists (in other words, “criminals”) causing them. They are caused by everyday people not paying attention to those around them, people who think that rules of the road don’t apply to them, and even, dare I say, people who just don’t give a damn about those around them. I mean, why is it that people can get into horrific accidents driving down a completely straight piece of highway, like I-25 here in Colorado? It’s because people jump in those 2,000 pound pieces of hardware and just blast off down the road as if they were the only ones on it, completely oblivious to anyone else who may be around. As long as they get where they are going, they don’t care how they got there, and as long as no one else causes them inconvenience, whatever they do is fine.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Well – our love of computers is the same way as our love of the automobile. Computers and communications devices (such as cell phones) are such a ubiquitous and necessary part of our daily lives, that to go without email or our phones for even one minute would be disastrous. 
And our ability to click on any Internet link we want, and forward every email joke we get had better not be impeded in any way. This idea is at the very heart of many cyber-attacks these days. The bad guys know that people can be duped into just about anything – spreading email here, clicking on a link there, giving out information over the phone. It is very easy for the bad guys to plant a very innocent looking email, spam it out to the whole world, and then sit back and watch as the ignorant masses of scurrying mice blindly follow the bread crumbs. This, in essence, is what “social engineering” is all about. Social engineering encompasses a wide variety of things, such as me pretending to be the help desk and calling you up to get you to give me your network account password. Or diving through your trash to find out what usernames and passwords you had scribbled down and unknowingly thrown away. Or, how about me the nosey passerby shoulder surfing while you arrogantly (and show-off-ishly) flaunted your laptop in a busy airport or coffee shop? You know, in all my journeys through airports, I have gathered more information from listening to people yell into their cell phones that, if I were a bad guy, could be used against them (and their companies). I sat waiting for a flight from Rochester, NY one time and listened to some guy give an entire performance review over his cell phone – he wasn’t discreet or quiet about it at all. Social engineering is what gets you to give up your social security number and birth date when you reply to some scam offering you a refund from the IRS or an online deal that you just can’t refuse.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;The above are all examples of social engineering, and there are many more. The bad guys rely on egos and ignorance getting in the way of security awareness. 
Those that would attack you know that you are either trying to show off how important you are or that you are just plain ignorant of information security techniques. They will use a variety of very simple techniques against you to steal your data, launch code to wreck your computer, or turn your computer into a zombie to proliferate other attacks. The bad guys use clever emails and lures to malicious web sites to launch attacks more often these days than most any other types of attack. In fact, as of this week, there is a new flaw in Internet Explorer, and according to &lt;a href=&quot;http://news.zdnet.com/2100-1009_22-6117407.html?tag=nl.e589&quot;&gt;this article at ZDNet&lt;/a&gt;, porn sites are already exploiting it. The really stupid and lazy attackers will just get you to do their work for them and simply tell you that there is a security vulnerability or virus on your computer, and tell you to delete certain files. They will then get you to email all your friends and tell them to delete these same legitimate files (this is known as a virus hoax), which will then render all of your computers unusable the next time you reboot. Essentially, social engineering (in the bad sense) is all about getting people to do things that the attacker wants them to do.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;If you were to look at the majority of the descriptions for most vulnerabilities that are fixed by recent patches, you would see that the patch itself fixes a vulnerability caused by a programming flaw, but that it is only exploited when the victim opens an infected email, opens an infected email attachment, or is lured to a malicious web site. In many cases, the exploit is not “WORMABLE” and simply relies on a cleverly crafted email, attachment, or image file getting onto the victim’s computer so that it can do its thing. 
The attackers know that they can get you to visit a web site or open an email, and that they can certainly rely on you to forward it to all your friends.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;So let’s talk about “good” social engineering. One of the greatest challenges facing IT security professionals is to get people to change their behavior and attitudes towards information security. To most people, the security people are just the Gestapo out to spoil their fun and keep them from doing their job. We are the source of inconvenience because it just doesn’t seem reasonable that the threats really are out there. It’s all a big myth. I’m here to tell you that the only myth is believing in the false sense of security because of the “it can’t happen to me” syndrome. When your IT support people or your friendly bloggists bombard you every day with hints and tips about locking your keyboard when you get up from your computer, telling you not to open email attachments, or not to write down your password on sticky notes – that is the form of social engineering we are trying to use to get you to change your habits a little. We aren’t trying to keep you from being productive. On the contrary, we are trying to keep you from becoming a victim.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;Bottom line – the bad guys are trying to “social engineer” your behavior so that you will fall into their trap. They can then laugh at you while they point you out to all their friends (and get the news media attention they crave), telling them how they “stuck it to the man” and screwed up a bunch of computers. The IT security people are trying to “social engineer” your behavior so that you won’t make an ass of yourself, or worse yet destroy the company’s network or compromise proprietary information. 
If you get attacked at home because you were complacent about your own computer security, then it may take you a while to get your system back up and running. And it might take a while for you to get over the embarrassment that you feel because you unknowingly passed along the attack vehicle to your friends. But if you get attacked at work because you just didn&#39;t care to be bothered by computer security requirements and even spread the attack to the entire network, embarrassment will be the least of your problems. The security people have an obligation to keep you informed. &lt;u&gt;You&lt;/u&gt; have an obligation to heed the warnings and do the right thing. In other words, you have an obligation to stop being ignorant and be as vigilant with your information technology as you should be while driving down the road in that 2,000 pound weapon of yours. Use some due diligence, as we call it, and be aware. Security is everyone’s business!&lt;/p&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/funny_error_1.1.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/funny_error_1.1.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;/center&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/1699112524153143231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/1699112524153143231?isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1699112524153143231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/1699112524153143231'/><link rel='alternate' type='text/html' 
href='http://gonzosgarage.blogspot.com/2006/09/its-all-about-social-engineering-baby.html' title='It’s All About The Social Engineering, Baby!'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-9086653962380002019</id><published>2006-09-02T19:27:00.000-06:00</published><updated>2006-09-02T19:54:20.257-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><title type='text'>Microsoft is (Still) Not the Problem</title><content type='html'>&lt;p align=&quot;justify&quot;&gt;Ahhhh - Fall is in the air and it is time to wrap up another summer!  I want to start out this fine September by following up on an article I published on my &lt;a href=&quot;http://www.wflinn.com/&quot;&gt;main web site&lt;/a&gt; awhile ago.  In that article, I mentioned that Microsoft was getting a lot of bad press because their products were always being attacked, and because they released so many patches.  In following up and to set the stage for this article, I would just like to say that this has been a fairly interesting summer for Microsoft with the release of over thirty new patches for Windows, Internet Explorer, and Office products between June 2006 and August 2006 alone.  All in all, we are up to numbered security patch MS06-051 (the 51st patch of 2006), plus several other patches that don’t fall under that numbering system. 
But let’s not forget that the folks at Firefox gave us at least two new releases this summer also, not to mention patches from Symantec, McAfee, and Intel (Intel/PRO Wireless Drivers). I’m not going to use today’s post as a forum to pit one browser against another or even one operating system against another.  I just wanted to point out that there have been a lot of new patches all the way around, but that this high volume of new patches isn&#39;t necessarily the problem we are facing.  In that previous article, I wrote that:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);font-size:85%;&quot; &gt;“Of all the people who regularly bash Microsoft for giving us an operating system with so many holes, I am probably one of the worst offenders.  However, I recently had the opportunity to hear a talk by &lt;/span&gt;&lt;/em&gt;&lt;a href=&quot;http://www.hackingexposed.com/&quot; target=&quot;_blank&quot;&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);font-size:85%;&quot; &gt;&quot;Hacking Exposed&quot;&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;span style=&quot;color: rgb(255, 255, 0);font-size:85%;&quot; &gt; author Stuart McClure.   He made a very interesting point - Microsoft is not the problem.  There is so much talk about using the Linux operating system and alternative web browsers such as Mozilla FireFox.  
The point he made is that those systems also have security holes as do the Microsoft products.”&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.tkqlhce.com/click-2128618-9928169&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img src=&quot;http://www.tqlkg.com/image-2128618-9928169&quot; width=&quot;234&quot; height=&quot;60&quot; alt=&quot;Download the best firewall&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;In spite of all these new patches this summer, I would like to say that I still believe that Microsoft is (still) not really the problem here.  What I do see as the problem(s) are people who have too much time on their hands (the bad guys) and security unaware end users.  The fact of the matter is that software code, no matter who writes it, is going to have flaws that are eventually discovered and exploited.  It just so happens that Microsoft has the larger market share, so the bad guys are attacking where they know they can do the most widespread damage.  So we know where the bad guys are presenting the problem – where they can do the most damage, and in doing so what will get them the most publicity.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;So now let’s talk about the end user part of the equation.  It’s a foregone conclusion that the software has flawed code, and always will.  But let’s face it; Microsoft and other vendors find their flaws (or have the flaws reported to them), they fix the flaw and release a patch.  It is now up to the end user (or the IT support structure in corporate environments) to make sure that the patches are getting applied in a timely manner.  Are you setting your Automatic Updates to download and install your patches, or do you at least visit Microsoft Updates regularly to get them manually?  
How about your other (non-Microsoft) software – do you keep an eye on settings that will allow automatic updating for those as well?  Since we’re on that subject, even if you do have your Automatic Updates set to auto/auto, when you have some down-time, why not visit the Windows Update site on your own.  Check every once in awhile and make sure for yourself that you aren’t missing any critical updates.  Just as you should be manually checking your antivirus and anti-malware definitions every so often to make sure your update engines are working properly and that your system is in fact getting the updates as it should be.&lt;/p&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.tkqlhce.com/click-2128618-811045&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img src=&quot;http://www.afcyhf.com/image-2128618-811045&quot; width=&quot;234&quot; height=&quot;60&quot; alt=&quot;null&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;So what happens when a patch goes bad and breaks your computer or an application?  Are you simply throwing up your hands immediately, screaming how %$#@&amp; Microsoft is always breaking your computer?  This is another example, in my opinion, where the end users are the weak links in this whole patching and updating game.  Far too many people scream and curse at Microsoft when a patch goes bad on their system instead of taking a few moments to calmly find a solution to the problem.  The solution, by the way, is as close as your telephone:  1-866-PCSAFETY.  That is Microsoft’s hotline for solving patch related problems.  If the problem is caused by a security patch, the call is free of charge.  The problem may be isolated to just your particular configuration, and it may be a simple matter of uninstalling and reinstalling the patch.  
If enough people call with the same problem, then Microsoft knows that there is something wrong with the patch itself, and will quickly release a fix.  But in order to do so, Microsoft has to know about it!  They don’t read minds any better than I do – the end users that are seeing the problem have to report it so that something can be done about it.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;I have been in the patching business quite a while; I test and deploy patches that are applied to an enterprise of over 10,000 nodes, and I have yet to see consistent strings of patches that break computers.  I do, however, see occasional problems come up on individual systems.  I am telling you the same thing that I preach time and time again:  Do some troubleshooting, find out if it is an isolated problem or a widespread problem, and call the Vendor and get the problem documented.&lt;/p&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.jdoqocy.com/click-2128618-10439168&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img src=&quot;http://www.tqlkg.com/image-2128618-10439168&quot; width=&quot;234&quot; height=&quot;60&quot; alt=&quot;ThinkPad Performance Sale!&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;The other thing that I am absolutely sure has to be made clear is that the majority of the attacks in recent history rely on luring users to bad web sites or opening infected emails to expose themselves to the risk.  Most of the time, you aren’t in danger of the flawed code on your computer being exploited unless you do what the attacker wants you to do to unleash the attack.  The attackers have gotten too lazy to make their attacks “wormable” – and why should they?  Why go to the trouble to write the type of code needed to make computers proliferate the attacks, when they can rely on security unaware users to do it for them?  
All those emails with attachments that you blindly pass on to all your friends, and all those emails with links that you blindly follow: did you ever once stop to think about whether or not they contain potentially harmful content?  This is why, in my humble opinion, much of the blame for the proliferation of harmful code rests squarely on the shoulders of the people clicking the mouse buttons.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align=&quot;justify&quot;&gt;So to summarize – I will say it again:  Given enough time, the bad guys will find and exploit flaws in anything.  This problem is not limited to Microsoft.  It is just that Microsoft has the largest market share and will earn the attacker the most press time.  This summer, I have seen patches come out for Microsoft products, UltraVNC, Symantec antivirus, McAfee antivirus, Firefox (multiple), Intel/PRO wireless network card drivers, as well as a few other products. So don’t blame Microsoft – blame the bad guys, and blame yourself if you’re not keeping your systems patched.  
You can also give yourself a little of the blame if you are blindly clicking on the email “Forward” button or those links in your email when you don’t know what they are or where they came from.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.spreadfirefox.com/?q=affiliates&amp;id=183905&amp;t=197&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;Upgrade to Firefox 1.5!&quot; title=&quot;Upgrade to Firefox 1.5!&quot; src=&quot;http://sfx-images.mozilla.org/affiliates/products/firefox/upgrade_1_5_125x125r.jpg&quot;/&gt;&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;a href=&quot;http://www.spreadfirefox.com/?q=affiliates&amp;id=183905&amp;t=176&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;Get Thunderbird!&quot; title=&quot;Get Thunderbird!&quot; src=&quot;http://sfx-images.mozilla.org/affiliates/thunderbird/reclaimyourinbox_large.png&quot;/&gt;&lt;/a&gt;&lt;/center&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/9086653962380002019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/9086653962380002019?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9086653962380002019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/9086653962380002019'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/09/microsoft-is-still-not-problem.html' title='Microsoft is (Still) Not the Problem'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-203184117751159460</id><published>2006-08-31T19:36:00.000-06:00</published><updated>2006-08-31T19:40:14.238-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Employee Responsibility"/><title type='text'>Who’s Computer is it, Anyway?! (Part 2)</title><content type='html'>Okay – here’s the scenario (again): Same as &lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/08/whos-computer-is-it-anyway.html&quot;&gt;Part 1&lt;/a&gt; - Corporate environment, computer is provided by the company, all of the initial software on the computer is installed by the company. The user signed an Acceptable Use Policy statement acknowledging their responsibilities with regard to computer use and security. The company’s acceptable use policy says something about &lt;span style=&quot;color:#000099;&quot;&gt;&lt;em&gt;“…only approved software…”&lt;/em&gt;&lt;/span&gt; The end user is the only user of the computer. Employees are allowed to use the Internet (i.e. the web browser), applications, and email for business purposes and for limited personal use.&lt;br /&gt;&lt;a href=&quot;http://www.anrdoezrs.net/click-2128618-10423994&quot; target=&quot;_blank&quot;&gt;&lt;br /&gt;&lt;img src=&quot;http://www.tqlkg.com/image-2128618-10423994&quot; width=&quot;234&quot; height=&quot;60&quot; alt=&quot;null&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;&lt;br /&gt;More on those neat little freebies – but this time, it is not just a seemingly innocent browser toolbar. There are other free tools out there, commonly known as “peer-to-peer” (P2P) applications. 
Seems our carefree and gadget crazy employee from last time really likes music, so I will just concentrate on the P2P apps that allow you to download music files (MP3s), but there are many others. The way these applications work is that you install some software (free of course) on your computer, which then has the ability to connect to everyone else on the Internet who has that same software. The reason they call it peer-to-peer is because users don’t actually download the files from a central source, but from each other. The user enters the search terms of the music they are looking for, and the P2P software finds the other users who are online that have that music. The user can then choose to download the files they want. When the download is started, parts of the file can actually come from multiple peer users, speeding up the download process. Downloading MP3 files is great – the users can listen to them on their computer at work, providing they aren’t distracting coworkers, and they can even take them home at the end of the day. Ah, piracy has never been so easy!&lt;br /&gt;&lt;br /&gt;Well, here’s the catch: For one thing, downloading copyrighted files from any source without paying for them is illegal. Remember last time I mentioned getting your employer in trouble by installing supposedly “free” software that actually had to be licensed? Well P2P software opens your employer up to a whole new batch of liabilities. We can safely assume (my opinion here) that most people that use P2P software to download music know it is illegal, but do it anyway. This makes the crime more blatant and premeditated, in my mind, and seems to result in harsher consequences. Since you are on company time and on company property, you are now (using a legal term here) under the “scope of employment” which allows prosecuting parties to hold your employer accountable as well as you. 
The employer should have known that the employees were using company network resources and company computers for downloading illegal music. If the employer is practicing due diligence, they would be checking their network for P2P traffic and scanning their servers for potentially illegal file types.&lt;br /&gt;&lt;br /&gt;Even if you are using one of the new and improved “pay as you go” services and pay for the music instead of committing piracy, you are still creating problems on a networking infrastructure. So now let’s take the whole &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“who’s computer is it anyway?”&lt;/span&gt;&lt;/em&gt; question a little further and ask &lt;em&gt;“&lt;span style=&quot;color:#000099;&quot;&gt;who’s network is it anyway?”&lt;/span&gt;&lt;/em&gt; The other thing about P2P software is that it creates network traffic – a LOT of network traffic. When I was teaching, our students were all required to have laptop computers in support of the curriculum. We had full Internet access for them, email, and wide open – no restrictions. Very early on in our experience with student laptops, we found that it didn’t take them long to discover Napster and Kazaa. While teaching class, I could look out and see the sea of dopey looks as these people were downloading tune after tune (not paying attention to the Instructor, of course). The magic question of &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“Hey!!! How come the network is so slow between the hours of 11:00am and 3:00pm??”&lt;/span&gt;&lt;/em&gt; popped up. It was because several hundred students were all downloading massive volumes of MP3 files and choking our network. Not only that, but our file servers hard drives were swiftly running out of space because of all the MP3’s being stored in student Home folders. Imagine that same problem, not in an academic setting, but in a business setting where real work is supposed to be getting done. 
These types of activities have the potential to hog bandwidth, take up valuable file server space, and are probably robbing employers of productivity from their employees.&lt;br /&gt;&lt;br /&gt;So now for the security aspects of this issue: P2P software is known to be a large source of security vulnerabilities and exploits. Software like this creates a pretty big opening into the hosting computer, making it possible to spread viruses, WORMS, denial of service attacks, and other attacks that allow full control of a compromised computer. In fact, having this type of software may cause your company to fall out of compliance for various legislative act requirements such as those contained in HIPAA, Sarbanes-Oxley, or GLB.&lt;br /&gt;&lt;br /&gt;Again, as in the case of the company owned computer – it’s not the employee’s network, it is the company’s network. The employer has the right – scratch that – the obligation to protect their network from performance degradation and unauthorized use. They also have a legal requirement to ensure that all of their information technology resources are in compliance with various regulations – and that includes making sure that the software installed on company owned workstations isn’t causing security or performance problems. Be a good employee – do what you want to your computer at home (you’re going to anyway), and leave your company resources for doing business. 
Failure to keep this stuff off your employer’s machines has the potential to hurt them, but also has the potential to hurt &lt;strong&gt;&lt;u&gt;you&lt;/u&gt;&lt;/strong&gt; more than you can imagine.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;More Information:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SearchSecurity.Com Article: &lt;a href=&quot;http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci929175,00.html&quot;&gt;Are P2P Applications Worth the Risk?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;DHS: &lt;a href=&quot;http://www.dhs.gov/interweb/assetlibrary/IAIP_UnauthorizedP2PProgramsGovtComp_041905.pdf#search=%22p2p%20vulnerabilities%22&quot;&gt;Unauthorized P2P Programs on Government Computers&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Article: &lt;a href=&quot;http://www.articledashboard.com/Article/Instant-Messaging-and-P2P-Vulnerabilities-for-Health-Organizations/59623&quot;&gt;Instant Messaging and P2P Vulnerabilities in Health Organizations&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/08/whos-computer-is-it-anyway.html&quot;&gt;Who’s Computer is it, Anyway?! (Part 1)&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/203184117751159460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/203184117751159460?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/203184117751159460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/203184117751159460'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/08/whos-computer-is-it-anyway-part-2.html' title='Who’s Computer is it, Anyway?! 
(Part 2)'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-2966102213399073371</id><published>2006-08-29T20:47:00.000-06:00</published><updated>2006-08-29T21:01:40.610-06:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Employee Responsibility"/><title type='text'>Who’s Computer is it, Anyway?! (Part 1)</title><content type='html'>Okay – here’s the scenario: Corporate environment, computer is provided by the company, all of the initial software on the computer is installed by the company. The user signed an Acceptable Use Policy statement acknowledging their responsibilities with regard to computer use and security. The company’s acceptable use policy says something about &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“…only approved software…”&lt;/span&gt; &lt;/em&gt;(more on that in a bit). The end user is the only user of the computer. Employees are allowed to use the Internet (i.e. the web browser), applications, and email for business purposes and for limited personal use.&lt;br /&gt;&lt;br /&gt;Having remembered all that (yeah - right!), the employee is out cruising the Internet. They haven’t broken any company policies yet, they come across this site with a really cool toolbar for the browser, and best of all, it is FREE! It blocks pop-ups, gives enhanced search capabilities, even has a news feed reader and chat client. So they install that neat toolbar – free download, couldn&#39;t possibly be a problem, who’s gonna know? 
They may have just crossed the line with company policy; it’s probably a minor infraction, no big deal.&lt;br /&gt;&lt;br /&gt;Now it gets better: One day shortly after installing that cool new toolbar for the web browser, the employee tries to access a web site that they normally need to access to do their job. Certain functionality of that web site depends on scripting and pop-ups (authorized ones), but strangely they don’t work right. Hmmm – they reload the web site, check access to other web sites, and if they’re really savvy, they check pop-up settings and security settings in the native browser. All good, so what can be the problem? Frustrated by this time, the angry employee finally calls the company’s help desk and reports the problem. The technician, having seen this problem before, and after checking the normal browser settings that the user just checked themselves, asks the five dollar question: &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“Do you have any other browser toolbars or pop-up blockers installed?”&lt;/span&gt;&lt;/em&gt; Let’s just assume this employee is at least an honest person and reports the Google or Yahoo toolbar that they just installed. The technician states that the employee will have to uninstall the toolbar for the web site that they are trying to access to work. This infuriates the employee and they state that there must be SOME way to make it work with that toolbar. The technician promptly replies that the toolbar is NOT supported software, and that it is in fact NOT even approved software (remember that acceptable use policy?). &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“NO! %$#@&amp;* - it, this is MY computer and I will do what I want with it!!!”&lt;/span&gt;&lt;/em&gt; shouts the now livid end user.&lt;br /&gt;&lt;br /&gt;Here’s the bad news, folks: It is NOT the employee’s computer. It is the company’s computer. 
Those neat little toolbars and all those other cool freebies on the web are great for the computer at home, but have no place on computers at work. And here are the issues: 1) By having to muck about through trying to fix unsupported and unapproved software, we are making our help desk people do extra work that they shouldn’t have to do, and is probably against the service level agreement that the business unit has with the company. 2) By installing these things, we are possibly creating a security risk for our system and our corporate network by inviting in spyware and potential vulnerabilities. 3) We are opening our company up to all kinds of liability issues regarding software licensing (“FREE” does not necessarily mean free for use in a corporate environment), and information assurance (the spyware in that free toolbar may be a blatant violation of security policies).&lt;br /&gt;&lt;br /&gt;The reason why there is an approved software list is because some pretty smart people figured out 1) What software licensing would cost for the organization to have certain software, 2) They have a pretty good idea what software works with all the other software on the machine, and 3) They know that there are certain information security “best practices” that need to be followed.&lt;br /&gt;&lt;br /&gt;My final rant in today’s post is that the above scenario is all too common in today’s corporate environment. 
I am sick and tired of hearing about people bitching and whining because their computer is &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“…always broken,”&lt;/span&gt;&lt;/em&gt; and that &lt;em&gt;&lt;span style=&quot;color:#000099;&quot;&gt;“…these ^&amp;amp;%$#@ computers are no good.”&lt;/span&gt;&lt;/em&gt; Let me give you my $.02 worth: The reason they are always broken is because of security unaware and clueless computer users constantly installing this kind of crap on their company’s computers, and then ragging on tech support for not fixing it for them. I take exception to some blathering idiot taking out their rage on tech support people who had nothing to do with that user mindlessly horking up their computer. These morons break their computers, some do it every time they touch one – the help desk should make THEM re-image and reconfigure that machine once. That will give these people a good idea what it’s like to have to deal with and clean up after clueless people who break computers because of their own ignorance and gadget lust. Go see my &lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/07/know-thy-computer.html&quot;&gt;&quot;Know Your Computer&quot;&lt;/a&gt; and &lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/07/are-you-responsible-computer-user.html&quot;&gt;&quot;Are You a &#39;Responsible&#39; Computer User?!&quot;&lt;/a&gt; articles for more about what users can do to improve their own computing experience.&lt;br /&gt;&lt;br /&gt;Disclaimer: I used the term “Help Desk” in this article ONLY because it is the term that most people are still familiar with. The correct term is “Service Desk.” I mention this disclaimer lest the ITIL folks come find me and revoke my ITIL certification :) For more information on ITIL, please &lt;a href=&quot;http://www.itil.org/itil_e/index_e.html&quot;&gt;go here&lt;/a&gt;. 
You will find a wealth of things in the ITIL world about service desks, service support and delivery, and best of all service level agreements, service security, and service management. Solid ITIL practices are why the service desk people are not your enemy - they are doing their job!&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.itil.org/itil_e/index_e.html&quot;&gt;More ITIL Links&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://gonzosgarage.blogspot.com/2006/08/whos-computer-is-it-anyway-part-2.html&quot;&gt;Who&#39;s Computer is it, Anyway?! (Part 2)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href=&quot;http://www.spreadfirefox.com/?q=affiliates&amp;id=183905&amp;t=201&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;Upgrade to Firefox 1.5!&quot; title=&quot;Upgrade to Firefox 1.5!&quot; src=&quot;http://sfx-images.mozilla.org/affiliates/products/firefox/upgrade_1_5_300x250r.jpg&quot;/&gt;&lt;/a&gt;&lt;/center&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/2966102213399073371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/2966102213399073371?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2966102213399073371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/2966102213399073371'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/08/whos-computer-is-it-anyway.html' title='Who’s Computer is it, Anyway?! 
(Part 1)'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-8482972644401404039</id><published>2006-08-26T10:34:00.000-06:00</published><updated>2007-01-15T18:24:31.704-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="defense-in-depth"/><category scheme="http://www.blogger.com/atom/ns#" term="firewall"/><category scheme="http://www.blogger.com/atom/ns#" term="McAfee"/><category scheme="http://www.blogger.com/atom/ns#" term="personal firewall"/><category scheme="http://www.blogger.com/atom/ns#" term="router"/><category scheme="http://www.blogger.com/atom/ns#" term="SANS"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="ZoneAlarm"/><title type='text'>Using a Host Based Firewall</title><content type='html'>Even if you have a hardware router, you could still benefit from a host based firewall on each of your computers. Host based firewalls also go by the familiar name of “personal firewall.” You already have a pretty good one built in if you have installed Service Pack 2 on your Windows XP computer. However, the built-in Windows Firewall lacks some features that some of the other third-party firewalls, such as ZoneAlarm or McAfee have.&lt;br /&gt;&lt;br /&gt;So why do you need a host-based firewall anyway? Three words: Defense-in-Depth! A basic tenet of computer security is that no one measure will be able to prevent every type of attack. 
But having a variety of measures (layers) in place will be able to stop most of them. You have a router at the perimeter, you keep your patches up to date, you use antivirus and anti-malware solutions, and you have a host based firewall in place to intercept all other traffic. Here is an example: I have a Linksys router performing firewall duties at my perimeter. However, looking at my McAfee firewall logs I see that certain events got through, but were intercepted and stopped by my host based firewall.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;http://photos1.blogger.com/blogger2/3042/3818/1600/host_based_firewall_1.0.jpg&quot;&gt;&lt;img style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: pointer; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;http://photos1.blogger.com/blogger2/3042/3818/320/host_based_firewall_1.0.jpg&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of the added features of the other third-party products are the ability to more granularly configure program exceptions for allowed behavior, configure outbound as well as inbound blocking, and collect event log information. As far as the inbound events, the Windows Firewall allows you to configure applications and ports to allow. But as far as outbound events, the Windows Firewall won’t be able to allow configuration of those until Windows Vista hits the streets.&lt;br /&gt;&lt;br /&gt;Installing a host based firewall doesn’t come without some complexity. You are going to have to be a little patient while the firewall is learning. It will alert and prompt you many times when something is trying to go outbound, and you will have to tell it to remember whether or not each item is acceptable. Likewise, on the inbound events, most firewalls will just outright block them, but will alert you. You will then have to see what it is and make appropriate configuration adjustments. 
Once you have done all this for several days, however, you will find that the alerts are less and less frequent, and the firewall will be pretty low maintenance after that. You will also need to keep your firewall up to date, just like your antivirus software and patches.&lt;br /&gt;&lt;br /&gt;Defense-in-depth is a vital necessity for keeping your computer and your data safe. Host based firewalls will add to your other protective measures and help keep the threats minimized.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.incidents.org/diary.php?storyid=1636&amp;amp;isc=20096de7a9f5af4ecb2f4026779bf0a1&quot; target=&quot;_blank&quot;&gt;SANS Handler Diary Article&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/8482972644401404039/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/8482972644401404039?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8482972644401404039'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/8482972644401404039'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/08/preventive-maintenance-protecting.html' title='Using a Host Based Firewall'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31280098.post-3420840946724134730</id><published>2006-08-24T20:56:00.000-06:00</published><updated>2007-01-15T18:26:24.017-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="FireFox"/><category scheme="http://www.blogger.com/atom/ns#" term="Patch Management"/><category scheme="http://www.blogger.com/atom/ns#" term="patching"/><category scheme="http://www.blogger.com/atom/ns#" term="security"/><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability"/><title type='text'>Another Firefox Vulnerability - Already?!</title><content type='html'>Firefox’s latest browser, version 1.5.0.6, already has a new vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4310&quot; target=&quot;_blank&quot;&gt;National Vulnerability Database Article&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Look to the left of this article – below my profile, and you will see that I am a big Firefox fan. I still use Internet Explorer, and Opera, and Netscape, yada yada yada, however, because I do a lot of testing. I just want to say that I am not writing this post to slam any particular browser or boost one over the other. But I have to wonder – and this is for all the little computer nerds who work in Best Buy, constantly parroting the virtues of Firefox to every customer they see – why is it that all these new vulnerabilities in Firefox practically go unnoticed while the Internet Explorer vulnerabilities get all the press?&lt;br /&gt;&lt;br /&gt;In the last three weeks or so, Firefox has released two new versions, presumably to cover security holes and add features. 
The only reason I found out about the latest Firefox vulnerability is some micro-font text on a &lt;a href=&quot;http://www.darkreading.com/&quot; target=&quot;_blank&quot;&gt;Dark Reading Weekly&lt;/a&gt; page – not a front page press item to be sure. I’m sure this will be published on Secunia and SANS very soon. But just because the kids at Best Buy tell you matter-of-factly that Firefox is the only way to go, and just because Firefox doesn’t get the big press, doesn’t mean you are always safe and never need to pay attention to staying up to date.&lt;br /&gt;&lt;br /&gt;Anyway, my point in all this is that people fall into a false sense of security because they hear so-called “experts” blather on about how Firefox is far superior to Internet Explorer from a security standpoint. People blindly follow this advice, thinking that they will never, ever, ever, ever have to worry about anything from now on. This notion is putting a patently false idea into your heads. Regardless of what products you use, you always need to stay vigilant for security flaws and apply updates when they are available.&lt;br /&gt;&lt;br /&gt;The bad guys are getting bored with Microsoft – due diligence and proper risk analysis means that you are evaluating all of your software and keeping it up to date. 
Stay safe with all parts of your system!</content><link rel='replies' type='application/atom+xml' href='http://gonzosgarage.blogspot.com/feeds/3420840946724134730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/31280098/3420840946724134730?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3420840946724134730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31280098/posts/default/3420840946724134730'/><link rel='alternate' type='text/html' href='http://gonzosgarage.blogspot.com/2006/08/another-firefox-vulnerability-already.html' title='Another Firefox Vulnerability - Already?!'/><author><name>The Gonz</name><uri>http://www.blogger.com/profile/08229752483465912762</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixa6Q0NpEmm0CzvMAHBksxZd9FPfudUHZYp_mwL--HnjFjiiC-RC4B8cEdCXWQFWF6YIe3lwi5K0ueqpGY7Sp50Ha0f1lwWDmYSP4yePuD7xiwNOIixXWhQaqdnaSoUvI/s150/veterans-day-150.jpg'/></author><thr:total>0</thr:total></entry></feed>