<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Andy ITGuy</title><link>http://www.andyitguy.com/blog</link><description>The voice of reason in a world of FUD</description><language>en</language><lastBuildDate>Mon, 09 Nov 2009 13:57:49 PST</lastBuildDate><generator>http://wordpress.org/?v=2.8.5</generator><sy:updatePeriod xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">hourly</sy:updatePeriod><sy:updateFrequency xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">1</sy:updateFrequency><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/AndyItguy" type="application/rss+xml" /><feedburner:emailServiceId>AndyItguy</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><title>Building a security program from the ground up</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/muRQJnuoGdI/</link><category>Security Programs</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Mon, 09 Nov 2009 12:38:58 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=822</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>I was listening to <a href="http://pauldotcom.com/2009/10/pauldotcom-security-weekly---e-32.html">Pauldotcom Security Weekly episode 172</a> (yes, I’m running behind) the other day, which by the way was very good. 
They had a great interview with <span class="toctext"><font color="#000000">Prajakta Jagdale, who works for HP (via SPI Dynamics) as a Web App Security Professional. She knows a ton about web app security and does a great job of explaining it. But that’s not the point of this post. Part 2 of the podcast included some conversation by the guys on what would be the first and second thing they would implement if they were starting a new position and had full say on what to do.</font></span></p>
<p><span class="toctext"><font color="#000000">That got me to thinking about what I would do if I had the opportunity. So I’m going to tell you what I would do and then ask you to do the same. Tell me what you would do. If I had the poll module installed on my site I’d do a poll but for now I’ll just let the comment section be our poll.</font></span></p>
<p><span class="toctext"><font color="#000000">Here are a couple of assumptions: They already have a firewall and host based security suite installed and up to date. Beyond that, it’s a crap shoot.</font></span></p>
<p><span class="toctext"><font color="#000000">If I were coming into a company and had a free hand to do what I wanted I would first look at what I could do to get the biggest bang for my buck quickly and then focus on the long-term strategic planning. It’s easy to say I’d do “x” and then “y” but actually implementing them is another story. It takes time to plan and test it before you can roll it out. I’d say the first thing I’d do is implement a monitoring system so I can have some insight into what is going on. Probably something such as Snort in pure IDS mode just to give me something to go on.</font></span></p>
<p><span class="toctext"><font color="#000000">Once that was in place I’d probably implement a Vulnerability Management program that starts with application and OS patching and then focuses on the scanning, testing, exploiting, etc. As that is being rolled out I’d be working on getting a good Security Awareness Training program in place to help my users understand the risks. </font></span><span class="toctext"><font color="#000000">Other things that would be going on at the same time would be related to governance: working with the business units to see what their needs are and ensuring that policies and procedures are relevant and effective.</font></span></p>
<p><span class="toctext"><font color="#000000">This is just a starting point. There is much more to be done, but this should get things going nicely. Obviously this is just an exercise, and many of the real decisions would depend on the current security posture, risk, vulnerabilities, business needs, etc. So now it’s your turn. What would you do? What comments do you have on what I’d do?</font></span></p>
]]></content:encoded><description>I was listening to Pauldotcom Security Weekly episode 172 (yes, I’m running behind) the other day, which by the way was very good. They had a great interview with Prajakta Jagdale who works for HP (via SPI Dynamics) as a Web App Security Professional. She knows a ton about web app security and does a [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=822</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">4</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=822</feedburner:origLink></item><item><title>iPhone worm = Apathy and lack of understanding</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/Hzwo2yITz2c/</link><category>information security</category><category>user awareness training</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Mon, 09 Nov 2009 11:33:20 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=821</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>OK, maybe that’s a little extreme, but you get the point. First, I’m breaking one of my cardinal rules and blogging about something that is a “hot topic” on the blogosphere right now. Yes, the iPhone worm that has the masses running for cover.</p>
<p>Why do people jailbreak their iPhones? Lots of reasons, but for the vast majority of people it’s so they can either tether it for full internet access on a laptop or run apps that have not been blessed by Apple. For this very reason it’s not surprising that lots of them don’t change the default SSH password. I’d venture to guess that most of them don’t know what SSH is, what it is used for, or that it has a default password. <a href="http://preachsecurity.blogspot.com/2009/11/iphone-worm-srsly.html">Rafal Los thinks that they should read the manual</a> so that they are aware of these things, but I think that is asking a bit much of them. 90% or more of them have never unwrapped their manual and don’t even know where they put it. This is the same problem that many enterprises have with their employees.</p>
<p align="center"><font size="6">APATHY!!!</font></p>
<p align="left"><font size="2">That’s right, they just don’t care. They aren’t concerned about security or ethics, just with getting the latest toy on their iPhone or PC. They could have read the manual, and if they got so far as reading about changing passwords they wouldn’t have thought enough about it to actually go through with it. It’s not so much a lack of reading problem as it is a lack of understanding and caring problem.</font></p>
<p align="left">Enterprises and SMBs have been dealing with this for years and it is one of the biggest problems that we face daily. If we can figure out how to effectively combat user apathy and their lack of understanding then we will be able to take a huge bite out of the poor security posture of many organizations. </p>
<p align="left">User education is one of our best arenas for combating things such as this at work and at home. Companies have got to start implementing real awareness programs that do more than bore their employees. I’ve long been a proponent of quality awareness training, but my good friend <a href="http://www.securitycatalyst.com/">Michael Santarcangelo</a> has taught me much and (IMHO) has the answer to much of our awareness problem. We need to interact with users and get an understanding of what they need to do their jobs and how we can support them and not hinder them. We need to help them understand the importance of what they are doing and of doing it securely. They need to know that the company wants to help them do their job and that what they do and how they do it matters. I also firmly believe that if we help them understand the dangers of the internet and how it can affect them personally, that will go a long way toward their doing the right thing and thinking about the possible ramifications of their actions before taking them. If they understand that surfing porn is likely to infect their PC with viruses and keystroke loggers then they may not do it, at least not on the same PC that they do online banking with. If they understand how file sharing programs can open up their whole PC to the world then maybe they will lock down (or turn off) their file sharing apps at home. If they understand the importance of keeping patches, AV and applications up to date then they are more likely to do it at home. If they are aware of the dangers and understand how they affect them personally then they are more likely to act responsibly at work.</p>
<p align="left">Engage, Enlist, and Empower your employees to work (and play) more securely with quality user awareness training.</p>
]]></content:encoded><description>OK, maybe that’s a little extreme but you get the point. First, I’m breaking one of my cardinal rules and blogging about something that is a “hot topic” on the blogosphere right now. Yes, the iPhone worm that has the masses running for cover.
Why do people jailbreak their IPhones? Lots of reasons but for the [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=821</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=821</feedburner:origLink></item><item><title>Atlanta NAISG November Meeting</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/b_gkc47f04M/</link><category>NAISG</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Fri, 06 Nov 2009 13:31:30 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=820</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p class="MsoPlainText"><strong>This month marks the one year anniversary of the Atlanta Chapter of the National Information Security Group. Come and join us as we continue to move forward and meet the needs of those seeking to secure their home and work systems. We’re a small group of passionate and committed security professionals who have a desire to share with and learn from others in the Atlanta market. Please make plans to join us!</strong></p>
<p class="MsoPlainText"><strong>When:</strong></p>
<p class="MsoPlainText">Wednesday, November 11, 2009</p>
<p class="MsoPlainText">7pm – Networking</p>
<p class="MsoPlainText">7:30pm – ATL NAISG Business</p>
<p class="MsoPlainText">7:40pm – Keynote Presentation</p>
<p class="MsoPlainText">8:30pm – End</p>
<p class="MsoPlainText"><strong>Where:</strong></p>
<p class="MsoPlainText">Taco Mac – Lindbergh City Center</p>
<p class="MsoPlainText">573 Main Street   <br />Atlanta, Georgia 30324</p>
<p class="MsoPlainText"><strong>What:</strong></p>
<p class="MsoPlainText">Taking Incident Response to the Next Level</p>
<p class="MsoPlainText">This exciting and interactive presentation will discuss taking security incident response, no matter where you are, to the next level. We&#8217;ll specifically use the case study of a Fortune 100 company moving from a disjointed and undocumented response plan to the establishment of a Computer Security Incident Response Team. Topics will include realistic self-assessment, developing the business case, addressing small yet vital issues, and continual improvement.</p>
<p class="MsoPlainText"><strong>Who:</strong></p>
<p class="MsoPlainText">Martin Fisher</p>
<p class="MsoPlainText">Manager-Computer Security Incident Response Team</p>
<p class="MsoPlainText">Delta Air Lines</p>
<p class="MsoPlainText">Martin Fisher currently is leading the Computer Security Incident Response Team at Delta Air Lines. His 20-year IT career includes a broad set of experiences, including working the last five years at Delta to develop enhanced security incident response. A leader focused on developing teams, Martin currently is working to create a consolidated CSIRT for the largest airline in the world.</p>
<p class="MsoPlainText"><strong>Why:</strong></p>
<p class="MsoPlainText">Atlanta has lots of user groups and technology related organizations that meet every month. So why should you attend NAISG?</p>
<ol>
<li>
<div class="MsoPlainText">Great opportunity to interact with some of Atlanta’s top security talent.</div>
</li>
<li>
<div class="MsoPlainText">Good food, conversation and networking.</div>
</li>
<li>
<div class="MsoPlainText">A focus on you and helping you in your day to day security endeavors.</div>
</li>
<li>
<div class="MsoPlainText">Relevant topics that are interesting, entertaining, informative and most of all not a vendor sales pitch.</div>
</li>
<li>
<div class="MsoPlainText">Focus on the needs of those in both operations and management.</div>
</li>
<li>
<div class="MsoPlainText">No membership fees, sales pitches, or pressure to do anything but show up and learn (having a good time is encouraged though).</div>
</li>
</ol>
]]></content:encoded><description>This month marks the one year anniversary of the Atlanta Chapter of the National Information Security Group. Come and join us as we continue to move forward and meet the needs of those seeking to secure their home and work systems. We’re a small group of passionate and committed security professionals who have a desire [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=820</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=820</feedburner:origLink></item><item><title>The Tale of an Unsatisfied Security Professional</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/0Ffnb2WHN4o/</link><category>dissatisfaction</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 05 Nov 2009 07:38:39 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=819</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Note: I originally wrote this back in July of 2009 but was holding off on posting it until I landed a new position. I’ve decided to go ahead and post it, partly in response to <a href="http://preachsecurity.blogspot.com/2009/10/csi-annual-2009.html">the post by Rafal Los</a> on the CSI 2009 conference this year.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>I usually don’t blog about stories that everyone else has blogged about. I know that I really get fed up when I go through my RSS feeds and see post after post after post about some story. Take the story about SSNs being predictable. I know I saw at least 50 different write-ups on it. I guarantee you that every one of you who reads my blog saw that same story at least 10 times, so why in the world would you want to see me write about it? But this time I’m going to break my own rule and write a little about a story that has made the rounds. I’m <a href="http://www.infosecleaders.com/2009/07/job-satisfaction-in-security/">talking about the survey that Mike and Lee did regarding job satisfaction.</a> Why? Because I <em><strong>was</strong></em> (note the emphasis) one of those “unsatisfied” individuals.</p>
<p>My story started a little over 2 years ago. I had just started a new job as the Senior Security Engineer for a company. I started on Monday and Tuesday I got the news that they also wanted me to be the Security Officer for the company. They needed a good deal of work in shoring up the security architecture and program. That meant that I would do less hands-on technical work than planned and spend the majority of my time trying to get the security house in order. I was elated. I had done similar work as part of my duties at my previous 3 employers and was excited at the opportunity to really build a program from the ground up. </p>
<p>One of the early concerns that I had: when I was given the news about the change, I was told that I’d have a dual reporting structure. My day to day reporting would be to the Manager of the Infrastructure group and I’d have a “dotted line” report to the CIO. That sounded reasonable, especially early on as things were getting started. Then they told me that the CIO did not want me to go to him directly for anything; when he wanted me he would call me. That sounded odd at first, but I figured that since he is the CIO and busy it made a little sense. I assumed that he would schedule a meeting with me in the next couple of weeks to talk about the program and hammer out some of the things that he wanted to see. A couple of weeks went by and still no meeting request. I went to my direct manager and tried to talk with him about some of the things that needed to be discussed and got what I soon learned was his standard answer: “What are the industry standards and best practices?”</p>
<p>One of the first things that I started looking at was policies and procedures. I needed to get a feel for what they said so I could better understand the overall company perspective on things. That didn’t get me too far, because they were so old and outdated that they didn’t reflect much of what was currently going on in practice, nor did they reflect the current company and IT goals. So I set out to update them as best I could. Since I was still new I spent a good deal of time talking with everyone I could to get a feel for how they needed to look. I still wasn’t getting anything from management, so I put them together and submitted them for review. Most of them sat for quite some time without ever being looked at (over a year in most cases). Now I knew that I was really facing an uphill battle.</p>
<p>Things such as this continued for much of the time that I was there. I continued to do the things that I felt were necessary to build the house, but without any real help from management it was difficult to know what they really wanted and expected. I tackled PCI, internal audit findings, current practices within the various technology groups, new projects, existing projects. All of this with the goal of building cohesiveness within the security program: things like ensuring that the server team, network team and application team were communicating regularly so that the security tasks one team was doing were not being undone by another, and making sure that security got visibility into every program and had a voice in what was happening at an enterprise level.</p>
<p>Things were going fairly well, but I was quickly becoming unsatisfied. I felt that even though I was making progress and things were really shaping up, management really didn’t care about the program, and that as long as we were keeping the auditors happy then everything was OK. When I tried to move the program “beyond the check box” I got push back. When I tried to get clarification on the direction I was taking the program I got blank stares. It was becoming evident that the only reason they even had me there was because the auditors told them that they needed someone to shore up their program. It wasn’t an enterprise mandate (which unfortunately security rarely is). It wasn’t a technology mandate or even a technology priority. It was an audit mandate, and the technology department was audit driven. Audit reports went to the Board of Directors, and therefore whatever audit wanted, audit got.</p>
<p>By now I was seriously on my way to being unsatisfied. When you are passionate about something, when you truly desire to do your best, and you know that it’s not really making a difference because of corporate culture or management push back, it’s hard to stay satisfied. It affected me beyond work. Fortunately not to the degree where it affected my family life, but it did affect my blogging. You may have noticed that in the last several months my blogging has not been nearly as frequent as it had been. I was just so mentally worn out by the end of the day that I didn’t want to write about security, because I was unhappy at work.</p>
<p>I thought about looking for other positions but didn’t want to give up. I still held onto a glimmer of hope that I could enable change. So I stuck with it. I was able to get a few things changed within the program that I felt would really make a difference. One of the “problems” that I saw was that I reported under the Infrastructure group. That meant that even though I had responsibilities for security in other groups they often pulled the “you don’t work in this department, you work in infrastructure” card. Then there was the resistance I got from Infrastructure at times. The “you work for me and will do things as I want” card was used often. I knew that in order to truly be effective I had to have a reporting structure outside the other departments. I needed to either report directly to the CIO or to the Director of the team that was responsible for the ancillary functions of IT. This group contained Change Management, QA and Compliance. I felt that if I could get the security program moved under that group that I would have more authority when needed. Since that group was independent of the other IT groups and due to the way it was structured it had that authority. I was able to convince the CIO to approve the move and that made a difference. </p>
<p>Unfortunately it did little to change the audit driven mentality of the whole IT program, so my dissatisfaction continued. By this time I knew it was time to move on. Unfortunately, before I could start a serious job hunt the economy bit me. Things were pretty well shored up in the house, and now they could tell audit that we had things in order; money was tight, so we had to make some changes. But that would be OK, because they had the framework in place and they would continue to work under it as they had been for the last year or so. They now knew what to do to keep audit happy from a security perspective, and since I didn’t do the hands-on day to day tasks needed to run the network I was the logical one to go.</p>
<p>So now I’m no longer an unsatisfied security pro. I’m currently an unemployed one, but I’m thoroughly enjoying getting back into the swing of reading and writing about security. I’m enjoying a renewed passion for security that had been worn down somewhat. It’s refreshing and encouraging. That’s my tale. It actually has a happy ending, even though the ending hasn’t been fully written yet. I’m currently riding off into the sunset and waiting to see where the sunset leads.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>To the point that Raf made in saying that the participants in the conference were “lack-luster” and lacked passion, I say “I completely understand”. I think that a big portion of Information Security Professionals are just flat worn out. They are having to do more with less and getting little support from management. That really can drain the energy from you and affect not only how you do your job but also your general attitude.</p>
]]></content:encoded><description>Note: I originally wrote this back in July of 2009 but was holding off on posting it until I landed a new position. I’ve decided to go ahead and post it, partly in response to the post by Rafal Los on the CSI 2009 conference this year.
&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;-
I usually don’t blog about stories that everyone else [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=819</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">4</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=819</feedburner:origLink></item><item><title>How to deal with bug reports and vulnerability disclosures</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/NjPBjlXnm6o/</link><category>error messages</category><category>information security</category><category>vulnerabilities</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 22 Oct 2009 17:46:00 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=818</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>A few weeks ago I was looking into some online services and was checking out various offerings to see if they would meet my requirements. Of course each of these services requires you to create an account to be able to test them. Although I’m not crazy about this it’s a reality of doing things on the internet. If it’s something that I’m really not comfortable with then I will either pass on the service or use a throw away email account to do my testing with. </p>
<p>Before I go any further let me say that I am not a pen tester, vulnerability researcher or uber hacker by any means. I can and sometimes do some of the above when needed, but for the most part I’m just a guy who believes strongly in doing my part to keep my little piece of the world secure. Unfortunately, the more places I go on the internet the bigger my piece of the world gets. If I’m going to use an internet-based service, no matter what it is, then I expect it to meet a minimum level of various requirements, and security is a big one. I also expect reasonable tech support services and a user interface that is understandable and usable.</p>
<p>To veer slightly off path, I want to say that I believe strongly that every insecure system, application and user out there hurts us all. It’s not just an “it’s my system and I can do what I want with it” world. When you disconnect from the internet and NEVER reconnect again then you can live your computing life that way. Until then you have a responsibility to keep your systems and applications secure and to practice “reasonable and secure” computing. If you don’t, it affects way more than just you.</p>
<p>Back to my topic. So as I’m testing services I run across one that has an unusual “feature”. There are 2 “Continue” buttons at the bottom of the first page of the registration process. I’ve never seen this before and obviously am curious as to why. If you push one of them nothing happens (yes, I tested this in a secure environment), and if you press the other one you get different responses depending on whether or not you pushed the other one first. So as I’m looking into what is going on I check the page source code, and it appears that the “second” button is supposed to be hidden and is used for debugging. Someone just forgot to “hide” it after testing.</p>
<p>After I have completed my testing and have a pretty good understanding of exactly what happens under different circumstances I compose an email and send it to 2 different contacts that I was able to find for the site. Thus the reason for this post.</p>
<p>I sent 2 emails with the relevant information. I sent them copies of the error that was displayed, how to recreate the error and information as to why having an error of this type displayed is a hacker’s dream. To date I have not heard back from them and the site has not changed. It still has 2 “Continue” buttons. It still displays the error when you click the buttons in the right order. So since it’s been a while and nothing has happened I decided to write about it here. Not from the perspective of disclosing the site and hoping to “force their hand” but to talk about how to deal with such issues.</p>
<p>So how should you as a company deal with something such as this? At my last job, shortly after I started, we got an email from a “white hat” who said he had discovered a SQLi on our site. I did a little investigating myself and confirmed that we really did have a SQLi and so I got with my apps guys and got it fixed in a matter of minutes. I wanted to reach out to the guy who reported it and tell him thanks for the heads up and let him know that we appreciated him handling it this way and not a) exploiting it b) announcing it to the world. Since I was new in the position I decided to run it by my supervisor and he would not allow me to do so. He told me to ignore the guy and hope he left us alone. I wasn’t too keen on this but followed his directive and did not contact the guy. Was this the best course of action? I’m not 100% sure but I know that I didn’t like just leaving him hanging. What if it irritated him and he came after us in other ways? What if he found other issues later and decided not to report them to us first since we ignored him? What were the implications of this? There are no hard and fast rules on something such as this. If someone says that they are a white hat and they are reporting a vulnerability or bug then chances are that they don’t care to be responded to, but if they are a grey hat then this could be just the excuse they are looking for to justify their next step that is in the black hat realm.</p>
<p>Now, I’m not going to turn black hat on them and I really don’t care that they have not contacted me, but I do care that they have not fixed the problem. Because when others, who may be less amiable than me, find this they may have the skills and motivation to use this as an entry point into their network (yes they do have a “for pay” service that you pay for with your credit card) or to use it as a malware distribution point. Neither of which will benefit the company and both of which can hurt you and me. </p>
]]></content:encoded><description>A few weeks ago I was looking into some online services and was checking out various offerings to see if they would meet my requirements. Of course each of these services requires you to create an account to be able to test them. Although I’m not crazy about this it’s a reality of doing things [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=818</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=818</feedburner:origLink></item><item><title>October Atlanta NAISG Meeting</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/veP6rO1oq1Y/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Mon, 05 Oct 2009 13:03:17 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=815</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Hear Ye! Hear Ye! Mark your calendars, make your plans and let nothing interfere. It’s once again time for the monthly meeting of the Atlanta chapter of the National Information Security Group. We’re back in full swing after taking a short summer break. We started things up with a bang in September with Mike Rothman presenting totally new material and now we are following it up with</p>
<p align="center"><strong><font size="5" face="Kristen ITC">THE GIRLS OF ERRATA!!</font></strong></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;; font-size: 10pt"><strong>Wednesday, October 14th<br />Taco Mac Lindbergh</strong></span></p>
<p class="MsoNormal"><span style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;; font-size: 10pt">7pm &#8211; Food, Drinks, Networking<br />7:30pm &#8211; NAISG Chapter Business<br />7:40pm &#8211; Keynote Presentation<br />8:30pm &#8211; End</span></p>
<p><strong>Case Study Analysis: Social Networking ID Theft &#8211; Who You Gonna Call?</strong></p>
<p><strong>Elizabeth Wharton</strong>, VP Legal Affairs &amp; Business Development, Errata Security</p>
<p><strong>Marisa Fagan</strong>, Security Project Manager, Errata Security</p>
<p>More and more news stories tell of the vulnerability of sites like Facebook, Twitter and Gmail accounts to ID theft and crime. You&#8217;re not safe just because you&#8217;re cautious and follow security recommendations &#8211; what about your friends, coworkers and colleagues? Are you responsible for damages when someone hijacks your Twitter account? Is your company liable for disclosures of confidential information thanks to an employee&#8217;s unsafe e-mail practices from home? Marisa Fagan and Elizabeth Wharton will analyze and discuss recent vulnerability and breach case studies related to Facebook, Twitter, Gmail and LinkedIn &#8211; looking at what happened, prevention methods, and legal implications of the examples.</p>
<p><strong>About our speakers:</strong></p>
<p>Elizabeth Wharton is an experienced transactional attorney currently serving as Vice President of Legal Affairs and Business Development for Errata Security. Ms. Wharton focuses on advising emerging companies with their business development and growth related matters. Prior to her legal career, Ms. Wharton worked in Washington, D.C. as a congressional legislative aide specializing in technology, science, education and workplace issues.</p>
<p>Marisa Fagan currently serves as Security Project Manager for Errata Security. During her tenure with Errata Security, Ms. Fagan has successfully managed projects for a variety of large and small-to-midsized companies. She specializes in rapid development of network security tools and is recognized for her research in threat modeling and identity theft. Ms. Fagan holds a BBA degree from Georgia State University focused on IT Project Management and Information Security.</p>
<p><strong>SAVE THE DATE:</strong></p>
<p><strong>November NAISG-ATL Meeting &#8211; 7pm, Wednesday, November 11th</strong></p>
<p><strong>Keynote Speaker:</strong> Martin Fisher, Manager, Computer Security Incident Response Team (CSIRT), Delta Air Lines</p>
<p><strong>Follow us on Twitter:</strong><br /><a href="http://twitter.com/NAISG_atl" rel="nofollow" target="_blank"><u><font color="#0066cc">@NAISG_atl</font></u></a></p>
</div>
</div>
</div>
]]></content:encoded><description>Hear Ye! Hear Ye! Mark your calendars, make your plans and let nothing interfere. It’s once again time for the monthly meeting of the Atlanta chapter of the National Information Security Group. We’re back in full swing after taking a short summer break. We started things up with a bang in September with Mike Rothman [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=815</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=815</feedburner:origLink></item><item><title>A little about ME :)</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/yvWgddn4D8c/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 17 Sep 2009 12:31:55 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=813</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>OK, so I’m a little late on posting this but I’ve been busy. A few weeks ago the guys at Anue Systems contacted me about doing a short interview and it was posted a couple of weeks ago. You can read it on <a href="http://www.anuesystems.com/blog/2009/09/09/security-pros-on-twitter-spot-andy-willingham/">their blog here</a>. Just a couple of corrections (I haven’t even told them yet b/c I’ve been too busy and it’s not a big deal): I do not live in Canada, I live in Atlanta, and I don’t work for a Financial Services firm any more.</p>
]]></content:encoded><description>OK, so I’m a little late on posting this but I’ve been busy. A few weeks ago the guys at Anue Systems contacted me about doing a short interview and it was posted a couple of weeks ago. You can read it on their blog here. Just a couple of corrections (I haven’t even told [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=813</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=813</feedburner:origLink></item><item><title>Good things to read (if you haven’t already)</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/GuFgJgLoPzc/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Tue, 01 Sep 2009 08:48:48 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=811</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Some of the blogs, articles and such that I’ve saved over the last few weeks have now been read and I wanted to share some of them with you.</p>
<p>First, over at the Security Catalyst Community there are a couple of conversations going on that I think are quite interesting (of course I started them so I’m biased). <img src='http://www.andyitguy.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> The first one has to do with the doom and gloom mindset that is going around in some corners of InfoSec. <a href="http://www.securitycatalyst.org/forums/index.php?topic=1193.0">You can check it out and add your thoughts here</a> (registration required).</p>
<p><a href="http://www.securitycatalyst.org/forums/index.php?topic=1196.0">Next there is a conversation</a> about some simple things that we can do to simplify our lives and make our environments more secure.</p>
<p>Lori Macvittie has a good write up on Cloud Security considerations at the <a href="http://devcentral.f5.com/weblogs/macvittie/archive/2009/09/01/securing-the-other-side-of-the-cloud.aspx">F5 blog</a>. </p>
<p>Now, I haven’t read this yet but I can’t help but think that it’s good and well worth the time to go through it. <a href="http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf">NIST – Small Business Security</a></p>
<p>On a non-security note my favorite Leadership Guru, John Maxwell, has posted the first chapter to a new book online. <a href="http://johnmaxwellonleadership.com/2009/08/31/connecting-increases-your-influence-in-every-situation/">You can read it here</a>.</p>
<p>Another one that I haven’t read yet but looks promising is the new issue of <a href="http://www.mcafee.com/us/research/mcafee_security_journal/summer_2009.html">McAfee Security Journal</a>.</p>
<p>PCI Guru Michael Dahn has a good article on the usefulness of a <a href="http://itknowledgeexchange.techtarget.com/it-compliance/capability-and-maturity-model-creation-in-information-security/">Capability and Maturity Model in a security program</a>.</p>
<p>My good friend Martin Fisher has some great advice for us regarding IR and the leadership needed to have a successful program in your company. He has written 2 articles for the Security Catalyst Blog on this <a href="http://www.securitycatalyst.com/incident-response-leadership-basic-truths/">here</a> and <a href="http://www.securitycatalyst.com/succeeding-by-planning-to-fail/">here</a>.</p>
<p>I’ve got lots more reading to do so I’ll post more later. This should keep you busy for a while anyway. <img src='http://www.andyitguy.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded><description>Some of the blogs, articles and such that I’ve saved over the last few weeks have now been read and I wanted to share some of them with you.
First, over at the Security Catalyst Community there are a couple of conversations going on that I think are quite interesting (of course I started them [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=811</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=811</feedburner:origLink></item><item><title>From “We’re screwed” to a little rational thinking</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/QXwyNc4kt64/</link><category>FUD</category><category>GRIRST</category><category>Rational Thinking</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Fri, 28 Aug 2009 11:53:01 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=810</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>My friend Martin Fisher labels it the &quot;Post Blackhat/DefCon Stress Disorder&quot;. That time of the year when it seems that everyone is bemoaning the bad shape of things in information security. Doom and gloom prevail at talks and conferences. No one has anything good to say about the state of security. I guess it’s a natural progression when we hear all of the cool, new and scary stuff that is going on.</p>
<p>Not that there isn’t plenty for us to be worried about, but we have to keep our rational minds about us. We can’t just talk about what’s wrong, we have to focus on what’s right and what we can do to make things better. One of the things that I noticed at the GFIRST conference this week in Atlanta is that there was plenty of “woe is me” and very little of “here’s what we can do”. Even those that did have an idea as to what we need to do didn’t have much “real meat” to give us. If you don’t have good ideas or solutions and you are just sharing info then please make sure that you have run it through the tempering process. Are things really as bad as you think or is it just because you have seen a good deal of bad stuff lately? Are we beyond repair or is your perception currently clouded? Is it “game over” or are we just at half time and needing to regroup?</p>
<p>These are the things that we need to think about before we get up and share information with others. Unless our goal is to engage them in the solution process then we need to really temper our thoughts. And I would venture to say that a conference is not the place to share info with the goal of engaging others in the solution.</p>
<p>FUD is rampant right now and we have to slow its progress. We have to look at who is saying it, where they got their data, what their motive is or may be, and what their ideas on a solution are. If we can’t get decent answers to these questions then I’d think twice about putting much stock into what they are saying. Let me give you a good example. Dave DeWalt, CEO of McAfee, said that there are 20+ countries armed and ready for cyber warfare. I tweeted that and shortly after that I got a request from Brian Honan for a link or some solid data to back that up. I didn’t have anything other than Mr. DeWalt’s word. Brian wanted facts to back up the quote because he was thinking rationally and not buying the FUD (or possible FUD).</p>
<p>I like to think that I’m a fairly rational thinker and that I don’t spread FUD and that I even put a stop to some of it. Hopefully I do. What I want to challenge you to do is also think rationally. Don’t react but plan ahead and think about what you hear and see. If there seems to be validity to it then think about possible solutions and engage others in the process. This is the kind of stuff that will gain us great strides in securing our systems and changing the way things are done.</p>
]]></content:encoded><description>My friend Martin Fisher labels it the &amp;#34;Post Blackhat/DefCon Stress Disorder&amp;#34;. That time of the year when it seems that everyone is bemoaning the bad shape of things in information security. Doom and gloom prevail at talks and conferences. No one has anything good to say about the state of security. I guess it’s a [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=810</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=810</feedburner:origLink></item><item><title>September NAISG in the ATL</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/B2-fb-tqle0/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 27 Aug 2009 13:18:07 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=809</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>We’re less than two weeks away from the fall kick-off of the Atlanta NAISG speaker series. We have lots of good things in store for the rest of the year. We took the summer off to sit back and relax with less formal meetings and now we are ready to kick it into high gear.</p>
<p>We’re starting off with a bang! Atlanta’s own (he’s been here long enough to say that) Mike “Security Incite” Rothman will be presenting all NEW material. That means he’s not recycling old (yet very inciteful) material. I’ve talked with him about the presentation and I think that it’s something that we all need to hear.</p>
<p>PLEASE, PLEASE, PLEASE make plans to attend. Tell your friends! Tell your Twitter Tweeple and FaceBook friends. Announce it at work and anywhere else that there are people who want to hear more about security. They don’t have to work in security or even technology. The more non-techies we can get means that more people are learning how to do things securely and that means that Aunt Martha won’t be calling you for tech support as much.</p>
<p>Now that I’m through rambling here are the details!</p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">September 9, 2009 &#8212; Atlanta NAISG Meeting</span></b></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">Taco Mac – Lindbergh (private room upstairs)</span></b></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">7pm – Networking</span></b></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">7:30pm – Presentation</span></b></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">Keynote:</span></b><span style="font-family: &#39;Arial Narrow&#39;, sans-serif"> Mike Rothman, SVP Strategy &amp; Chief Marketing Officer for eIQNetworks, Chief Blogger at Security Incite and author of the Pragmatic CSO</span></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><b><i><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">The Pursuit of Security Happyness</span></i></b></p>
<p style="margin: 0px; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt"><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">For the most part, security professionals are a pretty grumpy lot. A good day for us is when nothing happens and we are always worrying about how we are going to die tomorrow. And it&#8217;s not getting any easier. Between bot outbreaks, audit findings, new mandates, budget cuts, and stupid users &#8211; it&#8217;s enough to put a security pro into a rubber room for a long period of time. Mike will provide a candid assessment of our self-inflicted angst and preview content from an upcoming manifesto that provides a number of techniques to do your job, without making yourself crazy.</span></p>
<p style="margin: 0in 0in 0pt; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt" class="MsoNormal"><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">Please RSVP to <a style="color: blue; text-decoration: underline" href="mailto:Meetings-Atlanta@naisg.org" rel="nofollow" target="_blank">Meetings-Atlanta@naisg.org</a>.</span></p>
<p style="margin: 0in 0in 0pt; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt" class="MsoNormal"><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">Our sponsor this month will be eIQNetworks. They will be providing appetizers and the first round of drinks.</span></p>
<p style="margin: 0in 0in 0pt; font-family: &#39;Times New Roman&#39;, serif; font-size: 12pt" class="MsoNormal"><span style="font-family: &#39;Arial Narrow&#39;, sans-serif">Hope to see many of you there!</span></p>
]]></content:encoded><description>We’re less than two weeks away from the fall kick-off of the Atlanta NAISG speaker series. We have lots of good things in store for the rest of the year. We took the summer off to sit back and relax with less formal meetings and now we are ready to kick it into high gear. [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=809</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=809</feedburner:origLink></item></channel></rss>
