I’m making a pretty big change in my technology usage. I’m moving from a laptop to a tablet for my personal computing use. I’ve been wanting a tablet for a while because of the smaller footprint and less weight to carry around. I like the flexibility of a tablet as well. They can do most things that a laptop can do and there are lots of apps to choose from that work better on a tablet than on a phone. It also gives me the convenience of an e-reader, which I’ve wanted for a while, and it’s better since I’m not limited to specific book formats.

Of course you have to be careful when you download apps. The potential for malicious behavior, poor coding and compromise is just around the corner. Hmm, sounds like the same problems PCs have with software from major vendors. This will be interesting as I work through the change and make the required adjustments. I’ve been at it for just over a week and so far so good. Let’s just hope that it stays good. This thing cost too much to toss aside.

So far the only real issue I’ve had has been with some web pages not rendering properly. It’s not too bad and only happens on some pages. If anyone else has made the switch I’d love to hear your stories, good and bad.

Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know that for me I’m really hoping that this year my life can slow down some, but if the first 3 weeks of the year are any indication then I may be in trouble. :(  For those of you who don’t know, I’ve decided to take a short sabbatical from the Southern Fried Security Podcast. That was one area where I could step away and know that things would be in good hands and still keep some sanity. I don’t plan on it being a long break but don’t know when I’ll be back as of yet.

Now on to the actual reason that I’m writing this post……

As many of you know, some hackers released source code for an older version of a couple of Symantec products. Symantec said that it would have no real impact on their customers because the code was for products that were 5 or 6 years old. They also said that the code wasn’t taken from them but from a business partner. I guess their conscience got the best of them because now they have decided to come clean and admit that the data was actually taken from them in a breach of their network. When you read the various articles the picture is still a bit fuzzy. Were they breached recently or 6 years ago? If it was that long ago, why are we just now finding this out, or worse yet, why didn’t they know it until recently? If you read some of the quotes from Symantec spokesperson Chris Paden it almost seems to say that the breach happened in 2006 but they just discovered it. Lots and lots of unanswered questions and questionable comments and actions.

So what’s the point? Honesty, Integrity, Character, Trust. All things that people and companies need to embrace. Let’s face it, we are living in hard times right now. Many companies are struggling and doing all they can to keep their heads above water, and consumers (individual and business) are looking long and hard at where they are spending their money. They are also looking at the total value for their dollar and they want to know that the company they are doing business with isn’t trying to pull the wool over their eyes. I know that if a company changes their story and is vague on something like this then it says to me that they will do it in other areas, and it erodes my trust in them. The same holds true for an individual. If you are not honest in some areas, how can I trust you in others?

On Wednesday I noticed that Josh Corman (@joshcorman) posted the following couple of tweets.

joshcorman Joshua Corman

If $SecurityVendor uses deception / social eng to separate you from your $$$, how are they not just another adversary?

joshcorman Joshua Corman 

.@gollmann there are a lot of things $SecurityVendors shouldn’t do. Some abuse the implicit "trusted adviser" expectation more than others

18 Jan


I’m sure most of us have stories of vendors gone wild. Ones who sold you what you didn’t need or what wasn’t right for your environment. Sold you too much, or baited you with a little only to hit you with the big stuff later. Maybe they gave you a good deal on what you needed but took you to the cleaners on professional services to make it work. Sometimes it’s the company culture that encourages it and sometimes it’s just an unscrupulous salesperson or an SE who is working off commission and wants a nice Christmas at your expense. The problem still goes back to character, integrity and trust. If they aren’t there then someone will get hurt.

To be fair, it also happens on the side of the customer. Oftentimes they will try to take the vendor for all they can get, even if it’s lots more than they paid for. Maybe they broke something but they want to get it fixed for free, so they will try to make it look like it was defective. I remember one time early in my career we were having problems with a data circuit, and in my troubleshooting I determined that the problem was with the smart jack that our T1 terminated at. I called the local telco and put in a trouble ticket and they scheduled a time for a tech to be out to look at it. My boss called and told me to take a paperclip and short out the smart jack. The telco would charge us for a service call if it turned out that the problem wasn’t with their equipment and he didn’t want to risk having to pay. I refused to do it, and it turned out that I was right anyway: the jack was bad. To me it just wasn’t worth tossing my integrity out the door to possibly save the company a couple of hundred dollars. Not to mention the fact that if I did that, then what else would my boss expect me to do? It’s a slippery slope and we can’t afford to go down it.

Don’t get me wrong, I’m not condemning Symantec because I don’t know all of the facts. They just happened to be the one that got me on my soap box. I hope that Symantec is able to clear this up and that we discover that the twisted stories are all the handiwork of a few individuals who can be replaced with people of integrity. I’d hate to know that it was a corporate culture of lying that was behind this. There are already enough companies out there who will do all they can to keep and make more money no matter who it hurts. We have enough “evil” companies out there already and we don’t need more. We need to be people of integrity and we need to demand it of the companies that we do business with.

I love to read. Unfortunately I don’t have time to read too much, but I do listen to books as much as possible in my car and when working around the house. I try to have at least one book in print that I’m reading all the time, and often I’ve got 3 or 4 going at a time and I read a little here and there on each depending on my mood. Not too long ago I was asked to read a book and do a review of it on the blog. That book is “America the Vulnerable” by Joel Brenner. I get asked to review lots of books, mostly technical ones, and I usually refuse, but this one I decided to accept because I love reading books like this. They are usually exciting to read, full of good information and help to raise awareness of the state of technology security. This book does all that and then some.

Mr. Brenner is a former top-level NSA insider and he seems to have the inside scoop on a lot of pretty scary stuff. He does a good job of telling an interesting tale and doing so on a level that anyone can understand. He explains concepts that those of you who read my blog already understand but that your parents and their friends may not. He also doesn’t just tell a story or try to scare you. He offers some insight into things that need to be done, and can be done, to make changes that hopefully will make a difference.

I like the way that he calls out both public and private networks as being behind the curve when it comes to security. He highlights things that you and I do every day that can impact your security, my security and everyone else’s on the internet. He gives examples of things that could happen and tells us about things that have happened. One of the things that I really enjoyed was a story about a “hit” that took place in Dubai. Those who were involved still haven’t been caught, but the whole thing took place on camera. That is how we know what happened. Due to the digital surveillance that occurs daily in Dubai, those who participated were caught on video and the authorities were able to track them back to their original flights into Dubai. Unfortunately that’s as far as they were able to get. The point here though is that 20 years ago they would never have even known that much. Technology has its blessings in helping out with such things, but it also has its curse because it has brought about the loss of privacy and anonymity in many ways.

This is a book that I like and would not hesitate to recommend to my friends and family. It has lots of useful info that will educate and inform those who need to know.

A few weeks ago I was approached by someone at SC Magazine and asked to present a short argument in favor of Security Awareness Training. This is a “Point/Counterpoint” feature where someone else was to argue against Security Awareness Training. Imagine my surprise when a coworker stopped by my desk to show her surprise at seeing my name and picture in the magazine. She showed me the page and lo and behold my “foe” in this argument is Amrit Williams. How fitting, considering the history that he and I have of disagreeing on topics in the past. Anyway, if you are interested you can find our thoughts either in the print version on pg 13 or by clicking on the link below.

After my last post on “Risk Management or Compliance Management” Martin Fisher and I talked about it on the SFS Podcast. It gave me an opportunity to “rant” more, and as usual Martin had some good insight into things. Ranting is fine for a bit, but if that is all there is then why bother to blog? There need to be some actionable items to move things forward, so here are some thoughts on getting back to Risk Management and away from “pure” compliance management.

I’m going to approach this from a generic angle because it will be different for each company due to many factors. This will probably work better for the SMB market due to the complexity of large enterprises, but with some creative thinking you should be able to use this as a template for them as well. So if you are a security pro and are tired of doing compliance management instead of risk management, what do you do?

First you want to make a plan and prepare a strategy. Lay out the goals for what you want to accomplish. Who do you need to influence? Your boss, a business leader, company leadership?

A good place to start is with a good understanding of what you currently have. Do you know your environment? Do you have an asset list of all systems (hardware, OS, applications, services, accounts, etc.)? What patches do you have installed and what software versions are you currently running? What infrastructure components are in place? What are the various connections to the outside world? Do you have extranets? Things such as this are key to the next step.

Do a gap analysis to determine what you need to do to get from where you are to where you need to be. After that, do a risk analysis on the gap. It doesn’t have to be fancy or even follow a particular methodology, just as long as you are doing a thorough job and not just looking at things through the blood-colored glasses of a security pro. Talk to others who are in the business and can give you insight. Ask questions of others in different roles to help you understand better and be able to view the “problem” from the security angle, the business angle, the user angle and the customer angle. These things will help you when you present your recommendations because you can anticipate questions and concerns ahead of time and have answers and alternatives prepared. Plus it really adds to your credibility because they see that you are serious about this and not just spouting off.

Next you will want to look at ways to close the gap. Don’t just think technology. What process changes can be made? You will be able to answer this because you took the time to talk to others and learn from them. Are there policies in place that address this, and if so, do they address it fully or are there areas that need to be shored up? What about technology that is already in place? Can it be used to solve some problems? Then look at “new” technology that could be implemented. Also don’t forget awareness programs and other training that can reduce the likelihood that someone in the company will make a mistake due to lack of knowledge.

Now go back and look at what you can realistically do given the resources available to you. Think about time, talent, money, etc. and build a case for doing what you can, but don’t stop there. Build the case for going beyond. Why is what you can do not enough? What risks will still be there that need to be addressed? Why do they need to be addressed? Explain it in a way that the business managers and others who are not security focused will understand. I love this “nugget” from Mike Rothman’s “Pragmatic CSO”: put together different presentations for Plan A, B and C, with A being getting everything on your list, C being the minimum you can get by with, and B somewhere in between.

Once you feel that you have built your case(s), run them by others in the company who can help you refine them so that what you present to management is first class. After that, practice your presentation many, many times and make sure that you have asked the right questions (those that management will ask) and have your answers prepared.

Now it’s up to management how they respond, but at the very least, if you have done this well you will build credibility so that next time they listen to you more closely and value your input.
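To make the inventory, gap analysis, risk ranking and Plan A/B/C steps above concrete, here is a small added example (mine, not from the original post or from "Pragmatic CSO"). The asset records, the control baseline, the 1-5 likelihood and impact scores and the costs are all constructed sample data, and the risk formula (likelihood times impact) is one common convention rather than the only one; swap in whatever your own inventory and scoring produce.

```python
"""Inventory -> gap analysis -> risk ranking -> Plan A/B/C, as a script.

Added example with constructed data; the baseline, scores and costs are
placeholders chosen to make the ranking visible, not real figures."""

# Constructed inventory: one record per system and the controls it has today.
INVENTORY = [
    {"asset": "web-frontend", "exposure": "internet",
     "controls": {"patching", "waf"}},
    {"asset": "db-primary", "exposure": "internal",
     "controls": {"patching"}},
    {"asset": "partner-extranet", "exposure": "extranet",
     "controls": set()},
]

# Constructed baseline: for each exposure, the controls required and, for
# each control, (likelihood, impact, cost) of it being absent.
BASELINE = {
    "internet": {"patching": (4, 5, 10), "waf": (3, 4, 25), "mfa": (4, 4, 15)},
    "extranet": {"patching": (3, 4, 10), "mfa": (3, 5, 15), "logging": (2, 3, 8)},
    "internal": {"patching": (2, 4, 10), "logging": (2, 3, 8), "backups": (2, 5, 12)},
}


def gap_analysis(inventory, baseline):
    """One gap entry per (asset, missing control), with its risk and cost."""
    gaps = []
    for rec in inventory:
        required = baseline[rec["exposure"]]
        for control, (likelihood, impact, cost) in required.items():
            if control not in rec["controls"]:
                gaps.append({"asset": rec["asset"], "control": control,
                             "risk": likelihood * impact, "cost": cost})
    return gaps


def rank(gaps):
    """Highest risk first; among equal risks, the cheaper fix first."""
    return sorted(gaps, key=lambda g: (-g["risk"], g["cost"]))


def plan(gaps, budget):
    """Greedily fund ranked gaps until the budget is spent.

    Returns (chosen, residual_risk): the residual is the sum of the risk
    scores left unaddressed, which is the 'what is still out there'
    figure the post says management needs to hear."""
    chosen, spent = [], 0
    for g in rank(gaps):
        if spent + g["cost"] <= budget:
            chosen.append(g)
            spent += g["cost"]
    residual = sum(g["risk"] for g in gaps if g not in chosen)
    return chosen, residual


def plans_abc(gaps, budget_c, budget_b):
    """Plan A funds everything; C is the minimum budget; B sits between."""
    total = sum(g["cost"] for g in gaps)
    return {"A": plan(gaps, total), "B": plan(gaps, budget_b),
            "C": plan(gaps, budget_c)}


if __name__ == "__main__":
    gaps = gap_analysis(INVENTORY, BASELINE)
    for name, (chosen, residual) in plans_abc(gaps, 25, 40).items():
        items = ", ".join(f"{g['asset']}:{g['control']}" for g in chosen)
        print(f"Plan {name}: fund [{items}] -> residual risk {residual}")
```

With the sample data, Plan C (budget 25) funds MFA on the internet-facing front end and patching on the extranet and leaves a residual risk of 37 out of 65; Plan B (budget 40) adds extranet MFA and leaves 22; Plan A leaves 0. The point of carrying the residual through is that each plan arrives with a stated answer to "what does this not fix".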

Timing is everything. Sometimes it works in your favor and sometimes it sneaks up and bites you in the butt. I wrote this last night (Thursday) and didn’t get around to posting it, and then today I see several people pointing to this video on the very topic I wrote about. Oh well, here it is, a day late and a dollar short.

I’ve been thinking a lot lately about “risk management”. After all, that is the core of what a security professional is supposed to do. We help the business manage the risk that they face. Sounds great in theory, but how well does it really work? What I’m seeing is not real risk management so much as compliance management. We are tasked with ensuring that the business doesn’t fall below the compliance threshold, and that is considered risk management. We talk to the business about issues and give them our input on what needs to be done, and we are told “that’s not required by regulation X or policy Z”, so the business approves the minimum that gets them “compliant” and then goes on about its merry way.

Some will say that if this happens then you are just ineffective in selling your program or solution, and maybe that is the case from time to time, but I think it’s a much deeper problem than that. The business is focused on doing business and they push back on those things that they see as being a hindrance. They are more concerned about ensuring that Customer Connie and Client Clint don’t have to do anything themselves to protect their interactions with the business. They don’t want to negatively impact the customer experience, and I get that. Very few people like it when they are constantly being asked to verify their actions online, and they will go elsewhere if given the opportunity. The problem is that the business has taken the hard line and wants security to be completely seamless and invisible to the customer. Now the business has become the department of NO. No, we don’t want to deploy something that requires the customer to take action. No, we don’t want to deploy a solution that will slow the transaction by half a second. No, we don’t want to change the way we code; we want you to install something that fixes (or hides) our mistakes for us.

The business has fully bought into the compliance mentality and doesn’t want to go beyond it. They tell us that they want us to manage risk, but what they really mean is that they want us to ensure that they are not at risk of being out of compliance. Unless of course the compliance requires too much of them; then they want either a compensating control or to accept the risk and hope that it never comes back to bite them. Then once it does, they blame security because we didn’t push hard enough or didn’t inform them of the potential for it to be this bad. Of course the 20 different emails and slide decks where we laid all of this out don’t matter at this point. It’s still our fault for not doing our job.

Everyone said it would happen. One day I would open my eyes and see the light. I’d have a sudden urge to rush to the local Apple Store and run up to a sales clerk (or do they call them “sales genius”?) and utter those magical, mystical words “I want a Mac!”

Well, I’m thinking that the time may be upon me even as I type. I’m giving serious consideration to going out and buying not one, not two, not three……. but FOUR Macs. One for each separate household in my family. That way when they have computer problems they will no longer be able to call me for help, because I can’t work on them, won’t work on them and refuse to work on them! My sister got one a few months ago and I haven’t talked to her since. Not because I refuse to, but because she knows that I can’t and won’t help her with Mac problems. One of my brothers-in-law got one a year or so ago and now when he calls we actually talk about things other than his computer problems. If it’s worked out so well in those two cases it’s bound to make my extended family relationships much better if they all have one.

Thank you, Mr. Jobs! I can’t believe it took me this long to see the light.

Next week I am teaming up with 2 good friends (Michael Santarcangelo @securitycatalyst; Chris Carpinello @chriscarpinello) and one new friend (Steve Ellis @steellis) to talk about security awareness and the Human Paradox. Join us on Wednesday Aug 10, 2011 at 2:00 PM EDT, and if you can’t join then you can download the mp3 and listen to it later (or several times).

The event is sponsored and hosted by Focus.com. We would love to have you join us and join in the conversation.

I had the honor of being interviewed by Michael Fornal for his blog “Fighting In.Security”. He has just posted the interview here if you care to check it out. Read some of his own writings while you’re there. It’s more interesting than an interview with me.

I’ve never been one to use my blog to link to vendors and/or their products, but I received an email last week that was intriguing enough to get me to take a further look. I liked what I saw and decided to pass it on. It’s nothing earth shattering or new, just some good ole common sense that we can pass on. One thing that I have come to realize as I work more and more with developers is that there really is a lack of understanding of how to write secure code. It’s not taught in school, and many businesses and development shops are more focused on getting code written and out the door. As a result of this we see the same basic things pop up again and again and again. At work we see this as we review new code that is hoping to be put in production. SQLi, XSS, XFS, etc.… it’s like security Groundhog Day. You find it, get it fixed, tell the developers how to avoid it and start all over again. Much of this is due to developers being project oriented, and many times they are contractors who come in long enough to write their piece and then move on. So what you taught them may never come to fruition for you.

Anyway, Veracode has put together 5 cheat sheets on common coding issues and they are pretty decent. They explain the problem, what it does, why it’s bad and give you some tips on how to avoid it in your code. There are also videos and sample scripts and code for you to look at. It may not be anything new for you, but it is something that you can pass on to the developers that you support or work with. Who knows, it may save you some time and headache as the number of issues is reduced because you took the time to pass this on.

• SQL Injection: http://www.veracode.com/security/sql-injection
• Cross Site Scripting: http://www.veracode.com/security/xss
• Cross Site Request Forgery: http://www.veracode.com/security/csrf
• LDAP Injection: http://www.veracode.com/security/ldap-injection
• Mobile Code Security: http://www.veracode.com/security/mobile-code-security
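Since SQLi and XSS are the two findings that keep coming back in code review, here is an added example of each, in its vulnerable form beside the fix. This is my own illustration, not code from the original post or from the Veracode cheat sheets; it uses only the Python standard library, and the user table and the attack payloads are constructed sample data.

```python
"""SQL injection and cross-site scripting: the bug and the fix side by side.

Added example with constructed data. The in-memory SQLite table stands in
for a real user store; the payloads are the textbook ones."""
import html
import sqlite3

# Constructed sample data: two accounts in an in-memory database.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: attacker text becomes SQL syntax.

    A name of  alice'--  closes the literal and comments out the rest of
    the WHERE clause, so the password is never checked."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    """Parameterised query: values travel separately from the statement,
    so a quote or comment marker in the input is data, never syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


def greeting_vulnerable(display_name):
    """Reflects user input straight into HTML; a <script> tag survives."""
    return "<p>Welcome, %s</p>" % display_name


def greeting_fixed(display_name):
    """Output-encodes for an HTML text context before interpolating.

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as text instead of executing it."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    sqli = "alice'--"
    print("SQLi, vulnerable:", login_vulnerable(conn, sqli, "wrong"))
    print("SQLi, fixed:     ", login_fixed(conn, sqli, "wrong"))
    xss = "<script>alert(1)</script>"
    print("XSS, vulnerable: ", greeting_vulnerable(xss))
    print("XSS, fixed:      ", greeting_fixed(xss))
```

The fix in both cases is the same idea: keep untrusted input in the data channel (a bound parameter, an encoded text node) and never let it reach the channel the parser treats as code. Output encoding is context specific, so the HTML text encoding shown here is not sufficient on its own for input landing inside a JavaScript string or a URL attribute.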

