information security


Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know for me I’m really hoping that this year my life can slow down some but if the first 3 weeks of the year is any indication then I may be in trouble. :(   For those of you who don’t know I’ve decided to take a short sabbatical from the Southern Fried Security Podcast. That was one area where I could step away and know that things would be in good hands and still keep some sanity. I don’t plan on it being a long break but don’t know when I’ll be back as of yet.

Now on to the actual reason that I’m writing this post……

As many of you know some hackers released source code for an older version of a couple of Symantec products. Symantec said that it would have no real impact on their customers because the code was for products that were 5 or 6 years old. They also said that the code wasn’t taken from them but from a business partner. I guess their conscience got the best of them because now they have decided to come clean and admit that the data was actually taken from them in a breach of their network. When you read the various articles the picture is still a bit fuzzy. Were they breached recently or 6 years ago? If it was that long ago, why are we just now finding this out, or worse yet, why didn’t they know it until recently? If you read some of the quotes from Symantec spokesperson Chris Paden it almost seems to say that the breach happened in 2006 but they just discovered it. Lots and lots of unanswered questions and questionable comments and actions.

So what’s the point? Honesty, Integrity, Character, Trust. All things that people and companies need to embrace. Let’s face it, we are living in hard times right now. Many companies are struggling and doing all they can to keep their heads above water, and consumers (individual and business) are looking long and hard at where they are spending their money. They are also looking at the total value for their dollar and they want to know that the company they are doing business with isn’t trying to pull the wool over their eyes. I know that if a company changes their story and is vague on something like this then it says to me that they will do it in other areas and it erodes my trust in them. The same holds true for an individual. If you are not honest in some areas how can I trust you in others?

On Wednesday I noticed that Josh Corman (@joshcorman) posted the following couple of tweets.

joshcorman Joshua Corman

If $SecurityVendor uses deception / social eng to separate you from your $$$, how are they not just another adversary?

joshcorman Joshua Corman 

.@gollmann there are a lot of things $SecurityVendors shouldn’t do. Some abuse the implicit "trusted adviser" expectation more than others

18 Jan


I’m sure most of us have stories of vendors gone wild. Ones who sold you what you didn’t need or what wasn’t right for your environment. Sold you too much or baited you with a little only to hit you with the big stuff later. Maybe they gave you a good deal on what you needed but took you to the cleaners on professional services to make it work. Sometimes it’s the company culture that encourages it and sometimes it’s just an unscrupulous sales person or an SE who is working off commission and wants a nice Christmas at your expense. The problem still goes back to character, integrity and trust. If they aren’t there then someone will get hurt.

To be fair it also happens on the side of the customer. Oftentimes they will try to take the vendor for all they can get even if it’s lots more than they paid for. Maybe they broke something but they want to get it fixed for free so they will try to make it look like it was defective. I remember one time early in my career we were having problems with a data circuit and in my troubleshooting I determined that the problem was with the smart jack that our T1 terminated at. I called the local telco and put in a trouble ticket and they scheduled a time for a tech to be out to look at it. My boss called and told me to take a paperclip and short out the smart jack. The telco would charge us for a service call if it turned out that the problem wasn’t with their equipment and he didn’t want to risk having to pay. I refused to do it and it turned out that I was right anyway; the jack was bad. To me it just wasn’t worth tossing my integrity out the door to possibly save the company a couple of hundred dollars. Not to mention the fact that if I did that then what else would my boss expect me to do? It’s a slippery slope and we can’t afford to go down it.

Don’t get me wrong, I’m not condemning Symantec b/c I don’t know all of the facts. They just happened to be the one that got me on my soap box. I hope that Symantec is able to clear this up and that we discover that the twisted stories are all the handiwork of a few individuals who can be replaced with people of integrity. I’d hate to know that it was a corporate culture of lying that was behind this. There are already enough companies out there who will do all they can to keep and make more money no matter who it hurts. We have enough “evil” companies out there already and we don’t need more. We need to be people of integrity and we need to demand it of the companies that we do business with.

I love to read; unfortunately I don’t have time to read too much, but I do listen to books as much as possible in my car and when working around the house. I try to have at least one book in print that I’m reading all the time and often I’ve got 3 or 4 going at a time and I read a little here and there on each depending on my mood. Not too long ago I was asked to read a book and do a review of it on the blog. That book is “America the Vulnerable” by Joel Brenner. I get asked to review lots of books, mostly technical ones, and I usually refuse, but this one I decided to accept because I love reading books like this. They are usually exciting to read, full of good information and help to raise awareness of the state of technology security. This book does all that and then some.

Mr. Brenner is a former top-level NSA insider and he seems to have the inside scoop on a lot of pretty scary stuff. He does a good job of telling an interesting tale and doing so on a level that anyone can understand. He explains concepts that those of you who read my blog already understand but there is a chance that your parents and their friends don’t understand. He also doesn’t just tell a story or try to scare you. He offers some insight into some things that need to be done and can be done to make some changes that hopefully will make a difference.

I like the way that he calls out both public and private networks being behind the curve when it comes to security. He highlights things that you and I do every day that can impact your security, my security and everyone else on the internet. He gives examples of things that could happen and tells us about things that have happened. One of the things that I really enjoyed was a story about a “hit” that took place in Dubai. Those who were involved still haven’t been caught but the whole thing took place on camera. That is how we know what happened. Due to the digital surveillance that occurs daily in Dubai, those who participated were caught on video and the authorities were able to track them back to their original flights into Dubai. Unfortunately that’s as far as they were able to get. The point here though is that 20 years ago they would have never even known that much. Technology has its blessings in helping out with such things but it also has its curse because it has brought about the loss of privacy and anonymity in many ways.

This is a book that I like and would not hesitate to recommend to my friends and family. It has lots of useful info that will educate and inform those who need to know.

A few weeks ago I was approached by someone at SC Magazine and asked to present a short argument in favor of Security Awareness Training. This is a “Point/Counterpoint” feature where someone else was to be against Security Awareness Training. Imagine my surprise when a coworker stopped by my desk to show her surprise at seeing my name and picture in the magazine. She showed me the page and lo and behold my “foe” in this argument is Amrit Williams. How fitting considering the history that he and I have in disagreeing on topics in the past. Anyway if you are interested you can find our thoughts either in the print version on pg 13 or by clicking on the link below.

Timing is everything. Sometimes it works in your favor and sometimes it sneaks up and bites you in the butt. I wrote this last night (Thursday) and didn’t get around to posting it and then today I see several people pointing to this video on the very topic I wrote about. Oh well, here it is a day late and a dollar short.

I’ve been thinking a lot lately about “Risk management”. After all, that is the core of what a security professional is supposed to do. We help the business manage the risk that they face. Sounds great in theory, but how well does it really work? What I’m seeing is not real risk management so much as compliance management. We are tasked with ensuring that the business doesn’t fall below the compliance threshold and that is considered risk management. We talk to the business about issues and give them our input on what needs to be done and we are told “that’s not required by regulation X or policy Z”, so the business will approve the minimum that gets them “compliant” and they then go on about their merry way.

Some will say that if this happens then you are just ineffective in selling your program or solution and maybe that is the case from time to time but I think it’s a much deeper problem than that. The business is focused on doing business and they push back on those things that they see as being a hindrance. They are more concerned about ensuring that Customer Connie and Client Clint don’t have to do anything themselves to protect their interactions with the business. They don’t want to negatively impact the customer experience and I get that. Very few people like it when they are constantly being asked to verify their actions online and they will go elsewhere if given the opportunity. The problem is that the business has taken the hard line and wants security to be completely seamless and invisible to the customer. Now the business has become the department of NO. No, we don’t want to deploy something that requires the customer to take action. No, we don’t want to deploy a solution that will slow the transaction by 1/2 a second. No, we don’t want to change the way we code; we want you to install something that fixes (or hides) our mistakes for us.

The business has fully bought into the compliance mentality and doesn’t want to go beyond it. They tell us that they want us to manage risk but what they really mean is that they want us to ensure that they are not at risk of being out of compliance. Unless of course the compliance requires too much of them; then they want either a compensating control or to accept the risk and hope that it never comes back to bite them. Then once it does they blame security because we didn’t push hard enough or didn’t inform them of the potential for it to be this bad. Of course the 20 different emails and slide decks where we laid all of this out don’t matter at this point. It’s still our fault for not doing our job.

Everyone said it would happen. One day I would open my eyes and see the light. I’d have a sudden urge to rush to the local Apple Store and run up to a sales clerk (or do they call them “sales genius”?) and utter those magical, mystical words “I want a Mac!”

Well, I’m thinking that the time may be upon me even as I type. I’m giving serious consideration to going out and buying not one, not two, not three……. but FOUR Macs. One for each separate household in my family. That way when they have computer problems they will no longer be able to call me for help because I can’t work on them, won’t work on them and refuse to work on them! My sister got one a few months ago and I haven’t talked to her since. Not because I refuse to but because she knows that I can’t and won’t help her with Mac problems. One of my brothers-in-law got one a year or so ago and now when he calls we actually talk about things other than his computer problems. If it’s worked out so well in those two cases it’s bound to make my extended family relationships much better if they all have one.

Thank you, Mr. Jobs! I can’t believe it took me this long to see the light.

I had the honor of being interviewed by Michael Fornal for his blog “Fighting In.Security”. He has just posted the interview here if you care to check it out. Read some of his own writings while you’re there. It’s more interesting than an interview with me.

I’ve never been one to use my blog to link to vendors and/or their products but I received an email last week that was intriguing enough to get me to take a further look. I liked what I saw and decided to pass it on. It’s nothing earth shattering or new, just some good ole common sense that we can pass on. One thing that I have come to realize as I work more and more with developers is that there really is a lack of understanding in how to write secure code. It’s not taught in school and many businesses and development shops are more focused on getting code written and out the door. As a result of this we see the same basic things pop up again and again and again. At work we see this as we review new code that is hoping to be put in production. SQLi, XSS, XFS, etc.… it’s like security groundhog day. You find it, get it fixed, tell the developers how to avoid it and start all over again. Much of this is due to developers being project oriented, and many times they are contractors who come in long enough to write their piece and then move on. So what you taught them may never come to fruition for you.

Anyway, Veracode has put together 5 cheat sheets on common coding issues and they are pretty decent. They explain the problem, what it does, why it’s bad and give you some tips on how to avoid it in your code. There is also video and sample scripts and code for you to look at. It may not be anything for you but it is something that you can pass on to the developers that you support or work with. Who knows it may save you some time and headache as the number of issues is reduced because you took the time to pass this on.

• SQL Injection: http://www.veracode.com/security/sql-injection
• Cross Site Scripting: http://www.veracode.com/security/xss
• Cross Site Request Forgery: http://www.veracode.com/security/csrf
• LDAP Injection: http://www.veracode.com/security/ldap-injection
• Mobile Code Security: http://www.veracode.com/security/mobile-code-security
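Since the first two items on that list are the ones I see come back the most in code review, here is a small example of the kind of thing I end up showing developers. This is my own added illustration, not anything from Veracode’s cheat sheets: a login query built by string concatenation and a comment rendered by raw HTML concatenation, each beside its fix (a parameterised query and output encoding). The user table is a constructed in-memory SQLite database and the function names are mine.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: user input is spliced into the SQL text, so it becomes grammar."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the driver binds the values as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment):
    """XSS: untrusted text is dropped straight into the page markup."""
    return "<p>" + comment + "</p>"


def render_comment_fixed(comment):
    """Output encoding: the browser sees the text as text, not as tags."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def demo():
    """Run both versions against a normal login and the classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed test input
    return {
        "vulnerable_legit": login_vulnerable(conn, "bob", "hunter2"),
        # The tautology turns the WHERE clause true for every row: a login with no password.
        "vulnerable_payload": login_vulnerable(conn, "nobody", payload),
        "fixed_legit": login_fixed(conn, "bob", "hunter2"),
        # The same text is compared literally against the password column and matches nothing.
        "fixed_payload": login_fixed(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(render_comment_vulnerable("<b>hi</b>"))
    print(render_comment_fixed("<b>hi</b>"))
```

The point for the developer is that neither fix depends on spotting “bad” characters: parameter binding and output encoding are safe for any input, which is why they belong in the code rather than in a filter bolted on in front of it.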


One of the things that we are faced with is meeting goals that often change depending on lots of different things. Current threats, business goals/needs, projects, etc… We all have the ultimate goal of securing the data and systems that we are responsible for, at least I’d hope that we all shared that common goal. How we go about this varies greatly, again depending on lots of different factors. I’m not one to criticize someone for doing their best but I will point out areas that I take issue with. Especially when I feel that they are doing something that ultimately will cause larger problems or are making statements that I consider to be detrimental to security, others, or even just themselves.

I ran across a blog post the other day that caught my eye due to the title “Mitigating OWASP top ten without any code.” So I saved it to read later since it is relevant to my interest and potentially to doing my job in a more efficient way. (not that I code. I tried my hand at that many years ago and discovered that I don’t think like a coder and would be miserable and probably very bad at it). But I am responsible for protecting sites, apps, and systems that are potentially impacted by the OWASP Top Ten.

As I read the post it both impressed me and made me scratch my head. I know that the author says that these things have worked and are working for them and I think that is great. I’m not sure that I would have done it the same way, and when you add all of these things together it could be quite costly to implement. I do love the fact that it does implement defense in depth, which is still very important. The more hurdles an attacker has to jump over the less likely he is to keep after you.

What really bothers me about all of this is the final paragraph.

All the key controls are implemented in the infrastructure. Developers can be left to coding the functionality and improving performance.

I have a hard time with this because it gives developers a free pass. Don’t worry about writing better and more secure code, just finish quicker or add more “features” so we can market them to increase sales. It also allows poorly written code into production where it is vulnerable to new attacks and also to the potential failure of one of your layers of defense. Are you going to fail closed if something fails and risk shutting down the site/app until it is fixed, or allow access to insecure code with no protections in place (just like the old days)?

If we continue to allow (or encourage) poor coding practices then we will always be behind the curve and playing catch-up with the hackers. I’m all for infrastructure protections but not if it means we give developers a pass on writing secure code. I know code will always have errors and vulnerabilities in it just as infrastructure and other areas where we implement protections will always have their shortcomings.

The very last part of this post does give a little hope though.

The security controls can also be implemented at a company level, with minimal security involvement required per project. Is it just that when all you have is a hammer, everything looks like a nail or is this truly a better approach?

It shows that they realize that their solution may not be the best or only answer and that they are open to suggestions. So my suggestion is train your developers on secure coding practices while implementing these other controls so that one day you may just be able to reduce the number of total controls because your software is well written.

Everyone and every company has a web site nowadays. Some are professionally done, some are made from DIY kits provided by the hosting provider and some are done from scratch by someone who claims to know what they are doing. It doesn’t seem to matter who built the site; almost all of them have a common theme. Insecurity.

A joint survey and report by Barracuda Security, Cenzic and the Ponemon Institute that was released earlier this month confirms what we already knew. Web App Sec is still in the toilet. It’s high on everyone’s list of priorities but little is being done that actually makes a difference. OK, so that’s not exactly a fair comment. Lots of things are done that do make a difference but they only solve part of the problem. The problem is epidemic and multi-faceted. When you look at some of the numbers it’s enough to make you get angry, cry and pull your hair out all at once.

I have my own opinion of why web app security is so dismal. It’s due to lots and lots of factors.

  1. Poor development and coding.
  2. Reusing insecure code.
  3. Inadequate testing.
  4. Improperly configured web sites.
  5. Improperly configured web servers.
  6. Improperly configured network devices.
  7. Insecure architecture.
  8. Lack of policies around all of the above.
  9. Lack of understanding of the risk by management, IT and even those responsible for security.
  10. Lack of understanding of the effectiveness of controls.
  11. Only doing enough to “check the box”.
  12. Following the advice of a consultant or vendor who doesn’t take the time to truly understand your needs.
  13. Buying a solution that is sold as the “answer” to your security problems.
  14. Relying on your hosting provider to take care of security.
  15. Not using defense in depth.

This list isn’t comprehensive but covers a lot of the bases. A lot of the security issues arise out of a lack of understanding of the problem and assuming that the advice of someone else (consultant, vendor) is going to keep you secure. It’s also because companies are rolling out web based applications faster than they realize. When you don’t even know how many web apps you have, you have bigger problems than not knowing how to secure them. You have process and procedure problems that need to be addressed. When you are deploying web apps at a rate that outpaces your ability to secure and monitor them then you have resource issues that need to be addressed. If you have resource issues then you probably also have a skills and training issue that needs to be addressed.

Security isn’t so hard that it can’t be done; it’s just that it’s not important enough to be addressed seriously. It has been ignored for so long by so many that the problem has gotten out of hand. A company that brings security into the picture after the network is in place and apps have been deployed and now web apps are being deployed is already way behind the curve, and playing catch-up is never easy. It requires changes that may well break things. It requires money and inconvenience for users.

So what’s the answer? It’s not easy and unfortunately it requires lots of time and patience. It slows the release of new features and endangers deadlines. Things that most companies are not willing to put at risk. It requires that we spend money in places that provide no tangible returns. It requires that we change the mindset of the organization and our users.

Ultimately short of starting everything over and doing it right the answer lies with each of us doing what we can to secure what we are responsible for and to educate ourselves and those we work with. Create an agenda and plan and work with Management, the business, IT and your own security team to ensure that all are aware of the real problem and that all work together to make it better.

To quote @Armorguy….

OMG! OMG! OMG! OMG!

A little over a year ago Martin Fisher (@armorguy) and I decided to start a security podcast. We invited our “News Yankee” Steve Ragan (@steved3) to join us and we started recording. We knew only a little about podcasting and we knew that we wanted to do something a little different from most of the other security podcasts out there. We decided to focus on areas that we knew best, which are leadership, management and operations. As time went on we decided to add a “young whippersnapper” to the crew and Joseph Sokoly (@jsokoly) joined us. We’ve had a blast doing it and enjoyed interacting with listeners and with our guests. One thing that we never even considered is that a year later we would actually be honored to be listed as one of 4 finalists in the Social Security Awards for best security podcast. When I read the post from Alan Shimel my heart stopped and jumped all at the same time. Especially when you see who the other finalists are.

  1. Pauldotcom Security Weekly
  2. The Silver Bullet Security Podcast
  3. CERTS Podcast Series

WOW! What company to be in.

Obviously we would absolutely love it if you would vote for us but even more importantly keep listening (or start if you haven’t been) and tell your friends about us.

To cast your vote you can do so from this link.
