information security


One of my favorite people on the intertubes is Shrdlu. I’ve enjoyed reading her enlightening and somewhat amusing posts for quite a while and have bantered back and forth with her on Twitter many a time. She was even the first interview that Martin and I did on the SFS podcast back in January of last year. Unfortunately I have yet to meet her in person and do look forward to finally getting that honor some day soon. (You aren’t coming to Cincinnati any time soon, are you?)

Anyway, she started the New Year off with a post about bloated pen test reports: findings that are actually there but most likely are non-issues. They aren’t currently exploitable and quite honestly probably never will be, especially when you take into account the other processes and controls that help to mitigate them. I agree with her opinion that they make the report a pain in the rear when it is presented to management. Management then wants the problem either fixed or a good explanation as to why it isn’t an issue. Both of these take time and energy that could be better spent in other areas where there are real issues to be dealt with. Often it’s easier to have the problem fixed than to explain it to management. :)

Where I do take issue with her is that I do want to know about the finding. I’d like an addendum to the report that tells me “these are the things that we saw that you should know about but not worry about at this time.” Things such as this usually are easy to fix and can be passed on to the development team (or whatever team is appropriate) to be fixed in future releases. Plus it gives you a list of things to keep an eye on later. As we all know, it may not be exploitable now, but who knows what the future holds. I’d rather have the info so that if there is a need at a later date I know that I have to address it, rather than wonder if I’m vulnerable to it and only find out when it hits my systems.

Right results are not the measurement of success. How you arrive at the results is even more important. It is not all about results. Of course results are important, done the right way.

 

For quite some time lots of us in the community have been saying that the industry is broken and that we’re looking for ways to fix it. Unfortunately I don’t have a fix yet, but this quote sure sums up the problem. The problem is the band-aid approach to securing our networks, applications, environments, data, etc.

When a threat arises or an attack happens we fix it. Then we move on to the next thing, and that is OK. It has to happen that way because of the nature of the beast. We are constantly under attack and finding new flaws. The business is driving us to “fix” the problem, but they see the symptom as being the problem. Sure, there are some who realize that the issue at hand is a symptom, but they then assume that by going up one or two levels they have found the problem and demand a fix for it. Rarely (or never) are they right.

Security professionals tend to think this way as well. They focus on the here and now and not the root of the problem. We measure our success by “right results”. A virus hits and we remove it; we have a “right result”. A worm is running amok on the internet and we block it from entering our environment; we have a “right result”. We get hit with an XSS or CSRF issue on our web site and we fix it; we have a “right result”. We buy a new technology that does this or that and we have a “right result”.

All of these are good and necessary. They have to happen, but they aren’t enough. Sure, they help ensure that we stay employed because someone has to stop them and fix them. That is about all they do though. They don’t address the real problem of how we truly secure what we are responsible for.

The last part of this quote is very important. “How you arrive at the results is even more important”. I’m not looking at this from the perspective of how did you remove the virus or stop the attack. I’m talking about how you are strategically protecting your environment. Are you doing it with one band-aid at a time or are you really deploying a solution that will meet your needs today and in the future? Are you looking at the big picture and working with the business as a whole to solve the problem?

Of course the answer isn’t that easy. If you are in a small environment you are often the only person responsible for technology, or one of a very small and very busy team. If you work for the enterprise you may face the same problem, or if you are fortunate enough to work where there are lots of technology and security professionals, they are usually divided up into various teams that are busy and often working against each other to achieve different results. Then there is the whole dynamic of getting the business on board. They don’t understand, or sometimes don’t care.

Unfortunately there is often little we can do alone but if we keep focus and continue to sharpen our skills and understanding then we can slowly start to change things.

It’s been quite a year for me and my family. Lots and lots of changes, and I’m glad it’s almost over. Due to the busyness of everything that has been going on my blogging has suffered greatly. I’m talking about the quantity of posts, so keep the quality remarks to yourself. :) Even though I haven’t blogged a lot, I’ve still been letting my thoughts on what’s happening in the industry be known via the Southern Fried Security Podcast with my good friends Martin, Steve and Joseph.

I’m also planning to move the hosting of andyitguy.com to another site soon, and as I was preparing things I noticed that I’ve posted 666 entries to the blog. Not a good number to end the year on, so I had to take some time to get at least one more blog post in before 2010 leaves us. For those of you who do care, I hope that next year I will get back into a regular rhythm of blogging and post at least once or twice a week.

I hope 2010 has been good to you and that 2011 is even better. I thought I’d leave you with this YouTube video that Marc Handelman posted on his site today.

Merry Christmas and Happy New Year!!

 

Today is Veterans Day in the US. A day when we stop to say a great big

THANK YOU!!!!

to all of you who have served or are serving in the military. I’ve got lots of friends who served and some who are still serving. I know it’s not an easy life, especially in the last several years.

As the old saying goes “If you live in a free country, Thank a Veteran!”

I miss the interaction that I used to have on Twitter. Now that the only way I can get it during the day is via my phone, it is much harder to follow and participate in the conversations. Recently I’ve been trying to do a little more, but with limited success. Then last night I posted a query looking for stats regarding malware infections on fully patched systems with up-to-date AV signatures. Man, did I land a big one. Josh Corman (@joshcorman) of the 451 Group apparently was hovering about 10 feet deep next to the ole oak tree that fell in the lake last year. As soon as the lure hit the water he had it and was off and running. We ended up having a pretty decent conversation about this and he gave me some good stuff for a report I’m working on.

Then today I posted the following question on Twitter:

What is your definition of a zero day?

It had barely hit the Twitterverse before Josh was off and running with it again. We ended up trading a few DMs, and it went so well that I posted the question again, and this time it landed in a school of largemouth bass. They were all over it like white on rice. I’ve included them below for you to see. Most of them were keepers, but a couple were too puny to keep so I threw them back.

Why did I do this and why do I think it’s important? I did it because of a conversation I was in at work. There was a little disagreement on exactly what a Zero Day was, and I wanted to get the input of those who follow me on Twitter. They are men and women who know security from many different angles, and I wanted to see what kind of similarities and differences I would run into from different perspectives. I also was hoping to spur conversation. Conversation is key to making security work in the big picture. That’s why I find so much value in participating in Twitter. I love how security professionals have latched on to Twitter and use it as a venue to have good solid conversations.

I’ve added a few thoughts of my own under some of the tweets. So feel free to read along, and if you want to join in, please do. Tweet me @andywillingham, email me andy dot itguy at yahoo dot com, leave a comment on this post, or blog it on your own blog.

 

lonervamp

@andywillingham I also don’t really use the term outside other sec geeks. It’s otherwise always "unpatched vuln. exploit in wild."

The term has a good FUD factor for Senior Management


lonervamp

@andywillingham I *do* get how some define 0day with the key phrase "previously unknown," however. Either by vendor or public/defender.


Wim Remes

@andywillingham release of working exploit code for an unpatched vuln, optionally with a side of narcissistic wanking.


lonervamp

@andywillingham my POV is of defense or even attacker. I don’t much care if the vendor knows. I’m still at risk as if they didn’t.


lonervamp

@andywillingham 0day: a vuln without a patch or official fix. So even if known, it’s 0day to me until official response.

It’s hard to patch what doesn’t have a patch


bug_bear Tim

@andywillingham Media hype for an unpatched vulnerability being exploited.

If it wasn’t for the media the term “Zero Day” probably wouldn’t have caught on.


WeldPond Chris Wysopal

@joshcorman @andywillingham AV industry calls 0 day malware "custom".

Sounds like “The Spin Zone” to me


joshcorman Joshua Corman

.@andywillingham I "love" how we think Vuln 0day is sexier. Since AV is so reactive isn’t most malware ~technically~ 0day?

At least most new malware is. Even if a patch is out, if it’s not deployed it’s not doing much good.


timdafoe Tim Dafoe

@joshcorman @andywillingham Must it truly be "actively exploited"? What about an unused working exploit being held in reserve?


wikidsystems Nick Owen

RT @andywillingham: No one else has an opinion on what a zero day is? < the conference day when the press release goes out?

There is a lot of truth in Nick’s statement.


armorguy Martin Fisher

@andywillingham Zero Day??? Hmm… Wasn’t that Elvis Costello’s second album? Or was that CCRs? I forget… 

This is one of those that I mentioned being puny. :)


negativeindex Donald Rudder

@andywillingham sorry. Vulnerability being exploited but not disclosed to the wider security / user / vendor community.


pjvela PJ Velasco

@andywillingham I would say a zero day is the announcement of a formally unpublished exploit that makes use of an unpublished vulnerability

This is where some start to split hairs. We have an exploit and a vuln, but the exploit may not be in the wild.


JoelEsler Joel Esler

@andywillingham a vulnerability previously undisclosed and in use. Without it being in use, it’s just a disclosure.

I like Joel’s thoughts about the difference between in use and disclosure.


pauldotcom Paul Asadoorian

@andywillingham The day before 1


joshcorman Joshua Corman

RT @andywillingham: What is your definition of a zero day? <- Active exploitation of a previously unknown/unpublished Vulnerability

FishNet Security recently published its Survey of Security and Data Trends. They surveyed IT professionals from Fortune 1000 companies to get the answers to 3 major questions:

  1. Where do we stand compared to our peers?
  2. What security issues should we be concerned about?
  3. Which people are must-have versus nice-to-have?

Before we get too far into this, let me say that I’m not a big fan of such surveys. Usually they don’t really give us much in the way of real information that can help us in our day-to-day lives. I’m hoping that this one continues in that tradition. Why, you ask? Because if what I see in here is true, then things are worse than I feared.

Before I get too far into this I have to give props to Gunnar Peterson. He is the one who pointed me to this survey, and he is the one who saw this item of concern and brought it to my attention.

The problem here is in a couple of the findings that came to light. Look at the list of top security concerns:

  • Mobile computing 69%
  • Social networks 68%
  • Cloud computing platforms 35%

Then when you compare them to the top security investments:

  • Firewalls 45%
  • Antivirus 39%
  • Authentication or anti-malware 31% each

There is a big disconnect there. When you have a group of people saying that they are concerned about certain threats but their spending doesn’t match up, then you have a problem. Why spend money on technology and controls that don’t address the things that you see as your biggest threats? Why? It just doesn’t make sense. Or possibly it tells a different story. Is this a story where companies are just spending money for the sake of spending money? Are they buying things that they are comfortable with instead of things that could actually give them some positive results for their spending? Do you like the way I avoided using the term “ROI”? :)

If this is actually indicative of real-life happenings, then it doesn’t paint a very pretty picture of what we as a profession are doing. It seems to suggest that we are a long way from being useful for what we are paid for. It also suggests that we possibly have a lot of people filling the role of Security who aren’t really qualified to fill that role: people who are not thinking outside of the box but who are thinking “what can I do that makes it look like I’m doing something?”

Maybe and hopefully I’m wrong. Maybe those who filled out the survey are not the ones who are making the decisions and aren’t the ones who really should have filled out the survey. Maybe we will all wake up and discover that it’s all been a bad dream. :)

I ran across a couple of articles tonight that are on different topics, but both of them made me think the same thing. The first one is by Brian Krebs and it’s about a new bill that has been introduced to help protect the banking accounts of cities, towns and schools. The other one is about a new checklist that Google has put out to help users secure their Gmail accounts.

Now don’t get me wrong, I’m all for protecting people’s accounts no matter what type they are. After all, I am in Information Security for a reason. The problem that I have is that protecting accounts requires the user to want to protect them. Gmail users have to want to take the initiative to download the checklist and do what it says. People on Facebook have to want to ensure that their security and privacy settings are up to date and set to something reasonable. Those who do online banking have to want to protect their accounts and their money. You would think that this one would be a no-brainer. After all, money is pretty important to day-to-day life for most people.

What I have seen is that the users (at least a large number of them) don’t want to be bothered with these things. They have developed an entitlement mentality or an apathetic mentality. After all, for much of this there is no real incentive for the user to care. The banks will cover your losses, so why worry about having money taken from your account? Unless you use your Gmail for business, what do you care if someone sends spam or malicious links from your account? All you have to do is say it wasn’t really me and everything is OK.

I’ve worked in financial services for many years and have worked for lots of different types of companies in the industry: banks, payroll processors, check cashers, vendors, and I’ve consulted for many others. One common theme that I’ve heard is “keep the user impact to a minimum.” Now I understand that we don’t want to make it such a pain to do business that they go elsewhere, but there has to come a point where the users start taking responsibility. We can’t continue to hold their hands and fix all of their problems for them. After all, why is it wrong to ask a user to take a couple of extra steps to protect their identity, reputation, finances, or privacy? In many other parts of our lives we are expected to know and do the right thing, and if we mess up we pay. Yet we’re given a free pass online. It doesn’t make good sense to me.

Many people who get pwned on the internet do so out of ignorance, stupidity, or apathy. Some get pwned completely innocently and due to sheer bad luck. Yet when bad things happen as a result of being pwned, rarely does the reason for the pwnage get taken into account. The bank doesn’t care whether your system got infected with ZeuS because you happened to go to XYX.com on the day that they happened to host a malicious ad for something that you needed, or because you picked it up at naughtynekidtramps.com. The banks take it on the chin because they want to retain you as a customer and because the government says that they have to. So why should you care?

I’m big on personal responsibility, and I happen to think that the internet is a place where people need to take more personal responsibility. They need to take it upon themselves to understand the threats of going to naughtynekidtramps.com and of clicking on every cute, free, stupid thing that comes their way. I think that the possible consequences of not knowing are too great to others to continue to let it go as it is. After all, we are expected to know and obey the laws of the various towns and states that we travel to. If we break a law out of ignorance the police don’t say “It’s OK, just be more careful.” At least not very often. So if that is expected of us offline, why isn’t it expected of us online?

Now that I’ve been in the area for a little while I’m starting to get familiar with the security happenings going on around here, and I wanted to share a couple of them with you. Both of these are free and look to be full of great content.

September OWASP Meeting

  • When: Monday, September 27th, 12.00 – 1.15 PM; presentation starts at 12.15 PM
If you plan to attend the meeting please RSVP by registering for the September 27th date on http://owasp-cincinnati.eventbrite.com
  • Presentation Title: Data Security challenges in the all too Public and not so Private sectors
The Internet threat landscape has shifted. What used to be a playground for hackers, crackers, script kiddies and packet monkeys is now a borderless abyss of organized crime fueled by financial gain and state sponsored forays into our critical infrastructures. Cisco Systems’ Patrick Gray, a twenty-year veteran of the FBI, will explore the current threat landscape by highlighting the newest cyber criminals and examining the latest tactics employed by these predators. Gray will address how spammers, phishers, botmasters and hackers interact with this new crime element utilizing Web 2.0 technologies and how we can prepare our infrastructures to stave off these relentless attacks and protect our critical business assets.
  • Speaker Bio: Mr. Patrick Gray, Principal Security Strategist of Cisco Systems
  • Location / Venue Sponsor: Citibank 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537
For help with directions contact Citi Blue Ash help desk at (513) 979-9000 or check directions herein.
Please access the building from the visitor lobby. This OWASP meeting will be held at the "Buckeyes" training room, first room on the right after the Citi guards desk
  • Agenda
    • 11:45-12.15 Registration
    • 12.15-1.15 Presentation
    • 1.15-1.30 Q&A Session
  • Proof of ID is required to attend the meeting
Citi guards verify that you pre-registered to the meeting by checking the RSVP list. Once you are checked and identified (please bring a proof of ID) you will be granted visitor access to the training facilities.
  • Presentation logistics
The Citi-sponsored Buckeyes lecture room can host up to 53 people and is equipped with a video and audio system to be used either with the presenter’s laptop or with a Citi-provided laptop. When using the Citi-provided laptop please bring a USB drive with the presentation in PowerPoint format.

 

Northern Kentucky University 2010 Security Symposium

Friday, October 15, 2010
8:30am – 5:00pm
Cost: FREE!

The 2010 IMI Security Symposium is a one-day event which focuses on IT security challenges, best practices, and professional discussions. This annual symposium brings together IT professionals for engaging talks, training, and live demos of cutting-edge security products.

The Security Symposium is organized into four tracks:

  • Information Security Governance and Compliance
    This informational track focuses on the understanding and implementation of management policy, procedures, IT audits, continuity planning, and security awareness and training.
  • Application Software Security
    This track incorporates knowledge about how identity theft is being fought and information integrity is being secured by industry ingenuity.
  • Information Security Practices
    Information security is everyone’s responsibility. This track examines best practices that lessen the risks to organizational data and computing resources.
  • Infrastructure Protection: Wired & Wireless
    This track addresses protecting the security of an organization’s information and infrastructure. Topics such as firewalls and intrusion detection will be part of the discussion.

Episode 29 of the Southern Fried Security Podcast is on the streets! This week we talk about:

  1. Forrester’s Zero-Trust initiative
  2. HP’s stranglehold on the US Navy
  3. Stuxnet

We also have a great interview with the organizers of Security BSides Atlanta, which I strongly encourage all of you in the Atlanta area to attend. It’s free and has a great lineup of speakers, many of whom are NOT Atlanta area residents. They are coming into town to help you become smarter. I’m trying to figure out a way to get there myself.

As for the name of this week’s episode... you’ll have to talk to Martin about that. I’m not sure what he was thinking.

I love and miss Atlanta. The security scene there is fantastic and is getting better. This year in October the crew from the BSides security conference are bringing the fun to Atlanta for the first Atlanta BSides conference on the 8th. There is a great lineup of speakers, and I know that the day will be filled with fun and learning. I really wish I could be there. In addition to the great conference lineup, the guys (and gal) at Errata Security will be offering a free Wireless Pen Testing class. It’s an opportunity to learn from two of the smartest guys I know and two of the best researchers in the industry. For more info on this class contact marisa at erratasec.com. (Since she is going to be picky and actually wants me to spell her name correctly.) :)
