Andy ITGuy - Information Security Blog

Poll – Audit Relationships

andyitguy — Fri, 01 Jun 2012 19:05:26 +0000

I’ve set up a poll at polldaddy.com on the state of your relationship with audit. Please take a few minutes to give your answer. HTTP://poll.fm/3qkow

Review of Nokia 900 Windows Phone

andyitguy — Fri, 01 Jun 2012 11:09:06 +0000

Back in April my contract was up on my Mobile Phone plan and since my HTC Incredible had seen better days I decided to upgrade to a new device. Naturally I started looking at the latest Android phones to see what they had to offer and honestly I didn’t see anything that really impressed me. I was tempted by the HTC One X but since it was still a few weeks away I decided to try something new. For some reason the Nokia 900 Windows Phone grabbed my attention. I’m not sure what it was but I was drawn to it. I looked at it for a while and talked to several different people at the AT&T stores who had used it and since they had a 30 day exchange policy I decided to give it a try. I fully expected to return it and exchange it for the One X before the 30 days was up.

As I played with the Nokia 900 I had mixed emotions. I liked some things a lot but there were a few things that I was having a hard time adapting to. I went back and forth as to whether or not to keep it and kept looking at other options while I was in my 30 day window. I eventually ruled out the One X after I had a chance to look at it and considered a few other options. I even looked at an IPhone 4S, but I’m feeling much better now. Well, I decided to keep the Nokia and now that I’ve had if for a few weeks here are my thoughts.

Pros:

Nice screen resolution and size. Not too big but big enough to see w/o too much squinting
Great call quality
The selection of Apps for Windows Phone isn’t too bad. It’s definately a smaller pool than for the Android or IPhone but most of the major ones are there or they have something very similar.
Very fast application performance
I like the app interface better than the Android version of the same app. It’s cleaner and easier to use.
It has really good camera optics (but there is a con w/ the camera as well)
It is a well made phone and feels good in my hand. It’s not plastic and fragile like many are now.
There are a lot of configurability options to make it work best for you

Cons:

The camera response time is TERRIBLE. It’s almost like going back to 2002. It takes about 2 or 3 seconds from the time you “click” until the picture takes. Needless to say by then you’ve missed the picture.
It doesn’t support Flash (which is also a good thing).
There are not decent alternative browsers to IE. Having browser flexibility in a mobile device is a good thing since different browsers render pages differently.
Battery Life. It’s advertised at 8 hours but that’s only if you don’t really use it. 4 to 5 is more true to life.

Other than that I can’t think of anything else that I’m not happy about. I have to admit that the concept of Live Tiles still baffles me. I haven’t found a use for them yet but I’m sure that there is one. All in all I’m pretty happy with the Nokia 900 Windows Phone. I’m still learning about it and adjusting it to make it work for me but I think in a few more week I’ll have it just as I want it.

Good data gone bad

andyitguy — Thu, 31 May 2012 09:11:45 +0000

When it comes to managing risk you live and die by the data that is made available to you. In a world where there is so much data available it is imperative that you use the right data points to make your decisions and that your data be accurate. Choosing the wrong data points will either cause lots of extra work or will cause you to make wrong decisions. Having inaccurate data will cause you to make wrong decisions about what and how to protect your assets. It will impact how you spend your IS/Risk dollars. It will skew reporting and/or make it flat out wrong. It will cause you to start unnecessary projects and do unnecessary work. It will prevent you from doing things that you really should be doing.

Since we are flooded with more and more data every day it is easy to get lackadaisical about the data and assume that you are collecting the right points and that they are accurate. Or more likely not have the time to ensure that all is well. Yet if we don’t check them regularly then you are in danger of allowing your data to go bad. You need a process and method of checking you data regularly just as you need to assess what you are collecting to ensure you are getting the full picture of what is going on.

The potential impact to your program and the company may be very high depending on what data points are wrong. As I started earlier it may be unnecessary work, focusing on wrong areas for improvement, inadequate projections at key areas, reduced funding for your program, inability to justify funding for parts of your program, etc, etc, etc. Good risk data is essential to a good risk program so it is well worth the time and effort to validate the quality of your data on a regular scheduled basis and to do spot checks throughout the year.

Depending on the size of your company, program, and what data you collect this may involve lots of people and lots of different business units. It can’t be done in a vacuum nor by only one team. Changes are that you don’t fully understand the systems that provide the data nor the ways that the data can be corrupted. You need the group that does understand these things to work with you and to validate the data. You need them to help you understand the data and how it can serve the needs of your program and the company. You need them so that you will know when the data is wrong, what happened to make it wrong, and how to make it right again. They need to understand what your needs are, what you are trying to measure and accomplish and WHY it is important that their data be correct. It’s too easy for people to get busy and give a cursory review of data quality. They will do it to save time and focus on what is important to them unless they understand why and how their data quality is important to the organization as a whole.

Book Review – The Alexandria Project by Andy Updegrove

andyitguy — Thu, 31 May 2012 07:27:22 +0000

A while back Andy Updegrove approached me and asked if I would take a look at his book “The Alexandria Project”. I told him that I would love to but that it would take me a while to read it due to my schedule of late. Well, I finally finished it over the weekend and even though he said that writing anything about it on the blog was optional I wanted to since I did enjoy the book. So if I have any readers left after my extended absence here is my review.

The Alexandria Project is a techno thriller with computer security at the core of the plot. I’ve read a few others that fall into this category that I enjoyed so I was looking forward to reading this. For the most part I want disappointed. The pot is pretty well defined, the characters are believable and the book flows pretty well. The ending is what really makes this an interesting read though. He throws a couple of twists in that adds some excitement and a bit of healthy fear of there is any chance that this could really play out in real life.

My only issues with the book are that the “6 degrees of separation” theory have been cut down to about 3 at the most. All of the characters are a little too connected. The other thing is that at times I felt like I was being talked down to but that is only because I know technology and security. I’m sure that the average reader would not feel that way.

All in all it is a good read that’s recommend to anyone who likes a good techno thriller.

Dealing with a business that doesn’t want you.

andyitguy — Thu, 01 Mar 2012 22:07:19 +0000

We all face it at some point in our career. You are tasked with securing “x” and the business doesn’t want you doing your job. Sure they may put on a smile when audit or compliance are in the room but when they are alone in their office or in their team meetings they are stabbing a voodoo doll that resembles you or you walk in on a dart game where the board has been covered by your picture. They stall, delay, ignore and fight your every request. They build cases to support their argument that security is a burden to them getting their work done. Each scenario plays out a bit differently but in the end they are all the same. Security is not wanted.

I’ve worked in a few places where I security wasn’t wanted. We were there because someone said we had to be. It may have been regulators, auditors, compliance departments, a governing body for the industry, or the parent company or business itself required that we be there. But the particular business you support (or the business as a whole) wants nothing to do with you. That is frustrating for someone who believes strongly in the value of security to an organization. It’s tough to get up day after day and make the trek into the office when you know that you are going to be ignored and have to fight for every inch of ground that you gain. After several days like this the little bit of ground that you gain doesn’t give you the warm fuzzies that you would hope to get after a hard day’s work.

So what do you do? How do you keep your sanity and remain civil to your friends and family? How do you deal with this? How do you get your job done while facing constant opposition? Better yet how do you work through the situation and hopefully change some mind s and get the business on board with you?

In many cases you are going to have to start with changing the way security is viewed by the business. Usually, and unfortunately, security is often known for saying “no”, slowing down productivity, delaying product launch, impacting usability, and “keeping me from updating my Facebook status with my lunch choice for today” . This doesn’t set well with our customers (the business) for lots of reasons.
1. They are the customer and the customer is always right.
2. Their job is to produce and security hinders production.
3. They are tasked with fiscal responsibility and security is seen as being a cost center with little
to no return or value
4. Their job is to keep employee moral up and security hinders that.

Let’s look at each of these and see what we can do to effect real change that will improve our image and relationship with the business.

They are the customer and the customer is always right.
At least that is how they see it and we should let them believe it. Actually we need to act as if it is true. In reality it isn’t true anymore for its than it is for anyone else. Yet the principle behind it is very important in keeping the customer happy. Our mindset should be “if they want it then we will make it happen”. That doesn’t mean that they get what they want exactly. It means that we work with them to find a solution that will meet their needs and keep it secure. The days of saying no are behind us and we have to change the negative image that we have because of those days. If you are supporting a business that has never had security work with them then the first time you do this you may have to make sure you have smelling salts with you. If you take”no” out of your vocabulary and work to make things happen you will be amazed at how quickly the business starts to change their attitude towards security.

Their job is to produce and security hinders production.
One of the biggest complaints that I hear about security initiatives is that they often slow down the release cycle of products and programs. Sometimes there is not a whole lot that we can do about this especially early on. In today’s world we can’t ignore the need to implement security but we also can’t rush into it headfirst work little to no reward for how it impacts the work that the business is tasked to do. (Wow! That hurt to write that) One of the best things that we can do to minimize the negative impacts here is to make sure that we communicate with the business as to what is being done, why it’s happening, how it will benefit them (this one can be a tough sell), and what you are doing to make this as painless as possible. It’s also important not to have a “grin and bear it” attitude. If you can get good data that will show how the slowdown should only be temporary that will also be a big plus. Many times the problems caused by security programs will either go away or at least be reduced over time as people get used to the new processes and learn how to work with the security program.

They are tasked with fiscal responsibility and security is seen as being a cost center with little to no return or value
Don’t worry, I’m not going down the security ROI path with this one. As with most everything coast goes down over time so your job is to show the business how you too are being fiscally responsible. Be open with them about how cost and expenses rise and fall. Don’t ask them to find something without having a clear plan that shows them the cost and benefit aspects. Have plan A, B, and C when you need something new. Shot for the stars but be willing to settle for less. Also don’t come to them with a proposal that is stupid expensive when times are tough. You should never go to them unprepared. Remember they are business people not technology people and they want a business case not cool, flashy lights.

Their job is to keep employee moral up and security hinders that.
In this area there are several things that we can do to improve our image.
° Follow all of your policies. If they see you on Facebook when everyone else is blocked you will be vilified and your credibility will be damaged.
°Don’t block access to websites and technology without a good reason. There are few reasons and cases where complete exile from”non-business” sites is necessary so don’t do it just because you can.
°Expect everyone, including executives, to follow policies.
°Don’t deploy security that makes it too difficult for employees to do their job.
°Expect (read – demand) your employees to answer questions, work to solve problems, not say no, and do it all with a smile and an attitude that lets the customer know that they are not being a “stupid user”, even if they are. We all have our “stupid user” areas. Imagine how you would feel if you were expected to do something that you knew nothing about.

That does it. If you are tasked with making the business like you hopefully this will help. If you have been through this before, or are going through it now, please feel free to leave comments with what did and didn’t work for you.

Cudos to Apple

andyitguy — Mon, 27 Feb 2012 22:24:27 +0000

It was either late 2006 or late 2007 my brother in law bought his girlfriend a IPod nano. He paid $250 for it and after he got it he realized that for only $50 more here could have gotten a 30th iPod instead of the 4gb nano. He couldn’t return it because he had it engraved so he asked mange if I wood buy it from him for the discounted price of $200. This was before I had decided that Apple was the evil empire so I bought it. I used it up until 2010 when I bought a new mp3 player. I kept the nano and let my oldest daughter have it. Then late last year I received an email from Apple starting that the battery might blow up if I didn’t send it in for replacement, so I did.
Today I received my replacement and much to my surprise it was a newer model of the nano and it was a 8gb model. It’s still a generation or two old but that’s better than the 6 year old one that I had. Thanks Apple, stories like this just may help to repair the career ruining, don’t give a care, terrible customer service reputation that you’ve built over the years.

Making A Change

andyitguy — Thu, 09 Feb 2012 19:21:31 +0000

I’m making a pretty big change in my technology usage. I’m moving from a laptop to a tablet for my personal computing use. I’ve been wanting a tablet for a while because of the smaller footprint and less weight to carry around. I like the flexibility of a tablet as well. They can do most things that a laptop can do and there are lots of apps to choose from that work better on a tablet than a phone. Our also gives me the conscience of an e-reader which I’ve wanted for a while and its better since I’m not limited to specific book formats.

Of course you have to be careful when you download apps. The potential for malicious behavior, poor coding and compromise are just around the corner. Hmm, sounds like the same problems PC’s have with software from major vendors. This will be interesting as I work through the change and make the required adjustments. I’ve been at it for just over a week and so far so good. Let’s just hope that it stays good. This thing cost to much to toss aside.

So far I’ve only real issue had been with some web pages not rendering properly. It’s not too bad and only happens on some pages. If any one else has made the switch is love to hear your stories, good and bad.

No place for dishonesty

andyitguy — Fri, 20 Jan 2012 04:03:57 +0000

Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know for me I’m really hoping that this year my life can slow down some but if the first 3 weeks of the year is any indication then I may be in trouble. For those of you who don’t know I’ve decided to take a short sabbatical from the Southern Fried Security Podcast. That was one area where I could step away and know that things would be in good hands and still keep some sanity. I don’t plan on it being a long break but don’t know when I’ll be back as of yet.

Now on to the actual reason that I’m writing this post……

As many of you know some hackers released source code for an older version of a couple of Symantec products. Symantec said that it would have no real impact on their customers because the code was for products that were 5 or 6 years old. They also said that the code wasn’t taken from them but from a business partner. I guess their conscious got the best of them because now they have decided to come clean and admit that the data was actually taken from them in a breech of their network. When you read the various articles the picture is still a bit fuzzy. Were they breached recently or 6 years ago? If it was that long ago why are we just now finding this out or worse yet why didn’t they know it until recently. If you read some of the quotes from Symantec spokesperson Chris Paden it almost seems to say that the breach happened in 2006 but they just discovered it. Lots and lots of unanswered questions and questionable comments and actions.

So what’s the point? Honesty, Integrity, Character, Trust. All things that people and companies need to embrace. Let’s face it we are living in hard times right now. Many companies are struggling and doing all they can to keep their heads above water and consumers (individual and business) are looking long and hard at where they are spending their money. They are also looking at the total value for their dollar and they want to know that the company they are doing business with isn’t trying to pull the wool over their eyes. I know that if a company changes their story and is vague on something like this then it says to me that they will do it in other areas and it erodes my trust in them. The same holds true for an individual. If you are not honest in some areas how can I trust you in others?

On Wednesday I noticed that Josh Corman (@joshcorman) posted the following tweet couple of tweets.

joshcorman Joshua Corman

If $SecurityVendor uses deception / social eng to separate you from your $$$, how are they not just another adversary?

joshcorman Joshua Corman

.@gollmann there are a lot of things $SecurityVendors shouldn’t do. Some abuse the implicit "trusted adviser" expectation more than others

18 Jan

I’m sure most of us have stories of vendors gone wild. Ones who sold you what you didn’t need or what wasn’t right for your environment. Sold you too much or baited you with a little only to hit you with the big stuff later. Maybe they gave you a good deal on what you needed but too you to the cleaners on professional services to make it work. Sometimes it’s the company culture that encourages it and sometimes it just a unscrupulous sales person or a SE who it working off commission and wants a nice Christmas at your expense. The problem still goes back to character, integrity and trust. If they aren’t there then someone will get hurt.

To be fair it also happens on the side of the customer. Often times they will try to take the vendor for all they can get even if it’s lots more than they paid for. Maybe they broke something but they want to get it fixed for free so they will try to make it look like it was defective. I remember one time early in my career we were having problems with a data circuit and in my troubleshooting I determined that the problem was with the smart jack that our T1 terminated at. I called the local telco and put in a trouble ticket and they scheduled a time for a tech to be out to look at it. My boss called and told me to take a paperclip and short out the smart jack. The telco would charge us for a service call if it turned out that the problem wasn’t with their equipment and he didn’t want to risk having to pay. I refused to do it and it turned out that I was right anyway the jack was bad. To me it just wasn’t worth tossing my integrity out the door to possible save the company a couple of hundred dollars. Not to mention the fact that if I did that then what else would my boss expect me to do. It’s a slippery slope and we can’t afford to go down it.

Don’t get me wrong I’m not condemning Symantec b/c I don’t know all of the facts. They just happened to be the one that got me on my soap box. I hope that Symantec is able to clear this up and that we discover that the twisted stories are all the handiwork of a few individuals who can be replaced with people of integrity. I’d hate to know that it was a corporate culture of lying that was behind this. There are already enough companies out there who will do all they can to keep and make more money no matter who it hurts. We have enough “evil” companies out there already and we don’t need more. We need to be people of integrity and we need to demand it of the companies that we do business with.

Book Review: America the Vulnerable

andyitguy — Mon, 17 Oct 2011 16:51:55 +0000

I love to read unfortunately I don’t have time to read too much but I do listen to books as much as possible in my car and when working around the house. I try to have at least one book in print that I’m reading all the time and often I’ve got 3 or 4 going at a time and I read a little here and there on each depending on my mood. Not too long ago I was asked to read a book and do a review of it on the blog. That book is “America the Vulnerable” by Joel Brenner. I get asked to review lots of books, mostly technical ones and I usually refuse but this one I decided to accept because I love reading books like this. They are usually exciting to read, full of good information and help to raise awareness of the state of technology security. This book does all that and some.

Mr. Brenner is a former top-level NSA insider and he seems to have the inside scoop on a lot of pretty scary stuff. He does a good job of telling a interesting tale and doing so on a level that anyone can understand. He explains concepts that those of you who read my blog already understand but there is a chance that your parents and their friends don’t understand. He also doesn’t just tell a story or try to scare you. He offers some insight into some things that need to be done and can be done to make some changes that hopefully will make a difference.

I like the way that he calls out both public and private networks being behind the curve when it comes to security. He highlights things that you and I do everyday that can impact your security, my security and everyone else on the internet. He gives examples of things that could happen and tells us about things that have happened. One of the things that I really enjoyed was a story about a “hit” that took place in Dubai. Those who were involved still haven’t been caught but the whole thing took place on camera. That is how we know what happened. Due to digital surveillance that occurs daily in Dubai those who participated were caught on video and the authorities were able to track them back to their original flights into Dubai. Unfortunately that’s as far as they were able to get. The point here though is that 20 years ago they would have never even known that much. Technology has it’s blessings in helping out with such things but it also has it’s curse because it has brought about the loss of privacy and anonymity in many ways.

This is a book that I like and would not hesitate to recommend to my friends and family. It has lots of useful info that will educate and inform those who need to know.

SC Magazine Debate

andyitguy — Wed, 14 Sep 2011 14:38:34 +0000

A few weeks ago I was approached by someone at SC Magazine and asked to present a short argument in favor of Security Awareness Training. This is a “Point/Counterpoint feature where someone else was to be against Security Awareness Training. Imagine my surprise when a coworker stopped by my desk to show her surprise at seeing my name and picture in the magazine. She showed me the page and lo and behold my “foe” in this argument is Amrit Williams. How fitting considering the history that he and I have in disagreeing on topics in the past. Anyway if you are interested you can find our thought either in the print version on pg 13 or by clicking on the link below.

http://www.scmagazineus.com/debate-security-awareness-training-is-a-worthwhile-investment/article/209791/