Review of Puppy Linux 5.0

Lucid Puppy Linux 5.0 was released back in May of 2010, but as one of my favorite distros, I have been playing with it heavily since then. I have been so impressed with the new version that I wanted to take a moment and write a quick review of this release.

You can find the official release page here, along with download information.

First, let me say that I have really come to love Puppy Linux over the last several years. I use it as a LiveCD/USB platform for secure on-the-go browsing, as a Linux OS for old hardware that I donate to a variety of folks and causes, and as a platform for running HoneyPoint as a scatter sensor. I like the ease of use, wide range of hardware support, and small footprint. All of these make it a very workable Linux distro.

This version especially seems to be stable, fast, and capable. I have taken to running it from a bootable USB drive, and the performance has been very nice. Being able to drop these onto untrusted systems and use them as a browser, VPN client, and productivity tool has been handy. HoneyPoint Personal Edition, the nmap plugins and a few other Puppy installs of security tools give me a great platform for working incidents, gaining visibility, and catching the rogue scans, probes and malware that are in circulation when I pull in to help a client. Over and over again, the distro has proven itself to be a very powerful tool for me.

I suggest you take a look at the distro, on LiveCD or USB, and see how it can help you. I think you’ll find it fun, easy to use, and quite addictive. The pictures of the puppies don’t hurt either. 🙂

Check it out!

Using WordPress In the Corporate Environment

WordPress (WP) has become the dominant force in blogging platforms for a very good reason. Because it’s open source, creative developers are constantly looking for ways to improve the product to meet the needs of both personal and business bloggers. Consider that WordPress can be hosted on your own server (or by whichever hosting service you use), has an army of theme designers (both free and premium), and can be extended with a wide variety of plugins.

For comparison, a quick look at the competition: TypePad costs $14.95 a month for the “pro” version, and you’ll need to learn a TypePad-specific template language to customize your blog. Tumblr does not allow comments, so if you used it, you would have to embed Disqus to enable them. Movable Type offers customization but requires a license for business use, which ranges from $50 to $1,000 depending on how many people need access to make updates.

WP is a free download but many themes have a cost attached. You can find some great free themes, but be sure to look for support. If a theme designer’s website has a forum, that’s a very good sign. It means they’re open to questions and helping you when needed.

Once you set up your WP blog, cut down on comment spam by activating the “Akismet” plugin, which screens submitted comments against a spam database before they reach your moderation queue. There are many other great plugins for business blogs. Search Engine Journal lists a few, and Better Business Blogging has a helpful article with more plugin recommendations.

One of the reasons WP is loved by businesses is because it is SEO-friendly. Google and other search engines play very nicely with WP. Once you create a powerful header and add keywords within your post, a search engine will notice. Searching for relevant keywords? Try Google’s search-based keyword tool. It will give you ideas of what people are searching for in your industry and you can adopt a few of those keywords to drive traffic.

WP also allows multiple users to contribute to the blog. You can also schedule blog posts to be published at a later date. If you have multiple users, it may be a good idea to filter the posts through a gatekeeper (such as HR or marketing) before posting, to ensure a consistent message for the organization.

WP needs updating, like any software, and outdated plugins and themes are a common way a blog gets compromised, not just the WordPress core. Install an automatic update plugin, or at least check the dashboard regularly, and apply updates to core, themes and plugins promptly. Use strong, unique passwords for every login, and set restrictive file permissions so that the web server account cannot be used to rewrite your own site’s code.

Another way to secure your blog is to set the secret keys. In WordPress, wp-config.php is the file that stores the database connection details (the name, host and password of the MySQL database), and it also holds the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY values and their matching salts, which WordPress uses to make the login cookies it issues hard to forge. If you haven’t already set them, fetch a fresh set from the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) and paste the result into that section of your wp-config.php. Because the same file holds your database password, keep it readable only by the account the web server runs as.
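The two hardening steps above (secret keys and file permissions) as an added shell example. This is not code from the original post or from WordPress; it assumes a POSIX shell with openssl and find available, and it generates the keys locally as an alternative to fetching them from the WordPress.org service. The install path is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress itself):
# helpers for the two hardening steps above. Assumes POSIX sh with
# openssl and find available; the WordPress root is passed as an argument.

# Print the eight define() lines WordPress expects in wp-config.php.
# Each value is 48 random bytes from openssl, base64-encoded to 64
# characters that contain no quotes or backslashes, so the PHP string
# needs no escaping.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(openssl rand -base64 48)"
    done
}

# Restrict permissions under an install: directories 755, files 644, and
# wp-config.php 640 so other local users cannot read the database password
# it holds. Refuses (returns 1) if the path is not a WordPress root, so a
# typo cannot chmod the wrong tree.
wp_harden_perms() {
    root=$1
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 640 "$root/wp-config.php"
}
```

Replace the placeholder define() lines in wp-config.php with the output of wp_salts (changing the keys later invalidates every existing login cookie, which is also a quick way to log out every session after an incident), and run wp_harden_perms as the file owner after each install or restore.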

Blogging can be an excellent way for your organization to stay current in its industry. By consistently posting relevant blog posts for your audience, you have the opportunity to inform them and stay connected. Using some of these tips will help make the most of your blog.

The iPad as a VPN Client

Today was my first real chance to try out the iPad as a VPN client in a critical situation. I needed an essential file for a client in a real hurry. We were about 50 miles from the office and a physical return with the file wasn’t possible. Even worse, it was stored on an encrypted vault volume on my personal backup system, so none of my engineers could assist me, since they lack credentials for that box.
Thankfully, I had my iPad with me. I had already set up a VPN connection for my device, but hadn’t yet tested it. The good news is that it worked perfectly! I was able to quickly create a VPN tunnel back to my network and then SSH into my vault. Once there, I could effortlessly arrange for a file transfer to my client in a secure manner. I even piped a VNC connection over the tunnel using iTeleport and could interact with the GUI nearly as easily as on a laptop.
All in all, it was a great save and made an excellent real world use case for the iPad in my work flow. Have you had any other big successes with the iPad in your security work? If so, drop a comment and tell us about it. I look forward to reading about it!

How To Create a Social Media #Security Policy

Facebook now claims 300 million active users, and Twitter has 6 million monthly unique visitors. As more employees use mobile devices and their desktops to access social media sites, it poses an increasing security risk both for users and for organizations.

According to a survey recently conducted by IANS, a Boston-based research company that focuses on information security issues, more companies are starting to address these concerns by creating a social media policy.

Because social media is not likely to disappear (in fact, more platforms are likely to appear), an organization needs to create guidelines to help protect its confidential data. Here are a few things to consider when crafting your own policy:

  1. Communicate with employees and emphasize current policy. If it’s not acceptable to discuss new business at a live networking event, then it’s not acceptable to post it on Twitter or Facebook. The social media platform may change, but the principle remains the same. “Loose lips sink ships” isn’t just a quote for the military. You may already have a policy in place regarding sharing information. Include it in a social media policy.
  2. Use social media policies as an additional tool for your employee awareness program. When you develop a policy, and emphasize it with training classes, email reminders, or media – employees remember how important it is to protect the company’s intellectual property. As you explain to employees that social media just gave them a megaphone to broadcast; and with that comes responsibility, more of them will think twice before sharing something that they’ll know is inappropriate.
  3. Work with both the human resource and marketing department. To put a positive spin on usage, it’s good for employees to realize what they can post on their accounts. In fact, your employees can become an in-house public relations firm as they share with their followers the great things about their workplace. Allowing employees to have influence in an organization’s message will give them a sense of ownership in its success.
  4. Have a password vault available for each employee. One of the most common ways an attacker gets into accounts is by obtaining one password (from a breach or a phishing page) and reusing it against the person’s other social media accounts, so each account needs its own unique password. KeePass is a great open-source vault for storing them. Encourage employees to change passwords often.

Keep policies current to match new developments within the social media industry. Be as specific as possible and hold ongoing awareness sessions to ensure everyone is on board. By planning ahead and communicating expectations clearly, a company can significantly reduce its exposure to an employee’s misuse of social media.

Social Media and Reputational Risk: 3 Ways to Keep It Real – And Safe

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease such liabilities, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.
Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.
It’s good to remember what mom used to say: “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about a past employer, or worse, a current one, it can poison a customer’s view of the organization. Nothing kills a prospective sale faster than hearing an employee broadcast sour grapes. If this is a common occurrence, it gives the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.
Employees are often tempted to mix their personal and work information together when using social media. Although many times, such information can be benign, you don’t want to hear about an employee’s wild night at the local strip club. There are mixed opinions among experts whether an employee should establish a personal account, separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as it’s done responsibly.

Is IE Still on the Desktop at Your Organization?

I know that the IE infection is hard to kick. The most common argument I hear is that many sites just don’t work with anything but Internet Explorer.

Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed an alternative browser (OK, Firefox, in all cases) and then blocked all Internet access for IE at the proxy. They take the help desk calls, check the sites that users say won’t work with anything but IE, make sure each meets a business need, and then one by one add them to the proxy as sites IE is allowed to reach.

Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites becomes so infrequent as to be nonexistent, and it is handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that the longer-term savings paid for the work of the 30-day period in less than 3 months. That’s a 90-day, 100% ROI for a 120-day project!!!! In business terms, this is a NO BRAINER.
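The one-off approval process and the proxy rule behind it, as an added example that is not part of the original post. The post names no proxy product; the stanza below assumes Squid, and the allowlist file path and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. A small approval helper for
# the IE exception list described above, plus the proxy rule it feeds.
# Assumes a Squid proxy (the post names no product); the list file path
# is an assumption and can be overridden through IE_ALLOW_LIST.

IE_ALLOW_LIST=${IE_ALLOW_LIST:-/etc/squid/ie-allow.txt}

# Validate a hostname before it enters the allowlist: labels of letters,
# digits and hyphens, at least one dot, no wildcards, spaces or paths.
# Returns 1 on a bad entry so a typo in a ticket cannot open the proxy wide.
valid_domain() {
    printf '%s\n' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Append an approved site once; idempotent, so duplicate tickets are harmless.
approve_ie_site() {
    valid_domain "$1" || { echo "rejected: $1" >&2; return 1; }
    touch "$IE_ALLOW_LIST"
    grep -qx "$1" "$IE_ALLOW_LIST" || printf '%s\n' "$1" >> "$IE_ALLOW_LIST"
}

# Print the squid.conf stanza: IE is identified by the MSIE token in its
# User-Agent header and is allowed out only to hosts in the list; every
# other browser is unaffected. Later IE builds that identify as Trident
# need the pattern extended.
squid_ie_policy() {
    cat <<EOF
acl ie_browser browser -i MSIE
acl ie_allowed dstdomain "$IE_ALLOW_LIST"
http_access deny ie_browser !ie_allowed
EOF
}
```

Place the deny rule before the general http_access allow for your users, since Squid evaluates access rules in order, and reload the proxy after each approval so the new dstdomain entry takes effect. A User-Agent check is a convenience control, not a strong one (malware can forge the header), which is why the post pairs it with egress filtering and enclaving.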

Given the Aurora attacks, which got in through an unpatched IE flaw, the long history of IE vulnerabilities, and the ease with which new users of Firefox, Opera, Chrome, Safari, et al. become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, and for those internal legacy apps where a code rewrite is not feasible. Heck, in that case, maybe even allow IE 6 to live on for internal use only (and pray for no internal malware or XSS attacks). We all know the real attack surface for IE is overwhelmingly the Internet.

Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.

Let me know what you think!

Creative Uses of Video for Quick and Easy Awareness

Are you looking for an effective mechanism to help your staff stay alert against laptop theft during the holidays and such? Here is a quick suggestion.

Take an iPhone, iPod or any other video camera and shoot a quick 30-second piece about a laptop getting stolen. Have your own team star in it. Keep it quick, light and humorous. Maybe show your CEO in a panic when she realizes her laptop is missing, or a shot of your IT manager in a hoodie grabbing a laptop from the lunchroom and running. Make it over the top and funny, then close with a serious message about how quickly laptops can be stolen, how you should never leave one in a car without locking it in the trunk, and whatever else you want the users to know.

Close with how they should tell you if they have lost a laptop and who they should call.

That’s it. Keep it home video looking, don’t worry about production quality or any of that. Quick and dirty videos are the way of the new web, so think more YouTube than MGM.

Now, send your video out, or a link to it, and let your employees make suggestions for future episodes. Everyone who submits a suggestion gets entered into a drawing for movie tickets. Easy, affordable and effective.

Who knows, you may not get an Oscar, but you might just save yourself from a data breach. Either way, it will be fun and educational.

Enjoy and don’t hesitate to call us if you need help with the video, ideas or need more information about laptop encryption or other security measures. We are here to help and can get you through most laptop security issues with ease!

Some Laptop Theft Info

As part of security awareness month, I have mentioned that we really need to focus preventive awareness on laptop theft. As part of that, I have been doing some interesting research around this threat, and there is a ton of information out there. This Wikipedia article has a lot of good information and is a great place to start if you want to build some quick materials. I love the cost estimate of $89,000 on average per lost laptop. That figure aggregates the work it takes to recover from the loss, the hardware cost, the average fines and regulatory losses, and so on. It is a real eye-opener for people who tend to think only about the hardware replacement cost, which is especially true of end users.

Also, in my experience, we have timed some of our security engineer ninjas on how long it takes to break a car window, snatch a laptop and bolt. One of our quickest ninjas takes under 12 seconds to get 100 feet from the vehicle. Even rounded up to an even 20 seconds, that window barely matters: timing how long people spend in a convenience store paying for gas or grabbing a soda almost always gives 3-5 minutes. That’s a lot of time for 20-second intervals to occur.

Just something for you to give end users to think about…

Three Ideas to Encourage Employee Net-Cops

Here are three quick ideas about how to encourage your employees to be better “net cops”:

1. Make sure they know who to report suspicious behaviors to and never, ever punish anyone for doing so. Make sure you give them a place to drop anonymous notes too, if that is appropriate for your program. Teach them how to report suspicious emails, calls and information requests. Create an ongoing program reminding them about how to do so.

2. Give them an incentive to report suspicious behaviors. Create an email forwarding box for spam, phishing and other types of suspicious email. Enter the first people to report each sample into a monthly or quarterly drawing for movie tickets or some small prize. Not only will you get people interested and gain more insight into your security posture, you just might learn more quickly when a spam or trojan campaign is under way.

3. Hold a security day where you have games and such that back up these ideas. Focus on teaching your people how to recognize social engineering and such and how to report it. Use the opportunity to remind them about the other ideas above. Have some swag made for them that talks about how each of them is a “security agent” or “on the front lines” “investigating threats against your customer’s data” or the like. Get marketing and HR involved to create something memorable.

What ideas do you think might get people focused on noticing when bad things are happening? How does your organization encourage your staff to be better detectives?