Category Archives: End-user Focused

Why I Think Your Awarness Program is Broken…

Posted on by
Reply

Security awareness. I know, I know… This is one of the worst parts of being an infosec person. We all seem to have problems with it. Not so much because the content creation is hard, but because effective content creation is nearly impossible.

For almost 20 years, we in the infosec business have been harping at you about awareness. The story often goes something along the lines of “If only we could teach the users to be more careful and attentive, then we protect them better.” The truth of the matter is though, that the average user either doesn’t care about information security (until it’s too late) or they simply don’t have enough technology skills to protect themselves in a meaningful way. But, and I promise you THIS – the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don’t know…..

I think we are going about this in the wrong way. In fact, I believe that the only prevention focused message you should be sending to your staff on a repeated basis is about laptop theft. I think if you focus all of your prevention awareness on laptop theft, you might accomplish a little bit more, since laptop theft is a pretty personal crime. So, if you must print up some posters – make it about not leaving your laptop in the back of your car, or skip the posters all together!

What do I propose instead? What then will we do with all of that awareness budget???

I propose this. I suggest that you skip prevention awareness and instead focus your staff on being better “net cops”. Yep, you heard me, NET COPS. Why the heck would you do that, you might be saying? Well, the main reason is, according to recent data that profiled data compromises, your team members (as in humans) are twice as likely to notice strange attacker behaviors, security issues and other anomalies versus automated systems like IDS and log monitoring. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and face it, most infosec people love it too. There is a reason why there are so many crime shows on TV. Since people love the idea of being a net cop, let’s focus on teaching them, giving them incentives and helping them help us protect our data more effectively.

This month, as you may know, is security awareness month. As such, throughout the month, we, like other blogs and security companies will be talking a lot about awareness. BUT, on this blog and at MSI, we are going to talk more about teaching your users to be detectives. We think new focus on from “what not to do” to “help us patrol the network” just might work! We’ll never know, unless we try!

Give it some thought and as the month goes on, don’t be shy. Let us know what you think about the idea. Thanks for reading!

Pandemic Planning Update: Consider 10 Day Minimums for Sick Time

Posted on by
Reply

Having just read this article, and participated in several discussions around Pandemic Planning, I am of the belief that folks might want to consider mandatory 10 day sick times/work from home times for H1N1 infected employees.

Research shows that infected folks may be contagious for up to 10 days from the onset of their symptoms, even after they “feel better”. The problem with this is that as they “feel better” they may return to work or school, thus exposing others to the virus, albeit, inadvertently. Many people simply think that if they “feel better”, then they must be over the infection and not contagious anymore.

So, as you consider your pandemic plans, please think about the idea of a 10 day work from home program or the like for folks that are symptomatic. Explanation and education of folks carrying the virus can only help, so take the time to explain this cycle to your team.

Thanks for reading and please let us know if you have any questions about pandemic planning or remote working issues. My team and I have been doing quite a bit of consulting lately reviewing pandemic plans and helping organizations make sure that they are prepared and that their remote access systems are robust enough to handle the load and secure enough to be trusted. If we can be of any help to your organization along these lines, please do not hesitate to call or drop us a line!

President of Colombia Has Swine Flu and So Might Other Leaders

Posted on by
3

This article pointed out the recent diagnosis of President Alvaro Uribe, of Colombia, with swine flu. Even worse, the leaders of Colombia have alerted the other leaders that were involved in a regional South American summit last week. While President Uribe is not considered high risk for death from the disease, this is a new turn in the pandemic and public awareness. To date, Colombia has reported 621 cases with 34 deaths, making the mortality rate .05%.

Meanwhile, in the US and UK, school has just resumed and health officials are closely monitoring schools. Plans for handling outbreaks in the schools vary by district, but several are known to be testing plans for tele-education and remote teaching.

Once again, organizations are urged to undertake some form of pandemic planning and testing, as a “just in case” measure for H1N1 and the possibility of a strong flu season this year. SANS has just launched a site dedicated to pandemic planning and news. Check it out for more information, or give us a call and arrange a time to chat.

Your Next Security Threat May Not Involve Attackers

Posted on by
Reply

I was astounded when I read this article that includes a 2 BILLION estimate on the number of H1N1 cases that the WHO is expecting. Even worse, at 30% of human population on the planet, many are calling that number conservative. Some members of the medical community say that 45-50% may be likely!

In either case, the good news is that SOME vaccine is likely to be available to those in the Northern Hemisphere before Autumn arrives. The bad news is that there will likely not be an abundance of it, and that means some will not have access.

This is where the DR/BC planning comes in. By now, you probably have heard a little bit about pandemic planning and hopefully have created processes for remote working, containing illness and ensuring that you can operate with reduced staff. If you haven’t done this yet, NOW IS THE TIME to get this started.

If you do already have a plan, now might be a good time to do some rudimentary testing. Maybe declare a couple of reduced staff days, test the load on the VPN and remote access servers and such. This testing effort will likely reveal a few holes in these plans, but it is much better to learn about them and mitigate them now than when the real thing is going on.

Clearly, from the evidence presented by the WHO, this is something we should be paying attention to. Those who lack the focus or resources to take it seriously may well find themselves in troubling times when the weather turns colder and folks in the office begin to sneeze….

Book About PERL for Problem Solving

Posted on by
Reply

One of the essential tech skills I am always on the prowl for is a way to use technology to solve a complicated problem. Of course, one of the most useful ways to do this is to learn and apply simple programming skills. PERL is one of those scripting languages that is easy to get on a basic level, but it offers so much additional capability and complexity that it would take a literal lifetime to truly “master”.

But, the wonderful thing about PERL is its amazing capability in simplicity. You can take a few basic PERL legos and really make some wonderful things to increase the ease of your life and work. This book, <a href=”http://www.secguru.com/books/wicked_cool_perl_scripts_useful_perl_scripts_solve_difficult_problems” target=”_blank”>Wicked Cool Perl Scripts</a>, is chocked full of examples of just how to apply some basic PERL to real world problems. Check it out if you are a fan of PERL and want to automate things from work, to your news and RSS feeds to your World of Warcraft gaming. PERL is not only easy and cool, but also fun!

HoneyPoint Cracks with a Hidden Cost

Posted on by
Reply

OK, so we have been aware of a couple of cracked versions of HoneyPoint Personal Edition for a while now. The older version was cracked just before the 2.00 release and made its way around the torrent sites. We did not pay much attention to it, since we believe that most people are honest and deserve to be trusted. We also feel like people who value our work will pay the small cost for the software and those that just want to play with it and are willing to risk the issues of the “warez” scene would not likely buy it anyway….

However, today, someone sent me a link to a site that was offering a crack for HoneyPoint Personal Edition. The site was not one I had seen before, so I went to explore it. I fired up a virtual lab throw away machine and grabbed a copy of the crack application.

As one might expect, the result was a nice piece of malware. Just for grins, I uploaded it to Virus Total and here is the result:

http://hurl.ws/432e

Now, two things are interesting here. First, the crack is not even real and does not work. Second, once again, the performance of significant anti-virus tools are just beyond poor. 6 out of 41 products detected the malware in this file. That’s an unbelievably low 14.6% detection rate!

The bottom line on this one is that if you choose to dabble in the pirate world, it goes without saying that, sometimes you will get more than you bargained for. In this case, trying to get HoneyPoint Personal Edition for free would likely get you 0wned! Ahh, the hidden costs of things…..

If you are interested in a legitimate version of HPPE, check it out here.

In the meantime, true believers, take a deep breath the next time your management team says something along the lines of “…but, we have anti-virus, right…” and then start to educate them about how AV is just one control in defense in depth, and not a very significant one at that…

Lessons from an Almost Lost Laptop

Posted on by
Reply

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

A Basket Full of Caveats – The LimeWire Safety Page

Posted on by
Reply

I was taking a look at some P2P stuff for our Reputational Risk work when I bumped into the LimeWire safety page. This is a page that is (I suppose) intended to educate users on the risks associated with P2P file sharing networks and the use of LimeWire specifically. I really thought it was interesting.

The page is: http://www.limewire.com/legal/safety

Some of the items the page covers are: copyright infringement, careful shared content selection (to avoid leaking documents, spreadsheets, etc. and entire drives/folders), adult content, spyware/malware cautions and lots of language about default behaviors. Now to be sure, the authors of LimeWire have implemented new controls in their version 5 software to make it more difficult for users to make mistakes and share the wrong contents. Even given that, I still caution everyone to do their own risk/reward assessment before using such a tool.

The bottom line is this. Check out the page, because as infosec folks, we need to be aware of what topics we need to continue to talk about with others. Educating them in how to configure this type of tool, should they choose to use it, might be a powerful way to help them (and maybe your organization) remain safer online. At the very least, it seems that LimeWire has at least done a good job of trying to caution people about the problems with using their tool. That, at the very least, is quite admirable!

Lessons From a Reputational Risk Audit

Posted on by
Reply

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

Posted on by
Reply

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.