Category Archives: How To

Comparing 2 Models for DMZ Implementations

Posted on by
7
I recently had a discussion with another technician about the security of the two most popular DMZ implementation models. That is: 
  • The “3 Legged Model” or “single firewall” – where the DMZ segment(s) are connected via a dedicated interface (or interfaces) and a single firewall implements traffic control rules between all of the network segments (the firewall could be a traditional firewall simply enforcing interface to interface rules or a “next generation” firewall implementing virtualized “zones” or other logical object groupings)
  • The “Layered Model” or “dual firewall”- where the DMZ segment(s) are connected between two sets of firewalls, like a sandwich
 
Both approaches are clearly illustrated above, and explained in detail in the linked wikipedia article, so I won’t repeat that here. 
 
I fully believe that the “3 Legged Model” is a lower risk implementation than the layered model. This outright contradicts what the wikipedia article above states: 
 
     “The most secure approach, according to Stuart Jacobs, [1]is to use two firewalls to create a DMZ.” — wikipedia article above.
 
While the Layered model looks compelling at first blush, and seems to apply the concept of “more firewalls would need to be compromised to lead to internal network access”; I believe that, in fact, it reduces the overall security posture in the real world, and increases risk. Here’s why I feel that way. Two real-world issues that often make things that look great at first blush or that “just work” in the lab environment, have significant disadvantages in the real world are control complexity and entropy. Before we dig too deeply into those issues though, let’s talk about how the two models are similar. (Note that we are assuming that the firewalls themselves are equally hardened and monitored – IE, they have adequate and equal security postures both as an independent system and as a control set, in aggregate.)
 
Reviewing the Similarities
 
In both of the models, traffic from the DMZ segment(s) pass through the firewall(s) and traffic controls are applied. Both result in filtered access to the internal trusted network via an often complex set of rules. Since in both cases, traffic is appropriately filtered, authorization, logging and alerting can adequately occur in both models. 
 
Establishing Differences
 
Now the differences. In the 3 Legged model, the controls are contained in one place (assuming a high availability/failover pair counts as a single set of  synced controls), enforced in one place, managed and monitored in one place. The rule set does not have cascading dependencies on other implementations of firewalls, and if the rule set is well designed and implemented, analysis at a holistic level is less complex.
 
In the Layered model, the controls are contained across two separate instances, each with different goals, roles and enforcement requirements. However, the controls and rule sets are interdependent. The traffic must be controlled through a holistic approach spread across the devices, and failures at either firewall to adequately control traffic or adequately design the rule sets could cause cascading unintended results. The complexity of managing these rules across devices, with different rule sets, capabilities, goals and roles is significantly larger than in a single control instance. Many studies have shown that increased control complexity results in larger amounts of human error, which in turn contributes to higher levels of risk. 
 
Control Complexity Matters
 
Misconfigurations, human errors and outright mistakes are involved in a significant number (~95%) of compromises. How impactful are human mistakes on outright breaches? Well according to the 2015 Verizon DBIR:
 
“As with years past, errors made by internal staff, especially system administrators who were the prime actors in over 60% of incidents, represent a significant volume of breaches and records ,even with our strict definition of what an “error” is.” —DBIR
 
Specifically, misconfiguration of devices were involved in the cause of breaches directly in 3.6% of the breaches studied in the DBIR. That percentage may seem small, but the data set of 79,790 incidents resulting in 2,122 breaches that means a staggering number of 76 breaches of data were the result of misconfigurations.
 
This is exactly why control complexity matters. Since control complexity correlates with misconfiguration and human error directly, when complexity rises, so does risk – conversely, when controls are simplified, complexity falls and risk of misconfiguration and human error is reduced.
 
Not to beat on the wikipedia article and Stuart Jacob’s assertions, but further compounding the complexity of his suggestion is multiple types of firewalls, managed by multiple vendors. Talk about adding complexity, take an interdependent set of rules and spread them across devices, with differing roles and goals and you get complexity. Now make each part of the set a different device type with it’s own features, nuances, rule language, configuration mechanism and managed service vendor, and try to manage both of those vendors in sync to create a holistic implementation of a control function. What you have is a NIGHTMARE of complexity. At an enterprise scale, this implementation approach would scale in complexity, resources required and oversight needs logarthmically as new devices and alternate connections are added. 
 
So, which is less complex, a single implementation, on a single platform, with a unified rule set, managed, monitored and enforced in a single location – OR – a control implemented across multiple devices, with multiple rule sets that require monitoring, management and enforcement in interdependent deployments? I think the choice is obvious and rational.
 
Now Add Entropy
 
Ahh, entropy, our inevitable combatant and the age old foe of order. What can you say about the tendency for all things to break down? You know what I am about to point out though, right? Things that are complex, tend to break down more quickly. This applies to complex organisms, complex structures, complex machinery and complex processes. It also applies to complex controls.
 
In the case of our firewall implementation, both of our models will suffer entropy. Mistakes will be made. Firewall rules will be implemented that allow wider access than is needed. Over time, all controls lose efficiency and effectiveness. Many times this is referred to as “control drift” or “configuration drift”. In our case, the control drift over a single unified rule set would have a score of 1. Changes to the rule set, apply directly to behavior and effectiveness. However, in the case of the Layered model, the firewalls each have a distinct rule set, which will degrade – BUT – they are interdependent on each other – giving an effective score of 2 for each firewall. Thus, you can easily see, that as each firewall’s rule set degrades, the private network’s “view” of the risk increases significantly and at a more rapid pace. Simply put, entropy in the more complex implementation of multiple firewalls will occur faster, and is likely to result in more impact to risk. Again, add the additional complexity of different types of firewalls and distinct vendors for each, and the entropy will simply eat you alive…
 
Let’s Close with Threat Scenarios

Let’s discuss one last point – the actual threat scenarios involved in attacking the private network from the DMZ. In most cases, compromise of a DMZ host will give an attacker a foothold into the environment. From there, they will need to pivot to find a way to compromise internal network resources and establish a presence on the internal network. (Note that I am only focusing on this threat scenario, not the more common phishing/watering hole scenarios that don’t often involve the compromise of a DMZ host, except perhaps for exfiltration paths. But, this is outside our current scope.) If they get lucky, and the DMZ is poorly designed, they may find that their initially compromised host has some form of access to the internal network that they can exploit. But, in most cases, the attacker needs to perform lateral movement to compromise additional hosts, searching for a victim that has the capability to provide a launching point for attacks against the internal network.
 
In these cases, detection is the goal of the security team. Each attacker move and probe, should cause “friction” against the controls, thereby raising the alert and log levels and the amount of unusual activity. Ultimately, this should lead to the detection of the attacker presence and the incident response process engagement.
 
However, let’s say that you are the attacker, trying to find a host that can talk to the internal network from the DMZ in a manner that you can exploit. How likely are you to launch an attack against the firewalls themselves? After all, these are devices that are designed for security and detection. Most attackers, ignore the firewalls as a target, and continue to attempt to evade their detection capabilities. As such, in terms of the threat scenario, additional discreet firewall devices, offer little to no advantage – and the idea that the attacker would need to compromise more devices to gain access loses credibility. They aren’t usually looking to pop the firewall itself. They are looking for a pivot host that they can leverage for access through whatever firewalls are present to exploit internal systems. Thus, in this case, both deployment models are rationally equal in their control integrity and “strength” (for lack of a better term).
 
Wrapping This Up
 
So, we have established that the Layered model is more complex than the 3 Legged model, and that it suffers from higher entropy. We also established that in terms of control integrity against the most common threat scenario, the implementation models are equal. Thus, to implement the Layered model over the 3 Legged model, is to increase risk, both initially, and at a more rapid pace over time for NO increase in capability or control “strength”. This supports my assertion that the 3 Legged model is, in fact, less risky than the Layered model of implementation.
 
As always, feel free to let me know your thoughts on social media. I can be found on Twitter at @lbhuston. Thanks for reading! 

Old School Google Hacking Still Works…

Posted on by
3

Did some old school Google hacking last night.

“Filetype:xls & terms” still finds too much bad stuff.

Check for it lately for your organization?

Try other file types too. (doc/ppt/pdf/rtf, etc.)

Information leakage happens today, as it always has. Keeping an eye on it should be a part of your security program.

How to Use Risk Assessment to Secure Your Own Home

Posted on by
Reply

Risk assessment and treatment is something we all do, consciously or unconsciously, every day. For example, when you look out the window in the morning before you leave for work, see the sky is gray and decide to take your umbrella with you, you have just assessed and treated the risk of getting wet in the rain. In effect, you have identified a threat (rain) and a vulnerability (you are subject to getting wet), you have analyzed the possibility of occurrence (likely) and the impact of threat realization (having to sit soggy at your desk), and you have decided to treat that risk (taking your umbrella) risk assessment.

However, this kind of risk assessment is what is called ad hoc. All of the analysis and decision making you just made was informal and done on the fly. Pertinent information wasnt gathered and factored in, other consequences such as the bother of carrying the umbrella around wasnt properly considered, other treatment options werent considered, etc. What business concerns and government agencies have learned from long experience is that if you investigate, write down and consider such factors rationally and holistically, you end up with a more realistic idea of what you are really letting yourself in for, and therefore you are making better risk decisions formal risk assessment.

So why not apply this more formal risk assessment technique to important matters in your own life such as securing your home? Its not really difficult, but you do have to know how to go about it. Here are the steps:

1. System characterization: For home security, the system you are considering is your house, its contents, the people who live there, the activities that take place there, etc. Although, you know these things intimately it never hurts to write them down. Something about viewing information on the written page helps clarify it in our minds.

  1. Threat identification: In this step you imagine all the things that could threaten the security of your home and family. These would be such things as fire, bad weather, intruders, broken pipes, etc. For this (and other steps in the process), you can go beyond your own experience and see what threats other people have identified (i.e. google inquiries, insurance publications).

  2. Vulnerability identification: This is where you pair up the threats you have just identified with weaknesses in your home and its use. For example, perhaps your house is located on low ground that is subject to flooding, or you live in a neighborhood where burglaries may occur, or you have old ungrounded electrical wiring that may short and cause a fire. These are all vulnerabilities.

  3. Controls analysis: Controls analysis is simply listing the security mechanisms you already have in place. For example, security controls used around your home would be such things as locks on the doors and windows, alarm systems, motion-detecting lighting, etc.

  4. Likelihood determination: In this step you decide how likely it is that the threat/vulnerability will actually occur. There are really two ways you can make this determination. One is to make your best guess based on knowledge and experience (qualitative judgement). The second is to do some research and calculation and try to come up with actual percentage numbers (quantitative judgement). For home purposes I definitely recommend qualitative judgement. You can simply rate the likelihood of occurrence as high, medium or low risk.

  5. Impact analysis: In this step you decide what the consequences of threat/vulnerability realization will be. As with likelihood determination, this can be judged quantitatively or qualitatively, but for home purposes I recommend looking at worst-case scenarios. For example, if someone broke into your home, it could result in something as low impact as minor theft or vandalism, or it could result in very high impact such as serious injury or death. You should keep these more dire extremes in mind when you decide how you are going to treat the risks you find.

  1. Risk determination: Risk is determined by factoring in how likely threat/vulnerability realizations is with the magnitude of the impact that could occur and the effectiveness of the controls you already have in place. For example you could rate the possibility of home invasion occurring as low, and the impact of the occurrence as high. This would make your initial risk rating a medium. Then you factor in the fact that you have an alarm system and un- pickable door locks in place, which would lower your final risk rating to low. That final rating is known as residual risk.

  2. Risk treatment: Thats it! Once you have determined the level of residual risk, it is time to decide how to proceed from there. Is the risk of home invasion low enough that you think you dont need to apply any other controls? That is called accepting risk. Is the risk high enough that you feel you need to add more security controls to bring it down? That is called risk limitation or remediation. Do you think that the overall risk of home invasion is just so great that you have to move away? That is called risk avoidance. Do you not want to treat the risk yourself at all, and so you get extra insurance and hire a security company? That is called risk transference.

So, next time you have to make a serious decision in your life such as changing jobs or buying a new house, why not apply the risk assessment process? It will allow you to make a more rational and informed decision, and you will have the comfort of knowing you did your best in making the decision. 

Thanks to John Davis for this post.

How to Avoid Getting Phished

Posted on by
Reply
It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

Mergers and Acquisitions: Look Before You Leap!

Posted on by
Reply

Mergers and acquisitions are taking place constantly. Companies combine with other companies (either amicably or forcibly) to fill some perceived strategic business need or to gain a foothold in a new market. M&As are most often driven by individual high ranking company executives, not by the company as a whole. If successful, such deals can be the highpoint in a CEOs career. If unsuccessful, they can lead to ignominy and professional doom.

Of course this level of risk/reward is irresistible to many at the top, and executives are constantly on the lookout for companies to take over or merge with. And the competition is fierce! So when they do spot a likely candidate, these individuals are naturally loath to hesitate or over question. They want to pull the trigger right away before conditions change or someone else beats them to the draw. Because of this, deal-drivers often limit their research of the target company to surface information that lacks depth and scope, but that can be gathered relatively quickly.

However, it is an unfortunate fact that just over half of all M&As fail. And one of the reasons this is true is that companies fail to gain adequate information about their acquisitions, the people that are really responsible for their successes and the current state of the marketplace they operate in before they negotiate terms and complete deals. Today more than ever, knowledge truly is power; power that can spell the difference between success and failure.

Fortunately, technology and innovation continues to march forward. MSIs TigerTraxTM intelligence engine can provide the information and analysis you need to make informed decisions, and they can get it to you fast. TigerTraxTM can quickly sift through and analyze multiple sources and billions of records to provide insights into the security posture and intellectual property integrity of the company in question. It can also be used to provide restricted individual tracing, supply chain analysis, key stakeholder profiling, history of compromise research and a myriad of other services. So why not take advantage of this boon and lookbefore you leap into your next M&A? 

This post courtesy of John Davis.

Tips for Writing Good Security Policies

Posted on by
Reply

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information. 
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy. 
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security “policy” really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write “policy” in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you won’t have to go through the whole process again!

Thanks to John Davis for this post.

Three Danger Signs I Look for when Scoping Risk Assessments

Posted on by
Reply

Scoping an enterprise-level risk assessment can be a real guessing game. One of the main problems is that it’s much more difficult and time consuming to do competent risk assessments of organizations with shoddy, disorganized information security programs than it is organizations with complete, well organized information security programs. There are many reasons why this is true, but generally it is because attaining accurate information is more difficult and because one must dig more deeply to ascertain the truth. So when I want to quickly judge the state of an organization’s information security program, I look for “danger” signs in three areas.

First, I’ll find out what kinds of network security assessments the organization undertakes. Is external network security assessment limited to vulnerability studies, or are penetration testing and social engineering exercises also performed on occasion? Does the organization also perform regular vulnerability assessments of the internal network? Is internal penetration testing also done? How about software application security testing? Are configuration and network architecture security reviews ever done?

Second, I look to see how complete and well maintained their written information security program is. Does the organization have a complete set of written information security policies that cover all of the business processes, IT processes and equipment used by the organization? Are there detailed network diagrams, inventories and data flow maps in place? Does the organization have written vendor management, incident response and business continuity plans? Are there written procedures in place for all of the above? Are all of these documents updated and refined on a regular basis? 

Third, I’ll look at the organization’s security awareness and training program. Does the organization provide security training to all personnel on a recurring basis? Is this training “real world”? Are security awareness reminders generously provided throughout the year? If asked, will general employees be able to tell you what their information security responsibilities are? Do they know how to keep their work areas, laptops and passwords safe? Do they know how to recognize and resist social engineering tricks like phishing emails? Do they know how to recognize and report a security incident, and do they know their responsibilities in case a disaster of some kind occurs?

I’ve found that if the answer to all of these questions is “yes”, you will have a pretty easy time conducting a thorough risk assessment of the organization in question. All of the information you need will be readily available and employees will be knowledgeable and cooperative. Conversely I’ve found that if the answer to most (or even some) of these questions is “no” you are going to have more problems and delays to deal with. And if the answers to all of these questions is “no”, you should really build in plenty of extra time for the assessment. You will need it!

Thanks to John Davis for this post.

Compliance-Based Infosec Vs Threat-Based Infosec

Posted on by
Reply

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face. 

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur. 

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything and failure to comply is severely punished. In addition, finding better ways to protect information are sought after, and those that come up with valuable ideas are generously rewarded.

This is not the way compliance-base infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as are documented in NIST or ISO. From these, baseline standards and requirements are set down. The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines. 

Thanks to John Davis for this post.

Computer Security is Your Own Responsibility

Posted on by
Reply

All of us know that our homes may be burglarized, and we take steps to help keep that from happening. We lock our doors and windows, we install motion detector lights outside, we put in alarm systems and some of us even install cameras. The same goes for the other stuff we do and own. We lock our cars, we put our valuables in safe deposit boxes and we avoid dangerous areas of the city late at night. We even watch what we say when we are talking on the phone, because we worry someone might be listening in. We all know that we ourselves are responsible for looking after these things. So why do we all seem to think that it is somebody else’s job to make sure we are safe while we are using our computers to surf the net or catch up on Facebook? We do, though. Ive seen it happen and I’ve been guilty of it myself, I’m sorry to say.

For some reason, we don’t think a thing about using our kids name and age as our email password. It doesnt enter our minds that it may not be a good idea to do our home banking while we are sipping a latte at Starbucks. And it doesnt bother us a whit that our home wireless network doesnt require a password theyre a lot of trouble, after all! But when we get hacked, the first thing we do is blame everybody from our ISPs to the companies that built our devices. I think part of the reason is that we think the whole computer thing is too technical and there is really nothing that we can do ourselves. But that simply isnt true. The biggest part of computer security is just mundane, common sense stuff.

The most important thing is to understand what is really going on when you are on the Internet, and it can be summed up in on phrase; you are communicating in public. You might as well be standing in the town square shouting back and forth at each other. One of the only real differences is that a lot of what youre doing is not only public, its being recorded as well! So, thinking with that mindset, how would you go about keeping your privacy?

First, you wouldnt trust anyone to keep quiet and protect your secrets for you, would you? So, when you are on the Internet, always be suspicious. Make sure that that email from your bank or your co-worker is legit, dont just click on the link. Be very suspicious of anything with attachments, and dont just blithely open any document that is sent to you unsolicited. And if you get an urge to go to that neat looking gambling site or you hanker to click on that link that says they will show you your favorite celebrity with their pants down, suppress it! Also, take a look every once and awhile and see what has really been happening on your computer. Your machines are usually keeping really good logs. Look them over and see if anything seems funny to you. You dont have to be an expert, just curious.

Next, be leery if your machine starts acting funny. Maybe it gets really slow once in a while. Perhaps you turn it on and a message says Download Complete, but you dont remember downloading anything. Lots of different things like that can occur. But when they do, and then your computer starts acting normally again, dont just blow it off; check into it!

And change your passwords! Its easy and fast, and it can save your bacon. If you have been at a hotel or have connected to the Internet from a coffee shop or airport, change your passwords as soon as you get home. If something funny happens or you think you may have done the wrong thing while you were web surfing, change your passwords. Use a password vault so you only have to remember one password. Then if something funny happens, you simply reset all your passwords and change the main one. And make it a good password, too. Make sure that nobody can guess your passwords or security questions just by reading your Facebook page.

Also, if you were out in public and wanted to keep what you are saying private, you could use a code couldnt you? Then, even if you were overheard, what you said wouldnt make any sense to anyone but you and the person you are trying to communicate with. Why not apply that to your computer, as well? Use cryptography to store your private stuff in memory and for sending private communications whenever possible. You dont have to be any kind of computer expert. Disc encryption tools are free and easy to use, and you can buy email certificates very inexpensively. The main thing is, though, take responsibility for your own computer safety like you would anything else you own. Ill bet you can think of plenty of other common sense ways to protect yourselves that I havent touched on here. 

This post by John Davis.

The Big Three Part 4: Awareness

Posted on by
Reply

Cyber-attacks are a simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three; incident detection, incident response and user security education and awareness are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be over emphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each users particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in usersminds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. Thats why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees gets a perfectly legitimate-looking email message from one of their co-workers that solicit them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they dont have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This

isnt really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesnt have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system! 

This post by John Davis.