Security, we’re all in it together.

As we’ve pointed out in a few previous posts, the basics of infosec have not changed, and neither has the primary threat: the users of the network. Building a solid foundation of compliance with your security policies is fundamental. So how do you get your users to invest in and live out your company security policies and procedures? How do you encourage them to be vigilant about security?

The best way to get people motivated is, as Neil pointed out, to model good behavior yourself. But it shouldn’t stop there; you should always look for another person to encourage and teach in the ways of good security practices. And of course you should encourage them to find their own disciple. Ideally this kind of thing should be going on at the managerial and team leader level. I’ve found that people will generally rise to the level of leadership that is presented to them. You should be striving to build a culture where users are invested in security and know that those around them are as well.

Education is, of course, paramount, as users must know about the policies to be able to abide by them. Finding ways to educate users without drudgery can be challenging. Using the mentoring model is an excellent way to spread good security practices; it allows for a level of non-threatening accountability. Another idea is to use contests to reinforce training sessions. I’ve seen some security administrators set aside a few hundred dollars of their security budget to use as prize money throughout the year. They use prizes of five to ten dollars to motivate their people to be on the lookout for, and report, suspicious or unknown people in their buildings. The effort has greatly improved employees’ awareness of their surroundings, and the benefits easily surpass the minimal cash investment by the company.

Don’t Forget to Vote

Tomorrow, Tuesday 11/07/06, is election day in the US, so don’t forget to vote. The polls are open in most states before and after work, so take a few minutes and let your voice count.

PS – In some states, Ohio included, make sure you remember to bring your ID in order to vote. Check with your local election officials for requirements.

Insider Theft Incident – CEO Arrested

What can you say? It doesn’t get more serious than when the CEO is the source of the threat to the organization’s assets.

In this story, “CEO of MSP … Arrested”, a CEO is being charged with identity theft on a large scale. In this era of corporate governance and high penalties for abuse of one’s position, this will be one case to watch.

The story is via VAR Business and is pretty interesting. It is an excellent example of how identity theft from insiders has become “all the rage” in attacker circles.

Follow this one as it goes into trial. It promises to lay some groundwork for further prosecution of insider thieves to come.

Worry About the Basics

I have talked to many organizations in the last few months that are all wrapped up in deploying new security technologies and making elaborate plans for securing their organization. The problem is many of these same organizations have yet to get the basics right.

It does little good for you to invest in new IPS technologies, encryption widgets, automatic defensive packet switches, uber biometric scanners and other gadgets if your employees simply give out their passwords when asked, continue to click on email attachments that are suspicious and throw away scraps of paper with the keys to the kingdom on them. As in Neil’s earlier post, some users just continue to be the weakest link.

How can IPS help you if you can’t keep your systems patched? Maybe it could be used to stop some attacks, but without omnipresent visibility, it won’t truly defend you, just give you a false sense of security. That’s the problem with relying on technology and gadgets to secure your organization: without the other components, strong policies and processes and awareness training that is effective, you might as well throw your money out the window instead of buying some new whiz-bang piece of hardware or software that the vendors say will solve your problems.

The basics of infosec haven’t really changed. You still need a set of policies and processes that explain how the organization operates, how you will secure and handle data and how your users are to act. They need awareness training on these processes and policies so that they know how to act, how to handle data and what you expect them to do when something bad happens. THEN, you need technology to enforce the rules, audit for “bad stuff” and protect you against users who make poor choices. That truly is the role of effective security tools.

So, before you invest in the next overreaching security vendor “silver bullet”, take a moment and ask whether or not those same dollars could be better used in helping your organization do the basics better. If the answer is yes, then quietly excuse yourself from the presentation, go back to your office and implement a plan to assist with the root of the problem. Otherwise, buy away, keep looking for point solutions and keep wondering why your users are still throwing passwords in the dumpster…

Weakest Link

As with a chain, so also with security: it only takes one weak link to cause a catastrophic Information Security Incident that leads to the theft of confidential customer data, loss of reputation and/or money.

Your company could have a bulletproof security policy on paper, but if no one in your organization is putting it into practice, or if a few people are cutting corners to save time, then that puts everyone at risk. A Kevlar vest does you no good against attackers unless you wear it.

So ask yourself: Am I the weakest link in my organization’s security? If not, how can I strengthen the other links through educating them? See if any of these apply to you or those around you, and strengthen the security chain against attackers.

  • Do you throw away business documents without shredding them?
  • Do you keep all your passwords in an unencrypted file called Passwords.doc in your My Documents folder or on your Desktop?
  • Do you hide your passwords on a post-it note under your keyboard, under a coffee mug, on the wall, or anywhere for that matter?
  • Do you use the same password for absolutely everything and never change it? Or if you do change it, do you only change a single digit?
  • Do you open any attachment or follow any link that comes in your email inbox?

These are basic security mistakes that could lead to you becoming your organization’s weakest security link. Avoid these habits like the plague, and make sure none of your coworkers are doing this either. Read your company’s security policy, and follow it. Educate and implement.

Here are a few steps you can take to strengthen your security today:

  • Install encryption software and use it to encrypt your Passwords.doc
  • Use password-generating software like Personal Security Assistant to make totally random passwords.
  • Utilize the shredder so that document reassembly will be a nightmare.
  • If you don’t know who sent you an email, then don’t run the binary!!
  • Store important files in an encrypted hard drive if the security policy allows it.

Don’t allow yourself to become the weakest link.

3 Quick Thoughts and Updates

As we blogged about earlier in the week, core processing systems continue to be a focus for security teams. This week has seen additional new issues in HP-UX, Oracle problems and issues in various other related applications. Please take a moment and look through your patch levels and ensure your core systems are up to snuff.

In other news, PHP vulnerabilities are continuing to soar. Attackers are very focused on PHP problems, new vulnerabilities and exploiting vulnerable systems. PHP-based systems should be reviewed on an ongoing basis with bleeding edge updated tools to help guard against problems. Security issues with PHP have been identified in thousands of PHP applications, PHP language use and even some of the tenets of the language itself. While groups are working to educate users of PHP and harden the underlying code around the language, PHP is likely a risky undertaking for most businesses to be considering today. It is surely powerful, efficient and easy to use, but many organizations have outlawed it, claiming it is simply too insecure for “prime time” web applications.

As an aside, BT Group has announced an acquisition of Counterpane. Congrats go out to Bruce and team for their hard work. BT has gotten a strong visionary out of the deal, and with the likes of Marcus Ranum and other talented folks on staff, look for some great things from them in the future.

Core Processing Systems under Security Stress

Looks like there are quite a few issues emerging with various systems and components that many banks and such use for their core processing. The last few weeks have seen issues in Oracle, MySQL, AIX, of course Windows and various supporting tools and services.

Given the importance of core processing availability to most financial institutions, many are hesitant to patch their production systems associated with these critical functions. However, just the opposite should be true. These systems should be among the first patched to various vulnerabilities – of course – once a patch has been properly tested and vetted in their backup, lab or QA environment (they all have those, right?).

Certainly, increased pressure on patching these systems is coming from legal compliance and regulatory requirements, but financial organizations should ensure that they have an action plan for maintaining the patching and security of these systems – regardless of, and in light of, their criticality to the life of the organization. Taking a “wait and see” or “it’s working so don’t mess with it” approach could be a severely damaging error on the part of IT and management.

Core processing vulnerabilities are going to continue to emerge and present themselves as critical issues. Getting a process for managing them put into place is an excellent idea, the sooner the better.

Approaches to Application Security Testing

I just wanted to post this pointer to another article of mine that ITWorld is running. This one is an explanation of some ideas of different approaches to doing security testing of applications.

If you are considering app testing, and want to get an overview of penetration testing, code review and hybrid processes, this is probably a good start. You can then dig deeper into the mechanisms and such via sites like OWASP, SANS, etc.

You can find the article here.

Risk Assessment Key Ideas

My column at security.itworld.com is now running an article I wrote about the key ideas behind risk assessment, and the top three things that organizations need to know when they are considering risk assessments.

You can find it here.

I especially think that more organizations need to remember point number two, which is that the risk assessment must address the business goals of the organization and provide them with a real vision of how to proceed in the future to reduce their risk. So many “risk assessments” I have seen in the last 18 months seem to be little more than vulnerability assessments with some tiny bits of policy review and analysis wrapped around them.

Organizations need to get a better understanding of existing methodologies for risk assessment in order to make smarter selections in terms of vendor offerings. I think too many organizations are making their selection based on price and many times, as in life, “you get what you pay for.”

Make sure when vendors talk to you about risk assessment that you get to see sample reports, that you feel that the assessment is at a high enough level to give you real vision and value, and that the results are not just findings, but real-world strategies and tactics for today and tomorrow. Otherwise, you are likely going to get much less value for your investment, and much less return on what can be an extremely powerful tool for the future of your organization.

Encrypted Drives and Virtual Machine Images

In this day and age, almost anyone can invade your computer system and steal your data. This makes it all the more essential to ensure that beyond your perimeter network security barrier, you have a line of defense inside your system. That line of defense is encryption. Storing data unencrypted on your hard drive isn’t a mortal sin, but it could come back to bite you some day, so today we’re going to discuss that last line of digital defense.

There are two cryptodrive systems which have the biggest market share today: TrueCrypt and PGPDisk. Each has a number of advantages and disadvantages, but both share the quality of keeping your data secret from prying eyes (except when the drive is mounted). Whether you’re just storing your family photos or your customers’ credit card data, using this highly advanced technology is a must in today’s world.

I think TrueCrypt has 6 advantages over PGPDisk: 1) It’s open-source. 2) It’s free. 3) It’s cross-platform. 4) It can contain two volumes, accessed by different passphrases (or keyfiles), or you can have it only contain one “visible” volume. Anyone analyzing the bits of the unmounted drive/file cannot tell if there are one or two volumes, so there is plausible deniability of the hidden volume (which TrueCrypt stores at the end of the big cryptofile). 5) You can choose from a bunch of encryption and hash algorithms to suit your personal preferences. 6) There are absolutely positively no back-doors built in (see #1: open-source). On top of all that, installation and use is mind-numbingly simple, especially on Windows machines. It’s hard to deny that TrueCrypt is an amazing technology.

For added security, you could even store PGP-encrypted files INSIDE of your TrueCrypt drive(s), and keep no plain-text files in there. Your mileage and paranoia may vary, but that sort of dual-encryption scheme will eliminate the problem where a mounted encrypted drive can be accessed just like a normal drive. Just because you want 1 file in the encrypted drive doesn’t mean an attacker should be able to get to all the files in there.

PGPDisk is no slacker either, though… Even though it isn’t free and it isn’t open-source, it’s very fast and builds itself into the Windows shell quite seamlessly. It has great options. You can have it mount your encrypted drives at startup if you want, and auto-unmount after however many minutes or at system standby. It can use any number of your existing PGP keys to access the database, so the drive could be accessed by 20 people if you want, and/or you could just use a passphrase not associated with a PGP key. This is possible because the PGP keys and/or passphrase unlock the master-key, and that master-key actually encrypts and decrypts the disk. So when you type in your PGP passphrase you are actually unlocking another master-key that does the dirty work. PGPDisk is for Windows only, so that is definitely one thing to keep in mind when picking which solution you want to go with. Also, it can’t be proven whether PGPDisk has a backdoor or not, since it is closed-source, but crypto experts agree it is safe.
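The master-key indirection described above, as an added example written for this post rather than PGPDisk’s own code: the disk contents are encrypted once under a random master key, and each unlocking secret gets its own “slot” holding a wrapped copy of that key. The container layout, the passphrase-only slots and the PBKDF2/AES-GCM choices are assumptions for the demo.

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory stand-in for an encrypted container. The contents are
# encrypted once under a random master key; each slot holds that master key
# wrapped under a key derived from one unlocking secret (a passphrase here, a PGP
# key in PGPDisk). Granting or revoking a user touches a slot, never the data.
class Volume
  def initialize(data, passphrase)
    master = SecureRandom.random_bytes(32)
    @slots = [wrap_master(master, passphrase)]
    @data = seal(master, data) # master is never stored; it lives only inside slots
  end
  # Per-slot salt: two users with the same passphrase get different wrappings.
  def kek(passphrase, salt)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
  # AES-256-GCM; returns [nonce, ciphertext, tag].
  def seal(key, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    nonce = c.random_iv
    [nonce, c.update(plaintext) + c.final, c.auth_tag]
  end
  # Returns nil on a wrong key: the GCM tag check fails instead of yielding garbage.
  def unseal(key, blob)
    nonce, ct, tag = blob
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key, c.iv, c.auth_tag = key, nonce, tag
    c.update(ct) + c.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
  def wrap_master(master, passphrase)
    salt = SecureRandom.random_bytes(16)
    [salt, seal(kek(passphrase, salt), master)]
  end
  # Try every slot; only a matching KEK authenticates and unwraps the master key.
  def master_for(passphrase)
    @slots.each { |salt, blob| m = unseal(kek(passphrase, salt), blob); return m if m }
    nil
  end
  # An existing holder grants a new secret access without re-encrypting the data.
  def add_slot(existing, new_passphrase)
    m = master_for(existing) or raise 'unknown passphrase'
    @slots << wrap_master(m, new_passphrase)
  end
  def unlock(passphrase)
    (m = master_for(passphrase)) && unseal(m, @data)
  end
end
```

Note that the unwrapped master key is what a mounted drive really holds in memory, which is why the post warns that a mounted volume is readable like any other drive.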

Also, it is best to keep your encrypted drive/file on a (1 gigabyte?) USB flash drive, and keep a backup of it on a CD or DVD. When creating your encrypted drive, 640 MB is a good size to select, since then you can back it up to a CD-ROM easily and you won’t have to worry about splitting the file onto 2 CDs.

One of the best reasons to use TrueCrypt is its cross-platform capability. You could be running a Microsoft Windows machine, and have Ubuntu running in a VMWare image, and both your VMWare image and your real machine would be able to get to the data.

Also, on a bit of a side-note, if you’re using Windows it is a really good idea to do all of your web-surfing in the VM image instead of in Windows itself. Then, if you’re surfing along the net with Firefox in the Ubuntu VM image and you get hit by a zero-day browser exploit, the effects stay trapped in the VM image. Since your real data is in the encrypted drive and your real system is unaffected, it’s just a matter of getting a fresh VM image and you’re good to go again.

Information security doesn’t stop at the network perimeter, it stops at the bits of juicy data that the attacker wants to steal. Use encryption, use VM images – they are your friend. The digital future is shaping up to be a very hostile place for novices, so educate yourself and your friends now to avoid getting stung later.