d.strom, cissp, gsec, gsna on July 27th, 2010

Last night the Kansas City Royals lost a baseball game to the Minnesota Twins by a score of 19 to 1. That tied the worst loss in the team’s history. Wow!

I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in contention for the top spot in their division, led by players with names like Otis, Rojas, White, Brett, Mayberry, Busby, and many others. That does not seem to be the case now…

I keep wondering how this can happen. Last night it came down to pitching and hitting. The Twins kept hitting everything that the Royals threw, and the Royals didn’t. Someone on the Twins’ roster hit his very first major league home run – and it was a grand slam! (not good) The inability of the Royals over the past 20 years to regain their former status comes down to execution by players and management.

Now, let’s take a leap over to the information security things that I normally write about.

Last night’s loss illustrates an important point that we all should remember. Unless we are diligent, it is easy to allow gaps to appear in what we are doing to protect our networks and important information.

Just as there was a huge gap last night between what the Royals didn’t do and what the Twins did do, so there is often a big gap in our protection measures. We get busy doing stuff, and allow little holes to appear.

This easily happens regardless of industry. There are federal regulations and industry guidelines to help us do the right thing. But if we don’t regularly evaluate what we are practicing, then gaps appear.

  • How long has it been since you have reviewed your firewall configuration?
  • How about reviewing your logs for suspicious activity?
  • When was the last time that your policies were reviewed? Do they still fit your organization?
  • Is your patch management plan being followed?
  • Are you doing vulnerability assessment? How about pen testing?
  • How do you ensure that your software developers are baking good security practices into their code?

Thought should be given to these, and many more, questions about your security practices. The Bad Guys are constantly looking for gaps in your coverage.

Don’t let yourself develop gaps that are too big and costly to overcome. Don’t have a game like the Royals did last night.

- Dan

d.strom, cissp, gsec, gsna on July 23rd, 2010

I checked my email yesterday morning and was greeted with these three headlines:

Employee at Maryland state agency posts client information online

Sensitive database compromised at Buena Vista University

Hospital: files with personal, medical data on 800,000 gone

Whether a state agency, hospital or university, the issues are the same. Confidential information must remain confidential and there must be practices in place to maintain this confidentiality.

This is true for the small business, also.

I have heard many small business owners state that “no one would care about them”. This may have been correct in the past, but it is certainly no longer the case.

Policy statements, and enforcement of that policy, can be a significant deterrent to events such as those depicted in the headlines above.

Think about this: Who is in charge of updating the business website? Is only authorized information put on the Internet? Who is the one responsible for authorization?

Sometimes a file may accidentally get put on a web server. The contents of the web server should be a part of the regular audits.

Regardless of policy, breach and data loss events are usually a result of someone not being diligent.

I sure would not want to be the one responsible for any of these data loss events.

- Dan

d.strom, cissp, gsec, gsna on July 22nd, 2010

Most folks will not understand (or even care about) the details of the recently reported DNS rebind vulnerability. But this problem affects many of the low-end cable and DSL routers that are used in homes and small businesses.

Even more alarming is that a tool to exploit this vulnerability is to be released at Black Hat 2010 in just a few days.

What can you do to protect yourself from this exploit?

  1. Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.
  2. Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.
  3. Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer’s website and do the upgrade. This will protect you from other attacks.
  4. If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)

These steps will minimize the attack surface on your devices.
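The four steps above shrink the exposure but do not address the rebinding trick itself; the mitigation that resolvers such as dnsmasq (its stop-dns-rebind option) and many router firmwares implement is to refuse DNS answers that map a name outside your own local zone to a private, loopback or link-local address. Here is an added example of that filter, written for this post and not taken from the original or from any vendor; the local-zone suffixes and the sample answers are constructed assumptions.

```python
import ipaddress

# Address ranges that a public hostname should never resolve to. A DNS
# rebinding attack answers an attacker-controlled public name with one of
# these, so the victim's browser ends up talking to the LAN router under
# the attacker's origin. Dropping such answers breaks the trick.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Suffixes under which private answers are legitimate (assumption: your
# own local zone; adjust to the domain your router actually serves).
LOCAL_SUFFIXES = (".lan", ".home.arpa")

def is_internal(ip_text):
    """True if the address falls in a range reserved for local use."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be checked as its IPv4 form,
    # otherwise "::ffff:192.168.1.1" slips past the IPv4 ranges above.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)

def is_rebind_answer(name, answers, local_suffixes=LOCAL_SUFFIXES):
    """True if a name outside the local zone resolves to an internal address."""
    if name.lower().rstrip(".").endswith(local_suffixes):
        return False
    return any(is_internal(ip) for ip in answers)

def filter_answers(records, local_suffixes=LOCAL_SUFFIXES):
    """Split (name, [ips]) records into accepted and dropped lists."""
    accepted, dropped = [], []
    for name, answers in records:
        target = dropped if is_rebind_answer(name, answers, local_suffixes) else accepted
        target.append((name, answers))
    return accepted, dropped

# Constructed sample answers, not captured traffic.
SAMPLE_ANSWERS = [
    ("www.example.com", ["203.0.113.10"]),
    ("bad.example.net", ["192.168.1.1"]),           # rebound to the router's LAN address
    ("bad.example.net", ["::ffff:192.168.1.1"]),    # same address, IPv4-mapped
    ("printer.lan", ["192.168.1.50"]),              # legitimate local name
    ("cdn.example.org", ["2001:db8::1"]),
]

if __name__ == "__main__":
    accepted, dropped = filter_answers(SAMPLE_ANSWERS)
    for name, ips in dropped:
        print(f"dropped rebinding answer: {name} -> {', '.join(ips)}")
```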

Good luck!

- Dan

d.strom, cissp, gsec, gsna on June 28th, 2010

Earlier in the month, the Online Safety and Technology Working Group within the NTIA submitted their report entitled Youth Safety on a Living Internet, along with their recommendations to the Dept of Commerce and members of the House and Senate.

Here is a summary of the objectives of the report, which is taken directly from the introductory comments…

On behalf of the Online Safety and Technology Working Group (OSTWG), we are pleased to transmit this report to you. As mandated, we reviewed and evaluated:

  1. The status of industry efforts to promote online safety through educational efforts, parental control technology, blocking and filtering software, age-appropriate labels for content or other technologies or initiatives designed to promote a safe online environment for children;
  2. The status of industry efforts to promote online safety among providers of electronic communications services and remote computing services by reporting apparent child pornography, including any obstacles to such reporting;
  3. The practices of electronic communications service providers and remote computing service providers related to record retention in connection with crimes against children; and
  4. The development of technologies to help parents shield their children from inappropriate material on the Internet.

The report contains recommendations in each of the above categories, as well as some general recommendations. We believe these recommendations will further advance our collective goal to provide a safer online experience to our children.

This is an important document. If you have children, know children or are involved with kids at church or school you should take the time to read this report.

- Dan

d.strom, cissp, gsec, gsna on June 23rd, 2010

A lot of buzz has been generated recently as a result of charges and allegations against LIGATT Security and Gregory Evans. A recent article from The Register lists the major complaints.

I don’t have any first-hand experience with or knowledge of LIGATT or Gregory Evans. However, I find this whole discussion interesting, and it raises a question for me.

What role does integrity play in the personal and professional life of an information security professional?

One of my professors at Dallas Theological Seminary once defined integrity as “doing what’s right even though no one is watching.” That has worked well for me.

I see these components of integrity at play in the LIGATT situation:

  • Permission – Evans is accused of plagiarism in a recent book. Multiple authors claim that he used their material without permission. A significant part of integrity, then, is using other people’s work only with their express permission. It doesn’t matter if that work is written, or just ideas. You can’t take what you know is the work of someone else and use it with the claim that it is yours.

  • Honesty – Evans is also accused of falsifying or misrepresenting his time in prison and his relationship with Kevin Mitnick. If someone cannot be trusted to tell the truth about their life, then how can you count on them to honestly present facts and findings from their work? Many times we are put in positions where we have access to confidential information. We must be honest in all of our dealings.

  • Disclosure – The temptation exists to withhold certain information, at times, in an effort to bolster a certain position. Negotiations with vendors or unions often rely on this ploy. Sometimes, we are tempted to withhold information from the boss, because the full disclosure might make us look bad. There may sometimes be legitimate reasons for not disclosing all information. Make sure that the reasons for this are legitimate, and not simply to make yourself look good.

Like I said at the start, I don’t know Gregory Evans, nor do I have any experience with LIGATT. But, we all can learn some lessons from the recent flurry.

Let’s do our jobs with integrity, ok?

- Dan