I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in contention for the top spot in their division, led by players with names like Otis, Rojas, White, Brett, Mayberry, Busby, and many others. That does not seem to be the case now…

I keep wondering how this can happen? Last night it came down to pitching and hitting. The Twins kept hitting everything that the Royals threw, and the Royals didn’t. Someone on the Twins roster hit his very first major league home run – and it was a grand slam! (not good) The inability of the Royals over the past 20 years to regain their former status comes down to execution by players and management.

Now, let’s take a leap over to the information security things that I normally write about.

Last night’s loss illustrates an important point that we all should remember. Unless we are diligent, it is easy to allow gaps to appear in what we are doing to protect our networks and important information.

Just as there was a huge gap last night between what the Royals didn’t do and what the Twin did do, so there is often a big gap in our protection measures. We get busy doing stuff, and allow little holes to appear.

This easily happens regardless of industry. There are federal regulations and industry guidelines to help us do the right thing. But if we don’t regularly evaluate what we are practicing, then gaps appear.

• How long has it been since you have reviewed your firewall configuration?
• How about reviewing your logs for suspicious activity?
• When was the last time that your policies were reviewed? Do they still fit your organization?
• Is your patch management plan being followed?
• Are you doing vulnerability assessment? How about pen testing?
• How do you ensure that your software developers are baking good security practices into their code?

Thought should be given to these, and many more, questions about your security practices. The Bad Guys are constantly looking for gaps in your coverage.

Don’t let yourself develop gaps that are too big and costly to overcome. Don’t have a game like the Royals did last night.

- Dan

I don’t have any first-hand experience with or knowledge of LIGATT or Gregory Evans. However I find this whole discussion interesting, and it raises a question for me.

What role does integrity play in the personal and professional life of an information security professional?

One of my professors at Dallas Theological Seminary once defined integrity as “doing what’s right even though no one is watching.” That has worked well for me.

I see these components of integrity at play in the LIGATT situation:

• Permission – Evans is accused of plagiarism in a recent book. Multiple authors claim that he used their material without permission. A significant part of integrity, then is using other people’s work only with their express permission. It doesn’t matter if that work is written, or just ideas. You can’t take what you know is the work of someone else and use it with the claim that it is yours.

• Honesty – Evans is also accused of falsifying or mis-representing his time in prison and his relationship with Kevin Mitnick. If someone cannot be trusted to tell the truth about their life, then how can you count on them to honestly present facts and finding from their work. Many times we are put in positions where we have access to confidential information. We must be honest in all of our dealings.

• Disclosure – The temptation exists to withhold certain information, at times, in an effort to bolster a certain position. Negotiations with vendors or unions often rely on this ploy. Sometimes, we are tempted to withhold information from the boss, because the full disclosure might make us look bad. There may sometimes be legitimate reasons for not disclosing all information. Make sure that the reasons for this are legitimate, and not simply to make yourself look good.

Like I said at the start, I don’t know Gregory Evans, nor do I have any experience with LIGATT. But, we all can learn some lessons from the recent flurry.

Let’s do our jobs with integrity, ok?

- Dan

http://windowssecrets.com/2010/05/06/01-The-120-day-Microsoft-security-suite-test-drive

Important points…

• Use firewall, filters (in browsers & email), and anti-malware.
• Products from Microsoft are finally easy-to-use for normal users.
• MSE can be configured to be very unobtrusive.
• MSE will frustrate advanced users, or those who need more complex customization.

Personally, I’ve had MSE running on a virtual machine that I use every day, and have been pleased. It is lightweight in it’s use of system resources.

It seems that for most home users who are running Windows 7, there is no need to purchase a security suite.

- Dan

Yesterday, there was an article posted at dark Reading detailing recent credit card skimming incidents at gas station pumps. It is reported that 180 gas stations in Utah were found to have skimming devices in the pumps.

Bruce Schneir is correct when he states that “The consumer can’t be expected to notice these things.”

What can you do? How about the following …

• Always pay with cash
• Use your credit card inside
• Keep all receipts and watch you statements closely
• Ride a horse

So, watch those statements. If you find charges that are not yours, contact your card company.

- Dan

Microsoft Security Essentials is a FREE anti-virus and anti-spyware offering from Microsoft. They bill it as a light-weight product that has a smaller footprint than commercial products. It is intended for the home user. It can be found at www.microsoft.com/security_essentials/

Obviously, it runs on the Windows platform. You’ve no doubt noticed the Mac bias from other posts. My interest comes from supporting the XP Pro notebook my wife uses and the Vista Home Premium notebook that one of my son’s uses. Other extended family members also use Windows.

The installation was amazingly simple. But, before the install, you should uninstall any other AV products you may be running. Go to the Security Essentials site and download the installer. Double-click on the downloaded installer program and follow the prompts. When the install is done, Security Essentials does an update of the signatures, and then you are encouraged to do a complete system scan. That takes a while.

The scan produces a report of any threats that are detected on your computer.

The Security Essentials console is arranged in a reasonable fashion. There is the Home tab which gives a quick overview of the state of AV protection on your computer. The Update tab allows you to force an update of signatures. The History tab let you see what threats have been found and the action that was taken. Finally, the Settings tab allows for modification of behavior of Security Essentials. The defaults are reasonable.

Following installation, I noticed that there are two new processes using memory. On my test XP Pro test machine, msseces.exe uses 11,820K and MsMpEng.exe uses 70,052K.

Very few CPU cycles are used when doing real-time protection. But, you will notice a performance impact when a full scan is running. This is similar to what you would experience with other products.

In summary, Microsoft Security Essentials was very easy to download and install. I found it simpler to use than competing free products like AVG Free. Several independent labs tested the efficacy of the product during the beta period. They all report sufficient detection and remediation of threats.

So, if you have a Windows XP, Vista or 7 computer at home and don’t want to spring for a commercial product, it looks like Microsoft Security Essentials is a winner!

- Dan

“Dripping with irony” is how Network World magazine describes this situation.

The lesson for the small business is that regardless of how advanced, or secure, your organization is, there needs to be constant vigilance.

You don’t want to be the next company that has a major breach with a loss of customer information or intellectual property.

- Dan

I have been finding that there are many religious or faith-oriented people in technical careers. There are also many who have no faith, or choose not to actively practice any faith or religion.

In a few days (on Friday, July 24, 2009, 8:00am EDT), I will be posting a survey aimed at Information Security professionals. After the survey is closed, I will take a few days to compile and analyze the data. The final report will be made available.

In order to have a statistically meaningful survey, there needs to be a large sampling. The more responses the better! The survey will be going out to various mailing lists that I use, as well as some social networking groups.

Be sure to understand that the purpose of this survey is to simply gather data and understand the role of religion and faith for information security practitioners.

The opportunity for anonymous responses will be available. No one will be contacted directly. The only exception may be if they indicate their willingness to provide more information.

Please come back on July 24 and provide your input!

Thanks,

- Dan

For a functioning description, consider Operations to be the tasks required to maintain a desired level of security. It is easy to get bogged down thinking about the security posture and auditing to make sure that we are maintaining that posture.

Regardless of what level of security you want, the following are some ideas to get you started thinking about InfoSec Operations…

Good InfoSec operations will be driven by policy.

• Acceptable Use Policy – The AUP clearly lays out what the organizations resources can or can not be used for. Check out some reasons you need an Acceptable Use Policy.
• Configuration Change Policy – Even the smallest of businesses needs to have guidelines and policies of who can make and when changes can be made to computer, software and infrastructure. Chaos ensues without this.

Good InfoSec operations will work to minimize the risk from malware.

• Operation system patches – Whether you are running Unix, Linux, Windows or OS X as you operating system, there are frequent patches that should be applied. Depending upon your business, you may even need to test patches on test servers and workstations prior to general deployment.
• Anti-virus updated and scanning – Malware is a significant attack vector. Viruses, worms or spyware are often used to gather personal information from the infected host. A major step in minimizing the risk if to keep the anti-virus software updated and scanning.

Good InfoSec operations will be aware of threats.

• Know what the risks are to your organization – The risks to a small bank are different than the risks for the fitness club. Awareness of the risks to your specific industry will enable you to establish sound defenses.
• Know what has been done to remediate specific threats – I keep a “risk register” of the various risks, threats, problems that I encounter. It includes the date found, a brief description of the risk, what I have done to address the risk, and the date that was done. Not only does it help me remember, but it is good to periodically review it to make sure the remediation is still valid.

Good InfoSec operations will be ready to recover from an incident.

• Backups – Having good backups can make you look like a genius! (and they can be the difference between an inconvenience and the organization shutting the doors…)
• Disaster Recover Planning – Even the smallest of businesses needs a DRP. Ready.gov can be a good starting place.

- Dan

You could have someone assigned to capture and analyze every packet that is aimed toward your your network, but they wouldn’t be able to do this with the speed and consistency required to effectively protect your information assets. That is where technology comes in.

Your small or medium business, or even your home, network needs to have some technology used to help defend and protect.

Consider the use of these basic technologies in your defense in depth strategy…

• Anti-virus and anti-spyware – Defends against malware and helps to ensure availability and confidentiality. Your computers stay running and the information on them stays in the organization. Opportunities to accidently install viruses and spyware come from shared files, or even from just surfing the Internet. Even legitimate sites often will spread malware!
• Firewall – Defends against unauthorized access and helps to protect the perimeter of your network. Your connection to the Internet is being frequently tested for openings that would allow entrance to hackers. The firewall is a basic first line of defense.
• File system encryption – Defends against loss of data if the computer is stolen. Many solutions exist, but both Windows and Mac OS X have built-in features for encrypting the file systems. Learn how to use this feature, and then make sure that you really are using it!
• Automatic Backup – Makes your information available in the event of a disk drive failure. This is an often overlooked element to information security in the small business. The usability of the backups should periodically be tested.

Of course, there are many others steps that can be taken ranging from segmenting your network to installing (and monitoring) intrusion detection/prevention systems to installing hardware encryption to active application scanning to multi-tiered firewall architectures to data classification systems to access control methodologies to …

So, by now we have learned that just being careful (the People element) is not all you need for good information security. You also need technology to supplement your people.

The last element of Defense in Depth is Operations. We will be looking at that in the next week or so…

- Dan

Patches and Updates are used to correct programming errors and fix vulnerabilities in the software.

It is difficult to keep up with the vulnerabilities that are found for Windows, OS X and all the programs that are running on them.

So, today’s tip is to use the automated facilities of Windows and OS X to automatically update the operating system and applications.

To enable this in Windows, go to the Control Panel and look for Automated Updates.

For OS X, go to the System Preferences application and open Software Update.

Both Windows and OS X allow for the computer to download the updates on a set schedule. When you are notified of updates, you should let them install.