President Ronald Reagan said, “Trust, but verify.” I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.

Trust is a critical foundational element of life, government and information security.

Things would be different if trust was non-existant…

• Husbands and wives would always be paranoid.
• Negotiations between teachers and school boards would always go to impasse.
• You wouldn’t have any confidence in your antivirus or IDS system.

Right now, you’re probably saying that is the way things already are. To some extent you are right.

Distrust between two parties is as natural as entropy.

But, consider some of the ways that you do trust.

• You trust that the gas pump gives you what you pay for and that the meter is accurate.
• You trust that the government who puts the accreditation sticker on the gas pump has actually tested it.
• You trust that the person testing the gas pump knows how to accurately test it.
• You trust that the magnetic card reader for swiping your credit or debit card is not skimming that information.

Of course, there are many more examples.

• You trust Google to not share information about your searches, or the contents of your GMail account.
• You trust the security that your bank uses for your on-lne banking.
• You trust the validity of the certificates that are checked when accessing secure web sites.

Our society is built upon the expectation of trust. Sometimes people and organizations successfully show that they can be trusted. Othertimes, not.

Back to President Reagan…

There are times when I trust, but verify.

However, there are many more times when I trust, but either choose to not verify, or the risk is so low that it makes to sense to take the time to verify.

Carefully consider which times verification is important. It just might save the day for you sometime.

- Dan

We currently have two dogs and usually have multiple cats. We’ve had snakes, lizards, fish, birds, hedgehogs and other critters as pets in the past.

So it was with great interest that I listened to the advertisement on the radio encouraging pet owners to take their pet to the veterinarian and have a semi-yearly risk and health assessment performed. This radio spot was sponsored by some veterinarian organization.

The selling point was that your pets may be exposed to diseases and parasites that you are unaware of and the assessment will help to detect and give a jump-start to remediation.

Wow! That sounds like what is done in information security.

• Pets (dogs) will wonder around and stick their nose in places where it doesn’t belong.
• Users will visit just about any Internet site – even ones they shouldn’t.
• Pets will pick up parasites just by running through the brush.
• Users will get a virus, trojan or some other malware just by clicking a link in some spam email.
• Pets will sometimes have to be put on a leash to keep them from running off.
• Content filters are sometimes necessary for users.

I could go on. The point is that just like with pets, we need to be constantly aware of the changing risks and take steps to adequately respond to that risk.

Who would have thought we could learn information security practices just by having pets?

- Dan

“Backups are the disaster recover plan!”, he emphatically said.

And so began the conversation…

Of course, backups are a part of the disaster recovery, but not the complete plan.

Just last night I found out about a local business whose server crashed. They had been dutifully performing backups. The backup subsystem reported that backups had been created. But…

It turns out that the backups are unreadable and now they are scrambling to determine the next steps to keep their business running.

Tip: Periodically check your backups to make sure that (1) they are readable, and (2) that they contain the information you hope they do.

Put this into your list of things to review on a monthly basis. As some point you will be glad that you did.

- Dan

Do yourself a favor. Go grab your wallet. I’ll wait for you to get back…

.

..

…

Now, pull all your credit cards out. Grab your debit cards, also.

Look at them closely. Can you identify where each one of them has been used?

Have you ever used your debit card for on-line transactions?

By spreading your credit and debit card numbers out across cyberspace, you are increasing your target profile, and increasing the risk of compromise.

Speaking from experience, you don’t want those numbers to be used without your permission.

Tip: Create a plan and strategy for the use of your cards.

Here are some things you can do. You may do some other things…

1. Never use your debit card for on-line transactions.

Different banks will give differing explanations about your liability for unauthorized transactions. Minimize your footprint.

2. Have one credit card that is only used for transactions you don’t fully control.

(such as on-line transactions or paying for dinner where you give your card to the server and it’s gone for 10 minutes…)

3. Closely monitor the charges to your cards.

Use the on-line tools your card issuer gives you to see what transactions appear.

4. Don’t write your PIN on the back of the debit card, and don’t give it to your kids to use.

Believe it or not, I just noticed that a friend had done this. It’s like writing the burglar alarm code on the door of your house.

5. Don’t use credit and debit cards.

This is somewhat like using the Google Opt-Out that was reported on the Onion News Network. Radical and gets the job done, but probably not all that practical!

These cards are like the keys to your financial kingdom. Guard them!

- Dan

I don’t know if your memory is like mine, but sometimes I cannot remember what happened last week.

Do you remember each and every information security exposure that is found?

Several years ago I started keeping a Risk Register. This is very similar to the checkbook register that we all keep.

When I find a new exposure to our organization, I keep track of these things…

1. Date Risk Found
2. Description of Risk
3. Business Unit Impacted
4. Steps Taken for Remediation
5. Date of Each Step Taken

Now, I’ll be honest. Many times I keep much more information that what is listed above. But, the above is a good start.

What are the benefits of keeping a Risk Register?

• Helps with remembering what has been done.
• Helps with justifying InfoSec expenses.
• Helps in explaining what has been done to Management.
• Helps to identify the most vulnerable business unit.

So, remove some items from the list of things you need to remember. Keep a Risk Register.

- Dan

When the alarm went off this morning (4/27/09), the first thing I heard before I got out of bed was the NPR announcer saying, “… the U.S. is being warned to prepare for a Swine Flu epidemic.” I hit the button to shut her off, stumbled to the shower and spent most of the show considering how this relates to information security.

1. I realized that I don’t know as much about the swine flu as I should. Stephen Northcutt (of The SANS Institute) has prepared a briefing on swine flu. Get it here.
2. I realized that we may have an opportunity to exercise the disaster recovery plan. This was put into place about a year ago and we have run through some scenarios on paper tests. If people are told to stay home from work to slow the spread of swine flu, we might be forced to crank up the D.R. plan.
3. Finally, I also realized that some of the well thought-out policies might need to exceptions. As an example, we don’t like for non-company computers to connect to our protected networks. But, if staff are told to stay home, we might need to bend on this policy.

The moral to this story???

Now might be a good time to review you disaster recover and business continuity plan, specifically as it relates to pandemics.

- Dan

If you go to any class dealing with information security, you are bound to hear these discussed. They should be well understood before trying to set up a router, install anti-virus, or establish policies.

Yet… why should you care about these?

Just like building a house requires that there be a firm foundation, good information security must be built on these three solid principles.

So then, let’s move on. Here are the three foundational tenants of Information Security – represented by CIA.

No… not the Central Intelligence Agency…

1. Confidentiality – At the most basic level, the principle of confidentiality ensures that an appropriate amount of secrecy is maintained and that information is protected from unauthorized disclosure.

So, why is Confidentiality important?

• Many regulations require it! Several industries are regulated by either federal/state governments or standards bodies. Here are a few – HIPAA, GLB, SOX, PCI DSS.
• Disclosure of confidential information can ruin the reputation of your business.
• Loss of confidentiality of your personal information can lead to identity theft.
• I once lost personal banking information due to a worm on my computer that sent me personal information to a server in another country. Confidentiality became much more important to me after that!
2. Integrity – The principle of integrity is the assurance that the data is accurate and reliable and protected from unauthorized modification.

Why is Integrity important?

• Once again, it is implied in many regulations. The same regulations listed above also imply controls to ensure the integrity of the data.
• Just like having a mistake in your checkbook register can be disastrous, likewise errors in the data that you use to run your company can prove disastrous.
• Years ago, and at another company, we had a situation where an employee was maliciously changing customer records. While everyone thought they could trust the data, the integrity had been compromised.
3. Availability – Availability ensures that authorized users can use the data when and where necessary.

Why is Availability important?

• Businesses expect to be able to access information at certain times. It is not unusual for opportunities to be lost if a system is unavailable.
• In 2002 there was a significant DDoS (distributed denial of service) on the Internet that affected search engines, news sites and retail sites. Their on-line systems were not available, and as a result sales were affected.
• In the event of catastrophic events, such as fire, flood, or tornadoes, being able to bring the systems back up so that they are available for business can often be the difference between survival or failure for the business

Just remember, doing the latest shiny thing in InfoSec is not the end-goal. The objective is to build on the foundation of Confidentiality, Integrity, and Availability.

- Dan

What do the following have in common?

- Bank overdraft

- Cancer

- Automobile brake failure

- Cyber-intrusion

- Disgruntled employee

In each of these situations, early detection of the problem is important.

Early detection of cancer increases the chances of recovery. Early detection of a bank overdraft minimizes charges. Early detection of brake failure may save your life. Early detection of a cyber-intrusion can minimize your losses. Early detection of a disgruntled employee can prevent all sorts of problems.

You will never know there is a problem if you aren’t willing to put out the effort to watch for the early signs. If you aren’t watching for the early signs, the problems will continue to get worse.

Just ask the teenager who doesn’t balance his checkbook!

- Dan

I’ve been working lately on appropriate placement of IDS sensors. We don’t have the staff to be able to designate someone as a full-time intrusion analyst. As a result, I am needing to evaluate how we use IDS. Traditionally, we have had a sensor watching all in- and out-bound traffic. More information is generated than can reasonably be monitored.

Is seems that for us, placing a focused sensor in front of critical servers, or on sensitive segments seems to be where we can get the most Bang for the Buck. Here we will be able to tune the IDS ruleset to only alert and log on events that are relevant to hosts on the segment where the sensor is placed.

It has been educational to be forced to look at the servers with the intent of only including IDS rules that are appropriate to the particular host configurations. For example, if we are using Windows servers with IIS, there is no need to have the IDS check for attacks that only target Linux and Apache. Likewise, rules for the database server need to be focused for the product and host OS.

At this point there doesn’t seem to be much of a reason to have IDS on the user segments.

As always, it is a good things to be able to simplify things.

- Dan

A couple of posts ago, we began the End of Year Cleanup discussion. In that post, I encouraged you to ask the question “Where are we?” with regard to information security within your organization.

Now, we must address the question “Where do we want to be?

Over the years I’ve had several people express that they don’t know where to begin in thinking about this.

Covey says to begin with the end in mind. So, what is the end that you are after? Have you given any thought to this?

The Payment Card Industry (PCI) has created data security standards (DSS) that are to be followed by any organization accepting Visa, MasterCard, American Express, JCB, and Discover cards. It is a very good standard to use as a framework. The PCI DSS quick start can be downloaded here.

In a nutshell, here are the general steps…

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

You can always find more details for each of these steps in the full PCI DSS documents. Check out www.pcisecuritystandards.org for more information.

Keep in mind that not every organization needs to follow all of the details of the PCI DSS. You should aim for security that is reasonable for your organization.

Have fun!

- Dan