I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in contention for the top spot in their division, led by players with names like Otis, Rojas, White, Brett, Mayberry, Busby, and many others. That does not seem to be the case now…

I keep wondering how this can happen? Last night it came down to pitching and hitting. The Twins kept hitting everything that the Royals threw, and the Royals didn’t. Someone on the Twins roster hit his very first major league home run – and it was a grand slam! (not good) The inability of the Royals over the past 20 years to regain their former status comes down to execution by players and management.

Now, let’s take a leap over to the information security things that I normally write about.

Last night’s loss illustrates an important point that we all should remember. Unless we are diligent, it is easy to allow gaps to appear in what we are doing to protect our networks and important information.

Just as there was a huge gap last night between what the Royals didn’t do and what the Twin did do, so there is often a big gap in our protection measures. We get busy doing stuff, and allow little holes to appear.

This easily happens regardless of industry. There are federal regulations and industry guidelines to help us do the right thing. But if we don’t regularly evaluate what we are practicing, then gaps appear.

• How long has it been since you have reviewed your firewall configuration?
• How about reviewing your logs for suspicious activity?
• When was the last time that your policies were reviewed? Do they still fit your organization?
• Is your patch management plan being followed?
• Are you doing vulnerability assessment? How about pen testing?
• How do you ensure that your software developers are baking good security practices into their code?

Thought should be given to these, and many more, questions about your security practices. The Bad Guys are constantly looking for gaps in your coverage.

Don’t let yourself develop gaps that are too big and costly to overcome. Don’t have a game like the Royals did last night.

- Dan

Employee at Maryland state agency posts client information online

Sensitive database compromised at Buena Vista University

Hospital: files with personal, medical data on 800,000 gone

Whether a state agency, hospital or university, the issues are the same. Confidential information must remain confidential and there must be practices in place to maintain this confidentiality.

This is true for the small business, also.

I have heard many small business owners state that “no one would care about them”. This may have been correct in the past, but it is certainly no longer the case.

Policy statements, and enforcement of that policy, can be a significant deterrent to events such as are depicted in the above links.

Think about this: Who is in charge of updating the business website? Is only authorized information put on the Internet? Who is the one responsible for authorization?

Sometimes a file may accidentally get put on a web server. The contents of the web server should be a part of the regular audits.

Regardless of policy, breach and data loss events are usually a result of someone not being diligent.

I sure not would want to be the one responsible for any of these data loss events.

- Dan

Even more alarming is that a tool to exploit this vulnerability is to be released at Black Hat 2010 in just a few days.

What can you do to protect yourself from this exploit?

1. Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.
2. Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.
3. Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer’s website and do the upgrade. This will protect you from other attacks.
4. If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)

These steps will minimize the attack surface on your devices.

Good luck!

- Dan

Here is a summary of the objectives of the report which is take directly from the introductory comments…

On behalf of the Online Safety and Technology Working Group (OSTWG), we are pleased to transmit this report to you. As mandated, we reviewed and evaluated:

 

1. The status of industry efforts to promote online safety through educational efforts, parental control technology, blocking and filtering software, age-appropriate labels for content or other technologies or initiatives designed to promote a safe online environment for children;

 

2. The status of industry efforts to promote online safety among providers of electronic communications services and remote computing services by reporting apparent child pornography, including any obstacles to such reporting;

 

3. The practices of electronic communications service providers and remote computing service providers related to record retention in connection with crimes against children; and

 

4. The development of technologies to help parents shield their children from inappropriate material on the Internet.

 

The report contains recommendations in each of the above categories, as well some general recommendations. We believe these recommendations will further advance our collective goal to provide a safer online experience to our children.

This is an important document. If you have children, know children or are involved with kids at church or school you should take the time to read this report.

- Dan

I don’t have any first-hand experience with or knowledge of LIGATT or Gregory Evans. However I find this whole discussion interesting, and it raises a question for me.

What role does integrity play in the personal and professional life of an information security professional?

One of my professors at Dallas Theological Seminary once defined integrity as “doing what’s right even though no one is watching.” That has worked well for me.

I see these components of integrity at play in the LIGATT situation:

• Permission – Evans is accused of plagiarism in a recent book. Multiple authors claim that he used their material without permission. A significant part of integrity, then is using other people’s work only with their express permission. It doesn’t matter if that work is written, or just ideas. You can’t take what you know is the work of someone else and use it with the claim that it is yours.

• Honesty – Evans is also accused of falsifying or mis-representing his time in prison and his relationship with Kevin Mitnick. If someone cannot be trusted to tell the truth about their life, then how can you count on them to honestly present facts and finding from their work. Many times we are put in positions where we have access to confidential information. We must be honest in all of our dealings.

• Disclosure – The temptation exists to withhold certain information, at times, in an effort to bolster a certain position. Negotiations with vendors or unions often rely on this ploy. Sometimes, we are tempted to withhold information from the boss, because the full disclosure might make us look bad. There may sometimes be legitimate reasons for not disclosing all information. Make sure that the reasons for this are legitimate, and not simply to make yourself look good.

Like I said at the start, I don’t know Gregory Evans, nor do I have any experience with LIGATT. But, we all can learn some lessons from the recent flurry.

Let’s do our jobs with integrity, ok?

- Dan

A Mac? We don’t use those.

Flash drives are not allowed here!

We have all heard arguments like that.

For as long as I’ve been active with information security, there has been tension between non-InfoSec folks and technology users.

Users perspective – The tools and devices that the company provides just are not good enough. I use a <some device> at home and it really would help me at my job. In fact, I’ve already started using it for some work activities…

InfoSec perspective – The consumer device may be Really Cool, but we haven’t done a security assessment on it yet. Can the data on it be encrypted? What about a remote wipe of the data? We’re not going to allow that on our corporate network…

And so the tension goes on and on and on.

What ever happened to technology being an enabler?

So, what role does Information Security play?

• Don’t allow unwanted traffic on the network.
• Don’t allow unauthorized software on the workstation.
• Don’t allow access to certain data.
• Don’t allow unapproved devices.

That’s all pretty negative, isn’t it? Here are some random thoughts about what we should be doing…

• Don’t forget that business exists for a reason. Our job is to help protect that business, not always to be like Nancy Reagan and “just say NO”.
• Encourage personal responsibility to protect the business. It is the job of everyone.
• Find out what the real deficiency is that the user is trying to remediate with the consumer device and address that real need.
• Remember that there are legitimate times to take a stand and refuse to allow certain devices to be used in the company.
• Regulation, such as PCI/DSS, SOX, GLBA, etc, exist to provide guidelines. Many businesses can be surprisingly flexible, even when these regulations must be followed.
• But, don’t be afraid to do the necessary work to perform the risk analysis of the device, and maybe change policy or practice if the risk is at an acceptable level.
• Finally, an attitude of working together can go a long way in helping the user to understand the issues surrounding their favorite consumer device.

That’s about it for my thoughts this week. Until next time…

- Dan

By Ben Rooney, staff reporterMay 25, 2010: 6:25 PM ET

NEW YORK (CNNMoney.com) — Facebook confirmed Tuesday that it will simplify its privacy settings, in a move aimed at quelling growing concerns over how much user information is exposed online.

“I can confirm that our new, simpler user controls will begin rolling out tomorrow (Wednesday). I can’t say more yet,” Andrew Noyes, a Facebook spokesman, said in a statement.

 

You can read the rest of the article to see what is being said.

Of course, Facebook has been talking about privacy settings for a long time. So has the press, pundits and bloggers. Not that I’m skeptical, or anything, but time will tell as to whether Facebook is truly making any useful changes.

While you are waiting for Facebook to make things simple, head on over to http://www.reclaimprivacy.org/ and use their scanner to help you identify and understand your current settings. The tool will also make some recommendations for you.

Was that a black helicopter that I just saw flying overhead?

- Dan

You should never have the only copy of your important files be stored on your flash drive. It will die (or be lost or be stolen). If this is the case, you may be completely out of luck.

I had a friend give me a flash drive this past weekend. The flash drive is not recognized by any computer. Where there normally is a light that comes on when plugged in, now there is no longer a light.

If the problem is more that just a poor USB connector, then it will be pretty costly to recover the data, if it is possible at all… Usually the cost will outweigh the benefit of recovered files.

So, use the flash drive only as a working and portable storage device. Make sure they are encrypted. Copy the files back to your computer if they are important. That way they will be a part of  your normal backups. (You do have a backup system, right?)

If you don’t have a backup system in place, consider using something like LockYourData (www.lockyourdata.com). It allows  you to manage both online and local backups as well as keeping multiple generations of files.

The last thing you want to hear is the words of Dr. McCoy as he looks up and says, “He’s dead, Jim.”

- Dan

http://windowssecrets.com/2010/05/06/01-The-120-day-Microsoft-security-suite-test-drive

Important points…

• Use firewall, filters (in browsers & email), and anti-malware.
• Products from Microsoft are finally easy-to-use for normal users.
• MSE can be configured to be very unobtrusive.
• MSE will frustrate advanced users, or those who need more complex customization.

Personally, I’ve had MSE running on a virtual machine that I use every day, and have been pleased. It is lightweight in it’s use of system resources.

It seems that for most home users who are running Windows 7, there is no need to purchase a security suite.

- Dan

You really need to take a look at this article. It shows how Facebook has slowly and steadily made your privacy disappear.

You should carefully consider how this impacts you.

- Dan