
Archive for July, 2006

Security Round Table - Episode 3 - Liability for Vulnerabilities and Responsible Reporting

I am excited to present to you the SRT’s third episode. The goal of these podcasts is simple: bring together podcasters and occasional guests to discuss important security topics. This episode had some great (read: diverse) representation as we tackled the issue of who should be responsible for vulnerable code and “good practices” around notification, patching and the like.

This podcast went a bit longer than planned, and I suspect we could have kept talking all night long! I personally learned quite a bit and enjoyed the opportunity to explore some of these issues and hear different perspectives. I hope you enjoy it too!

Joining us on this effort were:
Martin McKeay (The Network Security Podcast)
Paul Asadorian (Pauldotcom Security Weekly)
Jamal Khan (Hdaar Security Radio)
Alan Shimmel (Still Secure, After All These Years)
Ron Woerner (Security Catalyst Contributor)

Ideas? Comments? Suggestions? securitycatalyst@gmail.com

Michael (The Security Catalyst)

Posted in Information Protection | Comments (1)

What Drives the Security Catalyst - and our mutual challenge

I came across this today on Seth Godin’s blog. If you’re not familiar with Seth, it’s worth checking into his work, since he shook the marketing world up pretty well and continues to make a difference. The post is called “3000 times a day” - it is pithy and is a quote:

Jennifer Bain quotes Jim Leff,

“Encourage people to stop compromising 3,000 times a second. Spotlight the good guy who nobody else is paying attention to. Run a site with really discerning and trustworthy information contributed by people who care as much as I do about the credo of refusing to settle for mediocrity — ever.”

(Permalink to Seth’s Blog: http://sethgodin.typepad.com/seths_blog/2006/07/3000_times_a_da.html)

If you wonder why I have started this community - the above quote explains it pretty well. I am passionate about security and how we can blend our efforts, insights and talents to make a difference. I’m also tired of misinformation and discord in the world of security. I’m not a big fan of mediocrity - and this is our chance to come together to do great things!
I am excited to welcome Ron Woerner as a regular contributor. We are currently preparing to welcome a few other contributors, too (stay tuned for more in August and into the Fall). We’re developing a new, Drupal-based “catalyst community” [and could use some help/guidance] and are preparing to launch a new way to learn/practice security this fall.

If you want to get involved with the Security Catalyst, send me an email at: securitycatalyst@gmail.com.

Even if you don’t become a contributor to the Security Catalyst, let the spirit and passion of our efforts ignite in you a desire to focus on the good, provide diligent service and stop settling for mediocrity.

Posted in Information Protection | Comments

The Privacy Meltdown

In America today, we are in the midst of a Privacy Meltdown. Personal information is flowing everywhere and there is a lot of it. Since the ChoicePoint theft of personal data in February 2005, the approximate number of *records* that have been compromised due to security breaches is 88,794,619[1].

With the Internet and advanced computer technologies, it’s now very easy to collect and aggregate large quantities of personal data. It can be in almost any desired format or structure and can be stored or distributed without significant human thought. In the wrong hands, it can lead to identity theft and other forms of fraud against people and their companies.

Everyone is talking about the problem, but very few are offering solutions on ways to protect personal information belonging to other people. The state laws don’t provide much help beyond stating that you should use encryption. They’re just ensuring there’s a hammer when a loss occurs. Additionally, few organizations have the technology or processes in place right now to properly encrypt data outside of a database. (Remember, most losses are occurring on backup tapes, personal storage devices or laptop drives.)

So, what can you do? One short-term answer is user education. I know, it’s not perfect and you can’t force people to attend or even listen, but sometimes it’s the only thing you can do in the short term.

Here’s a list for end users instructing how they can help protect other people’s personal information when it’s in their care:

  1. Remember: Everyone needs to participate in protecting their own and others personal information.
  2. Know what personal information is, where it resides, and how you come into contact with it.
  3. Limit access to personal information to only those with a need to know. If someone doesn’t need to see the information, then their access should be blocked.
  4. Appropriately protect the data to keep others from seeing it. This can be through encryption or an archiving program such as WinZip that encrypts the archive with a password. If you use a ZIP utility, choose its AES encryption option; the legacy ZIP password protection (ZipCrypto) is weak and can be broken with freely available tools.
  5. Ensure personal information (yours or others) is not on a medium that can be easily lost or stolen. This could be paper, a portable hard drive or USB thumb drive, or other removable media such as CDs or backup tapes. If it is, there should be controls in place for that medium.
  6. If you have a laptop, try not to store personal information on it and make sure it is protected from theft.
  7. Dispose of the data so it cannot be easily retrieved. This includes using the shred bins for paper products and destroying magnetic media and hard drives.
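Step 2 above (know where personal information resides) is the one most people skip because they have no way to look. The script below is an added example, not code from the original post or from the Security Catalyst: it walks a directory tree (a laptop profile, a departmental file share, an export folder) and reports lines that contain what looks like a US Social Security number or a payment-card number. Two checks keep the noise down: the SSN area/group/serial rules and the Luhn checksum for card numbers. The sample export at the bottom is constructed for the example and contains no real people or accounts; the report masks everything but the last four digits so that the finding list does not itself become a second copy of the data.

```python
"""Added example: a small PII finder for laptops, file shares and exports.

Reports lines containing apparent US SSNs or payment-card numbers, using
the SSN issuance rules and the Luhn checksum to cut false positives, and
prints only masked values so the report is not a second leak.
"""
import os
import re
import sys

# Card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSNs in the conventional AAA-GG-SSSS form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that are never issued: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str):
    """Return a list of (line_no, kind, masked_value) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if ssn_plausible(area, group, serial):
                findings.append((line_no, "SSN", "***-**-" + serial))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((line_no, "CARD", masked))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000):
    """Scan every regular file under root; yields (path, finding).
    Files above max_bytes are skipped; binary content is read loosely."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for finding in scan_text(text):
                yield path, finding


# Constructed sample export (not real people or accounts). Row 2 has an
# impossible SSN area and a card that fails Luhn; the last row's 13-digit
# order number also fails Luhn. Four values should be reported.
SAMPLE_EXPORT = """\
id,name,ssn,card,phone
1,Ada Example,123-45-6789,4111 1111 1111 1111,555-0100
2,Bob Example,000-12-3456,4111-1111-1111-1112,555-0101
3,Cy Example,456-78-9012,5500 0000 0000 0004,555-0102
order,1234567890123,ok
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, (line_no, kind, masked) in scan_tree(sys.argv[1]):
            print(f"{path}:{line_no}: {kind} {masked}")
    else:
        for line_no, kind, masked in scan_text(SAMPLE_EXPORT):
            print(f"line {line_no}: {kind} {masked}")
```

Run it with a directory argument to scan a tree, or with no argument to see it pick the four real-looking values out of the sample and ignore the decoys. The regular expressions are deliberately loose; the Luhn and SSN rules are what make the output usable, and a 13-digit order number or a phone number will not appear in the report.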

What other ideas do you have for solving this problem of a Privacy Meltdown? Send in a comment by clicking below.

By working together and helping each other, we all become stronger.


[1] According to the Privacy Rights ClearingHouse (http://www.privacyrights.org/index.htm)

Posted in Information Protection | Comments (2)

Mac OSX Security Explained (by someone else)

As I work on more in-depth articles to share, I come across some great posts by others. I’ve decided to share some along the way.

As I have mentioned in the podcast, I switched our company to the Mac platform about 18 months ago. Despite being a security professional, my switch was driven by multiple factors (design, look, applications, built on BSD, etc.) including the pricing and anticipated lifetime. Based on my calculations, switching to the Mac cost me about the same as if I had stayed with Toshiba.

As an aside: Over the last year, my Toshiba has had to have nearly every component replaced; after dealing with the steadily declining Toshiba Customer Service (if they can honestly call it customer-focused or service), I still have and maintain a Windows working environment - but look forward to moving to the Mactels and dual booting (well, probably triple, since I’m interested in going with Ubuntu for a third OS).

So - those of you already using Mac and the rest of you who should seriously be considering a switch, I came across this article explaining the security features that come as part of OSX. It’s a good read and while focused on encouraging others to switch, has value for those who already did.

Key Mac OS X Security Features

http://switchtoamac.com/site/key-mac-os-x-security-features.html

Enjoy - and let me know when you switch.

PS: I’ll make the switch to Mactel Macbook Pro once Verizon makes an express card sized EVDO card (or I can find another EVDO solution for traveling).

Update (7.20 - 16:20p): I also wanted to mention (when I was gently nudged by a friend) that my Powerbook met with an untimely issue; seems that when I upgraded from 10.3 to 10.4 it caused a known issue (or well-reported) with the lower memory slot, causing it to short out. Don’t bother asking me how/why, since I have no clue. Anyway, the laptop was still under warranty and was covered by both AppleCare and ProCare (or whatever it’s called).

The team at the local Apple Store was great, but it still took 4 weeks before my PowerBook was returned. 4 weeks! As a business, we cannot afford to be down a laptop for that long, so if Apple is going to continue to build on their market share in the business environment, they are going to have to improve. At the time, I wasn’t too happy with the process.

However, we figure we’ve spent 100 hours on tech support with Toshiba (combined) and needed about 7 visits until the laptop was fixed. In that time, it was unusable for about 7 months. By comparison, I was without the Mac for about 4 weeks, but only had to deal with one person… one time.

Posted in Information Protection | Comments

Security Resources Summary/Reminder

We have started to organize the resources more efficiently so that you can come here and point your friends and family here if they need help.

You can find our current list of resources here: http://www.securitycatalyst.com/resources/

We currently have resources for protecting your home computers (Windows and Mac OSX), resources for protecting your children and a guide on protecting your identity.

What else would you like to see?

Posted in Information Protection | Comments

Security Catalyst 33 - Insider Interviews - The FBI Innocent Images Program

As a father, I know that protecting my children and keeping them safe as they grow and develop is important. In today’s world, that extends to the way that we and our children use the Internet, as well as teaching them about the predators that lurk in the shadows.

On this important episode of the Security Catalyst, we are joined by FBI Special Agent David Fallon and Police Officer Jonathan Lester - part of the FBI Innocent Images program. In addition to educating us about their efforts, they share simple tips and strategies that we should all be following to protect our children, as well as ways that we can get involved to help (without harming their efforts).

Here is the listing of resources mentioned on the podcast. I will continue to update and expand this page (especially with your help and suggestions): http://www.securitycatalyst.com/protect-children/

Based on this interview, I have started researching and looking for some additional interviews to provide us with some insights on how to coach our children through this important process, the steps we need to take to protect our children and ourselves, and the ways we can get involved. If you want to contribute, please send me an email.

Please consider sharing this program with others (tell them to check out http://www.securitycatalyst.com/2006/07/18/sc33/) and use the buttons on your right to subscribe so you don’t miss any future content.

 
SC33 [39:23m]

Posted in Information Protection | Comments

The Security Catalyst Community

After some careful review and deliberation, I am going to drop using Invision Power Boards. Instead, I’m planning to develop the “new and improved” Catalyst Community using Drupal.

If you have experience using Drupal and want to help, even in the design, please send me an email to securitycatalyst@gmail.com.

I’m hoping to start the design in July and unveil the new community by September (maybe sooner). And we’ll have another benefit being launched in September, too - stay tuned for more details.

Posted in Information Protection | Comments

Podcasting Update - what’s next, looking ahead, a chance to help

I know it’s been a bit since the last podcast was released. The irony of it for me is that I am still recording them and have actually started to settle into a more predictable plan of programming and production. The rub, for me, has been finding time for the production.

In my business, I have a simple rule: paying clients come first. It’s been an excellent summer for us, as Effective Assurance in IT Operations has been a success and we’re about to launch the security coaching practice this week. Both are things that I will tell you about in more detail in the coming weeks (and make some special offers designed to save you some money and allow us to work together).

The end result is a pile of audio that I need to work through. Here is what I am planning for the next 2 weeks:

1. I am editing and releasing my interview with the FBI about their “Innocent Images” effort to protect our children ASAP. I’m targeting a release early this week - along with some valuable links and insights designed to help you protect your children (and be more aware of the dangers that lurk in the shadows of the Internet).

2. Because we have been doing a lot of research on the FFIEC authentication mandate (and presented a “state of the mandate” teleseminar last week), I feel compelled to comment on the recent 2-factor authentication phishing scheme. It’ll be one of my first “special report” podcasts, but may actually take on more of a “deep dive” feel.

** Here is your chance to help! I’m looking for a volunteer who wants to help me write the program for the

3. I am working on some supplemental information about how to protect your children on online sites, as well as interviewing some other vendors to bring you some valuable information. Consider it a follow-up to the FBI interviews with some detailed information on the steps you *should* take immediately.

Lastly, we’re recording the July Security Round Table tomorrow evening - so more insights and fun should be in store for us all shortly.

Thanks for your messages and support. We’re only just getting started!

Posted in Information Protection | Comments (1)

Security as a stress reducer (part II)

I have received an interesting comment about last week’s blog on security reducing stress instead of causing it. Here’s the gist of it: “How can I be doing my job as a security professional if I just give users what they want in order to relieve their stress? Aren’t I just placating them at the expense of good security?” The answer is no. Security still needs to provide the boundaries to ensure a level of safety for the organization. Without those boundaries, there is increased stress for users, IT managers, and security. Giving in never reduces stress.

Policies, standards, and procedures established by security with input from the users form those boundaries. From the comment by oilpanic, “I really feel that IT security people and the end-users should combine forces, and most of all, the security professional should educate the users to understand why they need to have a policy. This way users feel they are a part of the security process which is #1 in order to get them to comply and feel no stress when they have to follow a policy.” I agree.

Michael (the bald security guy running this place) challenged me to give ways to decrease negative stress and increase collaboration with users while ensuring the right balance of security. Below are some ways to reduce stress and improve collaboration with users. In addition, you should read How to Win Friends and Influence People by Dale Carnegie for more ideas.

    1. Respond quickly. Return phone calls and emails as soon as possible. Even if you don’t have an answer right away, at least let them know you received the message. This is critical in gaining the trust of users and colleagues. When you are quick with a response, users are more likely to engage you and look for your counsel. This is an easy, quick win that doesn’t take much time and adds tremendous value.
    2. Develop relationships with your customers / colleagues. Your users won’t trust you if you haven’t taken the time to get to know them. This happens through face-to-face communication, where you can empathize with their frustrations and they can empathize with yours. To do this you really need to listen and understand. So many of us are running full-tilt that we forget to step back and truly listen. In order to listen, we need to be present. As you take this approach, you should be able to clearly explain back to your clients/users their wants, needs, and goals. You may find that this becomes more of a dialogue, as they are not entirely sure of their wants, needs and goals, and you will be there to guide them, joining forces.
    3. Be positive. Using FUD (fear, uncertainty & doubt) only goes so far and tends to provide negative stress. If you are negative in meetings, you won’t be invited in the future. It is possible to seriously state issues while remaining positive. A positive, helpful attitude will keep your customers coming back. “Attitude is a little thing that makes a big difference.” ~Winston Churchill
    4. Use the Golden Rule. “Do to others as you would want them to do to you.” Also the corollary, “Don’t do to others what you don’t want done to you.” Treat others like you want to be treated. Show respect. It’s a small world and we all need to get along. Do your part to help. Remember that small things can make big differences.
    5. Lead by Example. Don’t make your users live by rules that you don’t follow. The policies must apply to everyone from the CEO on down. That includes IT and security. (We are often the worst violators.) Explain to users the why of the rules and how they apply to everyone. It’s for everyone’s safety. As we like to put it at my company, “It keeps you off of the suspect list.”

While these seem like common sense, they are not necessarily common practices within security. Jesper Johansson echoes this in his recent article Security Watch: Help Wanted — Need “People” People (http://go.microsoft.com/?linkid=5049693). I’ll conclude with a quote from that article, “The real solution, therefore, is that we—the people who design, write, implement, and manage software—have to learn how to deal with people. That is the only way we will be able to help people defend themselves. Defending themselves is the only way people can be safe.” The techniques outlined above will help you become a better people person, reducing negative stress for yourself and your users. Try them and see for yourself.

Posted in Information Protection | Comments

Being a good brake - Security as a stress reducer

You’ve probably heard the analogy that security is like having brakes on an automobile. Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow, be afraid of changing directions, and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

The security team should be a stress reducer, not an inducer. Stress (in the negative connotation) comes when we feel out of control. Shouldn’t it be security’s job to introduce control and offer solutions for reducing risks and thereby reducing stress?

In recent years, the security group has gotten a bad reputation for being (a) a barrier to business, (b) overhead without a quantifiable ROI, and (c) the hammer when there’s a breach or policy is not followed. In other words, they increased the stress for our organization. They weren’t being “good brakes.” This caused the organization to try to bypass security to get things done. (Don’t you try to avoid those things that cause you negative stress?)
Instead, we, the people in security, need to be stress reducers. We need to be the brakes for our organization. However, there’s one difference: brakes are not normally seen, only felt; the security team needs to be both seen and felt. You do that by implementing proper controls and risk management processes.

Security should collaborate with the business in identifying and assessing the risks and then implementing the proper controls to ensure the risk is appropriately mitigated for the business. (No more security for security’s sake.) This puts the business in control, guided by security, and reduces negative stress for everyone.

Security professionals: Next time you implement a new technology, process or policy, ask yourself, “Am I being a ‘good brake’ or am I really adding negative stress?” You’d be surprised at how much better you will be received if you reduce your customer’s stress. Next week we’ll cover key steps you can take to become a security stress reducer.

By working together and helping each other, we all become stronger.

Posted in Information Protection | Comments (3)