
Archive for December, 2006

Security Catalyst - December 31, 2006 - In-depth with Punch Scan

On this last day of 2006, it seemed fitting to (finally) post the conclusion to the voting security series (it was delayed due to an ear infection and my lack of desire to finalize the recording). Now, from sunny Key West, I wanted to make sure we ended the year strong.

No end of year reflections, but in looking at the lessons learned, I realized that voting security and security in general have a lot more in common than we may realize at first glance. The good news, then, is that in 2007 we can continue to improve the way we practice security… and we may also be able to help improve the way our electronic voting systems work.

When listening to this interview, it may make sense to check out some of the diagrams and pictures from the Punch Scan website: www.punchscan.org

I really am impressed not only by the solution Punch Scan proposes, but by the energy and dedication of the Punch Scan team. I hope this solution is tested in 2007 and starts to gain more momentum. I plan to keep in touch with Punch Scan and support them as they continue to move forward.

I’m going to ring in the New Year wearing shorts and hanging out on the docks… and then I’ll be using some of the time here to think about and plan for the upcoming year. Expect more programming and more features designed to help you improve the way you explain and practice security in 2007. And expect to see the launch of the catalyst community (to support your efforts) as well as some additional programming, features and a book!

Yup, 2007 promises to be an exciting year for us all!

Thanks for your continued support, ideas, suggestions and passion. Especially your passion.

 
SC 12-31-2006 [52:40m]

Posted in Information Protection

Recharging in Key West, Florida

Greetings, fellow Catalysts!

Just a quick post to thank you for your outstanding support, ideas, questions and comments that have helped grow this site and our efforts in 2006.

As I loaded up our RV and headed down I-95 South to Key West, I had three days of windshield time to think and plan for 2007. I’m now going to enjoy festivities around the New Year taking place in and around Key West, Florida. Our RV location is literally on the ocean and I plan to enjoy some excellent weather, sunrises and sunsets… and use the time to reflect and recharge. We’ll have one or two posts during that time, and I have one podcast left to post before the year is over. Beyond that, I expect things to be a bit slow until the middle of January.

I have some exciting programming for the podcast in 2007, especially the (Teach Your) Family Security Series which will launch in January when I get back. The goal will be to take a few weeks and literally walk our families, colleagues, co-workers, friends and neighbors through a step-by-step approach to securing their new (and not-so-new) computers. Since all our work is released under Creative Commons, you can even use this to jump-start your awareness programs where you work. I’ll cover all this in more detail around the middle of January… (I get back to NY around January 10th).

We’re also readying the Catalyst Community and a few other offerings that we hope to release in 2007.

Lastly, I have a book that is tentatively scheduled to come out in the Spring of 2007. More details on everything to follow.

Thanks for a great 2006. I hope you have a safe, happy and relaxing holiday season as we all gear up for an exciting 2007. Change is upon us, and as catalysts, it’s ours to lead!

Happy New Year!

Posted in Information Protection

Please… No More Top Ten Lists!

By Adam Dodge

‘Tis that time of year when Top Ten lists abound to remind us of what we lived through only a few short months ago. Luckily, The Security Catalyst writers are above such seasonal sensationalism… or am I?

I am currently working to compile a “Year in Review” of sorts on all of the reported security incidents that occurred in 2006 at institutions of higher education. This report will be based on my research of such news reports, collected at Educational Security Incidents (ESI), and will hopefully be posted by mid-January. (Note: I admit this is a shameless plug, but you do not have to care about ESI. I promise I will not be offended.) As I review the past year’s incidents, I have noticed that a few of them stand out for one reason or another.

Mulling over these anomalies, I have come to the conclusion that these incidents hold some significance that sets them apart from the other incidents. Some of them jump out because of the number of individuals affected, others because of the type of incident that occurred. Still more jump out because they result from circumstances that really should never have occurred. Without further ado, I bring you:

Adam’s Top Ten Most Significant Educational Security Incidents of 2006

(in chronological order)

  1. Metropolitan State College - March 3, 2006: A laptop containing 93,000 student records is stolen from an employee’s car. Why were so many records on the laptop? The employee was using them as part of their master’s degree research. This is one of those incidents that probably should never have occurred.
  2. Georgetown University - March 6, 2006: The US Secret Service is called in to investigate the exposure of 41,000 records belonging to an Office of the Aging grant project at Georgetown. This incident emphasizes the fact that there is more than just student or staff information at colleges and universities that we need to protect.
  3. Ohio University - May 6, 2006: Two different breaches expose upwards of 300,000 records. This incident is important since it was one of the first large-scale incidents to gain media attention.
  4. California State University, Stanislaus - May 26, 2006: Google’s cache indexes and makes available student information that was accidentally put up on Stanislaus’s web site for a short period in October 2005. This incident is a great example of the difficulty of controlling information once a leak has occurred.
  5. University of Kentucky - June 22, 2006: A USB jump drive containing 18 years’ worth of student data (including grades, names and SSNs) is stolen after a professor left the drive in a classroom. This type of incident will only become more and more common unless controls and policies are implemented prohibiting the use of such devices to store personal and/or sensitive information.
  6. Berry College - September 20, 2006: A contractor “misplaces” over 2,000 financial aid records at a local airport. This is an excellent example of why it is important for colleges and universities to make sure that contracted third parties take the protection of client information seriously and have safeguards in place to prevent this type of incident.
  7. Sacred Heart University - September 27, 2006: Stacy Koblinski is notified that her information was exposed during a recent security breach even though Ms. Koblinski is not a Sacred Heart student. With the increased sharing of student information and the collection of non-student information, the effects of security incidents can be felt far outside the campus community.
  8. St. Norbert College - October 28, 2006: St. Norbert College notifies the campus community about a failed breach attempt and urges anyone who notices unusual activity to alert the college. This incident is an amazing example of exactly what every educational institution should strive to do. Kudos to the staff at St. Norbert College!
  9. Nassau Community College - December 5, 2006: A printout of all 21,000 student records is stolen off the desk of an employee. This incident is a perfect example of how security incidents involve information and not technology.
  10. University of California, Los Angeles - December 12, 2006: A database breach exposes 800,000 records. The sheer number of records exposed in this incident automatically gives it a spot on this list.

Posted in Information Protection

Security Friday Fast Fact: How does SSL protect me?

By Cutaway (Trusted Catalyst and host of Security Ripcord)

How does Secure Sockets Layer (SSL) protect me?  Well, unless you understand network traffic, encryption, and web applications, you probably do not know the answer to this question.  Fortunately, if you are reading this you probably do understand how SSL works as well as the benefits and problems in its design.  If you do understand, I want you to do something when you finish reading this article.  Stand up, step outside your office or cubicle so that you can see other people, and ask yourself if those people understand how SSL is designed to protect them.  Notice anybody who does not?

Here is where the Trusted Catalysts challenge you.  We would like you to walk over to a person, or better yet, get a group of people together and have a group discussion about this technology.  To facilitate this conversation here are a few points to help you:

•    Keep the conversation simple; avoid getting too technical, and do not talk down to anybody who does not understand.  They will when you are done, so be patient.  If you are in a group let others interject with their experiences and anecdotes.  Group discussions are always better learning environments.
•    Describe how SSL sets up a secret key known only to their browser and the computer at the other end of the connection.  Although the traffic flows through many other computers and devices on the Internet, the only thing those devices see is a bunch of numbers, letters, and characters that do not make sense.  Show them how to look for the “https” portion of the URL within the browser’s address bar.
•    Explain that although the communication is protected the data stored on the other system might not be given the same consideration.  Suggest that they only provide information to sites that they specifically trust (double check those URLs).  Also, emphasize that if they are prompted to permit the storage of their personal or credit card information they should NOT allow it.
•    Talk about sites whose certificates produce an error window that requires end user interaction to continue.  That warning means the browser could not confirm that the certificate belongs to the site named in the address bar, so the encryption may be protecting a conversation with the wrong party.  Let them know that they must read the message to determine whether they would like to continue with the transaction.  A good example site for demonstration purposes is the Center for Internet Security.  When you navigate to https://www.cisecurity.org the error window pops up because they are using a certificate that has been validated for the SANS.org domain.  Not a problem here if you already know why, but it IS a problem if you are unfamiliar with the site, and the safe default is to stop rather than click through.
•    A good way to finish the conversation is to cover what to do if a person feels uneasy about a transaction.  Talk about how these people should immediately contact their bank or credit card company and explain the situation.  These companies usually have very helpful departments dedicated to protecting accounts from fraud and monitoring them for strange or unauthorized behavior.
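The two checks behind the conversation above, shown as an added example that is not part of Cutaway’s post: the name-matching rule a browser applies to a server certificate before it shows the warning window, and the client-side settings that make a program perform the same verification instead of silently trusting whoever answers. The certificate names, the hostnames and the helper names are constructed for the illustration; the scenario of a sans.org certificate presented by www.cisecurity.org is taken from the post but the certificate contents are assumed.

```python
import ssl

# Names as a browser reads them from the server certificate's Subject
# Alternative Name extension. Constructed for this example to mirror the
# post's scenario: a certificate issued to sans.org, presented by
# www.cisecurity.org (assumed contents, not a real certificate dump).
SAMPLE_CERT_NAMES = ["sans.org", "www.sans.org"]


def hostname_matches(cert_names, requested_host):
    """Return True if any certificate name covers the host in the URL.

    These are the rules a browser applies before deciding whether to show
    the certificate warning:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is accepted only as the entire left-most label;
      * a wildcard matches exactly one label, so *.example.org covers
        api.example.org but neither example.org nor deep.api.example.org.
    """
    host_labels = requested_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        # Reject partial wildcards (ex*.example.org) and wildcards anywhere
        # other than the first label (www.*.org).
        if any("*" in lab for lab in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
            continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def browser_verdict(cert_names, requested_host):
    """Summarise what the user sees: no warning, or the reason for one."""
    if hostname_matches(cert_names, requested_host):
        return "ok"
    return f"warning: certificate is for {', '.join(cert_names)}, not {requested_host}"


def make_client_context():
    """A client context that does both checks the conversation describes:
    the certificate must chain to a trusted CA (verify_mode) and its name
    must match the host in the URL (check_hostname). create_default_context()
    already sets both; they are repeated here so the intent is visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context_example():
    """The anti-pattern, for contrast: traffic is still encrypted, but with
    no identity check the secret key may be shared with whoever answered,
    including someone in the middle. Do not use this outside a demo."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """The check to run on any context before handing it to a client:
    True only if both the chain and the hostname will be verified."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print(browser_verdict(SAMPLE_CERT_NAMES, "www.sans.org"))
    print(browser_verdict(SAMPLE_CERT_NAMES, "www.cisecurity.org"))
    print("default context verifying:", context_is_verifying(make_client_context()))
    print("insecure context verifying:", context_is_verifying(insecure_context_example()))
```

The wildcard handling is where most hand-written matchers go wrong; a pattern that let `*` span several labels would accept a certificate for `*.example.org` on `evil.api.example.org` and defeat the very identity check the warning window exists to enforce.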

Now, don’t you feel better about yourself?  You have become a catalyst within your environment.

Go forth and do good things,
Cutaway

Posted in Information Protection

The Life of a Security Professional – Ain’t It Grand

In response to Michael Farnum’s ComputerWorld article of 12/5/2006 (http://www.computerworld.com/blogs/node/4115?source=NLT_SIC&nlid=92):

Michael,
You’re showing your grinch side again. 8-)
I too remember watching Wargames as a kid. While I was intrigued, it didn’t cause me to become a computer hacker or a hacker hunter. I was too busy typing in games from books and magazines. (Remember when computer magazines like Byte had the code for games in them? I’d spend all weekend typing it in and then all Sunday night playing it.) It was a great way to learn programming basics (pun intended).
But did you really say after watching Wargames, “I want to be a computer hacker or chase them?” I doubt it. Back then, we had no idea what computer security really was. We just knew that computers could do some cool stuff and we wanted to continue playing with them as a career.

Today, we have kids coming out of college knowing they want to work in security. We need those kids. You said it yourself:
The security profession does need passionate professionals who want to do the job well, no matter the grind. The security profession does need fresh blood who want to do the job because the job needs doing, no matter how many policies and procedures need to be written. The security profession does need individuals who will deal with that C-level manager who can’t figure out that security is job one.

We need to let them know that security is grand for exactly the reasons you say it’s a pain in your second paragraph. Look at the variety we experience on a daily basis: One minute we’re an extreme techie fixing a firewall, next we’re a psychologist trying to determine the intent of an incident and a few minutes later, we’re a salesman explaining why our organization needs security.

Few others in IT get to cross silos like those in security. Our position is like the safety on the football team. We go where we’re needed. We need expertise in a variety of technical architectures, while maintaining soft skills to work with management and the business. I rarely do the same thing day after day. For me, this is what makes security great. Our vast knowledge base and experience also positions us for bigger and greater things.

Yeah, it’s a lot of work and has its hassles. It’s the same way with most jobs. Even those who hack or investigate hackers for a living experience the downside: it can be tedious and boring scouring log files and waiting for scans to complete. Then you have those who deny what you’ve found, despite the proof. It’s not really different in the security glory jobs. (BTW, please comment if you have one of those security glory jobs where you’re on a security “red team” or social engineer ethically on a daily basis. I’d like to hear your thoughts.)

It takes time and experience to become a complete security professional who can tackle all of its complexities. It’s not something you can learn in college. And yes Michael, it does take work. Those of us who have been doing this for a while need to step out and mentor a newcomer. Show them the ropes and that our hard work is also our passion. Confucius says, “Choose a job that you love and you will never have to work a day in your life.”

By working together, we all become stronger.

Posted in Information Protection

Stop Thinking Hacker, Start Thinking Insider

By Adam Dodge

For this post, let’s ignore my thoughts (read: strong bias) that information security is about reducing the overall risk to information within an organization to acceptable levels (read: NOT about technology). Okay, perhaps that was a bit more like “announcing” my thoughts then “ignoring” them, but let’s just move along.

In The Daily Incite - November 29, 2006, Mike Rothman mentions this question posted on Dr. Anton Chuvakin’s Personal Blog: “So, what do you think security is about: Fighting nefarious hackers or protecting information.” As you can tell from the opening paragraph, I personally lean toward Chuvakin’s option B.

However, many people that I talk to, both security professionals and non-security professionals, agree with Chuvakin’s option A. There are many valid reasons for holding this view. For example, unprotected computers tend to last mere minutes on the Internet before compromise, and news reports are often filled with stories of nefarious hackers causing untold amounts of damage. Even the 2005 E-Crime Watch Survey seems to back up the choice of option A.

According to the survey findings, only 20% of attacks came from insiders while 80% came from external hackers. Normally, a discrepancy this large doesn’t require additional discussion. After all, a 4-to-1 ratio is simple enough to understand. However, looking at what attacks insiders launch versus what attacks hackers use against organizations, reveals a different picture altogether.

Here are a few of the types of crimes that insiders were more likely to commit than external hackers:

  • Rogue Wireless Access Point (72%)
  • Theft of Intellectual Property (64%)
  • Exposure of Private or Sensitive Data (56%)
  • Theft of Other (proprietary) Information (55%)

In addition, insiders were almost as likely as external hackers to commit Unauthorized Access to Information, Systems or Networks (54%).

Compare this with the crimes external hackers were most likely to commit:

  • Phishing (92%)
  • Web Site Defacement (92%)
  • Spyware (89%)
  • Illegal Generation of Spam E-mail (89%)

[This information can be found on page 19 of the 2005 E-Crime Watch Survey’s Summary of Findings]

The sample size for this survey, around 550 organizations, is too small to draw specifics from, but a few generalities become apparent when looking at the information above. Hacker attacks, according to these findings, seem to be aimed at computer users (with spam, phishing, spyware, etc.) and technical infrastructure (web site defacement). Insider attacks center almost exclusively on an organization’s information, through theft, exposure and unauthorized access.

The problem with Dr. Chuvakin’s option A, then, is that it ignores the threats to organizational information posed by the very individuals who have authorized, unfettered access to the information they are attacking. This authorized access to much of the organization’s information is exactly why malicious insiders are so dangerous. Unlike external hackers, insiders do not have to spend countless hours footprinting an organization looking for open ports that might lead to a way in; they simply need to enter their own password. Insiders also do not need to delve through computer after computer hoping to find something valuable; they already know where a good bit of the critical or sensitive information is stored.

Insiders do not even need to be disgruntled or have ulterior motives. Valid access to vital information means that even simple mistakes by insiders can have serious impacts on an organization’s information assets. For example, here are just some of the accidental employee mistakes that can end up costing an organization: missing a decimal point in a spreadsheet, storing critical files locally with no backup, or misplacing a laptop or PDA holding critical and/or sensitive data.

None of this should be taken to mean that organizations should no longer worry about external hackers. Quite the contrary, external threats remain as valid as they ever have with computer systems. Instead, organizations need to understand that there are many threats to information coming from inside the organization. Insider threats can no longer be ignored simply because there is also an external threat.

Here are a few things organizations can begin to do to help protect against insider threats to information:
1. User training helps organizations teach employees how to properly handle information assets. (See Joe Knape’s “What We Have Here… Is A Failure To Communicate” post on starting an effective user awareness training program.)
2. Internal control programs help organizations create organizational policies and procedures dealing with approved ways to access, store, archive, and disseminate information.
3. Annual information audits help organizations identify where current employee behavior differs from established policy and procedures, exposing information to risk.
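One concrete form of the audit in item 3, as an added example that is not part of Adam’s post: a script that replays an application’s record-access log against the written handling policy from item 2 and reports where authorized users’ behaviour diverged from it. Nothing is broken into here; every finding is an account using access it legitimately holds. The policy, the roles, the daily limits, the log format and the log lines are all constructed for the illustration and match no real system.

```python
import re
from collections import Counter

# Hypothetical handling policy, as an internal-control program might record
# it: which record categories each role may read, and a per-day read ceiling
# above which activity looks like an export rather than day-to-day use.
# Roles, categories and numbers are assumptions for this example.
POLICY = {
    "registrar":     {"categories": {"student", "grades"},        "daily_read_limit": 200},
    "financial_aid": {"categories": {"student", "financial_aid"}, "daily_read_limit": 200},
    "professor":     {"categories": {"grades"},                   "daily_read_limit": 50},
}

# Constructed access log (not from any real application). The first user
# behaves; the second reads categories outside the professor role; the
# third, an authorized financial-aid clerk, pulls 250 student records in
# one evening, the kind of bulk read that precedes a lost laptop or USB drive.
SAMPLE_LOG = """\
2006-12-05T09:12:03 user=amartin role=registrar action=read record=student/10021
2006-12-05T09:12:09 user=amartin role=registrar action=read record=grades/10021
2006-12-05T10:40:51 user=bchen role=professor action=read record=grades/10450
2006-12-05T10:41:02 user=bchen role=professor action=read record=financial_aid/10450
2006-12-05T11:05:17 user=bchen role=professor action=read record=student/10450
""" + "".join(
    f"2006-12-05T22:{i // 60:02d}:{i % 60:02d} user=dlee role=financial_aid "
    f"action=read record=student/{20000 + i}\n"
    for i in range(250)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"record=(?P<category>[^/\s]+)/(?P<id>\S+)$"
)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(events, policy=POLICY):
    """Return findings where observed behaviour differs from the policy.

    Two checks, both on accounts that logged in with their own password:
      1. scope:  a role reading a record category it is not entitled to;
      2. volume: a user whose reads in one day exceed the role's ceiling.
    Each finding is (kind, user, detail, when).
    """
    findings = []
    reads_per_user_day = Counter()
    for ev in events:
        if ev["action"] != "read":
            continue
        role_policy = policy.get(ev["role"])
        if role_policy is None:
            findings.append(("unknown_role", ev["user"], ev["role"], ev["ts"]))
            continue
        if ev["category"] not in role_policy["categories"]:
            findings.append(("out_of_scope", ev["user"],
                             f'{ev["category"]}/{ev["id"]}', ev["ts"]))
        reads_per_user_day[(ev["user"], ev["role"], ev["ts"][:10])] += 1
    for (user, role, day), n in reads_per_user_day.items():
        limit = policy[role]["daily_read_limit"]
        if n > limit:
            findings.append(("bulk_read", user,
                             f"{n} reads on {day} (limit {limit})", day))
    return findings


def audit_sample():
    """Run the audit over the constructed log."""
    return audit(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

The volume check matters as much as the scope check: the printout at Nassau and the USB drive at Kentucky were both produced by people entitled to read every record they took, and an audit that only asks “was this allowed?” would have seen nothing.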

Posted in Information Protection

Security Friday Fast Fact: Busting the VPN-Security Myth

By David Stern

The Federal Reserve building in NYC is a fortress, literally. There are layers of physical security mechanisms inside and out to keep people away from where they are not supposed to be. If you ever go to a meeting there, you will find that you cannot wander far before hitting a nicely ornamented gate and a security guard. It is no surprise that the pizza guy cannot just waltz in the back door. In most companies, however, the proverbial “pizza guy” is given a badge and let in through the VPN. A security professional will tell you that a VPN is a remote access technology that has as much to do with security as your 28.8K modem: it allows remote systems to connect into the network from anywhere on the Internet, and in most cases the only access prerequisites are a username and password. The same rules apply to a VPN as to any other remote connection. VPN access devices must be treated as semi-trusted and placed in a DMZ, and their traffic and their logs must be monitored for dangerous activity. Modern VPN devices have security features such as proxying, access lists and IDS built in, but to meet segregation-of-duties requirements the LAN team should not be the ones controlling them. As with any other technology, a VPN can be made secure, but it is not a security device.
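An added example (not David’s, and part of no product) of the log monitoring the fact calls for: two detections over a VPN concentrator’s authentication log that target exactly the weakness of a username-and-password gate. The first flags an account whose successful login followed a burst of failures from the same address (a guessed password); the second flags a user holding open sessions from two addresses at once (a shared or stolen credential). The log format is an assumption matching no particular vendor, and the log lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN concentrator authentication log. The syslog-like layout is
# assumed for this example; real concentrators each have their own format.
SAMPLE_VPN_LOG = """\
2006-12-08T07:58:12 vpn1 auth user=jsmith src=203.0.113.10 result=success session=1001
2006-12-08T08:02:31 vpn1 auth user=jsmith src=203.0.113.10 result=logout session=1001
2006-12-08T08:10:01 vpn1 auth user=rpatel src=198.51.100.7 result=fail
2006-12-08T08:10:05 vpn1 auth user=rpatel src=198.51.100.7 result=fail
2006-12-08T08:10:09 vpn1 auth user=rpatel src=198.51.100.7 result=fail
2006-12-08T08:10:14 vpn1 auth user=rpatel src=198.51.100.7 result=fail
2006-12-08T08:10:18 vpn1 auth user=rpatel src=198.51.100.7 result=fail
2006-12-08T08:10:23 vpn1 auth user=rpatel src=198.51.100.7 result=success session=1002
2006-12-08T09:00:00 vpn1 auth user=mgarcia src=192.0.2.44 result=success session=1003
2006-12-08T09:15:42 vpn1 auth user=mgarcia src=203.0.113.99 result=success session=1004
2006-12-08T17:30:00 vpn1 auth user=mgarcia src=192.0.2.44 result=logout session=1003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)(?: session=(?P<session>\S+))?$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts with a datetime timestamp; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a success is preceded by >= threshold failures for the same
    (user, source) inside `window`. Returns (user, src, failures, when)."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            failures[key].append(ev["ts"])
        elif ev["result"] == "success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["user"], ev["src"], len(recent), ev["ts"].isoformat()))
            failures[key].clear()
    return alerts


def detect_concurrent_sources(events):
    """Alert when a user holds open sessions from more than one source address
    at the same time. Returns (user, sorted sources, when)."""
    open_sessions = defaultdict(dict)   # user -> {session id: source address}
    alerts = []
    for ev in events:
        user, session = ev["user"], ev["session"]
        if ev["result"] == "success" and session:
            open_sessions[user][session] = ev["src"]
            sources = set(open_sessions[user].values())
            if len(sources) > 1:
                alerts.append((user, sorted(sources), ev["ts"].isoformat()))
        elif ev["result"] == "logout" and session:
            open_sessions[user].pop(session, None)
    return alerts


if __name__ == "__main__":
    events = parse_vpn_log(SAMPLE_VPN_LOG)
    print("password guessing:", detect_password_guessing(events))
    print("concurrent sources:", detect_concurrent_sources(events))
```

Both detections fire on events the concentrator itself considers normal (a successful login is a successful login), which is the point: the device admitted the “pizza guy” with a valid badge, and only someone reading its logs from outside the LAN team’s control will notice.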

This FFF is part of a new (hopefully) weekly series where the different contributors and guests will be sharing quick Friday Fast Facts - specifically so YOU CAN TAKE THEM AND USE THEM AT WORK. Include these in newsletters, quick email updates or even status reports. Please cite the author (David Stern) and the Security Catalyst Community (www.securitycatalyst.com) when you spread the word.

Posted in Information Protection

Next Podcast is coming… and are you ready for the (Teach Your) Family Security Series?

I recorded a solid interview with Aleks of the Punch Scan team - going into more depth and discussing some technical details this week… and then came down with the flu. I got my voice back today, but am heading out for a weekend trip. I’ll do my best to get the podcast posted this weekend. Might have to wait until Monday….

Next week I’ll announce the details of the (Teach Your) Family Security Series. Eight weeks of computer security basics — what you already are, or should be, teaching your family. Well, we’ll break it down for you in a way that you can give the podcast to them, or listen yourself and get some insights on how to walk family and friends through the process.

I’ve enjoyed the voting security series, and we’ll be finishing it up strong this week… and then launch into 8 weeks of focusing on family and basics.

- Michael

Posted in Information Protection

New Feature: Friday Fast Fact

David Stern, a regular contributor to the Catalyst, recently shared with me a practice he started using at work: a “five minute” fact explaining a popular security concept for the management team. This morning he noted that it was working and helping to get some attention… and then the light bulb went off!

We’re going to start trying to introduce a new “Friday Fast Fact” each and every Friday. Given that we’re trying to launch this in December amidst a lot of other activities and changes, it may take us a few weeks to get fully up to speed. But here’s the goal:

  • Each Friday, we will release a new “Friday Fast Fact” - a quick overview of a security concept, topic or product
  • These FFFs are released under our Creative Commons license - which means you can use this work in a non-commercial way (meaning you don’t get paid additional for our efforts, but you can certainly use them where you work to help raise awareness); all work must be attributed to the FFF author and a link provided to the Security Catalyst website.
  • Different authors will present their FFFs so we have a range of ideas, opinions and topics
  • You can get in the habit of including these in status reports and other events on a regular basis for your team and organization

We’ll be starting tomorrow morning. As always, feedback is appreciated. If you have an FFF inside you that needs to be shared, send me a note: securitycatalyst@gmail.com

Posted in Information Protection

It Was the Best of Times, It Was the Worst of Times

By Joe Knape

Larry Seltzer’s article “The New Attack Pattern” states that “things are getting better for the average user over time.” At the same time, several other authors state in a fairly lucid manner that users didn’t feel a whole lot more secure in 2006.

To make matters seemingly worse, according to most would-be fortune tellers, 2007 will see an increase in the number of application based 0-days, attacks on mobile phones will become more common, and incidents of identity theft and data loss will increase.

So which is it? Are we more secure and just don’t know it? Are we not more secure but living in ignorant bliss? Or are we on the edge of a digital precipice?

As Mike Rothman alludes to in his December 13, 2006 post, “Narrow and Targeted in 2007”, the answer is: D, all of the above. Of course, the real crux of the matter is how ‘we’ is defined.

Now, if “we” means the typical user in a typical large company then the answer is…yes — things are getting better from the perspective of the negative impact of “security” incidents such as virus outbreaks, DoS attacks, etc. People, processes, and technologies are all maturing and adapting to confront these issues (it may not be pretty if you’re behind the curtain but that’s another post).

If “we” means the typical user in a typical small business or single-employee company then the answer is…maybe. While the threats to SMBs (small and medium sized businesses) aren’t that much different from those faced by larger enterprises, the people, processes, and technologies are just now being revamped to address the concerns and issues specific to SMBs, and will continue to mature throughout 2007.

Finally, if “we” means the typical home user then the answer is…no, things aren’t getting better; in fact they’re probably going to get worse before they get better. Home users are more and more the target-rich environment of choice for nefarious groups and individuals. The average home user doesn’t have (or isn’t willing or able to allocate) the resources (be it the time, skills, or even the desire) to protect themselves from these new levels of attack.

So what is the bottom line?

The risk may be to our businesses but the threats are not.

The threats we face and need to prepare ourselves to address are not business, or for that matter, technology based. The threats are targeted at users. If you step back, it’s clear that those home users, when it comes right down to it, are the same people that are users in the business environment. They are the employees, the managers, the salespeople, the presidents, and the owners.

Our methods, tools, and techniques have to span boundaries. We have to stop focusing on “this threat”, or “that application”, or “those users”. We have to crawl out of the gopher hole and broaden our vision, not narrow our focus.

As we wrap up another year of learning, improving and adapting, here are three things to think about for 2007, to help combat the growing and shifting nature of our threats:

1.    If you could tell every one of your peers, coworkers, bosses, etc. one thing that you believe would make them smarter users, and therefore more secure online citizens, what would it be?
2.    If you could make the security technology industry aware of one opportunity that you think they are missing the boat on, what would it be?
3.    Are you telling them? If not, why not?

Posted in Information Protection
