
Archive for May, 2008

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer-to-peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call  206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com


PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit, and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable, shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

Podcast: Security Catalyst Show | Pop Culture Security

Posted in Information Protection, Security Awareness Training, compliance, netcast

Moving to Better Security

By Michael Starks

Anyone who has moved across the country, or even across town, knows how much work it can be. Everything has to be packed, utilities have to be transitioned and friends need to be bribed with pizza. But what happens when things don’t go exactly as planned?

It was 9:30 PM. We had been working non-stop for the past two days. We had to face the facts. We had too much stuff. It wasn’t all going to fit. We had run out of room on the truck.

Looking around, we still had living room furniture, a 19” TV, work benches and various other items. Although we were exhausted, stressed and hungry, we had to make some choices. Enter Incident Response mode.

My wife, mother and daughter were scheduled to fly out the next day. We had this plan, see, and everything was supposed to have been packed by now. The ladies would fly out on Wednesday, and my father and I would start the 1,500 mile drive to our new home.

Barely able to put two thoughts together, we reasoned that we had the following choices:

1. Change the tickets so they could stay behind and help.
2. Let them fly out as expected and deal with the stuff ourselves.

After a call to the airlines, option number one wasn’t so appealing. Clearly, they wanted to send a message that changing flight times was going to be painful. That message was about $900. OK, Dad and I can handle this. Somehow. Yeah. We’ll get it done! What was that we were trying to decide, again? I could really use some dinner.

The next day, Dad and I loaded the last of what was physically possible in the truck. After pondering one of those miniaturizing ray guns, we decided that the next best thing to do would be to donate the rest to a local charity.

That turned out to not be necessary. We didn’t realize it, but we had one of those neighbors that truly epitomized the word, neighbor. She offered to take everything that was left over. She would donate some, keep some and deal with the rest. She undoubtedly saved us at least an additional day of effort and countless hours on the road trying to make up for lost time. Score one for good Karma.

After four long days, we finally started our journey. And as I drove, I couldn’t help but look back and reflect on the situation. It had so many parallels to information security; specifically disaster recovery, business continuity and incident response.

What could we have done better and how does this relate to security?

1. We didn’t take care of the important stuff first. I would have much preferred to take the couch over the several PC skeletons I will rebuild. Someday. Right. Are you prioritizing the important items in your information security program? What will be left behind when the budget gets reduced?

2. We failed to plan for contingencies. Although we did give a lot away before the move, clearly we underestimated how much we had. We didn’t ask the question, “What is our plan if we run out of room on the truck?” We didn’t ask, “How will a change in plans affect ticket prices?” We did some planning, but it wasn’t enough to cover the risks. Have you considered what will happen if key people are gone? Have you thought about the effects of the firewall being mistakenly configured for “allow all”?

3. We underestimated the impact of physical fatigue. Being physically tired affects our ability to think clearly and make good decisions. We’re human beings and no matter how unaffected we think we’ll be when the going gets tough, there will clearly be some level of detriment. Does your plan take the human factor into account? In a disaster, are you expecting your administrators to work 24, or even 48 hours without sleep? In effect, are you expecting them to be non-human?

4. Finally, we failed to properly estimate the work load. None of us ever have enough time in the day. Does your security program have the people and other resources needed to accomplish your goals? If not, there are two things that you can do: get more resources, or see number one and take care of the important stuff first.

Large changes in life and in security are inevitable. But with proper planning, you’ll be in a better place to deal with them. Now, where was that hammer…

Posted in Information Protection

Heading home from Hershey Park (again)

During [these] periods of relaxation after concentrated intellectual activity, the intuitive mind seems to take over and can produce the sudden clarifying insights which give so much joy and delight.
Fritjof Capra, physicist

Again, I find myself packing the RV to return home. Again, I find myself calm, mentally focused and brimming full of ideas. I am convinced that the body and brain need time away in order to make sense of that which we experience. Seems that every time we are in the RV, I am afforded time to think, consider and analyze. As such, I’ll be sharing some of what I observed this weekend as it relates to how we practice information security and change the way people protect information.

In specific, I’ve been thinking about “compliance awareness” — the stuff most people do today in the name of awareness — and “true awareness” — the situations that shift thinking and lead to a behavior change.

In the meantime, I’ve started to look for some additional voices to share their ideas and insights; to act as catalysts to help us think differently about the way we act.

Today, I introduce to you Michael Starks. Michael is an Information Security Professional specializing in host-based security, IDS, log analysis and compliance. He believes in applying basic security principles to an ever-changing threat landscape, and is currently exploring the various ways in which human behavior affects the success of security programs. He is a founding member of the Rochester, NY chapter of ISSA and has served for both ISSA and OWASP. He currently holds the CISSP, GSNA and A+ certifications. In his spare time, Michael enjoys spending time with his wife and daughter, and listening to early twentieth-century blues.

Hopefully we can convince him to share with us on a regular basis!

Posted in Information Protection, compliance

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL package shipped by Debian contained a flaw in its random number generator: the generator was left with almost no entropy, so the “random” numbers it produced were predictable, and keys and other values generated with it can be guessed. That opens another attack vector against every system that relied on those keys.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?), and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/
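The reason this is “bigger than patching” is that upgrading the library does nothing for keys that were already generated with the broken generator; those have to be found and replaced. The Debian wiki page linked above describes tools for exactly that step. The script below is an added illustration, not code from the original post, from Venafi or from the Debian project: it walks an authorized_keys file, fingerprints each SSH public key the way OpenSSH does (SHA-256 of the decoded key blob) and checks the fingerprint against a blacklist of known-weak keys. The sample authorized_keys content and the key blobs are constructed placeholders, and `WEAK_FINGERPRINTS` is a constructed stand-in for the fingerprint lists that Debian distributed for its blacklisting tools; in a real scan you would load the published list instead.

```python
import base64
import hashlib
import re


def _blob(material: bytes) -> str:
    """Base64-encode placeholder key material (constructed, not a real key)."""
    return base64.b64encode(material).decode("ascii")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed placeholder blobs. The "weak" one plays the role of a key
# generated on a host with the broken generator; it is not real key material.
WEAK_BLOB = _blob(b"placeholder: key generated with the weak generator")
GOOD_BLOB = _blob(b"placeholder: key generated on a patched host")

# Constructed sample input: one authorized_keys file with three entries.
# The same weak key is authorized for two different accounts.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy keys for build01 (constructed example)",
    f"ssh-rsa {WEAK_BLOB} alice@build01",
    f"ssh-rsa {GOOD_BLOB} bob@deploy",
    f'command="/usr/bin/rsync --server" ssh-rsa {WEAK_BLOB} backup@nas',
    "",
])

# Constructed stand-in for a published weak-key fingerprint list (assumption:
# the real list is loaded from a file, one fingerprint per line).
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}

# Key type, base64 blob, optional comment; options such as command="..." may
# precede the key type, so the pattern is searched rather than anchored.
KEY_LINE = re.compile(
    r"(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$"
)


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line; blank lines and comments are skipped."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_LINE.search(line)
        if not match:
            continue  # malformed line; a real scanner would log it
        keys.append({
            "line": lineno,
            "type": match.group(1),
            "blob": match.group(2),
            "comment": match.group(3) or "",
        })
    return keys


def triage(text: str, blacklist: set) -> dict:
    """Split the keys in an authorized_keys file into weak and ok by fingerprint."""
    report = {"weak": [], "ok": []}
    for key in parse_authorized_keys(text):
        fp = fingerprint(key["blob"])
        entry = dict(key, fingerprint=fp)
        bucket = "weak" if fp in blacklist else "ok"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)
    for entry in result["weak"]:
        # Every match is a private key somewhere that must be regenerated,
        # and a public key that must be replaced wherever it was copied.
        print(f"WEAK line {entry['line']}: {entry['fingerprint']} {entry['comment']}")
    for entry in result["ok"]:
        print(f"ok   line {entry['line']}: {entry['fingerprint']} {entry['comment']}")
```

Run on the sample, the weak key is reported twice, once for each account it was authorized for. That is the management problem the program talks about: a single key generated on one vulnerable host ends up copied into many places, and each copy has to be found and replaced, not just the host that generated it. The same loop applies to host keys, known_hosts entries and SSL certificates once you swap in the right parser.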

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

Podcast: Security Catalyst May 21 2008 [33:06m]

Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast

Electronic Medical Records: Friend or Foe?

By Patrick Romero

In 2004, President Bush set a goal that by 2014 most Americans would be using an Electronic Medical Record (EMR). In his vision, doctors would be using EMR systems with interoperable standards that would allow them to share lab results, images, computerized orders and prescription information with hospitals and other health facilities.

The Office of the National Coordinator for Health Information Technology was created by President Bush to guide the work on EMR standards and coordinate public and private efforts. Its job is to define minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications.

The reasons for the insufficient progress are many, according to the report, “Gauging the Progress of the National Health Information Technology Initiative.” They include slow adoption of EMRs by physician practices, the impractical nature of a national health information network, the difficulty of creating interoperability standards and Congress’ failure to pass legislation addressing health IT roadblocks.

A 2005 survey estimated that only 13 percent of solo practitioners and 16 percent of groups with 2–4 physicians had adopted EMRs, compared to 29 percent of groups with 10–19 physicians and 39 percent of groups with 20 or more physicians.

Slightly more than a quarter of practices with 11 or more physicians — a situation that describes only 8% of doctors — used comprehensive EMRs in 2006, according to an October 2007 Centers for Disease Control and Prevention report based on the National Ambulatory Medical Care Survey. Solo or single partner practices — which account for almost half of all doctors — reported much lower levels of comprehensive EMR use: 7.1% of solo practitioners, 9.7% of those with a partner.

Another reason for slow progress on EMR adoption is that a national health information network is impractical, said experts in the California foundation report. The system is intended to be a “network of networks” linking state, regional and other health information exchanges so they can share information.

According to the eHealth Initiative Foundation (eHI), 28 states have initiated Health Information Technology (HIT) planning and an additional seven states have progressed to the implementation stage.

Privacy Concerns

The Medicare Electronic Medication and Safety Protection Act (S 2408), sponsored by Sen. John Kerry, would require physicians to use e-prescribing for Medicare patients or face a 10% cut in payments. The bill is pending in the Senate Finance Committee.

Deborah Peel, head of the Coalition for Patient Privacy, said an e-prescribing bill would be an excellent opportunity to prohibit data mining.

Privacy advocates are concerned that the bill should come with more privacy protection. They would like to require that any prescription data transmitted electronically be used for the express purpose of prescription filling and submitting the necessary codes to the insurer for payment. Other provisions being sought are annual reports to patients listing everyone who accessed their data and mandated security breach notifications.

While EMRs are not a panacea for fixing our national medical system, they do offer more than traditional modes of storing information. The government should continue to encourage doctors to implement EMRs in their practice through substantial grants and subsidization. There are currently such programs, but more needs to be done to publicize them. While a mandate might eventually be necessary, there are less restrictive alternatives currently available. Nevertheless, it is time that the medical community catch up with other sectors of our economy that have embraced the use of digital information.

Posted in Information Protection

May 2008 Security Round Table | RSA - Going Beyond the Hype

I had a great time at RSA 2008 this year, but didn’t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week — and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad — after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights.

RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives.

I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!

This marks the return of the SRT. We already have the June SRT recorded — a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT — the responsibility of security bloggers and the role of new media.

Happy Listening.

Podcast: SRT May 2008 [54:34m]

Posted in netcast

I Passed the CIPP exam!!!

Hi Everyone,

Well, it took a little while but I just found out that I finally passed the CIPP exam!!! I am now officially a member of the privacy professional community!!!

For those of you keeping up, I have been posting about my experience studying for the exam. I honestly was not sure whether or not I had passed since some of the questions were more complicated than what I was expecting. I am fortunate that I had some background on various subjects and was able to utilize my legal education in determining the correct response. I think that I definitely benefited from having previous exposure to the topic, especially when the questions related to privacy laws and regulations.

I did best on the section dealing with Workplace Privacy, which was my least favorite topic. It was more relevant to professionals dealing with Human Resources than anything that I enjoy learning. I performed worse on one of my favorite sections: Web Privacy and Security. I enjoyed immensely learning about the various ways that data protection collected from the internet needs to be protected and stored. I am definitely going to pursue further education on this topic and it is a very complex issue that requires a technical and legal background to properly understand.

My certification is good for three years and I have to take 30 hours of Continuing Privacy Education (CPE) per year. This is probably something that I would do voluntarily so it isn’t that many hours. Plus, the IAPP provides various ways to keep one’s membership current and I am already planning on going to some conferences in NYC.

So I want to thank everyone for the help in studying for the exam. I know that some of you are thinking about taking it. If you have any questions, please contact me.

Thanks again!

Patrick Romero

Posted in Information Protection

Do you share your umbrella?

I’m about to head to the opening of Hershey Park for the 2008 Season. This is the celebration of the opening (we were here for the last day of 2007, too) and the culmination of our April Expedition of the Campaign Across America. I’ll compile the stats and experiences from the trip and share in the coming weeks.

In the meantime, I had two really cool experiences this week - at truck stops. First, en route to Charlotte, NC (to help a friend), it was pouring rain when we stopped to “diesel up.” The protocol at truck stops is simple: pull in, diesel up, pull forward for someone else to get to the pump, head in to pay. I did. When I hopped out of the RV to pay (now fully exposed to the rain), I was surprised to find a fellow driver (though he was driving a big rig) _waiting_ for me - umbrella in hand.

He didn’t want me to get soaked, so he waited for me and we walked in together. It was a two-minute conversation about where each of us was heading and the weather. No ulterior motive. Pure generosity on his part.

If it were raining - would you wait for someone you never met to offer them your umbrella?

When we stopped to diesel up before we got to the Hershey High Meadow Campground (we got in yesterday), we stopped at a BUSY Petro station (we have two favorites: Pilot and Petro). While I was fueling, a truck pulled in - and based on the way he drove, I sensed he might have been frustrated. Then he hops out of the cab and walks right at me! Well, he wasn’t mad - he wanted to make sure I wasn’t getting ripped off!! He asked me if I held a Pilot Driver’s Rewards Card, and then shared tips on how to use it more effectively! We talked about fueling up, cars, trucks, locations, the whole bit. It was actually pretty cool - and I learned a lot (and left with a smile on my face).

Do you go out of your way to make sure people get taken care of (especially a complete stranger)?

In both of these cases, I found some of the most generous and thoughtful people while on the road. Complete strangers looking out for me, no strings attached. I know we need more of this in the world, and I hope that you take even a few moments to ponder these two examples to look for ways we can all look out for each other.

Have a great weekend.

Posted in Information Protection, Professional Speaking