
netcast for this week: I was the (surprise) guest host on the Netsec Podcast

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

 

(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows, you may want to unsubscribe and resubscribe.)

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Into the Breach, netcast | Comments

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call  206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com

 

PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit, and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable, shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

 
Audio: Security Catalyst Show | Pop Culture Security


Posted in Information Protection, Security Awareness Training, compliance, netcast | Comments (3)

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages shipped by Debian (and by derivatives such as Ubuntu) since September 2006 contained a flaw in the random number generator (CVE-2008-0166): a Debian-specific patch removed the entropy sources feeding the PRNG, leaving the process ID as effectively the only varying input. Any key generated on an affected system during that window (SSH host and user keys, SSL/TLS certificate keys, OpenVPN keys, and anything else that used OpenSSL to produce key material) therefore comes from a small, enumerable set and has to be treated as compromised: it must be regenerated, any certificate issued for it must be reissued, and the old one revoked. DSA keys that were merely used for signing or authentication on an affected host are suspect too, because the same weak PRNG produced the per-signature nonce. Installing the fixed package repairs the generator, not the keys it already produced.
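As an added illustration (not code from the podcast, from Venafi, or from Debian), here is a toy model of the flaw in Python. Real RSA generation is replaced by a hash of the seed; the PID range of 1..32767 and the fingerprint scheme are assumptions of the model, and the inventory at the bottom is constructed. What it shows is why the keys are enumerable, why a blacklist of every possible key is small enough to ship as a package, and what the triage decision for each key in an inventory looks like.

```python
"""Toy model of the Debian OpenSSL PRNG flaw (CVE-2008-0166).

Added illustration, not code from the podcast or from Venafi. Real key
generation is replaced by a hash of the seed so the model runs in well
under a second; what it keeps is the property that made the flaw so
serious: with the process ID as the only varying input to the PRNG, a key
of a given type and size is a pure function of the PID, so anyone can
enumerate every key an affected host could ever have produced.
"""
import hashlib
import os

# Default Linux pid_max of the era; an assumption of this model, and the
# reason the real blacklists hold only tens of thousands of entries per
# key type and size.
PID_MAX = 32767


def broken_keygen(pid: int, bits: int = 2048) -> bytes:
    """Stand-in for key generation on an affected Debian host.

    Nothing but the PID and the requested size influences the output, so two
    machines that happened to use the same PID produced the same key.
    """
    seed = b"pid-only-seed|" + pid.to_bytes(4, "big") + bits.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()


def fixed_keygen(bits: int = 2048) -> bytes:
    """Stand-in for key generation after the fix: seeded from OS entropy."""
    return hashlib.sha256(os.urandom(32) + bits.to_bytes(4, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Fingerprint used for blacklist lookups.

    The real openssl-blacklist / ssh-vulnkey data stores hashes of the public
    key material; this model hashes the toy key bytes (an assumption).
    """
    return hashlib.sha256(key).hexdigest()[:32]


def build_blacklist(bits: int = 2048) -> set:
    """Enumerate every key the broken generator can produce for one key size.

    Only PID_MAX keys are possible, which is why precomputing all of them
    (as the Debian blacklist packages did) is feasible.
    """
    return {fingerprint(broken_keygen(pid, bits)) for pid in range(1, PID_MAX + 1)}


def is_blacklisted(key: bytes, blacklist: set) -> bool:
    return fingerprint(key) in blacklist


def triage(inventory: dict, blacklist: set) -> dict:
    """Classify an inventory of {name: key}.

    'ROTATE' means: generate a new key on a patched system, reissue and
    redeploy the certificate, and revoke the old one. Updating the OpenSSL
    package alone leaves an existing weak key exactly as weak as it was.
    """
    return {
        name: ("ROTATE" if is_blacklisted(key, blacklist) else "ok")
        for name, key in inventory.items()
    }


if __name__ == "__main__":
    bl = build_blacklist()
    # Constructed inventory: two keys from affected hosts, one from a good one.
    keys = {
        "www.example.com (apache)": broken_keygen(4242),
        "vpn-gw (openvpn)": broken_keygen(31337),
        "mail.example.com (postfix)": fixed_keygen(),
    }
    for name, verdict in triage(keys, bl).items():
        print(f"{verdict:7} {name}")
```

The real tools do the same lookup against precomputed lists: Debian shipped the openssl-blacklist and openssh-blacklist packages, and the ssh-vulnkey command checks existing SSH keys against them. A positive match is not a finding to schedule for later; the private key has been recoverable by anyone holding the same list since the moment it was generated.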

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?): the package update fixes the generator, but every key it already produced has to be found, regenerated and its certificate reissued, on every system that uses SSL and not just the web servers – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

 
Audio: Security Catalyst May 21 2008 [33:06m]


Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast | Comments (3)

Introducing a brave new program - Driving the Digital Revolution

I am excited to introduce to you a new program that I host and produce for Cornell University called “Driving the Digital Revolution.”

Driving the Digital Revolution is a simple, but powerful, way to consider the changes taking place around us every day. The digital revolution has lifted cultures out of poverty, literally changed the face of global and local business, and even changed the family structure. Without question, the digital revolution both depends on and plays an active role in shaping how people protect information.

Cornell takes its role in driving the digital revolution seriously. In both education and research, emphasis is placed not only on the field of study, but on how that subject is being transformed by advances in computing and information resources. The university recognizes that as ideas and technologies advance, we have an obligation not only to consider the consequences, but to study and anticipate the unintended consequences.

I am sharing this with you for two reasons:

(1) I am passionate about this series and the opportunity to work with other experts to dig deeper and uncover important concepts that are driving the digital revolution; their words have a lasting impact on me, and I believe they will on you, too.

(2) We are at a place in our industry where we need change. We need to grab on to a vision of hope and drive change. Studying how Cornell participates in driving the digital revolution is a blueprint for our success.

So sit back, plug in and consider the words — and passion — of Dean Constable and how they apply to what you do. Working together, we can change the way people protect information.

There are three ways to listen and subscribe (so you get every episode):
1. Each episode incorporates the ability to listen on the website! Simply point your browser to http://www.cis.cornell.edu/alumniblog/ and press play
2. You can download this episode directly: http://www.cis.cornell.edu/alumniblog/podcast/cornell-ddr-01.mp3
3. If you prefer to use and subscribe using RSS, here is the feed: http://www.cis.cornell.edu/alumniblog/feed/

 
Audio: Driving the Digital Revolution [30:16m]


Posted in Information Protection, netcast | Comments off

The Security Catalyst Show | Plan - Do - Review your way to success

Into the Breach is really taking shape - but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN - DO - REVIEW

I first learned about PLAN - DO - REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use - with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

 
Audio: Standard Podcast [13:04m]


Posted in Information Protection, netcast | Comments (1)

The Security Catalyst Podcast: A Conversation with Brian Chess

On this program, we share a conversation with Brian Chess, the author of Secure Programming with Static Analysis - a conversation that is a must-listen for business leaders, security professionals and developers who want to learn how to engage their teams to better protect information.

Brian takes an approach with secure programming that is similar to the approach I follow when assessing and implementing awareness and training programs. So whether you are a developer or not, you will change the way you protect information by listening to Brian!

What I took away from my conversation with Brian
After reflecting on our conversation (I explain more during the podcast), here are the top five points I took away:

1. Introspection is important when looking to protect information. To me, this also means we have to stop blaming and looking to assign blame. We can look within, take (and encourage) responsibility and find solutions.

2. Trust is paramount. We have to find ways to establish and maintain trust, offline and online.

3. We need to develop processes and tools to support our experts in a way that naturally engages them and encourages their participation in information protection.

4. New processes, new learning and new tools require an initial investment (time, money and resources) that may sometimes seem sizeable – but the savings are realized rapidly and bring long-term positive benefits.

5. In security, we need to stop griping and learn to be good coming from behind. It’s okay, and we can do it.

What did you take away from this conversation? Send me an email: securitycatalyst@gmail.com, or better yet - join us in the security catalyst community – www.securitycatalyst.org and share your insights with others.

Information and Links

Brian Chess, Ph.D., Founder & Chief Scientist
http://extra.fortifysoftware.com/blog/bloggers.html

Dr. Chess’s research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedger.

Secure Programming with Static Analysis
http://www.amazon.com/Programming-Analysis-Addison-Wesley-Software-Security/dp/0321424778/ref=sr_1_1?ie=UTF8&s=books&qid=1196292147&sr=8-1

Blogging with Brian Chess
http://extra.fortifysoftware.com/blog/

Serving Your Needs
I thoroughly enjoy researching and producing these podcasts – and I am looking forward to getting back into a programming schedule with a bit more regularity. I’ve also been impressed with the Talk Shoe service, and am considering hosting more podcasts through Talk Shoe so you can listen in live.

Let me know if you would listen live and participate if we made that an option, and who you would like to share a conversation with, by sending me a note: securitycatalyst@gmail.com

As always, thanks for the gift you give me by listening. If you liked the program, tell a friend. If not, tell me!

 
Audio: TSC: Brian Chess


Posted in Information Protection, netcast | Comments

The Security Catalyst Podcast – Why Virtual Teams Fail (and how to avoid it)

This podcast explores how and why virtual teams fail, based on new research from a group of graduate students at Johns Hopkins Carey School of Business.

My belief is that in order to protect information, we have to support the individual – and make it easier for them to do their job. By learning more about how virtual teams fail, we can learn how to avoid mistakes and build stronger and more effective collaboration opportunities – where people can do their jobs while taking responsibility for protecting information. By absorbing this research, you may also learn how to work more effectively on your own virtual teams.

After our interview, I share the top five things that I learned about nurturing and protecting virtual teams. I invite you to sit back, listen, learn and contribute. I’m happy to keep the conversation going in the security catalyst community.

Background: Bring new knowledge to the field of work team behavior
A group of five graduate students (Robert Darling, Cari Endicott, Lisa Fratino, Matsuno Inoue, and Ellen Snydman) from the Carey Business School of Johns Hopkins University participating in a team building course under the leadership of Dr. Robert Pernick were charged with bringing new knowledge to the field of teaming.

This group elected to research the world of virtual teaming, and in doing so, found that there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or become sub-optimized. The team’s first research effort was to conduct structured interviews with a group of virtual teaming experts.

The experts interviewed generally agreed that the success of virtual teams is threatened by:
• Concerns regarding the ability to protect sensitive information
• Lack of a single platform that provides all the tools necessary to optimize
• The struggles of virtual communication
• Poorly or under-trained users
• The challenge of building trust without the use of face-to-face communication

Overall, the experts agreed that all of these obstacles can be overcome and, unless combined into the “perfect storm”, are not likely to cause catastrophic failure. The experts felt very good about the work that is being done virtually and believe that the use of virtual teams will become even more prevalent in today’s global society.

The second phase of research involved the distribution of a short, online survey about virtual work. The results of the survey are still being collected, but at this point there seems to be a great deal of overlap with the findings from the subject matter experts. The podcast you are listening to will explore both elements of the research and will introduce yet another subject matter expert, Stu Snydman, the Manager of Digital Production at the Stanford University Libraries.

This podcast was created and hosted by Michael Santarcangelo and expertly engineered by Steve Witt. Thanks, Steve!

 
Audio: TSC - Why Virtual Teams Fail - and How to Avoid It [44:40m]


Posted in Information Protection, netcast | Comments (1)

Security Catalyst Podcast - The Value of Fundamentals

I’m back, baby! I know I’ve been remiss in sharing some ideas and observations - but I’ve been really focused. As I continue to focus on changing how people protect information, I have come to appreciate the value of the fundamentals. I share some insights in this long overdue podcast.  Things you will learn by listening to this podcast:

  • I am a Yankees fan
  • Three lessons I took away from watching professionals and legends
  • How to have more fun at work

I also share some updates on the Information Protection Assessment Toolkit, make a special offer and update some of my travel plans.  It’s nice to be back. We have an SRT coming up, and I have a lot I hope to share… more to come…  If you enjoy this, let me know. If not, let me know how I can make your job easier and improve the quality of your podcast experience. 

 
Audio: Security Catalyst - The Value of Fundamentals [19:49m]


Posted in Uncategorized | Comments

Security Catalyst: Family Security Series Podcast, Episode 2 – Using a Non-Administrative User

You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
-    why you should be using a non-administrative user account
-    how to determine which type of account you are currently using
-    how to create normal user accounts
-    how to change to a regular user account

Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:

• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security+ SME
• John Biasi
• Peter Clark, CISSP

If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php

The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(note: joining the community costs nothing – except your active participation!; we enforce a naming standard of using your full name. It helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)

Links and Information Mentioned During the Program

Least Privilege

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Determine the current status of a user account

Two basic options in Windows XP

Windows XP: Option 1
• Start -> Run -> CMD (bring up a command prompt)
• Type ipconfig /renew
• Limited Users will be given an error that access is denied. Administrators will be allowed to renew their IP address. (This is an indirect test: it works because renewing a DHCP lease is an administrative operation on XP. A direct check at the same prompt is to type net user followed by your own user name; the Local Group Memberships line shows *Administrators for an administrator account and only *Users for a limited one.)

Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application
• If you are a Limited User, you will be presented with the option to change your picture or to click on Mail or User Accounts; you are limited to:
  - changing your own password
  - changing your picture
  - setting up your account to use a .NET Passport
• If you are an Administrator, you will be given the option to change an account, create a new account, or change the way users log on or off.

For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html

Mac OS X
• System Preferences –> Accounts
• Right under each name, the list shows the kind of account (Admin or Standard)

Create a non-admin account

Mac OS X
• System Preferences –> Accounts
• Check that the lock is unlocked; if not, click it and enter your password
• Click on the + sign
• Enter the information, including a password
• DO NOT check (make sure you leave blank) the box for ‘Allow user to administer this computer’

Windows XP (pre-Vista)
• Start -> Control Panel
• Select ‘User Accounts’
• Select ‘Create a new account’
• Type in the name of the new user account
• Select the ‘Next >’ button
• Select the ‘Limited’ radio button
• Select the ‘Create Account’ button

You’re not done! Time to select a good password
(We will go into details on good passwords in the future)
• You will be presented with a ‘User Accounts’ screen with a ‘Pick a task’ option. Select the ‘Change an account’ option
• Select the account you just created
• On the next screen, ‘What do you want to change about Child 1’s account?’, select ‘Create a password’
• Enter a strong password in the first two boxes and a password hint in the third box, then press the ‘Create Password’ button. The hint is shown to anyone who clicks the account name at the Welcome screen, so it must not give the password away; leave it blank if you cannot think of one that does not.
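As an added example (not part of the show notes), the following Python script does the same account-type check from code for both procedures above: on Windows by reading the Local Group Memberships line that `net user` prints, and on Mac OS X by checking membership of the admin group. The `net user` output embedded in it is constructed for the demonstration, and the account name used in the comments is hypothetical. It also wraps account creation the way the Windows steps do it, with the password prompted for rather than passed on the command line.

```python
"""Added example (not from the show notes): find out whether the account you
are logged in with has administrative rights, on Windows and on Mac OS X,
without relying on a side effect such as `ipconfig /renew` being refused.

On Windows the authoritative answer is group membership: `net user NAME`
prints a "Local Group Memberships" line, and an account listed under
*Administrators is an administrator whatever the Control Panel calls it.
On Mac OS X an administrator is simply a member of the "admin" group.
The two `net user` transcripts below are constructed for the demonstration.
"""
import getpass
import subprocess
import sys

SAMPLE_NET_USER_OUTPUT = """\
User name                    child1
Full Name                    Child 1
Account active               Yes
Password last set            5/1/2007 8:14 PM
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

SAMPLE_NET_USER_ADMIN_OUTPUT = """\
User name                    parent
Full Name                    Parent
Local Group Memberships      *Administrators       *Remote Desktop Users
                             *Users
Global Group memberships     *None
The command completed successfully.
"""


def parse_local_groups(net_user_output: str) -> list:
    """Return the local groups named in `net user` output.

    net.exe prefixes each group with '*', pads to columns, and wraps onto
    indented continuation lines when the list is long; the parser follows
    the section until the next left-aligned label.
    """
    groups = []
    in_section = False
    for line in net_user_output.splitlines():
        if line.startswith("Local Group Memberships"):
            in_section = True
            payload = line[len("Local Group Memberships"):]
        elif in_section and line.startswith(" "):
            payload = line  # continuation line of the same section
        elif in_section:
            break  # next label, e.g. "Global Group memberships"
        else:
            continue
        groups.extend(g.strip() for g in payload.split("*") if g.strip())
    return groups


def is_admin_by_groups(groups) -> bool:
    return "Administrators" in groups


def windows_account_kind(user=None) -> str:
    """Run `net user` for the current (or given) local account and classify it."""
    user = user or getpass.getuser()
    out = subprocess.run(["net", "user", user], capture_output=True, text=True, check=True).stdout
    return "Administrator" if is_admin_by_groups(parse_local_groups(out)) else "Limited"


def macos_account_kind(user=None) -> str:
    """Administrator on Mac OS X means membership of the 'admin' group."""
    import grp  # Unix only; imported here so the module also loads on Windows
    user = user or getpass.getuser()
    return "Admin" if user in grp.getgrnam("admin").gr_mem else "Standard"


def create_limited_user_windows(name: str) -> bool:
    """Create a Limited account; must be run from an Administrator account.

    `net user NAME * /add` prompts for the password instead of taking it on
    the command line, so it does not end up in the command history. A fresh
    account lands in Users only; the return value confirms it is not also an
    Administrator.
    """
    subprocess.run(["net", "user", name, "*", "/add"], check=True)
    out = subprocess.run(["net", "user", name], capture_output=True, text=True, check=True).stdout
    return not is_admin_by_groups(parse_local_groups(out))


if __name__ == "__main__":
    if sys.platform == "win32":
        print("This account is:", windows_account_kind())
    elif sys.platform == "darwin":
        print("This account is:", macos_account_kind())
    else:
        # Offline demonstration of the parser on the constructed transcripts
        print(parse_local_groups(SAMPLE_NET_USER_OUTPUT))
        print(parse_local_groups(SAMPLE_NET_USER_ADMIN_OUTPUT))
```

`net user` only reports local accounts; a domain account needs `net user NAME /domain`. On Vista and later an administrator running without elevation is still listed under Administrators, which is the right answer to the question the podcast asks, namely what the account can do once something running as you asks for it.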

Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)

• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May 8)
• Baltimore/Washington/Northern Virginia (May 10 – May 18)

We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security

We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)

We are in the process of selecting cities for our “Security Revival Tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com

Thanks for listening - now go make your user account changes and be safe out there!

 
Audio: Family Security Series #2 [24:13m]


Posted in Information Protection | Comments (2)

Episode 1 (of 7) - (Teach Your) Family Security Series Security Podcast - Operating System and Application Updates

I feel like we’ve been building to this for a while now… Here is the first episode of the Family Security Series podcast. This episode focuses on operating system and application patching. The goal is to explain the basic approach, some configurations and then provide links and details, as available. I invite you to not only listen, but to share this podcast with others - especially those that you think would benefit from it.

We have also decided to include at least monthly programming designed to help consumers; this helps you with your awareness efforts.

I want to thank the advisory committee for their help. This episode is better because of:
- Andrew Hay | Founder and CEO of Koteas Corporation
- Peter Clark
- Alvin Liau, CISSP
- John Biasi

Basic Overview Sites (some of this material will be covered in future episodes)
Microsoft Security Site for Home Users
Apple Security Site (good starting point)

Links for Microsoft (Operating System)
Windows Update

If you need/want an alternative: AutoPatcher

Links for Apple/Mac (Operating System)
Mac OS X: Updating your software
Application Update Links

For Microsoft Applications:
Use System Restore to Undo Changes if Problems Occur
Product updates, free trials, and third-party downloads (there is a button on the right hand side to allow you to check for updates)

Other Updates we mentioned:

Download the latest version of Adobe Reader
Firefox (browser)
Thunderbird (email client)
Real Player

(if you have others - send them to me at securitycatalyst@gmail.com and I will include them in our Family Security Resources Section)

Episode Lineup:
Episode 1: OS and Application Patching
Episode 2: non-admin user
Episode 3: Anti-Virus, Anti-Spyware and other needed protections
Episode 4: Firewalls
Episode 5: Backup
Episode 6: Wireless Security Basics
Episode 7: Professionals’ Best Practices

Come discuss this and other ways to help protect information in the Security Catalyst Community.

If this helped you, please invite two friends to listen.

 
Audio: (teach your) Family Security Series Episode 1 [27:18m]


Posted in Information Protection | Comments (6)
