
I’ve been developing and conducting training classes for years – never entire curricula, but individual classes like security awareness.  In general I’ve been pretty successful, and I haven’t found it that difficult: explain the topic in an organized way, explain why certain things are the way they are, give some concrete examples, and most people get it.

Then I got the first dogs of my adult life, and learned to train them.  In many ways, training dogs is much more difficult than training people because there is no common language and dogs and people perceive the world in very different ways.  Now, before anyone gets offended, I’m not trying to compare people to dogs.  I am, however, trying to compare training methods – there are some interesting differences and similarities that are very educational, and training either species can have unintended consequences.

One of the most popular methods of training any species of animal is called clicker training.  A clicker is just a small plastic thing that makes a clicking noise.  You associate that noise with a treat, and the animal (in this case a dog) learns that the noise means something good is about to happen.  When the dog performs a desired behavior (like sit), you click at the moment that it performs, and follow up with a treat.  Because of the precision of clicking just when the behavior happens, the dog is clear on what you want, and learns a lot faster.  In fact, most dogs figure it out pretty quickly and will start to “offer” the behavior in the hopes of more treats.  This method is also used successfully with human athletes that have to do complex aerial moves like gymnasts and divers, to help them understand when to start or end a tuck or a twist.  The key message here is that immediate positive recognition for doing the right thing is the fastest way to ingrain a behavior – in any species.

The more interesting side of dog training is the unintended consequences.  Unlike with humans, you can’t just explain to a dog what you’re after.  You have to figure out how to guide (“lure”) the dog into doing what you want, but even then it might not understand.  If it doesn’t, you have to wait around and let it do the behavior by itself, and “capture” the behavior by clicking and treating when it happens.  The problem with luring and capturing is that sometimes you reward things that you didn’t mean to reward – thus the unintended consequences.  Here’s an example with my husband’s dog, Kozmo. We rented a house last year that was down the street from a school.  Kozmo decided it was a good idea to get up at 7am, run into the yard, and start barking at the kids walking by.  So every morning for about a week I got up when I heard him, went out with him, called him in when he started barking, and then went to the kitchen for a treat.  By the end of the week, he stopped barking outside.  But then he started doing something new.  Every once in a while, he’d get my attention, and walk toward the dog door, ensuring that I was still watching.  Then he’d rush outside, bark a couple times, rush back in, and go sit in the kitchen and stare at the treat cabinet.  In short, I was trying to teach him “don’t go outside and bark” but he learned “If I go outside and bark when mom’s around and immediately come back in, I get food and attention.”  To this day if he wants attention when we’re around, he’ll go outside and bark a few times, then come back into the house, expecting praise.

So what’s my point in all of this?  When we collect metrics in the customer services space and use them for performance assessments, we are effectively training our employees – if you score well on the metrics, you get a raise.  If you score poorly, you could get fired.  But measuring the wrong things can have unintended consequences – we think we’re rewarding delivering good service, but we’re actually rewarding behaviors that deteriorate service.  A very common example is when we measure speed of service instead of quality of service.  Speed is much easier to measure than quality, and it’s something that can be system generated: how many tickets closed per week, how many minutes spent on each call, etc.  On the surface, it also makes sense: if we’re closing calls and tickets faster, we’re completing more calls and tickets sooner, so the customers aren’t waiting around for service, and that’s good!  But what actually happens?  If an employee gets a gold star for being the fastest, that individual will do his best to continue doing so – at the expense of the customer.  The ticket will get closed with the work not being completed, or the call will end and the customer still hasn’t received the help they needed, or they’ve been passed along to someone else – wasting both the customer’s time and the time of the person they were passed to.  Meanwhile, the employee is getting rewarded for having been the fastest.  Measuring speed without measuring the underlying quality has the unintended consequence of deteriorating service, when the intent is to improve service.
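To make the “speed rewards the wrong thing” argument concrete, here is a small added example (mine, not from the original post). It assumes a ticket record carries two things the post mentions as symptoms of unfinished work, a reopen flag and a transfer flag, and uses them as the quality signal; the agents and numbers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    agent: str
    minutes: int        # elapsed time from open to close
    reopened: bool      # customer came back because the work was not done
    transferred: bool   # passed along to someone else instead of resolved


# Constructed sample data (not from the post). "fast" closes tickets in a few
# minutes but leaves most of them unresolved; "thorough" takes longer and
# resolves nearly all of them on first contact.
TICKETS = [
    Ticket("fast", 5, True, False),
    Ticket("fast", 6, False, True),
    Ticket("fast", 4, True, False),
    Ticket("fast", 7, False, False),
    Ticket("fast", 5, False, True),
    Ticket("thorough", 18, False, False),
    Ticket("thorough", 22, False, False),
    Ticket("thorough", 15, True, False),
    Ticket("thorough", 20, False, False),
]


def by_agent(tickets):
    groups = defaultdict(list)
    for t in tickets:
        groups[t.agent].append(t)
    return groups


def rank_by_speed(tickets):
    """The speed-only metric: mean minutes per closed ticket, lowest first."""
    means = [(agent, sum(t.minutes for t in ts) / len(ts))
             for agent, ts in by_agent(tickets).items()]
    return sorted(means, key=lambda pair: pair[1])


def first_contact_resolution(tickets):
    """Fraction of an agent's tickets that were neither reopened nor handed off."""
    return {agent: sum(1 for t in ts if not t.reopened and not t.transferred) / len(ts)
            for agent, ts in by_agent(tickets).items()}


def rank_by_resolved_speed(tickets):
    """Minutes spent per ticket actually resolved, lowest first.

    Time spent on reopened or transferred tickets still counts as cost, but
    only a resolved ticket earns credit, so closing fast without finishing
    no longer wins. An agent with no resolved tickets scores infinity.
    """
    scores = []
    for agent, ts in by_agent(tickets).items():
        resolved = sum(1 for t in ts if not t.reopened and not t.transferred)
        total = sum(t.minutes for t in ts)
        scores.append((agent, total / resolved if resolved else float("inf")))
    return sorted(scores, key=lambda pair: pair[1])


if __name__ == "__main__":
    print("speed only:   ", rank_by_speed(TICKETS))
    print("first contact:", first_contact_resolution(TICKETS))
    print("per resolved: ", rank_by_resolved_speed(TICKETS))
```

On this data the speed-only ranking puts “fast” first at 5.4 minutes per ticket, while only one of those five tickets was actually resolved; charging the time against resolved tickets flips the order (thorough 25.0, fast 27.0 minutes per resolved ticket). The quality signal here is deliberately the cheapest one available from the ticket system itself, so it can be “system generated” in the same way the speed numbers are.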

How do you measure quality in ways that reward good service?  More on that later…

by Ron Woerner

Often, we’re our own worst enemy.  We do things that make us a likely target for blame.  In other words, we’re on the suspect list.  We receive the blame when something goes wrong because of our actions or the access we maintain.

The best strategy is to keep yourself and others off of that list.  First of all, being on it disrupts the investigation into finding the true source of the problem.  Second, it causes others to distrust those on the suspect list, even if they’re innocent.  The best way to prove innocence is to have a clear name from the onset.

Often security professionals and IT managers have access to many systems, applications, or facilities. They believe it’s required because of their position or responsibilities.  The problem is that having access often puts them automatically on the suspect list.  Many times I’ve been accused of involvement when there were network issues.  “Were you running one of your security scans again?” is a common question aimed at me just because I have the ability to run scans, not because I necessarily did.

Often, other activities may add us to the “suspect list”, such as browsing the Internet, transferring documents from home to work and vice versa, clicking on links in email, or installing freeware or shareware applications on a work computer. While they’re not always bad activities in and of themselves, these actions do have potentially dangerous consequences.

Here are five things you need to do to keep yourself off of the suspect list:
1. Limit your access.  This is the concept of least privilege.  If you don’t need it or don’t use it every day, disable or delete your access to it.
2. Only use administrator privileges when you administer the system.  If you’re always logged in as an admin, then you’re just asking for trouble.
3. Freeware isn’t always free and shareware may mean you’re sharing more than the program.  Finding programs on the Internet may save money in the short run, but they occasionally contain hidden malware that can take down your system.
4. Think before you click.  Be aware of where you go on the Internet.
5. Keep your secrets secret.  If you allow others to use your login id or badge, then that person is you and you’ll be on the suspect list if something goes wrong. Badges and passwords are like kleenex; it’s not cool to share.
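Item 1 is the one you can actually put a routine check behind. The following is an added example (not from the post) of the access review it implies: given a list of what a person holds and when each grant was last exercised, flag what has gone unused and list the privileged access that survives so it gets a second look. The users, resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    privileged: bool            # admin, root or scan-capable access
    last_used: Optional[date]   # None means the access was never exercised


# Constructed sample access review (not from the post).
TODAY = date(2010, 6, 1)
GRANTS = [
    Grant("ron", "vuln-scanner", True, date(2010, 5, 28)),
    Grant("ron", "payroll-db", True, date(2009, 11, 3)),
    Grant("ron", "badge-room-12", False, None),
    Grant("kim", "helpdesk-console", False, date(2010, 5, 31)),
    Grant("kim", "domain-admin", True, date(2010, 5, 31)),
]


def stale_grants(grants, today=TODAY, max_idle_days=30):
    """Grants not exercised within max_idle_days (or never): candidates to drop."""
    cutoff = today - timedelta(days=max_idle_days)
    return [g for g in grants if g.last_used is None or g.last_used < cutoff]


def review(grants, today=TODAY, max_idle_days=30):
    """Per user: what to drop, what to keep, and which privileged access remains.

    Privileged access that survives the review is what keeps its holder on
    the suspect list, so it is listed separately (item 2: use it only when
    administering, never as the everyday login).
    """
    stale = set(stale_grants(grants, today, max_idle_days))
    report = {}
    for g in grants:
        entry = report.setdefault(
            g.user, {"drop": [], "keep": [], "privileged_kept": []})
        if g in stale:
            entry["drop"].append(g.resource)
        else:
            entry["keep"].append(g.resource)
            if g.privileged:
                entry["privileged_kept"].append(g.resource)
    return report


if __name__ == "__main__":
    for user, entry in review(GRANTS).items():
        print(user, entry)
```

Run against the sample, the payroll database access (idle since November) and the never-used badge access are flagged for removal, and the scanner access stays on the list of privileged grants to justify.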

Security’s objective is to keep people off of the suspect list.  We know that the great majority of our work force wants to do what’s right.  We want to help you.  Like the police, our objective isn’t to get you into trouble, but to keep you out of trouble.  Consider what you should do to keep yourself and others off the suspect list.  It will make your life much easier.

by Wim Remes

Once upon a time in the land of milk and honey, Jack and Charles, 2 hard-working dwarves, were strolling through the magic forest. They had been walking for a while now and they were getting tired, but Mike, their boss, had instructed them to bring home 10 stones and they had only found six.  Jack, being the senior dwarf, carried the backpack with the stones and regularly sent Charles between the trees to retrieve a stone.  Charles would diligently comply, and when he actually found a stone, he would put it in the backpack, quickly going back to searching for more stones.

What looked like an easy task turned out to be quite difficult: There’s more wood in a forest than there are stones, you know.

Jack was sweating heavily, his legs hurt, and he was slowing down. Charles, however, looked like he hadn’t done anything yet. He was dancing through the forest, quickly running left and right to look for stones.  “Hey Jack, should I carry the backpack now?” he asked. “No, keep searching, it’s about time you found some stones,” Jack replied. He was not amused with the situation, feeling the skin on his shoulders being ripped to tiny pieces.

As the sun was falling toward the horizon, Jack and Charles reached a river. Charles quickly picked up four stones and put them in the backpack.  Jack was happy, and so was Charles. “Hey Charles,” Jack said “do you see that apple tree across the river?” Charles saw the shiny, juicy apples and he suddenly felt how hungry he actually was.

As Jack and Charles crossed the river together, Jack sank to the bottom and drowned.  Charles didn’t look back and moved on to stuff himself with tasty apples.  On his way back across the river, he slid the backpack off of Jack’s already chilly shoulders. He walked home and delivered the stones to Mike who, of course, was very happy. He awarded Charles with an extra portion of porridge and Jack, well, nobody ever remembered who Jack really was.

Jack is a dead man! Why? Because he refused to share his knowledge (the stones) with Charles. He thought it was alright to boss Charles around, instructing him in exactly what to do.  He also got angry at Charles because he thought Charles was better off. After all, it’s not as though Jack had to carry that backpack. Charles wanted to because he felt it was his responsibility, which it wasn’t. As the senior dwarf, it was his responsibility to get the both of them home safely, with 10 stones.

Do you ever behave like Jack? What gets you, your team and your company forward is the fact that you are open to share experience, ideas and knowledge. Refusing to do that might have you end up on the bottom of a cold river. Rest assured that your seat will not be empty for long.

by James Costello

It was a dark and stormy…

All right, it was a sunny morning in April when the first event to inspire this article occurred. I was walking back to my car after dropping off my daughter at school. As I walked around to the driver side I noticed a battered USB thumb drive sitting on the ground behind one of my tires.

My first thought was “Oh, great. I dropped mine and it got run over.” I quickly realized that dropping it and running over it was nearly impossible and that it was not even one of the brands that I use. So I had four options:
1. Leave it where it was
2. Take it back into the school and leave it in the front office
3. Take it with me and try to determine the owner so that I could return it to them.
4. Throw it away.

The first option didn’t sit well with me; the next person to come along might do something malicious with it. The second option only works when the office is open (which it wasn’t, as my daughter was attending day camp during spring break). That left me with options 3 and 4. I decided to combine 3 and 4 into option 5:
5. Take the drive with me and throw it away later.

Fast forward in time three weeks…

I am once again in the parking lot of my daughter’s school staring at a smashed USB thumb drive of the same brand as the prior unit. Repeat thought process above. I was a bit suspicious and a bit curious. Two similar drives in the same parking lot. Was someone just very unlucky and lost two drives? Were there possibly two such unlucky individuals? Was someone trying to use the USB keys as a means to penetrate the school district system?

I decided that I would take a look at the new drive when I got home that evening, but I was going to take precautions. Plugging it into my computer could expose me to viruses, malware, and pictures of an inappropriate nature. What could I do to protect myself and my computers while looking at this drive?

1. Boot off a BackTrack CD, mount the drive and look at it there
Advantage – lives in memory, low chance of infecting my hard drive
Drawback – this might not be a recommendation for others

2. Launch a VM on my computer and connect to the drive
Advantage – no need to reboot my hardware, I already have the VMs in place
Drawback – there could be malware that breaks through that VM software and infects my host system.

3. Boot a separate system that I do not mind rebuilding
Advantage – system can be rebuilt if there is malware on the drive
Drawback – not everyone has spare systems lying around to do this.

I chose to use an older Toshiba laptop to look at the drive because it runs Linux (lower chance of infection) and it has a USB 1.0 connector on it (older, slower, and not likely to run U3). Fortunately (or unfortunately) this drive was too damaged to operate, so it followed its predecessor into the electronic recycling bin.
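Whichever of the three options you pick, the drive still has to be attached and looked at without letting anything on it run. Here is an added example of that step (mine, not the author’s): it prints the Linux mount options that keep the drive inert (read-only, no execution, no device nodes, no setuid), then walks the mounted tree recording size, SHA-256 and a few warning flags per file, opening each file only as raw bytes. The device path and mount point are placeholders, and `build_sample_drive` creates a constructed stand-in for the drive so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Mount options that keep a suspect drive inert on Linux. The device and
# mount point below are hypothetical placeholders.
MOUNT_OPTS = "ro,noexec,nosuid,nodev"

# Extensions Windows will run, or that carry shortcut/script logic.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".dll", ".msi",
                       ".bat", ".cmd", ".vbs", ".js", ".lnk", ".ps1"}
PE_MAGIC = b"MZ"   # first two bytes of a Windows PE executable


def mount_command(device="/dev/sdX1", mountpoint="/mnt/suspect"):
    """Shell command to attach the drive without letting anything on it run."""
    return f"mount -o {MOUNT_OPTS} {device} {mountpoint}"


def classify(path):
    """Return the reasons a file deserves a second look (empty list if none)."""
    flags = []
    if path.name.lower() == "autorun.inf":   # the hook U3-style launchers use
        flags.append("autorun")
    if path.suffix.lower() in EXECUTABLE_SUFFIXES:   # catches photo.jpg.exe too
        flags.append("executable-extension")
    with path.open("rb") as fh:              # raw bytes only, never an associated app
        if fh.read(2) == PE_MAGIC:
            flags.append("pe-header")
    return flags


def sha256_of(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root):
    """Walk a mounted drive and record path, size, hash and flags per file."""
    root = Path(root)
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        records.append({
            "path": str(path.relative_to(root)),
            "size": path.stat().st_size,
            "sha256": sha256_of(path),
            "flags": classify(path),
        })
    return records


def flagged(records):
    return [r for r in records if r["flags"]]


def build_sample_drive():
    """Constructed stand-in for a found drive: one autorun file, one disguised
    executable, one harmless note. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="suspect-drive-"))
    (root / "autorun.inf").write_text("[autorun]\nopen=launch.exe\n")
    (root / "photo.jpg.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "notes.txt").write_bytes(b"hello")
    return root


if __name__ == "__main__":
    print(mount_command())
    for rec in inventory(build_sample_drive()):
        print(rec)
```

The hashes are the useful output: they let you compare the contents against a known-bad list or a second drive without ever opening a file, which is exactly what you want when the two drives in the story turn up three weeks apart.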

Then I got to thinking. What if that drive was mine? Do I keep any data on a USB drive that, if I lost, could be used to steal my identity or perform credit card fraud? Would I want someone else going through it to find out if it was mine?

So what can you do to protect yourself from losing your thumb drive and your data?

Keep physical control of your thumb drive, by keeping it on a key chain, on a lanyard around your neck, or at home. Protect the data on the drive via encryption (there is a mobile version of TrueCrypt that works on USB drives). Alternatively, don’t put anything on your drive you wouldn’t share with your neighbor, such as tax data, your social security number, your date of birth, or your mother’s maiden name. Don’t share your drive with anyone else, and don’t carry your data with you. You can leave it at home and email any information you need to yourself using your company’s mail system (not from your home account, but through webmail) if that is allowed by your company. Make sure you find out what your employer’s policy is for USB drives before you bring them in.

This “case” was fairly interesting for me, and I hope you found it interesting, dear reader. The next time you come across a thumb drive lying around, think of this story and my thoughts. Now go out there and be safe.

By Adam Dodge

I recently returned from yet another amazing time at the EDUCAUSE Security Professionals Conference. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one of my favorite events. Not only does the SPC boast outstanding presentations, but the hallway conversations, informal roundtable discussions during meals, and Birds of a Feather gatherings offer unparalleled opportunities to meet other security professionals in higher education and learn new, unique ways to address issues. I strongly urge all security professionals in higher education to beg, argue or barter for the funds needed to attend this yearly gathering.

The conference lineup this year was interesting. While there were the usual technically-focused talks, the majority of the talks did not center on specific technical topics. Instead, much of the conference was focused on building and maintaining a strategic information security program within higher education. There were sessions on building risk management programs, using frameworks to build information security policies and programs, creating standardized and measurable procedures, and even talks on how to leverage internal resources such as internal audits to help improve security posture.

Like many industries, information security grew up out of the IT departments at most colleges and universities. Unfortunately, many educational institutions still equate “network security” with “information security”, and information security is often still viewed as a technical issue. However, the presentations at this year’s conference clearly indicate that the viewpoint on information security is quickly changing at colleges and universities.

This shift in how information security is viewed within higher education speaks to the maturation of information security programs at many colleges and universities. Thankfully, the industry seems to be moving away from the misguided view that all institutions need is one staff member “doing security” to be secure. This type of growth and maturity of information security programs within higher education is a great sign that perhaps I will soon have nothing to report on Education Security Incidents.

Here, in no particular order, are the top three presentations out of the sessions I was able to attend. “An Auditor’s Perspective on Frameworks for Information System Security in Higher Education” by Erwin Carrow and Brian Markham was useful in teaching me that internal auditors can, in fact, be your friends. “Using the EnCase Field Intelligence Model in Assisting with Forensic Examinations” by Yu Chang, Tammy Clark, and William Monahan was useful in showing how Georgia State University handles requests for forensic investigation. “Mapping the Shifting Landscape” by Phillip Deneault and Brian Smith-Sweeney was useful in providing excellent quotes such as “Ready-Fire-Aim” and Brian’s poorly rendered yet still amazing image on the drivers and functions of an information security program.

Congratulations and thanks are in order for this year’s SPC program committee. These folks did an outstanding job.

Image used with permission from FreeDigitalPhotos.net

by Jeff Kirsch

As adults we like to have some sense of order. We get into a routine: get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those “different” places at the same time every day. It’s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?

Me vs. Random

I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter’s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.

A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn’t get me with her banana.  I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level.  I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy had not worked, so I began to reformulate a plan to ensure I didn’t continue showing up with stains on my clothes.

A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can’t jab me with it, and if she throws it I’ll notice. I went through the routine thinking I had won this round – even though my daughter had already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that’s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can’t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year-old just beat me three games to none.

Ordered Randomness

As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.

by Ron Woerner

“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.”  Computerworld

What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.

One of the causes is the introduction and promotion of “pet risks” by decision makers.  A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers.  It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources.  It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a ‘96 Ford Contour.   The cost of mitigation is out of balance with either the asset value or the real risk.

It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.

The decision maker has the position and influence to make it happen.  He or she is able to get the funding and personnel to address their pet risks.  They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation.  Whether those risks are critical for the organization is debatable.

An example is data leakage protection (DLP).  The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost.  Management may be convinced that they need to stop this at all costs.  They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage.   While it may be an issue, data leakage may not be the organization’s biggest problem.  It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.

How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.

Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:
1. Conduct a risk assessment;
2. Collaborate on the results with all stakeholders;
3. Be open and honest on the best ways to protect the business.

In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs.  They should address the potential impact and probability of data leakage.  Is it an irritant or could it be a major issue?  How likely is it that critical data can and will leak out of the organization?  They need to collaborate with others on their risk assessment to see how it affects the business.
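The post’s test for a pet risk is that the cost of mitigation is out of balance with the asset value or the real risk. The following added example (mine, not the author’s) puts numbers on that using the standard annualized loss expectancy model: loss per incident times incidents per year gives the expected annual loss, and a control’s return on security investment (ROSI) is the loss it avoids minus what it costs, divided by what it costs. The four risks, including a ’96 Ford Contour with an anti-theft system and a DLP purchase, are constructed figures chosen only to illustrate the ranking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float          # what a loss is measured against
    exposure: float             # fraction of the asset lost per incident (0..1)
    incidents_per_year: float   # expected frequency
    control_cost: float         # annual cost of the proposed mitigation
    control_effect: float       # fraction of the expected loss the control removes


# Constructed figures (not from the post); the point is the comparison.
RISKS = [
    Risk("car alarm on a '96 Contour", 1_500, 1.0, 0.02, 300, 0.9),
    Risk("DLP to block USB/CD burners", 500_000, 0.1, 0.5, 40_000, 0.8),
    Risk("patching the server fleet", 500_000, 0.2, 2.0, 30_000, 0.7),
    Risk("phishing awareness training", 500_000, 0.05, 4.0, 15_000, 0.5),
]


def single_loss(r):
    """Loss from one incident."""
    return r.asset_value * r.exposure


def ale(r):
    """Annualized loss expectancy: loss per incident times incidents per year."""
    return single_loss(r) * r.incidents_per_year


def rosi(r):
    """Return on security investment: (loss avoided - control cost) / control cost.

    Negative means the control costs more each year than the loss it prevents.
    """
    avoided = ale(r) * r.control_effect
    return (avoided - r.control_cost) / r.control_cost


def rank(risks):
    """Risks ordered by expected annual loss, largest first."""
    return sorted(risks, key=ale, reverse=True)


def pet_risks(risks):
    """Names of the proposed controls whose ROSI is negative."""
    return [r.name for r in risks if rosi(r) < 0]


if __name__ == "__main__":
    for r in rank(RISKS):
        print(f"{r.name:32s} ALE ${ale(r):>10,.0f}   ROSI {rosi(r):+.2f}")
    print("pet risks:", pet_risks(RISKS))
```

With these numbers the car alarm and the DLP purchase both come out with a negative ROSI, while the two unglamorous controls (patching and awareness) top the ranking by expected loss. The decision maker’s favourite sits at the bottom of the list precisely because the assessment was done on impact and probability, not on whose risk it is.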

Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.

By working together, we all become stronger.

by Ioana Justus

I received a response to my blog titled “End Users: IT’s biggest barrier to good customer service” that I found particularly interesting. The responder wrote, “Some users tend to think that IT is here to serve them. To a point we are, to keep computers/servers/printers/etc running and functional. However, some think that if anything has to do with the computer, then we should be the ones taking care of it. As an extreme example, that IT should be responsible for ordering paper, since paper goes into a printer, and a printer can be hooked to a computer, so it is up to IT to order it.”

Although this is indeed an extreme case, it’s an interesting example and it does bring up a valid point: is it sometimes not our job to provide service to the customer? And do we tell them this?

The answer is, as usual, it depends. The reality is that IT professionals are generally better paid than their business counterparts, and although having IT personnel performing non-IT tasks may occasionally benefit an individual or even a small group, it ultimately hurts the bottom line of the company. So sometimes, it really is in the company’s best interest for IT to not provide the requested service. That said, when faced with such a situation, telling the customer no or not providing the service is not beneficial, either.

So now what? Handling a situation like this really depends on who the customer is. I think there are three categories of customer here:

- A “general” customer – i.e., someone with whom you do not have a current relationship, and whose motivations are unfamiliar to you

- A “VIP” customer – i.e., someone with whom you already have a relationship that you want to build further, or a senior executive of the company

- A “repeat offender” – i.e., someone who is a known pain in the rear or who consistently circumvents the process

Let’s take a look at each case, continuing with the “IT being asked to order paper” theme…

For a general customer, it’s worth it to do some root cause analysis: why are they asking you to order the paper for them? I’d be willing to bet it’s because either they don’t know the official process, or because the process doesn’t work. If they don’t know the process, you can provide excellent service and build a new relationship by helping them learn. Don’t just do it for them – take a little extra time to teach them how to fish. If there’s a form to fill out, show them where to find the form, and help them fill it out. If there’s a person to call, provide the name and phone number of the person, and then call them for the customer. For the single instance, the added time does cost more than just doing it for them, but it will be more than made up if the customer doesn’t have to ask you again.

If, on the other hand, the customer is circumventing the process because it’s cumbersome or doesn’t work, then a little process re-engineering is in order. Depending on who you are in the organization, you may or may not be in a position to facilitate this yourself. In this case, help the customer through the red tape, and at a minimum escalate the situation to your manager and suggest some potential solutions. If you can effect change, be sure to follow up with the customer to let them know.

For a VIP customer, the initial action is just to order the paper for them. To improve the level of service for this group and be cost-conscious for the company, the best thing you can do is coordinate proactive ordering with the right person or department. If the paper replenishes itself, the VIP customers will be happy because they no longer need to worry about it, and they won’t have to ask you to place the order anymore.

In the case of a repeat offender, it may be worth it to do a root cause analysis. If the process is tedious, you could repair a not-so-good relationship by helping to improve the process – or at a minimum, you can get this person out of your hair. If there’s nothing wrong with the process and the person just can’t be bothered with following it, well, that’s why management gets paid the big bucks – to deal with people like that.

by Carl Anctil

How to avoid being a target?

The quick answer is to move all essential, business critical or operational workstations and servers to a less targeted platform. If you’re less of a target, then the likelihood of a compromise significantly decreases. That’s all, folks; simple enough, huh?

Okay, it’s not quite that easy, but let’s compare for the sake of it. We’re going to stipulate that all configurations, settings, installations, etc. on all platforms have been completed following best security practices and that everything is fully patched and secured. So what do we have left to do?

The Windows solution is the most targeted platform for both the home and the business user. In order to successfully deploy the Microsoft Windows operating system for use on critical systems, a considerable amount of maintenance and dedication is required. The fact that this platform is the most popular and the most targeted platform of them all makes attentiveness to this solution a must in order to prevent a compromise. Failure to do so is asking for trouble. The minimum required maintenance includes the following:

1. Keeping the OS fully patched.
2. Installing antivirus software and keeping it up to date.
3. Installing a software firewall for workstations at minimum.
4. Installing other various malware solutions and keeping them up to date.
5. Ensuring that third party software such as Java, Flash, Acrobat Reader, etc. are also all kept up to date.

These five steps are the bare minimum that is required to deploy an operational, critical system and to keep it safe. Anyone or any organization that is not ready or willing to spend the required amount of time and effort to continuously monitor and stay on top of this maintenance will, sooner or later, become compromised in some way. It’s simply a matter of time.
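As an added example (not from the original post), here is a PowerShell check that reports the state of each of the five items above on a single Windows host, so the "continuous loop" the post describes can at least be measured rather than assumed. It assumes a current Windows release with Windows Defender and the NetSecurity module available, and an elevated session; the freshness thresholds (30 days for patches, 7 days for signatures) and the list of third-party product names are illustrative choices, not figures from the post.

```powershell
# Added example: audit the five maintenance items on this host.
# Assumes Windows 10 / Server 2016 or later, Windows Defender, elevated session.
# Thresholds and product-name list are illustrative, not prescribed by the post.

$report = [ordered]@{}

# 1. OS patching: ask the Windows Update agent for software updates not yet
#    installed, and note the date of the most recent hotfix.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
$lastFix  = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
$lastFixDate = if ($lastFix) { $lastFix.InstalledOn.ToShortDateString() } else { 'unknown' }
$stale = $lastFix -and ((Get-Date) - $lastFix.InstalledOn).Days -gt 30
$report['1. OS patched'] = if ($pending.Count -eq 0 -and -not $stale) { 'OK' }
    else { "$($pending.Count) update(s) pending; last hotfix $lastFixDate" }

# 2. Antivirus: engine on, real-time protection on, signatures no older than 7 days.
$mp   = Get-MpComputerStatus
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
$report['2. AV current'] = if ($avOk) { 'OK' }
    else { "enabled=$($mp.AntivirusEnabled) realtime=$($mp.RealTimeProtectionEnabled) sigAge=$($mp.AntivirusSignatureAge)d" }

# 3. Host firewall: must be enabled on every profile (Domain, Private, Public).
$fwOff = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
$report['3. Firewall on'] = if (-not $fwOff) { 'OK' } else { "disabled for profile(s): $($fwOff -join ', ')" }

# 4. Other anti-malware: Defender's antispyware engine and its signature age.
$asOk = $mp.AntispywareEnabled -and ($mp.AntispywareSignatureAge -le 7)
$report['4. Anti-malware'] = if ($asOk) { 'OK' }
    else { "antispyware=$($mp.AntispywareEnabled) sigAge=$($mp.AntispywareSignatureAge)d" }

# 5. Third-party software: inventory installed versions of the usual suspects from the
#    Uninstall registry keys so they can be compared against the vendors' current releases.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$thirdParty = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|Flash|Adobe|Reader|Acrobat' } |
    Select-Object DisplayName, DisplayVersion
$report['5. Third-party'] = if ($thirdParty) {
        ($thirdParty | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
    } else { 'none of the listed products found' }

# Print one line per item; anything other than OK is work that still has to be done.
$report.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
```

Item 5 is deliberately only an inventory: a script can tell you which version of a third-party product is installed, but deciding whether that version is current still means checking it against the vendor, which is exactly the recurring effort the post is talking about.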

Or maybe it’s time for a change.

Moving your essential, business critical or operational workstations and servers to an alternate platform such as Linux, Mac or any other UNIX variant could possibly save a considerable amount of time and effort. Think about all the time it takes to continuously loop around the five steps above. Thought about it? This newly saved time could well be used to actually enjoy using a computer for work or play. Maybe this extra time could be better spent improving your business or customer relations. The fact is that a server or workstation that isn’t as much of a target will keep a significant amount of malware away. This is how computing should be – without malware.

Remember, these other platforms also have to be kept updated as necessary. However, they are not as continuously targeted. That’s the difference.

by Dennis Kuntz

Ok, a little disclaimer: This is not specifically an “information security” post (far from it, actually). But, like so many of the awesome posts from the awesome writers on this blog, what I say here can – no, should – be applied to more than just information security situations.

Back when I was in my mid-20’s, I lived in lovely Los Angeles. I would listen to talk radio quite a bit. One day, a guy I listened to fairly often, Dennis Prager, said something that instantly resonated with me. To paraphrase:

“Gratitude is one of the least recognized, and yet most valuable feelings we humans can have.”

Now, one of the reasons it resonated so quickly was that it echoed pretty much how I’ve always felt. I remember while growing up that my father pounded into me a couple of very clear behaviors, one of which was to be thankful.

Now, I have to admit that a lot of that teaching was couched in the concept of minding one’s P’s and Q’s – saying “please” and “thank you” and being very polite to adults. As I got older, however, saying those words over and over instilled in me the actual feelings – I was saying them because I was thankful. As I became an adult, it became very important for me to retain that politeness and respect in dealing with others – and it’s paid off.

Ok, so, I’m a polite guy (more or less) – so what, you might say – a lot of people are? Well, for one, a lot of people are not polite. That’s something that has shocked me as I’ve interacted with so many people through the course of my career and life. It’s truly shocking to me how many people lack general politeness. But this post isn’t about being polite; one of the things that makes being polite so easy for me is that concept of gratitude. To me gratitude is thankfulness that stays resident in one’s psyche – it goes beyond mere politeness.

As I thought about all of this, it occurred to me that gratitude doesn’t completely capture what just seems so darned important when dealing with others. It wasn’t until I got into management that I realized what was missing from what should be obvious: Gratitude needs to be coupled with humility. That’s where I decided to coin the phrase (royalty checks are enthusiastically accepted) “gratitumility” in a conversation I had with Michael Santarcangelo on a recent visit of his to Charlotte, NC, where I currently live.

Simply put, gratitumility is the concept of being humble enough to recognize the important contributions others have to make – whether it be acting in a contrary manner that teaches you how not to act (and/or how to be graceful in those interactions); to recognize what you do not know, and to know the value of that (which to me is one of the paramount traits of a person’s potential); to recognize the shoulders of giants on which one stands in doing whatever it is that one does; and at the end, being grateful for all of the opportunities that the results of that humility represent…so that you can do it over and over again.

Now of course, that’s an ideal. But striving for heights of gratitumility can lead you to take that verbal beating you just got from some “idiot” (be it a supervisor, customer, coworker, peer, etc.) and turn it into something that can change the course of your hour, day, week, month, career, and/or life. It can teach you to be patient with someone who otherwise might not merit such patience and to see them through to new levels of achievement. It can teach you to step back, and take stock of who you really are, what you’re doing, and how you treat virtually anyone and everyone. Really, the applications and situations are innumerable, and one of the best things is that practicing gratitumility makes you a better person, and puts you in a better position to deal with whatever happens to come along.

For a made-up word, I think that’s pretty cool.

by Trish Smith

As an avid blog reader, I often find myself wanting more information about the writers of the blogs I read. Most of the blogs I read are personal blogs, and so I learn most of what I want to know through the blog content itself. But on a professional blog, such as this one, you rarely read much about the writers. I know that the bios of the Security Catalyst writers do give you some information, but I’m sure you’ve caught yourself wondering, from time to time, just who we are.

In that spirit, I’m devoting this month’s blog posting to a little “Getting to know you (or rather, me)” session. Hopefully by the time you’ve finished reading this, you’ll know a little more about me and about why I became a Security Catalyst writer.

My computer experience began in 1990, when my high school installed a computer lab and began offering various programming courses. I quickly discovered that, although I wasn’t interested in becoming a programmer (a course in C++ confirmed it), computers could be very useful to me. Unfortunately, personal computers were still at a fairly early stage, and didn’t offer much by way of everyday usefulness. My first computer was a Commodore 64; I love to horrify my teenage nephews with stories about how we used to have to use tapes (which looked exactly like audio tapes) to store programs. It wasn’t unusual for it to take an hour for a game we wanted to play to download off the tape, frequently including some corruption of the data that forced us to repeat the entire process. Thus, at this point computers were (for me, anyway) still largely used for playing games and noodling around with BASIC programming (I can still write a mean program loop using IF – THEN). But I believe that by beginning my computer education as a kid, I didn’t cripple my quest for information with the fear that I might “break something” (which, in my experience, is the biggest barrier to most people becoming comfortable with computers).

My experience with, and exposure to, personal computing continued through college, where computers finally became fast enough and powerful enough to be more than just a toy. This is where they began to make my life as a student easier.

I continued using computers through graduate school, along the way graduating to a 386, then a 486, and then finally (finally!) moving to a Mac. You’d never know it from my devotion to Apple computers, but when I first began using Macs (spurred by a then-boyfriend’s proficiency in them and easy access to his then-blazing-fast laptop) I resisted them vigorously. It didn’t take me long, however, to discover their appeal, and barring some necessary forays into the world of Windows PCs for work (and to fix my husband’s PC from time to time), I’ve stayed with them ever since. One little-known secret: Apple computers are great for those of us with compulsive tendencies. When I owned a Windows machine, I was forever “cleaning up” my computer by deleting all the weirdly-named little files that were installed on my hard drive with new programs. Inevitably, the files I deleted were ones I needed to run some essential piece of programming. So the fact that Mac programs tend to be fairly self-contained is a definite plus for us OCD-types.

The other significant aspect of my experience on computers has been my “online” experience, or what the kids today call “social media” (and yes, that was said firmly tongue-in-cheek). I began my own social media exposure on Compuserve, in chatrooms and private IM. I remember the beginning of AOL (and oh, how we all loathed it then, too), and IRC, and even farther back, BBS’s. I have that to thank for my own lack of crippling awe over websites such as Twitter, Facebook, and MySpace.

So generally speaking, my comfort level with computers (and, by extension, with computer people/geeks/techies/what-have-you) was developed through years of exposure to computers, and through the realization that they really aren’t very intimidating at all (computers, that is; computer geeks are sometimes an entirely different story).

This is probably the simplest reason that I’m here, the only non-tech person writing in a sea of tech writers. I suspect I should be more intimidated than I am; but as I said, a long education in and exposure to computers have removed most of my sense of awe. Fortunately, they haven’t removed my interest in and fascination with them, which is the other reason I’m here. I see all of this as your benefit: My non-tech perspective on the tech world, my lack of awe, and my continuing fascination with and interest in computers are all characteristics I gladly use in service of you, our devoted readers.

[Image: detail of Seurat’s La Parade]

by Aaron Titus

Georges-Pierre Seurat was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called “pointillism.” His famous painting, La Parade, contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man’s profile.

This detail is the single best visualization of your “Data Self” I have seen. Your Data Self is a collection of your credit report, Facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Like pointillism techniques, which juxtapose contrasting dots to create vibrant masses of shaded tones, each piece of personal information is a single dot. Perhaps one is your address, your middle name, your pet’s name, or your favorite color. Maybe some represent your family, and others represent your friends or religious beliefs. Some represent your travels, magazine subscriptions, and purchase habits. Still others are intimate thoughts.

Taken individually or in small groups, they do not mean much – they may even seem to contrast or contradict one another. But all together they form your profile, or Data Self: A pretty good, but not 100% accurate representation of who you are. And this profile is exactly what data brokers, government actors, and marketers (among others) are trying to determine.

We leave trails of dots as we interact with others, especially online. As Gregory Conti, a computer science professor at the United States Military Academy at West Point, explained, “Free Web services aren’t free. We pay for them with micropayments of personal information.”

Since your Data Self is a digital alter-ego, with the power to enter contracts, grant access to your financial assets, have surgery, or commit crimes, you should actively shape and control access to your Data Self.

Hat tip: Daniel Solove

by Dennis Kuntz

Recently I attended a talk by Jennifer Jabbusch about the dangers posed by black hats exploiting all manner of wireless devices. The audience was mostly non-technical law enforcement, so the talk contained a little FUD by design to shake them a little as to the gravity of the threats. It was an excellent presentation that was well-received. During the 15-minute break before Jack Wiles was to speak about physical security, I overheard the officer next to me (he was there to “take advantage of the free training”) speaking with the business continuity guy on his other side. This is what I overheard:

“I don’t care what they [the black hats] do or how they do it. That’s what the technical guys are for. I’m glad I work in regular investigations.”

Now, my first thoughts were somewhat predictable: How could you not want to understand what, how, and why these guys and gals can do what they do? Wouldn’t that just help your job? With the increasing prevalence of electronic crimes specifically, and the increasing role wireless devices will continue to play in other crimes, how could you not care about this stuff? How could knowing more – of just about anything – not be something for which to strive, especially if you can apply it to what you do?

Now, I do not know this officer. He might be the laziest man on the force, and might skate by doing the minimum that’s expected of him. I honestly do not believe that to be the case. So, assuming that this was a skilled officer who cares about solving crimes and catching the bad guys, something struck me – what this officer was really saying was that he just wants to do his job. He doesn’t want to deal with anything that he doesn’t have to in order to solve crimes. Because if it’s something he doesn’t have to know or deal with then it takes time away from what he does have to know or deal with. He wants to be able to rely on the technical folks to do “their part” just like he wants the physical forensics team to do their part – and without him having to know about all of the ugly details.

What also struck me was that this was reality. Here was a real person, from real life, who considers having to know anything about technology – beyond what he needs to know to function – to be something to avoid. We encounter these people all the time in every industry. As “IT” folks in general, and “IT Security” folks specifically, what can we do to deal with people like this officer who just want to do their jobs without being overwhelmed by technology?

There are two primary things that we can do: First, we can educate people as to the benefits various levels of understanding of technology will have on what they are trying to accomplish. Does this officer need to know how to fire up Wireshark and rip into some packets to help him do his job? No, he doesn’t. But can understanding the ease with which black hats can commit crimes, as well as facilitate others’ illegal activity, help him have more insight into the crimes he’s investigating? I would venture to say that it absolutely will. We need to approach people like this officer with the understanding that they are, at the very least, unconvinced that this knowledge will be helpful, if not against it altogether. We need to tailor our educational messages in such a way as to help them see that they can attain the benefit of the knowledge without it having to be a complete jargon-and-acronym-filled head spin, and without it sucking up all of their valuable time.

But what about those who refuse to accept any benefit? That’s where the second item comes in.

Ultimately a good portion of our jobs involves providing an appropriate level of protection for whatever assets are our responsibility in such a way as to help the bottom line, or at least to impact it only as much as is appropriate. When we encounter people who refuse to take part or to help with this, we need to use innovation and creativity to protect the assets anyway. In the case of the officer, it’s just as he said – the technology guys (and gals) need to do their jobs. Would it help if the officer did know a little so that the knowledge about the case could dovetail between the groups a bit? As outlined above, yes, it probably would. But if that officer is doing his job, and that job doesn’t require his involvement in the technology pieces of the case, then we need to be the ones to step up and fill the gaps. Just as we might wish others would have a better understanding of what we do, it’s important that we do the same, because ultimately it matters more that things get done than who does them. If we can educate along the way, all the better.

by Ioana Justus

In my last blog, I talked about how to build trust with a customer, and the advantages of doing so. By building a relationship of trust, communication becomes more open, allowing the customer to feel comfortable sharing their needs, and allowing the IT service provider to better customize service and anticipate needs. This concept also extends to intra-IT interactions – or regular life interactions, for that matter.

Sociologists will tell you that humans are social creatures – even the most introverted of our species require interaction with others. There is also the concept of the “inner circle” – each person has an “in” crowd that they trust and want to interact with. Evolutionarily, having such a group ensured survival: the group protected its members and worked together to find food and raise children. The flip side of this evolutionary model is the rest of the world: If you’re not part of the inner circle, you’re not trusted and are thus treated with suspicion, prejudice, or even disdain. Individuals in your inner circle get the benefit of the doubt when they do something wrong, and you are compelled to help them through it. Individuals not in your inner circle are assumed to be malicious when they do something wrong, and you are compelled to be defensive and accusatory toward them for it.

It frequently surprises me how people assume that things in the IT or business world work so differently than they do in daily life, when there is actually little or no difference. We are the same humans with the same genetic make-up whether we’re home in our sweats or at work in our suits. Everyone knows that the best way to get a new job is to network with people at the target company, and many a manager has been accused of favoritism – Mary got a perk that I didn’t get because the boss “likes her better” (i.e., trusts her more) than me. Even security networks are built on trust (e.g., PGP): if I trust you and you trust John, then I can trust John.

So it stands to reason that if we can increase trust in the workplace, everything gets better: issues get resolved faster, there are fewer nasty surprises, there is greatly increased communication, and a strong desire to be inclusive. This then results in better collaboration between IT teams, which increases the sense of ownership that in turn decreases errors and improves the overall quality of deliverables. All of this makes the customer – and thus the boss – happier.

But how do you go about this? Theoretically, it’s simple: communicate and include. Practically, it’s quite a bit more challenging. Make it a point to build trust with your coworkers, especially where you know it doesn’t exist today. At work, your inner circle is most likely your immediate team. But you probably work regularly with other teams. Are you accusatory of them? Do you have a less than impressed opinion? Do you think they screw up or are sub-par? Do they point their fingers at you? Those are the individuals you most want to target. Be sure to have face-to-face meetings with them – it’s a lot harder to think someone’s a jerk when they’re sitting right there. When you invite them to the table, ask everyone (including you and your team) to leave their prejudice at the door. Talk about what’s going wrong openly and honestly, with the intent to fix the problem, not lay blame. This may take some time, but have the good will to keep trying, and consider engaging a practiced facilitator if needed (many people are naturally good facilitators, but if you need someone who has been specially trained, try looking in HR or the training department). Extend gestures of goodwill by inviting the other team to an outing (e.g., lunch or drinks after work) or to meetings that they should’ve been invited to but weren’t. Above all, really listen to their perspective and make an effort to see their point of view. It might take a while, but what you’ll notice over time is increased respect and much smoother workings between you.

It may be a bit pie-in-the-sky, but imagine if you had trust with every team you worked with. I guarantee you’d be a happier employee and you’d enjoy your job a lot more. You’d also get work done faster with higher-quality results, making your customers and supervisors happier, too. And in this tenuous economic climate of cost-cutting and down-sizing, that’s maybe as close to job security as any of us can get.

by Carl Anctil

I have been using Privoxy for many, many years. It was actually called the Internet Junkbuster when I was first introduced to it. In early 2000 when I started getting into security and privacy, it was one of the first tools I began using to disguise my user-agent string.

Modifying a user-agent string is a simple way to avoid malware infections from websites that use the user-agent string as a method to determine the browser type and version in order to infect or hijack a browser (most common with IE). I modify the user-agent string to this day. However, what I do now is pretty subtle. I add or remove a single dot somewhere within the string. This way, if someone quickly glances at logs, my new customized user-agent string doesn’t stick out like a sore thumb.

Another reason I like using Privoxy is to block banner ads. Especially today, with all the XSS vulnerabilities going around, this is a quick and simple way to eliminate this threat. I also believe in cookie management. Privoxy can be used to manage your browser cookies and how they interact with websites. You can block them altogether or modify them to force a particular behavior, such as whether they are session cookies or permanent cookies. I know this is possible from within the browser, but Privoxy offers many more options and more flexibility for cookie management. It’s really cool stuff once you get into cookies and how and why they work.

Privoxy is an effective tool for controlling tracking web bugs. Web bugs are tiny 1×1 images used to report back to a company (website) whether you have opened or visited a certain page. Once this 1×1 image is rendered by the browser, various statistics are sent back to the requesting server such as the IP address, date and time, browser version and type, etc. This information is usually sent directly to a third party which usually is an advertising company. But there are other uses for this technology such as by some services that will advise you when an email (including webmail) has been read.

Lastly, I like Privoxy because I can also control the referrer. When a connection is made to a website, the browser will let the web server know which URL it came from. This is called the referrer. With Privoxy it’s possible to modify or block the referrer string that is sent to a web server when a new connection is made. This way web servers think you browsed directly to the URL instead of arriving through a link on another site.

Privoxy is a proxy. It runs in the background. I install it locally on every computer I have. I have it run locally on the loopback interface, which is the default. The browser will need to be configured to use the local proxy for it to perform the necessary scrubbing. For myself, Privoxy is simply another tool or software like antivirus, antispyware, etc. It doesn’t matter whether I’m on Windows, Mac or Linux, I install and use Privoxy when possible.
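The four things the post uses Privoxy for (a fixed user-agent, ad blocking, cookie control and web-bug and referrer suppression) all live in its actions files, so here is one constructed configuration that does all of them; it is an added example, not the author’s own rules or anything shipped with Privoxy. The user-agent string, the ad-server patterns and the `.bank.example` exception are placeholders chosen for illustration; the action names, the `webbugs` filter and the loopback listen address are Privoxy’s own.

```text
# config  (Privoxy main configuration file; only the lines relevant here)
listen-address  127.0.0.1:8118      # loopback only: nothing off the box can use the proxy
actionsfile     default.action      # Privoxy's shipped rules
actionsfile     user.action         # the local overrides below
filterfile      default.filter      # ships the "webbugs" filter used below

# user.action  (Privoxy actions file; constructed example)
# Default policy for every site: a fixed user-agent, no referrer sent across sites,
# persistent cookies downgraded to session cookies, and 1x1 tracking images removed.
{ \
  +hide-user-agent{Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0} \
  +hide-referrer{conditional-block} \
  +session-cookies-only \
  +filter{webbugs} \
  +set-image-blocker{blank} \
}
/

# Known ad servers (placeholder patterns): refuse the request and hand the page a blank
# image instead, so the layout survives but no third-party script or markup is loaded.
{ +block{Banner ads.} +handle-as-image }
.ads.example
/.*/(ad|ads|banner)s?/.*\.(gif|jpe?g|png)$

# A site that genuinely needs persistent cookies and its referrer gets an exception.
{ -session-cookies-only -hide-referrer }
.bank.example
```

The browser still has to be pointed at 127.0.0.1:8118 for any of this to apply. Two caveats a practitioner would want: `conditional-block` keeps the referrer for links within the same site and drops it only when leaving, which breaks fewer sites than `block`; and whatever user-agent string is configured is sent on every request, so a value that matches a widely used browser release blends into server logs better than an invented one. These actions only touch traffic Privoxy can see in the clear; an HTTPS connection passes through as a tunnel unchanged unless Privoxy is built and configured for TLS inspection.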