When did that happen?
How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. Then one day you take some time, for whatever reason, to look and actually see. Typically the phrase “I don’t recall seeing that before” comes to mind in these situations. This behavior isn’t just limited to driving, but to any task we may do that could be considered mundane or repetitive. If this becomes commonplace in our routines, it can affect how well we perform our jobs, and potentially lead to critically missed opportunities.
Stick a Fork in it
Occasionally my family decides to have pancakes for breakfast, but more frequently we have them for dinner. My kids’ favorite of the three varieties I make is chocolate chip. I make three different kinds because you never know when someone is in the mood for one type, and if you make just one or two you are more than likely going to disappoint someone. In addition to the favorite chocolate chip, I also make blueberry and plain. Since the crucial ingredients are not thrown in until the batter is on the griddle, it is very easy to make “custom” meals.
Recently, my oldest son decided he likes both blueberry and chocolate chip. It seemed like any other meal, and we had just had pancakes the previous weekend. I made them the same way, all the while to the chanting of three little voices saying “we want chocolate chip” and one little tiny voice saying “dadadadada”. I brought the plates to the table full of pancakes and everyone claimed their favorites. As I was helping my daughter get some pancakes on a fork I heard a sudden surprised exclamation from my oldest son on the opposite end of the table. As I began to turn I could see a look of surprised laughter on my wife’s face. She was trying to hold it back, but as I completed the turn to look at my son I couldn’t help but laugh out loud. All over his face was blueberry, in little speckles indicating something had burst. “I just stuck my fork in it to cut it and it exploded” were his first words. The whole table burst into laughter and we continued to eat our meal, but with caution.
Take it In
When we talk about technology and information security, we know that the landscape for threats is always changing. A person responsible for maintaining systems could sing the horrors of having to make sure all systems are properly patched. Likewise, those who are responsible for monitoring threats to the technology receive new information continuously about areas most at risk. In this fast paced world we try to keep up, but find we are always one step behind. We are left to maintain and defend from the known, while someone plans the unknown. Do we just give up, throw our hands in the air and walk away? Perhaps we need to take in all that we have missed while fighting the fires of the day.
In the information security community, we need to put our fears aside and see all that is around us. Putting ourselves in the mindset of someone who wants what we have can make us feel uneasy but it gives us a new perspective. It helps us identify areas others might want to try as an attack vector, and then makes us evaluate the risk and implement a strategy based on the threat. I know that taking time away from our responsibilities seems like a fantasy, but what we may find is that we streamline our everyday tasks by attacking our own thinking. We marvel at how fast technology moves and lament when we don’t get the features we desire now. For all the lamenting, we tend to keep our thinking a few technologies behind. There will come a time, if we continue on that path, where something will blow up in our face. Better to take in what’s around us at least once in a while to see what we are missing. We might possibly get the upper hand.
An Information Protection Tool that Engages Employees
Information Protection Assessment Toolkit (IPAT)
I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.
Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.
Like all municipalities, Ballston holds information that should not be in the public domain. While there had not been a security problem to date, with no plan in place to protect this information, it was a possibility. They needed the IPAT program.
In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.
But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.
Harold doesn’t know of any identity theft that has occurred as a result of information provided by funeral homes, but it is possible, and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.
The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.
Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).
“Pre” Security Revival Tour Warm-Up
Greetings from Ocean City, MD! We came down here this weekend to spend our Easter Weekend with some friends. Having an RV allows us the ability to travel as a family for work and for pleasure. Now that we’re back on the road, I remember why I love these trips so much (even when I am working): I welcome the opportunity to stop the world for a bit, get outside, relax and unwind with my family.
As I look back on the last few months, I am excited about the ground we have covered and the opportunities that come before us. Thank you for your continued support. As we prepare to take some next steps as a group, I wanted to share with you some plans – both to get your feedback and to ask for your help.
April is proving to be an interesting month: several of the efforts I (and some colleagues) have been working on for the last year are “ready.” In addition to launching some new offerings and solutions, we’re taking the family on an RV adventure in April/May and gearing up for a “Security Revival Tour” in 2007, followed by a “Campaign Across America to Protect Information” for 2008.
I’ll share more details about the tour(s) and such in the coming weeks. I could use your help in selecting cities, helping to spread the word and maybe even guiding some logistics. In return, those that help will receive discounted or free training, coaching and the opportunity to spend some time together.
I need some help – Short Term
In two weeks, we are leaving Albany, NY and heading to: Nashville, Atlanta, Key West and Baltimore. We are currently planning the following schedule:
• Nashville (arrive Monday, April 23, leave Wednesday April 25 or Thursday April 26)
• Atlanta (arrive Thursday April 26, Talladega April 27 – 29, back to ATL 4/30 – 5/2)
• Key West (5/3 or maybe 5/4 to 5/8 or maybe 5/9)
• Baltimore (5/10 – 5/18)
Atlanta is hopefully going to see the launch of the SEN/Salon and some evening gatherings. I have a long stretch in Baltimore and could really use some help connecting and reconnecting with the various groups I have worked with there.
In each city, we’d like to offer the following programs:
1. Are you Making a Living, or a Life? (morning) combined with Career Compass Coaching (afternoon)
2. Speaking About Security (public, private or semi-private)
Where feasible, I’m happy to offer some professional keynotes to the organizations that are in a position to support my efforts (or otherwise are good groups and would help you or make a difference).
SCC members can take 10% off or select a BONUS coaching session. In addition, registered participants in each location are eligible to win:
- coaching session (value: $250)
- presentation makeover (value: $500)
If you can help, please drop me a note and I’ll send you more information on the different programs, etc. We are working to finalize our marketing plan this week, and then spending Q2 working to get all of our marketing and branding in place. We’re all close!!
Thank you for your help and continued support.
Programs
Speaking About Security
Are You Making a Living, or a Life?
Career Compass Coaching
Available Keynotes
Transform Your Awareness Program
Setting Your Career Compass
Into the Breach
Speaking About Security
Do More with Less and Have Less Stress!
Security Catalyst: Family Security Series Podcast, Episode 2 – Using a Non-Administrative User
You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
- why you should be using a non-administrative user account
- how to determine which type of account you are currently using
- how to create normal user accounts
- how to change to a regular user account
Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:
• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security + SME
• John Biasi
• Peter Clark, CISSP
If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php
The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(note: joining the community costs nothing – except your active participation!; we enforce a naming standard of using your full name. It helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)
Links and Information Mentioned During the Program
Least Privilege
In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege
Determine the current status of a user account
Two basic options in Windows XP
Windows XP: Option 1
• Start -> Run -> CMD (bring up a command prompt)
• type ipconfig /renew (this will be in the show notes)
• Limited Users will be given an error that access is denied. Administrators will be allowed to renew their IP address.
Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application
If you are a Limited User you will be presented with the option to change your picture or to click on Mail or User Accounts. You are limited to:
• changing your own password
• changing your picture
• setting up your account to use a .NET Passport.
If you are an Administrator you will be given the option to Change an account, create a new account or change the way users log on or off.
For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
Mac OS X
• System Preferences –> Accounts
• Right under the name it tells you the kind of account you have
Create a non-admin account
Mac OS X
• System Preferences –> Accounts
• Check that the lock is unlocked; if not, click it and enter your password
• click on the + sign
• Enter in the information, including a password
• DO NOT check (make sure you leave blank) the box for ‘Allow user to administer this computer’
Windows, pre-Vista
• Start -> control panel
• Select ‘User Accounts’
• Select ‘Create a new account’
• Type in the name of the new user account
• Select the ‘Next >’ button
• Select the ‘Limited’ radio button
• select the ‘Create Account’ button
You’re not done! Time to select a good password.
(We will go into details on good passwords in the future)
• You will be presented with a ‘User Accounts’ screen, with a ‘Pick a task’ option. Select ‘Change an account’ option
• Select the account you just created
• On the next screen ‘What do you want to change about Child 1’s account?’ select ‘Create a password’
• Then enter a strong password in the first two boxes and a password hint in the third box. Then press the ‘Create Password’ button.
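The same two tasks the podcast walks through by hand, as an added PowerShell example that is not part of the original show notes: it reports the type of the current account (group membership as well as whether the session is elevated, which is what the ipconfig /renew trick really tests), then creates a limited local account and verifies it did not land in Administrators. It assumes a local Windows account, the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later, not the XP the podcast covers), and a placeholder user name ‘Child1’.

```powershell
# Added example, not from the podcast. Assumes a local Windows machine with the
# Microsoft.PowerShell.LocalAccounts module; 'Child1' is a placeholder name.

# 1. Which kind of account am I using?
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
$Elevated  = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Group membership answers "is this an administrator account?"; IsInRole answers
# "does this session hold admin rights right now?" With UAC, an administrator
# account in a non-elevated window reports $false for the second question.
$InAdminGroup = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $Identity.Name })

Write-Host ("{0}: member of Administrators = {1}, session elevated = {2}" -f `
    $Identity.Name, $InAdminGroup, $Elevated)

if (-not $Elevated) {
    Write-Host 'Creating accounts needs an elevated session; nothing else to do.'
    return
}

# 2. Create a limited user: a member of Users and NOT of Administrators.
$NewUser = 'Child1'
$NewPass = Read-Host -AsSecureString "Password for $NewUser"

New-LocalUser -Name $NewUser -Password $NewPass -FullName 'Child 1' `
    -Description 'Limited (non-administrative) account' | Out-Null
# New-LocalUser does not add the account to Users on its own, so do it explicitly.
Add-LocalGroupMember -Group 'Users' -Member $NewUser

# 3. Verify: the new account must not appear in the Administrators group.
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($Admins -match ('\\' + [regex]::Escape($NewUser) + '$')) {
    throw "$NewUser unexpectedly ended up in Administrators"
}
Write-Host "$NewUser created as a limited user."
```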
Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)
• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May
• Baltimore/Washington/Northern Virginia (May 10 – May 18)
We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security
We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)
We are in the process of selecting cities for our “security revival tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com
Thanks for listening – now go make your user account changes and be safe out there!
Have you contributed to the survey? Here’s what you can learn
As we set out on this survey about messaging solutions, we had a hunch that spam was again surfacing as an issue. A lot of the vendors have been discussing the increase in spam. Apparently, we see it, too. So far, 84% of respondents have noticed an increase in the volume of spam or an increase in the complexity of filtering spam over the last six months. As a result, 63% are planning on or considering upgrading their messaging solutions.
This sort of information will be shared back with our community in an effort to help provide some support to the decisions we need to make. If you haven’t yet, please take five minutes and take the survey based on your experiences. We hope to wrap it up this week and provide some insights through the forums and community.
The Catalyst Community Forum Roundup; Connections Abound
It is important that the Catalyst Community be a comfortable and supportive environment that allows everyone an opportunity to ask questions, answer questions and have their voice added to the conversation. I was delighted yesterday when a member of our community approached me to tell me that it is working! He was able to get some guidance he needed and formed some new relationships with people who are now helping to mentor and guide him.
My friends, welcome to the Security Catalyst Community – a place to grow and make relationships that will improve your career! I believe that by using our full names in the forum, we have been able to develop a virtual resource that meets the needs many of us have felt in the offline world. The best part is that we have only just begun on many levels.
March saw a real explosion in terms of members and activity. The quality of posting, content and discussion is amazing and will absolutely contribute to your improvement. Like everything else in life, the more you put in, the more you get out. Here are some hot and interesting topics that you can contribute to today!
Presentation Ideas – At Risk Teenagers
Accreditation scheme for penetration testing companies launched in UK
Advantages/Disadvantages of working for a SMB or a Large Organization
Spinning up a Security Consult Business
IT & Security Magazines (and other paper publications)
What software is the world missing?
Where can I find GOOD statistics?
Fun/different awareness activities
Don’t see something here that is important to you? Come join the community and start a new topic. The entire community looks forward to learning from you and sharing in your passions.
PS: The forums are expanding again in the coming days. Look for an announcement shortly!
Family Wedding in Arizona means an opportunity for you and your company
I have an exciting opportunity for you and your team or organization.
I need to be in Phoenix, AZ for a wedding on March 31 and realized this is a great opportunity to do more work in the valley and meet more people. I am offering some fantastic incentives on my most popular keynotes and experiences. You could treat your team to a Spring Renewal with Are You Making a Living, Or a Life? This experience or keynote discusses how a positive vision can help them be more effective at work, reduce stress, and improve the quality of their time at home. Or take advantage of our new experience, Speaking About Security. This experience will help your group improve their communication skills and increase your success.
Here is a listing of the experiences and keynotes with incentives:
Experiences
- Speaking About Security
- Are You Making a Living, Or a Life?
- “Catalyst Session” – experience working with Michael in a way that infuses energy, passion and vision into your current efforts
Keynotes
- Transform Your Awareness Program
- Speaking About Security
- Are You Making a Living, or a Life?
- Into the Breach
Interested? Send me an email: securitycatalyst@gmail.com and we’ll arrange a time to speak. I need to lock in my tickets soon – so this is a first come, first to reap the rewards opportunity. I look forward to the chance to work with you.
reminder: informal meetup in PHX tonight, 7pm
Those of you located in Phoenix – we’re gathering at the Tilted Kilt, Tempe. 7pm. See you there.
More proof we need to change our approach
Like many of you, I have been a member of ISSA, HTCIA and plenty of other organizations. As I have developed my career, I have found value in working with other professionals, and continue to find places to network, etc.
Of course, this is why a number of us came together to form the catalyst community.
Anyway – I allowed my HTCIA membership to lapse. While I admire the group and their goals, when I moved to Albany, I was immediately disconnected, and as a result, didn’t want to keep spending the money for no return in value. I truly wish more organizations would start to understand that “meeting” does not mean everything has to happen in person. Many organizations would benefit from either creating an online community – or at this point, getting engaged and helping to grow the catalyst community.
So this evening, I got this email message:
Dear HTCIA Member,
Our records indicate that your 2007 dues have not been paid. If payment is not received prior to April 15, 2007, you will be required to re-apply as a new member in HTCIA. Renewals can be done via our website at htcia.org, or you may fax your credit card information or mail payment to the International Office address below. After this date, 2007 dues renewals will not be accepted.
Thank you for your cooperation in this matter and for your continued support of HTCIA.
Sincerely,
So why did I bother to post this?
A perfect opportunity was missed here to demonstrate to me the value of renewing – instead, HTCIA decided to take the tactic of telling me that by not sending in dues, I would be forced to reapply. Personally, I would have asked why I didn’t pay the 2006 dues… and then reminded me of some of the benefits and offered a telephone number to discuss what was going on, etc.
I read this message and instantly thought, “screw it.” I doubt that’s the reaction they wanted. But making me feel like an inconvenience to your organization doesn’t encourage me to want to stay. I still like and support the HTCIA – so this message isn’t about bashing them or suggesting that people not join. I think this is a great group and if you have a local chapter, you _should_ join. Yet this approach struck me as “the normal way of doing business” – and upset me. This message was focused on the HTCIA and not focused on me as a member – which is odd, since they are asking for money.
Is this how you treat your users? Are they inconveniences to you? Do you take the time to communicate in a way that meets their needs and demonstrates benefits to them (in their terms)?
Don’t make this mistake with your communications and opportunities to make a difference.
The return of the Security Round Table – and with OpenID
I should probably call this “what you need to know about OpenID” – along with some security. Dan York, Martin McKeay and I have re-invigorated the Security Round Table. Dan York led our February effort by doing some simply AMAZING research into OpenID – and really allowed us to explore and understand it better.
For the complete show notes, check out http://www.securityroundtable.com/?p=17. In case I wasn’t clear – if you have any interest in understanding OpenID – you will need to go see what has to be the most impressive collection of links I have seen yet. Dan York is amazing.
Our goal is to come together once a month to discuss and debate important topics in the practice of information security. Please consider subscribing to the SRT feed here: http://www.securityroundtable.com/?feed=rss2 or in Apple’s iTunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477
If you feel like discussing OpenID (or looking to find some positive and passionate security professionals), come discuss this in the Security Catalyst Community: http://community.securitycatalyst.com/forums/index.php
Here is the OpenID thread: http://community.securitycatalyst.com/forums/index.php/topic,46.0.html