How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. Then one day you take some time, for whatever reason, to look and actually see. Typically the phrase “I don’t recall seeing that before” comes to mind in these situations. This behavior isn’t just limited to driving, but to any task we may do that could be considered mundane or repetitive. If this becomes commonplace in our routines, it can affect how well we perform our jobs, and potentially lead to critically missed opportunities.

Stick a Fork in it

Occasionally my family decides to have pancakes for breakfast, but more frequently we have them for dinner. My kids favorite of the three varieties I make are chocolate chip. I make three different kinds because you never know when someone is in the mood for one type, and if you make just one or two you are more than likely going to disappoint someone. In addition to the favorite chocolate chips, I also make blueberry and plain. Since the crucial ingredients are not thrown in until the batter is on the griddle it is very easy to make “custom” meals.

Recently, my oldest son decided he likes both blueberry and chocolate chip. It seemed like any other meal, and we had just had pancakes the previous weekend. I made them the same way, all the while to the chanting of three little voices saying “we want chocolate chip” and one little tiny voice saying “dadadadada”. I brought the plates to the table full of pancakes and everyone claimed their favorites. As I was helping my daughter get some pancakes on a fork I heard a sudden surprised exclamation from my oldest son on the opposite end of the table. As I began to turn I could see a look of surprised laughter on my wife’s face. She was trying to hold it back, but as I completed the turn to look at my son I couldn’t help but laugh out loud. All over his face was blueberry, in little speckles indicating something had burst. “I just stuck my fork in it to cut it and it exploded” were his first words. The whole table burst into laughter and we continued to eat our meal, but with caution.

Take it In

When we talk about technology and information security, we know that the landscape for threats is always changing. A person responsible for maintaining systems could sing the horrors of having to make sure all systems are properly patched. Likewise, those who are responsible for monitoring threats to the technology receive new information continuously about areas most at risk. In this fast paced world we try to keep up, but find we are always one step behind. We are left to maintain and defend from the known, while someone plans the unknown. Do we just give up, throw our hands in the air and walk away? Perhaps we need to take in all that we have missed while fighting the fires of the day.

In the information security community, we need to put our fears aside and see all that is around us. Putting ourselves in the mindset of someone who wants what we have can make us feel uneasy but it gives us a new perspective. It helps us identify areas others might want to try as an attack vector, and then makes us evaluate the risk and implement a strategy based on the threat. I know that taking time away from our responsibilities seems like a fantasy, but what we may find is that we streamline our everyday tasks by attacking our own thinking. We marvel at how fast technology moves and lament when we don’t get the features we desire now. For all the lamenting, we tend to keep our thinking a few technologies behind. There will come a time, if we continue on that path, where something will blow up in our face. Better to take in what’s around us at least once in a while to see what we are missing. We might possibly get the upper hand.

I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.

Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.

Like all municipalities, Ballston holds information that should not be in the public domain. While there had not been a security problem to date, with no plan in place to protect this information, it was a possibility. They needed the IPAT program.

In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.

But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.

Harold doesn’t know that identity theft has occurred as a result of information provided by funeral homes but it is possible and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.

The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.

Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).

This sort of information will be shared back with our community in an effort to help provide some support to the decisions we need to make. If you haven’t yet, please take five minutes and take the survey based on your experiences. We hope to wrap it up this week and provide some insights through the forums and community.

Take the Survey Now (click here)

I need to be in Phoenix, AZ for a wedding on March 31 and realized this is a great opportunity to do more work in the valley and meet more people. I am offering some fantastic incentives on my most popular keynotes and experiences. You could treat your team to a Spring Renewal with Are You Making a Living, Or a Life. This experience or key notes discusses how a positive vision can help them be more effective at work, reduce stress, and improve the quality of their time at home. Or take advantage of our new experience Speaking About Security. This experience will help your group improve their communication skills and increase your success.

Here a listing of the experiences and keynotes with incentives:
Experiences
- Speaking About Security
- Are You Making a Living, Or a Life?
- “Catalyst Session” – experience working with Michael in a way that infuses energy, passion and vision into your current efforts

Keynotes
- Transform Your Awareness Program
- Speaking About Security
- Are You Making a Living, or a Life?
- Into the Breach

Interested? Send me an email: securitycatalyst@gmail.com and we’ll arrange a time to speak. I need to lock in my tickets soon – so this is a first come, first to reap the rewards opportunity. I look forward to the chance to work with you.

Of course, this is why a number of us came together to form the catalyst community

Anyway – I allowed my HTCIA membership to lapse. While I admire the group and their goals, when I moved to Albany, I was immediately disconnected, and as a result, didn’t want to keep spending the money for no return in value. I truly wish more organizations would start to understand that “meeting” does not mean everything has to happen in person. Many organizations would benefit either creating an online community – or at this point, getting engaged and helping to grow the catalyst community.

So this evening, I got this email message:

Dear HTCIA Member,

Our records indicate that your 2007 dues have not been paid. If payment is not received prior to April 15, 2007, you will be required to re-apply as a new member in HTCIA. Renewals can be done via our website at htcia.org, or you may fax your credit card information or mail payment to the International Office address below. After this date, 2007 dues renewals will not be accepted.

Thank you for your cooperation in this matter and for your continued support of HTCIA.

Sincerely,

So why did I bother to post this?

Perfect opportunity here was missed to demonstrate to me the value of renewing – instead, HTCIA decided to take a tactic of telling me that by not sending in dues, I would be forced to reapply. Personally, I would have asked why I didn’t pay the 2006 dues… and then remind me of some of the benefits and offered a telephone number to discuss what was going on, etc.

I read this message and instantly thought, “screw it.” I doubt that’s the reaction they wanted. But making me feel like an inconvenience to your organization doesn’t encourage me to want to stay. I still like and support the HTCIA – so this message isn’t about bashing them or suggesting that people not join. I think this is a great group and if you have a local chapter, you _should_ join. Yet this approach struck me as “the normal way of doing business” – and upset me. This message was focused on the HTCIA and not focused on me as a member – which is odd, since they are asking for money.

Is this how you treat your users? Are they inconveniences to you? Do you take the time to communicate in a way that meets their needs and demonstrates benefits to them (in their terms)?

Don’t make this mistake with your communications and opportunities to make a difference.

For the complete show notes – check out http://www.securityroundtable.com/?p=17  In case I wasn’t clear – if you have any interest in understanding OpenID – you will need to go see what has to be the most impressive collection of links I have seen yet. Dan York is amazing.

Our goal is to come together once a month to discuss and debate important topics in the practice of information security. Please consider subscribing to the SRT feed here: http://www.securityroundtable.com/?feed=rss2 or in Apple’s Itunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477

If you feel like discussing OpenID (or looking to find some positive and passionate security professionals), come discuss this in the Security Catalyst Community: http://community.securitycatalyst.com/forums/index.php

Here is the OpenID thread: http://community.securitycatalyst.com/forums/index.php/topic,46.0.html

Basically, he builds on the notion of the power of a “consumer” revolt. Then he argues that the answers aren’t boycotts, but taking your spending power somewhere else. His argument, which I whole-heartedly agree with, is that if you don’t like the RIAA, then don’t boycott CDs for a weekend, but shift to online music or something else. The point is subtle, but important – if you don’t take an action that has an adverse economic impact, your message or dissatisfaction will not likely be heard. If you keep spending your hard earned money at the place you are unhappy with – can you really be that unhappy?

Don’t get lost in the semantics on this one. I think the solution to the breaches we keep reading about is the same. We seem to be up in arms over the spate of breaches at TJX…. then we immediately wonder why nothing was done and if they get a pass on this one.

Well, i have more to say, but I think the punchline is the consumers have to vote. DSW breaches, they continue. Choicepoint breaches, they continue. TJX breaches, they continue. Why? Do consumers actually care?

See, I think that the “scale” of the problem is so large that we, as consumers, don’t know what to do. The average consumer doesn’t have the “time in seat” or experience to consider the implications. They know what they read. They feel outraged and helpless. Or they are apathetic, because “what else can they do?” So unless we guide them to proper action, nothing will change.

I was watching a local business show yesterday (which in Albany, NY, is truly something to experience). Anyway, they have a group called the GenNeXt council (and I catch hell for Security 2.0??). So they have two people on at the end of the program opining how great the local economy is (it isn’t) and how wonderful for our generation (again, I don’t see it) – then they issue this warning “It will go away if you don’t get involved. So… get involved!” I almost threw something at the TV. And you have to understand, I’m not like that.

But to tell me to “get involved” and not give me options, so me how or otherwise guide me? How absurd. Now, with me, I’m the sort that doesn’t really want to be guided. Hey, if I was, would I be a ‘catalyst’ — probably not. But give me something… and I can choose to follow, adapt or do something else.

How many times have you plain said “give me feedback” – to get nothing. But if you hand someone a page – they rip it to shreds with ideas? We are all easier to react to an idea, to a concept, to _something_ in front of us.

Well, it’s no different when it comes to discussing security and the actions we want people to take. As I write my book, “Into The Breach: Why Corporations Fail to Protect Sensitive Information – and What Can Be Done About It” — I am working to explain an approach that any business can use to reduce their risk of breach. At the same time, I am working to develop a toolkit for consumers; they need some guidance on HOW to take ACTION when their information has been breached.

If we don’t hold people accountable and demonstrate our disappointment in a way they understand (hit them economically) – then change is less likely. But just *telling* people to boycott or to change won’t work. Afterall, if people want cheap clothes, TJX is still a good option, right? We don’t change behaviors with words. We have to explain processes and lead the way.

The other day I was reading Photo Business News & Forum and was reminded that sometimes this works both directions. I think I’ve been conscious of this for a while now, and so far I haven’t done or said something in a lobby or hallway that came back to haunt me. I *have*, however, had some experiences in public places where I felt like saying something about someone’s behavior (and sometimes I have made some, um, suggestions) – and perhaps one day that will work against me.

As a speaker, consultant, trainer, sales person, etc., this is something we have to remind ourselves on a regular basis. I believe it extends deeper. Take this into the corporation – how do you act or what do you say heading to or from a meeting? Have you shared conversations about important projects on the elevator when strangers and guests are there? Worse, have you mocked users or colleagues when you thought nobody was looking? We’re all human and have dealt with emotions and situations differently. It’s common to want to talk out your experience, but I invite you to think more before you act.

Regardless, what we do in our protection of information is important – and how you act matters. Sometimes it’s nice to have even a simple reminder and I think that Watch What You Say and How You Act is a quick and well-written reminder.

Gen C make their own content. Gen C form strong communities, and care about communication. They want to be connected. Gen C take on broadcast media on their own terms: They get involved, and are happy to make their own celebrities. Gen C control their own lives; they’re happy with complexity and continuous partial attention. Gen C work and live creativity: they work in creative industries, don’t look down on making and crafting, and want to adapt mass market products in acts of co-creation.

Those of you shaking your heads right now, get past buzz words and instead focus on concept. This is exactly what the members of the Catalyst Community are doing. We are making a difference – and we need to bust out of the technology mindset. I’m amazed at how much I’m learning and growing – to the point where my brain hurts! I invite you to come join us. Be part of the positive change in security. Help spread the vision of hope!

He’s covered mind mapping a bit, and recently covered the beta of MindMeister – an online, collaborative mind mapping tool. He then ran a brief experiment to test it by asking some of us to contribute our answers to “what is the future of blogging.” You can see our final result here: Some Ideas about the Future of Blogging. It got me thinking… we should do the _same_ thing for security. As we focus on “security 2.0″ – or what I’m temporarily calling the “Catalyst Approach to Security.”

No Battle over Security 2.0

I want to make a quick comment on “Security 2.0.” Alex suggested a battle was brewing over the concept:

Third, Interesting “Security 2.0″ battles. By Security 2.0, I mean online InfoSec communities. There’s the Trusted Security Catalyst folks, and now there’s ISM-Community.org. They both seem to be in their infancy. There’s more action at TSC, but ISM seems to have more structure and purpose.

Personally, I’m all for the online community thing, even if I do hate the term “Security 2.0″. Vendor accountability, research accountability, open standards and efforts – they’re all good things. Let me encourage you to research these aveneues and use them to your advantage, in both giving and taking.

To be clear, there is no battle here. I have been looking for a replacement name now for a while, and the next best choice has yet to surface. That said, I like what I know about Mark’s approach and look forward to learning more. My approach to security is one of inclusion. I’m going to keep developing the approach to provide some guidance for how we can advance our practice of the art of information protection. I welcome anyone to join. Similarly, I look forward to the opportunity to learn about and support other efforts, too. I got the impression Alex and others want the same thing – and I’m convinced that by blending our efforts, we all advance.

To that end, I have asked the members of the trusted catalyst community to joining me in building out a collaborative mind map on: The Advancement of Security: Catalyst Approach

You are invited!

Based on what I learned from Grigor’s approach, I invite you to join us. I don’t know how many people helping is “too many” – so we’ll have to play this entirely by ear. I only have 18 invitations left, so if you want to participate, we’ll work a chain of invitations so you will have the opportunity. Interested? Send me an email with the email address you want to be invited with (and then check your spam filter – the mindmeister messages get trapped for some reason) to SecurityCatalyst@gmail.com. I’ll post some suggested rules for working on the map today or tomorrow.

I figure we’ll try this for a week, maybe a few days longer. If it works, we’ll export it and incorporate it into securitypedia (the community, publicly accessible wiki we are launching soon) for any authenticated member of the SCC to help modify. Ideas, comments and constructive criticism is always welcomed.

Read/Write Web: Google Apps Premier Edition Launches – One Small Step Towards Google Office

eWeeks’ Google Apps Premier Edition Takes Aim at the Enterprise
What I found interesting, though, is a general lack of discussion around the “security” of the application. If you’ve been reading this blog for a while, you may have picked up on how I’m focusing less on the word “security” and more on the concept of “protection of information.” I would posit the same holds true here. My colleagues in the security profession hopefully realize that the difference is largely semantics, but the concept of how to communicate what we do is much clearer when explained as “helping to protect sensitive information.”

So back to Google. Well, the focus is Google (today), but they aren’t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information…

I enjoyed reading Marshall Kirkpatrick’s piece in Tech Crunch, It’s G-Day: Google Launches Apps Premier. In fact, this is the first piece that I read (so perhaps not the first piece in general) that mentioned the security aspect. What I also liked is that it revealed to me (again, not sure if he was the first) that GE and P&G were signing up to be Google Apps customers. Now, often times in an announcement like that, it’s not the *whole* company, but some part of it. Either way, my reaction is “Are you kidding me?”

I don’t mean that as a shot against google, GE or P&G. But by suggesting a company of this size is going to put potentially sensitive documents on a shared drive (or in a shared, web-based location) that they do not control and cannot control, it just seems odd. By odd, I mean: how is this good for the protection of information? Oh, and if you think a *policy* about what can and cannot be stored there will stop someone – think again. See, I *do* believe in the power of the user, but a user just wants to get their job done. As such, if Google Apps (or *ANY* online application) makes their job easier, my experience suggests they will use it.

Now, when GE or P&G decided to go this route, I really hope that their security teams got involved in the evaluation. My instinct suggests otherwise, and that makes me shudder. If you know otherwise – drop me a line (securitycatalyst@gmail.com).

One major concern that hangs over the head of tonight’s news is the ongoing question of Google security. TechCrunch asked for months whether business users would or should trust Google Apps with sensitive business information given the regular lapses of security experienced by the company’s hosted services. See a timeline and discussion of those lapses in this post.

To break it down easy – there is no guidance for companies trying to decide if using Google Apps Premier (or any other service like it) makes sense when they are also obligated to protect information. I run a company. And we launched a community. In both cases, looking at online solutions (especially since both the company and the community have virtual/location considerations) is appealing. In both cases, we have opted to only use them in limited circumstances. We’re small enough that controlling the information outside our walls is a bit easier. So how does the average company decide if using Google Apps, Microsoft Live or Amazon’s S3 storage is a good idea — when it comes to protecting information (if they even consider that)? I have no clue – since we have no commonly accepted framework.

Let me be clear: I’m not suggesting that Google (and others) is not taking this seriously and providing security. Look beyond Google – especially with some of the new and exciting Web 2.0 start-ups. Is designing a system that is “secure” on the forefront of their mind? I don’t think is it for most…. yet. The implication then? Well, we saw with identity theft that while I could steal only your identity, it’s more lucrative for me to break into a system and steal MANY at the same time. So I believe it’s reasonable to consider then that as more of these services go online and more sensitive information is stored on them, the focus of attackers will shift. So while you “trust” Google, Microsoft or Amazon – that’s not good enough for me (or anyone, really).

Interestingly enough, I’m not the only one thinking like this, when Larry Dignan asks, “Will you trust Google with your data?”

When I talk about Security 2.0 (and I still need suggestions for a better name), this is precisely the second component: security professionals need to get engaged in the process of developing and protecting these solutions. But it goes deeper… we need to work as a community to develop a framework and a method to be able to assess these solutions and decide if they are acceptable for us or not. Think about it – no provider can effectively go through a myriad of audits *each* day just to prove they meet the requirements of specific company. Same time, I don’t accept the Trust-E seal or “hacker safe” logos. I’m not knocking them – they serve a purpose; but for a corporation to decide to leverage a service to store data… we need something more.

Aside: I know the name Security 2.0 needs to change. This isn’t about numbers and versions. It was named to build on the success of Web 2.0; the approach still leverages the power of social media to affect a new way of practicing the protection of information. It is about bringing power and ease of use/design to the user. It’s about building a new approach and developing new skills. In the end, this my humble offering for how to move from being on a security diet to having a security mindset. I’m open for suggestions for a new name; until then, we’ll call it the “Catalyst Security Approach.” Clearly, I need some branding help here:)

Now, I don’t like to pose a question without a solution. I believe that what we need in order to assess companies is what I am calling a “security wellness index.” My background is in economics – and this is an approach that blends security with economics, engineering, social sciences and the like. I have a brief 2-3 page overview and have started some discussions to have this research project funded. It’s probably a 2008 effort – but if you are interested, shoot me a note and we’ll talk. I’ll save more details for another post.

But we have solutions if we are willing to apply the time, brain power and energy to making them work. This is not a new problem to solve. We need to change our way of thinking and make sure that, as a community, we all engage and work to implement common solutions. I know, easier said than done – but if we don’t have the conversations and make it happen…

Oh – and since these new web-solutions work, our users will absolutely move to them whether we want them to or not. So ignoring or banning the use of these solutions is not a solution. We have to be proactive and get engaged if we hope to make a difference. If we don’t, we’re doomed for bolt-on security (at best) for another generation – and to me, that means we failed. Besides, how many of you have “banned” gmail at work? Did you see this great posting explaining how to defeat your attempts to ban it: 5 tips for accessing your blocked Gmail (lifehacker)? If something works better than what you designed, they will move to it. The protection of information, therefore, needs to be integrated from the beginning.

The protection of information is a cultural shift.

So we have an opportunity here. Google is a big company that seems to have an interest in Security. They seem to have attracted other large organizations (again with large, I hope, security teams). This is the perfect recipe for working to establish transparent frameworks to embed security into this Web 2.0 (and beyond) applications in a way that we can more readily assess their ability to protect our information and satisfy our corporate policies and goals.

If we ignore this, we do so at our own peril. If we use this as the catalyst to have the needed discussions about how to make this work, we advance on many levels. I’m willing to help, I want to be part of the solution. What about you?

So, what can you expect from this program?
- Our goal is to review questions and answer them monthly
- We will answer questions sent in by readers and listeners, across three basic types:

- career
- consumer
- business

- Depending on each show, we may not cover each segment (or we might be covering one topic across all three). We’ll see how it goes.
- We are also taking the time for each program to research the questions a bit, and then are combining our experience, opinions and research to provide what we hope to be useful and helpful information.
- Each show will list links (which you’ll see below).

Here is our disclaimer
This is our best effort. To really benefit from this experience, we invite you to get engaged in the process:
- if you see something we missed, join us in the discussion forum and chime in
- use our experience as a guide for your own decision making
- if you need more help, join the security catalyst community (note the naming convention of: Firstname.Lastname)

On this Episode (three questions)

1. “I was curious if you are aware of any resources for security study and job-seeking, as I’m entirely self-taught. At this point I scan the logs and read whatever I can on the web and industry rags. I do Windows but prefer linux for its stability – most of my tools are on the linux box. Pisses off my boss to no end Not bad for self-taught, but it’s time for a large pay raise” – Jeff

Links from our answer:
NSA as Centers of Academic Excellence in Information Assurance Education (CAEIAE) http://www.nsa.gov/ia/academia/caeiae.cfm
http://www.cnss.gov/full-index.html

A list of all CAEIAE insitutions and the areas they have certified in is available here http://www.nsa.gov/ia/academia/iacmap.cfm

CISA – www.isaca.org/cisa/
CISM – www.isaca.org/cism/
CISSP – www.isc2.org/
SANS – www.giac.org/certifications/roadmap.php
Norwich – http://www.msia.norwich.edu/insecure/

Join the discussion in the Security Catalyst Community:

http://community.securitycatalyst.com/forums/index.php/topic,95.0.html

and

http://community.securitycatalyst.com/forums/index.php/topic,116.0.html

2. “I’m looking for some topic ideas relating to some awareness initiatives here where I work. I know you’ve been asking for feedback on topics, and I was wondering if you’d share any of your findings.” – Jim

Special Offer: If you send me an email at securitycatalyst@gmail.com – I will work with you to survey your audience and provide the results to you to help you kick-start your awareness program. While I welcome the opportunity to explain some of our research, there are no strings attached. This is what I do for a living, and if it helps get our much needed awareness efforts kick-started, then I’ll contribute this to the industry.

Links:
Come discuss this with us in the forum:

http://community.securitycatalyst.com/forums/index.php/topic,41.0.html

Some other ideas for topics:
NIST 800-69, Guidance for Securing XP Home: http://csrc.nist.gov/itsec/guidance_WinXP_Home.html (** this is what we are using for the first 5 episodes of the FSS Podcast)
CERT Home User Security: http://www.cert.org/homeusers/HomeComputerSecurity/

3. “I have been researching antivirus software for too long and just keep going in circles. I cannot distinguish between different antivirus software vendors because of either their marketing hype, inconsistent reviews, FUD, etc. Is there really a quantifibable difference or is it just opinions? What are your thoughts on this and could you provide an antivirus suggestion? At this moment I am leaning more towards either Zone Alarm Security Suite, or Kerio and NOD32.” – Eric

Links
If you are looking for more information on how specific AV software did in testing, check out
- AV Test (www.av-test.org), independent testing lab in Germany
- CheckVir (www.checkvir.com), independent testing lab in Hungary
- ICSA Labs (www.icsalabs.com), one of the first organizations to start testing the claims of AV vendors, now part of Cybertrust (www.cybertrust.com)

For those adventurous types that are looking to run a few in house tests, here are some resources that might help
- The European Expert Group for IT-Security (www.eicar.org), Look for the “Anti-Malware Testfile” link on the main page

Free AV resources
- AVG Free – http://free.grisoft.com/doc/1
- Avira AntiVir Personal Edition – http://www.free-av.com/antivirus/allinonen.html
- ClamWim – http://www.clamwin.com/
- TrendMirco Free Online Virus Scanner – http://housecall.trendmicro.com/

Subscription AV resources
- CA eTurst Antivirus – http://www3.ca.com/solutions/Product.aspx?ID=156
- Symantec (number of different products for home/small to mid business/enterprise) – http://www.symantec.com/index.htm
- McAfee (same as symantec, differen products for different sectors) – http://www.mcafee.com/us/
- NOD32 – http://www.eset.com/
- Sophos (for businesses) – http://www.sophos.com/

Additional reviews
- AV Test – http://www.av-test.org
- CheckVir – http://www.checkvir.com
- ICSA Labs – http://www.icsalabs.com

Recently, there was a flurry of postings about the value of using LinkedIn to build your personal and professional networks. If you have not yet heard about or used LinkedIn, you can learn more here: http://www.linkedin.com/static?key=company_info

From their website:

When you join, you create a profile that summarizes your professional accomplishments. Your profile helps you find and be found by former colleagues, clients, and partners. You can add more connections by inviting trusted contacts to join LinkedIn and connect to you.

Your network consists of your connections, your connections’ connections, and the people they know, linking you to thousands of qualified professionals.

I learned about LinkedIn a few years ago and created a profile. At different times, I have worked to update my information, and am currently working to improve what I have there now. You can check it out here: http://www.linkedin.com/in/securitycatalyst

I’ve talked to many security professionals about using LinkedIn – and we seem to be something of a split bunch. Many I know confidently use (and some swear by) the effectiveness of LinkedIn. Others cite concerns over privacy and security and refuse (or have yet) to use it.

Do you use LinkedIn? Why or why not?

LinkedIn to generate answers for business people?
Yahoo! Answers has been considered to be a complete success. Even presidential candidates have used it! Perhaps driven by the success of Yahoo! Answers (or perhaps on their own accord), LinkedIn recently created an “answers” solution – focused on the needs of business users. When this announced this, it caught a lot of media attention.

Check out LinkedIn Answers here: http://www.linkedin.com/answers

It was one of the developments that sparked my interest, but I have yet to really follow up on it. I do believe that having a cadre of security professionals available to help provide some guidance to others would be a benefit to businesses, so I hope more of us work through this solution and get engaged.

The Good: How LinkedIn Can Help Your Security Career
Admittedly, I have yet to really explore or “tap” into the power of LinkedIn, I can see where if I was looking for a position, looking to make connections or otherwise grow a network, it could be useful. I’ve put it on my expanding list of things to research and use more in 2007.

It’s also useful for connecting with lost colleagues and old friends. More than once, I have noticed that someone I am connected to is connected to a friend. Through this, I have been able to reconnect with some good friends.

Guy Kawasaki recently wrote and excellent post about how to leverage the power of LinkedIn. You can read it here. http://blog.guykawasaki.com/2007/01/ten_ways_to_use.html

Guy explains 10 ways that you can use LinkedIn, and if you currently or plan to use it, this is entirely worth the read. I might also suggest that if you don’t regularly read and learn from Guy Kawasaki, you’re missing out.

The Bad: Where LinkedIn Can Ruin Your Security Day
The irony of social media is that sharing information (or too much information) can lead to some creative and highly effective attacks. The main concern I see is the benefit to social engineers.

Think about it. Many people who list profile information (and select to make it publicly available, of course) will choose to list the companies they have worked for, the positions they have held – and many who are not security minded list project names and other information that would be a total score for an attacker.

But it gets better (or worse), since now they also see who are you linked-to, or what connections you have. If an attacker takes enough time, they can piece together a lot of information and wage a successful attack.

With that in mind, take a minute and consider the work you do and the people around you. Now, think about this: do you have people in your organization that could be poached away because of their linked in profiles?

Seriously. I have found that LinkedIn is fertile ground for recruiters. Well, your competitors know this too. How much damage would it cause you if one of your key employees were courted away – entirely legally!!

So it LinkedIn good or bad for security?
As we know from the practice of security, there are no absolutes. I think that the use of LinkedIn should be a personal decision (which most of you probably already know).

I would suggest that if you are aware that your users are using LinkedIn, you should review your security policy to ensure it covers posting company information to public websites. And then we need to find a way to teach our users about the dangers and risks, educate them about our policies and then help them find effective ways to use LinkedIn without putting your company in unnecessary risk.

My Choice and How I Use LinkedIn
I chose to use LinkedIn. I try to be careful about the information I include in my profile, but as a business owner and professional speaker, it’s to my advantage to be more visible.

As a rule, I don’t link to people I don’t know (or haven’t heard of). That said, if you want to link with me, please let me know a bit about you and that you listen to or read the Security Catalyst and we can connect. Check me out at: http://www.linkedin.com/in/securitycatalyst

Come discuss this with me and the other members of the catalyst community: http://community.securitycatalyst.com/forums/index.php/topic,83.0.html, and we can debate if it makes sense to start a Catalyst Community Group for linked in? I’d also like to know what precautions you take and how you have advised your users to be more effective and more secure.

During that journey, I interviewed the team from punchscan, and as you know from the two interviews I conducted with them, have become a believer in this approach. Open-source voting! Step back and think about the implications of a system that allows you to review the code, provides you a receipt of your vote that doesn’t reveal your vote (but can be used to verify) and includes a verification process. For me, this is exciting!

As I have encouraged each of us to learn more and support the efforts of punchscan, I have also donated some time and expertise to their efforts. They are busy, as a team, working to get some larger voting efforts to use their solution. I suspect we will hear more from them in the future.

Recently, they were the subject of a feature in the IEEE spectrum, and I thought you’d be interested in reading more, in case you hadn’t seen this already.

http://www.spectrum.ieee.org/jan07/4817

And the ever-so-popular ‘ballot picture’: http://www.spectrum.ieee.org/jan07/4817/nevotef2

There is much to be learned from their processes and developments, as much as we have much to share and contribute.

Way back in 1971, Walt Kelly had a cute cartoon called “Pogo.”  On earth day of that year, Pogo said something profound, “We have met the enemy and he is us.”  It’s just as true today that the largest threat to any human is themselves.

In her blog, “What comes after usability?” the author, provides a User Hierarchy of Needs to reach the nirvana of a development model where the user is king.  She’s missing a key element that Pogo realized 36 years ago; users need for safety.  No matter how usable a product or service, if it’s missing appropriate protection mechanisms it won’t be fully utilized.

I reference two points from history for my argument:

1.  Maslow’s Hierarchy of Needs.  Safety and security needs are second only to the needs for physical survival. The information age has not changed this basic premise.

2.  Saltzer’s and Schroeder’s Design Principles. This groundbreaking article was written in the mid-70s and gives a basic yet timeless approach in designing protection into a computer system.  The Design Principles are simplified here:
•    Economy of Mechanism – Keep It Simple (KISS); The product should have a simple and small design.
•    Least Privilege – A subject should be given only those privileges necessary to complete its task.
•    Fail-Safe Defaults – The default action should be to deny access to the asset and grant access only when explicit permission exists.
•    Complete Mediation – Check every access to every object.
•    Open Design – Security should not depend on secrecy of design or implementation.
•    Separation of Privilege – Requires multiple conditions to grant privilege.
•    Least Common Mechanism – Users should share the protection mechanism as little as possible.
•    Psychological Acceptability – Security should not add to difficulty of accessing the resource.
These principles of secure design underlie all security-related mechanisms.

We all need protection measures to be built into applications, often to prevent our own stupidity. Developers need to add it to the User Hierarchy of Needs.  Most of all don’t try to ignore it or save it for later because there’s no ROI. By having the protection mechanisms baked-in, it protects our greatest enemy – ourselves.

By working together, we all become stronger.
Catalyst Note: If you’re not currently reading “Creating Passionate Users” by Kathy Sierra, you should be. As we shift to the Security 2.0 mindset, she’s clearly ahead of the curve and puts a lot of quality out there for us to digest and incorporate.

Since last night was my parent’s last night here (on this trip), they invited us to join them on the wharf to listen to some live music and enjoy a quiet family dinner. They suggested we try the Conch Republic Seafood Company.

We watched the sunset celebration, then walked over to check the menu and get a table. We liked the fact that the music seemed decent and they weren’t too crowded – which meant getting a table for six should have been a snap. But not only did we learn that they didn’t want to seat us, turns out they are also prime candidates to CAUSE identity theft or credit card fraud!

My Mom went over to get us a table. The hostess bluntly informed her that it was a forty-minute wait! I don’t buy the wait, but that’s not a problem. What transpired next in incredible to me…

The hostess proceeded to inform my mother that if we wanted our name on the list to wait for a table, she needed to leave her military ID with them. My Mom immediately declined, because, as she said, “It just didn’t feel right to me.” And good thing, too. I don’t think that leaving Military (or any) identification with people you don’t know in public places is a good action for anyone to take.

So when my mom declined, the manager came over to get involved, declared her status as the manager and explained that they only way we would get a table was to leave the military ID (note, no offer to leave a driver’s license) or a valid credit card. Valid? Credit card?

Now I don’t know about you, but I have traveled the world and traveled the US extensively. This was the first casual dining restaurant where my party of six was asked for a credit card or military ID to even get our name listed on the wait-list for a table!

Needless to say, it upset my mother and father and we decided to leave. I was really proud of my parents that they instinctively knew that this was a bad request and to walk away. As a former restaurant professional, I was embarrassed for the manager and her poor conduct – she not only violated the laws of common sense, but she caused a party of six to walk out of her restaurant without spending any money at all. That’s a big loss for a restaurant with open tables.

Even in paradise, some people don’t get it when it comes to identity theft. There is no reason to ask for an ID card or credit card for a table.

It has occurred to me that if anyone reading this is stationed at Naval Air Station Key West, you may want to issue an alert to the base that this sort of behavior has been spotted and is not to be tolerated. I cannot imagine the negative impact of having a military ID stolen or compromised. If you’re in the military in a position to communicate this up, feel free to contact me for additional details. But at a time of 100% ID check, this sort of behavior in the town cannot be condoned.

In the future:

1. I strongly suggest avoiding The Conch Republic if you visit Key West. We found plenty of other restaurants that appreciated our business and provided excellent food without risking our identities or being ungrateful in the process. If you need some recommendations, send me an email. Going there and rewarding their behavior only means it is a matter of time before someone gets compromised by their antics.

2. TRUST YOUR INSTINCTS. If someone makes this sort of an absurd request, walk away. No restaurant is worth your identity or credit card fraud. In fact, one of the two times my credit card was compromised was at a restaurant (the other was a limo driver). Did you know the average victim of identity theft (not credit card fraud) pays $6600 out of their own pocket? That would be an expensive dinner!

3. If you are with an organization that provides a service, don’t make this mistake. Think before you act and consider the information you are requesting. Most places that ask for a form of identification or credit card don’t really need them.

Well, I’m off to celebrate another sunset. I hope your transition back to work has been smooth.

1/11/2007: Here is a quick update/clarification from my mom:
There is one point of clarification.  I believe the woman did ask first for my license, and when I told her I only had my military ID, she requested that.  I thought I was only showing it to her, but when she reached for it, I took it back and told her she could not have it.  After that, the manager intervened and requested my cc.  None of it makes sense to me yet, but I like the way you put the story out there including the reasons why it is a potentially dangerous practice.
This doesn’t really change my stance or attitude, but it explains the request for the military ID. Cleary, we have our work cut out for us in 2007. Spread the word!

How does Secure Sockets Layer (SSL) protect me?  Well, unless you understand network traffic, encryption, and web applications then you probably do not know the answer to this question.  Fortunately, if you are reading this you probably do understand how SSL works as well as the benefits and problems in its design.  If you do understand I want you to do something when you finish reading this article.  Stand up, step outside your office or cubicle so that you can see other people, and ask yourself if those people understand how SSL is designed to protect them.  Notice anybody who does not?

Here is where the Trusted Catalysts challenge you.  We would like you to walk over to a person, or better yet, get a group of people together and have a group discussion about this technology.  To facilitate this conversation here are a few points to help you:

•    Keep the conversation simple; avoid getting too technical, and do not talk down to anybody who does not understand.  They will when you are done, so be patient.  If you are in a group let others interject with their experiences and anecdotes.  Group discussions are always better learning environments.
•    Describe how SSL is a shared secret between their browser and the computer at the other end of the connection.  Although the traffic will flow through other computers and devices on the Internet the only thing they will see is a bunch of numbers, letters, and characters that do not make sense.  Show them how to look for the “https” portion of the URL within the browser’s address bar.
•    Explain that although the communication is protected the data stored on the other system might not be given the same consideration.  Suggest that they only provide information to sites that they specifically trust (double check those URLs).  Also, emphasize that if they are prompted to permit the storage of their personal or credit card information they should NOT allow it.
•    Talk about sites whose certificates produce an error window which will require end user interaction to continue.  Let them know that they must read the message to determine if they would like to continue with the transaction.  A good example site for demonstration purposes is the Center for Internet Security.  When you navigate to https://www.cisecurity.org the error window pops up because they are using the certificate that has been validated for the SANS.org domain.  Not a problem here but it IS a problem if you are unfamiliar with the site.
•    A good way to finish the conversation is to cover what to do if a person feels bad about a transaction.  Talk about how these people should immediately contact their bank or credit card company and talk to them about the situation.  These companies usually have very helpful departments dedicated to protecting accounts from fraud and monitoring them for strange or unauthorized behavior.

Now, don’t you feel better about yourself?  You have become a catalyst within your environment.

Go forth and do good things,
Cutaway

For this post, let’s ignore my thoughts (read: strong bias) that information security is about reducing the overall risk to information within an organization to acceptable levels (read: NOT about technology). Okay, perhaps that was a bit more like “announcing” my thoughts then “ignoring” them, but let’s just move along.

In The Daily Incite – November, 29 2006, Mike Rothamn mentions this question posted on Dr. Anton Chuvakin’s Personal Blog,”So, what do you think security is about: Fighting nefarious hackers or protecting information.” As you can tell from the opening paragraph, I personally lean toward Chuvakin’s option B.

However, many people that I talk to, both security professionals and non-security professionals, agree with Chuvakin’s option A. There are many valid reasons for holding this view. For example, unprotected computers tend to last mere minutes before compromise on the Internet and news reports are often filled with stories of nefarious hackers causing untold amounts of damage. Even the 2005 E-Crime Watch Survey seems to backup the choice of option A.

According to the survey findings, only 20% of attacks came from insiders while 80% came from external hackers. Normally, a discrepancy this large doesn’t require additional discussion. After all, a 4-to-1 ratio is simple enough to understand. However, looking at what attacks insiders launch versus what attacks hackers use against organizations, reveals a different picture altogether.

Here are a few of types of crimes that insiders were more likely to commit then external hackers:

• Rouge Wireless Access Point (72%)
• Theft of Intellectual Property (64%)
• Exposure of Private or Sensitive Data (56%)
• Theft of Other (proprietary) Information (55%)

In addition, insiders almost as likely as external hackers to commit Unauthorized Access to Information, Systems or Networks (54%).

Compare this with the crimes external hackers were most likely to commit:

• Phishing (92%)
• Web Site Defacement (92%)
• Spyware (89%)
• Illegal Generation of Spam E-mail (89%)

[This information can be found on page 19 of the 2005 E-Crime Watch Survey’s Summary of Findings]

While the sample size, around 550 organizations, for this survey is too small for specifics to be drawn, a few generalities become apparent when looking at the information above. Hacker attacks, according to these findings, seem to be aimed at computer users (with spam, phishing, spyware, etc.) and technical infrastructure (web site defacement). Insider attacks center almost exclusively on attacks to an organization’s information through theft, exposure and unauthorized access.

The problem with Dr. Chuvakin’s option A, then, is that it ignores the threats to organizational information posed by the very individuals that have authorized, unfettered access to the very information they are attacking. This authorized access to much of the organization’s information is exactly why malicious insiders are so dangerous to an organization. Unlike external hackers, insiders do not have to spend countless hours footprinting an organization to look for open ports that might lead to a way in; they simply need to enter their designated password. Insiders also do not need to delve through computer after computer hoping to find some valuable information; they already know where a good bit of critical or sensitive information is stored.

Insiders do not even need to be disgruntled or have ulterior motives. Valid access to vital information means that even simple mistakes by insiders can have serious impacts on an organization’s information assets. For example, here are just some of the accidental employee mistakes that can end up costing an organization: missing a decimal point in a spread sheet, storing critical files locally with no backup, or perhaps misplacing a laptop or PDA with critical and/or sensitive data.

None of this should be taken to mean that organizations should no longer worry about external hackers. Quite the contrary, external threats remain as valid as they ever have with computer systems. Instead, organizations need to understand that there are many threats to information coming from inside the organization. Insider threats can no longer be ignored simply because there is also an external threat.

Here are a few things organizations can begin to do to help protect against insider threats to information:
1. User training help organizations teach employees how to properly handle information assets. (See Joe Knape’s “What We Have Here… Is A Failure To Communicate” post on starting an effective user awareness training program)
2. Internal control programs help organizations create organizational policies and procedures dealing with approved ways to access, store, archive, and disseminate information.
3. Annual information audits help organizations identify where current employee behavior differs from established policy and procedures, exposing information to risk.

Larry Seltzer’s article “The New Attack Pattern” states that “things are getting better for the average user over time.” At the same time, several other authors state in a fairly lucid manner that users didn’t feel a whole lot more secure in 2006.

To make matters seemingly worse, according to most would-be fortune tellers, 2007 will see an increase in the number of application based 0-days, attacks on mobile phones will become more common, and incidents of identity theft and data loss will increase.

So which is it? Are we more secure and just don’t know it? Are we not more secure but living in ignorant bliss? Or are we on the edge of a digital precipice?

As Mike Rothman alludes to in his December 13, 2006 post, “Narrow and Targeted in 2007”, the answer is: D, all of the above. Of course, the real crux of the matter is how ‘we’ is defined.

Now, if “we” means the typical user in a typical large company then the answer is…yes — things are getting better from the perspective of the negative impact of “security” incidents such as virus outbreaks, DoS attacks, etc. People, processes, and technologies are all maturing and adapting to confront these issues (it may not be pretty if you’re behind the curtain but that’s another post).

If “we” means the typical user in a typical small-business or single employee company then the answer is…maybe. While the threats to SMBs (small and medium sized businesses) aren’t that much different from those faced by larger enterprises, the people, processes, and technologies are just now being revamped to address the specific careabouts and issues that are specific to SMBs and will continue to mature throughout 2007.

Finally, if “we” means the typical home user then the answer is…no, things aren’t getting better, in fact they’re probably going to get worse before they get better. Home users are more and more the target rich environment of choice for nefarious groups and individuals. The average home user doesn’t have (or isn’t willing or able to allocate) the resources (be it the time, skills, or even the desire) to protect themselves from these new levels of attack.

So what is the bottom line?

The risk may be to our businesses but the threats are not.

The threats we face and need to prepare ourselves to address are not business, or for that matter, technology based. The threats are targeted at users. If you step back, it’s clear that those home users, when it comes right down to it, are the same people that are users in the business environment. They are the employees, the managers, the salespeople, the presidents, and the owners.

Our methods, tools, and techniques have to span boundaries. We have to stop focusing on “this threat”, or “that application”, or “those users”. We have to crawl out of the gopher hole and broaden our vision, not narrow our focus.

As we wrap up another year of learning, improving and adapting, here are three things to think about for 2007, to help combat the growing and shifting nature of our threats:

1.    If you could tell every one of your peers, coworkers, bosses, etc. one thing that you believe would make them smarter users, and therefore more secure online citizens, what would it be?
2.    If you could make the security technology industry aware of one opportunity that you think they are missing the boat on, what would it be?
3.    Are you telling them? If not, why not?

For this episode, I had the chance to interview four of the team members (by Skype) to discuss their involvement, how the system works, the implications and what the next steps are.

Coming up, we’ll visit with the Punch Scan team again to dig a bit deeper and more technically into the solution. I’m also working to contact someone at Black Box Voting to speak with them about lessons learned and how our industry can get engaged to help.

Comments, ideas are welcomed!

Last week I had the pleasure of spending a Sunday afternoon watching football and eating pizza with Michael and his family. During one of our discussions, Michael mentioned a recent USA Today article he came across on new “Homeland Security” degrees that many colleges and universities now offer. Knowing that I am currently pursuing a Master’s Degree from Norwich University, Michael wondered what I thought about this new degree.

Let me state from the outset that, as someone with an excessive amount of education (one associates, two bachelor’s and an upcoming master’s degree), I believe that higher education is a good thing. However, the particulars of the “Homeland Security” major seem a bit off to me. According to the article, this new degree allows students to “do everything from create emergency management plans to design gas masks.” I will allow everyone a moment to let that last statement sink in.

Ignoring, for a moment, that designing gas masks and creating effective emergency management plans require an individual to have two completely different skill sets and aptitudes, is there any job in existence that requires a candidate to be fluent in both these areas? Yes, engineering, emergency management, language skills, cyber-security, international relations, and many more fields are all very important aspects of Homeland Security. However, it is unrealistic to believe that anyone would be able to master these diverse fields by the time they achieve their PhD with multiple years of work experience, let alone an undergraduate degree. The field itself is simply too broad.

So when organizations hire individuals with this type of training, these individuals might have a passing familiarity with most of the Homeland Security concept. At best this individual will have one or two areas of core strength and a shallow understanding of the rest of the field. While this is not necessarily a bad thing, wouldn’t this individual be better served by a bachelor’s degree in their area(s) of strength and perhaps a minor, concentration or certificate showing a base understanding in the area of Homeland Security? This way an individual with a public administration degree could still do emergency planning for Homeland Security, but would also have options should they choose pursue employment outside of emergency planning. The same goes for an engineering student that is fed up with designing gas masks.

In addition, the strength of Homeland Security, much like the strength in a good Information Security program, comes from the various viewpoints of those involved. A single individual’s viewpoint of a topic is just that, singular. No matter how hard they try, a single individual will never be able to see all aspects of an issue. This means that no matter what our education level, what our experiences, alone we will never see the whole picture.

However, by gathering a number of individuals that have different backgrounds in areas relevant to the topic at hand (Homeland Security), we can gain a much better understanding of the issues. For example, pulling together a team composed of engineers, emergency planners, border guards, intelligence individuals, etc, gives a Homeland Security team multiple viewpoints from multiple subject matter experts that have dedicated their lives to a single area of expertise and therefore bring a unique understanding to the team.

The need for this type of in-depth experience on a broad number of subject areas is why a degree in Homeland Security does not make sense. As the article points out, government agencies are looking to hire individuals in Homeland Security roles with expertise in technical areas as well. I find it very hard to believe that a student will gain this type of expertise in one of these new Homeland Security programs.

I understand the appeal these Homeland Security degrees have. After all, one single degree offers the allure of being able to make a difference, helping the country and studying current hot topic areas. However, I strongly urge any student interested in Homeland Security issues to take a more traditional major such as political science, international relation, engineering, computer science, information security, etc. and perhaps minor one of these “Homeland Security” programs if they wish.

Another option colleges and universities might wish to consider is creating concentrations in Homeland Security aspects for degree fields where there is a need. For example, a political science degree with a concentration in Homeland Security, or an engineering degree with a concentration in important areas to Homeland Security. This option allows students to gain a strong understanding of a career field while also learning how to apply this field of student to Homeland Security issues.

The added benefit to the students, again, is that these students have multiple job opportunities when they graduate. It is import for educational institutions to make sure that the student’s best interests are kept in mind with these new “Homeland Security” degrees and that it does simply become about gaining federal grant money. Incorporating Homeland Security concerns into more traditional degree fields or creating a minor in Homeland Security issues does just this. Not only will colleges and universities help arm students with the knowledge to better assist securing the country and ensuring the safety of its citizens, but they will be arming students with traditional degrees which translates into more job options then simply those involving Homeland Security.

Have you ever hung up with a friend or family member feeling frustrated? We ask ourselves, “Why can’t they…”, or “How hard is it to…”, or my favorite, “Don’t they know that….” I’m going to let you in on the worst kept secret in the industry; THEY DON’T KNOW.

Corporations and employees have access to all sorts of training and security awareness materials (or should). Our friends and family don’t have the luxury of posters, and emails, and codes of conduct, etc. What they do have is a willingness to do the things that will keep them safe on the Internet as long as it doesn’t cause them to go into seizures trying to figure those things out. This is where you and I come in. We need to start sharing our hard-won wisdom and knowledge, freely, and often.

See Ron Woerner’s post on Local Tech Support – Like It Or Not for a “closer to home” take on this issue.

You might be wondering what I mean by freely and often, so let me tell you. Why not come up with four or five slides with some “best-practices” and give a quick (30 or 45 minute) presentation every once in a while. “Wait!” you say; “What kind of audience would be interested in that? How would I get the word out? I don’t have the time to do that. What’s in it for me?” Let me address these questions and concerns one at a time.

“What kind of audience would be interested in that?”
Anyone who watches television and has access to the Internet would be interested. Security professionals have been griping about FUD for years but it works. It gets people thinking. No, not cynical, jaded, “experts” like us, but certainly Mom and Dad and Uncle Bob.

“How would I get the word out?”
Think about who your audience is and then think about where you might get exposure to them. I’m thinking of organizations like: Rotary, Elks, MoPS (Mother’s of Preschoolers, for those of you without kids), book clubs, library patrons meetings, PTA, American Legion, etc. The list is varied and large.

“I don’t have time to do that!”
Oh, Really? You can’t find 30 minutes every couple of weeks or so to get up and present in front of a crowd of people who will probably hang on your every word? If that’s true you need to stop reading this, and any other, blog, and go find a time management course!

“What’s in it for me?”
What kind of skills and experience might result from the above?

• Presentation Skills
• Ability to explain complex technical issues in “everyday language”
• Writing Skills – (If you’re the person that writes the presentation)
• Patience with others – (ok, maybe this one’s just me!)
• Public recognition
• Fewer urgent calls from friends and family asking how to recover from “my computer is acting weird”

To some, that might look like a scary list. There’s a running joke in public speaking circles that basically says most people would rather be the person being eulogized rather than the person giving the eulogy. With that said, this post isn’t about acquiring these skills, it’s about demonstrating them. I assume you all know how to use the Internet and the phonebook so, if you need to learn how to speak in public, write presentations, etc. there are plenty of resources available, and, since everyone learns differently I won’t be recommending any specifically.

It’s time to “stop preaching to the choir” and go out there and convert the unconverted.

Like many of you, I noticed this new feature when Google announced it, but didn’t really consider it or bother to look into it. After seeing the slashdot article this morning, I figured I’d take a look at the google FAQ to see how obvious this problem was… for some reason, I had visions of people spoofing their numbers to trick businesses – which is annoying and possibly bad for business, but not really a security risk. Lucky for us, Lauren considered this from a different perspective…

Based on Lauren’s blog, I could see an attack along the lines of:
1. I go and ‘click to call’
2. I enter in your telephone number instead of mine
3. google calls you instead of me, but presents the caller ID information of the business they are connecting you to (courtesy of me)

So – is this an attack?

In reality, I’m not sure how easy or hard it would be to execute an attack like this (to the point where it really becomes a risk)– where I could spoof someone else’s number and google connected us together in a way that I could launch an effective attack. It would seem to me that in order to truly attack an unsuspecting consumer, we’d also have to have control over the other end of the line. It seems to me that unless I had an effective way to get Google to connect consumers to me and present the caller ID as someone else, this isn’t a huge risk.

That said, I see a more alarming trend: as more people rely on caller-ID, any service that intentionally modifies this information certainly poses a risk and, like Lauren, I would urge Google and others to consider it’s use more carefully.

A feature for some is an attack for another.

I also think the following is a telling statement:

Most of those who were walking around were “adult trick or treaters” looking for giveaways from the vendors. 

Ironically, I stopped going to most security conferences, including the much-hyped RSA conference. However, I have been known to attend from time-to-time or get exhibit hall passes if I am already going to be in the city. What I always found interesting (I would have said ironic, but that would be using ironic for a while now). One of the trends I watch is “security professionals” who believe strongly in security are some of the first in line to give up their personal information in return for a CHANCE to win a tee-shirt.

Irony aside, I agree with Alan that we need less conferences, but for a different reason. When is the last time that you went to a conference and got some serious value from it? Since we formed our company a few years back, every time I get the chance to evaluate conferences, I have never felt that I would get the value back. Sure, you can meet good people, make connections, etc. — but the conferences are generally lame and the quality of presentations is mediocre at best.

Am I being harsh? Of course. Why aren’t you? If we continue to have crappy conferences and then pretend they’re great (if only because it was a chance to get out of the office), all we will have to attend are crappy conferences.

I was really blown away the first time I attended a National Speaker’s Association event. Imagine going to an event when everyone who takes the stage to speak is a professional speaker? First thing I noticed… a LOT LESS powerpoint, a lot more substance and I actually WANTED to pay attention. Since then, I have been spoiled countless times and now expect that a successful event should be including professional speakers (who actually study the trade craft of speaking and presenting) alongside well-versed speakers (for example, people who learn and practice through Toast Master’s or the like). I think a healthy mix of both is needed for a successful event.

I’d like to see smaller events with a more powerful focus on substance. I’d like to see better speakers and more time to reflect on the passions they have shared. The more I have started to consider what I dislike about our currently available conferences and compared them to some of the excellent Speaker’s conferences, I have started to think about putting together a small, invitation-only event.

What do you think?

If you had a chance to come to a small conference to share your security passion and learn about others, would you do it? The event we have started to plan will have no vendor support, but vendors will be invited to participate (as full contributors to the conference). And all speakers will be coached and rehearsed before they take the stage and present. And we’ll have plenty of time to think, reflect and build relationships that will help advance our careers and improve the profession we have chosen (or has chosen us).

I’m thinking of limiting it to 200 people. So – would you come? And if you want to help, let me know. If we have enough interest, we’ll kick it off in 2007.

Looking for a place to start? I think this is a perfect introduction and a fine lunch discussion.
Right in the introduction is the following passage:

The five most important protections that should be used for all Windows XP Home Edition computers connecting to the Internet are as follows:

• Applying updates to the operating system and major applications (e.g., e-mail clients, Web browsers) regularly, preferably through automated means that check for updates frequently
• Using a limited user account for typical daily use of the computer
• Running up-to-date antivirus software and antispyware software that is configured to monitor the computer and applications often used to spread malware (e.g., e-mail, Web) and to quarantine or delete any identified malware
• Using a personal firewall that is configured to restrict incoming network communications to only that which is required
• Performing regular backups so that data can be restored in case an adverse event occurs.

I’m in Phoenix this week (with a podcast almost ready to go), delivering a customized version of our newly launched Effective Assurance in IT Operations workshop/training course. I’m exited about this effort, since we’re taking a completely new approach to thinking about security and assurance – designed to have a lasting impact. And in this course, we take the time to discuss issues like the ones in this post. In fact, we spent time this week discussing the strategies for how we protect ourselves at home, and then how we can help our colleagues do the same!

Would it be valuable for your efforts if I used the Windows XP Guidance (and the 5 recommended actions) to develop a podcast that could either guide your efforts (or even be what you use during the lunch) ? If so, when I get back to the “studio” I’ll start working out the details and get something prepared to help you make a difference.
If you’d like me to take the time to podcast on this or have some ideas on how I can make this more effective to support your efforts, send me an email: securitycatalyst@gmail.com and let me know. And if you’d like to learn more about the success of “Effective Assurance” – drop me a line and we can talk.

As I have mentioned in the podcast, I switched our company to the Mac platform about 18 months ago. Despite being a security professional, my switch was driven by multiple factors (design, look, applications, built on BSD, etc.) including the pricing and anticipated lifetime. Based on my calculations, switching to the Mac cost me about the same if I had stayed with Toshiba.

As an aside: Over the last year, my Toshiba has had to have nearly every component replaced; after dealing with the steadily declining Toshiba Customer Service (if they can honestly call it customer-focused or service), I still have an maintain a windows working environment – but look forward to moving to the Mactels and dual booting (well, probably triple, since I’m interested in going with Ubuntu for a third OS).

So – those of you already using Mac and the rest of you who should seriously be considering a switch, I came across this article explaining the security features that come as part of OSX. It’s a good read and while focused on encouraging others to switch, has value for those who already did.

Key Mac OS X Security Features

http://switchtoamac.com/site/key-mac-os-x-security-features.html

Enjoy – and let me know when you switch.

PS: I’ll make the switch to Mactel Macbook Pro once Verizon makes an express card sized EVDO card (or I can find another EVDO solution for traveling).

Update (7.20 – 16:20p): I also wanted to mention (when I was gently nudged by a friend) that my Powerbook met with an untimely issue; seems that when I upgraded from 10.3 to 10.4 it caused a known issue (or well-reported) with the lower memory slot, causing it to short out. Don’t bother asking me how/why, since I have no clue. Anyway, the laptop was still under warranty and was covered by both AppleCare and ProCare (or whatever it’s called).

The team at the local Apple Store was great, but it still took 4 weeks before my powerbook was returned. 4 weeks! As a business, we cannot afford to be down a laptop for that long– so if Apple is going to continue to build on their market share in the business environment, they are going to have to improve. At the time, I wasn’t too happy with the process.

However, we figure we’ve spent 100 hour on tech support with Toshiba (combined) and needed to have about 7 visits until the laptop was fixed. In that time, it was unusable for about 7 months. By comparision, I was without the Mac for about 4 weeks, but only had to deal with one person… one time.

A few days later, I came across Reflexion, a company with a different approach to reducing spam, since they use what they call “non-disposable” email addresses. I called and shared some good technical discussions, and then decided to interview Scott Barlow about their solution.

Now this marks the first time I have interviewed a vendor about their solution. I took an approach of asking the questions I would ask them if I were going to consider them for my company or on behalf of a client. I hope you find this useful, and if so, I will look for other noteworthy solutions to share with you.

Either way, let me know – and ask more questions in our forum in this thread (click on the link).

In the podcast, Scott mentions a link to a diagram, here is the diagram.

Also, here are some of the recent threads on the forums that I would enjoy your feedback on:

Certs, Degrees, And Stuff, The Professionalizing of the IT Industry

Security Blogs And Forums

What Are The First 5 Actions, Security Catalyst Case Study – Baselines

Wireless Security: Protecting Your Company (Westchester County, NY)

Promo: The Mighty Seek Podcast

I have been working on a Wireless Security “Basics” eGuide that Red has agreed to help with – and we should have that published by next week for your review and use.

Talk about wireless security in the forums here: SC24 in the Catalyst Forums
Red’s posted question in the forums is here, please answer it if you can: Red Wagner’s Question – Gmail Chat Security/privacy, Opt-out chat logging

Thanks for listening. If you liked the program, please tell a friend. If not, please tell me: securitycatalyst@gmail.com

Listen to the show to see which programs and configurations we recomend to our family and friends. As our new friends, you’ll want to make use of our links and information to keep yourself protected!

Links and Information

Please remember to rate this podcast on iTunes and Yahoo! Thanks!!

Here are some notes and links from the show today:

Firefox

Thunderbird

Security Catalyst Consumer/Home User Security Resources

Join us as we discuss why these steps are important and gain the knowledge you need to be a bit safer!

The links from the show are here….
We are in the process of building a collection of consumer/home computer security links. Click here to check the current list and get information about updating your system, firewalls, anti-virus, anti-spyware and some good general advice.

The following track from the podsafe music collection of podshow was used during the introduction of SC13.
BAJA TAXI

Please remember to rate this podcast on iTunes and Yahoo! Thanks!!