Tuesday, December 24, 2013

Are You a "Target"?

   By now, most of you have probably heard about the Target credit card information breach.  This is very big here in Minneapolis, home of Target.  All the details aren't out yet, but it appears that credit card information was exposed for purchases at brick-and-mortar stores between Wednesday Nov. 27 (the day before Thanksgiving, heading into the "Black Friday" weekend) and Sunday Dec. 15.  Here are some articles covering the story.  Here's Target's response and an FAQ.

   I'd like to talk a bit about next steps.  If you've been the victim of a data breach... what next?

   First... for consumers.  Target is a retail company and the direct victims of the breach are those of us who shopped at a Target store during the dates in question.  Consumers have two concerns here: credit card fraud and identity fraud. (I don't like the term "identity theft" even though it is commonly used.  No one can steal your identity... you still have it.  They can improperly discover, and misuse, the details... a.k.a. fraud.)

Tuesday, December 17, 2013

f2f Still Rules

   It's definitely a digital world.  And with all the instant electronic communication methods available, it's easy to forget about good old-fashioned face-to-face.

   Many workplaces have gone to open seating, without cubes or offices, to promote collaboration.  There are "team spaces" and other kinds of open areas in which people can quickly get together to solve problems.

   I've been thinking about this topic for a couple of reasons.  First, I've been talking with internal groups about Internet Safety for Families.  This is a great topic both for general information and for Security Awareness in the workplace.  One item we often discuss is communication methods.  Teens and young adults (as well as many high-tech workers) do a disproportionate amount of their communication electronically.  Sometimes that works and sometimes it doesn't.

Tuesday, December 10, 2013

Password Problems Again

   So here we go again... more problems with breached passwords.  But this time there is a different wrinkle.

   By now, most of you have probably heard about the recent discovery of hackers getting around 2 million userids and passwords to online services like Facebook, Gmail, Yahoo, LinkedIn and Twitter.  Notable on the list of sites is ADP, the payroll processor.

   It's "just" 2 million sets of IDs and passwords.  That's not really big news these days when the new record of over 152 million stolen passwords was recently set by the Adobe breach.  But there is a difference here.  For most of the big password breaches, the service provider's website or password store is hacked.  Then the password file or database, with its hashed (or, loosely, "encrypted") passwords, is downloaded.  The attackers can take their time analyzing that data offline to come up with userids and passwords.  This work is made easier because so many sites protect stored passwords poorly: fast, unsalted hashes, or, as in Adobe's case, reversible encryption under a single key.  And some sites store passwords with no protection at all.

   But that's not what happened here.

   This time the passwords were stolen from the users of the sites.  That's you and me (well... hopefully not you or me!).

Tuesday, December 3, 2013

Is Your "Friend", Your Friend?

   An interesting topic came up the other day.  The question was whether to accept random social media
requests.  Does your "friend" need to be your friend?

   Your answer to that question might vary based on the social network and how you use that social network.

   There's also an important Security Awareness angle here.  Social networks can be a vector for malicious links, phishing attempts, malware and scams.  These malicious techniques often work better when the link/attachment/request comes from a "friend", rather than via a random email or connection.

Tuesday, November 26, 2013

Internet Safety... The Song Remains the Same

   As seems to often be the case in the fall, I'm doing a number of Internet Safety talks lately.  Maybe it's the tie-in with US Cyber Security Awareness Month in October, and I did some posts celebrating that.  Maybe it's that fall makes us think about back to school (though maybe safety should be a "hotter" topic in the summer when kids have more free time!).

   I've been presenting to groups about Internet Safety and related topics for over 12 years.  I've got a few events coming up at work, so I'm updating my material.  I've got a number of talks on these "consumer" issues.  You can see my slides on my slideshare page.  I regularly update my material.  But what's really amazing to me is that the core, key messages have substantially remained the same.

   For example, I recently did a presentation and blog post on bullying.  The biggest change in online bullying in the past few years has been the news media attention.  But what happens, how it happens and options for victims, unfortunately, hasn't changed much.

   As I talk with people about these issues, and research and update my presentation material, I think there are 3 main areas in which things have substantially changed.
  1. The rise and expansion of social media.  In the early 2000's, we were talking about things like email, chat clients like AOL Instant Messenger (AIM) and web surfing.  Xanga.com was around, but MySpace and Facebook weren't even launched until 2003 and 2004, respectively!  And, needless to say, there's been an explosion of social media sites with the latest trends favoring pictures and video.  While kids had the ability to share too much information since the beginning, social media sites really drove the norms.
  2. Technology.  In particular... mobile technology.  I used to recommend that families keep their computer (singular) in a common place like the family room or kitchen so kids' use could be seen.  While that is still good advice, most families have more than one computer.  And most teens, and many younger kids, carry a powerful computer with them wherever they go... their smartphone.  While we still have options available for monitoring, and good communication is key, portable devices are really a game-changer.
  3. Kids get it.  During my Internet Safety talks of the mid-2000's, we used to play a little game.  It was a live demo in which I would bring up a social media site, typically MySpace.  The game was to see how few clicks it would take us to get to some inappropriate content (like kids/teens sharing too much personal information or posting pictures parents would wish they didn't).  When I first started doing this demo it would only take a few clicks.  Then, by around 2008, it took more.  Then I would just save a few URLs of TMI pages.  Then I gave up the game altogether!  It's not that we can't still find inappropriate content, or examples of kids sharing far more than parents might want.  But kids are doing a much better job of protecting their information online.  Of course, kids, teens and young adults - actually digital natives in general - do have different ideas, definition and expectations of privacy compared to their parents!
    One final thought... another thing that has changed is that the oldest digital natives - people who do not know of a time without pervasive digital media and technology - are now having their own kids and showing up at Internet Safety talks!  But some things don't change and their kids still know more about technology!

   What surprises you about changes in our online world over the past decade?  What do you think has changed, or has not changed?

Tuesday, November 19, 2013

It's That Time of Year - Holiday Spams and Scams

   It's that time of year again folks.  And whatever holiday you may, or may not, celebrate... there's something we're all likely to see.  It's not presents, though maybe there are some for you.  It's not snow, though we'll see that soon enough here in the upper midwest US.  It's malware and holiday scams!

   Unfortunately, it happens every year.  Sometimes it's malicious attachments.  Sometimes it's links to malware to download or phishing sites with forms ready to collect your personal and financial information.

   Here is my 2013 edition of my Top 10 Tips To Avoid Holiday Spams and Scams...

Tuesday, November 12, 2013

Rhymes with Assword

   Here we go again with more password-related problems.  You can't make this stuff up.  Well, you can but the truth is stranger.

   By now, most people have heard about the Adobe website breach.  I won't go into too many details but you can read Adobe's summary here, and here is a detailed review by Sophos.

   And, after I wrote this post I see that the This Week In Tech (TWIT) show on the great Twit TV network did a show of the same name (go to 1:56:20 in the show). Great minds think alike!  If you read the Sophos report you will see that someone used the phrase "rhymes with assword" as their password hint.

   There are a few key points to review:
  • A new record!  This breach has now set the new record for largest number of compromised accounts, 152,000,000, beating previous noteworthy large breaches including those from Sony, TJX and Heartland.

Tuesday, November 5, 2013

Cyberbullying - Improvements or More Problems?

   In addition to Cyber Security Awareness Month, October was also Cyberbullying Awareness Month.  There were a number of online campaigns to raise awareness on the topic including some high-profile pages on Facebook and Cartoon Network.

   This is an important topic and needs our attention.  I have given many presentations over the years on Internet Safety topics.  This past weekend my wife, a clinical psychologist, and I partnered on a presentation on Bullying and Cyberbullying at our local school district parent fair.  Here are the slides.

   Unfortunately, bullying has been around as long as there have been people.  The internet, social networks and mobile devices have turned "old school" bullying into a 24x7 assault.

Tuesday, October 29, 2013

Online Self-Defense - Don't Phall for Phishing!

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.

   I said in part 1 that this would be a 3 part series, because everything comes in 3's.  Well... it's still Cyber Security Month and I would be remiss if I didn't write about phishing.  So we'll just call this part 4 of 3!  Here are parts 1, 2 and 3.

   As you probably know, phishing refers to an attempt to fraudulently get your personal information by masquerading as a trusted source. Examples include: a fake email that looks like it came from your bank; a fake fraud warning message that looks like it came from your credit card company, or; a distress message that looks like it came from a "friend" asking for money.

Tuesday, October 22, 2013

Online Self Defense - Don't Click!

   This week I'm presenting at the Cyber Security Summit in Minneapolis.  I hope to see you there!

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.

   This is the third post in my series on Online Self-Defense.  We've covered malware and passwords, two key issues affecting your online privacy and security.  If you've tried the simple tips I gave on those two subjects then you are now safer than most web surfers.

   Now, to keep you and your computer safe... don't click on that link!

Tuesday, October 15, 2013

Online Self Defense - Passwords

   Next week I'll be presenting at the Cyber Security Summit in Minneapolis.  I hope to see you there!

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.

   Last week I started a series on themes I covered in a talk entitled "Online Self-Defense".  In part 1 of that series, posted here, I talked about protecting your computer. This week we'll look at passwords.

   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site

Tuesday, October 8, 2013

Online Self Defense - Your Computer

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.

   Happy US Cyber Security Month!  This partnership between Homeland Security, NCSA and MS-ISAC is an opportunity to recognize the importance of information security.  How are you celebrating?

   Last week I ran a couple of sessions at work on awareness and security.  Over the next few posts I will be reviewing some of the 3 themes I covered in a talk entitled "Online Self-Defense". You can view the slides on my slideshare page. (actually, the talk focuses on just 2 of the themes but that's OK!). Since everything comes in threes (omne trium perfectum), I will give 3 easy tips for each theme (and some bonus tips as well).

   The first theme is protecting your computer or device.

Tuesday, October 1, 2013

Things That Make Me Crazy: "We've Always Done it This Way"

   There aren't many things about our InfoSec and IT industry that really bug me.  There are certainly things we can do better.  We're really just starting to get the idea of connecting with the business and that business leads technology (not the other way around).  Or that security controls and technology have to work for people.  These ideas are part of our evolutionary process.

   But there are some things that do get to me.  Call them pet peeves (what a strange phrase!), annoyances, complaints... whatever.

   Right at the top of the list is when someone says "We've always done it this way".

Tuesday, September 24, 2013

So You're a New CISO!?

   There are plenty of articles out there about becoming a new CISO.  And what elements you should have in an enterprise security program.

   I'm about to become a new CISO... again.  It's not an entirely unique situation.  I've been a CISO for over 10 years.  I'm starting as a new employee of an organization that has newly created the CISO position.  So I am new, and the CISO position is new, to this organization.

   I read this interesting article entitled 68 Great Ideas for Running the Security Department.  It's a great article, but even as a mathematician, I just can't count that high!  I also love top 10 lists.  But sometimes 10 is too high a number as well.

   Here are the 3 key things I'm going to do as a new CISO:

Tuesday, September 17, 2013

When is Encrypted really Encrypted?

   With all the discussion on the NSA and what they can, and cannot, see, collect and decrypt on the net, the picture is pretty muddy.  Google has announced plans to enhance their encryption.  Perhaps most confusing is what this means for home users.  Is your data safe?  Is it being collected?  Who can see your data and how can it be kept private?

   First, a few concepts... you can skip this and jump right to the "how-to's" if you want.  Without getting too deep into the bits and bytes, there are basically 2 forms of encryption: transport encryption, which protects data while it travels between you and a service (and is only as good as the endpoint on the other side), and file encryption, which protects data where it is stored.

Tuesday, September 10, 2013

What Works in Tech #Leadership - Keep It Simple

   As I'm heading toward the end of my current job, and getting ready for the challenges of my next opportunity, I've been thinking and reflecting on a few things.  One of these is leadership.
   I've had the opportunity to lead some great programs and teams in my career so far.  I went directly from being a technical individual contributor to management without any formal managerial training.  Earlier in my career I had titles and responsibilities including: software developer/programmer, engineering support, systems administration, architect, systems support, web developer, email administrator, security administrator/architect.  All of these positions can offer leadership opportunities, but this is very different than formal management.

   When I was in purely technical positions I had no interest in management, and couldn't even imagine going in that direction.  But then an opportunity came my way and I started down the "dark path" of management!  And I figured it out as I went along, with some results better than others.

Tuesday, September 3, 2013

Putting the Face in Facebook

   As can happen in a month whose name contains an "a", "e" or "u" :-), Facebook has once again made changes to its privacy policy and practices.  And, as always, we all have two choices: accept the changes (and adjust our settings and practices appropriately), or; leave Facebook.

   Of course most people won't leave Facebook, and if anything they will add more users than those that leave.

   As I look through the changes (see Facebook's notice here with links to the details), I think there are three things to know...

Tuesday, August 27, 2013

People and Process First!

   I've been reading, and hearing, lately about the ideas of client-centric or human-centric IT.  Here's a cool article and interactive infographic from GovLoop.com.  It describes a roadmap approach to get to a people-centric approach while showing examples of what some US federal agencies are doing to advance the cause.

   I like infographics!  They are fun, impactful, and this is a good one.  But, sometimes they are so busy that the simplest parts of the message get obscured.

   It's not just infographics that obscure simple ideas.  Security and IT are experts at over-complicating things.  We get so caught up in the cool tools that we sometimes miss the main point.

   In the Security and IT world, we should always look at any project or program through the lenses of:
  1. People
  2. Process
  3. Technology
   And definitely in that order!

Tuesday, August 20, 2013

Beyond the Checklist - Compliance v. Security

   SC Magazine put out a good article last week entitled Beyond the Checkbox: PCI DSS.  The article covers new revisions in the Payment Card Industry (PCI) security standard (Data Security Standard, DSS).

   The point of the article is something I've been saying for years... that we can't simply treat security regulatory standards as checklists.  It's not about just meeting the minimum requirements.  It's about integrating the standards into your security program.

   Now, I'm not completely dismissing checklists.  In fact, I think they have some great places within your program.  For example: server build checklists; server hardening checklists, and; an SDLC checklist.  I'm a big fan of the CIS checklists for hardened configurations.  I also like a standardized secure engineering process (or SDLC) with specific steps.

   As I've discussed here in the past, one size does not fit all.  While we can all share our processes, it's critical to tailor any process or checklist to your environment.

   But here's my main point... Compliance does not equal Security!

Tuesday, August 13, 2013

More Problems with Passwords???

   While I like to write about a variety of security-related topics, it seems that issues with passwords keep coming up again and again.

   Passwords, and in particular their use for online authentication, are a mess.  I've written about this a number of times including here, here and here.  My advice for online use of passwords has been the same all along.  I've always said:
  1. choose good long passwords (long sentences are just fine)
  2. use a password vault, and
  3. use a unique password at each online site.
  4. (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!) 
   But... I had missed something!  There is another key thing that everyone needs to do to protect their online passwords... Don't Store Passwords in Your Browser!

Tuesday, August 6, 2013

A Culture of Security - The Best Infection!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even give a reliable probability of one.

Tuesday, July 30, 2013

The Need To Read

   I recently read a great article on summer brain drain on ParentsChoice.org's Read More. Play More. Learn More. blog.

   The article is mostly directed to parents, making the point that kids forget school topics over the summer and often need time to get back up to speed.  This can be remedied with fun, stimulating activities, like brain games.  The article links to some brain games from the Museum of Science and Industry in Chicago.

   And, as the post points out, adults can also suffer from the same brain drain due to the inevitable schedule variations of the summer.

   But the specific article aside... what a great name and concept.  We could all read more, play more and learn more.

   We all need to exercise our brains.  Many people read articles and other material as part of their job.  But regardless of how in-depth, creative or technical that job may be, I think it's important to read and learn about other topics.

   So read.  Read blogs, and books of all kinds: non-fiction, historical fiction, mysteries, sci-fi... whatever you enjoy.  Read things in your field, but be sure to also read other info and read for enjoyment.  And, if you don't have time to sit down with a book, try audiobooks and podcasts.

   What are some of your favorite reading, educational or brain activity resources?

Tuesday, July 23, 2013

Macs don't get viruses... right?

   It's that time of year again, when many first time college students and their parents explore that age old question... Mac or PC?

   Most schools will give one of two non-answers:
  • it's personal preference - just use what you like best, or
  • check with your major department for their requirements

   While these aren't terrible answers, they really won't help most people.  Most kids just use features of a computer like the web browser, chat client, Skype and office tools, and don't really interact with the operating system.  In fact, it's the same for many parents.
   And, most academic departments don't have specific requirements, and if they require specific software it will run on PC or Mac.  (YMMV/Your Mileage May Vary - and you should check with that academic department!)

   So, we haven't helped answer the question!  But here are criteria you shouldn't use: price (alone); "free" items included (like printers), and; don't choose a Mac just because you think it won't get malware!

Tuesday, July 16, 2013

Are You the Customer... or the Product?

   I regularly speak with people about Internet/Online Safety.  One message I frequently give about free online services is:
You're not the Customer... You're the Product.
   We often see people upset about changes in social networks like Facebook.  Folks complain about "customer service", not realizing that they are not the customer!  It's often the advertisers, or other backers, who are the real customers.  And what those customers want is information... about the users of the service.

   I'm a big fan of free online services, but it's important that people realize what's going on.  It starts with the privacy policy, which explains how an online service intends to use your data and information about you.

   But I want to talk about cloud storage services.  These services allow you to backup files, sync files between systems and devices, and have files available from anywhere.  How are your files protected?

Tuesday, July 9, 2013

The More Things Change...

   As the saying goes... the more they stay the same.  In our ever-changing world of technology and security, it always amazes me how things often don't change!

   Let me clarify... there's always a totally new technology, programming language or social network to learn. Of course, computing power has changed drastically.  Many of the techniques used by attackers to gain improper access to our information have changed.

   Though many have not.  And the advice we give to consumers and business users to protect themselves has not changed!   Consider...

Tuesday, July 2, 2013

Want someone's password? Just ask!

   SC Magazine recently put out an article entitled: More users than ever experiencing phishing attack attempts.  According to the article, phishing attacks are on the rise.

   Phishing is simply any kind of communication intending to extract (typically) personal information from someone.  The scam usually tries to either get the victim to visit a malicious website or directly provide their information, via a reply to the attacker or in an online form.

   Years ago, phishing emails were easy to spot.  They typically used obvious From: addresses, poor grammar and spelling, clearly misleading URLs, and overall poor imitation of a legitimate organization's communication.

   But, as is often the case, the phishers have gotten better.  The emails look legit, the grammar and use of language is good, and the links often go to realistic-looking, but malicious, sites.  And email isn't the only delivery method.

   So, how do we avoid, and help others avoid, these attacks?
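   One of the checks the post above describes, "the links often go to realistic-looking, but malicious, sites", can be automated for the simplest cases.  The following is an added example, not code from the original post: it parses an HTML message body, pulls out every link, and flags links whose visible text names one site while the href actually goes somewhere else, or whose href points at a bare IP address.  The message body, the host names and the `.example` domain are all constructed for the demo.  The registrable-domain check is a deliberate approximation (last two labels, no public suffix list), so it will misjudge domains like `co.uk`.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real phish). Link 1 shows a bank URL
# but goes to an IP address; link 3 shows the bank's domain but goes to a
# lookalike host under a different registrable domain; link 2 is legitimate.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected.</p>
<p>Please verify your account at
<a href="http://203.0.113.10/verify">https://www.examplebank.com/verify</a></p>
<p>Or contact us: <a href="https://www.examplebank.com/contact">contact page</a></p>
<p>Login: <a href="https://examplebank.com.account-check.example/login">examplebank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text that looks like a domain; None otherwise."""
    parsed = urlparse(s if "://" in s else "http://" + s)
    host = (parsed.hostname or "").lower()
    return host if "." in host else None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels (assumption;
    a real implementation would consult the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def is_ip(host):
    """True if the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, visible text, reason) for each link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        if actual is None:          # no usable host in the href (mailto:, empty, ...)
            continue
        shown = host_of(text)       # None when the text is just words
        if is_ip(actual):
            findings.append((href, text, "link points at a bare IP address"))
        elif shown and registrable(shown) != registrable(actual):
            findings.append((href, text, f"text shows {shown} but link goes to {actual}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {reason}\n  text: {text}\n  href: {href}")
```

   Running it against the sample flags links 1 and 3 and leaves the genuine "contact page" link alone.  The same idea is what a careful reader does by hand: hover over the link, and compare where it really goes with what it claims to be.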

Tuesday, June 25, 2013

Countdown - the end of a (Google) reader

   The clock is ticking.  On July 1, Google will remove support for the RSS aggregator tool, Google Reader.

   In the past I've talked about how I keep up with the vast amount of information and changes in the security and IT fields.  That article focused on podcasts.  Another key tool I use is an RSS aggregator.

   An RSS aggregator is a program used to collect information from online sources.  You "subscribe" to a site (such as this blog), and then notices of new articles are automatically brought into the aggregator.  The power of the tool is that you can organize your subscriptions by categories you choose.  You can then quickly browse new articles by category.

Tuesday, June 18, 2013

One if by Land, Two if by Prism

   Last week I avoided talking about Prism, the supposed NSA wiretapping issue that has been all over the news.

   However, in the past week I've read or heard 3 different highly insightful analyses and I'd like to comment on them.

   First, on the possible techniques used.  Major data collection organizations including Facebook and Google have denied providing any information to the US Feds as has been alleged.  But the NSA is getting information.

Tuesday, June 11, 2013

Light and Sound - the next mobile malware vector?

   With all the talk about Prism in the security news, we didn't hear about much else.

   But here's an interesting story... Researchers at the University of Alabama at Birmingham showed that malware, or other actions, can be triggered on a mobile device by sounds, music or light!

   From the article:
   "In one instance, the researchers used music in a crowded hallway to launch an attack on an off-the-shelf Android phone. In others, the malicious code was activated by a song with a particular pattern or the ambient light from a TV, computer monitor or overhead light bulb."

   For most of their experiments, the source of the sound or light needed to be very close to the target device.

   Right now this is only experimental.  However, we know that well over 50% of mobile phone users in the US have smartphones.  And these phones have input sensors for light, sound and motion.  Essentially, we are all carrying devices that not only track our location and movements, but can record, and be influenced by, the environment around us.

   It will be interesting to track this research and see the ongoing new ways in which these ubiquitous devices can be exploited.

Tuesday, June 4, 2013

How crackers ransack passwords - Sort of...

   I am not trying to make this the password rant blog.  But we just can't go a full week without more news about password problems!

   Last week the excellent tech news site, Ars Technica, did a feature article in which they had first a journalist, then three different password cracking experts, try to recover the plaintext passwords from a leaked file of password hashes.  They were all quite successful... frighteningly so.
   Steve Gibson discussed this for a bit in Security Now episode 406.

   But, I think there were some critical flaws in the test.  And there were also some excellent lessons.

   I'll comment on the article using the sandwich method, starting with what was good...

Tuesday, May 28, 2013

Twitter 1-and-a-half Factor Authentication

   As you may have read, and hopefully enabled, Twitter added a 2-factor authentication capability last week.

   If you haven't yet turned this on, here's how.  Log in to Twitter; select Settings; select Mobile; add and activate your phone.  Here are the detailed instructions for adding your phone number. To enable 2-factor authentication, select Account, then check the box labeled: Account security

   Here's the good news... as I've discussed in the past, I am a fan of using some kind of 2-factor auth for website authentication.  I also like the use of a smartphone for delivering that one-time-use PIN or code.  While we still have a digital divide in the US, most people do have a cell phone, and most of those have a smartphone.

   But there are some issues.

Tuesday, May 21, 2013

The Business (not Blind) Side

   A Doctor, Lawyer, Salesperson and Systems Administrator walk into a bar...

   As I mentioned last week, the Secure360 conference was in town.  And as always, it was a great show.  I was pretty busy and had 3 different talks.  The first was a 4 hour pre-conference session on BYOD. (slides here)

   After talking about the history of portable devices and framing the issues with which organizations struggle, we did something a bit different.

Tuesday, May 14, 2013

One Size Does Not Fit All

   The annual Secure360 conference kicked off yesterday in St. Paul with pre-conference sessions.  Secure360 is the major upper Midwest security conference and has become a US national event, now in its 11th year (I think!).

   I'll be pretty busy at this year's conference.  I've actually spoken at every Secure360, but this year I did a half-day seminar yesterday on BYOD, and tomorrow I've got back-to-back talks - one on the Insider Threat I call "The Accidental Insider" (blog post), and one on authentication "3 Factors of Fail" (blog series starts here).  Slides for all are on my slideshare site.

   I've got a wide variety of topics to cover!

   And that's what is so cool, and critical, about conferences.

Tuesday, May 7, 2013

So Long and Thanks for All the Passwords!

   If you've been following any online news lately you have read about the recent Living Social breach.  They reported "unauthorized access" of their systems resulting in a download of customer data including name, email address and encrypted passwords (technically, hashed and salted passwords, as their own notice pointed out).

   We have heard of many similar instances over the past few years.  I've written about this in previous posts and will be giving a talk at Secure360 in St. Paul, MN in a couple of weeks talking about authentication and passwords.

   In their defense, Living Social did do a couple of things well.  First of all, fortunately, they did store only hashed passwords rather than the plaintext.  Unfortunately many organizations don't.  Unfortunately they used an older, weaker, fast general-purpose hash rather than a deliberately slow password hash (bcrypt, scrypt or PBKDF2), which makes the stolen hashes far cheaper to crack offline.  And, of course, unfortunately they got breached and had the file downloaded.
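To make the storage point concrete, here is an added example (my code, not from the post and not Living Social's): a constructed "breached" file of unsalted SHA-1 hashes falls to a five-word dictionary in as many hash computations, while the same attack against per-user salted, deliberately slow PBKDF2 records has to pay a full derivation for every user and every guess. The usernames, passwords, word list and the 200,000-iteration setting are all constructed for the demo.

```python
"""Added example (not code from the post or from Living Social): what a
stolen password file is worth depending on how the passwords were stored.
The "leaked" records and the word list are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed breach file: fast, unsalted SHA-1 of each password.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"T9#v!qZ2wLp4").hexdigest(),  # not in the word list
}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def crack_unsalted(leaked: dict, words: list) -> dict:
    """Dictionary attack on unsalted hashes: hash each candidate once and look
    it up against every user at the same time. Cost: len(words) hashes total,
    however many users leaked."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in words}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# The better way: a per-user random salt and a deliberately slow key
# derivation. 200,000 PBKDF2 rounds is an illustrative setting assumed for
# this demo, not a figure from the post.
ITERATIONS = 200_000


def store_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: dict, words: list) -> tuple:
    """Same dictionary attack against salted, slow hashes. Nothing can be
    precomputed or shared between users, so every (user, word) pair costs a
    full PBKDF2 run. Returns (found, number_of_full_hash_runs)."""
    found, runs = {}, 0
    for user, stored in records.items():
        for w in words:
            runs += 1
            if verify_password(w, stored):
                found[user] = w
    return found, runs
```

With the unsalted file, alice and bob fall after five SHA-1 calls no matter how many users are in the dump; with salted PBKDF2 the attacker pays users × guesses × iterations, which is the whole point of a slow password hash. The record format carries its own cost so the iteration count can be raised later without breaking existing users.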

Tuesday, April 30, 2013

Stuff I Say - Iterative Improvement

   This is yet another in my "Stuff I Say" series of posts.  I like to think about concepts of security management, though these ideas can certainly be applied to IT management (and management in general).  The themes of these posts are both things I think about and things I actually say.

   We've all got an incredible amount of work to do.  Most organizations have too many projects and ongoing development work, as well as too many existing and legacy tech assets to secure.  There are not enough resources to go around and the shortage of talent has been discussed in the tech media.  Prioritization is always a challenge.

   Security professionals have a difficult job.  Protecting individual and corporate data, and systems and networks is complex and often not well defined.  We don't really know when we've got it "right" (if there is a right), but we often find out the hard way when we've got it wrong!

   So, when faced with a new project, some security groups want to try to do everything at once.  We can't boil the ocean... but we have to start somewhere.  Some call it baby steps. Some call it putting one foot in front of the other.  I call it Iterative Improvement.

Monday, April 22, 2013

Stuff I Say - Do What Makes Sense

   Today I'm continuing a set of posts I started last year.  These ideas are covered in a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  The first two posts are here and here.

   The idea of doing what makes sense is central to my thinking (about many things).  In security, many people base their strategies and tactics on what they read or what others are doing.  But you can't provide useful information security based on what you read in a book.  One size does not fit all.

   When we don't do what makes sense, we end up with ineffective controls (like this ineffective control from one of my favorite security pictures).

   What works in one organization does not necessarily work in another.  This can be true for a variety of reasons including differing regulatory environments, organizational culture and kinds of assets/information.  This is why I've never liked the phrase, or idea of, "best practices".  I prefer "good practices" (more on that some other time...).

   It's easy to say we want to do what makes sense.  But how do we put that into practice in our organizations?

   Here are 2 considerations:

Risk Management approach.  Rather than using strategies and practices from a book, we need to understand a number of things about our organization including:
  • what "stuff" do we have?
  • what stuff do we need to protect?
  • what threats do we know of?
  • to what threats are we vulnerable?
  • what is the potential impact if these threats manifest?

   Asking these, and subsequent, questions can help lead to a better understanding of the environment.

   Then... Seek out and destroy policies/practices that do not add value!  Consider:
  • ineffective controls - find them and get rid of them!  And, if you do remove a control, make sure that you let the users know!
  • annoyances that affect people's perception of security - convenience vs. security is always a trade-off, but your controls must take into account people's work practices
  • what makes work harder - security and IT must support the business.  If complying with controls negatively impacts the business you may find your program overruled.
  • overly strict practices can cause people to try to circumvent controls to get things done.
   This doesn't mean that the security organization allows a free-for-all.  My point is that by considering how users need to use the systems, examining alternatives, and working with your business partners, you can come up with a set of controls that protect systems and data, meet regulatory requirements AND allow people to get their work done.

   Can you think of ineffective or unnecessary controls in place at your organization?  How have you partnered with business users to come up with controls that meet all needs?

Tuesday, April 16, 2013

Bring It On Home

   There have been a number of discussions about the value of Security Awareness training floating around the net.  Some say that even with training, people will still fall for phishing attacks and social engineering, and that networks and servers will still get hacked.  I wrote about this a while back.

   I think there is great value to awareness training.  To me, the content and delivery are key considerations.  If the security messages are the same old, rehashed information then it will be hard to get people to pay attention, care and retain information.  No one wants to see yet another dry review of an organization's security policies.

    But there is a better way...

Tuesday, April 9, 2013

Keeping Security Simple

   This week I did a national webcast with Capella University.  The topic was the Insider Threat.  But my take on this is a bit different than what's usually said on this subject.  I call it "The Accidental Insider".  You can see my slides here.

   I was talking about how I think that accidents are the major cause of breaches.  I've talked a bit about how important it is to keep things simple here.

   If you're an information security professional, hopefully you are familiar with the Verizon Data Breach Investigations Report (DBIR).  You can see their page for the latest report.

   One of the interesting things they point out in the report is summarized in this table:

Tuesday, April 2, 2013

My Top 4 Everyday Apps

   I don't know about you, but I was not happy when Google announced that it would be pulling support of Google Reader on July 1.  Reader is a tool I use all the time.  I have the RSS toolbar extension on Firefox on my computers set to default to Reader so I can quickly add new sources to my feeds.  I regularly check Reader on my computers and use the app on my mobile devices.

   So I was looking for a reader replacement.  CIO Online put together a nice list of alternatives.  After reviewing that list, I decided that feedly seemed to be the app that best met my needs.  I downloaded the feedly add-on for my browser(s) as well as the app for my mobile devices.  And that got me thinking... do I need the app on my mobile devices?  After all, mobile devices tend to become clogged with too many apps, and mine are no exception.

   And that got me thinking... what mobile apps am I really using?

Tuesday, March 26, 2013

Attack Surface

   Last week I did a national webcast with Capella University.  The topic was the Insider Threat.  But my take on this is a bit different than what's usually said on this subject.  I talked a bit about this topic in my post last week.  You can see my slides here.

   As happens in some (perhaps not enough) InfoSec talks, during the presentation we touched on the topic of Risk Management.  In particular, we were talking about how to keep honest people honest and help good people do the right thing.

   There are all kinds of "formulas" used to calculate, or more correctly - estimate, risk.

Tuesday, March 19, 2013

The Accidental Insider

   This week I did a national webcast with Capella University.  The topic was the Insider Threat.  But my take on this is a bit different than what's usually said on this subject.  You can see my slides here.

   The typical story about insider threat is about theft or fraud.  Here are some recent articles.  This is a real and present danger.

   But there is another category of internal issues... accidents.

Tuesday, March 12, 2013

lnk.shrtnrs (Link Shorteners) and Safety

   Recently I was speaking with a group about online safety.  Keeping to the basics, we discussed two main sources of problems: passwords and clicking on links.  I've discussed passwords a number of times here, here, here and here.

   One great way to avoid problems online is simply to not click on links!  Of course, that would probably render the web all but useless to you (well... I guess you could just type in url's but that would get old very quickly).  You probably followed a link to get to this post.  Actually, you probably followed a shortened link to get to this post.
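The practical check behind "don't click on links" is to find out where a shortened link goes before following it. Here is an added example (my code, not from the post): a HEAD request that does not follow redirects exposes the `Location` header, and walking the chain hop by hop (shorteners are often nested) returns the whole trail. The shortener host list is a small assumed set, `fetch_head` is the only function that touches the network, and it can be swapped for a stub, which is how the offline test runs it.

```python
"""Added example (not from the post): preview a shortened link's destination
without clicking it. Follows redirects manually, one hop at a time, and
returns the trail of URLs visited."""
import http.client
from urllib.parse import urlsplit, urljoin

# Assumed, illustrative list of popular shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def looks_shortened(url: str) -> bool:
    """Cheap first check: is the host one of the known shorteners?"""
    return urlsplit(url).hostname in SHORTENER_HOSTS


def fetch_head(url: str, timeout: float = 5.0) -> tuple:
    """One HEAD request with redirects NOT followed; returns
    (status, Location header or None). This is the only network code."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve(url: str, fetch=fetch_head, max_hops: int = 5) -> list:
    """Return the list of URLs visited, starting with `url`. Stops at the
    first non-redirect, at a loop, or after max_hops; a chain that never
    settles is itself a reason not to click."""
    trail = [url]
    for _ in range(max_hops):
        status, location = fetch(trail[-1])
        if status not in REDIRECT_STATUSES or not location:
            return trail
        nxt = urljoin(trail[-1], location)  # Location may be relative
        if nxt in trail:                    # redirect loop
            trail.append(nxt)
            return trail
        trail.append(nxt)
    return trail


if __name__ == "__main__":
    import sys
    for u in sys.argv[1:]:
        print(" -> ".join(resolve(u)))
```

The final entry in the trail is what a browser would actually load; checking that host against what you expected (and against a blocklist, if you have one) is the decision the post is getting at. Note that a HEAD preview still sends a request to every hop, so run it from somewhere you are comfortable exposing, not from a privileged session.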

Tuesday, March 5, 2013

Pro-Hero instead of Anti-Bully

   As I mentioned in my post last week, I recently did an Internet Safety and Tech talk for parents of preschoolers.  When I talk about this and related topics, I always talk about bullying and cyberbullying.

   Unfortunately, bullying has been around throughout human history.  Interestingly, the term, and the specific study of it, did not appear until the 1800s.  Of course, bullying is not just something that happens to children in schools.  My friend Denise Moreland discusses workplace bullying and bad management in her book (buy it here) and blog.

   There have been traditional ways parents and schools have tried to deal with bullying.  I'll discuss those below.  I say "tried" because these methods haven't really worked.  There's also been an anti-bullying movement over the past 10-20 years.  Even with all the media attention this gets, that method doesn't work either.

   I've recently learned of a new approach that I think can work!  It's called Pro-Hero.  Check out this great TEDtalk covering the basics.

Tuesday, February 26, 2013

Tech-Smart Parents and Preschoolers

   This past weekend I had the opportunity to do something fun and different!

   I've been lecturing on Internet Safety and Awareness to all kinds of groups for about 15 years.  I've met with parents and professionals at conferences, businesses, churches, school district parent fairs and have even provided training to law enforcement personnel.  I enjoy doing this and always learn something new.

   After presenting at a school district parent fair last fall, I was invited to present at a local Young Children and Technology conference, specifically covering technology for the preschool and younger set!  Since most of my material is targeted for parents of preteens, teens and older, I knew I had some work to do!

   As I dove into the research, I found that there are similar categories of issues, but clearly preschoolers and toddlers use technology differently than teens do.

Tuesday, February 19, 2013

So What's the Authentication Answer? - 3 Factors of Fail (part 7 - last!)

   We've been discussing the authentication problem for the better part of two months, and now it's time to wrap things up.  If you've gotten to this post through a link but haven't read the rest of the series, it starts with part 1 here.

   Each of the 3 factors of authentication has serious issues when used individually.  The challenge is that we need to log a person into a system or application in a way that reasonably assures the person is who they say they are and has rights to the system.  And, perhaps most importantly, any method we use has to work well for people!

   So, how do we find a solution?

   The key is to think about the user and the use.

Tuesday, February 12, 2013

Multi-Factor Fail - 3 Factors of Fail (part 6)

[Image: quotation, from brainyquote.com]
   In December I was at the NG Security Conference in Austin, TX.  We had a fantastic discussion with a group of key security leaders focusing on this "quote" and how it applies to information security.  I say "quote" because there is some question as to who said this or if anyone actually did!

   As I've been saying throughout this series of posts, it seems that this statement is exactly what we are doing in the world of authentication!  None of the typical factors of authentication have really solved our authentication and access problems, yet we continue to use the same mechanisms over again.

Tuesday, February 5, 2013

The 4th Factor? - 3 Factors of Fail (part 5)

   Welcome to the next installment of my ramblings on authentication, 3 Factors of Fail.  So far we have discussed the classic 3 factors of authentication in parts 1, 2, 3 and 4.

   In recent years some additional authentication assurance methods have been grouped to form what some call the 4th factor of authentication.  This is also called risk-based, location-based or adaptive authentication.  It could also be called "somewhere you are" or "something you are doing".

   The basis of this method is in establishing a rich profile of the user.  This can include:
  • the machine used for access;
  • software used;
  • time or day of accesses;
  • IP address(es) used;
  • what country the connection comes from; or
  • what actions the user attempts.
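To show how those profile signals turn into a decision, here is an added example (my code, not from the post and not any vendor's product): a toy risk-based authentication scorer. Each attempt is compared with the user's profile on the signals listed above (device, software, hour, IP, country, action); each mismatch adds a weight, and the total selects allow, step up (demand a second factor), or deny. The profile, attempts, weights and thresholds are all constructed for the demo.

```python
"""Added example (not from the post): a toy risk-based / adaptive
("4th factor") authentication decision built from a user profile."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """What past logins have taught us about this user."""
    known_devices: set
    known_agents: set          # browser / client software seen before
    usual_hours: range         # local hours of the day when logins are normal
    known_ips: set
    home_country: str
    sensitive_actions: set = field(
        default_factory=lambda: {"export_all", "change_password", "add_admin"})


@dataclass
class Attempt:
    device_id: str
    user_agent: str
    hour: int
    ip: str
    country: str
    action: str


# Illustrative weights (assumed); a real deployment tunes these from its own data.
WEIGHTS = {
    "new_device": 30, "new_agent": 10, "odd_hour": 15,
    "new_ip": 10, "foreign_country": 40, "sensitive_action": 25,
}


def risk_signals(p: Profile, a: Attempt) -> dict:
    """Return the signals that fired for this attempt, each with its weight."""
    fired = {
        "new_device": a.device_id not in p.known_devices,
        "new_agent": a.user_agent not in p.known_agents,
        "odd_hour": a.hour not in p.usual_hours,
        "new_ip": a.ip not in p.known_ips,
        "foreign_country": a.country != p.home_country,
        "sensitive_action": a.action in p.sensitive_actions,
    }
    return {name: WEIGHTS[name] for name, hit in fired.items() if hit}


def decide(p: Profile, a: Attempt, step_up_at: int = 30, deny_at: int = 70) -> tuple:
    """Map the summed risk to a decision: low risk passes on the password
    alone, medium risk asks for another factor, high risk is refused (and
    should raise an alert)."""
    score = sum(risk_signals(p, a).values())
    if score >= deny_at:
        return "deny", score
    if score >= step_up_at:
        return "step_up", score
    return "allow", score


def learn(p: Profile, a: Attempt) -> None:
    """After a successful, fully verified login, fold the new signals into the
    profile so a legitimately new phone stops costing a step-up every time."""
    p.known_devices.add(a.device_id)
    p.known_agents.add(a.user_agent)
    p.known_ips.add(a.ip)
```

Two things the toy makes visible: the same profile both reduces friction for the normal case and raises it exactly when the attempt looks unlike the user, and `learn` must only run after the stronger check has passed, otherwise an attacker who clears one step-up teaches the system to trust their device.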

Tuesday, January 29, 2013

Something You Were - 3 Factors of Fail (part 4)

   Today we'll continue our discussion on problems in the world of authentication.  Here are links to parts 1, 2 and 3.

   The 3rd form of authentication is typically called Something You Are.  We typically think of this as some kind of biometric indicator like fingerprints.  But this is probably the earliest and most basic form of authentication used in human or animal species.

   Animal species can identify members by sight, but more often by scent or sound.   In addition to the traditional 5 senses, some animals have senses that humans do not, like echolocation, to help identify "friend or food".  Here are some interesting articles.

   Human babies can identify their mother by smell and sound.  People have used visual recognition as a primary identification method for most of the existence of the human race.  Of course, visual recognition can be spoofed. And there are other reasons why visual recognition may not be the best identification method.

Tuesday, January 22, 2013

Something You Lost - 3 Factors of Fail (part 3)

   As you can tell if you read my last post, I have some pretty strong opinions about the failure of passwords as an authentication mechanism.

   To review, the 3 factors of authentication are referred to as: something you know, something you have and something you are.  Today, in part 3 of this series, we'll talk about the failure of the second factor of authentication, "something you have".  Here are links to parts 1 and 2 of the series.

   While not the oldest form of authentication, this factor has been around for a long time.  Think about a key, or perhaps some kind of scroll with the symbol of a leader, or even the sword in the stone!  A driver's license, ID card, credit card or passport is also something you have.  These are all things someone can possess that can be used to identify them or grant them access.

   Today, the term "2-factor authentication" can mean the use of any two different factors of authentication.  But most commonly it refers to combining a password or PIN that you know with a single-use 6-digit number from some kind of token.

   Here are the three most common single use string/token delivery methods:

Tuesday, January 15, 2013

Something You Forgot - 3 Factors of Fail (part 2)

   Last week we started talking about authentication and listing the 3 factors of authentication.  This 2nd post in the 5-part series will look at the 1st factor.

   The 1st factor of authentication is "something you know".  We usually think of this as passwords, but there can be other forms like: PINs; lock combinations; "secret" phrases (the phrase that pays!); picture identification; and secret patterns (like on your smartphone).

   There are a few fundamental problems here.  And they are mostly caused by something we can't change... we're trying to authenticate a human! (usually)  So, rather than something we know, these authentication methods rapidly deteriorate into something you forgot.  Here's why...

Tuesday, January 8, 2013

3 Factors of Fail - The Authentication Problem

   Authentication is one of the biggest challenges in information security. We can have all kinds of technical security measures in our systems. There are various controls we can have at the data level. But we still need to allow people to use the systems and get to the data. I should say... we need to allow the right people to use the systems and get to the data! Authentication is how we decide who the right people are.

   Regulations and standards like HIPAA, PCI DSS, IRS Publication 1075 and others have a major focus on "minimum necessary" access, better known as least privilege: giving a user only the access they need to do their job.

   Wikipedia defines authentication as: (from Greek: αὐθεντικός; real or genuine, from αὐθέντης authentes; author) is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program, tracing the origins of an artifact, or ensuring that a product is what its packaging and labeling claims to be.  And Webopedia has: The process of identifying an individual, usually based on a username and password.  Interesting that this latter definition directly refers to username and password.

   There has been plenty of news in the past couple of years of breaches involving theft of a password file (hashed or unhashed) and customer/citizen personal data.  Examples include eHarmony, LinkedIn, the South Carolina Dept. of Revenue, and Utah.  Many of these attacks involved exploiting authentication.

Tuesday, January 1, 2013

To Freeze or Not to Freeze, That is the Question

   As I make a cup of coffee this morning, I'm thinking about a recent change I made.  I'm getting my coffee out of the cupboard rather than out of the freezer.

   When I was a kid, I always remember my parents keeping their ground coffee in the freezer.  Typically that was perk (coarse) ground.  The thinking was that keeping the coffee in the freezer would keep it fresh longer.

   So, when I got older and had my own freezer, I did the same.  Typically I would either have drip (fine) ground coffee or whole beans.  For many years I never thought about whether or not that made any sense.