Tuesday, September 15, 2015

Bring It On Home

   I'm giving a presentation at the Twin Cities ISSA Security Awareness SIG.  I'll be talking about a number of different methods I've used over the years to create buzz and interest about security and make topics accessible to everyone.

   I was planning to refer to one of my earliest blog posts, covering my general philosophy on this topic.  But... going through past posts it appears that, while I've alluded to the ideas, I never actually wrote the post!  So I'll do that now!

   Like the song says, I try to bring it on home.  I find that while people do want to understand security rules at work, when we start talking about things like home computers, smart phones and family internet safety, then we get peoples' attention.

   And that's a great thing!  For a bunch of reasons:
  • When people think about protecting themselves and family and data, it helps them remember that in the office we are protecting customers'/patients'/users' privacy and data.
  • Security needs the eyes and ears of all staff to help us know what is going on.  Security Awareness focusing on personal topics helps open the communication channels to the security team.  We're not so scary! :-)
  • When staff understand more about how security topics can help them, we gain real evangelists.
   And yet there is still controversy about the usefulness of Security Awareness.  But I think it's one of the most important and useful things we can do to help secure our environments.

   Here's a link to the slides from my presentation.

   And here are a few of my past favorite security awareness posts:
   If you are a computer use, what are some topics you'd like to learn more about?

   If you are an information security professional, what tips and techniques would you like to share?

Tuesday, September 1, 2015

The XORcist (aka Get Rid of Bad Encryption)

   I remember when the movie version of the Exorcist came out.  I was in high school and it was probably the scariest, most graphic movie released by that time.  Parents didn't want their kids to see it.  There were all kinds of media discussions about the potential detrimental effects to roller-skating Linda Blair, who played the possessed Regan.  It was a freaky movie, at least for it's day, though it was way surpassed in gore by the slasher movies of the 80s.

   I recently read the book (well, you know... audiobook!).  It's well written and I recommend it.  But it is graphic, and there's plenty that wasn't in the movie.

   Easily as scary is the way many systems and sites handle encryption!  For those who don't get the title... XOR is a basic mathematical function that all computers can do easily and quickly.  It's critical for computer operations, and is used in some encryption operations, but is not really a strong encryption method by itself.  If you want to learn more about XOR, look here or here.

   I've covered problems with passwords many times here.  One of the problems that has allowed password breaches to work is poor encryption of the password file.  XOR is not a strong encryption method!

   So what does this all mean?  I have two messages... one for programmers and one for everyone else.

   Programmers.  Don't invent your own encryption.  There are fantastic, freely available encryption routines out there that you can use in your code.  Or, your organization may already have standard encryption methods you can use.  Bottom line is that 2000 years of mathematics has led us to some pretty solid encryption algorithms.  Use them!  Friends don't let friends use bad encryption!  Here are some great references.

   Everyone else.  Password storage should use something we call a "one-way hash".  Not a tasty dish, but a method of encrypting data so it can't be decrypted.  That means that no one should be able to tell you your password!  So, if you call customer support or the help desk because you forgot your password, and they can tell you your actual password... run!

   Can you think of any examples of bad encryption?  Do you know of any websites that can show you a forgotten password?