The Breaches Will Continue

As I write this, it’s been one day since news of the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn is officially denying this is a breach but is just a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

LinkedIn’s “Intro” So Toxic It Could Dramatically Change BYOD

LinkedIn’s new “Intro” iOS app directs all e-mail sent or received on an iOS device through LinkedIn’s servers.

Yes, you’ve got that right.

Even so-called “secure” e-mail.

Even corporate e-mail.

Has LinkedIn been acquired by the NSA?  Sorry, bad joke, poor taste – but I couldn’t resist. It crossed my mind.

BYOD implications

So what’s this to do with BYOD?

Many organizations are still sitting on the sidelines with regards to BYOD. They are passively permitting their employees to use iOS devices (and Androids, Windows phones too) to send and receive corporate e-mail, mostly on unmanaged, personally owned devices. This means that organizations that presently permit their employees to send and receive e-mail using personally owned iOS devices are at risk of all of that e-mail to be read (and retained) by LinkedIn, by every employee that downloads and installs the LinkedIn “Intro” app.

LinkedIn talks about this as “doing the impossible.”  I’d prefer to call it “doing the unthinkable.”

Organizations without MDM (mobile device management) are powerless in preventing this, for the most part.

Every cloud has a silver lining.

This move by LinkedIn may finally get a lot of organizations off the fence in terms of BYOD, but employees might not be happy.  Organizations’ legal departments are going to be having aneurisms right and left when they learn about this, and they may insist that corporate IT establish immediate control over personally owned mobile devices to block the LinkedIn Intro app.

Corporate legal departments usually get their way on important legal matters. This is one of those situations. When Legal realizes that LinkedIn Intro could destroy attorney-client privilege, Legal may march straight to the CIO and demand immediate cessation. That is, once you peel the Legal team off the ceiling.

Nothing like a crisis and reckless abandon by a formerly trusted service provider to get people moving.

This article does a good job of explaining the evils of LinkedIn Intro.

My respect for LinkedIn could not be at a lower point if they publicly admitted that they were sending your content to the government.

New Christmas computer, part 2: anti-virus

You are savoring your new PC and visiting your usual haunts: Facebook, Netflix, Hulu, and more.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #2: Install and configure anti-virus

While many new computers come with anti-virus software, often it’s a limited “trial” version from one of the popular brands such as Symantec, McAfee, or Trend Micro. If you don’t mind shelling out $40 or more for a year (or more) of anti-virus protection, go ahead and do so now before you forget. Granted, most of these trial versions are aggressively “in your face” about converting your trial version into a full purchased version.  Caution: if you get into the habit of dismissing the “your trial version is about to run out!” messages, you run the risk of turning a blind eye when your trial anti-virus is no longer protecting you.  Better do it now!

If your computer did not come with anti-virus software, I suggest you make that the first order of business. There are many reputable brands of anti-virus available today, available online or from computer and electronics stores. For basic virus (and Trojan, worms, key loggers, etc.), all of the main brands of anti-virus are very similar.

My personal preference for anti-virus programs (in order) are:

1. Kaspersky
2. Sophos
3. AVG
4. Norton
5. McAfee
6. Panda
7. Trend Micro

Note: if selecting, installing, and configuring anti-virus seems to be beyond your ability, consult with the store where you purchased your computer, or contact a trusted advisor who is knowledgable on the topic.

Key configuration points when using anti-virus:

• “Real time” scanning – the anti-virus program examines activity on your computer continuously and blocks any malware that attempts to install itself.
• Signature updates – the anti-virus program should check at least once each day for new updates, to block the latest viruses from infecting your computer.
• Periodic whole disk scans – it is a good idea to scan your hard drive at least once a week. If you keep your computer on all the time, schedule the scan to take place when you are not using the computer, as a scan can slow down your computer.
• Safe Internet usage – many anti-virus programs contain a feature that will try to warn you or steer you away from sites that are known to be harmful.

Many anti-virus programs also come with a firewall and other tools. Some of these may be useful as well – consult your computer retailer or a trusted advisor to see what’s right for you.

Part 1: password security

Part 3: data backup

New Christmas computer, part 1: password security

There it is – a shiny new laptop, desktop, or tablet running Windows. You can’t wait to go to your favorite sites: Netflix, Hulu, Pandora, Flickr, Pinterest, Facebook, and see how fast things download, how crisp and bright the new screen, how precise the touchpad and keys.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #1: Use unique passwords on every site

Many people pick what they feel is a “good” password (long and complex, not easily guessed), but they use that password on many or all of their favorite Internet sites. There is a serious problem with this: if any of those Internet sites suffers the type of security breach like we saw many times in 2012, your password may become known to an adversary. Since most peoples’ userids are their email addresses, and because many people use the same password everywhere, an adversary who has discovered your password on one site will try your email address and password on all popular Internet sites and see which of those sites they can also log in to.

How to use unique passwords

It can be difficult remembering a lot of different passwords, especially good passwords. I strongly suggest you begin using a password vault. The best ones are Password Safe and KeePass, both of which run on Windows and Mac. The password generator feature creates strong, random passwords. The best feature of these password vaults is that they make it easier to use passwords: select the site you wish to log in to, push a button to copy your password, and paste the password into the password field.

The reason that unique passwords are powerful is this: if one site’s password database is compromised, none of the other sites you log in to are at risk, since the one site’s password is not used for any other site you use.

Let’s consider an example: you use Facebook, e-mail, and on your online banking site. Your Facebook password is compromised – the attacker uses your e-mail address (in your Facebook profile) and your password, and tries to log in to your e-mail. Since your passwords were the same, your e-mail account is now compromised. Next, the attacker tries to log in to several online banking sites, and finds yours – again, because you used the same password.

E-Mail Password Importance

The password to your e-mail account is especially important, because your e-mail is the key to establishing / recovering the ability to log in to many of your other sites. When you click “forgot password” or “forgot userid” on many sites, getting into those sites is often as easy as clicking Forgot Password or Forgot Userid, and then reading your e-mail to get your password or a link to reset it. An attacker who controls your e-mail controls nearly everything.

If you are not sure how to use Password Safe or KeePass, the sites (links above) have installation and user instructions. If you are still not sure how to proceed, write down good, unique passwords on paper and find a computer expert friend who can help you install Password Safe or KeePass, after which you can transfer your passwords into those programs.

Part 2: anti-virus

LinkedIn skills endorsements adds buzz but not much value

I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not.

I’ve been a LinkedIn user for about eight years, and I’m highly appreciative of its business networking focus. LinkedIn has facilitate many fruitful business opportunities that might not have happened otherwise.

LinkedIn has been adding new features, and one of the newest is the Skills feature. A while after adding Skills, LinkedIn now provides a means for users to “endorse” the skills of their connections. Upon first glance, I thought this would be a useful feature that would help to add credibility to one’s claims of business and technical skills.  That is, until I started receiving endorsements from some of the people I am connected with.

I’m grateful to my connections for endorsing my skills – make no mistake about it. However, I’ve received many skills endorsements from connections that do not actually know whether I have those skills or not. While their endorsements seem to strengthen my credibility, I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not. If people are endorsing my skills without actually knowing whether I have them, how do I know whether others have the skills they claim, even when endorsed?

LinkedIn is just another tool that people can use to embellish their resumes. While LinkedIn has great potential for helping people find each other based on their profession, location, skills, and other criteria, LinkedIn is no substitute for other methods for determining whether businesspeople actually possess the skills they claim.

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

Sometimes when someone asks which certification they should earn next, sometimes I wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: what aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes. Meaning: what are your talents.
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum

Risk assessment the key to budgeting security resources

I have yet to meet a security professional who has all the time required to do everything that he or she needs to, to protect his or her organization. Instead, whenever I network with security professionals, I ask them, “How’s it going?” and can usually predict the answer: “crazy busy,” “way too much going on,” “many unfilled holes,” and so on.

This problem is not limited to security. Most other business functions usually feel short on the resources they require to do what they need (or want) to do.

The question, then, is how to decide what activities truly deserve our time.

The answer to the question is, perform a risk assessment across your entire organization (or within individual business units if your organization is large). If you perform this competently and faithfully, you will end up with a list of risks.  If you categorize those risks in terms of short-term impact, probability of occurrence, public visibility, cost of mitigation, and long-term impact, then you should be able to “slice and dice” your list to determine which risks truly demand your attention now, and which are lower priority.

The next task, then, is to present the findings of the risk assessment to senior management, so that they can make any adjustments to priorities and provide resources as they feel are needed.

Finally, explicitly or implicitly, you will need to document all untreated risks as “accepted” by senior management. Do it in writing, as formal (or informal) as the risk assessment yourself.

Having done all of these, you will have done your job: make senior management aware of business risks, and enable them to make informed decisions.

If you agree (more or less) with senior management’s resourcing decisions, then you are fortunate.  If you vehemently disagree, it may be time for you to find some mentors in the organization who can help you to better communicate with senior management.  Lacking this, you may need to consider moving on.

Cloud based solutions bring disaster recovery within reach of small business

Backup and Data Recovery (BDR) solutions traditionally have been high priced luxuries out of the reach of many small to medium business owners. Tape drives remain very expensive hardware components, and offsite storage services are simply too expensive for many companies to use. But now, cloud based solutions are poised to bring BDR solutions within reach of every business from the sole proprietorship to the multisite enterprise.

Let’s look at what a company needs for BDR. Data must be securely backed up, available in case of need, but safe from any disaster that might strike the company. When all of your data resides only on your fileserver, it is at risk from hardware failures, theft, human error, fire or other catastrophe. Many companies use tapes to back up their systems, but do not use a reliable way to move those tapes off site to a secure storage location. The same fire that cooks your server will melt the tapes in the file cabinet, and so will the summer sun beating down on the car’s boot.

Even the least expensive courier services can cost hundreds of dollars a month, and relying on tapes to store your data means needing redundant hardware to recover your data in an emergency. Tape based solutions are simply out of reach for most SMBs, who choose instead to accept the risk of loss because they don’t have a viable solution. Or rather, they didn’t until BDR met the cloud.

Cloud based BDR solutions use your company’s Internet circuit to make a secure connection to your service provider’s network, and performs data back ups continuously. Typically an agent is installed on each server and workstation you wish to backup, and examines data changes at the block level, replicating data either directly to the cloud service provider, or to a staging appliance in your datacenter that can further compress the data, and stage most recently changed data for rapid restores if necessary.

Rather than investing thousands or tens of thousands of dollars on hardware and software, cloud based BDR solutions typically operate on a monthly subscription basis, with graduated pricing based on total data stored. This means that SMBs can start using the services immediately, and keep their costs manageable. They can select a smaller total data level to start, and raise the level as their needs grow. Because costs are monthly and subscription based, the financial treatment of these costs is frequently very attractive as well, going to operations rather than assets.

Many of the cloud based providers of BDR services offer free trials, which enables the business owner or IT admin to take the service for a test ride, ensuring that they are comfortable with the requirements, performance, and availability of the service. Some services can offer individual users with backup capabilities for their workstations that go hand in hand with server based backups, while others pool team based storage to further enhance the services available.

With your data securely backed up to a cloud provider’s network, you can rest easy knowing that if disaster strikes, your data is not lost. It is safe and secure in the cloud ready for you to pull down at need.

This guest post was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles to disaster recovery.

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind. Other people try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what?  It doesn’t seem like the problems of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly in to information systems.  That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist?  Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on.  Your defenses will only slow down a determined intruder, and maybe only be a small margin.

• We must protect all systems. An intruder will attack the system of his choosing.
• We must protect from all types of attacks. An intruder will use an attack method of his choosing.
• We must protect our systems at all times. An intruder will attack at a time of his choosing.
• We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
• We must obey all laws when defending our systems. An intruder may break any law of his choosing.
• The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
• Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Cloud service providers and the U.S. PATRIOT Act

The U.S. PATRIOT Act has a lot of non-U.S. companies wondering whether it is a sound practice to store data in a U.S. based cloud services organization. The concern is this: the cloud services provider may be obligated to turn over stored data on receipt of a National Security Letter, which is essentially a subpoena with a gag order.

But what if the customer is the legal owner of the data, and not the cloud services provider?

If legal contracts between the cloud services provider and its customers define customers as the owner of stored data, what happens when the cloud services provider receives a National Security Letter asking for that data? Can the provider say, “sorry – this is not our data, you need to ask the owner for it”?

I could see this going both ways.  Using the precedent of wiretapping, the law enforcement agency issuing the subpoena might argue that data ownership is irrelevant.

* * *

While we’re on the topic of PATRIOT… I often wonder about non-U.S. companies’ concern about it. Rationale I sometimes hear is that storing data in the U.S. is riskier because of PATRIOT.

Let me assert this: in the interest of national security, any nation’s law enforcement or intelligence agencies are going to search and sieze data as needed, whether there are laws on the books or not. The fact that the U.S. has its PATRIOT Act only means that the U.S. is being more transparent about a practice that we all know is pervasive around the world. Taking this argument further, you could argue that storing data in the U.S. is safer, because at least the U.S. has laws governing the use of search and seizure in the name of national security. In countries without such laws, what will limit the reach of law enforcement and intelligence agencies?

* * *

Finally, I want to say that I am not expressing an opinion about PATRIOT – whether I agree with it or not. It is simply a fact to be dealt with.

* * *

References:

The Patriot Act and your data: Should you ask cloud providers about protection? – InfoWorld article, January 2012.

Patriot Act Threatens American Cloud Computing – Wall Street Cheat Sheet, January 2012.

Block Javascript in Adobe Acrobat

Simple how-to instructions for blocking Javascript in Adobe Acrobat Reader in Windows, Linux, and Mac systems.

Reducing the attack surface in Adobe reader is an important step in reducing malware attacks. The vast majority of all PDFs do not contain Javascript, but Javascript-embedded PDF files is a well known method used to attempt to compromise end user systems. This can occur in phishing scams where e-mail messages contain infected PDF files, or links point to infected PDF files hosted on web sites.

Adobe Reader on Mac. Click for full size image.

Here is how to block Javascript in Adobe Acrobat 10 for Mac. Go to Acrobat > Preferences > Javascript and uncheck Enable Acrobat Javascript.  Then click OK.

Similarly, in Adobe Reader X on Windows, go to Edit > Preferences > Javascript and uncheck the Enable Acrobat Javascript, then click OK.

Likewise, for Adobe Reader 9 on Linux, go to File > Properties > Javascript and uncheck Enable Acrobat Javascript, then click OK.

Adobe Reader on windows. Click for full size image.

Click the thumbnails to view screen shots for Mac, Windows, and Linux.

Adobe Reader in Linux. Click for full size image.

Why Disaster Recovery Requires a Plan

Why Disaster Recovery Requires a Plan

Guest post from Casper Manes on behalf of IT Channel Insight

Whether you are a commercial pilot, an astronaut, a submarine weapons officer, or a Cylon, you know the importance of having a plan. There are certain tasks that, no matter how repetitious they may seem, are so important to get right the first time, and every time, that they have been boiled down to a checklist which any reasonably skilled and trained individual can walk through, step by step, in order, to accomplish the task. They are designed to be easy to follow, to spell out exactly what needs to be done, and the order in which it must be done, to get things going, and to require a minimum of creative thinking. Tasks are performed by rote, and verified each step of the way. That’s the perfect way to approach disaster recovery, and in this article we’ll discuss why you need a disaster recovery plan that is a little more detailed than “don’t panic!”

What is a disaster?

Let’s consider what, in business terms, can constitute a disaster. Sure, things like hurricanes and blizzards come to mind, perhaps even fires in the datacenter, but a disaster is more than just a weather phenomenon or catastrophic loss; it’s anything that significantly disrupts the normal operations of your business. If we limit ourselves to an IT perspective, that can include prolonged Internet outages, a severe flu epidemic that takes out half the staff, a virus that shuts down key servers, or a SAN failure. It can also include HVAC failures, power outages, or hardware failures on critical, but not redundant, systems. Anything that causes a significant and protracted impact to normal operations may be enough to declare a disaster situation, and require that you implement your recovery plan.

Disaster declared, now what?

In the best case disaster, you have experienced a hardware failure that will eventually be corrected by the vendor. But while systems are down, your phone is ringing off the hook, you’re getting pinged on email and IM, and someone is probably sticking their head in your cube every 30 seconds asking if it’ fixed yet. In the worse type of disasters, you and your colleagues are probably more worried about your family and your own property more so than the company’s, and that’s assuming all your team even made it into the office. Hurricanes, blizzards, and other region impacting events can leave you with only a skeleton crew, and most of them are going to be worried about more than just how to get the website back online and email working. That’s why you want to work the plan.

By the numbers

Think back to how this article opened. When failure is not an option and there are countless distractions going on, you want people to have something to anchor themselves with, and to keep the need for creative thinking to a minimum. You also need to make sure that things are done in a certain order, and that nothing is missed, because most things have dependencies. A plan is the guide that your team will use to enable them to focus on specific and discrete tasks, without having to make it up as they go along. Make use of checklist; I mean actual paper documents on clipboards with check marks that each step is complete, so that;

a)     If something distracts you, it is easy to pick up where you left off without missing anything,

b)     You can hand off to someone else and they know exactly where to start

c)     Someone can audit that each step was done.

Paper checklists also have the distinct advantage of not relying on technology. I once saw an organization who kept all their DR procedures online; which looked great until they couldn’t get to them while the datacenter was down!

It’s a journey, not a destination

Disaster recovery planning is an ongoing process. Plans must be tested and revised as the company grows, new systems are brought into the environment, and old systems are deprecated. Real disasters don’t happen on schedule, so training must be thorough and testing must be performed to ensure that whoever is on the clock can handle the early steps of the process until more people can get online. Staffing changes will mean that this must happen frequently, and repeatedly. It’s just a part of the overall process, so accept it. And make sure that at least two people know how to perform any part of the disaster recovery plan since you have no way to know in advance whether everyone will be able to make it into the office when a disaster strikes. Redundancy of equipment is no more important that redundancy of skillsets, and a single point of failure could be the one guy who can’t get into the office because the roads are closed.

This article was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles on how to setup a disaster recovery plan.

What does a network scanner bring to the company?

Guest post from Emmanuel Carabott of GFI Software Ltd.

Whenever someone does research on the best methods to secure a company’s network, they are sure to come across articles recommending network scanners. But what value do network scanners really provide any organization?

Network scanners generally provide two distinct important functionalities – information gathering on the network they’re scanning and information on any security issues found on that network.

Information on the network

Administrators need to keep up with the constant changes made to the network. Some might see change management as unnecessary, but this is an essential part of the process to keep a network in excellent shape. There are various reasons why administrators would want to know what software and hardware is running on their network, but the main reasons are security and the need to make sure that the changes administrators make will cause conflicts within the existent network infrastructure. When new software is installed, or updates are made to the existing installation through patching, certain configurations can make the system unusable (blue screens, for example) or unstable. To avoid this from happening, the administrator should keep a test environment which mirrors the network where these changes will be made before they’re pushed onto the live server. If users install new software on their systems without notifying the administrator, the test environments will not match the current network and therefore any pre-deployment tests will be inconclusive and not a true reflection of the current status.

Some hardware can pose a security risk to the network. It is imperative that administrators are immediately notified when a new device is connected to the network so that they can determine if there is a real risk to the company. The company’s security policy might specify that the administrator must be notified before any new hardware is connected to the network but that alone does not guarantee employee compliance. A network scanner, however, can periodically monitor the network for changes and notify the administrator as these happen.

Security issues on the network

A network scanner will also look for a number of security issues on the network it is scanning.

These generally include:

• Vulnerabilities
• Missing patches
• Unwanted open ports

New vulnerabilities affecting the network can arise on a daily basis, often due to changes in configurations, new exploits being discovered, and because of new software being installed on the network. For these reasons alone, an administrator needs a network scanner that can monitor the network for any vulnerability on a regular basis.

Next on the list is patch management.  Vendors continuously fix security issues in their software and then, release patches for the end user to install. Keeping track manually of all patches released can be a daunting task, but a network scanner helps the administrator to stay on top of the problem and apply any patches that are required.

Finally there are applications that communicate through the internet, such as web servers’ open ports for others to connect to. Every open port is a potential security risk because malicious persons will try to find exploits in these connections. It is highly recommended ports that are not in use are closed immediately. An administrator should be informed as soon as a new port is opened on a network machine. This usually happens when an employee may have installed a new application or due to a malware infection. Since the network administrator cannot be everywhere or see everything happening on the network all the time, a network scanner is an essential tool.

A network scanner is a very useful tool for administrator, making his life a lot easier. Having a ‘virtual consultant’ is a much better option that having to check each and every machine manually.

Companies that use network scanners will save time and money, while administrators can focus on more important issues that require manual intervention. Why add more work when tasks can be automated using a network scanner?

 

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

All product and company names herein may be trademarks of their respective owners.

Healthy Skepticism Required When Using Online Storage

When online backup solutions such as box.net, idrive, and dropbox came on the scene, I was skeptical. Store my data on some service provider’s system? Only with caution.

When news of the dropbox scandal was made public, I was not surprised. The promise, “only a customer has access to their own data”, evaporated. Not that it was ever a promise that could ever be kept.

Recommendation: if you insist on storing your data on someone else’s system, encrypt it locally and store the encrypted data on the other system. That is the only way to truly guarantee that no one else can see your data.

Reference:

http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/

Classification of data center reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

• Tier I – Basic Reliability Power and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
• Tier II – Redundant Components Power is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
• Tier III – Concurrently Maintainable Includes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
• Tier IV – Fault Tolerant Includes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.

Excerpt from CISA All-In-One Study Guide, 2nd edition

Amidst the Growing Web, We Are Rushing Back to Client-Server Computing

In the early 1990s, client-server computing was all the rage. But it sucked, because networks were too slow and because updating client software was unreliable. Then the web happened, and soon, applications were we written for web browsers. It was a great time, for a while.

Client server is back, and it’s now – arguably – the dominant computing model today.

I’m talking about smartphones (iPhone/iPad, Android, Blackberry, etc) with their app stores.

Smartphones are outselling laptops. And while web surfing is popular among smartphone users, app stores is where it’s at.

Smartphone apps are the new client server model.  The protocols are better (POX – plain old XML) and more efficient, HTTPS for security, and bandwidth is better. The entire mechanism for updating smartphone apps is reliable, semi-automatic, bandwidth friendly, and easy to use.

I’m not knocking web browsers, really. They are great and getting better. But the differences between them is making the development of web applications that work across all of the web platforms and versions increasingly difficult.  The web is great for lightweight application interaction, but it’s difficult to get it right in complex applications.  Making web apps work across the popular browsers, versions, and OSs is not unlike the unenviable job Microsoft has of making Windows work on everyone’s Intel-based system. In the early days of the web, you wrote HTML and it worked everywhere. Not so any more. The bloom is off the rose.

So, what about app stores for laptops / desktops?  Since app stores are accepted by smartphone users, it makes sense that we’ll see them on laptop and desktop operating systems (Windows, Mac, Linux). If you use OSX (Mac), it’s already here. Microsoft is late to the party. Again.

I believe we will see a resurgence of client-server computing in the form of app stores for all major computing platforms, and that serious business applications that were previously web based will be app-based. Just like in the old days, only better.

Taking a Wider View of Application Security

As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from the Open Web Application Security Project (OWASP), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.

Wrong.

OK, sorry about that. I put that trap there for you, but I didn’t really expect you to step into it. I want to help you expand your thinking about application security.

Read rest of article here (redirects to softwaremag.com)

Car hacking, the crime of the future

Several years ago, when Microsoft announced its intention to have its software installed in automobiles, my immediate gut reaction was, oh great, now we will have bug fixes, patches, crashes, reboots, updates, blue screens of death, and car hacking. Such has been the experience of millions of users of Windows software for decades – why would the user experience in cars be any better – or different?  (and it if would be better, why are those improvements not yet present in desktop / laptop computers?)

Fast-forward to May 2010, when the New York Times ran an article that described the extent to which computer systems are at the heart of a modern automobile’s control systems. I am not talking about the navigation system here, but engine, brakes, lights, and other basic functions. A team of computer scientists from UCSD and UW demonstrated the ability to hack into a car and remotely control its basic functions, including starting, stopping, engine control, instruments, and steering.

Why hack a car

Hacked Instrument Display

Your next question might be, why would someone wish to hack into someone’s car?  Some reasons include:

• Theft. An intruder may wish to steal the car by hacking into its systems to disable the alarm, start the car, and maybe even remotely drive it for a short distance.
• Fun. Immature but technically talented individuals may derive enjoyment from their ability to take over the controls of a running automobile in order to alarm its driver.
• Harm. An individual or team may be intent on causing harm to the driver and/or passengers of a car by wrestling control of the car from the driver and causing the car and its occupants to crash.

The development of the Toyota loss-of-control matter has demonstrated to the public that automobile computer control systems are prone to malfunctions that can cause safety issues. Whether Toyota’s specific problems were proven to be related to onboard computer systems is irrelevant; the point is, that the crisis demonstrated that it is plausible that computer malfunctions can indeed result in potentially lethal safety issues.

Unsecure by design

The car hacking experiment conducted by UW and UCSD researchers was a proof-of-concept that was very time consuming to perform. The experiment proved that security controls installed in automobiles to prevent hacking are weak at best. Consistent with many other new technologies, computer systems in automobiles were designed with functionality in mind, and security given little or no consideration.

Easy to hack

Will car hacking always be difficult. Certainly not, and the firesheep tool is proof of this. Soon (perhaps already a fact for some readers of this article) there will be tools available for novice computer users who will be able to select from an array of nearby vulnerable cars, and be able to easily take over control of the car’s instruments, engine, brakes, climate control, navigation system and, indeed, practically everything in the car. There will probably even be an iPad version of this tool for hip hackers.

Improvements needed

Toyota [allegedly] has proven that automobile electronics can fail all by themselves. UW and UCSD has also proven that automobile electronics have weak defenses. Firesheep has proven that easy-to-use hacking tools will quickly be developed and used. Automobile manufacturers need to adopt a secure-by-design principle in the development of all on-board electronic systems in order to minimize the threat of car hacking.

Hack-proof Miata

I think that I’ll stick with my 1991 Miata for the time being.

Social media safety during the holidays

The late-year holidays (Thanksgiving, Hanukkah, Christmas) are known for travel, visiting with friends and family, and gift giving and receiving. Any time of year is a time for sharing some details of our lives with others through social media outlets such as FaceBook, Twitter, MySpace, and personal blogs.

During this time of year, it is especially important that you protect yourself from online threats, some of which are caused by others, and some of which are caused by you! Follow these steps to keep your property and your online presence safe during the holidays:

Don’t announce your travel in advance. If you post something like, “leaving home for Philadelphia for five days”, you are announcing to the world that your home may be vacant for extended periods of time, inviting burglaries.  Make your posts more vague, such as “spending Christmas with brothers and parents”, which might be where you live, or not.

Don’t gloat about your gifts. Similarly, if you talk about your new Kinect,  Wii, or iPad online, you may be sharing news of your loot with too many outsiders. Instead, be more discrete and share news about your new things more privately.

Limit FaceBook exposure. Check your privacy settings in FaceBook. Consider setting up one or more groups of family and friends, to limit how wide your announcements are sent. My wife and I have “immediate family”, “family”, and other groups of highly-trusted individuals with whom we may share things about travel, gifts, and other personal matters, so that the entire world doesn’t know that we might not be home at the moment.  Similarly, limit the FaceBook applications that you allow to access your personal data. Some FaceBook applications are malevolent and are designed to steal your information and use it against you.

Get a security tune-up. Follow easy steps to ensure that your anti-virus and firewall are working, and that your patches and browser are up to date. Do this before you shop online, to limit the chances that your credit cards will be compromised.

Secure your home Wi-Fi. Find the instructions to improve the security of your home router or Wi-Fi access point. Change from no security to WEP, or better yet, WPA.  While WEP is not as secure these days, it’s better than nothing. WPA or WPA2 are far better, and most PCs (and even gaming consoles) supports WPA and WPA2 these days.

Limit use of public Wi-Fi hotspots. From road warriors to housewives, we roam with our laptops from hotspot to hotspot at our favorite coffee shops and other public venues.  While it’s okay to check the news and get shopping information, it is not okay to check e-mail, log on to FaceBook or Twitter, or perform high-value activities such as online shopping from an open WiFi hotspot. Easy to use tools are widely available that permit even the unskilled to hijack your session and compromise your personal information.

Check your credit. U.S. consumers can check their credit three times per year for free (once per year for each of the three credit bureaus). Check your credit report carefully, looking for any accounts that you may not have opened, or for changes in accounts you may not have authorized.

Use a separate online shopping credit card. Rather than using your primary credit/debit card for online shopping, open a second account and use only that one. Keep a low balance to minimize your exposures.

Choose “credit” when using debit/credit cards. Whenever you are making purchases with your debit/credit card, choose “Credit”. Then, if your credit card number is later compromised, you may enjoy additional protection (such as the $50 liability limit) on your account. Many banks do not offer the same protection for compromised debit card numbers.

Preventing browser hijacking

Browser hijacking occurs when an intruder is able to successfully exploit a vulnerability in a user’s browser program.  When a browser is hijacked, the intruder is able to control how the browser operates. Examples include changing the default home page, as well as other settings.

Why is this a problem?

Some browser settings can cause all of the traffic between your browser and Internet web sites to be routed through the intruder’s system. This allows the intruder to follow your every move, and it may also allow the intruder to capture passwords you enter at sites such as online banking and e-mail.

Are you concerned yet?  You should be! If your browser has been hijacked, you could become a victim of fraud or identity theft.

Quick Fixes
(assumes you have a Windows computer)

1. Turn on Automatic Updates. This will cause your system to automatically download and install all the latest security patches for Windows and Internet Explorer
2. Install Microsoft Security Essentials or other anti-virus program.  AVG has a very good free anti-virus program.
3. Scan your computer for malware using your on-board anti-virus program.
4. Scan your computer for malware using one of several good web-based anti-virus programs, such as: Panda, Symantec, Trend Micro.
5. Turn on Windows Firewall.
6. Update to the latest version of Internet Explorer, which has a better design and better security controls.
7. If you don’t want to update Internet Explorer (or if you already have the latest), reset your IE settings.
8. Manage and disable add-ons. A lot of browser hijacking is the result of add-ons.

Even after you do these things, you’ll still be running a combination of software that is vulnerable by design and requires constant vigilance. Read on.

Long-Term Fixes

If you are running Windows, I highly recommend you stop running Internet Explorer altogether. Use it ONLY for running Microsoft Update, online virus scans (from step 4 above – most require IE), and those occasional website that do not render well in other browsers.

For greatest security when browsing on Windows, use Firefox with the NoScript and FlashBlock add-ons. This combination is the safest possible browsing when using Windows. You’ll still have to run anti-virus and automatic updates, though.

Paradigm Shift

Most people use Windows, but few people HAVE to. There are two excellent alternatives:

• Linux. The “ubuntu” release of Linux is highly reliable, easy to use, and secure. If you have a good PC, you can download ubuntu, burn it onto a CD, and try it out on your own computer. If you really, really like it, you can install ubuntu Linux onto your computer and say goodbye to Windows forever. We have done this on two systems here. Linux runs so much faster on a PC than Windows that you will think you got a hardware upgrade!
• Linux in a virtual machine. If you *have* to run Windows (because of that expensive software that runs only on Windows), then I recommend you download VirtualBox and install Linux as a guest. Then, do all of your Internet browsing from the Linux machine (running Firefox, Noscript, and Flashblock as described earlier). You can run it in full screen mode, which is the next best thing to running Linux on your hardware. Another nice thing about this method is that if you do get malware on your Linux system, you can reset your Linux system back to an earlier state (I have never had this happen, but if I did mess something up in the Linux system, reverting to a recent snapshot is still a nice feature).
• Mac OS. If your PC is not that great and you want to upgrade to new hardware, this is a great time to buy a Mac. While they may initially seem more expensive, you get excellent value and performance. On Mac OS, you can download Open Office, which is free and compatible with Microsoft Office. We have three Macs at home (a Mac Mini, a MacBook, and a MacBook Pro) and are totally satisfied with them. They are great computers.

Note regarding purchasing a Mac computer: do not get caught up in feature comparisons (e.g. a Windows system with a larger screen for less money than a Mac).  A Windows system is still just a Windows system, vulnerable by design and more expensive in the long when when you consider all the time you have to spend to keep it secure / make it secure. These videos say it better than I can: