<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2143657359145675608</id><updated>2012-01-29T04:25:26.860-06:00</updated><category term='TJX'/><category term='Safety'/><category term='Policy'/><category term='Kingston Technology'/><category term='Kids'/><category term='Phishing'/><category term='TSA'/><category term='Microsoft'/><category term='Visa'/><category term='Louisiana Board of Regents'/><category term='Email'/><category term='Patch'/><category term='Aflac'/><category term='Trusted Toolkit'/><category term='Virgin Money'/><category term='MasterCard'/><category term='Newsletter'/><category term='The Breach Blog'/><category term='Tips'/><category term='Encryption'/><category term='Security'/><category term='Programs'/><category term='MySpace'/><category term='Spyware'/><category term='Quote'/><category term='Business'/><category term='Secure'/><category term='Wells Fargo'/><category term='Western Union'/><category term='Westpac'/><category term='Virus'/><category term='Certegy'/><category term='Software'/><category term='Exploits'/><category term='Passwords'/><category term='Free'/><category term='Home'/><category term='Spam'/><category term='Breach'/><category term='Law'/><category term='Audit'/><title type='text'>The Trusted Toolkit Blog</title><subtitle type='html'>My place in this world to talk about what I am passionate about, that being Information Security.  
I can leave my thoughts to you and let you decide what to do with them.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>53</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2443218021729264379</id><published>2007-10-02T13:00:00.000-05:00</published><updated>2007-10-04T13:44:29.577-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='The Breach Blog'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>A Simple Incident Response to a Simple Oversight</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. 
Assuming the breach is less than it really is can negatively impact your company, the victims, and your livelihood.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;A Little Background&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;I write for this and &lt;a href="http://breachblog.com/"&gt;The Breach Blog &lt;/a&gt;because I am passionate about information security and protecting people when dealing with confidential information. &lt;a href="http://breachblog.com/"&gt;The Breach Blog &lt;/a&gt;was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Incident&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.&lt;br /&gt;&lt;br /&gt;He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he did not recognize before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.&lt;br /&gt;&lt;br /&gt;Can you guess what the “Assoc. ID” is?&lt;br /&gt;If you guessed Social Security number, then you are correct! Oh boy.&lt;br /&gt;&lt;br /&gt;On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. 
Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!&lt;br /&gt;&lt;br /&gt;If I were a victim, what kind of questions would I demand answers for? Let’s see:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I want to know where this information came from.&lt;/li&gt;&lt;li&gt;I want to know if this has been an acceptable practice by human resources in the past and if so, for how long?&lt;/li&gt;&lt;li&gt;I want to know if there was anyone else that received this email.&lt;/li&gt;&lt;li&gt;I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.&lt;/li&gt;&lt;li&gt;I want to know if there were any copies stored locally on the sender’s computer.&lt;/li&gt;&lt;li&gt;I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).&lt;/li&gt;&lt;li&gt;I want to know if this information may be in a backup anywhere that needs to be dealt with.&lt;/li&gt;&lt;li&gt;I want to know why this happened in the first place.&lt;/li&gt;&lt;li&gt;I want to know what human resources is going to do to make sure that this never happens again.&lt;/li&gt;&lt;li&gt;Are there any applicable laws and/or regulations, i.e. do I need to disclose this breach to any state attorneys general?&lt;/li&gt;&lt;/ul&gt;You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.&lt;br /&gt;&lt;br /&gt;Victims and shareholders should &lt;strike&gt;expect&lt;/strike&gt; demand no less!&lt;br /&gt;&lt;br /&gt;As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. 
It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Tips I've Learned&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;An easy way to respond to an incident involving personally-identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.&lt;br /&gt;&lt;br /&gt;The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. 
The other 5% is skill.&lt;br /&gt;&lt;br /&gt;Unfortunately, it is very difficult to teach someone common sense.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2443218021729264379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2443218021729264379&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2443218021729264379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2443218021729264379'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/10/simple-incident-response-to-simple.html' title='A Simple Incident Response to a Simple Oversight'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-70874687164493109</id><published>2007-09-17T13:25:00.000-05:00</published><updated>2007-09-17T23:50:14.429-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='Wells Fargo'/><title type='text'>Shame on Wells Fargo or Shame on Me?</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " 
src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Friday was a busy day, but I found a little time to check my Gmail account. My peak performance brain has been trained to immediately key on certain words that appear in my inbox and classify them as threats, either phishing or spam. You know words such as “Alert”, “PayPal”, “Warning” and “eBay”? This time my brain tells my eyes to check out this email labeled “Wells Fargo Online Notification of New Legal Notices”.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;There are three primary reasons why I am particularly interested in this email. One, I am a Wells Fargo customer. Two, I signed up for email updates and regularly get emails from the company. And three, Gmail typically does a great job of filtering out phishing attempts from my inbox. So I open the email.&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5111241402506739570" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/Ru7G-Z2u_3I/AAAAAAAAADM/f5iSPNVh0qg/s400/Wells.jpg" border="0" /&gt;&lt;br /&gt;The email looks legit to me.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;A Phish is a Phish?&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;I have been training users for the last couple of years to NEVER click on a link in an email to a login page, then proceed to log in. I assumed that this is a “best practice” to protect oneself from phishing. I am always skeptical. Did this email really come from Wells Fargo? I check the header of the email; it looks good. I check the links; they look good. I check the HTML code; it still looks good.&lt;br /&gt;&lt;br /&gt;This legitimate Wells Fargo email goes against what I thought were best practices in regards to phishing prevention. 
Being the concerned (paranoid) information security guy that I am, I emailed &lt;a href="mailto:reportphish@wellsfargo.com"&gt;reportphish@wellsfargo.com&lt;/a&gt; with the following:&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;blockquote&gt;to reportphish@wellsfargo.com&lt;br /&gt;date Sep 14, 2007 1:50 PM&lt;br /&gt;subject Fwd: Wells Fargo Online Notification of New Legal Notices&lt;br /&gt;&lt;br /&gt;To whom it may concern:&lt;br /&gt;&lt;br /&gt;It appears that the email depicted below actually came from Wells Fargo. The email contained links that went to your login page and asked people to sign in. Wells Fargo should not be sending emails like this to your customers! It goes against everything that we try to teach people with respect to phishing.&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;Concerned customer&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Surely Wells Fargo knows much more about phishing than I ever could, so am I wrong?&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/70874687164493109/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=70874687164493109&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/70874687164493109'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/70874687164493109'/><link rel='alternate' type='text/html' 
href='http://trustedtoolkit.blogspot.com/2007/09/shame-of-wells-fargo-or-shame-on-me.html' title='Shame on Wells Fargo or Shame on Me?'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_UpzPLjwt3YY/Ru7G-Z2u_3I/AAAAAAAAADM/f5iSPNVh0qg/s72-c/Wells.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-8164330482096981470</id><published>2007-09-11T12:28:00.000-05:00</published><updated>2007-09-11T12:42:00.425-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='The Breach Blog'/><title type='text'>Where Have I Been?</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You may have been wondering where I have been for most of the last two weeks (maybe not!), and here I am to tell you.&lt;br /&gt;&lt;br /&gt;I have started a new blog and have been spending much of my time creating content for it and getting it up to speed.  The blog is "&lt;a href="http://www.breachblog.com/"&gt;The Breach Blog&lt;/a&gt;", where I have been researching and providing commentary on breaches that have occurred over the last month or so.  I am motivated to share breaches with the public, provide insight from a security point of view, and give people a place where they can come and voice their opinions publicly.  
Basically, I get great satisfaction from helping people who don't know any better.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;Information for &lt;a href="http://www.breachblog.com/"&gt;The Breach Blog &lt;/a&gt;is compiled from a variety of sources including (but not limited to):&lt;br /&gt;&lt;br /&gt; - The Attrition.org &lt;a href="http://attrition.org/dataloss/"&gt;Data Loss Archive and Database &lt;/a&gt;(pioneers in breach disclosure)&lt;br /&gt; - &lt;a href="http://www.privacyrights.org/"&gt;Privacy Rights Clearinghouse&lt;/a&gt;&lt;br /&gt; - Google Searches&lt;br /&gt; - News sources&lt;br /&gt; - State government sites&lt;br /&gt; - Victim emails&lt;br /&gt;&lt;br /&gt;I hope that people from all walks of life find value in the information provided.&lt;br /&gt;&lt;br /&gt;The Trusted Toolkit Blog will start to get more attention again soon as I begin to divide my time more and get more organized.  I'll be back...&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/8164330482096981470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=8164330482096981470&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8164330482096981470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8164330482096981470'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/09/where-have-i-been.html' title='Where Have I Been?'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-9121692721499440653</id><published>2007-08-30T13:30:00.000-05:00</published><updated>2007-08-30T14:39:57.552-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><title type='text'>Passwords Written Down, Real Life Real Risk</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;color:#ff0000;"&gt;&lt;strong&gt;People, please STOP writing passwords down!&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Incident&lt;/span&gt;&lt;br /&gt;&lt;/strong&gt;I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad. 
&lt;/span&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;img id="BLOGGER_PHOTO_ID_5104580124609835954" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/Rtcck_7jc7I/AAAAAAAAADE/_3uOIyu5WMc/s400/LaptopPassword.jpg" border="0" /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;p&gt;Typically, the passwords I find pose more risk to the company (i.e. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry, it read:&lt;br /&gt;&lt;br /&gt;E-TRADE: etrade.com&lt;br /&gt;EXERCISE PASSWORD: 88946571335&lt;br /&gt;USER ID: jdoe&lt;br /&gt;PASSWORD: jdoeDoneB4d&lt;br /&gt;&lt;br /&gt;NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.&lt;br /&gt;&lt;br /&gt;Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people I had run out of options. I think to myself, self “The user name and password can’t still be valid, can they?” I decide to try. I go to &lt;a href="http://www.etrade.com/"&gt;http://www.etrade.com/&lt;/a&gt;. Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.&lt;/span&gt;&lt;/p&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;img id="BLOGGER_PHOTO_ID_5104571070818775970" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/RtcUV_7jc6I/AAAAAAAAAC8/3WuIaMsOC5c/s400/Etrade.jpg" border="0" /&gt;&lt;br /&gt;$492,640.25 worth of risk! Now I can find the user however, which is my main motivation. Obviously the first thing to do is have the user change their password, which they did. 
I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sank in or not, but it felt good to help for now!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;How did the laptop end up where it was?&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage, then brought it out as a loaner for a contractor.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Another good question. Because sometimes people forget that information security is EVERYONE'S job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded the help desk to remove the stickers and report them. &lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span class="fullpost"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;I have given this much thought over the last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? 
See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.&lt;br /&gt;&lt;br /&gt;In hindsight I should not have logged into the account to find the username. This poses a risk to me as well. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would be too naive to believe so.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/9121692721499440653/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=9121692721499440653&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/9121692721499440653'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/9121692721499440653'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/passwords-written-down-real-life-real.html' title='Passwords Written Down, Real Life Real Risk'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_UpzPLjwt3YY/Rtcck_7jc7I/AAAAAAAAADE/_3uOIyu5WMc/s72-c/LaptopPassword.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-5766006537064825982</id><published>2007-08-23T13:26:00.000-05:00</published><updated>2007-08-23T13:41:18.048-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TSA'/><category scheme='http://www.blogger.com/atom/ns#' term='Quote'/><title type='text'>Information Security Quote of the Day</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;&lt;span style="font-size:180%;"&gt;"It seems like there's a problem with security inside Homeland Security and that makes no sense"&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; - James Slade, TSA screener and the executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport, talking about the lost TSA hard drive containing Social Security numbers, bank and payroll information for roughly 100,000 employees in May, 2007.&lt;br /&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;NOTE: The agency said it did not know whether the device is still within headquarters or was stolen.&lt;br /&gt;&lt;br /&gt;Hardly a week later, DHS employees announced a class-action lawsuit against the &lt;a href="http://www.afge.org/index.cfm?fuse=content&amp;contentID=1145"&gt;TSA in AFGE, et al v. 
Kip Hawley and TSA&lt;/a&gt;, which to my knowledge has not yet been resolved.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/5766006537064825982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=5766006537064825982&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5766006537064825982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5766006537064825982'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/information-security-quote-of-day.html' title='Information Security Quote of the Day'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-8359927187507150504</id><published>2007-08-21T13:25:00.000-05:00</published><updated>2007-08-21T14:41:23.932-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>TJX Breach News, and on and on...</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " 
src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Today the Boston Globe reported an arrest related to the &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199500385&amp;subSection=All+Stories"&gt;TJX record-setting breach&lt;/a&gt; (in terms of numbers of affected consumers) in their article, "&lt;a href="http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/?page=1"&gt;&lt;i&gt;Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case&lt;/i&gt;&lt;/a&gt;".&lt;br /&gt;&lt;br /&gt;I continue to be intrigued by the details of this case.  Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and of likely being the "largest seller of stolen TJX numbers".&lt;br /&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums.  Let's do some math.&lt;br /&gt;&lt;br /&gt;10,000 cards @ $20-100/card = $200,000-1,000,000!&lt;br /&gt;&lt;br /&gt;Let's say for a second that the 45 million cards (allegedly lost in the original breach) could be sold for the same price.&lt;br /&gt;&lt;br /&gt;45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!&lt;br /&gt;&lt;br /&gt;Up to 4.5 billion dollars!  Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity).  The amount of money made is incredible.&lt;br /&gt;&lt;br /&gt;The article goes on to state that TJX reported that initial estimates of how much the breach will cost the company were grossly understated.  TJX estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits.  
&lt;br /&gt;I don't know, but this still seems understated to me.&lt;br /&gt;&lt;br /&gt;There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.&lt;br /&gt;&lt;br /&gt;What a mess.  What did Mom say?  Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card?  I can't remember!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Some good TJX breach-related links:&lt;/strong&gt;&lt;br /&gt; - The &lt;a href="http://www.tjx.com/TJX_press_release_Jan_17_%2007.pdf"&gt;original TJX press release&lt;/a&gt; announcing the breach dated 1/17/07&lt;br /&gt; - The TJX "&lt;a href="http://www.tjx.com/tjx_message.html"&gt;IMPORTANT CUSTOMER ALERT&lt;/a&gt;" dated 2/21/07&lt;br /&gt; - The &lt;a href="http://www.infoworld.com/article/07/01/17/HNtjxbreach_1.html"&gt;original Information Week online article&lt;/a&gt; dated 1/17/07&lt;br /&gt; - "&lt;a href="http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-18884646.htm"&gt;TJX profit down sharply on breach costs&lt;/a&gt;" reported by CNNMoney on 8/14/07&lt;br /&gt; - The recent Boston Globe story reporting &lt;a href="http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/?page=1"&gt;Yastremskiy arrest&lt;/a&gt; dated 8/21/07&lt;br /&gt; - Massachusetts Bankers Association &lt;a href="https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf"&gt;class-action lawsuit announcement&lt;/a&gt; dated 4/24/07&lt;br /&gt; - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: &lt;a href="http://www.ftc.gov/os/comments/Privacy%20Act%201974/528620-00001.pdf"&gt;FTC File No. 
P072104&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-8359927187507150504?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/8359927187507150504/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=8359927187507150504&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8359927187507150504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8359927187507150504'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/tjx-breach-news-and-on-and-on.html' title='TJX Breach News, and on and on...'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-3761774875052507709</id><published>2007-08-06T11:00:00.000-05:00</published><updated>2007-08-06T13:28:29.866-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Virgin Money'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='Westpac'/><title type='text'>Mystery Credit Card Cancellations</title><content type='html'>&lt;a 
href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This article raises more questions for me than it answers. I am referring to the article written by Stewart Carter, editor of The eCommerce Report, titled "&lt;a href="http://www.thesheet.com/nl05_news_selected.php?act=2&amp;stream=1&amp;amp;selkey=2309&amp;hlc=2&amp;amp;hlw="&gt;Visa confirms data tapes theft&lt;/a&gt;". I am assuming that this article is credible.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;Data tapes containing "card data" were stolen in late May, 2007. Visa International has confirmed that "an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter". Dead end.&lt;br /&gt;&lt;br /&gt;On July 19th, the Sydney Morning Herald reported that Westpac (a large Pacific Rim bank) was cancelling Visa cards en masse. On July 24th, ZDNet reported that Virgin Money (Westpac's card partner) was cancelling MasterCard credit cards. It is unclear why Westpac and Virgin Money are cancelling so many credit cards.&lt;br /&gt;&lt;br /&gt;Jane Counsel, Westpac’s senior media relations manager, did respond to the eCommerce Report's inquiries by stating "…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…”. "A third party vendor"??? Who?&lt;br /&gt;&lt;br /&gt;It is clear from the article that none of the organizations involved want to take any responsibility for what could be a very significant breach.  Stay tuned, as I am sure this story is far from over. &lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span class="fullpost"&gt;But, then again I wonder if this news is credible.  
I looked for both the Sydney Morning Herald and the ZDNet articles and couldn't find either.  Please post them if you can find them.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-3761774875052507709?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/3761774875052507709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=3761774875052507709&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/3761774875052507709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/3761774875052507709'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/mystery-credit-card-cancellations.html' title='Mystery Credit Card Cancellations'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2717885353766639163</id><published>2007-08-03T12:51:00.000-05:00</published><updated>2007-08-03T13:22:05.012-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Policy Approval</title><content type='html'>&lt;a 
href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;OK, the time has come for us to wrap this up!  July is over and so is “Information Security Policy Month”.  This is the 19th and final installment in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101 Series&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.&lt;br /&gt;&lt;br /&gt;NOTE: The “approval” we are seeking now is the approval of the written policies.  This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.&lt;br /&gt;&lt;br /&gt;The advice that I will give in this article is based on what has worked for me in the past.  I have had the honor of leading multiple information security projects for both private and public companies from assessment through to final approval and adoption.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;The Company XYZ Corporate Information Security Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand.  
Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.&lt;br /&gt;&lt;br /&gt;Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them, adding some important information that may include:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Header explaining the document&lt;br /&gt;Versioning information&lt;br /&gt;Table of contents&lt;br /&gt;Introduction&lt;br /&gt;Purpose (of the Corporate Information Security Policy)&lt;br /&gt;Scope (of the Corporate Information Security Policy)&lt;br /&gt;Definitions&lt;br /&gt;Responsibilities&lt;br /&gt;Waivers&lt;br /&gt;Disciplinary Actions&lt;br /&gt;Supporting Information, and&lt;br /&gt;References&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Woah!  Seems like a lot of information, doesn’t it?  Admittedly, yes it does.  Take a look at the sample and it should be clearer.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://trustedtoolkit.com/Documents/CorporateInformationSecurityPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE CORPORATE INFORMATION SECURITY POLICY&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Once the document is complete, it’s ready for approval!&lt;br /&gt;&lt;br /&gt;NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;Approval&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization.  Some organizations have a more “approachable” executive team than others do, so use judgment and care in your approach.  When in doubt, follow the chain of command by seeking the advice of your direct upline manager.&lt;br /&gt;&lt;br /&gt;Approval must come from the leaders of your organization.  
If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must.  Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals, and every single time their efforts have failed miserably.  Who has overall authority in your organization?  This is the person that needs to approve.&lt;br /&gt;&lt;br /&gt;Ideally, you have included your organization's leaders all along during the information security policy project.  This makes communication and approval much easier.  All is not lost, however, if you have not.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;What does management need to know?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;1. The Corporate Information Security Policy is based on sound security “best practices”.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Assure management that the policy is a best-of-breed policy that was written after careful analysis and research.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Approval of the policy will not disrupt business.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The bottom line is that a company is in business to make money.  You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money.  An art of information security is that it must NOT EVER stand in the way of business or be perceived as such.&lt;br /&gt;&lt;br /&gt;Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”.  Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process.  Create an adoption/implementation timeline that highlights when information security believes that the organization could be compliant with most of the policy, and inform management that the organization will never be fully compliant. 
Remember, security is evolutionary not stationary!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;Next Steps&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The real work begins!&lt;br /&gt;Now that you have your new approved policy in hand, decide how you will train the organization’s personnel.  There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc.  Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.&lt;br /&gt;&lt;br /&gt;It is also time to decide how you will adopt and implement.  Read through the policy and detail what you have in place now and what you will need in order to be compliant.  Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;Closing&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Thank you to all that have read and provided feedback to this series!  You know who you are.  
I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.&lt;br /&gt;&lt;br /&gt;Feel free to contact me if you have any feedback or need any assistance with your own policies.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-virus.html"&gt;"Information Security Policy 101 – Virus Protection Policy"&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2717885353766639163?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2717885353766639163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2717885353766639163&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2717885353766639163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2717885353766639163'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/wrap-up-policy-and-approval.html' title='Information Security Policy 101 – Policy Approval'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-8287248616528217100</id><published>2007-08-01T13:37:00.000-05:00</published><updated>2007-08-01T14:19:57.289-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Aflac'/><title type='text'>Do you care? - Aflac lost laptop</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and what might not be.&lt;br /&gt;&lt;br /&gt;The headlines read:&lt;br /&gt;&lt;strong&gt;&lt;a href="http://www.bloomberg.com/apps/news?pid=20601101&amp;sid=afw8zxz12Koo"&gt;&lt;span style="font-size:130%;"&gt;"Aflac Reports Laptop Detailing 152,000 Clients Stolen"&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt; - bloomberg.com 7/26/07&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="http://www.darkreading.com/document.asp?doc_id=130188&amp;WT.svl=news2_1"&gt;&lt;strong&gt;"Aflac Loses Data on 152,000"&lt;/strong&gt;&lt;/a&gt;&lt;/span&gt; - darkreading.com 7/27/07&lt;br /&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;And, etiolated.org reports this as an &lt;a href="http://etiolated.org/incident/745"&gt;"incident"&lt;/a&gt; (etiolated.org and Attrition.org are a couple of my favorite sites BTW).&lt;br /&gt;&lt;br /&gt;Your first reaction might be (or have been) a little like mine was.  I immediately assumed the worst, shook my head, and clicked on the link to read a little more.  
You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points are worth mentioning:&lt;br /&gt;&lt;br /&gt;1.  A laptop containing "clients' names, addresses, birth dates, and policy details" was stolen from an Aflac employee on a commuter train.  Bad news, right?  Read on...&lt;br /&gt;&lt;br /&gt;2.  "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it".  Amen!  Encryption &lt;strong&gt;&lt;span&gt;if properly managed &lt;/span&gt;&lt;/strong&gt;can make it nearly impossible for a third-party to access the data.  I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. the password written on a Post-it note or on the back of the laptop.  Most likely a password chosen by the employee is what unlocks the key that decrypts the drive/data, so the protection is only as strong as that password.  Given the limited amount of information to work with, one can only assume.&lt;br /&gt;&lt;br /&gt;"Aflac wanted to send letters apologizing to policyholders before alerting the press"  Why?  Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted?  Maybe a reader can help me out here.  If a company is not required by law to disclose the lost laptop publicly &lt;strong&gt;&lt;span&gt;AND&lt;/span&gt;&lt;/strong&gt; there is very little risk of the data being disclosed (it is encrypted), then why send letters and notify the press?&lt;br /&gt;&lt;br /&gt;Thankfully, cooler heads seem to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion.  
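&lt;br /&gt;&lt;br /&gt;To make the point about password management concrete, here is an added example in Python. It is not code from the original post and says nothing about the product Aflac actually used; it assumes the usual laptop-encryption design in which a random data-encryption key is wrapped under key material derived from the employee's passphrase with PBKDF2, and the passphrases and guess list in it are constructed for illustration. Running it shows that the same cipher and key-derivation settings hold up against a guess list when the passphrase is strong and fall on the first attempt when it is something a thief would try anyway, which is exactly what a passphrase on a Post-it note amounts to.&lt;br /&gt;&lt;br /&gt;

```python
# Added example, not code from the original post or from Aflac. It models the
# key handling that laptop encryption products typically use (assumption: the
# post does not say which product Aflac deployed) and shows why a passphrase
# written on a Post-it note makes the cipher irrelevant.
#
# Design: a random data-encryption key (DEK) protects the data. The employee's
# passphrase never encrypts data directly; a key-derivation function (PBKDF2)
# stretches it into key material that wraps the DEK, and an HMAC tag over the
# wrapped DEK tells a correct passphrase from a wrong one.
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # cost per guess; raise it as hardware gets faster


def derive_material(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into 64 bytes: 32 wrap the DEK, 32 key the tag."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=64)


def wrap_dek(dek: bytes, passphrase: str) -> dict:
    """Protect a random 32-byte DEK under the passphrase.

    The wrap is an XOR with 32 freshly derived bytes (a fresh salt per wrap
    means the material is used once, so the XOR acts as a one-time pad),
    plus an HMAC tag so a wrong passphrase is detected rather than yielding
    garbage."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    salt = os.urandom(16)
    material = derive_material(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, material[:32]))
    tag = hmac.new(material[32:], salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(blob: dict, passphrase: str):
    """Return the DEK if the passphrase is right, otherwise None."""
    material = derive_material(passphrase, blob["salt"])
    expected = hmac.new(material[32:], blob["salt"] + blob["wrapped"],
                        "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], material[:32]))


def guess_passphrase(blob: dict, candidates):
    """What a thief does with the stolen laptop: try likely passphrases.

    Returns the first candidate that unwraps the DEK, or None. The KDF cost
    is what makes this slow; the passphrase quality is what makes it fail."""
    for candidate in candidates:
        if unwrap_dek(blob, candidate) is not None:
            return candidate
    return None


def demo() -> dict:
    """Constructed scenario: same cipher, same KDF, two different passphrases."""
    dek = os.urandom(32)
    weak = wrap_dek(dek, "Aflac2007")                       # guessable
    strong = wrap_dek(dek, "gull-nebula-tripod-quartz-84")  # not on any list
    # Constructed guess list; a real attacker uses millions of entries.
    guesses = ["password", "aflac", "Aflac2007", "summer07"]
    return {
        "weak_recovered": guess_passphrase(weak, guesses) == "Aflac2007",
        "strong_recovered": guess_passphrase(strong, guesses) is not None,
        "owner_can_decrypt": unwrap_dek(strong, "gull-nebula-tripod-quartz-84") == dek,
        "wrong_passphrase_rejected": unwrap_dek(weak, "wrong") is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

&lt;br /&gt;The wrap itself is a one-time XOR rather than a real key-wrap algorithm such as AES-KW, which keeps the example inside the standard library; the key-management lesson is the same either way: the data is only as safe as the passphrase that unlocks the wrapped key, no matter how strong the cipher underneath.&lt;br /&gt;&lt;br /&gt;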
Kudos to Aflac for using encryption on laptops!&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-8287248616528217100?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/8287248616528217100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=8287248616528217100&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8287248616528217100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8287248616528217100'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/08/do-you-care-aflac-lost-laptop.html' title='Do you care? 
- Aflac lost laptop'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2076692245058421475</id><published>2007-07-30T13:50:00.000-05:00</published><updated>2007-08-03T13:20:30.716-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Virus Protection Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 18 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;For many organizations the threats posed by viruses are manageable given appropriate controls. 
A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the&lt;br /&gt;requirements for dealing with computer virus, worm and Trojan horse infection,&lt;br /&gt;prevention, detection and cleanup.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Virus Protection Policy applies equally to all individuals&lt;br /&gt;that use any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;Virus Protection Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Virus Protection Policy is a simple policy that may overlap with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. 
Be careful not to write statements that contradict those in another policy; such conflicts are rare, but they do happen.&lt;br /&gt;&lt;br /&gt;SAMPLE VIRUS PROTECTION POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- All %ORGANIZATION% owned and/or managed workstations, including laptops, whether connected to the %ORGANIZATION% network or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.&lt;br /&gt;- All non-%ORGANIZATION% owned and/or managed workstations, including laptops, must use %ORGANIZATION% IT management approved virus protection software and configuration prior to any connection to an %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/VirusProtectionPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE VIRUS PROTECTION POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/08/wrap-up-policy-and-approval.html"&gt;“Information Security Policy 101 – Policy Approval”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_2288.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Vendor/Third-Party Access Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2076692245058421475?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://trustedtoolkit.blogspot.com/feeds/2076692245058421475/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2076692245058421475&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2076692245058421475'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2076692245058421475'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-virus.html' title='Information Security Policy 101 – Virus Protection Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1128005255854903682</id><published>2007-07-30T11:48:00.000-05:00</published><updated>2007-07-30T13:56:19.025-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Vendor/Third-Party Access Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 17 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security 
Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Question:&lt;/strong&gt; What governs a vendor and/or other third party's access?&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;Answer:&lt;/strong&gt; Vendor/Third-Party Access Policy.&lt;br /&gt;&lt;br /&gt;NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the&lt;br /&gt;rules for vendor access to %ORGANIZATION% Information Resources and support&lt;br /&gt;services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and&lt;br /&gt;protection of %ORGANIZATION% information. Vendor access to&lt;br /&gt;%ORGANIZATION% Information Resources is granted solely for the work&lt;br /&gt;contracted and for no other purposes.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and to representatives of the third-party/vendor itself.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Vendor Access Policy applies to all individuals that are&lt;br /&gt;responsible for the installation of new %ORGANIZATION% Information Resource&lt;br /&gt;assets, and the operations and maintenance of existing %ORGANIZATION%&lt;br /&gt;Information Resources, and who do or may allow vendor access for support,&lt;br /&gt;maintenance, monitoring and/or troubleshooting purposes.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Vendor/Third-Party Access Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;business assessment&lt;/a&gt; to determine how much detail your policy needs for the information resources you are trying to protect.&lt;br /&gt;&lt;br /&gt;TIP: Have your legal department (or whoever is in charge of negotiating contracts) review the policy in detail. 
You may also choose to have your legal department assist you in the drafting of this policy.&lt;br /&gt;&lt;br /&gt;SAMPLE THIRD-PARTY/VENDOR ACCESS POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:&lt;br /&gt;@ Safety Policies&lt;br /&gt;@ Privacy Policies&lt;br /&gt;@ Security Policies&lt;br /&gt;@ Auditing Policies&lt;br /&gt;@ Software Licensing Policies&lt;br /&gt;@ Acceptable Use Policies&lt;br /&gt;- Vendor agreements and contracts must specify:&lt;br /&gt;@ The %ORGANIZATION% information the vendor should have access to&lt;br /&gt;@ How %ORGANIZATION% information is to be protected by the vendor&lt;br /&gt;@ Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor’s possession at the end of the contract&lt;br /&gt;@ The vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement&lt;br /&gt;@ Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The draft, approval, and implementation of a Vendor/Third-Party Access Policy will assist in ensuring that information security is considered up front in contract negotiations rather than as an afterthought. Seasoned information security personnel understand the benefit of information security applied early on vs. 
retrofitting an existing solution with security after the fact.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/VendorThirdPartyPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE VENDOR/THIRD-PARTY ACCESS POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-virus.html"&gt;“Information Security Policy 101 – Virus Protection Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_1713.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Software Licensing Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1128005255854903682?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1128005255854903682/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1128005255854903682&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1128005255854903682'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1128005255854903682'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_2288.html' title='Information Security Policy 101 – Vendor/Third-Party Access Policy'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6441473709961637995</id><published>2007-07-30T08:30:00.000-05:00</published><updated>2007-07-30T11:58:39.478-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Software Licensing Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 16 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;“The Business Software Alliance (BSA) is gearing up for a final push to convince companies to fill in their voluntary audit forms.” – &lt;em&gt;VNUNet.com UK&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;“Thirty-five percent of the world's software is pirated. Software piracy is not only a crime, but it can destroy computers and data.” – &lt;em&gt;Business Software Alliance&lt;/em&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;There is little doubt that the use of unlicensed and/or pirated software can pose significant risk to an organization’s information resources and assets. Risks can range from malware installation to significant fines. 
You may notice that there is some slight overlap between the Software Licensing Policy and our &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_06.html"&gt;Acceptable Use Policy&lt;/a&gt;. If you remember, there was mention of using “unauthorized” software in our Acceptable Use Policy.&lt;br /&gt;&lt;br /&gt;NOTE: A well-written software licensing policy can limit the amount of time required to satisfy BSA requests for information because it demonstrates proactive action on the part of the organization.&lt;br /&gt;&lt;br /&gt;TIP: Many Windows-based organizations grant their users local administrator rights to their workstations. Disallowing this practice can significantly reduce the risk of users installing unauthorized and/or unlicensed software.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Software Licensing Policy is to establish&lt;br /&gt;the rules for licensed software use on %ORGANIZATION% Information Resources.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
A Software Licensing Policy applies to all of an organization’s information resource users.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Software Licensing Policy applies equally to all&lt;br /&gt;individuals that use any %ORGANIZATION% Information Resources.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Software Licensing Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Like many of the policies already covered in this series, the Software Licensing Policy is short and simple. The policy makes management’s views regarding software licensing “official”.&lt;br /&gt;&lt;br /&gt;SAMPLE SOFTWARE LICENSING POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- %ORGANIZATION% provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. Management must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed for business activities.&lt;br /&gt;- Users must refrain from knowingly violating license agreements and/or requirements.&lt;br /&gt;- Third party copyrighted information or software, that %ORGANIZATION% does not have specific approval to store and/or use, must not be stored on %ORGANIZATION% systems or networks. 
Systems administrators reserve the right to remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;A well-written Software Licensing Policy can save an organization a considerable amount of time and effort, especially given how easy it is to write and get approved. A subject of much debate is the BSA’s million-dollar reward for turning in software pirates:&lt;br /&gt;&lt;br /&gt;BSA Rewards Page:&lt;br /&gt;&lt;a href="https://reporting.bsa.org/usa/rewardsconditions.aspx"&gt;https://reporting.bsa.org/usa/rewardsconditions.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A twist:&lt;br /&gt;&lt;br /&gt;Would You Rat Out Your Boss for $1 Million?: &lt;a href="http://blogs.pcworld.com/staffblog/archives/004849.html"&gt;http://blogs.pcworld.com/staffblog/archives/004849.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wouldn’t it be nice to take out the drama by using a simple policy and enforcement?&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/SoftwareLicensingPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE SOFTWARE LICENSING POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_2288.html"&gt;“Information Security Policy 101 – Vendor/Third-Party Access Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_30.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Security Training and Awareness Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6441473709961637995?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/6441473709961637995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6441473709961637995&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6441473709961637995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6441473709961637995'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_1713.html' title='Information Security Policy 101 – Software Licensing Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1933900493671211042</id><published>2007-07-30T07:45:00.000-05:00</published><updated>2007-07-30T08:36:48.399-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Security Training and Awareness Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " 
src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;OK, we're back!&lt;br /&gt;&lt;br /&gt;Part 15 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;“there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.” – &lt;em&gt;2006 CSI/FBI Computer Crime and Security Survey&lt;/em&gt;. If I were going to overspend on any one area of my information security program, it would be for information security training and awareness.&lt;br /&gt;&lt;br /&gt;Information security personnel can write whatever they want in their policies, but if nobody is aware of the policies or trained on how to comply with them, then what good are they?&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Information Security Training and Awareness&lt;br /&gt;Policy is to describe the requirements that must be met in order to ensure that each user of&lt;br /&gt;%ORGANIZATION% Information Resources receives adequate training on information&lt;br /&gt;security issues.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
A Security Training and Awareness Policy applies to all of an organization’s information resource users.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Information Security Training and Awareness Policy applies&lt;br /&gt;equally to all individuals that use any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Security Training and Awareness Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Security Training and Awareness Policy is a simple policy that states what management expects and gives authority to information security personnel. The policy should state general rules that the audience must comply with and lay the groundwork for the training program.&lt;br /&gt;&lt;br /&gt;SAMPLE SECURITY TRAINING AND AWARENESS POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- All new users must complete an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any %ORGANIZATION% Information Resources.&lt;br /&gt;- All users must acknowledge that they have read and understand the %ORGANIZATION% Corporate Information Security Policy.&lt;br /&gt;- All users (employees, consultants, contractors, temporaries, etc.) must be provided with this policy to allow them to properly protect %ORGANIZATION% Information Resources.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Do not underestimate the importance of a formal information security training and awareness program. 
Understand that many people do not recognize their critical role in keeping organization assets secure.&lt;br /&gt;&lt;br /&gt;TIP: Find things that you can use to prove an ROI in your training and awareness program. I have used help desk staff in the past for this. We took a one-month time frame before information security training, where we tracked the number of laptops that came in for service from field staff with passwords on Post-it notes before training. We tracked the same afterwards, then calculated a percentage and extrapolated the number over a one-year period. The change was dramatic.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/STAPSample.pdf"&gt;&lt;strong&gt;SAMPLE SECURITY TRAINING AND AWARENESS POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_1713.html"&gt;“Information Security Policy 101 – Software Licensing Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-privacy.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Privacy Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1933900493671211042?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1933900493671211042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1933900493671211042&amp;isPopup=true' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1933900493671211042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1933900493671211042'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_30.html' title='Information Security Policy 101 – Security Training and Awareness Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1344416757255854163</id><published>2007-07-26T23:45:00.000-05:00</published><updated>2007-07-26T23:50:44.342-05:00</updated><title type='text'>Update</title><content type='html'>To The Trusted Toolkit Blog Readers:&lt;br /&gt;&lt;br /&gt;I have been caught up this week with a pretty serious investigation which I cannot detail publicly, so I have fallen behind on my schedule of delivering information security policies.&lt;br /&gt;&lt;br /&gt;Stay Tuned.  I will be publishing the "catch-up" postings soon.  In the meantime, I suggest shoring up your incident response policy and procedures if you have not done so already.  
Mine are saving me a bunch of time and embarrassment this week!&lt;br /&gt;&lt;br /&gt;Thanks for reading!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1344416757255854163?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1344416757255854163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1344416757255854163&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1344416757255854163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1344416757255854163'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/update.html' title='Update'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-5986630934010736223</id><published>2007-07-24T09:33:00.001-05:00</published><updated>2007-07-30T07:50:58.411-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Privacy Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " 
src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 14 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;Two rules of privacy rights (although you could probably come up with more):&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;p&gt;One, write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.&lt;/p&gt;&lt;p&gt;Two, do what you say you are going to do, consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."&lt;/p&gt;&lt;p&gt;TIP: A Privacy Policy should be reviewed by legal counsel who is familiar with privacy rights and law. 
Many corporate counselors are not experts in this area.&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;General Policy Format&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate&lt;br /&gt;the %ORGANIZATION% privacy expectations to Information Resource users.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third parties.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Privacy Policy applies equally to all individuals who use&lt;br /&gt;any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Privacy Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Privacy Policy is a critical policy in most organizations and needs to clearly communicate what amount of privacy a user should expect when using the organization’s information assets.&lt;br /&gt;&lt;br /&gt;NOTE: A very good article written by Mark Rasch: &lt;a href="http://www.securityfocus.com/columnists/421/1"&gt;Employee Privacy, Employer Policy&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;SAMPLE PRIVACY POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- 
Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.&lt;br /&gt;- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. 
Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/PrivacyPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE PRIVACY POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_30.html"&gt;“Information Security Policy 101 – Security Training and Awareness Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-part-13-in.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Mobile Computing Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-5986630934010736223?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/5986630934010736223/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=5986630934010736223&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5986630934010736223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5986630934010736223'/><link rel='alternate' type='text/html' 
href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-privacy.html' title='Information Security Policy 101 – Privacy Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4890967527581128624</id><published>2007-07-23T09:21:00.000-05:00</published><updated>2007-07-23T09:28:12.183-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Mobile Computing Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 13 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;Few things in my profession give me more shivers than the amount and sensitivity of data that is carried outside the corporate boundary every day on mobile devices such as PDAs, laptops, and Smartphones.  Without effective controls mobile devices are easily lost or stolen, data transmissions are easily intercepted, and shoulder-surfing is commonplace.  
Nearly every week a company is forced to publicly disclose a lost or stolen laptop that contained personally identifiable information (PII).&lt;br /&gt;&lt;br /&gt;See: &lt;a href="http://attrition.org/dataloss/"&gt;http://attrition.org/dataloss/&lt;/a&gt;, &lt;a href="http://breachalerts.trustedid.com/"&gt;http://breachalerts.trustedid.com/&lt;/a&gt;, &lt;a href="http://doj.nh.gov/consumer/breaches.html"&gt;http://doj.nh.gov/consumer/breaches.html&lt;/a&gt;, &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;http://www.privacyrights.org/ar/ChronDataBreaches.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;Information security is a discipline that constantly attempts to balance the risk of using a technology against the business benefits gained from its use.  How can an information security professional effectively balance the risks inherent in using mobile devices while still allowing the business to benefit from their use?&lt;br /&gt;&lt;br /&gt;In order to protect the data that may be contained on a mobile device, organizations must extend protections and controls to such devices.  Protection starts with policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Mobile Computing Security Policy is to&lt;br /&gt;establish the rules for the use of mobile computing devices and their connection to the&lt;br /&gt;network. 
These rules are necessary to preserve the Integrity, Availability, and&lt;br /&gt;Confidentiality of %ORGANIZATION% information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Mobile Security Policy applies to all individuals in the organization that use, possess, manage, secure, and/or approve the use of mobile devices.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Mobile Computing Security Policy applies equally to all&lt;br /&gt;individuals that utilize mobile computing devices and access %ORGANIZATION%&lt;br /&gt;Information Resources.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Mobile Computing Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;If an organization does not use or allow the use of mobile devices, then a simple statement in an Acceptable Use policy may be all that is needed.  If the organization does allow the use of mobile computing devices, general rules around this usage need to be communicated to all relevant personnel.  
As with all policies, the Mobile Computing Policy should state general rules, leaving room for supporting documentation (procedures, standards, and guidelines) to define the specifics.&lt;br /&gt;&lt;br /&gt;NOTE:  At least 35 states have laws regarding security breach notification, and most have safe harbor provisions around data that has been encrypted.&lt;br /&gt;&lt;br /&gt;SAMPLE MOBILE COMPUTING POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt; - Only %ORGANIZATION% approved portable computing devices may be used to access %ORGANIZATION% Information Resources.&lt;br /&gt; - Portable computing devices must, at a minimum, be password protected in accordance with the %ORGANIZATION% Password Policy.&lt;br /&gt; - %ORGANIZATION% Confidential data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all Confidential %ORGANIZATION% data must be encrypted using approved encryption techniques, wherever possible.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Due to the increased risks that mobile computing devices pose to many organizations and the increased reliance on these devices to complete “business critical” tasks, it is recommended that a stand-alone Mobile Computing Policy be developed.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/MobileComputingPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE MOBILE COMPUTING POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: “Information Security Policy 101 – Mobile Computing Policy”&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_23.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Physical Security 
Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4890967527581128624?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4890967527581128624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4890967527581128624&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4890967527581128624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4890967527581128624'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-part-13-in.html' title='Information Security Policy 101 – Mobile Computing Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1159934420207010243</id><published>2007-07-23T07:45:00.000-05:00</published><updated>2007-07-23T09:27:05.093-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Physical Security Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; 
BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 12 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;In some organizations “physical” security and “information” security are separated into different groups or teams.  Whether this is a good idea or not has been the subject of some debate over the years.  One issue that should not be debated is the tight interdependence between the two. &lt;br /&gt;&lt;br /&gt;Information security is a balance of physical, logical, and administrative controls.  Every control must have its roots written somewhere in policy. &lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Physical Security Policy is to establish the&lt;br /&gt;rules for the granting, control, monitoring, and removal of physical access to&lt;br /&gt;Information Resource facilities.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources or facilities that house information resources under the control of an organization.  
The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Physical Security Policy applies to all&lt;br /&gt;%ORGANIZATION% individuals that install and support Information Resources, are&lt;br /&gt;charged with Information Resource security and data owners.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Physical Security Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The form that a Physical Security Policy takes is dependent on many factors.  This article is written with small to medium-sized organizations in mind.  These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program.  In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.&lt;br /&gt;&lt;br /&gt;NOTE:  Physical security policy is a must in almost all organizations.  
If physical security is not adequately defined and applied, all other controls could be easily defeated.&lt;br /&gt;&lt;br /&gt;SAMPLE PHYSICAL SECURITY POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt; - Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.&lt;br /&gt; - Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.&lt;br /&gt; - All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The science involved with physical security is often specialized and there seems to be a limitless supply of available technologies and controls that can be applied.  The Physical Security Policy should be written in broad enough terms so as not to restrict the use of any one specific control.  The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do.  
In most cases, I write the policy, then call upon physical security consultants to design effective controls.&lt;br /&gt;&lt;br /&gt;NOTE:  If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the &lt;a href="http://www.asisonline.org/certification/psp/pspabout.xml"&gt;Physical Security Professional (PSP) certification from ASIS International.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/PhysicalSecurityPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE PHYSICAL SECURITY POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: “Information Security Policy 101 – Mobile Computing Policy”&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_19.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Password Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1159934420207010243?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1159934420207010243/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1159934420207010243&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1159934420207010243'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1159934420207010243'/><link rel='alternate' 
type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_23.html' title='Information Security Policy 101 – Physical Security Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2009788166224990820</id><published>2007-07-19T13:27:00.000-05:00</published><updated>2007-07-19T13:35:27.931-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Password Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Part 11 in the &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;&lt;strong&gt;Information Security Policy 101&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; Series&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Passwords get a bad rap. Nobody likes them, users, administrators, and information security personnel alike. 
Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the most insecure means of authentication.&lt;br /&gt;&lt;br /&gt;All the more reason and justification for a Password Policy.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;A Password Policy should be required in all organizations that rely on passwords as a source of authentication.&lt;br /&gt;&lt;br /&gt;Let’s get to it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
A Password Policy aptly applies to any person or entity that uses a password.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Password Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management along with some home-grown statements based on the business assessment.&lt;br /&gt;&lt;br /&gt;NOTE: People will inevitably break some rules in password policy. It has been shown that training and awareness reduce the number and severity of incidents. Give users a better way to do things rather than telling them what they cannot do.&lt;br /&gt;&lt;br /&gt;SAMPLE PASSWORD POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- Password history must be kept to prevent the reuse of passwords&lt;br /&gt;- Stored passwords are classified as Confidential Data and must be encrypted&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;A Password Policy is not just an efficient method of communicating good password management practices, but it is also an instrument of enforcement. 
A well-written and implemented Password Policy can significantly reduce the amount of risk to the organization’s information.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/PasswordPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE PASSWORD POLICY&lt;/strong&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: “Information Security Policy 101 – Physical Security Policy”&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network_18.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Network Access Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2009788166224990820?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2009788166224990820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2009788166224990820&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2009788166224990820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2009788166224990820'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_19.html' title='Information Security Policy 101 – Password Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2798834771717460901</id><published>2007-07-18T15:17:00.000-05:00</published><updated>2007-07-18T16:17:50.635-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Louisiana Board of Regents'/><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Kingston Technology'/><title type='text'>107,000 More Records Compromised</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This time it's 27,000 names, addresses, and credit card numbers lost by Kingston Technology Company and 80,000 names, addresses, and social security numbers lost by the Louisiana Board of Regents.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;a href="http://www.kingston.com/"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Kingston Technology&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt; (27,000)&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Wouldn't you know it, there is no mention of this breach anywhere on Kingston's homepage.&lt;br /&gt;&lt;br /&gt;Apparently the data was taken through unauthorized access to purchase information made at &lt;a href="http://www.shop.kingston.com/"&gt;www.shop.kingston.com&lt;/a&gt;.  
What makes this interesting is that this breach supposedly happened in September, 2005 but went undetected until "recently".&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Who is the victim?&lt;/strong&gt;&lt;br /&gt;"After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Sound Familiar?&lt;/strong&gt;&lt;br /&gt;"The note added that, for the moment at least, there is no evidence that the illegally accessed data has been misused"&lt;br /&gt;&lt;br /&gt;Kingston has an impressive track record of protecting information, and I get the feeling that they will only improve.&lt;br /&gt;&lt;br /&gt;News: &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=networking_and_internet&amp;amp;articleId=9027220&amp;taxonomyId=16"&gt;Computerworld&lt;/a&gt;&lt;br /&gt;&lt;a href="http://doj.nh.gov/consumer/pdf/kingston.pdf"&gt;Letter to the New Hampshire Attorney General&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;a href="http://www.regents.state.la.us/"&gt;Louisiana Board of Regents&lt;/a&gt; (80,000)&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Louisiana Board of Regents has a link on their homepage to some additional &lt;a href="http://notice.regents.state.la.us/"&gt;details&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have to admit, this one has me a little miffed!  I do not like how the data was compromised, how long it took to detect it, or the official Board of Regents (BOR) response.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Compromise&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;A student found/stumbled on the data using Google.  
The student found a database of student names and 150 other files that he claimed contain up to 75,000 more names of students and employees.  This information was accessible from the Internet without any protection whatsoever.  According to BOR:&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#6633ff;"&gt;Groups Potentially Affected&lt;br /&gt;&lt;br /&gt;Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003.&lt;br /&gt;Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It is unclear how long the data may have been exposed, but it may have been "as long as two years".&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Response&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The &lt;strong&gt;&lt;a href="http://notice.regents.state.la.us/"&gt;official response&lt;/a&gt;&lt;/strong&gt; leaves something to be desired, for sure!  Basically, all the BOR seems to have done is make the data inaccessible and offer some tips for those who may have been affected.  How about STOP USING SOCIAL SECURITY NUMBERS AS IDENTIFICATION!!!&lt;br /&gt;&lt;br /&gt;While researching this incident, I found a document titled "&lt;a href="http://www.regents.state.la.us/pdfs/Specs/stsdds.pdf"&gt;File Layout STS Student Transcript System&lt;/a&gt;".  Data Element Name: State Identification Number --&gt; Social Security Number, if available.  
Otherwise, a temporary number assigned according to LDE guidelines.&lt;br /&gt;&lt;br /&gt;News: &lt;a href="http://www.wdsu.com/news/13698832/detail.html"&gt;WDSU News Channel 6&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2798834771717460901?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2798834771717460901/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2798834771717460901&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2798834771717460901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2798834771717460901'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/107000-more-records-compromised.html' title='107,000 More Records Compromised'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-882641607486284257</id><published>2007-07-18T14:55:00.000-05:00</published><updated>2007-07-19T13:34:16.982-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Network Access Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" 
rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Part 10 in the &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;&lt;strong&gt;Information Security Policy 101&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; Series&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This is now the 10th entry in the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for the information security personnel, but it really does help “normal” people retain the information.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;The Network Access Policy, or at least the language of its policy statements, is found in many organizations. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto tomahto.&lt;br /&gt;&lt;br /&gt;As always…&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. 
These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network either locally or through a WAN, VPN, modem, wireless, etc.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Network Access Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.&lt;br /&gt;&lt;br /&gt;NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.&lt;br /&gt;&lt;br /&gt;STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.&lt;br /&gt;&lt;br /&gt;SAMPLE NETWORK ACCESS POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;&lt;br /&gt;- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The Network Access Policy is simple and you may be able to get away with ditching it in favor 
of adding the required statements to your Acceptable Use Policy. This decision is up to you. The business assessment exercise could help you in this decision. I almost always separate the policy statements for ease of reference, simplified reviews and changes, and reinforcement through repetition.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/NetworkAccessPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE NETWORK ACCESS POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_19.html"&gt;“Information Security Policy 101 – Password Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Network Configuration Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-882641607486284257?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/882641607486284257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=882641607486284257&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/882641607486284257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/882641607486284257'/><link rel='alternate' type='text/html' 
href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network_18.html' title='Information Security Policy 101 – Network Access Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4008694051878144412</id><published>2007-07-18T09:05:00.001-05:00</published><updated>2007-07-18T09:19:09.022-05:00</updated><title type='text'>Use Firefox? Upgrade to 2.0.0.5 Now</title><content type='html'>The Mozilla Foundation, makers of the popular Firefox Web browser, announced the release of version 2.0.0.5 yesterday (7/17) and all users are strongly encouraged to upgrade.&lt;br /&gt;&lt;br /&gt;There are three "Critical", two "High", one "Moderate", and two "Low" risk vulnerabilities addressed in this upgrade.&lt;br /&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;To upgrade:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;1. Open Firefox&lt;br /&gt;2. Click Help&lt;br /&gt;3. Click Check for Updates.&lt;br /&gt;4. Click "Download &amp; Install Now"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5088540377283896386" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_UpzPLjwt3YY/Rp4gg009JEI/AAAAAAAAACk/43XPWlNiQTA/s400/2.0.0.5Update.jpg" border="0" /&gt;&lt;br /&gt;5. 
Click "Restart Firefox Now"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;For more information:&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.mozilla.org/projects/security/known-vulnerabilities.html"&gt;http://www.mozilla.org/projects/security/known-vulnerabilities.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://secunia.com/advisories/26095/"&gt;http://secunia.com/advisories/26095/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4008694051878144412?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4008694051878144412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4008694051878144412&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4008694051878144412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4008694051878144412'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/use-firefox-upgrade-to-2005-now.html' title='Use Firefox? 
Upgrade to 2.0.0.5 Now'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_UpzPLjwt3YY/Rp4gg009JEI/AAAAAAAAACk/43XPWlNiQTA/s72-c/2.0.0.5Update.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-7213686041911138859</id><published>2007-07-17T22:16:00.000-05:00</published><updated>2007-07-17T23:18:08.107-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Western Union'/><title type='text'>Western Union Breach</title><content type='html'>&lt;a href="http://technorati.com/tag/Western+Union+Breach" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=Western+Union+Breach" /&gt;Western Union Breach&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Western Union admitted that personal data on as many as 20,000 customers was compromised due to a poorly secured database accessed by “hackers”. Names, addresses, phone numbers, and credit card information are all among the data stolen in the heist.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;I looked around the Internet for an official response from Western Union and found nothing. 
I did notice something ironic on their homepage, &lt;a href="http://www.westerunion.com/"&gt;http://www.westerunion.com/&lt;/a&gt; though.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5088370919349232690" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_UpzPLjwt3YY/Rp2GZE09JDI/AAAAAAAAACc/__gkPDI9WX0/s400/homepage.jpg" border="0" /&gt;&lt;br /&gt;The section labeled “Protect Yourself from Fraud” immediately caught my eye. I guess one thing you could do is not do business with Western Union, but this won’t help you much if you are already one of the unfortunate victims!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The “Standard” Response&lt;/span&gt;&lt;br /&gt;&lt;/strong&gt;There seem to be some “standard” responses amongst companies that are losing data belonging to their customers. Mind you, it is easy to play “Monday morning quarterback” with security breaches, but honest public disclosure, tangible assurance and change, and open communication with my customers would be near the top of my response list.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Standard Response #1:&lt;br /&gt;&lt;/strong&gt;“We are not aware of any ID theft or any kind of fraudulent use that was made from this information.” This sounds eerily familiar. Certegy responded to their recent 2.3 million record breach with “No Fraudulent Activity or Identity Theft Detected” in their &lt;a href="http://www.certegy.com/FISPressRelease7-3.pdf"&gt;press release&lt;/a&gt;. To be honest, this means nothing to me. 
Just because the company has not detected any fraudulent activity does not mean that none has occurred or that none will in the future as a result of the disclosure.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Standard Response #2:&lt;br /&gt;&lt;/strong&gt;“It (Western Union) also offered to pay for one year of credit monitoring to affected customers.” From the &lt;a href="http://doj.nh.gov/consumer/pdf/Pfizer2.pdf"&gt;letter sent to the victims of the Pfizer breach&lt;/a&gt; (17,000 victims) “support and protection package includes a credit monitoring program for one year.” I do like how Pfizer has responded although there are rumblings that they took too long to notify victims.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Western Union Breach&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;As I stated earlier, I still cannot find any “official” response from Western Union so it is hard to comment on their response. Among the things I would like to know are how the vulnerable database was accessed, what is Western Union doing to prevent future breaches, and any other information that can help me as a consumer feel confident that they take the security of my data seriously. 
The Certegy breach was a case of a criminal DBA; is this a case of a DBA with poor skills?&lt;br /&gt;&lt;br /&gt;Content for this article refers to information originally reported by the New York Post, &lt;a href="http://www.nypost.com/seven/07172007/news/nationalnews/hacker_attack_hock_nationalnews_chuck_bennett_and_c_j__sullivan.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;Western Union has been in the news for a &lt;a href="http://www.infoworld.com/articles/hn/xml/00/09/14/000914hnwest.html"&gt;security breach&lt;/a&gt; before.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Feel free to comment!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-7213686041911138859?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/7213686041911138859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=7213686041911138859&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/7213686041911138859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/7213686041911138859'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/western-union-breach.html' title='Western Union Breach'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_UpzPLjwt3YY/Rp2GZE09JDI/AAAAAAAAACc/__gkPDI9WX0/s72-c/homepage.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-5081361292923025801</id><published>2007-07-17T15:08:00.000-05:00</published><updated>2007-07-18T15:02:36.404-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Network Configuration Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Part 9 in the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt; Series&lt;br /&gt;&lt;br /&gt;Most network configuration policies are fairly straightforward.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose &lt;/strong&gt;– This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. 
These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Network Configuration Policy &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Although many organizations do not have a separate Network Configuration Policy, many of the statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. 
I prefer to separate them.&lt;br /&gt;&lt;br /&gt;SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure.&lt;br /&gt;- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Read through the sample policy, and together with the &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;business assessment&lt;/a&gt;, determine if a Network Configuration Policy makes sense in your organization.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/NetworkConfigurationPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE NETWORK CONFIGURATION POLICY&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network_18.html"&gt;“Information Security Policy 101 – Network Access Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_16.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Incident Management Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-5081361292923025801?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/5081361292923025801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=5081361292923025801&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5081361292923025801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5081361292923025801'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network.html' title='Information Security Policy 101 – Network Configuration Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-5537780736965039438</id><published>2007-07-16T11:50:00.000-05:00</published><updated>2007-07-17T15:14:03.974-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Incident Management Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Part 8 in the &lt;/strong&gt;&lt;a 
href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;&lt;strong&gt;Information Security Policy 101&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; Series&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, e.g. social security numbers, credit card numbers, other personally identifiable information (PII), etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, e.g. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.&lt;br /&gt;&lt;br /&gt;Bill shouldn’t have to worry about how to respond to such an incident.&lt;br /&gt;&lt;br /&gt;All companies large and small should have an incident management program. What the program looks like and how it is run will, as expected, differ from company to company, but they all start with policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE&lt;/strong&gt;: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. 
If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. Typically Incident Management Policy applies to all individuals in an organization. 
The policy is meant to be referred to by personnel charged with incident response.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Incident Management Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.&lt;br /&gt;&lt;br /&gt;NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).&lt;br /&gt;&lt;br /&gt;SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT)&lt;br /&gt;- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Do yourself a favor and create an incident management program. The incident management program does not need to be complicated and account for every possible scenario that could occur. Supporting procedures can be written in such a manner that they are flexible enough to apply to most conceivable incidents. 
Incidents WILL occur, so be prepared!&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/IncidentManagementPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE INCIDENT MANAGEMENT POLICY&lt;/strong&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network.html"&gt;“Information Security Policy 101 – Network Configuration Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-data.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Data Classification Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-5537780736965039438?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/5537780736965039438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=5537780736965039438&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5537780736965039438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5537780736965039438'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_16.html' title='Information Security Policy 101 – Incident Management Policy'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-5736707967923863348</id><published>2007-07-12T17:52:00.000-05:00</published><updated>2007-07-16T11:57:58.581-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Data Classification Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation is usually a whole different story. 
If done well the benefits can far outweigh the risks.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Data Classification Policy applies equally to any individual, or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. 
All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Data Classification Policy&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Roles and Responsibilities:&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The following are typical roles and responsibilities defined in the Data Classification policy:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Data Owner&lt;br /&gt;&lt;/strong&gt;The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. 
The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.&lt;br /&gt;&lt;br /&gt;- The Data Owner determines the appropriate value and classification of information generated by the owner or department;&lt;br /&gt;- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;&lt;br /&gt;- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and&lt;br /&gt;- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Data Custodian&lt;/strong&gt;&lt;br /&gt;- The Data Custodian maintains the protection of data according to the information classification associated with it by the Data Owner.&lt;br /&gt;- The Data Custodian role is delegated by the Data Owner and is usually filled by Information Technology personnel.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Data User&lt;br /&gt;&lt;/strong&gt;The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Data Classifications&lt;br /&gt;&lt;/span&gt;Confidential&lt;br /&gt;&lt;/strong&gt;Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.&lt;br /&gt;&lt;br /&gt;Confidential Data is sensitive in nature, and access is restricted. 
Disclosure is limited to individuals on a “need-to-know” basis only.&lt;br /&gt;&lt;br /&gt;Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.&lt;br /&gt;&lt;br /&gt;Examples of Confidential Data include:&lt;br /&gt;&lt;br /&gt;- Medical records&lt;br /&gt;- Clinical trial data&lt;br /&gt;- Credit card numbers&lt;br /&gt;- Social Security Numbers&lt;br /&gt;- Personnel and/or payroll records&lt;br /&gt;- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction&lt;br /&gt;- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information&lt;br /&gt;- Patent information&lt;br /&gt;- Regulatory filings&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Internal&lt;br /&gt;&lt;/strong&gt;Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.&lt;br /&gt;&lt;br /&gt;Examples of Internal Data include:&lt;br /&gt;- Employment data&lt;br /&gt;- Business partner information where no more restrictive confidentiality agreement exists&lt;br /&gt;- Internal directories and organization charts&lt;br /&gt;- Planning documents&lt;br /&gt;- Contracts&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Public&lt;br /&gt;&lt;/strong&gt;Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. 
Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.&lt;br /&gt;&lt;br /&gt;Examples of Public Data include:&lt;br /&gt;- Publicly posted press releases&lt;br /&gt;- Publicly available marketing materials&lt;br /&gt;- Publicly posted job announcements&lt;br /&gt;&lt;br /&gt;Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE:&lt;/strong&gt; The policy MUST NOT define HOW data will be classified (or tagged); use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.&lt;br /&gt;&lt;br /&gt;SAMPLE CLASSIFICATION PROTECTIONS:&lt;br /&gt;&lt;strong&gt;Confidential&lt;br /&gt;&lt;/strong&gt;- When stored in an electronic format, must be protected with a minimum level of authentication to include strong passwords, wherever possible.&lt;br /&gt;- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Internal&lt;br /&gt;&lt;/strong&gt;- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure&lt;br /&gt;- Must be protected by a confidentiality agreement before access is allowed&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. 
The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult in most organizations due to a number of primary factors:&lt;br /&gt;&lt;br /&gt;- People do not want to assume the responsibilities that come with their role, primarily the data owner&lt;br /&gt;- Labeling standards are sometimes extensive and time consuming to write&lt;br /&gt;- Data is strewn throughout the organization without centralized management&lt;br /&gt;- Classifications assigned will vary from data owner to data owner and management is not “cut and dry”&lt;br /&gt;&lt;br /&gt;Understand that information security is a science of evolution and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/DataClassificationPolicySample.pdf"&gt;&lt;strong&gt;SAMPLE DATA CLASSIFICATION POLICY&lt;/strong&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;TIP:&lt;/strong&gt; Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_16.html"&gt;“Information Security Policy 101 – Incident Management Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;
&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-backup.html"&gt;&lt;strong&gt;“Information Security Policy 101 – Backup Policy”&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-5736707967923863348?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/5736707967923863348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=5736707967923863348&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5736707967923863348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/5736707967923863348'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-data.html' title='Information Security Policy 101 – Data Classification Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6850083120200984389</id><published>2007-07-11T11:55:00.000-05:00</published><updated>2007-07-12T18:16:58.827-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Backup Policy</title><content 
type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On the surface it may seem that data backups are mundane and simple tasks to carry out. Backups are often repetitive and change infrequently. Don’t believe it! Although there are SOME tasks that a backup administrator does that are simple and mundane, anyone who has spent any amount of time with or as a backup administrator knows how complex the job can be. There are a vast number of options and methods available to conduct and manage backups. Of these options and methods, some are more secure than others.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;The Backup Policy is meant to address some of the grey area and provide direction to the development of more detailed procedural and standardization documentation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Backup Policy is to establish the rules for the backup and storage of electronic %ORGANIZATION% information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
Typically the Backup Policy applies to IT administrative personnel and, specifically, those persons responsible for data backups.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;&lt;br /&gt;Audience&lt;br /&gt;&lt;br /&gt;The %ORGANIZATION% Backup Policy applies to all individuals within the enterprise who are responsible for the installation and support of %ORGANIZATION% Information Resources, individuals charged with %ORGANIZATION% Information Resource backups, security and data owners.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Backup Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A Backup Policy is written to provide rules and expectations around the treatment and management of data backups. It is a simple policy that rarely exceeds a page in length, but it should be treated as important in many organizations.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE&lt;/strong&gt;: A Backup Policy should not state backup settings requirements except in a general sense. 
The Backup Policy should not be confused with a Disaster Recovery Plan (DRP), which is much more extensive and outside the scope of this article.&lt;br /&gt;&lt;br /&gt;SAMPLE BACKUP POLICY STATEMENTS:&lt;br /&gt;- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.&lt;br /&gt;- The %ORGANIZATION% Information Resource backup and recovery process for each system must be documented and periodically reviewed.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Do not assume that backups are simple tasks with limited options and flexibility. Backups are a critical process for many organizations, so it only makes sense to develop some policy around them.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/BackupPolicySample.pdf"&gt;SAMPLE BACKUP POLICY&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-data.html"&gt;“Information Security Policy 101 – Data Classification Policy”&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: Information Security Policy 101 – “&lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_10.html"&gt;&lt;strong&gt;Administrative and Special Access Policy&lt;/strong&gt;&lt;/a&gt;”&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6850083120200984389?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://trustedtoolkit.blogspot.com/feeds/6850083120200984389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6850083120200984389&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6850083120200984389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6850083120200984389'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-backup.html' title='Information Security Policy 101 – Backup Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6126480162513925274</id><published>2007-07-10T00:40:00.000-05:00</published><updated>2007-07-11T12:04:20.920-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Administrator and Special Access Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And now I present to you the Administrative and Special Access Policy! 
OK, I admit it isn’t all that exciting, but it is a policy that provides value in many organizations. In many instances users of administrative accounts have the ability to do just about anything in a corporate server and/or network environment. Administrators can often create accounts, change passwords, change access rights, delete audit logs, etc. Without proper control, the risk of inadvertent errors and malicious abuse of rights is unacceptable.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;All information security controls must have their roots in policy, and those meant to limit the risk inherent in the use of administrative access accounts are no different.&lt;br /&gt;&lt;br /&gt;NOTE: This has been stated before, but I state it again in order to drive the point home. Supporting standards, guidelines, and/or procedures will need to be created in support of the policy after the policy has been formally approved and adopted by management.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %ORGANIZATION% Administrative and Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
Typically Administrative and Special Access Policy applies to IT administrative personnel or persons authorized and responsible for information resource management.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %ORGANIZATION% Administrative and Special Access Policy applies equally to all individuals that have, or may require, special access privilege to any %ORGANIZATION% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Administrative and Special Access Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The Administrative and Special Access Policy is written to communicate the general rules and guidance to those persons in an organization with authorized access to administrative accounts. The policy also applies to users of accounts that have access rights that exceed those of "general" user accounts.&lt;br /&gt;&lt;br /&gt;As with all information security policies, the Administrative and Special Access Policy should be general in nature and not detail specific settings requirements. 
The Administrative and Special Access Policy should adequately address all areas of administrative access that reflect expected and acceptable use.&lt;br /&gt;&lt;br /&gt;SAMPLE POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;p&gt;- All users of Administrative and Special access accounts must have account management instructions, documentation, and authorization.&lt;/p&gt;&lt;p&gt;- Each individual that uses Administrative and Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete his/her job function.&lt;/p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Remember that a policy is a series of statements that accurately reflect management’s expectations with respect to information security in the organization. It is easy to forget about those users in an organization that have “special” rights and privileges. This is a mistake. Users with these rights and privileges, if not properly informed and trained, can pose one of the most significant threats to the confidentiality, integrity and/or availability of organizational information.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/AccountManagementPolicySample.pdf"&gt;SAMPLE ADMINISTRATIVE AND SPECIAL ACCESS POLICY&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TIP: The use of administrative and special access accounts needs to be strictly monitored and reviewed. 
Include regular monitoring and auditing in supporting procedures.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-backup.html"&gt;“Information Security Policy 101 – Backup Policy”&lt;/a&gt;&lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-backup.html"&gt; &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-account.html"&gt;&lt;strong&gt;Information Security Policy 101 – Account Management Policy&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6126480162513925274?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/6126480162513925274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6126480162513925274&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6126480162513925274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6126480162513925274'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_10.html' title='Information Security Policy 101 – Administrator and Special Access Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2408766946528482843</id><published>2007-07-09T08:31:00.000-05:00</published><updated>2007-07-09T23:30:02.025-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Secure'/><category scheme='http://www.blogger.com/atom/ns#' term='Exploits'/><title type='text'>Buy your exploits here?</title><content type='html'>&lt;a href="http://technorati.com/tag/Exploits" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=Exploits" /&gt;Exploits&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Are you in the market for a previously undisclosed exploit and/or vulnerability? If so, maybe you should check out the &lt;a href="http://www.wslabi.com/wabisabilabi/initPublishedBid.do?"&gt;WabiSabiLabi MarketPlace&lt;/a&gt;, an online exploit auction site (or not).&lt;br /&gt;&lt;br /&gt;So far, I have only seen four exploits listed for sale with only two receiving bids. Supposedly, I can become the high-bidder on a Yahoo! 
Messenger 8.1 remote buffer overflow exploit for only 2000 Euro (~$2720 US).&lt;br /&gt;&lt;br /&gt;Let’s take a look at this.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Site&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5085250842164483346" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_UpzPLjwt3YY/RpJwsrj4VRI/AAAAAAAAACU/ATMps2LnnfM/s400/WabiSabiLabi.jpg" border="0" /&gt;&lt;br /&gt;If you have used eBay or U-Bid before, you already understand how online auctions work, so I won’t explain any of that.&lt;br /&gt;&lt;br /&gt;What sets this online auction site apart from others is the commerce: previously undisclosed exploits. Upon first examination of the site it appears to be legitimate, but due to my nature I want to dig a little more.&lt;br /&gt;&lt;br /&gt;Call me naïve, but I gotta tell ya I am a bit suspicious.&lt;br /&gt;&lt;br /&gt;First off, I had not heard of “WabiSabiLabi Ltd.” before this encounter. Before I do business with anyone, I certainly want to know who they are and rarely will I take their word for it.&lt;br /&gt;&lt;br /&gt;There is little or no history of the company, presumably because they are a startup. DNS provides little information as it is a GoDaddy private registration. The site itself (&lt;a href="http://www.wslabi.com/"&gt;http://www.wslabi.com/&lt;/a&gt;) is hosted through California Regional Intranet, Inc. (cari.net).&lt;br /&gt;&lt;br /&gt;Let’s say for a second that I have a “zero-day” exploit that I would like to profit from, and let’s say that I am a good guy (I am!). 
Should I sell my work through WabiSabiLabi and trust that they will make sure it is sold to another good guy?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wslabi.com/wabisabilabi/faq.do?"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;WabiSabiLabi FAQ&lt;/span&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Q:&lt;/strong&gt; Can everybody purchase vulnerabilities from the market place?&lt;/p&gt;&lt;p&gt;&lt;strong&gt;A:&lt;/strong&gt; No, all purchasers will be carefully evaluated before granting them access to the market platform to minimize the risk of selling the right stuff to the wrong people.&lt;br /&gt;&lt;br /&gt;Personally, I would like a little more disclosure on “how” WabiSabiLabi will evaluate a purchaser.&lt;br /&gt;&lt;br /&gt;Now let’s say that I am a bad guy with a zero-day exploit to sell. Should I sell my work through WabiSabiLabi and risk disclosure of my identity, or should I sell it to the highest bidder within “my network”? This is a simple question to answer!&lt;br /&gt;&lt;br /&gt;Hey, maybe I am a bad guy with money to buy a zero-day exploit. Will the exploit be worth squat after the extensive “hinting” that takes place by disclosing even trivial details on &lt;a href="http://www.wslabi.com/"&gt;http://www.wslabi.com/&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;And lastly, let’s say I am a good guy again (following me?) and I work for one of the vendors mentioned with an exploit on &lt;a href="http://www.wslabi.com/"&gt;http://www.wslabi.com/&lt;/a&gt;. Would I buy? What happens if I don't buy the exploit when I could have and it turns out to be a good one that causes harm to my customers? This scenario could hurt. Tough decision, but it almost sounds like blackmail by WSLabi.&lt;br /&gt;&lt;br /&gt;There is just not enough information on &lt;a href="http://www.wslabi.com/"&gt;http://www.wslabi.com/&lt;/a&gt; for me to make the decision to disclose anything, i.e. 
submit any zero-day information I had on hand. I agree that security researchers need to get paid for their work, as I know the work can be extremely detailed, time-consuming, and stressful. I am just not convinced that this is the place to do it. I will take a wait-and-see approach to this one. &lt;/p&gt;&lt;p&gt;You will have to make your own decision.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;WabiSabiLabi Information, According to the site:&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;“WSLabi laboratory in Switzerland covers a large quantity of high-severity ITSEC issues through its global research network of independent security researchers and third part organizations”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Their motto:&lt;/strong&gt; “The art of continuous improvement of imperfect security”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Their Blog:&lt;/strong&gt; &lt;a href="http://wabisabilabi.blogspot.com/"&gt;http://wabisabilabi.blogspot.com/&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2408766946528482843?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2408766946528482843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2408766946528482843&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2408766946528482843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2408766946528482843'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/buy-your-exploits-here.html' title='Buy your exploits 
here?'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_UpzPLjwt3YY/RpJwsrj4VRI/AAAAAAAAACU/ATMps2LnnfM/s72-c/WabiSabiLabi.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6246509666264219113</id><published>2007-07-08T22:12:00.000-05:00</published><updated>2007-07-10T00:58:56.744-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Account Management Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Account Management Policy is next in our alphabetical list of information security policies that I will be covering as part of the Information Security Policy 101 series. 
Typically an Account Management Policy has more usefulness in organizations with a group of individuals who are authorized to create, monitor, control, and/or remove user accounts.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;The business assessment process that we covered in &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;“Information Security Policy 101 – Assess the Business”&lt;/a&gt; should give information security personnel the information needed to determine if an Account Management Policy will provide value to the organization.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Purpose&lt;br /&gt;The purpose of the %Organization% Account Management Policy is to establish the rules for the creation, monitoring, control, and removal of user accounts.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
Typically an Account Management Policy applies to persons authorized and responsible for account management.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;Audience&lt;br /&gt;The %Organization% Account Management Policy applies equally to all individuals whose authorized business duties include account management pertaining to any %Organization% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Account Management Policy&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The Account Management Policy is written to communicate the general rules and guidance to those persons in an organization with account management responsibilities. As with all information security policies, the Account Management Policy should be general in nature and not detail specific settings requirements. The Account Management Policy should adequately address account creation, monitoring, control, expiration, disablement, and deletion.&lt;br /&gt;&lt;br /&gt;SAMPLE POLICY STATEMENTS:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;All accounts created must have an associated and documented request and approval&lt;/li&gt;&lt;li&gt;All accounts must be uniquely identifiable using the user name assigned by MGI IT&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;In the companies that I have had the opportunity to assess, many did not include an Account Management Policy in their greater global information security policy, although most of these companies could benefit from having one. 
The Account Management Policy is a very simple policy to write due to its limited scope, and in most cases its creation, approval, and adoption are well worth the investment.&lt;br /&gt;&lt;br /&gt;Download the &lt;a href="http://trustedtoolkit.com/Documents/AccountManagementPolicySample.pdf"&gt;SAMPLE ACCOUNT MANAGEMENT POLICY&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TIP: Be sure that each account in your organization corresponds to a single entity (person, service, application, etc.) whenever possible.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_10.html"&gt;“Information Security Policy 101 – Administrator/Special Access Policy”&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Previous: &lt;/strong&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_06.html"&gt;&lt;strong&gt;Information Security Policy 101 – Acceptable Use Policy&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6246509666264219113?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/6246509666264219113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6246509666264219113&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6246509666264219113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6246509666264219113'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-account.html' title='Information 
Security Policy 101 – Account Management Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1320555760238074629</id><published>2007-07-06T11:11:00.000-05:00</published><updated>2007-07-18T09:21:57.421-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breach'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Certegy'/><title type='text'>When a DBA goes bad</title><content type='html'>&lt;a href="http://technorati.com/tag/Certegy+Breach" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=Certegy+Breach" /&gt;Certegy Breach&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align="left"&gt;What happens when a DBA goes bad? 
In the recent case involving Certegy Check Services (a division of Fidelity National Information Services), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information was compromised.&lt;br /&gt;&lt;br /&gt;In the &lt;a href="http://www.certegy.com/FISPressRelease7-3.pdf"&gt;July 3rd press release&lt;/a&gt;:&lt;/div&gt;&lt;div align="center"&gt;&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Data sold to Marketing Solicitation Companies;&lt;br /&gt;No Fraudulent Activity of Identity Theft Detected”&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;br /&gt;The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a guy named William Sullivan, also allegedly owns a side business named S&amp;S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes", not by transmission.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;How does a business protect itself (and customers)?&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;I can think of two things right off the bat: extensive employee screening for employees with access to sensitive information, and segregation of duty.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Employee Screening&lt;br /&gt;&lt;/strong&gt;Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. 
Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Segregation of Duty&lt;br /&gt;&lt;/strong&gt;DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access the data, and also audits who has accessed the data! Bad news. As security professionals, we should never accept a single entity with all three of these rights. There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have their security personnel look into these products.&lt;/div&gt;&lt;div align="left"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Certegy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Certegy's Actions (thus far)&lt;/strong&gt;&lt;/div&gt;&lt;div align="left"&gt;Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. 
Petersburg.)&lt;br /&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;br /&gt;&lt;p&gt;NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.&lt;br /&gt;&lt;br /&gt;Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.&lt;br /&gt;&lt;br /&gt;NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.&lt;br /&gt;&lt;br /&gt;From Renz Nichols, president of Certegy Check Services: "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.&lt;br /&gt;&lt;/p&gt;&lt;/div&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1320555760238074629?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1320555760238074629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1320555760238074629&amp;isPopup=true' title='30 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1320555760238074629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1320555760238074629'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/when-dba-goes-bad.html' title='When a DBA goes bad'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>30</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2359783749641250990</id><published>2007-07-06T08:57:00.000-05:00</published><updated>2007-07-08T22:30:17.016-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Acceptable Use Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN-LEFT: 0.4em; VERTICAL-ALIGN: middle; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Finally, our first policy! If we have done this right, we have already done much legwork. So far we have defined what a policy is, and obtained management’s endorsement. We have also identified what information our organization uses, how our organization uses the information it possesses, and identified the laws that pertain to the security of information. We should be in a good position to write policy according to what our organization needs.&lt;br /&gt;&lt;br /&gt;As stated in the first &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101 post&lt;/a&gt;, I will cover some of the more common policies found in organizations. I will cover them in alphabetical order, NOT in order of importance. 
The first policy is Acceptable Use.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;General Policy Format&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;All information security policies should have the following sections at a minimum:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt; – This is the stated purpose of the policy and clearly communicates why it was written.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;&lt;strong&gt;Purpose&lt;/strong&gt;&lt;br /&gt;This policy is established to achieve the following:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;To ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources.&lt;/li&gt;&lt;li&gt;To establish prudent and acceptable practices regarding the use of %Organization% Information Resources. &lt;/li&gt;&lt;li&gt;To educate individuals who may use %Organization% Information Resources with respect to their responsibilities associated with such use. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Audience&lt;/strong&gt; – This section of the policy states who the policy statements apply to, or who is governed by them. 
Typically an Acceptable Use Policy applies to all persons.&lt;br /&gt;&lt;br /&gt;SAMPLE:&lt;br /&gt;&lt;strong&gt;Audience&lt;/strong&gt;&lt;br /&gt;The %Organization% Acceptable Use Policy applies equally to all individuals granted access privileges to any %Organization% Information Resource.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policy&lt;/strong&gt; – The section that contains the actual policy statements.&lt;br /&gt;&lt;br /&gt;Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Acceptable Use Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;An Acceptable Use Policy is written to communicate what practices are prudent and acceptable to management in regards to the use of the organization’s information resources. An Acceptable Use Policy should address:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;General Information Resource Use&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SAMPLE “General Information Resource Use” POLICY STATEMENTS:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Users must not attempt to access any data or programs contained on %Organization% systems for which they do not have authorization or explicit consent&lt;/li&gt;&lt;li&gt;Users must not intentionally access, create, store or transmit material which %Organization% may deem to be offensive, indecent or obscene &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Email Access and Use&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SAMPLE “Email Access and Use” POLICY STATEMENTS:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Auto-forwarding electronic messages to e-mail addresses other than those within the %Organization% internal e-mail system is prohibited&lt;/li&gt;&lt;li&gt;An employee’s personal e-mail account may not be used to send or receive %Organization% Confidential Information &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Internet Access and Use&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SAMPLE “Internet Access and 
Use” POLICY STATEMENTS:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Use of the Internet with %Organization% networking or computing resources for recreational games, or for obtaining or distributing pornographic or sexually oriented materials, is prohibited&lt;/li&gt;&lt;li&gt;Using %Organization% networking and computing resources to make or attempt unauthorized entry to any network or computer accessible via the Internet is prohibited &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Voicemail Access and Use&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SAMPLE “Voicemail Access and Use” POLICY STATEMENTS:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Use of the %Organization% voice mail system to defame, harass, intimidate or threaten any other person(s), or to send unnecessarily repetitive messages (i.e. chain mail) is prohibited &lt;/li&gt;&lt;li&gt;Users must refrain from disclosing any Confidential data in voice mail greetings &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Incidental Use&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;SAMPLE “Incidental Use” POLICY STATEMENTS:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and so on, is restricted to %Organization% approved users; it does not extend to family members or other acquaintances &lt;/li&gt;&lt;li&gt;Incidental use must not interfere with the normal performance of an employee’s work duties &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Many times there are statements in an Acceptable Use Policy that overlap with statements in other policies.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;An Acceptable Use Policy is a necessary policy in many organizations. It is important to keep the communication as clear as possible and encourage constant reference. 
&lt;/p&gt;&lt;p&gt;Download the &lt;a href="http://www.trustedtoolkit.com/Documents/AcceptableUsePolicySample.pdf"&gt;SAMPLE ACCEPTABLE USE POLICY&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;TIP&lt;/strong&gt;: When all policies are written, combine them together as a global %Organization% Information Security Policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series – &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-account.html"&gt;“Information Security Policy 101 – Account Management Policy”&lt;/a&gt;&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Previous: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;“Information Security Policy 101 – Assess the Business”&lt;/a&gt;&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2359783749641250990?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2359783749641250990/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2359783749641250990&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2359783749641250990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2359783749641250990'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_06.html' title='Information Security Policy 101 – Acceptable Use Policy'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4039831224628993837</id><published>2007-07-05T09:48:00.000-05:00</published><updated>2007-07-05T11:54:19.515-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Assess the Business</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="border:0;vertical-align:middle;margin-left:.4em" src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" alt=" " /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Let’s assume a couple of things; you have &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html"&gt;identified the need for information security policy and you have executive management endorsement.&lt;/a&gt; Now you are ready to start writing policy, but before we open Word and start typing away, we need more information. The policies we write need to be relevant to the business and provide value. Enter business assessment.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;A good business assessment for our purposes will attempt to answer the following questions:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What types of information does the business use?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How does the business use information?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What is the law?&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The order in which these questions are answered is not important. 
What is most important is how accurately we answer them. The answers to these questions will provide direction in identifying which policies we need and what they should say.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;What types of information does the business use?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;It is important to identify the types of information used by the business in order to design controls (policy is a control) that apply the right amount of protection to the right information.&lt;br /&gt;&lt;br /&gt;Information security personnel rarely know the information types that every business unit within an organization uses, so it is important at this stage to reach out to the business units. Information Security can reach out to the business units in a variety of ways: in-person interviews, questionnaires, creation of an Information Security Steering Committee staffed by personnel across the organization, etc. No single approach works best for all organizations.&lt;br /&gt;&lt;br /&gt;IMPORTANT: Information security must reach out to the various business units.&lt;br /&gt;&lt;br /&gt;The goal of the “What types of information does the business use?” answers is to identify what information is most sensitive to the organization. 
Information that is typically more sensitive in nature:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Personally Identifiable Information (PII) – Credit card numbers, social security numbers, authentication data, etc.&lt;/li&gt;&lt;li&gt;Personal Health Information (PHI) – typically that information which is addressed by the HIPAA Privacy Rule&lt;/li&gt;&lt;li&gt;Financial information – financial information that has not been released by the organization for public consumption&lt;/li&gt;&lt;li&gt;Intellectual Property (IP) – inventions, formulas, trade secrets, etc.&lt;/li&gt;&lt;li&gt;Other information that, if disclosed, altered, or destroyed, has the potential to cause significant harm to the organization.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Gathering the types of information used by the organization will give guidance as to what should be protected the most.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;How does the business use information?&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The determination of how the business uses (creates, accesses, stores, transmits, discards, etc.) information will provide information security personnel guidance as to how to write policy that does not interfere with business.&lt;br /&gt;&lt;br /&gt;Information security personnel should constantly remind themselves that a business is in business to make money. If an information security control hinders the ability of the business to make money efficiently and expeditiously without reducing risk accordingly, then the control has been designed poorly. Policy is no exception.&lt;br /&gt;&lt;br /&gt;The goal in determining how the business uses information is to determine where information creation, access, storage, transmission, and destruction should be authorized and where it should be prohibited. 
Again, communication with business units is critical.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;What is the law?&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;There is an abundance of laws that pertain to information security. It is very important to understand how the various laws affect the information security program and policy.&lt;br /&gt;&lt;br /&gt;Public companies have the Sarbanes-Oxley Act of 2002 (SOX), companies involved in health care have the Health Insurance Portability and Accountability Act (HIPAA), companies involved in financial transactions may have the Payment Card Industry Data Security Standard (PCI), pharmaceutical companies may have FDA 21 CFR Part 11, and the list goes on and on.&lt;br /&gt;&lt;br /&gt;Information security personnel should consult the legal department to determine what laws and regulations apply, to ensure that written policy will be in compliance.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;There is plenty of groundwork that needs to be laid before writing an effective policy. Armed with the information obtained thus far, we should be in a good position to begin writing policies. 
Next we will take a look at the various policies that are common in many organizations to help you choose which are right for you.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Next in the series – “Information Security Policy 101 – Acceptable Use Policy”&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Previous: &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html"&gt;"Information Security Policy 101 - Introduction to Information Security Policy"&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4039831224628993837?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4039831224628993837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4039831224628993837&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4039831224628993837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4039831224628993837'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html' title='Information Security Policy 101 – Assess the Business'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4163723457513734945</id><published>2007-07-03T09:57:00.001-05:00</published><updated>2007-07-05T11:55:14.152-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101 – Introduction to Information Security Policy</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img style="border:0;vertical-align:middle;margin-left:.4em" src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" alt=" " /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Information security policy is arguably the single most important component of an information security program. Most information security personnel understand and agree that information security is a discipline based on a lifecycle. The goal of the lifecycle is the continuous improvement of an organization’s information security posture in terms of reduced risk.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;img id="BLOGGER_PHOTO_ID_5082985132109467986" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RopkC_36EVI/AAAAAAAAACM/4bVpwhEaOyU/s400/Lifecycle.jpg" border="0" /&gt; &lt;div align="center"&gt;&lt;span style="font-size:85%;"&gt;“Information security is NOT a destination, but a continuous cycle”&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;div align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;/div&gt;&lt;div align="left"&gt;As you can see in the conceptual diagram, information security policy is at the core. 
All other components of the lifecycle are dependent upon policy.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Information Security Policy Defined&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;Great, I understand where policy fits within a greater information security program, but what is “information security policy”? Great question! We should probably answer this before we embark on the creation of our own! Information security policy is:&lt;/div&gt;&lt;p&gt;&lt;div align="left"&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;/div&gt;&lt;div align="center"&gt;A series of statements that accurately represent the views and expectations of management with respect to the protection of information assets employed by the organization.&lt;/div&gt;&lt;p&gt;&lt;div align="left"&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;/div&gt;&lt;div align="left"&gt;Sound good? Yeah maybe, but let’s elaborate a little:&lt;br /&gt;&lt;br /&gt;“A series of statements” – The statements are meant to be short, easily understood, broad and not relevant to minute details. Details are typically mentioned in supporting documentation such as guidelines, standards and procedures.&lt;br /&gt;&lt;br /&gt;“that accurately represent the views and expectations of management” – This means that we must involve management. Typically management does not know what an information security policy should say so a dialog will need to be opened between information security personnel and management. 
We will dig deeper into this later.&lt;br /&gt;&lt;br /&gt;“with respect to the protection of information assets” – Protection of the confidentiality, integrity and availability of information.&lt;br /&gt;&lt;br /&gt;“employed by the organization.” – The keyword is “employed”, not to be confused with “owned”: the policy covers information the organization uses, whether or not it owns it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Every company needs security policy&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The things that seem obvious to information security personnel may not be so obvious to “normal” people.&lt;br /&gt;&lt;br /&gt;“Why do we need a policy?” Well-written information security policy provides the foundation of an information security program and helps to ensure consistency, enforceability, organization, and cost-effectiveness of the information security program.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Management involvement&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;After writing nearly 100 policies over the years, I can boldly say that writing policy is the easy part. Most good policies can be written in less than a month. Getting management endorsement and final approval averages 4-6 months.&lt;br /&gt;&lt;br /&gt;Note: “Management” refers to C-level executives in many companies, e.g. CEO, CIO, CSO, COO, CFO, etc.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Some tips:&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;div align="left"&gt;Management involvement and endorsement are critical. Without management endorsement, the information security policy is worthless.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="left"&gt;Get management involved as early and regularly in the process as possible.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="left"&gt;Understand that management is typically more “revenue focused” and security does not generate revenue. 
This requires some selling on the part of information security personnel.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="left"&gt;Management probably understands that there is a need to protect information but do not understand how to go about it. &lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="left"&gt;Do NOT be intimidated. Management wants to do the right thing.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p align="left"&gt;&lt;strong&gt;Next in the series – &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;“Information Security Policy 101 – Assess the Business”&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;strong&gt;Previous:&lt;/strong&gt; &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html"&gt;Information Security Policy 101&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;!-- google_ad_client = "pub-4721162729073131"; google_ad_width = 234; google_ad_height = 60; google_ad_format = "234x60_as"; google_ad_type = "text_image"; google_ad_channel = ""; google_color_border = "336699"; google_color_bg = "FFFFFF"; google_color_link = "0000FF"; google_color_text = "000000"; google_color_url = "008000"; google_ui_features = "rc:10"; //--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;script src="http://pagead2.googlesyndication.com/pagead/show_ads.js" type="text/javascript"&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4163723457513734945?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4163723457513734945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4163723457513734945&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4163723457513734945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4163723457513734945'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html' title='Information Security Policy 101 – Introduction to Information Security Policy'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_UpzPLjwt3YY/RopkC_36EVI/AAAAAAAAACM/4bVpwhEaOyU/s72-c/Lifecycle.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1767123228577902644</id><published>2007-07-02T12:08:00.000-05:00</published><updated>2007-08-03T13:18:34.001-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><title type='text'>Information Security Policy 101</title><content type='html'>&lt;a href="http://technorati.com/tag/information+security" rel="tag"&gt;&lt;img alt=" " src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=information+security" /&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;p&gt;You have to start somewhere. 
All successful information security programs start with policy.&lt;br /&gt;&lt;br /&gt;July is “Policy Month” at &lt;a href="http://www.trustedtoolkit.com/"&gt;The Trusted Toolkit!&lt;/a&gt; Over the course of this month, I will write a series of short articles around information security policy and provide some samples that you are free to use in your own work.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span&gt;The Series&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html"&gt;Introduction to Information Security Policy &lt;/a&gt;(Publish - 7/3)&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;What is an information security policy?&lt;/li&gt;&lt;li&gt;Why do I need security policy?&lt;/li&gt;&lt;li&gt;Importance of management direction, endorsement and approval&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-assess.html"&gt;Assess the business&lt;/a&gt; (7/5)&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;What types of information does the business use?&lt;/li&gt;&lt;li&gt;How does the business use information?&lt;/li&gt;&lt;li&gt;What is the law?&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Common Information Security Policies&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_06.html"&gt;Acceptable Use Policy &lt;/a&gt;(7/6)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-account.html"&gt;Account Management Policy&lt;/a&gt; (7/9)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_10.html"&gt;Administrator/Special Access Policy&lt;/a&gt; (7/10)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-backup.html"&gt;Backup Policy&lt;/a&gt; 
(7/11)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-data.html"&gt;Data Classification Policy&lt;/a&gt; (7/12)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_16.html"&gt;Incident Management Policy&lt;/a&gt; (7/13)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network.html"&gt;Network Configuration Policy&lt;/a&gt; (7/16)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-network_18.html"&gt;Network Access Policy&lt;/a&gt; (7/17)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_19.html"&gt;Password Policy&lt;/a&gt; (7/18)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_23.html"&gt;Physical Security Policy&lt;/a&gt; (7/19)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-part-13-in.html"&gt;Mobile Computing Policy&lt;/a&gt; (7/20)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-privacy.html"&gt;Privacy Policy&lt;/a&gt; (7/23)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_30.html"&gt;Security Training and Awareness Policy&lt;/a&gt; (7/24)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_1713.html"&gt;Software Licensing Policy&lt;/a&gt; (7/25)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_2288.html"&gt;Vendor/Third-Party Access Policy&lt;/a&gt; (7/26)&lt;/li&gt;&lt;li&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101-virus.html"&gt;Virus Protection Policy&lt;/a&gt; 
(7/27)&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;a href="http://trustedtoolkit.blogspot.com/2007/08/wrap-up-policy-and-approval.html"&gt;Policy approval&lt;/a&gt; (7/30)&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;What does management need to know?&lt;/li&gt;&lt;li&gt;How much will this cost?&lt;/li&gt;&lt;li&gt;Announcement and next steps.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;We will kick this thing off by starting with “Introduction to Information Security Policy” outlining what a security policy is, why every company needs one, and what involvement is required by management. As you can see from the schedule above, I will be posting this article tomorrow.&lt;br /&gt;&lt;br /&gt;Be sure to subscribe to The Trusted Toolkit Blog and feel free to comment!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NEXT:&lt;/strong&gt; &lt;a href="http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html"&gt;Information Security Policy 101 – Introduction to Information Security Policy&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1767123228577902644?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1767123228577902644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1767123228577902644&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1767123228577902644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1767123228577902644'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101.html' title='Information Security Policy 
101'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-513606075326623391</id><published>2007-06-28T10:34:00.000-05:00</published><updated>2007-07-05T11:56:59.794-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Home'/><category scheme='http://www.blogger.com/atom/ns#' term='Secure'/><title type='text'>Evaluating Anti-Virus Programs</title><content type='html'>&lt;a href="http://technorati.com/tag/anti-virus" rel="tag"&gt;&lt;img style="border:0;vertical-align:middle;margin-left:.4em" src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=anti-virus" alt=" " /&gt;Anti-Virus&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;div&gt;All anti-virus programs are not the same and making purchasing decisions based on opinions (not facts) could put you at risk.&lt;br /&gt;&lt;br /&gt;So which anti-virus (AV) program is best for you? It really depends on who you talk to, but should it? Ever since the advent of anti-virus, debates have raged as to which program is best and most of the time you get plenty of subjective opinions. We all have our opinions, but believe it or not there is significant science to the evaluation of anti-virus programs.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;font size="2"&gt;NOTE: This article is written with desktop and server anti-virus in mind. Enterprise management i.e. McAfee ePO, Symantec Corporate Edition, et al. 
is outside of the scope of this article.&lt;br /&gt;&lt;/font&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;The Science&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;The science of evaluating anti-virus programs is based on two main criteria: features and effectiveness.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;Features&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;The anti-virus software market is more competitive than it has ever been. Some vendors offer a plethora of features in their offerings to attract more customers. Most people don’t even know what some of these features are or what they do, but there are some features that are important to look for during an evaluation of anti-virus programs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;OS Support&lt;br /&gt;&lt;/strong&gt;Does the anti-virus program fully support the operating system that it is intended to be used on? Sounds obvious, doesn’t it? It does, but take Windows Vista for instance. Has the anti-virus program been designed for Windows Vista, and has the program been tested and/or certified on this platform?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Automatic Updates&lt;br /&gt;&lt;/strong&gt;Can updates be downloaded manually and/or automatically?&lt;br /&gt;&lt;br /&gt;Most people have better things to do than to make sure that anti-virus programs are updated regularly. This is a “must have” for a good anti-virus program. An added benefit is configurable automatic updates, allowing updates on a specific schedule.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;On-Access Scanning&lt;br /&gt;&lt;/strong&gt;This is another critical feature. The on-access scan engine needs to start as early in the boot process as possible, and files must be checked the instant there is any interaction with them.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;On-Demand Scan&lt;br /&gt;&lt;/strong&gt;Is there an option to conduct a “deep scan” of files, folders, or drives when needed? 
All good anti-virus programs have this feature, but it is important to mention as a requirement anyway. It is also important that the anti-virus program allows for the scanning of removable media and network drives.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Heuristics&lt;/strong&gt;&lt;br /&gt;‘Heuristics’ describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. Anti-virus programs that rely solely on signatures of known viruses are ineffective against many new viruses. In order for an anti-virus program to be trusted in my environment it must have the ability to detect viruses that are not yet known to the signature engine.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Scan scheduling&lt;br /&gt;&lt;/strong&gt;Much like automatic updates, most users typically forget to scan their computer on a regular basis.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Email scanning&lt;br /&gt;&lt;/strong&gt;Does the anti-virus program have the ability to scan inbound and outbound email? Does the anti-virus program have some controls built-in to prohibit mass-mailing? Email scanning becomes less important if it is certain that the email gateway has a properly installed and configured anti-virus solution, but it is always nice to have added layers of defense.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Reporting&lt;/strong&gt;&lt;br /&gt;Reporting is usually more important to technical and security personnel than it is to the typical user. The more reporting options the better. I conduct many information security audits and forensic investigations and enjoy the added benefit of detailed reports.&lt;br /&gt;&lt;br /&gt;It is also important to consider what warnings are given to users by the anti-virus program. 
Are there warnings displayed if there are errors, scans have not been run in X number of days, the program has not been updated in X number of days, etc.?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;Effectiveness&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;What makes an anti-virus program “effective”? The criteria most often used are detection and cleaning rates measured as a function of time*.&lt;br /&gt;&lt;br /&gt;*All good anti-virus programs will “eventually” detect and clean a virus. The time function gives an indication of how effective the program was when tested against newer viruses.&lt;br /&gt;&lt;br /&gt;Testing the effectiveness of anti-virus programs can be cumbersome and very work intensive. It is a good idea to rely on independent lab reports and certifications conducted by companies and people who specialize in testing anti-virus products. The two that I refer to often are ICSA Labs and the Austrian anti-virus experts at AV-comparatives.org.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ICSA Labs&lt;/strong&gt;&lt;br /&gt;In order for an anti-virus program to be “ICSA Certified” it must meet certain fairly rigorous criteria.&lt;br /&gt;&lt;br /&gt;The list of certified anti-virus products can be found here: &lt;a href="http://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk"&gt;http://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk&lt;/a&gt;.&lt;br /&gt;The list of certification criteria is here: &lt;a href="http://www.icsalabs.com/icsa/topic.php?tid=4a9d$80389867-30af3d4c$5524-512093a1"&gt;http://www.icsalabs.com/icsa/topic.php?tid=4a9d$80389867-30af3d4c$5524-512093a1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;ICSA Labs does a very good job of testing anti-virus (and other) products. ICSA is a benchmark and lends credibility to the products it tests, but it should not be relied upon as the sole authority for anti-virus effectiveness testing. 
There are a variety of reasons why you may not see the anti-virus product you use on the list, and a product that is certified is not necessarily better than a product that is not.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;AV-comparatives.org (&lt;/strong&gt;&lt;a href="http://www.av-comparatives.org/"&gt;&lt;strong&gt;http://www.av-comparatives.org/&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;)&lt;br /&gt;&lt;/strong&gt;These Austrians know a thing or two about viruses and anti-virus software! If an anti-virus program was not found at ICSA Labs, it might be found here. The tests from AV-comparatives are very comprehensive and the reporting is excellent.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="4"&gt;Conclusion&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;It is important to gather facts when evaluating technical solutions, and anti-virus should be no exception. Before spending money on something someone told you was the best, do a little digging yourself. Create a checklist containing the evaluation criteria that are important to you and use it to evaluate the candidate anti-virus programs. If you would like a copy of the checklist I use in my evaluations, send me a note. 
&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-513606075326623391?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/513606075326623391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=513606075326623391&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/513606075326623391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/513606075326623391'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/evaluating-anti-virus-programs.html' title='Evaluating Anti-Virus Programs'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-8341168853655047707</id><published>2007-06-21T12:13:00.000-05:00</published><updated>2007-07-05T11:57:52.412-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><title type='text'>Active Directory Account Auditing 101</title><content type='html'>&lt;a href="http://technorati.com/tag/Windows+Security" rel="tag"&gt;&lt;img style="border:0;vertical-align:middle;margin-left:.4em" src="http://static.technorati.com/static/img/pub/icon-utag-16x13.png?tag=Windows+Security" alt=" " /&gt;Windows Security&lt;/a&gt;&lt;br 
/&gt;&lt;p&gt;How many login accounts do you have? What accounts should be disabled or deleted? What accounts are disabled, expired, locked, etc.? What accounts have their password expiration overridden, meaning they are never forced to change their password? How many accounts are in compliance with your policy? You have a policy, right?&lt;br /&gt;&lt;br /&gt;In most Microsoft Windows (Active Directory) environments, accounts and passwords are everything. Most companies aren’t using biometrics, smart cards, etc., so an account and password become the “keys to the kingdom”. I am going to show you how to do a cursory audit, answer the questions above, and do it in 30 minutes or less. Best of all, this is free!&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;NOTE:&lt;/strong&gt; This article is not written to be instructions for a comprehensive account audit, nor is it written to audit individual password strength.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Policy&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;To begin you need a policy. Without policy, information security initiatives are likely doomed. In many organizations the policy that correlates most closely with this audit is the Password Policy. Your policy (and/or supporting standards) should specify the rules for login account passwords. You may also have supporting policies such as a privileged user policy or account termination policy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE:&lt;/strong&gt; If you do not have explicit consent (hopefully written) to conduct an audit of an organization’s information assets, get it BEFORE proceeding.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;The Audit&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;I use free tools regularly for audits, penetration testing, etc. Why write a tool if someone has already made one for you?&lt;br /&gt;&lt;br /&gt;Before beginning an audit, define what you plan on using it for. 
Do you have a SOX auditor breathing down your neck (most SOX auditors want a list of login accounts with password age)? Do you want the audit as FYI material? Do you plan to use the audit to initiate subsequent policy non-compliance remediation efforts? Most of the audits I conduct are used as part of an ongoing information security lifecycle. Typically, I will audit accounts on a semi-annual basis.&lt;br /&gt;&lt;br /&gt;Anyway, let’s begin.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The Tool:&lt;br /&gt;&lt;/strong&gt;We need a tool that will enumerate the accounts and provide us with the information we seek. My old and trusty tool of choice is UserDump.exe, written by Joe Richards. The step-by-step:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1.&lt;/strong&gt; Visit Joe’s site at &lt;a href="http://www.joeware.net/freetools/tools/userdump/index.htm"&gt;http://www.joeware.net/freetools/tools/userdump/index.htm&lt;/a&gt; and download the tool.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_UpzPLjwt3YY/RnqgfRaSnpI/AAAAAAAAABU/LYQW6O7Uv1k/s1600-h/Download(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078547988923719314" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/RnqgfRaSnpI/AAAAAAAAABU/LYQW6O7Uv1k/s400/Download(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;NOTE:&lt;/strong&gt; Your email address is OPTIONAL. When I am given the option, I opt out.&lt;br /&gt;&lt;br /&gt;For the sake of this exercise, let’s download the file to C:\Tools\UserInfo\UserDump.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2.&lt;/strong&gt; De-compress userdump.zip (“un-zip”).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. 
&lt;/strong&gt;Open a command prompt and change to the directory so that you are able to run userdump.exe from the command line.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_UpzPLjwt3YY/Rnqg_xaSnqI/AAAAAAAAABc/L-aodi1sIZ4/s1600-h/CD(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078548547269467810" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/Rnqg_xaSnqI/AAAAAAAAABc/L-aodi1sIZ4/s400/CD(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;4. &lt;/strong&gt;Type the following, replacing %dcnameorIP% with the IP address or name of an Active Directory domain controller:&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;userdump %dcnameorIP% &gt; dcusers.txt&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqhnxaSnrI/AAAAAAAAABk/7-MdT4k4AE0/s1600-h/Run(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078549234464235186" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqhnxaSnrI/AAAAAAAAABk/7-MdT4k4AE0/s400/Run(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;5. &lt;/strong&gt;After userdump has completed, you should have a tab-delimited text file in the directory that you ran it in.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqiCxaSnsI/AAAAAAAAABs/eZLzaAZ74o8/s1600-h/Finished(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078549698320703170" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqiCxaSnsI/AAAAAAAAABs/eZLzaAZ74o8/s400/Finished(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;6. &lt;/strong&gt;Open Excel. Click File--&gt;Open and locate the newly created dcusers.txt file. 
You will need to change the “Files of type:” option to “Text Files” in order to see it in the Open dialog box.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://3.bp.blogspot.com/_UpzPLjwt3YY/RnqiRBaSntI/AAAAAAAAAB0/uUfOYcYMw7U/s1600-h/Open(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078549943133839058" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_UpzPLjwt3YY/RnqiRBaSntI/AAAAAAAAAB0/uUfOYcYMw7U/s400/Open(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;7. &lt;/strong&gt;After you select the file, the Text Import Wizard dialog box will appear. Make sure that “Delimited” is chosen and not “Fixed width”, and click Finish.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqigxaSnuI/AAAAAAAAAB8/FW_L8bLpRw4/s1600-h/Import(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078550213716778722" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqigxaSnuI/AAAAAAAAAB8/FW_L8bLpRw4/s400/Import(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;8. &lt;/strong&gt;Voila! Your audit is complete. Now, maybe this one calls for some remediation.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqiwxaSnvI/AAAAAAAAACE/V7TBRrBjrG4/s1600-h/Excel(web).jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5078550488594685682" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RnqiwxaSnvI/AAAAAAAAACE/V7TBRrBjrG4/s400/Excel(web).jpg" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The audit conducted in this article should give you answers to the questions we posed at the start. 
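&lt;br /&gt;&lt;br /&gt;Step 5 leaves you with a tab-delimited dump and step 6 opens it in Excel; as an added example (not code from the original post or from Joe Richards’ UserDump tool), the Python below parses such a dump and answers the opening questions against policy thresholds, flagging rows it cannot evaluate instead of quietly skipping them. The column names, the Y/N flag values, the thresholds and the sample rows are all constructed assumptions; map the column names to the header row of your own dcusers.txt before running it on real output.

```python
"""Classify accounts from a tab-delimited AD user dump against password policy.

Added example, not code from the original post or from UserDump.exe.  The
header/column names, the Y/N flag values and the thresholds below are all
assumptions; rename them to match the header row of your own dcusers.txt.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

MAX_PASSWORD_AGE_DAYS = 90   # take the real value from your password policy
STALE_LOGON_DAYS = 180       # no logon for this long: disable/delete candidate

# Constructed sample dump: header row, then one tab-separated record per account.
SAMPLE_DUMP = (
    "SamAccountName\tPwdAgeDays\tLastLogonDays\tPwdNeverExpires\tDisabled\tLocked\tExpired\n"
    "jsmith\t45\t2\tN\tN\tN\tN\n"
    "svc_backup\t412\t1\tY\tN\tN\tN\n"
    "mjones\t120\t30\tN\tN\tN\tN\n"
    "ttemp\t15\t400\tN\tN\tN\tN\n"
    "old_contractor\t700\t650\tN\tY\tN\tN\n"
    "bburns\t30\t5\tN\tN\tY\tN\n"
    "kbrown\t60\t200\tN\tN\tN\tY\n"
    "broken\tn/a\t3\tN\tN\tN\tN\n"
)

@dataclass
class AuditReport:
    total: int = 0                 # every record in the dump
    active: int = 0                # accounts that can still log in
    disabled: list = field(default_factory=list)
    expired: list = field(default_factory=list)
    locked: list = field(default_factory=list)
    never_expires: list = field(default_factory=list)   # expiration overridden
    password_too_old: list = field(default_factory=list)
    stale_logon: list = field(default_factory=list)     # disable/delete candidates
    unparseable: list = field(default_factory=list)     # rows needing a manual look

def _cell(row: dict, column: str) -> str:
    """Fetch a column, tolerating short rows (csv fills missing cells with None)."""
    return (row.get(column) or "").strip()

def _flag(row: dict, column: str) -> bool:
    """Interpret a Y/N style cell; anything unexpected counts as not set."""
    return _cell(row, column).upper() in ("Y", "YES", "TRUE", "1")

def parse_dump(text: str) -> list[dict]:
    """Read the tab-delimited dump (header row first) into one dict per account."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [row for row in reader if _cell(row, "SamAccountName")]

def audit(rows: list[dict], max_age: int = MAX_PASSWORD_AGE_DAYS,
          stale_days: int = STALE_LOGON_DAYS) -> AuditReport:
    """Answer the post's opening questions for the parsed rows."""
    report = AuditReport()
    for row in rows:
        name = _cell(row, "SamAccountName")
        report.total += 1
        disabled = _flag(row, "Disabled")
        expired = _flag(row, "Expired")
        if disabled:
            report.disabled.append(name)
        if expired:
            report.expired.append(name)
        if _flag(row, "Locked"):
            report.locked.append(name)
        if disabled or expired:
            continue  # password checks only matter for accounts that still work
        report.active += 1
        if _flag(row, "PwdNeverExpires"):
            report.never_expires.append(name)
        try:
            pwd_age = int(_cell(row, "PwdAgeDays"))
            last_logon = int(_cell(row, "LastLogonDays"))
        except ValueError:
            report.unparseable.append(name)  # never silently pass a bad row
            continue
        if pwd_age > max_age:
            report.password_too_old.append(name)
        if last_logon > stale_days:
            report.stale_logon.append(name)
    return report

def summarize(report: AuditReport) -> list[str]:
    """One line per finding, in the shape you would paste into an audit memo."""
    lines = [f"{report.total} accounts, {report.active} able to log in"]
    for finding in ("password_too_old", "never_expires", "stale_logon",
                    "disabled", "expired", "locked", "unparseable"):
        names = getattr(report, finding)
        lines.append(f"{len(names)} {finding}: {', '.join(names) or '-'}")
    return lines

if __name__ == "__main__":
    # On real output: summarize(audit(parse_dump(open("dcusers.txt").read())))
    print("\n".join(summarize(audit(parse_dump(SAMPLE_DUMP)))))
```
&lt;br /&gt;&lt;br /&gt;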
In this audit there were 952 accounts, of which 712 were login accounts. There were numerous password age and no password expiration policy violations as well as accounts that were thought to have been disabled and/or expired that were not.&lt;br /&gt;&lt;br /&gt;In a simple exercise lasting no more than 30 minutes, we were able to gather good information. Through remediation we should be able to significantly reduce the risk of unauthorized disclosure, modification and/or destruction to this company’s information assets. &lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-8341168853655047707?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/8341168853655047707/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=8341168853655047707&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8341168853655047707'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8341168853655047707'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/active-directory-account-auditing-101.html' title='Active Directory Account Auditing 101'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_UpzPLjwt3YY/RnqgfRaSnpI/AAAAAAAAABU/LYQW6O7Uv1k/s72-c/Download(web).jpg' 
height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6454927381155023543</id><published>2007-06-13T14:23:00.000-05:00</published><updated>2007-06-13T14:41:52.797-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Newsletter'/><title type='text'>The Trusted Toolkit June Newsletter</title><content type='html'>&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Quick Post...&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Get The Trusted Toolkit's June 2007 Newsletter here:&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.trustedtoolkit.com/resources.aspx"&gt;http://www.trustedtoolkit.com/resources.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Trusted Toolkit newsletter is a monthly publication that we make available &lt;strong&gt;FREE&lt;/strong&gt; of charge to customers and non-customers alike.&lt;br /&gt;&lt;br /&gt;If you would like to receive our newsletters automatically via email, please visit &lt;a href="http://www.trustedtoolkit.com/"&gt;http://www.trustedtoolkit.com/&lt;/a&gt; and sign-up!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Enjoy!&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6454927381155023543?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/6454927381155023543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6454927381155023543&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6454927381155023543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6454927381155023543'/><link 
rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/trusted-toolkit-june-newsletter.html' title='The Trusted Toolkit June Newsletter'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-8743647047880828874</id><published>2007-06-11T20:38:00.000-05:00</published><updated>2007-06-11T20:52:03.338-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><title type='text'>5 Essentials for CISO Success</title><content type='html'>Being a CISO ain’t that easy nowadays. Actually, I am not sure if it ever was. Besides the obvious attributes of a good employee (honesty, integrity, confidence, good staffing, etc.), what makes a good CISO and what makes a great CISO?&lt;br /&gt;&lt;br /&gt;Through conversations with other security professionals and my own observations, I noticed five essentials that great CISOs consistently do well.&lt;br /&gt;&lt;br /&gt;DISCLAIMER: In case you thought otherwise, information security is a holistic discipline and this article is not intended to be all-inclusive. To do so would require volumes of books and experience.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Essential #1: If you want someone to buy, you need to sell&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;This is always a challenge for me as deep down I am an introvert. I would be fine if all I had to do was work at my computer all day long, but I would make a much better analyst than I would a CISO. 
CISOs need to be visible and sell the programs they sponsor. CISOs need to sell everyone from the CEO to the backroom mail worker on how information security can help them conduct business better. People will buy into the concepts and ideas that make sense to them, so spend time explaining how security benefits all stakeholders in the company.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;My action item:&lt;br /&gt;&lt;/strong&gt;Each day I make it a point to talk to someone I have not talked to before in the company. Usually during casual conversations I find the opportunity to evangelize.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Essential #2: Align security initiatives with the business objectives&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;This seems simple enough, but unless a CISO actively seeks an understanding of the business’s goals and objectives, they will not be known to him/her. Be careful not to make strategic decisions based on assumptions.&lt;br /&gt;&lt;br /&gt;Too often security is viewed as a barrier to conducting business with no tangible benefits. As much as it is my job to protect the company’s information assets, it is equally my job to ensure that security does not get in the way of business and, where possible, enables it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;My action item:&lt;br /&gt;&lt;/strong&gt;Actively seek an understanding of the company I work for as each opportunity presents itself. Volunteer for committees, attend meetings on time, and ask questions regularly. When I ask questions I ask them in a manner that conveys my desire to understand and help.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Essential #3: Compliance is not the “end all”&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Obviously compliance is very important, and all companies face some type of regulation, rule, guidance, or law that they have to contend with in relation to the management of information. 
I have always viewed compliance as the things that a governing body makes us do because we were not doing the right things to begin with. If companies had adequately protected sensitive information all along, we would have much less red tape to deal with today.&lt;br /&gt;&lt;br /&gt;The security program I am responsible for is not designed specifically for compliance but is built specifically for the business. If the security program I manage is managed well, then compliance will be mostly automatic. During audits, answer what is asked and provide what is requested, nothing more and nothing less. If there are deficiencies, attend to them and ask why it was not already designed into the program.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Essential #4: Train, inform, remind and reward&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;This cannot be underestimated, but in most companies it has been for a long time. How can you expect the users in your company to abide by the rules dictated in policy if they are unaware of the rules and/or do not know how to apply them to their work? In order for users to understand, they must be trained. In order for users to develop good habits, they must be consistently reminded. In order for users to care, they must be rewarded.&lt;br /&gt;&lt;br /&gt;Believe it or not users believe they have more important things to think about than information security and in many cases they are right.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;My action item&lt;/strong&gt;&lt;br /&gt;Create an information security training and awareness policy and obtain the approval of business executives. Develop an effective information security training and awareness program. 
Involve business unit leaders in the process of training and awareness program development.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Essential #5: Information will inevitably be compromised: detect and respond&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Business information WILL be compromised through unauthorized disclosure, alteration, or destruction. This is an absolute fact. Prepare for detection and appropriate response.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;My action items&lt;/strong&gt;&lt;br /&gt;Develop standards for various detection mechanisms and logging facilities throughout the organization. Detection and logging should overlap and be redundant in design and implementation. Develop incident response policy and procedures, then test them regularly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;These tips should only complement what is already being done by an effective CISO. 
Wouldn’t it be nice if it were all this simple?&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-8743647047880828874?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/8743647047880828874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=8743647047880828874&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8743647047880828874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/8743647047880828874'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/5-essentials-for-ciso-success.html' title='5 Essentials for CISO Success'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-3388676428092344305</id><published>2007-06-07T22:41:00.000-05:00</published><updated>2007-06-08T11:40:48.978-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><title type='text'>Password on a Post-It Note</title><content type='html'>Sheesh! 
This is the song that never ends, it just goes on and on my friends...&lt;br /&gt;&lt;br /&gt;I don’t think anything in this business torques this ISO more than a user that blatantly writes their password on a Post-It note and prominently displays it somewhere around their workstation.  I could preach this until I am blue in the face, but people are people.&lt;br /&gt;&lt;br /&gt;I bring this up again and again, but this week I encountered a couple of things that got my blood boiling again on this very topic.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;The Survey&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;Early this week I was reading a recent survey from &lt;a href="http://www.cyber-ark.com/news-events/pr_20070530.asp"&gt;Cyber-Ark&lt;/a&gt;, an authentication management company.  Obviously the section in the article titled “Post-It Notes: The IT Favorite for Storing Passwords” caught my eye immediately.  The IT favorite?  You have to be kidding me.&lt;br /&gt;&lt;br /&gt;“It seems that very little changes year over year - more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. What's shocking about this year's annual survey was that the 50% number now applies to IT Professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful codes pre-built into every system such as the Administrator ID on your local workstation.” - Survey Reveals Scandal of Snooping IT Staff, 5/30/07 Cyber-Ark&lt;br /&gt;&lt;br /&gt;50% of IT professionals admitted that they store (or have stored) passwords on a Post-It note!  How many do and didn’t admit it?  Should I be surprised?  
I have to admit that I was a little taken aback.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;An Incident&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The same day I read the article mentioned above, I received a phone call from one of our IT staff in one of our offices.  He was calling me to report a suspected incident that may have happened over the weekend.  A computer was logged into after-hours and used to commit acts that are against our policy.  I will leave it at that.&lt;br /&gt;&lt;br /&gt;When I receive a call of a potential incident, I begin the incident response process and an investigation.  During the course of the investigation it quickly becomes evident that I will not be able to prove who did what during the time in question.  For one, all of the people who use(d) the computer in question use a shared account (another separate no-no out of the scope of this article), and two the shared username and password were written on a Post-It note next to the computer.&lt;br /&gt;&lt;br /&gt;Physical security i.e. access card controls, CCTV, etc. aside; there is little that can be done to hold anyone accountable for the actions that took place during this incident.&lt;br /&gt;&lt;br /&gt;Essentially, case closed with many possible ramifications.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;What to do? Policy, Education, and Enforcement&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;If you do not have a password policy, you need one.  In your password policy it must be clearly stated (simple terms) what actions are acceptable and what are not in regards to password creation, usage, re-use and destruction.  Your policy must be endorsed by executive management of your company if you have any hope to educate your users and enforce with action.&lt;br /&gt;&lt;br /&gt;If I have learned one thing in security, training and awareness cannot be understated.  People are creatures of habit.  
People with bad habits need to learn good ones.  The only way people learn good habits is through constant, consistent training and reinforcement.  Your training and awareness program should constantly remind people what you have written in policy with real-world examples of how it applies to them.&lt;br /&gt;&lt;br /&gt;Enforce your policy.  Your password policy should be viewed as management’s expectations of acceptable behavior from your users.  If management has truly endorsed your password policy, they should expect you to enforce it as well.  Enforcement can range from a friendly reminder to termination, depending on the nature of the offense.  No matter which method you attempt to use to enforce your policy, be consistent and include your human resources and legal department as necessary.&lt;br /&gt;&lt;br /&gt;Keep in mind that policy, education and enforcement all go “hand-in-hand”. If you are lacking in one, the others will suffer. &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-3388676428092344305?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/3388676428092344305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=3388676428092344305&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/3388676428092344305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/3388676428092344305'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/password-on-post-it-note.html' title='Password on a Post-It Note'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2957874369446152916</id><published>2007-06-07T07:18:00.000-05:00</published><updated>2007-07-03T18:14:10.409-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>Abdul has sent me an e-card!</title><content type='html'>My good friend Abdul sent me an e-card yesterday afternoon. It's good to hear from him again.&lt;br /&gt;&lt;br /&gt;Seriously now, sp/cammers are very creative. This is the first spam email I have received that used a legitimate e-card and photo sharing site as a delivery vehicle. You have to give these guys some credit. They are very creative in the methods they use in attempting to evade standard spam filtering techniques.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;How it works&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;This is a new twist on a newer technique used by sp/cammers. It's image spam in a way, but a little different. I’ll call it e-card spam for lack of a better term. 
Anyway, here is the story; I received Abdul’s e-card in my gmail account.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;p align="left"&gt;&lt;img id="BLOGGER_PHOTO_ID_5073314889101123138" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/RmgJAxaSnkI/AAAAAAAAAAk/OKngQTBJImE/s400/e-cardspam.jpg" border="0" /&gt;&lt;/p&gt;As you can see from the screen-shot, gmail and most respectable email clients nowadays automatically block images in emails from untrusted sources. This is not a big deal to sp/cammers though as they are interested in getting the email to your inbox then using motivating statements and phrases to get victims to act. Let’s say for a minute that I am one of those people.&lt;br /&gt;&lt;br /&gt;I allow the image to be displayed in the email by clicking the “Display images below” link in gmail.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5073315172568964690" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_UpzPLjwt3YY/RmgJRRaSnlI/AAAAAAAAAAs/BuTA7le2Ij4/s400/e-cardspam1.jpg" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;Oh! I see. Abdul wants to give me a large sum of money! This must be my lucky day.&lt;br /&gt;&lt;br /&gt;Actually, most of us have seen emails with similar text. We know it’s a scam (I hope!). These scams must be working though otherwise the sp/cammers wouldn’t continue to send the emails and devote the time to find new scan evasion techniques. 
Clicking on the image in the email brings me to Abdul’s e-card.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE&lt;/strong&gt;: I do not advise clicking links in emails unless you are absolutely sure you know where it leads first!&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5073315443151904354" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_UpzPLjwt3YY/RmgJhBaSnmI/AAAAAAAAAA0/5wFvvbOEThQ/s400/e-cardspam2.jpg" border="0" /&gt;&lt;br /&gt;The email and techniques used in the spam email are not earth shattering by any means, but there are some important topics to note.&lt;br /&gt;&lt;br /&gt;1. These “official” attorney letters promising big payouts from their client’s estates et al. must still be luring victims. This is sad.&lt;br /&gt;&lt;br /&gt;2. The technique used to get the spam to my inbox was a little different than most I see, i.e. using a public photo sharing site as the host of the image.&lt;br /&gt;&lt;br /&gt;3. More than likely the sp/cammers lose the ability to track my actions in clicking the image, which is different from when they host the image on their own sites. They are willing to forego this information.&lt;br /&gt;&lt;br /&gt;4. You can block this spam easily by clicking the “To stop receiving photos and videos from all Ringo members, click here.” link. This would work for Ringo originated e-card spam anyway.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE&lt;/strong&gt;: I do not advise clicking links in emails unless you are absolutely sure you know where it leads first!&lt;br /&gt;&lt;br /&gt;5. Review of the email header provides some interesting information (they always do!). This email was in fact sent through Ringo’s systems. Ringo uses &lt;a href="http://www.habeas.com/"&gt;Habeas&lt;/a&gt; as an email accreditor, which makes it much easier for the sp/cammer to get the email to you and me!&lt;br /&gt;&lt;br /&gt;6. 
The bottom of the email includes a warning from Ringo in 7.5pt font; “Ringo advisory - Avoid scams. Beware of messages that mention sweepstakes, lotteries, money-making offers, work-at-home opportunities, etc.”&lt;br /&gt;&lt;br /&gt;All-in-all I am not terribly impressed, but I can see potential in sp/cammers enhancing this technique to get more spam past filters and into my inbox. That doesn’t make me happy.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Please comment if you have something to say or shoot me an email.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2957874369446152916?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2957874369446152916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2957874369446152916&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2957874369446152916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2957874369446152916'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/06/abdul-has-sent-me-e-card.html' title='Abdul has sent me an e-card!'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_UpzPLjwt3YY/RmgJAxaSnkI/AAAAAAAAAAk/OKngQTBJImE/s72-c/e-cardspam.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2416699954709566881</id><published>2007-04-16T18:32:00.000-05:00</published><updated>2007-06-08T11:43:40.644-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MySpace'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Safety'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><title type='text'>7 Easy tips to help ensure your child's internet safety</title><content type='html'>I have a couple of teenagers and another child about to become one.  I am a caring father and a professional in the field of information security.  Naturally I am concerned about the well-being of my kids when they use the Internet.&lt;br /&gt;&lt;br /&gt;These are a few tips based on my own experiences with my own children.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;1.  Talk to them&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;I have talked to many parents that claim to have an open dialog with their kids.  As I see it, there are basically three types of relationships with respect to parent-child dialog.&lt;br /&gt;&lt;br /&gt;There are parents that have an open dialog with their kids, there are parents who think they have an open dialog with their kids but don't, and lastly there are parents that don't have an open dialog with their kids and they know it.  The best method to approach your child will largely depend on which group you are in.&lt;br /&gt;&lt;br /&gt;I like to consider myself as having an open dialog with my children, but I am not naïve enough to think I know everything they do.  Make attempts on a regular basis to sit down and learn how your kids use the computer.  Get involved with them.  Ask them to teach you about MySpace, instant messaging or the newest online game.  
I know my kids enjoy my involvement.&lt;br /&gt;&lt;br /&gt;Parents who do not have an open dialog with their children need to start NOW.  It may be difficult at first and your child may wonder “what’s the catch”.  I urge you to stay consistent and build a habit out of demonstrating interest.  Of course, counseling is always an option too.&lt;br /&gt;&lt;br /&gt;Whatever you do as a parent, do NOT ignore the risks or think that they won’t affect your children.  A false sense of security is no security at all.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;2.  Set boundaries&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;My children are not allowed to use the computer any time they wish.  There are rules and boundaries to their usage.  If I did not set boundaries, I am sure my kids would use the computer until their fingers bled.  Your rules depend on your household and/or your beliefs, but set rules and communicate them effectively.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Just some of my boundaries:&lt;br /&gt;&lt;/strong&gt; - No computer usage until homework is done. (I do follow up with teachers)&lt;br /&gt; - There are only certain sites that I approve of.&lt;br /&gt; - Very limited computer usage during nice days&lt;br /&gt; - You must ask me before using the computer&lt;br /&gt;And others…&lt;br /&gt;&lt;br /&gt;If it helps, write your boundaries down on a piece of paper to share.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;3.  Work with them (will they let you participate too?)&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;My teenage son loves to play games online, and I am not one to miss out on the fun.  Last year we were talking about the games he plays online.  He got me hooked on an online role playing game called Runescape.  I am a game addict, so I have to be sure I follow some boundaries of my own!  
It's fun to share what we do and brag about our accomplishments.&lt;br /&gt;&lt;br /&gt;My teenage daughter is more of a socialite, so her choice of Internet locations is MySpace, YouTube and blog sites.  When she finds something interesting, she will share it with me.  When I find something interesting, I will share it with her.  We have a great time laughing about what we find.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;IMPORTANT:&lt;/strong&gt;  Give some semblance of privacy.  This is especially true with my daughter.  She needs her space, so I do not hound her constantly about what she does.  I realize that she needs to have private conversations from time to time with her peers.  This is a balancing act.  Allow her to have her space, but keep tabs too.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;4.  Stay consistent&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;My children don’t think twice when we talk about our Internet usage or safety.  I don’t change the rules and I don’t spring things on them.  There is an understanding built on trust and consistent, clear communication.  Stay consistent in the message and rules.&lt;br /&gt;&lt;br /&gt;Equally important is to stay consistent in the punishment.  Recently my teenage daughter broke one of my rules.  Not a major rule, but a rule nonetheless.  She lost computer privileges for two weeks.  She knows why she was punished and she knows I care.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;5.  Understand the risks&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Do some research and speak with facts.  Don’t expect your children to take you at your word, especially if they are told differently by their peers.  Once you are armed with facts, share them with your kids.  
Ask them how they feel about it.&lt;br /&gt;&lt;br /&gt;Good resources for the facts:&lt;br /&gt;&lt;a href="http://www.safekids.com/child_safety.htm"&gt;SafeKids&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.missingkids.com/missingkids/servlet/PageServlet?LanguageCountry=en_US&amp;PageId=3026"&gt;National Center for Missing &amp;amp; Exploited Children&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.fbi.gov/publications/pguide/pguidee.htm"&gt;FBI: A Parent’s Guide to Internet Safety&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.myspace.com/Modules/Common/Pages/SafetyTips.aspx"&gt;MySpace: Safety Tips&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Do some searches.  There is much to learn!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;6.  Observe&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;This is a very simple tip.  Have your children use the computer in an easily viewable location.  Explain to them the reasons why.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;7.  Install controls&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;There are plenty of parental control software options on the market.  I have used and can recommend &lt;a href="http://send.onenetworkdirect.net/z/5253/CD89437/"&gt;Net Nanny&lt;/a&gt;.  Install the software per the manufacturer’s specifications and check the access logs regularly.  Follow up with your children on any unusual changes in Internet access behavior.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;None of these tips, alone or in combination, will guarantee your child’s Internet safety; they will only reduce the likelihood of something bad happening.  
I feel much better about my children’s safety since following these seven tips and our relationship has only become stronger.&lt;br /&gt;&lt;br /&gt;Take an active role and don’t be intimidated by the technology or your children’s perceived mastery of it!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2416699954709566881?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2416699954709566881/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2416699954709566881&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2416699954709566881'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2416699954709566881'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/7-easy-tips-to-help-ensure-your-childs.html' title='7 Easy tips to help ensure your child&apos;s internet safety'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2470673661891906489</id><published>2007-04-13T14:22:00.000-05:00</published><updated>2007-06-08T11:45:27.330-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='Home'/><category scheme='http://www.blogger.com/atom/ns#' term='Virus'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Free'/><title type='text'>Top 10 Free security-related programs for every home user</title><content type='html'>There are certain security-related programs that all home users should have installed on their computers. Installing, configuring, and maintaining programs from each category listed in this article will provide a good base of protection for most.&lt;br /&gt;&lt;br /&gt;This list and the accompanying suggestions are written with the Windows 2000 and XP operating systems in mind. Many of the suggested programs in this article will not work with Vista.&lt;br /&gt;&lt;br /&gt;Did I mention free? I like free. Don’t get me wrong, I also like to do my part in supporting the economy, but why pay for something if I don’t have to (legally)?&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;1. Anti-Virus Software&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Effective, up-to-date anti-virus software is a critical cog in your home information security machine. I would not suggest that anyone use a Windows (or Mac, and maybe Linux) computer without it, unless you want to lose your information, have your computer participate in a “bot” network, or send not-so-nice emails to everyone in your contacts list.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;/strong&gt;&lt;br /&gt;My favorite is &lt;a href="http://free.grisoft.com/doc/1"&gt;Grisoft’s AVG Anti-Virus Free&lt;/a&gt;. AVG has all of the options to ensure “good” virus protection, the performance is above-average, and it has a pretty good detection rate. The only beef I have with AVG is the clunky interface, but it IS free. 
Other free programs worth checking out include &lt;a href="http://www.pctools.com/free-antivirus/"&gt;avast! 4 Home Edition&lt;/a&gt; and &lt;a href="http://www.pctools.com/free-antivirus/"&gt;PC Tools AntiVirus Free Edition&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;2. Anti-Spyware Software&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;The question I often get is “If I am using anti-virus do I still need anti-spyware, and if so why?” The answer is always yes, and the reason is the difference in the way viruses and spyware (and adware) operate. Virus spreads, spyware embeds. Your anti-virus software will not protect you adequately from spyware.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;CRAWLER, LLC’s &lt;a href="http://www.spywareterminator.com/"&gt;Spyware Terminator&lt;/a&gt; – Spyware and adware have evolved so much that I don’t think any of the free anti-spyware applications on the market should be relied upon solely. Although my favorite free anti-spyware application is Spyware Terminator, I would suggest that you supplement its protection with another (&lt;a href="http://free.grisoft.com/doc/20/lng/us/tpl/v5"&gt;AVG Anti-Spyware Free&lt;/a&gt;, &lt;a href="http://www.spybot.info/"&gt;Spybot Search and Destroy&lt;/a&gt;, &lt;a href="http://www.lavasoftusa.com/products/ad-aware_se_personal.php"&gt;Ad-Aware SE Personal&lt;/a&gt;, etc.).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;3. Personal Firewall&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Personal firewalls are an important complement to your home computer information security. They are especially important if you have an “always on” cable or DSL connection at home. 
You should expect a “good” personal firewall to perform well in monitoring each connection into and out of your computer and tie it to the application (process) making the request.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;/strong&gt;&lt;br /&gt;Far and away, my favorite free personal firewall is &lt;a href="http://www.personalfirewall.comodo.com/"&gt;Comodo Firewall Pro&lt;/a&gt;. Comodo performs well in leaktests, has all of the necessary options, and comes with good &lt;a href="http://www.personalfirewall.comodo.com/support.html?currency=USD&amp;region=North%20America&amp;amp;country=US"&gt;support&lt;/a&gt; in the form of updates, forums, and email. Other good free personal firewall products include &lt;a href="http://www.zonealarm.com/store/content/home.jsp?dc=12bms&amp;ctry=US&amp;amp;lang=en"&gt;ZoneAlarm Free&lt;/a&gt;, &lt;a href="http://www.pctools.com/firewall/"&gt;PC Tools Firewall Plus&lt;/a&gt;, and &lt;a href="http://www.jetico.com/index.htm#/jpfirewall.htm"&gt;Jetico Personal Firewall&lt;/a&gt; (the best performer in leaktests).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;4. Browser&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;There is always plenty of contention and discussion when talking about which browser is best. Whether you choose Internet Explorer, Mozilla Firefox, Opera, or any other browser, each will have its advantages and disadvantages. I can say one thing from experience; I am not at all pleased with IE7 on Windows XP SP2. The performance is horrendous.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;/strong&gt;&lt;br /&gt;All of the major browsers are free now and there are well over 100 available online. Trying to determine which one is the most secure is a very hotly debated topic. The most secure browser depends on the person using it. My favorite browser for security is &lt;a href="http://www.opera.com/download/"&gt;Opera 9.20 for Windows&lt;/a&gt;. 
Opera is fast, can be made relatively secure, and has plenty of options. Other popular browsers include &lt;a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx"&gt;Internet Explorer&lt;/a&gt;, &lt;a href="http://www.mozilla.com/en-US/firefox/"&gt;Mozilla Firefox&lt;/a&gt; and &lt;a href="http://browser.netscape.com/ns8/"&gt;Netscape Browser 8.1.3&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;5. Anti-Spam&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Most home users use web-based email. Many of these web mail solutions employ some anti-spam technology. For home users that use an email client such as Outlook or Outlook Express, an anti-spam program is a very good idea. Convergence between spam, virus, and spyware is predicted in the coming months and years (we have seen some already), which makes an anti-spam solution that much more valuable.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;My favorite anti-spam program for Windows is &lt;a href="http://send.onenetworkdirect.net/z/6659/CD89437/"&gt;SPAMfighter&lt;/a&gt;. SPAMfighter does an admirable job of filtering spam and has features coming out its ears. Other good anti-spam programs include &lt;a name="spamaware"&gt;&lt;/a&gt;&lt;a href="http://www.jam-software.com/freeware/index.shtml"&gt;SpamAware V4.5&lt;/a&gt; and &lt;a href="http://www.agnitum.com/products/spam-terrier/index.php"&gt;Agnitum Spam Terrier&lt;/a&gt;. Spam Terrier looks very promising. I have not fully tested it yet.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;6. Password Management&lt;/span&gt;&lt;/strong&gt; (see “&lt;a href="http://trustedtoolkit.blogspot.com/search/label/Passwords"&gt;Passwords&lt;/a&gt;”)&lt;br /&gt;I don’t know about you, but I have way too many passwords to keep track of! I won’t write them down (because you aren’t supposed to, duh). I use different passwords for different logins. 
In order to maintain control of my passwords securely, a password management program is absolutely necessary.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.roboform.com/php/land.php?affid=ttt01&amp;frm=frame17"&gt;RoboForm&lt;/a&gt; has emerged as a market leader in easy-to-use, secure password management. I use RoboForm daily and I would be lost without it. Another good password management program that I use is &lt;a href="http://passwordsafe.sourceforge.net/"&gt;PasswordSafe&lt;/a&gt;, made by renowned crypto expert Bruce Schneier.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;7. Anti-Phishing Software&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;As the number and sophistication of phishing attacks grow, so will the number of victims that fall prey. As the number of victims that fall prey grows, so will the number of phishing attacks. A vicious cycle. There are programs designed to help identify probable phishing attacks and it’s a good idea to check them out. Personally, I have received phishing emails that have gotten through both Internet Explorer’s and Gmail’s built-in protection.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;Phishing is a social engineering attack, so the best free tool you can use is in your head (:o .&lt;br /&gt;&lt;br /&gt;Using a browser and web-based email that provide built-in phishing protection is a good idea, but if you still want additional protection take a look at the &lt;a href="http://toolbar.netcraft.com/"&gt;Netcraft Anti-Phishing Toolbar&lt;/a&gt; or &lt;a href="http://www.fairtradeauthority.com/phishing_detector.php"&gt;Phishing Detector v.1.0&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;8. Backup Software&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;I am not going to suggest any free backup software other than what you already have on your computer. 
Use Microsoft’s backup program that was included with your operating system (assuming Windows 2000 or XP). Click Start, Run, type “ntbackup” (no quotes) and click OK.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;9. File Recovery Tool&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;A case could be made either way as to whether a good file recovery tool is essential to the security of your computer. Too many times have I been called by someone in a panic because they had deleted their important information. The more time that passes between the time your files were deleted and the time you attempt to recover them, the less chance there is to recover them without a significant amount of expense. Having a tool “at the ready” will help to avoid confusion and defuse the situation somewhat.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;Be careful which file recovery tool you choose. Choosing the wrong one can make your problems worse. Also, install your program and test it out before a crisis. This way you will be that much more prepared. &lt;a href="http://www.pcinspector.de/file_recovery/uk/welcome.htm"&gt;Convar’s PC Inspector File Recovery 4.x&lt;/a&gt; is one of my favorite free file recovery programs and their &lt;a href="http://www.pcinspector.de/smart_media_recovery/uk/welcome.htm"&gt;Smart Recovery&lt;/a&gt; program works well for flash media (i.e. photos from a camera or video recorder).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;WARNING:&lt;/strong&gt; If your files are absolutely critical to you and you do not feel comfortable using a program on your own, call a professional.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;10. Encryption Program&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Being an information security guy, I do love me some good encryption! Encryption used properly will protect the confidentiality and integrity of your data. 
Essentially, your files will be unintelligible to anyone not authorized by you. If you store highly confidential data (i.e. tax documents, electronic bank statements, etc.), I would strongly suggest you encrypt it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;I have been using &lt;a href="http://www.axantum.com/AxCrypt/"&gt;Axantum Software AB’s AxCrypt File Encryption Software&lt;/a&gt; for a long time and I have been very pleased with it. Another good free file encryption program is &lt;a href="http://www.cypherix.co.uk/cryptainerle/index.htm?adv=user_pd"&gt;Cypherix Cryptainer LE&lt;/a&gt;. For those of you wanting to encrypt the entire drive for free, you can try &lt;a href="http://www.ce-infosys.com/english/products/free_compusec.html"&gt;CE-Infosys’ FREE CompuSec&lt;/a&gt;. If you are going to go for the “full disk” option, be sure to read the manual first (i.e. disable anti-virus during install)!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;BONUS - Diagnostics&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Sometimes a problem crops up and it gets misdiagnosed. In order to help determine what the root cause of a problem is, I need to gather as much pertinent information as I can about the problem. A good diagnostics tool helps accelerate this process.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Free Programs&lt;br /&gt;&lt;/strong&gt;There are hundreds of free diagnostic programs out there. Picking one as my favorite will surely draw some fire. I am not faint of heart, so here goes: my favorite free diagnostic utility is &lt;a href="http://www.gtopala.com/"&gt;System Information for Windows (SIW 1.67)&lt;/a&gt; written by Gabriel Topala. 
Much of what you will be looking for in a diagnostic program will be dependent upon your circumstances.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So there is my top ten, which is subject to change of course!&lt;br /&gt;&lt;br /&gt;Keep in mind that this software is what I would recommend to a home computer user on a budget. The toolset I use in my work is more vast (i.e. audit tools, scanners, sniffers, compilers, etc.).&lt;br /&gt;&lt;br /&gt;To the best of my knowledge, all of the software listed here is offered free to home users (i.e. non-commercial). Check with each individual developer to make sure you are using their software in compliance with their license.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2470673661891906489?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2470673661891906489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2470673661891906489&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2470673661891906489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2470673661891906489'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/top-10-free-security-related-programs.html' title='Top 10 Free security-related programs for every home user'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-95479440508737998</id><published>2007-04-11T14:38:00.000-05:00</published><updated>2007-06-08T11:46:24.773-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>Getta Lotta Spam?  Some tips for you, next time.</title><content type='html'>6.7 million cans of SPAM are sold each year in Hawaii, which equals 5.5 cans per year per Hawaiian. Those Hawaiians like a lot of SPAM. Interesting, but I think I got the wrong spam.&lt;br /&gt;&lt;br /&gt;The "other" spam, the electronic variety, the kind that most Hawaiians don’t like. Now, I got it.&lt;br /&gt;&lt;br /&gt;Some folks are calling 2007 "&lt;strong&gt;The Year of Spam&lt;/strong&gt;", and maybe it will be. After all, &lt;a href="http://www.idc.com/"&gt;IDC&lt;/a&gt; predicts 40 billion (that's 40,000,000,000) spam email messages will be sent worldwide this year. Couple this volume with the fact that spammers (those responsible for sending spam) are constantly changing their filter-evading techniques, and the result is that more spam reaches the inboxes of people like you and me. Spammers are sneaky &amp;#^$@*es.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Understanding the Spammer&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Have you ever asked yourself why spammers spam?&lt;/strong&gt; The answer is simple: money. Spammers make millions of dollars sending spam. It’s business to them, plain and simple. There are many ways that spam equals money for the spammer, from people actually buying goods advertised in spam emails to pay-per-click scamming. 
Spammers will do whatever it takes to get their email into your mailbox.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What spammers are doing is illegal, right?&lt;/strong&gt; True, but spammers don’t care. The way they operate makes it very difficult if not impossible to catch and prosecute them. Spammers often use “bot” networks to send their emails through hundreds or thousands of unsuspecting hosts. Bot networks allow the spammer to hide his/her true origin. To complicate things more, the spammer may be physically located in another country.&lt;br /&gt;&lt;br /&gt;Although there is no tool or technique that will guarantee that you and I won't get spam email, there are things we can do to reduce our chances and/or the amount of spam email we receive.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;‘Nuff of that, Now some Tips&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Tip #1 - The obvious?&lt;/strong&gt; Use anti-spam software and/or appliances. There are some useful programs on the market for personal computers and some good appliances for corporate environments. My favorite for personal home computers is &lt;a href="http://send.onenetworkdirect.net/z/6659/CD89437/"&gt;SPAMfighter&lt;/a&gt;, and my favorite appliance is &lt;a href="http://www.tumbleweed.com/"&gt;Tumbleweed&lt;/a&gt;. Your mileage may vary, so check out what is the best fit for you.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #2 - Use care in disclosing your email address.&lt;/strong&gt; When posting in public forums (newsgroups, web sites, blogs, etc.) do not use your real email address. You can obfuscate your email address and still let people contact you, e.g. change email@trustedtoolkit.com into “ee em ay eye el at trustedtoolkit dot see oh em” or something else. You get the picture.&lt;br /&gt;&lt;br /&gt;Spammers use various techniques for obtaining email addresses to send spam to. 
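To make Tip #2 concrete, here is an added Python example (written for this edit, not code from the original post) that plays the part of the address harvester the post describes: a regular expression run over raw page text. The page, the addresses and the two obfuscation helpers are constructed for the example; the "user at example dot com" helper is a simplified variant of the post's spelled-out trick. The point it demonstrates is which obfuscation actually holds up: HTML-entity encoding hides the address from a naive scraper but falls to one that decodes entities first, while spelling out the separators survives both.

```python
import html
import re

# Naive harvester pattern of the kind the post describes: anything in raw
# page text that looks like user@host.tld. (Added example, not the post's code.)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page_text, decode_entities=False):
    """Return the set of addresses a scraper would pull out of page_text.

    With decode_entities=True the scraper un-escapes HTML entities first,
    which is all it takes to defeat entity-based obfuscation.
    """
    text = html.unescape(page_text) if decode_entities else page_text
    return set(EMAIL_RE.findall(text))


def obfuscate_entities(addr):
    """Encode every character of addr as a decimal HTML entity.

    A browser renders it as the plain address and mailto: links still work,
    a naive regex scraper never sees an '@', but html.unescape() undoes it.
    """
    return "".join(f"&#{ord(c)};" for c in addr)


def obfuscate_spoken(addr):
    """Spell out the separators ("user at example dot com").

    Simplified variant of the post's "ee em ay eye el at ... dot see oh em"
    trick: a human can read it, but it no longer matches an address pattern,
    with or without entity decoding.
    """
    local, domain = addr.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


# Constructed sample page (not a real site) carrying one address in each form.
SAMPLE_PAGE = f"""
<p>Contact: <a href="mailto:alice@example.com">alice@example.com</a></p>
<p>Or: {obfuscate_entities('bob@example.com')}</p>
<p>Or: {obfuscate_spoken('carol@example.com')}</p>
"""


if __name__ == "__main__":
    print("naive scraper found:       ", sorted(harvest(SAMPLE_PAGE)))
    print("entity-aware scraper found:", sorted(harvest(SAMPLE_PAGE, decode_entities=True)))
```

Run it and the naive scraper reports only alice, the entity-aware one reports alice and bob, and carol is never harvested. The lesson for Tip #2 is that any obfuscation a machine can mechanically reverse is only a speed bump; the one that requires a human to read it is the one that works.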
One of the easiest is to scan the Internet for patterns matching email addresses.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #3 - Do not click links in spam emails.&lt;/strong&gt; If a spam email gets through to your inbox, don’t click any links. If you click a link, chances are very good that the spammer now knows that you are a “live” person and the email address they have is good.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #4 - Do not load images in emails automatically.&lt;/strong&gt; The same premise in the tip above applies. Image spam is a very popular filter-evading technique these days. If you load images automatically in a spam email, chances are good that at least one image is fetched from a URL that the spammer can track, which confirms that your address is live. Most email clients enable you to control how/if you load images in emails. Check your program for its capabilities. If you can live with “Text-only” (no HTML) email, then all the better.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #5 - Do not “unsubscribe” from spam email.&lt;/strong&gt; Spammers won’t take you off their mailing list; they will instead add you to the “active” or “confirmed” email list. The same premise in tip #3 applies. The unsubscribe link in the email lends some tiny semblance of implied legitimacy to the email in some people’s minds. No spam should be considered legitimate email.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #6 - Read privacy policies.&lt;/strong&gt; I understand that reading privacy policies is a pain in the rear for most people. Some privacy policies are a pain in the rear for me to read, and I read almost every one I encounter! Before I type my email address into an online form (encrypted, mind you), I check to see if the company or site has a privacy policy. If they do not, I will make a serious judgment call as to whether or not I want to share ANY of my information. 
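Tips #3, #4 and #5 share one mechanism: the link, the image and the "unsubscribe" URL each carry a value that identifies the recipient, so fetching any of them reports back that the address is live. The following added Python example (not from the original post) parses a constructed HTML spam message and flags the remote tracking image and the links whose URLs carry such a token. The sample message, the hostnames and the `TOKEN_RE` heuristic for "opaque per-recipient identifier" are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample spam body (not a real message). The opaque value in the
# query strings stands in for the per-recipient token that turns an image
# load, a click or an "unsubscribe" into proof that the address is live.
SAMPLE_SPAM = """
<html><body>
<p>Great deals inside!</p>
<img src="http://track.example.net/open.gif?u=9f1c2e77d4b0a3" width="1" height="1">
<img src="cid:logo.png" width="200" height="60">
<a href="http://shop.example.net/buy?u=9f1c2e77d4b0a3">Buy now</a>
<a href="http://shop.example.net/unsubscribe?u=9f1c2e77d4b0a3">Unsubscribe</a>
</body></html>
"""

# Assumed heuristic for "opaque identifier": a long hex string or a long
# base64url-looking string used as a query value. Tune for your own mail.
TOKEN_RE = re.compile(r"^(?:[0-9a-fA-F]{12,}|[A-Za-z0-9_-]{16,})$")


class _RefCollector(HTMLParser):
    """Collect <img> attributes and <a href> links together with their link text."""

    def __init__(self):
        super().__init__()
        self.images = []      # attribute dict for each <img src=...>
        self.links = []       # (href, link_text) for each <a href=...>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def recipient_tokens(url):
    """Query-string values in url that look like opaque per-recipient identifiers."""
    query = parse_qs(urlparse(url).query)
    return {v for values in query.values() for v in values if TOKEN_RE.match(v)}


def analyze(html_body):
    """Report remote tracking images and tokenised links found in an HTML message."""
    parser = _RefCollector()
    parser.feed(html_body)
    report = {"beacons": [], "tracked_links": [], "tokens": set()}
    for img in parser.images:
        src = img["src"]
        remote = urlparse(src).scheme in ("http", "https")   # cid:/data: are not fetched
        tiny = img.get("width") == "1" and img.get("height") == "1"
        tokens = recipient_tokens(src)
        # A remote image that is invisible or carries a token exists to be fetched, not seen.
        if remote and (tiny or tokens):
            report["beacons"].append(src)
            report["tokens"] |= tokens
    for href, text in parser.links:
        tokens = recipient_tokens(href)
        if tokens:
            report["tracked_links"].append((text, href))
            report["tokens"] |= tokens
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_SPAM)
    for src in result["beacons"]:
        print("tracking image:", src)
    for text, href in result["tracked_links"]:
        print("tracked link:  ", repr(text), "->", href)
    print("recipient tokens seen:", sorted(result["tokens"]))
```

On the sample message the 1x1 remote image, the "Buy now" link and the "Unsubscribe" link all carry the same token, which is exactly why Tip #5 treats unsubscribing as no different from clicking any other link. The embedded `cid:` logo is not flagged because it ships inside the message and never causes a fetch. This only makes the tracking visible; the actual defence is the one in Tip #4, a mail client that does not fetch remote images at all.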
If they do, I check what it says about how they will use and share my information, including my email address.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #7 - If buying something online, read all the checkboxes during checkout.&lt;/strong&gt; On many checkout pages there are checkboxes that state something like “share my information with partner companies” or “subscribe to company xyz news”. Don’t just skim over these checkboxes and continue on with your order. Read what they say and be sure that you have checked or unchecked the appropriate box(es).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip #8 - If you have a spam-infested mailbox, consider a new email address.&lt;/strong&gt; If your email address is “out there”, meaning that it has been publicly posted on web sites, forums, newsgroups, etc., and you are getting an ample amount of spam, it may be time to consider a new email address. There are no methods I know of for cleaning your email address off the Internet, and spammers already have you in their lists. Might be time to “cut and run”.&lt;br /&gt;&lt;br /&gt;Of course you could always choose not to use email.&lt;br /&gt;&lt;br /&gt;I did not cover IM spam, cell-phone spam, or any of the up and coming spam techniques being employed actively today. 
Maybe I will later.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-95479440508737998?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/95479440508737998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=95479440508737998&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/95479440508737998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/95479440508737998'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/getta-lotta-spam-some-tips-for-you-next.html' title='Getta Lotta Spam?  Some tips for you, next time.'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4817367373814488887</id><published>2007-04-10T08:46:00.000-05:00</published><updated>2007-04-12T13:07:01.980-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Exploits'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch'/><title type='text'>Over 2000 are actively exploiting Microsoft .ani flaw</title><content type='html'>2000+? 
That is a heckuva lot of sites!&lt;br /&gt;&lt;br /&gt;"The number of Web sites engineered to exploit the problem has jumped considerably since the vulnerability was publicly disclosed by Microsoft on March 29. It will likely continue to rise until patches are applied across corporate and consumer PCs, said Ross Paul, senior product manager for Websense. " - IDG News Service, &lt;a href="http://www.networkworld.com/news/2007/041007-over-2000-sites-now-exploit.html"&gt;Over 2,000 sites now exploit .ani security flaw&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you have not applied this &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx"&gt;patch&lt;/a&gt;, you are implored to do so now! This is a serious flaw and exploits are rampant. Also, reference my earlier post labeled "&lt;a href="http://trustedtoolkit.blogspot.com/2007/04/microsoft-to-release-oob-out-of-band.html#links"&gt;Microsoft to Release OOB (Out of Band Patch) Tommorow&lt;/a&gt;"&lt;br /&gt;&lt;br /&gt;Although there have been a few reported &lt;a href="http://www.pcmag.com/article2/0,1895,2112646,00.asp"&gt;application incompatibility issues &lt;/a&gt;with this patch, the potential consequences of not patching should outweigh these issues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4817367373814488887?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4817367373814488887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4817367373814488887&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4817367373814488887'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4817367373814488887'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/over-2000-are-actively-exploiting.html' title='Over 2000 are actively exploiting Microsoft .ani flaw'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-7591562797740167395</id><published>2007-04-10T07:48:00.000-05:00</published><updated>2007-04-12T13:11:05.159-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MySpace'/><category scheme='http://www.blogger.com/atom/ns#' term='Law'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><title type='text'>When did kids get  the right of free speech?</title><content type='html'>Sometimes I stumble across news or information that makes me wonder "What the &amp;*@?"&lt;br /&gt;&lt;br /&gt;Today the news is "&lt;a href="http://www.abcnews.go.com/Technology/wireStory?id=3025167"&gt;Court Upholds Expletive Laced MySpace Posting&lt;/a&gt;". Read the story, then read the actual court &lt;a href="http://www.ai.org/judiciary/opinions/pdf/04090704par.pdf"&gt;decision&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Lawyers like to make things complicated, but I understand some of what the decision says ;). What I can't get around though is the fact that this very troubled juvenile delinquent is now some kind of hero for the rights of free speech. If she isn't now, she will be soon.&lt;br /&gt;&lt;br /&gt;I have more questions than I have answers. I am flabbergasted about how children are allowed to behave today. Should a child be rewarded for acting out like this? I also wonder where the parents are in all of this. 
Do they stand behind their daughter's actions?&lt;br /&gt;&lt;br /&gt;I could continue my ramble and rant, but I'll let the news stand and continue to wonder.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-7591562797740167395?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/7591562797740167395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=7591562797740167395&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/7591562797740167395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/7591562797740167395'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/when-did-kids-get-right-of-free-speech.html' title='When did kids get  the right of free speech?'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1355848008352054271</id><published>2007-04-09T22:03:00.000-05:00</published><updated>2007-06-11T20:55:22.221-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MySpace'/><category scheme='http://www.blogger.com/atom/ns#' term='Safety'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><title type='text'>The MySpace Journey - Day Two (Part 3)</title><content type='html'>Nothing notable on any of the three profiles 
today.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;My Real Profile&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;I got a spam message for a loan application. The offer was intriguing, but I did not apply.&lt;br /&gt;I also received an automated message with the subject "hey sexy". This is a message with a link and references to sexually explicit material.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Other Two Profiles&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;No activity at all other than 1 profile view for the 15 year-old male profile and 2 profile views for the 14 year-old female profile. I have not done anything on these two profiles yet, and both profiles are basically blank. In order for people to find these profiles, I will need to add some information under one, more, or all&lt;br /&gt;&lt;br /&gt;I noticed MySpace in the news today in a story labeled "&lt;a href="http://www.boston.com/news/local/connecticut/articles/2007/04/09/man_sentenced_to_10_years_for_assaulting_girl_he_met_on_myspace/"&gt;Man sentenced to 10 years for assaulting girl he met on MySpace&lt;/a&gt;". This is a news story about a 41 year-old volunteer firefighter who molested a 14 year-old girl he met on MySpace between March, 2005 and February, 2006.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;What Next?&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;It's time to add some content to the MySpace profiles. In order to access a MySpace profile, I need to visit http://www.myspace.com (in case this wasn't obvious!) and log in by typing my email address and password in the space provided on the left hand side of the homepage. After I successfully log in, I am presented with my profile home page. 
From here I can enter detailed profile information that I want to share with other members of the MySpace community.&lt;br /&gt;&lt;br /&gt;To edit the MySpace profile, click the "Edit Profile" link just to the left of the profile picture.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5051773122203918082" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_UpzPLjwt3YY/RhuA46LUnwI/AAAAAAAAAAU/t4O8ynShyKM/s400/Profileedit1.jpg" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The profile categories that are available to edit are &lt;strong&gt;Interest &amp; Personality, Name, Basic Info, Background &amp;amp; Lifestyle, Schools, Companies, Networking, and Song &amp; Video&lt;/strong&gt; &lt;strong&gt;on Profile&lt;/strong&gt;. I am going to enter information under the "Interest &amp;amp; Personality" header today. Here I can enter information into the following fields:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Headline (whatever is typed here will show up in my profile just to the left of my profile picture)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;About Me&lt;/li&gt;&lt;br /&gt;&lt;li&gt;I'd Like to Meet&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Interests&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Music&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Movies&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Television&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Books, and;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Heroes&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Notice the warning in this graphic.&lt;/p&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5051776102911221522" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_UpzPLjwt3YY/RhuDmaLUnxI/AAAAAAAAAAc/yLVlSKcM99c/s400/profileedit2.jpg" border="0" /&gt;&lt;/p&gt;&lt;p&gt;It states "&lt;span style="color:#ff0000;"&gt;Warning&lt;/span&gt; - Please be aware that MySpace is accessed by thousands of users every 
day; since you do not know every user on the MySpace site, exercise caution when posting personally identifiable information. " I didn't even notice that this warning was there before.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;I am going to enlist the help of my teenage children to complete the profiles. I have seen each of their profiles and they have really spiffed them up, and I just realized that I know less about this generation than I originally thought!&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Again, MySpace is a "piece of cake" to use. It is very user-friendly. Although I like the warning, it doesn't do much to deter a teen from doing what he/she wants to do online anyway. Relying on people (especially teens!) to read warnings and take action is wishful thinking. I promised that I would read the MySpace "Safety Tips" and I have. I will write something about them in the next post.&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1355848008352054271?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1355848008352054271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1355848008352054271&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1355848008352054271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1355848008352054271'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/myspace-journey-day-two-part-3.html' title='The MySpace Journey - Day Two (Part 3)'/><author><name>The Trusted 
Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_UpzPLjwt3YY/RhuA46LUnwI/AAAAAAAAAAU/t4O8ynShyKM/s72-c/Profileedit1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4294607593086463294</id><published>2007-04-08T23:42:00.000-05:00</published><updated>2007-04-12T13:12:07.065-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Trusted Toolkit'/><category scheme='http://www.blogger.com/atom/ns#' term='Newsletter'/><title type='text'>The Trusted Toolkit April Newsletter</title><content type='html'>&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Quick Post...&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Get &lt;strong&gt;The Trusted Toolkit's April 2007 Newsletter&lt;/strong&gt; here:&lt;br /&gt;&lt;a href="http://www.trustedtoolkit.com/resources"&gt;http://www.trustedtoolkit.com/resources&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Trusted Toolkit newsletter is a monthly publication that we make available FREE of charge to customers and non-customers alike. 
If you would like to receive our newsletter via email, please visit &lt;a href="http://trustedtoolkit.com/contactus.aspx"&gt;http://trustedtoolkit.com/contactus.aspx&lt;/a&gt; and use the word “subscribe”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4294607593086463294?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4294607593086463294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4294607593086463294&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4294607593086463294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4294607593086463294'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/trusted-toolkit-april-newsletter.html' title='The Trusted Toolkit April Newsletter'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-4913815262216438924</id><published>2007-04-08T20:13:00.000-05:00</published><updated>2007-04-12T13:12:35.914-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MySpace'/><category scheme='http://www.blogger.com/atom/ns#' term='Safety'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><title type='text'>The MySpace Journey - "Creating the Profiles" (Part 2)</title><content 
type='html'>Creating profiles on MySpace is really a simple process, and purposely so. Part of the reason for the success of MySpace is the ease of use. The first step to beginning the journey through the MySpace world is to create a profile. As mentioned in the previous post, I will be creating three profiles as part of this project.&lt;br /&gt;&lt;br /&gt;The first step in creating a MySpace profile is to visit the MySpace home page, &lt;a href="http://www.myspace.com/"&gt;http://www.myspace.com/&lt;/a&gt;. At the top right of the page, there is a “sign-up” link.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://trustedtoolkit.com/images/signuplink.jpg"&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 395px; CURSOR: hand; TEXT-ALIGN: center" height="261" alt="" src="http://trustedtoolkit.com/images/signuplink.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Clicking the sign-up link brings me to the “JOIN MYSPACE HERE” page. I am prompted to type my email address, first name, last name, password (and password confirmation), country, postal code (zip), date of birth, gender, and language preference. I can also choose to allow others to see when it is my birthday (enabled by default). In order to proceed, I have to enter all of the fields and check the checkbox labeled "By checking the box you agree to the MySpace Terms of Service and Privacy Policy".&lt;br /&gt;&lt;br /&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://trustedtoolkit.com/images/signup1blank.jpg" border="0" /&gt;&lt;br /&gt;Clicking the "Sign Up" button at the bottom of the page (in the graphic above) takes me to a "Verify Account" page that displays a graphic with letters in it. I must type the letters correctly in order to proceed. This step is in place as an attempt to stop programs written to create accounts automatically. 
Spammers are notorious for creating hundreds or thousands of bogus accounts used to email legitimate (human) ones.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;My account/profile is now created, but as part of the sign-up process I am prompted to upload pictures to share with other MySpace people. Before I am allowed to upload any pictures, I have to check the checkbox labeled "I have read the saftey tips". I wonder how many people, especially kids, actually read them. I click the checkbox (I did not read the safety tips, but will later), and click the "Browse" button to upload a picture to use for my profile.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://trustedtoolkit.com/images/uploadphotos.jpg" border="0" /&gt;&lt;br /&gt;Next, I am prompted to invite my friends on the "Invite Your Friends" page. For now, I am going to skip this step by clicking the "Skip for now" link at the bottom of the page. The sign-up process is complete, and I see my profile page.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5051275610382269986" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_UpzPLjwt3YY/Rhm8Z6Nt_iI/AAAAAAAAAAM/Oq3SOf3OyZY/s400/profile1.jpg" border="0" /&gt;&lt;br /&gt;If I check the email address that I signed up with, I will have an email from MySpace asking me to verify my email address. This verification consists of clicking a link provided in the email. This is required if I want to communicate effectively with other MySpace members.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Break Down - The Good&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;The MySpace sign-up process was so easy and simple to follow along with. I was able to set up the three profiles that I will use in this project in less than 30 minutes. 
I liked how MySpace included some security steps along the way during the sign-up, i.e. the image verification step and "safety tips" checkbox. Clearly, the MySpace sign-up process was built for ease-of-use.&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Break Down - The Bad&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;No age verification is a serious issue in my opinion. I can state my age as whatever I want. I can be a 10 year-old signing up as a 20 something, or I can be a 40 year-old pedophile signing up as a 16 year-old. I am not a seasoned pro when dealing with age verification, but I would think that MySpace could come up with something. The lack of age verification has been a serious point of contention between child advocacy groups and MySpace for some time.&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As part of age verification, it would be nice to include a parental consent process of some sort also. Although I liked how MySpace included a link and a required checkbox concerning the safety tips, it still doesn't seem like enough to me. On the "JOIN MYSPACE HERE" page, I have doubts as to the effectiveness of the Terms of Service and Privacy Policy agreement. Can you legally hold a minor to this?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Sign-Up Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;The sign-up process was designed with ease-of-use at the forefront; security and safety were added as an afterthought. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;Tomorrow I will complete the “Pick your MySpace Name/URL!” process, go through some of the MySpace safety tips, and share any notable events regarding any of the three profiles.&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Oh yeah, Happy Easter!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-4913815262216438924?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/4913815262216438924/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=4913815262216438924&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4913815262216438924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/4913815262216438924'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/myspace-journey-creating-profiles.html' title='The MySpace Journey - &quot;Creating the Profiles&quot; (Part 2)'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_UpzPLjwt3YY/Rhm8Z6Nt_iI/AAAAAAAAAAM/Oq3SOf3OyZY/s72-c/profile1.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1628192572317584102</id><published>2007-04-06T07:51:00.000-05:00</published><updated>2007-04-12T13:14:14.513-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MySpace'/><category scheme='http://www.blogger.com/atom/ns#' term='Safety'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><title type='text'>The MySpace Journey – “The Project” Announcement (Part 1)</title><content type='html'>&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;A Little Background&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Let me start out by telling you a little about myself. I am an information security professional (professional because I get paid) and a father of four wonderful children. Three of my children are intimately familiar with MySpace, and two have active profiles (Dad nixed one).&lt;br /&gt;&lt;br /&gt;In the “big picture” that is the Internet, MySpace and other social networking sites offer a wonderful opportunity to meet new people, share ideas, and learn things that are happening in our world. I am a big fan!&lt;br /&gt;&lt;br /&gt;In my “little corner of the world” I wonder how MySpace and social networking can affect me and my family. As I wonder and question, I become motivated to do something. My motivation:&lt;br /&gt;&lt;br /&gt;1. &lt;strong&gt;Nothing is more important to me than the safety of my family.&lt;/strong&gt; I try to do everything I can to protect my family. It’s my responsibility!&lt;/p&gt;&lt;p&gt;2. 
&lt;strong&gt;It pains me to see people get hurt.&lt;/strong&gt; When I read articles like “&lt;a href="http://www.detnews.com/apps/pbcs.dll/article?AID=/20070406/METRO/704060379/1003"&gt;MySpace mom's teen is pregnant&lt;/a&gt;”, “&lt;a href="http://www.koin.com/Global/story.asp?S=6193711"&gt;Man Arrested Again For MySpace Sex Crimes&lt;/a&gt;”, and “&lt;a href="http://www.vnunet.com/computing/news/2185327/social-surfing-cost-parents"&gt;’Social surfing' could lose parents millions to ID fraud&lt;/a&gt;”, I feel terrible that people didn’t know any better!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3. I know I can offer advice that could help.&lt;/strong&gt; If nothing else, people might just become aware.&lt;br /&gt;&lt;br /&gt;Thus the creation of the &lt;a href="http://trustedtoolkit.com/workshops.aspx"&gt;MySpace, MyGeneration&lt;/a&gt; workshop and this project.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Project&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;I have been researching MySpace and the whole Web 2.0 craze for a while now. I have much to share, but I want to know more. I want to share more. I am still amazed at how much life has changed since I was a kid!&lt;br /&gt;&lt;br /&gt;The purpose of this project is to gain a better understanding of the risks and benefits of MySpace to myself and my family (my family is actually participating, which is a great learning experience for all of us). &lt;/p&gt;&lt;p&gt;The approach I am planning to take is to document three, 30-day journeys through the MySpace world. I understand that I will not be able to venture out into the entire MySpace world, but I think I will be able to give you a good picture of the landscape.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The Three MySpace profiles:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;1. 
My normal everyday, 36 year-old, married, information security guy profile (for those of you that are interested my profile name is “TrustedToolkit”)&lt;/p&gt;&lt;p&gt;2. A fake, 15 year-old, male profile (I will share this profile name when the project is complete), and;&lt;/p&gt;&lt;p&gt;3. A fake, 14 year-old, female profile (I will share this profile name also upon project completion).&lt;br /&gt;&lt;br /&gt;Profiles 2 and 3 are created in order to see what (potentially) my children (and yours) see. Profile 1 will give you a view of what I normally see as a parent.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Tomorrow - The MySpace Journey – Profile Creation&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1628192572317584102?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1628192572317584102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1628192572317584102&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1628192572317584102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1628192572317584102'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/myspace-journey-project-announcement.html' title='The MySpace Journey – “The Project” Announcement (Part 1)'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1130594552064534763</id><published>2007-04-05T12:26:00.000-05:00</published><updated>2007-04-12T13:15:31.526-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='Programs'/><title type='text'>Passwords Part 3/3 - Password Management</title><content type='html'>Too many times have I seen passwords written on a Post-it note. Too many times have I heard one person give another person their password. Too many times have I been asked for my password from Help Desk personnel.&lt;br /&gt;&lt;br /&gt;Oooooh Boy! I have to tell you that nothing tans my hide or boils my blood more than a password written down on a piece of paper! Then I tell myself to calm down and take the ISO hat off for a minute. Many people don't know any better. Others may know better, but how else will they remember 10, 20, 30 or more passwords? Especially if they are all supposed to be "strong"? To make matters worse, I suggest using a different password for each different login.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Why do I suggest a different password for each different login?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Simple answer, to limit the damage. If one of my passwords is compromised only that account is compromised, not all my accounts.&lt;br /&gt;&lt;br /&gt;I suppose I should also mention what I mean by "password management". In a nutshell, password management is ensuring the confidentiality of your passwords from their creation through to disposal. Basically, keeping a password secret from the time I think of it until I no longer use it and everything in between.&lt;br /&gt;&lt;br /&gt;I have a lot of accounts! I have 59 passwords that I need to keep track of, and each one needs to be "strong". 
Can you imagine how bad it would look if the "security guy" had his password disclosed? I have a very limited memory as surely my wife would agree. There is no way I will remember 59 passwords. I'm lucky to remember one! Is there something I can use to store my passwords securely and allow me to access them when I need to?&lt;br /&gt;&lt;br /&gt;Yep, enter personal password management programs. A good personal password management program will:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Be easy to use&lt;/li&gt;&lt;li&gt;Store my passwords using encryption. If implemented correctly, this measure will prevent someone else from accessing my passwords.&lt;/li&gt;&lt;li&gt;Give me the ability to copy and paste passwords. I like this feature because it is quicker and defeats simple keyloggers.&lt;/li&gt;&lt;li&gt;Have the built-in ability to make secure backups of my passwords. Secure backups mean that the backup data will be encrypted.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;So, which programs do I use?&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;I use a combination of two programs for personal password management. I use &lt;a href="http://www.roboform.com/php/land.php?affid=ttt01&amp;amp;frm=frame17"&gt;RoboForm&lt;/a&gt; for the management of my Web site/browser-based usernames and passwords and I use &lt;a href="http://passwordsafe.sourceforge.net/"&gt;Password Safe&lt;/a&gt; for the management of all other passwords. I can recommend either or both of these programs because I have used them extensively. As with most things, you may find something you like better. &lt;/p&gt;&lt;p&gt;Through the use of a secure password management program, I can store all of my passwords safely. I only need to remember the one password that opens access to all of the others. Easy, right?&lt;/p&gt;&lt;p&gt;Well, there you go. Passwords are a necessary evil for us all, but the pain can be reduced somewhat. 
&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Remember to make backups of your passwords!&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1130594552064534763?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1130594552064534763/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1130594552064534763&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1130594552064534763'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1130594552064534763'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/passwords-part-33-password-management.html' title='Passwords Part 3/3 - Password Management'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-1856243688474911126</id><published>2007-04-04T12:40:00.000-05:00</published><updated>2007-04-12T13:16:05.993-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><title type='text'>Passwords Part 2/3 - Strong Passwords</title><content type='html'>Let's begin where we left off yesterday. As you might recall, I mentioned two factors that are important to ensuring password confidentiality, one of which was using "strong" passwords. 
Also from yesterday's post we learned that maintaining confidentiality of our passwords is paramount to maintaining authentication (proof of identity) integrity.&lt;br /&gt;&lt;br /&gt;A few questions come to mind when I think of strong passwords. What is a "strong" password? How does a "strong" password help to protect the confidentiality of the password? How do I choose a "strong" password that I can remember? The answers to these three questions are, in essence, the point of this article. So, let's get some answers then!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;What is a strong password?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;In the simplest terms, a "strong" password is one that is not easily guessed, and cannot be easily "cracked". Cracked!?!? What is "cracked"? There are numerous methods of cracking passwords (I won't elaborate, but can through email). In simplistic terms, traditional password cracking employs a program that continually tries combinations of letters, numbers, etc. until it makes a password match. This brings to mind another question: what makes a password strong?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Length: the longer a password is, the harder it is to guess. I recommend a password longer than 8 characters.&lt;/li&gt;&lt;li&gt;Use letters, numbers, and symbols (!@#$%&amp;^). 
A greater variety of letters, numbers, and symbols = less length required = same password strength.&lt;/li&gt;&lt;li&gt;Do not use words that you can find in a dictionary.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This might make better sense if I give you some examples of "strong" and "not so strong" passwords.&lt;br /&gt;&lt;br /&gt;Not so strong password examples:&lt;br /&gt;John1970 (could be easily guessed and not so hard to crack)&lt;br /&gt;144WestMain (could be easily guessed and not so hard to crack)&lt;br /&gt;ChelseaMichaelMarthaBob (nice and long, but still easy to guess and crack)&lt;br /&gt;&lt;br /&gt;Strong password examples:&lt;br /&gt;J0hnSm1th!97O&lt;br /&gt;i44W3stM4!n&lt;br /&gt;Ch3ls3a!Micha3l!Martha!Bob!&lt;br /&gt;&lt;br /&gt;See the difference?&lt;/p&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;How does a "strong" password help to protect the confidentiality of the password?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Not taking into account what I do with the password (Next installment, Passwords Part 3/3 - Password Management), using a strong password reasonably assures the confidentiality of the password.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;How do I choose a strong password that I can remember? &lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;My best trick is to take a phrase that is easy for me to remember and make it into a strong password. A few examples:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;My Dog's Name is Rover (phrase)&lt;/li&gt;&lt;li&gt;My!D0g!Rover (strong password)&lt;/li&gt;&lt;li&gt;My wife and four kids (phrase)&lt;/li&gt;&lt;li&gt;MyWife&amp;amp;4kids (strong password)&lt;/li&gt;&lt;li&gt;Account at Wells Fargo (phrase)&lt;/li&gt;&lt;li&gt;Acct.@Wells4go (strong password)&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;It takes a little creativity on your part to make a strong password that you will remember. Once you get the hang of it, it's a piece of cake. 
&lt;/p&gt;&lt;p&gt;Now a catch, I suggest using different passwords for different purposes (one for work, another one for eBay, another one for your bank, etc.). This can make for a lot of passwords! Learn why I suggest this, and how you can keep track of all these passwords in the last installment of this series, Passwords Part 3/3 - Password Management.&lt;/p&gt;&lt;p&gt;Feel free to post your comments, check out &lt;a href="http://www.trustedtoolkit.com"&gt;The Trusted Toolkit&lt;/a&gt;, or &lt;a href="mailto:evan@trustedtoolkit.com"&gt;email me&lt;/a&gt; for more!&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-1856243688474911126?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/1856243688474911126/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=1856243688474911126&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1856243688474911126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/1856243688474911126'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/passwords-part-23-strong-passwords.html' title='Passwords Part 2/3 - Strong Passwords'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-6869232307060504342</id><published>2007-04-03T14:44:00.000-05:00</published><updated>2007-04-12T13:16:21.885-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Passwords'/><title type='text'>Passwords Part 1/3 - Defending the IT Guys</title><content type='html'>Passwords. Ugh! If you are at all like most people I talk to, you don't like passwords. Actually, most of us security guys don't like them all that much either.&lt;br /&gt;&lt;br /&gt;In "Passwords Part 1/3" we are going to explain some things. We will explore what a password is and why these IT guys are always on your case about them.&lt;br /&gt;&lt;br /&gt;"Passwords Part 2/3" will dig into some detail about what a "strong" password is and detail some tips to help you to come up with your own.&lt;br /&gt;&lt;br /&gt;Finally, in "Passwords Part 3/3" we'll outline some tips and tools to help you keep track of all your passwords. None of these tips or tools will include a pen, a piece of paper, or the underside of a keyboard!&lt;br /&gt;&lt;br /&gt;So, let's get this ball rolling. Do you ever wonder why IT guys are such sticklers about passwords or why they have to make things so dag nab hard for you? In order to understand where the geeks are coming from you need to know a little bit about "identification" and "authentication". I won't go into a lot of detail on these two terms, but I will give you a general sense of what they mean.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Identification&lt;/strong&gt; &lt;/span&gt;is what you present to a system to &lt;strong&gt;profess&lt;/strong&gt; your identity. It tells the system who you are. Many times identification takes the form of a username or userid. Typically usernames are not secret. 
If my name is Bill Smith and my username is "bsmith", your name is John Doe and we both use the same system, I can make an educated guess that your username is "jdoe". Identification is important in order to define what it is that you can do in the system, called rights or privileges. Some people get to do more with a system, file, directory, etc. than others.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Authentication&lt;/span&gt;&lt;/strong&gt; is what you present to a system to &lt;strong&gt;prove&lt;/strong&gt; your identity. Anybody can say that they are me, but who can prove it? There are a variety of methods of proving your identity, but for the purpose of this writing we are talking about passwords. Once I have presented my credentials (identity + password) successfully to the system, then I am "authenticated" and I am given my assigned access to the system.&lt;br /&gt;&lt;br /&gt;If I have a password that nobody else knows, does this not prove my identity (at least theoretically)? What if someone else DOES know my password? Proof is gone. Someone else can impersonate me and do what only I should be able to do. Protecting the confidentiality of passwords is paramount IF it is your method of authentication to a system. The IT guys don't care what your password is; they want to make sure that confidentiality is maintained. 
Period.&lt;br /&gt;&lt;br /&gt;Maintaining the confidentiality of passwords means that they must be strong (Part 2/3) and stored securely (Part 3/3).&lt;br /&gt;&lt;br /&gt;Check back tomorrow as we continue...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-6869232307060504342?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/6869232307060504342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=6869232307060504342&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6869232307060504342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/6869232307060504342'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/passwords-part-13-defending-it-guys.html' title='Passwords Part 1/3 - Defending the IT Guys'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2143657359145675608.post-2077460844992870616</id><published>2007-04-02T10:49:00.000-05:00</published><updated>2007-04-12T13:16:49.855-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Exploits'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch'/><title type='text'>Microsoft to Release OOB (Out of Band) Patch 
Tomorrow</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;This is a little rare, but I am glad to see it! Microsoft made the announcement today that they would issue a patch for what has been called "Microsoft Windows Animated Cursor Handling Buffer Overflow". That's a mouthful. For those of you who don't know, Microsoft releases patches to the general public every second Tuesday of the month (AKA "Patch Tuesday"). Last month, Microsoft did not release any patches, which is also quite rare.&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;What is the "&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Microsoft Windows Animated Cursor Handling Buffer Overflow"&lt;/span&gt;?&lt;br /&gt;This vulnerability was announced on various information security sites more than four (4) days ago. The issue stems from the method in which Microsoft operating systems (Windows 2000 SP4 - Vista) handle the processing of malformed .ani, .cur, and .ico files, resulting in possible memory corruption and &lt;a href="http://en.wikipedia.org/wiki/Buffer_overflow"&gt;buffer overflow&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;. &lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Should I Care?&lt;/span&gt;&lt;br /&gt;Yes, you should. This is a remotely exploitable vulnerability which could lead to the ability to execute arbitrary commands and/or denial of service.&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;What does The Trusted Toolkit recommend?&lt;/span&gt;&lt;br /&gt;Apply the patch tomorrow when it becomes available from Microsoft. 
In the meantime, follow other good security practices.&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;More Info:&lt;/span&gt;&lt;br /&gt;Microsoft: &lt;a href="http://www.microsoft.com/technet/security/advisory/935423.mspx"&gt;http://www.microsoft.com/technet/security/advisory/935423.mspx&lt;/a&gt;&lt;br /&gt;Secunia (rated "Extremely critical"): &lt;a href="http://secunia.com/advisories/24659/"&gt;http://secunia.com/advisories/24659/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2143657359145675608-2077460844992870616?l=trustedtoolkit.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://trustedtoolkit.blogspot.com/feeds/2077460844992870616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2143657359145675608&amp;postID=2077460844992870616&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2077460844992870616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2143657359145675608/posts/default/2077460844992870616'/><link rel='alternate' type='text/html' href='http://trustedtoolkit.blogspot.com/2007/04/microsoft-to-release-oob-out-of-band.html' title='Microsoft to Release OOB (Out of Band) Patch Tomorrow'/><author><name>The Trusted Toolkit</name><uri>http://www.blogger.com/profile/09458946353122421828</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry></feed>
