Skeeter Spray (blog by Skeeter, http://www.blogger.com/profile/08882702264734625808)

Getting Security Buy-in from Everybody (2016-10-24)
<div class="MsoNoSpacing">
Buy-in for Information Security projects, initiatives, or “we
should just be doing it” items is a tricky thing.
Support from senior leaders in the organization is key for
resources (i.e. $$$$) and for using their name in vain (i.e. “this is a top
priority of Mr. Big Pants” or “this project has the visibility of Mrs. Big
Office”). But other than the money and maybe
telling their direct reports it is important, they really don’t do a lot for
the execution of the project or initiative.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
What we, the Information Security team, need is the
support of the IT teams (Windows and Linux administrators, Identity Management,
Application support teams, Network services, etc.). These are the teams that have to do the bulk
of the work to implement most of our initiatives and complete our
projects. But why doesn’t word get
down to them that it is important? Why
aren’t they jumping up and down to help us?
Well, guess what? They have
other things to do, like their daily
break/fix, updates, customer enhancements… you know, things like their job.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
So where does the solution fall? I believe it is two-fold.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
First, IT is an expense center. Organizations are running
IT as lean as they can, so there is very little extra bandwidth for projects and
initiatives outside of their respective customer base. Additionally, the same IT people can be
Information Security’s forward security beacons. The administrators know when something isn’t
right on their system, and if they had a little more time, they would
investigate it further and report it to Information Security. So by now you are asking… how can
Information Security help with this problem?
Information Security has the ear of senior leadership, so include low IT manning
as a risk on your report(s) to leadership (ensure there is some coordination
with IT management first).</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Second, build that relationship with the other IT teams
and be sensitive to their plight. Have
regular meetings with the IT teams and let them know what is going on in
Information Security. If you have a
project going forward, let them know early on what the expected impacts are to
their teams. And lastly, be careful when
you play the “we brief Mr. Big Pants and Mrs. Big Office every month on the
status of this” card… it won’t help the relationship.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Until next time….</div>
~Skeeter

What Should Information Security Be Responsible For? (2016-06-01)
<div class="MsoNoSpacing">
In the enterprise environment it seems there is always a
battle around who should be responsible for what in IT. And there is always some manager or director
who complains (or whose people do it for him or her) that Information Security
seems to be over-stepping its bounds.
Where is that boundary and where should it be? The answer to both questions is: it depends
on the organizational structure, the expertise on the different teams, and the
culture of the organization.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
A couple of areas that always seem to come up are email
and network security controls. Let’s
look at email first. No information security
team wants to be responsible for working tickets about emails that weren’t
delivered or for restoring mailboxes. These
activities should reside with an email team.
However, who should control the settings on the mail scanner and what is
or isn’t allowed through? I believe
that regardless of who does the actual setting of the security controls on
the mail scanner, the Information Security team should be the final decision
maker on what the controls are set to.
Since the Information Security team is the group that has the knowledge
about the risks, vulnerabilities, and exploits, and it will be the group
driving the Incident Response process, it needs to have the ability to ensure
that a defense in depth architecture is implemented.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Network services, specifically firewall configuration control,
is also an area of concern for many organizations. I am all in favor of a Network team (whether
it reports to security or is separate) doing the wrench turning on the
firewalls. The security analyst should
stay out of it if at all possible.
However, I believe that Information Security should be the approval
authority for all firewall changes: rules, file types, even logging
changes.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
There are other areas of IT, such as A/V and endpoint
protection, identity services, workstation and server gold images, etc., that
also fall into the same category.
Information Security doesn’t need to do the day-to-day work, but it
needs insight and, in some cases, approval authority over changes. It
all comes down to one group knowing all aspects of the defense in depth strategy
for an organization.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Until next time…<br />
~Skeeter</div>
Is the problem local admin or change? (2016-05-12)
<span lang="">Welcome back. "...back after {an} exclusive three year tour of Europe, Scandinavia and the sub continent" (Cab Calloway in the <i>Blues Brothers</i>). Ok, not really, I never left the city for more than a week at a time, and that was for training. However, you may be asking yourself, where has Skeeter been? Well, it is a long story. But the Cliff's Notes version is a new job, completing my Master's degree, and earning several certifications. Now I am back to pondering Information Security thoughts in my blog, hopefully on a more regular basis.<br />
<br />
Today's topic is local admin on workstations, or maybe just the process of change. An organization has allowed users to have local admin on their respective workstations forever. But the world has changed and security controls need to be implemented. So, why is it so hard to take local admin away? It shouldn't take months and months of planning and then talking, and going back and forth. Why doesn't management get it? Is it just that people don't like change? <br />
<br />
It should be as easy as sending out the change message to the stakeholders, letting them know how it affects them, why it needs to change (and how it protects them by changing), and what the exception process is, testing what needs to be an exception, and then GO. <br />
<br />
I figure that 80% won't know that they lost local admin privileges, which leaves 20% to deal with. Of that 20%, half will want it back but don't have a business justification for having it and therefore won't have the balls to submit the exception request. That leaves just 10%; they probably need it at some point in time, but maybe not all the time. For those who do need it all the time, I am ok with them keeping it (for now, and until we address that in another project). For those who only need it occasionally, we have a technical solution developed for them to contact their desktop support person and get it for a limited time.<br />
<br />
Thanks for listening to the rant and until next time...<br />
<br />
~Skeeter</span>

Threat Modeling and Security Assessments (2013-08-06)
<div class="MsoNoSpacing">
Over the last several months, in creating a threat
evaluation model / process and performing a security evaluation, I have come to
several conclusions.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
In creating a threat model, you must create a process
that is repeatable, yet has some flexibility in it to meet different
situations. For example, evaluating
threats and vulnerabilities against an operating system, such as what patches
are missing and what risk they bring to the current environment, is different
than evaluating a process for password management. The threat model has to have some flexibility
to ensure both cases are able to use the process.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
The security evaluation of another company’s enterprise
is more difficult than evaluating your own.
In my enterprise I know how management sees risks in certain areas, and I
can gauge what the remediation effort will be based on the experience of
working in my enterprise. However, when
evaluating another enterprise, it is more difficult to know everything that may affect
the risk score and remediation efforts.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Overall, the exercise was very good and a good bit of
knowledge was gained.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Until next time…</div>
<div class="MsoNoSpacing">
~Skeeter</div>
Creating an Action Plan from a Security Review (2013-07-28)
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif";"><span style="font-family: Arial, Helvetica, sans-serif;">After
all the work of performing a security review of an organization, it is time to
create an action plan. This plan must
be something the client can use, so it must be… actionable.</span></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif";"><span style="font-family: Arial, Helvetica, sans-serif;">How
do you classify the threats and vulnerabilities that need to be addressed? Do you do it by functional area, location,
responsible area, severity, or by amount of effort to implement the
recommendation?</span></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif";"><span style="font-family: Arial, Helvetica, sans-serif;">I
believe a table format is the easiest for the client to read. Additionally, I believe breaking the table up
by functional area is also beneficial for the client. I choose to list the deficiencies by risk
level. This allows the client to quickly
identify the highest risk items for each section.</span></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The typical action plan table will have the following headings:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong>Vulnerable Area/System</strong> - The area (Active Directory) or system (Checkpoint Firewall)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong>Threat Description</strong> - A short description of the threat / vulnerability. The full description and/or risks will either be listed elsewhere in this report or in a separate threat analysis report</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong>Severity</strong> - The risk level of the threat: High, Medium, Low</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong>Remediation Effort</strong> - This is based on the amount of work that will be required to implement the specific control. I prefer to use Costly, Moderate, Low.</span><br />
<span style="font-family: Arial;"><strong>Recommendation</strong> - This is the recommendation to correct the deficiency. I choose to keep this at a high level, as details can be provided to each responsible area.</span><br />
<span style="font-family: Arial;">Finally, an appendix of definitions. At a minimum it includes the definitions of the Severity ratings and the Remediation Effort ratings.</span><br />
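As an added example (not code from the original post), here is a Python script that builds the action plan table just described from a constructed list of findings: it groups findings by functional area, orders each group by severity (then by effort, so cheap fixes surface first), and refuses any rating that is not defined in the appendix. The area and system names, the sample findings and the definition wording are assumed for illustration.

```python
# Added example: render the action plan table described in the post.
# Findings are grouped by functional area and ordered by severity; a rating
# that is not defined in the appendix is rejected so it cannot reach the report.

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
EFFORT_ORDER = {"Costly": 0, "Moderate": 1, "Low": 2}

# Appendix definitions. The wording is illustrative, not the post's own.
DEFINITIONS = {
    "Severity": {
        "High": "Exploitation is likely and the business impact is significant.",
        "Medium": "Exploitation is plausible or the impact is limited.",
        "Low": "Exploitation is unlikely and the impact is minor.",
    },
    "Remediation Effort": {
        "Costly": "Requires new budget, a project, or significant downtime.",
        "Moderate": "Fits within normal change management with some planning.",
        "Low": "A configuration change that can be scheduled with routine work.",
    },
}

COLUMNS = ("Vulnerable Area/System", "Threat Description", "Severity",
           "Remediation Effort", "Recommendation")

# Constructed sample findings (not real review results).
SAMPLE_FINDINGS = [
    {"area": "Identity", "system": "Active Directory",
     "threat": "Service accounts with passwords that never expire",
     "severity": "Medium", "effort": "Moderate",
     "recommendation": "Inventory service accounts and rotate credentials."},
    {"area": "Network", "system": "Checkpoint Firewall",
     "threat": "Rule base contains unused any/any rules",
     "severity": "High", "effort": "Low",
     "recommendation": "Remove unused rules and review the rule base quarterly."},
    {"area": "Identity", "system": "Active Directory",
     "threat": "Domain Admins group larger than documented",
     "severity": "High", "effort": "Low",
     "recommendation": "Reduce membership to the documented list."},
    {"area": "Network", "system": "Checkpoint Firewall",
     "threat": "Logging disabled on internal-to-DMZ rules",
     "severity": "Low", "effort": "Low",
     "recommendation": "Enable logging so the SIEM can see the traffic."},
]


def validate(finding):
    """Reject a finding whose ratings are not defined in the appendix."""
    if finding["severity"] not in SEVERITY_ORDER:
        raise ValueError(f"undefined severity rating: {finding['severity']!r}")
    if finding["effort"] not in EFFORT_ORDER:
        raise ValueError(f"undefined effort rating: {finding['effort']!r}")
    return finding


def group_by_area(findings):
    """Return {area: [findings]}, areas alphabetical, each list ordered by
    severity (High first) and then by effort (cheapest fix first)."""
    grouped = {}
    for f in map(validate, findings):
        grouped.setdefault(f["area"], []).append(f)
    for items in grouped.values():
        items.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                  EFFORT_ORDER[f["effort"]]))
    return dict(sorted(grouped.items()))


def render_markdown(findings):
    """Render one table per functional area plus the definitions appendix."""
    lines = []
    for area, items in group_by_area(findings).items():
        lines.append(f"## {area}")
        lines.append("| " + " | ".join(COLUMNS) + " |")
        lines.append("|" + "---|" * len(COLUMNS))
        for f in items:
            row = (f["system"], f["threat"], f["severity"],
                   f["effort"], f["recommendation"])
            lines.append("| " + " | ".join(row) + " |")
        lines.append("")
    lines.append("## Appendix: Definitions")
    for rating, levels in DEFINITIONS.items():
        for name, text in levels.items():
            lines.append(f"- {rating} / {name}: {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(SAMPLE_FINDINGS))
```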
<br />
<span style="font-family: Arial;">Until next time....</span><br />
<span style="font-family: Arial;">~Skeeter</span>

Threat & Vulnerability Mitigation – Asset Identification (2013-07-15)
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">No
matter what you call your program (I call mine Vulnerability Management) to
manage threats and vulnerabilities as they apply to your network and processing
environment, you must know what assets you have.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">Assets
(equipment, operating systems, virtual environments, applications,
infrastructure parts and pieces) need to be identified by manufacturer, make,
model, version, and so on. While it will be a chore to initially identify these
assets and gather their details, the harder part is keeping the data current,
which will not happen without proper processes in place.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">When
setting up the process to gather and keep the information current, keep in mind
that it should be part of other processes.<span style="mso-spacerun: yes;">
</span>For example, during the project phase for new systems, include a step to
update the asset database.<span style="mso-spacerun: yes;"> </span>Including a
step in the change management process that requires an update of the asset
database with the new information will ensure existing assets are kept current.<o:p></o:p></span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">One
of the items that is frequently forgotten during asset identification is the
network infrastructure. Don't forget to identify the firewalls, proxy servers,
VPN concentrators, switches, wireless equipment (switches and access points),
and network management devices. As a security professional, make sure you
include your own systems, such as the SIEM, DLP, anti-virus and anti-malware
servers, and vulnerability scanners; they hold privileged credentials and
sensitive data, and a system missing from the inventory is a system nobody
patches.</span></div>
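<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example (this is not code from the original post), the reconciliation below puts the previous two paragraphs into practice: it compares a constructed asset-database export against a constructed scan result, lists hosts that answered on the network but are unknown to the database, lists database entries nothing answered for, and flags records nobody has verified recently. The column names, hostnames, vendors and versions are assumptions made for the example.</span></div>

```python
"""Reconcile the asset database against what actually answered on the network.

Added example; this is not code from the original post.  INVENTORY mimics a
CSV export of an asset database and SCAN_SEEN mimics the host list a ping
sweep or vulnerability scanner returned; both are constructed here, and the
column names, hostnames, vendors and versions are illustrative assumptions.
"""
import csv
import io
import ipaddress
from datetime import date, timedelta

# Constructed asset-database export.  'last_verified' is the date a project
# step or change ticket last confirmed the record (the process hook the post
# recommends); a record nobody has touched for months is a record to doubt.
INVENTORY = """\
hostname,ip,vendor,product,version,role,last_verified
dc01,10.0.0.10,Microsoft,Windows Server,2008 R2,domain controller,2013-05-02
fw-edge,10.0.0.1,Check Point,Security Gateway,R75.40,firewall,2012-11-19
sw-core,10.0.0.2,Cisco,Nexus 7000,6.1(2),switch,2013-06-30
siem01,10.0.0.50,ExampleVendor,LogCollector,4.2,siem,2013-01-15
web01,10.0.1.20,Red Hat,RHEL,6.4,web server,2013-06-01
"""

# Constructed scan result: (ip, reverse-DNS name or "") for every host that
# answered.  The access point and the hypervisor were never registered.
SCAN_SEEN = [
    ("10.0.0.10", "dc01"),
    ("10.0.0.1", ""),
    ("10.0.0.2", "sw-core"),
    ("10.0.0.50", "siem01"),
    ("10.0.0.7", "wap-lobby"),
    ("10.0.1.5", "esxi02"),
]


def load_inventory(text):
    """Parse the CSV export into {ip: row}; a malformed IP raises rather than hides."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))
        row["ip"] = ip
        rows[ip] = row
    return rows


def reconcile(inventory, seen):
    """Return (unknown, missing).

    unknown: hosts that answered but are not in the database (the forgotten
             firewall, access point or security appliance the post warns about).
    missing: database entries nothing answered for (decommissioned, or outside
             the scanned range; either way the record needs a look).
    """
    seen_norm = [(str(ipaddress.ip_address(ip)), name) for ip, name in seen]
    seen_ips = {ip for ip, _ in seen_norm}
    unknown = sorted((ip, name) for ip, name in seen_norm if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in seen_ips)
    return unknown, missing


def stale(inventory, as_of, max_age_days):
    """Hostnames whose record was last verified more than max_age_days before as_of."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(
        row["hostname"]
        for row in inventory.values()
        if date.fromisoformat(row["last_verified"]) < cutoff
    )


if __name__ == "__main__":
    inv = load_inventory(INVENTORY)
    unknown, missing = reconcile(inv, SCAN_SEEN)
    print("on the network, not in the database:", unknown)
    print("in the database, not on the network:", missing)
    print("records nobody verified in 90 days:", stale(inv, "2013-07-15", 90))
```

<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">Run against real exports, the "unknown" list is the one to chase first: every entry is a device that will never appear in a vulnerability report because nobody knows to scan it or patch it. Keying on IP is a simplification; DHCP ranges need a MAC or hostname key instead.</span></div>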
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">A
key part of tracking threats against assets is knowing how the devices are
configured and used in your environment. Take Active Directory as an example:
what has been changed from the default configuration? How does your password
policy compare to the default: is it weaker or stronger? The answer can raise or
lower the risk rating applied to a vulnerability identified for your operating
system.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">Once
you have the assets of your IT environment identified, it is time to start down
the identification of SCADA and other control systems…..good luck.<o:p></o:p></span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">Until
next time….<o:p></o:p></span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Arial","sans-serif"; font-size: 12pt;">~Skeeter<o:p></o:p></span></div>
Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-70733137128055834802013-07-09T18:14:00.000-07:002013-07-09T18:14:22.945-07:00How, What, and When to Patch
<br />
<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">How an
enterprise decides to manage patch administration probably varies based on who
is doing it, the maturity of the Vulnerability Management program, and the
business’ tolerance of maintenance windows.<span style="mso-spacerun: yes;">
</span>In my opinion patching should be broken into four categories: </span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Arial","sans-serif";">(1)
Infrastructure</span></b><span style="font-family: "Arial","sans-serif";">. This would be servers, devices, and applications
that are used only by IT and can be patched with no impact to business users or
business processes. This patching can be done as often as necessary, but monthly
will probably work out best.</span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Arial","sans-serif";">(2) Servers / Operating Systems.</span></b><span style="font-family: "Arial","sans-serif";"> This category includes the Windows and / or Linux servers in the
environment. This is where IT management needs to get a recurring maintenance
window from the business that is always available for IT to use, whether it is
needed or not. In my humble opinion this window should be available weekly.
While we are probably not going to patch weekly, this window can be used to fix
application problems, apply emergency / critical patches, etc. Server patching
probably can't be performed more often than quarterly because you will need time
to test patches in the non-prod environment.</span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Arial","sans-serif";">(3)
Applications</span></b><span style="font-family: "Arial","sans-serif";">. This category includes business applications
such as ERP systems, HR systems, etc. These systems should be patched during the
maintenance window arranged by IT management above. How often this patching
occurs will depend on the business' appetite, because it will take a good amount
of resources to test the patches and identify any impacts on systems that feed
or receive data from the patched system. Twice a year may be the best-case
scenario; once a year may be the schedule that works best for the business.</span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Arial","sans-serif";">(4)
Workstations</span></b><span style="font-family: "Arial","sans-serif";">. This is where the biggest risk may be located
for the enterprise. While the endpoint security (anti-virus, anti-malware, etc.)
signatures should be updating daily, OS patching should be applied monthly. If a
standard desktop image is used, testing should be pretty straightforward, and a
reboot by users once a month isn't too much to ask.</span></div>
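<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">Added example, not part of the original post: a check that turns the four cadences above into an overdue report. The day counts stand in for the monthly, quarterly, twice-a-year and monthly intervals suggested above; the Sunday standing window, the asset list and the category names are assumptions made for the example.</span></div>

```python
"""Patch-cadence compliance check for the four categories in the post.

Added example, not from the original post.  The cadences are the ones the
post suggests (infrastructure monthly, servers quarterly with a weekly
standing window, business applications twice a year, workstations monthly);
the asset records, the 'category' names and the Sunday window are
constructed assumptions.  Day counts are used instead of calendar months so
the arithmetic is the same across month lengths.
"""
from datetime import date, timedelta

# Maximum age, in days, a patch baseline may reach before the asset is
# reported as overdue.
CADENCE_DAYS = {
    "infrastructure": 31,
    "server": 92,
    "application": 183,
    "workstation": 31,
}

# Standing weekly window for servers; the post says weekly, the day is an
# assumption for the example.  Monday=0 ... Sunday=6.
WINDOW_WEEKDAY = 6


def next_window(today):
    """Date of the next standing maintenance window on or after `today`."""
    days_ahead = (WINDOW_WEEKDAY - today.weekday()) % 7
    return today + timedelta(days=days_ahead)


def overdue(assets, today_iso):
    """Return [(hostname, days_past_cadence, next_window_iso)], worst first.

    `assets` is an iterable of dicts with 'hostname', 'category' and
    'last_patched' (ISO date).  An unknown category raises KeyError on
    purpose: an asset with no cadence is an asset with no owner.  Emergency
    patches go into the next standing window regardless of cadence; this
    only measures drift against the agreed schedule.
    """
    today = date.fromisoformat(today_iso)
    window = next_window(today).isoformat()
    report = []
    for a in assets:
        limit = CADENCE_DAYS[a["category"]]
        age = (today - date.fromisoformat(a["last_patched"])).days
        if age > limit:
            report.append((a["hostname"], age - limit, window))
    return sorted(report, key=lambda r: -r[1])


# Constructed sample inventory with last-patched dates.
ASSETS = [
    {"hostname": "dc01", "category": "server", "last_patched": "2013-03-20"},
    {"hostname": "erp01", "category": "application", "last_patched": "2013-01-05"},
    {"hostname": "vcenter", "category": "infrastructure", "last_patched": "2013-06-30"},
    {"hostname": "pc-0421", "category": "workstation", "last_patched": "2013-05-01"},
]

if __name__ == "__main__":
    for host, late, win in overdue(ASSETS, "2013-07-09"):
        print(f"{host}: {late} days past cadence; next window {win}")
```

<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">Feeding the report into the same ticketing system that schedules the maintenance window closes the loop: the asset shows up as overdue, a change ticket is opened for the next window, and the last-patched date is updated when the ticket closes.</span></div>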
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">No matter
what schedule an enterprise decides on, the key is management buy-in and
communication to the user community. Once the schedule is set, stick to it and
only deviate in rare and unique situations; an actively exploited vulnerability
in an exposed system is one of those, and the standing weekly window above is
where that emergency patch goes.</span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">Until next
time…</span></div>
<div class="MsoNoSpacing">
<span style="font-family: "Arial","sans-serif";">~Skeeter</span></div>
Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com1tag:blogger.com,1999:blog-2075796121493099439.post-78357666312399897312013-07-06T21:58:00.000-07:002013-07-06T21:58:22.242-07:00Vulnerability Sites ---- revisited
<span style="font-family: Calibri;">Several weeks ago I posted a list of sites and links
where threat and vulnerability information can be gathered. Since then I have again had the privilege of
running a number of scenarios through my threat process model and want to update
you on the applicability of the links I provided.</span><br />
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">My recent research confirmed the format of </span><a href="http://www.securityfocus.com/"><span style="color: yellow; font-family: Calibri;">http://www.securityfocus.com</span></a><span style="font-family: Calibri;">, where you
can search via drop-downs. For example, you select Cisco, then all Cisco products
are presented and you can select the product in question. If the product has
versions, you may also select that. I also visited the Cisco website to search
for vulnerabilities on their Nexus 7000; although several showed up, the site
doesn't tell you directly whether a fix has been released.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<a href="http://web.nvd.nist.gov/"><span style="color: yellow; font-family: Calibri;">http://web.nvd.nist.gov</span></a><span style="font-family: Calibri;">
<span style="mso-spacerun: yes;"> </span>also served me well, but you must know
exactly what you want to search for vs. the menu options of the securityfocus
site.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">For operating systems, such as Windows 2008, the NVD site
works very well for searching. It will list all the vulnerabilities and provide
a link to the vendor's site, in this case to Microsoft TechNet and the 2008
security bulletin.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">For other situations such as VMware ESXi or a Belkin
router, I would continue to use the NVD site to search for vulnerabilities and
visit the vendor site if more information was needed regarding patch status.</span></div>
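<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">Added example, not part of the original post: once you leave the search form and pull NVD's JSON instead, the match against your inventory is done on the record's CPE configuration rather than on product names, which is where the make / model / version detail in the asset database earns its keep. The record below is constructed and only mirrors the shape of NVD's JSON API (vulnerabilities[].cve.configurations[].nodes[].cpeMatch[]); the CVE id is a placeholder and the affected-version range is invented, as are the inventory entries. CPE 2.3 matching with versionStart / versionEnd bounds is the real technique; AND-nodes (running-on combinations) are treated here as independent matches, which is a simplification.</span></div>

```python
"""Match an asset inventory against an NVD-style vulnerability record by CPE.

Added example, not from the original post.  NVD_RECORD is constructed and
only mirrors the shape of NVD's JSON API; the CVE id is a placeholder, not a
real advisory, and the affected-version range is invented for illustration.
The inventory entries are constructed as well.
"""
import json
import re

NVD_RECORD = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-EXAMPLE-0001",
  "descriptions": [{"lang": "en", "value": "Constructed placeholder record."}],
  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
  "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
     {"vulnerable": true,
      "criteria": "cpe:2.3:o:vmware:esxi:5.1:*:*:*:*:*:*:*"},
     {"vulnerable": true,
      "criteria": "cpe:2.3:o:vmware:esxi:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "5.0", "versionEndExcluding": "5.0.3"}
  ]}]}]
}}]}
""")

# Constructed inventory: hostname -> CPE 2.3 name of the installed product.
INVENTORY = {
    "esxi01": "cpe:2.3:o:vmware:esxi:5.0.1:*:*:*:*:*:*:*",
    "esxi02": "cpe:2.3:o:vmware:esxi:5.1:*:*:*:*:*:*:*",
    "esxi03": "cpe:2.3:o:vmware:esxi:5.5:*:*:*:*:*:*:*",
    "web01": "cpe:2.3:o:redhat:enterprise_linux:6.4:*:*:*:*:*:*:*",
}

_SPLIT = re.compile(r"(?<!\\):")  # CPE 2.3 fields are separated by unescaped colons


def cpe_fields(cpe):
    """cpe:2.3:part:vendor:product:version:... -> the 11 component strings."""
    fields = _SPLIT.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return fields[2:]


def version_key(v):
    """Dotted version -> comparable tuple; numeric parts sort numerically ('5.0.3' < '5.1')."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cpe_matches(inventory_cpe, match):
    """True if `inventory_cpe` falls inside one NVD cpeMatch entry (criteria + version bounds)."""
    inv, crit = cpe_fields(inventory_cpe), cpe_fields(match["criteria"])
    for i in (0, 1, 2):                     # part, vendor, product must agree
        if crit[i] != "*" and crit[i] != inv[i]:
            return False
    for i in range(4, 11):                  # update, edition, ... only if criteria is specific
        if crit[i] not in ("*", "-") and crit[i] != inv[i]:
            return False
    v = inv[3]
    if crit[3] != "*":                      # exact version in the criteria
        return crit[3] == v
    if v in ("*", "-"):                     # unknown inventory version: refuse to guess
        return False
    vk = version_key(v)
    lo_i, lo_x = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_i, hi_x = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_i and vk < version_key(lo_i):
        return False
    if lo_x and vk <= version_key(lo_x):
        return False
    if hi_i and vk > version_key(hi_i):
        return False
    if hi_x and vk >= version_key(hi_x):
        return False
    return True


def affected_hosts(record, inventory):
    """{cve_id: {'severity': ..., 'hosts': [...]}} for hosts whose CPE is marked vulnerable."""
    out = {}
    for item in record["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31") or [{}]
        severity = metrics[0].get("cvssData", {}).get("baseSeverity", "UNKNOWN")
        hits = set()
        for cfg in cve.get("configurations", []):
            for node in cfg["nodes"]:           # AND-nodes treated as independent (simplification)
                for m in node["cpeMatch"]:
                    if not m.get("vulnerable", False):
                        continue
                    hits.update(h for h, cpe in inventory.items() if cpe_matches(cpe, m))
        out[cve["id"]] = {"severity": severity, "hosts": sorted(hits)}
    return out


if __name__ == "__main__":
    print(affected_hosts(NVD_RECORD, INVENTORY))
```

<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">The point of the version-bound handling is the inventory record that carries no version at all: it is never reported as affected, which is the correct answer, and also the reason the asset database has to carry the version in the first place. The vendor site is still where you confirm whether a fix exists.</span></div>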
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">Until next time…</span></div>
<span style="font-family: Calibri;">~Skeeter</span><br />
Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-65445742789085107072013-06-29T19:59:00.004-07:002016-05-12T06:57:03.350-07:00Controlling Privileged Access<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">First, I define privileged access as anything above what
the standard user would get. How do you control privileged access? Do you allow
your Linux system administrators to have the root password? Do your Windows
administrators have the password for a system account with admin privileges? Or
maybe they have domain admin rights assigned to their personal account.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">A while back I attended a presentation for a
product that stores the passwords for accounts…the assumption is that all
privileged accounts would be stored in this solution along with their
passwords. The system can also be integrated with AD and your ticketing system,
so when a user needs a password the system checks that there is a valid ticket
(incident or change request) and that the requestor is in the right AD group.
This security solution will also change the password a set amount of time after
it was retrieved, which would seemingly prevent the user from reusing the
password indefinitely.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">I can see why management and Internal Audit would
love this solution: on the surface it meets the compliance requirements for
controlling access and assists with the change management process. The system
is also very useful for storing passwords that don't get used very often, thus
making sure they are available in a business continuity situation. However,
does it help a company be secure, or does it give a false sense of security?</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">What are the actual actions performed when the password
is retrieved? The IT guy could retrieve the password and make any change under
the guise of whatever the incident or change ticket describes. Every
environment has those system accounts whose password is never changed. These
accounts tend to have a high level of privileges and everyone on the team knows
the password, so no trouble ticket is required to use them. I could go on and
on, but you get the point.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">What is the solution?
Some will argue that the administrators need admin privileges all the time: it
is their job. I don’t necessarily
disagree with that. I believe the
solution lies in monitoring what the privileged accounts are doing. Implementing one of the solutions that
monitors key folders, directories, and files for access and modification is
also needed.</span></div>
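<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Monitoring what the privileged accounts are actually doing, as an added example (this is not code from the post or from any vault product): it correlates constructed host audit lines with constructed vault checkout records, reports every privileged action that happened outside any checkout window, and reports accounts whose password is older than an assumed 90-day rotation policy, which is where the never-changed shared service accounts show up. The record layouts and field names are assumptions about what a vault and a host audit log export.</span></div>

```python
"""Correlate privileged-account activity with vault checkouts and rotation age.

Added illustration, not code from the post or from any vault product. The
checkout records, rotation dates and audit lines below are constructed sample
data, and their field names are assumptions about an export format.
"""
from datetime import datetime, timedelta

# Constructed vault checkouts: who retrieved which account, under which ticket,
# and the window during which the retrieved password was meant to be used.
CHECKOUTS = [
    {"account": "svc_backup", "user": "bob", "ticket": "CHG-1042",
     "start": "2013-06-01T09:00:00", "end": "2013-06-01T11:00:00"},
]

# Constructed rotation dates: when the vault last changed each password.
PASSWORD_ROTATED = {
    "svc_backup": "2013-05-30T00:00:00",
    "svc_legacy_app": "2009-01-15T00:00:00",  # the "everyone knows it" account
}

# Constructed host audit log of actions taken with privileged accounts.
AUDIT_LOG = [
    "2013-06-01T09:30:12 host=db01 account=svc_backup action=service_restart target=backupd",
    "2013-06-01T14:05:44 host=db01 account=svc_backup action=file_write target=/etc/cron.d/nightly",
    "2013-06-02T02:10:03 host=app01 account=svc_legacy_app action=user_add target=tmpadmin",
]

MAX_PASSWORD_AGE = timedelta(days=90)  # assumption: local rotation policy


def parse_audit(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def checkout_for(event, checkouts):
    """Return the checkout whose window covers the event, or None."""
    for c in checkouts:
        if c["account"] != event["account"]:
            continue
        if datetime.fromisoformat(c["start"]) <= event["ts"] <= datetime.fromisoformat(c["end"]):
            return c
    return None


def review(audit_lines, checkouts, rotated, now_iso):
    """Return (covered, findings).

    covered:  privileged actions attributable to a ticket, listed so a reviewer
              can compare them with what the ticket actually authorised.
    findings: actions with no checkout at all, plus accounts whose password is
              older than the rotation policy allows.
    """
    now = datetime.fromisoformat(now_iso)
    covered, findings = [], []
    for line in audit_lines:
        ev = parse_audit(line)
        c = checkout_for(ev, checkouts)
        if c is None:
            findings.append(("NO_CHECKOUT", ev["account"], ev["host"],
                             ev["action"], ev["target"]))
        else:
            covered.append((c["ticket"], c["user"], ev["account"],
                            ev["action"], ev["target"]))
    for account, when in rotated.items():
        age = now - datetime.fromisoformat(when)
        if age > MAX_PASSWORD_AGE:
            findings.append(("STALE_PASSWORD", account, age.days))
    return covered, findings


if __name__ == "__main__":
    covered, findings = review(AUDIT_LOG, CHECKOUTS, PASSWORD_ROTATED,
                               "2013-06-23T00:00:00")
    for item in covered:
        print("covered ", item)
    for item in findings:
        print("FINDING ", item)
```

<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">On the sample data the cron edit at 14:05 is reported because it falls after the CHG-1042 checkout ended, and every use of svc_legacy_app is reported because nobody ever checks it out; the covered list is what you hand to the change reviewer, since a checkout for a service restart does not by itself justify a cron edit.</span></div>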
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span><br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Until next time…</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">
~Skeeter</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">
</span>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com1tag:blogger.com,1999:blog-2075796121493099439.post-54408110080017221362013-06-23T17:47:00.003-07:002013-06-23T17:51:15.128-07:00Data Protection at all Levels<br />
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">We all know that we need to protect employee and
customer data from unauthorized access.
We are also aware that there are many rules around storing and
transmitting healthcare and credit card data. Most of us have gone to great lengths to put
security controls in place on our Production environments to protect this
sensitive data in accordance with applicable policies, rules, and regulations.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">What have you done to protect the data on your
non-production networks? If you have a
test / QA environment that is used for functional, security, and user
acceptance testing, what data is being used to ensure testing is against the “exact”
data that is in Production? Some
enterprises might use an extract of the data from Production in lower
landscapes for their testing. Are all of
the same security controls in place in the test / QA environment? Or have the controls around privileged access
been relaxed to make it easier for testing?
Or maybe you have (probably relaxed) password standards in the test
environment?</span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">What about the development environment? I am guessing the
security controls are even more relaxed for DEV. The developers probably have access to just
about everything and are able to manipulate the security controls to make their
job easier. Where did the data come from
that they are developing against? Was
it copied straight from Prod, or was it scrambled? Or maybe, if you are lucky, the developers
just created their own data to use.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">I understand the need to use properly formatted data, but
if you are going to use any sensitive data from the Production environment (including
the employee database for an HR system, sensitive company data for an ERP system, customer
data for a customer relationship database, etc.), make sure it is scrambled in some
manner so that it seems to be just random data. Also, don’t allow the key security controls
to be removed in the lower landscapes; make the developers and testers
understand the need for the controls.</span></span></div>
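<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">One way to scramble a Production extract while keeping the data properly formatted, as an added example rather than anything from the post: a keyed hash makes the scrambling deterministic, so the same employee ID maps to the same token in the HR, payroll and benefits tables (referential integrity survives the refresh), card numbers keep their issuer prefix and get a valid Luhn check digit so format validation in the application still passes, and non-sensitive fields the testers need are left untouched. The records, field names and key are constructed; the key would live in Production's secret store and never travel to the lower landscapes.</span></span></div>

```python
"""Scramble sensitive fields in a Production extract before it reaches a lower landscape.

Added illustration, not code from the post. The records and the key are
constructed; in practice the key is held in Production and is never shared
with the test, QA or DEV environments, so the scrambling cannot be reversed there.
"""
import hashlib
import hmac

SCRAMBLE_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: per-refresh secret


def _mac(label, value):
    """Keyed hash of label|value. Deterministic, so the same Production value
    always scrambles to the same test value and foreign keys keep lining up."""
    return hmac.new(SCRAMBLE_KEY, f"{label}|{value}".encode(), hashlib.sha256).digest()


def _digits(label, value, n):
    """n decimal digits derived from the keyed hash (fine for test data)."""
    return "".join(str(b % 10) for b in _mac(label, value))[:n]


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of the partial is the one doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def scramble_card(pan):
    """Keep the 6-digit issuer prefix so BIN/format checks still work,
    replace the account digits, then recompute a valid check digit."""
    body = pan[:6] + _digits("pan", pan, len(pan) - 7)
    return body + luhn_check_digit(body)


def scramble_ssn(ssn):
    d = _digits("ssn", ssn, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def scramble_employee_id(emp_id):
    # Same emp_id in every table -> same token in every table.
    return "E" + _mac("emp", emp_id).hex()[:8]


def scramble(record):
    """Return a copy with sensitive fields replaced and test-relevant fields kept."""
    out = dict(record)
    out["emp_id"] = scramble_employee_id(record["emp_id"])
    out["name"] = f"Employee {out['emp_id']}"
    out["email"] = f"{out['emp_id'].lower()}@example.test"
    out["ssn"] = scramble_ssn(record["ssn"])
    out["card"] = scramble_card(record["card"])
    return out


if __name__ == "__main__":
    # Constructed Production row.
    row = {"emp_id": "10042", "name": "Alice Example", "email": "alice@corp.example",
           "ssn": "123-45-6789", "card": "4111111111111111", "dept": "Finance"}
    print(scramble(row))
```

<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">Because the mapping is keyed rather than a plain hash, a developer holding the scrambled extract cannot rebuild it from a dictionary of known names or SSNs; because it is deterministic, joins between the scrambled tables still work.</span></span></div>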
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">Until next time…..</span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;">~Skeeter</span></span></div>
<div class="MsoNoSpacing">
<span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></div>
Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com1tag:blogger.com,1999:blog-2075796121493099439.post-72312317372340652002013-06-16T14:27:00.005-07:002013-06-16T14:30:50.017-07:00Threats, Vulnerabilities, and News…where do you get your information?<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Like
all Information Security professionals, I have my favorite feeds, blogs, and
sites I visit for my security news. Before I conclude this blog I will share
mine. However, where do you go for your
intelligence related to threats and vulnerabilities? These would be the sources that give you the
technical details, usually in a standard format that the subscribers
have become accustomed to.<o:p></o:p></span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">For
vulnerabilities, since CVE (Common Vulnerabilities and Exposures) is the
standard for tracking issues with software, every Information Security
professional should subscribe to a source that disseminates new CVEs. One such source is the RSS feed from
the National Vulnerability Database (<a href="http://nvd.nist.gov/"><span style="color: yellow;">http://nvd.nist.gov/</span></a>). Although if you don’t have a lot of different
operating systems and software applications, the volume may be too much to
digest, since most of the entries won’t apply to you.<o:p></o:p></span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">CERT
(<a href="http://www.kb.cert.org/vuls/"><span style="color: yellow;">http://www.kb.cert.org/vuls/</span></a>) also
provides an RSS feed that will supply identified vulnerabilities. Another source our team uses is <a href="http://www.securityfocus.com/"><span style="color: yellow;">http://www.securityfocus.com/</span></a>, and
don’t forget <a href="http://www.us-cert.gov/"><span style="color: yellow;">http://www.us-cert.gov/</span></a>. Usually after a vulnerability has been identified
for a system I oversee, other sources, such as the vendor’s website, will be
reviewed for additional information. If
the vulnerability looks like it may be high risk, don’t be afraid to question
your customer representative at the vendor.<o:p></o:p></span></div>
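<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Taming the feed volume, as an added example (not code from the post, NVD or CERT): parse a constructed RSS 2.0 sample and keep only the entries that mention a product in your asset inventory and meet a score floor, highest score first. The CVE ids in the sample are placeholders, and the “CVSS: x.y” text in each description is an assumed convention for the sample, not the format of any real feed.</span></div>

```python
"""Filter a vulnerability RSS feed down to the products you actually run.

Added illustration, not code from the post or from NVD/CERT. SAMPLE_FEED is a
constructed RSS 2.0 document: the CVE ids, products, links and scores are
placeholders, and the 'CVSS: x.y' text in the description is an assumption
made for this sample rather than any real feed's format.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed vulnerability feed</title>
<item><title>CVE-0000-0001 OpenSSL buffer handling</title>
<link>https://feed.example/CVE-0000-0001</link>
<description>Flaw in OpenSSL 1.0.x TLS handling. CVSS: 7.5</description></item>
<item><title>CVE-0000-0002 Example Widget Manager RCE</title>
<link>https://feed.example/CVE-0000-0002</link>
<description>Remote code execution in Example Widget Manager. CVSS: 9.8</description></item>
<item><title>CVE-0000-0003 Apache httpd mod_example DoS</title>
<link>https://feed.example/CVE-0000-0003</link>
<description>Denial of service in Apache httpd. CVSS: 4.3</description></item>
<item><title>CVE-0000-0004 OpenSSL key exposure</title>
<link>https://feed.example/CVE-0000-0004</link>
<description>Memory disclosure in OpenSSL. CVSS: 9.1</description></item>
</channel></rss>"""

# Constructed asset inventory: lowercase product keywords your environment runs.
INVENTORY = ["openssl", "apache httpd"]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVSS_RE = re.compile(r"CVSS:\s*(\d+(?:\.\d+)?)")


def parse_feed(xml_text):
    """Return one dict per <item> with the CVE id and score pulled out."""
    items = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        cve = CVE_RE.search(title + " " + desc)
        score = CVSS_RE.search(desc)
        items.append({
            "cve": cve.group(0) if cve else None,
            "title": title,
            "description": desc,
            "link": item.findtext("link", ""),
            "cvss": float(score.group(1)) if score else 0.0,
        })
    return items


def relevant(items, inventory, min_cvss=0.0):
    """Keep entries naming an inventoried product at or above the score floor,
    sorted highest score first so the queue is short enough to actually read."""
    keep = []
    for it in items:
        text = (it["title"] + " " + it["description"]).lower()
        if any(product in text for product in inventory) and it["cvss"] >= min_cvss:
            keep.append(it)
    return sorted(keep, key=lambda it: it["cvss"], reverse=True)


if __name__ == "__main__":
    for it in relevant(parse_feed(SAMPLE_FEED), INVENTORY, min_cvss=5.0):
        print(it["cvss"], it["cve"], it["title"], it["link"])
```

<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Keyword matching on product names is deliberately crude; the point is that the inventory, not the feed, decides what lands in front of you, and anything that passes the filter still gets the vendor-site review described above.</span></div>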
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">For
general news and opinions of breaches, threats, and vulnerabilities I have
several sites I visit daily (usually while I am eating lunch):<o:p></o:p></span></div>
<ul>
<li><span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Dark Reading (http://www.darkreading.com) – they cover a wide range of IT areas and have a good group of contributors<o:p></o:p></span></li>
<li><span style="font-family: "Times New Roman","serif"; font-size: 12pt;">SANS (<a href="http://www.sans.org/newsletters/"><span style="color: yellow;">http://www.sans.org/newsletters/</span></a>) – their newsletter provides a high-level recap of the top security stories for the week<o:p></o:p></span></li>
<li><span style="font-family: "Times New Roman","serif"; font-size: 12pt;">InfoSec Island (<a href="http://www.infosecisland.com/"><span style="color: yellow;">http://www.infosecisland.com/</span></a>) – a good collection of blogs. Pick a couple to follow<o:p></o:p></span></li>
<li><span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Computer World has a <a href="http://www.computerworld.com/s/article/9239768/Security_Manager_s_Journal_Our_network_infrastructure_has_fallen_far_out_of_date?taxonomyId=17"><span style="color: yellow;">Security Manager blog</span></a> that is ghost written.<span style="mso-spacerun: yes;"> </span>Although not news, I do enjoy reading the issues this manager is having.<o:p></o:p></span></li>
<li><span style="font-family: "Times New Roman","serif"; font-size: 12pt;">PaulDotCom (<a href="http://www.pauldotcom.com/"><span style="color: yellow;">http://www.pauldotcom.com</span></a>) – I try to listen to their podcast every week, as they have some very good guests and the staff is very knowledgeable. And I never miss John and his latest episode of Hack Naked TV. The site also has a ton of helpful technical information (yes, I may have saved the best for last)<o:p></o:p></span></li>
</ul>
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">Once
you find a couple of good sites, share them with another Information Security
professional; I am sure they will share a new site with you.<o:p></o:p></span><br />
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: "Times New Roman","serif"; font-size: 12pt;">~Skeeter<o:p></o:p></span></div>
Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-33080562206613485692013-06-08T09:52:00.002-07:002013-06-09T16:33:03.097-07:00Where Work-Life Balance Meets Information Security<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">With people being more connected with their job through
laptops, tablets, smart phones, etc., it seems that more companies are worried
about work-life balance. Some companies
may define work-life balance as giving employees more “privileges” with their
company-owned computing assets. By
privileges I mean that they may allow the employees to do more with the company-owned
laptop or loosen the restrictions on what websites can be visited on the
company network. </span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">For example, some companies may let employees check
personal, web-based email while on the company’s network.<span style="mso-spacerun: yes;"> </span>Other companies may allow employees to visit
Facebook while others block it. </span><span style="font-family: Calibri;">As companies come to expect employees to be connected
24/7 to work, I understand the need to allow employees some freedom at work to
get away from the daily grind for a few minutes.<span style="mso-spacerun: yes;"> </span>But allowing the freedom comes with some
risk, and that risk needs to be discussed before the decisions are made.</span></div>
<br />
<div class="MsoNoSpacing" style="margin: 0in 0in 0pt;">
<span style="font-family: Calibri;">By allowing employees to visit Facebook, the company has
opened up a new attack vector into the company’s network. Before opening it up, maybe a company needs
to evaluate the reliability of its desktop protection software or look at a
solution that will detect malicious traffic at the network border. The same issues are present if a company
allows employees to check personal email at work. Additionally, if the connection is SSL, is
the company going to break the SSL connection and monitor the traffic? What
traffic is off-limits to monitoring?
What websites will be blocked, and does the proxy server / service have a
good track record of classifying websites? I suspect HR and Legal will want
to weigh in.</span></div>
<br />
<span style="font-family: Calibri;">I am not saying
what is right or wrong, but management must include Information Security in the
discussion prior to making decisions based on what is allowed on the network
and what employees can do on their company-owned computing devices.<span style="mso-spacerun: yes;"> </span></span><br />
<br />
Until next time...<br />
~SkeeterSkeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-65762141144262224832011-05-23T12:27:00.001-07:002012-02-27T10:48:53.753-08:00Bring Your Own Device - what's the big deal?<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network.<span style="mso-spacerun: yes;"> </span>Employees will continue to bring their own devices to work and they want to connect them to the corporate LAN.<span style="mso-spacerun: yes;"> </span>Don’t try to ignore it and bury your head in the sand because it isn’t going away. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If you haven’t done so yet, you better get some procedures developed or you will be playing catch up.<span style="mso-spacerun: yes;"> </span>First, you need to decide what the Bring Your Own Device (BYOD) means in your environment.<span style="mso-spacerun: yes;"> </span>Does it include only tablets and/or Smartphones?<span style="mso-spacerun: yes;"> </span>Or are you going to allow laptops?<span style="mso-spacerun: yes;"> </span>Just remember the line between tablets and laptops from a year ago is not the same line and is getting blurrier as I type this blog.<span style="mso-spacerun: yes;"> </span>What data are you going to allow access to…email only or access to backend systems?<span style="mso-spacerun: yes;"> </span>These are the decisions that need to be made and implemented via your policy with very few (preferably none) exceptions.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If you are going to allow tablets and smartphones access to data other than email, how are you going to manage the devices? If your users want access to the data, they will need to give up some of their “ownership” of their devices. You will want to be able to enforce a device password, remote wipe, certificates (so that only enrolled devices can authenticate), and some sort of encryption on their device. If they don’t agree to these requirements, don’t let them on the network. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Another option, especially if you are going to allow BYOD laptops, is virtualization: create virtual desktops for these users and let the personal device connect only to the virtual desktop environment, so the data stays in the data center rather than on the device. Most are configurable to control which services are or aren’t available…i.e. USB, drive mapping, etc…</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">You must also decide what level of support your organization is going to provide. If the parameters are not identified up front, a lot of “un-forecasted” man-hours could be spent troubleshooting user issues. Also identify what operating systems will be acceptable and allowed to connect to the network. For example, do you allow iOS devices, Android, BlackBerry, and Windows Phones, or do you limit it to a smaller subset of devices? What about laptops…Windows (all versions or just Win7), Mac, Linux? </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">As you can see, there are many decisions that need to be made, and you must have management agreement. One thing to remember: don’t back yourself into a corner that will force you to accept additional, unneeded risk in the future. For example, make sure the controls you implement will adequately protect your most sensitive data, because whatever your backend systems are, you can bet that the vendor is going to develop an app that will allow access to that system from these devices. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;"><span style="mso-spacerun: yes;">~Skeeter</span></span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com8tag:blogger.com,1999:blog-2075796121493099439.post-74773276937024577262011-05-19T19:21:00.001-07:002011-05-19T19:21:48.054-07:00How welcome are your guests?<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">When Joe the salesman from Pete’s Software Palace shows up at the guard desk (because I know you have one), is signed into the system, and is asked to have a seat until you come to get him, is there a wired network connection in the lobby that would allow Joe to plug in and sniff your network? If there is, you should disable the switch port behind that specific jack.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">After you come and get Joe, you go to meet several other people in a conference room. Joe says he needs Internet access; is his only option a wired network, or do you have a guest wireless network? The preferred option should be a wireless guest network, segregated from the corporate network (wired as well as wireless) so that a guest can reach the Internet and nothing else. Additional controls could include a daily, rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee. This ensures that someone at your company will know that they are connected to your guest wireless network.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If your company has a fast, reliable corporate wireless network, another sound practice is to disable unused wired ports in conference rooms. Many times a vendor or contractor will be left alone in a conference room; disabling the excess ports will help reduce the risk to the network. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">I will leave you this week with a couple of wireless network thoughts…what type of authentication do you require for your laptops to connect to the corporate wireless network? If you are not requiring some type of machine authentication in which the laptop also verifies the network it is joining (for example, 802.1X with the client validating the RADIUS server’s certificate), you are at risk of access point spoofing. How do you handle the remembered networks (including ad-hoc ones) your corporate laptops have previously connected to? These are usually from traveling (i.e. hotel, airports, etc….); the laptop keeps the profile and will continuously send out probe requests looking for each of those networks, which is another opportunity for access point spoofing. Finally, how far does your wireless network extend outside of your building?</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
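The remembered-network problem above can be checked on a Windows laptop with the built-in <code>netsh wlan show profiles</code> command, which lists every saved WLAN profile. The script below is an added example (not code from this post or from any product) that parses that output, separates profiles pushed by group policy (which netsh cannot delete) from user-saved ones, and emits the <code>netsh wlan delete profile</code> commands that remove everything not on a corporate allow-list. The sample output and the SSID <code>CorpWLAN</code> are constructed for the example; substitute your own allow-list. Note that this only stops the probing for old networks; protecting the corporate SSID itself against a spoofed access point still depends on the client validating the authentication server’s certificate.

```python
import re

# Constructed sample of "netsh wlan show profiles" output (Windows 7 era format);
# it is not captured from a real laptop.
SAMPLE_NETSH_OUTPUT = """\
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    All User Profile     : CorpWLAN

User profiles
-------------
    All User Profile     : Hilton_Guest
    All User Profile     : DFW Airport Free WiFi
    All User Profile     : CorpWLAN
    Current User Profile : hhonors
"""

# Hypothetical corporate SSID allow-list; anything else is a "remembered" network
# from travel that the laptop will keep sending probe requests for.
CORPORATE_SSIDS = {"CorpWLAN"}

PROFILE_RE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$")


def parse_profiles(netsh_output):
    """Return (group_policy_profiles, user_profiles) in the order netsh lists them.

    Group-policy profiles are pushed by the domain and cannot be deleted with
    netsh, so they are reported separately and never scheduled for removal.
    """
    gpo, user = [], []
    section = None
    for line in netsh_output.splitlines():
        if line.startswith("Group policy profiles"):
            section = gpo
        elif line.startswith("User profiles"):
            section = user
        elif section is not None:
            m = PROFILE_RE.match(line)
            if m and m.group(1) not in section:
                section.append(m.group(1))
    return gpo, user


def stale_profiles(netsh_output, allowed=CORPORATE_SSIDS):
    """User-level profiles that are not a corporate SSID."""
    _, user = parse_profiles(netsh_output)
    return [p for p in user if p not in allowed]


def cleanup_commands(netsh_output, allowed=CORPORATE_SSIDS):
    """netsh commands that remove each stale profile so the laptop stops probing for it."""
    return ['netsh wlan delete profile name="%s"' % p
            for p in stale_profiles(netsh_output, allowed)]


if __name__ == "__main__":
    # On a real host you would feed in the output of: netsh wlan show profiles
    for cmd in cleanup_commands(SAMPLE_NETSH_OUTPUT):
        print(cmd)
```

On a domain the cleaner long-term fix is to deliver the corporate profile by group policy and periodically run a cleanup like this through a logon script, so that travel profiles do not accumulate between trips.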
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com1tag:blogger.com,1999:blog-2075796121493099439.post-89460694626284556232011-05-15T20:20:00.000-07:002011-05-15T20:20:00.394-07:00How do Information Security and Internal Audit play nice?<div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: Calibri;">What is the relationship between your Information Security department and Internal Audit? Is it a friendly, collaborative relationship, or is there resentment between the two teams?</span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: Calibri;">Both the Information Security and IT Internal Audit teams have similar goals: make sure the company’s data is properly protected from inadvertent disclosure, modification, or inappropriate access. However, the attitudes displayed by each of the teams and their members can go a long way to helping build a constructive working relationship. </span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: Calibri;">Since I have worked both sides in the same company…moving from Internal Audit to the Information Security team, I can provide some information on this subject. Clear lines need to be drawn as to the responsibility of each team where the areas start to come together. For example, take a project to upgrade an application that falls under the Sarbanes-Oxley (SOX) umbrella. 
Both teams are going to be interested in it…Information Security will probably be more interested in whether the application meets the full set of security criteria for new applications, while Internal Audit is probably interested only in those controls pertaining to SOX. However, a lack of understanding as to the other team’s responsibilities could lead to ill thoughts about the other team.</span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: Calibri;">I believe each team can provide some level of assistance to the other; however, there needs to be a defined separation of duties, and each member of both teams needs to understand where their responsibilities begin and, more importantly, where their responsibilities end.</span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: Calibri;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-70172343955411599762011-05-08T19:45:00.001-07:002011-05-08T19:45:17.899-07:00How do you measure your risk?<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If you ask 10 security professionals that perform risk evaluations how they measure risk and what is important, you will probably get 9 different answers. There is a slim chance that 2 might agree. Below are three possible approaches to risk evaluation: </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">(1) Do you use a well-defined methodology such as NIST SP 800-30, Risk Management Guide for Information Technology Systems? You follow it religiously, never wavering from the formula and living by the numbers. If an item comes out at the top of the list, then you address it first without fail. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">(2) Or do you use a “fly by the seat of your pants”, “this is how it feels” system? Maybe you read about an exploit for the same vulnerability, so it goes to the top of the list. No scientific approach, not a repeatable process (at least not one that works the same way every time). Maybe that application has little value in your mind, or the application owner pissed you off once, so you make it painful for them. This is not the recommended approach to risk management. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">(3) Maybe you are using a combination of the two, where you incorporate some level of structure around the evaluation, but reserve the ability to adjust based on your gut feeling after many years of Information Security practice? </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Option 3 is the option I feel currently works best for my situation. For applications, systems, and projects/initiatives, I have criteria based on vulnerability scan results, the type of data, how users will access the data, and whether the system is considered critical to the company. Additionally, there is a set of questions based on a set of standard IT controls, and based on how these are answered, they get entered on a risk matrix. Here is where the gut feel comes in…when answering impact and likelihood of these vulnerabilities. IT controls directly implemented for this system, enterprise controls, manual controls, etc… are all considered when making these evaluations. This system is repeatable, with the ability to make some judgment based on the specific factors around the system being evaluated. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If you need a new risk evaluation methodology…probably only the 1<sup>st</sup> or 3<sup>rd</sup> options above are recommended. If you choose the 2<sup>nd</sup> option, good luck. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-89844466326502950842011-05-01T13:18:00.000-07:002011-05-01T13:21:12.835-07:00Standards are like Rules...Made to be Broken<div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: inherit;">Standards are preferred; however, as we all know, not everything fits into the same box. How does your company handle exceptions to the standard? </span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: inherit;">Let’s say your company has a password standard of at least 8 characters, including at least one lower case letter, one capital letter, one number, and one special character. You also require account lockout after 3 invalid tries and prohibit reuse of the last 10 passwords. 
Now suppose a department, say marketing, finds an application it says would greatly increase the company’s presence on the Internet and has a great Return on Investment (ROI); however, the application doesn’t lock accounts after 3 invalid attempts. Given that the information stored in the application doesn’t include any company confidential information, do you allow the application? If so, do you document it, along with the reasoning behind the decision? </span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: inherit;">Now, if that same scenario is for an HR application that has sensitive employee data, do you make the same decision? Maybe, maybe not. You need to make the decision based on your organization’s appetite for risk and what other controls are in place that might help mitigate the risk. For example, if the HR application checks that the user is in a certain group, maybe an HR managers’ group, then maybe the decision is made to allow it. However, if you have loose controls around software installation on desktops and laptops and this HR application doesn’t do any group membership checking (or have other compensating controls), then you might not want to allow it; without lockout, anyone who can reach the login screen can keep guessing passwords indefinitely, and this is the prime situation for an insider data breach. </span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style="font-family: inherit;">There is nothing wrong with deviating from the standards as long as you document the deviation and the reasoning, and you must also evaluate the risk associated with the situation. </span></div><div class="MsoNormal" style="margin: 0in 0in 
10pt;"><span style="font-family: inherit;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-70450379979250382392011-04-24T16:05:00.001-07:002011-04-24T16:05:15.029-07:00Information Security Leader…where do you live?<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Where does the leader of your information security function fit into the corporate structure? Whether you have a Chief Information Security Officer (CISO), the function is handled by your Chief Information Officer (CIO), or the function falls to a Director in the IT organization, does the function have the proper authority to carry out its assigned duties?</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If your security leader falls somewhere in the middle of your IT organization, you are probably dealing with issues revolving around competing with other IT teams for resources, such as funding, personnel, and equipment. Also, you might sometimes suffer from an identity crisis, where business people think you are just like every other IT support team and don’t associate you with doing security functions. However, you do have some advantages; it is easier to get a seat at the table on important IT initiatives and to become involved in application implementations earlier in the process. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">If your Information Security Leader is the CIO, he or she probably has many other responsibilities, and you are competing for attention and resources. Additionally, if the function falls on the outskirts of the IT organization, you will be seen as the “red-headed stepchild” and won’t be involved in the initial, important discussions. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">The CISO scenario has several variables. If your CISO is completely outside the IT organization, you will also experience the outsider treatment from the IT organization. However, this can be somewhat reduced by moving the CISO inside the IT group, reporting to the CIO with a “dotted line” to a senior executive outside of IT. Additionally, the CISO should be on the same level as any senior IT executive (i.e. Vice President). This will help ensure an equal voice when it comes to budget, personnel, and input on IT issues that involve security.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Wherever the Senior Security Leader is placed in the organization, the security team must build a relationship of trust at all levels, from VP to system administrator, for the Information Security program to be successful. Once this relationship is developed, and information security isn’t seen as the “No” team, then they will be invited to the table and everyone will win. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-65484943437404242412011-04-15T19:01:00.000-07:002011-04-15T19:02:34.036-07:00Another Star for Texas<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;"><span style="mso-spacerun: yes;"> </span>Another week, another breach…and I didn’t have to spend a week on vacation to read about this one.<span style="mso-spacerun: yes;"> </span>Off we go to the Lone Star State where yes, everything is bigger in Texas…3.5 million.<span style="mso-spacerun: yes;"> </span>That is a lot of records to be involved in a single data breach.<span style="mso-spacerun: yes;"> </span>If one were to use a cost of $200 per record, well…you can do the math and it is a BIG number.<span style="mso-spacerun: yes;"> </span>However at this time, the State of Texas hasn’t offered any free credit monitoring services, but they have set up an informational website.<span style="mso-spacerun: yes;"> </span>The story goes that the personal information was on a public facing website.<span style="mso-spacerun: yes;"> </span>The information was names, addresses, social security numbers, driver license numbers, etc… the kind of information that shouldn’t be on a public website.<span style="mso-spacerun: yes;"> <a href="http://www.txsafeguard.org/">http://www.txsafeguard.org/</a></span></span></div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">In most organizations the people that have access to that kind of information work for Human Resources (HR), and I will assume that is the case with the State of Texas also. So one of two things happened: (1) HR personnel had privileges to post information on a public website, or (2) IT personnel, say maybe the web support team, had access to HR data and downloaded it and posted it on the website. For now, let us assume #1, although both scenarios lead to the same root cause: someone held access that their job did not require.</span></div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Why does the HR person have access to post information to a website? I could understand an internal human resources SharePoint site, but not a public-facing website. I would have to consider this inappropriate access, and it should have been identified during a periodic review of accesses or during an audit. If neither of these reviews is performed on a recurring basis, then the State of Texas probably has a lot bigger problems waiting to be identified. It is also reported that a number of people have been fired over the incident. If the departments involved haven’t been audited, then the wrong people have been fired. If they have been audited recently, then the State of Texas needs to find different auditors. </span></div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">This is just another example of the importance of implementing an access review process, monitoring privileged accesses, and having a 3<sup>rd</sup> party come in once in a while to verify that everything is being done the way it should be. </span></div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><br />
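To make the access review concrete, here is an added example (not the State of Texas’s process or any product’s code) of the three checks such a review should run over an entitlement export: entitlements outside what the user’s role is approved for, forbidden combinations such as reading personal data plus publishing to the public website, and privileged entitlements that nobody has re-certified recently. The entitlement records, departments, role matrix and 90-day certification window are all constructed for the example; the toxic pair is the one the post describes.

```python
from datetime import date, timedelta

# Constructed entitlement export (not real data): who holds what, and when a
# manager last certified that they still need it (None = never certified).
ENTITLEMENTS = [
    {"user": "alice", "dept": "HR",      "entitlement": "hr_data_read",       "last_certified": date(2011, 3, 1)},
    {"user": "alice", "dept": "HR",      "entitlement": "public_web_publish", "last_certified": None},
    {"user": "bob",   "dept": "WebTeam", "entitlement": "public_web_publish", "last_certified": date(2011, 3, 1)},
    {"user": "carol", "dept": "WebTeam", "entitlement": "hr_data_read",       "last_certified": date(2010, 9, 15)},
    {"user": "dave",  "dept": "HR",      "entitlement": "hr_data_read",       "last_certified": date(2011, 3, 1)},
]

# Assumed role matrix: the entitlements each department is approved to hold.
ROLE_MATRIX = {
    "HR":      {"hr_data_read", "hr_portal_edit"},
    "WebTeam": {"public_web_publish", "web_server_admin"},
}

# Entitlements that must never be held together: reading personal data plus
# the ability to publish to the public site is exactly the scenario above.
TOXIC_COMBINATIONS = [frozenset({"hr_data_read", "public_web_publish"})]

# Privileged entitlements must be re-certified at least this often (assumed window).
PRIVILEGED = {"hr_data_read", "public_web_publish", "web_server_admin"}
MAX_CERTIFICATION_AGE = timedelta(days=90)


def out_of_role(entitlements, role_matrix=ROLE_MATRIX):
    """(user, entitlement) pairs the user's department is not approved to hold."""
    return sorted((e["user"], e["entitlement"]) for e in entitlements
                  if e["entitlement"] not in role_matrix.get(e["dept"], set()))


def toxic_holders(entitlements, toxic=TOXIC_COMBINATIONS):
    """Users holding every entitlement in some forbidden combination."""
    held = {}
    for e in entitlements:
        held.setdefault(e["user"], set()).add(e["entitlement"])
    return sorted((user, tuple(sorted(combo)))
                  for user, ents in held.items()
                  for combo in toxic if combo <= ents)


def stale_privileged(entitlements, today, max_age=MAX_CERTIFICATION_AGE, privileged=PRIVILEGED):
    """Privileged entitlements never certified, or certified too long ago."""
    cutoff = today - max_age
    return sorted((e["user"], e["entitlement"]) for e in entitlements
                  if e["entitlement"] in privileged
                  and (e["last_certified"] is None or e["last_certified"] < cutoff))


def review(entitlements, today):
    """One access-review run: everything a reviewer (or an auditor) should see."""
    return {
        "out_of_role": out_of_role(entitlements),
        "toxic_combinations": toxic_holders(entitlements),
        "stale_privileged": stale_privileged(entitlements, today),
    }


if __name__ == "__main__":
    for check, findings in review(ENTITLEMENTS, date(2011, 4, 15)).items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

In the constructed data, alice is flagged by all three checks at once, which is the point: an HR user with publish rights on the public site shows up as out of role, as a toxic combination, and as a privilege nobody ever certified. Any one of those reports, run quarterly, would have surfaced the access before it was used.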
</div><div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-46186389372817840702011-04-11T10:50:00.000-07:002011-04-13T12:57:58.155-07:00Data Breaches---Where are you?<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">I spent a few days in New York City on vacation (and only went online three times in five days) and started reviewing some of my favorite blogs and websites to see what happened in the information security world during my hiatus. Lo and behold, we have had a couple more data breaches disclosed. The biggest is the disclosure by Epsilon, which is used by a large number of companies for marketing (<a href="http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229400828/attackers-steal-major-retailers-financial-firms-customer-email-data.html">Epsilon data breach</a>). While it would appear only email addresses were involved in the data breach, it does lead to some questions.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">What kind of service level agreement (SLA) did the companies involved have with Epsilon? <span style="mso-spacerun: yes;"> </span>How does your company evaluate the security controls of 3<sup>rd</sup> party vendors (hopefully, prior to signing of the contract)?<span style="mso-spacerun: yes;"> </span>Recently I have been reviewing the security controls and data privacy policies for several 3<sup>rd</sup> party vendors that my company is looking at contracting for specific services.<span style="mso-spacerun: yes;"> </span>While security controls might be in place and evaluated by a 3<sup>rd</sup> party, some of the privacy policies leave something to be desired.<span style="mso-spacerun: yes;"> </span></span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">One of the privacy policies said only that the vendor would share the personal data (name, email, company, etc...) with its affiliated companies. What the heck does that mean? Is that only companies involved with the specific product we are looking at, or does that mean any affiliated company on any project, product, or service they might contract for? That could lead to dozens and dozens of companies that could potentially have access to data on my company’s employees. What kind of privacy policy do all these other companies have? What happens when one of these 3<sup>rd</sup> or 4<sup>th</sup> “generation” companies has a data breach? My company will never get notified that the email addresses of our employees have potentially been involved in a data breach. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">The moral of the story: when you are reviewing the security controls of potential vendors, make sure you know the privacy policy of those vendors, and ensure that the breach notification process is documented in the contract, including timeframes, who makes the notifications, and to whom those notifications are made.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-49336923745135038042011-03-31T14:07:00.000-07:002011-03-31T14:07:02.397-07:00Security Education…Removing the dread<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">We can all admit that security education isn’t ever going to be at the top of the user’s super-happy-fun-time list, but we can make it a little less painful. And maybe, just maybe, they will find it useful and tolerable. However, before you send out or conduct your next training, take a little time to evaluate your user education program. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Have you defined the goals of your training program, beyond simply providing training to users? Identify what areas you need to educate users on and, if necessary, define classes of users and the training needed for each group. For example, you will probably have general users (likely all users) who need the basics: password controls, screen lock, phishing emails, etc. What about those users that might need specialized training, such as HR, Legal, and Finance personnel? Depending on your business sector, you might need to provide additional training to these groups. Once you have determined the training needs, how do you deliver it?</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">There are several different ways that you can deliver training.<span style="mso-spacerun: yes;"> </span>The first is the mandatory, formal training that everyone has grown to dread.<span style="mso-spacerun: yes;"> </span>But if you are developing your own formal training (vs. outsourcing) here are a couple of helpful tips:</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><span style="font-family: Symbol; font-size: 12pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7pt "Times New Roman";"> </span></span></span><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Don’t just use a slideshow / presentation. Mix it up; include videos or other motion tools.</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><span style="font-family: Symbol; font-size: 12pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7pt "Times New Roman";"> </span></span></span><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Find someone that has a nice, pleasing voice to do the voice-over. Don’t let the monotone guy do it again.</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><span style="font-family: Symbol; font-size: 12pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7pt "Times New Roman";"> </span></span></span><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Consider conducting group training instead of delivering it over the computer. In a group setting, make it fun…ask questions with small prizes for answers (right or wrong).</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><span style="font-family: Symbol; font-size: 12pt; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font: 7pt "Times New Roman";"> </span></span></span><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Work with other teams that deliver training to incorporate security into their training. For example, if you are training on a new HR system, have a 15-minute session on protecting Personally Identifiable Information.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Once you have the formal training out of the way, users once in a while need a gentle reminder of security procedures and precautions. I call this Tidbit Training: a couple of sentences or maybe a couple of short paragraphs on the company portal or in an email (let the email support guys know first). Relating this to things that might happen to the users at home will give it more punch. For example, if you build a phishing reminder around a phishing email you personally received, chances are the users have also received one (probably the same one). Then you can connect the danger of their personal information being stolen to company data being stolen.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Another successful method is the use of a Security Blog on your internal network. This can be a touchy area at some companies, as your management might want approval prior to publishing articles. If that is the case, it might not be worth the hassle. However, if you have free rein, it can be a very powerful tool as long as you keep it to information the general user population can relate to.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br /></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">Every time I start working on a user education article, I think back to my Air Force days and Safety Training. Everyone hated Safety training, but there was a weekly report from the Navy Safety Office (I know…I can’t believe I typed it) that put a humorous spin on stupid things Sailors and Marines had done. It didn’t seem like safety training, but that is exactly what it accomplished. So remember, make it a little less dreadful for your users when you are developing Security training.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: "Times New Roman", "serif"; font-size: 12pt;">~Skeeter</span></div>Skeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-89095924938296562052011-03-25T20:45:00.000-07:002011-03-25T20:45:29.546-07:00One Stop Shopping --- Health Care and Credit MonitoringFor the 2nd time in less than 2 years, Health Net has lost a copy of the medical records of their customers (<a href="http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=229301179">Infoweek.com article</a>). This time it is nearly 2 million records. In 2009, they were fined and ordered to pay for 2 years of credit monitoring (must have been about time to renew the credit monitoring subscription).<br />
<br />
You have to begin to doubt the company when they say "Protecting the privacy of our members is extremely important to us," Health Net said. "We apologize for any inconvenience or concern this may cause our members." The article also said "Health Net's statement suggested that the drives may have been misplaced, not stolen. A spokesman called them "unaccounted-for server drives." The company said it was continuing to investigate, and "out of an abundance of caution" it decided to notify "the individuals whose information is on the drives." "<br />
<br />
The company recently outsourced their complete IT operations to IBM. This incident highlights the importance, as companies look for ways to reduce costs by outsourcing, of making sure all the security policies and procedures are reviewed and meet your company's standards. Make sure the security breach notification procedures are outlined as to which company has responsibility for specific tasks. Having Information Security involved early in the Request for Proposal (RFP) process can only help address some of the issues that Health Net might have avoided.<br />
<br />
~SkeeterSkeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-15307791144079696932011-03-15T10:14:00.000-07:002011-03-15T10:14:13.696-07:00Posting Your Life on Social Networking SitesI have always considered myself somewhat of a logical thinker when it comes to what should be posted on social networking sites. To clarify...I have a facebook page but I haven't posted anything to it; I only created the page so that I could monitor what my kids, nieces, nephews, friends' kids, etc... were doing online (I feel that is part of my responsibility as a security professional). There have been several times that I have contacted my facebook friends and informed them of the risks of some of the information they have posted on their site. <br />
<br />
For example, we had some friends come and visit us recently. I happened to be on facebook the morning they were driving to our house. I noticed their 14 year old daughter Amy had posted that they were coming to visit us and was giving an update every couple of hours on the drive. When they arrived, I told Amy that if I needed a TV and lived in their town, I would be visiting their house, because I knew they were going to be gone for 4 days.<br />
<br />
Many times I have told my own kids that, for the most part, the only people who care about the information they post on facebook are those people without the best of intentions (except for Mom and Dad, of course : )<br />
<br />
Today's Thought: Spend a few minutes each week and monitor the online activity of those people in your life and take the opportunity to educate them about the risks of online activity.<br />
<br />
Until next time...SkeeterSkeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0tag:blogger.com,1999:blog-2075796121493099439.post-34425496580133155902011-03-14T08:26:00.000-07:002011-03-15T09:40:14.011-07:00Post #1Why Skeeter Spray? Information Security issues, problems, and/or incidents (whatever you call them in your company) can be like those pesky little bugs. There are many ways to deal with them:<br />
<br />
1. You can fog the whole yard and know that you will kill some. Just as you can send out mass user education and hope some of it sticks with some of the users.<br />
2. You can light up a cigar and use the smoke to keep them away and the heck with the 2nd hand smoke. Much like you create a policy that addresses a problem without concern for how it affects other business processes.<br />
3. You can spray some deet-based repellent and effectively keep the mosquitoes from biting you; however, you must re-apply it after several hours. You can create an effective information security policy; however, you must review it on a recurring basis to make sure it is still performing as intended and, if necessary, rework the policy and reapply it.<br />
4. You can do nothing and swat at each one. In the security world you go from one problem to another and usually don't end up fixing any of them...maybe (if you are lucky), you apply a band-aid.<br />
5. Or you can go in the house and ignore the mosquitoes. Much in the same way you can ignore the security issue and hope it goes away. Hint: usually it doesn't go away...it gets worse.<br />
<br />
Take the time to teach someone something about securing their personal information.<br />
SkeeterSkeeterhttp://www.blogger.com/profile/08882702264734625808noreply@blogger.com0