Posts by author:

Branden Williams

What’s your Maturity?

by Branden Williams on April 12, 2012

in SBN

No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevancy erodes as the business moves ahead without it.

Tower of Limes, by Darwin Bell

If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Hierarchy of Needs. For those of you that may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are:

  1. Physiological: food, water, sleep, movement toward stability
  2. Safety: security of body, employment, resources, morality, family, health, property
  3. Love: friendship, family
  4. Esteem: confidence, achievement, respect of and by others
  5. Self-Actualization: morality, creativity, spontaneity, lack of prejudice, problem solving, acceptance of facts

A human must go through these stages, in order, to reach full potential. I believe information security potential must go through similar stages. Those stages might be:

  1. Basic defense: firewalls, vulnerability detection (through scanning), patch application
  2. Compliance and depth of defense: ability to demonstrate compliance to point initiatives (non-programmatic), build basic layers of defense (DMZ, application stacks), beginning to merge the physical and electronic security worlds
  3. Risk-based security: ability to adjust controls based on current risk/threat scenarios, not all vulnerabilities are equal, modify posture to be heavy in some areas, lighter in others
  4. Business-Oriented: the equivalent of self-actualization (and we got there in only four steps!) whereby security exists as an extension of the business, in many cases consumed transparently, enabling secure business growth.

Our experience says that most companies are sitting somewhere in the second tier of this security maturity model—but not congregated around one point. Most companies have to deal with some level of compliance, and do so with varied success.

Companies that move toward business-oriented security don’t necessarily constrain themselves based on resources. Both big and small companies are all over the maturity model with some small companies being quite self-actualized and large ones barely handling compliance.

In order to mature, there are a few things we need to do:

  • Embrace automation. Since you are already tasked to do more with less, stop chasing things around on paper or in spreadsheets. Automate your ability to deal with compliance and the basics of information security.
  • Agile & risk-based controls. Your ability to demonstrate agility based on deep understanding of risk and the external and internal threat landscape is critical to your progression. Realize that you have more than one tool in your bag so that not everything looks like a nail (because your only tool is a hammer, for example).
  • Contextual knowledge on events. You must be able to see events in the context of your environment (internal and external) as well as how that relates to the business. Without true business context, you cannot possibly scale and mature.
  • Functional GRC. A GRC framework can’t exist in spreadsheets and only in support of a compliance initiative (that’s step 2, remember?). A functional GRC framework will drive your security strategy from your business operations and goals.

So, readers out there, what’s your security maturity? Do you fall in step 2? Have you started self-actualizing? If you are stuck, what do you think has to happen in order to move the company forward?


Herding Cats: A Curmudgeon’s Party Line (April 2012)

by Branden Williams on April 11, 2012

in SBN

kitten, by Clevergrrl

Have you checked out ISSA Connect yet? The next issue is up there with my column, A Curmudgeon’s Party Line.

This month’s topic is quite timely as there have been several new attacks published related to SCADA and industrial systems. This article explores some of the reasons why we might see the marriage of IP-based systems with industrial systems causing issues today and in the future.

If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


There Are No BYOD Absolutes (You’re Doing It Wrong)

by Branden Williams on April 5, 2012

in SBN

Check out this post by VPN Haus that tackles the cost savings aspect of BYOD. They argue that BYOD can be expensive and isn’t always a cost savings initiative. There are a few issues with this article that I’d like to address, starting with the cost issue.

Hands on: "MacBook Air"

BYOD isn’t just about saving money, it’s also about making employees happy. I have not met a knowledge worker that looks forward to getting their new clunky Dell or Lenovo laptop, especially if they travel. Having the ability to empower the worker to bring their own device allows for cost savings in a number of areas, including forcing them to handle their own basic break/fix support. In my case, I don’t call IT when I have a laptop problem. I make an appointment with a Genius (and I can sit face-to-face with that genius in virtually every city I travel to around the globe). I’m a happy camper because I carry a light load when I travel, my device works everywhere, and my work is kept secure.

The other item that struck me as funny was the investments in infrastructure that companies would have to make. Frankly, I think this was true five years ago because IT has transitioned to a service-based model whereby the ever-changing end devices have forced us to remain as independent as possible as applications outlive the devices we run them from. We don’t tend to think about software and tools that only work on one device, we code for as many devices as possible to mitigate endpoint issues and decrease long-term interface-related maintenance costs. If your company is just now starting to think about things like VPNs, information governance, and identity management, you are way behind and your competitors will leap-frog you. IT as a Hindrance (ITaaH) models affect the business’s ability to execute.

Here’s the irony: small businesses get this. They lack the security know-how and ability to execute, but they absolutely get that using an ITaaS model coupled with BYOD saves them loads of cash and allows them to scale with a much smaller investment.

VPN Haus is correct that adopting BYOD ≠ money in the bank. Absolutes rarely exist. It’s a different mode of delivering IT services to employees, and requires a fundamental shift in how your CIO thinks about IT.


March 2012 Roundup

by Branden Williams on April 3, 2012

in SBN

Stay Classy, San Diego!

What was popular in March? Breaches and advanced security and March Madness, OH MY! St. Paddy’s and spring break dominated most of the twitter discussions this month, although at the end we sure had a topic to discuss. More on that later.

Here are the five most popular posts from last month:

  1. RSA Conference 2012, Are You Ready? I hope you made it out to RSA Conference this year. The buzz and excitement around the event of 20,000+ attendees was electric!
  2. Top Five PCI DSS Mistakes that Lead to a Breach. I wrote this blog post after speaking to several insiders about the challenges small companies face when it comes to complying with PCI DSS. Many of them look at the various SAQs and panic! So while I won’t endorse not complying with the standard, what are the top five things that cause a compromise? Read this to find out!
  3. Top 3-5 Things to Remove from PCI DSS. It’s FEEDBACK time! Folks, take this seriously, it won’t be back for another two and a half years. Submit your feedback! But also, maybe think about things that could be removed from PCI DSS.
  4. Passwords and the People Security Problem. This one sure did spark some discussion! Everything from “passwords are dead!!” to “users/society forces our hand!” accompanied this post as people discussed via Twitter. What do you think?
  5. Boss, I Think Someone Stole our Customer Data. It’s so humbling when a blog post that is nearly five years old makes it into the top five. This post is timeless, and is based on a HBR case study from 2007. Give it a read!

Thanks for stopping by!


Facebook isn’t Professional Networking

by Branden Williams on March 27, 2012

in SBN

I was checking into the happenings on Facebook last night and had a very strange request come up. Someone that I know and respect sent me a request through a product called BranchOut. While their about page does more to confuse than to clarify, what I understand it to be is a way to create a professional network of contacts with Facebook—or in easier terms, think about LinkedIn-type functionality sitting on top of your Facebook network of contacts.

Mouthing off, by db*photography

Frankly, this is a terrible idea. For those of us that use social media in our jobs, we tend to have things we keep professional (LinkedIn or Facebook Page), things we have that are personal (Facebook personal profile), and things we make public for anyone to see (Twitter)1. Facebook privacy snafus aside, I do spend some effort to not only keep content associated with me clean and aggressively limit distribution. Typically, folks from work or people I meet that want to connect with me via Facebook get a filtered view (unless they go to my Facebook Page, which is professional). Follow me on Twitter, however, and you are getting the raw look. And LinkedIn? Well, that is somewhere in between where you are getting some raw and some filtered.

Now imagine that thanks to an app, you have removed the personal and professional boundaries associated with your online persona. The potential for abuse or an accidental disclosure is tremendous, and now you may be “connected” to people from your company without really even knowing it.

Along these same lines, there have been several stories recently about potential employers asking for applicants’ Facebook credentials or making friend requests on Facebook (here’s what Facebook says about the matter). If that’s a condition of employment, my advice is to simply decline or to run far, far away. If you forgot your running shoes but still want to have some fun, here are a few things you could do in return:

  • Ask the HR manager for her Facebook credentials as well as those of the hiring manager and team members.
  • Ask to see their security policies to see if giving out a password that grants access to company assets is against the rules and ask why this is somehow OK.
  • Set up a fake Facebook account and give them access to that.
  • Claim ignorance and ask if Facebook comes on a flash drive yet, because you’ve been wanting to hop onto the twitters to check it out.

I’m sure you folks out there have some fun ones you can add in the comments below!

  1. My twitter account should have the disclaimer, “The opinions listed here are not my employer’s, or really even mine. Nobody should read this.”


Reducing the Risk of Passwords

by Branden Williams on March 23, 2012

in SBN

Risk, by Fayjo

On Wednesday we discussed passwords and their contribution to the people security problem. At the end of the post, I asked what we could change to take weak passwords out of the equation. If having passwords is a requirement to doing business, what things could we add to the mix that might be able to reduce the risk of using them?

  • Strong Authentication. Obviously, adding an additional factor of authentication can go a long way to improve the risk scores associated with data access. Positives include a significant number of solutions with a few leading their respective packs. Disadvantages can include cost to deploy and manage as well as poor integration with every technology you may use.
  • Risk-based Authentication. Keep passwords but tie the authentication process to other available data points that can help the system understand the inherent risk in that specific transaction. Is the user supposed to be in the office in New York City, but instead is attempting to authenticate from a coffee shop in Dallas? Let’s up the risk score and figure out what to do next.
  • Out of Band Authentication. Many large financials now do something like this whereby a code is emailed or SMSed to a device for entry. In some cases, these may be useful, but they should not be confused with strong authentication.
  • Cryptography. Using PKI, certificates, or other cryptographic keys can add an element of security that can potentially be transparent to the user. These can be defeated depending on how they are tied to the systems in which they operate. For example, a certificate with no password that is tied to a particular computer and exportable could be used maliciously.
  • Change your Data Flows. How does data move inside your environment? How do your users consume it? Could you change your business to allow people to access certain parts of the data/infrastructure with a password, and other parts with strong authentication? This could help with the cost issue above, and would certainly serve to reduce risk if the exposure surface is reduced.

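The risk-based authentication and data-flow bullets above can be combined into one decision function. This is an added illustration, not code from the post: the signals (home office, known devices, work hours), the weights and the thresholds are all assumed for the example, and the New York / Dallas scenario is the one the post describes.

```python
from dataclasses import dataclass, field

# Constructed example profile: what the system expects of a user.
@dataclass
class UserProfile:
    username: str
    home_office: str                       # city the user normally works from
    known_devices: set = field(default_factory=set)
    work_hours: tuple = (7, 19)            # local hours when logins are typical

# One authentication attempt with the extra data points the post suggests using.
@dataclass
class LoginAttempt:
    username: str
    city: str
    device_id: str
    hour: int                              # local hour of the attempt, 0-23
    password_ok: bool
    resource_tier: str                     # "general" or "sensitive" (see "Change your Data Flows")

# Hypothetical weights; a real deployment tunes these from its own incident and login data.
WEIGHTS = {"location": 40, "unknown_device": 30, "off_hours": 15}

def score_attempt(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Sum the risk signals present in this attempt. Higher means riskier."""
    score = 0
    if attempt.city != profile.home_office:
        score += WEIGHTS["location"]       # NYC office user showing up in Dallas
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
    start, end = profile.work_hours
    if not (start <= attempt.hour < end):
        score += WEIGHTS["off_hours"]
    return score

def decide(profile: UserProfile, attempt: LoginAttempt,
           step_up_at: int = 30, deny_at: int = 70) -> str:
    """Return 'allow', 'step_up' (require a second factor) or 'deny'."""
    if not attempt.password_ok:
        return "deny"                      # the password is still the first gate
    if attempt.resource_tier == "sensitive":
        return "step_up"                   # sensitive data always needs strong auth
    score = score_attempt(profile, attempt)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    alice = UserProfile("alice", "New York City", {"lap-01"})
    trip = LoginAttempt("alice", "Dallas", "lap-01", 14, True, "general")
    print(score_attempt(alice, trip), decide(alice, trip))
```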
Just like the concept of designing security controls with the assumption that your network is already compromised, look at the password problem from a “how do we reduce the risk of using them” perspective. Not only will you find innovative ways to support your users, but you can be a good steward of your company’s finances and reduce the overall information security risk as well.


Links from 2012-03-21 through 2012-03-22

by Branden Williams on March 22, 2012

in SBN

Links from 2012-03-21 through 2012-03-22:


Passwords and the People Security Problem

by Branden Williams on March 21, 2012

in SBN

We can only blame people for so long. After all, we traditionally secure access to the critical resources on our network, whether that is customer information, price lists, salary information, or the secret recipe to our best-selling product, by requiring users to log on with a username and a password. Usernames allow us to grant authorizations and track activity, and passwords authenticate the username, theoretically providing assurance that the owner is the person using the credential. Over the years, humans have demonstrated their poor ability to create and use strong passwords. We try to teach them about strong passwords, give them examples, set policies to require strong passwords, and yet we still get users with passwords like P@ssword.

Cracked Wall Foundation, by PJFurlong06

Our challenge is to find weak passwords on our systems BEFORE the bad guys do, so you can help that specific user with a little extra training focusing on creating and using good passwords. But how can you go about this without locking out your entire user base with a brute force attack?

  • Start with policy. Bad passwords start with bad password policies. Vulnerability scanners and other types of policy checks via configuration managers are a critical asset when looking for bad policies.
  • Find and fix weak passwords. The Microsoft Baseline Security Analyzer is a free tool from Microsoft that can identify accounts on your systems with weak passwords. It won’t tell you what those passwords are, but it can flag any that are weak. For Unix, you will probably need to run an offline password cracking tool against your user list with a dictionary of weak passwords.
  • Crack your password database. To really assess whether or not your users are implementing good passwords, you are going to have to crack them (or at least attempt to do so). Any password cracking should be done using an offline tool to prevent users from being locked out. The SecTools.Org Top 125 Network Security Tools has some options for offline password cracking.

If you are going to do a full assessment of your users’ passwords, here are some guidelines:

  1. Make sure your management is fully aware and you have written authorization to perform this “attack”.
  2. Your account lockout policy is designed to prevent anyone from performing a brute force attack against your accounts, and your physical security is designed to keep anyone from booting a domain controller from a CD to snag the security database.
  3. Accounts that fall to simple dictionary attacks should be addressed immediately.
  4. Accounts that fall to hybrid attacks also need attention, but as a second priority.
  5. Those left are probably as good as you can expect any user to have, so don’t waste weeks trying to crack those.
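The dictionary-versus-hybrid priority in the guidelines above can also be enforced at password-change time, so weak choices never reach the database in the first place. This is an added example, not code from the post or from GFI: the word list is a constructed five-word stand-in for a real weak-password dictionary, and the substitution table covers the common mangling (leetspeak, appended digits and symbols, case changes) that hybrid attacks undo.

```python
import re

# Constructed mini word list; a real check uses a full dictionary of weak passwords.
WEAK_WORDS = {"password", "welcome", "letmein", "summer", "company"}

# Leetspeak substitutions that hybrid attacks try; we undo them before matching.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def _variants(password: str) -> set:
    """Forms of the password a dictionary or hybrid attack would effectively test."""
    lowered = password.lower()                              # case changes
    # Drop digits and symbols prepended or appended to a word (e.g. Summer2012!)
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}

def classify(password: str) -> str:
    """Return 'dictionary' (fix immediately), 'hybrid' (second priority) or 'ok'."""
    if password.lower() in WEAK_WORDS:
        return "dictionary"
    if any(v in WEAK_WORDS for v in _variants(password)):
        return "hybrid"                                     # P@ssword, Summer2012!
    return "ok"

def audit(passwords: list) -> dict:
    """Bucket candidate passwords by the priority the guidelines give them."""
    buckets = {"dictionary": [], "hybrid": [], "ok": []}
    for pw in passwords:
        buckets[classify(pw)].append(pw)
    return buckets

if __name__ == "__main__":
    # Constructed sample input, e.g. values offered at password-change time.
    print(audit(["password", "P@ssword", "Summer2012!", "Tr0ub4dor&3"]))
```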

If you are a small company and have this kind of talent on staff (or feel comfortable contracting for it), this process can be a pretty useful exercise with tangible results. But what if we took the password part out of the picture entirely? If passwords are inherently weak yet in many cases still a necessary component to our operations, what else could we do to remove the risk associated with passwords? Check back on Friday for some thoughts around mitigating the risks to passwords.

Contributor: Emmanuel Carabott from GFI Software Ltd.


Herding Cats: Hunt (March 2012)

by Branden Williams on March 16, 2012

in SBN

kitten, by Clevergrrl

Have you checked out ISSA Connect yet? The next issue is up there with my column, Hunt.

Continuing on our thoughts from last month, security professionals must hunt for intrusions in their environment, not just wait for the phone call from someone telling them they have been breached. Gatherers have a role in information security, but so do hunters.

If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


February 2012 Roundup

by Branden Williams on March 14, 2012

in SBN

Stay Classy, San Diego!

What was popular in February? RSA Conference was absolutely awesome this year. Not only was it packed, but the types of conversations we were having were much more security sounding (and less compliance sounding). Even the vendors on the edges (which is where the really good stuff is) talked about how valuable the show was for them.

Here are the five most popular posts from last month:

  1. PCI Compliance For… The manuscript for the latest revision of the book is now complete! Here I reflect on a chapter I wrote about PCI Compliance for the Small Business.
  2. RSA Conference 2012, Are You Ready? I hope you made it out to RSA Conference this year. The buzz and excitement around the event of 20,000+ attendees was electric!
  3. Where is your Chaos Monkey? This one is in the top five for the fifth month in a row! I absolutely love that this concept is being discussed as a reality in Information Security circles. Is your company’s culture prepared to deal with incidents? Netflix has one, where’s yours?
  4. Security Personae, the Troll. If you were at RSA Conference, you no doubt saw the signs around the RSA booth to find your Security Personae. iPads and TVs were given away! Here’s one of the five personae.
  5. A Conversation with MasterCard. This one popped back up last month. After the 2011 Community Meeting, I met with John Verdeschi to discuss some of the MasterCard specific programs around PCI DSS.

Thanks for stopping by!
