Sunday, May 31, 2009

Recent Observations in Information Security:

Seems like my computer security related articles are indeed getting fewer and farther between. It’s not that I’ve been too lazy to write. On the contrary - I’ve been writing frantically about issues related to our freedoms, standing up for values and principles, and in particular supporting gun rights efforts. Regrettably, I just haven’t had the chance outside of my full-time computer security professional life lately to concentrate on my “geek” side during my off time. In the time since the presidential inauguration, our administration of “hope and change” has been catapulting our country towards destruction at an extremely accelerated pace. We are marching towards what some say is socialism, I personally believe we are headed toward fascism and totalitarianism, greater government control – control which is even affecting the computer security profession. You’ll see what I am talking about shortly. I wasn’t made to be a socialist or a slave, so my endeavors have indeed taken me in other directions over the past year or so.

So, I thought I would make a fervent effort to make some time and finally get back to you about some [computer security] issues that I have been involved in lately. This article will be a smorgasbord of issues, but there really are a lot of things going on in our profession worth mentioning. So bear with me, be prepared to shift gears frequently, and just use these things as food for thought for your own IT environments.

Administrative Rights on Computers:

One thing has become obvious: users who routinely operate their computers with administrative rights are far more likely to be infected with malicious software. One statistic published by a well-known computer security organization indicated that more than 90% of the exploits in circulation cannot compromise a machine when the logged-in user is a limited user, because the malicious code inherits only that user’s rights. Considering the thousands of exploits out there, this is a significant number. I know that many people have expressed concern that they won’t be able to perform their jobs, or do simple tasks such as installing printer drivers or other software.

My answer to that is to:

1) Create another user that has admin privileges on the computer, and only use that account when it is necessary to do so.

2) Use the “Run as...” function wherever possible (on Windows XP, right-click an executable or shortcut and choose “Run as...”, or use the runas command from a command prompt). You can run as the admin user created in 1) above. In Windows Vista, User Account Control (UAC) takes care of this for you: a limited user is prompted for an administrator’s credentials only when a program actually needs to elevate.

3) If you are in a large corporate environment and need to manage many users from a centralized location, consider using something like BeyondTrust Privilege Manager (

4) If you’re not willing to do 1) – 3) above, then don’t ever connect to the Internet ;)
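The following script carries out steps 1) and 2) on a single Windows XP or Vista machine. It is added here as an example and is not part of the original post: the account names alice (the daily-use account) and alice-admin (the admin-only account) are placeholders, the net and runas commands and the WindowsPrincipal membership check are standard Windows tools, and the script must be run once from a session that is still an administrator.

```powershell
# Added example (not from the original post): move a daily-use Windows XP/Vista
# account out of the local Administrators group and keep a separate account that
# holds admin rights for the rare tasks that need them.
# Run this ONCE from a session that is currently an administrator.
# Assumed (hypothetical) account names - change both before running:
$daily     = 'alice'        # the account used for e-mail, browsing, daily work
$adminAcct = 'alice-admin'  # used only via "Run as..." / runas / UAC prompts

# Returns $true when the current token is a member of the local Administrators
# role. Must be $true before the change; from the daily account afterwards it
# must be $false - that is the check that the demotion actually took effect.
function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdmin)) {
    Write-Error 'Run this from an account that is currently an administrator.'
    exit 1
}

# Step 1: a second account that holds admin rights and is used only when needed.
# "net user <name> * /add" prompts for the password instead of leaving it in the
# script or the command history.
net user $adminAcct * /add
net localgroup Administrators $adminAcct /add

# Step 2: demote the daily account to a limited user. Adding it to Users first
# keeps it able to log on (a harmless "already a member" error may appear).
net localgroup Users $daily /add
net localgroup Administrators $daily /delete

# Verify: the daily account must no longer be listed in Administrators.
$members = net localgroup Administrators
$pattern = '^\s*' + [regex]::Escape($daily) + '\s*$'
if ($members -match $pattern) {
    Write-Error "$daily is still an administrator; check the output above."
} else {
    Write-Host "$daily is now a limited user; $adminAcct holds admin rights."
}

# Later, from the daily account, run individual admin tasks under the admin
# account instead of logging on as an administrator. Windows XP example:
# open Device Manager (e.g. to install a printer driver):
#   runas /user:$env:COMPUTERNAME\alice-admin "mmc devmgmt.msc"
# On Vista the same credential prompt comes from UAC when a program elevates.
```

After the script has run, log off and back on as the daily account and call Test-IsAdmin again; it must return $false. Do the demotion last and only after confirming that the new admin account can actually log on, otherwise you can lock yourself out of administering the machine.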

I have been running without administrative privileges on my computers for a long, long time now, and I can tell you that I have not been inconvenienced one bit. I also haven’t been compromised or infected, either. After getting tired of my kids downloading stuff and getting infected with tons of viruses, resulting in countless machine re-imagings, I took away their admin privs also. Haven’t been bothered by them calling me because of another virus warning in quite a while now.

Policies, Procedures, Documentation, and Auditing:

In my recent involvement in certification and accreditation of information systems, the most common reason I am finding for systems failing to meet information security controls is a lack of documentation, procedures, and policies. It is not enough to simply “say” that you are doing something to mitigate information security weaknesses.

You must be able to prove that you have the following:

1) A policy stating that a certain function is to be performed, how often it is to be performed, and by whom. This policy needs to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.

2) A standard operating procedure (SOP) that describes how to perform the procedure consistently. SOPs need to be specific and include detailed steps for the entire process from start to finish. The SOP serves as a checklist to ensure the procedure is carried out the same way every time, and as a guide for someone performing it for the first time. Make sure to include references, acronyms, and definitions in addition to the procedural steps. SOPs need to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.

3) Documentation showing the results of regular security control tests and audits. You need to be able to show that your policies are being tested and followed, and that the SOPs are being used. The actual test results need to be securely stored. Remember – these test results are a window into every weakness that exists in your environment. Only people with a “need to know” should have access to them.

4) Third-party auditing. Do your own in-house testing, but periodically hire an independent third party to come in and evaluate your testing procedures and your testing results. In many organizations, such as the one in which I work, periodic independent third-party testing is required by law. This is known in my industry as “security certification and accreditation” (soon to be known as “security authorization” when NIST SP 800-37 Revision 1 is published). Health-care and financial organizations usually have similar legal requirements. Security certification and accreditation is performed every three years, and in-house security self-assessments are performed annually.

Social Networking and Security:

There is a growing tension between the need to be secure and the need to use social networking tools to reach customers and co-workers. Even government agencies are realizing the benefits of sites such as Facebook and Twitter for reaching their constituencies. But corporate security teams are also fighting the security issues and the network bandwidth consumption that go along with them.

There are a number of things that need to be considered if these tools are to be used in the workplace:

1) User education
2) Making sure computers are patched and virus signatures up to date
3) Making sure your users are NOT running with admin privileges
4) Monitor your network for bandwidth consumption. If it becomes excessive and can be attributed to traffic to these social networking sites, your management may want to rethink the decision to allow them in the workplace.
5) Monitor usage of other software. If your users get the message that social networking sites are OK, they may also assume that file-sharing and peer-to-peer applications are acceptable. These tools can have devastating consequences for your network and security posture.
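Items 4) and 5) come down to attributing bytes to users and to categories of traffic. The report below does that for a web proxy log; it is an added example, not code from the original post or from any product. The six log lines are constructed samples in Squid’s native access.log layout, and the social networking domain list, the peer-to-peer port list and the 50 MB flag threshold are assumptions to tune for your own network. It needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): break proxy bandwidth down per
# user and per category so that social networking traffic, and CONNECT tunnels
# to ports typical of peer-to-peer clients, stand out.
# The log lines are CONSTRUCTED samples in Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
$sampleLog = @'
1243728001.101   312 10.0.0.12 TCP_MISS/200 184320 GET http://www.facebook.com/home.php alice DIRECT/69.63.176.13 text/html
1243728003.410   120 10.0.0.12 TCP_MISS/200 52428800 GET http://video.facebook.com/v/12345.flv alice DIRECT/69.63.176.13 video/x-flv
1243728005.002    88 10.0.0.21 TCP_MISS/200 9120 GET http://twitter.com/home bob DIRECT/128.121.146.100 text/html
1243728007.220    40 10.0.0.21 TCP_TUNNEL/200 31457280 CONNECT tracker.example.net:6881 bob DIRECT/203.0.113.9 -
1243728009.900   200 10.0.0.33 TCP_HIT/200 40960 GET http://www.microsoft.com/ carol NONE/- text/html
1243728011.005    60 10.0.0.33 TCP_TUNNEL/200 8192 CONNECT mail.example.com:443 carol DIRECT/198.51.100.7 -
'@

# Assumptions to adjust for your environment.
$socialDomains = @('facebook.com', 'twitter.com', 'myspace.com', 'linkedin.com')
$p2pPorts      = @(4662, 4672, 6346, 6347, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889)
$flagBytes     = 50MB   # per user, per category: at or above this the row is flagged

# Classifies one request as 'social', 'p2p-port' or 'other'.
function Get-Category([string]$method, [string]$url) {
    if ($method -eq 'CONNECT') {
        # CONNECT requests carry host:port rather than a full URL.
        $parts    = $url.Split(':')
        $hostName = $parts[0]
        $port     = [int]$parts[1]
        if ($p2pPorts -contains $port) { return 'p2p-port' }
    } else {
        $hostName = ([uri]$url).Host
    }
    foreach ($d in $socialDomains) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return 'social' }
    }
    return 'other'
}

# Sums bytes per user and category and returns one row per pair.
function Get-UsageReport([string[]]$lines) {
    $totals  = @{}   # key "user|category" -> bytes
    $pattern = '^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)'
    foreach ($line in $lines) {
        if (-not ($line -match $pattern)) { continue }   # skip blank/malformed lines
        $bytes  = [long]$matches[5]
        $method = $matches[6]
        $url    = $matches[7]
        $user   = $matches[8]
        $key    = "$user|" + (Get-Category $method $url)
        $totals[$key] = [long]$totals[$key] + $bytes
    }
    $totals.Keys | Sort-Object | ForEach-Object {
        $user, $cat = $_.Split('|')
        New-Object PSObject -Property @{
            User     = $user
            Category = $cat
            MB       = [math]::Round($totals[$_] / 1MB, 1)
            Flag     = ($totals[$_] -ge $flagBytes)
        }
    }
}

$report = Get-UsageReport ($sampleLog -split "`r?`n")
$report | Format-Table User, Category, MB, Flag -AutoSize
```

With the sample lines, alice’s social networking total (about 50.2 MB) crosses the threshold and is flagged, while bob’s 30 MB tunnel to port 6881 shows up under p2p-port without being flagged. Note the limitation for item 5): most peer-to-peer clients never touch the proxy at all, so this only catches clients that tunnel through it; firewall or flow logs are the better source for spotting them.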

US-CERT has an excellent article on social networking:

NetworkWorld Magazine has a good article with some slide shows on social networking security issues:

Cyber-Security in the White House?

Have to get back on my political soapbox for this one. One of the Obama Administration’s endeavors is to move certain tasks out of the departments of the experts who do these things and into the White House. For what reason is Obama doing this? I can only assume it is for the purposes of having more control. The census was moved from The Department of Commerce to the White House. President Obama wishes to move cyber security from The Department of Homeland Security (DHS) to the White House as well. I have no idea why. The DHS, of which US-CERT is a part, has an exceptional team of experts who monitor our Internet for malicious activity, and are in touch with the experts who can help us to mitigate damage caused by the many malicious processes out there. Are they going to move all these workers to the White House? I guess the regular Wednesday night pizza parties at the White House are going to really be hopping affairs. Wonder if the Obama kids will let the US-CERT folks play with the dog. As you can tell, I am adamantly against this. The White House is no more adept at managing computer security than they are at running car dealerships and banks. Now you know why I am spending so much time writing about political issues instead of technical issues. This administration is out of control, in my opinion.

Obama is about to appoint a new cyber-czar. You do the math on this one folks. 1. This is an appointed position, does not have to be confirmed. 2. This new “czar” (wasn’t czar a popular Russian title?) will answer only to the President himself. 3. This position is going to be strictly controlled by the White House. 4. The Obama administration wants to bring back the Fairness Doctrine to get all of the conservative talk shows off of the radio. 5. Talk show personalities such as Tammy Bruce have already started moving portions of their show to streaming Internet sites (Tammy’s weekend roundup show, of which I am a HUGE fan, will only be heard on streaming Internet beginning June 6, 2009). 6. Obama wants to control every aspect of these people’s ability to broadcast. 7. The Obama Administration has already deemed all conservatives and gun owners to be “Right-Wing-Extremists.” 8. The peaceful “New Revolutionary War” has already begun, and it is taking place with conservatives burning up the Internet with warnings of the dangers that going down this path is going to bring us.

Prediction: This new czar will have nothing to do with focusing on computer security, unless you consider censoring conservative blog sites, conservative streaming talk shows, gun clubs, the NRA and other pro-gun web sites, and tea party web sites as having to do with “security.” Gee – wasn’t this done in Germany quite awhile ago? Censoring freedom of speech and controlling information on the Internet is Obama’s sole agenda for this new czar. Stay tuned folks – this could get scary.

“Obama addressed concerns that the person might not have the budgetary and policy-making authority needed to force change. The coordinator, he said, will have ‘regular access to me.’”

Wrapping It All Up:

Don’t be surprised if it’s awhile before I write my next computer related article. I will try my best to keep you informed, but things in our country are just moving too quickly. Much of my time these days is spent building my 9.12 Project’s web site, adding new technologies to my gun club’s web site, and generally burning up the Internet on Twitter and my [political] blog sites with my opinions on how Obama and his ilk are ruining our country. As much as I love my chosen profession, I am even more passionate about my country and getting America back on track. Popular rhetoric would have you believe that our country needs to be “re-made.”

Re-made into WHAT, exactly? I say that we need to RESTORE our country. If we don’t restore America to what she was designed to be, nothing else in this profession will matter, in my opinion. For all you fellow conservatives out there, keep up the good fight. And for all you slobbering Obama supporting progressive radicals out there – how are his policies working out for you? Well – you’ll get back to me when you’re paying federal sales tax on all your goods, can’t get to many Internet sites any more, are being told what kind/color of cars you can drive and all that right? By the way – congratulations to all you fellow owners of GM.