Sunday, August 19, 2007

Laptop Security Starts with Physical Security

There has been a lot in the news lately about laptops getting stolen, and the resulting exposure of personal and other sensitive information. Protection of personally identifiable information (PII) has become a very hot topic lately, and there have been many instances in the news where PII has been exposed because of a stolen laptop. In fact, the Office of Management and Budget (OMB) in 2006 released a memo requiring government agencies to implement procedures to encrypt all agency sensitive data on laptop and other portable computing devices. This includes PDAs, Blackberries, cell phones, flash drives, and other easily stolen removable storage media. This article will be primarily discussing the loss of sensitive or personal information due to a stolen laptop or other device owned by an employer. But we could very well be discussing personal laptops and devices as well, because these security measures will apply to anything that contains data, is small, and can be easily lost or stolen. And in many cases the loss of your own personal data can be just as devastating to you as losing something that contained the data of others.

Much of what is being discussed to solve this problem involves implementing technological solutions. For example, laptops can be encrypted using something as simple as Windows’ built-in file and folder encryption, Windows Vista’s built-in BitLocker tool, or a wide variety of other full-drive encryption solutions. Blackberries can already be password protected and encrypted, and many flash drives come with built-in software to encrypt them. But while these technologies provide an extra layer of protection after the loss event occurs, they do nothing to prevent the loss. Data security is more about being proactive than it is about being reactive.

These technologies offer a valid and useful solution to this problem, to be sure. But I think people are overlooking a very fundamental non-technical solution that can really go a long way to preventing these exposures – physical security. I was talking with a colleague recently, and she brought up a very valid point – if people would just do more to prevent these thefts in the first place, then we wouldn’t be where we are today, with so many instances of people winding up in the news because they allowed a laptop to be stolen from them. She said, and I strongly agree, that physical security is being completely overlooked. In fact, I would go so far as to say that the advent of all these technological solutions is actually giving people more of a reason to be less careful about protecting their laptops and other devices from theft. And all these technological solutions protect you after the fact. Whatever happened to being proactive and using some prevention to avoid the theft in the first place?

How many times have we heard that a laptop has been stolen from a car? “But the car was locked,” “I was only gone for a few minutes,” “It was hidden in the back seat.” It only takes a fraction of a second to smash a window. And the thieves are getting clever and using electronic devices to help them detect if a car has a laptop inside. They can then be very selective about their targets, and easily do a “smash and grab” in very little time. “The laptop was stolen from my house. The house was locked. What could I have done?” This looks like a less preventable issue than having it stolen from a car, but let’s take a look at what they have in common, and what the underlying issues are. Then, we will come up with some methods that can be used to protect them in each case.

Standard of Care: To begin with, let’s look at the fundamental issue – if you are going to wind up in the news, it is because you did something to allow the personal information about many people to become compromised, or you were careless with a company’s secrets. The media couldn’t care less if you had your personal laptop stolen and your checkbook register, latest term paper, and resume were the only things that got stolen. If you are carrying around a laptop or PDA with a lot of PII and/or a company’s proprietary information, however, it means that you either have a piece of equipment provided by your employer, or you were keeping that information on your own personal equipment. First, I’ll discuss the latter – what do your company policies say about you storing business information on your own personal computer? They don’t have a policy? That’s another issue, and I won’t cover that in this article. But even if they don’t have a policy, what does common sense tell you about it? You shouldn’t do it, period!

Now let’s look at the former – your company provided your laptop and PDA for you, and you will need to surrender it upon request. It is provided for your use to perform company business. Your employer paid for it, and hopefully they have policies about your responsibilities towards safeguarding it. This is where the commonly heard term “standard of care” comes in. Your standard of care in protecting this equipment is far greater than the standard of care you most likely exercise in protecting your personal computing equipment. You are not only responsible for protecting the equipment itself, but you are responsible for protecting the data on it as well. This may be the data about thousands of people or the trade secrets about your company’s newest product! Losing it may wind up costing you much more than just the embarrassment of media attention. Your company can be sued, and you can be sued. Or worse – federal or other regulations may have been violated, and you and your employer could wind up facing criminal charges. Termination, jail time, fines, and a long miserable process of dealing with the unwanted attention are some potential outcomes. Those ideas alone should instill a new sense of urgency in your thoughts about “standard of care” and “due diligence.”

So what can be done? This is the relatively simple part because laptops, PDAs, flash drives, and such are small – they should be easy to protect. Here are some ideas that you may find useful while taking your laptop out and about, or even just leaving it in your home, hotel, or dorm room.

Physical Protection in the Car: A laptop is light – put it in a carrying case and take it with you – just don’t leave it in the car. Is it really that tough to have to take your computer case into Wal-Mart with you? If it is, then why are you running all these errands? Take the laptop home, lock it up (see the next section), and then go shopping. I know, I know: Wal-Mart is just on the way home, and with the high price of gas, it is much more economical to stop off on the way home and pick up a few things. That’s a decision you have to make – but remember what I told you about “standard of care.” You have an obligation to safeguard this equipment and the data on it. Be prepared to take the necessary steps to protect it.

My colleague had a clever idea: She said that if you absolutely must leave it in the car, buy a computer cable and secure it. I’ll add to that, put the cable in the trunk, secure it to the frame, then secure the laptop to the cable, in the trunk. The one thing to remember is that thieves who break into cars don’t usually have a whole lot of time to spend trying to get around physical security devices such as cables. They are looking for targets of opportunity – the “low hanging fruit” so to speak. If they smash a window in broad daylight, they need to get in and get out quickly. A cable presents a significant delay, and more chances for them to get caught. If it’s in the trunk they can’t even see it in plain view, making it that much more difficult. But again, do you really need to leave it in the car? I am now putting on my “electronics geek” hat and will tell you that leaving a laptop in a car in either extreme heat or extreme cold, or leaving it exposed to the sun, is just wrong on so many levels. Forget my 30+ years of experience working with electronics. You are damaging your computer, or at the very least shortening its life by doing that!

Physical Protection in the Home, Hotels, and Dorm Rooms: There are a variety of inexpensive cables and other devices you can buy to protect laptops these days. Cables that do everything from simply physically locking down the device, to emitting an alarm when cut or broken, can be purchased and easily installed. If you are going to leave that employer owned equipment in your house, secure it to the desk. Better yet, how about locking those things up? Remember, thieves look for the low hanging fruit. If they break into your house, they aren’t going to hang out finding ways to get into secured cabinets or safes, and wait for the police to show up – they need to get in and get out. A locked filing cabinet inside a locked office does not present them with an easy target, but it shows that you were practicing due diligence in protecting these items should some brazen criminal decide to take the time to break into those secured areas.

If you’re in a hotel, it probably means that you are on travel for your job. That being the case, it should be just a simple matter of fact that you are taking your computer with you when you leave for the day for your conference or other meetings. If you are in a hotel on a pleasure trip, then why, oh why do you have your computer with you? OK – you’re probably a workaholic geek like me. In that case, then the above applies. Or ask the hotel to lock it up in their safe while you’re gone. The standard of care is then at least partially on them.

College students – even though I have been primarily focusing on employer owned equipment and data, I just have to mention you in this article also. Many of you live in dorm rooms and have computers. While the level of sensitivity of your data isn’t nearly at the level of what I have been discussing so far, can you really afford to lose that paper that is due tomorrow, and that you have been working on all night? Does your dorm room have a steady stream of visitors? Do you know all the people who your roommate invites in? Get a computer cable and lock that thing to your desk! Even if it’s a big desktop computer – lock it!

The University of Arizona has a great security poster that gives some good tips on security in the dorm room:

University of Arizona Security Posters:
http://security.arizona.edu/index.php?id=780


Physical Protection While Out and About: It is easy to let down your guard when going to the coffee shop, waiting for a flight in an airport, or just hanging out in the park. These settings all provide classic examples of how computers get stolen. In one example, a television commercial depicts a guy sitting in a coffee shop who turns around to look at a girl, then turns back – the laptop is stolen! The punch-line is “what now?!” What now, indeed? How many times do you go to the coffee shop, leave your laptop on a table, and go back to the counter to get your coffee and a donut? All it takes is for you to turn your back for a moment and for your laptop to then go missing.

You wouldn’t leave your wallet lying on a table while you go off to do something else, would you? As was stated in a 2004 Security Watch article by Robert Vamosi, “…you should think of your laptop sitting on the table as a thousand dollars in cold cash; you wouldn't turn your back on that, would you?” Protect your laptop like you would your wallet or purse. Don’t take the thing out unless you are ready to use it, and you can be there to physically protect it. Robert also mentioned carrying laptops in nondescript bags. A great big black “Dell” bag is a good indicator that you are carrying a laptop. Use a padded backpack or something a little more plain.


Physical Protection While In the Office: We can’t discount security in the office or take for granted that just because your equipment is located in an office building it will be safe. First of all, just because it is in an office building, are you sure your employer’s policies don’t still hold you responsible for lost or stolen equipment? Start out by finding out what the policies are. Then, if they don’t already do so, ask your employer to purchase a security cable to secure that employer owned laptop. A number of recent articles have indicated that many, if not most, security threats come from within the organization. This can include coworkers or building custodial staff. How many people have access to your work area? If you are in a typical cube-farm, then nothing is secure. All of your work area is fair game for people to cruise around looking for easy targets.

If you are going to leave a laptop in the office or cubicle overnight, then lock as many things between public access and your equipment as possible. If it’s an enclosed office, and you are able to, lock the door. Secure the laptop with a cable or lock it in a file cabinet. Don’t lock it in one of those cubicle cupboards that someone can just lift off of the wall to get to the contents, but in a file cabinet that is solid on all sides. Lock up any PDAs, flash drives, or portable storage units that you don’t take home with you. And since we’re talking about securing data in all of its forms, put away and lock up any paper, CDs, disks, or any other things that have sensitive information on them. Many organizations have a “clean desk” policy in place. And no, this doesn’t mean to take 409 and wipe down your desk every day. It means to put away and secure all items containing information: PDAs, paperwork, sticky notes, micro-film, secret decoder rings, everything!

An important note about those cables: If you do take your laptop home with you, don’t leave the cable just lying there on the desk with the combination dialed in. All someone has to do is come by, test the unlatching mechanism, and if it works, they can then look to see what the combination is. And dialing one of the numbers to one digit off won’t do it either. Set the dial to all zeros – don’t leave any clues at all. If you leave the combination dialed in, or close to it, on that cable, it doesn’t matter if you lock that laptop with the cable or not. The potential thief then has the combination and can just come back later. If you do use a combination lock instead of a key lock, change the combination periodically, just as you would change your network password periodically.


Wrapping It All Up:

There are a wide variety of technologies now available to protect the data on your laptop or PDA should it get lost or stolen. But those things protect the data after the fact, provided they are in place and functioning. You still lose hours of hard work and an expensive piece of equipment. The real goal is to use some prevention and keep the asset from being lost or stolen in the first place.

Don’t be in such a hurry while running your errands that you leave an unsecured laptop in a car. Windows can be smashed and the laptop taken in seconds. Are you aware of your surroundings? When you leave the laptop on a table in a coffee shop, are you sure it will be there when you return? How about in hotel and dorm rooms? Are you sure the housekeeping staff is completely honest? Are your dorm room roommates having a lot of visitors? There are so many variables and so many possibilities to have equipment go missing.

Physical security is a preventive measure that should be taken seriously. Don’t rely solely on technologies to make data unobtainable through encryption – keep it from getting stolen and exposed in the first place. There are a variety of low-tech to no-tech solutions to keep you from losing your equipment. Cables, keeping the item with you, good file cabinets and locked doors will all add a significant measure of protection and security. It all begins at the lowest layer – physical security!


Additional Resources:

Security Watch: How to Protect Your Laptop While on the Road
http://reviews.cnet.com/4520-3513_7-5145310-1.html

Washington Post – “OMB Sets Guidelines for Federal Laptop Security”
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html

Security Posters:
http://www.us-cert.gov/reading_room/distributable.html

Georgetown University Safe and Secure Computing Quick Start Guide:
http://www3.georgetown.edu/security/10574.html

University of Arizona Security Posters:
http://security.arizona.edu/index.php?id=780

IA Newsletter – Defense in Depth
http://iac.dtic.mil/iatac/download/Vol3_No2.pdf

Information Security Magazine - Laptop Security:
http://infosecuritymag.techtarget.com/articles/february01/features_laptop_security.shtml

SearchSecurity.Com - Elements of a Security Program:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210562,00.html

NIST SP800-100:
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf

Wednesday, July 04, 2007

Types of Vulnerabilities and Their Impacts:

With all of the different types of vulnerabilities and security warnings these days, one of the most frequently asked questions is what all of the various types of attacks actually do. If we take a step back in time and look at what some of the early attacks did, it puts into perspective just how sophisticated and damaging the latest attacks have become. Attacks on computers and the data they contain have come a long way in a very short time. With most of our computers now networked and attached to the Internet, our data can be attacked from far, far away, and the results can be devastating. The attackers have also found that stealing data, finding weaknesses, and disrupting services are all lucrative endeavors that other thieves are willing to pay for. And if you haven't already, see my review of TechEd 2007 for more information on security and attacks.


A Look Back at Some Early Computer Attacks:

Let’s go way back to the day of the early PC when they were not yet networked to any great extent. The networking architecture back in the day was known as “sneaker-net,” where the method of sharing files was literally by manually sharing floppy disks and physically handing them from person to person. “Sneaker-net” got its name because of the idea that you had to put on your sneakers to make the long journey to get the disk to the person you wanted to share with. The most common type of attack at that time was the virus. Worms and backdoors typically weren’t useful because of the lack of remote connectivity. Trojan horses were usually not in the form of remote access programs, but they did exist in the type that looked like usable programs, and they would perform some other hidden function such as corrupting files or erasing the hard drive.

In those days, viruses typically got onto a computer by someone putting an infected floppy disk into the machine. This was often by way of an infected game program, or someone using the same disks they used at school in their computers at home. There were a lot of viruses on college campus computers in those days, making it fairly common to catch a virus by using a computer at school. I remember when I took a computer hardware repair course at a local junior college back in the early 90’s: I built a completely separate computer at home to do all my labs and class homework, aside from the computer I used to do all my word processing and other work to prevent getting a virus on my main machine. There was also a lot of software swapping (today we call it piracy), and it wouldn’t be uncommon at all for people to pass infected disks to many people. I remember being called to check out one of the office PCs where I worked and found a computer screen displaying the message: “Your computer has just been Stoned.” The Stoned virus was a very common early virus and would format the hard drive, then display that or a similar message. I asked the person what they had been running, or particularly had installed on the computer lately, and the reply was (of course) “Nothing!” I looked beside the computer to see a floppy diskette containing a golf game. I scanned the floppy, and sure enough, there was the Stoned virus.

Back then the main damage caused by viruses ranged from an annoying pop-up message of some sort, to a complete format of the hard drive. Some viruses would go off randomly, some would go off on a particular day and time. The “Joshi” virus, for example, always went off on the day of the year of Joshi’s birthday – the virus writer had dedicated a virus to their dead son. Remember Michelangelo? Same type of virus – went off on a particular day. Since computers weren’t typically networked, and the Internet was not used by us common folk, the concept of the worm did not yet really exist. Neither did the idea exist of people stealing data or damaging systems over a network or the Internet itself. But now, with networks and the Internet being such ubiquitous parts of our lives, “sniffing” network packets to steal passwords, intercepting and altering data before sending it on to the correct recipient, and even using tactics to deny access to certain web sites or databases are some of the very common attack methods.

Today, we have networks, the Internet, email, and a variety of other ways for computers to be attacked by others who may even be on an entirely different continent. I remember in 1990, there were fewer than 1,000 viruses. Last I checked there were over 50,000 viruses, including their variant forms. When I attended the recent Microsoft TechEd conference (see my review here), it was revealed that 82% of all email today is SPAM. Much of the SPAM out there these days contains phishing attacks and links to malicious sites.

Another startling fact that was mentioned was that there were currently 3,700 distinct malicious variants of one particular type of image file that exploit the WMF vulnerability found in early 2006. There are also 38 million plus pieces of other potentially unwanted programs (PUPs) circulating on the Internet. We also have worms, Trojan horses, backdoors, remote exploits, and a variety of other ways for our computers to be vulnerable.

So I wanted to take a look at some of the more common types of attacks and what kinds of impacts they can have. I am discussing the attack impacts in this article – but the attack itself can come in the form of any of the methods I just mentioned, as well as by attackers luring users to malicious web sites or convincing them to open an infected email attachment, in an attack method known as social engineering. The various attack vectors are too many to mention here, but I thought it important to at least discuss the impacts that attacks commonly present. The bad news is that this article only scratches the surface of what is out there.

Keep in mind that the objective of any of these attacks is to violate security. The three basic tenets of computer security are the three parts of the C – I – A triad, as defined below:

  • Confidentiality: not exposing personal or sensitive information to unauthorized people;
  • Integrity: not having data altered so that it is inaccurate, incorrect, or unusable;
  • Availability: being able to get to your data or information services when you need to.

An attack can be focused on one or more of those three aspects of data security, and can come in a variety of ways. So let’s take a look at some of the various impacts of malicious attacks:


The Methodologies and Impacts:

File transfer location tampering: This mainly consists of capturing data in transit and re-routing it to a location other than the one that was intended. If someone is transferring financial or other sensitive data, the attacker can get hold of that data for identity theft, corporate espionage, or other reasons. It is obvious that the data falling into the wrong hands is often a devastating problem and can result in serious damage to an individual or corporation. The attacker may make their attack less noticeable by capturing the data and then forwarding it on to the correct recipient. The intent is not to prevent data from being correctly transmitted. The intent in this case is simply to steal the data and use the information for financial gain. The criminal can get more mileage out of this attack by making it less noticeable that it is happening. A variety of methods can be used for this, including ARP poisoning and various other methods used for “Man in the Middle” attacks.

Elevation of privileges: This is a very common result of an attack, and can lead to other types of attacks or more serious outcomes. If an attacker can get administrator-level privileges on a computer, then they can basically do anything they want. This includes taking control of the computer, installing other malicious software, deleting files, changing configuration settings, and doing many other high-level tasks that only an administrator can do. This is why it is so important to use your computer (especially while on the Internet) as a limited user. If you are on the computer as a user with no administrative privileges, it makes it much more difficult for malicious code to run and do damage. Windows Vista addresses this very serious concern by implementing a feature called User Account Control (UAC) and having Internet Explorer operate in a limited user capacity.

Remote code execution: You are probably already starting to see that many of these attack outcomes do many of the same things. That is true. Remote code execution allows an attacker to remotely take control of a machine, run code, execute programs, and do many other things that can lead to damage, data loss, data theft, or other harm to your system. But additionally, if someone can remotely use your machine to execute code, they can also turn your computer into a “zombie” and use it to attack other systems. This often results in what is known as a “Distributed Denial of Service” (DDoS) attack. See “Denial of service” below for more information. The Windows Vista UAC feature mentioned above also helps to address this type of impact.

Denial of service (DoS): Remember the three parts of the information security triad are “Confidentiality,” “Integrity,” and “Availability.” This particular attack outcome is that of taking away the availability of your system, or of other systems’ ability to access its resources. There are a variety of ways to do this: crashing a system, tying up a system’s resources so that it can’t process data properly, or creating huge amounts of network traffic so that others trying to access a system cannot get to it because of the sheer volume of traffic. If a process can drive your CPU’s usage up to 100%, then your computer is almost useless and you have a hard time getting work done because it is so slow. If a web server is flooded with bogus SYN packets (part of the process that is used to request a connection with a web server), then the web server cannot provide the requested web pages or other data.

Distributed Denial of Service (DDoS): This is simply a case of all of the above attack attributes, mentioned in “Denial of Service,” being performed by many computers simultaneously. In fact, this may be a combination of the above attacks where some code has been planted on and executed from a compromised computer. These many “zombie” computers simply take commands from a central attacker to flood the network with attack packets and cause the target (the web server, as in the case above) to be literally flooded with connection requests, and no longer respond to anything. This means that the target is then unavailable, and is thus “denying service” to all legitimate computers that try to connect.

Modifying information: This impact is specifically aimed at changing the integrity (the “I” in C-I-A). As in the case of file transfer location tampering mentioned above, the goal here is to intercept information before sending it on. However, the intent is not just to steal the information to use it for financial gain later. This type of attack may be carried out for a few different reasons. In one example, the data may be modified so as to actually cause damage to an organization by making their data incorrect and therefore useless. The purposely injected errors may be extremely difficult to locate, causing extensive staff-hours of research to correct. Another example of the usefulness of this type of attack is to divert financial transaction amounts for financial gain. The easiest way to illustrate this is the case of someone billing you $100 for goods or services that only cost $90. They input into the system that the services cost $90, that they billed you for $90, and that $90 was received from you. They then pocket the other $10 for themselves. You may have seen the movie “Office Space,” where the guys injected a so-called “virus” into the system that took the rounded interest (fractions of a penny) and diverted it to an off-shore account for themselves. To make a good plot, the plan backfired, and they ended up with way too much money and were in a position of being easily discovered. This is another aspect of this type of attack: to make the interception, modification, and theft of data difficult to detect.

Spoofing: Simply doing any of the above, but making the attacker’s identity appear to be that of someone else, is known as spoofing. This can manifest itself in a few different ways. One way is for an attacker to get your login credentials, log in as (or appear to log in as) you, and perform tasks under your name. If Bob (the attacker) logs in as Gary, and deletes a bunch of files, the audit logs will show that Gary did it. Gary gets blamed and has a hard time proving it wasn’t him. Another type of spoofing comes in the case of DoS and DDoS mentioned above, where requests for a web site, for example, are sent, but the return network address of the computer is purposely changed. The acknowledgement then gets sent to an address that either doesn’t exist, or is that of a computer that did not make the request. In the meantime, the web server is waiting for the remote computer’s acknowledgement to its acknowledgement (the SYN, SYN-ACK, ACK process in the TCP three-way handshake). This is one way in which DoS works – the target machine is tied up waiting for acknowledgements from a computer that doesn’t exist, and is then too busy to service legitimate requests.

Theft of sensitive information: As in the case of modifying file transfer locations, the primary purpose of this type of attack is as its name implies - to steal data. Remember, this is the “confidentiality” part of the C – I – A triad; exposing data to unauthorized people. Modifying file transfer locations involves intercepting data, stealing it, possibly modifying its contents, then possibly (or not) sending it on to its intended recipient. This is just outright theft. Many of the other previously mentioned impacts can contribute to a criminal’s ability to steal information. If an attacker can elevate their privileges on your machine, for example, they can browse all of the folders on your computer, not just the folders available under a limited user’s logon context. There may be a variety of reasons for stealing data from a computer, including using the data for identity theft purposes, stealing proprietary information, or stealing password files so as to crack them and use them to gain further system access.

Buffer overflow: A buffer is simply memory space used to temporarily store data. For example, your computer has buffers for receiving incoming communications until it has a chance to process them and put them into the appropriate place in memory for the working application to access and use to do work. This space is not infinite. If the buffer can purposely be filled up, in some cases the excess data will simply overflow (thus the term buffer overflow) out of the buffer and have unpredictable results. This type of attack simply involves sending a computer more data than it can handle so that excess data spills over into areas of memory used to execute code. One thing that attackers have found is that certain vulnerabilities exist that are susceptible to these buffer overflow attacks. They will craft a specially formed packet that contains a large amount of data and send it to your computer; the buffers will fill up, and the excess data will overflow into parts of memory where it can be executed. This code execution may result in things used to crash a computer, elevate privileges so that other attacks will work, or a variety of other undesirable things.
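The root cause described above, an unchecked copy into a fixed-size buffer, shown beside the length-checked form that prevents it. This is an added example, not code from the original post; the buffer size and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size receive buffer, standing in for the buffers the post describes.
 * The size is constructed for this illustration. */
#define BUF_SIZE 16

/* Vulnerable pattern (the "before"): strcpy stops only at the NUL terminator,
 * so any input longer than BUF_SIZE - 1 bytes is written past the end of buf
 * into whatever lives next to it in memory (other variables, saved frame data).
 * Kept here for contrast only; never call it with untrusted input. */
void copy_unchecked(char *buf, const char *input) {
    strcpy(buf, input);
}

/* Hardened form: measure first, refuse anything that will not fit (counting the
 * NUL terminator), and only then copy. Returns 0 on success, -1 when rejected. */
int copy_checked(char *buf, size_t buf_size, const char *input) {
    size_t len = strlen(input);
    if (len >= buf_size) {
        return -1;          /* would spill past the buffer: reject it */
    }
    memcpy(buf, input, len);
    buf[len] = '\0';
    return 0;
}

/* How many bytes an input would write beyond a buffer of the given size
 * (0 when it fits). Handy for reasoning about where the excess would land. */
size_t overflow_bytes(size_t buf_size, const char *input) {
    size_t needed = strlen(input) + 1;   /* payload plus NUL terminator */
    return needed > buf_size ? needed - buf_size : 0;
}

/* Simulates receiving one message into a local fixed-size buffer using the
 * checked copy. Returns 0 if accepted, -1 if the message was rejected. */
int receive_into_fixed_buffer(const char *input) {
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, input);
}

int main(void) {
    /* Constructed sample inputs: one that fits, one 32 bytes long. */
    const char *short_msg = "hello";
    const char *long_msg = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short message: %s\n",
           receive_into_fixed_buffer(short_msg) == 0 ? "accepted" : "rejected");
    printf("long message: %s (%zu bytes would overflow the buffer)\n",
           receive_into_fixed_buffer(long_msg) == 0 ? "accepted" : "rejected",
           overflow_bytes(BUF_SIZE, long_msg));
    return 0;
}
```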


Wrapping It All Up:

Attacks come in many forms, and have many different purposes and impacts. They are meant to do everything from being a minor annoyance, to disrupting service, to stealing data, to the outright destruction of computer information systems. As I mentioned in my review of the TechEd 2007 conference (see my article here), data thieves have found that personally identifiable information is worth money. Whereas the hackers of old just wanted attention, the people doing the attacking these days are criminals, plain and simple. They want to make a living by stealing your data, stealing the data of a competing company, or interrupting service. When they find a vulnerability and a way to exploit it, they can also sell the exploit for money. And they have found a variety of ways to conceal their attacks and keep the consequences undetected for a long time.

There is good news: many of the attack impacts mentioned here are preventable. Good antivirus software, malware protection, firewalls, and above all keeping patches up to date will block many of the exploits. I have told people over and over about the dangers of clicking on every single link they get in an email, especially when that email is from someone unknown to them. Even emails from people you trust are suspect these days, because malware can use the sender’s own address book and email client to send out mass emails without their knowledge, and the recipients will think the message came from them. But that too is preventable: use diligence and awareness when reading email, and especially when browsing the web.


Additional Resources:

Thursday, June 21, 2007

Views From Microsoft TechEd 2007

Day 1: 6/4/07

The first day of any event like this is always the most – well – hectic. People everywhere! Thousands of computer geeks all trying to go in different directions through a convention center, but at the same time all trying to get to the same place – the place where the food is and the opening keynote speech. Once the keynote was done, things sort of calmed down as people went to the various breakout sessions. This convention center is huge! They could fit a few football practice fields in this one building alone. In the main building where the breakout sessions were held, it is a quarter of a mile from one end to the other. And given that some sessions were on one end, and some on the other, we walked this quarter mile span several times a day. The images of the main expo area don’t begin to do this place justice, insofar as giving a good depiction of the size of this facility. The building we were in was around a million square feet, according to sources we asked. And it was carpeted from wall to wall. Had to be one big, honkin’ vacuum cleaner they use in that place!

There were a number of new tools being introduced and discussed in depth. The problem with this conference is that we geeks were like kids in a candy store – so many presentations, but how to decide which ones to attend was a real challenge. I think I changed my schedule a thousand times!



Day 2: 6/5/07

Two recurring themes are emerging from the sessions so far: User awareness and risk analysis are key elements of the security of any system. Many of the technologies that continue to surface still have the interesting aspect of the “man-to-man” factor. That is to say: no matter how secure any new software code developments have become, the weak link is still the human. For example, if a human still clicks on every email link presented to them, then they are still putting their systems and data at risk.

On a final note, Steve made an interesting point by asking the question: “Is email even useful anymore?” He gave a (not too surprising) statistic that 82% of all email is spam: unsolicited email sent either to sell you something or just to discover whether your email address is active. I might even classify the endless forwarding of jokes, hoaxes, and other misinformation in this category as well. I mean really – of the 20 or 30 emails I get at home per day, maybe three of them are information I can use, or are “real” correspondence from a friend or relative. I never really hear from people anymore – I just get forwarded jokes on a daily basis. Oh well – at least I know they are still alive and well, which is a bonus.


Day 3: 6/6/07

One of the most interesting presentations so far: “I Can Hack Your Network in a Day” by Marcus Murray. He gave live demonstrations of the various ways to infect a computer with a Trojan horse, take over that computer, and potentially an entire network. The striking thing about this presentation was how easy it is to create a Trojan horse program, send it to a gullible user, and get them to execute it on their computer. This is one of the big reasons I harp so much on the dangers of clicking on unknown links in emails and opening email attachments; it is exactly how these attacks get perpetrated and proliferated. It also made a very heavy argument for patching. There are exploits for everything, and more appear by the day. Keep your patches up to date, and stay on top of information about new threats. And quit clicking on unknown email attachments!

A presentation on Microsoft threat research by Vinny Gullotto revealed that 3,700 distinct malicious WMF files exploited the part of Windows fixed by the MS06-001 patch. This really puts things in perspective, because I remember the scramble we went through in early 2006 to get that patch deployed as soon as possible. Vinny mentioned that 38 million+ potentially unwanted programs (PUPs) currently exist, which includes adware, viruses, remote control programs, Trojans, bundled software, and other modifiers. This is staggering, as it really illustrates just how big our job as security professionals has become. Some resources that Vinny mentioned are the Virus Information Alliance (VIA), the “Wildlist” for viruses, and the Anti-Spyware Coalition (ASC).

Another extremely interesting and energetic presentation was given by Laura Chappell, using Wireshark for troubleshooting a slow network. Like the Marcus Murray presentation, she ditched the PowerPoint slides and showed live demonstrations of packet trace files and showed how to use the Wireshark packet sniffer to analyze packets to get to the bottom of network and computer communications problems. The presentation was extremely interesting and she did a good job explaining the tools and methodologies. It was amazing to find out how much traffic is being generated in the background by an infected computer, just during the boot-up process. Her methodologies illustrated how looking at TCP/IP traffic can tell a lot about what is causing problems with an individual computer, as well as those on an entire network.


Day 4: 6/7/07

Today started with a presentation to get an insight into how Microsoft deals with IT security internally within their company. With over 500,000 computers and 120,000 to manage, security is not an easy task, but Microsoft appears to have some sound strategies in place to handle it, whereby information security is process driven and based on industry standards. The IT security staff at Microsoft makes up approximately 4% of the entire IT staff. Much of what is done related to IT security within Microsoft revolves around the Enterprise Risk Management Framework and the Trustworthy Computing Initiative. Policies are published, and industry standards are put into place to ensure security. Executive sponsorship of the IT security tenets is very strong at Microsoft as well, which is one leading factor in the success of such programs. In many organizations, IT security is viewed as a “tax to the business.” That is to say that users view the security practices as burdensome and preventing them from doing their jobs.

Technology such as network access protection (NAP), BitLocker (Windows Vista’s full-volume encryption) on laptops, and two-factor authentication are some of the things Microsoft uses internally to ensure security. These technologies provide sound and secure methods to keep an environment secure while still enabling people to do their jobs.

What most impressed me about Microsoft’s internal information security stance was that they made their employees sign acceptable use policy acknowledgement statements, and that non-compliant (i.e. un-patched) machines were denied access to the network until they became compliant. If a company like Microsoft can implement these types of processes, then why are so many of our other companies having such a hard time doing it? I think part of the answer rests with the fact that many users are unaware, many users view the IT staff as the “network janitors” and many people simply view IT security as a tax (burden) on business processes.

Mark Russinovich presented a talk on the changes in the Windows Vista kernel. Some of the notable new features in Vista include User Account Control (UAC) and some features that provide better performance. This includes such things as delayed-start services, so that they don’t all try to start up at once. Many who run current and older versions of Windows can attest to the fact that all the services trying to start at the same time can really make the boot process painful.


Day 5: 6/8/07

The final day of the conference! On one hand, I want to hurry up and get this over with so I can just go home. I have been on travel a lot lately – three trips (including this one) since the middle of April. Living out of a suitcase and eating at Denny’s is getting old. On the other hand, there were so many presentations I wanted to see, but didn’t get to because of conflicts with other presentations, and wanting to visit the vendor expo. The crowd has really thinned out by now, but there are still quite a few people here. I will be interested to find out how many people were in attendance this year – had to be well into the tens of thousands.

They saved the best for last. I attended a few Mark Russinovich talks on the internals of Windows Vista, and on using some of his Sysinternals tools to troubleshoot systems. There are a number of free tools that fall under the former Sysinternals umbrella, but are now distributed by Microsoft. Mark Russinovich’s tools are extremely easy to use and leave a very small footprint on the system because they don’t get installed. By developing some troubleshooting skills and using these tools, the average IT technician should be able to troubleshoot systems much better. Troubleshooting is all about investigating and trying to see what should or should not be happening. Process Monitor and Process Explorer give a much more in-depth picture of what processes are running, how much of an impact they are placing on resources, and even which malicious processes are trying to spawn processes that can harm your system. Many of Mark Russinovich’s presentations from past TechEd conferences can be found on the web (see resources at the end of this article) – definitely worth a look.


The Conference in Review:

So what do most computer geeks take away from conferences like this? Well, I took away some very important ideas from this year’s TechEd conference: 1) The attackers, as well as their motivations and methods, have changed; 2) Everything in security must be approached from a risk analysis and economic standpoint; 3) People are still security unaware and must be educated; 4) Microsoft is (still) not the problem, as I have indicated in my blogs a number of times.

The attackers have changed: Notoriety and getting attention used to be enough for the bad guys. They just wanted to inflict damage, interrupt people’s lives, and get noticed for it. But they figured out that this kind of deviant behavior pays, so they are out to make a buck by finding vulnerabilities, writing exploit code, and stealing data.

Risk analysis is everything: It isn’t enough to simply say that you want to be secure. It is important to find out how high a priority your risks really are and implement appropriate protections. Security professionals have said it a million times: “Don’t protect a $10 horse with a $50 fence.” And in order to pursue projects to put appropriate protections in place, it is important to illustrate to management the economic benefits of these protections. Otherwise, they will just view security as another expense for which they won’t realize any benefit. As Jesper Johansson and Steve Riley put it in their book “Protect Your Windows Network: From Perimeter to Data,” you are implementing security “so that nothing will happen.” Meaning that the goal is for nothing to happen to your data, other than it being safe and accessible.

People are security unaware: It’s not that people are blatantly against doing the right thing, it is mostly a case of them not knowing what the right thing is. Further, they need to know how being secure will benefit them, not just that security is a mandated process. If people have some insights into why they need to be secure, the benefits and consequences to them personally, and how to do it, it will be much easier to get their buy-in.

The TechEd experience was unique. Not that I will be anxious to do it again (once is enough), but it was time well spent, and very informative. I got to see live presentations from some well respected names in the computer security biz, and had a chance to see some of the new technologies that Microsoft is producing.

To read the full review, find additional resource links, and see pictures of the convention center, read the full article here.

Friday, May 04, 2007

Security Tips To Keep You Safe While Traveling

As we approach summer, more and more people are once again thinking of traveling, both for business and for pleasure. TechEd is in June, and a variety of other techie conferences are not far behind. School will be out soon, making way for family vacations – although with the ridiculous price of fuel, I’m not sure how many people will be traveling. Even when only traveling for pleasure, many business professionals, as do I, take their laptops and PDA devices with them to be able to do work during a few “down” moments on their trip, or at the very least to have a way to keep tabs on their email and events at work. We geeks are such workaholics, aren’t we?

On a recent business trip to the east coast, I had the opportunity to once again enjoy my hobby of just sitting back and observing people. I was again reminded of just how complacent folks are about their security when it comes to using computers and other information technology enabled devices when on travel. This seemed to be especially true when using computers in public places – either their own laptops, or computers in hotel business centers. I am not sure if people are just in a hurry, or if they just really are not aware of the potentials for exposing themselves (in a “data” sort of sense, that is) while out and about.

There are a number of things I will talk about in this article having to do with ways to keep yourself (and your data) more secure when away on travels. Some of these things are as simple as using fundamental physical measures to shield your computer screen from curious eyes. Others involve the act of just taking the time to clean up after yourself when using a public computer, and yet other measures I will discuss simply involve the use of technology that is already built in to the devices that you are using. There really is very little to no cost involved in protecting yourself with these measures, but the cost of giving away your data can be huge and devastating. So let’s take a look at a few of the vulnerabilities we face everyday when on travel and some solutions for protection.


Shoulder Surfing:

If you are flying, your potential for vulnerability begins the very minute you get to the airport. Many people find that they have to arrive at the airport a few hours early just to make it through check-in and security, in order to make their flight on time. There is often a lot of “down time” here, so many people, as do I, pull out the laptop and the Blackberry, and do some work. In this setting, we are often in very close proximity to other people. Once we board the airplane, it is even worse. Unless you are lucky enough to be in First Class, you are sitting with your elbows right up against someone else’s, and their wandering eyes are just a foot or two north. Even if you aren’t flying, or have arrived at your destination, the local restaurant and the corner coffee shop are no different. When you sit down in that comfortable chair to enjoy your latte and do some work, there are countless wandering eyes trying to figure out what you are doing.

There are two main problems here. First of all, your neighbor (who is usually NOT minding their own business) is looking at your computer as you type in your username and password. If they can see your log-in box, they can see your username, and if your computer is joined to a corporate domain, they can see the domain name. As you type in your password, unless you are lightning fast, they can see you type the characters. I’m one of those “two-finger wonders” (I don’t touch type), so this is a particularly big problem for me. A devious person intent on harvesting such information (and they are everywhere, trust me) will be very good at following your keystrokes and will be able to obtain all the credentials needed to log in to your corporate network. They now have your username, the name of your corporate domain, and your password. All they have to do is get access to that domain, and they are in. Your account lives on the domain and is only cached on your computer, which means they can use it from any computer that can reach your corporate domain, such as through a VPN or other remote connection. Another danger is that if they are able to steal your laptop (more on this later), they will have access to the data on it. Remember – these people are everywhere. And if they are shoulder surfing to get your log-in credentials, they are also watching closely for an opportunity to grab your laptop as well.

The second (and more common) problem with being in close proximity to others is that they are often able to view what is on your screen. Are you working on a document with sensitive personal or company information? Composing an offline email that you really don’t want others (especially strangers) to know about? How about that PowerPoint presentation chock full of corporate proprietary sales or engineering data? Whatever it is, you have to either make sure you are only working on things that are completely dull and unworthy of your nosey neighbor’s interest, or make the screen un-viewable. In other words, either pick non-sensitive stuff to work on during these times, or find a way to hide the screen. For example, I usually pick some low-level instructional or procedure guide to work on while I’m flying, or just do some professional reading. I keep a lot of PDF white papers and “eBooks” from various online sources on my computer for reading while on the plane. My job is such that professional reading and just keeping up are large parts of my work anyway – so it’s not like I’m goofing off.

Solutions: For the password problem, if you are on a computer that is joined to a corporate domain, use a local account on the computer (one that does not have administrative privileges), and set a temporary password that will only be good for the duration of your trip. Of course, if you do this, you will have to make sure you know where to browse on the computer to get to your documents in your “real” account, because the profile you log in with will have a “My Documents” folder in a different location. I get around this by accessing only documents that I have placed on a flash drive. If you are not joined to a domain, then just set a temporary password, and set it back to your actual password when you get home. Another option is to get a small fingerprint scanner to use to log into the machine; it keeps the password off the keyboard where it can be watched. Many are small, portable, and just plug into the USB port. The newer laptops and tablet PCs even come with these built in. See my article on biometric devices for more information.

For the “prying eyes on the screen” problem, there are a variety of filters you can buy that will obscure the screen when someone tries to view it from other than looking at it straight on. This particular solution will also help to obscure your username and other login credential information as you log in. If they can’t see your username, the password will do no good. But again, don’t give them any pieces of the puzzle if at all possible. As I always tell people: “If they have even just your username, they then have 50% of the information they need to access your computer.”

Of course, being the wisenheimer that I am, if I notice someone trying to “catch a wave” on “shoulder beach”, I simply open a document, set the font to a larger size (to make sure they can easily read it), and then start typing in some juicy “official looking” verbiage. After a paragraph or two, I start a brand new paragraph, and type in “I think the nosey person sitting next to me is looking at what I am writing. I hope they enjoyed my previous two paragraphs. Now GO AWAY!” I have seen a red face or two resulting from that prank.


Using Flash Drives:

Flash drives are portable and can store a lot of data. Many people have resorted to using them because if they know they will have access to a computer at their destination, all they have to do is put their documents on the flash drive and leave the computer at home. Many cell phones and even iPods can be used for this purpose as well. The problem with these small flash drives is that they are easily lost or forgotten. It isn’t uncommon for someone to use them in a public or borrowed computer and then forget to take them when they are finished. A lost flash drive means lost data. Lost data can mean something as frustrating as losing work and having to do it all over again (if you didn’t have a backup copy somewhere else), or as devastating as putting sensitive information into a stranger’s hands.

Flash drives are cheap these days. If you lose the flash drive, you can just go get another one. But what about the data on the flash drive? Is it replaceable? Will it cost you if someone else has it? Another issue surrounding the ubiquitous nature of these things is that some people seem to have a whole lanyard full of them around their necks. Do you have a good inventory of how many you have? If one came up missing, how long would it take for you to notice? Kind of like the movie “Home Alone” where the family had so many kids that they didn’t notice little Kevin missing until they were in France!

Solution: The manufacturers of many of these drives have solved part of this problem for you. Flash drives have the ability to be encrypted, and the software to do that is often included with the flash drive itself. Typically, this encryption works by having you set up a password in order to access the data. You can encrypt all or only part of the flash drive’s contents. If someone gets a hold of your flash drive, they can access anything that is not encrypted, but will need to know your password to access the encrypted data. In some cases (depends on the drive and the encryption software), you can set your encryption such that if a number of unsuccessful password attempts occur the data on the drive will be erased. Know how many you have and keep track of them. If traveling, take only what you need – leave the other ones at home and in a safe place. I promise – they won’t miss you.


Using Common Area (Business Center) Computers:

Many hotels have business centers with computers to allow their guests to access the Internet and their web based email. In fact on my recent trip, I had full Internet access at the office I was visiting, but had to pay for Internet access if I wanted to use my laptop at the hotel. The only thing I needed after hours Internet access for was to check my personal email, and I wasn’t about to pay $10 just for 5 minutes of use. My remaining option then was to use the business center, since using those computers was free of charge.

A few problems present themselves in this scenario, however. One is that people use these public computers and often leave their surfing tracks for all to see. The other is that some people forget to just close out of their applications, and yet another is leaving those little flash drives plugged in for someone to come along and retrieve later. In fact, while in the hotel elevator on my most recent trip, I heard a woman telling her colleague that when he finished using the computer in the business center, he had left his email open, and she could have gone through all his email. Worse, she could have launched a few questionable emails in his name. This is truly a dangerous situation. What if it had been a stranger, and not a trusted colleague? That person could have read email, sent a few of their own (under the email account owner’s name), looked at the address book to get a list of names of people at the company, and just in general could do some serious damage. All this done under the name of the person who owns the account. How do you prove that it wasn’t you who did those things?

When I used one of the business center computers, I got curious and opened the browser history. I saw a plethora of email sites and surfing history. Wouldn’t be too hard to put together a few patterns and find out where some of these email servers existed. Depending on the cookies still on the machine, going to one of those sites may not even require me to log back in to access the account. The cookie would remember that I (or more accurately the email account owner) was just there and just let me right back in. This is especially true if the previous user had left the web browser open.

On a really malicious (and hopefully rare) side of things, a devious person could sneak into the hotel business center and put a keystroke logging dongle on the back of the computer between the keyboard and the computer, or in a USB port. Such a device is used to capture everything typed into the keyboard. Which means that they can get the URL to your banking site, the username and password for your banking site, and the contents of an email or anything else that you type into the computer. These key loggers have legitimate investigative purposes, but are inexpensive and can be obtained by anyone – including thieves. I say that this is (hopefully) rare, because most hotel business centers require a room key card to access – a person would (theoretically) have to be a paying guest in order to do this. But many public computers often do not offer such access protection as that provided by hotel business centers.

Solutions: For the reasons mentioned above, it is very important to pre-inspect the computer before and clean up after yourself after using a public computer. It takes a few extra minutes to do this, but you can’t put a price on the time it would take to straighten out the mess after you have been exposed because you didn’t have time to prevent these vulnerabilities. Here are some important steps to take when using public computers:

  • Do a quick inspection of the back of the computer and any USB ports to look for key logging devices. If you find something, and are not sure, contact the management immediately and have them investigate.
  • Never select the option to have “Windows remember me on this computer.” Do not allow the computer to store your username and password on the machine. Some web based email applications such as MSN will give you an option to tell it that you are on a public computer and not remember anything about your session.
  • Delete browser history, all temporary Internet files, and all cookies when you are finished using the computer.
  • Make sure you are logged out of any sites that you visited. Just closing the browser is not good enough. You must click the “Log out” link on the web site before closing the browser.
  • Close all instances of the web browser and all applications.
  • Make sure you take your flash drive when you leave.

Being the cheapskate that I am, however, my solution is that I try my best to only patronize hotels and coffee shops that provide complimentary Internet access to their guests. That way, I can avoid public computers altogether. But sometimes that just doesn’t work out, and I end up staying somewhere that makes me pay additional fees for access. In which case, the above solutions are a must.


PDAs/Blackberrys/Cell Phones:

Many of the same problems that exist with flash drives exist with these devices as well. They are small, easily lost, and can really store a lot of information. A Blackberry, for example is a phone, email client, and PDA all rolled into one. Emails, contact lists, to-do lists, documents, and personal journals are just a few of the things that can be kept on these devices. A lost phone device can not only give away sensitive data, but can give someone access to a free phone. And watch what you are discussing. What you say can be as revealing as anything else – especially if you are one of those people who puts everything on speaker phone, even when in public.

Solutions: Just as you can do with your flash drives, you can password protect and encrypt the data on your PDA as well. On my Blackberry, for example, I can password protect access and encrypt the contents. Not only that, but my Blackberry is set so that if someone types in an incorrect password ten times, the Blackberry erases all of the contents. Then, for added security, the data is encrypted, so that even if someone takes apart the Blackberry, and somehow gets the data off of the chip, the data is encrypted and unusable. Don’t discuss anything on your phone that you don’t want others in close proximity to hear. If you are sitting next to me on the plane, just don’t use your phone – period! I have no interest in what you have to say ;)


Laptops:

Saving the best and biggest for last: Laptops (and the data on them) need a lot of protection. They can carry a lot of data, and are very attractive to thieves. Keeping the laptop from being stolen is a job in and of itself, but if it does get stolen, there is more to worry about than just losing an expensive piece of hardware. Keeping the data on it from being compromised is the really important issue at hand, and if someone can access the data, they can potentially do a great deal of damage.

A big part of this problem is that even if the thief can’t log into the computer itself, once they have the computer (physically), they can remove the hard drive and put it into a computer that they can access. In fact, many data recovery techniques rely on taking the hard drive out of the failed (or in this case inaccessible) computer and “slaving” it into a working computer. The working computer’s primary hard drive allows it to boot, and the slaved-in hard drive contains data that can then be read freely, because the original operating system’s logon and file permissions are never consulted. More clever people have freely available tools such as Knoppix (Linux on a CD) that they can use to boot up the stolen computer itself, bypass the security of the installed operating system, and access the data on the hard drive. Knoppix can even be used to change the administrator password on the computer so that access can be gained through the more conventional method of booting up and logging in.

Solutions: There are some basic measures that will protect against access to a computer, but only as long as the computer is not stolen. Once the computer is in unauthorized hands, these measures can be quickly bypassed. You can set a BIOS password that will prevent the computer from being booted into the operating system, but this is bypassed by simply taking the hard drive out of the computer and putting it into a different one. Strong passwords for the operating system itself should also be used. As mentioned above, consider using temporary or “disposable” passwords. Small biometric devices, such as fingerprint readers, are fairly inexpensive, and many laptop and tablet computers have a fingerprint reader built in. Unfortunately, none of this protects the data on the disk: it can still be bypassed by putting the hard drive in another computer, or by using a tool such as Knoppix to read the hard drive’s contents.

Encrypting the hard drive contents will help a great deal, even if the computer is stolen. Windows XP can do this with its built-in file and folder encryption, and Windows Vista has a built-in tool called BitLocker. BitLocker, for example, protects the data even if the hard drive is transferred to another computer. The downside is that you must make sure you remember the password you use to log into the computer, or set up what is known as a “recovery agent”; otherwise you will lose your encrypted data.
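The two points above, that a moved hard drive defeats BIOS and login passwords but not machine-bound encryption, and that a forgotten password without a recovery path means lost data, can be checked on a fleet rather than taken on faith. The following audit script is an added example, not code from the original post. It assumes a Windows version that ships the BitLocker PowerShell module (Windows 8 / Server 2012 or later, so newer than the Vista-era tooling the post names), an elevated prompt, and the cmdlet `Get-BitLockerVolume`; the function name `Get-BitLockerAudit` and the finding text are chosen here.

```powershell
# Added example (not from the original post): audit BitLocker on every volume and
# flag the conditions the article warns about. Assumes the BitLocker module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    # Assumption: Get-BitLockerVolume (BitLocker module) is available on this host.
    $volumes = Get-BitLockerVolume

    foreach ($v in $volumes) {
        # Key protector types present on this volume, e.g. Tpm, TpmPin, RecoveryPassword.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A TPM-bound protector ties the volume key to this machine's TPM, so the
        # drive cannot be unlocked by slaving it into another computer. A recovery
        # password is the escrowed fallback that stands in for a "recovery agent"
        # when the PIN/password is forgotten or the hardware changes.
        $tpmBound    = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'

        $findings = @()
        if ($v.ProtectionStatus -ne 'On') {
            $findings += 'protection is OFF'
        }
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($v.VolumeStatus)"
        }
        if ($v.VolumeType -eq 'OperatingSystem' -and -not $tpmBound) {
            $findings += 'OS volume has no TPM-bound key protector'
        }
        if (-not $hasRecovery) {
            $findings += 'no recovery password protector (forgotten password = lost data)'
        }

        # IDs of recovery protectors, so they can be escrowed with
        # Backup-BitLockerKeyProtector (Active Directory) if they are not already.
        $recoveryIds = @($v.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })

        [pscustomobject]@{
            MountPoint     = $v.MountPoint
            VolumeType     = $v.VolumeType
            Protection     = $v.ProtectionStatus
            Encryption     = $v.VolumeStatus
            KeyProtectors  = ($types -join ', ')
            RecoveryKeyIds = ($recoveryIds -join ', ')
            Findings       = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage: print one row per volume; anything other than "OK" in Findings needs attention.
Get-BitLockerAudit | Format-Table -AutoSize
```

The script reports rather than changes anything. A volume showing `protection is OFF` or a status other than `FullyEncrypted` is exactly the case the article describes: the login and BIOS passwords are the only barrier, and a removed drive reads cleanly in another machine. A volume with no `RecoveryPassword` protector is the other failure mode the article names, where a forgotten password or a motherboard swap makes the data unrecoverable; the `RecoveryKeyIds` column gives the IDs you would pass to `Backup-BitLockerKeyProtector -MountPoint <drive> -KeyProtectorId <id>` to escrow the recovery password centrally.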


Wrapping It All Up:

There are many other dangers that I haven’t mentioned here, such as accessing wireless networks while on the road, but that is a topic in and of itself. Wireless encryption, making sure you are not accessing an “evil twin” wireless access point, and a few other issues will be discussed in an upcoming article.

But for the purposes of this article, I wanted to focus mainly on the more “physical” aspects of being secure on the road, as well as on using built-in technologies to protect your data. Shielding your laptop screen from roaming eyes and preventing laptop theft are important. If your laptop is stolen, knowing that you took measures to keep the data from being usable by unauthorized people is just as important. Other technologies, such as flash drives, cell phones, and PDAs, are small, easily forgotten, or easily stolen. Those items contain sensitive data as well, and must have data security measures proactively applied. Once the data is in unauthorized hands, it must be assumed that it will be used for malicious or illegal purposes. Even if you retrieve your items, it must also be assumed that the information was copied and will be used, unless you took measures to make it useless in the event of a loss.

It is easy to be complacent when traveling. And, unfortunately, there are plenty of people out there willing to take advantage of this fact. By taking a few extra moments to think about what needs to be protected, taking inventory of your technology-rich possessions, and taking the extra time to protect your data, you will ensure a more worry-free travel experience. If I ever go into a hotel business center and see that you left your email open – man – I will hunt you down! (After I email a few jokes to your whole company, that is.)


Additional Resources:

  • Theft tracking tools
  • Encrypting files and folders

Wednesday, May 02, 2007

The First 90 Days of an Operating System

People who know me know that I often complain about Microsoft systems because of the constant vulnerabilities they seem to have. "Patch Tuesday" is always an interesting time for me, as it typically provides a lot of work. But I read a recent article that outlined the vulnerabilities that occurred within the first 90 days of the life of various operating systems. It was funny to see that, of all the operating systems discussed in the article, Red Hat Enterprise Linux 4 Workstation Reduced actually led the way with the most vulnerabilities in the first 90 days. Also mentioned were Ubuntu Linux, Novell SLED 10, and Mac OS X 10.4, all of which had more vulnerabilities than Windows XP and Windows Vista combined.

It appears that 1) Windows Vista has made great strides in plugging security weaknesses, and that 2) the Linux folks need to reassess their stance on just how much more secure Linux is than Windows. A thought from someone who tests and deploys patches on Windows systems from month to month: I still see a lot of work to be done, but this article really makes us security professionals step back and realize that security vigilance is important, no matter what OS you are working with.

I guess what I am trying to say here is that there is a lot of stereotypical information about where the problems are. As I mentioned in a previous article: Microsoft is really not the problem. The problem is that people get so wrapped around the axle making assumptions about what they are familiar with. For example, the Linux people will swear that Linux is flawless, and the Novell people will feel likewise. Much vigilance gets lost when it comes to educating users and keeping up with the day-to-day maintenance of the systems you do have. Educate your users, keep your systems patched, and at the end of the day, you Windows users will have an environment that is every bit as safe as that which the Linux folks claim to enjoy.


Federal Information Systems - Information Assurance Reference

I wanted to take this opportunity to post a quick "cheat sheet" on the various resources needed for the certification and accreditation (C&A) of federal information systems, as well as some other related resources. A number of federal C&A things are changing. For example, rather than using the NIST 800-26 self assessment questions, C&A will be done by making assessments against the NIST 800-53 controls. Some organizations use NIST 800-53, and some use 800-53, Rev 1. Here is a quick list of the publications and regulations that apply to federal systems. Enjoy.

National Institute of Standards and Technology (NIST):

SP 800-100
Information Security Handbook: A Guide for Managers

SP 800-12
An Introduction to Computer Security: The NIST Handbook

SP 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems

SP 800-18
Guide for Developing Security Plans for Federal Information Systems

SP 800-23
Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

SP 800-26
Security Self Assessment Guide for Information Technology Systems

SP 800-27
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

SP 800-30
Risk Management Guide for Information Technology Systems

SP 800-31
Intrusion Detection Systems (IDS)

SP 800-34
Contingency Planning Guide for Information Technology Systems

SP 800-36
Guide to Selecting Information Technology Security Products

SP 800-37
Guide for Security Certification and Accreditation

SP 800-42
Guideline on Network Security Testing

SP 800-47
Security Guide for Interconnecting Information Technology Systems

SP 800-51
Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

SP 800-53
Recommended Security Controls for Federal Information Systems

SP 800-53 Rev 1
Recommended Security Controls for Federal Information Systems, Revision 1

SP 800-53A (DRAFT)
Guide for Assessing the Security Controls in Federal Information Systems

SP 800-55
Security Metrics Guide for Information Technology

SP 800-56
Recommendation on Key Establishment Schemes

SP 800-57
Recommendation on Key Management

SP 800-60
Guide for Mapping Types of Information and Information Systems to Security Categories

SP 800-61
Computer Security Incident Handling

SP 800-64
Security Considerations in the Information System Development Lifecycle

SP 800-70
Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers

-------------------------------------------------------------


Federal Information Processing Standards (FIPS):

FIPS 140-2
Security Requirements for Cryptographic Modules

FIPS 199
Standards for Security Categorization of Federal Information and Information Systems

FIPS 200
Minimum Security Requirements for Federal Information Systems

-------------------------------------------------------------


Office of Management and Budget (OMB):

OMB Circular A-123
Management's Responsibility for Internal Controls

OMB Circular A-130
Management of Federal Information Resources

OMB Circular A-130, Appendix III
Security of Federal Automated Information Resources

-------------------------------------------------------------


Laws and Regulations:

FISMA
Federal Information Security Management Act of 2002

-------------------------------------------------------------


Other Publications and Useful Information Assurance References:

CNSS
Committee on National Security Systems

Common Criteria
Common Criteria for Information Technology Security Evaluation

Common Criteria - An Introduction
Brochure: An Introduction to the Common Criteria Project

DIACAP
DoD Information Assurance Certification and Accreditation Process (will replace DITSCAP)

DITSCAP
DoD Information Technology Security Certification and Accreditation Process

GAO-05-231
Emerging Cybersecurity Issues Threaten Federal Information Systems

Mitre
Common Vulnerabilities and Exposures

NIACAP
National Information Assurance Certification and Accreditation Process

NIAP
National Information Assurance Partnership

NIATS
National Information Assurance Training Standard for System Administrators

NIST and SDLC
Brochure: NIST and the Systems Development Lifecycle (SDLC)

US-CERT
United States Computer Emergency Readiness Team

-------------------------------------------------------------


Topic Reference:

Security Certification and Accreditation
SP 800-37
NIACAP
DITSCAP
DIACAP

Security Categorization (C-I-A, High, Moderate, Low)
FIPS 199
SP 800-60