Latest Postings
  • 12 April 2009: Cybersecurity Act of 2009
  • 8 April 2009: Enterprise Clock Synchronization
  • 3 April 2009: Power Grid Susceptibility
  • 26 March 2009: Telecommuting Security Concerns and Recommendations
  • 25 March 2009: Web Application Vulnerabilities
  • 20 March 2009: Dumpster Diving and Security Leaks
  • 14 March 2009: Security Issues with Social Networks Overblown
  • 13 March 2009: SOA Security and Cloud Computing
  • 12 March 2009: Incident Response: What Not To Do
  • 9 March 2009: Verizon Wireless' Privacy Workaround

Cybersecurity Act of 2009

The 1 April 2009 Senate Bill S.773 is no joke, though much of it might fit that label. The so-called Cybersecurity Act of 2009, sponsored by Sen. John Rockefeller [D, WV] and co-sponsored by Sen. Evan Bayh [D, IN], Sen. Bill Nelson [D, FL] and Sen. Olympia Snowe [R, ME], is designed:

To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.

Some of the key items are:

  • The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards in order to enhance the cybersecurity of small and medium-sized businesses. However, it appears the federal government will only fund up to half of the costs.
  • The National Institute of Standards and Technology (NIST) will be the entity responsible for the cybersecurity standards.
  • There will be a national licensing, certification, and periodic recertification program for cybersecurity professionals.
  • Federal government will take control of IP addresses and DNS.
  • The National Science Foundation shall take control of computer and information science and engineering research as well as academic scholarship.
  • NIST will head cybersecurity competitions and challenges and will establish a secure products and services acquisitions board.
  • The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information.
  • The White House will create a cybersecurity plan, risk management plan, and an identity management and authentication program.

Whereas having a national cybersecurity program is merited, one must be careful about how much control to give the federal government. It is one thing for it to put restrictions on the what, when, why and how of federal agency security; it is another when it starts mandating what states, local governments and private businesses must do.

The bill will give the federal government (the President) the power to “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.” They shut down air traffic in the country in 2003 for a few days after 9/11; this would be similar.

How much power and control would it allocate to the major ISPs? How will the states fund the requirements? Will the business requirements and costs be overbearing for businesses? The federal government did it with Sarbanes-Oxley; this smells similar.

This is one to watch closely. It is sponsored by Democrats (Snowe is closer to a Democrat than a Republican), and most of their bills look plausible at first glance but turn out to be binding and liberty-restricting when the details are examined.


Enterprise Clock Synchronization

As a product manager for many computer networking and security products, one thing I was able to address multiple times across multiple product lines was making sure our products supported the Network Time Protocol (NTP). NTP was originally defined back in 1985 and is now detailed in RFC 1305. A client/server protocol, it is used by routers, switches, security appliances and many other classes of computing equipment.

Having consistent time stamps is essential for reliable logs and automated processes. A reliable time stamp is essential in forensics and in chain-of-custody verification.

According to a 2007 study by Florian Buchholz and Brett Tjaden of James Madison University in Virginia, more than a quarter of the Web servers on the Internet have their clocks off by more than 10 seconds.

During their six-month study of more than 8,000 Web servers, they found that systems with the wrong time frequently drifted—or jumped—in unpredictable ways. Some systems would get steadily slower or faster, and then jump back to the correct time. Other systems were rock solid in the rate at which time passed, but they were off from the correct time by minutes, hours, days or even years. Some systems followed the wrong rules for Daylight Saving Time. And some servers appeared to have multiple wrong times—that is, one query to the server would return one time offset, another query would return a completely different time offset, and subsequent queries would alternate between the two.

Luckily, enough product managers and developers have made sure that NTP is a standard product feature. All major operating systems across all platforms, from PCs, servers, network and security equipment to mobile phones and modern handheld units, support NTP. They typically sync up on boot and regularly check the NTP time servers to minimize drift.

Smaller businesses should make sure that their networking, security and server systems all support a validated NTP implementation. Making sure it is activated across the infrastructure is a simple thing to do in the good housekeeping world of information security.
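As an added example (not code from the original post), here is the client side of the NTP exchange the post refers to, in Python: the 48-byte packet layout shared by NTPv3 (RFC 1305) and NTPv4, the offset and round-trip delay computed from the four timestamps, and the sanity checks a client should apply before trusting a reply, including the study's 10-second threshold. The server reply and all timestamps below are constructed, so it runs offline.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET = "!BBBb11I"        # LI/VN/Mode, stratum, poll, precision, then 11 x 32-bit words
MAX_ACCEPTABLE_OFFSET = 10.0   # the study's threshold: more than 10 s off counts as "wrong"


def to_ntp(unix_ts):
    """Unix seconds (float) -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    ntp = unix_ts + NTP_EPOCH_DELTA
    secs = int(ntp)
    return secs, int((ntp - secs) * (1 << 32))


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(t1):
    """Client request (mode 3, version 4): only the Transmit Timestamp carries data."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    zeros = (0,) * 9   # root delay, root dispersion, ref id, reference/origin/receive stamps
    return struct.pack(NTP_PACKET, li_vn_mode, 0, 0, 0, *zeros, *to_ntp(t1))


def build_server_reply(request, t2, t3, stratum=2):
    """Constructed server reply: mode 4, Origin = client's T1, Receive = T2, Transmit = T3."""
    req = struct.unpack(NTP_PACKET, request)
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(NTP_PACKET, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0,            # root delay/dispersion, ref id, ref stamp
                       req[13], req[14],         # origin = the client's transmit stamp
                       *to_ntp(t2), *to_ntp(t3))


def parse_reply(packet):
    f = struct.unpack(NTP_PACKET, packet)
    w = f[4:]   # the 11 words that follow the 4 header bytes
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1],
            "origin": from_ntp(w[5], w[6]),   # T1 as echoed back by the server
            "t2": from_ntp(w[7], w[8]),       # server receive time
            "t3": from_ntp(w[9], w[10])}      # server transmit time


def clock_offset(t1, t2, t3, t4):
    """RFC 1305 clock filter inputs: offset of the local clock relative to the server
    (positive means the local clock is behind) and the round-trip delay."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def check_reply(reply, t1, t4):
    """Checks a client should make before acting on a reply; returns (offset, delay, problems)."""
    problems = []
    if reply["mode"] != 4:
        problems.append("not a server reply")
    if reply["leap"] == 3 or not 1 <= reply["stratum"] <= 15:
        problems.append("server clock unsynchronized")
    if abs(reply["origin"] - t1) > 1e-6:
        problems.append("origin stamp does not match our request (stale or spoofed reply)")
    offset, delay = clock_offset(t1, reply["t2"], reply["t3"], t4)
    if abs(offset) > MAX_ACCEPTABLE_OFFSET:
        problems.append(f"local clock off by {offset:.3f} s")
    return offset, delay, problems


if __name__ == "__main__":
    # Constructed scenario: local clock reads 2009-04-08 00:00:00 UTC, server is about 12 s ahead
    t1 = 1239148800.0
    req = build_request(t1)
    reply = parse_reply(build_server_reply(req, t2=1239148812.25, t3=1239148812.5))
    print(check_reply(reply, t1, t4=1239148800.5))
```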


Power Grid Susceptibility

I have read with interest over the years about people concerned that unauthorized access to an electric provider’s command and control center (any utility, for that matter) will result in losing control over the power distribution. The fear goes that “the intruder could shut down power to a city, a neighborhood, a specific building; chaos would ensue.”

An article this week in Computerworld commented on a report released by IOActive, a Seattle-based security consultancy. It mentioned that an ”emerging network of intelligent power switches, called the Smart Grid, could be taken down by a cyberattack.”

Whereas I do not doubt the possibility, I question the likelihood.

Where does the primary concern rest with this? Probably with the electric utility.

What about the average business? Should they be concerned? Should there be an action item here? Hardly. Just good security practices: deploy UPS units, back up data in multiple locations, and create disaster recovery and contingency plans.

Power grid hacking is one thing I never lie awake at night thinking about. I doubt the utility plant manager does either — protecting his operation against these types of outages is part of his daily job.

Update 4/8/09: The latest is that cyberspies from China, Russia, etc. have penetrated the U.S. electrical grid and left behind Trojan software programs. The scary thing is that the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies.


Telecommuting Security Concerns and Recommendations

I am a telecommuter. Over the past 13 years, I have worked some of the time out of my home office, in some cases 100 percent of the time. For the past three years, it has been at least 75 percent of the time, going into the office twice a week on average to coordinate face-to-face with my colleagues.

About 15 years ago, I worked for a mid-sized company that had a dual-authentication policy for remote access – clear-text dial-up with SecurID one-time password authentication. At the time, we were on the leading edge.

Aside from the SecurID token, in all my professional working life I do not recall ever being given a remote computing policy by a company I worked for. However, as a security professional, I have realized the importance of following sound practices and have taken matters into my own hands. Some of the things I have done and encourage others to do are as follows. Some of them were addressed in a recent CSO article, 4 Telecommuting Security Mistakes.

  • Careless use of Wi-Fi and accessing unsecured networks — if you have a wireless router (most homes do), make sure it is secured using modern technology (WEP does not count). Make sure you change the default settings and try to make the configuration as obscure as is reasonable. My SSID is not HayesWIFI. I actually prefer using a wired connection. I have this phobia that the integrated Wi-Fi radio a few inches from my head is giving me brain cancer.
  • Letting family and friends use work-issued devices — an easy rule for everyone. This computer or these computers that belong to dad or dad’s work, mom or mom’s work, spouse or spouse’s work are for his or her use only. Avoid the plea to allow your family members to use the laptop for a school presentation … even if it is just “this one time only.” Let all know that dad cannot risk anything happening to it, as it might impact his ability to earn a living. Lock it down (Kensington locks) and make sure you use timeout passwords.
  • Altering security settings to view Web sites that have been blocked by the company — never a problem for me, as I have never had a corporate-assigned policy on my laptops. If you do have one, then regardless of how unreasonable the policy is, accept it. If you feel the site or sites are blocked and you have a business need to access them, make your case.
  • Leaving a work-issued device in an unsecured place — whether it is a laptop/notebook or PDA, make sure it is physically secured. It does not belong for any length of time on the passenger car seat (theft), kitchen counter (food and liquid), unattended in the back yard (theft, sprinklers, weather), or in the bathroom (duh).
  • Back up the hard drive on a regular basis — this will help or hurt you more than anything. I had a hard drive fail … really fail. Luckily I back up the hard drive regularly: for me, every couple of weeks. I also use a USB thumb drive for backing up certain items; for example, things I am working on presently, prior to having emailed or distributed them to others. I guard the thumb drive and the USB hard drive as I would my laptop — as something more important than the cash required to replace the hardware. If your company supports a central backup, use it. If not, consider a third-party online backup solution. They cost $50-75 a year. Well worth it.

I love working from home. I tend to work more hours, as I am always at work. But it is worth it to me. A few simple rules can help preserve that flexibility while securing the computing and networking processes.


Web Application Vulnerabilities

Earlier this week, Cenzic, a web application security company, described in its Q3-Q4 Trends Report (30-page PDF) that vulnerabilities and attacks through Web applications continue to grow.

The total number of reported vulnerabilities went up to 2,835, an increase of more than 10 percent from the first half, of which the percentage of vulnerabilities relating to Web applications hit a staggering 80 percent.

Some key findings include:

  • Of Web browser vulnerabilities, Internet Explorer had the highest percentage at 43 percent followed closely by Firefox at 39 percent; Safari and Opera were at 10 and 8 percent respectively.
  • Eighty percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Plugins and ActiveX, and Web browsers, which is a significant increase from earlier in the year.
  • Adobe continued to be plagued by vulnerabilities some of which showed up in our Top 10 list. Others on this list included SAP, Microsoft, Mozilla, Sun, Apache, and Oracle.

A few months ago, a company I was working with had its web server completely taken over by some Chinese-born bot. The server was running Windows Server 2003 and IIS (an old version). It had not been patched for a couple of years. It was co-located at a reputable firm in Salt Lake City (XMission). There was no system management contract with them — just rack space for a decent Dell server and a Cisco PIX firewall (which also had not been updated for a few years).

The reason it was in the secure data center was because of an application that was running that was used occasionally by a third party which required it to be in a physically secured location. The XMission data center, though not Ft. Knox, was good enough. The weakness was in the server.

This bot had taken total control over the server. As we tried to identify the cause of the outage (the server was no longer serving up Web pages), we noticed some strange processes running. We stopped them, or at least we tried. Within two or three seconds, they’d start right back up again. This server was really hosed.

The initial plan was to re-install Windows Server 2003 and IIS and update them to the latest patch levels. It turns out no one was in possession of the media or the license. With no real technical know-how in the firm and no longer-term plan to hire or outsource, the plan that was agreed upon was to move it to a managed data center.

This turned out to be the right decision. The people who manage the site (Portal Web Hosting in Aberdeen, SD) were willing to offer a deal that was actually cheaper and more extensive than what XMission was offering — secure data center, on-site technical assistance and server management, and a dedicated server running up-to-date Windows Server 2008, IIS and dedicated firewall.

Moral of the story: if you don’t have the technical resources, budget or need to do it yourself, don’t. There are plenty of solid firms that can provide a business with a reliable and guaranteed web server solution. Make sure they have a plan to do regular vulnerability scans and to keep the software patched appropriately.


Dumpster Diving and Security Leaks

When I was a kid, I was into collecting different beer cans (empty). After 2-3 years of it, I had around 400 different brands — a collection I was proud of, at least until my mom told me they had to go. I got these cans by digging through trash cans. We had a number of large apartment complexes within a mile of our house, and Saturday mornings were for dumpster diving. Besides the beer can ‘gold’ I found, I would come across some interesting things, at least in the eyes of a 12-14 year old. I was amazed at what people threw away: from working electrical appliances, lamps and still-good household wares to books, records and magazines (and oh, the porn was an eyeful for a young fellow).

When I was a senior in high school and the year afterwards, I had a job at the Federal Reserve Bank of Cleveland. Initially I was an archive clerk and later a check sorting machine operator. As an archive clerk, one of my jobs at the end of the working day was to collect all of the paper waste in the facility. Along with another person, selected on a rotating basis, I would sort through that trash looking for misplaced checks. Almost every week, we would find one that had slipped through. These checks ranged from a few hundred to a few thousand dollars. One time, we found a million-dollar-plus check in the trash.

Today, whether at home or at work, we probably have a policy about shredding any confidential documents or documents with any personal information on them. Like the checks that made it into the trash, occasionally confidential or personal paperwork misses the shredder and winds up in the dumpster out back along with the lunch wrappers, nasal tissues and general rubbish.

What’s in the dumpster? Credit card names and numbers? Bank account names and numbers? Account statements? Hard drives? USB thumb drives? 5.25″ or 3.5″ diskettes or storage tapes that no one uses any more?

Like we did at the Federal Reserve, I wonder how many businesses would be well served by sorting through the daily trash prior to sending it out into the dark parking lot. One man’s trash is another man’s treasure, which can be exploited or sold on the black market.


Security Issues with Social Networks Overblown

I am a big user and proponent of social networks. I have personal and work-related Facebook, Twitter, YouTube, Flickr, Photobucket, Imageshack and LinkedIn accounts.

I read a comment recently “that any company using Web 2.0 tools will inevitably face strong, and potentially embarrassing, criticism. No company is perfect, and some customers will complain about anything. That’s why some companies are still cautious about engaging with social networks.”

Unfortunately, this paints a false sense of security. It is erroneous to assume that if you elect not to participate in social networks as a business, you will not have bad Internet publicity. If people have negative opinions about your products, services or business in general, they will find a public vehicle to voice them.

It is a good practice to have a common voice for the firm. It is wise to limit those with log-in and posting privileges that officially represent the company on these Web 2.0 sites. It gets too noisy without some control. It is also a good idea to control offensive language. Other than that, let the opinions be voiced and heard. The more people you have engaged in evangelizing the company’s message, the better.

Encourage employees, customers, prospects, partners, suppliers and investors to discuss the company in “Web 2.0” formats. Monitor those posts. Contribute. When negatives come up, address them head-on and quickly. Don’t spin the comments as if trying to sway opinions like some blowhard politician. People see through this. Give honest comments. Don’t get defensive or offensive. Take the high road.

Seth Godin recently wrote “the closer you get to someone, something, some brand, some organization… the harder it is to demonize it, objectify it or hate it. So, if you want to not be hated, open up. Let people in. Engage. Interact.”

Social networks are great. Web 2.0 sites allow firms to fine-tune and target their marketing message at very little cost. There are very few security issues, and those that exist can be effectively controlled. Times are a-changing … in a good way.


SOA Security and Cloud Computing

There is a really nice article on Network World online written by Mark O’Neill on SOA Security: the Basics.

Service Oriented Architecture (SOA) is an architectural approach which involves applications being exposed as “services”. Originally, services in SOA were associated with a stack of technologies which included SOAP, WSDL, and UDDI. [snip] More recently, Cloud services such as Amazon’s Simple Queuing Service (SQS) may be used alongside local services, to create a “hybrid” SOA environment.

Why does a smaller business care about this? I worked for a small business (fewer than 20 employees) that built and sold content filtering software, now part of Blue Coat. SOAP was a protocol we used quite a bit. Even though we were a “security company,” the security of that protocol was only slightly considered. (I am sure they have addressed this, as that was four years ago.) SOA security vulnerabilities include:

  • SQL Injection
  • Capture-replay attacks
  • XML External Entity Attack
  • XPath Injection
  • XML Denial-of-Service (XDoS)
  • Harmful SOAP attachments
  • XML Signature dereference attacks

Many, if not most, mission-critical applications leverage the browser as the user’s interface. Authentication is secured via SSL, X.509, XML Encryption, Kerberos and WS-Security. As more firms move to cloud computing, SOA is a key component. Firms need to be sure that no private, unprotected data is sent to the cloud.
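As an added example (not code from the original post or from O’Neill’s article), here is a receive-side gate for SOAP messages that addresses three items from the list above: it refuses any DTD before parsing (ruling out XML External Entity and entity-expansion XDoS), caps message size (XDoS), and detects capture-replay through the WS-Security UsernameToken’s Created timestamp and Nonce. The freshness window, size cap and the sample envelope are constructed assumptions; verifying the token’s digest or XML Signature is assumed to happen elsewhere and is not shown.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of the OASIS WS-Security 1.0 UsernameToken profile
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
FRESHNESS = timedelta(minutes=5)   # how far a Created stamp may be from our clock (assumed policy)
MAX_BYTES = 64 * 1024              # hard size cap against oversized-payload XDoS (assumed policy)


def utc(stamp):
    """Parse a WS-Security Created value such as 2009-03-13T11:58:30Z into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_soap_message(xml_text, seen_nonces, now):
    """Return the reasons to reject the message; an empty list means it may be processed.
    seen_nonces is a set the caller keeps across requests: an accepted nonce is added to it
    so that a captured copy of the same message is refused when it is replayed."""
    if len(xml_text.encode()) > MAX_BYTES:
        return ["message exceeds size cap (XDoS)"]
    # Refuse any DTD outright: no DOCTYPE means no external entities and no entity bombs,
    # whatever the XML parser's defaults happen to be.
    if re.search(r"<!DOCTYPE|<!ENTITY", xml_text):
        return ["DTD or entity declaration present (XXE / entity-expansion XDoS)"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"malformed XML: {err}"]
    created = root.find(f".//{WSU}Created")
    nonce = root.find(f".//{WSSE}Nonce")
    if created is None or nonce is None or not (created.text and nonce.text):
        return ["missing WS-Security Created/Nonce"]
    try:
        ts = utc(created.text.strip())
    except ValueError:
        return ["unparseable Created timestamp"]
    problems = []
    if abs(now - ts) > FRESHNESS:
        problems.append("Created outside freshness window (replay or clock skew)")
    if nonce.text in seen_nonces:
        problems.append("nonce already seen (capture-replay)")
    if not problems:
        seen_nonces.add(nonce.text)
    return problems


def sample_request(nonce, created):
    """Constructed SOAP 1.1 envelope carrying a WS-Security UsernameToken header."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>svc-reports</wsse:Username>
    <wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><GetReport xmlns="urn:example:reports"><id>42</id></GetReport></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    seen = set()
    now = utc("2009-03-13T12:00:00Z")
    msg = sample_request("n0nce-0001", "2009-03-13T11:58:30Z")
    print(check_soap_message(msg, seen, now))   # first delivery: accepted
    print(check_soap_message(msg, seen, now))   # captured copy replayed: refused
```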


Incident Response: What Not To Do

In my ITT Tech Windows Server and security class this week, I had my students read and discuss an anonymously written article from the February and March issues of CSO magazine: “Undercover: The Company That Did Everything Wrong.”

It was written from a security consultancy’s perspective. The consultancy was brought in two days after a phishing email opened up the entire organization to a Russian hacking group. This group was using the targeted company as a hacking demonstration at a hacker conference in St. Petersburg. Some of the lessons learned were:

  • Have an IT staff large enough to support the size, scope and mission of the company.
  • Routers, firewalls, servers all keep logs: don’t turn logging off, secure regular back-up copies, and make a habit of reviewing the logs on a somewhat regular basis.
  • Educate employees on email phishing.
  • Have an incident response plan.

It is impossible to plan for everything, but a little bit of planning can go a long way when an incident does occur.

Most of my students will handle a full range of IT functions in a small company of fewer than 100 employees. They will be tasked with everything from desktop and server configuration to switch and router ownership, from firewall and overall information security to physical security. Not a week goes by that I do not hammer home the importance of a) thorough and well-written security policies, b) a test bed for all supported systems and c) an incident response plan that is re-evaluated, updated and assessed on a regular basis.

The California company in this two-part article did everything wrong. But they were smart enough to bring in some people that could assess the situation and take corrective action. Learning from our mistakes should be the common denominator for all of life’s mishaps.


Verizon Wireless’ Privacy Workaround

I am a follower of the Boing Boing blog. Today, there was a helpful post on how Verizon Wireless customers can opt out of Verizon’s personal information sharing scheme.

I am a Verizon Wireless customer and was able to follow the simple directions and change my privacy settings.

In an attempt to be helpful, the author, Rob Beschizza, included his phone number in the explanation. I have no interest in his number … I don’t know him and would never call him.

Goes to show that even the most helpful, even on the topic of privacy, are not immune to simple mistakes — let’s just call it an oversight.
