Lifestyle Hackers

I have three children in their young twenties. I see first-hand how they use the Internet.

Social networking has a big role. Facebook tends to dominate for them more so than other social network applications. They use P2P applications for their music and videos. My sons use their Playstation and Xbox to access Internet tools, applications and opponents. They use their mobile phones constantly — texting and accessing Web sites for instant access to whatever information they need. They email some, never use instant messaging, and prefer texting. They watch videos — streamed or via DVDs — on their laptops. They watch some TV but not too much — mostly sports and comedies. They are playing with Twitter — following a few of their sports or media icons. They are typical American twenty-somethings using so-called Web 2.0 technology.

This is what they are used to. When they get their college degrees and start their first real jobs, how will their new employers deal with their habits? Will they block Facebook? Twitter? Why? Security issues? Productivity issues? How will they circumvent the controls? Will they circumvent them?

Jim Routh and Gary McGraw coined the term lifestyle hackers (I’ll give them credit). They describe it in their CSO magazine article Lifestyle Hackers. You might not be able to craft a document and listen to hip hop or rock at the same time, but these youngsters can; they do. These young employees are experts at multitasking. If security policies “cramp their style,” they may just figure out ways to circumvent them. Their intent is not malicious.

I remember when telecommuting started. Managers were reluctant to give up “control.” They wanted/needed to make sure “their employees” were working. We as a society got over that. Millions of people work some or all of the time from home. I spent fifteen years working in either a remote office or a home office. I can tell you that for certain jobs, remote workers are much more productive than their headquarters-based counterparts.

Social norms change. Security personnel need to understand the entire landscape before saying NO. Technology is good. Web 2.0 has some great things. Let’s figure out how to address this in a manner that is win-win. It does not need to be a zero-sum game. The winners will be those that figure out how to create a non-zero-sum game.

Net Neutrality — What Is Open Internet?

Yesterday, U.S. communications regulators voted unanimously to support an open Internet rule that would prevent telecom network operators from barring or blocking content based on the revenue it generates.

“I am pleased that there is broad agreement inside the commission that we should move forward with a healthy and transparent process on an open Internet,” FCC Chairman Julius Genachowski said.

The vote came despite a flurry of lobbying against the net neutrality rule by telecommunications service providers like AT&T, Verizon and Qwest which say it would strip them of the ability to manage their networks effectively and would stifle innovation and competition.

[The rule] allows for “reasonable” network management to unclog congestion, clear viruses and spam, and block unlawful content like child pornography or the transfer of pirated content.

The challenge is how much favor is oriented toward the end consumer versus how much to control the free market. How much freedom should an ISP have in deciding how to manage traffic on their networks? What should be done to make sure one ISP does not play favorites by slowing traffic to their competitors?

From the looks of it, the FCC is leaning towards preventing service providers from discriminating in what services and content they will carry over their networks and under what circumstances.

What if I am in a one-horse town and I only have one reasonable option for high-speed Internet and my ISP decides it does not like specific sites like the Drudge Report, Fox News, CNN or categories of sites like hate, gambling, drugs, adult (not talking child porn here), or all sites in Arabic?

On the other hand, what if I decide that I want an ISP that supports my moral values and I elect that company to provide my Internet service?

What if my ISP elects to throttle down P2P traffic? Is that bad? It is bad for the P2P user, but is it bad for everyone else? So should the ISP be given free rein, or should there be some regulation?

I support the principle behind net neutrality in that all Internet traffic should be treated equally. As a rule, I don’t like the idea of my ISP screening, interrupting or filtering Internet content without a court order. Any fragmentation of services or control over specific protocols should be the exception and not the rule.

FBI Citizens’ Academy

I just completed the five-week FBI Citizens’ Academy. We met once a week in the evening for 3 hours at the FBI offices (mine was in Salt Lake City) and on one Saturday at the firing range (mine was with Salt Lake County). It was the best training experience I have ever had.

The curriculum consists of:

  • Practical problems involving evidence collection and preservation.
  • FBI jurisdiction and congressional oversight.
  • Structure and operation of FBI field offices and satellite agencies.
  • Fingerprint, forensic, technology, training, and other services.
  • Policies and issues: ethics, discipline, communications, drug enforcement, civil rights, and future criminal trends.
  • Firearms training.

The Special Agent in Charge (SAC) and the Assistant Special Agent in Charge (ASAC) lead the training; the actual Special Agents are the instructors. We covered white collar crime, violent crime, cyber crime, counterintelligence, domestic terrorism, undercover ops, victims, investigations, technology & tools, and careers. We got to enter and see the gun vault (including a 1929 Thompson submachine gun) and play in the Firearms Training System (FATS) simulator.

On Saturday, we saw a sniper demo. We were told roughly where he was concealed; he made 4 precise shots from 100 yards. None of us could spot him until he stood up. We saw an explosives demo; amazing what a little C4 can do. We shot four FBI guns – two handguns and two semi/full automatic guns. We even got to shoot the .45 Tommy gun. We participated in a SWAT team hostage training session (we were the hostages).

There is no doubt that the men and women we met — Special Agents and support staff — are second to none. They are very professional and personable. They are dedicated to their jobs. I was more than impressed.

If you are interested in law enforcement, information security, investigations, forensics or homeland security, this is a must. It was a great experience for all of us. I want to thank those that participated in the 12th Citizens’ Academy in the Utah Division. I wish them the best, including the SAC who is transferring to the SE USA.

Security Policies Start At the Top

As an adjunct instructor at ITT Technical Institute for the past four years, I enjoy introducing a new topic to the newer students and then seeing them a year or two later to see how far they have come.

For most, the concept of policy and, more specifically, security policy is foreign. I think they must get tired of hearing me answer: “it all depends” or “what is the policy and why does it exist that way?”

Joan Goodchild, Senior Editor of CSO magazine, wrote a recent article, The Seven Deadly Sins of Security Policy. Here are her security policy deadly sins:

  1. Failing to do a risk assessment before crafting a policy
  2. Having a ‘one-size-fits-all’ mentality
  3. Failing to have a standard template
  4. Having policies that only look good on paper
  5. Failing to get management to buy in to the policy
  6. Writing policy after a system is deployed
  7. Lack of follow up

It is my experience that the biggest issue is lack of buy-in from the top. Without top-level buy-in, why should anyone read, follow or believe the policies are enforceable?

For many organizations, security is viewed as the “business prevention department.” The challenge security professionals have the world over is justifying the associated expenses. Security is an expense, but for many organizations it might be absolutely necessary, even an item that can be used to differentiate it from its competition, attract employees, and have a positive impact on the bottom line.

There are many deadly sins with respect to security, and the worst is something many organizations are guilty of (and it is not one of the seven): they have no formal security policies.

Cyber Security: Home and Business Guidelines

The U.S. Department of Homeland Security, as part of its National Cyber Security Awareness Month, has created a list of fourteen things home users can do to bolster cyber security.

  1. Use a suite of automatically updating security tools that includes anti-Spyware, firewall and anti-virus software.
  2. Be sure your operating system and Web browser are set to automatically update.
  3. Use long, complex passwords for both your computer and your wireless network that include numbers, symbols and letters, and change them every 90 days.
  4. Maintain vigilance online and be skeptical about giving up personal information.
  5. Turn off your computer when you are not using it.
  6. Employ the same online safety behaviors when “surfing” on a mobile device.
  7. Be on the lookout for signs of an infected computer including slower processing times, unwanted pop-up ads and increased spam.
  8. Talk to your kids about good online safety and security habits, including protecting their personal information and their reputation.
  9. Know what sites your children are visiting online, and check their social networking regularly.
  10. Regularly back up your files either online or to an external hard drive (and store in a secure location).
  11. Post cyber security tips on your favorite community Listserv.
  12. Go to your favorite search engine and search by your name and other family members to see what is on the web about you.
  13. Make sure your children know that they can come to you if something online makes them uncomfortable, including what others are posting about them, unwanted contacts, and questions they have about staying safe online.
  14. Learn more at www.staysafeonline.org.

Good list? Yes.

What about business? The best checklist I have found for good cyber security for the average business is from the Payment Card Industry within its Data Security Standard:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Simple? No. But it is a great list to build a security plan upon.

National Cyber Security Awareness Month

October is National Cyber Security Awareness Month, as proclaimed by the U.S. DHS. The premise behind this is good: create awareness for cyber security. The DHS’s campaign will seek to:

  • Raise awareness of cybersecurity risks, consequences and available resources to a broad universe of information technology stakeholders
  • Reinforce shared responsibilities and provide a call to action to all computer users
  • Direct stakeholders to tools, products and services they can use to protect their part of cyberspace
  • Leverage Awareness Month events and activities to build a common culture of shared priorities across the full range of cybersecurity stakeholders
  • Encourage interest of students in the cybersecurity field and help develop the next generation of cybersecurity professionals
  • Promote the Cyber Security Awareness Volunteer Education Program (C-SAVE)

Security professionals the world over need all the help they can get to create awareness of their craft. For the most part, security measures, be they physical or cyber, are business expenses. The challenge security professionals have is to justify those expenses in a manner that helps improve the overall business appeal from the perspectives of customers, partners, employees and investors.

For most of us working in the cyber security profession, we are viewed as smart but our value is questioned. “We pay this guy how much for doing what exactly?” “If we did not do ‘this’, what would be the impact?” “Do we really need to jump through all of these hoops?” “Do we really need to buy all of these security tools, applications and appliances?” “Wasn’t our security policy just updated?”

Some things are just hard. Cyber security is one of those hard things. It is tough to see, quantify and qualify. The better we are at creating reasonable awareness of the issues confronting our business and industry, the better and more effective we will all be at performing our security jobs.

DHS — Overkill In Some Areas?

Politically conservative, I question the value of many government agencies and jobs. By their nature, every single government job consumes taxpayer funds. Not one of them produces a single dollar.

Certainly there are many jobs and roles that are required of government. It is the opinions along this line that significantly define our political differences. Some feel government is the answer to many of our problems; others do not. I am in the latter camp.

Nevertheless, I have many acquaintances that earn their living by working security for the federal, state, county and local governments. I do not have any ill feelings towards any of them. Some of these jobs are very interesting. But are they absolutely required?

I attended our local InfraGard meeting this week. A good group and a good meeting. We heard a presentation from Access Data on computer forensics, some excellent insights from a civilian security specialist from Hill AFB, and a presentation from a gentleman from DHS. This latter presentation got me thinking about the scope of the DHS. Has it quickly expanded beyond what is reasonable?

There is a role that one of the groups performs: an infrastructure survey. One or more federal employees will come to your site — any site — and do a 4-7 hour assessment of your physical security, preparedness, etc. The billing fee? Zero. Cost? Not free. Certainly a service like this is useful. Any security officer would be dumb not to take advantage of a service like this. Another set of eyes can only help. But is it the best use of taxpayer funds?

Just like cash for clunkers, it is a great deal for those people who needed a new car (or security assessment), but a bad deal for those of us who were unable to take advantage of the offer (or who did our own assessment, either ourselves or by paying a third party to do it for us). Those that did not need a new car (new assessment) at that time were forced to fund those that did.

If the Department of Labor was completely eliminated, would anyone besides the employees notice? What about the Departments of Education, Commerce or Housing & Urban Development? Does the DHS need a Science and Technology Directorate?

The problem with government in all nations is that it is too big. It does not matter which political party is in power, government grows. Most of the growth is well intended. But the value is very questionable.

In the security world, the powers that be justify their positions, programs and plans as necessary to protect us and our operations. Security people overblow most situations. Without fear, uncertainty and doubt, they would be without a job. Politicians do the same: the other guy’s special interest is corrupt and not required, but theirs is.

I appreciate the men and women that are trying to protect us. I just think there are too many of them in roles that do little to reduce or manage risk.

Vendor-Speak: Fear, Uncertainty and Doubt (FUD)

When I began my career in the 80s, I worked for a firm (NCR Comten) that competed against IBM. We provided communication processors for the mainframe/cluster controller/terminal industry. In the 90s, I worked for firms (Network Systems, Xylan, Alcatel) that sold channel extension, security appliances and switching products against Cisco. In both cases, we were the outsider, trying to unseat the incumbent. Outside of feature/function/benefit/pricing comparisons and long-term personal relationships between the sales team and customer, we had to combat fear, uncertainty and doubt (FUD).

FUD is based on the notion that if you — the customer — buy the incumbent’s product, you will regret it. Comments might include: “it will not work as advertised;” “the long-term costs will be greater than what you think;” “it will be a support nightmare;” and “your administrators and end users will not like the new solution.” In the security space, the points are the same but the infosec vendors add a new spin to fear.

Security entrepreneurs recognize a problem that is not being properly addressed by current products. They design, develop, test and market a new mousetrap. The challenge for all of them is to find a market large enough to cover the investment and to build a business upon the new market. Few people are aware that many of these problems exist. Enter marketing.

The infosec firm needs to define the problem so more people are aware of it. They need to expand the scope of it. They need to make you feel like if you don’t have this product, you are opening yourself up to a security disaster.

We all know technology and the exploits evolve. Many of these new products do have merit, but most do not. That’s why so many of these firms go out of business or cannot grow beyond $5-20 million in annual revenue. The lucky ones find an exit strategy by being acquired.

I was reading an article in CSO magazine, 7 Reasons Websites Are No Longer Safe. Though not from an infosec vendor, it makes the reader think that all Web sites are insecure and you might as well forget about trying to secure them. Hmm. So all of the e-commerce, banking and investment sites are unsafe?

The infosec industry makes its money by making people feel insecure. Fear is key to the marketing message. Most businesses do not need all of these leading-edge security devices or software. The sky is not falling, despite the vendor-speak.

Mobile Telehealth Devices

One truly meaningful use of modern cellular networks, aside from gaming, sports scores and TV streaming, is mobile telehealth.

Sensors are placed near or on individuals with medical conditions, and updates are communicated via the cellular network to a location that will record, analyze and, if necessary, act upon them. For example, regular communication of a person’s blood pressure, taken every couple of hours for a week.

The authenticity, integrity and confidentiality of the data path must be guaranteed. This raises the need for secure communications for mobile telehealth devices.

One must question the current security model followed and implemented by the mobile telehealth device manufacturers. Some will take it seriously, others will not.
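The three data-path properties named above (authenticity, integrity, confidentiality) in working code, as an added example that is not from the original post or from any device vendor: the device seals each blood-pressure reading with AES-GCM under a pre-shared key, and the monitoring side refuses readings that fail the authentication tag (tampered or forged) or that reuse a sequence number (replayed). The per-device pre-shared key, the device name, the key bytes and the sample readings are all constructed for this example; a real deployment would provision the key out of band and rotate it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Reading is one blood-pressure sample as the sensor reports it
// (constructed record format for this example).
type Reading struct {
	DeviceID  string `json:"device_id"`
	Seq       uint64 `json:"seq"`
	Systolic  int    `json:"systolic"`
	Diastolic int    `json:"diastolic"`
	TS        int64  `json:"ts"`
}

// Message is what crosses the cellular network: the device ID and sequence
// number travel in the clear but are bound to the ciphertext as associated
// data, so changing either one invalidates the authentication tag.
type Message struct {
	DeviceID   string
	Seq        uint64
	Ciphertext []byte
}

var (
	ErrAuth   = errors.New("authentication failed: tampered, forged or wrong key")
	ErrReplay = errors.New("replayed or out-of-order sequence number")
	ErrDevice = errors.New("unknown device")
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmNonce derives the 96-bit nonce from the device's counter. Keys are per
// device (assumption), so a strictly increasing counter never repeats a nonce.
func gcmNonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

func assocData(deviceID string, seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return append([]byte(deviceID), b...)
}

// Seal runs on the device: encrypts the reading (confidentiality) and
// authenticates it together with the cleartext header (integrity, authenticity).
func Seal(key []byte, r Reading) (Message, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Message{}, err
	}
	plain, err := json.Marshal(r)
	if err != nil {
		return Message{}, err
	}
	ct := gcm.Seal(nil, gcmNonce(r.Seq), plain, assocData(r.DeviceID, r.Seq))
	return Message{DeviceID: r.DeviceID, Seq: r.Seq, Ciphertext: ct}, nil
}

// Receiver is the monitoring side: one pre-shared key per enrolled device and
// the highest sequence number accepted from each (replay protection).
type Receiver struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
}

func NewReceiver(keys map[string][]byte) *Receiver {
	return &Receiver{keys: keys, lastSeq: map[string]uint64{}}
}

// Open verifies the tag first, then enforces a strictly increasing counter,
// and only then releases the reading for recording and analysis.
func (rc *Receiver) Open(m Message) (Reading, error) {
	key, ok := rc.keys[m.DeviceID]
	if !ok {
		return Reading{}, ErrDevice
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Reading{}, err
	}
	plain, err := gcm.Open(nil, gcmNonce(m.Seq), m.Ciphertext, assocData(m.DeviceID, m.Seq))
	if err != nil {
		return Reading{}, ErrAuth
	}
	var r Reading
	if err := json.Unmarshal(plain, &r); err != nil || r.DeviceID != m.DeviceID || r.Seq != m.Seq {
		return Reading{}, ErrAuth
	}
	if last, seen := rc.lastSeq[m.DeviceID]; seen && m.Seq <= last {
		return Reading{}, ErrReplay
	}
	rc.lastSeq[m.DeviceID] = m.Seq
	return r, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	rc := NewReceiver(map[string][]byte{"bp-cuff-0042": key})
	msg, _ := Seal(key, Reading{DeviceID: "bp-cuff-0042", Seq: 1, Systolic: 128, Diastolic: 82, TS: 1255000000})
	r, err := rc.Open(msg)
	fmt.Println(r, err) // accepted
	_, err = rc.Open(msg)
	fmt.Println(err) // replay rejected
	msg.Ciphertext[0] ^= 1
	_, err = rc.Open(msg)
	fmt.Println(err) // tampering rejected
}
```

The receiver checks the tag before the counter so that an unauthenticated packet can never move a device's replay window; a counter gap (a dropped message) is accepted, but going backwards is not. Sending the counter as the nonce is only safe because each device has its own key; with a shared key the nonce would have to include a device-unique component.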

Prudent Man of Information Security

There are things that we should fear and there are things we should not fear. Lost data due to poor backup procedures, not safeguarding core intellectual property, and security policies with no enforcement teeth are things we should fear. Terrorism (unless you are DHS or are a high-value target) is one that we ought to put low on our list of concerns.

Joan Goodchild, Senior Editor, CSO magazine wrote the Seven Deadly Sins of Building Security:

  1. Creating post orders without advanced analysis
  2. Placing aesthetics over security
  3. Neglecting to properly secure certain entrances
  4. Allowing management to ignore security rules
  5. Failing to take time to understand your technology
  6. Failing to secure important rooms inside the building
  7. Overdoing security

This list is a solid list based on the prudent man principle of information security: Those with responsibility to invest money in order to secure the operations should act with prudence, discretion, intelligence, and regard for the safety of capital as well as the desired and resulting level of information security.

There are all types of security people — and we need them all — from the firewall/IDS/network security specialist and physical security specialist to the policy writers and auditors. However, we need a manager that sees and understands all of the key parts of organizational security and can map them to coincide with the organizational goals.

The key is to make a regular and complete assessment, implement accurate and quality processes, procedures and technology solutions, and to manage and monitor it continuously. Then stay at it, doing it over and over. Boring yes, but good security was never designed to be exciting. It needs to be in place when it is needed.

Finding one that can balance between what is good and financially in line for the organization and what a security purist hopes for is where you will find the prudent man (or woman) of information security.