locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 31 Aug 2005 00:00:00 00, 449
Additional Security Policy Templates and Examples

A side-effect of using Google AdSense is that I discover companies who offer products and services related to articles I post to my blog. Some of these have proven undesirable, and I've already written about the problems I have filtering rogue spyware product advertising from my Anti-Spyware Resources page. I've nearly exhausted my filter list allotment and have long passed my patience with this deception, so I will remove advertising from that page.

There are positive outcomes. After posting my article on security policy, I visited some of the AdSense advertisers who develop software to automate policy development and maintenance. While in no way endorsing these companies or products, I can point you to some additional examples of policies and policy templates.

If you are interested in a HIPAA Security Policy, visit HIPAAacademy.net and look at their templates.

If you're interested in reading about compliance, try one of the ebooks offered by NetiQ.

Lastly, you can download a full "watermarked" trial version of a set of Information Security Policies from Information Security Policy World.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID449 by Dave Piscitello  


Mon, 29 Aug 2005 00:00:00 00, 448
Thinking about... Security Policy

Every organization needs a set of guidelines that identifies the assets the organization deems valuable or sensitive, describes appropriate use and handling of those assets, and defines what constitutes authorized access. A security policy identifies threats to an organization's assets and the measures to take to mitigate or reduce those threats. A security policy also documents processes for maintaining security and for responding to attacks or incidents. It identifies the conditions that require escalation, disclosure, notification of law enforcement, a public relations response, or a legal response. A security policy says, "here is what we value, the threats that put what we value at risk, how we intend to protect what we value, and what we will do if it should ever be lost, damaged, disclosed without authorization, stolen, or attacked".

Few security activities are as routinely overlooked and discounted as security policy development. A common complaint every security consultant hears is, "Why bother developing a security policy? Assets, technology, and needs change constantly!" To this, I answer, "Change is a constant, not an excuse." Without guidelines on which to base security measures, organizations lack a comprehensive strategy for protecting assets, and so make ad hoc and technology-driven decisions. The result is security measures that don't satisfy all the criteria for adequately protecting assets. Too few members of an organization will know, appreciate, and consequently, comply with security and acceptable use policies (AUPs). [A good example of an AUP is the Acceptable Use Statement for NAS Systems Division Computing Resources. Other AUP resources are listed at the end of this article.]

Why are security policies important? Lacking policies, an organization cannot know exactly what it is trying to protect, what measures it expects to implement to protect it, who is responsible for implementing those measures, and who is responsible for assuring that the measures are implemented as intended. The organization at large may not know how to react to an attack, and it will have little or no basis to hold insiders or attackers accountable for their actions. When such action or response plans are not provided, maintaining security standards, responding to security breaches, and taking remedial action are rife with uncertainties and grow increasingly challenging as the organization grows.

Who should develop a security policy? Technical staff are important contributors, but when security policy is placed entirely in the hands of IT, the valuable contributions "non-technical" members of the organization can make to a security policy are overlooked and lost, often to the detriment - and expense - of the organization. Always engage representatives from legal, accounting, auditing, personnel, and key business units. These parties can provide valuable input, especially in circumstances where a security policy must consider an organization's liability, accountability, regulatory obligations and business objectives. When you have completed your security policy, share it, have all parties sign or otherwise acknowledge their responsibility and accountability under the policy, and then consider implementation.

When should you develop a security policy? Few organizations today have the luxury of developing a policy before computers are used and networked by an organization. This really matters only with respect to how the security expressed in a policy is ultimately implemented. While I don't dismiss the challenge of incorporating security as a retrofit or upgrade to design rather than a fundamental consideration, it's still "an implementation". An important consideration regarding "when" is that a security policy should remain a living document within the organization. It should be revisited frequently, as assets, business objectives, and the regulatory environments that affect an organization change. Again, change is a constant, and security policy (and implementation) must respond and adapt to change.

Many resources, templates, and standards for developing a security policy are available on the Internet. The SANS Security Policy Project, the ISO 17799 Directory: Services & Software for ISO 17799 Audit, ISO17799 Compliance & Security Risk Analysis, the Network Security Library: Security Policy, and the Virginia Department of Education, Acceptable Use Policies: A Handbook may help you as you develop a policy for your organization. There are more online resources, to be sure.

None may precisely match your organization's needs, but these can serve as guidelines.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID448 by Dave Piscitello  


Thu, 25 Aug 2005 00:00:00 00, 447
Why You Need To Add “Protect Domain Name” To The Security Checklist

Domain name hijacking broadly refers to acts where a registered domain name is misused or stolen from the rightful name holder. A domain hijacking is a security risk many organizations overlook when they develop security policy and business continuity plans. While name holders can take measures to protect their domain names against theft and loss, many measures are not generally known. More...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID447 by Dave Piscitello  


Wed, 24 Aug 2005 00:00:00 00, 446
Blue Security: Your Right to Complain

Blue Security's approach to combatting spam has attracted its fair share of criticism. Blue combines a proactive Do Not Mail Registry with an automated protest campaign against spammers. Most of the criticism is off target. In several articles, it's clear the critics didn't understand the approach; in other editorials, the critic is exercising his Internet-given privilege to flame.

Blue's protest, performed on behalf of its Do Not Mail subscribers, is a tightly controlled email and forms submission response. It's not a DoS-like retaliatory strike at merchant email accounts, web submission pages, and access circuits as described by several critics. If any of the critics had taken the time to open-mindedly discuss Blue's methodology with its CEO Eran Reshef, they'd have learned that the response is proportionately bounded: one spam, one complaint. Disclosure: I know Eran well. If you spend any meaningful time talking with him, you'd have to wonder how anyone could conclude that this guy would design a service to "go postal" on spammers.

Blue does what individuals can do themselves: find a party responsible for the spam and complain. Blue does this more scientifically, with more coordination, and to a greater scale than individuals can. Blue wants to change the spam value proposition and ROI, which is ultimately the only way we will ever effectively defeat spam. It's reasonable, proportionate, and ethical.

Marcus Ranum recently wrote an excellent editorial debunking the claims that Blue's approach is unethical. You can read it at http://www.ranum.com/security/computer_security/editorials/bluesecurity/. In the editorial, Marcus gives a thoughtful and thorough analysis of Blue's process. Frankly, it should be required reading for folks who have been publicly critical of Blue Security. Marcus also considers criticisms and concerns that have been brought to the public's attention and explains why they are inaccurate, difficult to corroborate, or just plain silly.

The editorial (thankfully) has a good measure of Marcus' wit and keen edge. You really ought to find time to visit the page and read it.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID446 by Dave Piscitello  


Sat, 20 Aug 2005 00:00:00 00, 444
NTP: It's about time

On your network, time synchronization is essential for correlating event data, auditing, and accounting. My LiveSecurity article explains why accurate, universal time across your entire network benefits you, and how to accomplish this using NTP. More...

Originally published via WatchGuard LiveSecurity, 03 June 2005

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID444 by Dave Piscitello  


Fri, 19 Aug 2005 00:00:00 00, 443
Expanding Your WLAN Reach

What can you do when WLAN coverage is good in most areas, except for a few unfortunate users on the outskirts of your AP's current reach? Some off-the-shelf solutions that won't cost an arm and a leg, and will keep you on the friendly side of the FCC. More...

Originally published via WatchGuard LiveSecurity, 06 May 2005

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID443 by Dave Piscitello  


Thu, 18 Aug 2005 00:00:00 00, 442
Completing The Secure Application Access Puzzle

Today's workforce requires access to whatever applications they need to conduct business, transparently, from any location, when convenient and necessary, using any device, over any network. As I explain in this July 2005 BCR Magazine article, shifting from "tightly controlled" requires going beyond traditional remote access VPN solutions.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID442 by Dave Piscitello  


Wed, 17 Aug 2005 00:00:00 00, 445
Can a simple password stop domain name hijacking?

Tom's Hardware ran an article on the Domain Name Hijacking report SSAC presented to ICANN last month. Colleague Dan Halloran and I were both interviewed. To read the full column, visit http://www.tomshardware.com/hardnews/20050817_141236.html.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID445 by Dave Piscitello  


Analogies

Internet security is often described in military terms. Many of these originate from the castle building vocabulary of England during the reign of Edward II. I've always found this analogy interesting. Recently, I received an email from someone who read an article I wrote in the TISC newsletter, entitled Server vs. Client-based Protection. In that article, I made a brief reference to Edwardian period castles. A year later, I wrote a section for a chapter of a book my partner Lisa and I never completed. I found that chapter and decided I'd revise and publish it section by section. Today, I'll compare the Edwardian period "security" to Internet Security.

Castles protected items of value and people of importance - the landowners and merchants - from miscreants, robbers, and armies of rival lords who would steal or destroy valuables, and injure the nobility, if not prevented from doing so. Castle designers employed layers of security to protect the donjon or keep, its occupants and treasure. Rudely constructed dirt fortifications improved over time to what we all imagine when we think of a "castle": a formidable fortress surrounded by moats, accessible only via a draw bridge, with yeomen and archers positioned on crenellated and battlemented walls of stone to keep intruders at bay.

Within these layers of defense, men at arms stationed at checkpoints allowed recognized inhabitants and authorized visitors to come and go as they pleased within the confines of the castle walls, but only permitted a privileged few to access the keep itself. Barred gates, tripwires and mantraps were used to block and delay intruders who managed to make their way past any given line of defense. Alarm fires and bells were used to raise a general call to arms when defenses were breached.

We deploy similar physical security measures today to protect computing facilities (Internet data and operations centers). We try to maintain a secure perimeter, a continuous fortification or enceinte continue surrounding our networks and the electronic assets within. Physical security measures to protect networks and communications systems still include walls and armed guards at checkpoints. Electronic sensors, laser tripwires and even mantraps are common components of physical security where the value of electronic assets and the systems on which they are stored or operated is particularly high (e.g., financial institutions). Electronic swipe cards and biometric devices (fingerprint, iris, and palm scans, and facial recognition) replace and complement armed guards as preferred methods of verifying the identities of those who have authorized access to secure facilities.

Physical security doesn't cover the problems associated with protecting electronic valuables and trusted communities of individuals (insiders) from miscreants, competitors, terrorists and rogue governments (outsiders), who could reach these assets via an organization's Internet connection(s) unless measures are taken to prevent them from doing so. Additional security measures are often required:

Perimeter security enforcement systems - packet-filtering routers, firewalls, and application proxies - prevent unauthorized access and block attacks.

Authentication systems distinguish authorized users (members of the trusted community) from unauthorized ones.

Network admission and endpoint control prevent devices that are judged "unsafe" from connecting to networks.

Authorization services - on client and server operating systems and file systems - provide additional access controls and govern the activities authorized users may perform.

Intrusion prevention, detection and blocking systems - Intrusion Detection Systems (IDS), tripwires, honeypots, anti-virus and server integrity software and hardware - provide additional lines of defense within the secured perimeter, and provide alarms warning administrators of security breaches.

A castle proved very effective so long as the treasures weren't moved and the population of the kingdom didn't venture beyond the stationary defenses their castles provided. But for nobles and their merchants, travel was inevitable and communication with other kingdoms necessary. Armed guards accompanied the noble's entourages and the merchant's trade wagons. Knights accompanied the wagons for added protection. Treasures were transported in strongboxes. Private correspondence was sealed and uniquely imprinted with wax and chop (or signet ring).

Networks, and hence network security, were also based on isolationist practices. But wholly isolated, private networks are as impractical today as isolated kingdoms were during Edward's reign. Most organizations must have an Internet presence, and their employees must access Internet resources from the office, at home, and while they travel. Thus, every organization today has information assets that must be protected from misuse, abuse, theft or damage by outsiders. Many organizations have mobile workforces and teleworkers. Increasingly, organizations allow business partners, customers and consumers to access information via intranets and extranets. Organizations exchange sensitive correspondence and perform business transactions electronically, over the Internet, as well. These organizations are growing more aware of the threats Internet-originated attacks pose, and want to protect access to their information assets and to protect information exchanged over the Internet as well; so additional security measures are often required.

One of the most widely employed measures is Virtual Private Networking (VPN). A VPN uses encryption methods to protect information exchanged over the Internet - or generally, any communications path that is not considered "trusted" (especially wireless networks) - from being read, modified, or replayed. VPNs also authenticate both ends (parties) of a communication. But a VPN is only one of several measures required to maintain distributed security policy enforcement. Once a client or mobile computing platform ventures beyond the security measures an organization commonly provides at one of its facilities, it must be protected with commensurate security measures. Desktop anti-virus, personal firewall, system integrity, and IDS software extend an organization's security enforcement beyond the physical and logical perimeter it creates at one of its facilities. Distributed security policy enforcement, layered security, and defense in depth will appear as recurring themes in WLAN security.
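The three protections the paragraph above credits to a VPN (against reading, modification and replay of traffic) can be shown concretely. What follows is an added example, not code from the original post or from any VPN product: a minimal tunnel record layer that encrypts, then computes an HMAC over header and ciphertext (encrypt-then-MAC), and keeps an IPsec-style sliding window of accepted sequence numbers on the receiving side. The per-session key derivation, the toy HMAC-counter keystream that stands in for a real cipher such as AES, the 64-record window size and the sample traffic are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64     # assumed replay window, counted in sequence numbers (IPsec uses a similar sliding window)
TAG_LEN = 32    # HMAC-SHA256 tag length


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one pre-shared key (assumed to be agreed out of band)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode, keyed by sequence number so keystream
    is never reused across records. A stand-in for AES-CTR/GCM, not a real cipher."""
    blocks = [hmac.new(enc_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side. Record layout: 8-byte sequence number || ciphertext || 32-byte tag.
    The tag covers header and ciphertext, so a change to any byte fails verification."""
    header = struct.pack(">Q", seq)
    ks = _keystream(_derive(key, b"enc"), seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiving end of the tunnel: verifies the tag before touching the payload, then
    rejects sequence numbers already accepted or fallen behind the window."""

    def __init__(self, key: bytes):
        self.enc_key = _derive(key, b"enc")
        self.mac_key = _derive(key, b"mac")
        self.highest = -1   # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def open(self, record: bytes):
        """Return (status, plaintext); plaintext is None unless status is 'ok'."""
        if len(record) < 8 + TAG_LEN:
            return "malformed", None
        header, ciphertext, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        # Integrity is checked first, in constant time, so forged records cannot poison replay state.
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.highest - WINDOW:
            return "too_old", None          # behind the window: cannot tell it from a replay, so drop it
        if seq in self.seen:
            return "replay", None           # a captured record presented a second time
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - WINDOW}  # slide the window
        ks = _keystream(self.enc_key, seq, len(ciphertext))
        return "ok", bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Constructed traffic: three records, then a tampered copy and a replayed copy of earlier ones.
    Returns the list of receiver verdicts."""
    key = hashlib.sha256(b"constructed pre-shared key for the example").digest()
    rx = Receiver(key)
    messages = [b"GET /payroll", b"HTTP/1.1 200 OK", b"balance=100"]
    records = [seal(key, i, m) for i, m in enumerate(messages)]
    verdicts = [rx.open(r)[0] for r in records]
    tampered = bytearray(records[2])
    tampered[8 + 8] ^= 0x01                 # flip one bit inside the ciphertext of "balance=100"
    verdicts.append(rx.open(bytes(tampered))[0])
    verdicts.append(rx.open(records[1])[0])  # an eavesdropper re-sends a captured record
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'ok', 'bad_mac', 'replay']
```

Two design points carry over to real tunnels: the MAC is verified before any decryption or window update, and records behind the window are dropped outright rather than remembered, which bounds receiver state to one window regardless of how much traffic an attacker injects.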

The analogy between Edwardian period and network security is interesting, accurate, and powerful.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID441 by Dave Piscitello  


Tue, 09 Aug 2005 00:00:00 00, 440
When It Comes To Anti-Spyware Tools, Accuracy Is Key

My article on assessing antispyware software is available at SecurityPipeline.com. This article debunks the myth that users and administrators can draw useful conclusions regarding the quality of antispyware products based on numbers of spyware detected, and offers a better basis for comparison. The full article can be found here.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID440 by Dave Piscitello  


Fri, 05 Aug 2005 00:00:00 00, 439
The Top 5 Enterprise Antispyware Requirements

Good enterprise IT organizations appreciate the importance of orderly processes and centralized control. These characteristics are evident in the software, technology, and workflows they employ to manage complex networks. As they deploy currently available technology to combat spyware, enterprise IT departments have not lost sight of the requirements that will help integrate antispyware measures into standard desktop administration. More...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID439 by Dave Piscitello  


Thu, 04 Aug 2005 00:00:00 00, 438
Is the threat of Internet fraud overhyped?

Finance Tech offers an interesting article that suggests that the concern and worry over Internet fraud is (can you imagine) overblown. In The Internet Is the Safest Channel, Ivan Schneider quotes Richard Parry, a Senior Vice President of Consumer Risk Management at JP Morgan as saying that fraud is more commonly perpetrated over the phone and even face-to-face than through Internet-based services. Parry also claims the financial impact from Internet fraud is "limited".

So why is all the negative press aimed at the Internet?

This is one more example of the roller-coaster relationships the tech and popular press have with *any* technology. Over the years, I've observed that pop press reporters fall in love with and "marry" new technologies at rates that eclipse (ahem) chapel weddings in Las Vegas. A honeymoon period follows, during which reporters lavish their spouses with compliments - "innovative", "disruptive", "lifestyle-altering". When reporters run out of compliments, they become disenchanted and fickle. Most such marriages end in divorce, preceded by lengthy proceedings so reporters can milk negative copy from the relationship. Some reporters stay unhappily married simply because there's endless copy in beating down a technology or company (think "Microsoft").

It's simply the Internet's turn to take the abuse. But expect the Internet to remain a target for a while; like Microsoft, it's a big target.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID438 by Dave Piscitello  


Tue, 02 Aug 2005 00:00:00 00, 436
Phishing presentation

Roger Seeholzer (Adjunct Professor, University of Maryland University College Europe) contacted me some time ago, asking permission to use graphics from Phishing columns I'd written for Loop as resources for a presentation at CSI 2005. I agreed, and he's graciously returned the favor by sending me a copy of his presentation. You can find it here [pdf], and you can find my columns at http://www.securityskeptic.com/phishing.htm

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID436 by Dave Piscitello  


Mon, 01 Aug 2005 00:00:00 00, 437
The outside of a horse

Teddy Roosevelt is credited with having said, "The best thing for the inside of a man is the outside of a horse". Having completed an exhilarating week riding a spirited gelding while on vacation at a dude ranch in Wyoming, I feel I know exactly what Teddy meant. I'm rejuvenated, refreshed, and relaxed, but mostly full of regret that my path in life keeps me from spending months rather than weeks riding in the Grand Tetons.

After four visits in five years, I find I am happier in and around the Teton and Yellowstone National Parks than anywhere I've ever been. I've also concluded that my affection for this part of Wyoming is due in no small part to riding. God intended that we see the Tetons from the back of a horse (no sacrilege intended). Why? Well, when you ride a horse, you cover as much ground as you would driving. The stop and go pace of crowded park roads assures that driving is slower going than a long, comfortable trot - and yes, I'm finally a competent enough rider that I can actually use "comfortable" as an adjective for "trot". You also see more of the park than you'll see if you walk (unless you can walk about 10 miles, a mile and a half above sea level, over the course of 2 1/2 hours, twice a day).

We encounter wildlife in its natural habitat, closer than if we were in a vehicle. How close? Less than one hundred feet. Elk run from an SUV, but allow riders on horseback to cut through the herd. There's no engine noise and emissions to prevent us from hearing how a calf and cow communicate to locate each other. The sounds and scents from horses don't spook elk, and apparently mask the stink of the omnivores astride their backs.

We circle a herd of nearly 300 American bison, and your horse instinctively maintains a safe distance. The bulls stare you down. We're close enough to see their breath in the cool morning air, and to note that bulls have straight horns while the horns of the cows are curved. We observe how the cows circle around their young, like wagons anticipating an Indian attack.

Our wrangler leaves the trail and blazes his own, in search of a bull moose, pronghorn antelope, even a brown bear (grizzly). Wolves now populate the Tetons, and we wonder if we'll catch a glimpse of the pack we heard howling the night before.

We stumble upon a coyote. It bolts, and our wrangler gives chase! Cowboy fox hunt.

Our daughter keeps a checklist of the animals we've seen in the Tetons: bison, elk, mule deer, pronghorn antelope, moose, eagle, great white owl, heron, pelican (really!), coyote, badger, beaver, ground squirrel, and red tail hawk. Many of these live in habitats unreachable by foot or vehicle.

Riding at this particular dude ranch, the Triangle X, is special. If you can ride, you *will* ride, as in trot, canter, and gallop. You'll climb foothills and cross ridges on trails narrower than anything most folks would dare cover on foot. Take a full-day ride, and you'll climb to Ram's Horn, about 10,500 feet. The trails here are narrow, rocky, *and* steep, but the view is incomparable. Imagine yourself at the top of the Sears Tower, but from the tower you can see the Bridger Mountains in Montana, the Tetons and Yellowstone Mountains in the south, and in the distant south, Jackson Hole and the Gros Ventre Slide.

You'll gallop through the shallows along the Snake River to cool off, and your horse will prove beyond doubt that his breed is playful, intelligent and *competitive*. You'll jump gullies. You'll learn that there's no shame in grabbing hold of a fistful of mane when your horse shies from a shadow, or stump, or scary rock.

Our son Matt had the unique experience of swimming across the Snake River on horseback. You have to see the current of the Snake firsthand to appreciate how daunting an effort this might be if you swam alone.

The poorly kept secret is out: Dave loves horses.

BTW, Teddy was only partly right about horses. If you treat them well and earn their trust, horses are wonderful, reliable, and playful companions. The best thing for the inside of a man may just be the inside of a horse...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID437 by Dave Piscitello