Archive for November, 2006

I met with a Security Vendor today. I told him what I wanted and he told me that his company could do it but that they usually did not work with financial institutions because that was not their specialty. He said that they felt better giving a referral to a competitor than giving us below par security. I kept waiting for him to start laughing but he was serious. He said that they are great at what they do, but for our industry they just chose to stay out. How often does that happen?

One of the great things about blogging is that you have a topic that you want to comment on. You say what’s on your mind and often someone else will pick it up and run with it. Sometimes what they have to say is in opposition to your point of view and sometimes it supports and builds upon it. That is what Martin McKeay does in his post about logs. I wrote my post with the intent of illustrating how important it is to review your logs. He read it and then built upon it by talking about some good ways to keep your logs somewhat manageable. It’s kinda like having a conversation with another guy on your security team, except we get to share it with our millions thousands a few others who read our blogs. Now if I could just get him to fly to Georgia and set up my new log monitoring software so I don’t have to do it myself.

This post was prompted by Dr. Anton Chuvakin and his post on ignoring logs. I’ve mentioned this story before briefly here but felt that more detail would be beneficial to those debating the merit of reviewing log files. There may not be anything more boring in Security than reviewing log files, but there also may not be much that is more important.

A few years ago I did a stint as a Consultant for a small Kentucky company. Shortly after I started, a customer called with an emergency. The guy who worked this account was on vacation so I went to investigate the problem. They were having problems authenticating users to the domain and therefore many resources were unreachable. I asked the standard questions about what had changed recently or whether anything new had been added to the network. They assured me that nothing had changed or been added. After having them show me exactly what they were doing and seeing what was happening, I started looking at the DC to see what I could find. In reviewing the Security logs I noticed that a new administrator privileged account had been created 2 weeks earlier. After waiting 2 weeks to ensure that the account had not been discovered, the hacker then proceeded to load file sharing software on the server and copies of 4 of the latest movies (2 of them weren’t even in theaters yet). Every time the P2P application ran it disrupted AD on the server and caused users to lose their credentials.

How did this happen? There were at least 2 MAJOR mistakes made here. First, the server, which was the Global Catalog and Primary Active Directory server, was dual homed and one NIC was on the internal network and the other NIC was on the Internet so partners could get to it for FTP transfers. I won’t even comment on that. The second problem was that they were not monitoring logs. They did a lot of network performance monitoring and WAN connectivity monitoring. Things that look cool on graphs and have a little sexiness to them, but they ignored the mundane, boring task of log monitoring. Had they been doing so they would have noticed the new administrator account and deleted it. Then they could have investigated how it happened and closed up the hole that the truck drove through.

Luckily this turned out to be just a big nuisance. I was able to repair the damage, remove the P2P app, restore everything and get them back up and running in about 4 hours. Nothing else seemed to have gone awry during this. My investigation didn’t turn up any other mischief. Needless to say the first order of business after that was to build them a new FTP server that sat on the DMZ all by itself. Then we implemented a log monitoring program to ensure that this didn’t happen again. I stayed with the consulting firm for a year after that and no other issues were reported so either they were successful in keeping the bad guys out or too embarrassed to let it be known that it happened again.
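As an added example (not the author's tooling and not part of the original post), here is the kind of check a routine log review would have applied to catch the new administrator account in the story above. It assumes the event IDs the Windows Security log uses today (4720 = user account created, 4728 = member added to a security-enabled global group, 4732 = member added to a security-enabled local group); the Windows 2003-era log in the story used different IDs (624/632/636). The event records are constructed sample data, not real logs, and the list of privileged groups is an assumption you would tune to your own domain.

```python
"""Flag new accounts that receive administrator-level group membership.

Added example for the log-review post; not the author's code. Event IDs
assumed: 4720 (account created), 4728 / 4732 (member added to a
security-enabled global / local group). All records below are constructed.
"""
from datetime import datetime, timedelta

# Groups whose membership changes always deserve a human look. Assumed list.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
}

# Constructed sample events, mirroring the fields the Security log carries
# for these IDs: subject = who made the change, target = account changed.
SAMPLE_EVENTS = [
    {"time": "2006-10-01T22:13:07", "id": 4720, "subject": "CORP\\svc-backup",
     "target": "CORP\\sysupdate", "group": None},
    {"time": "2006-10-01T22:13:40", "id": 4728, "subject": "CORP\\svc-backup",
     "target": "CORP\\sysupdate", "group": "Domain Admins"},
    {"time": "2006-10-03T09:05:12", "id": 4720, "subject": "CORP\\jdoe",
     "target": "CORP\\newhire01", "group": None},
    {"time": "2006-10-03T09:06:00", "id": 4728, "subject": "CORP\\jdoe",
     "target": "CORP\\newhire01", "group": "Domain Users"},
    {"time": "2006-10-05T14:30:00", "id": 4732, "subject": "CORP\\jdoe",
     "target": "CORP\\newhire01", "group": "Administrators"},
]


def review_security_log(events, window_hours=24):
    """Return a list of (severity, message) findings, oldest first.

    - Every account creation is recorded (low) so a reviewer sees it.
    - Every privileged-group addition is reported (medium).
    - A privileged-group addition to an account created within
      `window_hours` is escalated (high): the post's new-admin case.
    """
    created_at = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created_at[ev["target"]] = ts
            findings.append(("low", f"account created: {ev['target']} "
                                    f"by {ev['subject']} at {ev['time']}"))
        elif ev["id"] in (4728, 4732) and ev["group"] in PRIVILEGED_GROUPS:
            created = created_at.get(ev["target"])
            if created is not None and ts - created <= timedelta(hours=window_hours):
                findings.append(("high", f"NEW account {ev['target']} (created "
                                         f"{created.isoformat()}) added to "
                                         f"{ev['group']} by {ev['subject']} at {ev['time']}"))
            else:
                findings.append(("medium", f"{ev['target']} added to {ev['group']} "
                                           f"by {ev['subject']} at {ev['time']}"))
    return findings


if __name__ == "__main__":
    for severity, message in review_security_log(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] {message}")
```

On the sample data the `sysupdate` account is created by a service account late at night and put in Domain Admins half a minute later, which is the high-severity case; `newhire01` is a normal onboarding, and its later addition to Administrators shows up as medium because it happened days after creation. The point of the post stands regardless of tooling: a check this simple only helps if someone actually runs it and reads the output every day.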

As I’ve mentioned in past posts I work for a small company and my role is multifaceted. I was hired for IT Security but that quickly morphed into managing all IT functions (if it plugs in, turns on, or looks technical it’s mine), project management for new branch openings, managing facilities, and physical security. A lot of this has been trivial due to partnerships that we have had with other companies. I did little day-to-day, hands-on work in a lot of these areas. I just managed the vendors, partners and people who did the day to day. All of that is changing. The company that we partnered with that did a lot of this is parting ways with us. Come the first of February we will have brought all these things in house. Some of it will still be outsourced, but the direct responsibility for it will be on my team.

Because of the nature of our business and the location of many of our offices, physical security is a BIG deal. Prior to this job I had very little experience with physical security beyond typical IT physical security: server room access and monitoring and such. I got this responsibility because I have a security mindset like The Mogull talks about here. Now that I’m responsible for ALL aspects I’m learning lots of new things that are being done in the realm of physical security. There is some pretty cool stuff and what is really great is the convergence of physical security and the rest of IT. We’re in the middle of talks with various vendors to get all of the pieces in place prior to February, and choosing the right vendor for each piece will be critical to the safety of our employees and the success of our business. Luckily my inexperience in this area is offset by my security mindset and by others in the company who have been in this and similar industries for many years. They are not security experts, but they have seen and experienced lots of things that add value to my information gathering. I’m getting hints, tips and ideas from executives, hourly employees and everyone in between. It’s good to know that even if most of my users don’t get IT security, at least they are thinking about physical security and have something to add.

Michael Farnum wrote about his talk to Alert Logic. He was talking to the sales staff about what a typical SMB Security Managers day looks like. I wish more people knew what our days look like. I especially enjoyed the maybes beside Lunch and Drive Home. I can’t recall the number of times that I’ve missed lunch and putting my girls to bed because of work. I really don’t think that most people realize all that we have to do each day. Especially those of us in the SMB world. One person working in a department such as security (and often, as in my case, one person doing most everything IT related). I’m amazed at the number of people who either email, call or come to my desk and expect me to drop everything to fix their problem. Sometimes they are justified but most times they are petty and surely don’t justify me dropping everything. Yet, the user often thinks that because their mouse ball needs cleaning that I don’t have anything better to do.

If Michael doesn’t mind I may just post his “typical” day on my door and maybe even email it to everyone in my company. Maybe I’ll get some peace and quiet then. Nah, it’ll never happen.

Kevin Devin writes on his blog about how we write policies that tell users what they can and can’t do. When it comes to user education we often focus on the “do nots” as opposed to the “can dos”. We all know that giving a list of “do nots” usually raises the curiosity level of people and often encourages them to explore the “dark side”. For those of you who have kids you know what I’m talking about.

Kevin wonders what it would be like to give our users a list of things that they can do with their laptops and portable devices, as well as any company resource. He is right in noting that it would be a longer document but it could provide some good direction for our users. I know from personal experience that users often look at IT (and more lately the security team) as those “kill joys that want to control everything”. Having a list of things that they can do would go a long way towards improving our reputation. Not that our reputation is important compared to keeping things secure.

Even though it may provide benefits I think that going down that road is not a good idea. Too much room for wiggle. I can see users thinking that there is an “implied” clause that allows them to do “a” because it is similar to “b”. Having a clearly defined policy that sets boundaries, defines the consequences for exceeding them and is enforced is the best way to keep things in check.

Clement Dupuis posted a response to a message from a cccure.org member about his decision to use flash for a presentation that he is offering on his site. The guy had some valid arguments as to why flash can be a danger to use. He then shot himself in the foot by spouting off his “research” into the dangers of flash. What he failed to do was review the results of his research and make sure that they were relevant to his topic.

We are all susceptible to this. We get a notion in our head and run with it. We do some quick “research” on Google and declare our hypothesis as truth. Security is serious business and we all do well to take it seriously, but we also need to make sure that the case we build is built on fact and not FUD. This is the kind of stuff that makes it hard to get management on our side. We play the part of Chicken Little and look like a nut case. Even if our concerns are valid we have to be smart about how we deal with them. When we rush to judgement we make bad decisions or often look like fools in making good decisions. Some say that they don’t mind looking like a fool or a control freak if it keeps the network safer, but I say that you can keep it safe and keep the rest of the company from thinking that IT is a bunch of nuts at the same time. It just takes common sense.

This article on CNET.com makes my skin crawl. I know it’s not new information but it just doesn’t sit well with me. They say that due to the fact that the microphones are 3 to 4 meters off the ground they can’t pick up normal conversations, but we all know that it won’t take much to change that. These are the things that are slowly stealing our privacy and rights.

Here is a really good idea that I’m afraid has the potential to go really bad. This is open source software that basically sets up a Tor-type network to allow people to anonymously connect to the web from countries that restrict what users can do on the internet. What scares me about this (I only know what I read so maybe I’m way off base) is that since it is open source it could possibly be modified by someone with less than good intentions to do all sorts of bad things: turning the machines that connect to the “bad” server into spam bots, infecting them with trojans and other malware, decrypting the session and stealing personal data. There is a long list of possibilities.

I hope everyone had a great Thanksgiving and got plenty of rest for the year end nightmare that we call IT Security. I know for me it’s gonna be a wild, fast ride.

DarkReading.com has a pretty interesting article, The 10 Most Overlooked Aspects of Security. It also fits pretty well with my post last week, What I Worry About. Most of it is common sense things that are often overlooked either by accident or by someone who is inexperienced or lazy, but it’s good to be reminded from time to time about things that can slip past our radar. One of the things that I like about this article is that each of the 10 items has a page to itself with a little more detail and even some tips on how to prevent and reduce the impact of these items. It’s not a thesis on security but it’s pretty good reading to keep you on your toes.