Archive for May, 2010

I feel kinda cheap and dirty because I’m posting something that I usually don’t post. No, it’s not a press release and it’s not an endorsement of a product so that I get free stuff (although they did offer me free stuff, but it’s the same free stuff that they are giving you; I just could have gotten it a day earlier). I’m putting this out because I do feel that some of you may benefit from it and it is free. It’s free, not as in beer, b/c free beer is usually given by a friend just because. It’s free as in chips and salsa, b/c usually a restaurant gives you chips and salsa b/c they plan on selling you something else.

Paragon Software is giving away their Virtualization Manager 9.5 Personal for free from Friday, May 21, at 9:00 AM (EST) until Monday, May 24, at 9:00 AM (EST). It usually costs $29.95 but today it’s free if you go to http://www.paragon-software.com/free. I’ve never used it before but have heard good things about it, so I thought since they were giving it away I’d pass it on. Now it does require registration, so be prepared to have the waitress put a menu in front of you.

Kevin Beaver writes about how the business continues to choose compliance over true security even though we (the security people) know that it’s a bad idea. He makes the following comment:

Those of us in infosec circles know these dangers haven’t changed but management keeps on chugging along as if it doesn’t really matter in the grand scheme of things.

Maybe it doesn’t…?

Well, I don’t think that Kevin believes that it doesn’t matter. He just seems to be at a point where he doesn’t understand why this continues to happen.

I have a few theories that I want to share with you.

  1. Those who do understand still are not doing a good job translating the danger into a language that the business understands.
  2. We don’t understand the business enough to realize that the cost/benefit trade-off is not enough for management to buy. They would rather accept the risk, take the chance and deal with the consequences.
  3. There is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.
  4. Compliance still makes the Auditor happy, and we all know that when Audit isn’t happy nobody is happy.

There are other theories and reasons for this phenomenon and I invite you to share yours in the comments. To answer the question as to whether or not it matters, I think that it does. It matters because just doing enough to get by is wrong in lots of ways.

  1. It’s putting short term benefits over long term ones.
  2. It’s telling the world that our standards aren’t really that high and that we only care about what looks good.
  3. It’s creating issues that go way beyond us and the here and now.
  4. It affects lots of “innocent” people.

This is the kind of attitude that has gotten us into the mess that we are in with the economy, housing and even the BP oil spill in the Gulf. It’s this type of attitude that has brought down companies such as Enron, Arthur Andersen, MCI, and is going to bring down many more. I’ll stop here before I get on a soap box.

One of the problems with policy is that the intended message and the delivered message are often not the same. The business develops policy based on lots of different factors: regulation, business needs, company culture, security, usability, etc. In a perfect world they are crafted with input from many different LoBs and run through legal, HR, and user groups. They then get approved and put into practice at work. That is where the problem often begins. Once they are approved they are ignored. Not always purposefully, but inadvertently. Someone sends out a notice to let everyone know that a new or updated policy is now in place and that they should read and become familiar with it.

Then everyone goes on their merry way and no one outside the group that wrote the policy knows what it says. Sure, they have an idea because of the summary given in the announcement, but that is about it for most people. Then something happens and someone is allowed to ignore the policy, or maybe just to “alter” or “reinterpret” it. Like the situation that occurred when police officers were allowed to get around a policy that said that they were not to use their department-issued communication devices for personal use. Instead of enforcing the policy, their supervisor (or someone) said that they could use them for personal use as long as they paid for any overages incurred. This happened for a while until someone reviewed some messages that were sent and an officer was disciplined for what was in the message. This is where another part of the policy comes into play. You see, officers were also told that policy stated that there should be no expectation of privacy when using department-supplied equipment. Yet the officer felt that since he was paying for his personal messages, they should be private.

You may think that this is pretty clear cut. The officer is wrong, policy was clear and his discipline should stand. The problem is that the enforcement of the policy was not consistent with the intent of the policy, and officers were allowed to ignore policy. In other words, the message was not the message. What was intended and what was enforced were not the same, and therefore the policy is weakened and possibly useless. There was no consistency between the intent and the implementation of the policy.

The team at Information Nation has a quick write-up on this that is worth the read if for no other reason than it reminds us of the importance of consistency in how we apply policy. I think the bigger message is that there has to be a more concerted effort on the part of the company to ensure that policies are understood, applied and enforced. The cycle of creating, announcing and forgetting has to end or we might as well quit creating them. We can use our time deploying firewalls and AV. All we really need. :)

I know that sounds kind of pompous. I can do very little to make the blogosphere smarter, but I’m going to do what I can. Rich Mogull wrote a post that rings true about the drop-off of content in the blogosphere. I know that my blogging has dropped off dramatically in the last year or so. It’s not due to Twitter or Facebook but just due to life. Life has gotten very busy and I’ve let my blogging take a back seat. I don’t know why actually, because it has been a tremendous boost to my career. Rich talks about some of the benefits he has reaped from blogging and I can say ditto to them. Blogging is how I know of Rich and how he knows of me. I even talked about some of the benefits last week when Martin and I were on Pauldotcom Security Weekly.

So I’m going to get my blogging back up to speed. I’m going to start blogging more and hopefully other bloggers will heed the call and get back to it. Let’s get the conversations going again.

OK, we’ve all heard the story about the Google Street View cars “accidentally” collecting personal info from open WiFi signals. I know that this is a family-friendly blog, but I have to call BS on this. Google doesn’t do anything with data “accidentally”. Google saying that this was accidental is like saying that Kraft accidentally sold macaroni and cheese.

First they lie and deny that the cars were even collecting the data, and then they come clean when they realize that they have been caught. That makes this even worse. Now they are getting on the same level in my eyes as Apple, and that is pretty low. I’ve been openly critical of Google for their lack of concern for privacy and even went so far as to try and “degoogleize” my life (although I have since started using more of their services). Now I’m starting to get more and more disenchanted with them b/c of this type of stuff. The quote by Eric Schmidt a few months ago about privacy not mattering was bad enough, and now they are stooping to openly lying until they have to “fess up”.

Look, there are no perfect people or companies, but come on, act like an adult. Wait, act like a mature adult. If you are doing something that others may not agree with and it gets exposed (as it almost always will), then just be grown up about it and admit it. I assure you that people will respect you more for it. That is one of the problems that I have with Apple. They have a history of dishonesty when dealing with vulnerabilities and such. If they would just admit it and move on, then I probably would not have “de-appled” my life.

So here is my advice to Google and everyone else. If you get caught in something, just fess up and admit it. Don’t try to hide it, spin it, deny it or hope it will go away. It won’t. People will remember how you act and respond. Remember, character does count and it does impact your business.

Martin and I were guests on Pauldotcom Security Weekly last night as they recorded episode 199. We went on to continue the discussion about pentesting started at Shmoocon this year at the Security Podcasters Meetup. A quick history lesson for those who don’t know what we are talking about: the topic of “valid” pentesting came up and someone made the comment that unless exploits were involved, then it’s not really a pentest. Martin stood up and called “BS” on that statement and it went from there. I wrote about it back in February and Paul picked up my post and talked about it some on an earlier episode of his podcast. After that I contacted Paul and asked him if they would be up for a debate on the subject.

It wasn’t exactly a debate, but we did have a good discussion on the subject as well as on airline security and a few other things. We really enjoyed joining them and appreciate them having us on the show. It should hit the download site in a couple of days, so please download it and check it out.

Mark Your Calendar!!! It’s that time again! The Atlanta Chapter of the National Information Security Group is meeting on Wednesday May 12th at 7:00 pm. This month we have Atlanta’s own Dave Shackleford presenting.

Wednesday, May 12, 7:00 – 8:30 PM

Gordon Biersch Brewery Buckhead

“A Brief History of Hacking”
by Dave Shackleford

Question: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?

Answer: They were all milestones in the evolution of hacking and information security.

In this session, you’ll learn about:
 The early days of phone phreaks and bulletin boards
 The growth of hacker gangs and 2600: The Hacker Quarterly
 The 75-cent accounting error that led to an international crime investigation
 Bill Cheswick’s evening with “Berferd”
 The first malware and Trojan horse programs
 And much more!

As an added bonus, Dave will discuss a number of the most popular hacking and hacker movies, giving his opinions on which are most realistic (if any)! It’s an evening you absolutely won’t want to miss! RSVP today, and please invite your security colleagues and friends.

Speaker: Dave Shackleford is currently Director of Risk, Compliance and Security Assessments at Sword and Shield Enterprise Security. He was formerly CSO at Configuresoft and CTO at the Center for Internet Security. Dave, a certified SANS instructor, also has worked as a security architect, analyst and manager for several Fortune 500 companies. In addition to these roles, Dave has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.