Wednesday, 29 June 2011

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security.

Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing your policies for completeness.

The SANS top 20 controls are a must for any organization:

  1. Inventory of Authorized and Unauthorized Devices

  2. Inventory of Authorized and Unauthorized Software

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

  5. Boundary Defense

  6. Maintenance, Monitoring, and Analysis of Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based on the Need to Know

  10. Continuous Vulnerability Assessment and Remediation

  11. Account Monitoring and Control

  12. Malware Defenses

  13. Limitation and Control of Network Ports, Protocols, and Services

  14. Wireless Device Control

  15. Data Loss Prevention

  16. Secure Network Engineering

  17. Penetration Tests and Red Team Exercises

  18. Incident Response Capability

  19. Data Recovery Capability

  20. Security Skills Assessment and Appropriate Training to Fill Gaps

If you are missing policies dealing with any of these, this would be a great time to look at implementing them, especially with such a great resource now available.


Tuesday, 28 June 2011

Me Personally? I love DAOS...

I think DAOS is great, and why?   Because of the screenshot below.   A database a quarter of that size would make most admins cry, but with DAOS, it hums along beautifully.

Makes me wonder if this type of scenario is what IBM had in mind when they designed DAOS.

Oh, and the size is not an error.   Logically, it actually is 140GB in size, with about 53,000 attachments.

Indian users of Groupon subsidiary face password breach

An Australian security consultant, Daniel Grzelak, discovered an SQL file with over 300,000 usernames and plain text passwords by conducting a Google search.
The entire user database of Groupon’s Indian subsidiary was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

On a side note, this is the same Daniel Grzelak who created, as a side project, a website that allows you to search a database of known-compromised e-mail address and password pairs to see if your password has been compromised.
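As an added illustration of the failure mode in this post (not code from the article or from Grzelak), here is a check a site operator could run over their own document root to find database dumps that pair e-mail addresses with plain-text passwords before a search engine does. The file extensions, the hash-shape heuristic and the sample rows are assumptions made for the example.

```python
# Added example, not from the post: scan a web document root for exposed SQL
# dump files whose INSERT rows pair an e-mail address with a plain-text
# password, the failure mode behind the Groupon India exposure above.
import gzip, os, re, tempfile

DUMP_EXTENSIONS = (".sql", ".sql.gz", ".dump", ".bak")
EMAIL_SHAPE = re.compile(r"[^@\s']+@[^@\s']+\.[^@\s']+")
# Values that look like stored hashes: bcrypt, crypt(3) MD5/SHA, bare hex digests.
HASH_SHAPE = re.compile(r"^(\$2[aby]\$|\$[156]\$|[0-9a-fA-F]{32,}$)")
QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")

def read_dump(path):
    """Read a plain or gzip-compressed dump as text."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()

def plaintext_credential_rows(sql_text):
    """(email, password) pairs from INSERT rows where the quoted value after
    an e-mail address is non-empty and does not look like a password hash."""
    found = []
    for line in sql_text.splitlines():
        if not line.lstrip().upper().startswith("INSERT"):
            continue
        values = QUOTED.findall(line)
        for email, nxt in zip(values, values[1:]):
            if EMAIL_SHAPE.fullmatch(email) and nxt and not HASH_SHAPE.match(nxt):
                found.append((email, nxt))
    return found

def scan_webroot(root):
    """Map each dump file under root to its count of exposed credential rows."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DUMP_EXTENSIONS):
                path = os.path.join(dirpath, name)
                rows = plaintext_credential_rows(read_dump(path))
                report[os.path.relpath(path, root)] = len(rows)
    return report

# Constructed sample dump: one plain-text password, one MD5, one bcrypt.
SAMPLE_DUMP = """-- constructed sample, not real data
INSERT INTO users VALUES (1,'alice@example.com','hunter2','2011-06-01');
INSERT INTO users VALUES (2,'bob@example.org','5f4dcc3b5aa765d61d8327deb882cf99','2011-06-02');
INSERT INTO users VALUES (3,'carol@example.net','$2b$12$abcdefghijklmnopqrstuv','2011-06-03');
"""

def build_sample_root():
    """Throwaway web root holding a plain and a gzipped copy of the sample."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "users.sql"), "w") as fh:
        fh.write(SAMPLE_DUMP)
    with gzip.open(os.path.join(root, "old.sql.gz"), "wt") as fh:
        fh.write(SAMPLE_DUMP)
    return root
```

Running `scan_webroot(build_sample_root())` reports one flagged row in each of the two sample files; hashed rows are skipped, which is exactly the distinction a proper password store would have made here.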

Monday, 27 June 2011

Bioware Account Breach

I got an email the other day, one I wasn't expecting to receive, because I wasn't even aware that the organization had a data breach.  (But then, how could I?  They've been coming fast and furious for a while now.)

The email looked like this:
We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an abundance of caution, we have disabled your legacy Account. To create a new account please visit

We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your Neverwinter Nights account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

If you have questions, please visit our FAQ at or contact Customer Support at the phone number above.

Aaryn Flynn
Studio GM, BioWare Edmonton
VP, Electronic Arts

Now, to be honest, I didn't even realize that I had an account at the Bioware forums.  I haven't actually played Neverwinter Nights in almost 7 or 8 years.  As a result, I'm not even sure what my username or password would have been.

I suppose that's the first lesson for me, I should be more diligent about logging where I have accounts.   I've started that recently by beginning to use LastPass, but prior to that, the odd email that arrived often reminded me that I had an account with a given service provider.

The breach was discovered on June 14th, 2011.  The first place they notified customers was on the forum itself.  Which is great for people who still use the resource, but doesn't do much for the rest of us.

My email came on June 23rd, 2011.  It contained a link to the EA customer support site.   (I wasn't even aware that EA had purchased Bioware.)

I'm not concerned about it taking a week to let me know about the breach.  First of all, the accounts compromised got locked down according to EA.  And they notified current users via their forum.   As a past user, there isn't much that I could have done to protect myself, and I make sure that I have unique passwords on each site I use so my other accounts shouldn't be at risk. (You do that too, right?)   I'd much rather a bit of a delay in warning me, than a constant back and forth about what data was actually taken.

So, in the end, the attackers have my:

  • user name

  • encrypted passwords

  • email addresses

  • mailing addresses

  • names

  • phone numbers

  • CD keys

  • birth date

The username, email address, encrypted password and CD key I'm not as worried about. I've moved a few times since I registered the account, so my address or phone numbers don't bother me.  I am concerned about my birth date and real name, but I can't easily change them...

Friday, 24 June 2011

Is speed a good thing in disclosing security breaches?

How quickly do you feel a company should notify you that your personal data has been exposed as the result of a security breach?

There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada.  Each company took a different amount of time to notify customers, but that is because they are allowed to.  There are no laws that specify how quickly they must advise you that your private information may have become public.

Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony Playstation Network breach to advise customers.

Epsilon, who lost millions of customer account data belonging to more than 50 major companies, contacted people only a day after the breach was discovered.

Honda Canada, who suffered a breach in March, didn't notify people until May.

Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public.  The current version of the bill states that companies don't have to tell the public until 48 hours AFTER the investigation of the breach is complete.  Hopefully that gets strengthened, as an investigation can drag on for a very long time.

Thursday, 23 June 2011

Basic Information Security Practices missing at most Small Businesses

As I read this article earlier today, I have to say that I am not really all that surprised.

Most small businesses are more concerned with their day-to-day operations and where the next client is coming from than they are with spending the time to create policies and processes to manage security.
Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing confidential data, 31.1% never trained staff on the company’s information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing confidential data.

With any small business there is only so much time and so much to get done.  Most processes exist, but are usually undocumented, and quite often verbal.
“Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don’t tend to have formal policies and procedures in place until that start to grow more”

Without a training program, and documented procedures, what are the chances that something like this may happen more and more often?

Tuesday, 21 June 2011

Canadian Privacy Commissioner criticizes Staples

The Canadian Privacy Commissioner, Jennifer Stoddart, has found that Staples Canada Inc. failed to fully wipe customer data from returned devices such as laptops, hard drives or USB keys prior to reselling them.
The Staples audit included tests on data storage devices (ie. computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale.  Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records.

This brings a few questions to mind.

Who are these individuals who would return a device to a store, and blindly trust that the store will do what is in their best interest, rather than in the store's best interest?

The privacy commissioner stated that:
...although Staples generally has good privacy practices, it had not met its obligations under Canada's private-sector privacy law with regard to returned data storage devices.

How many organizations have a policy regarding data storage devices, and the safeguards around their disposal?  I would imagine that most do, but that won't protect the individual consumer.

Personally, I'd like to know the policies of a store before returning data storage hardware, such as cell phones (did you wipe the address book before you returned it?), smartphones (same goes for emails), USB drives, laptops, external hard drives, internal hard drives, computers, or memory cards to them.

I'd want to know if they wipe them, a little bit about how they wipe them, and as a purchaser of previously purchased goods, I'd want to know if the device had been checked for viruses and other malware.

And the next time I return hardware to a store, or purchase a previously purchased device, I will ask.

Friday, 17 June 2011

IamLUG - North American Lotus User Group

Once again, I believe for the third year, St. Louis is opening its doors to Loti from across North America.

Founded on the 'free' conference ideal, IamLUG has offered more than 25 sessions each year with the optional 'TackItOn' full day of training on specific subjects.

This year's session list looks great, and the speakers rock.   It's happening on August 1st and 2nd, with the 'TackItOn' day being Aug 3rd.

You can find more detail here.

Thursday, 16 June 2011

Taking Security Too Far: Breaking the Business Process

Read the following statement:
apparently the advent of 3D projectors is severely cutting the amount of light that reaches the screen because projectionists are not changing out the 3D lenses for 2D screenings as they should

Would you believe that a poorly planned security process is to blame for degrading our enjoyment of 3D movies?  With more and more thought being given to security, and protecting the intellectual property of the organization, it is possible for those controls to go too far.
Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly.

While it is a great idea to make sure that the business is protected, making security too much of a challenge for people to do their jobs results in poor returns for everyone.
Opening the projector alone involves security clearances and Internet passwords, 'and if you don't do it right, the machine will shut down on you.'

when the designers developed the projector's security, they failed to consider who would be using it, their level of technical capabilities, and their own internal risk model ("If I do this complicated and difficult thing and make a mistake the projector will lock up and the screening will have to be canceled and I'll probably get fired.") The upshot is poor design that defeats the purpose.

When you are designing your next security model, give lots of thought to the business and its ultimate goals.  Make sure you are not a hindrance to the bottom line.

Reference: When Threat Models Collide

Wednesday, 8 June 2011

Conservative Party of Canada Contributor Information Leaked

According to @LulzRaft, it looks like there was a data breach of campaign contributor information that went along with the fake news release when the Conservative Party of Canada website was breached.

Update:  @LulzRaft is not connected to @LulzSec.


Technology, Law and the Canadian Workplace

Tod Maffin from the CBC interviews 2 lawyers about Canadian Law, and Technology in the workplace.

Wikimania - Please don't post (I want to win...)

Yeah, the title is a bit tongue in cheek, but seriously...

I entered an article in the Wikimania contest last year, and I even won a book, and a number of other small items.

I've entered again this year, on the very day the contest opened.   I suspect that I was even pointed out for it.

Sharing with the community is a great way to develop friendships and share information.  (And win prizes.  After all, who doesn't want to be recognized for their work.)

Security Review - 6/7/2011

Similar to a number of other breaches (Sony, Epsilon, Lockheed-Martin), hackers seem to mostly be targeting the 'larger' targets, that will bring a lot of public exposure.

The Conservative Party of Canada site was the target of such an attack this week, as were many branches of the Sony empire.  The Kingston Police department just got their website back online on Tuesday following a breach.

It's no surprise then that Vermont Democrat Senator Patrick Leahy has introduced a bill that would set a national standard for notifying consumers of breaches, and would make it a crime to conceal a data breach.

Is there any doubt why Canadian companies are wary of the cloud?
As a result, Canadian firms tend to experience fewer security lapses. On average, 43% of global companies reported a breach within the last year versus 38% in this country.

Tuesday, 7 June 2011

Hackers target Conservative Party website

Despite news on the Conservative Party of Canada website, Prime Minister Stephen Harper was not airlifted to a hospital in Toronto following a choking incident at breakfast with his children.

In fact, it was an attack by hackers targeting the Conservative Party website.

The CBC has more details.

Hackers make off with Government of Canada data

Back in April 2010, two groups (The Citizen Lab and The SecDev Group) discovered that government computers in 103 countries were compromised by hackers from China.  They wrote about it in a published report called Shadows in the Cloud.

Fast forward to the fall of 2010 when Communications Security Establishment Canada (Canada's electronic eavesdropping agency) started looking for signs that Canada's governmental networks had been compromised.

Fast forward to January 2011, when a hack was discovered in three Canadian government departments including the Department of Finance and an agency of the Department of National Defence.

A memo written at the end of January 2011 states:
"Indications are that data has been exfiltrated and that privileged accounts have been compromised,"

Moving on to February 2011, when Prime Minister Stephen Harper says that the government has a strategy to protect computer systems, but admits that cybersecurity is a "a growing issue of importance."

And now in June 2011, through a memo that the CBC received through an access to information request, that hackers stole classified information.

So, what's happened in the interim?

Departments have set up workstations on each floor where employees can go to access the Internet for work purposes.   And what happens when those are busy?   They take their laptops down to the local coffee shop and access needed resources there.

So, now that the secure corporate environment has been breached, the next target will be the coffee shop wireless connection.   My guess is that the wireless connections at coffee shops probably don't undergo the same rigorous security that goes into a typical corporate network.   But in this case, whoever the hackers are that infiltrated the government networks, they have definitely flushed the game out of the woods.

Wednesday, 1 June 2011

Tomorrow is IPv6 day!

Tomorrow is the Internet Society's World IPv6 day.

On June 8th, many major world organizations (including Google, Akamai and Yahoo!) will be turning on IPv6 services for a 24 hour test.

More information can be found here.