Monthly Archive

This is the archive of the blog! Feel free to browse around!

My blog is not your PR-channel, duh!

A week or so ago, I was contacted by email by someone working at a company that had developed a game. The game was used as part of the promotion of a security event. They wanted me to put a link from my blog to the game in order to promote the event.

The request was polite, and I decided to take a look. I did try the game, but saw no immediate connection to my blog, and decided against promoting it. And I had the courtesy to inform the someone (above).

I promptly got an answer, with some explanations; and quite a few ways I could implement the game anyway. Now, I am a professional sales guy myself, so I do appreciate a certain level of persistence. And being in the polite mood, I told the someone I would spend a few days to reconsider, and that I just might change my initial point of view.

And I did reconsider.

I thought that ok, I could make a quick post on the game, even sharing with you all how I did not have the patience (or skills???) to complete the game myself.

Unfortunately for you and the game developer, this individual (Jenny is her name) did not have the patience to wait. Or perhaps she thought I would not reconsider.

I do not know, nor do I care.

So what did she do to piss me off like this? Instead of waiting, and accepting my supreme control of my blog, she decided to post a link in a comment. To me, that is SPAM!

And her actions piss me off enough to do the following:

1. remove the comment/spam - done!

2. send an email to her explaining the fault - done!

3. write and post this post - done!

Yes, I admit, I most likely overreacted. Yes, it did help. I might have achieved the same calmness by walking around the block a couple of times, but then you would never know, would you?

And yes, I do have a very narrow definition of spam - unsolicited mail/comments. And I am the supreme decision maker when it comes to what I find unsolicited.

So you are selling something, and want me to cover it? Leave it to me to decide whether or not it will show up on my blog, duh!

 

Laughing geek (it is weekend, right?)

I just came by this chart. I liked it. Gives away a fair bit about me, don't you think?  :)

Ps - unsure of D&D?  

Happy weekend! 

SQL-injection attack walk-through

Have you ever wondered how to learn how to do SQL-injection attacks? Rescue is here!

You are now able not only to read about attacks and try to understand their logic; you can now set up your own lab and start doing injections directly. Thanks to Gerasimos Kassaras (I had a hard time spelling that, and will not even try to pronounce it), who has written this excellent walk-through on the topic!

He will even walk you through setting up IIS and the other tools required!

Still not into SQL-injections?

Well, you should be. Security now and in the future will be about two things - information management on one hand, and application security on the other hand.  
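To show what the walk-through is about without needing the IIS setup, here is an added example (my own, not taken from Gerasimos Kassaras's paper) that uses Python's built-in sqlite3 module and a constructed users table. It places the vulnerable pattern (user input pasted into the SQL text) beside the hardened one (a parameterized query), and runs the same inputs through both so you can see the difference in returned rows. The tautology input and the O'Brien-style name are constructed test inputs.

```python
import sqlite3

# Constructed sample data for the demo (not from the walk-through).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "staff"),
    ("bob", "bob@example.invalid", "staff"),
    ("carol", "carol@example.invalid", "admin"),
    ("o'brien", "obrien@example.invalid", "staff"),  # legitimate name with a quote
]


def make_db():
    """Return an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: user input is concatenated into the SQL text.

    The database cannot tell where the statement ends and the data begins,
    so quotes and operators inside `name` are parsed as part of the query.
    """
    sql = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the SQL text is fixed; `name` travels as a bound value.

    Whatever the input contains, it is compared as a plain string against
    the name column and is never parsed as SQL.
    """
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Run both variants on the same input and return (vulnerable_rows, safe_rows).

    If the concatenated statement is no longer valid SQL, the vulnerable
    count is reported as None, which is itself a symptom worth logging.
    """
    try:
        vulnerable = len(lookup_vulnerable(conn, name))
    except sqlite3.OperationalError:
        vulnerable = None
    return vulnerable, len(lookup_parameterized(conn, name))


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "o'brien", "' OR '1'='1"]:
        v, p = compare(db, probe)
        print(f"{probe!r:16} vulnerable -> {v} row(s), parameterized -> {p} row(s)")
```

Two things stand out when you run it. The tautology input returns every row from the concatenated query and no row from the parameterized one, which is the whole point of binding values instead of building SQL strings. And the perfectly ordinary name with an apostrophe breaks the concatenated statement outright, so parameterization is a correctness fix as much as a security fix; an application that sees that class of error in its logs has found the same defect an attacker would.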

Setting up your security lab

Many of my readers are curious about hacking, testing and the ins and outs of setting up a security testing facility.

So here goes a nice white paper authored by Harry Bulbrook at Durham Technical Community College, explaining how to set up a secure lab for testing and learning. It is a year old, but it still is a great resource that enables you to easily set up and maintain your lab without interfering with your production network.

Infosecurity Europe 2008

In a couple of weeks, one of the most important security events takes place in Europe.

 

The Infosecurity Europe 2008 event takes place in London April 22-24.

I am planning on going, and I would love meeting up with peers and blog readers. If you are going too, please drop me a comment or send me an e-mail (use my first name @ my domain name), and we will find a time to grab a beer or a breakfast.

I will give you my views and updates on what is going on too, so if you cannot be there, keep reading the blog ;)

On mountain rescue and corporate security

This Easter vacation I spent with my family and friends from Den Norske Turistforening (DNT). We were tending a Tourist Cottage – a unique service the DNT offers nature-loving people in Norway. The Tourist Cottages are a network of freely available cottages scattered around Norway – where you can sleep, restock food and at some of them even get dinner served.

We were at Høgevarde – a cottage that sleeps 27 people, and that has restaurant facilities. This year, the restaurant was managed by a team of contributors, myself included, where we offered hot food and drinks to the skiers who visited.

All well. So where is the security in all this?

Part of the concept of these cottages is to provide shelter to travelers in the high mountain. They serve as a resting place. And most importantly, they serve as a rescue point in the high mountain when you are in distress.

And during Easter in Norway, many people travel to the mountain. They use their skiing skills only this time of year, and their knowledge of the mountain dangers is usually what they read in the paper or watch on the TV. You know, there is a bit of a difference between watching a winter storm on the TV, sitting in your warm city house, and actually being in the middle of a winter storm in the high mountains.

As we experienced first hand this Easter.

Thursday came the storm. It was not a surprise, as it had been forecast. What was a bit of a surprise was the high number of visitors we had this day. Some of them were dressed properly, and carried full winter rescue equipment – including a shovel.

Others were dressed highly inappropriately. One guy in particular came with his son and a dog. The dog and son wore suitable clothing, but the father came as if he were to take a quick walk in the forest.

They had their break, and headed back down towards the valley. We gave it no particular thought. Until half an hour later the father returned. This time alone. And blue – as only the cold can make you.

We heated him up with some toddy and soup. And he had learned an important lesson about the mountain – always be prepared and dress appropriately.

Later that day, a couple of the experienced mountaineers dressed him up, equipped him with map and compass (which we had to teach him how to use too), and followed him halfway down to the valley. On their way back to the cottage, they (the experienced ones) managed to lose their direction in the storm, and spent some precious time trying to navigate their way back.

Thanks to their experience and equipment (map, compass and GPS), they kept their heads cool and found their way back.

We can learn a lot by such experiences, and we can apply it to the corporate security world too.

For example:

Be prepared for eventualities like a winter storm. In the corporate world that means disaster and recovery planning. It also means appropriate training and user awareness. By being prepared, you bring with you the experience and tools required to help you survive a hopeless situation.

There is no shame in turning around. In the corporate world this means that when you see that you are not able to complete what you set out to do (implementing a new security tool, developing a new method, applying a patch, changing configs etc.), take a time out. Revert to a last known good configuration, and reconsider. Perhaps you need to ask for help from someone more experienced?

Know your surroundings. Some mountains are easier to descend than others. If your mountain is too big, dig in and stay alive. Your survival is more likely if you get off the mountain and down into the valley, but some mountains do not allow you to do that. Thus, you need to know which strategy to choose. In the corporate world this means that you need to know your position and environment. Sometimes you can wait things out, other times you need to get off your high horse and reconsider your approach.

There is always sun after rain. No storm lasts forever. Keep a positive mind, and focus on staying alive while it lasts. Always remember that eventually (and it may feel like never), the storm will move on and the sun arrives. In the corporate world this means that when the storm is on, stay focused on your goals while riding out the storm. Keep doing the things that work; build a positive – but realistic – image of the situation. It may be a virus that takes down the full network, or it may be a media disaster – no matter what it is, only by keeping your focus on short-term "staying alive" activities while remembering that the sun will eventually arrive will you not only survive, but be a stronger organization when the storm is over.

 

The guy we dressed up?

He made it down to the valley. He spent Friday as a perfect host for his guests. And Saturday, when the storm was gone and the sun shone all over the mountain, he went back up to us. With his son and wife. And the equipment he borrowed. We shared toddy and a waffle.

And we share the experience.

I still do not know his name. But I got my compass back. And I know we both will be humble when preparing our next visit to the high mountains.

 

5 tips on policies

The following are 5 tips on working with policies in a corporation. They are simple and to the point.

Enforce the policies

Enforce the policies through incentives. Make sure that you use the policies, or they may be useless when you try to enforce them 5 years down the line.

Follow up policies with technology

Use technology to control and enforce the policies. Never develop policies to adapt to the technology - it must be the other way around. If in doubt, hire a specialist.

Review and audit regularly

Technology, markets, regulations and people change all the time. Policies need to be audited and adapted as you go - regularly. Make sure employees are allowed to suggest changes. If errors are discovered - make sure to act swiftly to update the policy.

Corporate governance is key

Corporate Governance is not only a new buzzword. It is only a new name for an age-old best-practice.

1. Set targets / visions

2. Draw the path through strategies and tactics.

3. Compare the outcome with targets/vision.

4. Start over

The purpose is simply to put forward a set of methods to ensure quality, trace-ability and documentation. You can do it in large scale or small scale - the principles stay the same.

Remove the bad apples

Bad apples must be handled correctly. Get rid of them by harnessing their energy and turning them into valuable gems.

Or, throw them out of the basket.

 

 

------------------------------

This is part two of the article Bad advice for good security, as it appeared on Risksopportunities 2007.

Part one is available here.

Enforcing corporate policies

Bad advice comes from everywhere. One of the struggles of security is to teach management and employees alike the importance of policies and regulations, and the need to abide by them.

In an organization, there are rules. Rules are there to be followed - like it or not. To make sure that the rules are followed, most of them are written down as procedures and policies. That makes it easy to control, and change when necessary. The challenge is that not everyone follows the rules.

Policies enforce behavior

Humans are different - some are energetic and full of ideas, some are very down to detail and control. Others prefer a nice workplace where everyone is happy and calm. Others again like to be in control and drive their own agenda forward. The more people you put in a room, the more diverse the group will be. And without a clear leadership and management, the group will not be able to efficiently come up with anything but noise.

In a corporate world the same scenario is true. You need to control your employees and join their efforts to push in the same direction. On a day-to-day basis, policies are used to control the behavior and to put in place a set of methods and processes.

No incentives - no followers

One very important thing about policies is the fact that if you give no incentives to follow them, people will soon start to make up their own ways of doing things. To the one employee it may make perfect sense to use his laptop to store personal images and share music. To the company, this sort of behavior may result in lawsuits and liability.

The incentives will vary from organization to organization. The most important is that if an employee does not follow the rules, then a penalty must occur. The penalty should be widely known, and practiced.

A few years ago, a Norwegian oil company tried to sack a team of employees that had viewed adult movies at one of the oil rigs. The company did have a policy that prohibited any kind of adult material from being viewed using their systems. So you would think they had a clear case. Not so: the policy had never been enforced. The company had to take the employees back in, and even pay a penalty.

The lesson to be learned is simple - when you have a policy in place, make sure you enforce it.

Technology is a supplement

Technology should supplement policies - not the other way around. You should never invest in (security) technology and then make the policies.

The purpose of security technology in regard to policies is to enforce the policies, to control that they are being followed and to trace possible violations. To do so, you first need to know the behavior you would like to have in place (the policy), and then you invest in and set up the necessary tools to check if the policy is followed.

Technology includes tools that remove threats, tools that enforce a particular behavior, tools that log and analyze the activity of your employees, as well as tools to audit, control and change the policies themselves.

Today there is a great demand for this kind of technology. The driving force is not so much the company itself. The driving force is the need for the company to stay compliant with public regulations like SOX, HIPAA, PCI and the like. These regulations come in different flavors, from international, to regional, via national laws. And finally as policies in the company. Then add industry standards like ISO. Clearly you need some technology to help you stay on top of the problems. Still, always remember to have the policies in place beforehand - the technology is only there to support and enforce your policies.

Review and audit

Whether you like it or not - or do not understand the reason behind the policies - then ask around internally. If you have the knowledge and the power, you may change them – a process that should be a major part of the rules, and it is called auditing.

Auditing is important to keep your policies and your employees up to speed.

If you have a policy that your employees see is useless, or wrong, they will try to find ways around it. You need to teach them that if the policy is wrong, the right way of doing things is to change the policy. It must be easy to report errors. It should be positive to report errors.

Errors happen all the time. If you fail to catch the errors, how will you be able to improve?

The Toyota Production System is one way to do this. The purpose is to improve and manage quality. Toyota does this by emphasizing the need for improvement. They proactively ask their employees to come up with better ways to do their job.

Rule breakers

In every organization you have the people who always seem to be breaking the rules. Some are in the R&D - and there they are doing a great job. But other employees who break the rules with intent must be identified and removed. They are working against the target of the company, and they are reducing the inner bonding and cooperation of the team.

Most importantly, rule breakers impose a risk on the organization. You will never be able to control everyone 100%, but most people will follow most rules if given a reason to do so.

If you add noise to the group in the form of a rule breaker, the team will soon stop following the policies. And of course - people who do not abide by the rules are more likely to sell off company secrets, impose threats to the company and be an overall liability.

The challenge is to discover and neutralize such elements. Especially since they very well may add great value to the organization by their opportunistic views and new ideas. You see them in R&D, Sales and as business developers.

The bad bones you must remove. But if you cater for them correctly, and stay in control, any organization has great benefits from these people.

Success with policies

Policies are a set of rules put in place to ensure a particular behavior. Many policies out there are worthless - either because they are not being enforced, they are wrong or outdated, or they have been put in place for the wrong reasons.

Success with policies comes by combining the right mix of incentives and controls, with regular updates and audits. But if you forget that the policies are all about human behavior, you will fail.

 

 

------------------------------------------

Article as published on Risksopportunities.

Part two - 5 tips on policies - will be available from March 10, 2008.

Why do I have to log on?

I am having great fun when I train people. I ramble on with all the great stuff in the book (or in my world). If you've ever been to one of my workshops, you know I do the ramble - you do the work ;)

As happens with everyone giving some kind of lectures, you get to answer loads of questions. And today, I will share a couple. Keep in mind I am the one answering, so you might not agree. That is fine too - leave your comments :)

1. Why do I have to log on to my computer again every time I leave for a ... (insert tea, smoke, donut, coffee or just about anything).

Short A: To make sure you remember it!

Long A: This is the IT-security dept. idea of creating a secure work environment. They assume that when you leave for (insert whatever you leave for here), someone might pop by and use your computer. And they might be right.

To you, this is a hassle. You need to type in your password every time. That is hard work. (Seriously).

On the other hand, if someone would love to use your computer, they would most likely hide out in the neighboring cubicle, waiting for you to leave for your (insert whatever), and then pop into your seat the minute you leave. Because the log-on happens after a while - usually 10 minutes - of inactivity. Thus, it does not really make sense IMO.

On the other hand, forcing you to type your password that often means you learn it, right? No more post-it notes.

My solution to these challenges is simple. Add biometrics, or smart cards. Let the technology do the work, and take the hassle out of the way. IT is designed by geeks, for geeks. We tend to forget that today (2008) most IT-users are human - not geeks.

We need to adapt IT to them - not try to make geeks out of ordinary people. That will never work.

But - until your employer implements smart cards or biometrics, you are stuck with the password.

 

2. What is this GHz, Gb, RAM, HD letters things?

Short A: Nothing you need to care about.

Long A: Look it up. They give you hints about a computers performance. The higher the numbers, the better. You need to be a geek to really care.

All new computers today will do everything most people will throw at them. Happily. Without hesitation. Only when you throw specialist applications (games, 3D, design tools, programming etc.) at them will you encounter a certain level of hesitation from your computer. But hey - did I just say specialist applications? That implies geek to me.

If you are doing specialist work with a computer, you already know the abbreviations above, and will be able to make the right choice.

If you are not a specialist, you do not need to care. Period.

 

3. My boss tells me that I am not allowed to use my computer for ... (insert whatever you'd like to do - porn, reading newspaper, buying stocks, banking etc.). Can he really do that???

Short A: Sure he can. He is your boss, and he just did. Suck it up and get back to work!

Long A: As an employee, you signed a contract. The contract states (perhaps a bit indulged) that you will give up some time (usually 8 hrs a day), where your employer (boss in other words) will decide where, what and how you are to spend your time (also called work). In exchange for your time, you get some cash.

This means that when you signed the contract, you signed away your rights to decide what to use the company computer for. Most companies today implement additions to the contract. These additions dictate what, how, when and where you should use the stuff your employer let you use (computer, PDA and phone). These additions, we call Policies. You may also call them laws, regulations, pain in a dark place and much more. The point is; when you signed the contract, you also accepted to follow these policies.

And as you just found out, some bosses actually know about those policies, and what they are about.

Perhaps you'd better get back to work now?

 

-------------------- That's it for now, folks!

Biometrics – do you have a business value?

Biometrics has tried to make itself a buzzword for a decade now. Now and then there has been hype around Biometrics, but mostly it has lived a silent and anonymous life trying to compete with traditional and cheaper security solutions.

 

Traditional password-protected logons have been a true servant since the birth of networked computers. In the beginning they were simple security mechanisms designed to make sure small groups of people had access to the relevant systems – typically system administrators and IT-pros. They needed a tool to prevent the typical user from accidentally wreaking havoc in the core systems.

 

The interconnected networks changed the ballgame. Suddenly "everyone" was connected – to everyone. The challenge soon became to protect everything from everyone. It became clear over the years that traditional computer security needed a complete redesign. Enter the firewall. Enter the centrally managed security tools. Enter layered security. Enter DRM. And enter a high number of password-protected tools and systems to be managed. But the core design never changed – when you needed authentication, you just added a variation of the log-on and password method.

 

Passwords stay on top as the identification and authentication system. What was a good idea decades ago is now so deeply integrated into ICT that almost every tool and system available on the enterprise market requires a log-on. With password. The users are expected to carry around between five and 20 passwords. Some have many more. Most of them use PostIT™ notes, Word™ files and other methods to manage it all. Others use the same password everywhere. And we have tried to teach them password management and awareness for ages.

 

And this is all yesterday’s news.

 

There are an increasing number of tools that enables Simplified Sign-on, Single Sign-on and log-on management. The point is to reduce the number of passwords required by the users. Most such tools are non-standardized, and they try to connect to a large amount of proprietary systems. There is a total lack of industry standards – which in turn makes it very hard for vendors and new technology to efficiently solve the problems of using passwords.

 

The impact on Biometrics is pretty obvious. Lack of standards means vendors of Biometrics need to develop one solution for every system out there. Further, they have to develop the interconnect ability of their identification and/or authentication methods into the methods of the system in question. And – they need to convince system vendors and integrators that Biometrics is the best way to solve identification and authentication challenges.

 

Both these strategies require a large budget, time and a proof-of-concept. Most importantly, though, they require a business plan showing clear values for the system vendor. In other words, Biometrics must offer values that are easy to communicate - to end users, to enterprises and to system vendors/integrators.

 

And in my opinion, Biometrics does that today. The message was clear ten years ago too – but then it lacked the necessary quality.

 

Some years ago, I had to use an external device in order to scan my fingerprints. The idea was great – a mouse with an integrated thumb-scanner – located exactly where my thumb was. It was easy to install – on a single client. And after only one week of use, it refused to read my prints.

 

It turned out the technology was way too young. 

 

Today, the scanner is integrated on my ThinkPad. I personally do not think it increases security – in the sense that if you like, you can still steal and access my data – but it does increase usability. And I argue that usability is a major part of security. People are lazy – and having to remember and use a number of passwords is just plain wrong. Particularly when we have technology available to take away the pain of logging on to different systems.

 

Biometrics strengthens the weakest link in security – the users. By reducing the strain on the users, you increase the overall security. This is achieved both by reducing password management issues, but also by making your users more content. Instead of knowing they are breaking the policies, they can now concentrate on their job.

 

The ICT industry is slowly moving in the right direction. I mentioned my ThinkPad™ that comes with an integrated finger print scanner and software to use it for local and network logon, as well as a password management tool. Other vendors do the same thing.

 

And when the system is correctly configured it works a dream. I just love not having to remember all the passwords.

 

In the enterprise, things are not so simple. Although they can make large savings by implementing biometrics, an enterprise requires centrally managed solutions, and integration with their core applications.

 

Most enterprises have a mixed environment of ICT. The mixed environment may include applications developed in the ‘70s, with systems added along the way, acquired through mergers and with new production facilities and requirements. Some of these applications may lie in the core of the enterprise, and careful considerations must be made before adding new security measures.

 

Lack of standardization means they will have to work closely with their system integrators and vendors to implement identification and authentication solutions. As always, this is a game of resources and politics.

 

When considering biometrics, many enterprises choose to evaluate competing tools like OTP and PKI. In my opinion, only PKI is relevant – as OTP is only a redesign of static passwords. And PKI is a perfect companion of biometrics – as most PKI tools require the user to locally authenticate using a pass phrase. Substitute the pass phrase with my fingerprint, and I can use my certificate to identify myself online and offline, locally and on my network – without having to remember my password at all.

 

And best of all – both technologies are ready, tested and available.

 ---------------------------------------

This article was first published in the Biometric Institute Ltd, Australia, newsletter, in January 2008. You will find more info on their website: www.biometricsinstitute.org

 

I am making money!

I have made money on this blog! 

I have just reached a milestone I never expected when I started blogging. I have made money directly off my blog!

I know this is off topic - but I wanted to share it with you. It is not a whole lot of money - and I don't see myself quitting my job for the blog - but it is fun!

Still - my biggest thrill is the feedback I get from you - my readers - when you post your comments, and send me mails! I could quit my job for that (but I'd still have to buy food...)

To all of you, from all of me - Thank you!!!  

The blogger is Kai Roer, a European Information security professional.
