blog

I have finished the update process of the CMS, currently running Drupal 5.7.

I also changed the template, I must say I like this one. It kinda grows on ya, don't ya think?

Comments and rants welcome!

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs where that when on MSN, MSN would disconnect her, stating that she where being loged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using her friends computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pro’s have problems with the very same challenge! And as threats evolve, and gets better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get’s back on to what you where doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?

 

It is impossible to be interested in Information security without noticing Richard Bejtlich. He is a successful blogger, author of two books, and co-author of a third. Many have also had the chance to have Richard as a trainer and teacher. And even more have him as an inspiration.

Richard is the Director of Incident Response for General Electric. Before he joined GE, he ran the TaoSecurity LLC – an Information Security consultancy based in the US. His CV includes many other interesting and impressive employers too.

 

Richard has a background as military intelligence officer, but that is not where he got his interest in information security. It was merely a natural extension. You see, Richard got a Timex Sinclair (ZX80) when he was 8 years old. This sounds like some other people I know. And Richard used BASIC to create Boba Fett. Graphically, of course. And some of us understand that achievement just too well!

So what happened if you where lucky enough to have Boba Fett show up on your screen? Boba would ask you a question (written). “Do you want to see me wave?” You could say yes or no. To Boba it made no difference – he would wave anyway. The reason?

R: “I didn't spend all day rendering that character to not have him wave!”

The ZX was replaced by a Commodore 64, and Richard discovered what a wonderful tool they where to create and edit papers. After his Harvard graduation and his US Air Force intelligence service, he set out to defend enterprises and teach his peers to do the same.

Richard Bejtlich is a very analytic guy. He does not mind telling you what he believes is the truth. As when I ask him about the impact IS has on business, Richard says:

R: "I don't think information security has any real impact on business. On the contrary, business has much more of an impact on information security. No IS department exists to serve its own ends. If it does, it won't last long.

Businesses exist to make money; other organizations exist to meet whatever their goal is. No one exists to "be secure" (which isn't possible, anyway). As a result the history of IS is littered with decisions by business leaders that weakened security infavor of revenue or simply convenience. Nothing changes until a severe, visible, financial- or life-damaging incident occurs."

This is almost as hearing myself speaking, Richard. Perhaps I have spent too much time on your blog…

One of the things that amazes me with Richard Bejtlich is his attention to details. You see it in his blog, you see it in his comments. You see it in his books.

R: “In my first book I defined risk as the probability of suffering harm or loss. I defined security as the process of maintaining an acceptable level of perceived risk.

Digital security applies that concept to information resources, where threats exploit vulnerabilities in assets to violate confidentiality, integrity, or availability via disclosure, alteration, or denial.“

What should a security professional do to improve security?

R: “The role of the security professional is

1) to make it more difficult for information users and resources to do expose themselves to attackers (paraphrasing Nitesh Dhanjani),

2) to increase the amount of time it takes for the threat to accomplish his objective, and

3) to detect and respond as efficiently and effectively as possible when intrusions happen.”

Richard, I have asked all the Security Profiles to comment on the largest challenges in 2007. What are your thoughts on the threats?

R: “The biggest challenge facing all organizations is visibility. A few months ago I wrote a blog post pleading for the creation of Enterprise Visibility Architects.

It's fashionable to talk about "building security in." I say we should "build visibility in" because "security" will never be achieved. It would be an incredible first step to simply know when we are being compromised, because it's going to happen no matter what preventative measures we take."

Thank you kindly, Richard!

To catch up on Richard, visit his blog!

He is the author of the following books:

The Tao of Network security

Extrusion Detection

And co-author of Real Digital forensics

A while back, I needed an antispam tool for my blog comments. I decided to go with Akismet.

A few months down the line, my antispam solution have caught over 2 500 spams. 2 500 spam comments on my blog alone. I think that is a wast number - and can only assume what more popular blogs must handle.

According to Akismet, their service has caught more than 3 billion (as in 3,043,731,975) spam messages since they started. Their complete stats are available.

Thanks to Akismet, I am able to concentrate on doing the writing, and leaving the comments almost to itself. (So far, I have decided to approve all comments - I am now testing full automatic. You will soon discover if it works or not!)

Larko at Blogwatch.eu made a nice roundup on my blog the other day!

Thank you Larko, I had no idea I had this kind of positive impact! Keep it up, and I will too!  

In the blogosphere there are a few bloggers who stand out. Amongst security bloggers, one of my absolute favorites are Dr. Anton Chuvakin. He is extremely knowledgeable, and he dares have his saying. He is also one of the bloggers in the security space that has the highest production rate I believe.

Anton is also the co-author of the book Security Warrior.

Anton came to security after reading the book Maximum Security by Anonymous. It was an awakening, and Anton knew what to do in his life. He claims he still do not know who wrote the book.

For Anton, Information Security is not obvious, even if it sounds like it: A: information security is about two thing: "securing" and "information", not only fighting hackers, fixing vulns, blocking attacks, protecting networks, deploying appliance, configuring firewalls, etc.

Nowadays, information pretty much makes the world go round and the missing of security is to protect information C-I-A: confidentiality (of course, for confidential info), integrity and availability for legitimate use. Yes, there are various extensions to the CIA formula, but it does describe the picture adequately for our purposes.

On key impacts IS has on business, Anton says:

A: In short: IS protects business information.

That is why it is called IS - "information security." As far as the impact of security on business, it might be dramatic and negative or dramatic and positive or none.

What determines the above choice is how well you understand the risks you face. If you have no idea what risks you face and then you go and buy a lot of security gear and use it to block random things, you are guaranteed a negative impact.

And if you know the top risks, you invest in security wisely and thus allow the business to, well, "do business." :-)

Anton is the evangelist at LogLogic. As such, he has hands on knowledge on the challenges business meet regarding information security.

A: Regulatory challenges: more new regulations, more details on the existing regulations, more bad regulations, the whole pile :-) It will have sometimes good and sometimes bad impact on security.

Commercialized, professional hacking (this has been beaten to death, so - no more comments)

Data governance (and, especially, identity information governance): who can access data, who does, who has the data, what do they do with it, etc. This will be growing in importance for at least a few years.

You can read more about Anton at his website.

Anton has his Security Warrior blog.

He is the evangelist at LogLogic.

His book is available at Amazon!

And the book PCI Compliance is available at Amazon as well!

 

My dear reader,

this post is only here to thank you!

During the time I have blogged, my audience has grown steadily in numbers and in geography. What started out as a project for fun, has evolved into one of my true joys and priorities. And the reason for that joy is you, my dear reader!

And not only are you reading my ramblings, you participate, you comment and you send me mails! We may not always agree, and I am not right all the time. But you keep hanging in there, and by doing so, you feed my joy.

I also enjoy the number of bloggers who link to me. I even appear on blog-rolls of bloggers I highly respect and enjoy. I cannot tell how much that means to me. (I probably should link to you all, but out of fear of not having found all links, I choose not too).

I truly enjoy my blogging, and knowing someone else is too, that is a great driver for me! So keep it coming - please let me know how you feel! Please let me know if there are stuff you'd like me to cover. And please keep sharing your toughts!

So, my dear reader, this post is entirely dedicate to you! I wish you a lovely weekend!

 

At last - almost two weeks after the initial attack - my body is recovering. I am now back in fit shape, and attacking my back-log on the blog.

In the backlog is the next security profile Dr. Anton Chuvakin - the Security Warrior. He is one of my absolute favorite bloggers of security, and I am proud to present his profile next week!

I have also had a dialog with a security manufacturer, and I will present a CEO-profile in a weeks time. Perhaps that is the start of a new type of profiles on my blog.

While I have rested and fighting the virus, I have picked up on a number of stories going on the past two weeks. I will try to cover a few of them too - so watch out for my comments on the new Mohammed drawings, privacy and exploiting young people.

No guarantees that it all ends up here shortly - my backlog is not only on the blog!

Thank you all for your kind comments and sharing up mails. Also, thank you my regulars for hanging in there with me! I love the blog, and obviously some of you enjoy it too!

I wish you a lovely weekend!

--> Off-topic post warning <--

This summer has been wet. Pouring rain almost every day. I was hoping August would be better in terms of sunshine and less rain. I am still hoping, and it seems I better wait another 10 months for summer.

I am very busy with business development these days, focusing on compliance, corporate governance and information security in Northern Europe. It is a thrill - but I must admit - right now, I'd rather crawl in the sofa, with a good Wiliam Gibson or Neil Postman novel.

The soft voice of Kathie Melua and Shakira from the speakers.

Add to that a nice, big cup of homemade, hot chocolate. Made from dark chocolate bars, with fat milk and whipped cream on top.

A touch of chocolate powder on top for the color.

And Voila!

That is what I'd rather do today! Please tell me about your day and summer! Bring on a little sunshine!

 

Recently, I posted a question on LinkedIn. I asked LinkedIn professionals and everybody else how they define Information security. The reason behind the question is simple - I meet a lot of people thinking I am a IT-security guy. And allthough I do know what a firewall is, and how to operate an IPS, I am an Information security specialist. To me, that means I deal with information - not only the technology we use to communicate.

Not surprisingly, many answers where in the technology-sphere:

• I define it as the protection of the confidentiality, integrity and availability of sensitive data.
• interpretation is the building of a Digital Infrastructure ( D.I ) to be able to authenticate and verify the real person versus an imposter.
• the technological methods deployed by the intruders to hack this information versus technological methods used by you to protect this data

To me, technology is merely the tools we apply to get a part of the job done. So it is only important when the information itself resides or communications using technology.

A few smart comments where made as well:

• I'd rather clearly view the difference between information and desinformation.
  

Juri here points directly as one important feature of information security - the control of information, and the extension of using the same control to impact your environment. An example is from the spying business, where disinformation is used to create FUD. The same is applied by vendors in their sales process, making the customer uncertain about choosing the competitors products.

Although disinformation is not widely focused upon in the industry, I find it very interesting and important. Not necessarily to use it, but to understand that others might be.

---

Not surprisingly, Bruce Schneier's definition surfaced, in Jennifers wording:

Security is a defense against something intentional; Safety is a defense against something accidental.

 

My favorite is the definition made by Bruce Hallas. He will smile now!

"Security is about the management of commercial risk stemming from the interaction between people, both known and unknown, with an organizations information and information systems."

---

Imo, when security personal cries about not getting heard by their management, I believe they are responsible themselves. The purpose of security is not security it self, but the control of risks related to the organization.