Archive for: October, 2007

October 19th, 2007

DHS has some house keeping to do

Posted by Richard Stiennon @ 3:30 pm

Categories: Security, State Sponsored Hacking

Tags: U.S. Department Of Homeland Security, Security, Richard Stiennon

The office of the Inspector General of the Department of Homeland Security has issued a 41 page report on how the department is progressing on security. Summary findings:

Systems are being accredited without key documents or missing key information.

Plans of Action and Milestones are not being created for all information security weaknesses.

Plans of Action and Milestones are not being monitored and resolved in a timely manner.

Baseline security configurations are not being implemented for all systems.

This report is part of an ongoing requirement for every branch of government to report on the progress it is making in complying with NIST and other security standards. While it helps to expose a lot of areas as slow to respond and lacking in basic reporting and response capabilities, I am afraid that it is glossing over some blatant holes in DHS security.

High-level reports like this are not going to dig down to the level that I am more experienced with: ports, vulnerabilities, infections, etc. But incidents like the recent dual theft of laptops from TSA (no secure cleanup, no encryption) lead one to believe that a look at actual audits would have a typical security practitioner weeping.

While the issue of accrediting networks as passing without maintaining the proper paperwork is one that government oversight bodies can sink their teeth into, I feel that getting deep into configs, rules, and defenses is needed to truly understand the sad state of affairs at DHS.

October 17th, 2007

Don't blame cost of security on the vendors

Posted by Richard Stiennon @ 10:19 am

Categories: Compliance, Data Security, State Sponsored Hacking

Tags: Network, Security, Richard Stiennon

As evidenced by my post last week, I spent several days at the Gartner Symposium and ITExpo in Orlando. I can’t get one incident out of my mind. I was manning our booth as usual (my feet are still recovering from 4 days of standing, ouch) when a stout little man wandered by. I engaged him in conversation about network security and he lashed out with “you security vendors are always trying to sell us a new box, you are a money hole we keep spending on but we still get hacked”. This is one of my hot buttons. Pinning the blame on the security industry for all the different solutions that do not interoperate is a favorite game played by industry pundits and CIOs.

As I was digging my heels in and getting my hackles up I finally read this guy’s name badge. He was CIO of a major branch of the US military. Well, here is my answer to him, thought up way too late to confront him face to face.

No sir, you have not spent enough on security. Look to your own operations. Have you enforced segmentation of your network? Have you put firewalls between you and the other agencies? Do you still allow telnet and ftp in unauthenticated clear text? Can you do user provisioning? What does your patch management look like? Do you have effective anti-spyware? Do you do security assessments of your entire network on a continuous basis? I know the answers to these questions as well as you do. Look to your latest computer security scores from GSAFISMA. An F. You see that? An F!
Before you point fingers at a security industry that is constantly evaluating the threats and creating countermeasures, look to your own actions, or lack thereof. You, sir, have failed in your duty to protect the assets of the US Military. You have allowed foreign entities to overrun your networks. On your watch our digital homeland has been invaded.

October 10th, 2007

Blogging Ballmer

Posted by Richard Stiennon @ 7:32 am

Categories: Trade Shows

Tags: Presentation, Blogging, Engineering, Internet, Richard Stiennon

I am attending Gartner’s Mega IT Symposium this week at Disney World. 6,000 attendees are crammed into the biggest venue I have ever seen for presentations. We are awaiting the appearance of Microsoft’s Steve Ballmer. I think I have enough battery power to stay on and transmit some of his more salient points. Michael Dell is up next.

Some comments on this event. I have always felt that if I were an IT exec I would make it my top educational event. Within one week you can meet hundreds of your peers and hear hundreds of presentations from some pretty smart people. Well worth the $2,000+ that it costs to attend.

Stay tuned…

10:33 No chicken dance. Shoot.

10:40 Rich clients taken care of from “the cloud”. Answer to the Google question. Google leads in search in advertising. MSFT is going to invest to “change the rules in that space”.

10:50 Answer to Bill Gates transition: MSFT was born as software company, targeted desktop, grown into enterprise, mobile, entertainment devices, productivity, search. So, more distributed thought leadership with central synergies.

10:50 Gartner analyst Yvonne Genovese takes the gloves off on Vista usability. Says her 13-year-old daughter wanted Vista Gadgets. After two days of trying she went back to XP. Audience eats this stuff up. Ballmer’s answer: Vista is bigger than XP. Get a bigger computer. Michael Dell is going to love that.

10:54 Ballmer promises to be a little more cautious on timing announcements (remember the Vista issues?) and more transparent on road maps.

11:08 battery dying. Will be back after I find a free outlet.

October 3rd, 2007

Children. Be very, very afraid.

Posted by Richard Stiennon @ 10:59 am

Categories: CyberCrime, Data Security, Security

Tags: Professor, Hacking, Security, Richard Stiennon

I am sitting in on a presentation by Sam McQuade, a professor at Rochester Institute of Technology. He has a fascinating line of research at RIT on K-12 and cyber crime and victimization. Anybody remember my story from my first days out of school? I wrote it up in detail over at CIOUpdate. In short, I experienced firsthand industrial espionage and theft of a specialized tool I needed to fabricate the Buick car seat I was working on. That led me to wonder about the current generations of graduates, who I assumed were well versed in hacking techniques. My concern is that as we hire these kids they could increase the likelihood that our organizations could be caught up in hacking attempts.

Professor McQuade in his field work encountered: anonymous email bomb threats, downloading of pornography to cell phones in the hallway, pirated movie downloads, credit card theft, etc. He surveyed 13,773 students in his computer crime and victimization survey.

No surprises here. In the 7th-8th graders surveyed for instance: 21% have lied online about their age, 10% pretended to be someone else, 7% have circumvented security measures, 5% have used IT devices to cheat on school work.

One interesting result is that he found juvenile high-tech crime offenders tend to specialize. They are either good data miners, hackers, crackers, etc.

Professor McQuade’s overall message is that our school kids are involved in vibrant, sometimes dangerous online communities. In other words, cyberspace mirrors the playground. My message is that the behavior picked up in the digital schoolyard is going to carry over to the workplace. We will be expending much greater IT resources in the future to enforce acceptable behavior in our workforce.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
