Friday Summary: December 24, 2010
By Adrian Lane
It’s the holiday season and I should be taking some time off and relaxing, watching some movies and seeing friends. Sounds good. If only I had that ‘relax’ gene sequence I would probably be off having a good time rather than worrying about security on Giftmas eve. But here I am, reading George Hulme’s Threatpost article, 2011: What’s Your IT Security Plan?. I got to thinking about this. Should I wait to do security work for 2011? I mean, at your employer is one thing – who cares about those systems when there is eggnog and pumpkin pie? I’m talkin’ about your stuff! One point I make in the talks I give on software security is: don’t prioritize security out in favor of features when building code. And in this case, if I put off security in favor of fun, security won’t get done in 2011. So I went through the process of evaluating home computer and network security over the last couple days. I did the following:
- Reassess Router Security: Logged into my router for the first time in like two years to verify security settings. Basically all of the security settings – most importantly encryption – were correct. I did find one small mistake: I forgot to require the management connection to be forced over HTTPS, but as I had not been logged in for years, I am pretty sure that was not a big deal. I did however confirm the firmware was written by Methuselah – and while he was a pretty solid coder, he hasn’t fixed any bugs in years. It was good to do a sanity check and take a fresh look.
- Migration to 1Password: I have no idea why I waited so long to do this. 1Password rocks! I now have every password I use secured in this and synchronized across all my computers and mobile devices. And the passwords are far better than even the longest passphrases I can remember. Love the new interface. Added bonus on the home machine: I can leave the UI open all the time, then autofill all web passwords to save time. If you have not migrated to this tool, do it.
- Deploy Network Monitoring: We see tons of stuff hit the company firewall. I used to think UTM and network monitoring was overkill. Not so much any more. Still in the evaluation and budgetary phase, but I think I know what I want and should deploy by year’s end. I want to see what hits, and what comes through. Yes, I am going to have to actually review the logs, but Rich wrote a nice desktop widget a couple years ago which I think I can repurpose to view log activity with my morning coffee. It will be just like working IT again!
- Clean Install: With the purchase of a new machine last week I did not use the Apple migration assistant. As awesome and convenient as that Mac feature is, I did a fresh install. Then I re-installed all my applications and merged the files I needed manually. Took me 8 hours. This was a just-in-case security measure, to ensure I don’t bring any hidden malware/trojans/loggers along for the ride. The added benefit was all the software I do not have set to manually update itself got revved. And many applications were well past their prime.
- Rotate Critical Passwords: I don’t believe that key rotation for encryption makes you any safer if you do key management right, but passwords are a different story. There are a handful of passwords that I cannot afford to have cracked. It’s been a year, so I swapped them out.
- Mobile Public Internet: Mike mentioned this in one of his Friday Favorites, but this is one of the best posts I have seen all year for general utility: Shearing Firesheep with the Cloud. What does this mean? Forget Firesheep for a minute. General man-in-the-middle attacks are still a huge problem when you leave the comfy confines of your home with that laptop. What this post describes is a simple way to protect yourself using public Internet connections. Use the cloud to construct an encrypted tunnel for you to use wherever you go. And it’s fast. So as long as you set it up and remember to use it, you can be pretty darn safe using public WiFi to get email and other services.
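The network monitoring item above ends with the real cost of the exercise: somebody has to read the logs. The script below is an added example, not Rich’s widget or anything from the original post, showing the kind of morning-coffee summary that makes a firewall log reviewable in a minute: it parses block events, ranks the noisiest source addresses and most-hit destination ports, and flags any single source that probed several distinct ports (a simple scan heuristic with an assumed threshold). The log lines are constructed in the iptables/UFW kernel-log format using documentation address ranges; the field names, threshold and report layout are my assumptions.

```python
"""Summarize firewall block events for a quick morning review (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic) in the iptables/UFW kernel-log format.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
Dec 24 06:01:12 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Dec 24 06:01:13 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 SYN
Dec 24 06:01:14 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=80 SYN
Dec 24 06:01:15 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=443 SYN
Dec 24 06:01:16 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44325 DPT=3389 SYN
Dec 24 06:02:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Dec 24 06:03:44 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Dec 24 06:05:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Dec 24 06:07:30 gw kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=443 SYN
Dec 24 06:08:00 gw sshd[1234]: Accepted publickey for adrian from 192.0.2.20 port 50022 ssh2
"""

# Pull out the action, source address, protocol and destination port.
# Lines that are not firewall events (e.g. sshd) simply do not match.
LINE_RE = re.compile(
    r"\[UFW (?P<action>BLOCK|ALLOW)\].*?SRC=(?P<src>[\d.]+)\s"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a firewall event line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dpt"] = int(event["dpt"])
    return event


def summarize(text, top=5, scan_threshold=4):
    """Aggregate BLOCK events: top sources, top ports, and multi-port probers.

    scan_threshold (assumed value) is the number of distinct destination ports
    one source must hit before it is listed as a suspected scanner.
    """
    events = (parse_line(line) for line in text.splitlines())
    blocks = [e for e in events if e and e["action"] == "BLOCK"]

    by_src = Counter(e["src"] for e in blocks)
    by_port = Counter(e["dpt"] for e in blocks)
    ports_per_src = defaultdict(set)
    for e in blocks:
        ports_per_src[e["src"]].add(e["dpt"])
    scanners = sorted(s for s, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)

    return {
        "blocked": len(blocks),
        "top_sources": by_src.most_common(top),
        "top_ports": by_port.most_common(top),
        "suspected_scanners": scanners,
    }


def render(summary):
    """Format the summary as the short text report a widget would display."""
    lines = [f"Blocked connections: {summary['blocked']}", "Top sources:"]
    lines += [f"  {src:<16} {n}" for src, n in summary["top_sources"]]
    lines.append("Top destination ports:")
    lines += [f"  {port:<16} {n}" for port, n in summary["top_ports"]]
    lines.append("Suspected port scans from: "
                 + (", ".join(summary["suspected_scanners"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Point `summarize()` at the contents of a real kernel or syslog file instead of `SAMPLE_LOG` and it gives the same report; the regex only needs adjusting if your firewall logs in a different format.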
That’s six things I did over the course of the week. Of course you won’t read this anywhere else because it’s six things, and no other security information source will give you six things. Five, or seven, but never six. Some sort of mythical marketing feng-shui numbers that can’t be altered without making some deity angry. Or maybe it was that you get cramps? I forget. There is probably a Wiki page somewhere that describes why that happens.
This is the last Friday Summary of the year so I wanted to say, from Rich Mogull, Mike Rothman, Chris Pepper, David Mortman, Gunnar Peterson, Dave Lewis, and Melissa (aka Geekgrrl), and myself: thanks for reading the blog! We enjoy the comments and the give-and-take as much as you do. It makes our job fun and, well, occasionally humiliating.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich was quoted so many times on Wikileak DDOS that he DDOSed all media outlets with the sheer volume of his quotes. They had to shut him down. The rest of us were too far gone as slackerly curmudgeons (or was that curmudgeonly slackers?) to speak to anyone.
Favorite Securosis Posts
- We all loved Dealtime 2010: Remembering the Departed as the best post of the week. Except for Mike, who was unhappy we would not let him graph the specific hype cycles.
Other Securosis Posts
- Incite 12/22/2010: Resolution.
- 2011 Research Agenda: Quantum Cloudiness, Supervillan Shields, and No-BS Risk.
- React Faster and Better: New Data for New Attacks, Part 1.
- NSA Assumes Security Is Compromised.
- 2011 Research Agenda: the Practical Bits.
- Quantum Unicorns.
Favorite Outside Posts
- Chris: Apparently Amazon’s Mechanical Turk is a spam bazaar. Seems like an externality: Amazon can put effort and money into weeding out spam, or just continue to collect their cut.
- Adrian: MasterCard may cut off file sharing sites over piracy. Does anyone else think this is vigilante justice?
Project Quant Posts
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics – Device Health.
- NSO Quant: Manage Metrics – Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics – Deploy and Audit/Validate.
- NSO Quant: Manage Metrics – Process Change Request and Test/Approve.
- NSO Quant: Manage Metrics – Signature Management.
- NSO Quant: Manage Metrics – Document Policies & Rules.
- NSO Quant: Manage Metrics – Define/Update Policies and Rules.
- NSO Quant: Manage Metrics – Policy Review.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
Top News and Posts
- Microsoft Warns of New Browser Vulnerability.
- Only 8700 Insecure FTP Servers.
- Warrantless-Wiretap Win Nets Victims a Paltry $40K.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Ed, in response to 2011 Research Agenda: Quantum Cloudiness, Supervillan Shields, and No-BS Risk.
I say write a paper on APT. As a marketing professional in IT Security we all have the tendency to jump onto the latest greatest hot topic, even though many of us may not fully understand what it means. I have seen APT thrown out in the market and positioned as the 2nd coming.
Many think APT is only related to national security issues, and still more associate it with only a nation state attacking a private company à la China-Google. I think we all need a chill-pill and some understanding and perspective on what it really means to the average company.
I have always taken APT to mean a larger shift is afoot where more targeted and sophisticated malware is coming at companies with the goal of gaining valuable information (i.e., intellectual property).
Are these risks only for large multinationals? Are there risks for smaller businesses? How should I change my current approach to IT security as a result? Or is it all just overhyped marketing lingo?
I think a pragmatic point of view would be welcomed.