

Recent Observations in Information Security:
By: "The Gonz"

Seems like my computer security related articles are indeed getting fewer and farther between. It’s not that I’ve been too lazy to write. On the contrary - I’ve been writing frantically about issues related to our freedoms, standing up for values and principles, and in particular supporting gun rights efforts. Regrettably, I just haven’t had the chance outside of my full-time computer security professional life lately to concentrate on my “geek” side during my off time. In the time since the presidential inauguration, our administration of “hope and change” has been catapulting our country towards destruction at an extremely accelerated pace. We are marching towards what some say is socialism; I personally believe we are headed toward fascism and totalitarianism, greater government control – control which is even affecting the computer security profession. You’ll see what I am talking about shortly. I wasn’t made to be a socialist or a slave, so my endeavors have indeed taken me in other directions over the past year or so.
So, I thought I would make a fervent effort to make some time and finally get back to you about some [computer security] issues that I have been involved in lately. This article will be a smorgasbord of issues, but there really are a lot of things going on in our profession worth mentioning. So bear with me, be prepared to shift gears frequently, and just use these things as food for thought for your own IT environments.
Administrative Rights on Computers:
One thing that has become obvious: users who operate their computers regularly with administrative rights are more likely to be infected with malicious software. One statistic given by a well known computer security organization indicated that of all the exploits out there, greater than 90% cannot infect a machine if the person logged in is running as a limited user. Considering the thousands of exploits out there, this is a significant number. I know that many people have expressed concern that they won’t be able to perform their jobs, or do simple tasks such as install printer drivers or other software. My answer to that is to:
1) Create another user that has admin privileges on the computer, and only use that account when it is necessary to do so.
2) Use the “Run-As” function (if using Windows XP) wherever possible. You can “run-as” the user created in 1) above. In Windows Vista, the User Account Control (UAC) function takes care of this for you.
3) If you are in a large corporate environment and need to manage many users from a centralized location, consider using something like BeyondTrust Privilege Manager (http://www.beyondtrust.com).
4) If you’re not willing to do 1) – 3) above, then don’t ever connect to the Internet ;)
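As an added example (my own script, not code from the original article or from any product it mentions), the PowerShell below checks whether the current session actually holds administrative rights, lists the accounts in the local Administrators group so you can keep that list down to the one dedicated account from step 1, and wraps runas.exe for the “Run-As” approach in step 2. The account name LocalAdmin and the Device Manager command in the closing comment are assumptions; substitute your own.

```powershell
# Added example, not code from the original article: audit whether this Windows
# session holds admin rights, list who is in the local Administrators group, and
# launch one tool under a separate admin account. "LocalAdmin" is a hypothetical
# account name.

function Test-SessionIsAdmin {
    # Inspects the logon token rather than group membership alone: under Vista's
    # UAC a member of Administrators still works with a filtered token, so this
    # returns $false in a normal, non-elevated session, which is the state you
    # want for day-to-day use.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Enumerates the built-in Administrators group through ADSI, which works on
    # Windows XP and later (Get-LocalGroupMember only exists on newer versions).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Start-AsLocalAdmin {
    # Runs a single command under the dedicated admin account (step 2 above).
    # runas.exe ships with XP and later and prompts for that account's password;
    # the caller's own session stays a limited user.
    param(
        [Parameter(Mandatory = $true)] [string]$Command,
        [string]$AdminAccount = "$env:COMPUTERNAME\LocalAdmin"   # assumed name
    )
    & runas.exe "/user:$AdminAccount" $Command
}

if (Test-SessionIsAdmin) {
    Write-Warning 'This session has administrative rights. Use a limited account for daily work.'
} else {
    Write-Host 'Good: this session is running as a limited user.'
}

Write-Host 'Members of the local Administrators group (keep this list short):'
Get-LocalAdminMembers | ForEach-Object { Write-Host "  $_" }

# Example use: open Device Manager as the admin account to install a printer driver.
# Start-AsLocalAdmin -Command 'mmc.exe devmgmt.msc'
```

The token check matters on Vista: an account that is a member of Administrators but running in a non-elevated session reports $false, which is exactly the posture the article recommends, and the group listing is what you review periodically to make sure nobody has quietly added themselves back.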
I have been running without administrative privileges on my computers for a long, long time now, and I can tell you that I have not been inconvenienced one bit. I also haven’t been compromised or infected, either. After getting tired of my kids downloading stuff and getting infected with tons of viruses, resulting in countless machine re-imagings, I took away their admin privs also. Haven’t been bothered by them calling me because of another virus warning in quite a while now.
Policies, Procedures, Documentation, and Auditing:
In my recent involvement in certification and accreditation of information systems, the most prevalent reason I am finding for systems falling short of information security controls is a lack of documentation, procedures, and policies. It is not enough to simply “say” that you are doing something to mitigate information security weaknesses. You must be able to prove that you have the following:
1) A policy in place telling you that a certain function is to be performed, how often to perform it, and by whom it is to be performed. This policy needs to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.
2) A standard operating procedure (SOP) that describes how to perform the procedure consistently. SOPs need to be specific and include detailed steps for the entire process from start to finish. The SOP will serve as a checklist to ensure procedures are accomplished consistently, and also as a guide for someone who is performing the procedure for the first time. Make sure to include references, acronyms, and definitions in addition to procedural steps. The SOPs need to be updated every time there is a change in the requirements, or a change in the technologies used to get it done. Annual updates are a minimum requirement.
3) Documentation that shows regular security control test and audit results. You need to be able to show that your policies are being tested and followed, and that SOPs are being used. The actual test results need to be securely stored. Remember – these test results are a window into any weaknesses that exist in your environment. Only people with the “need to know” should have access to these test results.
4) Third party auditing. Do your own in-house testing, but periodically hire a third-party, independent entity to come in and evaluate your testing procedures and your testing results. In many organizations, such as the one in which I work, periodic third-party independent testing is required by law. This is known in my industry as “security certification and accreditation” (soon to be known as “Security Authorization” when NIST 800-37 Revision 1 is published). Health and financial organizations usually have similar laws. Security certification and accreditation is performed every three years, and in-house security self-assessments are performed annually.
Social Networking and Security:
There is an ever growing conundrum between the need to be secure and the need to use social networking tools to reach customers and co-workers. Even government agencies are realizing the benefits of using social networking sites such as Facebook and Twitter to reach out to their constituencies. But corporate security teams are also fighting the security issues and the network bandwidth consumption issues that go along with it.
There are a number of things that need to be considered if these tools are to be used in the workplace:
1) User education.
2) Making sure computers are patched and virus signatures are up to date.
3) Making sure your users are NOT running with admin privileges.
4) Monitor your network for bandwidth consumption – if it gets to be excessive, and can be attributed to traffic on these social networking sites, your management may want to rethink their decision to allow this in the workplace.
5) Monitor usage of other software. If your users get the message that social networking sites are OK, then they may also get the impression that file-sharing and peer-to-peer applications are alright as well. These tools can have devastating consequences on your network and security posture.
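Item 4 asks for numbers you can put in front of management: how much of the bandwidth actually goes to social networking sites, and from which machines. As an added example (my own code, not from the original article), the PowerShell below totals bytes per destination domain from a proxy log and reports the social networking share. The log lines are constructed sample data in a simplified “timestamp client bytes host” layout rather than a real capture, and the domain list and the 25% threshold are assumptions to tune to your own environment.

```powershell
# Added example, not code from the original article: aggregate proxy-log bytes per
# destination domain and report the share going to social networking sites.
# The log below is constructed sample data (timestamp client bytes host), and
# the domain list and threshold are assumptions.

$sampleLog = @'
2009-06-01T09:01:12 10.0.0.12 482113 www.facebook.com
2009-06-01T09:02:40 10.0.0.12 1290041 static.ak.facebook.com
2009-06-01T09:03:05 10.0.0.33 15200 twitter.com
2009-06-01T09:04:51 10.0.0.20 903311 www.cnn.com
2009-06-01T09:05:09 10.0.0.12 2200500 www.facebook.com
2009-06-01T09:06:30 10.0.0.33 5100 update.microsoft.com
malformed line that the parser must skip
'@

$socialDomains  = @('facebook.com', 'twitter.com')   # assumed policy list
$socialShareMax = 25                                  # percent, assumed threshold

function Get-BaseDomain([string]$hostName) {
    # Collapses "static.ak.facebook.com" to "facebook.com" (last two labels).
    # Good enough for .com-style names; two-level country suffixes such as
    # .co.uk would need a public suffix list.
    $labels = $hostName.Split('.')
    if ($labels.Count -le 2) { return $hostName }
    return ($labels[-2..-1] -join '.')
}

function Get-BandwidthReport {
    param([string[]]$Lines, [string[]]$Social)

    # Parse; lines that do not match the four-field layout are dropped.
    $records = foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$') {
            [pscustomobject]@{
                Client = $matches[2]
                Bytes  = [long]$matches[3]
                Domain = Get-BaseDomain $matches[4]
            }
        }
    }

    $totalBytes = [long]($records | Measure-Object -Property Bytes -Sum).Sum

    # Bytes per base domain, flagged when the domain is on the social list.
    $perDomain = $records | Group-Object Domain | ForEach-Object {
        [pscustomobject]@{
            Domain = $_.Name
            Bytes  = [long]($_.Group | Measure-Object -Property Bytes -Sum).Sum
            Social = ($Social -contains $_.Name)
        }
    } | Sort-Object Bytes -Descending

    $socialBytes = [long]($perDomain | Where-Object { $_.Social } | Measure-Object -Property Bytes -Sum).Sum

    # Which clients generate the social traffic; the "attribution" the article asks for.
    $perClient = $records | Where-Object { $Social -contains $_.Domain } |
        Group-Object Client | ForEach-Object {
            [pscustomobject]@{
                Client      = $_.Name
                SocialBytes = [long]($_.Group | Measure-Object -Property Bytes -Sum).Sum
            }
        } | Sort-Object SocialBytes -Descending

    $percent = 0
    if ($totalBytes -gt 0) { $percent = [math]::Round(100 * $socialBytes / $totalBytes, 1) }

    [pscustomobject]@{
        TotalBytes    = $totalBytes
        SocialBytes   = $socialBytes
        SocialPercent = $percent
        PerDomain     = $perDomain
        PerClient     = $perClient
    }
}

$report = Get-BandwidthReport -Lines ($sampleLog -split "`r?`n") -Social $socialDomains

$report.PerDomain | Format-Table Domain, Bytes, Social -AutoSize
$report.PerClient | Format-Table Client, SocialBytes -AutoSize
Write-Host ("Social networking share of proxy traffic: {0}% ({1} of {2} bytes)" -f $report.SocialPercent, $report.SocialBytes, $report.TotalBytes)

if ($report.SocialPercent -gt $socialShareMax) {
    Write-Warning "Social networking traffic exceeds the $socialShareMax% threshold; raise it with management."
}
```

On the constructed sample the social sites account for about 81% of the bytes and client 10.0.0.12 generates nearly all of it, which is the kind of per-domain and per-client breakdown that turns “the network feels slow” into a decision management can act on. Point -Lines at Get-Content of your real proxy log (adjusting the regex to its column layout) to run it on live data.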
US-CERT has an excellent article on social networking: http://twt.gs/n8z4m
NetworkWorld Magazine has a good article with some slide shows on social networking security issues: http://twt.gs/75e1G
Cyber-Security in the White House?
Have to get back on my political soapbox for this one. One of the Obama Administration’s endeavors is to move certain tasks out of the departments of the experts who do these things and into the White House. For what reason is Obama doing this? I can only assume it is for the purposes of having more control. The census was moved from The Department of Commerce to the White House. President Obama wishes to move cyber security from The Department of Homeland Security (DHS) to the White House as well. I have no idea why. The DHS, of which US-CERT is a part, has an exceptional team of experts who monitor our Internet for malicious activity, and are in touch with the experts who can help us to mitigate damage caused by the many malicious processes out there. Are they going to move all these workers to the White House? I guess the regular Wednesday night pizza parties at the White House are going to really be hopping affairs. Wonder if the Obama kids will let the US-CERT folks play with the dog. As you can tell, I am adamantly against this. The White House is no more adept at managing computer security than they are at running car dealerships and banks. Now you know why I am spending so much time writing about political issues instead of technical issues. This administration is out of control, in my opinion.

Obama is about to appoint a new cyber-czar. You do the math on this one folks.
1. This is an appointed position; it does not have to be confirmed.
2. This new “czar” (wasn’t czar a popular Russian title?) will answer only to the President himself.
3. This position is going to be strictly controlled by the White House.
4. The Obama administration wants to bring back the Fairness Doctrine to get all of the conservative talk shows off of the radio.
5. Talk show personalities such as Tammy Bruce have already started moving portions of their show to streaming Internet sites (Tammy’s weekend roundup show, of which I am a HUGE fan, will only be heard on streaming Internet beginning June 6, 2009).
6. Obama wants to control every aspect of these people’s ability to broadcast.
7. The Obama Administration has already deemed all conservatives and gun owners to be “Right-Wing-Extremists.”
8. The peaceful “New Revolutionary War” has already begun, and it is taking place with conservatives burning up the Internet with warnings.
Prediction: This new czar will have nothing to do with focusing on computer security, unless you consider censoring conservative blog sites, conservative streaming talk shows, gun clubs, the NRA and other pro-gun web sites, and tea party web sites as having to do with “security.” Gee – wasn’t this done in Germany quite a while ago? Censoring freedom of speech and controlling information on the Internet is Obama’s sole agenda for this new czar. Stay tuned folks – this could get scary.
“Obama addressed concerns that the person might not have the budgetary and policy-making authority needed to force change. The coordinator, he said, will have ‘regular access to me.’”
Source: http://twt.gs/VJD6a
Wrapping It All Up:
Don’t be surprised if it’s a while before I write my next computer related article. I will try my best to keep you informed, but things in our country are just moving too quickly. Much of my time these days is spent building my 9.12 Project’s web site, adding new technologies to my gun club’s web site, and generally burning up the Internet on Twitter and my [political] blog sites with my opinions on how Obama and his ilk are ruining our country. As much as I love my chosen profession, I am even more passionate about my country and getting America back on track. Popular rhetoric would have you believe that our country needs to be “re-made.” Re-made into WHAT, exactly? I say that we need to RESTORE our country. If we don’t restore America to what she was designed to be, nothing else in this profession will matter, in my opinion. For all you fellow conservatives out there, keep up the good fight. And for all you slobbering Obama supporting progressive radicals out there – how are his policies working out for you? Well – you’ll get back to me when you’re paying federal sales tax on all your goods, can’t get to many Internet sites any more, are being told what kind/color of cars you can drive and all that, right? By the way – congratulations to all you fellow owners of GM.
