Viruses, worms and Trojan horses
What's really important here?
27 AUG 2004 22:54 EDT (02:54, GMT)
Malware, hacks and other malfeasance are occurring more and more on our computer systems. But what's the big deal? Are people's jobs at risk? Quite possibly -- especially for those who leave their networks and computers attractive enough for the taking. Are people's feelings at risk of being hurt? Who cares. Are people's lives at risk? Perhaps...definitely more so in the future when everything we use in real life depends on networked computer systems. Is it the fact that we have malware that enables Webcams so the hackers can view hackee shenanigans? Nope. Well, OK -- that is pretty bad, but that's usually a personal preference.
The point I'm trying to make is that business information -- and therefore businesses -- are at stake here. If business information gets compromised, bad things quite often start happening. The same can be said for personal information getting into the wrong hands, as well. Information security is a business issue. Period. If upper management isn't involved, it's toast and time to look for a new job or a new customer.
Speaking of the business side of things, I think it's kind of neat that I've learned more about information security not from information security experts, but rather business success experts such as Brian Tracy, Jim Rohn and Jeffrey Gitomer. Why? Because the vast knowledge they're willing to share with others focuses on business issues, not the nitpicky technical stuff that we as IT professionals get caught up in all too often (I'm guilty of this, too). They look at the bigger picture and have inspired me to do so. I encourage others to listen to what they have to say so they can broaden their views, as well.
Do I think we have a snowball's chance in getting a grip on information security? Most likely things will get better, but there will always be bad people out there looking to do bad things to others in new ways we never thought of, so we've got to stay on our toes.
It's been real, y'all (yes, I'm a native southerner -- one of the few remaining in the Atlanta area). Keep things simple and balance security with convenience to keep (most) everyone happy. Those are the two best things I've ever discovered.
Thanks for listening!
Over, finished, done, gone, out.
Posted by Kevin Beaver
Spyware and such
25 AUG 2004 20:24 EDT (00:24, GMT)
I've changed my mind about viruses -- I think spyware is the worst thing going on now. Not a day goes by I don't hear from colleagues or online postings that systems have been infected with spyware. You know, a lot of this has to do with the user. A message pops up, the user is busy and clicks start a-flying just to get the darn pop-ups to go away...then the problems begin. Ahhh! Many, including myself, scream "When will this spyware problem stop!?"
Beyond training users to be careful what they download, where they browse and what they click on, there are a ton of great standalone spyware prevention tools to load to keep this junk from being installed in the first place. My favorites are Spybot and PestPatrol (you often have to use more than one -- for cleaning, at least). PestPatrol (and likely others) have centrally managed enterprise versions, as well.
Have you ever used a network analyzer to peek inside your network to see what's going on? It's one of the best security tools you can have. What's even cooler is to watch the traffic generated by a vulnerability assessment tool such as Nessus or QualysGuard (my favorite) -- it makes you not want to run testing tools during peak production hours!
I think it's interesting how many organizations have security policies, yet they haven't even classified their information. How do they know what to protect first? Hmmmm...Just thought I'd throw that out there.
Another thing I'll throw out there -- have you written your representatives in D.C. lately? This is one of the best ways to make things happen that affect you for the utmost in professional and personal gain.
Speaking of politicians -- check out "The Looming Legal Threat to Wi-Fi" that I just read (I'm a few months behind in my print mags) about legal issues affecting wireless LANs. It's a very interesting take on a widespread issue that probably affects you in one way or another.
Posted by Kevin Beaver
Certification schmertification
24 AUG 2004 23:00 EDT (03:00, GMT)
It occurred to me today that most IT and security certifications -- most -- are merely roadblocks that can be scaled with a few days of cram studying -- big deal! A few aren't though...How do I know? I'm trying to pass one of those darn Cisco tests and it's not easy! Off to take the test (again) tomorrow. Major kudos goes out to all the CCIEs of the world.
Speaking of those who rely on certifications to get in the door -- great news today for people like me that earn a living helping others with their information security. It looks like the Yankee Group estimates that 90% of all enterprises will outsource security by 2010! I've never been one to rely solely on analyst group predictions, but maybe the power of suggestion will at least play a role here.
Holy Cow -- NetWare has a new security vulnerability! This is about the 10th one in 15 years. Someone should be ashamed -- just no one at Novell. Other vendors could afford to pay heed to what Novell has done over the years with its development practices.
Must study now...after I apply my evening security patches.
Posted by Kevin Beaver
More of the same?
23 AUG 2004 19:46 EDT (23:46, GMT)
When you think about it, malware, phishing and even spam are simply social engineering with a different look. Like I said last week, though, I do believe the attack vectors will change over time to the point it starts getting personal in our homes, cars, highways, etc.
I'm hearing a lot of strong opinions that Microsoft should halt new development for a while until they get their security issues resolved. They did this recently, and I'm not convinced it really helped. I'm not sure it'd help if they tried it again. The problem is that the more complex applications become, the more weaknesses they're going to have. An analogy in the physical world is that of a one-story office building compared to a skyscraper -- there's simply more to go wrong. The more I think about this, the more I realize I don't know where I stand.
I had a network admin colleague recently tell me he's having trouble with an employee surfing for porn. He asked if I thought he should tell management since he feared backlash (like it's his fault) and also asked if I had any examples of an acceptable usage policy that he could put in place. I responded with a resounding "Yes, tell them now and let them put the policy in place." Ahh, jeez. I can't imagine being the network admin that puts an AUP in place and is responsible for enforcing it! Not on my time! Prime example of what I see all the time -- management doesn't really care what's going on on the network.
This is old, yet interesting news -- Congressman Putnam in Florida is talking about regulating information security if the industry cannot fix the problem itself. Just another example of infosec not being "mainstream" in the corporate bigwigs' eyes. <tongueincheek>I think we should just put the Department of Homeland Security in charge of implementing and enforcing information security -- that'll solve all our problems.</tongueincheek>
Posted by Kevin Beaver
General observations on the information security industry
20 AUG 2004 23:00 EDT (03:00, GMT)
I think there are almost as many information security experts that have cropped up in the last two years as there are mortgage brokers.
I've got entirely too many vulnerability alerts coming into my inbox every day -- I can't keep up! (<yeah, right!> Can't someone just fix all the vulnerabilities? <yeah, right>)
Wouldn't it be nice if those of us who are IT consultants could bill for every second they work like lawyers do? There would be a heck of a lot more millionaires in this world!
I'm convinced there are too many information security conferences around these days. Well, you've got to keep up if you're going to stay at the top of your field. How can anyone possibly figure out which one(s) to go to? Unfortunately, it's called trial and error.
Apparently new vulnerabilities have been discovered in the MD5 and SHA algorithms. If only we could focus our efforts on information security basics as much as many do on less-than-unlikely-to-be-exploited vulnerabilities, I think we'd all be pretty safe.
Speaking of the basics...I'm absolutely convinced that if people would do what's right and patch their systems, consistently apply virus signature updates and just follow the free and simple guidance on the Internet to harden their systems, most networks and the Internet would be a safer place. Of course, if people did what's right, we wouldn't have to own guns for self-defense...or have militaries...or have to hire nickel-and-diming lawyers to protect us from other nickel-and-diming lawyers. I guess it's stuff like that that makes the world go around.
All of this is easy to look past when I think about living life according to Robert Schuller:
People are unreasonable, illogical and self-centered. Love them anyway. If you do good, people will accuse you of selfish ulterior motives. Do good anyway. If you are successful, you will win false friends and true enemies. Succeed anyway. Honesty and frankness make you vulnerable. Be honest and frank anyway.
Until next week...
Posted by Kevin Beaver
Hypotheticals to ponder
19 AUG 2004 23:08 EDT (03:08, GMT)
Would malware be an issue if management cared more about long-term software quality than short-term sales numbers?
Would malware really be a problem if it weren't for ignorant users?
Would malware affect Unix, Linux and NetWare if it weren't for Microsoft?
Would malware even be an issue if the thugs that write the code spent just half the time studying success and achievement to build their self-esteem as they do writing code to mess with others?
Will we ever get a handle on malware and other information security threats?
Is Microsoft really onto something with its new development paradigm using isolation and resiliency, etc., like they've done in Windows XP SP2?
Would we as IT professionals have jobs if it weren't for any of the above? Wait. I know! I know!....Probably not. Therefore, we must find a good balance between embracing these issues and staying sane.
Oh, by the way, I changed ISPs to get my e-mail working again. That was the second step in my business continuity plan -- right after "skip the obvious and try all the difficult things first." :-) Seriously, it's truly and absolutely amazing how much better service you can get from a small local ISP compared to national behemoths who care about nothing more than their stock price. Just damn.
The following quote makes all of this seem a little less painful and makes me believe positive information security changes can be made if we choose to learn from our goof-ups:
A life spent making mistakes is not only more honorable but more useful than a life spent doing nothing.
-- George Bernard Shaw
Editor's Note:
Feel like pondering back to Kevin? E-mail him.
MEMBER FEEDBACK
I failed hypothetical in college, so here are your answers:
Would malware be an issue if management cared more about long-term software quality than short-term sales numbers?
Depends on who you ask. I work for a small company that is worried about its survival month by month so it is really difficult for them to buy into the idea that they should invest in items to make them better three years or so down the road. I know the argument is "upfront investment saves future money," and I would love to get some of that upfront money so that I could pull off the impossible they expect from their current systems, but I see both sides. As to malware and managers...you ever heard Stephen Hawking explain in purely mathematical terms how a black hole affects time? Well, the glazed look that would undoubtedly appear on the average guy's face is what I see all the time when I endeavor to explain malware.
Would malware really be a problem if it weren't for ignorant users?
Overall, probably not; but some will appear regardless, from the software you buy, Web sites that insist you accept cookies to use and new attacks from zombie servers by cyberpunks with too much time on their hands. How can you expect a working adult who has thousands of responsibilities and worries every day to compete with a kid on summer vacation who has hours upon hours to perfect malicious code and network with other miscreants? I am IN the computer field, but I don't have time to learn everything I need to know about computers!
Would malware affect Unix, Linux and NetWare if it weren't for Microsoft?
If they are networked, yep. In the real world (offline), we have laws that establish property rights and boundaries. Someone physically has to come to break those laws and they are subject to prosecution. On the Internet, everything is free, which means if you use the Internet, you agree that whatever you expose out there is available to anyone that wants it -- think of a phone party line. Until laws are made and technology emerges that allows people to privatize parts of the Internet -- think personal phone number -- and identify intruders, which ignorant users need to have a chance, this problem will be here no matter which vendor is in charge.
Would malware even be an issue if the thugs that write the code spent just half the time studying success and achievement to build their self-esteem as they do writing code to mess with others?
Malicious code gives them two things: recognition and power. At least they aren't getting that recognition and power by walking into their schools and shooting people. I honestly don't think that malware is that big of a problem. Don't scoff at me...here is my reasoning: If it were, governments and big business, when banded together, pretty much would control or destroy anything, but they haven't yet. Until there are enough stings, they won't get serious about the issue. If they aren't serious about it yet and working TOGETHER to stop it, then it isn't a big enough problem yet...either that or they have solutions they aren't sharing.
Will we ever get a handle on malware and other information security threats?
Yes, once two full future generations emerge. The earliest types of computer viruses are no longer with us -- if nothing else, changes in technology and how it works took care of that. Will threats that act and spread like Netsky be a thing of the past and never thought of again? Sure, once a couple of generations of new threats emerge.
Is Microsoft really onto something with its new development paradigm using isolation and resiliency, etc., like they've done in Windows XP SP2?
No, smoke and mirrors, a la Gates. Proof is in the pudding, and my bowl is empty.
Would we as IT professionals have jobs if it weren't for any of the above?
Yes, improving technology and properly supporting business objectives. Although studies say the number of jobs for IT professionals is shrinking, they will always be needed, like mechanics and plumbers.
-- Aaron Wraight
network administrator/computer technician
Editor's Note:
Join Aaron's pondering.
Posted by Kevin Beaver
What's your new vector, Victor?
18 AUG 2004 20:10 EDT (00:10, GMT)
I spend a lot of time thinking of new vulnerabilities in computers and electronics systems. I try to think like the bad guys, although I don't think my mind can twist quite far enough. Anyway, I've been thinking more and more about what the next big means of malware propagation will be.
Remember the days of good old floppy disk viruses? My, how things have changed....Then macro viruses were all the rage. Then there was (still is) malware affecting e-mail. The new trend is distributed worm attacks that compromise vulnerable servers.
So what am I getting at? I don't think we've even seen the tip of the malware iceberg that's to come.
I'm pretty sure our homes (appliances, TVs, alarm systems, etc.) and even our highways and automobiles are going to be the future of malware attacks. Call me crazy, but mark my words. Look at how attacks have worked in the past -- physically transportable, electronic and addressable across a network. Floppies, e-mail, servers -- you name it -- all fit into that category. One of these days, I believe we're going to have thugs releasing code from across the Internet that attacks the electronics in our own homes.
And you think a behavior-based attack on your refrigerator that shakes all of your beer bottles up and kills the taste is bad. Just wait...one of these days in the not-so-distant future (you know, in a few years when the government controls and monitors our highways, automobiles, driving habits, thoughts, etc.), when everything involved in our daily commute is addressable across some type of network (probably still IPv4) -- bad things will happen. Cars will be remotely unlocked and stolen, radios will be reprogrammed (you know like when you disconnect your battery and have to spend 30 minutes resetting the stations), onboard diagnostics (OBD) systems will be tampered with, making us look like worse drivers than we actually are. And then the crashes will come: perhaps software that leads to hardware that leads to physical disaster on the road. Just imagine a DDoS attack against our highways during evening rush hour the Wednesday before Thanksgiving!!
Oh, and what about electronic voting? Heaven forbid we have another excuse about a politician "losing" a close race due to some electronic chad overload!
I'm serious...
Posted by Kevin Beaver
Would you like to buy some technical solutions?
17 AUG 2004 21:54 EDT (01:54, GMT)
Well, my e-mail woes continue today. My ever-so-lovely ISP has apparently just decided to block for certain customers all SMTP traffic that doesn't go through their e-mail servers. It's all in the name of "spam management." Funny how they didn't consider the business side of things and notify their customers that they're about to break something. But it's more about technical fixes than anything, right?
I've answered countless times in the past two weeks the question: "Why can't we have better security, more secure software and better products so we don't have to worry about security policies and procedures?" I even had a conference coordinator contact me, concerned about an upcoming presentation I'm making, thinking it might not be technical enough.
What is everyone's deal with focusing on the technical issues and bypassing the common sense basics? For every security patch applied, for every penetration test run, for every virus eradicated and on and on, there must be some higher-level business processes backing them up. Things like planning (I know it's not cool or sexy), developing a formal methodology and following up to make sure things are more secure -- these are the things that we need to be focusing our efforts on. Simply put: Technology should be used to enforce higher-level business policies -- nothing more and nothing less.
On a more positive note, there was an interesting acquisition today. Apparently McAfee intends to acquire Foundstone. This is a good sign that bigger companies are taking information security services more seriously.
Can you imagine if we could get to the point where the perceived value of information security countermeasures exceeds the cost? Just the opposite are those people in Florida (bless their hearts) that many claim are being victimized by those mean old "price gougers." Hey -- these people are in need of tools and supplies, and I'm sure they certainly appreciate the convenience some of these "price gougers" are offering them, hence their willingness to pay higher-than-normal prices in order to clean up Hurricane Charley's mess. It makes me want to sing...Like to hear it? Here I go...(think back to the old Hee Haw tune)..."Where, oh where, did our free market go? Why are the politicians trying to destroy our republic!?"
Oh wait, I'm talking about the opposite issue related to information security -- I can't seem to get rid of that political soapbox for the life of me. How about "When, yes, when will management buy into security? When will they stop leaving us here all alone!?" OK...so I'm not a songwriter.
Until later. And don't open any so-called photos someone sends you in an e-mail attachment.
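That last line of advice is worth turning into a check. What follows is an added example, not code from the original post or from Kevin: a small Python script that inspects e-mail attachments for the two tells of a worm mailed as a "photo" -- a deceptive double extension (photo.jpg.scr) and a declared image extension whose bytes are not actually an image (a renamed executable). The sample message, the addresses in it and the extension lists are constructed for this example; only the standard library is used.

```python
"""Flag e-mail attachments that claim to be photos but are not.

Added example (not from the original post): a defender-side check for the
trick of a worm mailing itself as a "photo". Two signals are used: a
deceptive double extension (photo.jpg.scr) and a mismatch between the
declared image extension and the file's magic bytes. The sample message
below is constructed inline; the extension lists are this example's own.
"""
import email
import email.policy
from email.message import EmailMessage

# Extensions Windows will execute; a "photo" should never end in one of these.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# File signatures (magic bytes) for the image types we accept.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def inspect_attachment(filename, data):
    """Return a list of reasons this attachment looks like a disguised executable.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    exts = filename.lower().split(".")[1:]  # every extension after the base name
    final = exts[-1] if exts else ""

    # 1. Deceptive double extension: an image extension hidden before an
    #    executable one, e.g. "vacation.jpg.scr".
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        if any(e in IMAGE_MAGIC for e in exts[:-1]):
            reasons.append("image extension hidden before executable extension")

    # 2. Declared image type whose content does not start with that image's
    #    magic bytes (renamed executables fail this check).
    if final in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[final]):
        reasons.append(f"content is not a {final} image")

    # 3. Content that is a Windows PE executable, whatever the name says.
    if data.startswith(b"MZ"):
        reasons.append("content has a PE (MZ) header")

    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and inspect every attachment.

    Returns {filename: [reasons]} for the attachments that were flagged.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):  # text attachments come back decoded
            payload = payload.encode("utf-8", "replace")
        reasons = inspect_attachment(name, payload)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Construct a test message: one genuine JPEG and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"   # constructed addresses
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "check out these photos"
    msg.set_content("pics from the lake, open the attachments!")
    # Constructed stand-ins: a JPEG header plus filler, and PE headers plus filler.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 64,
                       maintype="image", subtype="jpeg", filename="lake.jpg")
    msg.add_attachment(b"MZ" + b"\x90" * 64,
                       maintype="image", subtype="jpeg", filename="lake2.jpg.scr")
    msg.add_attachment(b"MZ" + b"\x90" * 64,
                       maintype="image", subtype="png", filename="cabin.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the script flags lake2.jpg.scr (executable extension, hidden image extension, PE header) and cabin.png (not a PNG, PE header) while the genuine lake.jpg passes. The magic-byte check is what catches the case the extension check cannot: a plain executable simply renamed to .png, which a mail client will still hand to the user as an "image".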
Posted by Kevin Beaver
Don't forget the little things
16 AUG 2004 23:50 EDT (03:50, GMT)
We're drowning in viruses, worms, Trojans, spyware, and more -- what's this world coming to!? The theory of malware -- that's what I refer to it all as now...I got tired of trying to be technically correct when referring to the latest whozeewhatzee riffraff some cyberpunk has come up with -- started way back in 1949 when mathematician John von Neumann suggested that computer programs could reproduce in his work titled "Theory and Organization of Complicated Automata." Skip a generation or two to 1981 and von Neumann's theory became a reality when the Apple II Elk Cloner virus was released. I know, I know -- I still wonder where the Apple viruses are now!
Well, moving forward and tens of thousands of malwarez (I think I just created a new word) later, here we are -- as vulnerable as ever. We've got scientists in the lab analyzing the radio frequencies emitted by computer chips, and they're telling us our information is insecure yet another way, while at the same time we seem to be having a lot of trouble protecting our computers when the solution is right before our eyes.
After troubleshooting my business e-mail that hasn't worked all day today (logging into my Webmail account 500 times, using a network analyzer, installing different e-mail server software and more), I'm discovering more and more that it's always the little things that get you. According to their level 1 support, my ever-so-lovely ISP is having an e-mail "outage" today. A level-2-thru-the-grapevine rumor tells me they're actually blocking certain e-mail traffic...What's an IT guy to do?
Anyway, I'm looking forward to answering your questions and giving you practical advice for the next two weeks on how to keep your computers, network and, ultimately, your information secure. Read on in my daily blogs, come back and visit, and post those questions!
Posted by Kevin Beaver