23 October 2009 by Jeff Hayes.

Yesterday, U.S. communications regulators voted unanimously to support an open Internet rule that would prevent telecom network operators from barring or blocking content based on the revenue it generates.

“I am pleased that there is broad agreement inside the commission that we should move forward with a healthy and transparent process on an open Internet,” FCC Chairman Julius Genachowski said.

The vote came despite a flurry of lobbying against the net neutrality rule by telecommunications service providers like AT&T, Verizon and Qwest which say it would strip them of the ability to manage their networks effectively and would stifle innovation and competition.

[The rule] allows for “reasonable” network management to unclog congestion, clear viruses and spam, and block unlawful content like child pornography or the transfer of pirated content.

The challenge is how much favor is oriented toward the end consumer versus how much to control the free market. How much freedom should an ISP have in deciding how to manage traffic on their networks? What should be done to make sure one ISP does not play favorites by slowing traffic to their competitors?

From the looks of if, the FCC is leaning towards preventing service providers from discriminating what services and content they will carry over their networks and under what circumstances.

What if I am in a one-horse town and I only have one reasonable option for high-speed Internet and my ISP decides it does not like specific sites like the Drudge Report, Fox News, CNN or categories of sites like hate, gambling, drugs, adult (not talking child porn here), or all sites in Arabic?

One the other hand, what if I decide that I want an ISP that supports my moral values and I elect that company to provide me my Internet service?

What if my ISP elects to throttle-down P2P traffic? Is that bad? It is bad for the P2P user but is it bad for everyone else? So should the ISP be given free reign or should there be some regulation?

I support the principle behind net neutrality in that all Internet traffic should be treated equally. As rule, I don’t like the idea of my ISP screening, interrupting or filtering Internet content without court order. Any fragmentation of services or control over specific protocols should be the exception and not the rule.

Posted in Web Security, Privacy | Print | No Comments »

11 October 2009 by Jeff Hayes.

I just completed the five-week FBI Citizens’ Academy. We meet once a week in the evening for 3 hours at the FBI offices (mine was in Salt Lake City) and on one Saturday at the firing range (mine was with the Salt Lake County). The best training experience I have ever had.

The curriculum consists of

• Practical problems involving evidence collection and preservation.
• FBI jurisdiction and congressional oversight.
• Structure and operation of FBI field offices and satellite agencies.
• Fingerprint, forensic, technology, training, and other services.
• Policies and issues: ethics, discipline, communications, drug enforcement, civil rights, and future criminal trends.
• Firearms training.

The Special Agent in Charge (SAC) and the Assistant Special Agent in Charge (ASAC) lead the training; the actual Special Agents are the instructors. We covered white collar crime, violent crime, cyber crime, counterintelligence, domestic terrorism, undercover ops, victims, investigations, technology & tools, and careers. We got enter and see the gun vault (including a 1929 Thompson submachine gun) and play in Firearms Training System (FATS simulator).

On Saturday, we saw a sniper demo. We were told roughly were he was concealed; he made 4 precise shots from 100 yards. None of us could spot him until he stood up. We saw an explosive demo; amazing what a little C4 can do. We shot four FBI guns – two handguns and two semi/full automatic guns. We even got to shoot the .45 Tommy gun. We participated in a SWAT team hostage training session (we were the hostages).

There is no doubt that the men and women we met — Special Agents and support staff — are second to none. They are very professional and personable. They are dedicated to their jobs. I was more than impressed.

If you are interested in law enforcement, information security, investigations, forensics, homeland security, this is a must. It was a great experience for all of us. I want to thanks those that participated in the 12th Citizens’ Academy in the Utah Division. I wish them the best, including the SAC who is transferring to the SE USA.

Posted in Homeland Security | Print | 1 Comment »

8 October 2009 by Jeff Hayes.

As an adjunct instructor at ITT Technical Institute for the past four years, I enjoy introducing a new topic to the newer students and then to see them a year or two later and see how far they have come.

For most, the concept of policy and more specifically, security policy, is foreign. I think they must get tired of hearing me answer:  “it all depends” or “what is the policy and why does it exist that way?”

Joan Goodchild, Senior Editor of CSO magazine, wrote a recent article, The Seven Deadly Sins of Security Policy. Here are her security policy deadly sins: 

1. Failing to do a risk assessment before crafting a policy
2. Having a ‘one-size-fits-all’ mentality
3. Failing to have a standard template
4. Having policies that only look good on paper
5. Failing to get management to buy in to the policy
6. Writing policy after a system is deployed
7. Lack of follow up

It is my experience that the biggest issue is lack of buy in from the top. Without top level buy in, why should any one read, follow or believe the policies are enforceable?

For many organizations, security is viewed as the “business prevention department.” The challenge security professionals have the world over is justifying the associated expenses. Security is an expense but for many organizations, it might be absolutely necessary, even an item that be be used to differentiate it from its competition, attract employees, and have a positive impact the bottom line.

There are many deadly sins with respect to security, and the worst is something many organizations are guilty of (not being one of the seven):  they have no formal security policies.

Posted in Security Policy | Print | No Comments »

6 October 2009 by Jeff Hayes.

The U.S. Department of Homeland Security, as part of its National Cyber Security Awareness Month, has created a list of fourteen things home users can do to bolster cyber security.

1. Use a suite of automatically updating security tools that includes anti-Spyware, firewall and anti-virus software.
2. Be sure your operating system and Web browser are set to automatically update.
3. Use long, complex passwords for both your computer and your wireless network that include numbers, symbols and letters, and change them every 90 days.
4. Maintain vigilance online and be skeptical about giving up personal information.
5. Turn off your computer when you are not using it.
6. Employ the same online safety behaviors when “surfing” on a mobile device.
7. Be on the lookout for signs of an infected computer including slower processing times, unwanted pop-up ads and increased spam.
8. Talk to your kids about good online safety and security habits, including protecting their personal information and their reputation.
9. Know what sites your children are visiting online, and check their social networking regularly.
10. Regularly back up your files either online or to an external hard drive (and store in a secure location).
11. Post cyber security tips on your favorite community Listserv.
12. Go to your favorite search engine and search by your name and other family members to see what is on the web about you.
13. Make sure your children know that they can come to you if something online makes them uncomfortable, including what others are posting about them, unwanted contacts, and questions they have about staying safe online.
14. Learn more at www.staysafeonline.org.

Good list? Yes.

What about business? The best checklist I have found for good cyber security for the average business is from the Payment Card Industry within its Data Security Standard:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

Simple? No. But is a great list to build a security plan upon.

Posted in Security Policy, Personal Security, Homeland Security | Print | No Comments »

2 October 2009 by Jeff Hayes.

October is National Cyber Security Awareness Month, as proclaimed by the U.S. DHS. The premise behind this is good: create awareness for cyber security. The DHS’s campaign will seek to: 

• Raise awareness of cybersecurity risks, consequences and available resources to a broad universe
  of information technology stakeholders  
• Reinforce shared responsibilities and provide a call to action to all computer users
• Direct stakeholders to tools, products and services they can use to protect their part of cyberspace
• Leverage Awareness Month events and activities to build a common culture of shared priorities
  across the full range of cybersecurity stakeholders
• Encourage interest of students in the cybersecurity field and help develop the next generation of
  cybersecurity professionals
• Promote the Cyber Security Awareness Volunteer Education Program (C-SAVE)

Security professionals the world over need all the help they can get to create awareness of their craft. For the most part, security measures, be they physical or cyber, are business expenses. The challenge security professionals have is to justify those expenses in a manner that helps improve the overall business appeal from the prospectives of the customers, partners, employees and investors.

For most of us working in the cyber security profession, we are viewed a smart but our value is questioned. “We pay this guy how much for doing what exactly?” “If we did not do ‘this’, what would be the impact?” “Do we really need to jump through all of these hoops?” “Do we really need to buy all of these security tools, applications and appliances?” “Wasn’t our security policy just updated?”

Some things are just hard. Cyber security is one of those hard things. It is tough to see, quantify and qualify. The better we are at creating reasonable awareness of the issues confronting or business and industry, the better and more effective we will all be at performing our security jobs.

Posted in Security Policy, Homeland Security | Print | No Comments »