25 September 2009 by Jeff Hayes.
Politically conservative, I question the value of many government agencies and jobs. By their nature, every single government job consumes taxpayer funds. Not one of them produces a single dollar.
Certainly there are many jobs and roles that are required from government. It is the opinions along this line that significantly define our political differences. Some feel government is the answer to many of our problems, others do not. I am in the latter.
Nevertheless, I have many acquaintances that earn their living by working security for the federal, state, county and local governments. I do not have any ill-feelings towards any of them. Some of these jobs are very interesting. But are they absolutely required?
I attended our local InfraGard meeting this week. A good group and a good meeting. We heard a presentation from Access Data on computer forensics, some excellent insights from a civilian security specialist from Hill AFB, and a presentation from a gentleman from DHS. This latter presentation got me thinking about the scope of the DHS. Has it quickly expanded beyond what is reasonable?
There is a role that one of the groups performs: an infrastructure survey. One or more federal employees will come to your site — any site — and do a 4-7 hour assessment of your physical security, preparedness, etc. The billing fee? Zero. Cost? Not free. Certainly a service like this is useful. Any security officer would be dumb to not take advantage of a service like this. Another set of eyes can only help. But is it the best use of taxpayer funds?
Just like cash for clunkers, it is a great deal for those people who needed a new car (or security assessment), but a bad deal for those of us who were unable to take advantage of the offer (or who did our own, either ourselves or by paying a third party to do it for us). Those that did not need a new car (new assessment) at that time were forced to fund those that did.
If the Department of Labor was completely eliminated, would anyone besides the employees notice? What about the Departments of Education, Commerce or Housing & Urban Development? Does the DHS need a Science and Technology Directorate?
The problem with government in all nations is that it is too big. It does not matter which political party is in power, government grows. Most of the growth is well intended. But the value is very questionable.
In the security world, the powers that be justify their positions, programs and plans as necessary to protect us and our operations. Security people over-blow most situations. Without fear, uncertainty and doubt, they would be without a job. Politicians do the same: the other guy’s special interest is corrupt and not required but theirs is.
I appreciate the men and women that are trying to protect us. I just think there are too many of them in roles that do little to reduce or manage risk.
Posted in Homeland Security, Infrastructure Security
10 September 2009 by Jeff Hayes.
When I began my career in the 80s, I worked for a firm (NCR Comten) that competed against IBM. We provided communication processors for the mainframe/cluster controller/terminal industry. In the 90s, I worked for firms (Network Systems, Xylan, Alcatel) that sold channel extension, security appliances and switching products against Cisco. In both cases, we were the outsider, trying to unseat the incumbent. Outside of feature/function/benefit/pricing comparisons and long-term personal relationships between the sales team and customer, we had to combat fear, uncertainty and doubt (FUD).
FUD is based on the notion that if you — the customer — buy the incumbent’s product, you will regret it. Comments might include: “it will not work as advertised;” “the long-term costs will be greater than what you think;” “it will be a support nightmare;” and “your administrators and end users will not like the new solution.” In the security space, the points are the same but the infosec vendors add a new spin to fear.
Security entrepreneurs recognize a problem that is not being properly addressed by current products. They design, develop, test and market a new mousetrap. The challenge for all of them is to find a market large enough to cover the investment and to build a business upon the new market. Few people are aware that many of these problems exist. Enter marketing.
The infosec firm needs to define the problem so more people are aware of it. They need to expand the scope of it. They need to make you feel like if you don’t have this product, you are opening yourself up to a security disaster.
We all know technology and the exploitations evolve. Many of these new products do have merit but most do not. That’s why so many of these firms go out of business or cannot grow beyond $5-20 million in annual revenue. The lucky ones find an exit strategy by being acquired.
I was reading an article in CSO magazine, 7 Reasons Websites Are No Longer Safe. Though not an infosec vendor, it makes the reader think that all Web sites are insecure and you might as well forget about trying to secure them. Hum. So all of the e-commerce, banking and investment sites are unsafe?
The infosec industry makes its money by making people feel insecure. Fear is key to the marketing message. For most businesses, they do not need all of these leading-edge security devices or software. The sky is not falling, despite the vendor-speak.
Posted in Infrastructure Security, Web Security
31 July 2009 by Jeff Hayes.
P2P legislation talk is rearing its head again.
House Oversight and Government Reform Chairman Edolphus Towns today is expected to blame the Bush administration for having a laissez-faire attitude that has allowed privacy and security problems posed by peer-to-peer networks to persist online. At a hearing on the topic, he is likely to call for legislation to guard against inadvertent file-sharing, heightened FCC involvement and the creation of a public awareness campaign to inform people about the dangers of P2P software.
Making a law outlawing P2P software is not the answer; policy enforcement is. It is not the P2P service providers' fault that enterprise users elect to load and use P2P software for access to images, programs, and entertainment.
P2P software is something found on just about every home computer where there is a user under 30 years of age. They see the direct benefits of “free” music, TV shows and movies. Most have never experienced negatives: no police knocking at their door or security incidents rendering their computers into boat anchors. Most have no idea what the risks are.
Using P2P software and public services on business or organizational networks raises a whole series of issues. Copyright infringement, unlicensed software and security issues galore from Trojans and bots to offensive materials can make their way throughout the network, not to mention the bandwidth usage and productivity issues.
If P2P software is found within the enterprise, then there is either poor education, weak policies, poor enforcement or a combination of all three. A law will still require education and enforcement. Solid policy and associated enforcement is better medicine than Congressional actions.
Posted in Security Policy, Infrastructure Security
23 July 2009 by Jeff Hayes.
Limited to tech-savvy insiders and those passionate about security, darknets allow users to share files and communicate anonymously. For most, they need to install special clients; e.g., Freenet or WASTE. A pair of researchers from HP are planning to unveil a browser-based version next week at Black Hat they dub Veiled.
Great for the individual that elects to participate, not so great for the enterprise. Why? Because shared files are encrypted, fragmented and redundantly stored across the darknet. With a browser-based version, content can be published anonymously into the darknet with hyperlinks to other documents stored within the network.
For most enterprise users, there is no reasonable need for a darknet capability. A darknet application is a method to avoid the prying eyes of the “corporate police.”
The organizational security policy should contain a statement that “outlaws all darknets unless specifically authorized.” As an agent of a business or organization, a user would be required to abide by the policy set forth by the organization.
Posted in Infrastructure Security, Privacy
8 April 2009 by Jeff Hayes.
As a product manager for many computer networking and security products, one thing I was able to address multiple times across multiple product lines was to make sure our products supported the Network Time Protocol. NTP was originally defined clear back in 1985 and is now detailed in RFC 1305. A client/server model, it is used by routers, switches, security appliances and many other classes of computing equipment.
Having consistent time stamps is essential for reliable logs and automated processes. A reliable time stamp is essential in forensics and in chain of custody verification.
According to a 2007 study by Florian Buchholz and Brett Tjaden of James Madison University in Virginia, more than a quarter of the Web servers on the Internet have their clocks off by more than 10 seconds.
During their six-month study of more than 8,000 Web servers, they found that systems with the wrong time frequently drifted—or jumped—in unpredictable ways. Some systems would get steadily slower or faster, and then jump back to the correct time. Other systems were rock solid in the rate that time passed, but they were off from the correct time by minutes, hours, days or even years. Some systems followed the wrong rules for Daylight Savings Time. And some servers appeared to have multiple wrong times—that is, one query to the server would return one time offset, and another query would return a completely different time offset, and then subsequent queries would alternate between the two.
Luckily, enough product managers and developers have made sure that NTP is a standard product feature. All major operating systems across all platforms from PCs, servers, network and security equipment to mobile phones and modern handheld units support NTP. They typically sync up on boot and regularly check the NTP time servers to minimize float.
Smaller businesses should make sure that their networking, security and server systems all support a validated NTP implementation. Making sure it is activated across the infrastructure is a simple thing to do in the good housekeeping world of information security.
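To make the housekeeping check concrete, here is an added example (not part of the original post) that builds an NTP client request, validates a server reply and computes the local clock offset, flagging anything beyond the 10-second figure from the study. The function names are hypothetical and the reply is constructed in code so the example runs offline.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 10.0              # seconds; the threshold quoted from the 2007 study

def to_ntp(unix_time):
    """Encode Unix time as a 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    secs = int(unix_time)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, int((unix_time - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client request: LI=0, VN=3, Mode=3; transmit timestamp carries t1."""
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)

def sample_reply(request, t2, t3, stratum=2):
    """Constructed server reply for offline use (not captured traffic)."""
    header = bytes([0x1C, stratum]) + bytes(22)   # LI=0, VN=3, Mode=4 (server)
    return header + request[40:48] + to_ntp(t2) + to_ntp(t3)

def clock_offset(reply, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are local send/receive times.
    A positive offset means the server is ahead of the local clock."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if not 1 <= reply[1] <= 15:
        raise ValueError("server reports it is unsynchronized")
    if reply[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def skewed(offset):
    """True when a host's clock is off by more than MAX_SKEW seconds."""
    return abs(offset) > MAX_SKEW

if __name__ == "__main__":
    t1 = 1239148800.0                       # constructed local send time
    reply = sample_reply(build_request(t1), t1 + 42.125, t1 + 42.375)
    offset, delay = clock_offset(reply, t1, t1 + 0.5)
    print(f"offset={offset:+.3f}s delay={delay:.3f}s skewed={skewed(offset)}")
```

Against a real time server the request would be sent over UDP port 123 and `t4` taken from the local clock when the reply arrives.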
Posted in Infrastructure Security
3 April 2009 by Jeff Hayes.
I have read with interest over the years about people concerned that unauthorized access to an electric provider’s command and control center (any utility for that matter) will result in losing control over the power distribution. The fear goes that “the intruder could shut down power to a city, a neighborhood, a specific building; chaos would ensue.”
An article this week in Computerworld commented on a report released by IOActive, a Seattle-based security consultancy. It mentioned that an “emerging network of intelligent power switches, called the Smart Grid, could be taken down by a cyberattack.”
Whereas I do not doubt the possibility, I question the likelihood.
Where does the primary concern rest with this? Probably with the electric utility.
What about the average business? Should they be concerned? Should there be an action item here? Hardly. Just good security practices. Deploy UPS units, back up data in multiple locations, and create disaster recovery and contingency plans.
Power grid hacking is one thing I never lay awake at night thinking about. I doubt the utility plant manager does either — protecting his operation against these types of outages is part of his daily job.
Update 4/8/09: The latest is that cyberspies from China, Russia, etc. have penetrated the U.S. electrical grid and left behind Trojan software programs. The scary thing is that the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies.
Posted in Infrastructure Security