
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 30 Aug 2006 (entry 551)
Identity Management Appliances

Now that you've read my article on the dangers of neglecting identity management, you should read my partner Lisa Phifer's article, Identity management appliances reduce password cost, at Security Spotlight.

Where I focused on why identity management is too important to neglect, Lisa offers reasons to consider an appliance for IdM, describes deployment strategies, offers a list of features to look for in an IdM appliance, and tips on how to choose the appliance that's right for your organization.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID551 by Dave Piscitello  


Tue, 29 Aug 2006 (entry 550)
Six Worst Security Mistakes

My article, Neglecting Identity Management, is part of a six-article series published at Network World. The other articles cover a wide range of topics:

  • Not having a security architecture
  • Not investing in training
  • Ignoring the insider threat
  • Not protecting Web appliances
  • Buying products with the most bells and whistles

You may not agree that these are the "top six" but you'll find them all interesting reading.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID550 by Dave Piscitello  


Wed, 23 Aug 2006 (entry 549)
The HTTP Proxy Chronicles

I'm a long-time advocate of employing application proxies. I had the opportunity to write a series of columns illustrating a number of ways an organization can use an HTTP proxy as an additional line of defense: inspecting outbound requests to protect users from unknowingly disclosing sensitive personal and company information, and inspecting inbound responses to keep inappropriate or potentially harmful content from entering the organization's network. While the articles describe features of the WatchGuard Firebox X HTTP Proxy, they are useful to anyone who wants to learn about the benefits an organization can derive from applying HTTP proxies in general.
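As an added illustration (not code from the original columns or from the WatchGuard product), here is the kind of per-message decision such a proxy makes, written in Python: an egress check that refuses form posts carrying a Luhn-valid card number or a US SSN, and an ingress check that refuses executables by MIME type and, because Content-Type can lie, by magic bytes. The request and response samples are constructed; the card number is the well-known 4111 1111 1111 1111 test value.

```python
"""Minimal HTTP proxy content policy (added example, not the page's code)."""
import re
from dataclasses import dataclass

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US Social Security number in the usual dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# MIME types a cautious egress proxy refuses outright (assumed policy).
BLOCKED_TYPES = ("application/x-msdownload", "application/x-msdos-program")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def luhn_ok(digits: str) -> bool:
    """Luhn check: keeps random digit runs (order numbers, timestamps)
    from being mistaken for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_outbound(method: str, headers: dict, body: bytes) -> Verdict:
    """Egress policy: block textual request bodies that leak a card or SSN.
    Header names are normalised to lower case; binary bodies are passed
    (a real proxy would have to decode multipart and compressed bodies)."""
    if method.upper() not in ("POST", "PUT"):
        return Verdict(True, "no request body to inspect")
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if not (ctype.startswith("application/x-www-form-urlencoded")
            or ctype.startswith("text/")):
        return Verdict(True, "non-text body not inspected")
    text = body.decode("utf-8", errors="replace")
    cards = find_card_numbers(text)
    if cards:
        # Log only the last four digits; the proxy log must not itself leak.
        return Verdict(False, "card number in request body (last4 %s)" % cards[0][-4:])
    if SSN_RE.search(text):
        return Verdict(False, "SSN in request body")
    return Verdict(True, "clean")


def inspect_inbound(headers: dict, body: bytes) -> Verdict:
    """Ingress policy: refuse executables by declared type and by content."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if any(ctype.startswith(t) for t in BLOCKED_TYPES):
        return Verdict(False, "blocked content-type %s" % ctype)
    if body[:2] == b"MZ":  # PE/DOS executable header
        return Verdict(False, "executable by magic bytes, declared as %s" % ctype)
    return Verdict(True, "clean")


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    print(inspect_outbound("POST", form, b"name=Dave&card=4111-1111-1111-1111"))
    print(inspect_outbound("POST", form, b"name=Dave&order=1234567890123456"))
    print(inspect_inbound({"Content-Type": "image/gif"}, b"MZ\x90\x00" + b"\x00" * 60))
```

The proxy only sees plaintext, so these checks apply to HTTP, or to HTTPS only where the proxy terminates TLS itself; that trade-off is the usual caveat when an organization decides how far inspection should reach.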

The complete series of articles is now available at these hyperlinks:

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID549 by Dave Piscitello  


Mon, 21 Aug 2006 (entry 548)
What Security Professionals can learn from Air Travel Restrictions.

Traveling by air these days is inconvenient, and as a security professional I will resist the temptation to whine about restrictions imposed on carry-on items. However, I will take my recent real world experiences to harp on policy definition and implementation.

In two separate screening instances, I have had the same items treated differently on each occasion. My originating airport allowed everything I packed that was not specifically a liquid. These included a gel deodorant and a stick deodorant (I packed both with the expectation I'd have at least one upon arrival). Less than 24 hours later, the TSA agent who pre-screened items before X-ray confiscated my gel deodorant but permitted my stick deodorant. After passing through X-ray, a second TSA agent insisted that my bag be hand-examined. The object that attracted her attention was of course the stick deodorant. She opened the deodorant, scowled at me and claimed it was a gel. I made the mistake of defending my actions, explaining that "The other agent hand examined the stick and told me it was OK". Not satisfied with my reply, she called the other agent over. They proceeded to argue whether it was stick or gel for several minutes. In fact, the label on the deodorant said "gel stick". I suggested that since it was a trial size and nearly used up, I was more than happy to leave it, but by this point, the agents were wrapped up in a testosterone contest.

A post-mortem analysis suggests that one or more of the following failure conditions were encountered:

  • The security policy was either hastily or incompletely defined.
  • The policy was not communicated to the agents in adequate detail.
  • The agents were not responsible enough to read it thoroughly.

The lesson? Security policy implementation can only succeed when policy definition, dissemination, and consumption are correctly executed.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID548 by Dave Piscitello  


Fri, 18 Aug 2006 (entry 547)
What should I shred?

I was asked this question several times during a back to school event. Realizing no one wants to be presented with an exhaustive list in a casual setting, I offered a simple, "any printed material that contains information you should or prefer to keep private". Given the worrisome increase in phishing and other forms of online identity theft, I'm actually encouraged that people are thinking about protecting their identities and other sensitive information in formats other than bits in motion and bits at rest.

I don't have statistics but I'll speculate that dumpster-diving for personal information is still a profitable venture for organized crime. With the increased emphasis on recycling paper, it's also become a less odious (and odorous!) task. Given that you can now buy a decent paper shredder for under $20 US, many people can afford to reduce the risk of identity theft by shredding. An extreme "shred everything" approach probably requires an industrial-grade shredder, so here's a list of what I consider the highest-risk papers. Before you toss these items in the recycling, consider shredding them:

  • Credit card, loan, bank statements and any correspondence on which a complete account number is printed.

  • Insurance, medical plan, and any other correspondence on which a complete social security number, claim number, or record of service is printed.

  • Pay stubs, Social Security, retirement and other "benefits" statements.

  • Credit card offers.

  • "Debt consolidation" and Cash Advance checks financial companies send you (I call these "debt expansion" checks). Blank checks from expired accounts? Sure.

  • Utility bills. There may be enough personal information on a utility bill for a prankster to impersonate you and arrange for your electric, gas, telephone, and water service to be terminated.

  • Correspondence that contains your full mailing address and phone number. If you've taken the time to arrange for an unlisted phone number but have provided it to a creditor, there's no point in leaving it for someone bold enough to dredge through trash to find and misuse it.

  • Any paper on which you or a creditor has written credit card and ATM PINs.

  • Pages or covers of mail order catalogs that contain your address and customer number.

  • Children's school work. Sadly, these all pose a real threat. Your child's artwork, tests, and even homework have powerful social engineering potential. Class trip announcements and after-school activity schedules pose threats as well, since they identify where your child will be and when.

  • Truly personal correspondence - love letters, cards you no longer care or dare to keep.

  • Photographs (see "truly personal" above).

My wife just entered my office, and asked why I was rifling through my recycling bin. I explained that I was emulating a dumpster diver. She shook her head, gave me one of those "that's pathetic..." looks, and left. I suppose that's a good indicator that I've milked this thread for all it's worth.

[Note: if you want to add to the list, send me email...]

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID547 by Dave Piscitello  


Mon, 14 Aug 2006 (entry 546)
Will Security ever "get done"?

Colleague Anton Chuvakin wrote an interesting (in his words, "fun") piece on this subject at O'Reilly SysAdmin. He provides accurate lists of both pro and con arguments. I won't reproduce them here but encourage you to read his article. Anton concludes his piece with, "the explosive combination of the march of ever-more-critical new connectivity technologies with the presence of dedicated evildoers will, in my opinion, guarantee that information security will remain relevant, vital and fun for years to come! Security technology innovation will not dry out any time soon".

If we do ever achieve closure on security I for one will be interested to see if anyone notices. Such an "event" will not be as newsworthy as banning liquids and carry-on bags on airplanes, unauthorized disclosure of personal information of tens of thousands of U.S. veterans, or a worm that infects and freezes iPods.

The biggest problems in security are rooted in human behavior and not technology. Scams, theft, and abuse antedate computers and networking. I am confident that programmers will write code securely and that operating systems and applications will be hardened on initial boot *long* before consumers of technology pay sufficient attention to security to make an event like "computing and the Internet are finally secure" meaningful.

Ironically, an announcement that security is done is probably the most pernicious event an attacker could conceive. Society would react by lowering its already pitiful guard entirely. Talk about adding fertilizer to a green field.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID546 by Dave Piscitello  


Sun, 13 Aug 2006 (entry 545)
Quoted in: VoIP security wake-up call

Journalist Geoff Long wrote an interesting piece for TelecomAsia.net on the increased attention VoIP is receiving from attackers. Whilst gathering background information for the article, Geoff interviewed me via email, and has included several observations I made in response to his questions concerning escalation, complexity, and threat levels associated with recent attacks against VoIP subscribers and service providers (with attribution). You can read the article here.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID545 by Dave Piscitello  


Wed, 09 Aug 2006 (entry 544)
Antivirus for the Mac OS X - ClamXav

If you believe that a virus infecting a Macintosh is about as likely as being struck by lightning, you are living on borrowed time. The infection probability is low today, but Macs now account for between 10-16% of the personal computer market, and it's growing. Eventually, some virus writer will be unable to resist the temptation to earn the notoriety associated with "the first major virus attack on Mac OS X". Moreover, many Intel-based Macs will run Windows XP in a virtual PC or shared partition configuration, so common partitions and network shares can be infected with Windows viruses.

The subject "Antivirus on OS X" generated an interesting thread on the Apple-Focus mail list. Some posters argue the case for "security through obscurity". Others argue that by taking advantage of the security features in OS X, you distance yourself from the "low hanging fruit" and are adequately protected. Still others argue in favor of commercial antivirus software.

Only a few chimed in with a freeware alternative I use called ClamXav. ClamXav is a GUI and configuration extension for the open source antivirus program, ClamAV. ClamAV is a respected antivirus checker. It offers background and on-demand scanning. You can schedule scans as well as virus engine and virus definition updates. ClamXav can be downloaded as a universal binary, separately or bundled with ClamAV. Some articles imply that ClamXav's GUI is more complicated than commercial AV software. I'd argue that ClamXav is *easy* to configure compared to some commercial AV products I've used and long since abandoned. And it's hard to argue "free" versus an initial outlay of $40.00 plus a recurring annual subscription fee for virus definition update services.

I don't subscribe to security through obscurity as the sole line of defense (thanks, Fred) and I'm never satisfied by merely changing my risk so I'm not among the low-hanging fruit. If you run OS X and aren't interested in purchasing a commercial AV software, try ClamXav. I've tested it with EICAR and other virus samples I've collected over time and it works fine for me.
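The EICAR test is the check a practitioner should run on any new AV installation, ClamXav included: the scanner must flag the 68-byte EICAR test file, and its exit status tells you whether it did. The Python below is an added example, not from this post or from ClamXav; it writes the test file, runs the command-line `clamscan` that ClamAV ships (assumed to be on PATH; if it is not, the function says so) and maps clamscan's documented exit codes (0 clean, 1 detection, 2 error). The string is assembled from two halves so that the source file itself is not flagged.

```python
"""Verify an AV install with the EICAR test file (added example)."""
import os
import shutil
import subprocess
import tempfile

# The standard 68-character EICAR test string, split so this script is not
# itself detected by an on-access scanner; write_eicar() joins the halves.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def write_eicar(directory: str) -> str:
    """Write eicar.com into directory and return its path."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as f:
        f.write(EICAR.encode("ascii"))
    return path


def interpret_clamscan(returncode: int) -> str:
    """clamscan exit codes: 0 nothing found, 1 detection, 2 error."""
    return {0: "clean", 1: "detected", 2: "error"}.get(returncode, "unknown")


def scan_with_clamscan(path: str) -> str:
    """Run clamscan on path; report 'not installed' if it is absent."""
    exe = shutil.which("clamscan")
    if exe is None:
        return "not installed"
    proc = subprocess.run([exe, "--no-summary", path],
                          capture_output=True, text=True)
    return interpret_clamscan(proc.returncode)


def self_test() -> tuple:
    """Write the test file to a temp dir and scan it.
    Returns (file size in bytes, scan result); the size must be 68 and the
    result must be 'detected' for the installation to be trusted."""
    with tempfile.TemporaryDirectory() as d:
        path = write_eicar(d)
        return os.path.getsize(path), scan_with_clamscan(path)


if __name__ == "__main__":
    size, result = self_test()
    print("eicar.com is %d bytes, scan result: %s" % (size, result))
```

A result of "clean" on this file means the signature database is missing or the scanner is not actually examining the file, which is exactly the kind of silent failure a "security through obscurity" Mac user would never notice.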

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID544 by Dave Piscitello  


Mon, 07 Aug 2006 (entry 543)
Security Expert, Professional, or Practitioner?

My wife is a licensed nurse practitioner. She has an RN, a masters degree from University of Pennsylvania, and extensive experience in critical care and private practice. Despite her accomplishments, degrees, and multiple certifications, many patients are confused when she is introduced. As an APRN (Advanced Practice Registered Nurse) in South Carolina and previously a CRNP (Certified Registered Nurse Practitioner) in Pennsylvania, she is routinely asked, "Are you a physician's assistant?", "Are you practicing for your nursing degree?", and "I just saw the nurse, I want to see the doctor!"

I began thinking about my wife's experience with degrees and appellations in the context of my own career. There's no concrete taxonomy for labeling and distinguishing security folks; in fact, degrees, certifications and titles are far more ambiguous in Internet Security than medicine. Satisfy the sometimes questionable criteria, and you can be a certified security professional or practitioner. Learn Linux, download bootable security images, and claim you're a security consultant. Here are my recent musings and ramblings on the topic.

Only a handful of people in the world are qualified and have accomplished enough in the short span where Internet Security has proved meaningful to be labeled experts. Dan Brown mentions Phil Zimmermann and Bruce Schneier in the Da Vinci Code. Give Dan credit for choosing two of an elite group of folks I consider experts (Bellovin, Cheswick, Diffie, Ranum, et al.). The community at large diminishes "expert" status when it dilutes the talent pool by including anyone who can blurt out a credible quote for a reporter. Please be more disciplined...

I'm uncomfortable when people call me a security expert. I prefer to have folks describe me as a security practitioner. I study Internet Security and try to practice at it daily to increase my experience and expertise. Many of my colleagues do the same. Many are more expert than I in many areas. Some practice in research areas, others in deployment and operations. Over time, the best earn a positive reputation among the security community. These are the folks you want to meet. You look forward to reading and presenting their works.

Some of my colleagues have worked hard to earn certifications. IMO, certifications should reflect understanding of theory and accomplishments in practice. I believe that any certification that doesn't set minimum requirements for "time in the field" and only requires that you pass a test is suspect. I don't hold any certifications. I haven't identified one that would put me in a select group that would justify me exerting the effort to pursue at this point in my career. Even if I identified a certification I'd invest time to earn, I still believe that certifications cannot ever substitute for reputation.

I struggle with the label "security professional". The word "professional" is popularly associated with competition. Security practitioners aren't marksmen, bowlers, golfers, or race car drivers. We may compete for income, but hopefully not for a ranking. IMO, the term "professional" should be reserved to reflect the behavior and integrity of a security expert or practitioner.

I've mused and rambled long enough on this topic. Comments welcomed!

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID543 by Dave Piscitello  


Wed, 02 Aug 2006 (entry 542)
Retiring from Security: A disturbing trend

I received an email today from a retired network engineer requesting permission to incorporate materials from a presentation I gave called 10 Most Commonly Overlooked Security Hazards into a lesson plan for a university level seminar he was preparing on network security. In his email, this gentleman said, "I was impressed by the correctness of what you have said. In my capacity as the network engineer for [...] I have often vented many of those same thoughts. I was frustrated enough that I retired in May of this year. It was refreshing to hear someone else with higher pedigree than I say those things."

Retiring from practicing Internet security is becoming an alarmingly recurring theme. At TechnoSecurity 2006, I spoke at length with two well respected security experts who are thinking of pursuing alternative careers, and another long time colleague has also indicated that he is leaving the security community as well.

I can't dismiss all of these decisions as midlife crises, and in fact, empathize with these folks more than I care to admit. Dr. Stephen Kent and I wrote an article for BCR entitled "The Sad and Increasingly Deplorable State of Internet Security" several years ago. At the time, several readers commented that "increasingly" was a poorly chosen descriptor. But all evidence suggests that Steve and I were spot on with our description:

  • Security policy development is generally a poorly administered activity. Where policies exist, periodically reassessing policy and routinely auditing networks to test compliance are not assured.
  • Access controls still lack granularity. The majority of egress traffic policies on residential and SME firewalls undoubtedly remains "allow any to any host". ISPs still refuse to validate source IP addresses (the ingress filtering recommended in BCP 38).
  • Perimeter firewalls and desktop antivirus software are still the only lines of defense for most organizations.
  • Default software installations, network and system configurations are as exploitable as ever.
  • Authentication remains largely password-based, and folks are disclosing passwords for candy bars!
  • Auditing and routine testing are haphazard activities, often performed under duress (BTW, incident response, forensic analysis and attack post mortems don't count...).

The experts who are jumping ship largely concur that technology alone can't solve these problems. I agree. But leaving the asylum in the hands of the insane isn't the answer.

At this point, I'm increasingly (there's that word again) inclined to believe we need to create reward-based systems that give employees (financial) incentives to compute, connect and communicate securely. Perhaps we need to complement technical expertise with expertise in behavioral psychology.

Now wouldn't that be an interesting career jump for a disillusioned security expert?

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID542 by Dave Piscitello