Posted in Awareness and Education on January 5th, 2012 by Paul – Be the first to comment
The history of viruses. Pretty cool actually to look back at where we’ve been and the advances made in nefarious code. Courtesy of Bitdefender.

Posted in Awareness and Education, Should Have Known Better on September 17th, 2011 by Paul – Be the first to comment
Funny how the anonymous nature of the Internet continues to mock us all. Back on September 8th, a fake FBI profile was distributed via Twitter as shown in a recent post on Naked Security – Fake FBI Anonymous psychological profile – a lesson to all Internet users.
It takes me back to an old New Yorker cartoon that ran when the Internet was still an infant. Enjoying the nostalgia.

Photo credit: Ben Larson
Posted in Business and Security on September 16th, 2011 by Paul – Be the first to comment
Disclaimer – I’m not an HR professional. Okay, that covers that.
So, I’m diverting a bit from information security today. I’ve read a lot of comments and questions recently related to what a hiring manager is looking for in interviews for IT and InfoSec jobs. For instance, a reader question at IT World was submitted by a person who has “had a lot of first interviews but not many second interviews.” The reader asked “what is the biggest turn-off for hiring managers in an interview?” While a lot of the application and interview process is common sense, too often I see both recent grads and professionals shoot themselves in the foot. While I can’t speak for others, here are my pet peeves and thoughts on what I look for in a new hire… you may be surprised (or maybe not).
- Follow instructions! If the job posting asks that you submit a cover letter, resume and 3 references, DO IT! Promising resumes have ended up in the trash because the person didn’t submit a cover letter as requested. If you take shortcuts in the application process, you’re likely to take shortcuts at work. I don’t want you no matter how great you think you are.
- Shine your shoes! IT and information security require attention to detail. An old boss of mine said he always looked at candidates’ shoes as a measure of their attention to detail. While not a deal killer, terribly scuffed-up shoes may just help you stand out… in a negative way.
- Be creative! Most hiring managers have read the “career advice” websites too. If your answer to “what is a weakness” is as canned as the question then you’re boring me. It’s amazing how many times you’ll hear “I work too hard or too much” as a weakness. Blah, blah, blah. Try something new.
- Do your homework! Nothing is more disappointing than a candidate who doesn’t know the first thing about the company s/he is applying to. A candidate who knows about a project or news item that was in a press release is more impressive than a candidate who says “you sell widgets”. I don’t expect anyone to know details. It’s the demonstrated effort and interest that scores points with me.
- Ask questions! If someone told you there is no such thing as a dumb question… they were lying. Ask meaningful questions. Are there specific projects this position will be responsible for or engaged in? How does the organization encourage professional development (not “do you pay for training”)? What does the interviewer like/dislike about the company? Be engaging… don’t be the candidate that just wants to be done with the interview. Those who treat it as an interview for them AND for the company really shine.
For me, I’m interested in candidates who demonstrate passion. While there is an expectation that the person has sufficient knowledge to meet the requirements of the job, I’m most interested in people with enthusiasm and talent, not a know-it-all. Are they going to work well in the environment, or will they be grating and disruptive? If you are engaging, stay away from canned answers, and show that you are truly interested in the company rather than just landing a job, you’re going to improve the likelihood of a second interview and an offer. At least with me.
Posted in National and State Privacy/Security Law on September 13th, 2011 by Paul – Be the first to comment
Senator Richard Blumenthal, D-Conn., introduced new legislation aimed at preventing data breaches. The proposed legislation includes federal requirements for customer notification in the event of a breach (something most states have been requiring for years) and would require companies to provide two years of credit monitoring service. There are also fines and program requirements for regularly testing controls and protecting information while stored.
SC Magazine Article: New Senate Bill Aims To Prevent, Deter Data Breaches
Here are just a few issues with this:
1. We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses. I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.
2. While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media. Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.
3. The alphabet soup of security/privacy legislation and compliance is mind-boggling. Personally Identifiable Information (PII) is defined differently depending on what piece of legislation or industry standard you’re applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc. How about one definition to rule them all?
I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved. I don’t disagree with the attempt; I’m just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.
Posted in National and State Privacy/Security Law on June 29th, 2011 by Paul – Be the first to comment
Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds. This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information. The intent is to improve health care quality, prevent medical errors and reduce medical costs.
The new law appears to draw from HIPAA and HITECH with regard to data security and privacy. Interestingly, Texas, also driving forward on stimulus funding for electronic health records, just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws. From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:
“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.” – Sponsor of the Texas law Lois Kolkhorst.
“The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.” – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.
While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services. Two different approaches, with hopefully good results in relation to protected health information. Time will tell if the expected outcome of privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.
Photo credit: Tabitha Kaylee Hawk
Posted in Business and Security on June 24th, 2011 by Paul – Be the first to comment
Mobile devices, use of social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, a part of your business environment. As is often the case, the ability and tools to securely manage new technologies lag behind the flood of use in organizations, leaving a gap in the protection of sensitive information.
Quite frankly, we should have seen this coming. The “new” workforce communicates differently and often more efficiently (not necessarily more effectively). Text messages, tweets, IM, oh my! There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.
Now here we are. Playing catch-up in order to enable business to keep up with the times while preventing the unauthorized release of protected information (and the associated costs). It’s not enough to deploy the “hope” method of information security, but once the cat is out of the bag, it’s often hard to rein in perceived freedom without suffering a blow to the new work culture and to the reputation of information security. Doing nothing isn’t an option, as a recent CSO Online article puts it:
Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says. - “Security concerns aside, consumer devices, services take over the enterprise” CSOOnline article by Bob Violino
Can you sandbox work applications and data on mobile devices to separate it from “personal” use? Can you require connections to business functions and data over secure channels? Can you remotely wipe a “lost” phone? Can we provide the services and functionality required for the “new” workforce to be efficient and effective without sacrificing security and compliance?
We’ll see.
Photo credit: David Fisher
Posted in Awareness and Education, Business and Security on April 13th, 2011 by Paul – Be the first to comment
I love this conversation:
“Is your workstation protected?”
“Of course, I have anti-virus installed.”
While anti-virus products are one piece of protecting your workstation, they aren’t enough. Most AV products do a poor job of detecting new malware. AV does better over time at protecting against old malware that happens to still be floating around, IF (and a big “if” at that) signatures are updated frequently.
So what else is needed?
Single technologies can fail. Think in layers when it comes to comprehensive security. Here are a few considerations:
- The bad guys have figured out that the quickest way to get to your computer is through third-party applications that are vulnerable and out of date. Adobe seems to have taken Microsoft’s place as the malware whipping boy. So, consider extending your patch management program beyond the operating system and common productivity suites like Office to include all applications that reside on business workstations.
- Remove, where possible, local Administrator rights for users. Most don’t need it. Malware loves it.
- Managing your endpoints and the software that can be installed helps control the “rogue” software that tends to magically appear on workstations. If it’s needed for business, then there is no reason it can’t be managed appropriately. Application whitelisting tools may help here.
- Consider host IPS and other features that come with suites of anti-malware products. Tie them in with a central logging environment or management console.
- Consider virtualizing the browser application to confine drive-by infections.
Posted in Business and Security on March 28th, 2011 by Paul – 2 Comments
I could have sworn I was in a Dilbert cartoon when I got a phone call over the weekend from a small business owner who claimed a system on our network was attacking him. The conversation went something like this:
Him: “Your system has been attacking me on port 3389.”
Me: “Port 3389? Did this just start?”
Him: “Yeah. I’ve been having issues but I just looked at the firewall log today and saw your IP address.”
Me: “What else is happening? Can you send me the log for this?”
Him: “Sure. Just sent it. As far as the server, my firewall rules have changed. I keep getting gigabytes of files that I think are X-box games that keep reappearing after I delete them. Oh, and there are some services running that look to be just one letter off from legitimate ones.”
Me: “How long has this been going on?”
Him: “Oh, I don’t know. I ran out of disk space about a week ago and have been cleaning it off every day.”
Me: “Sir, I’m pretty confident your server has been compromised and if you are allowing RDP connections from the Internet, you might want to reconsider that. You might also want to wipe and reload your server.”
Him: “Oh, I had to do that just six months ago. I had a SQL server that was compromised just like this. Crazy. I’m not sure why I’m a target.”
Me: “So, you keep getting compromised. Did you have RDP running on that server as well and open to the Internet?”
Him: “Yeah. It sure is convenient since I travel a lot.”
Me: “Oh. Just checking the log file you sent me, sir, and it looks like you may have transposed some numbers. This isn’t coming from our network; it’s coming from a network in Texas.”
Him: “Oh. I’m terribly sorry to bother you then.”
Me: “Not a bother at all. If you don’t mind, can I make a suggestion?”
Him: “Sure.”
Me: “You may want to consider getting some help securing your server and finding a safer way to access it when you’re traveling. It may help so you don’t have to rebuild your system every few months and you can concentrate on more pressing business matters.”
Him: “Thanks but really, no need. I’ve got it under control.”
Me: “I wish you good luck then. Have a good day.”
Certainly he had all good intentions but probably lacked the skills to adequately protect himself and his customers. I’m a bit saddened that he wasn’t open to getting some help with this problem because I’m sure he has better things to do than rebuilding a server every few months. Small business owners should concentrate on their core competencies and get some assistance in areas where they may not be as strong (or simply don’t want to spend the time). In this case, it appears this business owner will be a repeat customer in the land of self-inflicted problems.
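The attribution step in that call, as an added example that is not part of the original post: before blaming anyone, parse the firewall log, count attempts against port 3389 per source, and test each source against your own address ranges programmatically rather than by eye. The log format, the addresses and the `OUR_NETWORKS` ranges are constructed for illustration; 198.15.100.7 is the kind of address that reads as 198.51.100.7 when two digits are transposed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample firewall log, iptables/syslog style (not the log from the
# post). 198.15.100.7 reads like 198.51.100.7 if two digits are transposed.
SAMPLE_LOG = """\
Mar 26 02:14:07 fw kernel: IN=eth0 SRC=198.15.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=3389 SYN
Mar 26 02:14:09 fw kernel: IN=eth0 SRC=198.15.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=3389 SYN
Mar 26 02:14:12 fw kernel: IN=eth0 SRC=203.0.113.88 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3389 SYN
Mar 26 02:15:30 fw kernel: IN=eth0 SRC=203.0.113.88 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=445 SYN
Mar 26 02:16:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
not a firewall line at all
"""

# Address ranges the business actually owns (assumed for the example).
OUR_NETWORKS = ["198.51.100.0/24"]

LINE_RE = re.compile(r"\bSRC=(?P<src>[0-9a-fA-F.:]+)\b.*?\bDPT=(?P<dpt>\d+)\b")

def count_by_source(log_text, port=3389):
    """Count attempts to `port` per source; skip unparseable lines/addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        try:
            src = str(ipaddress.ip_address(m.group("src")))
        except ValueError:
            continue  # malformed address: do not guess at it
        counts[src] += 1
    return counts

def attribute(counts, our_networks):
    """Map each source to (attempts, is_ours). is_ours is decided by the parsed
    address, not by eye, so a misread digit cannot turn another host into ours."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    return {src: (n, any(ipaddress.ip_address(src) in net for net in nets))
            for src, n in counts.items()}

def report(log_text, our_networks, port=3389):
    """Print one line per source, busiest first, and return the attribution."""
    result = attribute(count_by_source(log_text, port), our_networks)
    for src, (n, ours) in sorted(result.items(), key=lambda kv: -kv[1][0]):
        print(f"{src:<16} {n:>3} attempts on {port}  ours={ours}")
    return result

if __name__ == "__main__":
    report(SAMPLE_LOG, OUR_NETWORKS)
```

Run against the sample, neither source that hit 3389 falls inside the owned range, which is exactly the check that settled the phone call.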
Posted in National and State Privacy/Security Law on March 17th, 2011 by Paul – Be the first to comment
The FTC and White House are once again throwing their support behind a “Do Not Track” tool meant to protect user privacy on the Internet. I think it’s easy to jump on board the good ship Privacy but anytime the federal government engages in such rule enforcement and legislation, you have to wonder what the unintended consequences might be. Will it really make a difference?
For instance, if this models the Do Not Call list, does the collection of internet activity not apply to politicians and their election campaigns? Or do they get a pass again?
Will it change the business model that provides free content and services?
If legislation is created and passed, will it also include funding for ant farms in Alabama or other items that have no business being in a privacy bill?
More importantly, will it really change people’s behavior? I’m not sure. People have been giving away information about themselves for a long time whether it’s to get 3 cents off a loaf of bread or to win money in a lottery they’ve never entered. Can you really legislate personal responsibility anyway?
I think providing a choice is a good thing. I think it’s reasonable to inform people how their information will be used. I’m just not sure the end result of this effort will resemble the good intentions.
Posted in Awareness and Education, Business and Security on February 25th, 2011 by Paul – Be the first to comment
Anup Ghosh wrote in his SC Magazine article titled “Unwitting accomplices and complicit security teams”:
Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.
How true! What Ghosh refers to as castles and moats I call the Cyber Maginot Line. The over-reliance on simple perimeter defenses ignores the shift of focus that has been made to user behavior. While not as sexy as the “hack” seen in movies, it is simply easier to just ask. Many users will oblige with information or are easily convinced to click on an official-looking link in an e-mail. Most are “addicted to click”.
While I agree with Ghosh that the philosophy of “users should know better” is not a strategy, awareness IS a component of an overall security strategy. The problem is, many companies use hour-long presentations on policy in hopes of convincing users to change their behavior. Good luck with that. A series of 5-minute videos over the course of a year is much more effective. The goal isn’t to “train” people. It’s to raise the level of awareness. If an employee gets an “aha” moment and reports strange behavior or decides not to click on a link, mission accomplished. If it helps them keep their home computer safe, all the better for everybody. But again, it’s a small piece and can’t be relied on to adequately protect an organization.
That said, implementing technology that makes users’ “mistakes irrelevant” is absolutely a good approach, AND the technology to do that exists and continues to be refined. Ghosh’s suggestion to isolate the desktop from web browsing would be a significant step in the right direction. The threatscape continues to evolve and we need to be agile in our defense. That includes protecting our users from themselves by not enabling their “click habit”.