Friday, June 22, 2007

Physical Security - the unlikely does happen

Police in Tulsa are chasing a ring of criminals who are conducting large scale thefts that most security folks would rate low on the probability scale.

Their most recent heist involved rappelling from the ceiling of a Best Buy to steal a large safe and electronics. They even disabled the alarm system. In other thefts, they've stolen a semi-trailer sized load of electronics, and cut through the side of a building.

I've seen drywall walls cut through to get into an otherwise well-secured room, and I've seen datacenters that had no security camera, easy dock access, and a back door latch easily tripped with a credit card or screwdriver. While we're not used to physical theft, it is a fact of life, and if you have valuable, portable items - or even not-so-portable items - there is a risk.

If you have valuable merchandise, or if your data center has business critical data, you might want to talk to your management about the unlikely, but possible...

Thursday, June 21, 2007

What if everybody used your SSN?

The story starts like this:

"In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher."

Read the rest on the Social Security Administration's website. If you deal with user IDs, or Social Security numbers, this one will make you wince...and smile.

Wednesday, June 20, 2007

Wipe your devices

Like many IT folks, I've picked up used systems and media that contained data.

In my case, I've had everything from departmental mail servers to personal systems containing term papers and billing information pass through my hands. In each case, I carefully wiped the machine or drive before doing anything else with it.

What happens when it goes the other way? Dale Glass's network camera is a great example. He set up the camera to email him when it detected motion, then returned the camera to the retailer. The retailer didn't wipe it, the family that bought it didn't wipe the configuration, and Mr. Glass received email with video of the family.

Here's your reminder to wipe devices when they leave your care - and to check new ones when they come in!

Monday, June 18, 2007

Web application security test software reviews

Jordan Wiens is writing a series of "rolling reviews" on web application security testing software. First up on his plate is SPI Dynamics' WebInspect. You can find the full article here. He points out a high false positive rate, and that it had real issues with Ajax - neither of which surprises me. Any analyst who has been doing system vulnerability scans knows that false positives were (and at times still are) a fact of life, so seeing them come up with web applications isn't a real surprise. In many ways, web application security testing feels like vulnerability scanning did a few years ago.

I'll be interested to see what direction the rest of the reviews take - most of the big names in web penetration and security testing still do a lot of manual work to inspect applications. In a business environment, particularly in a budget, skill, and time constrained environment, that may not work well.

Those limitations make the availability - and the accuracy and depth of tools like WebInspect - absolutely critical to custom application development processes. More and more organizations are adding security scans and testing into their development cycle.

One of my current goals is to find a way to easily put a good testing tool into the hands of the developers that I work with. I'd like to see them able to take a good first pass at their own applications before running them past security for review - system administrators already have the ability to run vulnerability scans against their new servers and workstations, and that model has been helpful and is worth repeating.

Is that a complete solution to web application security? Definitely not. Will it put us in a better place than we were before we added testing to the development lifecycle? Definitely.