Friday, October 30, 2009

Future Proofing an Information Security Job

One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".

That's an interesting question - security, like much of IT, has changed significantly over the past few years, and the skillsets required have changed or matured. A decade ago, there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where local networks meant that copied floppies and boot sector viruses were our main threat to a world where even our phones are possible threat vectors.

How then, can an information technology security professional stay relevant?

If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.

If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies, or system kernel exploits. Network security experts might become CCIEs, or tackle high end certifications from specific vendors.

The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology. Banyan Vines and Netware administrators have moved on to handle Active Directory, and experts in Token Ring have trained to deal with gigabit switched Ethernet and Internet protocols. What it does mean is that you have to keep an eye open to avoid becoming outdated along with the technologies that you are expert in. Specialization is a great way to get a job - if that job is in demand, and the supply is small. COBOL programmers knew this in 1999 - but that was a relatively rare opportunity for a dying technology to make a brief comeback.

The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.

Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your futureproofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.

Thursday, October 29, 2009

How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup

If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either due to outdated information or sensitive data exposure. Below are links to the documentation provided by each of the major search engines for their removal process.

Most search engines will tell you that your first action should be to create an appropriate robots.txt, and many want you to return a 404 error. If you don't, they may keep your content cached for even longer than they might otherwise.

Google

First, you can build and submit a removal request for information, images, outdated or inappropriate content.

Then, you can remove your own content, then cause Google to re-index it more quickly using their webpage removal request tool.

Finally, make sure you follow Google's noindex meta tag and robots.txt instructions.
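The three mechanisms named above (robots.txt, a 404 or 410 response, and a noindex directive) interact, and it is worth checking them together before filing a removal request: a crawler that robots.txt keeps out of a URL will never fetch the page, so it cannot see a noindex tag placed there. The script below is an added example, not part of the original post or of any search engine's tooling; it checks a URL's removal readiness offline against a constructed robots.txt, constructed page bodies and a status code supplied by the caller, using only the Python standard library.

```python
import urllib.robotparser
from html.parser import HTMLParser

# Constructed sample robots.txt, as a site operator might publish it
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /private/
Disallow: /old-reports/
"""

# Constructed sample page bodies
PAGE_WITH_NOINDEX = (
    '<html><head><meta name="robots" content="noindex, nofollow"></head>'
    "<body>outdated report</body></html>"
)
PAGE_WITHOUT_NOINDEX = "<html><head><title>x</title></head><body>hello</body></html>"


class _RobotsMetaParser(HTMLParser):
    """Collects whether a <meta name="robots" content="...noindex..."> tag is present."""

    def __init__(self):
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots" and "noindex" in a.get("content", "").lower():
            self.noindex = True


def robots_blocks(robots_txt: str, path: str, agent: str = "*") -> bool:
    """True if the given robots.txt forbids `agent` from fetching `path`."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, path)


def has_noindex(html: str, headers: dict = None) -> bool:
    """True if either the X-Robots-Tag header or a robots meta tag says noindex."""
    xr = (headers or {}).get("X-Robots-Tag", "")
    if "noindex" in xr.lower():
        return True
    p = _RobotsMetaParser()
    p.feed(html)
    return p.noindex


def removal_readiness(path: str, status: int, html: str, robots_txt: str, headers: dict = None) -> dict:
    """Summarise which removal signals a URL sends and flag contradictory or absent ones."""
    blocked = robots_blocks(robots_txt, path)
    noindex = has_noindex(html, headers)
    gone = status in (404, 410)
    problems = []
    # A crawler blocked by robots.txt never fetches the page, so it never sees the noindex tag.
    if blocked and noindex and not gone:
        problems.append("robots.txt blocks the crawler, so it will never see the noindex tag")
    if not (blocked or noindex or gone):
        problems.append("nothing tells crawlers to drop this URL")
    return {"robots_blocked": blocked, "noindex": noindex, "gone": gone, "problems": problems}


if __name__ == "__main__":
    for path, status, body in [
        ("/private/secret.html", 200, PAGE_WITHOUT_NOINDEX),
        ("/private/old.html", 200, PAGE_WITH_NOINDEX),
        ("/public/live.html", 200, PAGE_WITHOUT_NOINDEX),
    ]:
        print(path, removal_readiness(path, status, body, SAMPLE_ROBOTS))
```

Run it against your own robots.txt and a fetched page body (plus the response status and headers) to see which of the three signals actually reaches a crawler before you submit a removal request.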

Yahoo!

With Yahoo's move to the Bing search engine, their removal process has changed. You can use their SiteExplorer tool to remove your site from their results.

Ask (formerly Ask Jeeves)

Ask only provides robots.txt support, and has no formal published removal process.

Bing

Microsoft's new search engine has recently published removal instructions.

AltaVista

Per AltaVista's support information,

"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."

Archive.org / the Wayback Machine

Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. If your site has been available for any length of time, and if you have static content that it can crawl, there's a good chance you'll want to contact Archive.org for exclusion.

Friday, October 23, 2009

President Obama on Cybersecurity Month

President Obama's short video on cybersecurity month is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below:


Thursday, October 22, 2009

Worried About The Evil Maid?

Joanna Rutkowska's "Evil Maid" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack involves compromising the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine and that machine's capability to boot from external media such as a USB device to add a keylogger or other trojan to the boot sector or firmware, allowing capture of the presumably unchanging decryption key that the user enters to access their filesystem.

Am I particularly concerned about this as an attack against my organization's resources? Of course not!

We do use encryption on our mobile systems - not TrueCrypt, but the caution is largely against the concept, not necessarily only Rutkowska's specific implementation. With that said, a simple risk assessment serves us in good stead. Is our data so valuable, or are maids so twisted that we have to worry about them attempting to access our laptops which (hopefully) we lock in safes in hotel rooms, or otherwise appropriately protect? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high value targets.

The good news is that Rutkowska's implementation of this attack serves as a good reminder that our trust in enterprise drive encryption is much like any other technological solution in our daily security war - simply a stage in the escalation of tools.

Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. Next, as attacks like this become more widely approachable, we'll worry about how to use TPM, drive hashing, two factor authentication, or technologies that can guarantee the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because our drive encryption efforts do nothing when the drive is unlocked for the user's daily work.
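"Drive hashing" in the paragraph above amounts to taking a known-good fingerprint of the parts of a disk that must stay unencrypted for the machine to boot (the boot sector and the boot loader files) and comparing them before each use. The script below is an added example, not from the post or from TrueCrypt; it models that unencrypted region as a name-to-bytes dictionary, with a constructed toy MBR and loader file, and reports anything modified, added or missing relative to a stored baseline. The caveat the paragraph hints at still applies: the check only means something if it runs from media you trust (a separate boot disk), because a tampered boot chain could otherwise report whatever it likes, which is exactly the gap a TPM-based measured boot is meant to close.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(region: dict) -> dict:
    """region maps a name (e.g. 'mbr', 'boot/loader.bin') to its raw bytes; returns name -> sha256."""
    return {name: sha256_hex(data) for name, data in region.items()}


def verify_region(region: dict, baseline: dict) -> list:
    """Compare the current unencrypted region with the baseline; empty list means no change."""
    findings = []
    for name, expected in baseline.items():
        if name not in region:
            findings.append(("missing", name))
        elif not hmac.compare_digest(sha256_hex(region[name]), expected):
            findings.append(("modified", name))
    for name in region:
        if name not in baseline:
            findings.append(("added", name))
    return sorted(findings)


def snapshot_directory(root: str) -> dict:
    """Read every file under root (e.g. a mounted unencrypted /boot) into a region dict."""
    region = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            with open(p, "rb") as f:
                region[os.path.relpath(p, root)] = f.read()
    return region


def toy_mbr(code: bytes) -> bytes:
    """Constructed 512-byte boot sector: bootstrap code padded to 510 bytes plus the 0x55AA signature."""
    return code.ljust(510, b"\x00") + b"\x55\xAA"


# Constructed clean state: a toy MBR and one loader file (names and contents made up for this example)
CLEAN_REGION = {
    "mbr": toy_mbr(b"\xEB\x3C\x90GOODLOADER"),
    "boot/loader.bin": b"loader v1",
}
BASELINE = take_baseline(CLEAN_REGION)

# Constructed tampered state: bootstrap code replaced and an extra file dropped into the boot area
TAMPERED_REGION = {
    "mbr": toy_mbr(b"\xEB\x3C\x90EVILLOADER"),
    "boot/loader.bin": b"loader v1",
    "boot/keylog.bin": b"\x00",
}

if __name__ == "__main__":
    print(verify_region(CLEAN_REGION, BASELINE))     # []
    print(verify_region(TAMPERED_REGION, BASELINE))  # [('added', 'boot/keylog.bin'), ('modified', 'mbr')]
```

For a real machine, build the region from the raw boot sector (read with the first 512 bytes of the disk device) plus `snapshot_directory()` over the unencrypted boot partition, store the baseline somewhere off the laptop, and run the verification from that trusted boot media.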

For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly, and speaks in l33t - you may want to guard your USB ports.

Tuesday, October 20, 2009

VirusScan 8.7 and Security Center reporting

If you've been driven to distraction recently by users who noticed that the Windows Security Center wasn't reporting their McAfee VirusScan 8.7 status correctly, you're in luck. Messages like "McAfee VirusScan Enterprise is on but reporting its status to Windows Security Center in a format that is no longer supported" on Windows 7 and Vista, while only a reporting issue, were resulting in a lot of questions.

McAfee has released Patch 2 (link goes to the readme) for VirusScan 8.7 which fixes the issue. Along the way, they also improved the performance of On Access scans, which many users were complaining about as well.

What went wrong? Well, the Microsoft API for this reporting was updated, and this required updates from vendors. McAfee's patch lagged behind, resulting in worried customers. The good news is that their AV was working. The bad news is that we've spent years making our customers more aware, and now even a false positive can cause a lot of helpdesk calls.

Saturday, October 17, 2009

1000 Security Experts? Not exactly what the doctor ordered.

Bob Cringely recently discussed the Department of Homeland Security's plan to hire 1,000 "cybersecurity experts" to defend U.S. computer networks. His take? That there aren't 1,000 cybersecurity experts to be found in the U.S. His unnamed cybersecurity expert friends tend to agree in various forms, ranging from a discussion of the semantics of the goal to a more in-depth discussion of the forms of expertise that can be found, and a note that there are 1,000 security experts - on the wrong side of the fence.

Cringely also contends that no matter what the actual intent, this hiring is largely window dressing and that the end result won't be a sea change in how government information security is done. He points to low CCIE graduation rates as a good metric for how many security experts can be found, which may not be the best metric for security expertise across the board - to me, it indicates that holders of one brand of high level network security expertise do exist, but that the demand for CCIEs isn't sufficient to push further qualifiers into the certificate at a high rate. In addition, personal experience indicates to me that many qualified security experts don't carry all of the certifications that they could qualify for, for any of a broad variety of reasons - that doesn't mean that we have hundreds of certification-less CCIEs around, but it does mean that we may have experts we're not counting if we only count certificates.

The problem here is that security expertise covers a broad variety of fields from risk assessment to network security to physical security design and back again. Seeking a thousand cybersecurity experts is, in many ways, more akin to seeking a thousand expert college professors in engineering. You may not find them all in nuclear engineering at the level that you desire, but you may very well find that many experts across all of the disciplines that you need - and then you'll realize that you really wanted some of them to be TAs, Ph.D. candidates, and others who may not yet be experts - but will be.

Polymath experts with broad experience and deep expertise across the spectrum of information security are definitely necessary to tie those skillsets together, especially when you need to glue complex systems together, but you don't need - or necessarily want - hundreds of those big guns. Cringely notes that such experts aren't found in packs, and that is one point that I'll agree with. In any field the major experts hold a special place, and some take full advantage of it.

One of Cringely's experts dismisses the DHS plan - "you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications". This picture of outsourced expertise and a lack of true change doesn't reflect the fact that skilled security managers are just as necessary as the heavy hitter deep dive experts. If the Department of Homeland Security really wants to change the face of government information security, the program and these new hires must be run adeptly, and that can be a real challenge.

DHS doesn't need to simply hire 1000 identical security superheroes. They need to embed employees with appropriate skillsets in those areas that face risk - after they assess the risk - and then they need to work out a coherent program to improve and manage both their security program and their security staffers. With the right guidance, 1000 security employees of many types could change how government information security is done.

Thursday, October 15, 2009

The Three Phases of the Security Analyst

Creative Commons attribution licensed image courtesy Flickr user anyjazz65

I spend a lot of time working with people outside of my own immediate group of security analysts, and I often find it useful to provide a model that will help them understand how security analysts work. Fortunately, I've found one that I like.

Security staffers that I have known through the years tend to fall into one of three stages - typically depending on the phase of their career, with some variation depending on the person's personality, their workplace, and of course, their experience.

The Phases:

1. The Black and White Security Analyst: A Binary Analysis - typical amongst newer security professionals, a Black and White analyst sees the world as a series of security issues. A system is either secure, or insecure. It complies with best practices, or it fails. Black and white analysts can drive outsiders nuts (and, at times, their non-black and white compatriots), but they also serve as a very useful check to the other phases - and they make very good auditors.

Some black and white analysts find their role because of limited direct experience. Simple book knowledge rarely has a compromise solution, and forcing best practices can make an otherwise reasonable staffer look like a truly obstinate opponent. Every analyst needs to fall back on these behaviors at times, particularly for thorny problems that have a high risk solution. Of course, in some environments this is the desired mode of operation, and should be fostered.

2. Shades of Gray: The Risk Modeller - as security professionals spend more time in the field - and, often, as they become more jaded, they often start to view the world as a series of risks. Training teaches you to do a risk assessment, to rate those risks, and to build controls based on that model.

Their assessments start to balance these risks, and they become more flexible in their views. The danger? Making too many tradeoffs, whether for functionality or simply for the ease of implementation. This can have a benefit of course, as often the shades of gray allow the analyst to be more flexible when analyzing risks and controls.

3. The Realist: Life Along the Continuum - some, but not all security staffers make it to a third phase. This third phase tends to emphasize the continuum of possible security options, and those who have reached this level will typically rate security based on the improvement along that continuum. Analysts often set a minimum acceptable level - and strive to ensure that a balance is maintained between improvements beyond that and the organizational costs of moving along the line. Realists are fully aware that security cannot always win, and instead choose their battles. This can mean that at times, they are more willing to accept compromise than they necessarily should be, and burnout can lead to a less effective analyst, but realists are often the best interfaces with outside organizations if you need to build bridges.

In the end, all three stages are useful, and each has its place. What matters in the end is reaching an organizationally acceptable balance of risk, usability, and security, and that ebb and flow is what makes the job both a challenge and an adventure.

Sunday, October 11, 2009

Passwords...in Newsweek?

You know that passwords and their problems have gone mainstream when Newsweek carries an article about them. Nick Summers describes current password technology issues, as well as some of the potential future solutions. It even describes brute forcing and the issues with simple passwords - meaning that your users might come ask a few good questions.

Wednesday, October 7, 2009

That's amazing. I've got the same combination on my luggage...

Wired's Danger Room blog quotes analysis of a recent Hotmail, MSN, and Microsoft Live account leak which showed that 123456 was the most common password.

In my experience, universities tend to find that their most common passwords are catch phrases common to the school. Corporations that run password audits may find similar patterns in their own users' password selections.

Does your organization have a common password?
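One way to answer that question without ever looking at cleartext passwords is the audit described above: take a short list of suspected favourites (generic ones like 123456 plus your own organization's catch phrases), hash each candidate with every account's salt, and count the matches. The script below is an added example, not from the post or from any vendor; it assumes a constructed account store of salted PBKDF2-HMAC-SHA256 hashes (your directory's real format will differ), a made-up campus catch phrase "GoTigers2009", and a deliberately low iteration count so the sample runs quickly.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 10_000  # kept low so the constructed sample audits quickly; real stores use far more


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever your directory actually stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Create a stored record with a fresh random salt (only used to build the sample store)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": hash_password(password, salt)}


def audit_common_passwords(records: dict, candidates: list) -> dict:
    """Check every account against a short list of suspected common passwords.

    records: username -> {"salt", "iterations", "hash"}
    candidates: passwords you suspect are common in your organization
    Returns how many accounts use each candidate, which accounts, and the affected share.
    """
    hits = Counter()
    affected = {}
    for user, rec in records.items():
        for cand in candidates:
            guess = hash_password(cand, rec["salt"], rec["iterations"])
            if hmac.compare_digest(guess, rec["hash"]):
                hits[cand] += 1
                affected[user] = cand
                break  # one match per account is enough for the tally
    share = len(affected) / len(records) if records else 0.0
    return {"hits": hits, "affected_users": affected, "share": share}


def most_common_password(audit: dict):
    """The single most-used candidate and its count, or None if nothing matched."""
    top = audit["hits"].most_common(1)
    return top[0] if top else None


# Constructed sample account store (every user and password here is made up for this example)
SAMPLE_RECORDS = {
    "alice": make_record("123456"),
    "bob": make_record("GoTigers2009"),  # the made-up campus catch phrase
    "carol": make_record("c0rrect-h0rse-battery-staple-7!"),
    "dave": make_record("123456"),
    "erin": make_record("password"),
}
# Candidate list: generic favourites plus phrases specific to the organization
CANDIDATES = ["123456", "password", "letmein", "GoTigers2009"]

if __name__ == "__main__":
    result = audit_common_passwords(SAMPLE_RECORDS, CANDIDATES)
    print(result["hits"].most_common(), f"{result['share']:.0%} of accounts affected")
```

The output is a count per candidate and the share of accounts affected, which is the number to take to management; the affected-user list should go only to whoever runs the forced resets.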

Thursday, October 1, 2009

Hostageware Hits the Mainstream

Creative Commons Attribution licensed image courtesy Alan Miles NYC

The New York Times was recently hit with a hostageware ad that switched from a seemingly legitimate Vonage ad to virus warnings. The Times believed they were trusting a vendor that they had previously worked with, and allowed un-vetted servers to serve ads to their site. The Times isn't the only major site to have this occur, and my security threats crystal ball says that since we've all locked our computers down to prevent worms, the bad guys are going to target the places that they know that we go - and trust.

As the New York Times article notes, "These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible."

In my own recent experience, this type of ad is increasingly prevalent as a threat to users, and the malware itself is taking advantage of a number of browser bugs and plugin bugs to slide past users' defenses. With threats that take advantage of PDF vulnerabilities, Java vulnerabilities, and more, users who navigate to trusted sites may still be compromised. This also means that the standard habits that we have taught users for years are no longer a panacea - simply not going to untrusted sites, not opening unexpected emails, and avoiding clicking untrusted links are no longer the shield they once were.

Home users who find themselves staring at a popup screen that offers to save them from the malware that their PC is infected with can find some solace in the fact that capable anti-malware products like MalwareBytes are available for free. Sadly, mainstream AV seems to have real problems with many of these hostageware packages, so a second layer of defense is key.

So, what can you do from a corporate perspective? That's a bit tougher. Here's what I'm looking at:
  • First, full patching for systems that includes browser plugins is really essential. I continue to see systems that have full OS patches that are behind on browser plugins. Comprehensive, system wide software management is becoming even more of a corporate necessity.
  • Second, enterprise AV can still be helpful, even if only for detection. Remember to have your support staffers check out machines that show continued issues, as some components of malware often get removed, but the remaining parts can restore them. I've had organizations using central AV notice large numbers of their machines disappearing, which resulted in investigation that showed a widespread compromise. Not exactly how they expected to leverage their AV management console, but well worth the price of admission.
  • Third, investigate enterprise licenses for useful tools. MalwareBytes and other vendors do offer attractive pricing for enterprise licensing. I've found that a quick Google results survey can often indicate what secondary package is most recommended, and that can really help.
  • Fourth, monitoring outbound traffic for hits on known malware and scam sites gives you a chance to find infected hosts before they become problems.
  • Finally, user training and awareness is still key. Finding out when these hostageware programs are showing up, and what the user was doing when they got infected can help prevent widespread infections.
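The fourth item above, watching outbound traffic for hits on known malware and scam sites, is the one that most directly turns a log you already have into a list of machines to pull for inspection. The script below is an added example, not from the post; it assumes squid-style proxy access log lines (timestamp, elapsed, client, status, bytes, method, URL) and a constructed blocklist of placeholder domains, and it matches on the host and its parent domains rather than by substring, so a look-alike such as notfake-scan-example.test does not produce a false hit.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist: placeholder domains standing in for a real feed of rogue AV / scam sites
BLOCKLIST = {"rogue-av-example.test", "fake-scan-example.test"}

# Constructed squid-style access log lines (clients and destinations are all made up)
SAMPLE_LOG = """\
1256432100.123    250 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.org/news/index.html - DIRECT/203.0.113.10 text/html
1256432101.456    120 10.1.2.3 TCP_MISS/200 3400 GET http://cdn.rogue-av-example.test/install.exe - DIRECT/198.51.100.5 application/octet-stream
1256432102.789     80 10.1.2.9 TCP_MISS/200 900 GET http://fake-scan-example.test/scan.php?id=42 - DIRECT/198.51.100.6 text/html
1256432103.000     60 10.1.2.7 TCP_MISS/200 700 GET http://notfake-scan-example.test/ - DIRECT/198.51.100.7 text/html
malformed line that should be skipped
"""


def host_is_listed(host: str, blocklist) -> bool:
    """True if the host or any parent domain (cdn.x.test -> x.test -> test) is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_line(line: str):
    """Pull timestamp, client address and URL out of one squid-style line; None if it does not fit."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        return {"ts": float(parts[0]), "client": parts[2], "url": parts[6]}
    except ValueError:
        return None


def find_infected_hosts(log_text: str, blocklist) -> dict:
    """Map each client address to the (timestamp, host, url) hits it made against the blocklist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if host_is_listed(host, blocklist):
            hits[rec["client"]].append((rec["ts"], host, rec["url"]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_infected_hosts(SAMPLE_LOG, BLOCKLIST).items()):
        print(client)
        for ts, host, url in events:
            print(f"  {ts:.3f} {host} {url}")
```

Feed it yesterday's access log and a current blocklist and the clients it names are the machines to hand to support staff first; the timestamp tells you when the user hit the site, which also answers the "what was the user doing" question from the last item above.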

How is your enterprise handling hostageware?