.: October 2006 Archives


.: fileaudit
FileAudit provides audit trails for file access on Windows. The thing I like about this tool is that it is relatively cheap for what you get, and it is a tool that does just one thing and seems to do it well. Granted, Windows file servers can already log file-level access to the Security event log once object access auditing is enabled in the audit policy and auditing entries are set on the folder's properties. However, producing reports or doing anything beyond onesy-twosy checks in the logs is not possible without custom scripts or additional tools to parse the logs and correlate the data. While not free, and not even something I want to use right now, this is still useful to log for my own benefit in case I am asked about this in the future.
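As an added example (not FileAudit's code, and not from the original post) of the kind of custom script the paragraph says you otherwise need: it parses constructed Windows object-access audit records, keeps only the events that mean a file was actually touched, and answers the two questions a file-server admin usually gets asked, who touched this file and who read an unusual number of files. The one-line record format, the account and file names and the thresholds are assumptions for the example; real Security-log events span several lines and would first need flattening, and Windows Server 2003 logged object access as events 560/567 rather than the 4663/4656 pair used here.

```python
"""Summarize Windows file-access audit events from a flattened log (added example)."""
import re
from collections import defaultdict

# Constructed sample records, not from any real server or from FileAudit.
# Each line carries the fields an object-access audit event has, flattened
# to one line per event. 4663 = an access was actually attempted;
# 4656 = only a handle was requested (the access may never have happened).
SAMPLE_EVENTS = r"""
2006-10-12T08:01:13 EventID=4663 User=CORP\alice Object=\\fs01\finance\payroll.xls Access=ReadData
2006-10-12T08:01:15 EventID=4663 User=CORP\alice Object=\\fs01\finance\payroll.xls Access=WriteData
2006-10-12T08:03:40 EventID=4663 User=CORP\bob Object=\\fs01\finance\payroll.xls Access=ReadData
2006-10-12T08:03:41 EventID=4663 User=CORP\bob Object=\\fs01\finance\budget.xls Access=ReadData
2006-10-12T08:03:42 EventID=4663 User=CORP\bob Object=\\fs01\finance\forecast.xls Access=ReadData
2006-10-12T08:03:43 EventID=4663 User=CORP\bob Object=\\fs01\hr\salaries.xls Access=ReadData
2006-10-12T08:05:00 EventID=4663 User=NT AUTHORITY\SYSTEM Object=\\fs01\finance\payroll.xls Access=ReadData
2006-10-12T08:07:12 EventID=4656 User=CORP\carol Object=\\fs01\finance\payroll.xls Access=ReadData
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) User=(?P<user>.+?) "
    r"Object=(?P<obj>\S+) Access=(?P<access>\S+)$"
)

# Accounts whose reads are background noise (backup, indexing, antivirus).
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


def parse_events(text):
    """Turn the flattened log text into a list of dicts; unknown lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        match = EVENT_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def completed_accesses(events):
    """Keep 4663 only (access attempted), and drop service accounts."""
    return [
        e for e in events
        if e["event_id"] == "4663" and e["user"] not in SERVICE_ACCOUNTS
    ]


def who_touched(events, obj):
    """Map user -> sorted access types on one file (case-insensitive path match)."""
    accesses = defaultdict(set)
    for e in completed_accesses(events):
        if e["obj"].lower() == obj.lower():
            accesses[e["user"]].add(e["access"])
    return {user: sorted(kinds) for user, kinds in accesses.items()}


def bulk_readers(events, threshold):
    """Users who read at least `threshold` distinct files: a cheap mass-read check."""
    files = defaultdict(set)
    for e in completed_accesses(events):
        if e["access"] == "ReadData":
            files[e["user"]].add(e["obj"].lower())
    return {user: len(f) for user, f in files.items() if len(f) >= threshold}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(who_touched(evts, r"\\fs01\finance\payroll.xls"))
    print(bulk_readers(evts, threshold=3))
```

The 4656/4663 split is the detail that bites people who write this by hand: a handle request is logged whether or not the file is ever read, so counting every event with a file name in it inflates the report. Filtering service accounts is a tuning choice; on a server where a backup agent runs as SYSTEM, leaving it in makes every file look read nightly.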
.: 10 security steps for home users

Companies and home users are definitely different entities with different approaches to computer security. Not only are some of the items different, but the solutions as well. What is important to a business may not be important at all to a home user, and the reverse is true as well. Home users value system performance, ease of use, stability, security of their personal data, and security with their identities. Home users can both be the hardest to break into and the easiest to break into, from a security standpoint.

Not every home user is technically inclined or even wants to learn to use new programs and such to be secure. For this reason, many of the best pieces of advice for home users are behavioral. Tell most users "learn Linux and implement a highly guarded firewall" and they will read it and not even try. That's just too much effort to ask of most people.

You can also go crazy trying to keep up with the latest security news, updates, vulnerabilities, and patches. But why bother? Unless you're a geek or an IT professional, there is no reason to spend personal time being paranoid. Instead, home users can benefit from education and careful habits when working or playing on their computers.

For home users, I assume the user is just operating one or a couple of systems for the primary purpose of surfing the web, gaming, entertainment, and personal uses. No servers, web servers, mail servers, etc., are assumed. Once you get real servers with open services, the game changes quite a bit, and most home users do not do those things anyway.

1. Backups. Always back up important data to a second hard drive or system. If possible, do it twice and keep one set offsite somewhere. Windows has built-in mechanisms for automatic backups, but if you don't mind doing it, at least just drag-n-drop all the important stuff over. Imagine if your hard drive dies in the next hour and no data is recoverable. What is your pain? What will you miss? What cannot be recreated? Back that up. USB or Firewire drives are cheap and easy to get. Buy a spacious one and use it for backing up data regularly. If you can back your data up to a drive stored offsite or in a fireproof safe, that is even better.

2. Firewall or NAT the Internet link. Actually, it is much easier and more common for home users to simply operate behind a NAT device such as a typical cable router or wireless router from Best Buy. That is typically enough, but if the opportunity is there, run behind a Linux firewall, either iptables or SmoothWall/IPCop or something. This one step is enough to keep curious Internet-side parties from connecting into your systems, since unsolicited inbound connections have nowhere to go; it does nothing about traffic your own computer starts, which is what the remaining steps are for. If you're not sure whether you are protected by a NAT device, ask someone you know to check, or call your ISP and ask their support if they know. Be ready to tell them what your cable modem or DSL router model is. If you are not behind a NAT device, ask how you can implement one. Most ISPs have recommendations and instructions on this.

3. Turn on Windows Automatic Updates. Every now and then perform a manual Windows Update, but otherwise just turn on Automatic Updates to download and install automatically, at least weekly, at a time when the computer will be on (like 8pm or something). Not only will this apply necessary patches, but it can also enhance or fix features like wireless options.

4. Practice safe computing. Do some common sense things to stay safer online. First, don't install every new and neat free program that tells you to install something or that you need something. Chances are, there is a reason it is free and enticing. Treat it like you would any advertising on television or radio and just be wary. Second, do not open any email attachment unless it comes from someone you know and you were expecting it. Just delete those emails. Likewise, do not click on any links in emails unless they are from known people and the email is expected. When in doubt, just delete the message, or type the address into your web browser as opposed to copying or clicking it. Third, do not frequent questionable sites, especially when using IE. If you are visiting a site you wouldn't want your parents or kids to know you were visiting, chances are you shouldn't be there. Avoid that darker and more dangerous side of the web. Fourth, always close pop-up windows. Never click inside them or respond to ads on sites. Just never do it. Fifth, if possible, use only one credit card for online purchases, keep its credit limit as low as you can while still allowing you to do what you need, and always go over the monthly statements.

5. Protect your passwords. Write down all your passwords and put them someplace safe, but easy to get to while at your computer. I know, many security people will look aghast at this suggestion, but when it comes to home users, there is little real reason to trouble people with anything more complicated. Get an envelope, write down your passwords on paper inside it, and keep it tucked safely into a drawer or even inside a book. I suggest making a second copy and storing it somewhere offsite, especially if you do lots of banking and other monetary things online. You don't want to lose your accounts because you lost your passwords in a fire or something. I do suggest not sharing passwords amongst spouses, roommates, or even your kids. Don't let them find or use those logins. Also, do not use the same password for everything. I find it best to have 3-7 different passwords. For anything you don't care about, use your first password. For more sensitive things, use other passwords. You can use several, but just think what happens if one password is swiped by a hacker and it is the same password as your email account. You can't usually protect yourself from lost accounts on various websites or even forums. They may be run by unethical people, or they may themselves be victims of a break-in that divulges your personal information. More technically inclined users can look into using a program like Password Safe to store their passwords securely on their computer. Be sure to make a backup of the storage file.

6. Don't use Outlook or IE. Yes, IE and Outlook are easy to use and everyone uses them, making getting informal support painless. But just as ease of use is high for users, ease of use for malware is even higher. IE has had holes for years, unpatched, deep holes, and will continue to have them because it is so deeply married into Windows itself. Ask any IT pro to uninstall IE for you, and you will get the wide-eyed response that they can't. IE is so deeply rooted into Windows that you cannot separate it out. That's dangerous, and Outlook is no better. Instead, use something less mainstream and less targeted. I recommend Firefox as the default web browser and Thunderbird as an email client. Both are free, easy to use once someone opens their mind up and accepts a little bit of change, and suffice for 98% of everything users do with email and web surfing. This software switch will nearly eliminate the risk from email worms (although it will not stop spam, or malware attachments designed for the user to execute rather than running from a preview pane or through Outlook's tools) and drastically lower adware and spyware infections from web surfing.

7. Run antivirus software. Many new computers for most users come with antivirus software. Be sure it is set to update automatically, and pay for the protection if required. For somewhat technically inclined home users that practice safe common sense computing, this software may not be entirely necessary, but I suggest it for decent protection, detection of most malware, and peace of mind. I suggest F-Secure or Kaspersky as opposed to Norton or McAfee, but chances are the latter two came with the new PC. If so, stick with what is pre-installed. And yes, make sure it downloads new updates or signatures on a daily basis.

8. For wireless at home: secure your wireless. If you run wireless at home, be sure it is encrypted. Use WPA (or WPA2 if your equipment supports it) with a long passphrase that is not a dictionary word, and fall back to WEP only if nothing better is available, since WEP can be broken by anyone with freely available tools and a little patience. This will prevent the huge majority of neighbors from hopping onto your wireless connection. Not only can they use your Internet link for their own traffic (legal or illegal), but they can also probe at your network and computers and sniff your traffic if they get on. And yes, trust me, young adults and kids are curious creatures and will try these things if they have that sort of knowledge. Turning on encryption will keep out any but the most determined attackers.

9. For laptop users: be paranoid at hotspots. Lots of people get fancy recommending Tor or even SSH proxying for secure access at wireless hotspots. But let's face it, only the technically inclined bother with such things. For all other users, just assume the wireless hotspot is not a safe network. Do not stay on hotspot networks for too long. Do not log into email through Outlook or Thunderbird when at a hotspot; unless the mail connection is set to use SSL/TLS, POP and IMAP send your password over the air in the clear. Do not log into a website that is not SSL-enabled. If you use IM, assume your conversations are being read by someone sitting near you, and, in some cases, assume they now have your login account and password. If you had to chat in IM or check email at a hotspot, change the passwords for those accounts as soon as you get home. Hotspots are fun places for geeks like me who are curious about other people, and for people who would love to do you harm or mischief. Be safe when not at home. Now, what counts as a wireless hotspot? Any wireless network that is not your home network.

10. Get help. Like mentioned for small businesses, home users will benefit the most by befriending technically inclined friends and family, or even paying for the service of a home consultant or contractor to help you out. Always be nice to your experts, though, as we do tend to get tired of high maintenance users, especially if we're not being compensated for our time. I strongly suggest just asking your technical friends questions as opposed to asking them to actually do things for you. You can get really good return, though, for paying someone a little bit of money to spend an evening or some hours tuning your system and giving you some education on what the best things to do are. All the steps above are either behavioral (education), one-time deals where you set it up and that is it, or a few that require some additional changes or on-going action. Spend some money, hire up someone on the side that knows their stuff. If nothing else, befriend them and make a night of it with pizza, beer, and maybe hang out for a movie or something while they do their wizardry.

PS: I added a "1/2" extra step in a later post on getting to know how to reinstall your operating system.

.: security posters
These security and networking posters might be worth the money someday. Kinda spendy, though...
.: apple/maynor and full disclosure

The weirdness of this whole debacle between Maynor/Cache and Apple involving possible Apple wireless driver exploits continues. There are some fishy things going on here, and Apple is being very shifty in their dealings.

I previously likened the weight and importance of this situation to what Michael Lynn went through with ISS and Cisco last year, and the similarities continue to grow. David Maynor has been forced to pull out of his revelatory Toorcon presentation which was probably going to finally pull the veil back on this situation.

Now, SecureWorks and Apple are working through a third party, CERT, on security issues. Sadly, there is the possibility that Apple may stiff-arm CERT as well, which kinda digs at a suggestion I read and agreed with that perhaps security issues need to be verified by a third party so that full disclosure and corporate protections can coexist.

Unfortunately, the integrity of a third party is then in question, as are the rules of engagement for that third party. As Brian Krebs mentions, what if CERT decides to just never authorize the release of information? We're back to having no real solution for the full disclosure debate.

If this keeps up, full disclosure will just plain happen, and corporations affected will simply be alienated from the research communities. Also, complete non-disclosure will happen by those who can't afford to fully disclose and possibly be attacked legally, which threatens the health of our systems and networks when corporations just stifle any problems with their products. In that case, one may as well sell the exploit to someone else.

Not only that, but just look at Brian Krebs' comments to see exactly how enflamed and impassioned even the security industry can be, on both sides of the issue.

.: the grey area of data disclosure announcements

A little closer to home, it seems University of Iowa has had to notify 14,500 persons that their data might have been disclosed. I like that the announcement qualified that the likelihood of disclosure was low. In other words, an attack was detected, but the extent of the breach was unknown, but this data was accessible on the system.

This makes me shake my head and wonder when this disclosure storm will end. Disclosing possible data thefts and leaks is just not a scalable or long term solution. It is not even a short term solution. Very quickly we will all become numb to this activity, not care, and even if we understand what to do by reading the letters and FAQs, we still won't do much more or change our behavior as users and consumers.

But there are other reasons why this is a poor decision. For instance, there is this huge grey area on defining what is a disclosure. What if a system was broken into, but all indications point to the system being used to house pirated movies, yet it *may* have had data disclosed? Do you have to disclose it if there is a reasonable expectation? What about a networked system that is not fully patched and is noticed to be out of date? Theoretically, it could have been attacked. What if the hosting company would not have detected such an attack? Is it reasonable to assume that system was never accessed fraudulently? And just where do 0day attacks fall into this picture? What if there is merely the potential for disclosure in the future, which is not all that unlikely given a Windows architecture and the mishmash inner organization of most IT infrastructure, from the perspective of the malicious insider? Should we disclose when information is just simply being stored in a non-optimal way?

And that is not even to begin to get into the grey areas within organizations on disclosure and reasonable expectations. Who is held accountable for hardening systems, detecting problems, escalating them to those that need to know, and then disclosing them? How much grey area or liberty will be taken with interpreting the regulations and expectations?

No matter the answers, the current practice of forcing disclosure of possible data thefts and possible identity theft are not very good procedures and may do more harm in the long run than good. But at least it drives home to C-levels the need to pay attention to this stuff, and not just treat IT like some arcane entity working behind a large screen. The handling of information and data access is only going to become more and more important over the next 10 years (and anyone having tried to track access to data and permissions in anything but small corporations will be able to relate exactly how difficult this may be).

And yes, at least this is the start and it is something, as opposed to diving straight into analysis paralysis and doing nothing.

.: training

Having started a new job this past spring, I've had some firsthand experience in starting out in a new IT (networking/sysadmin) role. And I have since become pretty sensitive about what I think is one of the most important things with new IT hires.

Recently, more talk has surfaced about IT hiring the right people and then training them for their job, as opposed to hiring only people trained for the job and hoping they have the ethics and soft skills needed to do a quality and loyal job.

One of the biggest challenges, and in my mind, mistakes, in managing my new employment has been lack of real training when starting the job.

Let's face it, even in the midst of regulations and standards flying around about how IT should secure and run their operations, no two shops do something even as simple as tracking and allocating IP addresses the same way, let alone all the other little stuff and the multitude of settings in servers and devices (one of the reasons I really do not enjoy Windows sysadmin work as much as networking). This means that any new people are either going to sit back and wait to be shown what to do, or will attempt to dive right in and possibly screw something big up, either right away or in a way not even detectable for months or years. While I do believe in just getting things done, I've seen what happens to people (especially in my last job) when they make a simple mistake or move forward too quickly, and how that will paint them in the eyes of the people who matter and write the checks, even if those same people were the ones who put the pressure on getting things done quickly.

So I feel that job training early on is paramount, especially for any Windows Sysadmin type of support work that is not very finite or narrow.

Training will also acclimate new employees with existing employees to gain some team camaraderie, which will more quickly open the avenues of discussion, collaboration, and comfort in asking for help when needed.

I think the best form of training is not necessarily documentation, although that is highly important, but actually just doing some shadowing of coworkers, not for a half day or even a day, but for a few weeks, to get used to the tasks, load, culture, and attitudes of the job role and team. In this way, also, the new employee may confide their own comforts, interests, and desires to their colleagues more than to a manager, and thus their niche in the team may more quickly develop. This might bog down the existing employee who is being shadowed and sharing some of their workload with the new person, but in the long run this is far better and I think will lead to a happier worker.

I feel that very, very few IT sysadmins and networking people can step into a job and do an effective job without lots of experience or in a contractual role that is narrow by definition.

Unfortunately, with my current job I had about a week and a half of corporate training with HR, phone systems, and other general stuff like benefits and customer service. This is all good and fine, but I had maybe a half day with the most senior analyst that I work with, and got shown the physical data center and where some things are. That was about it, for the most part...which has left me, 6 months later, still feeling disengaged and not entirely happy or comfortable with the job and network I work in. It is definitely an uphill battle that I am having to slowly tackle as the tasks slowly mount.

.: favorite room/hangout

I just read an article on HD Moore, one of the most influential and brightest "non-corporate" white hat security researchers, in which he answered a quick question on his favorite hangout, "A dark room full of electronics."

Not only is that cool, but it got me thinking about what my own favorite room or hangout would be. I've been doing some casual thinking lately on owning property sooner rather than later, and how I would plan to do some stuff with it. Right now, I'm in "money-saving" mode, so my spare apartment bedroom is acting mostly as a place to put things I don't have a place for, instead of being developed into something much cooler.

So, what would I deem as a perfect room to hang out in? Honestly, I have three major ideas on that question.

1) The dark room full of electronics. Some people feel at ease and most happy when surrounded by other people or doing social things. For people like myself, I feel similarly when surrounded by electronics and maybe a person or two of like mind. A dark room illuminated by the soft glow and unjudging winking of LED lights and monitor displays. Maybe an indirect light source or two with a narrow cone of light to important places that need to be lit. It would need to be cooler rather than warmer. I would also prefer a house as opposed to an apartment, so that I could set up a decent (but not high-end) speaker system to play anything from quiet classical/ambient to pounding industrial or metal depending on my mood. A clutch of test machines, a couple of separated networks (one a main network and the other a sniffed, testing one), a workbench for system surgery and parts. The monitors would preferably be displaying specific things as opposed to running screensavers. One should play movies that I can half watch in the background, another display an active packet watch on my main system (just to watch now and then and learn more) or even my test network if I am running something, another with network monitoring, and another with a security dashboard up, or even cycling through a few. That would be an awesome hangout.

2) Now, even the most hardcore of us needs to unplug every now and then. For a more unplugged experience in my abode, I would love to have an entertainment room that has a nice tv and sound system, is ideal for watching movies or sports events (about all I watch, I don't take to television anymore), and is filled with plants and a pleasing atmosphere. Something calm and idyllic, a place to relax and lounge and sprawl out in, to read a book, magazine, listen to some music, or watch a movie, or even pull a laptop into to just chill out, but not dominated by obvious electronics all over.

3) Lastly, completing the unplugging, my third preference would be the great outdoors, away from most everyone else and anything technological. Give me a breezy, amazing woodlands or mountaintop or tropical island beach, and I could find some real peace there. Give me a cabin up in the woods that I can escape to and some space to roam. Internet connection...debatable. :)

.: on users and it pros: working together

There have been a lot of articles and posts lately about users and the user experience and how IT interacts with users.

My "first" read on this came a few months ago in Network World, What users hate about IT pros, to which I rough-drafted a response essay I never did post on here on exactly the opposite topic, What IT pros hate about users. In the past few weeks, even more posts:

the snide IT attitude | counterproductive approaches to IT | dan morrill #1 | locutus | dan morrill #2

So who is right and who is not? Honestly, they are all right, to an extent.

There are problems with IT staff and "normal" users meeting together to work effectively and create proper solutions for a business. But the subject is far more complicated than so many writers are trying to make it out to be. In order to really look at a solution that works for a given business, the IT roles need to be better defined, the corporate culture needs to be evaluated, and then the exceptions need to be acknowledged.

IT should be sliced into smaller chunks, as there are vastly different roles in an organization. What is important to an employee, and how that employee relates to things like users, differs even within our own field. Internal application developers will be different from those that develop applications sold to external users. IT shops that host services for external clients differ from those that just host internal infrastructure. A networker is different from a help desk jockey, who is different from a CIO. In fact, within each of those areas there are still different roles that the workers and managers each fit. A help desk jockey is different from a help desk manager.

Does a backend networker need to be attentive and aligned with business needs as much as his or her manager? Or perhaps the user-facing help desk jockey? What about an application developer creating a standard application that will be used by 100,000 customers versus the internal application developer creating a system to be used by 10 people all located inside the company?

Once those chunks are defined, one can then look at a target corporate culture and managerial paradigm. Only then can real statements about IT, users, and the relationship of them be effectively made. Are the users technical in nature or not? Does the corporate culture encourage worker to worker interaction across boundaries, or does all of that occur only through manager levels? Can a beer be involved? Is it important to a business to have a customized service or a standardized product?

Lastly, look for the exceptions. It is true, sometimes customers make unrealistic demands that are a detriment to IT or even the business. When a customer gets on a metro rail system, do they expect to be allowed to guide the train and stop it at exactly where they want to get off? No, and to demand such when getting on the train is unrealistic. Likewise, users getting on the IT train need to plan and make requests properly as well, or at least be open to the possibility that their (and every other user) request may not be met. While the metro rail customer may be able to appeal to the train boards to add a new stop that happens to be closer to their home, what if every user made that request no matter what part of the city they were in and are not satisfied until the train stops within a block of their house? In that case, many someones will be disappointed in their request.

There is something to be said about being a good IT provider, but also about being a good IT customer.

But what if there are to be general, blanket comments and attitudes made? Is there some credo that all IT people can live by to do their work effectively and prosperously in the business world?

Perhaps. In the end, it is not about making a better widget, improving uptime, or meeting every customer demand both internal and external. It all gets back to the things that matter in life, the soft skills of working well with people and users and IT pros. Be respectful, professional, and honest. Work together to make great things happen in a company.

To bring this back to information security, Dan Morrill says something I think is important and cannot be said enough. If we end up being roadblocks to users, users will adapt and do things some other way which may introduce security and audit issues, widen the gulf between them and IT, and cost the business money.

The real bugbear is trying to figure out how to best work with the users in a given role with a given corporate culture and with the exceptions that will occur.

.: the geek / business relationship

Go figure. Just this morning I read an internal IT newsletter about this same subject. All of this information is second-hand, but I may just check out this book soon. The book "The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive," by Pfleging and Minda Zetlin, claims that the "geek-suit" divide is inevitable. Here are some bullet points as to why:

• The tech worker, “the geek”, is a problem solver; the business person, “the suit”, is a people influencer. The geek likes to fix things, the suit relies more on people skills. Geeks and suits also interact with technology differently; the former are more interested in process while the latter are more consumed with use.

• To geeks, a piece of technology is a thing of beauty in its own right, a wonderfully fascinating puzzle. To suits, it's a tool that is only worthwhile if it helps them accomplish their objectives.

• The moment geeks are likeliest to lose interest in a project is when it's running perfectly ('Hooray! Now I can stop working on it!'). That's the moment suits are likeliest to start taking interest in the same project ('Hooray! Now I can start working with it!').

• Technology and business people differ in terms of career aspirations and lifelong goals, and relate differently to their workplaces. Tech people typically do not identify themselves by where they work but by what they do. It's more important to them that they are in the ‘community’ of, say, .Net programmers or database administrators rather than at the company where they work. Business people are much more about climbing their company's ladder.

The authors do go on to give points about how IT and business can help bridge that nearly inevitable gap, including cross-functional teams, intermingling, job exchanges, and business people doing what IT people now are doing: learning about how the other side works.

Since I spend most of my lunch periods nursing a latte at a nearby Barnes & Noble and recouping the cost by reading magazines and books, I may skim this to see if it is worthwhile to fully read and have on my shelf.

.: linux as main box - part 3: reinstall

I've reformatted my new laptop hard drive, installed Windows, and carved up the partitions to give Windows roughly 20GB, Ubuntu 30GB, and the other 50GB for eventual virtual machines.

I did this because originally Ubuntu just decided to take the whole disk, and I've had experience with Windows just not playing nice with GRUB if it isn't loaded first. So now my system is in a more or less complete state to move forward again.

This also means I've spent a bit more time in Windows again, getting the new install configured up and things back to normal with email and such. Thankfully, since I build systems so much at work and home I've learned not to get fancy. Back in the day I worked with such things as WindowBlinds to make my Windows all fancy and neat and pretty and slick. But I quickly realized I don't want to spend a week redoing all that fancy crap every time I format.

Anyway, now that Windows is situated and my old drive is mounted in a USB enclosure fitted for laptop drives, I am now back into Ubuntu and moving forward with getting things installed and using it for more every day use. Next step this week sometime: get my email ported over from Thunderbird to...Thunderbird! Piece of cake!

.: mcafee intrushield ips

Just a note and a small rant to myself. I've been using the McAfee IntruShield IPS here at work for a few days now (been poking at it for a few weeks, really), and I must say I really dislike being so disconnected from the actual packets and wire. I really like the information on exploits and alerts that McAfee includes, and also the reporting and dashboard (they recently updated it!).

However, any time I see something new or noteworthy run across the wire, my first instinct is to look at the packets and the flow before and after the actual alert-triggering event. Sadly, these capabilities are sorely lacking. And what is really disappointing are the false positives, even after the device itself has been tuned up tighter. I don't really care if the IPS sees a UDP Port Scan all day when it is just a printer trying to reach out for some SNMP love because it lost contact with something.
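An added example, not McAfee's logic and not code from the post, of the tuning distinction the printer case calls for: a crude "UDP Port Scan" counter keys on distinct (host, port) probes per source and so fires on a printer sweeping port 161 across the subnet, whereas a counter that looks at port diversity per destination host separates a real scan from a one-port discovery sweep and reports the sweep as its own, lower-priority thing. The flow records, addresses and thresholds are constructed for the example.

```python
"""Distinguish a UDP port scan from an SNMP discovery sweep (added example)."""
from collections import defaultdict

SNMP_PORT = 161

# Constructed UDP flows as (src, dst, dst_port); not from any real network.
SAMPLE_FLOWS = (
    # A printer that lost its management station and polls the whole subnet on 161.
    [("10.1.1.50", f"10.1.1.{i}", SNMP_PORT) for i in range(1, 7)]
    # A host walking through service ports on one target: the real scan.
    + [("10.1.9.7", "10.1.1.10", p) for p in (53, 69, 111, 123, 137, 161, 514)]
    # Ordinary DNS lookups from a workstation.
    + [("10.1.1.20", "10.1.1.10", 53), ("10.1.1.20", "10.1.1.10", 53)]
)


def naive_udp_scan_alerts(flows, threshold=5):
    """Crude signature: N distinct (dst, port) probes from one source = 'UDP Port Scan'."""
    probes = defaultdict(set)
    for src, dst, port in flows:
        probes[src].add((dst, port))
    return {src for src, seen in probes.items() if len(seen) >= threshold}


def tuned_udp_scan_alerts(flows, threshold=5):
    """Return (scans, sweeps).

    scans:  sources that hit >= threshold distinct ports on a single host.
    sweeps: {source: port} for sources that hit one port on >= threshold hosts,
            which is what SNMP discovery from a printer looks like.
    """
    ports_per_target = defaultdict(set)   # (src, dst) -> ports probed
    hosts_per_port = defaultdict(set)     # (src, port) -> hosts probed
    for src, dst, port in flows:
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    scans = {src for (src, _), ports in ports_per_target.items() if len(ports) >= threshold}
    sweeps = {
        src: port
        for (src, port), hosts in hosts_per_port.items()
        if src not in scans and len(hosts) >= threshold
    }
    return scans, sweeps


if __name__ == "__main__":
    print("naive:", sorted(naive_udp_scan_alerts(SAMPLE_FLOWS)))
    scans, sweeps = tuned_udp_scan_alerts(SAMPLE_FLOWS)
    print("scans:", sorted(scans), "sweeps:", sweeps)
```

The point of keeping the sweep list rather than just suppressing it: a one-port sweep on 161 from a known printer is noise, but the same shape from a workstation is exactly the SNMP community-string hunting you want to see, so the exemption belongs on the source, not on the signature.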

Such is the price we pay these days for products trying to be the "silver bullet" of security or trying to be "all-in-one" and end up just disconnecting us from the real data and activity. Give me Snort and Wireshark and a portable tap (or the ability to put windump/tcpdump anywhere I want) anyway...

What I feel like is something out of Plato's cave analogy, where I'm no longer really looking at the actual subjects, and instead I am seeing only the dim shadows of the events...

.: you know, microsoft really is doing it right

This article got me thinking about how Microsoft is packaging some things into Vista that will put some current software makers into a real bind, such as free antivirus protection and free pdf creation/reading programs, and no doubt more.

Immediately I bristle at the notion that Microsoft can make these things better than those who specialize in it. I immediately think about all the monopoly issues that may arise, especially if Microsoft pushes the line too far (particularly in Europe) and prevents competing products from being installed.

But the more I think about it, the more I truly think they have a good approach. The average consumer couldn't give two rat asses about needing third-party antivirus, firewalls, email spam blockers, a secure web browser with pop-up blocker and decent enough features for your average middle-aged worker or teenage myspace rat (now displacing mall rats). When I buy a car, I might add on little package deals like ABS and Airbags, but I certainly don't have to shop at Sears and pick from multitudes of vendors and pray I pick something compatible that does that job I want.

Consumers just want things to work with as much security as can be put in without getting too anal about it. This is the niche the Mac has enjoyed for quite some time: elegant simplicity and usability. Microsoft needs security in their OS, and they really cannot get away with just letting third-party software makers do the hard work they should be doing. Not only is it a bad long-term approach, but it also stymies the average consumer who doesn't want to constantly tinker with firewall settings and spyware scans and keeping up to date with 6 different programs and pay for those upgrades every other year...they just want it to work.

We just want it to work, not overpower our lives with complexity (like the VCR clock), and not be a completely leaky hole. Security holes will always exist, especially in the market leader, but let's get serious about what the future is. So far, that future still has Microsoft on the forefront, even if I think Vista is going to be ugly, complex, large, buggy, and still clinging to that old underlying architecture and assumptions that made Windows 98 and XP bad. But hey, they're moving in the right direction and once that big ship gets turned the right way and starts plowing along, they'll do some more great things.

In the meantime, I'll stick to older Windows OS and Linux and pine for a Macbook in the near future.

.: you know, global blacklisting is bad

Spamhaus' recent continuing issues help convince me that spam blacklisting on a global or huge scale is just not worth it. Right now there are lots of firms doing a million little workarounds and hacks to offer up services for safe email, secure email, spam-free email, etc. All of these are built on an insecure protocol and are almost all really bad approaches that will work for a few years and for a decent scale, but are not the approach that will last.

Spamhaus was forced to take a company off their blacklist and pay millions of dollars in compensation to a mass-mailing company that won a suit against them (so I read). I've seen the cost, firsthand, to a company that gets wrongfully blacklisted (or rightfully blacklisted), and it is just not pretty.

Instead of the workarounds and hacks, someone needs to make a better protocol or force more use of the secure versions of those protocols. Let's face it, eventually all traffic is going to be encrypted or obfuscated in some fashion, even if it takes 50 years.

Better yet, adopt something new, like instant messaging over P2P or something similar. Email is surprisingly hanging on despite IM and texting and cell phone use. Will it really still be around in 15 years? I'm skeptical...

.: google reader

I've tried a number of stand-alone and web-driven RSS readers in the past few months, but none really gave me what I wanted or presented it in a way that was compelling and simple and, well, just right.

Much to my surprise, I tried out Google Reader and was immediately hit by, "this is exactly what I wanted." I added a few of the feeds I most regularly check, and I've been amazingly happy with this layout and simple feature set. I hope SurfControl doesn't add this to the list of things denied outright (yes, web filters are evil, more on that in another future post).

.: is security possible?

This topic has been buzzing around in my head a while now, and is finally ready to trickle out. But first, I need to set the stage. (This is going to sound more preachy than I intend, and has also become the unfortunate victim of me being interrupted a couple times at work and unable to put all of this down coherently...sigh.)

- You are never 100% secure, nor is there any silver bullet device, application, or methodology to security in this information age.

- Technology keeps moving at a fast pace, faster than it takes for any security team to dig solid trenches and fox holes and fortify the hills.

- And it keeps getting more complex, sometimes piling more complexity on top of insecure technologies. Complexity yields less security.

- Just today I read a couple doom-and-gloom articles by Richard Grimes, one recent and one from a few months ago. He has a point that security is largely lip service until AFTER "the big one."

- Also some talk about more appropriate consulting and pen-testing from Dan Morrill and Wendy.

- Let's face it, with so many different technologies, business needs, solutions (in-house and out-house), people, and problems, no two corporate networks are alike. Not even close.
Based on all of this, I am convinced of a number of things. First, we should all continue to share as much information as possible, and keep working at those communication lines. One thing that I don't think there is enough of, is on-site tours and demonstrations. Case studies are one thing, but get me and some buddies in the industry into each other's NOCs and systems and let's see first hand what is working or not working. I would love to see how a company like Boeing manages and works their campus wireless systems. Yes, it might be a security concern to let me know, but like Schneier would say about crypto algorithms, if disclosure hurts it, it's not secure anyway. Many corps have some excellent processes and setups, but they can never get talked about in meaningful ways that can help the rest of us. This is one reason I would love to become a pen-tester, assessor, or consultant...so I can see these solutions and build upon other people's hard work and loving efforts.

Second, we need to look to securing our own islands first, before we're going to be able to help with the whole world's picture. What works for one island may not necessarily work for another island. We need to be aware of that: not only is there no one device or application that can give 100% security, but there is also no such device or application that is appropriate for all environments (something the sales people don't understand). If we can't handle the microcosm of our own networks, we have no hope to make sense of the macrocosm of the Internet and the world's networks. Your island may be the only place you'll be able to experience a wave of security nirvana...at least for a few moments. Besides, if internally we are unable to quickly show who has access to our client XYZ's data that we are a custodian of, how can we begin to counsel other islands on how they should handle information?

Third, we need to fight the battle of complexity. Technology will move on and keep getting complex, but many attacks and defenses and competencies of security and security professionals remain grounded in simple basics. We need to keep those basics at the forefront of our minds, not make the security process so complex that we all stand up so high on rickety scaffolding as our foundation to climb to the clouds. Yes, it can be complex and full of frills and thrills, but never compromise the basics for those complexities.

Yes, security seems like a losing battle, but that is what makes this field exciting, ever-changing, a challenge, and a solid career. :)

.: analogy thursday: web surfing

I am going to deem today analogy Thursday, as I was looking for some ideas on analogies for how dangerous the Internet is, namely the web. It is just an odd situation that the Internet is inherently bad and malicious and that users need to take care when surfing. Yeah, like many people really truly take care...

What if television surfing were as dangerous as web surfing? This means that as you flip channels into some of those more obscure higher-digit stations, one may just hijack your television box and switch channels around, or just force them to switch much slower or only view their station until you reset the box and start from scratch. Oops!

What if shopping in a mall were as bad as surfing for places to shop online? Outside of some shops we'd have people jumping up in front of you with signs and coupons and good deals in hand, sometimes getting right in your face and flashing their goofy colorful smiles, causing young children to begin crying. In addition, random stores may put things in your pockets that you won't realize melted in the hot sun until you get home and put your hand in there. Oops! They might even put an RFID tag on you while you're not paying attention, and then follow you around through the rest of the mall. And city. And into your home, happily writing down everything you do on the off chance that they will learn how to market better to you. Who knows when you get into those stores!

And those free samples of chicken at the grocery store? Yeah, nothing is free. In fact, those samples contain powerful lingering doses of laxatives that will force you to stay on the pot for an hour each day for a month. But hey, the grocery store offers toilet paper and other remedies for a fee to help deal with that!

What if browsing a library for books to read were like browsing web sites? Every now and then, a book would take it upon itself to grab your arm and not let go, despite the alarms you cause when you walk out of the building and the nasty looks you get. In fact, some books may look like children's books, but inside are pop-up porn cut-outs. Oh, those long-lost joys of pop-up books! Yay!

Now, the one place where an analogy is a lot more appropriate for the web would be roaming around in nature. You never know if you might turn a bend and run into a bear, a rattlesnake, or even swim up on a stingray. You might just get chomped, bit, or speared if you're not constantly careful and aware of the dangers. And the more dangerous a particular area seems, the more likely it is dangerous. Thankfully nature typically provides warnings such as a snake's rattle or colorful markings on dangerous creatures. Likewise, web sites give off warnings too, if you know how to look for them. And would you stick your hand in a strange hole in the ground or sleazy-looking pond without first doing some risk analysis on the odds of a badger or water-borne parasite being present? And let's not even think about ninjas and how they might stealth up on the trail when you least expect it.

The web isn't what it used to be. While it has become prettier (not including MySpace pages which is the new GeoCities) and more useful and informative, it has certainly become a lot more dangerous, insidious, and complex.

.: productivity gain from 30-inch monitor?

A researcher has posed that it is worthwhile to get a 30-inch Apple monitor ($1999) because it improves worker productivity.

I really think some researchers are just not that thorough. Yes, you can likely get more work done with more desktop real estate, but how does this compare to a dual monitor setup with, say, 2 17-inch or 19-inch monitors, which would cost far less than $1999? I think unless you need contiguous screenspace (such as with Autocad, Photoshop, or maybe movie editing), the dual or even triple monitor approach is much more worthwhile than one huge single screen.

Do we even need dual monitors? Not necessarily. I currently work on just my laptop screen, although I certainly would make full use of dual monitors like at my last job or at home. As a networking and security geek, I could actually make use of 10 monitors if I had them, displaying things like dashboards, traffic sniffing, alerts, remote control sessions, etc. But for your normal workers, one monitor, maybe two, is sufficient for their job. Eventually, I get into the realm of wanting separate systems as opposed to more desktops or monitors.

I will say, if you want to impress pretty much anyone at work, grab a spare system or two, set it up next to you, and have it running pretty graphs, traces, and dashboards nearby. People seem to think that amazing, even if it is just gibberish. :)

.: user education does not work

From a CNET article,

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

His first sentence is correct. It is true, user education will not solve our problems. If education solved our problems, we would have a different president right now.

Indeed, as I always say, security is a secondary goal, even for developers and network administrators, let alone your average regular user. Functionality is always first, i.e. getting things done. "Getting it done securely," while a way for managers to package in security as just as important to getting it done, is still just a qualifier to "getting it done."

The second sentence is correct as well, we need to embed security in the process as much as possible. The systems need to be more protected from dumb users or just simple mistakes in judgement. The network needs to be more protected. This is the real key where prevention systems come into play. Detection works wonders, but the assumption that users will make mistakes means you need prevention, mitigation and incident response, and audit trails (detection and logging).

And then his last few sentences are the real problem. We have to do these security things without impacting the user's primary goal of getting things done.

Now, I really believe education will not solve our problems, but it will go a LONG way toward helping. Just because education doesn't solve all our problems is not a valid argument to say we should throw our hands in the air and not do any education. I like the mention in the article about giving users some education while actually attending to a problem. This is highly effective and focused education that can have an impact. Education makes an impact and some people do want to learn and be better about it, but it is true, it won't solve ALL our problems. But the speaker is correct, we shouldn't hold up education as the root solution to our problems.

It is highly important to make sure security does not unduly interfere with employees getting their jobs done. However, this goes both ways. Employees need to be receptive to changes in their job. A security-induced change may not even impact users if they were to just adopt the new way of doing their job. Sometimes this battle between security and usability is just human nature being stubborn and unwilling to change, even if those changes result in less work for the user.

I've slowly become a minor proponent of having less rules and less impact on users. I detest rules and limitations on my computer use at work, which impacts my happiness and thus my productivity. Now, I may be a bit more progressive in my use of the Internet than many people that I work with, but slowly, attitudes will change as more and more people enter the business world that have grown up with a computer in their rooms and their social lives have long incorporated the use of a computer through web pages, blogs, IM use, email, music, and so on.

We still need education, but we also need to make sure we do our professional diligence on the back systems and networks before dictating what users can and cannot do. And I truly believe we need less rules, overall, in our businesses. We just need smarter rules and enhanced incident response. Rules stifle innovation and happiness, and we need both in our businesses.

.: application whitelisting

Read this article on DarkReading.com about whitelisting of applications. I like this point:

But whitelisting has a down side. These endpoint tools come with plenty of administrative overhead as well as security risks. "The institutional overhead in maintaining them is extreme," says Thomas Ptacek, a researcher with Matasano Security. "Some poor group of souls in IT is charged with deciding which applications every sales person or project manager can run, and has to backstop all the ensuing arguments."

What are the pros and cons of application whitelisting, and where do I stand?

PROS
First, when machines are imaged or supported by IT, they should have a list of applications that need to be loaded for new hires or replacement machines.

They should also have a list of applications to expect, that IT may or may not have to provide at least a little bit of support for (yes, we'll help you with Outlook, no we won't help you with Alefox or IE toolbars). Related to support, security persons responsible for keeping up to date on patches need a list of applications they should be checking. IT should not be expected to be knowledgeable on patches for every toolbar app that may be used in the corporate environment.

Additionally, disaster recovery may require knowledge of what is necessary for groups such as sales people to do their jobs.

Much like firewall rules, default deny with a whitelist of allowances is much easier to maintain than a blacklist. You can blacklist categories of applications (P2P, IM, etc), but we already see the lines between those categories blurring, and they will continue to blur.

CONS
Take this scenario. Sales requests a new application on their machine. Those "poor souls" in IT then have to research it and either add it to the whitelist or explain why it should not be allowed. With strong policies and management support of policies, this might be ok, but I believe most companies will put those "poor souls" in the unfortunate position of either saying "yes" to requests or being in a hard place when trying to say, "no." The end result is wasted resources, unnecessary negative feelings towards IT by the sales group, and overall less authority. What if the sales group has already been using the application for 4 months? Those "poor souls" really are poor souls.

(Honestly, those "poor souls" need to be backed heavily by a manager-level person, otherwise anyone smart enough to do proper evaluations and even backstop the ensuing arguments is not going to be in this sort of a position for very long.)

And what if each department is asked to create such a whitelist of programs that are needed? I've seen managers throw back every single program they can think of, whether it is really necessary or not. "All of them." Many managers and business users do not care to be bothered by such things, but will detest IT making the decisions for them.

As long as users run Windows, run as Administrator, and all sorts of things want to get installed or used (some even as benign as a proprietary web player like Flash or similar), trying to maintain a whitelist of programs that are necessary is difficult.

Whitelisting will stifle innovation and the ability to try out new applications and tools.

So, where do I stand in all of this?

I think some whitelisting is necessary, but it cannot end up being heavy-handed unless the company has some serious security requirements, small niches for their computer use, or is a majorly large network where application management is nearly impossible. IT certainly needs to maintain a list for proper imaging and support of workstations.

This goes back to what I said in my previous post: less rules.

Less rules. Smarter rules. Better mitigation, response, tracking. Better perception of organizational IT. Let people, within reason, do as they wish on their workstations in order to have a productive, happy life with the company.

.: disk encryption tools
Another area I'd like to delve into in more detail, maybe with Vista's built-in Bitlocker. But here are a couple free tools that provide disk encryption:

Abylon CryptDrive (german)
Free Compusec
.: google desktop search forensics
This paper about the use of Google Desktop in forensics is concise and informative. The most interesting aspect of this is just how much Google Desktop indexes and makes copies of. Email, local files, network files, and even web surfing histories are stored independent of those applications or the OS. This means that even a laptop that shouldn't have sensitive data on it may still contain copies of open network share files that the user has access to, confidential emails, or even files from other users on the same system. In addition, web surfing history and some artifacts are also retained, even if the user attempts to clear those things in the browser options or with a third-party privacy tool.

The only limitation so far is the inability to just read the files. You have to copy the files to a separate machine, make them Read Only, and then open those files in that machine's Google Desktop Search tool. But still, this can act as a powerful tool to find some artifacts. It can also act as a surprising vector for data leakage in an organization.
.: crimeware and phishes

I think one barometer of how IT and security are moving more in tune with the business world instead of being some back room geek department, is how often I read buzzwords and newly created words.

I just read the Websense H1 2006 Security Trends Report and was amazed at all the new words I found.

We have malware, adware, and spyware. I guess I should have seen crimeware coming. Websense, I guess, means by crimeware software used to commit a crime? I think I will stick to malware as my term of choice. I have also seen eCrime.

I also gleefully read how a host with multiple phishing sites is termed to be host to numerous phishes. Phishes...does that mean the host can be called a phish tank, or perhaps a pond? And would abandoned sites be phishheads? The report also referenced spear phishing, which is a more targeted phishing attack. Honestly, I think almost all phishing attacks are a bit targeted. While that term I have heard before, it still amused me since I started looking for these creative terms.

Screen scraping applies to those malware components that take screenshots of the user's screen, a means to thwart captchas and virtual keypads, kinda like a keylogger for the whole screen itself. Screen scraping just does not sound fun, and reminds me of a window washer or perhaps a visit to the dentist.

Now, while I might poke fun at the report for the terms used, the information presented is excellent and a very good read on the trends that Websense has been experiencing so far this year.

.: blackhat and hitb papers and presentations
All of the HITB2006 papers are online now.

A quick pointer to an archive of Black Hat media presentations. Save the interesting ones, since they do cycle them regularly.

Black Hat 2006 papers and media are available. Scroll down for the video portions. Also, the archives are a good place to be for even more media.

Defcon 14 presentations

Black hat 2006 presentations
.: 10 tips for using vpns
I know this is ComputerWorld, one of the ad-driven free mags that tend to review products and state the obvious, but this quick article on 10 tips to secure VPNs is a pretty good and quick read with some specific technical details as well as common sense items that are sometimes hard to get management levels to listen to (such as only opening the VPN to those who truly need it). I like that some of the points are actually alternatives, such as secured mail or SSL/passworded web sites when, really, the need is smaller than the justification for a full VPN solution. Unfortunately, other items, like jailing users off from the rest of the network, are a bit more advanced and complicated.

Of note, this response was given on Infosec News and deserves to be read in conjunction with the original article as the author makes some excellent points.
.: screencast and vnc2swf
Screencapture in Linux can be tricky. Here are two resources to check out.

Wikipedia entry
vnc2swf
.: opendns
Mobility has its limits, especially if your ISP prefers you use their DNS servers, but then does not want you to use their DNS servers from IPs that it does not own. What to do? Many tech geeks have ways of finding DNS servers they like, some use their own or DNS servers from their work, but your average home user probably wouldn't know what to do. OpenDNS sounds like a nice idea to get free DNS use. In fact, it offers up some services that may be of limited (read: better than none) security in blocking phishing sites and doing some spelling correction (for commonly misspelled sites that take you places you'd rather not see). Sounds like a nice enough deal to try out. However, in reading their marketing material about being blazingly fast and such, it's really just all talk. It is no faster-feeling than any other DNS server, really. I suppose, however, that this thing can be programmed to intercept ad-ware and spyware and even botnet DNS calls as well, helping to quell botnets and other malware from contacting dynamic home addresses.

The only thing to keep in mind is what this service's business model is. It is a free service, but nothing is ever really free, no? Perhaps they gather statistics on DNS queries and sell that gathered information in creative ways. Perhaps they will be able to log your queries and better tailor things to you, such as crafted DNS queries much like Google puts relevant ads on gmail or based on various searches. Either way, there shouldn't be too much "badness" involved in something like this, and even if there is, it is only IP address and DNS query badness. For someone like me who will use this on a laptop that roams around, I'll end up fairly anonymous as it is.
.: webcam as security cam with open source apps
Finally, open source apps for this stuff! The article explains how to turn your webcams into security cams. I really need to put this on my project list someday, as I have at least two webcams gathering dust in a box somewhere that are decent cams and almost never used.
.: dd-wrt
DD-WRT is a replacement firmware for some WAPs, including the models I have extras of. Adding to my personal project list.
.: security podcasts

About 6 months ago I started delving into the world of podcasting and began to quickly try and figure out which computer security-related podcasts were worth the trouble to download and check out.

I never did find a groove with my checks and samples. I don't have iPod support in my car, and really don't find myself just listening to them in the background while I do other things. If my car were more equipped, I may have checked into things more. I also didn't have the habit of listening to them otherwise, or the time to download them and catch up or keep track of all of their release times. I don't use iTunes for my own personal reasons (I would if I had a Mac), and none of the other downloaders were really all that excellent. Doppler was the best, but there was always that one odd podcast that Doppler couldn't track and auto-download, which eroded the whole experience. As such, I just this weekend deleted all the old ones I had downloaded and have shelved the pursuit.

But now I see Chris Brunner did some of the hard work for me of culling out the less useful podcasts, and created a list of them on his own site. I need to update my own geek site links with a few of these new ones that I didn't have, and check into trying to resurrect this habit pursuit. I'd love to keep up with security through this media as well as print news.

.: the questions we ask

A recent SANS Handler Diary entry reminded me the importance of keeping at hand a list of The Questions that we should ask as IT and security professionals. I need to keep updating this list, as they will all likely be questions I will want to keep at hand throughout my entire career.

- If hard drive X were to die right now, could you confidently rebuild it using backups or other documented knowledge? This applies to any system from the most critical server to the least important spare system to any employee workstations.

- If incident X were to happen right now, what is your response procedure? Apply this to the most benign alert up to a major hacking incident that is right now being executed, successfully. Would you have an available audit trail?

- How do you know your network or systems are secure?

- How do you know that there are no rogue wireless access points giving access to your network (or that your users might be hopping onto nearby)?

- Are network diagrams, documentations, and inventory up to date? Include process documentation.

- If one of your users (CFO to call center ops) is specifically targeted by a 0day emailed exploit, how will they react? Is user education appropriate and is IT held in enough regard to have incidents reported?

- If a complete network audit were to be done now, what might you be surprised to see still in service, accessible, or configured? Yes, even networks need to be flushed and cleaned out and retooled regularly.

I hope to add more.

.: botnets: the next cyberwarfare frontline

eWeek poses the question on whether the botnets have already won. Botnets are not new, but they have been hot news for the past year or so. Unfortunately, while technology likes to move quickly, and vulnerabilities appear and disappear even more quickly, botnets are a fact of life on the wire that is not going to go away any time soon. In fact, I firmly believe we've only just begun to see the power, effects, and changing landscape of the wire that botnets are catalyzing. The article mentioned is an excellent look at the situation.

Defending against botnets is difficult, if not even outright impossible right now. Traffic jamming at ISPs or even local networks is useless when the bots tunnel through common ports. Traffic inspection is useless when the bot traffic becomes encrypted or the attacks themselves are real traffic. Shutting down C&C servers is futile now that botnets can work with existing dynamic features on the Internet, can become smaller autonomous units, or just plain efficiently change servers in an instant. Centralized tracking, detection, and disinfection of bots is not cost-effective for anyone because many home users who are infected have no idea they are infected nor have any idea how to fix it without a lot of hand-holding. Besides, it is a common fact that securing every system on the Internet is just not going to happen. Coordinating efforts across nations and continents is not supportable at this time, and even if an effort got underway, laws are still far behind technology. Botnet code can be reverse engineered and attacked directly, but much like signature-based detection, that is thwarted by even as little as a single bit change, let alone polymorphic code. And attempting all of these things is still tough to do in as lucrative and profitable a way as the attackers. The article even mentioned that some significant work is done by volunteers.

To strike up a poor analogy, imagine that cars are able to be controlled remotely (not all that far away considering we can monitor the status of cars now and unlock them from a central system or install navigation systems), and I have a way to control half the cars in your neighborhood. What would happen if I have them all play demolition derby with your house? Imagine that some of them are unmanned, but some are manned with trapped drivers. You can build walls, attack each one with rockets, put mines up all over, build a basement they can't get into, build fake houses so they may or may not get your real one...

So, what about beating botnets? Where are some of the weak points to attack? Well, first of all a botnet might be wielded against a botnet, although to what aim is a bit unknown, as are the ethical implications. However, it is only a matter of time before a government decides to have its own botnet for cyberdefense and attack reasons. Whereas so many simulations talk about targeted attacks and actual hacker penetrations shutting down systems, something as simple as a coordinated, specific DDoS attack by a botnet can strangle critical services. Ask any company that has gone out of business due to a sustained DDoS on its systems.

Botnets, in the end, are still controlled by one or a small number of skilled people. Those people need to be ferreted out and shut down or neutralized or brought to justice. While law enforcement is still largely powerless against foreign-based attackers, I can foresee a time when more secretive agencies or corporate-sponsored groups clash on the cyber battlefield as both attempt to protect their interests. Still, take out the people doing the intelligent coding...

Corporate IT security can move outward to protect employees even at home or on home networks. The real skill in cleaning infections and increasing security at work or at home still lies with IT professionals getting their hands dirty and educating users, even just a little bit. While corporate entities can do a decent job internally, so often we shy away from opening the doors to home support (and mostly rightly so...). It definitely would take a commitment from top management, but it does make sense even from an HR perspective.

Better Operating Systems and security products for the home would be a step in the right direction, but will never be more than a variably-sized speedbump for botnets and attackers. Still, some protection is better than none, and a secure or less popular OS is better than putting oneself in the midst of the low-hanging fruit masses.

No matter how this plays out, the botnet war is worth watching. This is still only the beginning and is a major issue that few people want to talk about because of how debilitating it can be and how nearly impossible it can be to defend against or prevent. But this is a topic that will be shaping our security and maybe even our networking as a whole for the next ten years. Mark my words. :)

.: we have deflected a hacker attack!

I am amused and irritated by regular news reports lately that come in one of two flavors.

First, the articles about how information disclosure occurred at an organization and that X amount of people were notified, a hotline set up, and a web site created with answers to common questions that the possible victims may have. While all of this is good and detailed, rarely is there any discussion on two things I most want to know: How did the attack occur, and what assurances are there that the information on the system was all that was exposed? My guess is that these are cloudy questions with even cloudier answers...which troubles me.

Second, articles that state an organization thwarted or repelled a hacker attack. Ok, how do you know there was a hacker attack? Who was it? What did you do to thwart it? Was there even an incident at all? I guess if I wanted to drum up my IT team, I could spread word that when Snort gave an alert about a sendmail.pl exploit attempt against my server (captured in IIS logs) that doesn't even affect anything on my server, nor ever could, because we don't run sendmail, I can go ahead and raise the flags and drop confetti because my team...hell...*I* saved the day and thwarted a hack attempt!
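To make that point concrete, here is an added example (not code from the original post) of the check that separates a real attack from a noisy signature: parse Snort-style alert lines and compare what each signature actually targets against what the destination host actually runs. The alert lines, the asset inventory and the signature-to-software mapping are constructed for illustration and are assumptions, not a real rule set or a real network.

```python
"""Triage IDS alerts against an asset inventory before declaring a "thwarted attack".

Added example, not code from the original post. Alert lines are constructed in a
Snort "fast alert" style; INVENTORY and SID_TARGETS are assumed values.
"""
import re
from collections import Counter

# Constructed alerts: timestamp [**] [gid:sid:rev] msg [**] src:port -> dst:port
ALERTS = [
    "10/21-03:14:02.123456 [**] [1:100001:1] WEB-CGI sendmail.pl access [**] 203.0.113.9:44211 -> 192.0.2.10:80",
    "10/21-03:14:05.001122 [**] [1:100002:1] WEB-IIS cmd.exe access [**] 203.0.113.9:44212 -> 192.0.2.10:80",
    "10/21-03:15:40.777777 [**] [1:100003:1] SMTP sendmail 8.6.9 exploit [**] 203.0.113.9:51000 -> 192.0.2.20:25",
    "10/21-03:16:01.000001 [**] [1:100001:1] WEB-CGI sendmail.pl access [**] 198.51.100.7:33000 -> 192.0.2.10:80",
]

# Assumed asset inventory: what each monitored host really runs.
INVENTORY = {
    "192.0.2.10": {"os": "windows", "services": {"iis"}},
    "192.0.2.20": {"os": "linux", "services": {"postfix"}},
}

# Assumed mapping from signature ID to the software that signature can actually hit.
SID_TARGETS = {
    100001: {"sendmail", "cgi-perl"},
    100002: {"iis"},
    100003: {"sendmail"},
}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_alert(line):
    """Pull sid, message, source and destination out of one alert line (None if unparseable)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def classify(alert):
    """'relevant' if the signature targets software the destination runs,
    'noise' if it cannot apply, 'unknown' if the inventory or mapping is missing."""
    host = INVENTORY.get(alert["dst"])
    targets = SID_TARGETS.get(alert["sid"])
    if host is None or targets is None:
        return "unknown"  # can't rule it out; still worth a look
    return "relevant" if targets & host["services"] else "noise"


def triage(lines):
    """Classify every parseable alert. Returns ([(alert, verdict), ...], Counter of verdicts)."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        results.append((alert, classify(alert)))
    return results, Counter(verdict for _, verdict in results)


if __name__ == "__main__":
    for alert, verdict in triage(ALERTS)[0]:
        print(f"{verdict:8} sid={alert['sid']} {alert['src']} -> {alert['dst']}  {alert['msg']}")
```

With the constructed data, three of the four alerts are noise (sendmail signatures fired against an IIS box and a Postfix box) and only the cmd.exe probe against the IIS host deserves the "attack" label; that is the kind of detail a "we deflected a hacker attack" story should be able to produce.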

As a technical individual, I am quickly coming to require details, or it didn't happen. Screenshots or it didn't happen!

.: passwords are not great, but they are not broken either

I love articles like this short bit about password security from eWeek because there are simple parts to them that I like and other parts that I really disagree with.

What I agree with: Yes, I truly think biometrics will continue to increase in widespread use, even down to individual systems. But unlike passwords, the simple use of these things can produce false positives or false negatives and will not reduce any dependency on help desks. In fact, help desks might be even more encumbered, as fixing biometric logon issues is a bit more complex and dangerous than just resetting someone's password.

Yes, I think single sign-on technologies should be focused on as much as possible, even though they tend to be a luxury for many IT departments rather than the norm. But single sign-on technologies should not be confused with actual authentication technologies. They are separate entities.

And yes, users tend to write down their passwords just like people put spare keys under their car, under the doormat or nearby garden rock or on the back door frame.

What I don't agree with: A complex password written down on paper is better than a simple, easy-to-remember password that is not written down. While a complex password might be written down on paper next to a desk, an attacker still must have local access (either personally or through an insider) to the physical facility to read the paper. A simple password on a networked system can be guessed or cracked from anywhere. So I find it dubious to dismiss passwords simply because they can be written down. For technical people who are comfortable with passwords and password safety, they are just fine.
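As an added example (not from the original post or the eWeek article), a small guessing attack shows why the simple memorized password loses to the complex written-down one against a network attacker: a short word list with mangling rules finds "Summer06" in a couple of dozen tries, while a random 16-character password exhausts the whole list untouched. The word list, rules and guess budget are constructed stand-ins for real cracker input, and the SHA-256 hashing stands in for whatever the target system uses.

```python
"""Dictionary-plus-rules guessing against a password hash.

Added example, not code from the original post. WORDLIST, the mangling rules
and the guess budget are constructed; a real attacker's list is far larger.
"""
import hashlib
import itertools

# Constructed mini word list (stand-in for a real dictionary).
WORDLIST = ["password", "summer", "autumn", "welcome", "letmein", "company", "qwerty"]


def h(password):
    """Unsalted SHA-256, standing in for the target system's hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word):
    """Yield variants of one word, loosely in the spirit of cracker rule files."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2006", "06"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    yield leet
    yield leet.capitalize()


def candidates():
    """All guesses in the order an attacker would try them."""
    for word in WORDLIST:
        yield from mangle(word)


def guess(target_hash, budget):
    """Try up to `budget` candidates (each one a login attempt online, or a hash
    comparison offline). Returns (plaintext or None, guesses used)."""
    tries = 0
    for cand in itertools.islice(candidates(), budget):
        tries += 1
        if h(cand) == target_hash:
            return cand, tries
    return None, tries


if __name__ == "__main__":
    for pw in ("Summer06", "p@ssw0rd", "x7#Qm2!pLw9$vB4e"):
        found, used = guess(h(pw), budget=500)
        print(f"{pw!r:20} -> {'cracked' if found else 'not found'} after {used} guesses")
```

The budget matters: with a lockout after 20 attempts even "Summer06" survives this list, which is the argument for lockouts and rate limiting rather than for abandoning passwords. Offline against a leaked unsalted hash there is no budget, and only the length and randomness of the password help.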

No IT help desk should complain about user password reset requests. That is why that business function is there, and any alternative is going to be more of a headache than verifying the user and resetting the password. This should not be an argument for alternative forms of authentication.

In the end, there is no 100% perfect authentication system, which is why I dislike articles like these which try to dismiss one because it is not 100% perfect, and market others (whether a new idea or just the same old rote from 2 years ago, like this article). Yes, passwords have issues and there are risks associated with any level of their use, but they are easy and are going to continue to be used for many, many years to come for a variety of things (although perhaps the highest security for information and perhaps corporate use may shift as higher order tech lowers in cost).

.: blog comments lost in the wind

I just have to say I think more blogs should email commenters about responses to their comments. Too often I make a comment that I'd love more dialogue about, only to never remember to hit that blog again until more news has buried what I commented about. I don't like fire-and-forget blog comments...but I frequently forget to check back. I imagine I am not alone.

Then again, perhaps that would get spammy with lots of commenters...and that might be open for abuse as well.

Dang, well, the idea SOUNDED good... Hmph.

.: process and documentation, the art of

The more I work in small-to-medium companies that act as ASPs (application service providers, i.e. we host servers that our clients use), the more I realize there comes a point where process outweighs just getting things done.

Instead of fielding requests as they come in and just getting the work done, change management starts to tickle the back of the throat and more and more, documentation and process need to be invoked. When a request comes in, a process is begun to deal with that request and tie it into any other processes.

For example, an SSL renewal is not just an SSL renewal anymore. Not only does the new certificate need to be installed on the web server, but the certificate and its private key also need to be loaded into our IDS/IPS so it can keep decrypting the traffic it inspects; miss that step and the sensor quietly stops seeing inside that site's traffic. While one person doing all of this can keep track of it, eventually as growth continues, multiple people doing these things means steps may get lost. Ack! ...And this is one of the simple ones.

What makes all of this even more fun is the propensity for people to want to avoid documentation, process, and change management. It slows things down and sometimes brings out weaknesses in how people document, write, and attend to detail. In fact, out of about 25 IT people I have worked with extensively, only about 4 have not heavily resisted these tasks (this includes.

This is kind of a reason I include a line on my resume below my college degree stating that I also have a background in "environmental sciences." There is nothing like lab work in genetics, biology, physics, or chemistry to ground oneself in documenting observations and drawing valid conclusions that can be reproduced and clearly conveyed to others. Having had an interesting 2.5 years of that work, it does make a difference when troubleshooting networks and documenting process.

.: 10 dangerous things users do online

Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:

- Clicking on email attachments from unknown senders
- Installing unauthorized applications
- Turning off or disabling automated security tools
- Opening HTML or plain-text messages from unknown senders
- Surfing gambling, porn, or other legally-risky Websites
- Giving out passwords, tokens, or smart cards
- Random surfing of unknown, untrusted Websites
- Attaching to an unknown, untrustworthy WiFi network
- Filling out Web scripts, forms, or registration pages
- Participating in chat rooms or social networking sites

Some things I would add: participating in P2P or IM services at work; not evaluating whether the audience of the information they send out via email should be reading it; purchasing and installing random devices on their computers (iPods, wireless APs, mobile handhelds...); and the list can go on...

.: windows vista security

Thought for the weekend.

Microsoft wants to fortify its own operating system, Windows Vista. But will it be forced to keep the OS insecure because there is a big market for companies that secure Windows? Imagine the extreme. What if Vista were a highly secure OS? Would these companies curse Microsoft for putting out a good, solid product?

Talk about a bad situation...

.: google placed as the new centralized pc

Just wanted to again mention that Google Reader is amazingly awesome. It has certainly solved my problems with managing news sites, reading news daily, blogs, and rss feeds.

Google is doing something right with their "web 2.0" apps or pseudo-web 2.0 apps depending on whom you ask. I really appreciate the ability to look at my news sites from any system from any net connection. I think as the world becomes more mobile and people begin to have multiple computers (and devices) both personal and even counting their system at work, the freedom and demand to be able to access things remotely is going to increase dramatically. And it is not enough to push VPN technology and remote control solutions (all those RemoteToMyPCAnywhere sites can go to hell, really). In the end, the most-used apps are going to slowly creep towards being web-delivered just like webmail is. I can access Gmail from anywhere and get the same experience as if I were on my personal machine. I can do the same exact things from my Linux and Windows boxes, just by using a web browser.

Google has a good head-start here by identifying the most-used apps on computers, and attempting to replace them with web-driven alternatives. Email, IM, voip, Office, news (RSS), entertainment, and so on.

It is no longer about being able to roam from computer to computer in a corporate environment and have my own profile and settings and apps available. It is about roaming anywhere in the world and still having everything I need.

.: how to improperly support separating ethics and computer security

Ira Winkler from ComputerWorld has a rather controversial article up about the separation of ethics from computer security. This is IT journalism at its most typical: they can write about it, but they don't know it. He does have some points, but otherwise he also has dubious claims.

There are a few things Ira conveniently leaves out or is not even aware of in regards to this subject.

1. The methods to detect, investigate, and enforce ethical behavior on computer systems utilize many of the same functions that computer security uses. This means there is a natural integration of the two. Computer security requires virus scanning and data/file inspection of some sort. Detecting unauthorized distribution of copyrighted material uses similar tools and the same staff.

2. There is a tendency to generalize. If someone is visiting web sites that are unethical to visit from inside the corporate network, there could be security implications. Too often, those same sites house malware and other bad things. This is just a tendency, but that is what computer security is about. It is not 100% black and white. The twin goals of ethics and security together dictate that those sites are off limits and against policy. In short, why make two policies when they support each other?

3. If there are too many points to make when educating users on computer security and ethics, that is not an argument to separate the two entirely. It just means the education needs to be structured better to accommodate making only one or two points at a time. Perhaps ethics can be split off during the education process, but this is simply not a valid supporting argument. It would be equally difficult to teach users about email security, password complexity, phishing attacks, and proper data handling in the copy room all at one time. So does that mean those should not be computer security either?

4. What does Enron have to do with this discussion other than being an excuse to bring up a popular culture/media example?

5. What does physical security have to do with this argument? Yes, security staffers may be disdained for being the ones who mete out punishments, but that makes no sense as an argument to separate ethics and computer security. The argument would be to minimize our negative impact on users. Well, by that token, should we separate out incident response, since that tends to be negative? What about when a virus is detected on a machine and we have to go inform the user and slap their wrist for downloading it from their email and saving it? This argument makes no sense.

6. Ira would have been better served by not bringing up phishing attack examples and how those are mechanical in nature but ethical decisions are not as straight-forward. Tell that to the people doing studies on how difficult it can be to detect phishing websites. In fact, I would conjecture that most unethical behavior in a workplace is *easier* to determine than some of the "mechanical" computer security issues, especially for non-technical people.

The best part of the article is how Ira even attacks his own argument and makes no real effort to address it. The ending feels very bipolar like he had an argument, didn't win, but then just moved on.

Now, all that said, there is merit to saying ethics should be separated in part from computer security itself. IT staffers may detect and report on unethical behavior, but ethics is still ultimately up to legal, HR, and corporate executives to determine. But that is not enough to say that ethics and computer security should be fully separate. There is too much at stake for business and security staff to try to fully separate these spheres in anything but a very large company that can have separate ethics staff. Even then, those teams will work closely together anyway.

.: on physical security and computer security

In my previous post, one bullet point was brought up about physical security and computer security and Ira Winkler brought up that physical security is often welcomed while computer security staffers are often not liked. Why is this?

The biggest single reason is simply rooted in culture. At home and outside work, people use computers in their daily lives to do many, many things: looking at maps for driving directions, popular news, entertainment, distractions, looking up information on a topic, meeting new people, reconnecting with old friends, and on and on. Computers are used at home in a variety of ways, many of which are not necessarily safe, ethical, or healthy.

Physical security is present to make sure people don't go where they should not be going, etc. This is not necessarily bad for people as they are not being limited in a way that takes something they would have already had. They didn't have that access anyway, so there is no loss. But when security imposes computer limits (or the technology imposes those limits), no matter the benefit to the company, those actions involve taking away what users would normally be able to do.

Another lesser reason is the presence of physical security and the smiles they can give. Unfortunately, computer security staffers can't smile through the computer as user data flows by their gates. Thus it can be easier to get mad at the unseen people in the security cubes. Likewise, as part of the general masses, people feel a bit safer and unconsciously accept the security of physical security guards and locks much easier than they do technical security measures and limitations. (This is the only stable reason for most of the TSA regulations; they shallowly make people feel safer without being really all that effective once you start thinking about it.)

.: intrusion detection and prevention expectations

There have been a load of posts and discussion on high-profile blogs and mailing lists about the value of IDS/IPS. Richard Bejtlich, Thomas Ptacek, Alan Shimel, Amrit, and others such as the Daily Dave have all chimed in along with their respective gaggle of comments. Lots of people get pretty vehement and passionate about this subject.

An IDS and an IPS are two wholly different things. Any discussion needs to start by laying the groundwork on which one is being talked about. The next step is to describe how the discussors define an IDS/IPS. Lastly, review their respective expectations of those IDS/IPS devices.

I really like Alan Shimel's descriptions of the "trough of disillusionment" and "peak of inflated expectations." I really think there are some skewed expectations of what an IDS and IPS are supposed to do. Of the two devices, I really believe IPS is the one that has had such high expectations that it will not be delivering satisfactorily, ever. IDS, on the other hand, has been mistaken to be IPS very often.

To me, an IDS is lumped with other functions such as logging, syslog analysis, intrusion response, snmp monitoring, and other network/performance monitoring. All of these functions tend to detect or record, providing information or alerts during and after the fact. They are passive technologies that do not take specific action beyond ringing bells and blowing whistles.

IPSs are in the same category as firewalls, antivirus apps, spyware cleaners, web filtering proxies, and spam gateways. They take IDS one step further by actually performing some action based on the alerts, from changing firewall rules to dropping traffic to throwing out TCP resets. As such, they run into the problem of stopping things that should be allowed, or allowing things they didn't know were problems.

IDS/IPS functions are not on my list of the top things to have in a corporate or home user environment. An IDS can detect and alert to events happening that may or may not be malicious or problems. This is certainly a valuable function, but not so valuable as to trump very many other things. IDS technologies tend to be the pet projects of geeky admins that have some time on their hands. The rest of us tend to have other fires that need putting out over babysitting an IDS/IPS device.

Personally, I like IDS for the knowledge and monitoring it can provide about the network. And that is what the real expectation of an IDS should be. The information it provides to better inform those who perform subsequent actions, but only in correlation to how well the device, network, and tuning is understood. IPS devices I can do without unless the environment is so huge that it needs automated responses, but even then the environment is likely so huge that only a handful of IPS-enabled (active) rules will be enabled.

There is a challenge floating around about whether there are any instances where a company was "saved" (benefited) by having an IDS/IPS device in use. I have not had one personally, but I can certainly think of situations where someone might be throwing internal exploits at LAN systems in an attempt to break in, or a worm trying to propagate over the network. An IDS can alert on an otherwise possibly overlooked situation and flag it for investigation. However, as much as an IDS can be helpful, every other layer of technology steals a little bit of its thunder. Network or even host-based firewalls and antivirus will lower the value of the IDS because a lot of malicious stuff is stopped before it traverses the network.
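The worm-propagation case is one where plain network monitoring earns its keep without any signature at all. The following is an added example (not code from the original post): a fan-out detector that alerts when one internal source touches many distinct hosts on the same port within a short window, run over constructed flow records. The record format, the 10-second window and the threshold of six destinations are assumptions for illustration; real thresholds need tuning against the network's normal behavior, which is exactly the "how well the device, network, and tuning is understood" caveat above.

```python
"""Worm / internal-scan fan-out detection over connection records.

Added example, not code from the original post. FLOWS, WINDOW and THRESHOLD are
constructed assumptions; the record format is "timestamp src dst dport proto".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, deliberately not in time order.
FLOWS = """\
2006-10-21T09:00:01 192.0.2.55 192.0.2.10 445 tcp
2006-10-21T09:00:02 192.0.2.55 192.0.2.11 445 tcp
2006-10-21T09:00:02 192.0.2.55 192.0.2.12 445 tcp
2006-10-21T09:00:03 192.0.2.55 192.0.2.13 445 tcp
2006-10-21T09:00:03 192.0.2.55 192.0.2.14 445 tcp
2006-10-21T09:00:04 192.0.2.55 192.0.2.15 445 tcp
2006-10-21T09:00:05 192.0.2.55 192.0.2.16 445 tcp
2006-10-21T09:00:09 192.0.2.55 192.0.2.17 445 tcp
2006-10-21T09:01:30 192.0.2.55 192.0.2.18 445 tcp
2006-10-21T09:00:10 192.0.2.80 192.0.2.10 445 tcp
2006-10-21T09:00:11 192.0.2.80 192.0.2.10 80 tcp
2006-10-21T09:00:15 192.0.2.81 192.0.2.20 25 tcp
2006-10-21T09:00:20 192.0.2.80 192.0.2.11 445 tcp
2006-10-21T09:00:25 192.0.2.99 192.0.2.10 80 tcp
"""

WINDOW = timedelta(seconds=10)  # assumed sliding window
THRESHOLD = 6                   # assumed distinct destinations on one port within WINDOW


def parse_flows(text):
    """Parse records into (ts, src, dst, dport, proto) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    records.sort(key=lambda r: r[0])
    return records


def find_fanout(records, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per (src, dport). Returns {(src, dport): (window_start, distinct_dsts)}
    for every key that reached `threshold` distinct destinations inside `window`,
    keeping the largest fan-out seen for that key."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, _proto in records:
        by_key[(src, dport)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        start = 0
        best = None
        for end in range(len(events)):
            # advance the window start until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > best[1]):
                best = (events[start][0], len(distinct))
        if best is not None:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, dport), (start, count) in find_fanout(parse_flows(FLOWS)).items():
        print(f"ALERT {src} hit {count} distinct hosts on tcp/{dport} starting {start.isoformat()}")
```

With the constructed data only 192.0.2.55 trips the detector (eight distinct hosts on tcp/445 in eight seconds); the host that talks to two file servers does not. In IDS mode this is an alert for someone to look at; bolting an automatic block onto it turns it into the IPS trade-off described above, and the first victim of a low threshold will be a legitimate inventory scanner or backup server.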

Think of it this way. An IDS/IPS is like a home security alarm system. The IDS will log attempts to break in, possibly track where the thief moves throughout the house, maybe even determine the method of break-in, and will alert the owner that a break-in is occurring or has occurred. An IPS does all of this, but also rings a loud alarm through the house, turns on all the lights and a spotlight, seals away the family valuables, locks all the entry points, and lets loose dogs to chase the intruder away, actively preventing the success of the attack. In light of this analogy, both systems will have had a very valuable effect at some point (leaving aside that an IDS/IPS also tends to warn when even an insect alights on the window pane, or fails to notice some intruders entirely...).

Update: More posts are popping up on this topic. The Digital Voice has chimed in as well, with a nice post and viewpoint. TechBuddha has some thoughts as well, about finding your own truths and relax a little bit when it comes to arguments like this. Sawaba at SecuriTeam chimes in.

.: network as a toy closet

The weather in the Midwest has just recently taken a dip into the cold ranges with plenty of wind added in. Walking to my car for lunch this afternoon found me thinking about an analogy for how networks are planned and built.

Think of a child's toy closet. At some point, the closet does not have much in it, maybe just whatever the parent puts in there, most likely some child-related paraphernalia like cribs, strollers, and other things not very interesting to children but necessary for initial childcare. But as the child grows up and time moves on, things are acquired and put away. Maybe some new toy franchise comes along and over the course of 2 years the child builds up a nice collection of toys which then get shoved into the closet wherever they can fit. One weekend a television ad book-ended by a favorite cartoon prompts an impulse purchase later that day of some rather unwieldy toy aircraft that gets pushed into the closet as well. Perhaps a series of books and shoes get piled in there. No child truly likes shoes and clothes, so they tend to get thrown in with even less regard than normal, falling on the floor of the closet or across various toys.

This slow building of toys and items fitted into various nooks and crannies and sometimes just plain thrown in eventually make finding the good toys a little more difficult. In fact, some toys may end up forgotten about for years, sitting in a dark corner along with a few unwanted guests: shells of crickets and other insects. And when a wanted toy is needed, rummaging through the mess to pull it out while hoping the mountain of everything else doesn't topple out on top of it can be a harrowing experience. And we all know that the subsequent shifting of items will mean placing it back in the closet later will find it in a new place tomorrow. If other junk does fall out, chances are it is all just pushed on back inside in whatever fashion it can fit.

This may eventually mean that friends who stay the night can get away with snatching a toy without anyone knowing it. Or they may wreak havoc pulling out precariously perched parcels, only to topple mounds of others.

And what about those toys received over Christmas and birthdays that are sometimes unwanted and unasked for. The useless junk that accumulates due to what other people thought you might make use of, or trendy toys from years past.

Ask any parent how the image of a child's toy closet left uncleaned for 4 years makes them feel.

The only way to combat the closet trash mess is with regular cleaning. Take everything out, and put it all back while culling the unwanted.

Networks are similar. Over time, they can become completely unwieldy entities with lost applications lingering in dark corners, unwanted guests never detected, a mish-mash of interconnected parts that depend on each other to avoid falling over into a mess when in fact each could stand on its own with just a little bit of planning. And how can you truly plan for the future when there is no clue what the next hot toy will be, or the next ad seen on television with that impulse "must have this now" item?

.: security silver bullet paradox

We have a problem in the security space.

It is widely touted that marketing and ill-informed managers and non-technical C-levels are looking for silver bullets when it comes to computer security. Most security experts will respond that there is no silver bullet. In fact, we say this a lot even though no one is truly arguing the point...at least not anyone important or knowledgeable about our industry. We seem to just like saying it amongst ourselves.

Now, speak to security researchers about wireless security and the use of WEP. Some will get very vehement in saying that WEP is broken and useless and get rather vicious in deriding anyone who says they use WEP for their home wireless network.

See the problem here?

What is disturbing is the ability for us to completely reject a countermeasure or protection as worthless just because it is not perfect, yet we reject the concept that there is a perfect countermeasure. In the above case, WEP may have holes and be easily broken to someone with the knowledge, but it still has value because it can block a large group of unskilled attackers. IDS may be circumventable and may not catch everything, but it still has value to catch the low-level stuff and mass attacks or worm traffic and such.

We should always be careful not to think there are silver bullets in security but yet fully reject bullets that are 25% silver. Every little bit that we can raise the bar for attackers is a little bit more security we will gain.