openssl s_client -connect www.mysite.com:443 -ssl2

mubixPolling the audience (serious answers please). If you could get your boss to understand one security concept fully, what would it be?

@mubix Hard question, and worthy of a blog post. I'd say "You *will* have a security incident. Plan for it and plan to find it."

In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.

set-location d:\setup\scripts

./psexec \\WEBSERVER1 -u DOMAIN\USER -p 'PASSWORD' /accepteula cmd /c "echo . | powershell -noninteractive -command `"& 'd:\setup\scripts\createsites.ps1'`""

The technology show Click acquired a network of 22,000 hijacked computers - known as a botnet - and ordered the infected machines to send out spam messages to test email addresses and attack a website, with permission, by bombarding it with requests.

Click also modified the infected computers' desktop wallpaper.

...They lacked the equipment to detect a breach and, even if they did, lacked the human resources to monitor such equipment. He told us his staff consists of one full-time employee and one half-time assistant who is shared with the help desk... [ed.: a company of 10,000 users, 127 sites...]

"What logs? Remember that each business unit is different, but here at corporate we don't have logs. In fact, logging was turned off by the help desk because they got tired of responding to false alarms. Help desk reports to the IT director, not to security.

• Users have administrative rights to their systems.
• IT also has administrative rights.
• Users won't install pirated or illegal software, but instead get comped by the org.
• Servers are still the realm of the IT teams, so let's just not think about them for now.

• Systems may slow to a crawl as they become infected with crap upon crap.
• Internal and external networks may slow to a crawl or becoming unusable due to worms, viruses, scanners, bots; both internal-only congestion and externally targeted congestion.
• Information may quickly get stolen, ala the program that installed and steals your aim/wow/bank account and password, either actively or triggered or keylogged.
• IT may have to answer questions and provide support for non-standard programs across a huge range of possibilities.
• Users may install tools that have malicious side effects, especially if they have a laptop that goes home. Things like BitTorrent and p2p apps tend to pop up on such systems.
• Most systems will have one or several IM programs installed and in use, opening the user to phishing/spam, an potential avenue to send information beyond the corporate garden, and lost productivity if abused.
• Users will use their personal webmail accounts, opening up the same avenues.
• Any type of development or creation processes may not be possible to move from the user's computer to a server. "You want *what* installed on the web server?!"

• A strong perimeter with aggressive ingress and egress rulesets with active logging on egress blocks. Yes, many apps will just tunnel through port 80, but that doesn't mean we should forget the floodgates.
• Strong internal perimeter to protect the DMZ and the suddenly rather untrusted internal LANs. Isolate print servers, file servers, and others from userland, letting only what is absolutely necessary past.
• Strong internal network monitoring to identify traffic congestion and unwanted communication attempts.
• The staff to attend to the alerts this stronger network posture will require. With such an untrusted userland network, bad alerts can't sit for very long, and there may be plenty of them.
• Consistent and regular user training about security concepts.
• Regular communication amongst employees and IT about how to properly solve various problems, use programs more intelligently, and so on. If one program can solve problems but everyone is just using what they know, perhaps opening communication may get everyone on a standard page. It certainly is better than everyone trying the same 10 programs to solve the same problem. [update: I'm not sure what I was saying here...]
• Foster an open environment where users can talk candidly with IT and security, without expecting laughter or a quick rebuke. This is going to be much like the TSA assuming every passenger is a threat.
• Will need an aggressive and automatic patching solution to keep the OS and major applications patched as much as possible.
• Have a strong imaging solution and architecture in place. People mess up their computers now and then and require them to be re-imaged. People who control their own computers will mess them up even more.
• Have strong network and file server anti-virus or malware scanning. Chances are pretty good that users will store their backup installs on your file server. Try to separate the screensaver crapware from the necessary stuff.
• Be proactive in supporting the software inventory needs of your users. If a user has a piece of software they had the company purchase, keep an inventory or even a backup of the install disk and serial under lock and key. This is far better than letting users manage (or steal! or lose!) their own copies. A photoshop disc left on a desk is a pretty easy crime of opportunity.
• Plan to have strong remote management of user's systems, especially when it comes to inventorying various things, such as accounts, installed software, running processes, resource consumption, log gathering. You likely won't parse these out regularly, but some you might want alerts for, such as new user accounts appearing.
• Proactively offer to assist users with any PC questions they may have. Often, users have lots of little annoyances they live with, but offering to help with the fixable ones can often go a long way towards satisfaction not just with IT but their job as well. If a system is running slow or they don't understand why a window displays as it does, assist them with fixing it.
• When assisting users, take extra effort to include willing users in your troubleshooting. This not only opens lines of communication, but also teaches them as you go. Maybe next time they'll already have checked for that rogue process before you get to their desk!
• Might be wise to evaluate DLP technologies. While administrative rights for users on their desktop means many forms of malware will do things like disable AV before it can interject, many users are not nearly as sophisticated when they purposely or accidentally move important data from the safety of the corporate environment to an outside entity. It might be enough to implement DLP to stop all but the truly crafty and determined insiders. That might be risk avoidance enough to deal with the determined ones on a case by case basis.

• Just ask.
• Don't wait for perfection.
• Become a master.
• Vision is everything.
• Never disqualify yourself.
• Challenge your limitations.
• Have a vision. Write it down.
• Speak every chance you get.
• Don't go it alone.
• Be flexible.
• Aim high.
• Be PASSIONATE.
• Beware of bright shiny objects.
• Choose tech or management.
• Do something bigger than yourself.
• Recipe for life:
  • vision
  • plan (take control back, take a break in the woods)
  • take risk (you can always go back)
  • stay focused (TTL)
  • determination (how badly do you want it?)
• Don't save your best for last.
• Be generous now. (Our stuff doesn't follow us.)
• Enjoy life.

During an event a panel of Gartner Analysts asked the audience what the best way is for organization to invest $1 million dollars in effort to reduce risk. The choices were Network, Host, or Application security... The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audiences' decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rational was that that it is easier for him to show results to his CEO if he invests in the Network.

The second problem is the grid's interdependence with the systems that support our lives: water and sewage treatment, supermarket delivery infrastructures, power station controls, financial markets and many others all rely on electricity... "It's just the opposite of how we usually think of natural disasters," says John Kappenman... "Usually the less developed regions of the world are most vulnerable, not the highly sophisticated technological regions."

So, what’s going on? We’ve finally managed to get security on the road-map for many major organizations, thanks to initiatives like PCI and some of the government IT audit standards. But is that true? Was it PCI that got security its current place at the table, or was it Heartland Data, ChoicePoint, TJX, and the Social Security Administration? This is a serious, and important, question because the answer tells us a lot about whether or not the effort is ultimately going to be successful. If we are fixing things only in response to failure, we can look forward to an unending litany of failures, whereas if we are improving things in advance of problems, we are building an infrastructure that is designed to last beyond our immediate needs.

• We are dedicated to working with other cloud computing providers to offer address the challenges of adoption our service may have, and to support ongoing standards. We have started by using common blog software, and a common layout of post title, body, date, and even comment services!
• At no time will we lock our customers into using only our service. Feel free to read other blogs, too!
• We will work diligently to align ourselves with existing standards wherever possible.
• We will also be aware that needs for new standards will be met through collaboration rather than individual standard provisioning.
• We will be committed to working with the community, not to further our own technical needs, but rather in response to customer needs.
• We will...hell..these all sound the same anyway, so we just meet the last principle too!

A Gartner Inc. analyst is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. not to switch to other payment processors just because of Visa Inc.'s decision this month to remove Heartland and RBS WorldPay from its list of service providers that are compliant with the PCI data security rules.

Visa requires all entities that accept credit and debit cards issued under its name to work only with service providers that comply with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).

But in a research bulletin issued yesterday (download PDF), Gartner analyst Avivah Litan said that customers can continue to utilize Heartland and RBS WorldPay without facing any fines from Visa.

All parties that handle cardholder data: Focus on maintaining continuous cardholder data security, rather than on achieving PCI-compliant status.