security suggestions for small or medium business 2016

It’s harder than it seems to come up with a quick list of 10 things a small/medium business should do when looking to implement stronger (or a first level of) cyber security. It’s a copout whenever I see a “top steps for security list…” and they go something like, “secure endpoints, secure servers, secure network…” You’re cheating by not saying anything actionable or consumable by relatively average admins and business users.

Here’s my current list of top 10 items an SMB should do (I’m sure I left something obvious out…).

1. Backups. – Mistakes happen. And when shit hits the fan, you need to have backups to restore to. This includes something off-site (and ideally offline, so whatever trashed the live systems cannot also trash the copy) in case your live backups are bad. You should also have some idea of what to back up, and a general priority of what is most important for the business to remain solvent. This needs to include procedures to verify backups and perform clean restores, and those procedures need to be exercised, not just written down.

2. Endpoint security software. – Commonly antivirus or antimalware software that runs on end user and server systems. These should automatically update at least daily. Admins should understand this software enough to be able to work with it rather than turn it off for whatever reason when it gets in the way.

3. Patch your systems (and software). – I don’t care if these patch automatically or if a patch management process is in place, but all systems need to be running a patched OS. Software should be patched as much as possible as well, but I understand that can be harder for businesses that do not have automated endpoint management tools in place.

4. Identity management (lock your workstation). – Uniquely identify every user and require strong passwords for their accounts. Do not share accounts. Know which accounts (user and service accounts) have high privileges on your network and thus with your data. Locking the workstation is a form of controlling/limiting unauthorized usage of the unique account assigned to someone.

5. Practice least privilege. – Users should only have access to what they need in order to do their jobs. This is mostly focused on data access, but also applies to system and network (or Internet) access as well.

6. Practice proper password principles. – Don’t write passwords down. Don’t share them. Don’t reuse them. Do make them complex. Do change default passwords. Do change them regularly. Store passwords in something that has some modicum of security (i.e. not a password-protected Excel file).

7. Limit physical access to your IT assets. – Keep network closets, servers, data backups, and other IT assets locked away from unauthorized access. This should also include limiting access to mobile devices and storage devices for theft and tampering prevention.

8. Deploy a network firewall (network segmentation). – For a really small business, this might be limited to whatever modem/router comes with their Internet access. But for everyone else, they should have at a minimum a network firewall between their corporate network and the Internet with default deny rules in place. Permit rules should adhere to least privilege principles, again. A firewall between wireless networks and the rest of the corporate network is good. As a bonus, a firewall between workstations and servers is a good next step. But at a base minimum, Internet access into the corporate network/servers should be controlled by a firewall. Limit who can make changes to the firewall.

9. Limit local administrative rights on workstations. – For small to medium businesses, it can be a fight to pry away local administrative rights to systems, but it really needs to be done, not just for security purposes, but also for desktop support sanity (efficiency). This will help prevent malware from running as a local admin, and will prevent users from installing rogue software on their systems.

10. Understand and protect your important data and corporate assets. – Yeah, I’m slightly copping out here on the last one, but every business should know what data is important for business continuity or what data, if divulged or stolen, will result in business closure. Special considerations should be taken to ensure these assets are protected. Most important to this specific bullet point, though, is just making sure the business goes through the exercise of identifying what is vital.
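Item 1 is the one most often checked off on paper and never exercised. As an added example (mine, not anything from this post or from any backup product), here is a small Python script that takes a backup, records a SHA-256 manifest at backup time, restores the archive into a clean scratch directory, and checks every restored file against the manifest. The sample files, paths and the deliberately clobbered archive are all constructed for the demo.

```python
"""Backup with a verified clean restore (added example; not the post's own tooling).

Archives a directory to tar.gz, records a SHA-256 manifest at backup time,
restores the archive into a fresh scratch directory and checks every restored
file against the manifest. All paths and sample files are constructed for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """{relative path: sha256} for every regular file below root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write src to archive and return the manifest taken at backup time.

    Keep the manifest with the off-site copy: it is what a later restore is checked against.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore archive into a clean temp dir and compare it with manifest.

    An archive that cannot be read or extracted is reported as a failed
    backup rather than raising, so a scheduled run always yields a verdict.
    """
    result = {"ok": False, "missing": [], "corrupt": [], "extra": [], "error": None}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")  # refuses absolute paths and ".." (3.12+ and backports)
                except TypeError:
                    tar.extractall(dest)  # older Python without the filter argument
        except Exception as exc:  # any read/extract failure means this backup cannot be restored
            result["error"] = f"{type(exc).__name__}: {exc}"
            return result
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                result["missing"].append(rel)
            elif restored[rel] != digest:
                result["corrupt"].append(rel)
        result["extra"] = sorted(set(restored) - set(manifest))
    result["ok"] = not (result["missing"] or result["corrupt"] or result["extra"])
    return result


def demo() -> tuple:
    """Constructed sample data: a good backup, then the same archive overwritten with junk."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,10\n")
        (src / "notes.txt").write_text("restore test\n")
        archive = Path(tmp) / "data.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)
        archive.write_bytes(b"not a gzip tarball")  # simulate a bad live backup
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good backup:", good)
    print("bad backup: ", bad)
```

Run something like this on a schedule against the real backup set and treat anything other than ok: True as a failed backup. A job that reports success but whose archive cannot be restored is exactly the case the second result in the demo models, and it is the case that a "backup completed" email never tells you about.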

BONUS: Get help. – Get help from staff or a security consultant on how to properly do IT security, both for the steps above and for the next steps, and to stay aware of new threats (ransomware) and issues (0-days).
Ultimately, I hate making a list of just 10 things, so here’s a few more that come next.

11. Email filter for spam/phishing prevention.
12. Web browsing filter.
13. Password protect wireless access and limit it to corporate-managed devices.
14. User education and security awareness training.
15. Establish security policies and procedures.
16. Identify your industry regulations and compliance that you need to meet. Get help on these.
17. Establish hardware and software inventory systems. Know when something is lost or mysteriously new.
18. Run vulnerability assessments on servers/systems and prioritize/remediate findings.

terminal23 activity is ramping back up

Terminal23.net is back up and running! I’ve been absent for a few years due to life and a hardware failure. For years, I ran my site off a system sitting in the corner of my office, but its motherboard decided to finally die out. Life went by pretty quickly, but recently I got the itch to bring this site back up. I picked up a new motherboard and exported all of my contents into a proper format to move back up to a new hosting provider and into WordPress.

This is my first foray into WordPress, so I’ll be playing with the themes/appearance for a while here, and also doing some reviews of my old content to see what needs fixing. But, I have to say the export from MovableType3 into WordPress went far smoother than I had expected. The appearance is a different story. The current layout and theme settings are pretty close to my old site, but not quite close enough to my liking. Still, I’ll take what I can get in the short term here! The colors and general layout work for now. Maybe I’ll just code my own templates like I did previously…

The past 2 years have easily been my largest gap in blogging and having a web presence of my own since 1996. (I don’t count FaceBook or other smaller services.) A lot has changed, and yet a lot remains the same. Perhaps I’ll go into more detail as I decide where I want terminal23 to go or if I want to slice off a more personal blog or FaceBook presence off to the side.

I made terminal23.net for 3 primary reasons. First, I wanted to organize my own thoughts on security in a place that I could reference in the future, either to recall a tool, a script snippet, or just dump out some thoughts going through my head. Second, I wanted a curated place I could consume my favorite links that I found useful, from other blogs to web resources in the security world. Third, I wanted all of this to be viewable by any curious persons, especially those looking to see if I know anything about security and want to employ my services.

Looking back, I have 1724 published posts on this site dating back to 8/9/2004. Probably 98% of those posts are dealing with IT security to some extent or other, from tools to new scripts to commentary in general. During much of that time I had a more personal blog with 268 posts since 10/05/2001. And even older than that, I had a site presence of some sort since 1997/1996, though anything from those probably only exists on a floppy in some box somewhere.

At the time of my site going down, I had a listing of over 469 other security blogs, news sites, tools, and various resources. I do plan to bring those back, but they will take more time to check and port back in.

security articles to make your head spin

Are you looking for a security article that looks like it says a lot, but says nothing at all and ends up just making your eyes spin like that beer you’re going to chug tonight due directly to reading said article? Well, here’s four of them in succession! Just like those days in college with back-to-back-to-back-to-back vodka shots!

Over on the Tripwire blog, Pete Herzog guest writes several articles, starting with Three Ways Your Security is Actually Hurting Your Security. The other two articles are the second and third ways, but this one actually tackles: “You don’t know your attack surface.” Ok.

Second is Unbalanced Security is Increasing Your Attack Surface. It doesn’t take Pete long to get into two things. First, pimping OSSTMM. Second, spitting in everyone’s face who actually patches and updates software. He does both here. Oh, and he forces in a mention of his own security awareness training event at the end. I’m not sure where security awareness came into this discussion before then.

Next is Security Solutions that Fight for the Same Resources. Honestly, I’m not even going to go over this one. I have no idea what it’s trying to say. But we do stream-of-consciousness our way back to security awareness and his own workshop.

But wait! It’s not just three articles. Despite only one comment on the actual articles, we have this admission: “…we received many questions and comments on what it all means. Questions like: What products do you need to…” Right. So this series continues by not answering these supposed questions with The Meaning of Security Hype. (Ho boy, the irony.) This one is fun, since Pete talks about how bad security marketing is and how they market product categories to you like antivirus and antispam and firewalls and web app firewalls (that section is a mess), and antivirus again and then network monitoring. Never mind the fact that his own standards categorize things.

Now, having read various posts from Herzog over the years, these articles are not surprising. He tries very hard to make sure that analyzing security looks as tough as possible, so big and complicated and broad and fraught with analysis paralysis and the impossibility of getting the right answers that you need something like, oh…ISECOM or OSSTMM, to make sense of it all to formulate an effective security plan. Oh, and yes, they’re Herzog’s products. Go figure. (Speaking of things that make your head spin and cause you to actually get nothing done, go check those out.)

popping boxes at the pwn2own contest

NakedSecurity has a nice article on the current results of the CanSecWest PWN2OWN contest where attackers target popular web browsers and companion products for some public shaming. Between PWN2OWN and PWN4FUN, all 4 major web browsers (IE, Firefox, Chrome, Safari) exhibited security holes, with Safari even giving up privilege escalation into root.

Running IE is still a riskier position than running another browser (tempting attack surface, integration into OS, difficulty implementing user-gated authorization of scripts). But the takeaway from events like PWN2OWN is every browser has issues. Users still need to browse the web with care and turn off globally allowing scripting and other packages, no matter which particular web browser they use.

I always get crap for how web pages look in my browser as I disable so many things that sites want to load, but at least I have a little bit more assurance in the added security of my web browsing.

thoughts on star wars the old republic

I’ve been playing SWTOR since release, and thought I’d share some thoughts on it. In WoW, I really preferred playing a healer or even a tank role, and in SWTOR I do mostly the same thing. I have a 42 smuggler healer, a 20 jedi guardian tank, and a 22 bounty hunter tank. Plus I’ve essentially started a total of 8 toons, but the others are sitting at their Advanced Class choice and are either parked for the future or do some crafting for me.

First, I just want to say I love the Smuggler healer. I’ve played healer types for many years, and really like the mechanic of the smuggler, especially while I level, since I can indefinitely heal my companion against many heroics and random champions/elites in the world; I can solo content most others cannot, even other healers. This is due to the energy regen/balance that a Smuggler has to maintain, rather than your traditional mana pool which will always go down faster than it regens…

Second, tanking is not as easy as WoW (seriously, it’s *easy* since Wrath), and not quite as fun. Lots of blaster-firing ranged mobs force me to play tag quite a lot. In WoW, tanks have it easy with AoE threat, other than Druids who do have to play tag. Most SWTOR tanks feel more like a Druid tank, with the slight exception of the Bounty Hunter who has a few extra AoE tools. Still, if the DPS in the group decides to go after their own targets, they’re going to get a tongue-lashing from the healer because they *will* pull aggro on their own targets. Tanking in SWTOR is not designed for the tank to hit two buttons and all the enemies stick to him like glue. This is both good (skill! fun!) and bad (a bit frustrating). Just like leveling the Druid as an instance tank!

LIKES

– I care about my freakin’ character’s….character! Yes, I care about his motivations, friendships, choices, backstory, and forward story. In WoW, I didn’t even think about it because I’d never had a game until Skyrim and then SWTOR which gave me a taste of that sweet, sweet nectar. I love that you can make choices in responses, dark/light alignment, advanced classes, and other things that are really either/or choices. Too many games end up allowing you to eventually do everything, but there is some power in forcing a hard, permanent choice for players when done correctly, and I feel SWTOR hits it correctly. I think in part because there’s no optimum answer. Many games with a hidden alignment choice (good/evil) end up agonizing players because they want to know which option is either the best one or ends up being the one they want, but in SWTOR, it really ends up not mattering to the min/max audience. Once you accept that and get into the character, it’s very satisfying.

– All the classes/playstyles. The game touts 8 classes, but really there are many more. Each of the 8 classes makes a choice at level 10 for their Advanced Class. Each Advanced Class then opens up the 3 available talent trees (2 unique, 1 shared between both Advanced Classes). This means that you could make 16 toons, and not have any duplicated talent trees. Honestly, it’s a bit less than that, since some characters will play relatively similarly, but there are more playstyles to experience than just the raw 8 classes. (In WoW, there are 10 classes; and while there are multiple trees in each, you can always respec into them once you get max level. In SWTOR, you can’t respec to the other Advanced Class. In WoW, you’d only ever make one Horde Druid, but in SWTOR, you can make a Scoundrel Smuggler and a Gunslinger Smuggler on the Republic side, and still be entirely different.)

– Story, story, story. It’s freakin’ Star Wars. And it has great storylines! My smuggler has ‘scored’ with 5 ladies so far (one a repeat customer), my imperials have executed and tortured multiple innocents, and I have an ability called “Shoot First.” (Yes, my smuggler has that. Yes, I love Bioware just for that one thing.) The way story stuff is integrated into the world is really neat, and really does change the feel of an entire planet’s experience.

– The Dark Side is really dark. In fact, strikingly dark. I tortured, executed, and murdered at least 4 people before my first Sith was level 10. Many Dark Side choices are actually uncomfortable, and I applaud Bioware for being ballsy in that regard. The original Star Wars movies were not kid’s movies, but they were kid-approachable. The later movies were kid’s movies, and their non-lasting impact is increasingly clear.

DISLIKES

– No LFG system. Granted, this is a rather recent WoW addition, but oh my god is it awesome. I honestly put the LFG tool in WoW as one of the top two additions since launch, if not the top addition. For reformed hardcore players like me who just want a casual experience on my own time, the LFG system is an absolute godsend. SWTOR needs one. Badly. (And it is in the works, supposedly patch 1.3, which is probably 3ish months away or more…)

– The UI needs work. I really miss a few things like seeing target’s target and focus windows, especially as a healer/tank role. The UI also needs a lot of help to assist with crafting and playing the auction house (galactic trade network). It’s really a pain in the ass to craft, right now. I do kinda like that macros and addons are not supported, since you kinda eventually become a slave to them, but I do wish some of the more useful changes to the UI were included.

– The level designers made great, beautiful, HUGE maps and planets and buildings. But damn are some of them unnecessarily huge. They’re great to behold early on…until you have to run through them to make sure you didn’t miss a quest-giver in the corner of the second floor of the Senate. Oof!

– I kinda wish the dialogue wheel, where you choose your character’s responses to various cutscenes, were more accurate. I really dislike choosing what I think is a witty response, only to have my guy say it completely unexpectedly and with a sarcastic, mean tone that I totally didn’t anticipate and pisses off my companion.

– I am looking forward to more content. In WoW, you could level up your toon in Kalimdor. Or Eastern Kingdoms. You could do so in the Dwarven area, or the Elwynn area. In other words, you could level 3-4 characters and never see the same content/quests until quite a bit later into the game. For SWTOR, you really will see the same planets and quests with your second toon as you did with the first, though all the storyline stuff will be different. Still, I look forward to more content in the future so that I can level other toons in different areas. (This might be really hard, since the story line stuff that goes up to around level 35ish is pretty set on specific planets…Bioware may have pigeon-holed themselves in that regard, but we’ll see!)

meetup.com suffering through sophisticated ddos attack

So I’m reading over at Naked Security about Meetup.com suffering a DDoS over the past week and a Meetup.com CEO post that said:

The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated.

Amateurs with a sophisticated attack. Wait what? Dropping the S word gives me Sad face.

Anyway, this is a great chance for discussion on how a business would go about preventing DDoS and/or reacting to it at the moment it happens (assuming some or no prevention in the first place). DDoS is not *that* sophisticated of an attack, but prevention and reaction is often sophisticated. Oh, and expensive.

Having not actually worked at a company that suffered a DDoS attack, I’d only be guessing based on research and second-hand info, so I’ll just sit around with some popcorn for the moment.

This is also a great opportunity for Meetup.com to show off what they *did* do for this sort of attack. Though I doubt they have a more technical blog, which is a shame.

web services for port probing outbound and inbound

Don’t have things set up at home and need to probe an open port from inside a network? Try out portquiz.net which listens on all TCP ports.

Need something to probe an external port (maybe because you can’t hairpin to the external interface on your firewall)? Try out www.t1shopper.com/tools/port-scan/.

I have no affiliation with these, nor do I attest to their legitimacy. Just tools available out on the web. I use these to test out logs/firewalls.
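As an added example (mine, not from the post, and not affiliated with either service), the following Python probe uses the first approach from inside a network: because portquiz.net answers on every TCP port, a connection that does not complete means the outbound path is blocking that port, rather than that nothing is listening. The port list is an assumption, and the local self-check creates its own listener so the probe logic can be exercised offline.

```python
"""Egress port probe against a listen-on-all-ports host (added example; not from the post).

portquiz.net answers on every TCP port, so a probe that fails from inside a
network means the path out (firewall, proxy, ISP) does not allow that port.
Against any other host a failure may simply mean nothing listens there.
The port list and default host are assumptions for the demo.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unreachable or unresolvable: all mean "not open from here"
        return False


def probe_ports(host: str, ports, timeout: float = 2.0, workers: int = 16) -> dict:
    """Probe several ports concurrently; returns {port: reachable} in the order given."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports))


def egress_report(host: str = "portquiz.net",
                  ports=(21, 22, 25, 53, 80, 443, 3389, 8080)) -> dict:
    """Split ports into those the outbound path allows and those it blocks."""
    results = probe_ports(host, ports)
    return {
        "allowed": sorted(p for p, ok in results.items() if ok),
        "blocked": sorted(p for p, ok in results.items() if not ok),
    }


def local_selfcheck() -> dict:
    """Offline sanity check of the probe: one listening local port, one just-closed port.

    Run this before trusting a verdict from a real network, so that a broken
    probe is not mistaken for a blocked port. Expected: {open: True, closed: False}.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return probe_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    print("self-check:", local_selfcheck())
    report = egress_report()
    print("egress allowed:", report["allowed"])
    print("egress blocked:", report["blocked"])
```

Compare the report from different segments (guest wireless, workstation VLAN, server VLAN) against what the firewall policy claims, and check that the blocked attempts show up in the firewall log; that is the log-testing use the post mentions. Inbound checks still need an outside vantage point, which is what the second service above provides.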

neiman marcus breach info from businessweek

Just like Target, we’re hopefully going to hear a lot more about the Neiman Marcus breach. Such as Sophos’ Naked Security reporting on a businessweek article: Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data. Quotes below will be from the businessweek article.

…a spokeswoman for Neiman Marcus, says the hackers were sophisticated…

Has there ever been a newsworthy breach that was *not* described by the victim as “sophisticated?” Please, stop. Even if they were, please stop with the implied excuse that they were sophisticated and thus oh so hard to prevent so please sympathize with us. /fairmaidenindistressvoice

According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred.

Pray tell what data security requirements these were: internal? industry? PCI? And I require an explanation of why the requirements were met and yet an attack succeeded, not only in penetrating a network, but remaining in a network, planting code repeatedly on trusted devices, and exfiltrating card data. I’m not saying that security needs to be perfect or that requirements need to result in perfect security. But this is a gray line that needs to be spelled out. Otherwise I can make a shitty security policy, get hacked, and say the exact same line like it matters. “We were compliant with standards at the time the attack occurred.” Something clearly broke down or was missed. I need to learn from that.

The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report. The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.

This is always a security bugaboo just waiting to bite someone; and it *will* *always* bite someone. Either you turn this on and get things stopped that should be stopped…and almost certainly hamper maintenance or legitimate business and incur the wrath of business managers…or you let it run much looser and not get in the way of business and hope your eyeballs catch the bad things. This is always a tough proposition for anyone except the largest of companies. I do actually sympathize on this, while at the same time wishing they had done it correctly (which itself is a moving target).

“These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,”

If there is an elephant in the room where we’re talking about digital security, then there’s a room outside the one we all look at, and inside *that* room is a larger elephant. And that elephant is alert tuning and watching. No product turns on and is correct out of the box. This means every organization has a different posture on those tools that throw alarms. This means every organization’s alarm posture is dependent on their security staff. In addition, it is dependent on the security staff to sift through whatever alarms there are plus, when they can, sift through the false alarms just to make sure nothing weird is going on. All of this is hard, freakin’ work; time-consuming work; and is never seen as a value-add to anyone except organizations whose security is core to their business. And if you think Neiman Marcus has it bad, visit any SMB in the country.

Should someone have noticed a nightly deletion of code off trusted devices? Maybe. I would kinda like to think so, but the realist in me is shaking his head in a not-positive fashion.
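Whether a nightly deletion would have been noticed depends on whether anyone is looking for regularity rather than volume. As an added example (mine, not the article’s or the investigators’ tooling), this Python snippet groups endpoint-protection log entries by host, event and detail and flags groups that recur at a steady daily interval, which is a different signal from "loud". The log format, hostnames, paths and the seven days of entries are constructed for the demo.

```python
"""Find low-volume, periodic alerts buried in endpoint-protection logs (added example,
not from the article or the post). Constructed log format:
"<date> <time> <host> <event> <detail>"; hosts, events and paths are invented for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event>\S+) (?P<detail>.*)$")


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["host"], m["event"], m["detail"])


def find_periodic(lines, min_events=5, period_hours=24.0, tolerance_hours=2.0):
    """Flag (host, event, detail) triples that recur at a steady interval.

    A nightly 'quarantined again' on the same host is rare per day but regular;
    hourly scan summaries recur too, but at the wrong period, so they do not match.
    """
    groups = defaultdict(list)
    total = 0
    for ts, host, event, detail in parse(lines):
        total += 1
        groups[(host, event, detail)].append(ts)
    hits = []
    for (host, event, detail), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_hours) <= tolerance_hours for g in gaps):
            hits.append({
                "host": host, "event": event, "detail": detail,
                "count": len(stamps),
                "median_gap_h": round(statistics.median(gaps), 2),
                "share_pct": round(100.0 * len(stamps) / total, 2),  # how little of the log this is
            })
    return sorted(hits, key=lambda h: h["host"])


def build_sample_log():
    """Constructed sample: seven days of entries, not real logs."""
    lines = []
    base = datetime(2013, 7, 1)
    for day in range(7):
        d = base + timedelta(days=day)
        # low-volume but nightly: the same dropper re-quarantined on two registers around 02:13
        for host, minute in (("POS-017", 13), ("POS-041", 14)):
            t = d + timedelta(hours=2, minutes=minute, seconds=(day * 7) % 60)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} {host} QUARANTINE C:\\Windows\\Temp\\svchost32.exe")
        # high-volume background: an hourly scan summary from an office workstation
        for hour in range(24):
            t = d + timedelta(hours=hour)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} HR-WS-03 SCAN_SUMMARY clean")
        # irregular one-offs that should not be flagged
        if day in (0, 2, 3, 6):
            t = d + timedelta(hours=9 + day, minutes=11 * day)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} HR-WS-03 PUA_DETECTED toolbar.exe")
    return lines


if __name__ == "__main__":
    for hit in find_periodic(build_sample_log()):
        print(hit)
```

Against real logs the interesting output is the tail: a handful of entries per day that arrive on a schedule. Raising min_events and narrowing the tolerance cut the false positives from legitimate scheduled jobs, and the share_pct field makes the "1 percent or less of daily entries" point visible; a periodic group that is a tiny share of the volume is exactly the kind of thing a volume-sorted dashboard hides.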

Sticking to the elephant in the room that contains the room; there is yet another one outside of even *that* room. And that room has a nastier elephant in it. This elephant does just one thing, he recites this litany: “If you staff a security team and they silently stop everything, the company will see them as unnecessary and cut back.” Often, a business only “sees” IT when issues happen. If everything is smooth, then clearly their job is easy and they can absorb cutbacks. So you kinda want to be good, but not so good that everyone wonders if you’re even doing anything. “I’m blocking attacks every day!” “Yeah, but *are* you really?” You gotta prove that to non-technical stakeholders.

“In an ideal world, your card-data network should be completely segmented from the general-purpose network,” said Robert Sadowski, director of technology solutions at RSA Security, a division of EMC (EMC). “Unfortunately, an ideal world is often different than reality.”

It’s like we’re on a safari, since that’s another elephant in the corner! It’s very easy to talk about segmentation and separation. It’s easy to pad diagrams and plans and even sneak in talk about VLANs and traditional broadcast separation. But pull up those covers, and you’ll see a long gray snout and sad black eyes looking up at you. True separation is difficult. It means a separate core, separate switches, separate virtualization hosts if you’re a virtual shop, separate Internet links if you have many remote locations, or at least heavy separation with access control devices (ACLs or firewalls, pretty much) in place between the two. When you get strict about it, that shit gets expensive to a business very quickly.

Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.

I always mention this as a way to say, “So, how was the breach noticed?” Kudos to the processors and banks and such for having fraud departments that investigate things like this. And those people who trawl carder sites for new caches of numbers and who try to identify where they come from and alert proper authorities. Clearly corporations are going to continue to need and rely upon this backwards alerting. “Oh crap, I’m glad someone was watching that pawn shop. I had no idea my house was broken into until someone said they saw my television in the pawn shop window.” (Ok, that’s not totally fair, since data isn’t removed, rather copied…)

The Target hackers used a protocol known as FTP, for file transfer protocol, to extract the card data, Raff said. The Neiman Marcus hackers used custom hacking software and sent the data out through a virtual private network, or VPN, Raff said, based on facts from the report.

No. At this point I’m spent. I don’t even want to go into how a VPN was set up on what I guess was the compromised central server that was in both protected and Internet-facing networks. (It’s the former bit of that sentence that I don’t like; not the latter; which is necessary.) However, kudos on the attackers for encrypting their exfiltrated data.

Nothing has been said about the initial breach into the network, but it’s almost certainly that server that is internet-facing that was mentioned in the article. Here’s hoping it’s Windows running asp.net and not patched…

2-factor auth, target, remote access, and segregation

For the next year, we’re going to hear a ton of speculation and details and suggestions and eventually facts on the recent Target data breach. Whee! It is, however, a personal pet peeve when expectations are made higher than they should be. Case in point follows!

So Target was breached, and Brian Krebs posted an article about how the attackers may have (read: probably) piggy-backed into the Target network by using the credentials of a third party vendor who apparently provided project management services (or HVAC services, the actual business relationship details are vague) to Target and thus had the ability to remotely connect to Target’s network. Makes sense!

Sophos’ Naked Security blog jumps in as well with Did the crooks who broke into Target tailgate the cleaners? and A hearty welcome to all Cyberoamers! The combination of these articles triggers a few thoughts.

First, it’s “easy” to require two-factor authentication for individual users. It’s more difficult to require it for an entire vendor. Who at the vendor gets the other auth factors? Do they share them? Is it software-based? There are logistics questions going on here that make this an annoying task, especially when something like this is planned, requested, and completed more than likely without any oversight in many companies. This is because it’s easier to just do it, and not involve cost centers like security.

Second, I don’t want alarms on remote connections occurring at 2am. I’m sorry, a firm may not have any business connecting at that time (this is why you time-box accounts or the remote connection portal), but sometimes someone may be burning the midnight oil and I don’t want to spend much time chasing these things down every morning when I check out my SIEM dashboard. Yes, you should log these. No, these aren’t valid alarms that should have, on their own, scrambled the security teams.

Third, HVAC and/or physical equipment vendors do routinely require some sort of remote access. This isn’t strange or rare, and is probably especially true when your business owns and operates, in full, building facilities in hundreds of locations.

Fourth, it’s probably not uncommon that the same pipes that connect remote facilities vendors to your remote facilities also connect your payment and data communication to your remote facilities. It’s annoying (not impossible, but highly annoying and costly) to get those truly separated. In other words, I think it would be, very strictly speaking, very annoying to truly segregate retail payment in-scope systems and networks from those that are not in-scope for PCI. This is because it’s easier to just do it, and not involve cost centers like security and IT, which then have to solve the above headaches and I can tell you it won’t affect the retail business revenues in any positive way.

Now, I’ll admit I’m nitpicking here. The major questions still remain, as the articles all ask: Why did this third party have access to not only, apparently, the full internal Target network, but access into every remote facility? (I know, it’s easier to just make normal accounts than to take the time to lock them down or limit their scope with whatever remote access tools you’re using.) Why are the payment systems not segregated? (Despite being annoying, this is *still* a valid question to keep on the table.) Where was the rest of the monitoring such as on POS systems, netflow traffic egress, and so on?
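To put the time-boxing and scoping point into something that runs, here is an added example (mine, not from the post or from the Krebs or Sophos articles) in Python: each vendor account gets an agreed access window, a set of zones it may reach and a cap on how many sites it should be touching. A 2am login inside scope is counted, not alerted on; a login into a payment-zone host, or a fan-out across many sites, is. The account names, hostname convention, zone names and log lines are all assumptions.

```python
"""Review vendor remote-access logs against a per-account policy (added example; not
from the post or the articles it cites). Account names, zone naming convention,
log format and the sample entries are all constructed for the demo.

An off-window login is logged and counted, not alerted on by itself; a vendor
account reaching a zone outside its scope, or spreading across more sites than
it has any business touching, is what pages someone.
"""
import re
from collections import defaultdict
from datetime import datetime, time

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<src>\S+) -> (?P<dst>\S+)$")

# assumption: the hostname prefix says which network zone a system lives in
ZONE_PREFIXES = {"hvac-": "facilities", "bms-": "facilities", "pos-": "payment", "dc-": "corp"}

POLICY = {
    # assumption: the HVAC vendor works a day shift and may only touch facilities gear
    "vendor-hvac": {"window": (time(7, 0), time(19, 0)), "zones": {"facilities"}, "max_sites": 3},
}


def zone_of(host: str) -> str:
    for prefix, zone in ZONE_PREFIXES.items():
        if host.startswith(prefix):
            return zone
    return "unknown"


def site_of(host: str) -> str:
    """Assumption: hostnames look like <role>-<site>-<n>."""
    parts = host.split("-")
    return parts[1] if len(parts) >= 2 else host


def review(lines, policy=POLICY) -> dict:
    alerts, offhours, sites = [], defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] not in policy:
            continue  # ignore unparseable lines and accounts this rule does not cover
        user, dst = m["user"], m["dst"]
        rule = policy[user]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        start, end = rule["window"]
        if not (start <= ts.time() <= end):
            offhours[user] += 1  # worth a log line and a daily count, not a page
        zone = zone_of(dst)
        if zone not in rule["zones"]:
            alerts.append({"severity": "high", "user": user, "dst": dst,
                           "reason": f"reached {zone} zone, outside {sorted(rule['zones'])}"})
        sites[user].add(site_of(dst))
    for user, seen in sites.items():
        limit = policy[user]["max_sites"]
        if len(seen) > limit:
            alerts.append({"severity": "medium", "user": user, "dst": None,
                           "reason": f"touched {len(seen)} sites, limit {limit}"})
    return {"alerts": alerts, "offhours_logins": dict(offhours)}


# constructed sample lines, not real data
SAMPLE_LOG = [
    "2013-11-15 02:10:31 vendor-hvac 203.0.113.10 -> hvac-store0412-1",  # 2am, in scope: count only
    "2013-11-15 09:05:02 vendor-hvac 203.0.113.10 -> hvac-store0412-1",
    "2013-11-16 10:12:44 vendor-hvac 203.0.113.10 -> bms-store0977-2",
    "2013-11-16 10:40:09 vendor-hvac 203.0.113.10 -> pos-store0977-3",   # payment zone: alert
    "2013-11-17 11:00:00 vendor-hvac 203.0.113.10 -> hvac-store1201-1",
    "2013-11-17 11:30:00 vendor-hvac 203.0.113.10 -> hvac-store1312-1",
    "2013-11-17 11:45:00 vendor-hvac 203.0.113.10 -> hvac-store1450-1",  # fifth site: alert
    "2013-11-17 12:00:00 jdoe 10.0.0.5 -> dc-01",                        # not a vendor account
]


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

The scoping data (window, zones, max_sites) is the part most shops never write down. Once it exists it can be enforced at the remote-access gateway as well as checked in the SIEM, and the off-hours count becomes a line in a morning summary instead of a 2am page.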

Damn, IT and security cost so much money! 🙂

been distracted lately

I thought I would get one last post on this site before 2013 rolled over, but much like most of 2013, I didn’t get anything out. There have been a few reasons for this, which I may as well throw out for posterity.

1- Not much new to say about security. Eventually, you do kinda get sick of the same old thing in security. Lots of people whine about this and say we’re not innovating or doing security in some new way that will win the War. I think that’s a lame way to look at it, and not correct at all. It’s not like security/insecurity evolves on its own; both are functions of technology in general, and follow along behind. And there’s no real win there; security will *always* be behind the curve. But still, it does get annoying when you have really nothing actually *new* to say.

2- Fucking Google killed Reader and fucking Twitter killed older API-using clients. My dearth of posts on this site corresponds to my lack of posts on Twitter. This is because, at nearly the same time, Google killed my preferred RSS feed reader of choice (and by preferred, I mean, preferred by a long shot) and Twitter shut off support for their older API, which killed my preferred Twitter client of choice, DestroyTwitter. I liked DestroyTwitter because it worked on both my Linux and Windows systems as a standalone client. I really have yet to *like* any others I’ve tried. I’ve sort of moved to Feedly for RSS feeds, but I just haven’t made it a normal part of my day/week like Google Reader was. I have yet to adopt a new Twitter client. Both of these make me feel very disconnected.

3. Been a busy year in general for me, both personal and work. Work has been busy with lots of changes and…challenges. On the personal front, I’ve just kept my interests elsewhere for the most part. The older you get, the more you realize you only have so much time in a day. Tinkering with security-related stuff sort of took a backseat for the year after Twitter and Google cut me off. I’ve hung out in the main lobby, but have not delved deeper into back rooms.

No really huge, big, crazy reasons. Just sort of a break, which I do every now and then since I’ve had a blog of some sort since 2001 or so.

the worst security questionnaire questions

Probably the worst thing about business-to-business (B2B) security questionnaires is that you know 90% of them are being required, but never really reviewed. You can sort of answer anything, and as long as you have a “yes” or check mark of any sort, the reviewer isn’t smart enough to dig further. (Kinda like PCI QSAs!) Because of this situation where not-smart people are reviewing these answers, there are some questions I dread. Especially when someone gets a burr up their ass about better answering a question they don’t understand, i.e. achieving that checkbox!

So, what is your least favorite question to read on B2B security questionnaires?

For me, it is any question that involves DDoS protection. I work for an SMB. Our DDoS protection is pretty much hitting the low items.

1. We monitor bandwidth and servers and services to know when any are saturated or having resource issues.

2. We will work with our upstream ISP in the event we need their help in limiting inbound traffic to us.

3. Our standard for systems and processes is to provide for both high availability and disaster recovery/BCP. (In fact, we’re pretty nicely set up that way for an SMB of our size.)

4. As a bonus, we do have some capability to do some traffic threshold monitoring, shaping, and shunning with our firewall/IPS and web load balancer combo, but that is only after the traffic makes its way to us.

But if someone wants that answer to be better and more pro-active, you cause me to drink some more. Because what that really says is I should spend a good 100-250k on DDoS protection software (that won’t itself promise anything anyway) and a staff member to hold its hand, so that our checkmark in that DDoS box is a little more heavily outlined (and yet still not necessarily truthful). And even with that spend, there are multiple other places where a DDoS may occur. Wireless access on our campus. Email blasts. Legitimate traffic that exceeds what anyone planned for that fills our bandwidth/drops our firewalls/keels over web servers/overwhelms database servers/etc. Most of the time people who think about DDoS are just thinking about junk traffic filling up their Internet bandwidth, or maybe one step further and looking for known, singular resource-gouging attacks like a ping of death or SlowLoris or something. But, what about poorly written code in your custom application that bogs down resources that no tool is going to drop into place and automatically detect because, well, it’s custom code?

Anyway, coming in a close second to DDoS questions are Web App Firewall questions. Sure we have one, but is anyone actually making it useful to the custom apps it is protecting? Nope, not beyond the obvious like a 1000+ character URL (Apache issue from 10 years ago) or a GET for root.exe…

sophos security threat report 2014

If you collect annual security and threat reports like I sure do, you’ll want to not miss the Sophos Security Threat Report 2014 like I did. If you follow the security news all year, nothing in here is particularly surprising, but a report like this is nice to whip out when a middle-manager wants to defend Android in the enterprise as being secure (da fuq?) or some other such nonsense. Happy reading!

rogue iis modules

Interesting story for those of us who administer IIS 7+ web servers: “The Curious Case of the Malicious IIS Module” from SpiderLabs. As sort of shown in the article, even an SSL-wrapped site isn’t safe, since once you’re inside IIS, you’re actually behind the SSL encryption process which is handled in the OS starting with IIS 7/Win2008. Even in earlier versions, getting that far gives you unencrypted visibility, pretty much.

The upside is that if someone has this level of access to drop a new IIS module on your web server, they likely have access to just flat out change your code. So other than particularly nefarious attackers or automated tools that just do it for them, I’d not expect to see rogue IIS modules. However, this is definitely something to look for in modern IIS web servers: inventory the modules that are loaded, poll that inventory regularly, and alarm whenever a new one appears.
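One way to do that inventory-and-alarm check, as an added example that is not from the SpiderLabs article or this post: a Python script that parses the `<globalModules>` section of applicationHost.config (the native-module registry for IIS 7+) and diffs it against a baseline saved from a known-good server. The config snippet, the baseline and the module name "SampleHijack" are constructed for the demonstration; the real file lives under %windir%\System32\inetsrv\config\ and is larger.

```python
"""Baseline-and-diff check for IIS native (global) modules.

Added example; the sample config and baseline below are constructed.
Managed modules (<modules>) can be inventoried the same way.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed applicationHost.config: one unknown module
# ("SampleHijack"), one known module whose DLL path was swapped, and
# one baseline module that is missing entirely.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="C:\\inetpub\\temp\\static.dll" />
      <add name="SampleHijack" image="C:\\inetpub\\temp\\sample.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Baseline {module name: DLL image} captured from a known-good server
# (constructed here; in practice keep it off the web server itself).
BASELINE = {
    "HttpLoggingModule": "%windir%\\System32\\inetsrv\\loghttp.dll",
    "StaticFileModule": "%windir%\\System32\\inetsrv\\static.dll",
    "DefaultDocumentModule": "%windir%\\System32\\inetsrv\\defdoc.dll",
}


def parse_global_modules(config_xml: str) -> dict:
    """Return {module name: image path} from <globalModules>."""
    root = ET.fromstring(config_xml)
    return {add.get("name"): add.get("image", "")
            for add in root.iterfind("./system.webServer/globalModules/add")}


def diff_modules(current: dict, baseline: dict) -> dict:
    """Classify drift: new names, changed DLL paths, and missing modules."""
    return {
        "added": sorted(n for n in current if n not in baseline),
        "changed": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "removed": sorted(n for n in baseline if n not in current),
    }


def check_config(config_xml: str, baseline: dict) -> dict:
    """Parse the config and return the drift report; any non-empty list is an alert."""
    return diff_modules(parse_global_modules(config_xml), baseline)


if __name__ == "__main__":
    for kind, names in check_config(SAMPLE_CONFIG, BASELINE).items():
        for name in names:
            print(f"ALERT {kind}: {name}")
```

A changed image path matters as much as a new name, since a module can be replaced in place without touching the registered name; comparing file hashes of the listed DLLs would tighten this further.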

directing the digital device life

I have a disaster recovery test this weekend, and as I prepared my survival pack of distractions and entertainment in the case of an all-nighter, I reminded myself I have a shit load of digital devices these days. What’s silly is I’m not necessarily an early adopter nor a gadget hound…

I have a smartphone. (HTC Thunderbolt)
I have an mp3 player. (Cowon J3)
I have an mp3 player in my car. (4th gen iPod)
I have a running-friendly mp3 player. (Cowon iAudio 7)
I have a portable media player. (Cowon A3)
I have a mobile gaming console. (Gameboy Advance SP)
I have a mobile gaming emulator. (rooted “fat” PSP)
I have a tablet e-reader. (Nook Color)
I have a netbook. (Asus Eee PC)
I have laptops. (from 6 to 10 years old)

Amazingly, I don’t have a digital camera or standalone GPS device.

That’s a crazy amount of digital devices, all of which do various things and have actual uses in my life. I hesitate to say “day” because some of these don’t get used all that often (PSP with its crappy thumbpad). I’m even toying with the idea of getting a Nintendo 3DS (probably not) or a new laptop (probably will).

Thankfully these devices are getting smaller and smaller (laptops excluded) so I can port them easily.

What sucks the most is that manufacturers are trying to package various roles into one device, namely all the smartphones and tablets trying to do multiple things. Which drags in people like me who really want good devices that do specific things which also aren’t locked behind DRM, digital walls, or untrusted apps.

I got over someone managing my digital life when I left AOL in the mid 90s.

I really fear the demise of standalone gaming and mp3 devices. That really blows for me, because whenever I play games on my tablet or smartphone, I’m constantly reminded that the roots of mobile gaming as we see it today are Flash games. Addictive but ultimately utterly unfulfilling and pointless when compared to the “real” gaming industry (PC and consoles).

Give me 10 games on a Nintendo device over 1,000 games on a smartphone any day.

The music service industry is also in a strange state of flux where services are now looking to tap into, sort of, what Netflix is doing: rental. You can sign up for a service via a subscription fee and then listen to whatever you want; sort of a leased music collection. While Netflix suffers from not having most of the movies I’d love to have in my collection (my own or leased)

Give me music files I actually can move around and store and use on my own.

are these really 10 things enterprises should ban?

An article posted by eWeek titled, “10 Disruptive Online Services Enterprises Should Ban From the Network”, is just ripe for looking at. And I’m not even going to start at the overly blatant buzzword forced into that title.

0. Just to start out, I dislike when “security” and “productivity” get thrown into the same discussion, especially in front of the IT folks. Security is an IT concern (and everyone’s if you want to get picky), but productivity is a managerial (and corporate/HR) concern. Not an IT one. So we’re already muddying the waters on this topic.

00. Oh, and I should also mention that more than likely many years ago, the phone was probably considered a time waster as well. How dare people have the chance to make personal phone calls during work time! For shame.

1. YouTube – I agree that YouTube is a time-waster. And one can also make the case for it being a bandwidth drain. But keeping employees away from YouTube can be a bit of a forced disconnect with the rest of the world. Need to check out a song quickly and easily? YouTube. Need to check out a commercial or ad from the past? YouTube. Need to network with clients and their userbase? Need to watch a vendor video on how to implement a new appliance? Conference talk you missed on physical security? YouTube is a remarkable site with a multitude of personal and professional uses for almost every employee at some point during their tenure.

2. Facebook – Again, I’ll agree there are people who waste way too much time on this site. But, I’d say there are plenty of people who do network via Facebook, even so much as researching potential clients or contacts. Yes, this is still the realm of marketing and sales (and maybe anyone who touches clients/customers), but it’s really silly when a company has a marketing team with a Facebook presence, but does not allow employee access to Facebook. I mean, really? Do you *really* value it, in that case? Would it not be helpful to have “free” Likes from your employees (without begging for it, of course)? I’d agree, though, that many people don’t really have any work reason to be on Facebook other than personal reasons.

000. Back in the day, network admins got serious about security and started putting up firewalls. Eventually, enlightened users started tunneling the services they wanted. Later on, IT (and HR) started blocking personal sites as time wasters. So employees worked around it by riding the mobile and particularly cell device wave. There’s a lesson in there…

3. Twitter – Twitter is not for everyone, but I find more work-related value in Twitter than personal. There have been numerous times that I’ve heard about a breach or new 0-day or patch via the masses on Twitter. There have been times I’ve been really early in explaining some outage because the vendor/site/service had a Twitter feed I could check. This takes some personal energy to make it useful in a work sense, but it’s ridiculous to block it these days.

4. Social gaming sites – No argument here on this one. 🙂 Why might a company not block these? Maybe because it costs money to block sites; costs time to administrate it; and the chosen vendor may not be all that great at blocking them all. There are technology reasons for lack of coverage. Just sayin’.

5. Adult-oriented sites – Duh! 🙂

6. Vine social video-sharing site – I admit. My first reaction: “Vine what?” So I can’t really say why this is good or bad, but the article didn’t even begin to convince me this is bad.

7. Any shopping site with poor security and a worse reputation – What? No really, what? This paragraph doesn’t make sense. Anyway…this is still pretty dumb. No IT or security person wants to play ethics cop on sites, and then argue with users about it when they can’t buy whatever just because the site looks like it was made in 1997. This is why we rely on categories and the people/algorithms behind the scenes at the vendors to make these decisions. And even then, unless a site has a clearly detailed infraction, a user won’t understand the block and will raise a stink. It’s just not worth the time, usually. (I’m sad the author didn’t tap into the benefit of IT helping keep employees safe by not allowing them to put their personal financial data at risk with known bad sites, but whatever. It’s a feel-good bit of theater to present it that way.)

8. Pandora – We can again take the bandwidth angle here, but if you, as a company, want to take the stance of being anti-Pandora, you’re really taking the stance of being anti-streaming music. And good luck blocking them all. The benefit of employees being able to just listen to what they want and do their work is probably worth it. I mean, how many employees spend *that* much time curating their music libraries?

9. Security software sites – This bullet point pretty much tells me the author has not ever been a security or IT admin, or even desktop support for a decent company. The answer to this is not to chase down and block sites, but to restrict access on the endpoint system. And for those who do desktop support, it would really suck to have some big issue that needs cleaning while sitting at the user system, and not be able to get to a site for information or tools or updates. For users who are admins, this is where we talk about software inventory, policy, and auditing.

10. Anonymizer web tools – This item does have merit. But at some point we’re talking about wasting some poor admin’s time chasing down these tools, rather than having managers do their job with managing employees and their productivity. Or auditing surfing habits and enforcing computer usage policies. And to block “online instructions?” You mean scour forums and block any that offer any proxy/VPN solutions to the common question of how to bypass work filters? If a web filter has this as a category, it probably can be turned on, but more than likely you want a web filter that inspects the data flows and drops unknown protocols/tunnels. Nonetheless, if an employee is actively making this sort of effort to bypass policies, that should be more than enough to involve HR/management.

0000. No Skype? No IM? No Dropbox? No Gmail? No gun sites? No hate sites? No known malware sites? What the fuck, man? That’s not even WTF, that’s “What the fuck?”