dan morrill on ethics in information security

I’ve been so terribly busy these past few weeks that I’ve not been able to keep up much with the blogs and news out there! However, one article I am very glad to have gotten to is a quick read from Dan Morrill that touches so many pain/pressure points for our industry. Need a conversation-starter with your fellow geeks? Pick a paragraph from this post and start yammering. Basically, this post is our life in a nutshell right now.

My only concern is how we can actually win battles. I should define that: in this case, I consider the enemy to be the attackers. The only way we truly win against them is to catch them in the act and shut them down. Defending against their attacks is nothing more than being a hockey goalie slapping away shots on goal. We’re not often allowed to cross the center line and delve into the attacker’s territory, at least not with the blessing of our organization, unless we happen to work for law enforcement.

Of course, one can attack this position by modifying my definition of who the enemy is. If our battle is against the attacks, we certainly can win battles, many of them, and make progress. We can limit the attacks that affect us or that we have to worry about, deflect the ones we do have to worry about, and detect the ones that make it through our gauntlet of defenses. We win battles every day when a random IP fails to brute-force our SSH server, or a request for scripts/root.exe fails against our web servers.

sending mail in powershell: mail message objects

I’ve made a previous post about sending email in PowerShell. Some additional notes I have found include creating the mail message as an object rather than passing straight strings. I also wanted to make multi-line emails (carriage return, line feed, second line…), which is easier when creating the message as an object. One could properly declare the email address string as a MailAddress object, but I just let PowerShell auto-convert it for me.

# SMTP client; with the IIS pickup directory no host or port is needed
$smtp = New-Object System.Net.Mail.SmtpClient
$smtp.DeliveryMethod = "PickupDirectoryFromIis"
# Build the message as an object instead of passing strings to Send()
$objMailMessage = New-Object System.Net.Mail.MailMessage
$objMailMessage.From = "michael@server.com"      # string is auto-converted to a MailAddress
$objMailMessage.To.Add("michael@server.com")     # To is a collection; call Add() once per recipient
$objMailMessage.Subject = "Subject line."
# `n inside double quotes is a line feed; use `r`n if you want a CR/LF pair
$objMailMessage.Body = "Hello `nThis is a second line."
$smtp.Send($objMailMessage)
$objMailMessage.Dispose()                         # release any attachment streams
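As an added example (not code from the original post) that goes a bit beyond the snippet above: the addresses are built as System.Net.Mail.MailAddress objects with display names, several recipients are added, the multi-line body is joined with CR/LF explicitly, and the message goes through a named SMTP relay instead of the IIS pickup directory. The relay host, port and all addresses are assumptions for illustration.

```powershell
# Added example, not from the original post. The relay host, port and
# addresses are assumed values; change them for your environment.
$smtpHost = 'smtp.example.com'   # assumed relay
$smtpPort = 25

# MailAddress objects set the display name explicitly instead of relying on
# PowerShell's string-to-MailAddress conversion.
$from = New-Object -TypeName System.Net.Mail.MailAddress -ArgumentList 'alerts@example.com', 'Security Alerts'
$recipients = @(
    (New-Object -TypeName System.Net.Mail.MailAddress -ArgumentList 'michael@example.com', 'Michael'),
    (New-Object -TypeName System.Net.Mail.MailAddress -ArgumentList 'oncall@example.com', 'On-call')
)

# Build the body from an array of lines and join with CR/LF, so the line
# endings are correct for SMTP regardless of how the script file was saved.
$bodyLines = @(
    'Nightly check completed.',
    '',
    'Hosts scanned : 42',
    'Findings      : 3',
    '',
    'This message was generated automatically.'
)
$body = $bodyLines -join "`r`n"

$message = New-Object System.Net.Mail.MailMessage
$message.From = $from
foreach ($r in $recipients) { $message.To.Add($r) }   # one Add() per recipient
$message.Subject = 'Nightly check results'
$message.Body = $body
$message.IsBodyHtml = $false   # plain text: nothing in the body is rendered as markup

$smtp = New-Object -TypeName System.Net.Mail.SmtpClient -ArgumentList $smtpHost, $smtpPort
# If the relay requires STARTTLS and a login, set these before Send():
# $smtp.EnableSsl = $true
# $smtp.Credentials = Get-Credential   # prompts; avoid hard-coding a password in the script

try {
    $smtp.Send($message)
}
finally {
    # Dispose even if Send() throws; SmtpClient.Dispose() needs .NET 4 or later
    $message.Dispose()
    $smtp.Dispose()
}
```

Passing the relay name and port in the constructor avoids the machine-wide SMTP defaults in machine.config silently being used, and the try/finally makes sure the message and connection are released when the relay rejects the mail.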

complexity is evil, evil, evil

Work projects have been kicking my ass lately, and basically sapping the will to live! In all seriousness, I am a firm believer that complexity is the ultimate evil to all things IT, not just security. It turns simple plans into extremely frustrating projects that don’t end.

Unfortunately, complexity has a driver, and that is called the Deadline. Impose deadlines that don’t match the work to be done, and often the end result is a chaotic, complex mess…

proving your security

I mentioned last year, and in various other posts, the idea of proving your cyber state. In that post I mentioned safety, but I really meant security. Are you secure? Prove it. Richard Bejtlich echoes (or restates, since I’m not sure where I first heard this idea) that this is a key tenet of where we should be with our own cyber security. In fact, I will go so far as to say this question is as important to our field as cogito ergo sum is to philosophy (it’s the basis of it, a foundational statement). It is more than a marketing ploy or illustrative approach; it is a basis for our entire industry and philosophy on security, business, and IT.

Please read Richard’s post. In recent months he has been throwing various ideas around, and you can almost see the wheels turning, popping this extremely formative and important post out. He builds up to what he defines as security, or rather, acceptable security.

do odd bank mailings make you paranoid these days, too?

My bank recently changed its name, and along with it some of its business decisions. Most likely a buy-out of some sort, but I really couldn’t care less about stuff like that.

Tonight I got one of those little envelopes that you tear off three sides for. Usually these are pretty important, so I always open them before Bills Time. Whoa…a PIN? For me? Ok, last 4 digits of this card…nope, not my ATM card. Nope, not my credit card with this bank. Rut roh, raggy. Let’s go back a few days in mail…

Oh, look, an envelope with a new debit card. Ok, I don’t want a debit card, I want an ATM card. Really, a 4-digit PIN is not a huge security measure if someone looks over your shoulder. I’d rather guard against shoulder-surfing at an ATM than in a crowded check-out line somewhere with a clerk watching straight down. I can also scope out any suspicious gear at an ATM. I like my ATM card and have taken active measures to decline debit cards.

I also found another mailing, also from a few days ago, explaining the change: my ATM card is being replaced by this debit/ATM card.

Great, thanks. I guess that choice has been lost to me. 🙂

random thoughts in response to other random thoughts

  • Ask any law enforcement officer if there is rampant depression because they will never really get rid of all the bad guys and bad things in the world, and whether we should give up or change the playing field. What about ethical or moral activists, or environmental activists?
  • If I decide to be a carpenter because I want to have an achievable goal, do I get stuck in the same old mud because I’ll never be able to satisfy all the carpentry needs of my region? Or do we take pride in each single creation, or series of creations, that contributes to the whole?
  • Back in the early 1900s, unwanted and teenage pregnancy was a huge problem, but several groups eventually came together and educated women and promoted programs designed to address the issues. We have not solved these problems even today, but does that mean those early or subsequent efforts were useless and we look back on those people with a pitiful eye?
  • When you wash your car, do you avoid sprinkler puddles for a few days? Do you feel sad that the car will just get dirty in a few weeks anyway? Do you curse God because it rains the day after you wash the car? Do you take joy in the washing, even though you know dirt is inevitable? Do you wash the car and then avoid going places until you really have to so that it stays cleaner longer? Do you just wash it an obscene amount of times? And for what reward all this effort?

    Basically, our dilemma is not unique, and at least our efforts are measurable in both tangible and non-tangible results. Any time we get down in the dumps about security, it is because we have poor goals and measurements. Are we making a difference? Should we change our name to make it better? Do we expect to eradicate insecurity, information loss, and protect our systems ultimately otherwise we are failures? Do we worry that our jobs stem from other people’s loss or suffering, or do we realize we are helping people deal with the inevitable? Inevitable: human mistakes, bad morals, economic choices [budgets], education to not make poor decisions, etc…these are our combatants, not pain and suffering.

work has been outweighing the life scales for the moment

It’s months like these that make me painfully aware of my growing list of personal projects. At work, we’re butting up against some deadlines in what is maybe our biggest project in a long time: migrating our operations from our on-site data center to a DR site in a dedicated facility…by using the facility as our primary site. So it is not just a DR project, but also getting our production environments over there. Not easy or terribly fun…although our intimate knowledge of our environments has never been better. You can see some of my personal stuff to do over on a Security Catalyst thread that Cutaway started. I’m obviously not alone in wanting to retool and practice on the home network! 🙂

yaeauef: yet another example against user education fanaticism

Outside the business parking lot where I work there are 4-lane, fairly busy roads. On two of the drives out onto this street are very visible signs prohibiting left turns (i.e. across 3 of the 4 lanes, at a minimum). This is, basically, a rule. However, every day there are people who disobey that sign and make the dangerous, inconsiderate left turn across all lanes, inconveniencing the people behind them and the drivers on the road, and setting themselves up for an accident that will likely be billed directly as their fault given the disregard. Likewise, almost everyone “obeys” speed limit laws by going, at most, 10 mph over the speed limit.

And we expect these same people to obey corporate IT policies? I guess my point is that user education helps those who care, but will do nothing to improve the security practiced by people who are poor risk evaluators or just plain don’t care. They will take the shortcuts or bend the rules as they see fit. This is why I fall more on the side of technological controls than on user education when it comes to a solid security plan. I want both, but I can never truly rely on all the people…

I know, I’m beating a dead horse, but it’s an example I wanted off my chest and written down in my little journal here. Move along, these are not the droids you are looking for…

a series of unfortunate events

Have you seen the recent HP promotions about how “the computer is personal again”? Well, check it out. We received a box from HP today with that same font on the side, which a few of us recognized from the movie and book, Lemony Snicket’s A Series of Unfortunate Events. We found it very humorous that a computer box would want to be associated with a series of unfortunate events, and it made for a very laughter-inducing morning!

cube culture at linkedin

I wish my cube could look like these in the LinkedIn offices. Wow! Now, that is what work really should be like. Although some of the cubes look a little *too* themed and over-the-top, at least they are having fun and seem to encourage employees to be expressive. I really think that can only be a good thing. In my current job, the company has very strict rules about cubes (nothing above the sides, nothing hung outside the small tack boards, no white boards, no plants, no fish, tidy, no real decor…blah blah blah…basically a sterile hospital room), which makes for a very non-homey feel. Meh.

I dig the half-completed ceiling. It adds some depth, prevents the sterile-stifling-ceiling effect, makes things interesting, and likely gives it more air as well. It combines the best effects of a factory facility with those of an office. There’s a Superman in the pics that is a little too hung for comfort. Still, it would be fun to come to work in an environment like this. Many people, especially us techies, really do like our professions when given the chance; work is not work for us like it might seem for more blue-collar type jobs or more menial labor. It really is a boon when the company completes that happiness circle by letting employees be happy employees.

I’m surprised I didn’t see any cubes decorated with a variety of logic puzzles, plush toys, and various other little trinkets to play with from ThinkGeek. Geek out while stoking the fires of creativity… I’m also surprised more weren’t covered like the camp-themed one. I think it would be quite popular to shut out the fluorescent lighting and opt for something more cozy in a covered setting. I would take softer, less direct lighting any day over typical sterile office ceiling fluorescents. More beanbags in corners for ad-hoc meetings, more comfy chairs for collaboration visits… 🙂

auditing guides from the iia

The IIA has a series of audit-related guides available. I very briefly skimmed a couple of them to check out the content, and they look really informative. They seem to be about 50 pages long, which is right about my personal limit for what I print at work for personal pleasure. Therefore, logging the links for my own use.

1 Information Technology Controls
2 Change and Patch Management
3 Continuous Auditing
4 Management of IT Auditing
5 Managing and Auditing Privacy Risks
6 Managing and Auditing IT Vulnerabilities
7 Information Technology Outsourcing
8 Auditing Application Controls

Saw this from the Security4All blog. (Ok, fine, I printed guides 2 and 6…)

ode to the ciso

Cutaway posits, “Why is it that we have not seen college, high school, or any other school close their doors because of security breaches or just plain being totally owned?”

I’m not going to answer that, but I will say that this is my new ode to ousted CISOs/CIOs who lose their positions due to a stupid security breach:

laugh and the world laughs with you,
weep and you weep alone,
for the sad old company must keep hold of its money
but still has security troubles of its own

This is adapted from a wonderful poem by Ella Wheeler Wilcox called Solitude. (If you like that poem, I highly suggest browsing her other works…)

patch tuesday information sources

For some time now, the ISC has been my first check for information on Microsoft patches from Patch Tuesday. I then follow links to the disclosures on Microsoft’s site and the CVEs for more details.

I see BreakingPoint has gone further and released a slew of in-depth looks at the patches and the vulnerabilities those patches, err, patch. I think this is awesome, and fits what is kind of the last piece to getting all the info about Patch Tuesday: overview, official statements, technical analysis. I hope they do this every month.

randomness: passwords, ids, salespeople, defaults, layers

I think every time I call one of my credit card customer service centers, I have the same befuddled response, probably because I only call once every 6 months, if that. “Can I have your password for this account?” Me: “…huh, what? I didn’t know there was a password..” Rep: “It is probably your mother’s maiden name.” Me: “…oh…ok well let’s try this.” And of course it works…it’s just so odd being asked for a password on the phone…

I really don’t like having a gap between my use of an IDS/IPS and knowledge of the signatures. Today a new alert came across proclaiming “NETBIOS-SS: Bugbear Virus Worm.” I’m not sure what a “virus worm” is, but it certainly is something to look at right away. Turns out it was a false positive, but I really wish I could see what my vendor’s signatures actually are, rather than seeing the interpretation of them in the management console (which is almost always inconclusive and vague). Oh, since I’m complaining about the IDS/IPS, I’ll echo my old complaint that I really dislike capturing only one packet per alert, even though I have it set to log the stream…one packet certainly gives me a lot of context!

Annoying vendor salespeople #84: Insist on digital communication via email only. Actively reject any attempts at face-to-face or voice-to-voice communication. I think sales people have a handbook that says sales are guaranteed with face-to-face meetings and 80% guaranteed with voice-to-voice meetings. It’s almost like seeing a squirrel stuck inside a gallon milk jug.

What if we start convincing companies to roll out “secure by default” devices and software? Will we dumb down our workforce too much, with people who know how to roll something out but not how to manage anything? IIS is easy to build now, but takes work to really understand it. Apache still scares IIS users because you need to make config changes early on… Just a thought, although I do believe “secure by default” should be the goal.

I was adjusting a script of mine the other day to account for a configuration error in some file replication apps we run. The config error led to a script execution failure, so I coded around it before I found the config error itself. This is effectively a little bit of “defense in depth,” although it has nothing to do with security. But what if a config error occurs again? Because I’ve layered my script over the config, it might mask the problem with the config. Can defense in depth mask holes in the various layers because testing isn’t done on each piece? Possibly…
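To make that last worry concrete, here is an added example (not the script from the post) of the same situation: a replication config with a misspelled key, a wrapper that silently papers over it, and the alternative of working around the gap while recording that the lower layer is broken. The config format, job names and paths are all constructed for illustration.

```powershell
# Added example, not from the original post. The config format, paths and
# job names are hypothetical; the point is that a silent workaround in one
# layer hides a hole in the layer beneath it, and how to keep the hole visible.

# Constructed sample config: JobB's "Destination" key is misspelled, the kind
# of error the post describes coding around.
$configText = @'
[JobA]
Source=\\fs01\share
Destination=\\dr01\share

[JobB]
Source=\\fs02\share
Destinaton=\\dr02\share
'@

function Read-ReplicationConfig {
    param([string]$Text)
    $jobs = [ordered]@{}
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $jobs[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $jobs[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $jobs
}

# Masking version: fall back to a default when the key is missing and say
# nothing. The script "works", so the misspelled key is never noticed.
function Get-DestinationMasked {
    param([hashtable]$Job)
    if ($Job.ContainsKey('Destination')) { return $Job['Destination'] }
    return '\\dr-default\share'
}

# Visible version: still work around the gap so tonight's run completes, but
# warn loudly and carry the fact in the result so a later check can fail on it.
function Get-DestinationVisible {
    param([string]$Name, [hashtable]$Job)
    if ($Job.ContainsKey('Destination')) {
        return [pscustomobject]@{ Job = $Name; Destination = $Job['Destination']; UsedFallback = $false }
    }
    Write-Warning "Job '$Name' has no Destination key; using the fallback. Fix the config."
    return [pscustomobject]@{ Job = $Name; Destination = '\\dr-default\share'; UsedFallback = $true }
}

$jobs = Read-ReplicationConfig -Text $configText
$results = foreach ($name in $jobs.Keys) { Get-DestinationVisible -Name $name -Job $jobs[$name] }
$results | Format-Table -AutoSize

# Fail the run if any layer had to paper over a config hole, so the
# workaround never quietly becomes permanent.
if ($results | Where-Object { $_.UsedFallback }) {
    Write-Error 'One or more replication jobs relied on the fallback destination.'
}
```

The masking function is what the post describes: it keeps the job running and leaves no trace that the config is wrong. The visible version keeps the same resilience but turns the workaround into a warning and a non-zero result, which is the difference between a layer that backs up the one below it and a layer that hides its failure.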