Recently in Awareness Category

This week's topic of the computer security class that I teach was reconnaissance. The amount of information that is "out there", available to an attacker who wants to build a profile of his target, is overwhelming. The things that we discussed today weren't very advanced or outlandish, but they were generally new to my students (undergrads). Here are some take-homes:

  1. Don't underestimate the amount of intel that can be found on social networking sites, such as LinkedIn, Facebook, Myspace, Twitter. It will be almost impossible to control what gets posted, so make sure that you know what information is there. Search for your organization and for your key employees and see what information is posted. Be aware of what others can find out about you as a target and act accordingly.
  2. Be creative with search engines; check Johnny Long's Google Hacking Database. While you are there, order a copy of his book and support charity. Play around with the Goolag scanner to figure out what you can find.
  3. Maltego is awesome; use it, play with it, and learn from using it.
  4. Don't list anything in whois records that you do not have to. Do not list names, email addresses, titles, street addresses, etc. if you do not absolutely have to. Instead of a real name, list a job function. Instead of an individual's email address, list a functional email address. If you do list an individual's email address, make sure that the first part of the email address isn't also the user's login. List a P.O. Box rather than a physical address. Real names and email addresses can be used for social engineering; physical addresses can be used for site visits (for example, to search for WiFi bleeding).
  5. Use split DNS and do not allow zone transfers.
  6. Most of all, abide by the adage: don't post online what you don't want to be found.
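Item 5 in concrete terms, as an added example that is not part of the original post: a BIND 9 named.conf fragment showing the weak default beside the corrected form. The zone name, zone files and address ranges are assumed placeholders.

```conf
// Added example, not from the original post: BIND 9 named.conf fragments for
// item 5 above. Zone names and address ranges are placeholders; pick ONE of
// the two fragments, since BIND requires every zone to sit inside a view once
// any view is defined.

// FRAGMENT A (weak): without an allow-transfer statement BIND answers AXFR
// from any client, so the entire zone (every host name, the naming scheme,
// server roles) can be downloaded in a single query.
zone "example.com" {
    type master;
    file "db.example.com";
    // no allow-transfer here: transfers permitted from any address
};

// FRAGMENT B (corrected): deny transfers by default, allow them only to the
// named secondaries, and split the zone into an internal view with the full
// record set and an external view carrying only publicly needed hosts.
acl "campus"      { 10.0.0.0/8; 192.0.2.0/24; };      // placeholder ranges
acl "secondaries" { 192.0.2.53; 198.51.100.53; };     // placeholder secondaries

options {
    allow-transfer  { none; };        // global default: no AXFR at all
    allow-recursion { "campus"; };    // and do not act as an open resolver
};

view "internal" {
    match-clients { "campus"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "db.example.com.internal";   // full internal host list
        allow-transfer { "secondaries"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com.external";   // public hosts only (www, mx, ns)
        allow-transfer { "secondaries"; };
    };
};
```

Run named-checkconf on the result before reloading; it catches the common mistake of leaving a zone outside the views.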

Patching users


In a rare flash of insight, I realized that I spend most of my days talking to people in my organization about what security is, and how to do things in a way that a) they can get their work done, b) they can get their work done, and c) they can get their work done in a way that slightly lowers the organization's exposure to information risks.

I do not spend a lot of time on technology at all. This is in line with observations that the real threat to information security is caused by a vulnerability commonly known as a user.

Life would be so much easier if patching users was as simple as patching servers!

Back to school


With the month of August coming to an end, schools, colleges and universities all over the country are starting up again. For IT departments in higher education, it means that the busiest part of the year is over. Because the effect of service degradation is the lowest, the summer break is the time where most large projects are undertaken. For many schools this means infrastructure upgrades, upgrading/restoring labs, getting new faculty equipment ready in time for the new school year, etc.

For us as information security professionals, the summer is a good time to review our IT policies, revise them where necessary and get them approved by management and rolled out to our constituencies.

This year, we put the emphasis on revising our acceptable use policy and developing a new policy which was designed to reduce the amount of rogue networking equipment connected to our network. These two policies will be the topic of another post.

Having developed new and existing policies during the summer, the beginning of the school year is a good time for a security awareness campaign. When students come back after the break, they are a prime target for a campaign that explains proper use of IT infrastructure, or more importantly, improper use.

In our case, we are kicking off with a five-week poster campaign. Each week, we'll be putting up different posters covering different themes. This year's themes are:

  • Protect your data: make backups often and keep them safe
  • Sharing copyrighted files is usually illegal, and you are not anonymous
  • Don't become a victim of phishing. Think before sharing personal information via mail, email, telephone or the web. Always verify who you are sharing it with
  • Before you click, ask yourself: is it safe? Beware of unexpected email attachments and unknown websites
  • You count on your password to keep your data and identity safe. Return the favor: don't share your password with anyone

The posters have all been designed in-house, and they look awesome.

Since our primary audience consists predominantly of freshmen, it is near impossible to get a good baseline in place. As such, we'll have to measure the success of the campaign by comparing the number of incidents per constituent with last year's. Hopefully it will be lower.

Having said that, we'll have to compensate (somehow) for the fact that, by increasing security awareness, the number of incidents that actually get reported usually goes up too.

After these five weeks, we'll be in the first week of October, which is security awareness month. Throughout October, we will provide education and training in the form of targeted workshops and seminars for students and employees.

Hopefully this will put us in a position where the people who are using IT resources to handle sensitive information are aware of the fact that they are doing so, and behave accordingly.

DNS vulnerability


A vulnerability in the DNS protocol was discovered yesterday by Dan Kaminsky and announced in several places. Although it is not entirely clear if this was the first time the vulnerability was discovered, this is definitely the first time it gets acknowledged by the Internet community as a whole.

As I was out of the office yesterday all day, I spoke to a few colleagues today to discuss it.

Most of my co-workers are technically very skilled, which is why I was rather surprised to find out that most of them do not know in detail how DNS works. It would go too far to outline exactly what terms like recursive lookup, Query ID, root server, caching server, resolving, zone transfer, etc. mean in this post, but let me summarize the vulnerability in the way I explained it to the C-level.

China hosts malware


News items like this have been bugging me for a while now.

Headlines like "China hosts most of the world's malware" mean nothing to me. A truly remarkable headline would be quite the opposite. China is a large country. By a conservative estimate, it has a population of close to 1.5 billion people. At any time, the country sports a staggering 200 million Internet connections. Of course they host a large amount of malware; as a country, they are one of the largest presences on the Internet!

When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities.

Source: Scott Wright's Security Views

While it is true that many of the published breaches took place at colleges and universities, it is important to realize that institutes for higher education are typically more open and willing to share information with the outside world than many corporations of a similar size would be. Do not forget that even a small college may have upwards of 10,000 users (students, faculty, administration and staff). Those numbers go up significantly when the larger universities are also included.
Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.

We have all done it.

Who has not sent authentication credentials over an insecure channel in lieu of doing it properly via a secure out-of-band channel? With a high degree of certainty, just about everyone who reads this has done it at least once during their career.

Often, this decision is rationalized via a partial (often skewed) implicit risk assessment that probably went something along the lines of: "The chance that someone intercepts this message, AND that the recipient does not change his password in a timely fashion to a properly complex pass phrase, is low enough that we can do it this time". And the next time, and the next time, ad infinitum.

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?

Source: Network Security Blog

Observations like this once more seem to confirm that the bad guys are increasingly focusing on OSI layer 7 and above. While not to be ignored, simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is working well (or an IPS, if you prefer), is not sufficient.

Embedded intelligence


xkcd has an excellent comic up today. The title is Zealous Autoconfig. Here it is:



Please respect their license.
