Latest Publications

Practical Data Loss Prevention

(Week 4 of 4)

by Michael McKinzie, CISSP

Well, as we are in our final week of this series, with just a few comments I will briefly summarize and conclude this topic as best I can. One reader indicated his organization currently uses a strict policy about internet use, and content is blocked based on type or category. I support enforcing a computer use or internet use policy with content filtering. It would be interesting to know whether the organization blocks access to webmail and social media sites in addition to the standard blocked categories, or at least to have a more detailed understanding of how they handle this. These sites pose certain risks due to their public and widespread use, and because they are easy mediums to transport or publish potentially sensitive information. I understand it is neither feasible nor common practice to “lock-down” the network to prevent any and all access to the outside world. I do not think most users are malicious or have ill intent, but employees changing jobs, facing a lay-off or simply disgruntled may not keep the company’s best interest in mind.

Recommendation #1 – Use ISO 17799 as a Guide for Information Security

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It can provide a good foundation which you can tailor to your needs and industry.

Recommendation #2 – Implement an End User Computer Use Policy & Awareness Program

Although it is only one component, it can be powerful simply by informing users that there are consequences to their actions and that they can and will be held accountable. It should be handled by IT, Legal, and Human Resources, or drafted by a contracted law firm in case legal action becomes necessary. I believe keeping the End User Computer Use Policy very simple and concise is an effective approach. It should be updated and revised as necessary and presented periodically, for instance during employees’ annual performance reviews.

Recommendation #3 – Auditing & Logging

An easy and often neglected area is simply turning on user auditing and logging. You may not have the resources, physically (manpower) or technically (software), to capture, review and manage all interesting network events, but even native Windows and Linux (audit daemon) auditing can give you quite a bit of information about users’ behavior and about mis-configured users and systems. Random reviews might be enough for your organization, but there are a number of open-source utilities, commercial applications and even managed services which will aggregate and correlate the data. In addition, most event management systems and services will alert or take action based on the event and a defined policy.
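As an added illustration of the “alert based on the event and defined policy” step (example code written for this page, not a tool from the post or from SecurStar), the script below reads auditd-style records, joins the SYSCALL and PATH records of each event by their serial number, and raises an alert when a watched HR directory is touched by a uid outside an authorised set or when an access attempt is denied. The log lines, the `hr-files` audit key, the uids and the `AUTHORISED` policy are all constructed for the example; on a real system the key would come from an auditd watch rule such as `-w /srv/hr -p rwa -k hr-files`.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not real logs). The SYSCALL and PATH records
# of one event share the same msg=audit(<time>:<serial>) identifier.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="cat" key="hr-files"
type=PATH msg=audit(1700000000.101:501): item=0 name="/srv/hr/payroll.xlsx" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=3 auid=1002 uid=1002 comm="libreoffice" key="hr-files"
type=PATH msg=audit(1700000000.205:502): item=0 name="/srv/hr/salaries.ods" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 comm="cat" key="hr-files"
type=PATH msg=audit(1700000000.310:503): item=0 name="/srv/hr/terminations.txt" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.410:504): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="vim" key="hr-files"
type=PATH msg=audit(1700000000.410:504): item=0 name="/srv/hr/handbook.txt" nametype=NORMAL
"""

# Constructed policy: for each audit key, the set of uids allowed to touch that data.
AUTHORISED = {"hr-files": {1001}}   # 1001 is the HR clerk; 1002 has no business there

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')       # msg=audit(<time>:<serial>)


def parse_audit(text):
    """Group auditd records by event serial, merging SYSCALL fields and the PATH name."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1))})
        if fields.get("type") == "PATH":
            ev["path"] = fields.get("name")
        else:
            ev.update(fields)
    return [events[s] for s in sorted(events)]


def evaluate(events, authorised):
    """Apply the policy: flag denied attempts and successful access by unauthorised uids."""
    alerts = []
    for ev in events:
        key = ev.get("key")
        if key not in authorised or "uid" not in ev:
            continue  # not a watched location, or no SYSCALL record seen
        uid = int(ev["uid"])
        reason = None
        if ev.get("success") == "no":
            reason = "denied access attempt on watched path"
        elif uid not in authorised[key]:
            reason = "successful access by uid outside the authorised set"
        if reason:
            alerts.append({"serial": ev["serial"], "uid": uid,
                           "path": ev.get("path"), "reason": reason})
    return alerts


def summarise_by_user(events):
    """Per-uid count of watched-path events, the kind of figure a periodic review reports."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("key") and "uid" in ev:
            counts[int(ev["uid"])] += 1
    return dict(counts)


def analyse(text, authorised):
    return evaluate(parse_audit(text), authorised)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT_LOG, AUTHORISED):
        print("ALERT event %(serial)d uid %(uid)d %(path)s: %(reason)s" % alert)
    print("events per uid:", summarise_by_user(parse_audit(SAMPLE_AUDIT_LOG)))
```

Against the constructed log this reports two alerts: event 502 (uid 1002 read a salary file it is not authorised for) and event 503 (the same uid was denied on another HR file). Event 504 is silent because the HR clerk is in the authorised set, which is the point of pairing the raw log with a written policy: the log alone tells you who touched what, the policy turns that into something worth acting on.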

Recommendation #4 – Control the Data at the Endpoint

Many organizations have established multiple locations or a mobile work force to compete effectively, serve widespread customers, and increase domestic and international presence. This paradigm has created new challenges for IT departments, not only in supporting this infrastructure but also in maintaining reasonable control over company data. Based on a 2008 PC World survey (http://www.pcworld.com/businesscenter/article/147739/laptops_lost_like_hot_cakes_at_us_airports.html), over 10,000 laptops are reported lost or stolen each week from the 36 largest airports in the U.S. This is just one facet of data loss, not including such risks as lost disks, tapes, malicious attacks or users, mis-configured systems, accidental data incidents and so forth.

  1. Endpoint Security and Full Disk Encryption (FDE) should be a consideration especially as it can be a very effective solution for lost or stolen devices.
  2. Apply appropriate rights and permissions to prevent accidental or intentional data discovery. I have personally seen many “snooping” incidents where users are curious about what others earn in the company, or interested in personal information which may be on file with Human Resources.
  3. Enforce Web and Email Content Filtering. Implementing tools to help mitigate and prevent accidental or intentional data leakage is an effective way to protect sensitive information from being sent right out the front door.
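The “snooping” incidents in point 2 usually come down to files on a share being readable by far more people than the data owner intended. As an added example (written for this page, not code from the post or from SecurStar), the script below walks a directory tree and lists every file whose POSIX mode grants read or write access beyond its owner, the kind of quick check an admin can run over an HR or finance share before anyone else finds the gap. The sample tree, file names and modes are constructed in a temporary directory; it assumes a POSIX file system where `os.chmod` sets the full mode bits.

```python
import os
import shutil
import stat
import tempfile


def build_sample_tree():
    """Create a constructed sample HR share in a temp directory (not real data)."""
    root = tempfile.mkdtemp(prefix="hr-share-")
    samples = {
        "payroll.csv": 0o644,        # world-readable: anyone on the host can read it
        "reviews/2009.txt": 0o660,   # group read/write: too wide if the group is broad
        "private/offer.txt": 0o600,  # owner only: fine
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


def find_overexposed(root):
    """Return (relative path, octal mode, reasons) for files accessible beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            reasons = []
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if reasons:
                findings.append((os.path.relpath(path, root), oct(mode), ", ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, mode, why in find_overexposed(root):
            print("%-20s %s  %s" % (rel, mode, why))
    finally:
        shutil.rmtree(root)
```

On the sample tree the report names `payroll.csv` (world-readable) and `reviews/2009.txt` (group-writable) and stays silent about the owner-only file. Group-readable files are deliberately not flagged here, because a tightly scoped group is exactly how role-based access is supposed to be granted; what the check hunts for is access that reaches past the intended role.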

Recommendation #5 – Hold Affiliates and Business Partners Accountable

Understand how your data flows through business processes and if the data is shared or provided to third parties. Hold your affiliates and Business Partners to high standards in protecting this data as you both fall into a chain of responsibility which may have legal and monetary consequences. Sharing your concerns and security policy may be an effective way to collaborate and improve the security posture for all interested parties.

Recommendation #6 – Have an Incident Response Plan

An incident response program can be very involved and resource intensive. A number of security companies provide services in this area, but an organization may implement a simple plan to handle the technical and logistical aspects. Organizations may want to prepare a notification plan to let affected persons or parties know the details, and recommended actions in the event a security incident occurs.

I appreciate the time you have spent reading our blog, and we hope you find the information useful or that it provides some points for discussion. I think the way technology continues to evolve will provide a constant challenge to maintaining security and privacy. It is important for security professionals and organizations to continually adapt and share information to battle security threats. Our goal is to help organizations find better and practical ways to implement and manage security. If you have questions or comments, I can be reached at mckinzie@securstar.com



Practical Data Loss Prevention

(Week 3 of 4)
by Michael McKinzie, CISSP

Last week we talked about data classification, policies and restrictions. My conclusion is that it is very difficult for organizations to fully implement a broad restriction of access to personal use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce this policy on the LAN or corporate network, users may simply be able to use their Internet enabled phone/Smart-phone to access these sites undetected by IT security.

If the organization allows synchronization of email, calendars, notes, documents or files, or even hosts an extranet service like a CRM application accessible to the mobile sales force, it is important to know the type and class of the data being shared. Mobile phones may introduce a new risk of compromising sensitive data, which may not be as easy to control as implementing a gateway system or access control list. Should the organization have the ability to control personal devices or restrict what users can do on them? It is probably not realistic to tell users they cannot bring their mobile phones to work, in case they have a personal or family emergency or want to make a personal call during a break or lunchtime. Perhaps an approach of limited use would provide better controls to monitor use, rather than users turning to alternatives such as their smart-phones. I attended a concert recently where they said no cameras were allowed. I wondered how it would be enforced, since virtually all new generation phones have an integrated camera; they did not confiscate my phone. Maybe if I had tried to march in with a high end SLR, I would have had a problem. What type of risk does this present to organizations? (Maybe another entire discussion.)

As a former security consultant, I used the following trust and operations model.

1) Relied on Managers and Human Resources (HR) for employee background checks and screening.
2) Provided network and data access based on job roles and responsibilities; enabled a higher level of auditing/logging for the first 90 days for all new users to monitor activity.
3) If a user had a high level of access to customer records, financial data or HR, verbose logging was enabled on the systems and reports were provided to the user’s manager on a periodic basis for review.
4) Implemented security infrastructure and policies, using BS17799/ISO17799 as a guide; all users would sign a computer use (zero tolerance) agreement as part of the hiring process.
5) Promoted awareness/best practices through emails, meetings, and lunch-n-learns. Encouraged users to report suspicious behavior.
6) Ensured a balance of security and usability, i.e. when a user visits a site considered non-work related (webmail), a warning message appears to notify them that they are being monitored, but they can click through to continue. A simple but effective reminder not to spend too much time on non-work related sites.

So, simply: establish a trust baseline, but restrict users from roaming servers and data which they have no reason to access. You would think most admins would naturally do this, but after countless audits and vulnerability assessments there would almost always be a case of users having access to resources which were not necessary.


I believe this is a result of IT not having intimate knowledge of department application servers, initiatives which did not involve IT, or job changes, promotions etc. where the user is “grand-fathered” in with the original access rights and new permissions are added on top. Smaller organizations tend to have a flat and open system where many users have full access. The receptionist may handle the book-keeping and customer service, and their IT department is most likely an independent computer consultant who wants to ensure productivity while security is sidetracked. In my opinion the small business owner’s data is no less important than a larger organization’s data, so security should be woven into any IT deployment of hardware and software and the assignment of users’ rights.

I am interested in hearing your thoughts on:

1. How do you segregate resources? Roles, Responsibilities, other?
2. Do you think soft policies/reminders are an effective approach for non-work use of IT resources? Any experiences you can share?
3. Should organizations have a policy over personal devices such as smart-phones, personal voice recorders etc.? How would you enforce it?



How strong is your password?

People usually don’t give much importance to password strength. We must remember that the strength of a security architecture is equal to that of its weakest link. So it doesn’t matter if you have a strong cryptographic algorithm applied to your data if you use a weak password for your key that can be quickly broken by guessing, or by a brute force or dictionary attack.

A strong password is formed by at least 8 characters in as random a sequence as possible of letters (uppercase and lowercase), numbers and special characters. So we can say that 3k!0H9w# is a strong password. The problem is, in a world where we have passwords for almost everything, how can we remember this kind of character sequence?

There are some techniques that might help you obtain a strong password and still make it easy to remember. A common one is to switch letters with visually similar numbers or symbols, something like “P0c4h0nt4$” (Pocahontas). To make it better, try not to use single words, but short phrases like “!l1k3P0c4h0nt4$” (IlikePocahontas).

If you still think that this is hard, try at least repeating characters in a word, avoiding a basic dictionary attack. For example, “anacondda”.

People tend to use common words for passwords. You can find a lot of lists on the internet. Check them, and if your password is there, I recommend you change it immediately.
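The rules above (at least 8 characters, a mix of character classes, not on a common-password list) are easy to turn into a checker. The added example below is written for this page and is not a tool from the post; its `COMMON_WORDS` set is a constructed stand-in for the published lists the post refers to. Besides the literal list lookup it also undoes the visual substitutions and repeated letters before looking the word up again, because password-cracking tools apply exactly those substitution rules to their word lists: “P0c4h0nt4$” is still “pocahontas” to them, which is why the post’s advice to move from a single word to a short phrase matters.

```python
import re

# Constructed miniature "common passwords" list standing in for the published lists
# the post mentions; a real check would load a full list from disk.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                "pocahontas", "anaconda"}

# Reverse map of the visual substitutions the post recommends, so the checker can
# see through them the way cracking rule sets do.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def char_classes(pw):
    """Which of the four character classes the password draws from."""
    return {name for name, pat in CLASSES.items() if re.search(pat, pw)}


def normalise(pw):
    """Undo leet substitutions and collapse repeated letters.

    Returns (plain, collapsed), e.g. 'P0c4h0nt4$' -> ('pocahontas', 'pocahontas')
    and 'anacondda' -> ('anacondda', 'anaconda').
    """
    plain = pw.translate(UNLEET).lower()
    collapsed = re.sub(r"(.)\1+", r"\1", plain)
    return plain, collapsed


def assess(pw, common=COMMON_WORDS):
    """Apply the post's rules plus the normalised list lookup; 'strong' means no findings."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    classes = char_classes(pw)
    if len(classes) < 3:
        findings.append("uses only %d of 4 character classes" % len(classes))
    if pw.lower() in common:
        findings.append("appears verbatim in the common-password list")
    else:
        plain, collapsed = normalise(pw)
        if plain in common or collapsed in common:
            findings.append("matches a common word once substitutions/repeats are undone")
    return {"password": pw, "strong": not findings, "findings": findings}


if __name__ == "__main__":
    for candidate in ["3k!0H9w#", "P0c4h0nt4$", "!l1k3P0c4h0nt4$", "anacondda", "password"]:
        verdict = assess(candidate)
        print("%-18s %s  %s" % (candidate, "strong" if verdict["strong"] else "weak  ",
                                "; ".join(verdict["findings"])))
```

Run over the post’s own examples, 3k!0H9w# and the phrase !l1k3P0c4h0nt4$ pass, while P0c4h0nt4$ is caught by the normalised lookup and anacondda fails both the character-class rule and the collapsed-repeat lookup. A password manager such as the one described next sidesteps the whole problem for everything except the master password, which is the one place these rules still have to be applied by hand.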

A free and very good tool called KeePass can help you store all your passwords safely. The app database is encrypted, and you will only need to remember a master password (keep this one strong) to access all the others.

Be safe!



Practical Data Loss Prevention

(Week 2 of 4)
by Michael McKinzie, CISSP

Building on my post from last week, I want to invoke thought about how you, as an individual or on behalf of your organization, approach data loss prevention (DLP). I used the example of the way we (generally speaking) expect and rely on our financial institutions to keep our money safe and accurately accounted for, but I also mentioned the expectations banks and institutions place on users and consumers. If we apply this same model to computer use, it is a form of privileged system model (authentication and permissions), i.e. proper authentication to access resources, and permission-based rules to govern activities, just as the bank controls access to accounts.

The challenge remains that there are constant threats to our data from vectors such as misuse, social networks, theft, lost devices, malware, viruses, Trojans, botnets, social engineering, integrated business partners, outsourcing etc. IT administrators adhering to best practices are vigilant in protecting data but are required to balance it with usability for businesses to remain productive and competitive. Businesses continue to rely on faster and broader communications, and data security is often perceived as a hindrance.

“Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.” (CIO Magazine)

So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, and how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal use site, does any information or data downloaded belong to the organization? Does the company have a legal obligation to protect it? Should the company control the user’s content? Do they have a legal obligation to do so to protect company or customer information and interests?

How do we classify data? These are often the questions and challenges facing organizations on a daily basis. Is it practical to just restrict access? Perhaps sales and marketing or the executives of the company have specific needs requiring access? Maybe the company promotes control versus broad restrictions? I don’t have answers to all of these questions nor do I believe there is a simple answer which applies to all organizations. How do you approach it?

I am interested in hearing your thoughts on:

1. Do you think it is important to classify data formally? If so, have you done this and what was your experience?

2. What do you think is the largest threat to your confidential data? Users, malicious attacks, social networks, data leakage via lost or stolen devices etc.

3. Do you or your organization promote control over broad restriction policies, or how do you determine the best practice? e.g. restrict or block webmail and social networking sites versus providing limited access with monitoring.



Practical Data Loss Prevention

(Week 1 of 4)
By Michael McKinzie, CISSP

Data Loss Prevention, or DLP, is an interesting and popular topic, especially since the largest single incident of data theft occurred recently. Heartland Payment Systems discovered that numerous systems were compromised and an estimated 130M consumer credit card numbers were at risk, surpassing the compromise of 94M consumer records that TJX Companies reported in 2007.

The implications of these incidents can be difficult to measure, but if you just consider the amount of resources needed to investigate, notify consumers and remediate an incident, the costs rise quickly. In addition, if we try to account for any fraudulent activity that may have occurred, or the time consumers must spend to monitor credit activity and/or dispute fraudulent activity, this adds to the cost considerably. Will Heartland or TJX Companies disappear, fail or go bankrupt as a result of these security breaches? Not likely, but is there a negative impact? If we look for a correlation between stock price and the reported incidents, it is inconclusive; TJX appears to follow the trend of the S&P 500, while Heartland takes a nose dive. One thing is certain: the costs to investigate and remediate the data loss are significant, having a negative impact on the bottom line in both cases.

[Figure: stock price charts for Heartland Payment Systems and TJX Companies]

Obviously, these are high profile incidents and may have even affected some of you reading this, though probably with nothing more than receiving a letter and a new card and being asked to monitor your credit reports and watch for suspicious credit card activity. The question I have is: are we as a society just accepting this because the problem is too hard to control, or is it merely a cost of doing business today? International boundaries, anonymity of the internet, millions of insecure computers primed for botnets, poor security architecture by software vendors, lack of information security budgets etc. are all significant challenges to protecting our information.

I believe there is a personal and corporate responsibility to protect our information, just as most of us trust our bank to keep our money safe and expect that it will do so, more safely than money tucked away at home. Banks also expect consumers to be diligent with access control. They issue ATM cards with user-defined PIN codes (two-factor authentication with limited authorization, i.e. maximum daily withdrawal limits), credit cards with signature panels and identifiers, or they deliver a battery of questions when we need to obtain any information on our account by phone.

I am interested in hearing your thoughts on:

1. Is the bank/consumer model or concept reliable? Do you think it works reasonably well?
2. Do you think there should be greater responsibility on users, or the organization to ensure data confidentiality?
3. Is data loss a real concern for you or your organization? Why?

About Me:

Michael McKinzie, CISSP (Business Development Manager, SecurStar) – security practitioner for 12+ years, worked in IT management, consulting, casino gaming, and on the dark side with encryption and security manufacturers. Still a fan of the C Programming Language by Kernighan and Ritchie and know I will make some money from my autographed copy of Applied Cryptography on eBay some day.



The Information Security Budget

If you are in charge of IT security at your company, especially at a small or medium-sized one, you probably feel your stomach ache when the subject is your share of the IT budget. For the last few years this ache probably got better, but it still hurts (especially this year).

Managing the IT security budget in times of recession is a theme that has already been widely discussed, but I will write my share.

Talking about information security, in a business scope, is talking about managing risk. In recession times, knowing what risks your company is facing is the same as having a map of a minefield. The more accurate the map in your hands, the fewer mines will blow. The problem is that at these times the company needs to accept more risks than it mitigates. This means that your company will blow some mines on the way. As a risk manager, it is up to you to point out the blows that will spill less blood (read: loss of money).

A big problem when you are trying to justify a budget for a security project (in recession or not) is that normally there is no ROI involved. One way of trying to justify the ROI is having metrics in your hands. Showing numbers about incidents, their frequency, and their respective impacts (read: loss of money, again) is the best way to get what you need. If you are thinking now “What metrics is he talking about?”, then you have another problem, and maybe your next budget must cover that. Gathering the metrics is not cheap, depending on the size of your network. A well managed and documented incident response plan costs, above all, knowledge and time. For tools, there are some open source solutions that can do the work pretty well (OSSIM).

So, in short, what will get you out of this crisis more easily is planning and strategy (I hope you already have some) rather than expensive technology, and you will get out of the minefield quite well.

Be safe.



Let’s talk about your mobile phone…

First of all, I’d like to welcome you to the SecurStar Security Blog. Here we will discuss a lot of subjects related to information security. Hope you enjoy it, comment and subscribe.

Mobile phones’ features grow at light speed. We can’t even call some of them just “phones” anymore; now they are being called “mobiles”. You use them for everything. A mobile tells you what you have to do today and what the weather is like, takes pictures and makes movies of your birthday party (and publishes them on the Internet), plays high quality games, and tells you how to get somewhere. You can even play the guitar on some of them!

What I’m trying to say is that your mobile knows where you are, because it’s with you all the time; who you are, because it has a lot of information about you; and what you’re doing right now (oh, Twitter!), as you are using it for everything, all the time.

There are lots of security issues related to mobile phones, with different levels of danger and affecting different types of people. Ordinary people are unaware that when they lose their devices, they can get bigger problems than just losing some bucks. Even cheaper devices can store personal information like home address, email addresses and social network addresses. Using this information, a malicious person could gather even more personal data and use it to harm the owner of the device in many ways.

Moving into a business scenario, we can enumerate a lot of possibilities, starting with wiretapping. A lot of classified business information travels over GSM, and it is well known that GSM has eavesdropping vulnerabilities. There are a lot of devices that can capture and record a conversation, and they are sold on the internet to anyone who wants them. I think maybe you will check your office’s light switches and sockets today…

With GPRS and 3G technologies, things could get worse. Connected to the Internet, you can do a lot more than just talk to people: send and receive documents, check your bank account, etc. For this you use a lot of different protocols, and these protocols might be vulnerable to certain attacks. With the right tools and knowledge, a person can perform a MITM (man in the middle) attack and intercept your information, and that includes VoIP.

Do you think you need to be talking at the cell phone for someone to hear your conversation? Think twice. With the right software installed on your device, a person could activate your phone’s microphone remotely and hear all sounds nearby.

Another widely discussed issue is geographic positioning. You have probably seen some kind of spy movie where someone is being tracked through his mobile phone, and thought “Yeah right! They can’t do that!”. Well, I assure you: they can. And not only the CIA or FBI; anyone can do it using the Internet.

Well, hope I didn’t scare you (much). So, what can you do to protect yourself? Let’s see some solutions:

- Keep your device off and remove the battery (easy, isn’t it?)

- Use a voice and SMS encryption tool (Did I say PhoneCrypt? Yes!)

- Keep your Bluetooth off, or at least require authentication before anyone can connect.

- Before installing apps and games, search the net for security issues with them.

- Do not open or reply to SMS messages from an unknown source.

- Keep an ear out for breathing or clicking sounds in the background of your calls.

- Don’t leave your mobile unattended for a long period; people can get hold of it and install malware.

- Beware of other people’s phones left unattended near you; they can be used as an eavesdropping device.

That’s it for the first post.
Hope you enjoyed it and found it useful.
A lot more will come soon.

Be safe! Bye!

