Wednesday, December 7, 2011

BitLocker, Passware...heads in sand everywhere!

Three times in the past three weeks. That's how many conversations I've had with people who have blown off any sort of technical or operational weaknesses associated with Microsoft BitLocker when using it as an enterprise full disk encryption solution. They're well-documented. I highlighted these issues in my recent whitepaper The Hidden Costs of Microsoft BitLocker as well.

I've said it before and I'll continue saying it: I've sung the praises of BitLocker for years. I still use it on a few non-critical systems that aren't storing sensitive information just to create a hoop for someone to jump through if the systems are lost or stolen. The thing is, there's a tool that can supposedly negate BitLocker's encryption. It's called Passware Kit Forensic.

In one of my recent full disk encryption conversations, someone in a highly-visible healthcare organization told me that, even though laptop loss and theft has been proven to be a big problem for healthcare (backed up by this December 2011 bit from Dark Reading on Ponemon's new study, Healthcare Data in Critical Condition), loss/theft/Passware Kit Forensic was not a risk to the business. Even when the law says it is. Amazing stuff.

You see, I've sung the praises of Passware Kit Forensic to over 1,000 people during my speaking engagements this year alone. I've seen it in action, and colleagues who have used it have recommended it to me. But I want to be able to demonstrate on my blog and to my audiences when I present how BitLocker can be compromised using Passware Kit Forensic. Although Passware has some screenshots of the process here, I need more.

Like other bloggers, trade rags and test labs, I'd like to get a (fully-functioning) demo/test/trial copy of the tool first so I can take it for a spin, validate the scenarios in which the tool actually works and document my findings here on my blog, in my articles and in any forthcoming edition of Hacking For Dummies...especially given how pricey Passware Kit Forensic is ($995; it was $795 just recently, so apparently there's demand for it).

I truly believe this is a big deal and it'd be a win-win for us all. The problem is I can't seem to get anyone at Passware to get back to me. Numerous emails, a Web form submission and LinkedIn requests have fallen on deaf ears. Maybe Passware is no longer around?

For now, just know that the threat and subsequent business risk is likely there and maybe I'll have the opportunity to demonstrate it for you in the future.

Elcomsoft...help!

Information security quote

Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. -KB

Join me live online today with TechTarget & ISACA

Today is our live virtual seminar Making the Case for the Cloud: The Next Steps. Join me, Urs Fischer, Dave Shackleford, Andrew Baer and Diana Kelley to hear about various aspects of cloud computing you may not have thought about.

Starting at 11:15am ET, I'll be presenting on Incident Response in Cloud Computing. I'll talk about common incident response weaknesses I see in my work, questions you must ask your cloud providers and how you can start developing your incident response plans with a proven incident response plan template.

It'll cost you nothing but an hour or so of your time and it'll be well worth it. You'll even have the opportunity to send me a curveball question at the end of my session. Won't you join us?

Tuesday, December 6, 2011

School staff members and porn - Why you should care

Here's an interesting read on government employees trying to make an extra buck by serving up pornography on their high school-issued computers. What a lovely story.

Don't think this kind of behavior is random. I've seen this very thing at the university level during a security assessment I did early on in my information security consulting venture.

You see, one thing I do during my internal security assessments is connect a network analyzer just inside the firewall for a few hours to look at general traffic patterns, protocols and the like. Interestingly, during this assessment I found a workstation that was the top talker on the network. No, it wasn't the email server, the Web server or the high-traffic FTP server but, instead, a workstation.

After further review, it was determined that a staff member was hosting porn on his computer...right on the school network. He was apparently doing pretty well, as his workstation was sending and receiving literally 10 times the traffic of any other system on the network.

Folks, just because an employee passed a background check, had good references and seems to be a reasonable person doesn't mean s/he can be trusted to always do the right thing.

You've got to know your network...As I've written about before, a network analyzer is a cheap and easy way to get rolling and make sure your network - and your users - are kept in check.
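The top-talker check described above is easy to automate once the analyzer has exported its conversation summary. The script below is an added example, not code from the original post: it assumes the analyzer can export flows as CSV lines of src,dst,bytes (the flow records here are constructed for illustration), that 10.1.1.0/24 is the internal range, and that a host moving five times the traffic of the runner-up is worth a look. The thresholds and addresses are assumptions; the ranking logic is the point.

```python
"""Rank internal hosts by total bytes and flag an anomalous top talker.

Added example, not from the original post. Assumes flow summaries exported
as CSV (src,dst,bytes), an internal range of 10.1.1.0/24 and a 5x threshold;
all sample records below are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.1.1.0/24")  # assumed internal network

# Constructed sample: mail, web and FTP servers doing normal work, plus one
# workstation (10.1.1.137) moving far more data than any of them.
SAMPLE_FLOWS = """\
src,dst,bytes
10.1.1.10,198.51.100.4,35000000
198.51.100.4,10.1.1.10,25000000
10.1.1.20,203.0.113.7,22000000
203.0.113.7,10.1.1.20,6000000
10.1.1.20,203.0.113.9,7000000
10.1.1.30,198.51.100.88,40000000
198.51.100.88,10.1.1.30,10000000
10.1.1.137,203.0.113.50,250000000
10.1.1.137,203.0.113.51,200000000
203.0.113.52,10.1.1.137,150000000
"""


def host_totals(csv_text, internal=INTERNAL):
    """Sum bytes sent plus received for every host inside `internal`.

    External peers are ignored so that a single remote client talking to
    one of our hosts does not itself show up as a "top talker".
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        nbytes = int(row["bytes"])
        for addr in (row["src"], row["dst"]):
            if ipaddress.ip_address(addr) in internal:
                totals[addr] += nbytes
    return dict(totals)


def top_talkers(totals, n=5):
    """Hosts ordered by total bytes, highest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flag_outlier(totals, factor=5.0):
    """Return (host, ratio) when the top talker moves at least `factor`
    times the traffic of the runner-up, otherwise None."""
    ranked = top_talkers(totals, 2)
    if len(ranked) < 2:
        return None
    (top, top_bytes), (_, second_bytes) = ranked
    if second_bytes == 0:
        return (top, float("inf"))
    ratio = top_bytes / second_bytes
    return (top, ratio) if ratio >= factor else None


if __name__ == "__main__":
    totals = host_totals(SAMPLE_FLOWS)
    for host, nbytes in top_talkers(totals):
        print(f"{host:>12}  {nbytes / 1e6:8.1f} MB")
    hit = flag_outlier(totals)
    if hit:
        print(f"investigate {hit[0]}: {hit[1]:.1f}x the next busiest host")
```

Run against the constructed records, the workstation ranks first at ten times the mail server's traffic, which is exactly the shape of what the post describes. Against real exports, tune `factor` to the network: a file server that legitimately dominates will need a known-servers allow list rather than a pure ratio.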

Monday, December 5, 2011

What happens when third-party patches are ignored

The majority of people I speak with claim they have no means for patching third-party software. As Kelly Jackson Higgins mentions in her recent Dark Reading blog post regarding the rash of Java exploitations, when third-party software goes unmanaged, bad things can happen.

It's great that Metasploit has a module for Java exploitation - something that'll not only benefit me in my security assessments but will also help bring to light what can happen in any given enterprise. But you know as well as I do that criminal hackers will use it for ill-gotten gains.

In my work, I certainly don't see what HD Moore was quoted as saying in the Dark Reading piece regarding most enterprises not allowing admin privileges on desktops. Between my clients and the people at my speaking engagements, maybe 5-10% of businesses have their desktops truly locked down. I will agree with the reality that Java is pervasive across any given business. In fact, I had to install Java on a system yesterday and believe the following screenshots underscore the issue:

Given such proclamations, where do you think the bad guys are going to focus their efforts?

Another funny thing about Java is what Microsoft recently documented in its 2011 Security Intelligence Report: Microsoft found that Java exploits make up as much as 50% of all exploits. Wow. Another side note from this report that I found interesting is that only 0.1% of attacks are related to the "sky is falling" zero-day exploits that so many people (especially vendors) claim are a huge problem.

Bottom line: as I talked about in this piece - unless and until you get your arms around third-party patches, you're going to continue to be vulnerable, especially given how simple Metasploit is to use.
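Getting your arms around third-party patches starts with knowing which versions are actually installed, and Java versions have a trap of their own: "1.6.0_9" sorts after "1.6.0_29" as a string, so a naive inventory report will call Update 9 current. The script below is an added example, not code from the post or from the Dark Reading piece. It assumes an inventory export of host,product,version lines (constructed here) and a per-release-line minimum that the reader sets; the 1.6.0_29 and 1.7.0_01 floors are assumptions standing in for whatever the current updates are when you run it.

```python
"""Flag hosts whose Java install is below a per-release-line minimum.

Added example, not from the original post. Assumes a CSV inventory of
host,product,version and an assumed minimum version per Java release line;
the inventory lines below are constructed.
"""
import csv
import io
import re

# Java 6/7 report versions as major.minor.patch[_update], e.g. 1.6.0_29
# for "Java 6 Update 29". The update number must be compared numerically.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Assumed patch policy: minimum acceptable version for each release line.
MINIMUMS = {(1, 6): "1.6.0_29", (1, 7): "1.7.0_01"}

# Constructed inventory: two stale Java 6 installs and one end-of-life Java 5.
SAMPLE_INVENTORY = """\
host,product,version
ws-041,Java(TM) 6,1.6.0_29
ws-042,Java(TM) 6,1.6.0_9
ws-043,Java(TM) 7,1.7.0_01
ws-044,Java(TM) 6,1.6.0_20
ws-045,Java(TM) 5,1.5.0_22
srv-01,Java(TM) 6,1.6.0_29
"""


def parse_java_version(text):
    """Turn '1.6.0_29' into the tuple (1, 6, 0, 29) so tuples compare correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def outdated_installs(csv_text, minimums=MINIMUMS):
    """Return [(host, version)] for every install that is either older than
    the minimum for its release line or on a line the policy does not cover
    (treated as unsupported and therefore also flagged)."""
    floors = {line: parse_java_version(v) for line, v in minimums.items()}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ver = parse_java_version(row["version"])
        floor = floors.get(ver[:2])
        if floor is None or ver < floor:
            hits.append((row["host"], row["version"]))
    return hits


if __name__ == "__main__":
    for host, version in outdated_installs(SAMPLE_INVENTORY):
        print(f"{host}: Java {version} needs patching")
```

Feed it the real export from whatever inventory tool you have and the list it prints is the patch backlog the post is talking about. Hosts that report no Java at all will not appear, so pair it with the inventory's "installed products" view rather than trusting absence.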

Thursday, December 1, 2011

You're in charge of your own crisis

Whether or not you - or your management - believe you'll suffer a security incident, it certainly pays to be prepared. Odds are that something is going to occur.

Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media or are they prepared to answer questions in a mature and professional manner?

PR pros will tell you that you'd better be prepared. As Bolling Spalding - a PR expert here in Atlanta - said in this Atlanta Business Chronicle piece:

"Address the situation openly by saying, 'We don't have all the facts yet, but will tell you what we know now and we'll continue to report back as the facts come in.'...If you don't tell the story, someone else will tell it for you, and it might be someone with an ax to grind."

There's too much to lose folks. Do something now so you'll have a plan when the time comes.

If you're interested, here are some tips I've written about information security-related incidents and how to shore up what could be one of your business's greatest weaknesses.
