You can't secure what you don't acknowledge.SM

Friday, June 10, 2011

The best information security quote ever

Thinking about all the security incident headlines over the past 30 days alone, this says it all:

"We can evade reality but we cannot evade the consequences of evading reality." -Ayn Rand

Wednesday, June 8, 2011

Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate was here's how you get to the do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...

Tuesday, June 7, 2011

New tool for ferreting out users w/local admin rights

Here's a free tool by @ViewFinity (the privilege management vendor I wrote about back in March) that helps you discover user accounts that have local admin rights:
Viewfinity Local Admin Discovery

...looks pretty neat if you have a need for running a quick test during an assessment or audit or just want to have something to use periodically to ensure user accounts are kept in check.

Monday, June 6, 2011

InfraGard Atlanta hack highlights some lessons for us all

What started with an email from a colleague's compromised Gmail account Friday evening has ended up making international news - the InfraGard Atlanta website has been hacked. With user names, email addresses and passwords - including those associated with the FBI - available via a quick web search I knew that this was a pretty serious issue. Although I've been disconnected from InfraGard Atlanta for the past ~6 years, I originally served as an officer when the group was getting off the ground back in the early 2000s...I hate seeing something like this happen to my friends and colleagues.

What's so frustrating in situations like this is the fact there are so many people associated with InfraGard Atlanta who are well-qualified (and often very willing) to pitch in and help to prevent such breaches. It must be human nature because I've offered to do gratis security assessments for various non-profits I've been associated with over the past few years and a funny - yet consistent - thing occurs every time...It's cricket, cricket, then nothing but silence...Or "no thanks, we're good" or "it's just our website" or "we don't have anything a hacker would want"...and on and on. You get my drift. Why is it we tend to ignore the elephant in the room and pass on pro bono services where they're often needed the most? I digress.

So, what can we do about this other than getting people to buy into security which I suspect isn't going to happen any time soon? The best thing you can do is to test every single system that's publicly accessible on your network. It's the only way you're going to find the flaws that matter...and man oh man, do we ever have some low-hanging fruit out there for the taking! Still, all the penetration and vulnerability testing you can throw at your systems is not going to uncover every single flaw in your environment. But it'll get you darn close and that's where you want to be.

All of that said, here are the lessons to take from this:

1) Test your websites and your externally-accessible hosts for security flaws...ALL of them, right now! Start today.

2) Test your websites and your externally-accessible hosts for security flaws over and over again, never letting up until the sites/hosts are taken offline [by choice, not denial of service ;)].

3) Fix the flaws you find.

4) Stop making bad password decisions. We've all done it and it's got to stop. Make a conscious choice right now to change that moving forward. Vow to never create an insecure password again and vow to stop sharing passwords across different websites and systems. Also, start going back and changing weak passwords that you know exist out there.

If you find the passwords that were recovered in the InfraGard Atlanta breach you'll see how "complex" passwords can still be cracked. Sure, part of such password flaws are architecture or operational-based weaknesses but my point is if you have a choice, then choose to create long and complex passphrases that are easy to remember yet next to impossible to crack.

The choice is yours....use it wisely.