Tom Olzak

Posts Tagged ‘federal’

Government Dysfunction Strikes Another Blow for Insecurity

In Access Controls, Business Continuity, China, Cyber Espionage, Government, Hacking, Network Security, Password Management, Policies and Processes, Risk Management, Security Management, Vendor Management on October 12, 2010 at 12:51

For many years, even before the Internet, changing default access codes, passwords, and other vendor assigned information was considered a basic no-brainer.  And I understand normal people (non-IT) not getting it.  After all, if it wasn’t a good password, why would a vendor assign it…?  And who wants to argue with a support guy on the phone who can’t understand why you changed it?  I get it.  However, when our government doesn’t see the value in the change, we have a big problem.

According to an article last week in the New York Times,

[University of Michigan researchers] infiltrated the District of Columbia’s online voting system last week. They changed all votes for mayor to Master Control Pro and elected HAL 9000 the council chairman. The blaring University of Michigan fight song played whenever a new ballot was successfully cast” (Wheaton, 8 Oct 2010).

To be fair, this is a pilot project by the District’s Board of Elections.  However, I always thought “pilot’” meant seeing how it works in the real world.  So it should also mean setting security for testing system trust.  One reason why this is necessary was included in the same article:

“[Professor J. Alex Halderman] said he also saw signs that computer users in Iran and China were trying to crack the system’s master password — which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless” (ibid.)

In addition to immediate attempts by our “enemies” to hack into the system, we decided to practice global good will by leaving the vendor password in place for anyone who wanted into our system.  What a novel idea regarding how to meet the cyber-crime and warfare challenges we increasingly face.

In case you haven’t yet gotten the message across to your network engineers or internal support personnel, this might be something you can use as an attention-getter (instead of the bat you’ve placed strategically next to your filing cabinet.

This is just one more example of the dysfunction of our government information handling capability.

But Congress hasn’t stuck its collective finger in it yet…

In Business Continuity, Cyber Espionage, Cyber Terrorism, Cyber-warfare, Cybercrime, Government on April 15, 2010 at 12:24

In a recent article, U S Cyber Command Nominee Discusses Policies, an army three-star general commented on cyber-war preparation.  While I agree with the military’s approach–what they will discuss, given the classified nature of their planning–I don’t believe Congress will be able to keep their hands out of this.  By the time our elected officials finish debating, filibustering, or holding hearings, our electricity, water supply, and financial institutions  will all have converted to Chinese as their official language…

And by the way, who taught the alleged soldier int the photo how to salute?  And what’s with the strap hanging down from his helmet?  Ok, Ok.  I know.  I was a sergeant way too long…  I’ll let it go.

White House Blowing Smoke?

In China, Cyber Espionage, Cyber-warfare, Government on April 7, 2010 at 11:45

A little something I wrote about recent comments by White House Cybersecurity Coordinator Howard Schmidt.

White House Blowing Smoke?.

Security Risk Extends Beyond Simple Loss of Data

In Business Continuity, Data Security, Government, Insider risk, Mobile Device Security, Network Security, Patching, Risk Management on June 7, 2009 at 14:52

Laptop encryption as a security control has become an expectation rather than an option.  Organizations worried about data breaches and their possible business impact are spending exorbitant percentages of IT budgets to avoid having to tell customers or employees they’ve lost their personal information.  Couple this with regulatory requirements to report certain types of breaches, and laptop encryption becomes as common on mobile systems as Notepad.  But not everyone agrees with this movement to protect laptop data at all costs.

Even the big picture suggests that spending is poorly allocated. “Thieves got 99.9 percent of their data from servers and 0.01 percent from end user systems, but enterprises spend about 50 percent of their security budget on endpoint security,” [Dr. Peter Tippett, founder of ISCA Labs] said. “They should spend more of it on server security.”

“The cause is a problem I call WIBHI, for Wouldn’t It Be Horrible If,” he said.

He added that it explains laptop encryption. He said that we encrypt laptops not because it will protect them better (passwords are good enough for that) but because we don’t have to report a breach if the laptop was encrypted.

Source: Enterprise Security Should Be Better and Cheaper, Alex Goldman, Internetnews.com, 6 June 2009

I make a habit of reading as much as possible about actual breaches, and I agree that we may be overdoing it a bit when we put multiple layers of security on devices which are not typically the primary target of attackers.  But I have three questions for Mr. Tippett.  What about botnets?  What about loss of access to critical systems due to malware-caused enterprise network shutdowns?  And what about the impact on a business if the public discovers encryption—a security control they’ve been told must be implemented or a business is negligent—was not used on a lost laptop containing personal information?

Business risk extends beyond a simple breach.  Its scope must include all possible negative impact scenarios which might be caused by weak endpoint security.  Yes, it is all about the data, including its availability and public perception—not necessarily based on a scientific assessment of actual risk—of how well it’s protected.  So until potential victims, potential customers, careless employees, and knee-jerk-driven politicians are removed from the risk formula, we will likely continue to spend more than might be reasonable and appropriate in a perfect world.

System physical security should include mobile device asset management

In Access Controls, HIPAA, Physical Security, Piracy Legislation on May 27, 2009 at 21:43

Some organizations spend a lot of time worrying about administrative (policies) and logical (application and system electronic) access controls without much concern for physical security.  I don’t mean the kind of physical security where you make sure your data center is locked.  I mean the kind of security which allows you to track who has your resources and ensures your organization takes the right steps to quickly mitigate impact.

For example, it doesn’t make much sense to lock the data center when unencrypted, unmanaged mobile devices travel across the country.  The sensitive information stored safely in the data center might as well be in the lobby.  This might seem a basic principle, but many organizations still don’t get it.  Take the US Department of the Interior, for example.  According to a report completed last month by the department’s inspector general, Western Region,

…13 computers were missing and… nearly 20 percent of more than 2,500 computers sampled could not be specifically located.  Compounded by the Department’s lack of computer accountability, its absence of encryption requirements leaves the Department vulnerable to sensitive and personally identifiable information being lost, stolen, or misused.

Source: Evaluation of the Department of the Interior’s Accountability of Desktop and Laptop Computers and their Sensitive Data, U.S. Department of the Interior, Office of the Inspector General, 24 April 2009.

So the IG could verify the loss of 13 unencrypted computers, but about 500 were simply unaccounted for.  The reason? Several of the agencies within the department had no process to track computer inventory.  The following is from a related InternetWorld article:

Despite policies mandated by the Federal Information Systems Management Act and other regulations, including rules that say computers should not be left unattended in plain view and that organizations should establish policies to protect their systems from unauthorized access, the Department of the Interior doesn’t require that any hardware that costs less than $5,000 — that would cover most PCs — be tracked in an asset management system, and the current tracking system doesn’t have proper backing, according to the report.

Source: Department Of The Interior Can’t Locate Many PCs, J. Nicholas Hoover, InformationWeek, 27 April 2009

Most of us agree that encryption is a necessary part of any mobile device security strategy.  But why worry about tracking laptops?  Isn’t encryption enough to render the data on a lost or stolen laptop inaccessible?  Well, it depends.

Many organizations do not use strong passwords.  The reasons vary, including:

  • Users tend to write complex passwords down, leaving then easily accessible
  • Password reset calls constitute a high percentage of help desk calls, rising exponentially as password complexity increases

In other words, strong passwords are often seen as weaker and more costly to the business than simple passwords.  And password complexity tends to remain the same when an organization implements full disk encryption, raising concern about the real effectiveness of scrambling sensitive information.  The complexity of the password and the configuration of the login policy (i.e., history, failed login attempt, etc.) are factors in the strength of any encryption solution.  In any case, encryption solutions should be supplemented to some degree—depending on the organization—by a mobile device physical management process, including,

  • Mobile device assignment process which includes recording employee name and date of assignation
  • Clearly documented mobile device usage and protection policy signed by each employee before he or she receives a mobile device
  • Periodic, random verification that the assigned user still has physical control of the device
  • Strict employee termination process which includes receipt of assigned devices
  • Documented device end-of-life process, including
    • recording receipt of device
    • recording of device disposition, in accordance with the organization’s media sanitation and reuse policy
  • Tested and documented device loss process, including
    • process for reporting a mobile device lost or stolen
    • assessment of the probability of sensitive data breach and notification of affected individuals
%d bloggers like this: