June 28, 2009, 9:28 pm
The second talk I attended on Sunday at the Gartner Information Security Summit was Debra Wheatman on How to Sell Yourself to Management. Debra is the Chief Career Strategist with ResumesDoneWrite.
At work one of our stated goals is “to grow and live the $company brand.” In this talk Debra reminds us “You’re always selling something.” I should be worrying about my brand. Do I have PR agents who are repeating the news of my success? Am I consistently putting forward a good image?
The concept of a career map was new to me. Basically it’s determining where I am and establishing short-term goals. Since finishing a Master’s in Computer Science in 2006, I’ve been coasting a bit. My progress at work seems to have been side-tracked. Creating a career map sounds like the sort of thing that would help me think some things through. I am going to Google to get more on that.
You may find, upon creating a career map, that your dream job or desired role doesn’t exist in your organization. When this happens there are two possibilities: build a case for creating the post or get out. Changing the status quo is not easy.
The bulk of the time was spent on discussing the resume, the cover letter, and interviews. In spite of all I’ve read on resumes I got some new ideas. I have enough trouble writing a few sentences for the ‘about me’ on this blog or on LinkedIn.
Probably the thing I’ll remember most from this talk was the suggestion that it’s OK to ask what their budget is. It’s funny: they would essentially ask you the same question, yet it will be awkward when the applicant asks.
June 28, 2009, 9:02 pm
A new Gartner Magic Quadrant covering Data Loss Prevention was released this week. Eric Ouellet spoke on this at Pre-Conference for Gartner’s Security Summit.
In spite of several years of DLP hype, Ouellet indicated that it is not yet at the sweet spot in the security product hype cycle. People who implement DLP often don’t have fully formed goals; they leave the product in monitor-only mode, and they are disappointed with the results.
It is important first to define terms. Gartner has begun calling it Content Aware DLP. This is a DLP that is content or context aware. Many vendors say they have Data Loss Prevention. Under a specific definition this is true: anything that prevents data from leaking is DLP. Under this definition vendors have claimed that USB port controls, Enterprise Digital Rights Management, hard disk encryption, and file tagging are DLP. None of those devices are aware of the content of the data. To differentiate those products from the traditional DLP product space, Gartner uses the term Content Aware DLP.
Two trends have occurred since I last looked at DLP. Antivirus vendors have taken the lead (through purchase) and added client DLP agents to their suite. Also, it is no longer network-based agents versus the desktop agent. It is necessary to have both unless you are only after a specific monitoring purpose.
With DLP I have always struggled with the use case. It’s pretty easy to install and report on credit card or social security numbers. But how does the DLP find what is important to my company? I don’t even know what should be protected. The limited FIPS data classification that we’ve done doesn’t help either. I did learn that 90 percent of deployments are for compliance purposes (PCI, HIPAA) rather than for the protection of Intellectual Property.
The message I heard was ‘if you don’t know you need DLP, then you don’t need it.’ Too often people think they need it because it’s been written about in the tech press. If you are going to move forward, good general advice is don’t let the vendor’s website write your RFP. Don’t write in requirements you won’t use. Certainly don’t use requirements you won’t use as a differentiator between vendors. Be aware of the false sense of security that DLP can provide.
Ouellet closed by advising that DLP is like a magnifying glass and the corporation is Pandora’s box. You’re going to find out things you didn’t want to know. Rather than being the impetus for budget justification, in some companies it has called the use of the existing budget into question.
June 28, 2009, 8:43 pm
I’m at the Gartner Information Security Summit in National Harbor for the first part of this week. The next few blog entries will be notes from the talks I attended.
I’m a bit surprised to be paying $18 a day to park outside the beltway. (National Harbor’s website claims $11; I guess the hotel garage is more.) It will be reimbursed, but still it’s annoying.
I wonder if there is a lot of crossover between people at this conference and people at Shmoocon? It gave me a chuckle anyway. Probably shouldn’t break out the “I hack charities” t-shirt for this Gartner conference.
As I feared, the usual lack of power options was in full effect. In one room, I was able to sit right by outlets; in another, only folding walls were nearby. I didn’t see any power. Looks like my decision to not bring a laptop today was a good one. I’d love to use the tablet for handwritten notes, but at this point the battery life is barely an hour. My mini has some great battery life, but I’m not sure the small keyboard would allow me to take notes very fast. No big deal, it’s better to not have to protect a laptop.
June 26, 2009, 10:42 pm
I’ve blogged several times about the desire to disable the wireless card when the wired card is connected.
A comment on one of my older entries points out that there is free software to do this now.
http://www.wlanbook.com/disable-wireless-connected-lan-xp-vista/
http://www.wlanbook.com/bridgechecker/
I’m now using SEP11 for this but passing it on in case others are still looking for a solution.
My older articles:
New version of Autoswitch out
Disable Wireless when Wired Connected
SEP11 and Wireless Management
Disable Wireless on LAN Access
June 17, 2009, 2:27 pm
Trend Micro’s blog entry about the Cligs blog URL redirection takes a funny twist.
For those not reading all the other security blogs, Cligs is a URL shortening service like Tinyurl. They got hacked, so all of their URL redirections were sent to one specific, though fortunately not malicious, website.
Trend’s blog entry was automatically posted to their Twitter account using Twitterfeed. Twitterfeed of course shortened the URL automatically using TinyURL. Could have been worse, they could have been shortening the URL with Cligs. LOL

June 16, 2009, 2:02 pm
This is interesting. After I wondered yesterday about the applicability of IM security products that ignore social networks, MessageLabs announced the launch of a new public IM security service. The solution does not address any of the problems I mentioned.
The press release mentions AOL’s AIM, Yahoo! Mail and Microsoft MSN, but does not mention Google Talk. This service protects public IM protocols whereas the existing Enterprise Instant Messaging product (from the purchase of Omnipod) is an enterprise product competing with OCS/LCS.
June 15, 2009, 8:23 am
As I upgraded my Symantec IM Security server last week, I thought about the state of Instant Messaging security.
These thoughts are based on my experience with Symantec’s products. I only briefly looked at the websites of Akonix and Facetime to see what they could do. I’m not up on their current releases.
When we implemented IMLogic, which was later purchased by Symantec, we were looking to protect ourselves from malware spread via IM. Users were getting infected by each new IM worm and it needed to stop. Typically one person would get a message and a link via IM. The user would click on the link, and install the malware. The user’s IM contacts would receive a message with a link to the same virus. Even if all the other recipients recognize the message as malicious, many would then call the helpdesk, leading to more wasted time. That’s a long way of saying that we implemented IMLogic to provide IM security protection. We aren’t under any logging requirement. Logging is a big driver for implementing IM security solutions at financial institutions.
There are limitations in using an IM security product. Each time a new version of the IM client is released there is a great likelihood that the public IM vendor will change their protocol in a way that prevents the new client from being used until the IM security vendor updates their own product. AIM 6.8, for example, used a new SSL-based login that caused a lot of trouble for all IM security vendors.
As time went by, people’s habits changed. Do you still have three IM clients installed on your desktop? Probably not. Most people found them to be pretty bloated pieces of drek. When online web IM offerings became feature comparable, most real people switched to using that. Meebo works great from what I’ve been told. How did the IM security vendors deal with that? They put out a list of URLs to block so that users could not use web IM.
Now public IM systems are bundling their chat with their webmail. That made it difficult to block web IM. For a while, to block Google Talk, you had to block Google Mail. There are now ways to do that. You can also block Yahoo Messenger within Yahoo Mail. I haven’t yet found a way to block Live Messenger within Hotmail.
Users are doing more chatting on Facebook, MySpace and Twitter. These are also outside the security environment provided by an IM security solution. Even if I could block just the chat component of Facebook, there would still be quasi real-time communication via the wall.
Symantec IM Manager is ignoring all of these problems. Facetime has a press release from more than a year ago that speaks of controlling 20,000 Facebook applications. That might be interesting to look at.
All the IM security problems seen today are HTTP links. If an adequate HTTP security solution was in place, would it even be necessary to run an IM security product anymore? IM Security is not a big software maintenance bill. But it is man hours to update and maintain. Perhaps it is no longer necessary. Then again, if a computer gets infected with a virus that can worm through LCS/OCS, I’d hate to be the one that said it’s OK for the corporate IM server to go bareback.
June 14, 2009, 9:09 pm
I’ve used Twitter as a follower for a while now. I’ve decided to create a Twitter account for Infosec related stuff. Mark Cuban says more people find his blog via Twitter or Facebook than Google. That is generally going to be people sharing links. Let’s face it, his controversial posts are designed to create a link-storm. My posts, not so much. However it is true that Twitter is used as a search engine for people looking for up to the minute information. Also, while it’s kind of a no-no in my opinion to ask for link sharing on a website, follows on Twitter are routinely done.
It seems a bit foolish to open another account to update when my updates to the blog have been less frequent. Fortunately the Twitter lifestyle doesn’t require a spell-check. Please shoot me if I ever spell “you” as “u” however.
Follow me on Twitter @InfosecTweet
June 13, 2009, 3:02 pm
It’s nice that my cable and telephone company Cox is fixing a few of their security problems, but it would be nice if they’d let people know that the ability to be more secure is available. Back in July 2007 I wrote about Cox adding POP3 over SSL. In November 2008, I wrote about Cox enabling SMTP/SSL. So I kind of laughed when I saw a Cox customer “Dave” complaining in cox.internet.discussion.email that not only did Cox not make a general announcement regarding these new features, their instructions are inconsistent in offering the option. Vista instructions include the secure options, Mac instructions did not.
I guess Cox figures that the few customers who know what this feature does will keep up on Cox news by reading forums. I admit, I figured it was Dave’s fault for not keeping up with the news. Then it happened to me.
In March 2008, I wrote about my displeasure that Cox was putting my PIN number on my bill. I wrote Cox, explaining that I felt this was poor security. This month while checking out my Cox account settings, I found there is now an option to suppress including the PIN on the bill! After making the change, my bill now shows xxxx instead of the actual PIN. So now I’m echoing Dave. Why didn’t you tell me about this option, and why is insecure the default choice?
June 11, 2009, 12:44 am
On Saturday I upgraded to the latest release of Symantec IM Manager, 8.4.11. This version includes limited support for Microsoft Live Messenger 2009. Prior to this upgrade users with this client could not log into Live Messenger from our network.
The install went pretty clean. Before starting I had pruned the database to hold only the past 90 days of data. I backed up the database and the upgrade went like butter.
I updated the SSL cert used by AIM; the old cert was about to expire. I had a bit of a problem with importing the new cert. The problem was caused by NTFS permissions on the location where the certificates get installed.
The event log showed an error “error returned from calling imadminrunscheduledreport asp page=400”. What happened is the reporting pages use “localhost” instead of the hostname to access the IIS webserver. IM Security is configured with two IP addresses and the IIS is only on one IP instead of all IPs. This means the server doesn’t listen to requests for 127.0.0.1. Once I added that, it worked again.
Took a while to work through a few things that cropped up, but not too much trouble.