What's On The Horizon

Along with Kees Leune, the ISO at Adelphi University, I will be presenting, "When To Declare An Information Security Incident and How To Respond Once You Do" at the EDUCAUSE Security Professionals Conference April 15-17 in St. Louis. Details can be found here:

My most recent contributions to the information security community are presentations on the philosophy of security and on information security incident response at the Idaho Fraud & High Tech Investigation Conference, November 2012.

Saturday, March 9, 2013

Privacy? Security?

I've read several articles recently that spoke to the difference between security and privacy.  I was confused, I've always thought of security and privacy as complementary concepts.  Privacy is often defined by quoting one of the Supremes--Brandeis--who said it is "the right to be left alone."  I think of it that way, too, but in more mundane terms, the right to decide who knows what about me.  In the age of Google, that is probably impossible, but that's a topic for another blog.

Security is a collection of tools or activities used to maintain privacy.  In my personal life that means using the free credit reports that are available, paying attention to the cookies that get set by websites, changing my passwords, and other stuff like that.  At work, I am responsible for ensuring that a bunch of information about students, faculty, and staff are kept private, yet available only to the people who need the information to act for the benefit of our constituents--managing financial aid, recording grades, paying people for their work.

Privacy is my goal.  Security is the route to reaching that goal.

Friday, January 4, 2013

Is Looking at What Didn’t Happen an Effective Approach?
In a posting on  wired.com,  Ben Paynter defines “the paradox of the close call” like this:
“ . . . near misses aren’t successes. They are indicators of near failure. And if the flaw is systemic, it requires only a small twist of fate for the next incident to result in disaster. Rather than celebrating then ignoring close calls, we should be learning from them and doing our very best to prevent their recurrence. But we often don’t.”
One tactic I have taken to promote information security is to trot out statistics from our IDS logs or firewall logs, point to the numbers and say, “Hey, look at all this stuff that is trying to break into our network!  We’re stopping bad things from happening!”  Applying Paynter’s definition, I am celebrating near misses—and the result is the purse-string holders say “Good job” and turn down funding requests because we are doing a “good job.”  What I am really asking is something like, "We avoided a near miss.  With proper funding we won't even have the near miss to avoid."
The puzzle is how to demonstrate the value the information security team adds.  It is self-evident to information security people who say, “we add value because we stop bad things from happening.“  That isn’t evident to those who haven’t consumed the information security elixir.  How do you put a value on what didn’t happen?  Compare it to what recovery from a breach would cost?  That isn't a very effective sales pitch (though home security companies use it all the time).  I don't have an answer right now--I'll revisit it in another post. 
Here is the link to Paynter’s essay:

Monday, August 20, 2012

Secure Enough

I have a co-worker who lives in a safe neighborhood. He bought a house that came equipped with a security system, so he looked into the cost of using it and decided to take some less expensive measures to protect his castle. He was more worried about his dogs getting out of the yard than he was about someone breaking into his house so he spent money on repairing the fence and he bought some of those little “Not For Climbing” carabiners to secure the gate latches so the dogs couldn’t pop them open.

Last winter there was a crime wave in his neighborhood. Burglars invaded garages and stole stuff out of the garages and out of the cars parked in the garages. People had purses, wallets, guns, electronics, etc. stolen. The police deduced that the burglars slipped in through open gates and then into un-locked garage windows or pet doors. My colleague’s house wasn’t bothered because it was just slightly more difficult to get to and the burglars left it alone. His house wasn’t super-secure, it was secure enough.

Information security costs money. The question is how do we strike a cost-benefit balance? It depends on an organization’s appetite for risk and the value of the target the organization presents. In other words, what are the organization’s crown jewels and what is the cost of protecting them vs. the cost of losing them?

An easier lesson is, if you are going to leave your garage windows unlocked, don’t leave your cash and credit cards (and car keys) in the unlocked cars contained by the garage.

Left:  A simple, effective, redundant, though primitive, intrusion detection system.

Tuesday, February 15, 2011

SANS Comes to Boise

I am honored to be invited to participate as the mentor for the Sans Institute course, Security 504: Hacker Techniques, Exploits & Incident Handling. It is coming to Boise next Fall and will run one two hour session, one night per week, for 10 weeks. 504 is a very informative and challenging class--and it is a lot of fun. Students do the reading outside class and then we get together to work the exercises. It is an effective way to learn the material, meet other Info Sec professionals, and prepare for the exam. More details will be posted. In the meantime, you can learn more here: http://www.sans.org/mentor/details.php?nid=24648

Thursday, August 26, 2010

Policy & Auditors

We just got dinged by internal audit for not having an anti-virus and patch management policy. Both issues are spoken to in another policy, entitled "Information Privacy and Security," but the auditor has a point. Our A-V and patch management posture isn't very well publicized. I'm working on reviewing all of our IT and Information Security policies--you can't say I don't know how to have a good time--and there is some work to do. I believe policy should be concise with implementation details worked out in separate "procedures" or "standards" documents (our policy structure is not designed like that). That way, we can all agree on a philosophical vision of how IT and InfoSec should function in our organization. Then the nuts & bolts get tweaked by flexible, ever-changing procedures and standards which are reviewed and updated by the people closest to them.

Here is an example of the A-V and patch management policy I am thinking of proposing--in the form of a haiku!

Malware harms data.
Deploy updates. Be timely!
Please get protected.

Tuesday, August 17, 2010

Bet on Your Future!

The enterprising folks at http://www.ultrinsic.com/ are soliciting students who want to bet on their grades! What an opportunity!

A story on the topic is published at:

To participate, students need to upload their school records. And if they want the site to track their records for them, all a student needs to do is provide the company with their student login information--userID and password. How cool!

But wait. College and university student systems usually store some student and and family financial information. What all could the student be giving away? Their banking information? Their family's banking information? Their financial future?


Tuesday, April 6, 2010

Saf(er) On-Line Banking

I think it was in November that the American Bankers Association recommended that home users dedicate a PC for on-line banking--just in case their "surfing" PC gets whacked. It is a good idea.

Then in January SANS reported the following:

"The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions."

Today, the following arrived in one of my emails from a reliable source:

"Many of the consumer protection laws that safeguard individuals and limit their liabilities in the event of loss, theft and fraud simply don't apply to businesses and their bank accounts. In many cases, the only protection that a business has is defined by the bank's terms and conditions of use. That means your business may be held responsible for any losses incurred prior to reporting suspicious activity to the bank."

Two take aways here: both home users and small business should dedicate a PC for on-line banking; small business owners face greater risk if something gets compromised. There are alternatives to a dedicated PC for online banking. One low-cost alternative is a bootable CD. I've been using Ubuntu at home. Download it, burn the CD, boot from it, do your banking stuff and nothing gets written to disk. Here is the URL:

It all comes down to your appetite for risk and level of paranoia; I have a low appetite for monetary risk and a high level of paranoia.