
July 26, 2008

Achieving Information Security: Response (3 of 3)

Given enough time and resources, any security system put in place will be overcome. This is an undisputed fact. Coming into the office one morning and seeing that your network has been compromised, knowing that detailed and confidential client or patient data has now been stolen, is not the time you want to figure out how you should react to the situation. In situations like this, you need to move quickly and intelligently, and not let your emotions (fear for your business, anger at the violation) take hold of you.

One of the most important parts of planning a proper response is to understand who is at risk because of the breach. You need to understand that, as violated as you feel right now, others who don't even know they are in danger possibly are. If you run a business that bills clients (basically every business), then that payment information is on file somewhere, and it puts those clients at risk. If you are a doctor, you likely have highly personal information about your patients.

Once you have established who is at risk, establish a list of who needs to be contacted, and how you plan on contacting them. The most obvious, yet often overlooked, are the police. If you think or know you have had a security breach and data has been stolen, it is time to contact the authorities. Data theft is still theft, and computer crimes are a big deal. Also, check which other authorities may need to be notified based on your industry.

Once the proper authorities have been contacted, contact others who may be at risk. If patient information has been stolen, contact your patients. If billing or financial information of clients has been compromised, let them know.

Contacting a client to tell them their information may have been stolen is a difficult thing. Expect to get a lot of calls, and be ready to answer a lot of questions. And in today's world, be prepared to compensate the client for their loss. It is typical for the company responsible for the data loss to pay for identity theft insurance for their clients for up to a year following the breach. Anything more than that is nice, but unless what was stolen caused direct loss to your client, you don't owe them much, in my opinion.

Now that you have contacted the proper authorities and the people affected, the last step is to find out what went wrong, and fix it. How did the thief get the data? What type of attack was used? What can you do to prevent it from happening again?


July 25, 2008

Happy SysAdmin Day!

Happy Systems Administrator Day Everyone!


http://www.sysadminday.com/


July 22, 2008

Achieving Information Security: Detection (2 of 3)

Any security expert will tell you that there is no such thing as absolute security, and there is no such thing as impenetrable or unhackable. The goal of security is, and always has been, to make getting something more trouble than it is worth. With that said, the secondary goal of security is to allow for detection if a breach does take place.

Detecting the Intrusion:

Depending on the type of attack you face, detection could be as easy as logging into your computer and seeing that your background image or the home page you have set has changed. It could even be that your company's web site has been changed from a friendly and informative page about your company to the logo of some script kiddie. These are simple and obvious ways to tell that something is going on.

But what if the attacker's goal wasn't to damage any of your data? What if all they were looking for was a list of your clients, or details of a product your company is about to launch? If all the intruder plans on doing is taking a copy of your data, how do you know it happened?

Server Security Logs:

One of the easiest ways to tell that an outsider is attempting to gain access to your network is already built into your Windows server. If you take a look at your Domain Controller's event log you will see a section for security. This log shows every attempt, both failed and successful, to authenticate a user to your domain. If you ever notice an abundance of failed attempts, you have one of two scenarios on your hands.

  1. An employee has forgotten their password. Now, this is by no means rare, but what would be rare is an employee trying 20 times before giving up and calling the IT staff.
  2. Someone is trying to guess the password to an account. If you see dozens of failed attempts on the same account, you can almost be certain that the account is under attack. At this point, your best bet is to disable the account, and contact the user to verify it is not them doing this. Your next step is to find out who is trying to use the account. We will discuss this in part 3 of this series.
In addition to your server logs, you should also enable logging on your primary network devices. Your firewall and gateway router are the entry points to your network, and if an attack is coming over the wire, there is no better place to look.
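The two scenarios above, turned into a small triage script. This is an added example, not code from the original post: it assumes the Security log has been exported as comma-separated lines (time, event id, account, source) using the NT 5 era event ids (529 = logon failure, 528 = successful logon), and the 20-try threshold follows the post's rule of thumb. It also flags a pattern the post does not mention: one source failing against many different accounts, which a per-account count alone would miss.

```python
"""Triage failed logons from a domain controller's Security log.

Added example, not code from the original post.  Assumptions: the log has
been exported as comma-separated lines (time, event id, account, source),
and the NT 5 era event ids are in use: 529 = logon failure (bad user name
or password), 528 = successful logon.  Thresholds are assumed, matching the
post's rule of thumb that a user who forgot a password gives up long before
20 tries.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ATTACK_THRESHOLD = 20        # failures on one account inside WINDOW
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5       # one source failing against this many accounts


def _sample_log():
    """Constructed sample export: a forgotten password, a brute-force
    attempt against one account, and one source touching many accounts."""
    lines = [
        "2008-07-22 08:01:05,529,jdoe,10.0.0.15",
        "2008-07-22 08:01:20,529,jdoe,10.0.0.15",
        "2008-07-22 08:01:40,529,jdoe,10.0.0.15",
        "2008-07-22 08:02:10,528,jdoe,10.0.0.15",      # got it right at last
    ]
    lines += [f"2008-07-22 08:10:{2 * i:02d},529,ssmith,203.0.113.7"
              for i in range(25)]
    lines += [f"2008-07-22 08:30:{i:02d},529,user{i},198.51.100.9"
              for i in range(6)]
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()


def parse_line(line):
    ts, event_id, account, source = line.split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id), "account": account, "source": source}


def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def max_failures_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, threshold=ATTACK_THRESHOLD):
    """Per account: failure count, worst burst, verdict and the sources seen."""
    failures, sources, succeeded = defaultdict(list), defaultdict(set), set()
    for e in events:
        if e["event_id"] == 529:
            failures[e["account"]].append(e["time"])
            sources[e["account"]].add(e["source"])
        elif e["event_id"] == 528:
            succeeded.add(e["account"])
    report = {}
    for account, times in failures.items():
        burst = max_failures_in_window(times)
        if burst >= threshold:
            verdict = "under_attack"     # disable the account, then call the user
        elif account in succeeded:
            verdict = "forgot_password"  # a few misses, then a success
        else:
            verdict = "watch"            # too few to call either way yet
        report[account] = {"failures": len(times), "burst": burst,
                           "verdict": verdict, "sources": sources[account]}
    return report


def spraying_sources(events, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Sources whose failures are spread over many accounts; this pattern is
    not in the post but hides from a per-account threshold, so check it too."""
    accounts = defaultdict(set)
    for e in events:
        if e["event_id"] == 529:
            accounts[e["source"]].add(e["account"])
    return {s for s, a in accounts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for account, info in sorted(triage(evs).items()):
        print(f"{account:8} failures={info['failures']:3} burst={info['burst']:3} "
              f"{info['verdict']:15} from {', '.join(sorted(info['sources']))}")
    print("sources hitting many accounts:", sorted(spraying_sources(evs)))
```

The source column is what answers the post's "find out who is trying to use the account" question; on a real export the columns and event ids will differ by Windows version, so adjust parse_line() to match.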

Intrusion Detection Systems:

Data security is so important, that there is an entire segment of the software industry dedicated to detecting data breaches. These types of software are called intrusion detection systems or IDS for short.

An IDS is a set of "sensors" on a computer or computer network that look for strange activity based on a predefined set of rules that it follows. An IDS knows what typical network traffic looks like, can recognize attacks against your network as they occur, and in some cases can defend against those attacks, or at the very least send your administrator a warning to let them know what is happening.

For example, your IDS will learn how much traffic should come to your network at a given time. If for some reason there is a sudden increase in the amount of data, or the number of connections being attempted on your network spikes past a predefined threshold, there is a good chance that a Denial of Service attack may be under way. It can also recognize if someone is attempting to scan for available ports on your firewall.

Other intrusion detection systems are designed to monitor internal activity; after all, most data breaches are committed by employees. An IDS can look for signs such as large amounts of files being copied from a network share to a person's local computer.
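The two network-side checks described above (a connection spike past a learned threshold, and a port scan) as an added example in Python; this is not code from the post or from any IDS product. The record layout, the baseline figures and the thresholds are all constructed assumptions.

```python
"""Two of the IDS checks the post describes, run over constructed records:
a connection-rate spike against a learned baseline, and a port scan.

Added example, not the post's or any IDS product's code.  Record layout,
baseline figures and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SPIKE_SIGMA = 3.0               # alert above mean + 3 standard deviations
SCAN_MIN_PORTS = 15             # distinct ports from one source within SCAN_WINDOW
SCAN_WINDOW = timedelta(seconds=30)

# Connections per minute observed over twelve ordinary minutes (constructed).
BASELINE_MINUTES = [41, 38, 45, 40, 43, 39, 44, 42, 37, 41, 40, 43]


def _sample_connections():
    """Constructed connection records: normal web traffic, one host sweeping
    25 ports in 25 seconds, and 120 connections from many hosts in one minute."""
    base = datetime(2008, 7, 22, 9, 0, 0)
    recs = []
    for i in range(8):
        recs.append((base + timedelta(minutes=i), "198.51.100.20", 443 if i % 2 else 80))
    for i, port in enumerate(range(21, 46)):
        recs.append((base + timedelta(seconds=i), "203.0.113.7", port))
    for i in range(120):
        recs.append((base + timedelta(minutes=5, seconds=i % 60), f"192.0.2.{i + 1}", 80))
    return [{"time": t, "src": s, "dport": p} for t, s, p in recs]


SAMPLE_CONNECTIONS = _sample_connections()


def learn_baseline(counts):
    """What 'normal' looks like: mean and spread of connections per minute."""
    return mean(counts), pstdev(counts)


def spike_threshold(avg, sd, sigma=SPIKE_SIGMA):
    return avg + sigma * sd


def rate_alert(current, avg, sd, sigma=SPIKE_SIGMA):
    return current > spike_threshold(avg, sd, sigma)


def minute_counts(records):
    counts = defaultdict(int)
    for r in records:
        counts[r["time"].strftime("%H:%M")] += 1
    return dict(counts)


def spiking_minutes(records, avg, sd, sigma=SPIKE_SIGMA):
    """Minutes whose connection count exceeds the learned threshold."""
    return [(m, n) for m, n in sorted(minute_counts(records).items())
            if rate_alert(n, avg, sd, sigma)]


def port_scan_sources(records, min_ports=SCAN_MIN_PORTS, window=SCAN_WINDOW):
    """Sources that touched at least `min_ports` distinct ports within `window`.
    Returns {source: most distinct ports seen inside one window}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((r["time"], r["dport"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)   # port -> hits currently inside the window
        start = best = 0
        for t, port in hits:
            in_window[port] += 1
            while t - hits[start][0] > window:     # slide the window forward
                old_port = hits[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    avg, sd = learn_baseline(BASELINE_MINUTES)
    print(f"baseline {avg:.1f}/min, alert above {spike_threshold(avg, sd):.1f}/min")
    print("spiking minutes:", spiking_minutes(SAMPLE_CONNECTIONS, avg, sd))
    print("port scans:", port_scan_sources(SAMPLE_CONNECTIONS))
```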

For more information about Intrusion Detection Systems see the Wikipedia Entry HERE

Please check back for Part 3 of 3 of the Achieving Information Security series.


M.I.A.

Hey Everyone,

As most of you have noticed, I have been M.I.A. for the last few months. This is just a formal "I'm Back" message. A lot has happened in the last few months. I got a new job, finally got my degree, and got a handful of new certifications, so check back soon for some actual posts. What does this mean for you all? Well, with the new job come more challenges for me to write about and hopefully to help you resolve issues quicker. Thanks again for hanging around while I was gone, and I hope you enjoy what is coming up.


January 31, 2008

New Poll

There is a new poll on the front page. Industry certifications have always been debated: some feel they are great indicators of knowledge, others think they are a dime a dozen. Which do you think are worthwhile?


January 30, 2008

MS Extends Second Shot Program

For those of you looking to get some Microsoft certifications, Microsoft announced they will be extending their Second Shot program. Essentially, Second Shot is a joint program between Microsoft and Prometric: you register for a Second Shot voucher before you take a Microsoft certification exam, enter that voucher number when you buy your test voucher via Prometric, and if you fail your exam, you can re-take it for free. It's a pretty good deal, especially if this is your first time taking any of the MS exams. Their tests are different from a lot of other certifications, so knowing how to take their tests is something that helps you, and this gives you the opportunity to try it out without blowing a couple of hundred dollars if you find out you aren't ready just yet.

Press Release:

Microsoft™ has extended its Second Shot offer for certification exams.

You can now take advantage of the opportunity to get a free second chance
to pass a Microsoft IT Professional, Developer, or Microsoft Dynamics™
certification exam through June 30, 2008. This offer is available
worldwide, to anyone who registers for Second Shot and does not pass
their first attempt at one of these exams.

Step 1: Before taking your exam, register for Second Shot and receive
your exam voucher number.

Step 2: Using the voucher number, schedule and pay for your initial
exam via Prometric's web site, call center or test center locations. (To
qualify, you must have the voucher number prior to registering with
Prometric.)

Step 3: Take your exam.

Step 4: If you do not pass on your first attempt, register for your free
retake exam via Prometric's web site, call center or test center locations
using the same voucher number.

NOTE: To allow for test results to be entered into the system, please wait
one day after the failed exam to register for your Second Shot retake.

For more information, or to register, go to: http://www.microsoft.com/learning/mcp/offers/secondshot/default.mspx

The Microsoft Certification Team
© 2008 Microsoft Corporation


January 23, 2008

Achieving Information Security: Prevention (1 of 3)

The most valuable asset of most organizations is the information they hold, whether it be top secret design plans for their next product, accounting information about future company acquisitions, or the personal information of their clients and employees. A breach in the security that protects these assets can and has resulted in companies going bankrupt due to loss of client confidence, lawsuits, and loss of competitive edge. There are three parts to achieving information security: Prevention, Detection and Response.


Prevention:
As the saying goes, an ounce of prevention is worth a pound of cure, and that is no different in the IT world. Preventing unauthorized users from gaining access to your confidential data should be priority one. There are several things that can and must be done to prevent unauthorized access to data. Not only do you need to consider digital security (passwords, user names, file permissions, etc.) but also physical security.


Physical Security:
Physical security is often overlooked when we think about protecting information held on a computer, but the truth is, if someone gains physical access to your file server, they now own your data. So making sure your server is kept in a protected and secured area is very important. Servers and data backups should be kept under lock and key at all times. Ideally you want a room with controlled access that is monitored electronically and by a human. Because a secure environment like this is not always available at your office, many companies choose to use data centers to house their servers. Data centers not only provide a great deal of security, but they can provide redundant power as well as fire suppression to protect your equipment. The level of security at data centers will vary based on the center you are working with, but most are very good.

For example, the data center I have used for clients in the past included the following security:

  • Biometric Palm Scanner + pin to get into the main door
  • Sign in with a security guard as you pass through the first set of doors (they check ID)
  • You go to your designated locker (they watch to be sure you are only near your lockers)
  • Key lock AND combination lock on the server rack doors.
  • Roaming security guard as well as CC security cameras.
  • After hours, before you could even enter the building, you had to be buzzed in by security
Now this may seem excessive, and it might be overkill depending on your business, but we dealt with accountants, lawyers, doctors, DOD contractors and other professions for which data security was considered top priority. So it will be up to you to find a proper solution that matches the value of your data.

Digital Security:
Once you have a good physically secure location picked out and set up, you need to protect your data from people coming at it over the wire and not through the doors. The method by which you choose to protect your data will again vary based on how valuable that data is, and it will be up to you to decide how much protection is enough. Your goal here is to make your data secure enough that those who aren't supposed to have it can't get it, but those who need it can get it without too much trouble.

One of the easiest ways to protect files in a Windows domain environment is by adding permissions to them. Not only can you select who has access to files, but you can choose what kind of access to the file they have. In some cases, many people may need to read a file, but only 1 or 2 need to be able to make changes to it, so you can give read permission to some and write or modify permissions to others. This allows a very customizable and secure permission scheme. More information about Windows permissions can be found HERE.

File and folder permissions are great, but one of the major flaws in that type of setup is that the computer will assume anyone logged in as a user is indeed that person. So if Joe happens to know Susan's password and logs in as her, or Susan leaves her computer logged in and Joe sits at her desk, Joe will now have Susan's file permissions. So what we need here is called user authentication. Essentially, user authentication is a way for a computer to verify who is actually sitting at the keyboard. The most common way to do this is via a username/password combination. More advanced and more secure ways include using biometrics (fingerprints, palm prints, facial recognition) or a smart card. Many times people will use these different types of security in conjunction with each other (this is called multi-factor authentication). So, like at my old data center, we used both biometrics as well as a password (or PIN). This is a very common setup, and the reason is that it requires not only two forms of authentication, but two different types. So I needed something physical (my palm print) as well as something I knew (my PIN). It might be easy for someone to steal a password or PIN, but stealing a fingerprint or palm print is a lot more difficult.

Once you have your file security in place, you are pretty close to having a good security setup, but there is one last but very important piece of security that is constantly overlooked: the human element. In order to have any level of data security, you need to educate your staff on how to keep data secure. Employees need to know what data can be passed on to the public, what can be given to other employees or other departments, and what must remain a secret or not be passed around. If you don't tell them, they won't know, and the likelihood of an accidental breach is pretty big.

A common way to keep track of what information can be given to different people is by giving different data a different level of clearance. For instance, in the military, and in many large companies, they may label documents confidential, secret, or top secret. Based on those designations, staff know that only people with top secret clearance can have access to top secret documents. Similarly, you may label some documents for "full public disclosure", where the data can be given out freely (this could be something like the phone number for the main office or a branch office), or "limited public disclosure", to control press releases and public announcements that can only be given out with special permission.
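Putting the two controls above together, the read/modify permissions from the file-permission paragraph and the clearance labels from this one, as an added example that is not from the post. The users, documents, labels and rights are constructed, and the model is a simplification of how a real domain enforces either control.

```python
"""Combining the two controls from the post: per-file read/modify
permissions, and a clearance level that must dominate the document's
classification label.  Added example (not the post's); the users,
documents, labels and rights are constructed, and the model is a
simplification of how a real domain enforces either control.
"""
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0         # "full public disclosure"
    LIMITED = 1        # "limited public disclosure"
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Who holds which clearance.  Nobody outside this table is a known principal.
CLEARANCE = {"susan": Level.TOP_SECRET, "joe": Level.CONFIDENTIAL,
             "press_office": Level.LIMITED}

# Each document carries a label and an ACL: principal -> set of rights.
# "*" stands for every authenticated user.
DOCUMENTS = {
    "branch_phone_list.txt": {"label": Level.PUBLIC,
                              "acl": {"*": {"read"}, "susan": {"read", "modify"}}},
    "q3_press_release.doc":  {"label": Level.LIMITED,
                              "acl": {"press_office": {"read"}, "susan": {"read", "modify"}}},
    "acquisition_plan.xls":  {"label": Level.SECRET,
                              "acl": {"susan": {"read", "modify"}, "joe": {"read"}}},
}


def granted_rights(doc, user):
    acl = doc["acl"]
    return set(acl.get("*", ())) | set(acl.get(user, ()))


def check_access(user, filename, right):
    """Decide one request.  The clearance check runs first and wins even when
    the ACL would grant the right; an ACL entry is not a clearance.  Note the
    check trusts the logged-in identity: if Joe is sitting at Susan's logged-in
    desk, this code sees "susan", which is why the post insists on authentication."""
    if user not in CLEARANCE:
        return False, "unknown principal"
    doc = DOCUMENTS.get(filename)
    if doc is None:
        return False, "no such document"
    if CLEARANCE[user] < doc["label"]:
        return False, f"clearance {CLEARANCE[user].name} is below label {doc['label'].name}"
    if right not in granted_rights(doc, user):
        return False, f"ACL does not grant {right}"
    return True, "allowed"


def effective_rights(user, filename):
    """Rights the user can actually exercise on the file, after both checks."""
    return {r for r in ("read", "modify") if check_access(user, filename, r)[0]}


if __name__ == "__main__":
    for user in ("joe", "press_office", "susan", "mallory"):
        for name in DOCUMENTS:
            print(f"{user:13} {name:23} {sorted(effective_rights(user, name))}")
```

Joe is on the acquisition plan's ACL but holds only CONFIDENTIAL clearance, so the label check denies him before the ACL is even consulted.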

Once you are able to control physical access, digital access, and are able to teach your employees on the proper way to handle data, you are well on your way to achieving a good level of information security.


January 16, 2008

Lack of Updates

Sorry for the lack of updates everyone, I have been buried with other work.

What exactly has been keeping me busy? Well, school is starting up again (I get my degree this year), I have been tasked with designing, then building a NOC at work (a really fun, although highly time consuming, project) and I have been taking some certification exams (mostly so people stop asking me what certs I have and because my boss wants me to get some so he can convince the CEO to give me a raise). I take the exam for one of my Security certifications tomorrow, and then will finish up some posts I have been working on.

Coming up I have posts about:

  • The three parts of information security (3 part series)
  • Certification Exam prep tips
  • Building a NOC (Network Observation Center): My start to finish guide on the NOC I am building
All of these posts have been started and are in different stages of completion, so hopefully you will see 1 or 2 by the end of the week, and the rest next week.


January 14, 2008

Pondering the universe

Of all the things in the world to ponder, I have always asked myself the same question: what is beyond the edge of the universe?

Throughout my years of schooling I have taken both science and philosophy courses, and have never been given a good answer to my question. I was asked to stop asking questions by my astronomy professor when I simply asked what was beyond the edge of the universe.

The universe is said to be the whole of everything. It is also stated to be 93 billion light years across. But how can something with a limit be the whole of everything? In order to place a limit on something, it has to have a start and an end. To have a start, there must be something before it, or you couldn't judge the start. If there is an end, then there must be something beyond that point which a person claims to be the end.

If we state that the size of the universe is infinite, then our teachers have been lying all along.

In addition to this, it is said that the universe is expanding. Where is it expanding to, if it is the whole of everything?

Maybe the key is that the term universe can only be used to accurately describe all the known objects.

Think about it.


January 10, 2008

CompUSA LIVES!

TigerDirect plans on turning all of their stores (11 current, 3 more opening) into CompUSA stores and joining them with the 16 they just purchased. They will also keep the CompUSA website up and running. This means CompUSA lives!

Gilbert Fiorentino acknowledges that CompUSA was doomed due to high overhead (duh) because they insisted on keeping several levels of managers as well as a very heavy internal IT department. With all that overhead, it was very difficult to keep any store profitable. After cutting all the fat, they will have about 30 stores and be profitable. Check out the CNN article for details.


Still no word on the fate of the Honolulu stores. It looks like TD is trying to stay in the southeast sector of the US, so I doubt they will be buying this store. Although Honolulu is highly profitable, it is a huge risk and involves a lot of extra overhead due to shipping and support requirements, so the ROI may not be as good.


January 7, 2008

Benefits of Server Virtualization



As both software and hardware technology advance, and the dependence on technology as a tool becomes more and more apparent, companies have begun facing new challenges. As more servers are needed, several things happen. First, there is the cost of the hardware; then you need space to store the hardware. You need to make sure that area stays cool and dry, and you need a proper fire suppression system (spraying water on a server is a bad idea). You need to pay for the electricity for all those servers, and you need to repair parts on those servers when they go bad. Over time these costs can become huge. How does virtualization help?

Benefits:

  • Less hardware to purchase. If you can run 3 servers on a single piece of server hardware, then you can save money.
  • Less hardware means less heat, which saves you money on cooling.
  • Fewer servers means lower electricity costs.
  • Less hardware to maintain.
  • Less space taken up by servers.

Disadvantages:

  • Concentrated points of failure. Previously, when 1 piece of hardware broke, you lost one server. Now several are down.
  • Extra software to purchase and configure (you need to buy VM software).
  • If in a really high traffic environment, bandwidth limitations on the NIC could become a problem, although this is highly unlikely and can be resolved by adding a second NIC and load balancing.
  • Not all software can run in a virtual environment (this is rapidly changing).


TigerDirect Purchases CompUSA

Official announcement that Systemax (TigerDirect) has purchased CompUSA

"We believe the value of the CompUSA brand remains very high. The company has a long legacy of value pricing, service and customer loyalty among consumers nationwide," said Richard Leeds, Chief Executive Officer of Systemax. "We view this acquisition as a strong complementary business to our TigerDirect operation."


So far it has been announced that the stores in Florida, Texas, and Puerto Rico are for sure; let's see if Honolulu is next.


Yahoo! Finance
Business Week
Reuters


UPDATE 01/07/08 4:00 pm:
Sources have stated that Circuit City should be making an announcement in the next few days about an acquisition of the Honolulu CompUSA location (basically opening a new Circuit City in Honolulu). With recent announcements of their stock prices plummeting, this comes as a surprise to me, but it would make sense for Circuit City to create a larger presence in Honolulu. Look for that announcement soon.


January 5, 2008

Questions for Mint.com

If you have read my blog, you have probably seen the criticism I have aimed at companies like Mint.com. I feel the idea of their product is good, but the execution is poor. There are too many points of failure, but that is inherent in the type of service they offer. I decided to try and get some answers from Mint on several occasions, because it really isn't fair to just bash a product without giving the makers a chance to respond. I emailed Mint.com's support and asked questions on message boards, and finally I got a response from a person at Mint who agreed to answer some questions for me; it was like the light at the end of the tunnel. This was in November. I sent a list of questions asking about the security of the software, what type of liability they have, and their policies as far as holding customer info (since most of the information on their website was vague). While I didn't expect all questions to be answered (for various reasons, including proprietary processes needing to be safeguarded, security, etc.), I did expect some, and unfortunately I was given none.

The lack of assistance from the company, and their outright refusal to answer questions about their product, is disturbing. With a regular piece of software this would be irritating; I don't think it is unreasonable to want to know how your information is handled. But with a piece of software that is designed to handle financial data, by a company who is asking you to trust them with all of your account information and your credentials to access that information, it is just scary that they are so hesitant to work with customers to settle their fears. Below are the questions I asked the representative of Mint.com. I received a reply saying they were working on it, then that someone would get back to me, then nothing. Now they are saying their marketing staff wanted to review the answers first. I'm hoping someone can provide some answers for me. As online financial aggregators become more popular (there are several already), they will become a major target of criminals, and I think it is important for customers to have as much information as possible about the services they provide and the steps they take to ensure the security of their clients' data.



Mint.com if you read this, please feel free to reply in the comments or via an email to me and I will fill in the answers below.

I checked their website again, and it looks like they added more info, so I'm going to fill in some things that they already published answers for. Glad to see they are updating their website. Maybe my questions aren't falling on deaf ears.

Update: A Mint.com rep has responded and the answers they provided are in red below. My Comments are in parenthesis.

  1. Once an account is canceled, how long does Mint.com hold the information for?
    We delete the account within 48 hours from our primary production
    servers. We do not hold your information beyond that point.

  2. How long are backups held after an account is deleted?
    See above (if this is true, then either they don't keep backups for more than a day, or they delete your info from the backup... both seem unlikely)

  3. What is the policy for turning over information when requested by a 3rd party (police, lawyers, etc)?
    See link here: http://mint.com/privacy.html#a-10
    In addition, Mint, like any other corporate entity, would have to comply with any legal requests from law enforcement for information.

  4. What liability does mint.com have if there is ever a security breach and information is stolen? Where is Mint.com's liability explained?
    Liability is explained in the Terms of use (see link: http://mint.com/terms.html#a-16)
    Important note: If the concern is about identity theft in the very unlikely scenario of a security breach, customers are protected by various consumer protection laws, including regulation E, if they advise their financial institutions within a specific period of time.

  5. It states here that Mint does not actually hold a user's info, but that Yodlee does. How do Mint and Yodlee interact and ensure the user is seeing their information and not someone else's if there is no identifying data shared?
    We generate a random identifier for each Mint user and use that identifier when communicating with Yodlee

  6. What type of encryption is in place between Yodlee and Mint?
    128 bit SSL

  7. Which company do you contract for your co-location? Many "secure facilities" aren't all that secure.
    Can't answer this (no answer was expected since saying "we store our servers at X" would be pretty dumb)

  8. Is it a shared facility? Do you share hardware as well, or does Mint use dedicated servers?
    Mint uses dedicated servers in a dedicated location, with our own biometric locks.

  9. You also state here that no Mint staff have access to user credentials. Is this true for both user names and passwords, or just passwords? If they have access to neither, how can they assist a customer if they are having access problems?
    This addresses bank credentials, not Mint.com credentials, so the answer makes sense.


  10. How will you notify customers if the terms and conditions/privacy policy change?
    See link: http://mint.com/privacy.html#a-18

  11. Do you share customer information with any affiliates?
    We will never share personal information. We will use aggregate data in various ways in the future, where it can be done to enhance the value of the service while
    maintaining privacy

  12. How will you notify customers if there is a security breach?
    Email

  13. You again state here that you don't store any cc info. So is it safe to assume then, that mint just acts as a "front end" so to speak for Yodlee?
    Mint leverages Yodlee's proven account aggregation service, as do most of the top US banks, Microsoft Money, Fidelity, etc. We then apply multiple patent-pending technologies to automatically categorize and analyze your transactions and find offers which will save you money.

  14. Has this been resolved? I can't say that it is very comforting that "administrators" are answering with "I think" instead of certainty. Or is this another case of Mint just being a front end and really we should be working with Yodlee?
    No, this hasn’t been resolved. Security dongles aren’t supported because they create a random password every xxx number of seconds. There’s no way to support this right now.

  15. Do you think it is unethical to recommend credit cards as well as other financial services without knowing the full financial situation of a customer?
    1. The offer is based on an algorithm about what we know about the customer at that time.
    2. The customer has no obligation to accept an offer.
    3. The customer doesn’t have to accept an offer to continue using the site.
    4. We present the best possible offer (based on what we know), even if we don’t make any money.

Now hopefully someone can help me fill in the rest of the answers.


January 4, 2008

Tiger Direct Eyes CompUSA

This has been Confirmed


There has been some major noise about Tiger Direct buying CompUSA for some time now, but in recent days the internal noise has been growing. Daily Tech reports some interesting Wikipedia edits going on that point to a Tiger Direct acquisition; in addition, the Gordon Brothers realtors were in our store (one of the most valuable and one of the few profitable CompUSA stores around) showing some people around. The location we are in is by no means cheap and is considered prime real estate in Honolulu (rent of this building approaches 250k per month), so any buyer would need to be big and willing to make an investment.

In addition to this we have been consistently receiving merchandise despite most stores no longer receiving inventories.

The official closing date for CompUSA is March 1st, but that isn't to say someone won't buy it out before then; only time will tell.
