Archive for November, 2006

Nov 17 2006

Mitch awards the SMA award to Source Media

Published by under Hacking

I wish I didn’t have to turn off comments, but I was literally getting 50-100 comments an hour.  If I had them turned on, I would have known sooner that Mitch Ashley had some comments on the subject.  I don’t know where he and Alan get their pictures, but today’s is really ugly.

The Security Moron Award

No responses yet

Nov 17 2006

Security as a sales tool

Published by under General

I’ve been mulling RaviC’s post, Security as a core competence, for the last week or so.  I like his idea of selling security to management as a ‘core competence’, but unless security is a core part of your business and what they do, I think you’re doomed to failure.  If your company is a manufacturer of widgets, most people aren’t going to care how secure your company’s network is.  If you deal with credit cards and personally identifiable information all the time, you have a chance, but even then it might be hard.

Really, I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security.  And even then, it’s an incident around lack of security that’s more likely to get action rather than the idea of being proactive about security. 

If your company does operate in an environment where security can be used as a sales tool, think about incorporating your sales department in your efforts to push security up the ladder.  If you have your VP of Sales talking about how security will allow them to approach a market they haven’t been in before or get a sale they missed last year, management will see the dollar signs.  It’s probably a much healthier way to sell security in the organization too.

I will say that I think this is closely tied to the ROI savings model, but instead of stating what you didn’t lose, you’re stating the opportunities the company will create with security.  Management gets a lot more excited about opportunities than they do about loss avoidance.

No responses yet

Nov 16 2006

If he was dismissed in 2003, how come his passwords still work in 2006?

Published by under Hacking,Simple Security

One of the last things I’ve done at my last three jobs has been to help the administrators change the passwords on the systems I had access to.  Not that I helped choose the passwords, but I did remind them of what I had access to during my tenure.  When I took my current job, one of the first things I did was work with the staff to change as many of the passwords as possible (Why not all, you ask?  That’s a story for farther down the line).

So when I read about Source Media charging their ex-VP of Technology with unlawful computer access to the mail servers, I have to wonder why he was able to use passwords from 3 years previous!  Why hadn’t these passwords been changed immediately when he left?  And even if they weren’t changed immediately, why haven’t the passwords been changed in the time between now and then?

Source Media may need to have a long talk with their current IT staff about how their ex-VP was able to access the servers.  Where were the multiple layers of protection that should have stopped this from happening?  Why don’t their policies and procedures require the change of passwords on a regular schedule?  Where was the user education that should have stopped users from sharing their passwords?  Where were the detection safeguards that should have seen this information exiting the network?

Changing passwords is a simple, basic protection that is easy to instill in your staff.  They may whine a little, but there’s no reason not to force quarterly or at least annual password changes.  And if this VP knew their passwords from three years ago, how many other staff members have come and gone in that time?

I just hope they’ve changed their passwords now.
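The three questions above (was the departed person’s account disabled, were the shared passwords they knew rotated after they left, and is anything past the rotation schedule) can be turned into a routine check. The script below is an added example, not code from this blog or from Source Media; it runs over a constructed roster of departures and a constructed account inventory, and the field names, sample data and 90-day window are assumptions for illustration.

```python
"""Offboarding credential audit.

Added example, not the blog's or Source Media's code. It takes a
constructed roster of departures and a constructed inventory of accounts
and flags every credential a departed person could still use: personal
accounts never disabled, shared credentials not rotated since someone who
knew them left, and anything past the rotation window. The field names,
the sample data and the 90-day window are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

ROTATION_WINDOW = timedelta(days=90)  # assumed policy: quarterly rotation


@dataclass
class Account:
    name: str
    owner: Optional[str]            # None for shared or service accounts
    last_changed: date              # when the password was last set
    enabled: bool = True
    known_to: Set[str] = field(default_factory=set)  # people who had the password


# Constructed sample data; not real accounts or people.
DEPARTURES: Dict[str, date] = {
    "vp_tech": date(2003, 6, 30),
    "jsmith": date(2006, 2, 1),
}

ACCOUNTS: List[Account] = [
    Account("vp_tech", "vp_tech", date(2002, 11, 1)),
    Account("mail-admin", None, date(2002, 5, 15), known_to={"vp_tech", "ops"}),
    Account("root@mx1", None, date(2006, 10, 1), known_to={"ops"}),
    Account("jsmith", "jsmith", date(2006, 1, 10), enabled=False),
    Account("backup-svc", None, date(2005, 1, 3), known_to={"jsmith"}),
]


def audit(accounts: List[Account], departures: Dict[str, date],
          today: date) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for credentials that need action."""
    findings = []
    for a in accounts:
        # 1. A departed person's own account was never disabled.
        if a.owner in departures and a.enabled:
            findings.append((a.name, "still enabled after owner left"))
        # 2. A shared credential was not changed after someone who knew it left.
        for person in sorted(a.known_to):
            left = departures.get(person)
            if left is not None and a.last_changed <= left:
                findings.append((a.name, f"unchanged since {person} left on {left}"))
        # 3. Anything live that is older than the rotation policy allows.
        if a.enabled and today - a.last_changed > ROTATION_WINDOW:
            findings.append((a.name, "past rotation window"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed data as of 2006-11-16."""
    return audit(ACCOUNTS, DEPARTURES, date(2006, 11, 16))


if __name__ == "__main__":
    for name, reason in sample_findings():
        print(f"{name:12} {reason}")
```

The second check is the one that catches the Source Media situation: a shared mail-server credential is only as revoked as its last change date, so the audit compares that date against the departure date of everyone who ever knew it, which is why the inventory has to record who was given each shared password in the first place.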

No responses yet

Nov 15 2006

Comments down

Published by under General

I’ve had to turn off comments for a day or two, maybe until this weekend.  I’ve been getting hammered with comment spam, and while my filters have been catching it, the spam has been coming in at a rate of one or two a minute, which I can’t keep up with.  So I’m exploring possibilities for combatting it and can hopefully come up with something soon.  You can always send me an email at nsp_at_mckeay.net

One response so far

Nov 15 2006

A new CPU and some decent customer support

Published by under General

Last night when I got home from work I had a little reward to myself sitting on the table: a 1 Gig stick of DDR 3200 memory and an Athlon 64 X2 4600+ CPU from Tiger Direct.  I ordered the CPU because the 939 X2 chips are starting to get a little harder to find, and the memory should be useful in the audio editing process.  I knew better than to install the CPU when I had a podcast to record, but I figured it was worth giving the memory a try.  Insert 1 memory stick, push the button and hear BEEEEEEEP!  Uh oh.

I tried every configuration of memory I could, just the new stick, the new stick and the old sticks in every possible combination, no luck.  So the phone calls started, which was much less painful than I thought it would be.  I started by calling the manufacturer of the memory, Ultra.  I picked up the phone at 4:51 pm and was able to hang up by 5:02.  Most of that time was spent on hold, but once I told the customer support rep on the other end of the line what I’d already done, he issued me a return number without question.  Next I called Tiger Direct and was connected to a rep almost immediately.  There was a little confusion about which account she was looking at, but after that was cleared up, she had an RMA number for me and a replacement chip in the system to be on its way by 5:10.  All in all, a much more pleasant experience than I was expecting.

After I recorded the podcast last night, it was still early and I was chomping at the bit to get the new CPU in place.  The new heatsink on the Athlon is huge and the first time I’ve seen a stock heatsink using heatpipes.  The old CPU came out, an Athlon 64 3000+, and the new one went in with the new heatsink, and I pressed the power button with fingers crossed.  It came up without incident, I checked the BIOS settings (the CPU was recognized automatically and properly configured) and let it continue booting into Windows.  I’m running XP Professional, so when the system came up, it recognized the new dual-core CPU almost immediately and asked for a reboot.  When everything came back up, I had two beautiful little CPU usage windows in the Performance tab of the Windows Task Manager.  I haven’t run any benchmarks yet, but in non-scientific tests, Adobe Audition runs significantly faster, City of Heroes screams and I can quickly and easily assign programs to prefer a specific CPU.

Thanks to David at Ultra and Natasha at Tiger Direct for great customer support.  Hopefully the new memory will get here soon.

No responses yet

Nov 14 2006

Network Security Podcast, Episode 52

Published by under Podcast

This is the one year anniversary of the Network Security Podcast and I decided to spend tonight looking back over the past year.  Tonight’s podcast is short, but there’s a lot of things I have to be thankful for, including getting better audio equipment (you’ll understand when you listen to the opening).  I’ve made a lot of good friends over the last year thanks to my blogging and my podcasting, both amongst the folks I’ve talked to and amongst the folks who listen week after week.  I’ve really enjoyed doing the podcast over the last year and look forward to continuing it for the year to come.

Thank you for listening.

Network Security Podcast, Episode 52, November 14, 2006

Time:  17:50

And if you really want to torture yourself, you can go back and listen to Episode 1

No responses yet

Nov 14 2006

Both browsers have room for improvement

Published by under Simple Security

Firefox and IE7 both show room for improvement in their anti-phishing capabilities, but Firefox appears to be significantly better at it so far.  I’m also more comfortable with Firefox’s anti-phishing scheme, which involves downloading a database of known bad sites, rather than sending the request to Microsoft for verification as IE7 does. I also like all the plugins you can use in FF, such as Adblock, which further strengthen the anti-phishing capabilities.
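The privacy point in the paragraph above is that a locally downloaded list lets the browser decide without telling anyone which URL it is checking. The code below is an added illustration of that local-lookup model, not Firefox’s or Microsoft’s code: it canonicalises the URL, derives the host and directory prefixes an entry might cover, and compares SHA-256 digests against a list that was fetched ahead of time. The prefix scheme, the digest choice and the made-up hosts in the list are assumptions for the example.

```python
"""Local blocklist lookup for a phishing check.

Added illustration, not Firefox's or Microsoft's code. The browser has
already downloaded the list, so checking a URL never sends it anywhere.
Entries are SHA-256 digests of "host/path-prefix" keys; the prefixes let
one entry cover a whole host or a directory of a shared host. The list
contents are constructed, made-up hosts.
"""
import hashlib
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


def canonicalize(url: str) -> Tuple[str, str]:
    """Lower-case host, strip a trailing dot, collapse '//' in the path."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower().rstrip(".")
    path = p.path or "/"
    while "//" in path:
        path = path.replace("//", "/")
    return host, path


def lookup_keys(url: str) -> List[str]:
    """Keys to try, most general first: host/, each directory, then the file."""
    host, path = canonicalize(url)
    keys = [host + "/"]
    segs = [s for s in path.split("/") if s]
    dirs = segs if path.endswith("/") else segs[:-1]
    for i in range(len(dirs)):
        keys.append(host + "/" + "/".join(dirs[: i + 1]) + "/")
    if not path.endswith("/"):
        keys.append(host + "/" + "/".join(segs))
    return keys


def digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def build_blocklist(entries: List[str]) -> Set[str]:
    """What the downloaded list would look like: digests only, no plaintext."""
    return {digest(e) for e in entries}


# Constructed sample list; these hosts are made up for the example.
BLOCKLIST = build_blocklist([
    "login-verify.example/",              # whole host is bad
    "hosting.example/~acct/paypal/",      # one directory on a shared host
])


def is_blocked(url: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return the matching prefix key, or None. Nothing leaves the machine."""
    for key in lookup_keys(url):
        if digest(key) in blocklist:
            return key
    return None


if __name__ == "__main__":
    for u in ("http://LOGIN-VERIFY.example/signin?x=1",
              "http://hosting.example/~acct/paypal/update.html",
              "http://hosting.example/~other/"):
        print(u, "->", is_blocked(u))
```

The trade-off is freshness: a remote lookup sees the list as of this second, while a downloaded list is only as current as the last fetch, so a real deployment has to pick an update interval it can live with.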

No responses yet

Nov 14 2006

What am I worth?

Published by under General

If you’re not asking yourself this question on a regular basis, you should be:  what are my skills worth on the open market?  Computerworld has the 2006 Salary Survey available, and I don’t personally know how accurate their numbers are, but I wish I made what they consider to be ‘average’ for a security manager on the West Coast.  Oh well.

And in the interest of disclosure, I write for Computerworld, but you probably already know that.

No responses yet

Nov 13 2006

Alternatives to Firebug

Published by under Hacking

Over the weekend a couple readers left comments or sent me emails about alternatives to Firebug and Webscarab.

  • LiveHTTPHeaders:  This seems to have a lot of the same capabilities as Firebug; it also lets you see your cookies, which Firebug doesn’t.
  • TamperIE Web Security tool:  I think this is an IE-specific equivalent for Webscarab.  Not many details on the Bayden Systems site, but they list this as a penetration testing tool.

What other tools are you guys using?  I’m not a pen tester (don’t even play one on TV), but I occasionally dabble in the area, so I’m always looking for new tools.

One response so far

Nov 11 2006

Firebug to view your HTTP requests

Published by under Hacking,Simple Security

I recently had a QA technician asking about how she could see the exact requests that were being sent from her computer to the web server.  I was able to get her the information she needed using WebScarab, a local proxy, but it took a little while and created some other minor problems.  Now I find out about Firebug, which would have given us exactly the information she needed much quicker.

By the way, the problems I had with WebScarab were mostly IO errors, not issues with the program.   I’ve only used it a few times and had a hard time remembering some of the settings.  It’s a good tool and I’ll be using it in the future, but Firebug is better and quicker if you’re just trying to see the outgoing requests.
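For anyone who wants the local-proxy approach without the configuration WebScarab needs, here is an added example of the smallest thing that does the job; it is not Firebug, WebScarab or code from this blog. Point the browser’s HTTP proxy setting at 127.0.0.1:8080 (the port is an assumption) and every outgoing request line, header and body is written to stderr before being forwarded unchanged. It handles plain HTTP only; CONNECT tunnels for HTTPS are not implemented.

```python
"""Minimal logging proxy: see the exact request the browser sends.

Added example, not Firebug, WebScarab or the blog's own code. Configure
the browser to use 127.0.0.1:8080 as its HTTP proxy (port assumed); each
request is logged as it will appear on the wire, then forwarded. HTTP
only: CONNECT (HTTPS) is not handled.
"""
import http.client
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Tuple
from urllib.parse import urlsplit

# Headers that describe this hop only and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding"}


def render_request(method: str, url: str, headers: List[Tuple[str, str]], body: bytes) -> str:
    """Format the request as it goes on the wire, for the log."""
    p = urlsplit(url)
    target = (p.path or "/") + (("?" + p.query) if p.query else "")
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    text = "\r\n".join(lines) + "\r\n\r\n"
    if body:
        text += body.decode("latin-1")   # show bytes verbatim, never fail on encoding
    return text


def forward(method: str, url: str, headers: List[Tuple[str, str]], body: bytes):
    """Send the request upstream and return (status, headers, body)."""
    p = urlsplit(url)
    target = (p.path or "/") + (("?" + p.query) if p.query else "")
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=15)
    conn.request(method, target, body=body or None, headers=dict(headers))
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheaders(), data


class LoggingProxy(BaseHTTPRequestHandler):
    def _handle(self):
        # A browser talking to a proxy sends the absolute URL in the request line.
        if not urlsplit(self.path).hostname:
            self.send_error(400, "absolute URL required; is the browser using this proxy?")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = [(k, v) for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP]
        sys.stderr.write(render_request(self.command, self.path, headers, body) + "\n")
        try:
            status, rheaders, data = forward(self.command, self.path, headers, body)
        except OSError as e:
            self.send_error(502, f"upstream failure: {e}")
            return
        # Relay the response; we buffered it, so re-frame with Content-Length.
        self.send_response(status)
        for k, v in rheaders:
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), LoggingProxy).serve_forever()
```

Because the log is the raw request, a form that submits a password in the body shows it in clear text in the terminal; that is the point for a QA technician checking what the page sends, and also the reason not to leave a proxy like this running on a shared machine.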

2 responses so far
