Tuesday, December 22, 2009

Post-Blog Report: 26 Short Topics about Security

Aloha and welcome to the post-blog report.  Over the last 5 months, I’ve been writing a blog series called 26 Short Topics about Security, and I wanted to share some observations.  First, I went about this since there are so many IT challenges when it comes to security that it’s virtually impossible to cover them all.  Plus, I’m always looking for interesting stats and stories pertaining to security and thought I’d gather them up in one place.  It’s sort of a 2009 ‘Security Greatest Hits’ (or Misses, if you’re a Devo fan).

If you are a blogger and sometimes have difficulty producing a consistent stream of valuable conversations, a blog series will do the trick.  You’re not alone, since Perseus reports that 66.0% of surveyed blogs had not been updated in two months, "representing 2.72 million blogs that have been either permanently or temporarily abandoned.”  I had a daily urge to continue my quest and keep the flow going rather than jumping on whatever the topic or crisis of the day was and writing about that.  Interestingly, the timing of many of the topics coincided with a recent event, so it worked out well.  Specific keywords in the titles, like Firewall, Virtualization, Twitter or any other term that’s hot (frequently searched), drew the most readers even if the title was a little ‘out there.’  And like any writer, I was a little surprised by the entries that got the most attention.  You know the routine: you think something is fantastic but nobody cares, and the ones you feel are a little weak get massive reads.  Go figure.

The other thing I tried during this series was to include a ton of links (Don MacVittie called it a link-fest) to the stories being referenced, along with links to the previous stories in the series for easy perusal.  When one got read, so did multiple others, which positively influenced Pages per Visit and Average Time on Site – key metrics for any website.  Finally, I’m thinking about recording the blogs to offer an audio version (à la Audio Whitepapers) of the series.

Now to put a bow on this – All 26 Short Topics about Security:
  1. 26 Short Topics about Security: Stats, Stories and Suggestions
  2. BREACH is the Word, is the Word, is the Word that you Heard….
  3. Remember when we drew big Clouds on whiteboards…
  4. Decade old Data Centers
  5. The Encryption Dance (plus the A Cappella version)
  6. Yelling ‘WebApp Firewall’ in a Crowded Data Center
  7. Be Our Guest
  8. Hacks, Hackers, Hacking
  9. Dumpster Diving vs. The Bit Bucket
  10. The Threat Behind the Firewall
  11. Keys to the Kingdom
  12. Brought to you by the Letter L and the Number 7
  13. Reduce your Risk
  14. Our H1N1 Preparedness Plan (actually counted as 13.5)
  15. Can my PAN ride the LAN out the WAN?
  16. F5’s BIG-IP system with Oracle Access Manager
  17. This time, it’s Personal
  18. Don’t say a Word
  19. Will you Comply or just Check the Box?
  20. Social Media – Friend or Foe
  21. IPv6 and the End of the World
  22. You’ve Taken That Out of Context
  23. Virtualization is Real
  24. Windows Shopping
  25. X marks the Games
  26. It all comes down to YOU - The User
  27. Catch some Zzzzzzzzzzzzz
Bonus blog: Bit.ly, Twitter, Security & You

Wednesday, December 16, 2009

Catch some Zzzzzzzzzzzzz

It used to be the ‘stuck to our side’ pagers going off at 3am, telling you that a server crashed, that would keep you up at night.  You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tiptoe to the computer in hopes of gaining remote access, or wander to the car, still in your PJs, to drive to the facility.  In February 2009, InformationWeek & Dark Reading conducted a survey entitled ‘What Keeps Infosec Pros Awake at Night.’  They asked more than 400 IT pros, among other things, what their most serious threats are, how they are prioritizing their defense against them, and what they are going to do to keep their data safe in 2009 and beyond.  At the time, 52% said they were concerned about Internal threats – either employees or partners, accidental or malicious.  This makes sense, since there were several articles in early 2009 which looked at laid-off workers turning to cybercrime.  They also feared the loss/theft of a laptop or portable storage device which might contain sensitive information and lead to a corporate security breach.  Their biggest wish was for end users to be smarter about security and understand the risks.  Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in second.  They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from External sources, not insiders.  Granted, the InformationWeek data was garnered from a survey (a point-in-time opinion) and the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time), and it doesn’t include undisclosed incidents with internal investigations.  Verizon concluded that breaches which warranted public disclosure were primarily done by external sources.  I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results, but it is interesting nonetheless.  So the fear was Insider threats, yet the actual data implicates outsiders.  I started wondering if this is one of those Perception vs. Reality things or, as Stephen Covey puts it, “We see the world, not as it is, but as we are.”

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence.  There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession, and many believed it would happen again – but this time with technology's help.  Stories started to appear indicating that this scenario might happen again, and when the few that did happen were spotlighted (like the current trial of Terry Childs), folks believed, or feared, that a new wave was coming.  The data that came out the other end seems to show that those internal threats were less than expected, except maybe in the financial industry.  The other side is that sometimes perception is more important than reality.  With the perceived imminent danger of rogue ex-employees, IT departments had a wake-up call to reexamine how they handle access termination, a critical piece of data preservation.  In life and security, our view of the perceived risk is based on our past experiences/beliefs, and that ultimately shapes our reality.  My reality and your reality might be very different, but we always have the power in how we respond to events, even ones out of our control.  So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over and you did the best (hopefully) you could.  There will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk, as thieves typically work through the holidays.  Plan as best you can and take the new ones in stride, as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security.  Yea, we made it!  But wait, there’s more.  Stay tuned for the Post-blog Report where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic.  Should be fun.


Technorati Tags: Pete Silva,F5,security,application security,network security,virus,

Monday, December 14, 2009

It all comes down to YOU - The User

One of my favorite Security writers, Bruce Schneier, had an interesting entry last week called Reacting to Security Vulnerabilities, where he discusses the recent reports about the security flaw in the SSL protocol and how we as users should relax and essentially ‘do nothing.’  “What?!? – Do nothing??”  Yup, and he has some good reasons why.  Usually, new exploits, threats, breaches and the typical security stuff that garners the headlines make security folks jump.  Jump to search the internet for anything related, jump to see if our systems are infected or vulnerable, jump to put an action plan in place to reduce the risk.  These are reactionary behaviors when gloom gets delivered and we don’t fully understand the risk.  I’m not saying ignore warnings, or plan for the worst, but since several new ‘weaknesses’ seem to get published on a monthly basis, you do need to prioritize and put some context around them.

With anything in life, there are certain things we have control over and others we do not.  For many years now, we’ve been warned that it is risky to click on embedded links in a suspicious email or dangerous to click through the certificate warnings from your browser, and hopefully many people have changed their behavior.  That’s within our control.  But when a researcher finds a specific vulnerability in a particular protocol, potentially affecting several vendors, there is really not much an individual user can do.  Sure, you or the IT department can check with your vendor to see if it applies to their product, but would you immediately stop using something when it’s a critical part of your infrastructure?  Once again, as is usually the case for security, you must weigh the risks and determine if it’s within your control.  Bruce points out that many of the vulnerabilities affect systems that are out of our control, and if your data is already out there, unplugging your computer will not lessen the potential exposure.

What you can do is simply stick to your general security practices (AV/FW, OS patches, auto updates, backups, common sense), which already protect you from a slew of vulnerabilities, and let the experts/vendors figure out the best way to handle new exposure(s), since they must deal with them on a daily basis.  If the risk is too great and your infrastructure is vulnerable, push your vendor for an answer.  Most vendors, especially with security products, are fairly reasonable and typically move fast when it comes to security holes – their reputation and revenue are at risk.  You can also report to CERT if you’re not getting a response, but most vulnerability ‘finders’ alert the vendor first and give them a chance to fix or respond to it.

Protecting yourself from the multitude of threats on the internet can be daunting, never ending, and always changing, so you do need to be vigilant with the things you can control.  But as you peruse the Top 9 Breaches of 2009 or the Top 15 Most Common Attacks, you find there was/is little you could do to avoid them.

*For the record, F5 is listed on the US-CERT site as being potentially vulnerable, but we have tested our products/versions and they are not vulnerable to this issue.  F5 Networks has published a security advisory in the past to cover a similar vulnerability and provide best practice recommendations.  These best practice recommendations can be found at the F5 support site:

Tuesday, December 8, 2009

X marks the Games

Sony Playstation Celebrates Its 15th Anniversary, Happy 20th birthday, Game Boy, Happy 10th anniversary, Sega Dreamcast! and November Marks the Launch Anniversary of Many a Gaming Platform.  Gaming has come a long way since the Atari 2600 and the Fairchild Channel F, when we would screw those little U connectors to the UHF/VHF thingy.  Then we got ColecoVision’s arcade-quality games like Donkey Kong and the early Nintendos and Segas, on to today’s Sony PlayStation, Microsoft Xbox (there’s your 24th letter) and Nintendo Wii.  These days, not only can you hook your console up to your TV monitor, you can connect to the internet and play games online, even without a console.  While gaming threats & breaches don’t always make the splashy headlines like stolen credit cards and hacked financial applications, there are still plenty of things to worry about while you’re having fun.  Whether you’re a player or provider, the risks are out there, and many (both technical & social) are no different from the exploits, malware and thieves we typically hear about from general online communities.

Over the last couple of years, a number of online gaming sites experienced DDoS attacks that forced outages and tossed some sites offline, and even Pirate Bay got hit with a DDoS attack when their users were not happy about the sale to Global Gaming Factory.  Even back in 2004, there were articles that covered the Security Issues of Online Gaming, and a few of the issues mentioned still hold today.

For users, the risks loom since they spend a lot of time and money on these games, and there are always crooks out there looking to exploit that.  There is also a significant amount of social interaction with other players, and many of the social media threats, like being tricked into exposing personal or financial information, are just as prevalent.  And it’s not just hidden criminals.  Full-on media companies offering rewards, points or other game enhancements trick users into signing up for bogus offers and monthly subscriptions, all while capturing their email address, credit card and other personal info.  This is quick money for game developers (and social sites, advertisers and others), even if it is done in an unscrupulous way.

Malware infections, whether worms, viruses or bots, are also a risk.  Most of us have learned that we should not click on an embedded email link for fear of computer infection.  But do you use the same technique when searching for a new/hidden game file or conversing with another player over IM?  They might have been part of your online ‘team’ for some time and you’ve exchanged tips.  Then they promote some cool new ‘add-on’ and send you an IM saying, ‘download this hidden gem – earn points faster!!’  Would you use the same caution as with a phishing email, or click away?  If the game required administrative rights for installation, would you grant it?  Would you allow all JavaScript and ActiveX to run, knowing the inherent browser risks?  Also, since you’re playing online, you have to be connected to a server somewhere.  Is that server vulnerable?  Has it been compromised?  If it has, then you too can be vulnerable – it’s really no different from other server exploits.  This applies to game operators also.  How are you protecting your infrastructure from malicious behavior?

This document (pdf) from US-CERT gives a nice overview of avoiding online gaming risks, was the inspiration for this blog post, and offers several protective measures… which look a lot like the general security good practices we hear about on a daily basis:
• Use antivirus and antispyware programs.
• Be cautious about opening files attached to email messages or instant messages.
• Verify the authenticity and security of downloaded files and new software.
• Configure your web browsers securely.
• Use a firewall.
• Identify and back up your personal or financial data.
• Create and use strong passwords.
• Patch and update your application software.
Not to dampen any of your fun this year as many of us rip open new gaming consoles, connect them to the internet and start firing away, just use the same caution, suspicion and protection when you enter that fun zone.  Don’t let your guard down just because you’re having a great time – that holiday glee can morph into your winter of discontent with a single click.

Monday, December 7, 2009

Pearl Harbor, Punchbowl and my Grandparents

In honor of Pearl Harbor day, I want to take a quick break from 26 Short Topics to share a bit of history you might not know about.  This has nothing to do with technology, security or our awesome BIG-IP solutions, but I felt compelled to honor both my grandparents and service men/women everywhere today.  I am Hawaiian (1/8th, direct from the Kekaulike line), was born there, and most of my ancestors lived there while it was still a Monarchy.  My great-grandparents and grandparents were all born and raised there, and some witnessed the destruction that day.  A shell had even landed in my grandmother’s backyard while they were at church!  Both my grandfathers played a significant role in the days and weeks following the bombing.  One of my grandfathers was a carpenter and lived in Pauoa Valley (O’ahu), which is situated right next to Punchbowl, National Cemetery of the Pacific.  While many equate Honolulu with Diamond Head (or Leahi – Brow of the Tuna – to Hawaiians), Punchbowl is also an old volcano crater that helped create the island.  When my grandfather was a kid they used to play there, and he spoke of many fun times running around inside Punchbowl as a youngster.

When Pearl Harbor was hit, many locals were called (and wanted) to help, as you can imagine.  As my grandfather tells it, they needed a place to temporarily put those who had died, and Punchbowl was the closest (about 15 miles), had the space, and was known as the ‘Hill of Sacrifice’ to the ancient Hawaiians, so it had historical significance.  Being a carpenter and living less than a mile from Punchbowl, he was part of the team that built the wooden caskets for the fallen.  As the days went on and suitable relocation sites were not available, they decided to start properly laying to rest those who had perished – right there at Punchbowl, including an uncle of mine.  The Pearl Harbor victims were among the first to be buried there, 776 of them.  About 8 years later, they officially dedicated it as the National Memorial Cemetery of the Pacific – it’s the Arlington for the Pacific Fleet.  Those who have served in the Pacific Fleet actually have their choice of Virginia or Hawaii as their final resting place, as I understand.

My other grandfather, who happened to be a Hawaii cop at the time, was born in Yokohama (although not Japanese) and had learned Japanese while attending school there.  He moved to the Hawaiian Islands with his parents when he was still a teenager and grew up on the Big Island.  Since he understood Japanese, the US Government had him guard the Japanese consulate when the US declared war.  He really didn’t like the assignment, since he had become friends with the staff through being a local police officer and had fond memories of being in Japan.  After the attack, there were curfews and blackouts, and my grandfather had to make sure there was still a little illumination but nothing bright.  One evening, as he was covering an exposed light bulb with a mimeograph carbon copy he pulled from the garbage, he noticed the backwards Japanese characters of a letter.  As he looked closer, it contained information about the locations of ships and other munitions stationed at Pearl Harbor, which became a key piece of evidence as they started to piece together what happened.

As the years roll on and those who witnessed the Pearl Harbor attack become memories themselves, I offer these few short stories to the great Internet to file, store and recall whenever someone wonders about all the little back stories of this significant event in our history.

Wednesday, December 2, 2009

Windows Shopping

I’m really not one of those vocal Operating System lovers/haters. My dad worked at IBM for 30 years, so I grew up with computers and even took a PC Jr. with a whopping 128k of RAM and a color (what we called color) monitor with me to college in the 80’s. My first work computer was a Macintosh, and I learned about all that AppleTalk stuff and the cool publishing Quark could do. I’ve used and administered Win3.1, NT 4.0 (on laptops), Win95, WinME, Win2000/Server, and of course have been a user of XP and Vista along with a few variants of Linux. I use Windows for home and work, and personally I think each OS has its pluses and minuses. Very non-committal, I know. Now I’m looking to buy a new computer and, with that, a new Operating System.

If you’ve been avoiding the news, TV or print ads over the last year, Windows 7 is the long-awaited new OS from Microsoft.  Much has been written about Vista and the delicate balance between usability and security.  People want to be protected and secure but also want to do their daily computing tasks without much interruption.  Enterprises need to secure their access points, but users want to single-click to everything.  There has to be a balance.  With the endless number of threats, I want a box that has the basic protections but also want to make some security decisions myself.  I also want to make sure that the computer I choose abides by the company access policies in place, in case I need to connect to my corporate network, since I probably will be doing some work from my home computer.  This has become a requirement in recent years as tele-working continues to grow.  With Windows 7, Windows Server 2008 R2 and DirectAccess, folks will be able to do that with ease.  F5 recently announced solutions to optimize Win7/Server 2008 R2 deployments, and our FirePass SSL VPN already supports Windows 7 clients.

Sifting through some of the recent articles about Windows 7, there is this one that indicates Windows 7 is gaining but at the expense of XP – this one that announces Windows 7 passed Mac OS X in market share – and this one that says ‘Of all new Windows 7 users, 70% said that they were "extremely satisfied" and another 24% said they were "somewhat satisfied" with the operating system.’  And it seems like they’ve answered the most recent BSOD, saying it probably was malware, but I will still wait to see the final outcome.  Then, of course, there’s the Windows 7 Whopper to contend with while I figure out which hardware platform I want.

