Who needs employee exit procedures? Disaster recovery plans are for wimps…

November 3, 2008

This article talks about the conviction of Pryavrat Patel for actions he took after his long-term contract employment with Pratt-Read was terminated.

Now, what Mr. Patel did was definitely wrong, but frankly, Pratt-Read should probably put some thought into how they dealt with the situation too. It took them two weeks to recover from the actions of Mr. Patel and, per the article, they were actually using paper and pencil at one point to keep the business running.

So, how do you bake a fail-cake?


  1. Long-term system administrator.
  2. No apparent backups.
  3. No apparent disaster recovery plan.


Have system admin work on systems for 8 years.  Terminate said administrator. Leave remote access available to administrator and also leave access rights in place. Wait one month and break out pad and pencil to manage business when the systems can’t be used after administrator visits via remote access.

This isn’t the first story of a fired employee/contractor retaining access after being fired and causing mischief, nor will it be the last. However, it does drive home a few things we really ought to be doing in order to protect our business. Not only from situations like this, but in general.

The short list of failures I see in this story is:

  1. No process to terminate remote access and revoke access rights.
  2. Apparently, no backups.
  3. Apparently, no disaster recovery plan, or a very poor one if it existed.

So kids, make sure you change those passwords and disable the accounts of your departing personnel. Make double sure you change the administrative user passwords on all systems that said individual accessed, have a business continuity and disaster recovery plan, and back up your systems. Finally, test those plans and backups. If they don’t work, you are still in the same spot as if you didn’t have them in the first place.
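To make the offboarding checklist above concrete, here is an added example (mine, not from the post or the article it discusses) of an audit that, given a departed administrator's login name and termination date, walks a set of hosts looking for every place access could survive: an account with a live login shell or unlocked password, an SSH key still in an authorized_keys file, a sudoers grant applying directly or through group membership, a leftover crontab, and administrative accounts whose password was last changed before the termination date. The host records, the user name ppatel, the key material and the dates are all constructed sample data.

```python
"""Offboarding residual-access audit (added example, constructed sample data).

Each host record holds extracted copies of /etc/passwd, /etc/shadow,
/etc/group, sudoers, per-account authorized_keys lines and crontabs.
"""
from __future__ import annotations
from datetime import date
import re

EPOCH = date(1970, 1, 1)


def shadow_days(d: date) -> int:
    """Days since 1970-01-01, the unit /etc/shadow uses for its date fields."""
    return (d - EPOCH).days


def _locked(pw_field: str) -> bool:
    """A shadow password field beginning with '!' or '*' cannot be used to log in."""
    return pw_field.startswith(("!", "*"))


def audit_departed_user(user: str, terminated: date, user_keys: set[str], hosts: list[dict]) -> list[str]:
    """Return one finding per residual-access condition found across all hosts."""
    findings: list[str] = []
    t_days = shadow_days(terminated)
    for host in hosts:
        h = host["host"]
        # 1. Is the account itself still usable?
        for line in host["passwd"]:
            f = line.split(":")
            if f[0] == user and f[6] not in ("/usr/sbin/nologin", "/bin/false"):
                findings.append(f"{h}: account {user} still has login shell {f[6]}")
        for line in host["shadow"]:
            f = line.split(":")
            if f[0] == user:
                if not _locked(f[1]):
                    findings.append(f"{h}: password for {user} is not locked")
                if not f[7] or int(f[7]) > t_days:
                    findings.append(f"{h}: account {user} has no expiry on or before the termination date")
            elif f[0] in host["admins"] and int(f[2] or "0") < t_days:
                # Shared/admin credentials the departed user knew must be rotated after they leave
                findings.append(f"{h}: admin account {f[0]} password not rotated since {user} left")
        # 2. SSH keys: match on key material (reliable) or on the comment field (weak hint)
        for account, lines in host["authorized_keys"].items():
            for line in lines:
                parts = line.split()
                if not parts or parts[0].startswith("#"):
                    continue
                key_idx = next((i for i, p in enumerate(parts) if p.startswith("AAAA")), None)
                if key_idx is None:
                    continue
                comment = " ".join(parts[key_idx + 1:])
                if parts[key_idx] in user_keys or re.search(rf"\b{re.escape(user)}\b", comment):
                    findings.append(f"{h}: {user}'s SSH key still authorized for {account}")
        # 3. sudo grants, either naming the user or a group the user is still a member of
        groups_with_user = set()
        for g in host["group"]:
            gf = g.split(":")
            if len(gf) >= 4 and user in gf[3].split(","):
                groups_with_user.add(gf[0])
        for line in host["sudoers"]:
            tokens = line.split()
            spec = tokens[0] if tokens else ""
            if spec == user or (spec.startswith("%") and spec[1:] in groups_with_user):
                findings.append(f"{h}: sudoers grant still applies to {user}: {line.strip()}")
        # 4. Scheduled jobs that keep running under the departed user's identity
        for entry in host["crontabs"].get(user, []):
            findings.append(f"{h}: crontab owned by {user} still installed: {entry}")
    return findings


# --- constructed sample inventory: one host never offboarded, one done properly ---
DEPARTED = "ppatel"                 # constructed login name
TERMINATED = date(2008, 10, 1)      # constructed termination date
PPATEL_KEYS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYppatel"}  # constructed key material

SAMPLE_HOSTS = [
    {
        "host": "erp01", "admins": ["root"],
        "passwd": ["root:x:0:0:root:/root:/bin/bash",
                   "ppatel:x:1001:1001:P. Patel:/home/ppatel:/bin/bash"],
        "shadow": [f"root:$6$rotated:{shadow_days(date(2007, 3, 12))}:0:99999:7:::",
                   f"ppatel:$6$stillvalid:{shadow_days(date(2008, 1, 5))}:0:99999:7:::"],
        "authorized_keys": {"root": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYppatel ppatel@laptop"]},
        "group": ["sudo:x:27:ppatel,ops"],
        "sudoers": ["root ALL=(ALL) ALL", "%sudo ALL=(ALL) ALL"],
        "crontabs": {"ppatel": ["0 2 * * * /usr/local/bin/nightly.sh"]},
    },
    {
        "host": "file01", "admins": ["root"],
        "passwd": ["root:x:0:0:root:/root:/bin/bash",
                   "ppatel:x:1001:1001:P. Patel:/home/ppatel:/usr/sbin/nologin"],
        "shadow": [f"root:$6$rotated:{shadow_days(date(2008, 10, 2))}:0:99999:7:::",
                   f"ppatel:!:{shadow_days(date(2008, 1, 5))}:0:99999:7::{shadow_days(date(2008, 10, 1))}:"],
        "authorized_keys": {"root": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCotherkey ops@jumphost"]},
        "group": ["sudo:x:27:ops"],
        "sudoers": ["root ALL=(ALL) ALL", "%sudo ALL=(ALL) ALL"],
        "crontabs": {},
    },
]

if __name__ == "__main__":
    for finding in audit_departed_user(DEPARTED, TERMINATED, PPATEL_KEYS, SAMPLE_HOSTS):
        print(finding)
```

On the sample data the audit reports seven findings, all on erp01, and nothing on file01, where the account was locked and expired, the key removed, the group membership dropped and root's password rotated the day after termination. Matching SSH keys by comment is only a hint; keep an inventory of each administrator's public keys so the reliable key-material comparison does the work.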



Recap: RSA Europe 2008 Day 2

November 2, 2008

Hello again. Day 2 of RSA Europe 2008 was a busy one.  I attended several sessions during the day and then the Security Catalyst, Security Bloggers, Security Twits get together happened that evening. This post will only talk about the day.  The meet-up post will be later. Without further ado, let’s get to it.

‘The New Face of Cybercrime’ Film Screening and Executive Panel Discussion

Fortify commissioned the creation of a short film that explores what cybercrime looks like in today’s world. The film was well done and does a good job of showing that cybercrime is no longer about how many defacements malicious individuals can rack up. It isn’t about bragging rights on which systems were hacked.  Cybercrime is big business these days.

Those perpetrating it are doing it for money. As such, they don’t want to get kicked out of your systems and don’t want anybody to know they are there. It is a different world and we need to be vigilant and focused if we are going to be successful in protecting our enterprises.

Blinded by Flash: Widespread Security Flash Developers Don’t See
Prajakta Jagdale, Security Researcher, Hewlett-Packard

Prajakta’s session was an interesting one. She showed us how most current problems we find in web apps also exist in Flash-based applications. This includes things like XSS, cross-domain privilege escalation, data injection and others. She also showed some interesting things that can be done with some ActionScript functions like onMetaData, a video related function, setClipboard, which does exactly what it says, and runtime instantiation.

Of more concern is her finding of client side authentication and other client side issues in a disturbing percentage of applications.

The Future of Privacy
Bruce Schneier, Security Technologist and CTO, BT Counterpane

Bruce always has interesting things to say.  I will share that most of what he talked about is stuff that he has been talking about in his essays and on his blog. That being said, here are a few nuggets that resonated with me.

  1. Data is a byproduct of the information age – systems are not generating scads and scads of data on you because they are malicious. It just happens as more and more facets of our lives are moderated by computers. Think about email, telephone calls, credit card purchases, books bought via Amazon.  All of these generate data.
  2. Ephemeral data is now stored – In the past the conversation you had in the hall with your co-worker disappeared as soon as it was over. Now, with email, instant messaging, Skype and other methods of electronic transport becoming more and more the primary method of communication, those conversations are sticking around.
  3. We aren’t in control of that data – We don’t have the ability to delete all the data that is being built up about us because we don’t control it. Again, this isn’t malicious, it’s just the way things are in the information age.

The rest of the keynote was quite interesting as he delved into many facets of what will be happening moving forward.

Herbert H. Thompson, Ph. D., Chief Security Strategist, People Security

Dr. Thompson gave a great talk that drove home even more that we are in an era where the motives of today’s attackers are no longer about the ‘cool’ factor.  It is a business and we are being faced with well financed and motivated attackers who are interested in what we have as opposed to just wanting to take us down. He posits Five Laws of Hacker Economics which is worth a read.  Good stuff.

Another good day at the conference.



Recap: RSA Europe 2008 Day 1

November 1, 2008

Hi there folks. I am home and somewhat rested from my trip to London for the RSA Europe 2008 conference. It was a great trip and I enjoyed the conference. Below is a recap of my first day. This is going to be long, so hang in there 🙂

Information Security: From Ineffective to Innovative
Arthur W. Coviello, Jr. – Executive Vice President EMC

If I had to compress Mr. Coviello’s talk into a few concise points, they would be the following:

  1. Concentrating all our information security efforts at the perimeter is an ineffective model in today’s world.
  2. The data we are tasked with protecting must become central to our thought processes when determining how to protect our enterprises.
  3. Information security must be business aligned.

Point number 1: Our perimeters have become quite porous.  This is by design.  As such, customers, partners and others have much more access to internal systems than ever before.  This means that perimeter defenses are inadequate in dealing with attacks that are targeted at the data contained in the applications which are published to the world.  It’s the old crunchy shell vs. chewy center problem.

Point number 2: As alluded to above, in many cases the data and applications most important to the enterprise are being published to the internet or to trusted third parties in such a manner that perimeter controls are next to useless in protecting them.  We must start thinking of ways to protect the data where it sits and ensuring that the applications we publish are developed as securely as possible.

Point number 3: Finally, Mr. Coviello said that information security must become business aligned.  We used to be fear driven, i.e. we must protect ourselves from the evil out “there”. That has morphed into our current situation where we are often compliance driven, i.e. regulation x must be complied with therefore we must do y. The next step is to be business driven.  We need to understand what the business needs to accomplish, what the keys to the kingdom are, and how to protect them in a manner that is risk appropriate and as unobtrusive to the user as possible.

I agree with all the points he made. It will be a challenge, but we will benefit greatly if we can become an integral part of the business process and start protecting the crown jewels instead of the walls that contain them.

Managing your own Security Career
Chris Batten – Managing Director, Acumin

Mr. Batten offered some insight into how to manage your information security career. His prescription for managing your career is summed up in three statements:

  1. Know yourself
  2. Know others
  3. Do a gap analysis

Know yourself: If you don’t know yourself, i.e. strengths, weaknesses, goals, how can you plot a course to get you to where you want to go?

Know others: If you don’t know what others expect or how they perceive you, how can you navigate the course you have plotted to get to where you want to go?

Do a gap analysis: Once you know yourself, know others and have determined where you want to go, do a gap analysis of where you are now and what the next step is in your chosen course. Notice the next step part.

He mentioned that planning for ten years down the road is probably not the best use of your time. Things change. Another statement he made is that the career path should be your career path, not the company’s career path for you. Determine what you want to do and make that happen.

A Dialogue with ENISA
European Network and Information Security Agency

In this press-only event, ENISA presented two white papers: one which has already been published, “Security and Privacy in Massively Multiplayer Online Games”, and “Web 2.0 Security and Privacy”, which will be released in the near future. The summaries were both interesting.

I never realized that there was so much real money at stake in the virtual worlds that have been developed in the last few years. Time became short, so we did not have a chance to talk much about the Web 2.0 paper, but a couple of points that were raised are that users are going to be faced with more and more behavioural marketing and that the browser is the new OS. Not surprising, but interesting none the less. I will be reading up on it when it is published and will report back then.

While I went to several other talks, these three were the most interesting to me and this is long enough already 🙂 Updates for Days 2 and 3 will be along in the next couple days.


Interesting Information Security Bits for 11/01/2008

November 1, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. PortSwigger.net – web application security: The Month of Burp Pr0n
    Looks like a major release of the Burp suite is just around the corner. Keep your eyes open.
  2. I-Hacked.com Taking Advantage Of Technology – RJ45 Ethernet Loopback Cuff link/Keychain
    Ax0n has a neat little project posted on i-hacked that shows you how to create an ethernet loopback tester. Bonus: They can be used as cuff links or easily carried on your key chain.
  3. Blackhat Webinar: Clickjacking and Browser Security
    The next Blackhat Webinar has been announced. Jeremiah Grossman will be talking about Clickjacking. Date: November 20th, 2008 Time: 4:00 pm ET/1:00 pm PT

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.


Interesting Information Security Bits for 10/31/2008

October 31, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. spylogic.net – Facebook Privacy & Security Guide Released
    Tom has released his Facebook Security & Privacy Guide. You really should take a look if you have a Facebook account.
  2. Tips for getting started in information security – Kees Leune
    Kees gives those interested in entering the information security profession some really good things to think about and offers up some practical guidance that will really help new entrants focus on getting where they want to go.
  3. Freeform Comment: View from the defence: seven reasons for security as a service
    An article by Jon Collins summarizing the panel he hosted on SaaS at RSA Europe. Some good points are made in its favor.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.


RSA Europe 2008 – Day 3

October 29, 2008

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today’s agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale – Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing – Whether You Like It or Not
Brian O’Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems. It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable phishing techniques; crimeware you can afford; defeating 2-factor authentication. Or – if you happen to be on the other side – use these insights to develop a better strategy for protecting your consumers against fraud.

Don’t Bother about IPV6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc. Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms, the threats and proposes mitigation techniques.
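The point of that abstract, that IPv6 can be riding over an IPv4-only network through transition tunnels nobody is monitoring, is easy to check for. The following is an added example of my own, not material from Andrew Herlands' session, that flags IPv4 flow records carrying encapsulated IPv6 (IP protocol 41, used by 6to4, 6in4 and ISATAP) or Teredo (UDP port 3544, RFC 4380), and decodes the embedded IPv4 endpoint out of 6to4, Teredo and ISATAP addresses seen on hosts. The flow records and the addresses are constructed; the Teredo address is the example from RFC 4380.

```python
"""Find IPv6 transition tunnels in IPv4 flow data (added example, constructed input)."""
from __future__ import annotations
from ipaddress import IPv4Address, IPv6Address, IPv6Network

PROTO_IPV6_ENCAP = 41      # IPv6-in-IPv4 encapsulation: 6to4, 6in4, ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544         # RFC 4380 Teredo server port

SIXTO4 = IPv6Network("2002::/16")
TEREDO = IPv6Network("2001::/32")


def find_tunnel_flows(flows: list[dict]) -> list[tuple[str, str]]:
    """Return (source, mechanism) for each flow record that carries tunneled IPv6."""
    hits = []
    for f in flows:
        if f["proto"] == PROTO_IPV6_ENCAP:
            hits.append((f["src"], "IPv6-in-IPv4 (protocol 41)"))
        elif f["proto"] == PROTO_UDP and TEREDO_PORT in (f["sport"], f["dport"]):
            hits.append((f["src"], "Teredo (UDP/3544)"))
    return hits


def classify_ipv6(text: str) -> dict | None:
    """Identify a transition-mechanism address and recover the IPv4 address it embeds."""
    addr = IPv6Address(text)
    b = addr.packed
    if addr in SIXTO4:
        # 2002:VVVV:WWWW::/48 where V.V.W.W is the site's public IPv4 address
        return {"mechanism": "6to4", "ipv4": str(IPv4Address(b[2:6]))}
    if addr in TEREDO:
        # 2001:0:<server>:<flags>:<~port>:<~client>; port and client are stored inverted
        server = IPv4Address(b[4:8])
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
        return {"mechanism": "Teredo", "ipv4": str(client), "server": str(server), "port": port}
    if b[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # ISATAP interface identifier ::0:5efe:a.b.c.d (u/l bit may be set)
        return {"mechanism": "ISATAP", "ipv4": str(IPv4Address(b[12:16]))}
    return None


# Constructed flow records; 192.88.99.1 is the 6to4 relay anycast address (RFC 3068)
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "192.88.99.1", "proto": 41, "sport": 0, "dport": 0},
    {"src": "10.1.2.7", "dst": "203.0.113.5", "proto": 17, "sport": 52222, "dport": 3544},
    {"src": "10.1.2.9", "dst": "10.1.2.1", "proto": 6, "sport": 44444, "dport": 443},
]

if __name__ == "__main__":
    for src, mech in find_tunnel_flows(SAMPLE_FLOWS):
        print(f"{src}: {mech}")
    for a in ("2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2", "fe80::5efe:c000:20a"):
        print(a, classify_ipv6(a))
```

A flow export or firewall log with protocol and port fields is enough input; hosts that show up here are running a transition mechanism outside whatever IPv6 policy the network thinks it has, and the decoded IPv4 addresses tell you which endpoint to go and look at.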

ICO – Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner’s Office, U.K.
The landscape of information security is ever-evolving. How can organisations learn from the mistakes of the past? How do we manage the risks? What does the future hold? How is the role of the Information Commissioner’s Office (ICO) being strengthened? What will be the ICO’s approach? Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government’s handling of data. She will make clear the pressing need to improve leadership, governance and accountability structures for data handling. She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems – as part of which it must develop partnerships with the private sector.

Have a great day!



RSA Europe – Day 2

October 28, 2008

Hello again people.

In a bit of a time pinch, so here is the agenda for the day for those who care 🙂

  • ‘The New Face of CyberCrime’ film screening and panel
  • Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
  • Why Security Programs Fail
  • The Future of Privacy
  • Security in the Era of Identity 2.0
  • Hackernomics
  • DLP: What will be
  • The Many Faces of Social Engineering

Should be an interesting and busy day.