Cyber safety at St. Mark Lutheran

Gail Larrow invited me to speak at St. Mark Lutheran school on cyber safety. It was a pleasure to speak to the students there and to find out how they are using technology. Honestly, I didn’t even recognize some of the technology they mentioned. However, I was able to offer them a lot of information on how to protect themselves online. Here is a copy of the presentation.

Security Awareness: 360 empowerment for cyber defense

A few days ago, I delivered a training session on security awareness. The employees who attended the training discussed quite a few items that they will bring back to their management, which I hope will inspire some culture change and a different view of information security. Here is the presentation if you would like to view it.

Safe computing in a digital world | The Union Club

It is a dangerous world out there in cyberspace, with organizations losing corporate secrets or private customer data almost daily. Protecting yourself, however, doesn’t have to be difficult and neither should it be left to those in IT. The keys to safe computing in a digital world can be yours.

The event will be a presentation followed by questions and answers.

The value of attending is learning how to secure the privacy of the information you routinely exchange and store digitally. Cybersecurity is in the news. Even President Obama discussed it in the State of the Union Address in February.

Privacy matters even for those who don’t care

There are so many ways to share on social media today and users, especially the younger generation, are sharing almost everything.  The problem is that some data is not meant to be shared.  A culture of sharing is developing that can be quite harmful for businesses and the confidential information they hold.  It is even more important in this day and age to educate employees on what they can and cannot share.  Consider implementing a social media policy that specifies sharable data and data that must remain confidential along with sanctions for those who violate the policy.  Make sure that all employees are aware of the policy and why it is in place.  Lastly, make sure the policy is enforced through both technical and procedural controls.

Awareness, DoS and third party breaches top security concerns of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were employee errors and omissions, denial of service attacks and security breaches by third parties.

Awareness is a critical factor here and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.” To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of Service (DoS) attacks were also rated a high threat. DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely. Due to the relative ease of conducting a DoS attack and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list. These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group’s interests. Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that includes the public relations factors in addition to the technical ones.

Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business. In fact, 79% of respondents said the sheer number of third parties they deal with was an average or high threat. With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data they work with and, as we all know, security is only as effective as the weakest link. Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with, through a process called vendor risk management. The third party then needs to demonstrate security that is in line with the risk rating they have. This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

Detecting data breaches through security awareness

Most data theft occurs by insiders. These are the people who would usually be considered very trustworthy, but some incident or life change occurs that motivates them to commit a crime. An evaluation of cases of insider theft has provided statistics useful in identifying the types of employees who are most likely to threaten information security. Surprisingly, it’s not the underpaid computer guru working in the server room. According to data from the Software Engineering Institute at Carnegie Mellon University, information theft is more likely to occur with those who serve in a managerial capacity in a non-technical role. These individuals are usually between the ages of 26 and 40 and they are more likely to steal business data than Personally Identifiable Information (PII).

Equally important is that very few data thefts were discovered by the use of technology.  Rather, security awareness and incident response played a greater role in the detection of these crimes. Unfortunately, these competencies are neglected in many businesses.  The majority of cases were detected by employees who reported suspicious or unusual activity, customers who complained or by auditors.

So I have to ask: do your employees know how to recognize suspicious activity? Would they know whom to contact? Can they do so anonymously? Lastly, does your company have an action plan for handling data theft incidents?

Disturbing security requirements you should never accept

Every once in a while, a web site will try to convince you to change your security settings. I was looking for blinds the other day and I found a web site that had a great deal. When I tried to customize the blinds, I was presented with a web page informing me that I needed to modify my cookie settings for first and third-party cookies in order for the site to work. I tried the site in a few browsers and this page came up each time I tried to modify my selection. This should be a red flag to leave the site immediately. It doesn’t really matter what the reason is, possibly outdated code or incorrect security settings. Either way, changing your security settings can make your machine vulnerable to attack. I’ll leave the name of the company out but here is a screenshot of the page. I sent the company an email about this four days ago but I have not received a response.

[Screenshot of the page, image captioned “BlindSecurity”]

Here is a copy of the email I sent them.

I have to tell you that I am extremely displeased with your web site. I wanted to get a quote for blinds from you but I was presented with a page that requested I modify my browser security settings. I tried it on Firefox and IE on my PC and neither worked so I tried it in Firefox and Safari on my Mac and it still did not work with my settings. There is a reason why computers block the content you have on your site and that is because it is a security risk. For you to force people to modify their security settings to use your site makes all your customers unsafe and I think it is very reprehensible. It opens them up to an attack or loss of privacy from future sites they may visit even if your own site has no malicious intent. I would strongly encourage you to update your site so that it does not require this feature. You are doing a disservice to your customers.

Sincerely, Eric Vanderburg

Don’t let a site intimidate you into changing your browser security settings just to use the site. It may look like a good deal but there could be some “hidden fees” such as personal information harvesting. Just go to another site instead. Companies, protect company data and your employees by enforcing browser security controls through group policies. This way users will not be able to modify their browser security even if a web site tries to convince them to make a change.

Selling security as environmentally safe

Historically, ecological concerns have been significant drivers for change. Topics ranging from global warming to protecting various species carry a strong emotional appeal, thus motivating business and personal change with the ultimate goal of protecting the environment. These environmental initiatives have been termed “green initiatives” and they impact IT in the form of “green computing.” The popularity of green computing initiatives stems not only from environmental concerns but also from a financial concern. A primary goal of many green computing initiatives is to reduce power consumption, as this has a direct impact on the bottom line.

This article addresses three green computing initiatives and identifies information security action items associated with each initiative. Information security is a concern when programs such as these are implemented. These initiatives are important to security practitioners because information security is easier to sell if it’s green.

Setting

Green computing is not necessarily new. In the early 1990s, the Environmental Protection Agency (EPA) and the Department of Energy created the Energy Star program that defined, among other things, efficiency requirements for computers. Restrictions have also been placed on how computing equipment, such as monitors and uninterruptible power supplies, can be disposed of.

Recently, a great deal of government spending has been focused on green initiatives. In 2009, the American Recovery and Reinvestment Act (ARRA) provided $70 billion towards green initiatives, including developing more efficient energy use for equipment and software and creating more effective IT cooling solutions. $47 million of that money was allocated to datacenter energy consumption and efficiency programs.

You might be thinking, “the environment is great and all but my company doesn’t really care about that.” It is of little consequence whether your company is concerned with the environment or not, because it has been proven that green computing saves money. Power is expensive and these costs continue to rise, thus making green computing an easy sell.

Is it Green?

Software Efficiency and Green Computing

Software efficiency is important to green computing because efficient software lets equipment finish its work sooner and spend more time in a power saving mode, so less power is required to perform the same operations. This initiative saves fossil fuels through the conservation of energy.

Information security practitioners are also interested in software efficiency because consolidating resources leaves fewer systems exposed and so gives attackers fewer options for malicious use. Advocates of consolidation and reduction efforts can claim that these are not only information security initiatives but also green initiatives.

Virtualization and Green Computing

Virtualization, in computing, is the creation of a virtual (rather than actual) version of a device, such as a hardware platform, operating system, storage device or network resource, which makes it possible to consolidate many machines onto fewer platforms. This is especially advantageous when legacy systems can be consolidated onto newer hardware platforms. Legacy systems often do not incorporate the latest advances in power technology and thus are less efficient to maintain. If these systems are virtualized, fossil fuels can be saved through more efficient power management on the newer hardware.

For information security practitioners, virtualization brings an array of advantages and disadvantages.  It can be a great option for improving security, especially availability and business continuity.  However, unless information security personnel are involved in the process and proper controls are tailored to the virtual environment, it may create more security risks than benefits.

Terminal Based Computing (Thin Computing) and Green Computing

Terminal based computing is another technology that can reduce the amount of energy consumed by workstations.  Because most of the processing power is consumed on the server side where the terminal sessions are managed, the workstations can be very basic machines that require little power to operate.

Terminal based computing provides advantages to the security architecture of a company because more control can be applied over the actions taken in the terminal based environment than in decentralized client server models. The disadvantage to information security is that the terminal environment can introduce a centralized point of attack and point of failure for an environment. Thus, additional controls may be needed to ensure availability of the terminal servers and confidentiality and integrity of the information contained on such systems.

Summary

This article looked at software efficiency, virtualization and terminal based computing to emphasize their inherent green computing advantage, allowing information security professionals to present the additional value of these initiatives to decision makers. These options are not just a safe choice; they are a green choice too.

Rogue certificate authorities destroy trust on the Internet

For more than a decade, computer generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner’s name. The process relies on trust. “Secure” websites utilize such a certificate to validate their identity. This digital certificate is usually procured from a company that will verify the identity of the company administering the site. The digital certificate issued to them is validated by a trusted root certificate authority or by an intermediate authority that the trusted root has itself certified. This chain of certificates is called a certificate hierarchy. A small group of trusted certificate authorities is installed on computers within the operating system. These authorities include such names as Equifax, VeriSign and Thawte. So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities, resulting in the issuance of many rogue certificates. These attacks began with a SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases, resulting in the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com. This was followed by an attack on DigiNotar where over 500 rogue certificates were issued, including some wildcard certificates such as *.google.com, which allowed the certificate to be used for any google.com site. In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy validates. Users can then be directed to such sites through phishing or “man in the middle” attacks, where a compromised host between the user and a legitimate site sends traffic to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem legitimate. For example, fake AV, some Zeus variants, Conficker and, more recently, Stuxnet and Duqu have used rogue certificates. The threat of rogue certificates is serious enough that McAfee lists them as one of its 10 threat predictions for 2012.

In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.

There are several ways companies can protect their users from the damage caused by the use of rogue certificates.  The most important action that can be taken is to install browser patches as soon as they are released because updates to root certificate authorities will be distributed through these patches.  In order to do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the amount of time machines are vulnerable to attacks.

Similar to server hardening and other security techniques that limit asset exposure, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific, thus, they can be removed if sites in those countries are not utilized.

It is important to configure the Internet browser to check for certificate revocations. Certificate revocation lists are maintained by certificate authorities, who list the certificates that should not be trusted anymore. Depending on the browser’s settings, it may be accepting revoked certificates. Make sure the browser is set to treat certificates as invalid if the Online Certificate Status Protocol (OCSP) connection fails.
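The settings this page tells users to protect (cookie handling, in the blinds post above, and revocation checking here) can be fixed by policy so that a web site cannot talk anyone into relaxing them. The script below is an added example, not code from the posts: it writes a Firefox enterprise policies.json that blocks third-party cookies, locks the cookie settings, and locks the security.OCSP.require preference so an OCSP failure makes the certificate invalid, and it audits an existing file for the same controls. The policy key names and file locations are taken from Mozilla's policy-templates documentation as understood when this example was written and should be checked against the current version; Chrome and Edge use their own policy names and are not covered here.

```python
"""Lock browser security settings by policy and audit that the lock is in place.

Added example for this page, not code from the posts. Targets Firefox's
enterprise policies.json (policy keys per Mozilla's policy-templates README,
an assumption to verify against the current version).
"""
import json
from pathlib import Path

# Where Firefox reads the file (per Mozilla's documentation):
#   Windows: <Firefox install dir>\distribution\policies.json
#   macOS:   Firefox.app/Contents/Resources/distribution/policies.json
#   Linux:   /etc/firefox/policies/policies.json
DEFAULT_POLICY_PATH = Path("policies.json")  # placeholder for a local try-out


def build_policy() -> dict:
    """Hardened policy: no third-party cookies, cookie UI locked, and an OCSP
    failure treated as an invalid certificate (pref locked as well)."""
    return {
        "policies": {
            "Cookies": {
                "AcceptThirdParty": "never",  # the weak setting would be "always"
                "Locked": True,               # users cannot change it in preferences
            },
            "Preferences": {
                "security.OCSP.require": {"Value": True, "Status": "locked"},
            },
        }
    }


def audit_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the controls are enforced."""
    findings = []
    policies = policy.get("policies", {})

    cookies = policies.get("Cookies", {})
    if cookies.get("AcceptThirdParty") != "never":
        findings.append("Cookies.AcceptThirdParty is not 'never'")
    if cookies.get("Locked") is not True:
        findings.append("Cookies.Locked is not true: users can still relax cookie settings")

    ocsp = policies.get("Preferences", {}).get("security.OCSP.require", {})
    if ocsp.get("Value") is not True:
        findings.append("security.OCSP.require is not true: unknown revocation status is accepted")
    if ocsp.get("Status") != "locked":
        findings.append("security.OCSP.require is not locked")
    return findings


def write_policy(path: Path, policy: dict) -> Path:
    """Write the policy file; returns the path written."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2))
    return path


def audit_policy_file(path: Path) -> list:
    """Audit a deployed policies.json; a missing file is itself a finding."""
    if not path.exists():
        return ["no policies.json deployed: nothing is enforced"]
    return audit_policy(json.loads(path.read_text()))


# Constructed example of a weak policy as it might be found on a workstation:
# third-party cookies allowed and nothing locked.
WEAK_POLICY = {"policies": {"Cookies": {"AcceptThirdParty": "always"}}}

if __name__ == "__main__":
    print("weak policy findings:", audit_policy(WEAK_POLICY))
    print("hardened policy findings:", audit_policy(build_policy()))
    print("wrote", write_policy(DEFAULT_POLICY_PATH, build_policy()))
```

Run it once to generate the file, copy it to the distribution directory for your platform, and run audit_policy_file against the deployed copy from a scheduled job so drift is noticed.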

Firefox add-ons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further validate certificate credibility. These add-ons warn users when a certificate differs from the one recorded elsewhere. A change in a certificate is no guarantee that the certificate is rogue, but it is a warning sign that it may be.
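The two checks those add-ons perform, a local first-seen fingerprint store and agreement among independent network notaries, are shown together in the following Python script. It is an added example written for this page, not code from the post or from CertPatrol, Convergence or Perspectives, and it uses constructed stand-ins for certificate bytes and notary reports so it runs offline; the verdict rules (alert on notary disagreement, warn on a change the notaries confirm) are this example's own choices.

```python
"""Certificate change detection in the style of CertPatrol and Perspectives.

Added example, not the add-ons' code. Certificate bytes and notary reports
below are constructed sample data; in real use the bytes would come from
ssl.SSLSocket.getpeercert(binary_form=True).
"""
import hashlib
import json
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as AA:BB:... hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Local host -> fingerprint database (the CertPatrol idea).

    path=None keeps the store in memory; otherwise it is persisted as JSON.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, fp: str) -> str:
        """Return 'new' (first contact, now pinned), 'match' or 'changed'."""
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "new"
        return "match" if known == fp else "changed"

    def update(self, host: str, fp: str) -> None:
        """Accept a changed certificate after review (e.g. a legitimate renewal)."""
        self.pins[host] = fp
        self._save()

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def notary_agreement(fp: str, reports: dict, quorum: int = 2) -> tuple:
    """Compare against fingerprints seen from independent vantage points
    (the Perspectives / Convergence idea). Returns (consistent, agreeing names)."""
    agreeing = sorted(name for name, seen in reports.items() if seen == fp)
    return len(agreeing) >= quorum, agreeing


def assess(store: PinStore, host: str, cert_der: bytes, reports: dict) -> dict:
    """Combine the local pin and the notary view into one verdict."""
    fp = fingerprint(cert_der)
    pin = store.check(host, fp)
    consistent, agreeing = notary_agreement(fp, reports)
    if not consistent:
        action = "alert"   # notaries saw a different cert: possible rogue cert or MITM
    elif pin == "changed":
        action = "warn"    # notaries agree, so likely a renewal; review, then update the pin
    else:
        action = "ok"
    return {"host": host, "fingerprint": fp, "pin": pin,
            "notary_agreement": agreeing, "action": action}


# Constructed sample data: stand-ins for DER certificate bytes.
CERT_A = b"constructed-der-bytes-for-mail.example.com-cert-A"
CERT_B = b"constructed-der-bytes-for-mail.example.com-cert-B"
HOST = "mail.example.com"
# Constructed notary reports: three vantage points all saw cert A.
NOTARIES_SEE_A = {"notary-eu": fingerprint(CERT_A),
                  "notary-us": fingerprint(CERT_A),
                  "notary-asia": fingerprint(CERT_A)}

if __name__ == "__main__":
    store = PinStore()
    print(assess(store, HOST, CERT_A, NOTARIES_SEE_A))  # first contact: pinned, ok
    print(assess(store, HOST, CERT_A, NOTARIES_SEE_A))  # same cert: match, ok
    print(assess(store, HOST, CERT_B, NOTARIES_SEE_A))  # new cert, notaries disagree: alert
```

The pin is deliberately not overwritten on a change; a human (or a policy) decides whether to call update, which keeps a single rogue certificate from silently becoming the new baseline.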

Attacks in recent years have shown that the certificate trust relationship can be exploited to impersonate legitimate sites and services. The best way to make sure you reach the genuine service is to keep browser and operating system patches current. In addition, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and by enforcing certificate revocation checking.

For more information:

Why Diginotar may turn out more important than Stuxnet

Certificate authority hack points to bigger problems

Compromised certificate authorities: How to protect yourself

Timeline for the DigiNotar hack