Archive for May, 2010

Tylenol Redux — Institutional Amnesia

In 1982 a crazy person put cyanide-laced capsules in several bottles of Tylenol painkiller and put them back on the shelves of drugstores for sale. Several people died or became ill as a result. I’ve often talked about this case primarily to highlight the wisdom of dealing with crises proactively to minimize the potential damage. In 1982, we had not yet had a case where toxic chemicals were placed into over-the-counter bottles with such dramatic effect. There was no precedent; no one knew what to do. But the McNeil company, makers of Tylenol (now a subsidiary of Johnson & Johnson), didn’t let that stop them from mounting what in retrospect still appears to be one of the most adroit crisis responses ever carried out by a company facing a threat to its very existence. Read more…

Bye, Bye, FISMA

Last week Jerry Davis, NASA’s information security chief, sent a memo that directed system managers to move away from FISMA certification of systems in favor of continuously monitoring computer systems for vulnerabilities and reporting security threats in real time. Until then, NASA had to undergo FISMA audits. Under NASA’s new direction, the agency must submit yearly status reports describing the security condition of its computing systems and networks, as well as whether or not the vulnerabilities that have been discovered are within acceptable levels of risk. A major catalyst for this change was testimony provided by Federal CIO Vivek Kundra before the US House Government Management, Organization and Procurement Subcommittee. Kundra argued that the US government’s approach to information security needs to be far more risk-based. Additionally, Davis said that he felt the Obama Administration was supportive of a move towards a more risk-based approach to information security. Read more…

Security Operations Centers (SOCs)

Early in my career in information security I developed and managed a national incident response team. Soon after the team became operational, team members started to realize that we needed a room from which we could track incidents and coordinate handling them. Not long afterwards, we were granted exclusive use of a room with special locks and plenty of whiteboards—this became our “war room.” We had to deal with an increasing number of incidents every year, and were thus constantly in our “war room,” scrambling around like crazy. Without it, I do not know what we would have done.

I just had a discussion about SOCs with Yvonne Vega of NetForensics. A SOC is very similar to an incident response “war room,” only in a SOC, the scope of operations is much larger. In a recent white paper, CA describes SOCs in the following way: Read more…

Certification Gadflies

I’ve already written several blog entries concerning information security certifications. I do not want to keep beating a dead horse, so to speak, but certification-related issues keep surfacing to the point that I need to get a few things off my chest. I recently read the résumé of someone I know well. At the top of this résumé, eight information security certifications were listed. Sometime after I had read this résumé, this person told me that he planned to get yet another certification in the near future. Read more…

Your Car: The Next Target of a Cyberattack?

There are so many new security risks emerging all the time that we barely have time to keep up with any single one. But there is a new, potentially horrific risk that demands our attention—“car hacking.” Researchers at the University of Washington and University of California-San Diego have discovered a way to attack a network that is built into most automobiles nowadays. This network, called the “Controller Area Network (CAN),” provides control over numerous functions such as anti-lock brakes and anti-rollover mechanisms. It also regulates fuel flow to save gasoline. The researchers showed that in cars with built-in wireless networks such as Bluetooth it is possible to gain unauthorized remote access and then inject code that initiates undesirable and potentially unsafe actions such as making a car unable to brake even though the brake pedal is pressed, turning the engine off, sounding the horn, locking the doors, opening windows, turning the air conditioning and the radio on and off, displaying falsified speedometer readings, and more. The researchers demonstrated a proof of concept at an abandoned airport in the state of Washington by running a program called “CarShark,” which remotely sends control instructions to CANs with no authentication whatsoever required. Read more…

Are We Really in Touch with Cost-Benefit Ratios for Controls?

The world of information is truly fascinating. At the same time, however, the amount of information security-related risk in this arena is so great that it is very possible to lose awareness of certain realities of which others, particularly those in executive-level management, IT, and other critical functions, are keenly aware. Read more…

Guest Editorial: More Questions about Information Security Research

For only the second time since I’ve been blogging on this site, I feel compelled to publish the comments of someone who reacted to something I wrote. I know the author, Kevin Spease (the president of the ISSA-Sacramento Chapter), rather well, and his timely and poignant analysis of the growing controversy concerning “play for pay” research institutes could not be better written. Here goes–enjoy. Read more…

Is Draconian Security the Answer?

Let’s face it—the US is losing badly in a cybersecurity and information warfare struggle (even though President Obama’s cybersecurity czar seems to be in a state of denial concerning this situation). US and UK government systems have been repeatedly riddled with data extrusion attacks that began years ago with the onslaught of attacks dubbed the “Titan Rain” attacks (or possibly even before). US corporations have not been spared from the same fate, either, as evidenced by the more recent so-called “Aurora” attacks. Organizations have implemented firewalls, intrusion detection systems, intrusion prevention systems, network access control, identity management systems, data loss prevention systems (some of which are decisively better than others), virus walls, password filters, password checkers, anti-virus software, Trojan detection software, endpoint security measures, and more. Although these measures have done some good in terms of repelling attacks, they have failed to adequately safeguard systems, applications, data, databases and networks from a large percentage of attacks, particularly those originating from the People’s Republic of China, currently the number one international cybersecurity saboteur nation.

The information security community has not idly watched the events and trends that have occurred. Man Read more…

Mobile Device Applications Security: Part 4

This blog posting is the last in a series of four on mobile device applications security. The prognosis is not good—I’ve repeatedly tried to drive home the point that there is little if any security built into these applications, with the exception of applications that utilize Microsoft’s trusted application model. Interestingly, some app stores claim that applications are “screened” before they are available through the store, but what is meant by “screening” is not clear. It appears that the powers-that-be behind the Apple iTunes App Store are more concerned about potentially offensive content within applications than anything else. Those in charge of the BlackBerry App World appear to care mostly about weeding out applications that are likely to cause BlackBerrys to crash or hang. And Symbian’s application screening process appears to consist only of scanning for viruses and eradicating them if they are found. But even if app stores were to offer only truly secure versions of applications, bypassing the stores altogether to obtain basically the same, but less secure, versions of the applications that an app store offers would be easy. Read more…