
onTour Updates - where is Michael Santarcangelo?

Greetings from Sierra Vista, Arizona with a long overdue update. While I may have been quiet (rare, I know), I have not been idle.

A few months ago I was focused on tracking down security fundamentals - and how they need to be applied; last week I was able to craft an intense training session that brought a group of professionals through a unique training class designed around that very concept. It was a great week and really has me energized (despite the need for sleep).

I also shared some insights from Into the Breach with a group at Fort Huachuca yesterday. The best part - for everyone, myself included - was the hour-long conversation that ensued after the keynote. We talked about current challenges and how we can face them by addressing the true problems (not the symptoms) and how to engage people to take responsibility while increasing our ability to hold them accountable.

We are going to take some time today to visit Bisbee, AZ before heading up to Tempe, AZ tomorrow. This is our final “pre-tour” trip as we work out the kinks of driving cross-country in the RV multiple times a year, running the business and spending time as a family. This trip was much smoother than the spring “expedition” and we are already looking forward to the onTour launch in September!

As we make our way back to NY, here is our schedule for the next two weeks:

Phoenix, AZ

I love Phoenix and look forward to catching up with a lot of good clients, friends and even some new faces.

Arrive: Wednesday, August 20, 2008

Depart: Friday, August 22, 2008

Staying here: http://www.apachepalmsrvpark.com/

 

Dallas, Texas

We have a lot of friends that we hope to see while we stop in Dallas. The best part of traveling by RV is the complete flexibility to see clients, potential clients and friends (most of whom were once clients or will be clients). We really enjoy life as a family and seeing the country in a way that allows us to work with people we would choose to spend time with!

Arrive: Saturday, August 23

Depart: Monday, August 25

* we have not yet picked a park, but these are the top three options - have experience or insight? Drop me a line *

http://www.treetopsrvvillage.com/

http://tradersvillage.com/en/grandprairie/rv

http://www.cowtownrvpark.com/

 

Atlanta, Georgia

Will be meeting some friends and potential clients to discuss how Into the Breach influences “Awareness that Works”; I love the opportunity to discuss my passions and share research. I’m really pumped about this!

Arrive: Tuesday, August 26

Depart: Thursday, August 28

Staying here: http://atlantasouthrvresort.com/

 

Potential other stops on the way “home”

  •       Considering a brief stop in Charlotte, NC
  •       May take one more trip to Hershey Park (need to find a connection at the Hershey Chocolate company - we’re there so much!)

Are you along our path?

If you are along our path or in one of the cities where we are touching down, I would love to meet, say hello and can offer you a preview copy of Into the Breach!  I am currently tweaking the onTour website in time for our September launch and will be announcing the 6-week onTour Fall leg in about a week or so.

 

Other Quick Updates

  •       Four podcasts are lined up, including the Pop Culture Security, Breach Breakdown and Security Roundtable!
  •       Despite my compressed schedule, my brain has not stopped; I have been working on a series of articles to share
  •       I have a special report on “freeware” that I will be releasing next week; this was a real change in thinking for me and I look forward to sharing what I learned with you.

 

Book Updates

  •       The Kindle book should be available this month
  •       The eBook should be available this month
  •       The hardcover book will be available September 16, 2008 (we’ll be picking up 500 copies on our way to Nashville, TN)
  •       The book can be pre-ordered here: http://atlasbooks.com/marktplc/02353.htm

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Catalyst onTour, Into the Breach | Print this post Print this post | | Comments

Congress Targets Online Advertising

Patrick Romero, CIPP

It appears that Congress is finally going to get involved in the regulation of behavioral targeting by internet companies. Representative Edward Markey (D-Mass.), head of the House Energy & Commerce Committee, says he and others plan to introduce comprehensive online privacy legislation in the coming congressional session. The law would allow companies to collect and share the surfing habits of consumers only if individuals opt in to the monitoring.

The issue of online behavioral tracking by online search engines, such as Google and Yahoo, for advertising purposes has gained significant attention. Earlier this year, the FTC held an open forum on how to develop industry best practices in order to ensure the privacy of online consumers. While there was hope that the industry would police itself, it appears that eventually there will be some Congressional oversight as to what information can be collected from users online.

The lack of transparency in the current model among online advertisers has proven to be problematic. Consumer and privacy organizations have stated that individuals should always have to opt in whenever their personal information is being gathered, and they should always be aware of any monitoring of their online activity. Recent incidents have proven this to be true. Facebook recently faced public backlash when it set up its Beacon program through an opt-out policy. The company was forced to issue a public apology and is currently being sued by its members for violating their privacy.

Industry leaders have been hoping that federal legislation will not be needed. However, companies continue to expand their ability to collect and monitor the information of internet users without clear policies protecting consumer privacy. It appears now that Congress will finally get on the bandwagon and clear the fog on the rules of online surveillance.


Posted in Information Protection

Preview Copies of Into the Breach - Available Now

As I wrap up my week in Las Vegas and prepare to head to Sierra Vista, AZ, I will be offering preview copies of Into the Breach. I’m going to wander down to the Vegas strip this afternoon/evening - if you’d like to get your hands on a copy, please send me an email (michael at this domain) or direct message me on twitter: http://twitter.com/catalyst

We are heading out from Vegas Saturday morning and will stop briefly in Phoenix around noon. We’re hoping to meet some friends for a quick bite to eat and then head on down. We’ll be coming back through Phoenix on the 18th and tentatively sticking around for a day or two.

I have a “Protect Your Business by Managing People, Information and Risk” keynote on the morning of the 18th - and would be happy to explore working with your team as we work our way back across the country. I have an intense 10 days in front of me - but continue to develop content for the blog, have some special reports I look forward to sharing and more awareness and breach podcasts coming up.

I am also working to publish the updated fall speaking schedule - which will see us criss-cross the country, providing many opportunities to meet, work with companies and families around the country and have some fun!


Posted in Catalyst onTour, Into the Breach

Don’t Ignore the Facebook Virus

By David E. Stern, CISSP

Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, has become fairly numb to these alerts. For the most part, as long as patches are pushed out and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It’s an unfortunate consequence of the virulent Internet environment.

I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment; EVERYONE uses Facebook.

Facebook isn’t just a toy for fiending teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.

The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.

Consider the following example: A toy manufacturer announces a recall of a popular toy due to a dangerous chemical contained within. Your child doesn’t have the toy, but you will probably want to make sure that his school and friends don’t have it either.

Take the time to generate an internal email blast warning all employees to be extra careful. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.

Don’t ignore this one.


Posted in Information Protection

Weekend Catchup: SCC Discussion Forum Update (July 26 2008)

The discussions continue to expand and inform in the Security Catalyst Community. Here are some of the recent hot conversations (including some I have listed before; this week they really exploded). 

With Blackhat/Defcon approaching, here are two discussions related to that:
Want to participate in the next Security Round Table? We are recording the August SRT on Monday night using TalkShoe so you can listen in!

Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.


Posted in Security Catalyst Community

Going to Blackhat? join the “impromptu” onTour Tailgate

With more details to come soon, we launch the next Catalyst onTour Adventure on Tuesday. After a quick stop at Hershey Park, we’re heading through Ohio to pick up some books and then into KC for the weekend. We’ll arrive in Vegas on Monday.

A few of us have been kicking around pulling together an informal, low-key, low-stress gathering while in BH. Since we’re bringing the RV (the whole point of the onTour approach), this is a good time to work out the “onTour Tailgate” series. 

Since my Tuesday event got cancelled, I am looking at hosting people at our location on Tuesday, 4-7p. This allows time for BH and the evening parties - but also a chance to unwind, meet new people and make some friends. Depending on when people come in, I’d be happy to consider Wednesday or Thursday, too. (Note: if you cannot make it Tuesday but want to meet/speak - shoot me a note and we’ll connect.)

I know there are a lot of parties, events with booze and such. I see this as a chance to pull together, meet each other and have some time to kick back. There are no sponsors for the tailgate (though I wouldn’t refuse ‘em); instead, this is a self-supported event where everyone brings something and makes new friends. 

Details

Unless otherwise noted (or encouraged to go a different direction), plan for Tuesday 4pm. Here: http://www.oasislasvegasrvresort.com/

 

Companies Coming to Vegas

I am working on publishing a criteria list for pitches. I like learning about different solutions - but I want to make it easier to pitch me and explain the value. Look for something in the next 10 days. Meantime, if you’re going to be at BH and want to share your vision - shoot me a note and we’ll connect. I’ve already declared where I’m staying - and happy to meet anyone at the “rolling office.”


Posted in Catalyst onTour, Security Catalyst Community

Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge

With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I — along with some guests — are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information.

PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!

Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/

Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3

Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when it discovered the compromised computer. The university found that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an alumni database server was being used to launch a denial-of-service attack against an external target. This alumni server contained personal information on 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. The server should have been removed more than a year before the breach was discovered, and the IT department had assumed it was; as a result, the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.

In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.

The university fired 2 IT administrators and the CIO resigned.

What was the response
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than the rote “take down and investigate”.
- The university spent a large amount of time and money notifying those affected. It used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint, and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
 - The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings, the committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
 - OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.

What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
 - In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a “spontaneous mushrooming of IT people on campus”. A report from a consultant confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communication and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget (1 million in 2 years) and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this exact same environment can be found at many educational institutions. Ohio University was not unique in these issues.

Links for more information
- OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
- An excellent breakdown of the incident (subscription required): Wasley, Paula. “More Holes Than a Pound of Swiss Cheese.” The Chronicle of Higher Education. <http://chronicle.com/weekly/v53/i06/06a03901.htm>
- Articles about the breaches:
 - Sandoval, Greg. “University server in hackers’ hands for a year.” CNet News.com. <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
 - Vijayan, Jaikumar. “Ohio University reports two separate security breaches.” Computerworld. <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
- OU President McDavis’ essay about the breaches (subscription required): McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis.” The Chronicle of Higher Education. <http://chronicle.com/weekly/v54/i30/30b00501.htm>
- A good write-up of President McDavis’ essay: Heck, Richard. “McDavis writes of computer breach in national publication.” The Athens Messenger. <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
- Ohio University data theft web site: http://www.ohio.edu/datatheft/index.cfm


Posted in Information Protection, Into the Breach, netcast

SCC Discussion Forums: Hot Friday Update (July 18, 2008)

It is hot today in Upstate NY; the same is true for some forum discussions taking place this week:

Also a notice about HOPE2008 and any members attending: HOPE2008
Next Week
I have been working on a two-part approach to guide smaller companies to better protect information without increasing stress. It comes down to two questions:
1. What are the five (and only five) most important things for any company to do (and why)? I have some ideas around this that I hope to flesh out this weekend and share for dissection and discussion in the forums. We’ll package up and present the final list.
2. Once the initial five things are done (the ones that do not require any thinking), what are the next steps? I felt like limiting this to 10, maybe 12 - but now I’m not convinced. I’d like to collaborate to build a sequence of steps; again, with small business in mind.
Look for some details and a discussion thread in the coming days. I look forward to collaborating, learning and starting to pull together some guides and resources for people.
Note: this dovetails with the series I have been authoring on how groups can build better solutions by leveraging the stuff that already exists. I’ll be finishing that up over the next few days (the pace here has really picked up). This will be an opportunity to put it into practice!

Join in the Discussion!

The Security Catalyst Community



Posted in Information Protection, Security Catalyst Community

Security Catalyst Show - Pop Culture Security Edition - July 2008

Whether responsible for security awareness training — or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information.

This month James Costello and I break down - in less than 20 minutes - how to use Pop Culture references and examples to explain two simple security concepts: the trojan horse and social engineering.

Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

== Detailed Show Notes After the Break ==

(and by detailed, I mean… wow. Detailed - Thanks to James for pulling the links together!!)



Posted in Information Protection, Security Awareness Training, netcast

Security Catalyst Community: Discussion Forum Activity (July 14 2008)

The forums are off to a roaring start this week - with some insightful discussions. Sure, thinking this early in the week can be scary, but it sure pays off!

 

Join in the Discussion!

The Security Catalyst Community



Posted in Security Catalyst Community
