Author Archives: Mark Kelly

About Mark Kelly

Information Technology Security Consultant

Are you protecting your most important information assets?

Information security sometimes feels like a never-ending challenge. There are a thousand different things that need to be done, from patching systems to educating employees, and any one hole can mean big problems. Smart companies have realized the impossibility of securing every asset and have changed the theatre of the information security battlefield.

Effective information security management is no longer about trying to stop every little problem that can go wrong; that is an impossible task with failure guaranteed. Leading businesses are now focused on securing the intellectual property and operations that are most critical to their competitive advantage. This new approach is more advanced than previous information security approaches that attempted to throw information security controls against the wall in hopes that enough stuck to keep bad things from happening.

What are the advantages to approaching information security based on a critical asset protection model?

  • Helps focus your information security investment towards protecting the most important assets that matter.
  • Makes information security more manageable and makes realistic assumptions vs. assuming you can protect everything.
  • Allows you to be more specific about your information security objectives vs. operating in a more abstract manner.
  • Increases security oversight over important assets/business processes and enables customized monitoring specific to those resources.

What are the challenges in implementing a risk based critical asset information security model?

  • Initially many organizations will struggle with answering the question about which assets are truly critical.
  • Requires a more collaborative model of information security, with a deeper level of engagement needed with key business partners. Many information security organizations struggle with understanding which assets are truly critical because there is an insufficient understanding of how the business really works.
  • Requires a change in mindset from trying to secure the perimeter and keep the bad guys out to assuming they are already inside and layering your controls to focus efforts on protecting critical assets. This is not to say that firewalls and other perimeter-based control mechanisms are obsolete, only that they have proven ineffective as the primary mechanism of protecting an organization's critical intellectual property.
  • New security tools will be needed to help protect down to the data layer and assist in blocking advanced threats.

If your information security organization is still operating with a secure-the-perimeter mentality as its primary focus, you risk becoming obsolete. More is expected of an information security organization in our knowledge-based economy. You are expected to understand the business at a sufficient level to know what intellectual property and business processes are critical to the ongoing success of your company. This requires deeper business knowledge and business relationships to help validate that you are focusing on the right things.


WordPress website error site reverting to old version

I have been noticing an intermittent problem with this website over the last 6 months or so where the site was reverting to a very old version of the site that showed my old design logo and only old posts. At first I thought I had a cache problem on my PC and attempted to flush my local DNS cache, hoping that would resolve the issue. The problem manifested itself across multiple machines, so I quickly realized that was not the solution, but I did not seek a more permanent fix since the problem was very intermittent in nature and I have been extremely busy (not a good excuse). When the problem reoccurred today I had finally had enough and logged a ticket with my web hosting support company to work on a permanent resolution.

Problem: Website for this site was having a problem and was reverting to an old version of the site (with an old logo design) and only showing posts as of 1/2012 and older.

Impact: Site design looked dated and visitors were not seeing the improved design/layout of the site or the new material posted on the site. I also suspect this hurt the site from a search engine perspective and lost traffic due to the site appearing old due to lack of new content.

Actions taken to attempt resolution: Thought the problem was DNS related so flushed my local DNS cache, but realized something broader was going on when the problem was found across multiple machines. Attempted to research the problem using the Google search engine, but most guidance was regarding webmaster tools related options and did not seem applicable. After failing to find a satisfactory fix I logged a support ticket with my web hosting provider.

Root Cause: I had to provide my web hosting technical assistance people admin access to the site and specify what database was used by the site. I created a unique temporary account/password for them and they completed the analysis and resolution very quickly. The root cause of my problem was found to be a corrupted WordPress table, and once this table was repaired using the phpMyAdmin tool the site is now displaying as it should be.

Lessons learned: Do not wait extended periods of time to deal with a problem. I could have had this issue resolved much sooner if I had taken immediate action and logged a support ticket. The Lunarpages support team was very helpful and quickly solved this issue once I provided them the needed access and confirmed the database id.

Information Security Implications: As mentioned above I had to provide site admin credentials to the technical support team to troubleshoot the problem. I followed the following security best practices during the interaction:

  • Had a full backup of my site before the work began
  • Created a unique temporary admin account just for this purpose
  • Deleted the account as soon as my support ticket was closed out successfully

This turned out to be a pretty good operational/security case study so I thought it would be useful to document and share.


How to fix a security certificate error while browsing the internet

The last week or two the PC only used by the kids had been having problems with a security certificate error when they were trying to browse the internet. The browsing eventually got where it needed to go, but only after extra clicks of accepting the risks of going to a potentially bad site and adding an exception in the browser. The problem was happening with both Internet Explorer and Firefox browsers so I assumed that a virus was causing the problem.

I performed some basic antivirus scans using the free AVG antivirus software installed on the machine as well as Spybot Search and Destroy. Nothing overly incriminating was found by either scan, only the expected low/mid risk cookies always found. I was a bit surprised at this result so started looking for some other alternatives of what could be wrong.

After a bit of research I was able to find a documented case that closely matched my situation. The suggested advice was to check the date on my PC, because if the machine is dated in the past with an incorrect date this has been known to cause a problem with internet security certificates. Sure enough the machine had been reset to the original date of when it was purchased and the issue went away after the date was corrected.

Quick Summary:

Problem: Common area machine was generating security certificate errors/warnings while browsing the internet with multiple different browsers (Firefox, Internet Explorer, etc.)

Solution: Check the date on the machine and make sure it is at the current calendar day. The PC had somehow been reset to default settings and was dated back to 2007, which was the source of the problem.
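The check behind this fix, as an added example that is not part of the original post: every certificate carries a notBefore/notAfter validity window, and a clock set before notBefore makes every site look "not yet valid". The host names, dates and function names below are constructed for illustration; the time strings use the format returned by Python's `ssl` module.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: validity windows in the text format that Python's
# ssl.SSLSocket.getpeercert() returns. Host names and dates are made up.
SAMPLE_CERTS = {
    "mail.example": {"notBefore": "Mar  1 00:00:00 2011 GMT",
                     "notAfter": "Mar  1 00:00:00 2013 GMT"},
    "bank.example": {"notBefore": "Jun 15 12:00:00 2011 GMT",
                     "notAfter": "Jun 15 12:00:00 2012 GMT"},
    "news.example": {"notBefore": "Jan 10 00:00:00 2010 GMT",
                     "notAfter": "Jan 10 00:00:00 2012 GMT"},
}


def parse_cert_time(text):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def check_validity(cert, now):
    """Classify one certificate at time `now`: not_yet_valid, expired or ok."""
    if now < parse_cert_time(cert["notBefore"]):
        return "not_yet_valid"
    if now > parse_cert_time(cert["notAfter"]):
        return "expired"
    return "ok"


def diagnose(certs, now):
    """Decide whether date errors point at the local clock or at single sites.

    One failing site is most likely that site's problem. A majority of
    unrelated sites failing the same way points at the machine's clock.
    """
    results = {host: check_validity(cert, now) for host, cert in certs.items()}
    total = len(results)
    not_yet = sum(1 for r in results.values() if r == "not_yet_valid")
    expired = sum(1 for r in results.values() if r == "expired")

    if not_yet >= 2 and not_yet * 2 > total:
        verdict = "clock_behind"
    elif expired >= 2 and expired * 2 > total:
        verdict = "clock_ahead_suspected"
    elif not_yet or expired:
        verdict = "site_specific"
    else:
        verdict = "ok"

    # A certificate cannot be served before it was issued, so the latest
    # notBefore seen is a lower bound for the real current date.
    lower_bound = max(parse_cert_time(c["notBefore"]) for c in certs.values())
    return {"verdict": verdict, "results": results,
            "clock_lower_bound": lower_bound}


if __name__ == "__main__":
    # Clock reset to 2007, as on the machine described in the post.
    reset_clock = datetime(2007, 1, 1, tzinfo=timezone.utc)
    report = diagnose(SAMPLE_CERTS, reset_clock)
    print("local clock:", reset_clock.isoformat())
    for host, state in sorted(report["results"].items()):
        print(f"  {host}: {state}")
    print("verdict:", report["verdict"])
    print("real date is no earlier than:", report["clock_lower_bound"].isoformat())
```

With the clock at 2007 all three sample certificates report "not yet valid", which is the pattern that separates a wrong clock from a single misconfigured site or malware on the machine.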


iPhone 4s security accessories

Orders for the iPhone 4s are smoking hot and the volume is only going to ramp up between now and the Christmas season. With a new phone comes the need for new accessories to make your phone more attractive and keep it in good working order. Protective security cases and screen films are essential to help keep your iPhone 4s from suffering damage due to an accident.

iPhone 4s Cases – By choosing a case for your iPhone 4s you can help protect your smart phone from drops, scratches and other wear and tear related issues. Cases are must have accessories to help secure your iPhones and avoid costly repairs.

Boost Protective Case – Attractive black protective case is comfortable to the hand and lightweight which are important features to ensure you will continue to use it day in and day out. This case also provides extended battery benefits so it is one of the higher end cases available for your iPhone 4s.

splash VAPOR Slim-Fit Flex Case – This case is made of soft silicone which helps offer protection while keeping the weight in check. Fits nice and has been noted as high quality in the reviews and lists at a nice price of $14.95.

QuickFlipCase for iPhone 4/4S – Case is highly rated on Amazon.com and noted as a good value for the money. Has a useful belt clip that will give you the look of an Old Western gunfighter if you draw your iPhone 4s quickly from your belt. I’m your huckleberry.

OtterBox Commuter Series Hybrid Case – The normal OtterBox cases were noted as being a bit bulky but the Commuter Series is free from that problem and comes in a variety of colors unlike some of the other cases. I am partial to the white/black model which is linked.

Elago slim fit case – This case is priced at the very low end of the spectrum but offers solid value and extra protection for the price. Many of the reviewers were impressed with the slimness of the case and how it felt natural in their pockets.

Tuneband for iPhone 4/4s – Offers front and back device protection and the unique feature of an arm strap for runners and other people who want to take the iPhone 4s on the extreme go. Available in black, pink, purple, red, and glow in the dark.

iPhone 4s Screen films/protection – To help reduce glare, smudging and lower risk of scratch for your iPhone 4s display.

Halo Screen Protector Film – High quality low cost films are a good option to protect your phone screen and keep the smudging/glare problems to a minimum.  $5.95 for 6 films is not a bad deal at all.

splash Masque Clear Screen Protector – 5 pack of films is very affordable and has had mainly good reviews noting its easy bubble free installation and good fit.

AcaseView Screen Protector Film – Another quality film option this one comes in a pack of 6 for $7.25.

iPhone 4s car mounts – Helps securely mount your device in your car to function as a GPS or for other hands-free use (please be safe and obey local laws). Remember phones can become projectiles in sudden stops or accidents, so it is important to securely mount them and keep them off your seats.

Kensington SoundWave Sound Amplifying Mount – Higher end than the one recommended below and my top choice for a reasonable-cost mount.

Kensington Quick release car mount – Kensington is a trusted name in the security lock/mounting industry and this mount is highly rated from those who have purchased it.

Black Ultra Durable Compact Car Mount – Not yet rated due to newness

Motorcycle Handlebar Mount – For motorcycle enthusiasts this product is relatively new but an intriguing option (be safe on the bikes please).

Happy and secure iPhone 4s’ing!


iPhone 4S Security

The release of the iPhone 4S caused quite a stir because it was not what everyone was expecting. Many of the pundits were boldly pontificating about advanced new features that would be introduced via “iPhone 5”. Instead they got the iPhone 4S which didn’t match expectations but it has been a pre-order bonanza anyway. It seems Apple can literally do no wrong right now. I decided to order an iPhone 4S (32GB memory black model) and hope to get it towards the end of the month.

When it comes to securing your iPhone 4S not a lot has changed at this point. The iOS 5 update is expected very soon which will likely introduce some security changes worth mentioning so I will provide an update when that hits the street.

Basics of iPhone 4S Security steps:

Set a private pass code to prevent others from accessing your iPhone 4S. If you do not set up a password you are at a bigger risk of having someone snoop or send prank texts/emails from your phone. Remember your code because if you forget you must do a restore.

Select General > Passcode Lock and enter your 4 digit passcode

Set password expiration parameter (which defines how long iPhone 4S will remain unused before pass code needs to be entered). A setting of 30-60 is a good idea.

Select General > Passcode Lock > Require Passcode then select the value you want

Disable Bluetooth if you do not use it. Bluetooth related vulnerabilities have gone from theoretical to actual problems being exploited so if you are not using it definitely turn it off.

Select General > Network and turn Bluetooth off

Set a voice mail password to prevent busybodies or sleazy European tabloids from accessing your voice messages. Select a PIN that will be easy for you to remember but not easily guessable by others (same concept as your debit card PIN).

Select phone > Change Voicemail Password

Lock your SIM card to secure your sensitive information located in memory.

Select phone > SIM PIN and turn it on. The manual mentions the default iPhone SIM PIN is 1111 unless the carrier has changed it.

Backup your phone data every few months so that you will not lose your phone lists, pictures and other customized settings. This will be useful if an update goes wrong and your phone requires a total restore.

Install iOS firmware updates when they become available. iOS 5.0 is expected very soon and will contain new functionality and security fixes. The recent passcode bypass vulnerability will be updated in a November update, and in general when hardware or software is updated by a vendor it is often due to security vulnerabilities, so it is best to stay current with these important updates.

Only join WiFi networks that you trust or you risk having your information intercepted and possible identity theft.

Use Find My iPhone. Find My iPhone is Apple’s free app that helps recover or remotely wipe your iPhone 4S if you lose it or it gets stolen.

You also have the option of installing additional security applications to provide anti-virus and password related functions. If you are interested in additional security applications for your iPhone 4S be sure to review the best of iTunes security store post.


Free antivirus software – How effective is it?

Are you tired of paying for commercial antivirus software? Antivirus software providers are savvy about turning the cost into a required annual financial outlay to allow you to continue to receive current antivirus signatures. I always anted up the cash because I was not willing to go unprotected and increase my risk of picking up a nasty system-damaging worm or virus. I was also skeptical about free antivirus solutions, dismissing them as inferior without ever giving them a fair shot. I give Norton and McAfee a lot of credit: they convinced me that I should not consider free alternatives without direct marketing campaigns saying so.

My epiphany came when the 3 month free Norton subscription ran out for my new Gateway laptop. I decided I no longer wanted to continually pay for antivirus software and committed to giving free alternatives a real chance. After doing some research I narrowed down my list of contenders to AVG and Avast Free Antivirus. After completing my research I decided to go with Avast and have been delighted with my experience using their free antivirus product. Avast free antivirus seems to update itself as frequently as its commercial competition and has an easy to use user interface as well. I use the Avast product in an identical manner that I used to use Norton and have had no negative effects to my PC in over 6 months of use. I have been converted from a free antivirus skeptic and will never go back to using a commercial offering as long as quality free options like this exist. Consider your own antivirus needs and consider if the commercial product you are using is worth the $30-50 a year per machine fee when you can get equivalent protection by using Avast.

Quick summary:

Who should be using free antivirus?

Individuals who need protection for their personal systems and balk at the recurring fees commercial offerings charge

Who should continue using commercial products?

Businesses that require more central control and administration of their antivirus solution

Be sure to check out our review of the top 5 free security tools.


Information security issues can lead to bankruptcy

Information security is often an afterthought at best for many small to midsize businesses. DigiNotar, a Dutch certificate authority, is a great case study on what can go wrong when adequate information security controls are not put in place. DigiNotar was severely compromised, leading to the undermining of the very core that their business was built on: trust and authority. The end result was an information security related bankruptcy that was preventable. What went wrong at DigiNotar and what can you learn from their experience?

Lessons learned from DigiNotar information security incident

The more your business relies on trust the greater your information security risk and the more controls you need

Trust is based on your reputation and when you are in a business requiring a high degree of trust it can be game over when a big incident occurs that hits to the core of your model. There is a direct relationship to how much your business relies on trust and how much information security you need. The final straw was when the Dutch government lost confidence after inadequate disclosure and revoked their trusted status.

Full prompt disclosure is the best way to recover your reputation

DigiNotar detected a problem with their certificate authority infrastructure nearly a month before the incident blew their business out of the water. They failed to make adequate disclosure, causing their customers to question the trust they had placed in DigiNotar. What if DigiNotar came clean in the beginning? Perhaps they would have been able to salvage the company.

Full security audit needs to be conducted after there is reasonable cause to believe a serious security event has occurred

The primary goal should be to determine the method of attack and seek to eliminate sources of vulnerability and to clean affected systems. The security review should be conducted by professionals and it could get quite expensive, but it is necessary to prevent worse events such as total implosion of the business. If a full audit and full disclosure occurred the company would likely still exist.

Are you auditing and controlling the right high risk business activities?

DigiNotar’s compromise led to the creation of 531 unauthorized certificates. If this control was reviewed more closely and followed up on with quick terminations and the actions described above the company would still be in business.

Effective information security controls can make the difference between prosperity and bankruptcy. The choice is yours. To help make sure your business is taking information security seriously be sure to review our information security essentials for small and mid size businesses.


Information Security Insurance

Information security insurance is designed to protect an individual or business against the risk of possible loss due to information security incidents. Similar to other forms of insurance the policy holder pays a monthly/annual premium to the policy issuer for the agreed to insurance plan.

Why might you need information security insurance?

The more your business relies on information systems to operate, the more at risk you are if a catastrophic incident affects critical systems. To help manage risk to more acceptable levels, information security controls are implemented to protect against various threats. Information security audits are another risk reducing measure a company can take to help validate the effectiveness of their information security controls and document any weaknesses for prioritization and correction. Many companies choose to self insure and pay any information security incident expenses out of pocket vs. pursuing direct insurance, although the number of companies obtaining insurance is increasing at a dramatic rate. If you are under the impression that your traditional insurance policies will cover you for technology related risks, now is a good time to validate that assumption. Lastly, if you are involved with a start-up it is sometimes a requirement for VC providers that information protection insurance be active to protect their future investment in your company.

Examples of events that can be insured with information security insurance

  • Unauthorized system or network access
  • Theft of sensitive intellectual property
  • Fraudulent ebusiness or online banking activity
  • Lack of availability of systems
  • Disaster Recovery
  • Technology errors and omissions

What are typical costs from an information security incident?

  • Cost of investigating source of incident and scope of systems breached – Expert investigators are very expensive so expect to pay mid to upper 5 figures or even into the 6 figures to investigate and clean up a security incident.
  • Cost of lost business – Business that is lost, especially if it is not recoverable, could amount to significant costs.
  • Cost of lost employee productivity – If your employees cannot do their job you still have to meet payroll and other financial obligations.
  • Cost of breach disclosure notifications and customer protection measures – If sensitive customer or employee data is lost while under your care you are likely financially obligated to notify and offer credit protection measures to minimize their risk of identity theft.
  • Worst case scenario is inability to recover from an incident, leading to failure of the company.

Final tips on information security insurance

If you desire information security insurance your first stop should be to try to add the coverage via your existing insurer. If they do not offer the service or the cost is too high you should shop around to get the coverage you are looking for. It should be noted that the information security insurance industry is very immature and there is a lack of standardized offerings. When comparing different insurance options be sure to get everything in writing and validate that you are comparing equal coverages when assessing different companies.


Best ipad 2 leather cases

The classic look of leather is a great way to protect your iPad 2 with style. iPad 2 cases are a great way to minimize the chances of your iPad cracking if it suffers an unexpected drop. A case can also offer stability and visibility improvements (if you choose to use the various stand options that many cases have). There are a lot of cool case options for the iPad 2, including metallic looking enclosures that fit with the Apple mystique, but if this is not your style choosing leather is a great alternative. An important factor to note is that any case is going to add bulk to your iPad 2, so there is a bit of a trade-off between bulk vs. physical security.

Factors when considering a case for your iPad 2

  • How much bulk does the case add to your ipad?
  • How snug does the case fit to protect all four corners?
  • Quality of the leather the case is made of
  • Personal choice as to attractiveness of design/style
  • Cost

Here is a rundown of the highest rated ipad 2 leather cases that are well reviewed and loved by those that have made the investment to protect their device.

Bear Motion Leather Case with 3-in-1 built in stand – Elegant and conservative this highly rated leather case/stand is noted for its high quality leather and high quality snap magnets. This case is also noted for its high quality stand that greatly helps with reading on the ipad.

Yoobao 3-in-1 Leather case with built in stand – The general consensus is this is an attractive 5 star case that is a top option if you want a leather case. Yoobao is a well respected brand in the ipad case market and their raving fans demonstrate that there is a lot to like about this case.

Toblino 2 Leather Case – Famous for high quality leather and perfect fit around all four corners this ipad 2 case is a high end option for extra protection.

Targus VuScape Cover/Stand – Targus is sort of the workhorse brand of protective cases so their alternatives can always be considered. Others listed above are more attractive but these are functional and get the job done.

Snugg iPad 2 Leather Case with flip stand – Leather has a traditional worn in look to it and the general opinion from the reviews is that it works as advertised at a nice price. Not my top pick but included for the value-conscious consumer seeking an affordable case.

For those of you looking for colored leather ipad 2 cases here are some options:

rooCase Premium Leather (red)

Bear Motion Case (brown)

Targus (blue/black)

If you decide to purchase a protective case I think you are making a wise decision. Your chance of having your ipad 2 suffer accidental damage like a screen crack can be significantly reduced by choosing the right case.


How to run an incident management process

The primary purpose of an incident management process in the IT operations or security fields is to quickly restore normal service operations to minimize the impact on normal business operations. Here is a rundown of a typical incident response situation:

1. An operations, business-critical or security-related incident is reported to the help desk by an end user or automated monitoring system. It is important for the help desk to get detailed information about the exact nature of the problem, including a detailed problem statement of what is not working. The help desk should document the specifics in the problem log for documentation purposes.

2. Help desk reviews the issue and support scripts and determines the business impact of the issue and whether the issue should be escalated as a high priority item.

3. Help desk follows the documented escalation process and begins to form a system restoration team (as detailed by the application/system support script).

4. System restoration team assembles on a designated global phone bridge with intent of getting all people necessary for system restoration.

5. For a high priority application type problem without a clearly defined problem it is typical to get the end to end support team on the line. Typical system restoration participants are:

  • Application support team member
  • Server support team member
  • Database support team member
  • Network/Firewall team member
  • Someone who can test functionality/items as needed (often a business user)
  • Facilitator of the incident response call

6. Facts surrounding the event are discussed with the combined team so everyone is aligned on the problem that needs to be solved. The incident response facilitator should be the primary voice of the system response team and keep the team on track with the primary goal to restore normal business operations.

7. Depending on the severity of the problem it is important to keep relevant stakeholders updated to the progress and expected duration of the problem (if known). Communicating effectively is one of the most important things that needs to be done during an incident to set proper expectations and keep those affected informed. Effective communication is one of the key things that can be done to help minimize the likelihood of unneeded political escalation of the event.

8. It is best practice to keep the phone bridge open until the problem is resolved to maintain problem solving momentum. If the problem is expected to run too long to make that practical it is good to define the needed update times and schedule the sessions as needed.

9. It is important to validate that the service has been restored to normal prior to disbanding the system restoration team. This is best done by validating with an end user on the bridge.

10. Before terminating the call the team should make sure the incident diary is updated with information about what was done to resolve the problem. In addition, any information needed for the RCCA should be assembled while the incident is still fresh in everyone’s mind.

Important points about the Incident Management process

  • There is sometimes a tradeoff between quicker restoration vs. collecting system logs and other information in order to find a root cause of the problem. This conflict should be managed appropriately depending on the likelihood of finding a true root cause (which is very desirable to prevent future problems) vs. faster restoration of the affected service.
  • It is important that the system restoration team facilitator be in charge of leading the assembled resources to maintain an orderly process. Too many chefs in the kitchen will not help restore service in a more timely manner.
  • Documenting the problem ticket regularly through the process is important for tracking status, communicating updates, and as a source of data for the future root cause analysis.
  • Opening a group chat room for the system restoration team is a good way to share technical information without sidetracking the phone bridge directing resolution of the problem. It also serves as a nice log for the problem diary and a potential source of information for the root cause analysis.