MyITSecurity Blog

RSA Conference 2011

myitsecurity — Tue, 15 Feb 2011 04:01:59 +0000

I finally made it to the RSA security conference. I will blogging the interesting things which I see and hear.

For those of you who do not know the RSA conference is the largest IT security conference each year. Most vendors announce new products or discoveries at this event.

It should be fun! First up the Keynote presentation.

Preparing IT Departments for the Influx of Mobile Devices

myitsecurity — Mon, 06 Dec 2010 17:26:33 +0000

Financial Post reporter Matt Hartly interviews me on Preparing IT Departments for the Influx of Mobile Devices.

Latest Trends in Web Security

myitsecurity — Mon, 06 Dec 2010 17:23:05 +0000

Financial Post report Matt Hartly interviews be about the Latest Trends in Web Security.

IBM Emphasizes the Importance of Secure Data and Systems On A Smarter Planet

myitsecurity — Mon, 30 Aug 2010 12:29:26 +0000

I recently had the opportunity to discuss the importance of Security on a Smart Planet.

IBM Commercial: RFID Technology Tracks Medical Supplies to Keep Counterfeits Off Shelves

myitsecurity — Mon, 30 Aug 2010 12:24:14 +0000

I was recently cast in IBM’s latest Smarter Planet TV commercial.

I want a job in IT Security…

myitsecurity — Tue, 18 May 2010 19:53:51 +0000

I am frequently asked by people “I want a job in IT Security, how do I get one? or What certifications should I get to move into IT Security? This always a tough question to answer. It often starts with “it depends…” because it does depend on what you want to do in IT Security.

I break down IT Security into these groups;

Security Management & Governance
Security Research & Development
Security Operations
Security Forensics & Investigation
Security Consulting

Each area has different skill sets and certifications which demonstrate that skill. Now certifications are great I have several myself but keep in mind a certification will only say at some point in time I knew enough to pass a test. This is not real world experience and most employers know the difference.

As base I always tell anyone interested in security to pursue the CISSP certification this a well-respected and vendor agnostic general security certification. You will see it referenced in most IT security job postings as a requirement or “nice to have”. The CISSP is also good in that it requires an experience component to get the certification. So you need to have actually done some security before you can be certified. Something for the new security professionals to strive for.

Nothing beats good old fashion experience and the best way to get experience is to start at the bottom. If you are new to the workforce this is not usually and issue. Find some entry-level IT security analyst, network analyst, or application testing job and get started. The experience gained in these positions will apply directly to future positions and different IT security roles.

If you are seasoned professional with a few, ok several working years under your belt starting over is not always an option. I know if I told my family I was quitting my high paying job to start over at the bottom of a new career I would have some strange looks for sure. I often consul these individuals to look at the skills they already have leverage those by looking for IT security positions with similar skill sets. For example if you have been and IT operations manager for many years switching to managing IT security operations is not a big jump. Or if you have been doing application testing for general performance learning the skills such as security development lifecycle and fuzzing is not a huge stretch either. Now the job pool is likely smaller and may take longer to find that position but they are out there.

As for certifications. There are two camps in IT Security; Certifications are a must and Who needs certifications! Hiring managers and human resources can relate to certifications and measurement of skill. I recommend them for your resume. Do not think a certification is a guarantee of a job far from it. Certifications show employers you have obtained a baseline level of knowledge and experience for which to compare you against other candidates.

Here is a list of certifications in no particular order grouped by my IT security career groups. You can google the acronyms for more details

Security Management and Governance: CISM, CISA, CGEIT, CRISC, GSLC, ISSMP, CAP

Security Research & Development: C|SP, GSSP,GREM, CSSLP

Security Operations: Vendor certifications specific to the tools you plane to use – Cisco, Symantec, Microsoft, McAfee, Websense etc., GIAC certifications

Security Forensics & Investigation: C|HFI, C|EH, C|IH, EnCE, GCFA

Security Consulting: C|NDA, LPT, C|SS, G7799, GCSC, ISSAP, ISSEP

So the long and short of becoming a security professional with career in IT security is find a way to gain some experience in a security field and start developing a resume which conveys that skill and experience. Training is good but nothing beats good old fashion experience whether you start at the bottom or translate current skills in to security skills experience and skill are paramount in this growing field.

How deep is your moat? The de-perimeterization of todays networks.

myitsecurity — Fri, 22 Jan 2010 16:19:28 +0000

Perimeters have long been used in physical security to protect things; people, buildings, gold, even documents. Look at the medieval castles they were often built with high walls and deep moats surrounding them. This made accessing the castle difficult other then from prescribed entrances. IT networks were designed in much the same way. A high walls and moats where constructed using firewalls, network appliances designed to control which data could pass through them based on rules. This worked very well when all of the data and systems you needed to protect remained inside the walls. When the citizens from the castle wanted to visit another kingdom or even just stroll through the forest they need to leave the protection of the castle perimeter. This left them exposed to the threats posed by the outside world. This can be seen today in the mobile workforces many organizations are developing. Mobile computing devices like laptops and smartphones have made the stroll outside the castle walls easier. In order for users of these systems to stay connected they must connect back to the main network. VPN’s (virtual private networks) have made this increasingly easy. The problem now is each of these VPN’s is a tiny hole in your perimeter an authorised connection which traverses the firewalls you have created to protect your organizations network. Inside the network walls your systems are scanned for malware, intrusion detection systems look for malicious traffic and the firewalls protect the systems from access by the outside world. What happens when the system travels outside the walls or an outside system is used to access the network through the VPN connections. These systems may not have the same level of protection you can ensure within your network. I often refer to these mobile devices as systems with STD’s (Starbucks Transmitted Diseases) a laptop computer connect to internet through a public network such as those at airports, hotels, or coffee shops is as exposed as can be to the maliciousness of the outside world. The perimeter can only protect what you choose to keep out. If you allow systems which are carrying malware to access your network you may as well get rid of your perimeter.

What do you do then? Mobile computing is no longer a luxury it is a necessity for todays business. As I see it today you have two options keep everybody out and only expose the systems and data that mobile employees need through secure web portals or build an elastic perimeter which extends out around mobile systems and provides similar protections to that of the internal network.

No matter which option you choose basic online computer safety must be consider.

1) Ensure your operating system and applications are protected by applying the latest patches and fixes on a regular basis. Pay particular attention the software which you may not think of because it runs in the background and supports other applications things like Adobe Reader or the Java Runtime Environment.

2)Run Anti-malware (anti-virus/anti-spyware) software and keep it up to date.

3)Run a personal firewall. Most operating systems offer some form of personal firewall ensure it is on and learn how to use it.

Option 1 – Secure Web Portals

In this option the mobile system does not get access through the firewall rather the applications the user needs to access are exposed securely to outside world via a web site. Applications such as email, databases, and reporting tools can be published securely to external users can access them via web browser safely and securely. Strong authentication and encryption should be employed to ensure that only authorised users have access. In this option malware on the mobile system can not spread though the internal network because the mobile system is not connected directly the network. The mobile system will need to ensure it has followed the basic security listed above otherwise when they come back to the office and connect to the network they may still cause problems.

Option 2 – Elastic Perimeter

When I say elastic perimeter what I really mean is ensuring security controls similar to the network are deployed to mobile devices so they travel with them outside the network. For example stand-alone anti-malware software is great but an enterprise package which reports its events and logs to a central server allows administrators visibility into what is happening outside the walls. Host intrusion detection or prevention software will monitor traffic communicating with the mobile system and detect or block anything it sees as malicious. End-Point Data Loss Prevention tools ensure that only authorised data can be copied, printed, or transferred from the system. URL filtering software will prevent the user from accessing sites determined to be dangerous or non-business related. All of this combined with the basic security elements will extend the organizations perimeter out around the mobile system providing it protection and visibility to the administrators.

In summary todays mobile workers need new security models to protect them. The old days of put up a firewall and turn on a VPN will not cut it in todays internet connected world.

How safe is URL shortening?

myitsecurity — Mon, 05 Oct 2009 13:37:54 +0000

URL shortening is a convenient service offered on many websites today. It allows a user to post a URL to another site or post which may have a long link to reference it. for example:

Original URL: http://myitsecurity.wordpress.com/2009/10/05/microsoft-techdays-toronto-was-a-success/

Is shorten to: http://tinyurl.com/y8z9kwo

This type of service is very helpful when you want to post links in the often character constrained environments of social networking sites like Twitter.

Convenient Yes! Safe, maybe. You see what TinyURL, Bit.ly and other shortening services are doing is recreating a database of URL, when a user requests the shortened URL from the site they look up the full URL and forward the requesting user to that site. The shorten URL obscures the final destination of the link from the user.

Now most people are using these services for legitimate reasons. I use them myself they are great and useful. But a malicious user could post a shortened URL claiming to be to a blog post on a well known site while actually sending the user to a site which is hosting malware. By the time the user notices they are not where they thought they were going it is too late the malware has started its attack and you hope your defenses are up to the battle.

What should we do about this?

First, common sense internet computing should prevail. Only trust links from people you know. Always use a personal firewall and ensure you have active current anti-virus and anti-malware software running. This will ensure that if you receive a link which is compromised you have a good chance of stopping the malware. It also adds protection in the event that someone you know has had their account compromised and it is sending out malicious links without their knowledge.

Second, most URL shortening services offer Preview functionality which will allow you to see the full URL before it redirects you to the site. This allows you to confirm the destination is where you want to go. Now this does add time but if you are concerned about the legitimacy of a shorten URL it is worth extra time.

URL shortening is useful and convenient but like most internet technologies criminals will exploit it to their own needs. Follow the tips I have presented and practice safe computing you should be fine.

Happy shortening!

Microsoft TechDays Toronto was a Success

myitsecurity — Mon, 05 Oct 2009 12:01:36 +0000

I still have not seen the final numbers but I was happy with the turn out for my talk on Best Practices with Microsoft Windows Server Update Services at MS TechDays in Toronto. I had a lot of good questions and interest in patch management was very high especially since it was the last session of the last day.

If you could not attend the Toronto sessions please look for another TechDays event happening soon. http://www.techdays.ca