How about a date?

Sometimes in security, and life in general, it’s the seemingly small issues that cause problems.  As the saying goes, “The devil is in the details.”

Take dates for example.  If I were to suggest we meet for a 10:00 coffee on 07/10/09, when should you show up?  Most of you would assume that 09 is 2009.  Then you’d hope to infer from other information whether I meant July 10th or October 7th.  Those who know I’m a night owl might wonder if I mean 10 p.m., while my old army buddies would assume that if I meant 10 at night I’d write 22:00.

About ten years ago, software developers and IT managers were in a hectic race against the clock. In many cases they just didn’t know what would happen when computers using two-digit dates rolled from 99 to 00.  Or 100. And it appears that in the past 10 years we’ve learned very little about standardization.

Of course there are those who don’t bother with the year at all.  The yogurt in my fridge reads JL13.  At least I can figure out that they mean July 13, and I can hope that this container didn’t somehow get shoved to the bottom of the pile for a year.  Or even worse, the dreaded “Best before 08/01.” Is it good for another month and a half, or should I carefully double bag it and put it in the trash without disturbing whatever new life form might dwell beneath the lid? It just doesn’t make sense to force product manufacturers to put a date on something if we can’t be positive what it means.

Fortunately there is a simple solution:  Adopt the international standard, ISO 8601. Unlike many ISO standards, it isn’t all that complex.  June 22, 2009 is 2009-06-22 or 20090622.  10:00 a.m. is 10:00:00, and 10:00 p.m. is 22:00:00. Provisions exist for omitting seconds, etc., if they aren’t required.
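To make the ambiguity concrete, here is an added Python example (not from the original post) that lists every calendar date a string like 07/10/09 could mean and accepts only the ISO 8601 forms the post recommends; reading a two-digit year as 20yy is an assumption, the same guess most readers make.

```python
from datetime import date, datetime, time

# Layouts a slash-separated numeric date such as 07/10/09 might follow.
# Each maps the three fields (a, b, c) to (year, month, day).
LAYOUTS = {
    "MDY": lambda a, b, c: (c, a, b),
    "DMY": lambda a, b, c: (c, b, a),
    "YMD": lambda a, b, c: (a, b, c),
}


def ambiguous_interpretations(text: str) -> dict[str, date]:
    """Return every valid calendar date the ambiguous string could mean.

    Assumption: two-digit years are read as 20yy (the 99 -> 00 rollover
    problem came from exactly this kind of guess).
    """
    parts = [int(p) for p in text.split("/")]
    if len(parts) != 3:
        raise ValueError(f"expected three numeric fields: {text!r}")
    found = {}
    for name, layout in LAYOUTS.items():
        y, m, d = layout(*parts)
        if y < 100:
            y += 2000
        try:
            found[name] = date(y, m, d)
        except ValueError:
            pass  # e.g. month 22: this layout cannot be what was written
    return found


def parse_iso8601_date(text: str) -> date:
    """Accept only the two ISO 8601 calendar-date forms: 2009-06-22 or 20090622."""
    for fmt in ("%Y-%m-%d", "%Y%m%d"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"not an ISO 8601 calendar date: {text!r}")


def parse_iso8601_time(text: str) -> time:
    """Accept 24-hour ISO 8601 time, seconds optional: 22:00:00 or 10:00."""
    for fmt in ("%H:%M:%S", "%H:%M"):
        try:
            return datetime.strptime(text, fmt).time()
        except ValueError:
            continue
    raise ValueError(f"not an ISO 8601 time: {text!r}")


def is_unambiguous_date(text: str) -> bool:
    """True when the string has exactly one reading, i.e. it parses as ISO 8601."""
    try:
        parse_iso8601_date(text)
        return True
    except ValueError:
        return False
```

The same check matters when correlating log timestamps from different systems: a line dated 07/10/09 cannot be placed on a timeline until someone guesses which of its three readings was meant.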

Isn’t today a good date to become part of the solution?

PCI Security Presentation

There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out eNable’s Quick Guide to PCI Compliance video.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change from many security presentations.

If you accept credit cards, you’re required to comply with PCI DSS. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are.  If your business accepts credit cards, you owe it to yourself to watch this video.

What is security?

One of the reasons that security programs aren’t always as effective as they should be is that organizations of all sizes often fail to ask the most important question: What is security?

Security is often categorized as physical security, personnel security and information security. Much of the reason is historical.  Back before computers, corporate security people were concerned primarily with physical assets.  The area of personnel security evolved with background checks and security clearances and then expanded into workplace violence prevention and ensuring the safety of employees at work and when they travel.

Then computers came along, and the complexity of these new systems gave birth to “computer security”.  Over time the “computer” field became known as “information technology” and “computer security” became “information technology security”.  Some time after that it finally dawned on people that the focus should be protecting information (as opposed to “information technology”) and since then the term “information security” has increased in popularity.

Within the information security field, the buzz phrase “Confidentiality, Integrity, and Availability” describes its goals:  Protecting information against unauthorized disclosure, ensuring that it is not inappropriately modified and making sure that authorized users can actually use it.  Every so often somebody (commonly a vendor representative trying to push their product) tries to expand this definition by adding a fourth or fifth goal, but in doing so they usually succeed only in proving that they don’t understand information security.

In some organizations different people or groups are responsible for different “types” of security.  They often use different language, different processes and their failure to co-ordinate activities often increases security risks.

So what is this security thing anyway?  Security is simply about protecting assets.

Physical security is about protecting company assets.  But so is personnel security.  While I’m certainly not suggesting that a company owns employees, they are assets.  Their ability and willingness to work is of great value to the company – without them very little could get done.  If a company fails to protect employees, and they are unable to work, that constitutes a loss.  Failure to comply with laws and regulations regarding the protection of employees also impacts other assets including employee and public relations and monetary losses due to fines or civil damages. All political correctness aside, employees are valuable assets that require protection.

Finally, there’s “information security”.  Today information is an asset.  While computers and networks can be complex, and different skills are required to protect digital information, in the end it’s all really just about protecting assets.

The human firewall

During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program.  But what we’re not good at yet is the human firewall.

Scott Wright, an Ottawa-based security consultant and publisher of securityviews.com, explained,

“Despite having spent 12 years working with constantly improving security technologies, I’ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn’t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”

In addition to speaking and writing on security awareness, Wright also conducted some interesting research:

“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario – that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it’s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.

The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn’t taken any precautions to prevent the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn’t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”

Perhaps it’s time we put more emphasis on security awareness training?

Driver’s Licence with RFID – A bad idea

Starting today, Passports or Enhanced Driver’s Licences will be needed to drive across the Canada/US border. I don’t have any issue with requiring proof of identity and citizenship to cross an international border, and I really like the concept of offering a wallet-size alternative to the passport. But adding RFID to that wallet-sized card is a bad idea.

If you’re a Canadian citizen, reside in Ontario, and have a driver’s licence you now have the option of paying an additional $40, attending an interview, and obtaining an Enhanced Driver’s Licence that will be accepted in lieu of a passport when driving across the border. Within the card is an RFID chip so that you can hold it up to a reader, and by the time you reach the border agent they’ll have your information on their screen. According to the Government of Ontario web site, the RFID chip only sends a unique identifier and not your personal information. The Canadian and US governments then allow each other to access their databases. Using a unique identifier is much better than, for example, allowing anyone with an RFID reader to directly obtain your name, address, etc. However, those citizens who choose to obtain an Enhanced Driver’s Licence will be carrying an RFID chip with them almost everywhere they go. And it can be read from at least 10 m away by anyone with the right equipment.

Today the technology is new, readers are expensive and few people have the cards. But imagine what might happen if they become popular in a few years:

On Sundays, you go to your favourite store. The RFID reader at the door logs your entrance, and readers strategically located around the store track your movement. You pay for your purchase with cash, but a reader at the register associates your unique identifier with the details of your purchase. A few months later you don’t have cash with you and you use your credit card. Now they add your name. The next week they’re taking a survey and ask your postal code, and it is added to the database. A year goes by and in a moment of weakness you fill in an application for a store loyalty card. The information you supply is added to the database. Later the store is purchased by another company that also has a customer database, and they combine the data.

What we often fail to consider is that the ability to uniquely identify an individual allows us to build a database and leverage that information both before and after the event. In many cases we choose to provide information, and that’s ok. But adding technology that allows anyone with an RFID reader to start collecting it is a bad idea.

Personally, I’ll stick to my passport and only carry it when I travel.

What’s your plan?