Nuts and bolts Archives

A National Lab's 5 Tips for Better Security


Roger Johnston, a member of the vulnerability assessment team at the Argonne National Laboratory near Chicago, delivered a keynote on Wednesday at the USENIX security conference in Washington.

Boiled down here, from an article eSecurity Planet posted on his speech, are five tips Johnston says will bolster your system security. (Yes, some have been around for years.)

1. Checking off boxes on a list will not produce better security.

2. Bring in "creative, even rebellious types with the mentality of a hacker" to talk about security, the article noted.

3. Do not delegate security to engineers. "If the only people you have looking at security are engineers, you're in trouble," eSecurity quoted Johnston as saying. "In general they have completely the wrong mindset about security." (Argonne boasts on its website that it employs 1,000 scientists and engineers, so Johnston presumably has had experience with this.)

4. Think of security at the beginning of the project, not as an afterthought.

5. Forget thinking that security is a "winnable battle." Vulnerabilities are always there.


Kill the Catch Phrase


Deloitte pushed out a press release Tuesday on recently being named the "best iconic and overall structure" winner for the 2010 National Cybersecurity Awareness Challenge. But is it newsworthy?

From a visceral angle, it is not. Deloitte's "Think Before You Click" campaign may have edged out 80 other proposals, but no matter how much thinking a user does, it probably won't result in measurably improved security.

We all love a good catch phrase; "click it or ticket" comes to mind. But for a catch phrase to truly work, it has to work. If you drive without wearing a seat belt and a police officer sees you, it's going to cost you. But thinking before you click on a well-manicured, malicious e-mail is not always going to stop you from clicking. It's also not going to save your valuable information from being accessed by attackers.

I know the campaign is about much more than using a little self-awareness while computing. But the catch phrase doesn't work for me. It leads users to believe they can protect themselves in a protectionless system. I think we ought to be preaching the truth behind cybersecurity, and the relatively insecure reality that accompanies it.

Catch phrases only muddle the inadequacies, and the very serious changes that must be made to protect all users. If the catch phrase were aimed at a body of individuals that already has some security direction (i.e., the federal workforce), it might be more appropriate. But for now, I say, kill the catch phrase.


Just Can't Stop Clicking That Link


Federal managers, like most workers in the private sector, do some risky things on their computers. That's what the Government Business Council, a Nextgov sister business unit at Government Executive Media Group, found when it conducted a survey of government workers' cybersecurity practices.

Here's one of the questions:

Do you follow links in e-mails from unfamiliar people or organizations?

The breakdown:

[Chart of survey responses; image not available in the archive]

The good news is that more than half never follow links from unidentified senders. Add in the 17 percent who do so less often than several times a year, and you begin to approach three-quarters of the government workforce. But it goes downhill from there.

Nearly 30 percent of the federal managers GBC surveyed (244 people) said they follow links from unidentified sources at least once a month. That sound you hear is your chief information security officer falling off her chair.

More findings from the survey later this week.


Be a Good Security Analyst


How deep is your incident response tracking? There are a number of ways to track and log incidents. I recommend keeping copies of any relevant logs in an incident entry notebook. Every virus detection goes into that incident record, including the malware details and, usually, the website access logs for the same machine around the time of the antivirus alert.

A daily review of website access logs often helps too, as does generating incidents from IPS logs. All of this logging is tedious and requires a certain amount of investigation, but it pays off. Patterns start to emerge, and you catch things you wouldn't otherwise have noticed. If nothing else, your memory banks fill with useful analysis that might help you spot an incident down the road.

Being a good security analyst is not about satisfying a checklist or an audit. It's about keeping detailed records so that those records can go to work protecting your systems. There are a number of products worth using to manage this data, but I've heard good things from security analysts about SharePoint. It might be worth a look.