Monday, September 26, 2011

What is that shiny new thing you've got there?

New tech gadgets are coming into the marketplace making many people drool.  The newest ones usually receive the most 'cool points' from friends and other employees.  These shiny new tech devices are working their way into the federal workspace with the belief that 'Johnny' will be more productive.  John Zyskowski of Federal Computer Week offers several suggestions to ease the secure introduction into the workplace in the article at:  http://fcw.com/Articles/2011/09/26/FEAT-mobile-consumerization-plans.aspx.

This article unfairly points at Information Technology folks as being a speed bump for hip users in their quest to become more productive with these new devices.  The first suggestion is for IT to "deal with it" and allow hip young users and the big bosses to start using these devices the same way they use the same devices at home.  Wow, kind of sets a negative tone...

The second suggestion is to "standardize, but not where you think" meaning that the centralized applications and security settings should be configured to work with any device.  The author mentions that using devices in 'the cloud' via a virtual connection results in simple screen scrapes where no data resides on the end user device.  Sounds pretty simple...

The third suggestion is to "let users break out the plastic," meaning users contribute to the costs of using the device in a "bring-your-own-device" to work program.  End users share the costs with the agency, so the user and the agency both chip in.  Nice, but it might raise issues about where data is stored and who has access to it.

The fourth suggestion is to "cover all the security bases" which would require that specific requirements are met on the user device including encryption, remote management to wipe the configuration of a lost device, user passwords, patch management, identity management and two-factor authentication.  This is smart and should be incorporated into the management of all devices.

The final suggestion is for IT workers to develop the applications to enable these cool folks to use the devices.  The author recognizes that most applications were developed for standard computers so he suggests that the applications be converted to web enabled applications to enable them to be compliant with the HTML5 standard predicted to be ready in a couple years.

The suggestions are good; however, many are not practical.  First, Vivek Kundra, the recently separated first federal CIO, started several initiatives last year, including the effort to consolidate data centers.  This consolidation is smart, but it is taking great effort to ensure the consolidations do not halt the productivity of federal employees sitting at desks right now.  It's not simple to relocate circuits and servers and redirect clients.

Second, the federal budgets are not growing.  The public is led to believe that federal agencies are "fat" now with an abundance of equipment and services.  I'm afraid that isn't true at the agency where I work.  Devices get old and need to be replaced, maintenance contracts need to be renewed, backup devices need to be updated and documentation needs to be updated.  Turns into a lot of money going to these not-so-sexy or shiny purchases.  Furthermore, in order to implement applications and security settings with devices, additional equipment may need to be purchased, configured, tested and documented in federally mandated security documentation. 

Third, the federal government has an obligation to her citizens to prevent data loss.  Many devices rely on good faith with the user to establish a VPN connection (i.e. it's not automatic).  Some devices won't allow a VPN connection to run, some don't have sophisticated patch management or identity management, and most do not allow two-factor authentication.  Furthermore, an April 2011 Ponemon Institute study of cloud computing providers found that they "do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers".

It is critical that the federal government provide an environment where employees can be productive.  It also has an obligation to provide security of the data.  It's critical to balance the two even if that means Johnny has to wait to use his shiny new toy.

Tuesday, September 20, 2011

Japan's first cyber attack

Reuters reported on September 19, 2011 that Japan's defense industry had sustained its first cyber attack.  http://www.reuters.com/article/2011/09/19/mitsubishiheavy-computer-idUSL3E7KJ0BD20110919

Hackers gained access to computers at one or more of its submarine, missile and nuclear power plant factories on August 11 marking the first known cyber attack on Japan's defense industry.  The article states that 80 computers were infected with computer viruses including eight types of Trojan horses.  The plants build missiles, aircraft wings, submarines, components for nuclear power stations and escort ships.  The article suggests a possible reason for the attack being a partnership with Boeing and interest from other countries in the project.

A sad issue for the country of Japan, especially after the recent devastation of the tsunami.

Hacking can't always be prevented, but it makes sense to ensure that anyone using a computer protects that computer to the greatest extent possible.  Several ways to protect your home computer at low or no cost include:

1.  Install a reputable virus protection program on your computer and keep it up-to-date.  Virus protection programs can be purchased at very low cost during holiday weekends (Labor Day, Veterans Day, Thanksgiving, etc.) using rebates at computer stores.  I like Symantec.  There are also several good free programs such as AVG that offer good protection.

2.  Install a hardware and software firewall.  It is important to install a hardware firewall, usually the router on your home network, between your computers and the internet.  A hardware firewall offers the first line of defense against hackers attempting to get into your home computer.  A software firewall on each machine strengthens your defenses if the hardware firewall is penetrated, so a software firewall is also a must.

3.  Malware, spyware and adware are becoming a larger problem.  Malware is malicious software designed to disrupt your computer or network.  Malware includes spyware (such as a keylogger) and adware.  Several anti-virus software programs include spyware detection/removal.  I recommend you use a virus protection program that includes malware/spyware detection and removal.

4.  Update your computer regularly.  Microsoft regularly finds vulnerabilities and provides "patches" to resolve them.  Several other programs you may have installed, such as Adobe Acrobat Reader, Flash and Java, release regular updates.  Many of these programs notify you when updates are available.  Many other programs have a link to update the software in the "Help" or "About" sections.  Update your software.  If you don't run the software anymore, un-install it.

5.  Back up your important data.  You can do this by copying data to CD-ROM or DVD (the least expensive option), purchasing an external hard disk, which may cost $100 or less, or subscribing to an online service.  If you back up to a home device (CD, DVD or external drive), remember to consider where the backup is stored.  If your machine falls prey to theft or is destroyed by a fire, tornado or other natural disaster, you could also lose your backup.  Store it safely in a manner that gives the backup a good chance of surviving if the machine does not.
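A backup you have never verified is only a hope, so step 5 deserves a check as well as a copy.  The script below is an added example, not code from the post: it copies a folder of important files to a backup location (an external drive in this illustration), writes a SHA-256 manifest alongside the copy, and later verifies every copied file against that manifest so you find out about a damaged or incomplete backup before you need it.  The folder names and the sample files in `demo()` are constructed for the demonstration.

```python
"""Added example: backup with an integrity manifest.

make_backup()   copies every file under `source` into `dest` and records
                each file's SHA-256 in dest/manifest.json
verify_backup() re-hashes the copies and reports any missing/altered file

Not from the original post; paths and sample files are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy all files under source into dest; return {relative path: sha256}."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, target)          # copy2 keeps timestamps
        manifest[rel.as_posix()] = sha256_of(src_file)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return relative paths whose backup copy is missing or no longer matches."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = dest / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            problems.append(rel)
    return problems


def demo():
    """Constructed sample run: back up two files, verify, then simulate
    a damaged backup file and verify again.  Returns (clean, damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"                       # assumed source folder
        dest = Path(tmp) / "external_drive" / "backup-2011-09"  # assumed backup target
        (source / "taxes").mkdir(parents=True)
        (source / "taxes" / "2010.txt").write_text("constructed tax record\n")
        (source / "photos.txt").write_text("constructed photo index\n")

        make_backup(source, dest)
        clean = verify_backup(dest)          # expect [] right after the copy

        # Simulate media damage: one backup copy changes after the manifest was written.
        (dest / "taxes" / "2010.txt").write_text("corrupted\n")
        damaged = verify_backup(dest)        # expect ["taxes/2010.txt"]
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("problems right after backup:", before)
    print("problems after simulated damage:", after)
```

Run `verify_backup()` against the external drive each time you plug it in (or before you rely on it); if anything comes back in the list, make a fresh copy.  The manifest also documents what the backup is supposed to contain, which is useful when the original machine is gone.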

Thanks for following the recommendations listed above.  Everyone who uses the internet is swimming in the same fishbowl.  One infected machine has potential to infect others.  Thanks for doing your part to halt the spread of viruses and malware.

Tuesday, September 13, 2011

Security shouldn't take a break (especially on vacation)

Jaikumar Vijayan reported on a breach that may affect 40,000 people who visited waterpark resorts in Wisconsin and Tennessee between December 2008 and May 2011 in a September 12 Computerworld article.

The vendor handling point-of-sale systems processing credit card transactions, Vacationland Vendors, reported that they had been hacked but they did not say how, when or if they had contacted victims yet.  The vendor reported that "a computer hacker improperly acquired credit card and debit information".  The organization reported that the breach was not the result of an internal security weakness at the two waterparks.  Fo realz ya'll?  Nice way to take responsibility Vacationland Vendors!  It sounds like Vacationland Vendors didn't properly protect the information and/or they had a weakness that allowed a hacker to compromise their system.  Since we don't know the details it's hard to know whether they were keeping the credit card information in an unprotected database, the hacker had access to some component of their system for two and a half years or something else.  Taking responsibility is certainly a first step...

This isn't the first time this has happened, unfortunately.  Heartland Payment Systems compromised the security of millions of credit cards several years ago when a breach of their point-of-sale network was discovered.

The Payment Card Industry finalized data security standards (PCI DSS) in 2010 dealing with the end-to-end encryption of point of sale devices, the protection of user credit card data and regular verification of security processes.  Read more about PCI DSS at this link.

Vacationers shouldn't expect to bring home credit card problems from a trip to the waterpark.  Consumers should have a reasonable expectation that they can safely use their credit card(s).  The payment card industry has worked hard to provide retailers and consumers a means of better security.  Retailers must follow these standards - no exceptions!  Consumers should watch for credit card skimmers at ATM machines and be leery of using their credit cards at sketchy places.  The news of the breach is disheartening at best.  I can only hope that consumers are notified.  It will be interesting to see if someone sues the Vacationland Vendors.  I think I'll bring cash on my next trip to the waterpark!

Tuesday, September 6, 2011

Didja forget something?!!

A fired IT worker from Texas broke into his former employer's computer system and deleted customer data while logged in at a restaurant's wireless network, according to Network World.  https://www.networkworld.com/news/2011/090211-ex-employee-wiped-financial-data-from-250433.html.

According to the article, the former employee, David Palmer, was angry that he had been fired and that his former employer had not assisted him with getting unemployment benefits.  Palmer logged into the system using a backdoor account he had created before leaving the organization.  He deleted customer payroll and software files.  Palmer had logged into the system numerous times from his home as well as from several wireless networks in restaurants prior to the offense.

The incident took place on January 21, 2010.  The day after the files were deleted, company staff noticed that their punch clock software and payroll records were missing.  The company contacted the U.S. Secret Service to report that there had been an unauthorized intrusion into their system.  Palmer was tried in US District Court in Texas on September 1, 2011 and pled guilty to computer intrusion.  He is scheduled to be sentenced on November 2, 2011.

The article states that the situation is not unique.  In several cases former employees have logged into their former employer's system from restaurants with the idea that the traffic wouldn't be traced back to them because they were in a public place.

This situation raises the question: what steps should an organization follow when an IT employee with administrative privileges is terminated?  Any organization firing an IT employee with special privileges should review all accounts to ensure that every account belonging to the employee has been removed, and should search for and remove any unauthorized accounts.  If logging had been enabled and the logs periodically reviewed, the unauthorized access might have been identified.
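The three checks above (is the departed administrator's account gone, are there accounts nobody authorized, and did anyone log in after the termination) can be scripted so they run on every server during offboarding and again at each log review.  The script below is an added example, not code from the Network World article or the company involved.  The account list, the authorized roster, the terminated username `jsmith`, the termination date and the log lines are all constructed sample data; the log format it assumes is OpenSSH's "Accepted ... for USER from IP" message with an ISO 8601 timestamp prefix, and RFC 5737 documentation addresses stand in for the outside IPs.

```python
"""Added example: offboarding audit for a departed administrator.

Reports (1) whether the terminated account still exists, (2) accounts not on
the authorized roster (a possible backdoor), (3) extra UID-0 accounts, and
(4) successful logins by suspect accounts after the termination time.
All data below is constructed; not from the article.
"""
import json
import re
from datetime import datetime

AUTHORIZED_ACCOUNTS = {"root", "alice", "bob", "svc-backup"}  # constructed HR/IT roster
TERMINATED_USER = "jsmith"                                      # constructed, not a real person
TERMINATION_TIME = datetime(2010, 1, 15, 17, 0)                 # constructed cutoff

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
jsmith:x:1004:1004:J. Smith (terminated):/home/jsmith:/bin/bash
sysmaint:x:0:0:maintenance:/root:/bin/bash
"""

AUTH_LOG_SAMPLE = """\
2010-01-14T09:02:11 fileserver sshd[2201]: Accepted publickey for alice from 10.0.0.21 port 50120 ssh2
2010-01-15T16:45:03 fileserver sshd[2377]: Accepted password for jsmith from 10.0.0.33 port 50311 ssh2
2010-01-18T23:17:48 fileserver sshd[2902]: Accepted password for sysmaint from 198.51.100.77 port 41022 ssh2
2010-01-21T22:40:09 fileserver sshd[3114]: Accepted password for sysmaint from 203.0.113.5 port 39877 ssh2
2010-01-21T22:41:30 fileserver sshd[3115]: Failed password for jsmith from 203.0.113.5 port 39880 ssh2
"""

# Assumed log layout: "<iso-timestamp> <host> sshd[<pid>]: Accepted <method> for <user> from <ip> ..."
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_passwd(text):
    """Map account name -> (uid, login shell) from passwd-style lines."""
    accounts = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            accounts[name] = (int(uid), shell)
    return accounts


def account_findings(accounts, authorized, terminated_user):
    """Compare what exists on the box against what is supposed to exist."""
    return {
        "terminated_account_present": terminated_user in accounts,
        "unrecognized_accounts": sorted(n for n in accounts if n not in authorized),
        "extra_uid0_accounts": sorted(
            n for n, (uid, _shell) in accounts.items() if uid == 0 and n != "root"
        ),
    }


def successful_logins(text):
    """Yield (timestamp, user, ip) for each successful login line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def logins_after(text, cutoff, suspect_users):
    """Successful logins by suspect accounts after the cutoff; empty list is the good result."""
    return [
        (ts.isoformat(), user, ip)
        for ts, user, ip in successful_logins(text)
        if ts > cutoff and user in suspect_users
    ]


def offboarding_audit(passwd_text, log_text, authorized, terminated_user, termination_time):
    accounts = parse_passwd(passwd_text)
    findings = account_findings(accounts, authorized, terminated_user)
    # Anything not on the roster is a suspect, and so is the terminated user.
    suspects = set(findings["unrecognized_accounts"]) | {terminated_user}
    findings["post_termination_logins"] = logins_after(log_text, termination_time, suspects)
    return findings


if __name__ == "__main__":
    result = offboarding_audit(PASSWD_SAMPLE, AUTH_LOG_SAMPLE, AUTHORIZED_ACCOUNTS,
                               TERMINATED_USER, TERMINATION_TIME)
    print(json.dumps(result, indent=2))
```

On the constructed data the audit flags that `jsmith` still exists, that `sysmaint` is both unrecognized and a second UID-0 account, and that `sysmaint` logged in twice from outside addresses after the termination.  The same roster comparison works against a directory export or an application's user table, not just `/etc/passwd`, and running it on a schedule is the "flare" the post asks for.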

So, it's clear that both Palmer and his company forgot something.  Palmer created a backdoor account so he could log in to the system in case he forgot something.  The company forgot something too: they terminated an employee with the knowledge to get back into their system.  The company should have set up roadblocks to prevent his re-entry, or flares so they knew if he was back in the system.

Friday, September 2, 2011

Week 1

Welcome to my blog! 

On September 1, 2011, the state of California passed a law to enhance the notification process for California residents when their personal information is accessed illegally.  Breaches involving PII (personally identifiable information), credit card numbers, and other sensitive information happen frequently.  In some cases, individuals affected are not notified or are only given minimal information about the incident.  When the victim is not provided details and the extent of the incident, he or she may not react appropriately.  The new California law requires that victims be provided notification containing "specifics of the incident, including the type of personal information exposed, a description of what happened, and advice on steps to take to protect oneself from identity theft." ( http://www.scmagazineus.com/california-blazes-trail-again-with-enhanced-breach-alert-law/article/211005/)  Furthermore, when a breach affects 500 or more individuals, a copy of the breach notification must also be provided to the California State Attorney Office.

This new law helps victims of potential identity theft by improving their ability to react appropriately to the incident.  The article does not identify the timeframe within which notification must occur.

The article states that former Governor Arnold Schwarzenegger failed to sign this bill during his term because he thought that California citizens would not benefit from the additional information.  It also states that he said the State Attorney Office would not benefit from having copies of the breach notifications.  That is ridiculous. You can't fix something you don't know is broken...

This law allows the state to protect her citizens in an appropriate fashion.  I hope to see other states follow suit.