Wednesday, December 26, 2012

NIST glossary

NIST Updates their IT Security Glossary


The National Institute of Standards and Technology (NIST) recently updated its glossary, Interagency Report 7298.  The report is great: each entry gives not only the definition of the term but also the source document the definition was taken from.

A few terms I hadn't seen previously include "No-Lone Zone (NLZ)", defined as an "area, room or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other."  The term comes from information assurance and the protection of sensitive data.  In an NLZ, two authorized individuals act as a check and balance on each other: each verifies that the other completed the assigned tasks as ordered and that all safety requirements were met, which protects the integrity of the data or material being handled.

This document may be a great way for people new to IT security to find out what a term means; they can then refer to the source document for additional details.  The source for this term is CNSSI-4009.  I googled CNSSI-4009 and found references to CNSS.gov.  CNSS is the Committee on National Security Systems.  CNSSI-4009 is the National Information Assurance Glossary, last revised in April 2010.  The definition in that glossary is exactly what was posted in the NIST glossary.  I did a little more research and found this image (source:  http://commons.wikimedia.org/wiki/File:No_lone_zone.jpg)
A little more research turned up a Wikipedia page explaining that the two-man rule is used to protect nuclear weapons (as at Minuteman missile sites, where two people are required to launch a missile) and to protect COMSEC material and manuals.

I bookmarked this website.  It's a nice reference when looking up a term or learning about something new.

Monday, October 29, 2012

The time has come...

SC Magazine is leading with the story

Monster breach hits South Carolina taxpayers.

Unfortunately this shouldn't come as a surprise to anyone anymore.  According to the report, in early September "unknown hackers 'probed' agency systems, and sometime in the middle of the month, they were able to access the data that was stolen".  Details of the breach were limited to a comment from South Carolina Department of Revenue spokesperson Samantha Cheek that it was tied to a "server issue".

Folks, the breaches aren't stopping.  We have insecure wireless networks, servers and code, and sloppy employees out there.  We've got journalists and CEOs pushing BYOD (bring your own device) and cloud technologies, and the "cool kids" are rushing to implement these new ideas.  It's likely we still have folks with unencrypted tapes and computers sitting in their vehicles.  Wake up folks!  We are not ready to bring our own devices!  It's clear that the criminals are more persistent than the industry.

Something has got to change.

Can we MAKE programmers write more secure code?  Secure the networks?  Quit buying equipment from foreign companies that insert backdoors and insecure code?  And what about the cloud?  Is your information hosted in a country whose privacy laws allow others to access the data you think is secure?

Social Security data is the basis for critical functions for Americans.  Our Social Security number is the identifier used to key our credit file, Social Security eligibility, health records (in many cases), tax records and a host of other important data.

What can we do to protect ourselves?!!  Clearly consumers cannot secure the data center or the programs running on these systems.  We can freeze our credit files (at Equifax, TransUnion and Experian), stop using credit, or isolate ourselves from society by living in a cave.  Freezing your credit is a lot of trouble when you want to buy anything, most people couldn't live without some type of credit, and living in a cave is not going to work for most folks.

Obviously the solution is to ensure that equipment, software and people do the right thing, for existing systems as well as future ones.  The other part of the solution is to increase the scrutiny applied when approving loans, credit cards or anything else that uses or modifies information tied to Social Security numbers and associated personal information.

Do you hear me, Dell?  Don't ship a TV when some yahoo opens up a credit card and buys a $5,000 TV without scrutinizing the request.  Put additional checks and balances into the equation.  Weeks later you find out that the television went to someone other than the person it was billed to.  The system ain't workin'.

I'm still a paranoid consumer and I hope you are too.  I want to see more scrutiny out there, folks!

Friday, October 26, 2012

Tampering with PIN pads

It was reported this week that PIN pads in 63 Barnes & Noble stores had been tampered with and fitted with skimming devices.  Customers unwittingly used these compromised devices, and their credit card numbers were captured and in some cases used fraudulently.

Many consumers are aware of security breaches such as the T.J. Maxx/Marshalls incident, in which customer data was intercepted beginning in 2005 through poorly secured wireless access points; the 2006 theft of a Veterans Affairs laptop from an analyst's home, which exposed Social Security numbers and other sensitive information from a VA database; and the 2011 compromise of 77 million Sony PlayStation Network accounts.  The list certainly doesn't stop there.

How do we protect ourselves?  Consumers often have no role in the security of their information and are frequently the victims of the reckless or careless actions of others.  I have a few suggestions:

Protect your computer.  Install and maintain an anti-virus suite that includes malware protection.  Keep the operating system (Windows, Mac OS, etc.) and the applications on it patched and up to date.  Back up important files to a separate thumb drive or hard drive, and physically protect that drive.

Minimize the amount of information you give online retailers.  Do not set up accounts that store your credit card data on the retailer's servers.

Protect your passwords.  Create a unique password for each account you use.  Consider using a password safe, which stores your passwords in an encrypted file on your computer.

Consider using a separate credit card for online purchases.  Many people have one credit card with a generous limit that they use for most purchases; if that card is compromised, the limit lets a thief rack up a lot of charges.  Transferring only enough funds to a separate card to cover expected purchases lowers the potential hassle.  Several retailers offer reloadable cards that can be used for online purchases to limit your exposure.

Ask the cashier to swipe your card.  The Barnes & Noble tampering was limited to the customer-facing PIN pads, so hand your card to the cashier and ask him or her to swipe it on the register instead.

Know where to go if the worst happens.  Visit OnGuardOnline.gov to learn how best to respond if you become a victim.

Stay safe out there!


Tuesday, September 18, 2012



Most people over the age of 20 probably remember the game show The Weakest Link.  In information security, the weakest link is the human link.  Firewalls, encryption, passwords and other security measures cannot stand up to the breaches caused by people.

Some people have the attitude that the information they're responsible for isn't that important, so they treat it casually, leaving passwords out in the open or throwing sensitive documents in the trash.  Social networking sites such as Facebook are another place where employees can easily post confidential information such as drawings, schedules or details about people.  It seems harmless.

Wireless networking lets people be more productive everywhere.  We see users in airports working on laptops, and iPads and other small devices make it easy to carry data outside the office.  Encrypting these devices and protecting them with passwords makes storing data outside the workplace safer.

Information security is everyone's job.  Employees "swim" in the same fishbowl as other users on their network.

What are you doing to maintain the integrity and security of the data you use?

Friday, June 29, 2012

An incomplete investigation...

Many American households have internet access at home, and it is common to install a wireless access point so devices all over the house can connect.  Some people buy a wireless access point and simply plug it in without any consideration for securing it.  The Milan family in Evansville, Indiana installed an unprotected wireless access point in their home.  They are probably regretting that decision...

Two residents of the Milan house, a grandmother and her eighteen-year-old granddaughter, were watching the Food channel in the living room when a SWAT team smashed through the door and windows and threw in a stun grenade.  The SWAT team was responding to information that a device on the Milans' home network had posted the following message online:
"Cops beware! I'm proud of my country but I hate police of any kind. I have explosives :) made in America. Evansville will feel my pain."



The police invited the media to their bust; see the video.

The alleged perpetrator did not live at the Milan residence.  The alleged offender who used the Milans' wireless network to post the threat was found on the same street, in a different house.  The police knocked on the door of the real offender's house (rather than busting in the doors and windows).



Why didn't the police consider the possibility that the threat came from an outside user of the unsecured wireless network?  Hmmm... no IT training?  It's clear that police did not fully investigate the threat.  A drive-by of the house would have shown that the wireless network was unsecured.  That is a simple step that should have led a reasonable investigator to at least examine the possibility that the threat originated outside the Milan home.  A simple wireless device would also have shown the range of the network, so that other suspects within that range could have been evaluated before doors were broken down.  It's difficult to say what a preliminary investigation of the Milan home's residents would have found, but that would also have been a prudent investigative step.  The bottom line is that a better preliminary investigation might have produced a sounder approach.

It's critical that police fully investigate an incident before breaking down doors and windows.  It's also a good reason why you need to secure your home wireless network...
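The drive-by check described above takes a laptop and a scan listing. As an added example (my code, not from the original post or from any of the parties involved), the script below parses the terse output of `nmcli -t -f SSID,SECURITY,SIGNAL device wifi list` on a Linux laptop, flags every network that advertises no encryption (or only WEP), and ranks those by signal strength, which is a rough proxy for how far from the scanning point each access point sits. The scan lines embedded in it are constructed for illustration; the SSIDs and signal figures are made up and do not describe the Milans' network.

```python
"""Flag open or WEP-only Wi-Fi networks in an nmcli scan listing.

Added example, not part of the original post.  Input format assumed:
  nmcli -t -f SSID,SECURITY,SIGNAL device wifi list
which prints one network per line as SSID:SECURITY:SIGNAL, escapes
literal ':' inside a field as '\\:', leaves SECURITY empty when the
AP advertises no encryption, and reports SIGNAL as a 0-100 quality figure.
"""
import re
from dataclasses import dataclass

# Constructed sample scan (made-up SSIDs and signal values).
# "linksys" and "Cafe:Free" are open; "Guest" is WEP; the rest are WPA.
SAMPLE_SCAN = """\
HomeNet-2G:WPA2:82
linksys::67
NETGEAR55:WPA1 WPA2:54
Cafe\\:Free::38
Guest:WEP:45
"""


@dataclass(frozen=True)
class Network:
    ssid: str
    security: str   # e.g. "WPA2", "WPA1 WPA2", "WEP", or "" when open
    signal: int     # nmcli's 0-100 quality figure

    @property
    def is_open(self) -> bool:
        """No encryption advertised: anyone in range can join and use it."""
        return self.security == ""

    @property
    def is_weak(self) -> bool:
        """Open or WEP.  WEP keys are recoverable in minutes, so treat it like open."""
        return self.is_open or "WEP" in self.security.split()


# Split on ':' only when it is not preceded by a backslash (nmcli's escape).
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_scan(text: str) -> list[Network]:
    """Parse nmcli terse output into Network records, unescaping '\\:' in fields."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in _FIELD_SPLIT.split(line)]
        if len(fields) != 3:
            raise ValueError(f"unexpected nmcli line: {line!r}")
        ssid, security, signal = fields
        nets.append(Network(ssid, security.strip(), int(signal)))
    return nets


def weak_networks(nets: list[Network]) -> list[Network]:
    """Open or WEP networks, strongest signal first.

    The strongest weak network is the one the most neighbours can reach,
    so it is the first one whose owner should not be assumed to be the poster.
    """
    return sorted((n for n in nets if n.is_weak), key=lambda n: -n.signal)


if __name__ == "__main__":
    for n in weak_networks(parse_scan(SAMPLE_SCAN)):
        kind = "OPEN" if n.is_open else "WEP"
        print(f"{kind:4} {n.signal:3}%  {n.ssid}")
```

To run it against a real scan, pipe the nmcli command's output into `parse_scan` instead of `SAMPLE_SCAN`. Any network that shows up in `weak_networks` is one that a post traced to its public IP address could have come from any device within radio range, which is exactly the possibility the investigation skipped.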