Sister CISA CISSP:

Eigen's Rules of Thum

Sep 29 2008   9:43PM GMT

Do You know Where Your Previous Mobile Phone Is?



Posted by: Arian Eigen Heald
Security, Eigen's Rules of Thum, Hardware & InfoSec, Data Breaches, Mobile

Cell phone companies are tempting us more and more with phones that act as PDAs (Personal Data Accessory??), send and receive email, surf the Web, have bigger capacity to store documents, are music players, cameras and oh, by the way: a phone. And in the coming years some have proposed utilizing your phone to pay bills and buy stocks.

It’s wonderful and terrible all at the same time. There is no standard procedure for wiping a phone’s information. Phone manufacturers have proprietary hardware, and have been extremely reluctant to release information to software developers who could provide us with a way to wipe the phone and its memory. As a result, we have millions of phones available with sensitive data, on an open market. Thank you manufacturers, for protecting the consumer? As usual, no one really thought about security, not to mention privacy.

Three years ago, Graham Clements - A managing director for a subsidiary of Japanese packaging multinational Ishida - decided to get rid of his BlackBerry and turned it in to his IT department for recycling. At the start of this month that BlackBerry was one of the top items on the agenda at the first board meeting that Clements had called since his return from vacation - because the data on it had come back to haunt him.

Instead of being recycled, the BlackBerry, like millions of other mobile devices every year, had been passed on to a company to be sold. On Clements’s device were business plans, details of customer relationships, information on the structure of the company, details of his bank accounts and details about his children. Ouch.

Fortunately, that BlackBerry was among several that were recovered from mobile phone recycling companies as part of a study into data loss on mobile devices. It’s a significant issue that many companies have not addressed. In a 2006 survey by the Business Performance Management Forum (BPMF), nearly half the respondents reported that at least 25 percent of all mobile devices in their organizations carry mission-critical information and applications.

Imagine having a computer that you could never wipe clean of any of your confidential business activities. Instead of recycling, we can only destroy the items. Mobile device security software commonly available can secure the device, but cannot wipe it. If anyone knows of a good wipe program, please drop me an email.

Some folks leave their SIM cards in the phone they return to corporate headquarters, along with their messages and documents. Taken any pictures on that phone you wish you hadn’t? That office Christmas party where your senior manager got drunk and acted up? They’re probably still there.

I’ve just thought of a new Rule of Thumb: There’s no such thing as DELETE on a cell phone/PDA/camera. We must act accordingly until assurance can be confirmed about wiping these devices. If it cannot be wiped, it must be destroyed, which is not exactly “green” in any corporate environment.

My old one (a Palm) is in my desk drawer, kept for parts because my spouse is still using a Palm. Where’s yours? What was on it?

Aug 5 2008   4:46PM GMT

ATMs - Automated Theft Machines



Posted by: Arian Eigen Heald
Security, Hardware & InfoSec, Identity theft, Security Devices, Eigen's Rules of Thum

It’s absolutely fascinating (in a nerve-wracking sort of way) to read about how many different ways there are to use ATMs to capture (and steal) accounts and PIN numbers. From there, it takes very little time to create a fraudulent card and spend what you can before the bank catches up. It’s a triumph of hardware over software. Thieves simply work around the software controls to capture the information they want.

For example, the concept of “skimming.” Typically, thieves attach a device to the outside of the ATM that records the magnetic stripe information as you insert it. They also need a camera of some sort to capture the PIN as you type it in. For a classic example, with pictures you can see that the card skimmer fits in front of the regular card slot. For PINs, the clever placement of a pinhole wireless camera makes it all way too easy.

Thieves tend to get endlessly creative: One fellow bought his own ATM equipment and kept moving it around from place to place in order to capture information. He was good enough at it to collect at least $4 million, and is still at large.

More losses come from retail ATMs (those found in supermarkets, convenience stores, gas stations, or other non-banking environments) where there are less stringent controls and only casual observers. In May of this year, the ATM at one gas station was rigged, claiming at least 80 victims. When the thief was finally apprehended, he had stolen more than $185,000. Ouch.

There are about 360,000 ATMs in the United States, according to Bankrate.com. Only half of them are at a bank.

The ATM designers are moving to internal card readers and other techniques to eliminate external skimming devices, but when you can buy your own ATM and move it around, controls on sales of such machines must be tightened.

Rule of Thumb: If I don’t go to the bank for gas, I won’t go to the gas station for money.


Jun 3 2008   3:01PM GMT

Eigen’s 2008 InfoSecurity “Rules of Thumb”



Posted by: Arian Eigen Heald
Security, Eigen's Rules of Thum, Compliance, IT audit, Tools for Auditing and Security, Steps to an Easy Audit, Tools & Tricks of the Trade

Rule #1 - You can pay now, or you can pay later, but if you choose to pay later, you will pay MORE.

Rule #2 - You can outsource function, but you cannot outsource responsibility.

Rule #3 - A classic, shamelessly plagiarized: “Faster, Better, Cheaper. Pick TWO.”

Rule #4 - Make NICE with your auditors, no matter how dumb they are.

Rule #5 - The volume of company executives screaming about the “cost” of information security is the direct inverse of how little money they’ve put into it in the past.

Rule #6 - Don’t expect the best audit from the cheapest bidder. You get exactly what you pay for. Unless, of course, that’s exactly what you want. See Rule #1.

Rule #7 - Compliance with regulations is a Gentleman’s C.

Rule #8 - If you have “checkbox security,” you will have a box full of checks. Paid to other people.

Rule #9 - The skills of your IT people directly relate to the training they receive. See Rule #1.

Rule #10 - No more acronyms! PCMCIA.


May 23 2008   12:20AM GMT

It’s Not Your Mother’s Firewall Anymore - Part I



Posted by: Arian Eigen Heald
Security, Eigen's Rules of Thum, Compliance, IT audit, Security Devices, Networking

In the northern part of Maine (north of Portland, where I live), folks go about their business without locking their doors, and even leave their cars running while they go into the store. (When it’s -10 degrees, it’s good to have the car run a little more.) This describes the fundamental trust the people there have in their community and their neighbors. If you drive by a sign on a driveway that advertises fruits or vegetables for sale, often there will be no person there to collect the money, just a basket with a “thank you” tag. During the winter, folks on the highway will pull over and run down the bank to help a car that has just slid off the road.

The bigger businesses do lock their doors, because they don’t know everyone who might come into their store, and don’t trust unknown people to care or pay for their merchandise.

Fifteen years ago, many businesses did not have a firewall between them and the Internet. You couldn’t pay for something online, or do business-to-business operations. The value of the information was lower, and there was a higher level of trust.

The other issue that came along was the limitation of IPv4 addressing. NAT (Network Address Translation) allowed networks of any size to use non-Internet-routable subnets as long as they were behind a firewall that had an outside (Internet-facing) publicly routable IP address. (That is why you don’t see 10.x.x.x, 172.16.x.x or 192.168.1.x addresses on the Internet.)

Turns out that NAT and firewalls made perfect friends: behind a NAT-enabled firewall, a huge network can exist with all private IPs that the Internet cannot route to or see. The firewall acts as a gatekeeper and monitor, with an internal NIC (Network Interface Card) that has a private address and an external NIC for Internet communications.

Today, I can ping a server in Russia on my desktop, and that server in Russia could ping me back, if I were not behind a firewall. My Northern neighbors, many of whom have a computer at home, can also ping that far away server. Our “neighbors” on the Internet are people we do not know, and many of them have the ability to “break in” without ever having to knock on our doors or even try the lock. There is zero trust on the Internet.

What does this have to do with IT Auditing, for heaven’s sake? Well, I see too many firewall configurations set up without any safeguards against the bad Internet neighbors. And I see too many auditors who say, “Oh, you have a firewall, that’s good.” They never ask to see the configuration and examine it carefully. (Security by checklist.) Management seems to think that just having one is enough. They don’t send their folks to be trained on how to use it, or they outsource the management of their firewall and never inspect the rules or the logs.

Eigen’s Security Rules of Thumb #2: You can outsource function, but you cannot outsource responsibility.

I’ve seen outsourced firewalls that allowed every single IP address of the vendor access into the firewalled company’s network. It was easier for them to get to other network devices they managed, but there were no access controls as to who on their network could come in, or any logging, either. No one from the company looked at the configuration until I came along and said, “Why do they need that?”
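The question “Why do they need that?” can be asked of a rule set programmatically. The following is an added example, not code from this blog or from any firewall vendor: it audits a constructed, simplified rule list for the problems described above, namely inbound rules that let an outside network (a vendor’s whole address block, say) reach the private, NAT’ed side on every port or every host, and inbound rules that are not logged. It goes slightly beyond the post by using the full RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) rather than only the 192.168.1.x example given. The `Rule` format, the management-port list and the sample rules are all assumptions made for the example.

```python
"""Audit a simplified firewall rule list for over-broad or unlogged
Internet-to-inside 'allow' rules.  Constructed example for illustration;
the rule format, port list and sample rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Full RFC 1918 private ranges.  The post names 10.x.x.x, 172.16.x.x and
# 192.168.1.x; the actual reserved blocks are wider, so they are spelled out.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed list of ports that mean "manage the box" rather than "use the service".
MGMT_PORTS = {"22", "23", "3389", "5900"}


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation
    dport: str    # destination port, or "any"
    log: bool     # whether matches are logged


def is_private(cidr: str) -> bool:
    """True if every address in `cidr` lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, message) for each questionable rule.

    Only 'allow' rules whose source is outside RFC 1918 space and whose
    destination is inside it (i.e. Internet -> internal) are examined;
    everything else is left alone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if is_private(r.src) or not is_private(r.dst):
            continue  # not an Internet-to-inside rule
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        if r.dport == "any":
            findings.append((r.name, "high", "inbound allow on every port"))
        if dst.num_addresses > 1:
            findings.append((r.name, "high",
                             f"inbound allow reaches {dst.num_addresses} internal addresses"))
        if src.num_addresses > 1 and (r.dport == "any" or r.dport in MGMT_PORTS):
            findings.append((r.name, "medium",
                             f"management access open to {src.num_addresses} outside addresses"))
        if not r.log:
            findings.append((r.name, "low", "inbound allow is not logged"))
    return findings


# Constructed rule set modelled on the outsourced-firewall story in the post:
# the vendor's whole /24 may reach the entire 10/8 on any port, unlogged.
SAMPLE_RULES = [
    Rule("vendor-mgmt", "allow", "203.0.113.0/24", "10.0.0.0/8", "any", False),
    Rule("public-web", "allow", "0.0.0.0/0", "192.168.1.10/32", "443", True),
    Rule("vendor-ssh", "allow", "198.51.100.7/32", "192.168.1.20/32", "22", False),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", True),
]


def report(rules: List[Rule]) -> str:
    """One line per finding, suitable for pasting into an audit workpaper."""
    lines = [f"{sev.upper():6} {name}: {msg}" for name, sev, msg in audit(rules)]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

Run against the sample set, the public web rule (any source, one host, port 443, logged) produces nothing, while the vendor management rule is flagged four times and the vendor SSH rule once, for missing logging. The point is not the script but the habit: the rule that lets a vendor in should be no wider than the hosts and ports they actually manage, and every inbound allow should leave a log entry somebody reads.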