IT Trenches:

policy enforcement

Sep 11 2008   4:36PM GMT

RANT: Am I responsible for training technology staff at other companies?



Posted by: Troy Tate
administration, awareness, blog, Data security, design, CIO, firewall, DataCenter, DataManagement, Networking, WAN, Security, Policy, policy enforcement, risk

You may have seen in one of my past blog posts that we relocated a site over a weekend. As a result of that move we are continuing to clean-up various network access issues for services that existed in the old facility but are not available at the new facility.

In the old facility some of the users were required to use a kiosk or standalone computer to access customer extranets using VPN. We wanted to make this easier in the new facility and get rid of the standalone computers and internet connections. As we approach each instance of VPN access, we have to ask the standard questions of what is the destination IP address and what ports need to be opened on the firewall for this service. I recently came across a customer technology staff member at another organization who was responsible for the remote access service but could not answer these standard application questions. The answer I was given was just open any-to-any ports for their destination IP (at least he knew their IP address for this service). I don’t think this was a junior staff member answering the question, either. This is the person responsible for interfacing with suppliers!

Well, after walking around and burning off some frustration, I took some steps to try to identify how the application works and make firewall changes according to what I discovered. Working with my managed security partner I went through the following steps:

1. Configure a private client machine and designate it as the single source of traffic.

2. Define a firewall rule to permit any traffic from this client to the destination IP.

3. Run the VPN application and capture details about the TCP/UDP ports used during the conversation.

4. Close the any-to-any rule and open the ports discovered in step #3.
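The port-discovery procedure above, carried out as an added script that is not part of the original post: it takes the flow records logged while the temporary any-to-any rule was in place and reduces them to the minimum outbound allow-list from the test client to the supplier’s gateway. The client and gateway addresses, the flow lines and the rule syntax are all constructed for illustration; a capture only reflects what the test session actually exercised, so anything the application does later still has to be added by hand.

```python
"""Derive a least-privilege firewall allow-list from traffic observed while a
temporary any-to-any rule was in place (steps 2-4 of the procedure above).
All addresses and flow records below are constructed sample data."""

CLIENT_IP = "10.1.2.50"     # designated single-source test client (constructed)
DEST_IP = "198.51.100.25"   # supplier VPN gateway (constructed, documentation range)

# Constructed flow summary lines in the form: proto src:sport -> dst:dport
SAMPLE_FLOWS = """
udp 10.1.2.50:500 -> 198.51.100.25:500
udp 10.1.2.50:4500 -> 198.51.100.25:4500
tcp 10.1.2.50:51234 -> 198.51.100.25:443
tcp 10.1.2.50:51240 -> 198.51.100.25:443
tcp 10.1.2.50:51250 -> 198.51.100.25:10000
udp 10.1.2.50:53211 -> 198.51.100.25:10000
tcp 10.1.2.50:51300 -> 203.0.113.9:80
tcp 198.51.100.25:51999 -> 10.1.2.50:445
""".strip().splitlines()


def parse_flow(line):
    """Split one flow line into (proto, src_ip, sport, dst_ip, dport)."""
    proto, rest = line.split(maxsplit=1)
    src, dst = [part.strip() for part in rest.split("->")]
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.lower(), sip, int(sport), dip, int(dport)


def derive_rules(flows, client_ip, dest_ip):
    """Return (allow, review). allow is the sorted set of (proto, dport) the
    client needs outbound to dest_ip, keyed on the service port only so the
    client's ephemeral source ports never end up in a rule. review holds
    flows that do not fit an outbound-only rule (traffic to some other
    destination, or a session the gateway opened back towards the client);
    those are listed for a human to check, never permitted automatically."""
    allow, review = set(), []
    for line in flows:
        proto, sip, _sport, dip, dport = parse_flow(line)
        if sip == client_ip and dip == dest_ip:
            allow.add((proto, dport))
        else:
            review.append(line)
    return sorted(allow), review


def render_rules(allow, client_net, dest_ip):
    """Render the allow-list in a generic, illustrative rule syntax."""
    return [f"permit {proto} {client_net} -> {dest_ip}/32 dport {dport}"
            for proto, dport in allow]


if __name__ == "__main__":
    allowed, needs_review = derive_rules(SAMPLE_FLOWS, CLIENT_IP, DEST_IP)
    print("\n".join(render_rules(allowed, "10.1.2.0/24", DEST_IP)))
    print("needs manual review:", *needs_review, sep="\n  ")
```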

Well, things did work pretty well, but apparently some other ports need to be opened, so once again I am asking this customer to help us as their supplier to gain access to their network. We will see if I have to get someone else involved in his organization even though I was told he manages this by himself.

Hmmmm… so have you ever had to train someone at another organization that you deal with how to do their job?

Sep 2 2008   6:22PM GMT

Operation Sentinel - Manhattan becomes “Big Brother”



Posted by: Troy Tate
dhs, homeland security, awareness, blog, Data security, Security, Monitoring, Policy, policy enforcement

Hopefully you have read my previous blog entry about IT Equipment Search & Seizure at US Borders. Well, if that is not enough to make you think Big Brother is here and watching, then take a look at the article NYPD seeks to screen vehicles entering Manhattan. This could become one of the grandest IT endeavors of all time. How do you track these vehicles? What criteria do you capture to be able to determine a threat or not? The article mentions images and radiological readings. I think that authenticating and ensuring readings and images are accurate would create a market need for supercomputer implementations in New York City. How often are the radiological scanning devices calibrated and tested? What skills does someone need to be able to do that? Can cameras be fooled and images wrong?

Who is paying for all of this for NYC? Is this really where the city should be spending its dollars on risk mitigation? Maybe someone should share my thoughts on managing risk & vulnerability.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Aug 21 2008   8:08PM GMT

IT Equipment search & seizure at the US borders



Posted by: Troy Tate
intellectual property, data loss, government, administration, awareness, blog, Data security, design, CIO, IT education, DataManagement, Mobile, Networking, internet, WAN, Security, forensics, Monitoring, Policy, online identity, policy enforcement, reporting, research, risk

I have recently been hearing some rumblings about this issue. I work for a firm with international locations and have travelled out of the country myself. So, this is a personal issue.

What I am referring to is the situation described in this article by David Jonas of The Transnational: Airport Laptop Seizures Debated in Washington. I know that I should have nothing to worry about if I do nothing wrong, like any law-abiding citizen of the world. However, what about the risk to an organization’s intellectual property?

Look at the comment …the laptop seizure policy is not analogous to physical searches of persons and belongings at airports: “Not only does the government get access to an unprecedented wealth of material with a laptop border search, but the government now has the ability to copy, store and analyze that information at its leisure. In traditional border searches, travelers carried their suitcases with them once they cleared customs. With laptop border searches, the government can keep everything in the computer in perpetuity.” So, who is responsible for the data once it is out of the traveller’s hands? What is the care & duty of the government with regards to a company’s intellectual capital?

This issue seems like a bureaucratic (and maybe totalitarian leaning - think “Big Brother”) nightmare! Who would be considered the appropriate person to review the data on a device? What is their liability if the device or data is damaged during their review?

I know I don’t have an easy answer to these nagging questions and it will take much better minds and skills than mine to work through the protection and liability issues for an organization. What mechanisms do you use to protect equipment and data during travel? Maybe this situation is a boon to shipping organizations. More people may be shipping their gear ahead of them when travelling across the border, or using equipment at a remote site and transferring data across a network.

This situation is definitely one to watch and be concerned about as world citizens.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Aug 20 2008   6:19PM GMT

Did you see this? - Need some Exchange advice/support



Posted by: Troy Tate
administration, anti-virus, awareness, design, howto, CIO, DataCenter, DataManagement, Exchange, email, Exchange 2007, Outlook Web Access, OWA, spam, Microsoft Windows, Powershell, CA, certificate authority, digital signatures, Policy, Performance, policy enforcement, RSS, tools, blog, toolkit, web, website, wiki, www

Maybe you have already read my post about implementing new Exchange 2007 mailboxes for over 2000 users. If not… look here. So, as you see from this event, ongoing support for these global users on a new messaging system is going to be a real challenge.

I found a great blog posting with links to some excellent Exchange resources. Keep this in your toolkit for those times you just can’t find the answer elsewhere to those nagging Exchange problems. I see lots of other IT people struggling with this system and looking for support here at IT KnowledgeExchange.

Some other Exchange resources I recommend are:

Microsoft Exchange Server Resource Site

E-mail archiving

Seven ways to organize your e-mail

MessagingTalk.org - Portal for Microsoft Exchange Messaging & Collaboration

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Aug 14 2008   2:58AM GMT

Managing risk & vulnerability



Posted by: Troy Tate
administration, awareness, Data security, design, CIO, IT education, DataCenter, DataManagement, Security, antivirus, forensics, honeypot, malware, Monitoring, Policy, policy enforcement, vulnerability, risk

Jotting some quick thoughts here after answering a user post. Thought I would place the same information here for all to see. This list is by no means complete and your thoughts are always welcome.

Some ways to measure risk include:

  • How valuable is the asset?
  • How much of a threat exists?
  • What is the impact if the system/service is exploited?
  • Is the vulnerability rated high/medium/low?
  • Can the risk be reduced?
  • How easily can it be reduced considering costs, technology, staffing & skills?
  • What is the probability of the vulnerability being exploited?

You are asking yourself:

  • What are you protecting?
  • What can happen to it? - How can it happen?
  • What does it mean to the business?
  • How can the risk be reduced?
  • How likely is it to happen given the existing conditions?

Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level. This can be done by:

  • Mitigate: select controls; implement; monitor
  • Transfer: purchase insurance
  • Accept: do nothing
  • Avoid: discontinue activity

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jul 25 2008   12:58PM GMT

I know who I am - Do you know my name?



Posted by: Troy Tate
administration, awareness, design, howto, blogging, Database, DataCenter, DataManagement, Development, Exchange, email, Exchange 2007, Microsoft Windows, Browsers, subscriptions, troubleshooting, internet, Security, Policy, online identity, policy enforcement, reporting, research, website, wiki, www

If you read my previous post then you know we recently went through a major e-mail system migration. Part of that e-mail migration included moving from various naming conventions (firstname@domain.com, firstname.lastname@domain.com, FirstInitialLastName@domain.com, etc.) to a single naming convention of firstname.lastname@domain.com. Of course this was a huge undertaking and also a political move. One thing I am sure of is that the users will never understand the discussions that have taken place behind the scenes, and will continue to take place, about the names of other non-user-specific mailboxes like a project engineering team or an application mailbox.

Another thing which struck me during this process is that we netizens are identified by our e-mail address in many places on the web. Have you ever looked to see how many places you are identified by your e-mail address? I had to take some time and go out and change my e-mail address wherever the old one was in use. That is not an easy task, let me tell you! First of all I went through the mailing lists I subscribe to. I went to their websites and tried to find the area to change my profile’s e-mail address. There are some sites where I could never find this and/or could not change it. So, webmasters & publishers… please make it easier for your subscribers to modify their e-mail address or credentials! There is this need for companies that may get purchased or change names. There is the need for the users who change names when getting married or divorced… this should not be as difficult as I found it to be.

In the end, I’m not sure what I will be missing out on when we go back and clean out all of the non-standard names which we will likely do by the end of the year.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jul 17 2008   2:10PM GMT

Did you see this? - Microsoft Security Compliance Management Accelerator toolkit



Posted by: Troy Tate
Data security, design, DataCenter, Microsoft Windows, Security, Monitoring, metrics, policy enforcement, reporting, tools

Monitor the security compliance state of your IT environment for computers running Windows.

In today’s IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess the compliance of a security baseline, and demonstrate that compliance requirements have been met.

To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides remediation recommendations to address security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.


Jul 8 2008   5:12PM GMT

Browser warnings - Danger Will Robinson! - or did it just cry “Wolf!”?



Posted by: Troy Tate
Data security, Google, Firefox, anti-virus, awareness, botnet, honeynet, IT education, Development, Security, antivirus, forensics, honeypot, malware, Policy, metrics, online identity, policy enforcement, reporting, web, website, www

I sometimes browse the internet using Firefox. I say sometimes because Internet Explorer is the standard browser at my company and Firefox is not supported by IT. Well, since I work in IT, sometimes you have to test things on behalf of users and also to see how certain sites differ depending on the client browser.

Well, I recently upgraded Firefox to v3. It does seem much better than v2, although some of my useful add-ins are now broken (when will YSlow get fixed for v3?). One of the new features of Firefox v3 is the ability to report to the user if the visited website is a known potential malware site. This is a good feature! It provides the user with some useful information and education about the dangers on the internet. However, how accurate is this feature? What if you are visiting a trusted website that you frequently visit and now get this message?

For your information, this is the message that you will see when you attempt to visit a site deemed risky.

Reported Attack Site!

This web site at certification.xxxxxxx.org has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I blanked out the actual website address above. However, those of you with a bit of detective in you are likely going to figure it out.

What is interesting about this particular warning message is that it is referring to a website that has security as a guiding principle. When you see this message in Firefox, you are presented with three options:

  • Get me out of here!
  • Why was this site blocked?
  • Ignore this warning - in very tiny print at bottom of message.

I was curious as to why this site would be considered a danger. I clicked on the Why was this site blocked? option. The report I received was interesting and, as I mentioned earlier, could this be an example of someone crying “Wolf!”?

The report was as follows:

What is the current listing status for certification.xxxxxxx.org/?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/06/2008, and the last time suspicious content was found on this site was on 07/06/2008.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 3 domain(s), including lokriet.com, clrbbd.com, catdbw.mobi.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including catdbw.mobi.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, certification.xxxxxxx.org/ did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

This is great educational stuff, but did it really happen to this particular website? I don’t know, but apparently Google does. With the report of just one incident, does it make this site really worth the notification? How many incidents should it take before a site is considered malicious, and who determines what malicious is?

Just something else to mull over in your copious time as you go perusing websites in Firefox.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jun 18 2008   7:25PM GMT

Did you see this? - 10 Cool Powershell scripts virtual lab



Posted by: Troy Tate
Powershell, administration, howto, DataCenter, DataManagement, Development, Exchange, Microsoft Windows, Microsoft, troubleshooting, Networking, Security, policy enforcement, reporting, tools

Microsoft has some great virtual labs which can give an administrator some quick education over a lunch hour or another short period of time. One of these virtual labs is the 10 Cool Powershell Scripts lab. If you have not started with Powershell, then this may help you get moving in the same direction that Microsoft is moving… back to the command line!

Enjoy & keep your skills fresh.


Jun 18 2008   5:26PM GMT

Did you see this? - Infosecurity Magazine RSS feed



Posted by: Troy Tate
anti-virus, awareness, botnet, Data security, DataCenter, Networking, IT education, Security, antivirus, CA, digital signatures, forensics, honeypot, malware, Monitoring, Policy, SSL, metrics, policy enforcement, reporting, RSS, research, tools, web, website, www

Infosecurity Magazine has a very good RSS feed to keep yourself up to date on events/issues and technologies. Check it out!