Making a (Security) List And Checking It Twice

Jude looks back on a year of security challenges and gives Santa his wish list for next year

Dear Santa, I've been a good corporate security manager this year. I haven't deliberately obstructed any projects merely because I don't like the project staff. I've tried my best not to rant and rave at senior management any more than absolutely necessary. I've used words like empowerment and paradigm whenever possible in meetings. I may even have helped improve the security of our company a little bit. Maybe.

Please bring me some presents this year. Last year, you gave all your presents to those Y2k contractors, who seemed to disappear quickly afterward with much of our budget.

Security Bookshelf

Linux in a Nutshell: A Desktop Quick Reference, by Ellen Siever (editor) et al. (O'Reilly & Associates, 2000). This book is a very good quick reference, and it comes recommended not just by me but also by the local Linux guru in my organization.

Learning Red Hat Linux, by Bill McCarty (O'Reilly & Associates, 1999). This easy-to-follow basic primer on Linux could benefit from a bit more troubleshooting advice. It got me started on Linux, but when things went wrong, I had to go somewhere else to find answers.

Yes, Jude, There Is a Santa Claus

For Christmas this year, I would like:

• The resumes of some security staffers who know enough about the technology to keep up with our engineering teams, who have a professional enough manner that I could let them near our end users, who have a positive and supportive attitude, and who have at least some knowledge of security. Do such people exist? If they do, I'm having a hard time finding them.

• A magic wand to wave over our users to make them understand what encryption is, what they can use it for, and that if they lose their key, we can't just give them another one, no matter how loudly they shout at us.

• An antivirus management product that will tell me at a glance how many of our machines are up-to-date and what it plans to do about the out-of-date ones, and that tracks infections across workstations in real time.

• An antivirus reporting tool that reports infection statistics graphically by user, location and department, so that I can see patterns and trends emerging.

• Department managers who come to me and say, "Jude, we're starting a new project and we'd like your input now so that we can build this system securely right from the start."

• To be called in as a consultant on a particularly juicy hack at another company so that I get all the fun of the investigation but none of the fallout from the break-in.

• More time. I seem to keep running out of it.

• Windows 2000 to be installed across our company. I know that in previous years, I've asked you to magically remove Windows from all of our machines and replace it with a better operating system, but I think Microsoft may have gotten it right this time. I particularly like the Active Directory idea, the certificate authority shipped as standard, the easy and intuitive machine security policy interface, the encrypting file system and the smart-card log-in function. Yes, I know it's not perfect, but overall, I think it's pretty good.

• Someone to help me work out what I'm going to say to my children when they're old enough to ask me what I do all day. Actually, I'd like someone to explain it to me, too, please.

• A telephone that recognizes salesmen cold-calling me, puts them on hold and plays endless experimental fusion jazz until they go away.

• An intrusion-detection system that doesn't have so many false alarms. No, I don't know how they're going to do that, either.

I don't know whether you're going to be able to fit all those presents under the tree. If you run out of space, or if I've asked for too much, then forget all the other presents and please just give me a bit more time.

Sincerely, Jude

P.S.: All my colleagues tell me that you don't exist, but my manager says you do. At least he says that you're my only hope of getting a bonus this year, which I think is the same thing.

Scrooged by a Virus

I'm not feeling very festive at the moment. We've just had a virus attack that exploited the most tenuous set of coincidences in order to take root and start deleting files, and our vendor support line got forwarded to an engineer in a bar somewhere who declined to help because he was eating at the time. He did promise to call us back later, which is nice of him, I guess, but we're still waiting for the call. Our vendor account manager is coming in for a meeting in a few days, so I'll vent my feelings by shouting at him.

The virus managed to weasel its way past four layers of antivirus defense. First of all, we had an unfortunate outage of our otherwise pretty reliable antivirus scanner on our main mail gateway. It crashed under a deluge of backed-up e-mail following a mail system outage and was down for 20 minutes. During that time, six separate e-mail worms made their way through the gateway to our internal mail servers.

Our internal mail servers also have antivirus protection, and five of the six worms were stopped dead. However, the sixth worm got to a server that hadn't been updated with the latest patch to the antivirus scanner, and the scanner failed to even notice the Visual Basic script attached to the e-mail, let alone check it for viruses. So the server forwarded the infected e-mail to the user's mailbox.

The user's workstation antivirus software was out-of-date, so when she opened the Visual Basic script attachment on the e-mail (the e-mail subject line was "US PRESIDENT AND FBI SECRETS"; somehow, she failed to notice that this wasn't a business e-mail), the worm activated and deleted 4,922 files.

Actually, they were 4,922 JPEG, MPEG and MP3 files, so I think the worm probably did us a favor by giving us a bit of disk space back. Our scanners did stop the worm when it tried to send itself on to everyone in her address book, so we did manage to contain the infection.
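To make the chain of failures above concrete, here is an added illustration (not from the column) that models the three scanning points the worm passed, gateway, internal mail server and workstation, as a pipeline. It reproduces the incident under the fail-open behaviour described, then shows two policy changes a defender can make independent of signature freshness: hold mail when a scanner cannot give a verdict, and block script attachments outright. The mail objects, extension list and age threshold are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample mail. The subject line is the one quoted in the column;
# the attachment name and the clean mail are made up for this example.
WORM_MAIL = {"subject": "US PRESIDENT AND FBI SECRETS", "attachments": ["secrets.txt.vbs"]}
CLEAN_MAIL = {"subject": "Q4 budget", "attachments": ["budget.xls"]}

SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf", ".scr", ".pif")  # example policy list
MAX_SIGNATURE_AGE_DAYS = 7                                    # example threshold


@dataclass
class Scanner:
    name: str
    up: bool = True              # the gateway scanner was down for 20 minutes
    handles_scripts: bool = True # the unpatched server scanner ignored the .vbs entirely
    signature_age_days: int = 0  # the workstation's definitions were out of date

    def verdict(self, mail):
        """Return 'infected', 'clean', or 'unknown' when no trustworthy scan was possible."""
        if not self.up or self.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
            return "unknown"
        if self.handles_scripts and any(a.lower().endswith(".vbs") for a in mail["attachments"]):
            return "infected"
        return "clean"  # an unpatched scanner that skips scripts wrongly reports clean


def has_script(mail):
    return any(a.lower().endswith(SCRIPT_EXTENSIONS) for a in mail["attachments"])


def deliver(mail, layers, fail_closed=False, block_scripts=False):
    """Walk the mail through each layer; report where it was stopped, or 'delivered'."""
    for layer in layers:
        if block_scripts and has_script(mail):
            return f"blocked by attachment policy at {layer.name}"
        verdict = layer.verdict(mail)
        if verdict == "infected":
            return f"stopped at {layer.name}"
        if verdict == "unknown" and fail_closed:
            return f"held at {layer.name} (scanner unavailable)"
        # fail-open: an 'unknown' or mistaken 'clean' verdict lets the mail continue
    return "delivered"


# The state of the three layers on the day of the incident, as the column describes it.
INCIDENT = [
    Scanner("gateway", up=False),
    Scanner("internal mail server", handles_scripts=False),
    Scanner("workstation", signature_age_days=30),
]
```

Run `deliver(WORM_MAIL, INCIDENT)` to reproduce the incident ("delivered"); pass `fail_closed=True` or `block_scripts=True` to see the same mail stopped at the gateway.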

Well, it's the end of a year, and I've been in this job for eight months now. In a way, it doesn't feel like long at all, as I'm still trying to get some things sorted out that I started in my first few weeks. But looking back, I think it's been time that was pretty well spent. I'm sure I've made a difference to the company's security, and I'm pretty sure I've done an OK job.

Talking the Talk

When I joined the company last spring, I was a bit daunted by the sheer scale of the job, but I have coped, just about. Mostly, I've coped by focusing less on our business applications and concentrating on securing the underlying infrastructure. We're beginning to get our antivirus protection sorted out now; our rollout of Atlanta-based Internet Security Systems Inc.'s security scanning software is just beginning to bring good results; and I've got the go-ahead to start on the project to give all our users smart cards in place of their Windows passwords.

However, I think my biggest achievement has been talking. I've talked and talked to everyone who would listen and many who wouldn't, explaining to them what needed to be done about security, why we ought to do it and how they could help. I've talked to everyone, from junior staff to the highest levels of our management. I've talked until I lost my voice, and then I whispered instead.

My biggest achievement this year has been to help convince people that something needs to be done. That sounds like such a trivial achievement for eight months' work, but it's been a hard eight months. Now that people are convinced, next year will be the time to start doing projects in earnest.

Merry Christmas, everyone.

• This journal is written by a real security manager, "Jude Thaddeus," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com and at www.sans.org to help you and your security manager better solve security problems. Contact him at jude.t@lycos.com or head to the forums.

Copyright © 2000 IDG Communications, Inc.