Security at any Cost?

I am a FIRM believer in securing systems and data at a level equivalent to the value of the systems or data or the risk associated with the loss of the data or system.  But I have to draw the line when securing data or a system results in interruptions to the operation of what was, up to this point, a secure and well-run system.

Let me use an analogy here to make my point:  When you carry cash, checks, and/or credit cards (CCC), you carry them in a purse or wallet which then goes into your pocket.  You don’t put your CCC into a safe and carry the safe around, do you?  You don’t keep your CCC secured away at home and then run back home every time you need access to CCC to make a purchase, do you?  And we are talking about items that could result in your losing a significant amount of money, or worse, identity theft.

Drawing on this analogy and applying it to systems and data – how much security is too much security for your systems and data?

Do you spend much of your day working through the security mechanisms just to access your systems/data?  Are your systems/data so important that they must be very difficult to access?  Isn’t the purpose of having your data in electronic form so that it is readily available and easy to access?

Stepping back, maybe it is worth looking at what the security folks are trying to do.  Obviously, they are trying to protect data and systems from being breached, compromised, or lost.  Sounds good, right?  But their idea of protection may be so draconian that you have a difficult time accessing your email or accessing and editing a document.  I understand the security viewpoint that any individual piece of information may not be important enough to merit protecting, but when you put together a finite number of pieces of information, that may become something worth protecting.

And here we get back to the question – protect the systems and data at what cost?

Sorry to say that I don’t have any answers here.  But I do want to make a few points:  Security personnel should spend some time and brain cycles understanding the value of the systems/data and the risk of them being compromised, breached, or lost.  It is much easier to apply a blanket security policy, but seldom does one policy truly fit all.  If security personnel understand the systems/data and their function and value, maybe they will craft an appropriate security policy that strikes a balance between making the systems and data available to authorized users and protecting it from the bad guys.

As always, please let me know if you have questions or comments, and I will do my best to address them.

Advertisements

Whitelist or Blacklist Applications?

I get this question a lot from folks – both as it applies to mobile devices and also as it applies to the managed network in general.  Here are my thoughts.

A blacklist is a list of applications that are not allowed.  A whitelist is a list of applications that are allowed.  It is that simple.  In my opinion, a whitelist is MUCH easier to manage than a blacklist.

Why?  Because you know the applications that you want your users to have access to.  It is a finite, limited list, and if a new allowed application comes along, you can easily add it to the whitelist.  It should always be a fairly small list.  On the other hand, a blacklist is an infinite list of applications that are not allowed.  Can you imagine managing this?  How on earth do you manage this list without knowing about every application on Earth?  Granted, you could create a blacklist of applications already installed in the computing device that you don’t want the user to run and then lock that computing device’s image so that no additional applications could be installed, but that is more work.  This “image lock” method makes it difficult to push AV engine and signature file updates as well as Operating System patches.

Now with a whitelist, you still have to manage a list, but you know what applications you will allow.  And you can easily add to the list if needed.  Everything else is not allowed.  Now, this still allows a user to install pretty much anything they want, but they can not run it unless it is on the list.  And chances are good that the install will fail, as the install program will almost certainly not be on the list.  You may also have issues/difficulties with AV and Operating System updates/patches.

Bottom line – whitelists are easier to implement and manage, plus, they don’t require image lock.  You will have to figure out AV and Operating System updates/patches in either case.

As always, please let me know if you have questions.  I will do my best to answer or clarify.

And now for a few words about securing PDAs

Not everyone needs a SME-PED (a secure mobile messaging device developed by the NSA).  But a lot of people carry Personal Digital Assistants (PDAs) or Personal Electronic Devices (PEDs).  For this post, I will call them Mobile Devices (MD).  These MDs include Blackberry, Windows Mobile, iPhone, and any other phone/device that lets you do email, SMS, MMS, pictures, or store any kind of data on it.

Imagine that you are out a restaurant.  You are having a nice meal.  You brought along your MD, because you never leave home without it.  You have it sitting on the table near you (or in your coat pocket or wherever).  You have it set up to synchronize your work email as well as your personal email.  You store your contacts (work and personal) on the device, and you also keep a couple of Notes on the device that have some password/PIN/account info in them.

You get up to use the restroom.  You leave your coat behind.  You return and finish your meal.  You leave the restaurant.  You get into your car and decide that you will check email before you head home.  You reach for your MD and realize that it isn’t there.  You run back into the restaurant and back to your table, but your MD is not there.  You ask the server and manager if they have seen one or if one has been turned in.  They have not.

Time to panic?  Maybe not.  Do you have the device set to time out after a certain amount of time?  Do you have a password or PIN set to unlock the device?  Do you have encryption technology on the device?  Do you have anti-virus software installed on the device?  If you can answer “Yes” to most or all of these questions, then you can rest easy, because you are out a few dollars for the device and some pain calling your carrier and having the phone/SIM killed.  Then you have to go out and get a new phone/plan and rebuild it.  Painful?  Yes, but not as bad as it could be.

Here is a true story (names/locations have been removed to protect the stupid).  I got a call several years ago from one of my users asking me to “kill his device”.  I asked him what had happened to it, and he told me that he had lost it.  When I hung up with him, I decided to call the phone number of the device.  I did, and the device was answered, but no one was there.  I sat on the line for 5 minutes or so, listening to background noise, and I soon realized that the device was near a cash register.  I started saying “Hello” over and over again.  I did this for about a minute, and finally, a confused woman picked up the phone and responded “Hello?”  We had a brief conversation.  I found out that she was a server at a restaurant down the road from where I was working at the time.  I asked her to set the device aside and told her that I would be down in a few minutes to pick it up.

I retrieved the device and brought it back to my office.  I noticed a couple of things:  There was no PIN/password protecting the device.  It had the user’s business email synchronized to it (up to the minute I was holding the phone).  It had the user’s contacts, calendar, and some notes.  One of the notes had his account login information for several business critical systems (including username, password, and account number).  I also found a note with some of his personal information in it.  Bad?  YES.  But this is not the worst thing that could have happened.

Can you imagine if someone else had found it?  And what if that person was a bad guy?  Fortunately for the user, I recovered it, and I proceeded to wipe the device and rebuild it.  I will let you all use your imagination to form a picture of what might have happened if a bad guy had found it.

Bottom line – protect your mobile device.  You need a PIN/password to unlock the device at the VERY least.  You should also have AV software if you do email, web, or texting on the device.  If you are storing personal or professional information that could be considered private, you should strongly consider getting encryption software for the device.  Protect yourself by protecting your data.  It only takes a second to unlock your device (if you remember your PIN/password).  But it may take you weeks or months to recover from the theft of your personal or professional information.

As always, please let me know if you have questions about this.  I will try my best to answer them or clarify what I was trying to say.

A few more thoughts about securing data

Yesterday, I posted a lengthy discussion of securing personal data (including email). After doing so, it occurred to me that I forgot to talk about encryption.  Short and sweet – if you have data on your computer that you believe (for whatever reason) is so private that something terrible would happen if it ever saw the light of day, then you should strongly consider encrypting your data.  This can be done using a variety of tools available, or if you have Vista and a machine with TPM, you can use BitLocker (part of Vista) to encrypt your hard drive.  I am not going to go into how to do so here, as there are plenty of well-written articles on how to use BitLocker.

Bottom line – if you are worried about your data on your home computer (especially your laptop), strongly consider encrypting that data.  As always, if you have questions, please let me know, and I will do my best to provide a coherent and clear answer.

Ruminations on Securing Data

A couple of caveats:  These are my personal thoughts/ideas.  They are in no way to be associated with my company or my current project.  I am not pointing fingers at anyone in particular, nor am I calling anyone stupid.  I am simply trying to get people to think about the impacts of security policies on the daily personal and business functions.  The instructions below are either as generic as I can make them (since I don’t know what WiFi gateway device you are using) or they are specific to Windows Vista (since that is what I am using).  Please let me know if you have specific questions about Windows XP or Linksys/Belkin WiFi units, as I have experience with and access to both.

I think we can all agree that it is important to protect data.  I think we can also agree that some data need more protection than other data.  Protecting your personal data is critical to mitigating the risk of identity theft.  You shred mail that has your personal data in it (don’t you?).  You protect your Social Security Number (don’t you?).  You keep a close eye on your credit cards and your Driver’s License.  But how well do you protect the data that is on your computer?

Do you ever access your email from a kiosk (at the library or at an Internet Cafe at K-Mart)?  Do you ever use a Starbucks Hot-Spot?  Do you ever war-drive and find some sucker whose SSID is still linksys?  How do you protect your data in these cases?  Doing any of these things puts your email at risk of being intercepted/infiltrated by someone looking for personal/professional data about you.

Does your desktop/laptop have a password that must be entered before it can be accessed?  Do you regularly patch your system and your Anti-Virus/Anti-Spyware software?  Do you use MAC filtering and WEP/WPA for your home WiFi?  Have you renamed and disabled the Administrator and Guest accounts on your computer?  Have you changed the default SSID, administrator account, and password on your home WiFi?  If you aren’t doing all of these things, then you are putting your email and data at risk of being harvested.  You also put your computer at risk of becoming a virus-bot.

You might be thinking a couple of things at this point:  What can I do to protect myself, and where is it OK to access my email/the Internet when I am not at home?

You can protect your computer and data while at home in the following ways:

  • Make sure that your desktop/laptop has a password that must be entered before it can be accessed
    • Make it complex (at least 2 upper-case letters, 2 lower-case letters, 2 numbers, and 2 special characters)
    • Make sure it is NOT your name, your child’s name, your pet’s name or anything obvious like that
    • Change it every three months
  • Regularly patch your system and your Anti-Vuris/Anti-Spyware software
    • If you use Microsoft’s operating systems (Vista or XP) turn on automatic updates.  This will download and install all critical patches (which are usually the security patches).  This may result in unexpected restarts of your system, so make sure you save your work before you go to bed (especially on Tuesdays).
    • Make sure you are running anti-virus software AND anti-spyware software.  There are some VERY good FREE home use products out there that you can use.  I like Avast.
      • Make sure they have the latest engines and signature files.
      • Make sure they are set to actively scan (incoming emails, inbound connection requests, downloading documents) and also make sure that they are set to do a full system scan once a week.
  • Rename and disable the Administrator and Guest accounts on your computer
    • Right-click “My Computer” or “Computer” and select Manage.
    • In the window that opens, select Local Users and Groups.
    • Select Users.
    • Select the Guest account.
    • Right-click it and select Rename.
    • Rename it to something else (it doesn’t matter).
    • Right-click it again and select Properties.
    • On the General tab, select the check box for “Account is disabled”.
    • Repeat this for the Administrator account.
  • Use MAC filtering and WEP/WPA for your home WiFi
    • Record the MAC addresses of each NIC that will be used to access your home WiFi.  Enter it into the MAC filtering area in the administrative console for your WiFi.  You can find the MAC address by getting to a command prompt (Start, Run, “cmd”, OK) and then typing “ipconfig /all”.  The MAC address will be something like 00-1C-23-53-94-6B.  Make sure you get the address for the NIC that is connecting to your home network.
    • Assign only the number of IP addresses to your home segment that you will be using at any one time.  I have mine set up for 8 concurrent connections.
    • Use some form of security.  WEP is better than nothing.  If your WiFi, Operating System, and NIC support WPA, then use that.  Any security is better than none.  If I am war-driving, I skip right over those hot-spots I find that have security, because I can ALWAYS find one that has none.
  • Have you changed the default SSID, administrator account, and password on your home WiFi?
    • Change the SSID on your home WiFi to something other than the default
    • If you can, change the name of the Administrator account
    • CHANGE THE DEFAULT ADMINISTRATOR PASSWORD!!!

If you MUST access your email while you are away from home:

  • Do NOT war-drive unless you have a completely patched and protected machine
  • Do NOT use a Starbucks (or any other) hot-spot unless you have a completely patched and protected machine
  • Minimize your time doing anything that involves personal data, usernames, or passwords while war-driving or using a commercial hot-spot
  • If you are at a library or Internet Cafe (using one of their machines) try to avoid doing anything that asks you for a username or password.  You have NO IDEA what kind of spy-ware is on these machines.
    • When you are done, make sure you clear all locally cached data from inside the browser (cookies, history, downloaded files, temporary files, etc)
  • If you find yourself often connecting in these circumstances, consider setting up and using a “junk” email account that is used only for sending generic emails to known (by you) email addresses.  Do not store any email addresses or old emails here.  That way, if it gets hacked, you don’t lose much, and you don’t expose your contacts to spam or phishing attempts from your email account.

Some general thoughs/recommendations:

  • Learn to recognize phishing attempts
  • Stay away from porn sites – these will often try to install some sort of spy-ware/malware on your computer
  • Stay away from phreaking/hacking/cracking sites – these will often try to install some sort of spy-ware/malware on your computer
  • NEVER give out your personal information (username, password, SSN, birth date, full name, mother’s maiden name, place of birth, etc) unless you are ABSOLUTELY sure you are speaking with someone trustworthy.  For example, if I call the number on the back of my credit card, I can expect to provide my credit card number and some other piece of personal information.  I initiated the contact, so I have to verify who I am.  I will NEVER tell anyone who calls me anything about me or my family.
  • Along the same lines, you will NEVER receive an email from your bank, eBay, PayPal, etc asking you to “click here to verify your account”.  Any email that asks you to “click here” or else (something bad will happen like your account will be suspended, etc) is a phishing attempt.  Hover over the link.  It may look like it is from eBay, but unless the link has “ebay.com/” in it, it is not from eBay.  If you want to make sure that everything is OK, open a new web browser, type http://www.ebay.com, and log in with your credentials.  If something is wrong with your account, you will see it once you have logged in to the legitimate site.
  • NEVER click on a link in an email (your Anti-Virus product should protect you if you goof up, but better to be safe)
  • NEVER launch an attachment that you were not expecting

Be smart, be safe, be secure.

How to Install DoD Root Certificates on Windows Mobile Devices

Installing the DoD Root Certificates

Prerequisites:

Mobile Device Center/ActiveSync (depending on your Desktop OS) is installed on the “host” system (e.g., desktop/laptop computer).

NOTE – The certificates can also be moved to the device by placing them on a compatible micro/mini-SD card.  If this is the chosen method, skip to Obtaining and Installing the DoD Root Certificates.  Once that is complete, copy both certificates to the storage card, insert the storage card into the mobile device, and then skip to Installing the Root Certificates on the Mobile Device.

A Standard partnership is not required; a Guest partnership is sufficient.

Connecting mechanism (e.g., USB cable or Cradle) is attached to the “host” system.

The DoD Root Certificates have been downloaded to the “host” system desktop (see Obtaining and Installing the DoD Root Certificates below).

Microsoft ActiveSync/Windows Mobile Device Center Download

For Windows XP and earlier Operating Systems

Download ActiveSync 4.5 from http://www.microsoft.com/windowsmobile/en-us/help/synchronize/activesync-download.mspx.

Follow the instructions on the website for downloading and installing.

For Windows Vista

Download Windows Mobile Device Center 6.1 from http://www.microsoft.com/windowsmobile/en-us/help/synchronize/device-center-download.mspx.

Follow the instructions on the website for downloading and installing.

Obtaining and Installing the DoD Root Certificates

Go to this website.

Follow the directions there to install BOTH DoD Root certificates onto your desktop/laptop (make sure that you install them into “Trusted Root Certification Authorities”).

Once the DoD Root certificates are installed, click Start, Run, and type “certmgr.msc” then click OK.  This will launch the local machine’s Certificate Manager.

041009-1323-dodrootcert1.png

Select Trusted Root Certificate Authorities and then select Certificates.  Select the DoD CLASS 3 Root CA.

041009-1323-dodrootcert2.png

Right-click, select All Tasks, and select Export.  Click Next.

041009-1323-dodrootcert3.png

Leave the default (DER encoded binary X.509 (.CER) and click Next.

041009-1323-dodrootcert4.png

Select the Desktop as the destination for the file, give it a name, and click Save.

041009-1323-dodrootcert5.png

Verify the choices and click Finish.

041009-1323-dodrootcert6.png

You should see the status box below.  Click OK.  You MUST repeat this process for the DoD Root CA 2.  You should end up with 2 .CER files on your desktop.

041009-1323-dodrootcert7.png

Copying the Root Certificates to the Mobile Device

Start ActiveSync or Mobile Device Center on the “host” system.

Power on the mobile device and place it in the cradle (or other connecting mechanism).

Open “My Computer” from the “host” system desktop.

In “My Computer”, traverse to “Mobile Device” and double-click on the object.

Double-click on the folder named “My Documents”.

Copy the DoD Root Certificate files from the “host” system Desktop to the “My Documents” folder on the mobile device.

Installing the Root Certificates on the Mobile Device

On the device, choose “Start”

Choose “Programs”

Choose “File Explorer”

Click on the drop-down below the “File Explorer” title-bar

Select “My Device”

Select “My Documents”  or “Storage Card” (depending on which method you used to copy the certificates to the device).

Select each certificate individually by tapping on it.

This will initiate an install of the certificate.  You must do this for BOTH of the DoD Root Certificates.  When this is complete, remove the mobile device from the cradle or USB connection (if that method was used to copy the certificates) and perform a “Soft” reset on the mobile device per the manufacturer’s instructions.

Apriva Sensa Bluetooth Pairing

Pairing the CAC Reader with the Windows Mobile Device

  1. Connect the reader to the device using the USB cable and dongle supplied (connect the cable to the PDA port on the device, not the PC/CHARGE port)
  2. Insert your CAC in the reader
  3. Power on the reader (button on top)
  4. Enter your PIN and choose OK
  5. This should unlock the device and put you at the Today screen on the device
  6. Choose Start
  7. Choose Settings
  8. Choose the System tab
  9. Choose Apriva Reader
  10. Choose Pair (takes about 20 seconds)
  11. Once complete, choose OK to close the pop-up window
  12. Choose the Bluetooth radio button (takes about 4 seconds)
  13. Once complete, choose OK twice to return to the Today screen
  14. Remove your CAC from the reader
  15. Disconnect the reader from the device

Launching Sensa Mail

  1. Insert your CAC in the reader.
  2. Power on the CAC reader.
  3. Choose Sensa Mail.
  4. Enter your PIN and choose OK

Error Messages

Attempting to open an encrypted message, or attempting to sign an outgoing message without the CAC inserted (or if the reader is powered down or out of range), the user will see the error message displayed at the right.

To resolve this error, the user should insert the CAC, power on the reader, choose OK, and try the action again. If this does not resolve the error, the user should soft-reset the device and try again.