High Five for Week Ending 20-Dec

Published on December 20, 2009 by in High Five


Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

Welcome to the “Threats and Opportunities” version of the High Five.  This week’s links describe some things to be concerned about in 2010, and some trends to be excited about.  The last link is an absolute must watch video!

#5: Hackers are defeating tough authentication, Gartner warns

Another day, another scary article about how online identities are being compromised. The takeaway here is to become a more intelligent Internet user and take responsibility for your online accounts (for more information on this subject, see “How to Spot Phishing.”).

Link: Computer World

#4: Green light for internet filter plans

From the “Big Brother Is Watching” department, Australia is considering forcing Internet service providers to install web site filtering to remove criminal content. All the same questions apply here. Who decides what’s criminal? How do you implement it? The reality is that this is very easily thwarted, and kids, criminals, and deviants will be able to get around it within hours of the filters being put in place.

Link: ABC News Australia

#3: The 12 Days of Christmas: Website Disaster Style

This is a very creative and effective article that describes some fundamental yet all too common mistakes that are being made with regard to web site design and architecture. It makes them very understandable to the noob (newbie).

Link: SEO.com

#2: What Matters Now

Meaningless coincidence; last week’s #2 position was also a post from Seth Godin. This is a free e-book that is a compilation of observations and advice from scores of the leading thinkers of our digital age.  I don’t even know where to start with this, as there is so much information, advice, and inspiration in this document.  You must check it out.

Link: Squidoo

#1: Forecast for 2010: The Coming Cloud ‘Catastrophe’

This is a really unfortunate title that appears to be a typical “least common denominator” appeal to fear mongering. However, this video and article provide ten predictions for next year that are fascinating and extremely thought provoking. In fact, the cloud catastrophe prediction is just one of ten, and in my opinion the least interesting.  There is one prediction about journalism and the media with which I completely disagree. However, I’ll be authoring a post soon on the trends that are predicted in this story, and many of them can be summarized with this recommendation; “THINK SMALL.”  This is a must view video!

Link: Business Week

Feel free to provide your thoughts and/or contributions…


High Five for Week Ending 25-Oct 2009

Published on October 25, 2009 by in High Five


Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

This week saw a couple of major releases; Windows 7 and a new Facebook user interface.  On its surface, the new Facebook “Live” and “News” streams may seem innocuous, if not confusing, to most, but it is an obvious reflection of their recent hiring of the FriendFeed founders and indicates their intent to leverage real time search as part of their business model.

#5: How To Build A WiFi Home Surveillance System With Your PC

Our next door neighbor’s home was broken into a couple of weeks ago and suffered significant loss.  I’ve been researching various surveillance options and found this:

http://www.makeuseof.com/tag/how-to-build-a-wifi-home-surveillance-system-with-your-pc/

#4: Email Being Replaced by Social Networks? Not So Fast Wall St. Journal

As someone who is just slightly obsessive compulsive, I love symmetry, and this week’s #4 post provides the perfect follow-up to the Wall St Journal article that was last week’s #4, “The End of the Email Era.”  This predictable response from email marketing provider Vertical Response provides some lucid arguments against the somewhat overstated conclusions in the Wall St Journal article.

http://blog.verticalresponse.com/verticalresponse_blog/2009/10/email-being-replaced-by-social-networks-not-so-fast-wall-st-journal.html

#3: New Views for Your Home Page

The new look of Facebook’s home page is no surprise to those of us who have used FriendFeed.  Recently, Facebook acquired the talent behind that social networking site and promptly gave it the “Friendfeed treatment.”  The thing that flabbergasts me is that Facebook did not publicize this change ahead of time, or provide users with a link to this otherwise obscure blog post that explains the how and why of the changes:

http://blog.facebook.com/blog.php?post=162536657130

#2: Lifehacker’s Complete Guide to Windows 7

Those of you who have suffered through Windows Vista with me should run, not walk, to upgrade to Windows 7.  I’m still waiting for my free upgrades to ship, but the reviews I’ve read are unanimous in their praise that W7 absolves the worst sins of the horror show that was Vista.

http://lifehacker.com/5386953/lifehackers-complete-guide-to-windows-7

#1: Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices

This article covers a serious networking threat to many home users.  If you use a home wireless router to connect your PCs to the Internet, and you’ve never changed the default administrator account password, you are in danger!  This vulnerability has been addressed in recent years by Linksys and other manufacturers by requiring a password change before the device will work, but there are still thousands of devices in use that were taken out of the box, plugged in, and never touched again.  The problem is that these routers are exposed to the Internet and all have the same factory default username and password, which allows hackers to take control of your router and, potentially, gain access to your home network.

http://www.wired.com/threatlevel/2009/10/vulnerable-devices/

Feel free to provide your thoughts and/or contributions…


This afternoon I presented “Introduction to Cybersecurity” to members of the New England Water Works Association in New Haven, CT.  The presentation focuses on a recurring theme of this blog; no/low cost options for improving security.  This particular presentation focuses on the challenges faced in securing SCADA (Supervisory Control And Data Acquisition) systems.

During the presentation, I stressed the point that humans are the weakest link.  I wish it had occurred to me to embed the following video of Kevin Mitnick demonstrating social engineering techniques:

Remember, people are the weakest link.

Top 5 No Cost Cyber Security Practices

Is cyber security a technology problem or a people problem?

Cyber security is a complex, highly technical subject that is best left to the Asperger-nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance


Most organizations are oblivious to the weakest link in the security chain

I’ve come to a remarkable, if not depressing realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities and I can easily count the number of times I was ever given any sort of cyber security orientation – exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this; the vast majority of companies, large and small alike, is completely oblivious to the weakest link in the security chain; people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance is still the number one vulnerability for computer systems.  I understand how painful it is these days to maintain all of the user names and passwords in our lives.  However, it is the world we live in and we must accept it and follow these bare minimum password practices:

  • No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password.
  • Complex passwords:  Use combinations of letters and numbers, preferably composed of one or more words that are not in the dictionary.  Why?  Read this article about Dictionary Attacks.
  • Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.

Utilize Automatic Updates

Unpatched operating systems and out of date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities that are typically patched within days or weeks.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, preventing the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC has loads of “crap-ware” installed on it that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required and disabling the wrong service can lead to “unexpected behavior.”

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability, and care must be taken to provide the information necessary for them to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publicly on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint; it has nothing to do with computers.  It’s called Social Engineering and you can read more about it in my blog, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?

Credits and citations: