Apr 19

From the BBC News website… this map shows today’s ash situation… it does not look too good for transatlantic flights from the States to Northern Europe and vice versa, but I am hearing that some transatlantic services are resuming (see @AirlineRoute for updates).

However, it looks like the European travel situation should be getting better tomorrow, as the EU replaces a blanket ban on air travel with a more focused and layered approach.  European air space will be divided into sectors described as “no fly zones,” “limited service zones,” and “open airspace,” based on the amount and dispersion of ash from Iceland’s volcano, according to the BBC.  I get the first and last categories, but I don’t know that I would want to go on a flight in the “limited service zones” – does this mean they are sorta safe?   In a press release issued today, Eurocontrol (the air traffic agency for the EU) had this to say… 


“…while the initial reaction by the States was prudent and reduced risk to an absolute minimum, it was now time to move towards a harmonized European approach (set out below) that permitted flights – but only where safety was not compromised… Accordingly a limited “No-fly zone” will be established by the States concerned, based on forecasts from the VAAC. EUROCONTROL will provide the data and the forecast to States every 6 hours.  Aircraft Operators will be permitted to operate outside this zone. In their decision as to whether to fly, they will be supported by shared data including advice from the scientific community (meteo, volcanic ash proliferation etc.) – including safety assessments supported by tests under the oversight of the competent Safety Authorities.  The conference also concluded that, in time, it should be possible to move towards an approach in which full discretion is given to Aircraft Operators.” 

Earlier today, a mislabeled webcam in Iceland led to false news reports of yet another volcano erupting.   Turns out that it was the same volcano continuing to erupt.  D’oh! 

Looking for some stories and advice from the people affected by this whole mess?  Searching for #ashtag on Twitter yields a fascinating real time look at what’s going on – and makes you glad not to be traveling…

Oh, and by the way, here is how (and how not to) pronounce the name of the Icelandic volcano… 

Apr 18

One of my responsibilities at work is to make sure that our employees are safe while traveling.  Until today, this week’s Icelandic volcanic eruption was a no-brainer… flights in the affected area were cancelled for safety reasons.  Now, the airlines and the EU have been performing test flights to see if it is possible to restart flights in Northern Europe in spite of the continuing eruption.  KLM flew a plane (with no passengers on board) from Duesseldorf to Amsterdam on Saturday without incident, although at lower altitude than normal.  Similar flights by BA, LH and AF also landed without incident.  Given the magnitude of the economic losses and travel chaos being caused by the cessation of air traffic, I can understand why folks are anxious to get planes back into the air.  However, not everyone is a fan of this plan… the Finnish air force ran their own tests using F-18 fighters and concluded that even short term exposure to the ash cloud caused damage to the planes’ engines.  And tests run by NASA showed that even very thin clouds of ash could significantly damage jet engines.

So… what if the EU decides to reopen Northern Europe’s airspace?  What travel advice do I provide to my colleagues?  Should people currently stuck waiting for flights to or from the region take one of the first flights?  Personally, I would not be ready to get on a flight to LHR today if the air space were to reopen whilst Eyjafjallajökull is still being uppity.  And I would be hesitant to get on a plane which had flown through the ash for some time after the eruption ceases, since damage to engines may manifest itself over time.  For now, the airways are still closed, so this is a hypothetical question.  But if the EU and airlines decide that the risks are acceptable, people are going to want to get home or make trips for business.  Coming up with a travel policy which balances risk with the need to conduct business is going to be a challenge – especially if this eruption continues for a long period of time or if it is a precursor to a much larger volcanic event.  Stay tuned…

Apr 07

the maley affair take two

By alberg | best practices, CSO

So after meeting Bob Maley, the former CISO of the Commonwealth of Pennsylvania, at this week’s CSO Perspectives conference in Santa Clara, CA, I am having some second thoughts about my earlier post regarding his firing.   While I still feel that the Commonwealth was technically within its rights in firing him, it seems to me that the people of Pennsylvania were done a disservice by the Commonwealth’s actions. Bob seems very passionate about the responsibilities of stewardship of citizens’ information and it sounds like he implemented a number of impressive initiatives to better protect that data.  Yes, he did speak at RSA in spite of being told not to, but it seems to me that his heart was in the right place and that he took a calculated risk in order to highlight the need for application security in e-government.  There also seems to be a political element to all of this (transition of administration stuff) as well.  In the end, after meeting the guy, I came away impressed that he was willing to gamble his job (and lose that gamble with grace) in an effort to make e-gov initiatives safer for us all.

The nice folks at CSO Magazine published a good article on the topic… read it and decide for yourself.

Apr 06

of notebooks and ipads

By alberg | best practices, CSO

Disclaimer to those of you reading this at my place of employment:  Nothing in this post indicates a change to any existing corporate infosec policies… it is simply my first step in trying to figure out how to deal with those meddling kids and their durn iPads!

Just about everyone at my workplace carries around a notebook (of the dead-tree variety) to take notes during meetings.  I’m sure that in the wrong hands, access to said notes could reveal information about the company that would better be left unrevealed to those outside our little commercial cabal.  However, I have not (and would not, for fear of snickering) sent out an email warning employees not to use unauthorized paper based storage devices in the course of their work.  As much as I would love to have a data leakage protection client (in this case, a security guy reading everything written in said notebooks as it is written and tearing out offending pages) and remote data destruction capabilities (security guy who sets notebook on fire if it is stolen), both the company and the employee might have some legitimate concerns about such an arrangement.

Which brings me to the iPad.  I have been using my shiny new iPad for the past few days to take notes at the CSO Perspectives 2010 conference and have come to the conclusion that it is a great device for the consumption of media as well as a great note taking tool.   Which raises the question:  How are notes taken on an electronic device (iPad, non company phone, non company laptop) different from those ensconced in dead-tree notebooks?

In some ways, a properly configured electronic device (one with a password required for access) seems to be a more secure note taking device than the trusty Moleskine.  Should a nefarious person acquire my Moleskine, the only barriers between them and any juicy secrets contained therein are my atrocious handwriting and my use of eccentric and non standard abbreviations.  Should the same evildoer swipe my spiffy new iPad, they would get 10 tries to guess my device passcode, after which all data on the device would be erased.  Now, the passcode is only a 4 digit number, but the odds are that it would take more than 10 guesses for our evildoer to come up with the code.
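To put numbers on that last sentence, here is a small risk model I have added for this post (not code from the original): it compares the 10-tries-then-wipe setting against a thief who guesses random codes and against one who tries popular passcodes first. The passcode frequencies in `POPULAR` are constructed for illustration, not measured data.

```python
"""Risk model for a 4-digit passcode protected by a wipe after 10 failed
attempts. Added example, not code from the original post."""
from typing import Dict, Iterable, List

PIN_SPACE = 10_000           # every 4-digit code, 0000..9999
ATTEMPTS_BEFORE_WIPE = 10    # the iPad setting the post describes

# CONSTRUCTED, illustrative frequencies for a few popular passcodes; these
# are not measured data. The point is only that user-chosen PINs are skewed.
POPULAR: Dict[str, float] = {
    "1234": 0.100, "1111": 0.060, "0000": 0.020, "1212": 0.012,
    "7777": 0.007, "1004": 0.006, "2000": 0.004, "4444": 0.003,
    "2222": 0.003, "6969": 0.002,
}
_REST_MASS = 1.0 - sum(POPULAR.values())            # mass left for the others
_REST_EACH = _REST_MASS / (PIN_SPACE - len(POPULAR))  # spread uniformly

def pin_probability(pin: str) -> float:
    """Probability that a user picked `pin` under the skewed model."""
    return POPULAR.get(pin, _REST_EACH)

def uniform_success(attempts: int = ATTEMPTS_BEFORE_WIPE) -> float:
    """If PINs were truly random, 10 guesses cover 10 of 10,000 codes."""
    return attempts / PIN_SPACE

def attacker_success(guess_order: Iterable[str],
                     attempts: int = ATTEMPTS_BEFORE_WIPE) -> float:
    """Probability the thief hits the real PIN before the wipe fires: the
    summed probability of the first `attempts` distinct codes they try."""
    tried: set = set()
    total = 0.0
    for pin in guess_order:
        if len(tried) == attempts:
            break                        # the device wipes itself here
        if pin not in tried:
            tried.add(pin)
            total += pin_probability(pin)
    return total

def best_guess_order() -> List[str]:
    """The order a thief who knows the popularity skew would try codes in."""
    return sorted((f"{i:04d}" for i in range(PIN_SPACE)),
                  key=pin_probability, reverse=True)

if __name__ == "__main__":
    print(f"random PIN, 10 tries:      {uniform_success():.3%}")
    print(f"skewed model, smart thief: {attacker_success(best_guess_order()):.3%}")
```

The wipe caps the thief's chance at the combined popularity of their ten best guesses, so the setting protects a passcode like 1234 far less than a random one.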

Add the cloud, in the form of Evernote and other such services, and the issue gets a bit more complicated.  Evernote has a great iPad app which allows you to take written and audio notes on the iPad, attach files to those notes and sync them with servers somewhere in the cloud.  I love Evernote for personal stuff – it allows me to access notes from multiple devices and serves as an upgrade to my meatware memory.  Of course, as a security professional, I know better than to save anything work related in my Evernote account.  The web based Evernote client means that our hypothetical evildoer could access all of my notes (and search for the good stuff) if they could guess my password.  I am not so sure that all of my colleagues would make the same risk/benefit calculation that I have.

So, as a paper notebook replacement, iPad seems to provide a reasonably secure place to take and keep personal notes if it is properly configured with a reasonable passcode and data erasure feature.  It is important to understand that the protection provided by this configuration is not absolute… a variety of tools exist for the iPhone/iPad platform to extract data from these devices sans passcode, so a determined attacker will be able to get at your notes.  My plan for the iPad as a notebook replacement?

  • Configure a passcode and data delete policy as well as auto locking of the device.
  • Use the device only for notes that I would be comfortable having written in my old Moleskine.
  • Be aware that the security of notes in the cloud is outside of my control, and do not entrust corporate info to cloud services.

Next step… how to communicate this use case to business people whose main focus is doing business… I feel another blog entry coming on here… but my next iPad piece will focus on another aspect of the device – as a way to carry around (and share) content.  Stay tuned.

Mar 25

Have I got a deal for you...

Every day, I get at least 5 emails from vendors wanting to set up a meeting or web demo of their latest and greatest product as soon as possible.  Of these, two or three will be totally unrelated to security.  The rest are security related, but almost all of the messages are obviously canned (some with the wrong salutation as a result of mail merge errors).  The vendors sending them have no idea what my company does (no, I don’t care about PCI compliance as we are an institutional brokerage) and tend to be from obscure companies.  I usually ignore these messages, and block the sender from further contact.

Every once in a while, a vendor does something to distinguish themselves from the pack… the other day, a salesman for a vendor who shall remain nameless sent me a canned “I would like to arrange a meeting with you” message, which I opened, looked at and deleted.  There must have been a web bug in the HTML, because this email was followed by a message which stated that the salesman “noticed I had read the email” and reiterated the request for a meeting.   Bzzzzzt!
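For readers who want to see how such a “read receipt” hides in a message, here is a small checker I have added (not code from the original post) that flags remote images in an HTML body which are tiny or hidden, the usual shape of a web bug. The sample message and the hostnames in it are constructed.

```python
"""Flag remote tracking images ("web bugs") in an HTML e-mail body.
Added example for the post above, not code from the original."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

def _tiny(value) -> bool:
    try:
        return value is not None and int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

class WebBugFinder(HTMLParser):
    """Collects <img> tags fetched from a remote host that are tiny or
    hidden: the classic read-receipt beacon. Loading the image tells the
    sender when (and from which address) the message was opened."""
    def __init__(self):
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            return                      # inline (cid:) images cannot phone home
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            return                      # a normal, visible remote image
        if parts.query:
            reasons.append("query string likely identifies the recipient")
        self.findings.append((src, "; ".join(reasons)))

def find_web_bugs(html: str) -> List[Tuple[str, str]]:
    """Return (src, why) for every suspected tracking image in `html`."""
    parser = WebBugFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample message, not a real vendor e-mail.
SAMPLE = """<p>I would like to arrange a meeting with you.</p>
<img src="https://track.example.invalid/open?rcpt=cso123" width="1" height="1">
<img src="https://www.example.invalid/logo.png" width="200" height="60">"""
```

A mail client set to block remote images by default never fetches the beacon, which is the simpler mitigation.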

I find this kind of behavior invasive and creepy and that particular vendor will need to be offering a machine that turns water into gasoline before I will want to talk to them ever again – and I would insist on a different salesperson.   It is one thing if I visit your web site, provide my contact information and give you permission to email me, but to spam me and then spy on me puts you and your company on the fast track to al-blivion as far as I am concerned.

Salespeople, I understand that you guys have a tough job and that recent economic conditions have made that job tougher.  But please realize that sending spam (while quite effective for dodgy pharmaceutical sales, offers of great wealth from Nigerian princes and attempts to infect PCs with malware) is not how to sell enterprise security products that cost tens or hundreds of thousands of dollars.  Want to sell to me?  Get a good reputation and good PR – I will find you.  If you are going to contact me, take a few minutes to learn something about my company before you email.  And don’t cold call me – all I can think of when I get a cold call from a salesman is Jack Lemmon in Glengarry Glen Ross.

Rant over…

Mar 16

According to this article from CSO Magazine’s web site, “several security execs expressed surprise” that the CISO of the Commonwealth of Pennsylvania found himself unemployed after making a speech at the RSA Security Conference describing a cyber security incident at his state’s motor vehicle agency without getting prior approval.  As a CSO myself, I don’t understand why anyone is surprised – I think that this firing was pretty easy to predict and, unfortunately, deserved.

Yes, the incident that the CSO talked about was pretty minor – it involved what sounds like an application error that allowed some people to jump the line when scheduling driving tests – but that is not the point.  Like most organizations, Pennsylvania’s government has a policy requiring employees to get prior approval before disclosing official matters.  I am sure that the CSO was aware of this policy and as a security professional and as a C level employee, he had a dual responsibility in this matter – to follow policies like any other employee and to set an example for others in his organization to follow in security matters.   He also had a responsibility to protect the image of his organization… at the very least, before speaking about this kind of an incident in public, he should have made sure that management was on board and that there was a public relations plan for any negative blowback.

Could this incident have been discussed in public without the need for firing?  I think so, although the final decision should have come from management.  Had the CSO given them a chance to weigh in, his participation in the RSA panel could have been a positive event for the DMV – showing lessons learned and all that.

If this particular CSO reported to me, I would have some serious questions about their judgment and their ability to safeguard confidential information.    I think it would be really difficult to regain that trust after this kind of incident.

Don’t get me wrong – I feel badly that this person was fired – this was probably one negative incident in a career filled with accomplishment and service.  But in the end, he made the choice that ended his employment.

OK – I just can’t resist one thing…  The “Security on this site” page of the DMV’s website recommends the use of Netscape Navigator 4.7 or IE 5.0 or greater as secure browsers and then goes on to tout the agency’s use of the “most recent versions of security software”…  DOH!
