[SecurityRatty] tag: 103-thousand

Logging Web Traffic with Httpry

Fri, 13 Jun 2008 13:46:00 +0000

I don't need to tell anyone that a lot of interesting command-and-control traffic is sailing through our Web proxies right now. I encourage decent logging for anyone using Web proxies. Below are three example entries from a Squid access.log. This is "squid" format with entries for user-agent and referer tacked to the end.

Incidentally here is a diff of my Squid configuration that shows how I set up Squid.


r200a# diff /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.orig 
632,633c632,633
< acl our_networks src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
< http_access allow our_networks
---
> #acl our_networks src 192.168.1.0/24 192.168.2.0/24
> #http_access allow our_networks
936c936
< http_port 172.16.2.1:3128
---
> http_port 3128
1990,1992d1989
< logformat squid-extended  %ts.%03tu %6tr %>a %Ss/%03Hs %<st
 %rm %ru %un %Sh/%<A %mt  "%{Referer}>h" "%{User-Agent}>h"
< 
< 
2022c2019
< access_log /usr/local/squid/logs/access.log squid-extended
---
> access_log /usr/local/squid/logs/access.log squid
2216c2213
< strip_query_terms off
---
> # strip_query_terms on
3056d3052
< visible_hostname r200a.taosecurity.com

If you worry I'm exposing this to the world, don't worry too much. I find the value of having this information in a place I can find it outweighs the possibility someone will use this data to exploit me. There's much easier ways to do that, I think.

The first record shows a Google query for the term "dia", where the referer was a query for "fbi". The second record is a Firefox prefetch of the first record. The third record is a query for a .gif.


 1213383786.614    255 192.168.2.103 TCP_MISS/200 9263
 GET http://www.google.com/search?hl=en&client=firefox-a&rls=
com.ubuntu%3Aen-US%3Aofficial&hs=Hqt&q=dia&btnG=Search -
 DIRECT/64.233.169.103 text/html "http://www.google.com/search
?q=fbi&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:official&client=firefox-a"
 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20060601
 Firefox/2.0.0.14 (Ubuntu-edgy)"

 1213383786.704     76 192.168.2.103 TCP_MISS/200 2775
 GET http://www.google.com/pfetch/dchart?s=DIA - 
 DIRECT/64.233.169.147 image/gif
 "http://www.google.com/search?hl=en&client=firefox-a&rls=com.ubuntu%3A
 en-US%3Aofficial&hs=Hqt&q=dia&btnG=Search" "Mozilla/5.0 (X11; U; Linux
 i686; en-US; rv:1.8.1.14) Gecko/20060601 Firefox/2.0.0.14 (Ubuntu-edgy)"

 1213383786.717     81 192.168.2.103 TCP_MISS/200 1146
 GET http://www.google.com/images/blogsearch-onebox.gif -
 DIRECT/64.233.169.99 image/gif "http://www.google.com/search?hl=en
 &client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&hs=Hqt&q=dia&btnG=Search"
 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20060601
 Firefox/2.0.0.14 (Ubuntu-edgy)"

What if you're a security person who can't access Web logs, but you have a NSM sensor in the vicinity? You might use Bro to log this activity, but I found something last year that's much simpler by Jason Bittel: Httpry.


r200a# httpry -h
httpry version 0.1.3 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2008 Jason Bittel 
Usage: httpry [ -dhpq ] [ -i device ] [ -n count ] [ -o file ] [ -r file ]
              [ -s format ] [ -u user ] [ 'expression' ]

   -d           run as daemon
   -h           print this help information
   -i device    listen on this interface
   -n count     set number of HTTP packets to parse
   -o file      write output to a file
   -p           disable promiscuous mode
   -q           suppress non-critical output
   -r file      read packets from input file
   -s format    specify output format string
   -u user      set process owner
   expression   specify a bpf-style capture filter

Additional information can be found at:
   http://dumpsterventures.com/jason/httpry

In the following example I run Httpry against a trace of the traffic taken when I visited the site shown in the Squid logs earlier.


r200a# httpry -i bge0 -o /tmp/httprytest3.txt -q -u richard
 -s timestamp,source-ip,x-forwarded-for,direction,dest-ip,method,host,
 request-uri,user-agent,referer,status-code,http-version,reason-phrase
 -r /tmp/test3.pcap
r200a# cat /tmp/httprytest3.txt

# httpry version 0.1.3
# Fields: timestamp,source-ip,x-forwarded-for,direction,dest-ip,method,host,
request-uri,user-agent,referer,status-code,http-version,reason-phrase

06/13/2008 15:03:06     68.48.240.186   -       >       64.233.169.103  
GET     www.google.com  /search?hl=en&client=firefox-a&rls=com.ubuntu
%3Aen-US%3Aofficial&hs=Hqt&q=dia&btnG=Search      Mozilla/5.0
 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20060601 Firefox/2.0.0.14
 (Ubuntu-edgy)      http://www.google.com/search?q=fbi&ie=utf-8&
oe=utf-8&aq=t&rls=com.ubuntu:en-US:official&client=firefox-a       -       
 HTTP/1.0        -

06/13/2008 15:03:06     64.233.169.103  -       <       68.48.240.186  
 -       -       -       -       -       200     HTTP/1.0        OK

06/13/2008 15:03:06     68.48.240.186   192.168.2.103   >       64.233.169.147 
 GET     www.google.com  /pfetch/dchart?s=DIA    Mozilla/5.0
 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20060601 Firefox/2.0.0.14
 (Ubuntu-edgy)     http://www.google.com/search?hl=en&client=
firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&hs=Hqt&q=dia&btnG=Search -      
 HTTP/1.0        -

06/13/2008 15:03:06     68.48.240.186   192.168.2.103   >       64.233.169.99  
 GET     www.google.com  /images/blogsearch-onebox.gif   Mozilla/5.0
 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20060601 Firefox/2.0.0.14
 (Ubuntu-edgy)     http://www.google.com/search?hl=en&client=
firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&hs=Hqt&q=dia&btnG=Search -      
 HTTP/1.0        -

06/13/2008 15:03:06     64.233.169.147  -       <       68.48.240.186  
 -       -       -       -       -       200     HTTP/1.0        OK
06/13/2008 15:03:06     64.233.169.99   -       <       68.48.240.186  
 -       -       -       -       -       200     HTTP/1.0        OK

As you can see, the format here is request-reply, although the last four records are request,request,reply,reply.

Although I first tried Httpry straight from the source code, in this case I tested an upcoming FreeBSD port created by my friend WXS. If you give Httpry a try, let me know what you think and how you like to invoke it on the command line. I plan to daemonize it in production and run it against a live interface, not traces.

Technical glitch blamed in The Princeton Tower Club breach

Tue, 13 May 2008 05:20:10 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really? A technical glitch? These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again". We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person. It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)? I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant. I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business. The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off. Identity thieves are not all stupid. Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point. Have you ever thought of all the times you have given out your Social Security number? All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number. The same number used for identification and authentication. A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations. It seems like they just didn't know any better. It sometimes makes me nervous.

Past Breaches:
Unknown

Speaking of Security Podcast #103

Sun, 04 May 2008 20:00:00 +0000

EMC PowerPath Encryption with RSA

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today Host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Maestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.

The 103 Best Free Security Utilities

Wed, 16 Apr 2008 06:07:52 +0000

Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the ess...

Stolen Davita laptop with dialysis patient data at risk

Thu, 06 Mar 2008 12:50:24 +0000

Technorati Tag: Security Breach

Date Reported:
3/3/08

Organization:
Davita*

*"DaVita provides dialysis services for those diagnosed with chronic kidney failure, a condition also known as chronic kidney disease (CKD). We have over 1,300 outpatient dialysis facilities and acute units in over 800 hospitals. We are located in 42 states and the District of Columbia, serving approximately 103,000 patients." - Source: Davita "About Davita" page

Contractor/Consultant/Branch:
None

Victims:
Current and/or former patients

Number Affected:
Unknown

Types of Data:
Insurance filings for dialysis services, which includes "name, social security number, medical insurance coverage information, and/or other personal and health related information"

Breach Description:
A laptop containing sensitive personal information belonging to current and former patients of Davita has been stolen from a worker for the company. The laptop was password-protected, but did not employ encryption.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

March 3, 2008
New Hampshire Department of Consumer Affairs
Attn: Consumer Protection
33 Capitol Street
Concord, NH 03301
Dear Sir:
The purpose of this letter is to notify the New Hampshire Department of Consumer Affairs that OVA Renal
Healthcare, Inc. ("Company") recently discovered that it sustained a loss of personal information
[Evan] I copied this from the breach notification letter because there are some interesting points. I don't think there is a "New Hampshire Department of Consumer Affairs", per se. The New Hampshire Department of Justice handles these matters. Secondly, the letter starts out with "Dear Sir". The New Hampshire State Attorney General is Kelly A. Ayotte, a woman.

Dear ______________
On behalf of your dialysis provider, we are writing to inform you of a recent incident which may have resulted in the unauthorized acquisition of your personal information.

Recently, a teammate's laptop was stolen.

Although the laptop is password protected, the hard drive contains --along with numerous other non-related documents -documents involving insurance filings for dialysis services.
[Evan] #1, password protection is little more than no protection. #2, why do I care about the non-related documents?

The documents may contain your name, social security number, medical insurance coverage information, and/or other personal and health related information.

The theft was immediately reported to the proper legal authorities.

While law enforcement officials estimate that over two million laptops are stolen annually for resale, we suggest you take all necessary proactive steps to protect against the possibility of identity theft.
[Evan] In my opinion this is a statement meant to minimize the situation. Maybe there are over two million laptops stolen annually for resale, but if I were a victim, the only laptop I care about right now if the one that was just stolen from Davita that has my poorly protected information on it!

We take privacy very seriously, and sincerely apologize that information was compromised resulting from this theft.
[Evan] Anybody can say that they take privacy very seriously, but let's put our money where our mouth is and demonstrate this claim. Why was personal information on the laptop in the first place, and why wasn't the laptop encrypted?

While we remain hopeful that this theft was merely a petty crime looking for things of value, we felt that outreach to you was warranted.
[Evan] Hope only goes so far.

We are taking extra precautions to minimize the chance of this happening in the future.
[Evan] Like?

If you have any questions, please contact DaVita's Guest Services Customer Center at 1-866-987-7454.

Please note that you may be asked to provide the following reference code: TQO208.

Commentary:
Another lost or stolen laptop containing sensitive personal information that did not employ a minimum level of protection (in my opinion).

Do you think I am being too harsh in comments? Don't collect personal information unless you can provide a "reasonable" level of security assurance. Storing personal information on a laptop without encryption or other controls and relying on password protection is not "reasonable" to me.

Past Breaches:
Unknown

More CNET Sites Under IFRAME Attack

Thu, 06 Mar 2008 07:50:57 +0000

News is spreading fast, appropriate credit is given, but not as fast as the IFRAME campaign targeting several more CNET Networks' web properties besides ZDNet Asia, namely, TV.com, News.com and MySimon.com which I'll assess in this post. In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet's international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. And so, we have three more sites part of CNET Networks' portfolio, getting injected with more IFRAMEs, abusing their search engine's local caching, and storing of any keyword feature, in a combination with a loadable IFRAME.

What has changed for the past 24 hours, despite that the now over 51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at TV.com, News.com and MySimon.com, again pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec MediaTubeCodec.exe, hosted and distributed under two new domains.

Which sites are currently targeted?
ZDNet Asia - currently has 51,900 injected pages
TV.com - 49,600 locally hosted IFRAME injected pages
News.com - 167 locally hosted pages, injection is ongoing
MySimon.com - currently 4 pages, the campaign is ongoing

Which domains and IPs are behind the IFRAMEs?
do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21

Where's the malware?
It's there, you just have to triple check different IFRAME-ed search results and finally you'll get to install XP AntiVirus 2008 and a fake codec, the only two pieces of malware currently served. What's important to note is that this is the current state of the campaign, and with the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis are possible, and since they ensure you're served on the basis of where you're coming from, things can change pretty fast. These are all of the domains that follow after the IFRAME redirects for all the campaigns currently detected, and the detection rates for the malware from the last campaign :

hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)

MediaTubeCodec.com
Scanner results : 11% Scanner(4/36) found malware!
Time : 2008/03/06 16:38:39 (EET)
File Size : 85520 byte
MD5 : 25708e1168e0e5dae87851ec24c6e9f7
SHA1 : 33b502b13cab7a34bb959d363ae4b7afd23919a6
AVG - I-Worm/Nuwar.P
Fortinet - Suspicious
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan

Tries to connect to websoftcodecdriver.com; websoftcodecdriver2.com and 77.91.227.179, in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN - "Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer." and RogueAntiSpyware.AntiVirusPro - "RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent."

Spyshredderscanner.exe
Scanner results : 42% Scanner(15/36) found malware!
Time : 2008/03/06 17:02:23 (EET)
File Size : 33224 byte
MD5 : bc232dbd6b75cc020af1fcf7cee5f018
SHA1 : fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f
Detected as : Win32.FraudTool.SpyShredder; Downloader.MisleadApp

Again opening local port 1034 and tries to connect to 69.50.168.51, ATRIVO = RBN's well known netblock.

Who's behind it?
It's all a matter of perspective, if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN. However as I've once pointed out in respect to the New Media Malware Gang and its connection with the RBN and Storm Worm, for the time being it's unclear which one of these is the operational department if any, of the RBN is vertically integrating to provide more than the hosting infrastructure, and diversify to malware, or spyware installation on a revenue-sharing basis participating in an affiliate program.

This malicious campaign will continue to be monitored, particularly the RBN connection, and whether or not they will start targeting CNET's other sites.

Crude oil and gold at all time highs, US manufacturing at 5 year low, feel like buying some security?

Mon, 03 Mar 2008 08:11:29 +0000

Was looking around the news this morning trying to find something to blog about. At the same time listening to CNN drone on about the economy. Gold hit an all time hight today at $991 an ounce, crude oil at another high of $103.5, while the dollar tumbled and US manufacturing hit a 5 year low. Just not a pretty picture. My thoughts begin to wander to what effect our economy is going to have to have on the IT industry and security in particular. I have seen pundits on both sides of this question. Some say that in tough times business has to be more efficient so IT spending is likely to remain constant and may even increase. Others say that of course as budgets tighten, IT and security are going to take their share of hits. I tend to believe the second camp. Security budgets are always being squeezed even in good times, I can't help but think they will take a bigger hit in bad times. Unless you can really show a real ROI (and lets not get into the "is there an ROI with security" stuff) or there is a compliance gun to their head, I believe that companies will slash and burn their security budgets as things get tighter.

So what is the answer? Not sure, but maybe hedge your bets by devoting more to international sales on the chance that they will not be as effected as US based companies with this economies? What do you think?

Washington Ignores Cyberattack Threats, Putting Us All at Peril

Tue, 26 Feb 2008 01:00:00 +0000

S.O.S. When a massive freighter packed with a $103 million cargo tilts onto its side in the North Pacific, a team of deep-sea cowboys gets the call. Inside the epic struggle to save the Cougar Ace.

Malware Serving Online Casinos

Thu, 29 Nov 2007 13:37:13 +0000

Don't play poker on an infected table part two. The following three online casinos are currently serving embedded malware in the form of IFRAMES and the average javascript obfuscation.

The first one is poker.gagnantscasino.com (213.186.33.4) with current obfuscation loading statistics-gdf.cn/ad/index.php (116.0.103.133) where another obfuscation loads, deobfuscated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around with the host for too long results in zero malicious activity, at least they make you think so. Here's another internal URL statistics-gdf.cn/ad/index.php?com

Detection rate : Result: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb

Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.

The second casino is fabispalmscasino.com (82.165.121.138) with current obfuscation attempting to connect to the now down stat1count.net/strong, a host residing on a netblock I covered before showcasing a scammy ecosystem. The third one is sypercasino.com which was resolving to 203.117.111.102 early this week, and taking advantage of WebAttacker at sypercasino.com/biling/index.php. Now it resolves to 58.65.236.10 and promotes banner.casino.com/cgi-bin/SetupCasino.exe

Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851

It's interesting to monitor how people behind these manually change the obfuscations to further expand their connections with other scammers, or services and attack approaches they use, and even more interesting to see it happen on-the-fly just like meds247.org for instance.

Don't play poker on an infected table.

Are you attending RSA Europe 2007 ?

Sat, 13 Oct 2007 13:36:56 +0000

If you are attending RSA Europe 2007, please consider attending my presentation which is at 1:00 PM on Monday (which is the first day of the conference). The presentation is a part of the Professional Development track (PROF-103) and is titled:

Basics of the Quick Business Case:

How to Champion Your Next Information Security Initiative

The primary goal of the presentation is to help technologists, like myself, become better at influencing change and championing innovation in their organizations. That said, I also hope there is a lot of valuable information for executives, managers, and line of business stakeholders who can use these concepts to coach and prepare the individuals who are presenting innovative ideas to (or for) them. It is truly my hope that there is ’something for everyone’ in this presentation.

Here are more details from the conference site…

Session Abstract:

This session will focus on creating and presenting Quick Business Cases: brief, six-part presentations documenting particular opportunity for innovation and seeking organisational buy-in and support. The entire enterprise benefits from better communication about innovation, and this presentation’s goal is to better enable every participant’s abilities to champion it.

Detailed Description

Attendees will be presented with a set of ideas and tools focused around making them better Champions of innovation in their organizations. The presentation will begin by discussing why it is difficult to influence change and innovation, including a discussion of some of the specific problems Information Security and Risk Management professionals face. The presentation will then focus on how to construct a Quick Business Case, and how to use the Quick Business Case as a tool not just for communication but also to validate and refine the business case itself. The Quick Business Case itself is a six-part presentation that can be used as a tool to both overcome the “blank page” problem and quickly start documenting the innovation as well as structure the presentation to overcome common business communications challenges. In addition to the preparation of the document itself, we will also discuss strategies for using the Quick Business Case to develop a communications plan to validate your current ideas, learn more, and build consensus for the business case. The Quick Business Case is not intended to replace a full Business Case or Business Plan, but is a tool to document an opportunity and determine organizational interest. Of course for some initiatives or organizations, the Quick Business Case may prove sufficient for a final decision. A key goal of the presentation will be to make these techniques accessible to small teams, not requiring large budgets.

Cheers, Erik

Art of Information Security would love your feedback !

Are you attending RSA Europe 2007 ?