[SecurityRatty] tag: courses

Software testing best practices vary by context

Thu, 31 Jul 2008 11:27:13 +0000

Software testers who want to follow best practices should understand their own projects and unique situations first. Expert Karen N. Johnson explains why best practices are dependent on context and how testers can figure out their best courses of action.

Easy Google Income

Tue, 29 Jul 2008 13:58:49 +0000

Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of my friends:

Click to Enlarge

Is it a good thing or a bad thing that the office is based in the West Indies and to unsubscribe your email goes to Romania? At any rate, they don't seem to want my patronage - unfortunately, I'm not particularly interested in free iPods or a Nintendo Wii so a few clicks later and I'm where I should be:

Click to Enlarge

At the bottom of the page, it says "Google does not sponsor, endorse, and is no way affiliated with Easy Net Income or this promotion."

Well, they could have fooled me what with all the Google material they've splashed across the site. The quote in the box is interesting, too: "Riches range from a few hundred dollars a month to $50,000 or more a year".

Go hunting on USA Today though, and the quote doesn't have anything to do with something called "Easy Google Income" - it's to do with Adsense. Bits missing have been reinserted and bolded:

"Tales of AdSense riches range from a few hundred dollars a month to $50,000 or more a year, though high-dollar paydays are rare. They require a Web site with tons of traffic and the ability to put in 18-hour days working the system.

I think the missing parts are kind of important, don't you? Of course, the CD title clearly makes you think you're going to get some mysterious money magnet, but stops short of telling you whether it would be a program, ebook or magical leprechaun.

In fact, what happens is you apparently sign up for the CD at the cost of subscribing yourself to some kind of "free trial" - at the end of which, you have to pay $39.90 a month for access to training courses to "Internet Wealth University" (I swear I'm not making this up). There's also an "activation fee" charged immediately to the card you subscribe with, though I'm guessing you only enter your details once you've entered your name / address and moved onto the second page (which I'm not about to do, in case you were wondering).

Internet Wealth University must have an awful lot of poor students, going by the problems people are having unsubscribing.

"When you try to call the company, you get an automated answering system that tells you all representatives are busy and then puts you on hold-forever, or they disconnect you after 5 minutes!"

Indeed, there's quite a lot of people wondering what this is all about, including the inevitable concern over billing issues.

Our advice? Steer well clear. There is a lot of money up for grabs here, but it's all being netted by the people running these websites. Their customers don't appear to be so lucky...

Fundamentalism in Risk & Security

Tue, 08 Jul 2008 09:16:04 +0000

FEAR AND LOATHING IN DAYTON, OHIO

Had a great time Sunday with Rob Newby. We solved the world’s problems over deep fried whitefish and french fries (fish & chips to him). It was a very good time, even if my driving did make him a bit uneasy. If I may quote myself (said in an attempt to soothe Rob’s uneasyness about being lost in the car of a complete stranger in a strange country):

If your life doesn’t imitate the surreal aspects of a Douglas Adams book at least once a day, you’re just not living right.

Aside: Bruce Scheier already has too many awards and too much recognition, so go vote for Rob instead :) : http://robnewby.blogspot.com/2008/07/award-up-for-grabs.html

SEPARATION OF CHURCH AND (CURRENT) STATE

Rob and I spent some time discussing risk and security, and our conversation circled around the (now) recurring blogo-topic concerning the State of the Practice. It’s a favorite topic of mine, so I’ve been delighted that it has reappeared in blogodom.

Rob writes about it some here in PCI the Priest. LonerVamp’s and Richard Bejtlich’s blogs talk about Galileo, his confrontation with his church, and lessons we can learn from history (there’s nothing wrong with them recycling the meme, IMHO - because I, for one, never got closure the first time). Jon added a nice quote from Feynman today that’s also inline with the meme.

I’m not going to belabor the analogy, the “art vs. science” misnomer, nor discuss the problems with our various canon (PCI, ISO, CoBTI, COSO, blah, blah, blah). Rather I’d like to talk about some essential things I think our industry needs to “sort out” before it can move on towards a more scientific view of the world. And by “sort out” of course, I mean agree with me on

CAN’T WE ALL JUST GET ALONG?

1 - Can we agree that risk is a probability issue?
Now obviously, you can retreat in probability theory a century or so and claim that risk is a Knightian uncertainty and that we just can’t “know” it. Have fun. But you should know that there’s the catch - “security” is also a probability issue. So I’m betting that you can’t know “secure” for much of the same reasons Frank Knight would argue we can’t know “risky”.

But if risk (and security) is a probability issue, however, then we’re going to have to do better than “A’s in three college courses in statistics” to address the problem. We will have to do as Curphey (and others) suggest and bring elements of other disciplines to bear on our problem space. Let me suggest probability theory and economics as fine, fine places to start.

2 - Can we agree to stop measuring stupidly?
We have to agree that Ordinal Scales are not measurements, and Interval Scales are not useful measurements?

I had a post titled “More Ways To Confuse Your Auditor/Assessor” but it turned out to be a pretty cruel discussion about how we tend to try to act like our calculations based on ordinal or interval scales are useful (hint: insist that your auditor/assessor/consultant replace the label “one” with the label “zero”).

Note that if risk is a probability issue, then we’re going to have to throw out the concepts of measuring in any scale other than a ratio anyhow.

3 - Can we agree on a (good) taxonomy?
We’re going to have to do (much) better than ISO 27005 (nudge, nudge).

4 - Can we agree we need to do a better job with our data?
We’re going to have to do better with measurements, metrics, models and testing.

It’s a shame that honeypots tend to be under appreciated.

5 - Can we agree to test that data and share it with each other?
We may not need to share specific data, but we will need to share when a model falls down.

I’d like to be as idealistic as some of my fellow ‘New Schoolers’ and suggest we’ll someday all be sharing data together, but I’m skeptical. But that doesn’t mean we can’t demonstrate where results from the models we use are not repeatable, consistent or logical. One thing Rob and I talked about at length yesterday was the ability to disprove a model using realistic but “substitute” or sanitized data. There’s gonna be a TON of work to be done here, and that work will take not years but careers. Which begs a great question:

Is it the sharing of data that we need, or the sharing of models?

HELP ME OUT, HERE
That’s my list of 5 fundamental concepts I wish we could move past. Let me ask you - what else am I missing? What’s it going to take to get past our current malaise? How does the New School reach critical mass? Who is going to help us agree in a centralized manner?

Your comments or own blog posts are most welcome (please include a trackback or post here)

Even the Rich and Famous pay the price for being Dishonest and Unethical

Sun, 29 Jun 2008 12:05:00 +0000

All of our courses - in the U.S. and over seas, begin with the same message - ETHICS is the keystone of our profession and our success. It's a shame that famed litigator - Richard "Dickie" Scruggs forgot that lesson.

In yesterday's Washington Post, the headline reads; "Famed Litigator Gets 5-Year Term for Conspiracy to bribe Judge". For those who are not familiar with him, Scruggs became one of the wealthiest and most famous lawyers in the country by taking on tobacco, insurance and asbestos companies.

What did he do? Well, for starters (and what they were able to prove), he attempted to bribe Lafayette County Circuit Court Judge Henry Lackey by offering him $50,000.00. U.S. District Judge Neal Biggers Jr., called Scruggs' conduct "reprehensible" and told him that he picked the wrong Judge to bribe. In addition to the 5 year jail term, he was fined $250,000.00 and lost his law license.

You really got to love it when Justice is rightfully served. Unfortunately, it makes me wonder how many more sleazy lawyers around the country and unethical Judges are not getting reported and prosecuted. It is a little too hard to believe that Scruggs is the only dirt-bag in the legal profession. We welcome the message it sends out; "nobody is above the law".

Like most, if not all common criminals, Richerd Scruggs became greedy. In 1990, Scruggs became famous for suing tobacco companies and winning lawsuits that resulted in a $206 BILLION dollar settlement. If his take of that was just 10%, he walked away with a cool $20.6 Billion dollars. A film was even made about the case - "The Insider" starred Al Pacino and Russell Crowe.

A decade later he is trying to bribe a Judge with $50,000? I would say it was a combination of greed and power going to his head. Maybe that is why the "Post" reported that he nearly fainted and swayed from side to side when the Judge scolded him. He had to sit down before the sentence was read out. He must have believed that he was untouchable.

It's just a shame that he wasn't touched with a heavier sentence. A twenty year sentence would have sent out an even more powerful message. Still and all, the idea of wearing a prison jumpsuit and eating balogna sandwiches is probably like a life sentence to someone who believed themselves to be above the law.

The article claims that many high profile friends petitioned Judge Biggers for leniency when sentencing Scruggs. He's lucky I am not the warden at his jail. I think he would be a perfect candidate for the toilet cleaning squad.

Contributing to the Official CISSP Courseware

Sun, 15 Jun 2008 14:53:16 +0000

I promised a while ago to let you all in on some of the various projects I’ve been working on over the past few months. One I haven’t shared with you yet is my participation in contributing as a SME to the official (ISC)2 courseware for CISSP certification.

It’s a huge undertaking with 10 domains chock full of every security topic you can imagine, 20 contributing SMEs from all over the worls, a handful of editors and 1 man to bring it all together. Our team leader, Dean Bushmiller has been the Project Manager for both versions 8 and 9 of the CISSP courseware and does an amazing job.

Each of the SMEs and editors have put a lot of thought and time into the materials, in an effort to create the best and most relevant content, topic arrangement and flow possible. You’ve seen how big these books are- that’s a lotta’ stuff to pull together and I admire the group, especially the domain wranglers and Dean, for keeping it all on track.

It’s a strange and exciting project. I can’t say it’s completely foreign to me, many years ago I created content for advanced Microsoft Office courses and developed official Computer Competency Training for K-12s for use in schools here. However, a project with this much mass is definitely unique.

So, that’s another little project I’ve been working on for the past several months… and will be continuing for several more. On those occasions I drop off the face of Blog World, it’s sometimes because I’m using every free moment to try and keep up with these types of projects and deadlines.

# # #

University of South Carolina Moore School of Business breach

Mon, 09 Jun 2008 09:38:01 +0000

Technorati Tag: Security Breach

Date Reported:
6/9/08

Organization:
University of South Carolina

Contractor/Consultant/Branch:
Moore School of Business

Victims:
"faculty, staff and students"

Number Affected:
~7,000

Types of Data:
"some personally identifiable data"

Breach Description:
"The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school."

Reference URL:
The State

Report Credit:
The State

Response:
From the online source cited above:

The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school.

Monday evening, May 26th, 2008 computer hardware containing data files was stolen from the Dean’s Office

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer,"
[Evan] I am semi-sure that a business case could be made to allow Dr. Scott access to confidential information, but there should be NO business case allowing for the storage of this information on the desktop computer he uses. I also doubt that he needs access to Social Security numbers.

"As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."

There is a possibility that some personal information such as social security numbers, annual pay, and term of service at the University may have been compromised.

As soon as the unauthorized access was discovered (May 27, 2008), USC initiated its incident handling procedures, which includes notification of affected individuals.
[Evan] I am glad to read that USC has incident handling procedures. Many organizations do not.

university officials have no evidence anyone's personal information was accessed
[Evan] It's probably too soon for evidence.

"We feel the responsible thing for us to do is to notify those persons whose data was contained in the computer, and advise them of the fact, and share with them some useful steps they may want to take for additional protection,"

the university is notifying about 130 faculty and staff at the Moore School, and just under 7,000 students who took business courses in the last academic year

the university’s Division of Law Enforcement and Safety and Office of Information Technology are investigating the matter

The Moore School of Business has taken precautions to minimize future security risks.
[Evan] Like what? Anybody can make a statement like this. People should be provided with some details. Details that don't give away too much, but enough to instill confidence. This statement means little to me.

Deputy Dean Koerwer circulated a letter to students dated June 6 that suggested some steps they might take to protect themselves from identity theft.

Guidance regarding the burglary, including answers to frequently asked questions that we anticipate on identity protection, identity theft, and precautionary measures is available at the University’s website: www.sc.edu/identity/index.shtml

We deeply regret any inconvenience or concern that this incident may cause. We assure you that the University, along with the Dean’s Office, is working diligently to prevent this type of incident from recurring.

Please know that the university faculty and staff are committed to protecting all personal information.

Commentary:
This is a physical, administrative and potentially logical information security breach. There is no information provided about what physical controls were present to prevent an intruder from stealing the desktop computer, so it is difficult to comment. There is little information provided around the administrative controls in place, but we can imply some things. Due to the fact that the school did not state that the storage of confidential information on client computers is prohibited, maybe we can assume that it is permitted. There was no mention of encryption, so I question whether or not this is a logical control that may have been lacking.

Information security is a holistic discipline and the controls I mention above are a very, very small part of the big picture.

Past Breaches:
September, 2007 - University of South Carolina Mistake Leads to Breach of 3,199 Records

SANS Contributes To IMPACT

Wed, 21 May 2008 19:02:31 +0000

SANS is ponying up coin for the “International Multi…” well, short form is IMPACT. It’s an interenational group for fighting ~~cyber~~ computer crime, terrorism and things that go bump in the night.

From GCN:

The SANS Institute has announced a $1 million contribution to the International Multilateral Partnership Against Cyber-Terrorism (IMPACT) and started sharing technical information with the organization.

The two groups plan to expand developing countries’ online security resources, they said yesterday in an announcement issued at the IMPACT World Cyber Security Summit in Kuala Lumpur, Malaysia.

IMPACT and SANS plan to start by launching the Improved Cyber Defenses Though Cybersecurity Training and Skills Development activity. That project will conduct hands-on courses in core cybersecurity activities such as forensics, intrusion detection and penetration testing, they said.

The training project is aimed at providing world-class training to cybersecurity specialists working in every country, regardless of income level.

The joint project will emphasize building strong cyberdefenses, increasing cybersecurity training, promoting secure application development, and improving early-warning systems and the distribution of systems security news.

“Everyone on the Internet is connected. Weak security anywhere puts all other users at risk,” said SANS founder Alan Paller. “By investing in improving cyberdefenses and more secure application programming in the developing world, we hope we are helping to improve cybersecurity everywhere.”

Deducting 10 points for cyberdouchery overuse of “cyber”.

Article Link

Stokes County Schools laptop missing after Spring Break

Mon, 21 Apr 2008 09:13:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/14/08

Organization:
Stokes County Schools

Contractor/Consultant/Branch:
West Stokes High School
South Stokes High School
North Stokes High School

Victims:
Students

Number Affected:
400 - 800

Types of Data:
"names, test scores and Social Security numbers"

Breach Description:
"STOKES COUNTY, N.C. -- A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said."

Reference URL:
WXII Channel 12

Report Credit:
WXII Channel 12 News

Response:
From the online source cited above:

STOKES COUNTY, N.C. -- A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said.
[Evan] This is the third breach affecting secondary schools in April alone. The others were 'Breach affects "every student enrolled at Joliet West High School"' and 'Students breach Williamsville Central School District security'.

The school system sent home a letter to parents last week notifying them of the theft, which affected between 400 to 800 students at West, South and North Stokes high schools.

"Wednesday after we returned from our spring break, a teacher notified us that she had misplaced (the) laptop computer," said school system superintendent Dr. Stewart Hobbs.
[Evan] This is one of the reasons why laptop computers required extra care and control.

The computer was used for scoring exams in the career and technical courses, the school system said.
[Evan] What I don't fully understand is why Social Security numbers are necessary to score exams?

And though the computer contained personal information, Hobbs said he doesn't think the information can be accessed.

"All information stored on the computer is protected by two separate security systems, each of which requires a password," the letter stated.
[Evan] Two "separate security systems"? What does this mean? I assume that one "security system" is the Windows logon password, but what is the other?

"Any time any type of computer, especially if it has student information that's missing, this is of importance to us," Hobbs said.

Commentary:
The facts surrounding this breach are scarce. It seems as though the school uses Social Security numbers as student identifiers as opposed to self-generated IDs. If true, then this is a poor choice. We could speculate on other matters such as laptop encryption, physical security, and other information security issues, but it would only be speculation. The point of the matter is that we have another unnecessary exposure of personal information.

Past Breaches:
Unknown

Stolen personal laptop may have Memorial University student info

Tue, 05 Feb 2008 11:57:10 +0000

Technorati Tag: Security Breach

Date Reported:
2/5/08

Organization:
Memorial University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
150

Types of Data:
"private information"

Breach Description:
A personal laptop computer was stolen from the home of a Memorial University professor while he was out of town that may have contained sensitive personal information belonging to students of the school.

Reference URL:
Memorial University new release
Canadian Press story

Report Credit:
Memorial University

Response:
From the online sources cited above:

Email Message from Newsline:
As you may know from a MUN Today article, a laptop stolen from a Memorial professor's home may have led to a breach of private information.

The professor, on returning home from an out of province trip on Jan. 18, discovered that his home had been burglarized and a laptop stolen.

The laptop was stolen sometime between Jan. 15-18, 2008.

the laptop computer may have contained students' personal information

Mr. Burns used the personally-owned laptop occasionally for university-related purposes and reports that it may have contained class lists from: Business 1000, Section 2 and Section 4, which were taught in the fall 2006 semester; and Business 7302 which was taught in the fall 2007 semester.
[Evan] A personally-owned laptop? It is good information security practice to prohibit the use of personal computers to access business information resources. This is a unnecessary and often unacceptable risk.

While Mr. Burns could not confirm that the information from those courses was actually on the stolen laptop, the university has decided to contact all 150 students who may have been affected to advise them of the possible breach.

As a result of this possible breach of students' personal information and as the privacy officer for Memorial, I want to remind all faculty and staff that they must secure all personal information (of students, employees, alumni, donors, research subjects and others) against unauthorized access.
[Evan] OK, how?

we are reminding all faculty and staff at the university, and anyone who teaches at the university and who may handle private information, to use password protection and/or data encryption on all laptops and removable media devices
[Evan] "and/or" encryption?! No, no, no. Information security policy must be cut-and-dry whenever possible. Remove the "/or" and you may have something.

“If you are not sure how to set a password for your laptop or other storage device, consult an IT support person who can assist you. As well, ask about data encryption to further secure personal information.”
[Evan] "If you are not sure" (meaning users) then you need training! It is our job as information security personnel to train the users and communicate with them regularly (awareness) about what is expected of them. This comment is way too wishy-washy for me.

Since last spring, Memorial's Information Access and Privacy Protection (IAPP) office has been developing a privacy strategy and privacy compliance tools for the university, with the assistance of a privacy consultant.

The report, together with findings and recommendations, compliance tools, and draft policy and procedures, are available on the IAPP website www.mun.ca/iapp.

Finalizing policy, procedures and planning for implementation of most of the recommendations is now under way.

We remain confident that the information that may have been exposed by this theft was minimal and cannot lead to further problems for the students affected

Commentary:
Poor practice that contributes to a increased risk involved in this breach:

#1 - DO NOT allow the use of personal computers (or equipment). Personal computers are typically not tested, not built with standard OS images, and lack the security controls in place on organization-owned equipment.

#2 - AVOID "and/or" statements wherever possible in security directives. "And/or" implies ambiguity, where security needs certainty.

#3 - DO NOT expect users to seek out security best practices. Security needs to be brought to them through regular training and awareness.

Past Breaches:
Unknown

The Amazing Alpine Golf Club, Bangkok - Thank You Starwood!

Mon, 28 Jan 2008 09:15:08 +0000

Wow! Sometimes we are reminded why they say “Amazing Thailand!”

Today I was a guest of Starwood Hotels and Resorts to play in a special Starwood golf event at the Alpine Golf and Sports Club just outside of Bangkok. Thank you Starwood and the General Manager of the Royal Orchid Sheraton, Mr. Charles Jack, who was very kind to invite me as his guest.

This is one of the finest golf courses in Thailand (and Thailand has many fine golf course!)

The Starwood folks were fantastic! Everyone was amazing. Some holes had professional golfers offering tips to help my game. Other holes had delicious Chinese and Thai food. One hole had supurb freezing cold champagne waiting to refresh us from the hot Thai sun!!

The Alpine Golf Course was really challenging, so the champagne was needed as much as appreciated. There was large water hazards on almost every hole; and some of the holes had so many large bunkers I thought I was on the beach! You could not miss a shot, because it you did, it was either in the water, the sand, on rolling hills covered with green trees - and believe me, that where I played most of the day!!

Everything was great, an amazing experience with a touch of class you can only find in Thailand, plus the added luxury of being the guest of Starwood, which is a also an unbelievable class act as well.

Being a loyal Starwood customer has great privileges, not to mention some of the finest hotel and resort properties in the world, so please, take my advice and become a Starwood member if you are not already.

By the way, I am currently staying at another exceptional Starwood property, the Plaza Athenee Le Meridian. This is a fantastic property. I highly recommend you stay at the Plaza Athenee Le Meridian if you are in Bangkok for business or leisure.

Also, when the current renovation is complete, the Royal Orchid Sheraton, where I often spends weeks at a time, is also highly recommended if you enjoy life on the busy Chao Phraya River.