
USB AES Crypto System Cracked

The companies SanDisk and Kingston offer encrypted USB Flash Drives which have been certified by NIST according to the FIPS standard in order to be used by the American army forces and government. Members of staff of the SySS GmbH have managed to bypass the entire protection of the USB sticks. Independent from the password in use, respective encrypted data can be reconstructed within seconds. Read our publications: Paper SanDisk, Paper Kingston

via www.syss.de

I’ve been a fan of encrypted USB thumb drives for some time. I’ll go out on a limb here and say that I have carried one around with me for a couple of years. In the linked article, SySS, a German security analysis firm, made this announcement in a white paper published in December 2009.

With the ubiquitous presence of USB thumb drives (you can get them at the grocery store checkout stand, for crying out loud) and the enormous capacity of these drives, people are carrying around massive amounts of data on them. Most of the data floating around is about Aunt Sally’s 4th of July picnic pictures, but in fact these drives represent a real security risk to the enterprise.

It wasn’t that long ago that the capacity of entire corporate networks amounted to less than the capacities generally available on these ultra-portable devices. Not to mention, how many of you are carrying or transporting your personal information around on these things? Social Security Numbers? Driver’s License Numbers? Credit Card Information? How about your Quicken files?

What happens if these drives are lost or stolen?

Several manufacturers recognize these risks and have designed hardware-encrypted USB drives. In a nutshell, these drives take the information you put on them and, using dedicated hardware, encrypt the information with a secure data protection algorithm.

This algorithm, AES (Advanced Encryption Standard), is the encryption standard adopted by Uncle Sam to secure information used by the Federal Government. Properly deployed, it means anybody using USB drives that employ this standard can rest assured that their private information stays private.

You’d think you’d be safe, and I won’t get into the technical details, because it is really subtle. But there are some manufacturers of these secure USB drives that improperly employ the standard, and consequently make these devices subject to cracking. The attacker doesn’t even have to KNOW YOUR PASSWORD; talk about a false sense of security. The list of manufacturers can be found in the attached link, and in all fairness, they have been notified and a patch has been published to resolve the vulnerability.

That said, I’m not big on product endorsements, but IRONKEY bears a mention here. I’ve used IRONKEY secure USB drives for a while, and they were never a vector for the vulnerability mentioned. They employ a rock-solid hardware/software combination to secure the data on these devices. You can find these secured USB drives at www.ironkey.com.

So you thought your data was secure?

Hmmmm…

Project Planning Requires Simplicity, Not Volumes of Standards

I'm surprised at how complicated the subject of project planning has become. I have served on the board of directors of a couple of non-profit organizations, and as the CIO of a small publicly traded company.

It’s surprising to me, though, how many organizations either can’t or don’t think in those terms. Project management is seen as either too complex, or out of reach for some organizations.

From my experience, simplicity is a key factor in planning and communicating projects.

I believe anyone would agree that in terms of process maturity, just beginning the act of planning, and thinking in terms of some things must be done before others, takes a project from being ad-hoc to almost achievable.

So, for me, I boil project management down to a few very simple things:

  • Before you do ANYTHING else, decide where you want to go, and clarify the goal with all of the project stakeholders. The cliché “when you don’t know where you’re going, any road will get you there” is true in both life and managing projects.
  • Once you’ve identified the goal in terms of where you want to go, start listing out what the result looks like when you’re finished. I break requirements gathering into very simple-to-understand pieces of information. I also don’t use the term “requirements”; I use something more approachable like a “Needs List.” Each need (requirement) has 5 attributes:

a. For each requirement use some type of unique identifier. I use numbered lists, but they could be anything simple and unique.

b. Describe the need (requirement) in 4th grade English. It’s easy to have an academic understand the requirement. But when you can describe the need so that your 4th grade daughter or son can understand it, then chances are YOU understand the requirement. Don’t be overly legalistic here; if the need appears to be too ambiguous then you should strive for further decomposition of the need into more chunks until you have a good simple explanation of a single requirement in a sentence or two.

c. Describe what the need looks like if it’s successfully filled; oddly enough, it’s the success criteria for the need being completed. Again, I don’t make it more complicated than it needs to be. The law of parsimony definitely applies here.

d. Then describe in as simple terms as possible how to check whether the success criteria have been met. This then becomes the basic test of completing the requirement.

e. Finally, any additional comments.

So, a good requirement (IMHO) might look something like:

    – Need #1
    – Description: All information must be usable on multiple computers.
    – Success Criteria: Information can be transported to a different computer and used by the same application.
    – How to check the success criteria: With the same application on two different computers, use the information from a portable drive on a different computer than the computer that first saved the information.
    – Comments: The removable drive does not need to be a USB thumb drive; it can be any number of removable storage devices, as long as it is reasonably portable.

  • Once I’ve created a needs list, then I create a list of risks that might derail the project; again, simple is better. Risk management and mitigation can get complicated quickly, but just getting people to think about risk to a project is a big step toward a successful project. A simple risk list relates back to the project’s goals and needs. So a simple risk list has 5 attributes:

a. The risk list starts with, again, a unique identification of the risk itself. Like the needs list, I use a numbered list.

b. No risk is arbitrary, and every risk should relate either to a clarifying component of the project goal, or one of its needs. So, identify the relationship here as a reference to the number of the need item, or if I have a numbered list for a clarifying component of the goal, I list it here.

c. I then describe the risk in a simple sentence or two, in simple English.

d. Then I rate the impact on the project as either high, medium, or low.

e. Finally, describe in a single sentence or two in simple English the current plan to mitigate the risk.

A good risk item (IMHO) might look something like:

    – Risk #1
    – Relating to: Need #1
    – Description: Drives used in the application may fail during transportation between workstations.
    – Impact to project: High
    – Current Mitigation: Ensure that storage devices used for the application are hardened to withstand severe environments with a failure time of no less than 50,000 hours of use.

  • Finally, using the information from one, two and three above, put together a simple schedule of high-level milestones for the project; simpler, here, is always better. I typically start out with no more than between 6 and 10 milestones, depending on the project, and refine the schedule from there.

From these four basic elements, in very simple terms, look what has been accomplished:

  • A project goal statement has been created
  • Objectives in the form of clarifying statements to the goal have been defined
  • A list of requirements has been created
  • A remedial test plan has been created through the use of success criteria and criteria checks
  • A simple risk management plan has been created through identifying and quantifying the risks
  • A risk mitigation plan has been created through mitigation identification.

The project management purists would criticize the simplistic approach to project planning I’ve listed here, but keep in mind that not all projects need a PMP and complicated earned value analysis.

“It's not the plan that is important, it's the planning.” –Dr Graeme Edwards


NSA’s Domestic Spying Grows As Agency Sweeps Up Data – WSJ.com

Quoted from http://online.wsj.com/article/SB120511973377523845.html?mod=hps_us_whats_news:


From the “The price of freedom is eternal vigilance” department comes this article from the front page of today’s Wall Street Journal. This is interesting for me on a number of levels; not only am I responsible for the management of my company’s information assets, I also have a master’s degree in information assurance. I find this truly disturbing. The fourth amendment of the constitution prevents the illegal search and seizure of our property, but in the interest of “national security” the NSA seems to find this notion… inconvenient. Now, honestly, this isn’t anything that hasn’t been happening since before the days when J. Edgar ran the FBI, but this move of “openness”? The NSA effectively states “yeah, we’re monitoring you, and you should probably be careful.” Interesting… I could rave on about this being a fascist plot to oppress the populace by “the man,” but they’re probably already monitoring this blog.

Ten Things Your IT Department Won’t Tell You – WSJ.com

Link: Ten Things Your IT Department Won’t Tell You – WSJ.com.

OK, so my network manager sent this link to me yesterday as he was perusing the internet for some research I have him doing on locking down user profiles.

Now, honestly, I don’t consider myself to be the IT Nazi, I really don’t. I have always contended that my role in an organization is to protect the company’s information assets from attack and compromise. But it always, and I mean always, seems to be at odds with the general user community.

We in IT are always in a precarious position, between protecting the systems, information, and infrastructure that IS the lifeblood of our organizations, and the seemingly endless cry from the general community that we are inhibiting their productivity and contributing to the malaise of the workplace.

What sort of raises my blood pressure about this article isn’t that it’s a how-to on circumventing the measures we’ve put in place (the perimeter of an organization is porous, always has been, always will be, whether or not it involves technology). What raises my blood pressure over this article is the general cavalier tone the article takes. Here’s a way to get around "the man," Vara claims, and it’s not really that difficult.

Well maybe not, and there are always exceptions, but the security measures we put in place are in place to protect the organization (from which you draw your paycheck) and you (from yourself, quite frankly). And if everything is consistent, it levels the playing field, and makes anomalies easier to find.

So here we go again, round two of the great debate of IT…

Social Networking Extravaganza!

For the last couple of months I’ve been working on my general internet presence, looking into how organizations and individuals can create an effective marketing and internet presence using the technologies that have been popularized in the media over the last couple of years.

This entry isn’t really going to present any new information, but I wanted to understand, first hand, what this is all about, and since you simply can’t read a book about it, I dove in and started doing this on my own.

I’ve used sites like LinkedIn for a while; it’s an easy place to be very specific about my business contacts. I’ve also played around with MySpace, and more recently Facebook. What I found in a really short time is that just in the last several weeks, I can start to see the sites I’ve created take on a life of their own.

The real intent of this exercise was to find out how to apply these technologies to specifically non-profits on how they can create a more effective marketing campaign, and connect with their constituents. I have a lot of material, found out a lot about what’s going on, and I’m beginning to understand the impact this can have on the organizations connecting to people.

With sites that focus on interests ranging from photos, to blogs, to music, to business contacts, social networking isn’t about Facebook and MySpace any longer. Aggregating these sites together to create a composite of interests can include event photos on Flickr, event music playlists on iTunes or Virb, websites using del.icio.us, and live updates using Twitter or Pownce. Organizations can even create encyclopedia articles using Wikipedia.

All of this together can be used to create a powerful marketing tool for those organizations who know how to use them, aggregate the information together, and market that to the internet. A couple of important points to remember for organizations wanting to use the Web 2.0 are:

1. It’s highly important to use a consistent look and feel; organizations have spent a great deal of energy creating their "brand," and it’s important to carry that forward in an internet presence. In my own efforts I’ve started using the same picture thumbnail on every site (it’s not a picture I particularly like, but it’s something I had on hand).

2. Understand the strength of each of the technologies and how to apply them, e.g. Flickr is great for sharing photos, but not for blog entries or editorials, and you wouldn’t use LinkedIn in the same way you’d use Facebook.

3. The real power behind this is not only the separate nature of each of the sites, Facebook being different than MySpace which is different than Pownce, but rather that organizations create mechanisms for aggregating these sites together to create a uniform presence, with a single static site acting as a “hub” to all other services; this is called a mashup. It works very much the same way that MySpace and Facebook use “widgets” and RSS to aggregate content from other sites.

This, IMHO, is both a good and bad thing from several perspectives; first, it’s become incredibly easy, with just a little bit of savvy, to create an entire internet presence complete with contacts, networks, and so forth. That said, with Google and other search engines in the mix, this internet presence becomes the encyclopedia galactica for your life; all of a sudden it’s not as difficult as it used to be to find you hidden in the background of a flag-burning photo from college. You 20-somethings and 30-somethings, take note; the internet has a VERY long memory.

I’ll be continuing this as a project over the next several months, but in the meantime, here’s a list of my places on the information superhighway:

Connect with me on LinkedIn
My Facebook Page
MySpace Page
My Flickr Photos

Ross’ Tumblr Page
My links on del.icio.us
Follow me on Twitter
Follow me on Pownce
Follow me on Jaiku
This is the software I use posted at Wakoopa
Connect with me on Xing

My Playlists on Virb
Google me

The Two Biggest Lies Told During an Audit…

My wife (an accountant) and I were having a discussion on the way to my dropping her off at her office this morning, and the whole thing struck enough of a chord with me that I thought I'd share my insights with you on the subject (imagine that).

She and her office had just completed a year end audit from their internal audit department, and I'm about to go through the same thing shortly with my yearly GCC (General Computing Compliance) audit.

Apparently the auditor assigned to their case was more concerned about tactics than strategies in performing their audit.

It's been my experience especially in assessment and audit situations, that the demeanor and background of the folks responsible for audit oversight are every bit as important as the organization and processes being scrutinized during the audit itself.

I've found that the worst personality type to have in audit oversight is a highly structured and detail-oriented individual, someone with the background of requiring compliance in strict accordance with the letter of the law (or internal procedure, as the case may be).

The problem with this approach is that, like most things in life, though rules may be interpreted as binary (0 or 1, black or white), life is not binary, and mostly consists of a continuum with everything being shades along the continuum.

Such is the case with the assessment or auditing process. The type of auditor, in my belief, that makes the best of these types of situations is someone with the heart of a teacher: an individual that understands the strategies involved with the process under assessment, understands that situations are different for different cases, and subsequently adjusts to meet the spirit or intent of the process, not the letter of it.

I'm not advocating being sloppy about assessment processes; I'm suggesting that life requires balance. And understanding the spirit of the process and measuring against the objective evidence for assessment is every bit as important as the assessment itself.

I would rather have an organization seek to understand WHY things are measured a particular way, so they can do a better job at improving the QUALITY of the process, than worrying about HOW a particular instrument was implemented to collect data for producing an assessment artifact.

In my own experience I've run across several auditors, but three of them specifically come to mind, and my experience with all three has been if not enjoyable, then at the very least educational. These are all people with the heart of a teacher, professionals interested in seeing organizations succeed during the assessment process, while not allowing for sloppy process failures. They come from different organizations and disciplines but all share the same spirit of education.

I've worked with Mary Sakary and Neil Potter from The Process Group for several years in improving the processes on our software development systems, using the CMMI as a model for systems and software process improvement.

Without this spirit of education, auditors can get caught up in HOW data are collected and lose sight of the nature of the control and the risk the process is intended to mitigate. This "tactical" approach can lead to crushing rigidity in organizations where strict adherence to the law actually causes processes to fail.

So as a note, remember WHY you're assessing a process, understand the risks and measures needed to mitigate the risks, instead of getting wrapped around the axle about HOW the data are collected.

So what are the two biggest lies told during an audit?

1. "We're here to help."

2. "We're sorry to see you leave."