
USB AES Crypto System Cracked

The companies SanDisk and Kingston offer encrypted USB flash drives which have been certified by NIST according to the FIPS standard in order to be used by the American armed forces and government. Members of staff of the SySS GmbH have managed to bypass the entire protection of the USB sticks. Independent of the password in use, the respective encrypted data can be reconstructed within seconds. Read our publications: Paper SanDisk, Paper Kingston

via www.syss.de

I’ve been a fan of encrypted USB thumb drives for some time. I’ll go out on a limb here and say that I have carried one around with me for a couple of years. In the associated article, SySS, a German security analysis firm, made this announcement in a white paper published in December 2009.

With the ubiquitous presence of USB thumb drives (you can get them at the grocery store checkout stand, for crying out loud) and the enormous capacity of these drives, people are carrying around massive amounts of data on them. Most of the data floating around is about Aunt Sally’s 4th of July picnic pictures, but in fact these drives represent a real security risk to the enterprise.

It wasn’t that long ago that the capacity of entire corporate networks amounted to less than the capacities generally available on these ultra-portable devices. Not to mention, how many of you are carrying or transporting your personal information around on these things? Social Security Numbers? Driver’s License Numbers? Credit Card Information? How about your Quicken files?

What happens if these drives are lost or stolen?

Several manufacturers recognize these risks and have designed hardware-encrypted USB drives. In a nutshell, these drives take the information you put on them and, using dedicated hardware, encrypt it with a secure data protection algorithm.

This algorithm, AES (Advanced Encryption Standard), is the encryption standard adopted by Uncle Sam to secure information used by the Federal Government. Properly deployed, anybody using USB drives employing this standard can rest assured that their private information is private.

You’d think you’d be safe, and I won’t get into the technical details, because they are really subtle. But there are some manufacturers of these secure USB drives that improperly employ the standard, and subsequently make these devices subject to cracking. The attacker doesn’t even have to KNOW YOUR PASSWORD; talk about a false sense of security. The list of manufacturers can be found in the attached link, and in all fairness, they have been notified and a patch has been published to resolve the vulnerability.
That said, I’m not big on product endorsements, but IRONKEY bears a mention here. I’ve used IRONKEY secure USB drives for a while, and they were never a vector for the vulnerability mentioned. They employ a rock solid hardware/software combination to secure the data on these devices. You can find these secured USB drives at www.ironkey.com.

So you thought your data was secure?

Hmmmm…

Project Planning Requires Simplicity, Not Volumes of Standards

I'm surprised at how complicated the subject of project planning has become. I have served on the board of directors of a couple of non-profit organizations, and as the CIO of a small publicly traded company.

It’s surprising to me, though, how many organizations either can’t or don’t think in terms of planning at all. Project management is seen as either too complex or out of reach for some organizations.

From my experience, simplicity is a key factor in planning and communicating projects.

I believe anyone would agree that, in terms of process maturity, just beginning the act of planning, and thinking in terms of some things having to be done before others, takes a project from ad hoc to almost achievable.

So, for me, I boil project management down to a few very simple things:


  • Before you do ANYTHING else, decide where you want to go, and clarify the goal with all of the project stakeholders. The cliché “when you don’t know where you’re going, any road will get you there” is true in both life and managing projects.
  • Once you’ve identified the goal in terms of where you want to go, start listing out what the goal looks like when you’re finished. I break requirements gathering into very simple-to-understand pieces of information. I also don’t use the term “requirements”; I use something more approachable like a “Needs List.” Each need (requirement) has 5 attributes:

    a. For each requirement, use some type of unique identifier. I use numbered lists, but they could be anything simple and unique.
    b. Describe the need (requirement) in 4th grade English. It’s easy to have an academic understand the requirement, but when you can describe the need so that your 4th grade daughter or son can understand it, then chances are YOU understand the requirement. Don’t be overly legalistic here; if the need appears to be too ambiguous, then you should strive to decompose the need into more chunks until you have a good, simple explanation of a single requirement in a sentence or two.
    c. Describe what the need looks like if it’s successfully filled; oddly enough, this is the success criteria for the need being completed. Again, I don’t make it more complicated than it needs to be. The law of parsimony definitely applies here.
    d. Then describe, in as simple terms as possible, how to check whether the success criteria have been met. This then becomes the basic test of completing the requirement.
    e. Finally, any additional comments.

So, a good requirement (IMHO) might look something like:

    – Need #1
    – Description: All information must be usable on multiple computers.
    – Success Criteria: Information can be transported to a different computer and used by the same application.
    – How to check the success criteria: With the same application on two different computers, use the information from a portable drive on a different computer than the computer that first saved the information.
    – Comments: The removable drive does not need to be a USB thumb drive; it can be any number of removable storage devices, as long as it is reasonably portable.

  • Once I’ve created a needs list, I then create a list of risks that might derail the project; again, simple is better. Risk management and mitigation can get complicated quickly, but just getting people to think about risk to a project is a big step toward a successful project. A simple risk list relates back to the project’s goals and needs. So a simple risk list has 5 attributes:

    a. The risk list starts with, again, a unique identification of the risk itself. Like the needs list, I use a numbered list.
    b. No risk is arbitrary, and every risk should relate either to a clarifying component of the project goal or to one of its needs. So, identify the relationship here as a reference to the number of the need item, or, if I have a numbered list for the clarifying components of the goal, I list that number here.
    c. I then describe the risk in a simple sentence or two, in simple English.
    d. Then I rate the impact on the project as either high, medium, or low.
    e. Finally, describe in a single sentence or two, in simple English, the current plan to mitigate the risk.

A good risk item (IMHO) might look something like:

    – Risk #1
    – Relating to: Need #1
    – Description: Drives used in the application may fail during transportation between workstations.
    – Impact to project: High
    – Current Mitigation: Ensure that storage devices used for the application are hardened to withstand severe environments, with a failure time of no less than 50,000 hours of use.

  • Finally, using the information from one, two, and three above, put together a simple schedule of high-level milestones for the project; simpler, here, is always better. I typically start out with no more than 6 to 10 milestones, depending on the project, and refine the schedule from there.

From these four basic elements, in very simple terms, look at what has been accomplished:

  • A project goal statement has been created
  • Objectives in the form of clarifying statements to the goal have been defined
  • A list of requirements has been created
  • A rudimentary test plan has been created through the use of success criteria and criteria checks
  • A simple risk management plan has been created through identifying and quantifying the risks
  • A risk mitigation plan has been created through mitigation identification.

The project management purists would criticize the simplistic approach to project planning I’ve listed here, but keep in mind that not all projects need a PMP and complicated earned value analysis.

“It's not the plan that is important, it's the planning.” –Dr Graeme Edwards


Ten Things Your IT Department Won’t Tell You – WSJ.com

Link: Ten Things Your IT Department Won’t Tell You – WSJ.com.

OK, so my network manager sent this link to me yesterday as he was perusing the internet for some research I have him doing on locking down user profiles.

Now, honestly, I don’t consider myself to be the IT Nazi, I really don’t. I have always contended that my role in an organization is to protect the company’s information assets from attack and compromise. But it always, and I mean always, seems to be at odds with the general user community.

We in IT are always in a precarious position, between protecting the systems, information, and infrastructure that ARE the lifeblood of our organizations, and the seemingly endless cry from the general community that we are inhibiting their productivity and contributing to the malaise of the workplace.

What sort of raises my blood pressure about this article isn’t that it’s a how-to on circumventing the measures we’ve put in place (the perimeter of an organization is porous, always has been, always will be, whether or not it involves technology). What raises my blood pressure over this article is the general cavalier tone the article takes. Here’s a way to get around “the man,” Vara claims, and it’s not really that difficult.

Well maybe not, and there are always exceptions, but the security measures we put in place are in place to protect the organization (from which you draw your paycheck) and you (from yourself, quite frankly). And if everything is consistent, it levels the playing field, and makes anomalies easier to find.

So here we go again, round two of the great debate of IT…

» Mac versus Windows vulnerability stats for 2007 | Zero Day | ZDNet.com

Link: » Mac versus Windows vulnerability stats for 2007 | Zero Day | ZDNet.com.

I’m not big on the Windows vs. Mac vs. Unix vs. Linux vs. etc. discussion. During the course of my entire career, this whole discussion has been irrelevant, much in the same way as how a particular professional sports franchise is doing in any given season. Guess what? It’s all hammers and nails. Use the right tool for the right job; you wouldn’t use a 16oz hammer on a 2 penny nail.

Well now, to add fuel to the Windows fire, this article today on ZDNet points out an interesting statistic: apparently Mac OS over the last year has had more critical vulnerabilities than Windows (243 for Mac OS versus 44 total for XP and Vista). Now, before this starts a riot, let me point out that this argument has nothing to do with anything except the following point:

It matters not what hardware/software/system combination any person/organization uses. Personal security and the security of organizational assets require diligence from all parties involved and don’t rely on a system combination. If it is made by human hands, it’s flawed.

Gone are the days when we could leave our computers unlocked, just as gone are the days when we could leave our front doors unlocked. It doesn’t mean it’s a cruel world; it just means that nobody is responsible for keeping our house in order except us. Part of being responsible adults is recognizing that WE must keep vigilant watch over our house, and that no person/system/software is going to do it for us.

So keep the doors locked, don’t let the newspapers or mail pile up on the porch or mailbox, and keep your systems updated and patched, because that’s what responsible adults do.

Information Security, Fear Mongers, and Universal Peace

Well, that about covers it doesn’t it?

I’ve been listening to "The Power of Now" by Eckhart Tolle, and he makes some very good points. Now, while I’m not a "new age" spiritualist (I’m fairly traditional in my monotheistic beliefs), I do believe he has something to say, primarily that we spend too much time letting our minds rule our lives (an interesting observation given my nickname is ‘Analysis Paralysis’). The aphorism "don’t borrow worry, tomorrow has enough worries of its own" is a good way of putting it; living in the now helps us combat the fears we conjure up in our minds about "worst case" scenarios.

Here’s the funny thing, though: I have a graduate education in Information Security/Information Assurance, and it seems to me that these studies, along with the whole notion of security altogether, are contradictory to the points Tolle makes in his book. Wendell Phillips’ oft-quoted “Eternal vigilance is the price of liberty,” made in reference to the anti-slavery movement of the 19th century prior to the American Civil War, is used as a mantra for the homeland security and information assurance disciplines.

I’ve had this nagging voice, all during the time I was attending grad school, saying to me “Are you being a fear monger?” My struggle has been how to reconcile the lessons learned about securing our future with connecting to peace through the “Now.” Are they mutually exclusive? As I write this, I believe they are not. One becomes a practical function of the other. As a practical matter, ensuring we bring peace to our lives through connection with the infinite requires attention to those around us wishing to impose dissonance.

So where is the balance between the “Now” and vigilance? It sits with every one of us, along with the recognition that there are those whose motivations for “peace” are only articulated as vigilance. “Quis custodiet ipsos custodes?” as Juvenal puts it, requires that WE watch the watchmen. Separation of power ensures that NO one holds all the keys to the kingdom, and that WE can experience the peace we all, me included, desperately seek.