Friday, December 04, 2020
Effective security patch management is probably the number one security control
Effective security patch management is probably the number one security control that can have the greatest impact in your company. It is crucial that you have processes in place to ensure regular, timely, and enterprise-wide patching. Always test patches on a pilot group first, and be sure to include third-party applications; we still see folks concentrating only on Microsoft Patch Tuesday. The trickiest part is minimizing the number of excluded systems, as owners and certain vendors will still claim that patching can break their apps. Isolate systems that cannot be patched effectively, using VLANs and firewall rules, and look to replace them in the long term whenever possible. Contact the vendor of these systems directly to discuss the issue; do not take app owners’ or system admins’ word on it. Companies are much more responsive now to demands from InfoSec. Good luck!!
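The following is an added example, not code from the original post: a small patch-compliance check over a host inventory that tracks Microsoft and third-party patches alike, applies a per-severity SLA, and separates hosts that are simply overdue from hosts excluded on an owner's unverified claim (call the vendor) and hosts with a vendor-confirmed incompatibility (isolate and plan replacement). The SLA day counts, host names and patch IDs are assumptions constructed for illustration.

```python
# Added example (not from the original post): patch-compliance report over a
# host inventory. SLA values, hosts and patch IDs are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed SLA: maximum days between a patch's release and its installation.
SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}
REPORT_DATE = date(2020, 12, 4)   # the "today" used for the sample report


@dataclass
class Patch:
    patch_id: str
    vendor: str          # "Microsoft" or a third-party vendor; both are tracked
    severity: str
    released: date


@dataclass
class Host:
    name: str
    group: str                        # "pilot" hosts receive patches first
    pending: list = field(default_factory=list)
    exclusion_reason: str = ""        # owner's/admin's claim that the patch breaks an app
    vendor_confirmed: bool = False    # did the application vendor itself confirm that claim?


def overdue(host: Host, today: date) -> list:
    """Return (patch_id, days_past_sla) for every pending patch past its SLA."""
    result = []
    for p in host.pending:
        deadline = p.released + timedelta(days=SLA_DAYS[p.severity])
        if today > deadline:
            result.append((p.patch_id, (today - deadline).days))
    return result


def classify(host: Host, today: date) -> str:
    """compliant: nothing past SLA.
    overdue:   past SLA, no exclusion: patch it.
    challenge: past SLA, excluded on an owner/admin claim the vendor has not
               confirmed: call the vendor before accepting the exclusion.
    isolate:   past SLA, vendor-confirmed exclusion: segment it (VLAN/firewall
               rules) and plan its replacement."""
    if not overdue(host, today):
        return "compliant"
    if not host.exclusion_reason:
        return "overdue"
    return "isolate" if host.vendor_confirmed else "challenge"


def compliance_report(hosts: list, today: date) -> dict:
    return {h.name: classify(h, today) for h in hosts}


def sample_inventory() -> list:
    """Constructed inventory: one Microsoft patch and one third-party (browser) patch."""
    ms = Patch("KB-EXAMPLE-1", "Microsoft", "critical", date(2020, 11, 10))
    third = Patch("BROWSER-EXAMPLE-2", "ThirdPartyCo", "high", date(2020, 11, 3))
    return [
        Host("pilot-ws01", "pilot"),                                   # fully patched
        Host("ws-finance-07", "production", [third]),                  # third-party app forgotten
        Host("app-legacy-01", "production", [ms], "owner says patch breaks app"),
        Host("scada-hmi-02", "production", [ms], "vendor confirmed incompatibility", True),
    ]


if __name__ == "__main__":
    for name, status in compliance_report(sample_inventory(), REPORT_DATE).items():
        print(f"{name:16} {status}")
```

The "challenge" bucket is the one that usually shrinks once someone actually phones the vendor; only the "isolate" bucket should survive into the network-segmentation and replacement plan.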
InfoSec policies say “what”, procedures say “how”
InfoSec policies say “what”, procedures say “how”.
We all know that we need a full set of Information Security policies. But how many of us keep procedures out of our policies? Getting a policy approved can be a big deal, often needing executive management, HR, and possibly union approval. Policies typically do not change very often, but procedures change regularly, and you don’t want to jump through all the approval hoops every time a procedure needs updating. Keep them separate! Of course, you do want to review policies annually and whenever significant infrastructure changes occur.
#informationsecurity #infosec #cybersecurity #dataprotection #policiesandprocedures
Are you practicing good configuration management?
Are you practicing good configuration management? Are you ensuring that a standard image is created, regularly updated and tested, and deployed everywhere, especially on admin and developer systems? Also be diligent in ensuring that all systems are hardened: turn off every service you will not be using. For any changes, make sure you have established and tested a change management process. Form a Change Management Board with key players from Application Security, Security, Field Support, System Administration, and Network Management, and have it meet regularly (weekly?) to review all past and upcoming changes. Establish a process that classifies changes, so that minor updates can be made in a timely fashion without the Board having to meet. All changes need a back-out plan and should be as transparent to users as possible, but all significant changes need to be announced ahead of time. Happy config/change management!
#configurationmanagement #changemanagement #configmgr #hardening
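An added example (not from the original post) of the "is the standard image actually deployed everywhere?" check: parse the table printed by `systemctl list-unit-files --state=enabled` on a host and compare it with the golden image's allowed and required services. The baseline sets and the systemctl output below are constructed for illustration; on a real host you would feed the command's output in instead.

```python
# Added example (not from the original post): detect drift between a host's
# enabled services and the golden-image baseline. Baseline and sample output
# are constructed assumptions.
from dataclasses import dataclass

# Assumed golden-image baseline: the only services allowed to be enabled...
BASELINE_ENABLED = {"sshd.service", "chronyd.service", "auditd.service", "rsyslog.service"}
# ...and the subset that must be enabled on every host.
BASELINE_REQUIRED = {"sshd.service", "auditd.service"}

# Constructed stand-in for `systemctl list-unit-files --state=enabled` output.
SAMPLE_SYSTEMCTL = """UNIT FILE                STATE   VENDOR PRESET
sshd.service             enabled enabled
chronyd.service          enabled enabled
rsyslog.service          enabled enabled
telnet.socket            enabled disabled
vsftpd.service           enabled disabled

5 unit files listed.
"""


def parse_unit_files(text: str) -> set:
    """Return the set of enabled unit names from the systemctl table."""
    enabled = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row, blank lines and the "N unit files listed." footer.
        if len(fields) < 2 or fields[1] != "enabled":
            continue
        enabled.add(fields[0])
    return enabled


@dataclass
class Drift:
    unexpected: set   # enabled but not in the image: disable, or route through change management
    missing: set      # required by the image but not enabled on this host


def check_drift(snapshot: set) -> Drift:
    return Drift(unexpected=snapshot - BASELINE_ENABLED,
                 missing=BASELINE_REQUIRED - snapshot)


def drift_lines(text: str) -> list:
    """Human-readable findings for one host."""
    d = check_drift(parse_unit_files(text))
    lines = [f"unexpected service enabled: {u}" for u in sorted(d.unexpected)]
    lines += [f"required service not enabled: {m}" for m in sorted(d.missing)]
    return lines


if __name__ == "__main__":
    for line in drift_lines(SAMPLE_SYSTEMCTL):
        print(line)
```

Anything in `unexpected` is either a hardening gap (telnet and an FTP daemon on a workstation) or an undocumented change; either way it is a ticket for the Change Management Board, not something to silently fix.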
Edmond Momartin, CISSP, CISA has been awarded ISSA Senior Member
With great pride we acknowledge a longtime volunteer and former ISSA Los Angeles Board member Edmond Momartin, CISSP, CISA for attaining Senior Member at Information Systems Security Association (ISSA). #issa #issala @issa @issala
Tuesday, February 05, 2019
Treasure Trove of Credentials Exposed
A list of 773 million email addresses and 21 million passwords is circulating in the hacker community. It is a compilation of many smaller lists taken from past breaches, some dating back to 2015, and has been in wide circulation. Despite recycling previously breached credentials, a widely available list like this makes it easier than ever for even unskilled attackers to capitalize on the bevy of breaches that have occurred over the past decade, because any password you reused across sites is now in one convenient place.
My personal advice for your accounts:
1) It’s important to change your passwords regularly, and to use a different password for each service/site you frequent. That is almost impossible to manage by hand, but a password manager makes it practical (more on that below).
2) Enable two factor authentication for your password vault
3) Set a reminder each day to change AT LEAST ONE of your passwords to a string of 20+ random characters
4) Start enabling two factor authentication on sites that support it (email, online banking, social media). If you do this, you'll negate most of the black market value of credential dumps like this one.
Use a Password Manager; many have free versions.
https://www.cnet.com/news/the-best-password-managers-directory/
Want to check if your email account was discovered in any data breaches? Go to HIBP (Have I Been Pwned): https://haveibeenpwned.com/
Want to check if your passwords have been previously exposed in data breaches? Pwned Passwords (https://haveibeenpwned.com/Passwords) has 551,509,767 real-world passwords, and lets you check without sending the password itself: only the first five characters of its SHA-1 hash leave your browser.
If your password shows up, change it IMMEDIATELY.
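Two of the tips above in working code, as an added example that is not part of the original post: the k-anonymity lookup that Pwned Passwords uses (hash the password with SHA-1, send only the first five hex characters, match the rest locally against the returned range), and a generator for the 20+ character random passwords recommended in point 3. The range response below is constructed so the code runs offline; the count attached to "password" is made up, not the real figure.

```python
# Added example (not from the original post): Pwned Passwords k-anonymity
# lookup against a constructed range response, plus a random password
# generator. Only the 5-character hash prefix is ever sent to the real
# endpoint, https://api.pwnedpasswords.com/range/<prefix>.
import hashlib
import secrets
import string


def sha1_prefix_suffix(password: str) -> tuple:
    """Upper-case SHA-1 hex split into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Each response line is '<35-hex-char suffix>:<count>'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns the response body for that prefix.
    Returns how often the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def generate_password(length: int = 24) -> str:
    """CSPRNG-based password over letters, digits and punctuation."""
    if length < 20:
        raise ValueError("use 20 or more characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for the network call. The only known entry is the
# suffix of SHA-1("password") with a made-up count; the second line is filler.
_KNOWN_PREFIX, _KNOWN_SUFFIX = sha1_prefix_suffix("password")
_FAKE_RANGE = {
    _KNOWN_PREFIX: f"{_KNOWN_SUFFIX}:1234567\n0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}


def fake_fetch_range(prefix: str) -> str:
    return _FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    print("password ->", pwned_count("password", fake_fetch_range))
    fresh = generate_password()
    print(fresh, "->", pwned_count(fresh, fake_fetch_range))
```

To query the live service, replace `fake_fetch_range` with a function that fetches `https://api.pwnedpasswords.com/range/` followed by the prefix (for example with `urllib.request.urlopen`) and returns the body as text; the password and its full hash never leave your machine.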
Monday, October 01, 2018
The Evolving role of the CISO
The CISO's role has been evolving over the years. It is moving away from so much emphasis on compliance and monitoring towards a more strategic role, particularly as CISOs get more and more access to the C-Suite.
A key to success as a CISO is collaboration with and understanding the work of other business units. A large part of the job is not about technology at all. It is about relationships, project management, and learning about several parts of the business.
It is a good CISO's job to adequately assess and point out the risks to the business of various projects and business practices.
What are other key elements that are part of the strategy of a successful CISO? Have you initiated a balanced Security Awareness Program? Is security baked into your company's SDLC? Are you regularly running scans of both your network and your applications? Are you monitoring your network to detect unusual activity? What about when that dreaded intrusion into your network occurs? Do you know what to do? What about third party risk? Do you have adequate InfoSec policies, standards, and procedures?
Monday, March 05, 2018
Mental illness, Homelessness, and our Security
You might ask: Why are so many people with mental illness out on the streets or homeless?
President Reagan bears most of the responsibility for why so many people with mental illness are homeless. At least one third of those living on the streets and half of our jailed population suffer from mental illness, and should be in institutions specifically designed to help these individuals.
During his presidency in 1980 (a sad time), Reagan stopped funding federal community mental health centers, thus removing services for those people who suffered with mental illness. While he was the governor of California, he had done something just as cruel: he released over half of the mental hospital patients in the state. He even passed legislation wiping out a requirement for involuntary hospitalization for those with mental illness. As so often is the case, as the president goes, so goes the country. As a result, states followed suit, and started to open the gates of mental institutions throughout the country. Ironically, in 1981, President Reagan was shot by John Hinckley Jr., who had mental illness. Is there a connection with so many of the shooters out and about hurting and killing so many innocent people and President Reagan? I think so!
Wednesday, February 21, 2018
Watch out for Email Scams About the Olympics
There are reports of a 2018 Winter Olympics phishing campaign that hides its malicious payload inside an image file! Why is this particularly dangerous? Not only does hiding the code inside an image help it evade detection, but once it actually runs, it uses a technique that generally won't get picked up by traditional antivirus solutions.
How is the Attack being Done?
The attack is being delivered via phishing emails disguised as alerts from the host country's National Counter-Terrorism Center, with malicious Word documents attached. Once opened, the Word doc encourages readers to enable content, which is what lets its macros run. DO NOT ENABLE CONTENT.
The tricky aspect of this attack is that the image never has to be saved as a file on the victim's disk: the embedded code can be extracted from an image that is either downloaded or simply hosted on the web. That means an attacker doesn't necessarily need to drop an image file onto a machine in order to get the malicious code to run on that machine, so scanning files on disk alone will miss it.
What to do to protect yourself and your company
• Do not open email attachments from senders you don't know, and be especially wary of Word documents that ask you to enable content/macros.
• Do not click on links in unexpected emails; if you need the site, type its address yourself.
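A check for the first stage of this attack, as an added example that is not part of the original post: before a Word attachment is opened, look inside it for a VBA project and for the "enable content" lure text. Modern Word files are ZIP packages, and a macro-carrying one contains `word/vbaProject.bin`; legacy OLE2 `.doc` files need a different parser and are reported as unknown here rather than guessed at. This does not find the image-borne payload described above, it blocks the macro that would go and fetch it. The sample documents are built in memory and are not the real lure.

```python
# Added example (not from the original post): flag Office attachments that
# carry VBA macros and/or an "enable content" lure. Sample documents are
# constructed in memory; the VBA part is a placeholder, not real VBA.
import io
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
LURES = ("enable content", "enable editing", "enable macros")


def has_vba_project(data: bytes):
    """True if an OOXML package (.docx/.docm/.xlsm/...) carries a VBA project,
    False if it is OOXML without one, None for legacy OLE2 or non-Office data
    (inspect those with a dedicated tool instead of guessing)."""
    if data.startswith(OLE2_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    return any(part in names for part in VBA_PARTS)


def lure_phrases(data: bytes) -> list:
    """Lure phrases found in the Word document body (empty for non-Word/unknown)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            body = zf.read("word/document.xml").decode("utf-8", "replace").lower()
    except (zipfile.BadZipFile, KeyError):
        return []
    return [p for p in LURES if p in body]


def verdict(data: bytes) -> str:
    macros = has_vba_project(data)
    if macros is None:
        return "unknown format: inspect with a dedicated tool"
    if macros and lure_phrases(data):
        return "block: macros plus an 'enable content' lure"
    if macros:
        return "block: contains macros"
    return "no macros found (still treat unexpected attachments as untrusted)"


def build_sample_doc(with_macro: bool, body_text: str) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{body_text}</w:t></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_doc(True, "This document is protected. Please Enable Content to view it.")
    print(verdict(lure))
    print(verdict(build_sample_doc(False, "Quarterly agenda")))
```

Run this on the mail gateway or in the phishing-triage mailbox, not on the user's desktop: the point is to keep the document from ever reaching someone who might click "Enable Content".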
Tuesday, February 20, 2018
Third Party Risk
A phone call or personal meeting are often crucial for success when dealing with third parties that have access to your critical or confidential data. East coast partners like morning meetings; I think they take great pleasure in doing this to us Californians to get back at us for the amazing weather we have.
When we have business partners, we have to get assurance that they are practicing appropriate security and have a mature security program with good security controls.
Make sure you have security standards to share with your partners, and ensure that they can follow them. These standards should cover contract language, their development environment, coding standards, ongoing assessments of their systems and processes, and much more. The last thing you want is a breach of your data at a business partner you had never adequately assessed.
Friday, January 27, 2017
How to secure budget for some key initiatives; a sales pitch to the C-Suite
- Build a presentation on the increase in cyber risk to the company
- Goal is to convince the C-Suite that ownership of risk needs to be at their level. You need to build a culture of security awareness throughout the organization
The CISO must hone their skills as a salesperson or public relations master. Security must be sold as a crucial part of the business culture of the organization.
Concise points with little to no technical information are crucial if you want to keep the attention of the key decision makers.
Rehearse your sales pitch and keep it short. Graphs and charts with red/orange/green representing current status seem to be examples of good approaches. The absolute last thing you want to present is the number of attacks, or, for that matter, the number of anything!
Talk risk, likelihood, and potential impact to the business. Speak in “businessese”.
What do you do if you suspect you have a phishing attack?
What is your response plan? Does it include:
Asking the reporter to forward the suspicious email as an attachment, so the original headers are preserved?
Analyzing the URL links, headers, sender address, and business need or applicability?
Were there any attachments? If yes, check their hashes on VirusTotal or another reputable online tool for known-malicious verdicts (think twice before uploading the file itself if it may contain confidential data).
If the attachment or URL is malicious, check the logs for user activity and be sure to interview the user or users.
Interviewing the user is important to ascertain whether they intentionally or inadvertently clicked on a link to a possibly malicious site. But review the logs too, as users often either don’t recall or will not admit their behavior.
Clearly some technical knowledge and skills are necessary to address this possible security incident. But there also is a project planning aspect to managing this.
Having a good incident response process has always been important, but with the proliferation of phishing attacks on all businesses and organizations, never more so than today. This must be one of your highest priorities. Mock drills are an essential part of this process. Just like testing backups, testing your IR plan is crucial.
You have to know if you have been breached.
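The header, link and attachment analysis from the checklist above, as an added example that is not part of the original post: parse a reported message that was forwarded as an attachment (so its headers survived), compare the From, Return-Path and Reply-To domains, find where the earliest Received hop says the mail actually originated, pull out the links, and hash any attachment so it can be looked up on VirusTotal without uploading it. The message, its addresses and IPs are constructed, and the trusted-domain list is an assumption.

```python
# Added example (not from the original post): first-pass triage of a reported
# phishing email. The .eml below is constructed; TRUSTED_DOMAINS is assumed.
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("corp.example",)       # assumed: the organisation's own domains
RISKY_EXTENSIONS = (".docm", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".iso", ".lnk")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

SAMPLE_EML = (
    b"Return-Path: <bounce@mail-relay.example.net>\n"
    b"Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])"
    b" by mx.corp.example with ESMTP id 4f2a1; Mon, 16 Jan 2017 09:12:01 -0800\n"
    b"Received: from [198.51.100.23] (unknown [198.51.100.23])"
    b" by mail-relay.example.net; Mon, 16 Jan 2017 09:11:58 -0800\n"
    b'From: "Corp IT Helpdesk" <helpdesk@corp.example>\n'
    b"Reply-To: <support@corp-example-login.net>\n"
    b"To: <user@corp.example>\n"
    b"Subject: Action required: password expiry\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"\n"
    b"Your password expires today. Reset it at http://corp-example-login.net/reset\n"
    b"--b1\n"
    b'Content-Type: application/octet-stream; name="policy.docm"\n'
    b'Content-Disposition: attachment; filename="policy.docm"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    b"UEsDBAo=\n"
    b"--b1--\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _domain(header_value: str) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    from_dom = _domain(str(msg.get("From", "")))
    rp_dom = _domain(str(msg.get("Return-Path", "")))
    rt_dom = _domain(str(msg.get("Reply-To", "")))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")
    if rt_dom and rt_dom != from_dom:
        flags.append(f"reply-to domain {rt_dom} differs from From domain {from_dom}")

    # Received headers are prepended by each hop, so the last one is the earliest.
    hops = msg.get_all("Received") or []
    origin = ""
    if hops:
        m = re.search(r"from\s+(\S+)", str(hops[-1]))
        origin = m.group(1) if m else ""
    if from_dom in TRUSTED_DOMAINS and not origin.endswith(TRUSTED_DOMAINS):
        flags.append(f"From claims {from_dom} but mail originated at {origin}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    for u in urls:
        host = urlsplit(u).hostname or ""
        if not host.endswith(TRUSTED_DOMAINS):
            flags.append(f"link to untrusted host {host}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        digest = sha256_hex(part.get_payload(decode=True) or b"")  # look the hash up, don't upload
        attachments.append((name, digest))
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment with risky extension: {name}")

    return {"from_domain": from_dom, "origin": origin, "received_hops": len(hops),
            "urls": urls, "attachments": attachments, "flags": flags}


if __name__ == "__main__":
    for flag in triage(SAMPLE_EML)["flags"]:
        print("-", flag)
```

None of these flags is proof on its own (plenty of legitimate mail has a Return-Path on a relay domain), but a helpdesk message with a mismatched Reply-To, an outside origin, a look-alike link and a macro-enabled attachment is what the log review and the user interview should start from.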
Monday, January 16, 2017
Synergy Between the CISO and Application Development
CISOs must work collaboratively with the heads of Application Development to ensure a Secure Development Life Cycle process is being implemented and followed.
Developers must be following our secure coding standards.
Are secure ESAPI libraries being used?
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
An effective CISO must have some knowledge of application security best practices. OWASP, the Open Web Application Security Project, is a great resource for this. It is a not-for-profit international organization of volunteers who are passionate about secure coding and development. Most CISOs I have known, other than the few who came up as developers, are admittedly weak in this area, and will often rely heavily on the myriad tools and projects from OWASP. The most recognized is the OWASP Top 10, a broad consensus about the most critical web application security flaws.
Part of a good Application Development Security Strategy is having both static and dynamic application vulnerability scanning in place.
These scanning tools cannot be run out of the box; they need configuration and tuning: rule sets matched to your languages and frameworks, authenticated scans for the dynamic tool, and triage of false positives, or developers will quickly learn to ignore the results.
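An added example of the two controls a library like ESAPI provides (input validation and context-aware output encoding), shown as a vulnerable rendering function next to its hardened form. This is not ESAPI and not code from the original post: ESAPI is a Java library, and this Python version only illustrates the same pattern using the standard library. The username rule and the rendered markup are assumptions.

```python
# Added example (not from the original post, and not ESAPI): allow-list
# validation plus output encoding for the context the data lands in. The
# username rule and the HTML fragment are constructed assumptions.
import html
import re
from urllib.parse import urlsplit

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed allow-list rule


def validate_username(value: str) -> str:
    """Allow-list validation: anything outside the expected alphabet is rejected,
    not 'cleaned', so the caller can never accidentally use a partially fixed value."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def render_profile_vulnerable(name: str, website: str) -> str:
    # Attacker-controlled text dropped straight into HTML text and an href.
    return f'<p>Welcome, {name}!</p><a href="{website}">site</a>'


def safe_href(url: str) -> str:
    """URL context: only http(s) is allowed (javascript: and data: are refused),
    then the value is attribute-encoded as well."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile(name: str, website: str) -> str:
    # Each value is encoded for the exact context it is written into:
    # HTML text for the name, URL-then-attribute for the link.
    return (f"<p>Welcome, {html.escape(name, quote=True)}!</p>"
            f'<a href="{safe_href(website)}">site</a>')


if __name__ == "__main__":
    evil_name = '<script>alert(1)</script>'
    evil_url = 'javascript:alert(document.cookie)'
    print(render_profile_vulnerable(evil_name, evil_url))
    print(render_profile(evil_name, evil_url))
```

Validation at the boundary and encoding at the output are separate controls on purpose: the validator rejects what was never a plausible username, and the encoder makes whatever does get through harmless in the context it is rendered into. That is the division of labour a secure coding standard should spell out, and the one that SAST rules are usually written to check for.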
Friday, April 01, 2016
Great Conference in Los Angeles
The Eighth Annual ISSA-LA Security Summit is coming to the Universal City Hilton on Friday May 20th. On May 19th there will be four in-depth training classes at unbelievably reduced pricing.
Jack Daniel, one of our industry’s most well respected experts, will deliver the Opening Keynote. Cory Doctorow, co-editor of the popular weblog Boing Boing and a contributor to The Guardian, Publishers Weekly, Wired, and many other newspapers will deliver the Closing Keynote.
Of course you are getting many emails to attend lots of conferences, but the line-up of speakers at this Summit is of the highest caliber.
Are you a CISO or want to rub elbows with CISOs, and learn about the key issues? Come to the CISO Forum and hear from Malcolm Harkins, ex-CISO of Intel and Mark Weatherford, former DHS First Deputy Under Secretary for Cybersecurity, and the former first CISO of California.
Are you in Healthcare? Join in the Healthcare Privacy and Security Forum.
Want to learn how to properly protect your applications? Come listen to Jeremiah Grossman, founder of Whitehat Security, Jim Manico, OWASP Board member and Java expert, and Chenxi Wang, former VP at Forrester.
And our world class speakers don’t stop there. We have Bob Bigman, Former CISO of the CIA, Dr. Robert Pittman, CISO, LA County, a Law Enforcement Panel, and a CTF for those who are technical experts.
And don't forget our exciting panel: Privacy vs Security, Apple and the FBI.
Visit: summit.issala.org and sign up now to join 1,000 of your peers, before prices go up April 20.
Friday, February 12, 2016
Looking Back at 2015
As we look back at 2015, we find ourselves thinking about a tumultuous year. IoT has finally hit center stage, with the potential to revolutionize our society, while at the same time setting the clock back in advancements in Information Security. Security companies continue to be absorbed into IT companies, a trend that started 5 years ago and just keeps on rolling. Mass shootings on the domestic front have increased the cry for more gun control, while ISIS has gained even more prominence, and is utilizing social media more than any terrorist organization before.
Many of us find ourselves troubled and in deep thought as we still have two recent horrific events fresh in our minds, one in Paris, and one in our own backyard in San Bernardino. These physical attacks come in the midst of years of ongoing successful cyber-attacks, creating a world where both our personal and online safety are being assaulted. We must stand strong and united, and networking organizations such as ISSA-LA have a large role to play.
ISSA-LA has hundreds of fellow professionals as a part of our community, and the more we share, the more we meet and talk together, the better we will all be prepared for the next attack. Sadly, for cyber-attacks, it is now not a matter of if, but a matter of when.
For the more dramatic and scarier physical attacks, we must not think of compromising what and who we are, by allowing any reductions in our freedoms. We cannot lose our identity as a great country founded on the principles of FREEDOM. After 9-11, the Patriot Act was such a compromise. It led to the NSA surveillance activities, where all of us were spied upon by our own government.
Obviously we find ourselves in a very difficult situation. If our loved ones were lost in one of these physical attacks, we would most likely be filled with rage and unbelievable sadness, and probably be willing to sacrifice individual freedoms to stay safer. In some areas of life, many Americans appear willing to accept additional hassles, with airline travel coming to mind.
We must be careful not to become who we are protecting ourselves from.
Tuesday, March 17, 2015
ISSA-LA and HIMSS Southern California present the Third Annual Healthcare Privacy and Security Forum, June 4th at the Los Angeles Convention Center. This event will bring together leaders in Privacy, Security, and Risk Management within government and private industry for a day of collaboration, networking and presentations by leading Privacy and Security professionals.
We are pleased to have two world class Keynote Speakers
Bruce Schneier, Chief Technology Officer of Co3 Systems
- Fellow at Harvard’s Berkman Center
- Board Member of EFF
and
David Kennedy, Founder and CEO of TrustedSec
- Co-Founder and CTO Binary Defense Systems (BDS)
Thursday, January 30, 2014
AppSec California 2014 an off-the-charts success
Surf, Sand, Security! Over 250 people got together at the Annenberg Community Beach House and discussed security on the shores of Santa Monica, California. An All-Star cast of speakers spent two days sharing their knowledge with conference attendees and each other in between breaks looking at the blue waters of the Pacific Ocean and volleyball players on the sands adjacent to the conference. A more perfect setting would have been hard to imagine.
https://appseccalifornia.org/
Video recordings of the 2-day event will be posted next week.
Plans are already under way for AppSec California 2015 at the same location.
OWASP Back in San Francisco during RSA
Jim Manico and Eoin Keary will be offering a free boot camp training on Monday, February 24, 2pm - 5pm, at Jillian's, across the street from the Moscone Center. "This intensive boot camp focuses on the most common web application security problems, including aspects of both the OWASP Top Ten and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code and understand fixes."
http://owasp.blogspot.com/2014/01/free-owasp-training-and-meet-up-in-san.html
This is great news, as OWASP had earlier pulled out of RSA and cancelled their co-marketing agreement with the RSA Conference.
Tuesday, November 12, 2013
Surf, Sand, Security!
Get together with your peers and discuss security on the shores of Santa Monica, California.
January 27 — 28, 2014
Come join OWASP Chapters from Los Angeles, Orange County, San Diego, Santa Barbara, and the Bay Area as we gather at the Annenberg Community Beach House to network and share information with the country's leaders in information security.
Quick Tips for Handling and Securing your Laptop
Treat your laptop like cash!
Do not leave your laptop in your car.
Don’t allow your laptop or anything of value to be visible from outside of your car. If you have to leave a laptop in a vehicle, put it in the trunk before you depart, not when you arrive at your destination, thus avoiding anyone seeing a laptop in an unattended vehicle. Never store a laptop in the trunk overnight or over the weekend.
Do not allow anyone else to use your laptop.
Ensure that your laptop has been encrypted.
All laptops should be encrypted, as they are too easy to lose or have stolen, and it is too easy to forget what you may have stored on them. Something could be confidential.
Record the make, model and serial number of your laptop and keep it in a separate location. Have a luggage tag on your laptop case, labeled with your contact information.
Secure your laptop when in the office.
Secure your laptop by locking it in a docking station, if available. You can also use a security cable, a locked office or a locked cabinet. Do not set the laptop on the desk and then walk away with it unsecured.
Keep it off the floor.
No matter where you are in public – at a conference, a coffee shop, or a registration desk – avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you’re aware of it. Laptops on the floor can easily get stepped on, kicked, and stolen.
Do not store your password with your laptop.
You should secure your laptop with a strong password, but don’t keep the password in the laptop case or on a piece of paper stuck to the laptop.
Be very careful while travelling with a laptop.
Studies have shown approximately 12,000 laptops per week are lost or misplaced in US airports!
Consider non-traditional bags for carrying your laptop.
When you take your laptop on the road, carrying it in a computer case may advertise what’s inside. Consider using a suitcase, a padded briefcase or a backpack instead.
Do not store your laptop in checked luggage.
Never store your laptop in checked luggage. Always carry it with you.
Be vigilant in hotels.
If you stay in hotels, a security cable may not be enough. Try not to leave your laptop out in your room. Rather, use the safe in your room if there is one. If you’re using a security cable to lock down your laptop, consider hanging the “do not disturb” sign on your door.
Keep track of your laptop when you go through airport screening.
Hold onto your laptop until the person in front of you has gone through the metal detector. Watch for your laptop to emerge from the TSA scanners.
Back up your files.
Wednesday, April 17, 2013
Very mixed day: Obama Notifies of Intent to Veto CISPA, but Gun Control Dies
The suspense is over as Obama actually stands tall again, in defense of Americans' privacy. No get out of jail free card for the corporations who want to share private data. Back to the drawing board for Congress. Can they ever get it right? We all know what is needed, but Congress is just too busy trying to manage all that lobbyist money. It's a lot to keep track of! I applaud the efforts of the ACLU in keeping the pressure on Obama; he actually used some of their language in his statements.
However, what is the deal with this lack of responsible gun control? We're not talking about taking guns away from anyone, except possibly those who are so screwed up as to fail a reasonable background check. Now, wouldn't we want this to occur? This one has the major support of the majority of Americans, but the NRA is way out of bounds here. It's almost too absurd and blatant to believe. I don't need to hear another person screaming "guns don't kill people, people do"! Some people should not have the guns that kill people.