The idea really revolves around providing an interactive, hands-on experience for kids and their parents which includes things like:

• Low-impact martial arts/self-defense training
• Online safety (kids and parents!)
• How to deal with CyberBullies
• Gaming competitions
• Introduction to Programming
• Basic to advanced network/application security
• Hacking hardware and software for fun
• Build a netbook
• Make a podcast/vodcast
• Lockpicking
• Interactive robot building (Lego Mindstorms?)
• Organic snacks and lunches
• Website design/introduction to blogging
• Meet law enforcement
• Meet *real* security researchers

Visit hackid.org and follow them on Twitter @hackidcon.

Let’s pause for a second and let me explain one thing. I say ISO 17799 because that’s what I have known it as for years and that is what you are most likely to find in searching. This standard comes from BS 7799. It  was been revamped and is now known as ISO 27002. That being said, I will continue to refer to it as ISO 17799 for the reason mentioned above. Carrying on…

So what exactly is ISO 17799 going to give you? Good question. It provides guidelines for what an organization should have in it’s security program. It gives advice from a thousand foot view on major components that should be in the security program. The areas it covers, called clauses, include such topics as security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance.

I hope this helps get you started in security program and don’t hesitate to ask questions.

It’s probably easier to define what isn’t in a security program, than what is in it! That’s right, security is going to touch almost every aspect of your organization. Every organization is different, they all have their own threats, compliance issues, business lines, risks, etc. Even in the same industry, the security program requirements can vary greatly. However, they all typically have the same basic elements.

Every organization has assets. This is what we are defending and we’ll call this tier 1. Assets can be systems, knowledge, data, people, etc. It just depends on the organization, and if applicable, it’s business lines. Tier 2 are the elements influencing tier 1. Assets are protected by network security, physical security, system/software lifecycle security, and communication security. Factors effecting the assets and security of the assets include threats and threat management, compliance with policy (note, we are not talking regulations, that comes at a higher tier), metrics for evaluating our security (defined in a higher tier), vulnerability management, and incident response. Elements that drive tier 2 and therefore will be called tier 3 include personnel security, risk assessment, audits, business continuity planning (BCP), metrics development, process management, threats and vulnerabilities (yes they appear here as well as this level is also being protected), data classification, and  process management. Tier 4 is the final tier we will cover. This however can be expanded to additional tiers depending on complexity of organizational structure and regulations/laws, but we are talking basics here. Tier 4 includes, regulations, laws, risk analysis, the overarching security program, policy development, process development and monitoring, governance model, and organizational security.

In some capacity, your organization MUST have each of these components to have an effective security program. I know, that seems like a daunting task. It is no small undertaking to establish all that, and if the company has grown for years without it, it will be extremely difficult to change the culture of the organization to be accepting of such a wide sweeping change. Remember though, if you followed part 1, you have the authority of the board and CEO. This is a mandate. If not, you’re wasting your time. That isn’t to say, be ugly about it. In fact, just the opposite. The people that need to be involved in this process (which is pretty much everyone in the organization in some aspect) MUST want to participate or they won’t live up to their end. A great way to start is training your employees on how to protect themselves from predators. This will get them engaged and thinking about security in new ways.

Most companies have no idea where to begin trying to get a handle on all those elements. Fortunately, you are reading this article to help you on your way. There are plenty of great resources out there for best practices guidelines. ISO 17799 and it’s successor is a fantastic resource. It is an internationally recognized standard for information security governance and provides high level recommendations for enterprise security programs. Divided into two main parts, the first is an implementation guideline and the second is an auditing guide.

As suggested in part 1, security should be top down. Meaning the board down to upper management, middle management, and finally the staff. A bottom up approach in which the IT department tries to initiate a security program is less effective, won’t get full buy in from other departments/business lines, and is doomed to fail. Other than the obvious lack of buy in from others, it is generally focused on technology and leaves all other vectors of attack untouched. The people actually responsible for protecting the assets must be driving the program.

Contact Shades of Gray Security to find out how we can help you setup and manage your security program today!

But I digress, this series of articles is about the hows of starting a security program, not the whys. Keeping the various sizes and roles of companies I have either worked for or with in mind, I am going to give some pointers on how to get the ball rolling on this daunting task.

First, let’s talk about what security is, and isn’t. It isn’t just having a policy and then turning to network defense appliances and washing your hands of the idea, mission accomplished. If your security program isn’t mandated by the board, mapped to all business lines, legal and regulatory requirements, and threat agents, it isn’t complete. It also isn’t enough to guard the perimeter while leaving the internal network in shambles. Likewise, if you don’t have data classification, you can’t move forward in a security program. After all, what is it you’re protecting and why? How can you have a risk assessment if there isn’t a metric for what is at risk?”If you don’t eat your meat, you can’t have any pudding! HOW can you have any pudding if you don’t eat your meat?!” Wait, I’ve gone off topic again. Anyway…

Let’s agree we need security and doing the above things simply isn’t cutting it. What are the first steps to getting your business security focused? Dive in and start applying patches? Install that much needed IPS? Write policies? No. Our first steps are crucial and should happen in rapid succession.

The board, CEO, and so forth, all must be on board with this. If there is no mandate coming down from the top, hang it up, go home, forget about it, game over man… game over.

First and foremost, let’s agree we need qualified people architecting it. I know most people may laugh, but I have tragically seen unqualified people put in the position of managing security. This is NOT a job to be given to someone because they have seniority. You will FAIL. This director must report directly to the CEO and board. It is not in the best interest of security to report to the CIO, CTO, network director, etc. It is not in their best interest to have anything negative reported by the security department and it will therefore not be. A security team is not a political football to be used to give the board and CEO false hopes of a safe network by the network director all the while not letting them do their job because he may look bad. You will FAIL. It is not a department that needs to be a clapping monkey doing cheap tricks to impress upper management with “quick wins.” If anyone ever thinks about uttering the words “quick win” toss them out ASAP. You will FAIL. That’s another thing, if someone says you won’t fail, toss them out. You WILL FAIL. The difference is, how graceful you fail. Did you fail and know within seconds? Hours? Days? Years? Did you ever find out?

So for our first step, and end to this first installment, we need sign on from the board and CEO. We need qualified people in place to architect this program, we need the team to report directly to the board and CEO. If this is going to be a political football and for some reason, no one can put on the big boy pants and enforce the program, I would venture to say your best bet is to outsource the entire program.

Contact Shades of Gray Security to find out how we can help grow your security department.

Everyone always hears what “they” say about them, social networking sites are dangerous, they are vulnerable, people can hack your computer through them, viruses spread through them, etc. Immediately, the site in question gets smeared. Interestingly, to me anyway, is it doesn’t seem to slow the acceptance and use of these sites at all. New contenders spring up out of no where, exploding onto the scene like the first time you see Jaws break the surface. There is no question, Web 2.0 (I really dislike buzz words, especially that one for some reason) has radically changed the Internet.

That being said, what makes these sites more vulnerable than any other site you visit? Nothing, really. At least at their core. The only thing that really makes them more vulnerable is the fact that so many people use them they become highly prized targets. I said at their core though. That’s where things get tricky. Most of these sites are not really all that bad when standing alone. This is where Web 2.0 and mashable buzz words start reeking havoc. At it’s core, most of the sites are not bad, but opening up an API to allow extensions, or applications to be installed on the profile starts to become a problem. Some sites that offer too much control to the user (hi MySpace) also present problems. If nothing else, giving novices access to design their own completely tasteless site to look like some horrid thing from the early 90′s is just plain wrong. More often than not, I come across profiles that don’t even load right, at least I hope they don’t. I’d hate to think someone intentionally wanted their profile to scroll a mile to the right to see the second column of the page. At least it appears we are trending away from this, first FaceBook restricted users to a basic template so all profiles are uniform, and now twitter doesn’t allow a user much of anything other than basic update functionality and a hand full of backgrounds from which to choose.

Don’t believe me? Look at twitpwn.com and the Month of Twitter Bugs going on over there. we are at day 8 and so far, all the vulnerabilities are from vendors using the API and messing things up. This isn’t to say Twitter is not without it’s problems, but the trend of mashable applications integrating with a wide variety of other applications far outweighs the problems a single source may have. This is only natural.

So let’s move forward in terms of what are some of the most dangerous aspects and weaknesses of social engineering, I mean networking, sites.

CLASSIC SOCIAL ENGINEERING PITFALLS

Let’s start here. How many people put a little too much data on their profile? How many of those people expose that profile to the general public, not just their friends. How many of those friends online are actually, you know, friends? Is it easy to find what high school you attended (hello FaceBook)? Do you use the “What high school did you attend?” security question for your login to your bank? Really? So I can easily obtain most of those so called personal security questions just from browsing your profile(s)? Hmm, not too good.

Other problems may come of you tweeting too much information about your company. Having problems with a firewall? Planning a large roll out of network gear? Did you just tell the world there is a major shift in the topology of your network and it may be down, disrupted, and certainly may not be looked at as closely during the event? Tsk tsk. Revealing insider deals that could effect stock? Oops!

Have you been partying and posted pictures of you drinking heavily and acting less than professional? That could effect your current employment severely. It could hurt your employer’s relations with it’s clients. It could hurt your future employment when you get canned for it and the prospective employer finds it. If you’re going to stand a chance of being found by an employer or if you are mixing personal and business data on a profile, remember to keep it clean and that anyone can see it.

Knee-jerk comments are very difficult. People explode and in a fit of rage, post a status update, or tweet something. No amount of wishing is going to put the genie back in the bottle. This “new media” is incredibly dangerous when it comes to blurting things out. If they say friends don’t let friends drunk dial, how much worse is it to tweet drunk?

I’ll close this section with one more idea. I can’t tell you how many of my friends post messages on FaceBook regarding their upcoming vacation, post what they are currently doing on vacation, and finally let us know when they are coming home. While I enjoy seeing pictures of you all enjoying yourselves in Hawaii while I sit suffering the oppressive heat of Louisiana, those pictures can wait until you come back.

This is only worsened by accepting anyone who wants to be your friend. I know it’s hard to ask for proof you know someone and you don’t want to be rude and not reciprocate a follow on Twitter, but please consider what you are saying and whom you are saying it too. Even if you personally know and trust everyone in your friend list, maybe it’s a bad idea to say it anyway. After all, do you know all their friends? How many times have you seen a picture of a friend posted on FaceBook, went to comment, and then realized you couldn’t because it was on someone else’s profile who is not your friend. Comments spread people. Loose fingers sink much more than the ship, much much faster.

Passw0rds, P@ssw0rds, P@$$words

With all the sites nowadays you have to login to, that’s a lot of passwords to remember. Are you using the same password for all your social networking sites? Come on, admit it. Do all those sites use encryption, or are you sending your credentials in clear text? In other words, do you see https instead of http in te address bar? Look at myspace.com next time you log in and tell me what you see. If you are using the same password at all these sites, and one of them gets compromised by either an attack against the site itself dumping all the account data, or something that attacked you, there is considerable damage to be had. Now you stand the risk of disinformation and malware being sent out from all your accounts without your knowledge. Do you use the same password to bank with? Tell me you don’t! Please!

This brings us to the next major section of the article. Actual attack vectors on these sites. We need to look at client side attacks, vulnerable “applications,” and worms. It all comes back to the user. The term “click happy” I think aptly defines our society. Especially on these sites. My friend posted it, so it must be safe for me to click that link right? Really? Maybe he thought that too before getting hacked by Mary, who thought that of Tom, who thought that of Steve, who said Jan would never mess with him and then… well… Jan was just plain stupid. It happens. We all know it. Someone at the office always invariably opens the email attachment excited to see the ecard they were sent. It doesn’t matter how often it happens. After that, it spreads as if coming from you. Don’t be so quick to click! Do I need to mention tinyurl and the likes? All the URL shortening are absolutely perfect for funneling malicious links to unwitting click happy victims.

Vulnerability Plugins

The growing mashable market allows for all sorts of disasters to be creep in. As I stated earlier, look no further that the Month of Twitter Bugs. Sites such as FaceBook and now myspace are allowing third parties to write applications that can be added to your profile. The more functionality applied to an application, the more likely vulnerabilities will be introduced. I grew up in a different time in the computer world apparently and I’m only in my mid-thirties. We were drilled with a few basic ideas in college, one of which was KISS. Keep It Simple, Stupid! What happened to that? Has it become Mashup Extremely Susceptible Systems? Sorry for my lack of creativity there. It’s certainly a MESS anyway.

Spyware, Worms, and Woes

People always hear these sites are dangerous, but don’t hear why. This informational gap is ripe for popup ads for spyware claiming to protect you. The same old tricks on any other websites, but now targeted to the perceived threats of social networking.

Just like you have heard a million times before with email, your friends list can be used to spread worms. Google‘s own social networking site Orkut had a worm problem that hit the news a while back. It’s really no different on these sites than on your email system. In fact, worms here are probably a little easier in that they will effect all users in as much as allowing it to spread if not directly affecting the user’s machine. Meaning, say I run linux and Thunderbird is my email client, well a worm hitting Windows and Outlook probably won’t mess up my system nor will it be able to use my contact list to spread. Not so in social networking contacts. The worm can still spread on the site, harvest your data there and move through your contacts list. In fact, it can do all that without even needing you to log on. I am quite stunned there haven’t been more.

Cross-Site Scripting (XSS)

Don’t ask me why it’s XSS, not CSS. CSS was taken already I suppose. Anyway, this is a common attack vector effecting all web applications. The major difference here is again, these attacks are coming from a perceived trusted source. Why would Billy try to steal my cookies? A simple injection onto a blog, or profile that then get’s replayed every time someone looks at it could be devastating.

Air Flashes in the Silverlight

I’ve saved the final frontier for last. Adobe Air, Flash, and Microsoft Silverlight are common technologies that increase the attack surface of any site. They are becoming increasingly popular. Naturally, the prolific use of Flash is one of the evolutions that make Facebook and MySpace so lucrative to attackers. As anyone with a profile knows, these technologies are extremely pervasive, as well as fun, when doing social networking. Unfortunately, a recent exploit in Adobe Flash has become a huge security threat. Experts say that so far hundreds of thousands of Websites have been compromised, including thousands of networking site pages, as the result of the Flash exploit loose in the wild. These technologies and there increasing use for their eye candy factor have naturally drawn the attention of attackers.

Conclusion

The main thing to realize is that regardless of the method of attack, you should always be aware that your profile can be exposed. Responsible disclosure of your personal and company data is crucial. Always assume that your data will be stolen and that the worse possible person to see it will eventually see it. If you think your boss will get mad if they read something, its probably best you not post it. If you wouldn’t invite that stranger into your home, you probably don’t want to invite him into your profile either. If you don’t put out a neon sign in your front lawn announcing you’re on vacation, you probably don’t want to put it on your profile either.

Go on, have fun on that vacation, we can wait to see the pictures.

Sleep well kiddies.

-Twisted

I walked in the front door and up to the first desk I saw. “Welcome to First National FCU, can I help you?”

“Yes ma’am, I’m here to do a walk through inspection. Is Ms. Doe available?” No way she is, why would she be?

“No sir, she’s out for lunch, but I can help you.” Oh perfect, the manager isn’t here, how did I know that was going to happen? Fortunately this lady, a loan officer perhaps, is going to help me. She proceeded to tell me she was in charge while the manager was out and told me of numerous locations reported to have ants. In my career, I have found that ants are a very big problem in filing rooms for some reason. Anyway, sure, let’s take a tour and look at those ants.

After taking me on an extensive tour of the facility showing me locations of reported problems, she excused herself and let me get after measuring rooms to get the cubic footage because my employer charges by that and all.

Rounding a corner, I walked into the filing room, again, the person at the computer in this room reported bad ant problems. “Do you need me to step out so you can work?” he asked. “If you don’t mind, I can go ahead and take care of this ant problem for ya right now,” I replied. He quickly excused himself and shut the door on the way out.

Did I mention, I’m not a pest inspector? “What do I know about pest control?”

“What do ya know, he left the computer unlocked. Looky here, account data.” A local printer and Ctrl-P, thanks for the help. Now let’s dig through these filing cabinets and look for some hot files to photograph. “Why it’s Ms. Doe’s account.” Click. “Here’s a few large business accounts, I’m sure these are worth some money.” Click click click. Oh, almost forgot, just for a nice touch, I brought canned air. Better make sure I spray it from time to time to sound like I’m spraying for bugs to avoid suspicion. I later learned the showboating wasn’t so important, but this was my first assignment as a pest inspector, and what do I know about pest control?

For grins, I opened all the filing cabinet drawers, stood on the desk, and took a few pictures of the room. Now let’s move on.

After packing back up, I slipped quickly out the door. My helpful evacuee was not to be seen but the ladies outside looked up at me. I had forgotten the goggles and dust mask I had donned in case someone busted in while I had those drawers open. “Oh, better tell him not to go back in there for at least 30 minutes, but that ant problem you have is solved.” Yeah that’s right, that would give the evilest of criminals a good thirty minutes to get away before the explosives go off. Scary, ain’t it?

That was one of several frighteningly similar social engineering engagements I have been on across the country over the past few years. I have been in several organizations such as this, too many to count. As I mentioned, I learned the extra touches were not needed. No one cares. If they do, they don’t question it anyway. I have never failed. Not once. I’m not bragging on my skills, it’s just that bad.

Even on an engagement where they set me up to fail, I won. Well, won is not appropriate. Let’s just say, they failed. The client had said a pest inspector wouldn’t work because they were in a shared space and that was controlled by the property management. That makes no sense, I had done plenty like that. In fact they are easier because the employees don’t care who the property management sends to do these jobs. Customer is always right of course so we decided on a phone guy. What do I know about phones? Perhaps, surprisingly little. I should know more, but I don’t. I could certainly mess up your lines with the equipment I bought at Home Depot though! I asked if they had their own phone guy, and was told no. They also wanted to test piggybacking and when asked if they had any sort of uniform or anything I was told no and they dress business casual. I show up and I’m escorted by, you guessed it, their internal phone guy. He wasn’t letting me do anything because they had so many problems with their phones. OK, FAIL. Now back to the hotel, a quick shave and fixing of my hair, the donning of a suit to dress over them and I returned. I was stopped by someone who I could have sworn was reading off a teleprompter with her speech about not letting me in. They did all wear the same company logo emblazoned golf shirts by the way. That was nice. So there was FAIL two. My first defeat. So I thought. I returned to the vehicle, got my computer gear bag and returned to do some pen testing. The receptionist had her head below the counter, I quickly turned into a different room. The mail room FTW. Oh look, a box full of accounts with socials and such was in there. Click click click. The client called foul, that the box wouldn’t be there normally. When I say given a long enough timeline you can get in anywhere, sometimes that timeline is much shorter than you would imagine.

I think it goes without saying that’s not the name of the bank and Ms. Doe did not manage it. Although, I’m sure I’ve been in a bank with a similar name. I don’t believe I’ve ever met a Doe though.

What can we learn from this? I’m not sure really. Invest in coffee cans? Certainly burying your money in the back yard would make it much harder for me to get a hold of your data. That’s not practical. What needs to be done is of course, awareness training. People are the weakest link in security. They always will be. You can’t firewall stupid. In my time in this field, I have found that it simply doesn’t matter what you as a security engineer does. Why come through the network and risk IDS sensors lighting me up when your employees give me the keys to your data center? No seriously, that DID happen. Come back for a future post with some tips on what to do. Or google it, I’m sure the Internet is ripe with tips on stopping this and you believe everything you see on the internets right? This article isn’t another social engineering attempt is it?

Sleep well kiddies.

-Twisted

Thanks, and good night.

By the way, apt-get install Ubuntu is the only Windows patch you will ever need.

All,

The IT department has received information that there is a very complicated Virus that has been infecting computers worldwide and there is no 100% safeguard against it. This virus is capable of doing serious damage to your PC and it is very hard to remove once a PC is infected. We have had a few reported cases here at Pwned Industries that we detected and resolved immediately. We have also verified our virus scanners are up to date.

As always, please be very cautious of any email received, especially if it has an attachment. This could be sent by an external or internal person. If you do receive a suspicious email and aren’t sure what to do, please create a service request from your desktop icon, the helpdesk website http://omgyoureallyhaveapubliclyaccessiblehelpdesk.com or call Helpdesk @ Ext 1234 [seriously, I didn't change the extension, that's really it, what are the odds?].

*****Do not open the email or attachment till IT gives you instructions*****

Very Important – If you get an IE or Windows pop up on your desktop stating it is “Antivirus 2009″ please do not do anything. Call the helpdesk @ Ext 1234 immediately. Thank you

Regards,
Innocent Victim- Network Systems Admin
Pwned Industries
Phone: 123-123-1234
Fax: 123-123-1235
IVictim@PwnedIndustries.com

“Life itself is easy. Humans and their actions are what make it hard”

What I have learned, is that Pwned Industries is infected with a Trojan and doesn’t have much confidence in their ability to detect it. They also think said Trojan is new which further sends shivers of joy up my hacker spine. How did I come about such sensitive information? Well you see, Johnny Looselips over there thought he would help his friend out by forwarding an email from his Network Admin warning about the Trojan.

In addition to sending the letter in its entirety, he also sent it from his corporate email address. Even if he had thought “gee, maybe it’s a bad idea to alert outsiders of a TROJAN running rampant in my employer’s network, maybe I should scrub identifying data,” he still sent it from his corporate email address.

Additional nuggets not to be overlooked in this prime harvest include the link to their publicly accessible helpdesk, and name and number of the admin. I’m betting I have two user names in their email addresses (the admin’s and Mr. Looselips’ who forwarded this email out). I also have the number to the help desk. “Hi, I’m Johnny Looselips and I forgot my password to the helpdesk. I got this email about this Trojan and I think I’m infected. I tried running the AV2009 tool and my computer seems to be getting worse. Please help me reset the password so I can get it fixed!” The signature line of this unfortunate Network Systems Admin, tragically sums it up “Life itself is easy. Humans and their actions are what make it hard.” Touché, good sir, touché.

As the title of this article states, there are no fire walls for stupid. Users continue to be teh weakest point in your network. What are you doing to raise awareness at your organization?

-Twisted
2387dnrqct