Know your smartphone

So many people are buying smartphones, I thought it might be wise to throw in a cautionary note about just how powerful these devices are. The smartphone of today is more powerful than the laptop of a few years ago. Along with the widespread adoption of these devices come the increasing of their risk profile. That is to say that the more popular something is, the better a target it becomes for those who have less than good intentions. Currently there haven't been any really nasty attacks seen in the wild yet. The devices are definitely prime targets, and you can be sure that the bad guys are working hard at trying to figure out how to leverage this technology in order to get at your information. This article discusses some potential nastiness on the Android platform. Security vulnerabilities have been well advertised on the iPhone which have, or should have, prevented their widespread adoption for corporate use. Currently the Blackberry remains the most "secure" platform for business use by employing active encryption of the contents at the expense of the "cool" factor that Android and iPhone show off. the iPhone 3GS offered encryption but the operating system kernel automatically decrypted the contents of the phone when you extract the data for analysis. Effectively, this means the iPhone is NOT compliant with the standard corporate policy requiring encryption at the device level; but don't take my word for it. To be fair, I don't believe Android even makes the veiled attempt that Apple makes and makes their sdk freely available to the world. Device-level encryption for both of these platforms needs to be off-loaded to a third party to adequately secure your data.

So, beyond your data NOT being secure, take a minute and think about how inter-woven this device is into your life. How much data, personal and professional, is on there. If I had complete access to your phone what could I learn about you, your family, or your work. I don't know you, but I bet it's a lot ;-). This week, Google removed two applications from all Android-based phones to protect their users. There is some debate on whether this is Google's business or not but that's not an interesting argument to me. I will follow this up with a video that demonstrates application installation on the Android platform and how we should be aware of what we install and the access that application should or should not need to the different functionalities on your phone. As a good rule of thumb try to remember that no one is as interested in protecting your data as you are. That means that if you're not interested, then no one is going to do that for you.

Current Projects in Smart Grid Security

I have been immersed in smart grid projects and have been learning a lot about this industry. here are few of the many projects I have been fortunate enough to be a part of.

I am currently a security engineer for the Smart Grid Engineering team at EnerNex. I am supporting cyber security and systems architecture for the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), Open Home Area Network (OpenHAN), and Smart Grid Networking (SG-Network) groups. I have been contributing to the UCAIug Home Area Network System Requirements Specification, SG Network System Requirements Specification, Distribution Management (DM) Security Profile, and other blueprint documents for the Smart Grid Security (SG Security) group. I also recently joined the Smart Grid Interoperability Panel (SGIP) as a member of the Cyber Security Working Group (CSWG) which is developing a comprehensive set of cyber security requirements for the smart grid. Mostly this means I listen to incredibly brilliant people prepare and engineer the smart grid while trying to learn as much as I can about how electric power works. Occasionally, I have some input based on past experiences concerning cyber security best practices or security architecture. It's truly an honor to be working on these projects with such a diverse group.

Vulnerabilities

I have been listening and watching some really good talks online about discovered vulnerabilities and new threat and attack vectors. While you must take hacker and pen tester claims with a grain of salt, there is something to be said for some of the tools and demonstrations I have seen over the past year. In particular, I am impressed with the social engineering efforts I have seen. I am really looking forward to trying out some of the tools I saw last week which really demonstrate what lack of user education and awareness can do when coupled with a little bit of technological ingenuity. These methods would likely have a 75% or higher success rate and, when successful, will completely compromise your target. Now I guess the question some will have is "How do I prevent it?" I love to hear that question, it's much more refreshing than hearing "that can't happen here" or "we're the best.." and yeah I have heard people boldly state that.

There's no new method of prevention, Information Security (or Cyber Security) is not difficult or overly complex. It consists of understanding current threat and attack vectors, knowing where your organization is deprecated or deficient, and mitigating or remediating those deficiencies. The problems pop up when you either hire the wrong people to defend your enterprise or you hire the right people and do not give them the funding and authority they need to accomplish their mission. Having worked in several different environments, it's pretty rare that the absolute wrong folks are hired but it definitely happens and you might be surprised at the types of places that have that issue. More often, I have witnessed the lack of authority and funding for security. Now, we could go into what make people "right" or "wrong" for these positions but if you work in infosec and don't know what I mean when I say that then I can't really help. It's kind of like being able to point out that one annoying relative every family has; if you can't identify who that is in your family, it's probably you. If it's you, no problem there's plenty of training and reading that can bring you right into the loop if you want to be there. I recommend SANS for training, and their certification process. If you really want a deep dive from the community you are doing yourself a disservice if you don't check out DefCon and BlackHat. Other good cons include Shmoocon and CanSecWest. I am sure there are more but these are what came to mind. If you know of some good cons that really educate folks please post them. The more information we can get out there together, the better we can defend our infrastructures.

Awesome!

SANS Training coming up

Check out this link to my upcoming SANS training here in Knoxville. Save some time and money and take a SANS mentor class locally.

Adobe is finally patched

Last week Adobe released a patch for some vulnerabilities that have been plaguing the Internet since June of last year. Adobe has products that make for great attack surfaces because it works on Windows, Linux, and Mac. The latest exploit was cross-platform making the attack pretty scary by allowing an attacker to take complete control of your system.

In order to protect your computer, go to their website (http://www.adobe.com/) and download the flash player update. This update is for Adobe Flash and is considered a complete re-write of their flash player. The flash player vulnerability was quite serious and can be exploited through a web page or a pdf document. If you want to know more about the update/vulnerability, read this page.

Laptop Backpack

About a month ago I began a search for a laptop bag for my 15.6" Dell laptop. I had no idea it would turn into a quest to find just the right features, and how rare some of these features are. Since I plan to be traveling I wanted to make sure the pack was large enough to carry two laptops and an overnight change of clothes. Because I wanted a fairly large pack, it needed to have compression straps also. This eliminated the wildly popular and functional Wenger series that I had been eyeing. Although they had great capacity, and the ability to stand independently, they lacked a few other essentials. That was a big letdown because those are nice bags. I particularly liked the steel cable handle they put on the top. The other essential feature I wanted was the ability to attach a carabiner, d-ring, or s-biner. I carry a rain shell instead of an umbrella and like to attach it to the outside of the bag. I considered a waist belt optional but if it had a waist belt it had to be more than a half-inch strip of fabric AND it had to be stowable.

The ONLY bag I found to satisfy all of this criteria are the bags made by Spire USA. Even the bags made by North Face, Mountain Hardware, and other "real" packs lacked several features. If they had the features, they didn't seem to be well oriented for IT-related use. The Spire Torq seems perfect for me. Initially, it was hard to transition from a messenger bag, but I have persevered.

The stuff from Spire isn't cheap, but it's worth it.

Accessdata Merging with CT Summation

I got this link in an e-mail today:
http://www.accessdata.com/downloads/media/AD_Summation_MERGER.pdf

I am a big fan of AccessData's Ultimate toolkit, and other forensic software, but was shocked to see they were merging with someone else. I hope both companies do well and I will begin researching CT summation soon. My guess is that Accessdata just wanted a bolt on EDiscovery solution. If so, brilliant move.