Friday, November 25, 2011

Protecting Kids Online



One of the issues I’ve been struggling with over the past ten or so years is how to protect kids online. The Internet offers a world of opportunities. People of all ages share photos and videos, build online profiles, text each other and create alter egos in the form of online avatars. These ways of socializing and communicating can be fulfilling, and yet, they come with risks:

  • Inappropriate Conduct: The online world can convey a false sense of anonymity and kids sometimes forget that their online actions have real-world consequences. 
  • Inappropriate Contact: There are people out there that have bad intentions; predators, bullies and scammers.
  • Inappropriate Content: Kids can easily come across pornography, violence or hate speech online.

Some questions to ask yourself as an adult:

  1. Do you think your child knows more about the Internet and technology than you do?
  2. Do you think you know more about communicating respectfully off-line than your child does (parents don’t have to be tech-savvy to know a lot that’s relevant to this topic)?
  3. How much time do you think your kid spends online each day? Each week? That includes time on their phones!
  4. What are your kids’ favorite websites or online games?
  5. Do your kids have their own computers? Do they have cell phones?
  6. Do you supervise what your kids do while online and offer guidance, or are they allowed free rein?
  7. What are your main concerns about online safety?
  8. Do you text? Do you text with your children?

It’s also a good idea to talk with your kids about online safety. To kick things off, here are some questions you can ask your kids:

  1. How much time do you spend online?
  2. What do you like to do online?
  3. Do you sleep with your cell phone in reach?
  4. Do you post pictures online? 
  5. Have you ever posted or sent anything you later regretted?
  6. Have you or one of your friends ever received a text message that was hurtful or mean-spirited?
  7. Have you ever talked to your parents about something that bothered you online?
  8. Have you ever talked to another adult about something that bothered you online?

Make your conversation interactive. Ask your kids how they might have handled an incident that involved sharing too much information, cyberbullying, posting embarrassing photos or sexting.

For more information, the US Government has created OnGuardOnline.gov, a site that provides practical tips from the federal government and the technology community to help you guard against internet fraud, secure your computers and protect your privacy. The project is managed by the Federal Trade Commission, the nation’s consumer protection agency, and includes more than a dozen federal agencies.

Additional Resources

  • OnGuardOnline.gov - Practical tips from the federal government and the technology community to help people be on guard against Internet fraud, secure their computers and protect their privacy.
  • FTC.gov/idtheft - The Federal Trade Commission's website has information to help people deter, detect and defend against identity theft.
  • StaySafeOnline.org - The National Cyber Security Alliance seeks to create a culture of cyber security and safety awareness by providing knowledge and tools to prevent cyber crime and attacks.
  • CommonSenseMedia.org - Common Sense Media is dedicated to improving the lives of kids and families by providing trustworthy information, education and voice they need to thrive in a world of media and technology.
  • GetNetWise.org -  A project of the Internet Education Foundation, the GetNetWise coalition provides Internet users the resources to make informed decisions about their and their family's use of the Internet.
  • CyberBully411.org - CyberBully411 is an effort to provide resources for youth who have questions about or have been targeted by online harassment.
  • ConnectSafely.org - ConnectSafely is for parents, teens, educators and advocates for learning about safe, civil use of Web 2.0 together.
  • iKeepSafe.org - iKeepSafe educational resources teach children of all ages, in a fun, age-appropriate way, the basic rules of Internet safety, ethics and the healthy use of connected technologies.
  • NetFamilyNews.org - A nonprofit news service for parents, educators, and policymakers who want to keep up on the latest technology news and commentary about online youth, in the form of a daily blog or weekly email newsletter.
  • NetSmartz.org - The NetSmartz Workshop is an interactive, educational safety resource from the National Center for Missing & Exploited Children.
  • WiredSafety.org - WiredSafety provides help, information and education to Internet and mobile device users of all ages.



Thursday, November 24, 2011

Schedule Emails to be Sent Later in Gmail


I have happily been a Gmail and Google Apps account holder for several years. A feature that I felt had been lacking was the ability to schedule emails to be sent at a later date. I've searched for various solutions ... all of them disappointing ... until recently when I came across Boomerang for Gmail which does just that; it lets you write an email now and schedule it to be sent automatically at a scheduled time. There are both Google Chrome and Firefox plugins for Boomerang. The plugin adds a “Send Later” button in Gmail. It doesn’t get much easier than that to schedule emails for sending at a later date.

If you're interested in using Boomerang for free, here's the link: Boomerang for Gmail

Monday, November 21, 2011

Water System Attack on City Water Station Destroys Pump


Last week a disclosure was made about a public water district SCADA system hack. There have been several reports in the press concerning the attack on the control system of the city water utility in Springfield, Illinois and the resulting burn-out of a pump. Law enforcement is investigating.

[UPDATE] 11/29/2011 - Department of Homeland Security officials are now saying that the water-pump failure in Illinois wasn't a cyberattack after all. READ MORE

ICS-CERT Report - (ICSB-11-327-01—ILLINOIS WATER PUMP FAILURE REPORT)


Friday, November 18, 2011

Operation Ghost Click

The FBI is seeking victims in a DNS Malware Investigation for the case of UNITED STATES v. VLADIMIR TSASTSIN, ET AL. Specifically, the FBI is seeking information from individuals, corporate entities and Internet Service Providers who believe that they have been victimized by malicious software related to the defendants. As you know from the news blurbs that I've been sending out, this malware modifies a computer’s Domain Name Service settings, and thereby directs the computer to receive potentially improper results from rogue DNS servers hosted by the defendants.

On your own systems, and the systems you manage, it's recommended that you check the DNS settings and register as a victim of the DNSChanger malware if the DNS entries have been modified to point to the defendants' DNS servers. Complaints can be filed here: https://forms.fbi.gov/dnsmalware

For more information, including steps on how to check your DNS settings, go to http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf.
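The core of the check the FBI document describes is simple: compare the resolvers a host is actually configured to use against the ones you expect. The script below is an added example (not from the original post or the FBI bulletin) that parses a resolv.conf-style file and flags any resolver that is not on your expected list; the `EXPECTED_RESOLVERS` addresses are constructed placeholders, and the rogue ranges named in the FBI PDF are not embedded here but can be supplied in `FLAGGED_RANGES`.

```python
"""
Audit a host's configured DNS resolvers against an expected allow-list.

Added example, not code from the original post or the FBI bulletin.
EXPECTED_RESOLVERS are constructed placeholders (TEST-NET addresses);
replace them with the resolvers your ISP or administrator assigned.
FLAGGED_RANGES is left empty: fill it from an authoritative source
such as the linked FBI PDF if you want a 'flagged' verdict as well.
"""
import ipaddress
import re

EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}   # constructed placeholders
FLAGGED_RANGES = []                                  # e.g. ["198.51.100.0/24"]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order.

    Comments introduced by '#' or ';' are stripped before matching.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolver(ip_text, expected=EXPECTED_RESOLVERS, flagged=FLAGGED_RANGES):
    """Classify one resolver: 'expected', 'flagged', 'invalid' or 'unexpected'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"          # garbage in the config is itself worth a look
    if str(ip) in expected:
        return "expected"
    for net in flagged:
        if ip in ipaddress.ip_network(net, strict=False):
            return "flagged"      # matches a published rogue range
    return "unexpected"           # valid address, but not one we assigned


def audit(text, expected=EXPECTED_RESOLVERS, flagged=FLAGGED_RANGES):
    """Audit a config; return (ok, findings) with findings as (ip, verdict) pairs.

    ok is True only when at least one resolver is present and all are expected.
    """
    servers = parse_resolv_conf(text)
    findings = [(s, classify_resolver(s, expected, flagged)) for s in servers]
    ok = bool(servers) and all(v == "expected" for _, v in findings)
    return ok, findings


# Constructed sample: a config that has been rewritten to add an unknown resolver.
SAMPLE_TAMPERED = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 203.0.113.7   ; not one of ours
"""

if __name__ == "__main__":
    import sys
    try:
        with open("/etc/resolv.conf") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_TAMPERED   # fall back to the constructed sample
    ok, findings = audit(text)
    for ip, verdict in findings:
        print(f"{ip:<20} {verdict}")
    print("OK" if ok else "REVIEW: resolver settings differ from expected")
    sys.exit(0 if ok else 1)
```

On Windows the same comparison applies to the DNS servers listed by `ipconfig /all`; the parser here only handles the resolv.conf format.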



Wednesday, November 16, 2011

Department of Defense Cyberspace Policy Report

The Pentagon published its most explicit cyberwarfare policy to date. The report states that, if directed by the president, the DoD will launch "offensive cyber operations" in response to hostile acts. Hostile acts may include "significant cyber attacks directed against the U.S. economy, government or military."

Here's a link to the report:
http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf


Sunday, May 31, 2009

Cyberspace Security Review

On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White House. Obama will sign a classified order within the coming weeks that will create the military cybercommand.

He stated that cyber-criminals have cost US citizens over $8 billion worth of stolen data and that the figure worldwide was up to $1 trillion.

The announcement came with the release of the Cyberspace Security Review, a 76-page document that had 60 days to be completed from the date of the initial request. The Cyberspace Security Review explains how the US intends to secure its critical network infrastructure. It was stated that the review was necessary because, “America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration”, and that, “our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.”

The Cyberspace Security Review made the following 10 recommendations for near-term action:

  1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
  2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
  3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
  5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
  6. Initiate a national public awareness and education campaign to promote cybersecurity.
  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
  8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
  9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

What is promising about the Review is that there's repeated focus on outcomes as opposed to the inputs. Too often forward progress is hindered by the inefficient efforts of trying to define process before goals and objectives are clearly defined and understood. Rather, the Review consistently attempts to make it clear what the strategic outcomes are, and from those objectives, the development of process will be guided.

The Review also states, “Other structures will be needed to help ensure that civil liberties and privacy rights are protected.” The inclusion to help protect our privacy and civil liberties is an indication of the balanced intention of the plan.

Money will also be set aside for research and development of security technologies, from which there will be significant opportunity.

What I'm not certain about is the overall effectiveness the Cyber-Security Chief will have. Specifically, the position will not have direct access to the president. As a result, this position may not be high-level enough to prevent the almost certain bureaucratic nonsense, internal bickering and games that could waste millions/billions of dollars.

Though the Review solely focuses on defensive measures, I'm also curious what efforts are underway, if any, towards the development and potential use of cyberweapons.

Overall, the document doesn't suggest that there will be any major changes that will affect the private sector within the near term. The Review recommends specific changes to the direction of future US policies. Within the mid-term I imagine that lawmakers will develop regulations that will require the sharing of security incident data from the private sector with the government, presumably tempered with the commitment to ensure civil liberties. I anticipate that we will also see more emphasis put towards penetration testing and incident response.

Steve

###

Wednesday, May 27, 2009

How ITIL Can Improve Information Security

By: Steven Weil

Introduction

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Procter & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations implement and manage information security.

ITIL overview

ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books.

When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books. These contain a set of structured best practices and standard methodologies for core IT operational processes such as Change, Release, and Configuration Management, as well as Incident, Problem, Capacity, and Availability Management.

ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization who commission and pay for IT services (e.g. Human Resources, Accounting), are considered to be "customers" of IT services. The IT organization is considered to be a service provider for the customers.

ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.

The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program.

Organizations can benefit in several important ways from ITIL:

  • IT services become more customer-focused
  • The quality and cost of IT services are better managed
  • The IT organization develops a clearer structure and becomes more efficient
  • IT changes are easier to manage
  • There is a uniform frame of reference for internal communication about IT
  • IT procedures are standardized and integrated
  • Demonstrable and auditable performance measurements are defined

ITIL details

ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels:

  • Strategic: An organization's objectives are determined, along with an outline of methods to achieve the objectives.
  • Tactical: The strategy is translated into an appropriate organizational structure and specific plans that describe which processes have to be executed, what assets have to be deployed, and what the outcome(s) of the processes should be.
  • Operational: The tactical plans are executed. Strategic objectives are achieved within a specified time.

A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices:

  • Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure.
  • Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs.
  • Problem Management: Best practices for identifying the underlying cause(s) of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.
  • Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.
  • Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.
  • Availability Management: Best practices for maintaining the availability of IT services guaranteed to a customer (for example, optimizing maintenance and design measures to minimize the number of incidents). These practices ensure that an IT infrastructure is reliable, resilient, and recoverable.
  • Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are provided efficiently, economically, and cost-effectively.
  • Service Level Management: Best practices for ensuring that agreements between IT and IT customers are specified and fulfilled. These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk's most important responsibilities are monitoring incidents and communicating with users.

Figure 1 depicts the above processes, showing how the Service Desk function serves as the single point of contact for the various service management processes.

Figure 1. ITIL Service Management Processes

More detailed information about the above processes and Service Desk function can be found in the references listed at the end of this article.

ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:

  • Policies - overall objectives an organization is attempting to achieve
  • Processes - what has to happen to achieve the objectives
  • Procedures - who does what and when to achieve the objectives
  • Work instructions - instructions for taking specific actions

It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:

Figure 2. Information Security Process

As some organizations look at Implementation and Monitoring as a single step, ITIL's Information Security Process can be described as a seven step process:

  1. Using risk analysis, IT customers identify their security requirements.
  2. The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.
  3. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.
  4. Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.
  5. The SLA and OLAs are implemented and monitored.
  6. Customers receive regular reports about the effectiveness and status of provided information security services.
  7. The SLA and OLAs are modified as necessary.

Service level agreements

The SLA is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should include:

  • Permitted methods of access
  • Agreements about auditing and logging
  • Physical security measures
  • Information security training and awareness for users
  • Authorization procedure for user access rights
  • Agreements on reporting and investigating security incidents
  • Expected reports and audits

In addition to SLAs and OLAs, ITIL defines three other types of information security documentation:

  • Information security policies: ITIL states that security policies should come from senior management and contain:
    1. Objectives and scope of information security for an organization
    2. Goals and management principles for how information security is to be managed
    3. Definition of roles and responsibilities for information security
  • Information security plans: describes how a policy is implemented for a specific information system and/or business unit.
  • Information security handbooks: operational documents for day-to-day usage; they provide specific, detailed working instructions.

Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and manage information security.

  1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
  2. ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
  3. With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
  4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes-Oxley).
  5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
  6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
  7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
  8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
  9. ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
  10. ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.

Implementing ITIL

ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption.

Implementing ITIL does take time and effort. Depending on the size and complexity of an organization, it can require significant up-front time and effort. For many organizations, successful implementation of ITIL will require changes in their organizational culture and the involvement and commitment of employees throughout the organization.

Critical factors for successful ITIL implementation include:

  • Full management commitment and involvement with the ITIL implementation
  • A phased approach
  • Consistent and thorough training of staff and management
  • Making ITIL improvements in service provision and cost reduction sufficiently visible
  • Sufficient investment in ITIL support tools

Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.


Author Resource: Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at sweil@sla.com.

Article From: SecurityFocus