What is Privacy?

It’s an interesting question to ponder… What is privacy?

Let’s look first at the definition of privacy from Merriam-Webster.com:

For the purposes of this conversation I believe the important word in that definition is the unauthorized part of “unauthorized intrusion”.

I believe privacy means Choice. It means that you as a human being have the choice on what to share, to whom, and when. I believe this is a fundamental right for every human.

Now this seems to be straightforward, but for some it seems controversial at times. Some people will claim that there is no privacy left in the world, that everything is already ‘out there’, so what is the point? I do not agree with that sentiment, and moreover, I believe that almost everyone has an unrealized and deeply rooted sense of privacy in their daily lives.

We have walls on our houses, we have curtains on our windows, there are doors on the bathrooms. Look at it like this, how many people would utilize a completely glass bathroom in a restaurant, where all patrons would be able to see you conducting restroom activities? Point in fact, there are many comedic videos of this very thing on YouTube, and most people see the glass, and immediately decide to ‘hold it’.

What about publishing the content of your internet browser history, or the texts on your phone, or pictures? Would you be comfortable sharing with the world all the content of your phone? Some people would hand over their phone without hesitation, while others would nervously and protectively slip their phone in their pocket and walk away. I think both sides are okay. You have the choice to share or not.

It is when privacy is no longer a choice that it becomes a problem. I believe that the new privacy legislation in the world is a recognition that a person should have that choice again, and if they decide to share, great… if they decide not to share, that is great as well. While there are a few exceptions, giving people the choice not only protects their rights (and at times their safety), it also shows them respect and dignity as a human being.

The Art of Privacy

I feel bad that I have not posted in a while to the blog. With starting the Certificate in Privacy and Cyber law and with the pandemic, my time over the last 6 months has been limited.

However, I have recently presented at the EDUCAUSE Security Professionals Conference 2020 and after some great conversations with people, I have an additional ‘The Art of’ series I want to present.

The Art of Privacy will be a background series on the history, concepts, and implementation of privacy in the world and in organizations. Hopefully people find it useful and maybe entertaining.

I hope everyone is doing well!

-Jonathan

Border Security to Border-less Security

With the unprecedented move to telecommuting in the last week for many industries, it is critical for security teams to understand that many traditional security measures become difficult for the organization to maintain, thus needing a different mindset.

The idea of maintaining border security on your organization’s central network is changing to the need to maintain the border of each device that is outside of your environment. Basically, we have gone from a form of macro security to micro security.

Here is a familiar checklist that I am using moving forward:

  1. Do you know what hardware is being used by your employees to access critical services? Is it organizational or personally owned?
  2. Do you know what software they will be using?
  3. Do you have some way to conduct and report on a vulnerability assessment of their device?
  4. Are the device’s administrator accounts being managed correctly? Do you have a policy on how administrative privileges are used?
  5. Are the operating system, software, and hardware of their device set up and maintained in a standard secure configuration?
  6. What kind of logging are you getting from the device on its current security state?
  7. Does the computer have appropriate protections on the mail client and browser? What browser add-ons are allowed? What security features are required?
  8. Does the device have appropriate malware protection?
  9. What services and network access are allowed on the device? Do you have a standard configuration? Can you check whether the configuration has been modified?
  10. Does the device have a process for backup and/or recovery? Do you have the ability to recover the device remotely?
  11. Is the host-based firewall set up correctly? Do you have a standard & secure configuration?
  12. Does the organization have appropriate controls around the critical services to allow remote users to access securely?
  13. Is the data on the remote device appropriately encrypted & secured?

Obviously these are the first 13 of the CIS Top 20 Security Controls, applied to individual devices in our environment. However, as our security posture has significantly changed in the last week, I feel they are important to evaluate again, and apply to the current situation.

Good luck everyone, the world has changed around us, but our goals to defend and protect are the same!

DoD now requiring minimum cyber security controls from its contractors.

The Department of Defense is now requiring contractors to meet a standard level of cyber security protection. The “Capability Domains” seem to be a mix of the various standard controls that the IT Security profession has been promoting for years (i.e., the CIS Top 20).

I can definitely see this as a requirement that gets adopted by other departments, such as the Department of Education, FTC, etc.

thoughts?

I personally am supportive.  I have found that for every organization that does IT Security well, there are 10 more that “don’t have the resources”.  This might give IT the extra push to convince their leadership of the need to hire (or train) security professionals and implement basic security controls.

-Jonathan

https://www.bleepingcomputer.com/news/security/dod-to-require-cybersecurity-certification-from-defense-contractors/

The “Cyber” Workforce: Do we have an employee shortage, or an employer shortage?

“The U.S. will have as many as 3.5 million unfilled cybersecurity jobs by 2021.”

I received that sentence in an email yesterday. I was curious as to where these numbers come from. How do you calculate this sort of shortage? I understand it was intended to be a ‘shock and awe’ type of message, but I believe that such statements are inconsiderate and ignorant of the bigger issue of the future of ‘cyber’.

I don’t believe we have an employee shortage in the traditional sense. I know many people who are experienced IT Security professionals who are without a job right now. I also know that many ‘cyber’ students are graduating and only finding work in tier 1 support positions. Anecdotally, this seems to be in direct contrast to the original statement of 3.5 million unfilled positions.

I believe the real problem is not that we have unfilled positions, it is the fact that employers are not hiring security professionals.

Another comment I hear often is that security professionals are being pulled to other parts of the country (east/west coasts, major cities, etc.). I believe that is generally true, but cyber problems are not just on the coasts or in big cities. While I am glad that some organizations in those geographical areas are supportive of the IT Security industry and are drawing applicants, are we not having the same security problems in the local community?

In the last week or so, I have spoken to 3 organizations locally that do not have, nor are they looking for security professionals for their organization. They were having a variety of security/compliance issues, some of which would have been easily mitigated with the addition of qualified security staff. In a few hours I am participating in a panel discussion with some security colleagues in front of 50-70 small business owners, most of whom do not have security professionals.

I do believe we have an employee shortage in the industry, but it’s not because we have open positions, it is because we have organizations who are not hiring qualified/skilled professionals. We have more ‘cyber’ student/training programs than ever before in history, more prospective employees with security skill sets, but we still have organizations who have no security staff.

What is the solution?

While I have some ideas, I’m looking for your thoughts.

Within the security industry I believe we need to do more outreach to the community and into other industries.

• Last fall I called in a favor and was able to provide a security presentation to a local HR conference. They loved the content and hopefully it helped them have more ‘cyber’ conversations within their own organization.
• This coming spring I am teaching a couple of classes at BSides that are specifically designed for non-technical staff. I want them to see cyber-attacks first hand so we can discuss what they are, why they happen, and how an organization can defend against them.
• The local ISSA chapter is working with the K-12 schools in a steering committee capacity, providing security experience and discussion for their IT staff.
• We have recently discussed having a ‘track’ at future security conferences that is for non-security attendees, and specifically inviting management of a variety of non-security industries to attend.

I know these are small things, but I believe that the more outreach we can do to help organizations to be aware of the need and value of having security staff and a security program, the better the overall community becomes. If more organizations are aware of the need for a security program, the more security professionals would be employed, and the organization would hopefully be better defended.

What other things can we do to engage the community and help support stronger security awareness?

History of IT

For the last few days I have been watching old episodes of ‘The Computer Chronicles’. It’s amazing to see the computer advancements of the late 80’s and early 90’s. The hardware technology, such as monochrome to color screens, battery life, size, etc., was making huge jumps every year. It was an amazing time for computers.

Then came the Internet and Windows 95! It is fascinating the ‘new’ things they were talking about at the time… Drag and drop, ‘My Computer’, ftp, html…. Things that we take for granted now, but at the time they were new concepts that nobody knew about.

I don’t always appreciate how far technology has come in the last 30 years, but it’s actually been pretty fantastic!

If you are interested, do a search on youtube for ‘The Computer Chronicles’ and enjoy!

Incident Response: Command Line Log Redaction

During a recent incident response, it was necessary to take a very large text file (70,000 lines, about 25,000 printed pages), query it, and redact information before passing it to the incident response team. With some command line processing I was able to redact personal identifiers (MAC address and username) except for the ones in question.

I have included the process below. While it can certainly be improved, it is a prime example of the kinds of tasks that may be required on short notice during an incident response.

It is incredibly important to test, retest, and double retest your code and the resulting information to ensure you do not change the integrity of the original logs and/or fail to redact appropriately (a failure that may violate several federal compliance requirements). Also make sure you provide a copy of your code and process to the incident response team for independent review.

	#!/bin/bash
# Code to query and redact a file called Preservation.txt.
# sed -i edits in place (GNU sed syntax; BSD/macOS sed needs: sed -i '' -E ...).
# Work on a copy of the preservation file, never on the original evidence.

# search logs for 1200 as a string for 2 specific dates and send to a file

	grep 1200 Preservation.txt | grep -e 2019-02-06 -e 2019-02-07 > search1200.txt

# search logs for 2400 as a string for April 2019 and send to a file

	grep 2400 Preservation.txt | grep 2019-04- > search2400.txt

# search logs for 3100 as a string for 2 specific dates plus April 2019 and send to a file

	grep 3100 Preservation.txt | grep -e 2019-02-06 -e 2019-02-07 -e 2019-04 > search3100.txt

# replace the first.lastname of interest in all three files with a placeholder that
# the redaction step will not match (it has no bracket, so User\[...\] cannot hit it)

	sed -i -E 's/User\[first\.lastname\]/xUser/g' search*

# redact all other usernames from the 3 files. [^]]* stops at the first closing
# bracket; ERE has no non-greedy (.*?), so the original pattern was greedy and
# would swallow everything up to the LAST ] on the line, including any MAC[...] field.

	sed -i -E 's/User\[[^]]*\]/User[*******]/g' search*

# return the first.lastname of interest in all 3 files

	sed -i -E 's/xUser/User[first.lastname]/g' search*

# replace the 3 MAC addresses of interest in all three files with placeholders that
# will be ignored during the redaction (no bracket, so MAC\[...\] cannot match them)

	sed -i -E 's/MAC\[AA:AA:AA:AA:AA:AA\]/xMAC/g' search*
	sed -i -E 's/MAC\[BB:BB:BB:BB:BB:BB\]/x2MAC/g' search*
	sed -i -E 's/MAC\[CC:CC:CC:CC:CC:CC\]/x3MAC/g' search*

# redact all other MAC addresses except for the last two octets (last 4 hex digits)

	sed -i -E 's/MAC\[[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}/MAC[*:*:*:*/g' search*

# return the 3 MAC addresses of interest in all three files

	sed -i -E 's/xMAC/MAC[AA:AA:AA:AA:AA:AA]/g' search*
	sed -i -E 's/x2MAC/MAC[BB:BB:BB:BB:BB:BB]/g' search*
	sed -i -E 's/x3MAC/MAC[CC:CC:CC:CC:CC:CC]/g' search*
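The same redaction written as a reusable function, as an added example and not the script from the post. It assumes the same field format the post works with (User[first.last] and MAC[aa:bb:cc:dd:ee:ff]), takes the identifiers to keep as arguments instead of hard-coding placeholder swaps, matches each bracketed field only up to its first closing bracket so a username can never swallow the MAC field that follows it, and finishes with the kind of integrity check the paragraph above calls for (here only a line-count comparison). The log lines are constructed sample data, not real evidence.

```shell
#!/bin/sh
# Added example (not the post's script): redact User[...] and MAC[...] fields from
# log lines while keeping an allow-list of identifiers of interest. Assumes the
# field format User[first.last] / MAC[aa:bb:cc:dd:ee:ff]; sample data is constructed.
set -eu

# Constructed sample log. Line 2 carries both a User[] and a MAC[] field: a greedy
# pattern such as User\[(.*)\] would swallow everything up to the last ] on that line.
SAMPLE_LOG='2019-02-06 10:00:01 ap1200 auth User[first.lastname] MAC[AA:AA:AA:AA:AA:AA] ok
2019-02-06 10:00:02 ap1200 auth User[jane.doe] MAC[DE:AD:BE:EF:00:01] ok
2019-02-07 10:00:03 ap2400 auth User[john.roe] MAC[BB:BB:BB:BB:BB:BB] fail
2019-04-01 10:00:04 ap3100 auth User[sam.poe] MAC[12:34:56:78:9a:bc] ok
2019-04-01 10:00:05 ap3100 reboot'

# redact_log KEEP_USER "MAC1 MAC2 ...": read log lines on stdin, write redacted lines
# to stdout. Usernames other than KEEP_USER become User[*******]; MACs not in the
# allow-list keep only their last two octets (four hex digits), as in the post.
# Each bracketed field is matched up to its first closing bracket, and allow-listed
# values are compared as literal strings, so no regex escaping of them is needed.
redact_log() {
    keep_user="$1"
    keep_macs="${2:-}"
    awk -v keep_user="$keep_user" -v keep_macs="$keep_macs" '
    BEGIN { n = split(keep_macs, a, " "); for (i = 1; i <= n; i++) keep[toupper(a[i])] = 1 }
    {
        line = $0; out = ""
        while (match(line, /(User|MAC)\[[^]]*\]/)) {
            out = out substr(line, 1, RSTART - 1)
            tok = substr(line, RSTART, RLENGTH)
            br = index(tok, "[")
            kind = substr(tok, 1, br - 1)
            val = substr(tok, br + 1, RLENGTH - br - 1)
            if (kind == "User") {
                out = out (val == keep_user ? tok : "User[*******]")
            } else if (toupper(val) in keep) {
                out = out tok
            } else {
                out = out "MAC[*:*:*:*:" substr(val, length(val) - 4) "]"
            }
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Redact the constructed sample, keeping first.lastname and two MACs of interest.
redact_sample() {
    printf '%s\n' "$SAMPLE_LOG" | redact_log first.lastname "AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB"
}

# verify_line_count ORIGINAL REDACTED: the redaction must never add or drop a line;
# a changed count means the integrity of the evidence copy is in question.
verify_line_count() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq "$(wc -l < "$2" | tr -d ' ')" ]
}

# Stand-alone run: print the redacted sample.
redact_sample
```

Running it prints the five sample lines with jane.doe, john.roe and sam.poe replaced by User[*******], the two unlisted MACs reduced to MAC[*:*:*:*:00:01] and MAC[*:*:*:*:9a:bc], and the line without any identifier untouched. For a real preservation file, run `redact_log` with the file on stdin and a new file on stdout, then call `verify_line_count` on the pair before anything leaves your hands; a stronger check is to grep the redacted copy for any remaining bracketed value that is not on the allow-list.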

To Present or not to Present, that is the question.

I was talking with a friend yesterday about presenting, and I remembered something that I learned years ago that I thought I would share:

  1. When you are asked to present on a topic, determine the 3 questions you are being asked to cover. What is it that the audience is looking to glean from your time on stage?
  2. Why is it that YOU have been asked to cover this topic and answer the questions? What background, experience, or speaking style does the organizer/audience find valuable? Did you provide that value in your presentation?
  3. After you have prepped your presentation, think about the 3 questions. Did you cover them? Will your audience remember them from your presentation? If you catch an audience member after the presentation (days, weeks, months, years later), will they remember you and those things you presented?

I have had some great experiences speaking in the industry and community, and feel very fortunate every time I am asked to speak at a conference, event, or engagement. I try to be very cognizant about providing good information and value to the audience. I very much enjoy when someone comes to me afterward and says that something I had presented made an impact on how they did their job.

NIST Privacy Framework

NIST has released a preliminary draft of their Privacy Framework….

Important snippets from the article about the focus of the framework:
– the importance of collaboration between privacy and cybersecurity teams.
– it’s important to build a tool that is usable regardless of an organization’s structure.

https://www.nist.gov/blogs/cybersecurity-insights/preliminary-draft-nist-privacy-framework-here

The Art of the CISO: What comes first, the attack or security?

This afternoon I had a great conversation with a colleague about securing servers. He specifically asked what we need to do to ‘Secure’ them?

My first question was “How are they being attacked?”

That led to a good conversation, and a discussion on the philosophy of securing computers and networks. It is very easy to throw security controls at an issue and hope for the best. On the other hand, you can look at the environment, the attack vectors, possible vulnerabilities, and deploy the necessary security controls that protect the environment in a more targeted and efficient manner.

So, we decided to look at the services, the servers, the networks, possible attack vectors, and the current logs & indicators on the server to best determine what controls will be needed and what we can effectively deploy.

In a perfect world, with unlimited resources, and zero threats, it would be easy to ‘Secure’ a computer. I am still on the lookout for any of those scenarios!