Posts Tagged “Security”

Computer and Internet policy in the workplace, Part 2: The Ideal Policy

The ideal policy must balance security against productivity, and it has to be judged by the actual results of a policy change, not by a theoretical ideal. First, identify the problem you want the policy to solve; policy for the sake of policy is worthless. Once the problem is identified (say your employees are spending too much time on webmail), develop a policy to counteract it, working in small steps at first. Next, evaluate the small-step change. If it has accomplished what you set out to do, do not proceed any further; if it has not, take another small step. The goal is to rarely backtrack on policy. If you have to backtrack, people will lose respect for the policies you implement, and further policies will need to be even more drastic to have any effect.


I have some first-hand knowledge of several different ways of handling policy in the workplace. This article is the first in a series that will discuss those, some theoretical ideals, implementation and awareness techniques, and pitfalls of implementation. Policy usually seeks to protect proprietary company data and employee privacy, to preserve the company's public image, and to keep employees efficient. Failing to create or implement policy effectively has the opposite effects.


Wired has a description (warning: language) up about how the guy got into Palin's email account at Yahoo. I am not sure that hack is the right word, since this was more of an exercise in social engineering and search engines. What bothers me most about the article is how it describes the “hacker.” Some poor kid in his dorm room at college had enough foresight to get behind a proxy (even if it was just one). Not only that, but his own description of his activities demonstrates forethought.

The hacker said that he read all of the e-mails in the Palin account and found “nothing incriminating, nothing that would derail her campaign as I had hoped. All I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family.”

His story is of someone who was more worried about getting caught than worried that he was doing something wrong. This is someone who is morally stunted and needs crash remedial training before he ends up in jail for a crime that actually hurts someone. He will probably end up with some jail time for this, or at least some community service, because the only thing he really did was violate someone's privacy. I am assuming that he didn't make copies of the data or post it on the Internet, and that someone else did that afterwards. His second stupid move was posting the password on a forum, which, instead of making him seem more anonymous, is just going to increase the charges against him and the authorities' interest in catching him.

He tried to derail her campaign. That should be wrong no matter what your political viewpoint is.

Here to ask why has a post about this with some good tips. I have a few more:

  • Use a different password for every website. Here's how I do it: I use Roboform to generate and save passwords. Most passwords are 12 characters or more and randomly generated. There are relatively few passwords that I need while away from my computer, so it isn't a problem. For those I use something with slightly fewer random characters and numbers, but it is still complex.
  • Change your birth date and other personal information slightly when registering on sites. Most sites that ask for your birthday just want to know that you are over 13 or 18 or whatnot. This means you will have to remember your fake birthday in case you need to reset your password, so record it with the site's entry in your password manager. Here's a tip: use the birthday of someone you know.
  • Randomize security questions and answers. I back up my passwords in many different places, all encrypted, so I'm not going to lose them. When a website lets me choose my own questions and answers, I use the random character generator within Roboform to generate the answers and then save them in a notecard. The name of your first pet can be a4lzioE0lPJY, and the name of your high school was 58PiZgotJD1A. A real answer (a pet's name, a school) is often discoverable from search engines or social networks, which is exactly how a password-reset form gets defeated; a random one is not.
  • Watch your account for strange activity. Google has a newish feature that shows where login activity has occurred or is occurring, and allows you to sign out sessions if, for example, you accidentally left your Gmail account active on another computer. I use Fastmail, which has had the login history feature for a long time. Most banks and other places where privacy is important will also display your last login time and IP. If they don't, ask them to start.
  • Change your password if you have the slightest doubt that something is going wrong. With Roboform this is easy, and I can sync up my USB Roboform2Go and backups quickly enough.
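The per-site passwords and random security-question answers above come from Roboform's generator. The following is an added example, not the author's setup or any Roboform code, that does the same job with the Python standard library: it draws secrets from the OS CSPRNG (`secrets`, never `random`), shows how much entropy a 12-character alphanumeric answer actually carries, and builds the kind of per-site record (unique password plus a random answer for every question) that a password manager would store. The site names and question texts are constructed for the demo.

```python
from __future__ import annotations

import math
import secrets
import string

# Letters and digits only, matching the example answers in the post;
# add punctuation where the site accepts it.
ALPHABET = string.ascii_letters + string.digits


def generate_secret(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Return a random string chosen uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice is seeded from the
    clock and is not suitable for passwords.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def make_site_entry(site: str, questions: list[str]) -> dict:
    """One password-manager record for `site` (hypothetical structure):
    a unique 16-character password and a random answer per security
    question, so the 'real' answers (pet name, high school) never get
    used anywhere and cannot be looked up by an attacker."""
    return {
        "site": site,
        "password": generate_secret(16),
        "security_answers": {q: generate_secret(12) for q in questions},
    }


def all_unique(entries: list[dict]) -> bool:
    """True if no password is reused across the given records."""
    passwords = [e["password"] for e in entries]
    return len(passwords) == len(set(passwords))


if __name__ == "__main__":
    # Constructed sample sites and questions.
    vault = [
        make_site_entry("mail.example", ["First pet's name", "High school"]),
        make_site_entry("bank.example", ["Mother's maiden name"]),
    ]
    for entry in vault:
        print(entry)
    print(f"12-char alphanumeric answer: {entropy_bits(12, len(ALPHABET)):.1f} bits")
    print("no password reuse:", all_unique(vault))
```

A 12-character string over 62 symbols is about 71 bits, far beyond anything a reset form's rate limiting will let an attacker guess; the same function with a shorter length and a smaller alphabet gives the "away from my computer" passwords the author mentions, and `entropy_bits` tells you what you gave up.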


I saw a very strange article today in which someone tried to argue that SaaS (Software as a Service) changes the CIA (Confidentiality, Integrity, Availability) triad. I was confused and read on, only to find that there was no argument in the text to back up that statement. In fact, Availability was used as an argument against itself. I started to write a comment, but it got too long, and I realized that I was probably just going to offend the guy over something he wrote too quickly without reading it over. I'm sure I've already written something like that myself, or if I haven't yet, I will.

First, here is an explanation of the CIA Triad in a nutshell. These are the core principles of information security:

Confidentiality refers to preventing disclosure of information to unauthorized systems or people. Integrity refers to the data remaining as it was put into the system – that it cannot be modified without authorization, and that an unauthorized modification can be detected. Availability means that the data is available when it is needed and that the security controls and systems that house the data are functioning correctly.

I’ve heard many people argue against the need for the Availability piece, as it doesn't sound as interesting as the rest. Of course the data needs to be available, but what does that have to do with security? Joe Technician keeps the systems available. The problem is that if the system is not available, it is not valuable, and if it is not valuable, it is not worth using. Availability also refers to the security controls themselves being in place at all times. Suppose a control suddenly becomes unavailable: say a log file fills up and no mechanism for rotating or offloading it is in place. Subsequent actions on the system go unrecorded, so a change made in that window cannot be attributed or even noticed (an Integrity problem), and an unauthorized read in that window leaves no trace (a Confidentiality problem). Simply because the logging facility was not available, we now have an Integrity or Confidentiality issue.
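The full-log scenario above comes down to one design decision: when the audit log cannot be written, does the system refuse the action (fail closed) or carry on unrecorded (fail open)? The following is an added example written for this post, not code from the article or from any real logging system. It models the log as a bounded, non-rotating sink and runs a constructed sequence of reads and writes through it both ways, so you can see that the fail-open variant ends up with a modified record and no trace of who changed it. The action syntax ("read:key", "write:key=value") is invented for the demo.

```python
from dataclasses import dataclass, field


class AuditLogUnavailable(Exception):
    """The audit log could not accept a record."""


@dataclass
class BoundedAuditLog:
    """Stand-in for a log file with no rotation: after `capacity`
    records every further write fails, as it would on a full partition."""
    capacity: int
    records: list = field(default_factory=list)

    def write(self, entry: str) -> None:
        if len(self.records) >= self.capacity:
            raise AuditLogUnavailable("log full and no rotation configured")
        self.records.append(entry)


def perform(action: str, log: BoundedAuditLog, data: dict, fail_closed: bool) -> bool:
    """Apply one action to `data`, recording it first. Returns True if the
    action happened.

    fail_closed=True : if the action cannot be logged, it is refused.
    fail_closed=False: the action proceeds with no record, which is the
                       Integrity/Confidentiality gap described above.
    """
    try:
        log.write(action)
    except AuditLogUnavailable:
        if fail_closed:
            return False
    kind, _, rest = action.partition(":")
    if kind == "write":
        key, _, value = rest.partition("=")
        data[key] = value
    elif kind == "read":
        data.get(rest)  # the read itself is what must be accountable
    else:
        raise ValueError(f"unknown action {action!r}")
    return True


def run(actions, capacity: int, fail_closed: bool):
    """Run `actions` against a fresh log of `capacity` records.

    Returns (final data, log records, number of actions that happened
    without a log record)."""
    log = BoundedAuditLog(capacity)
    data: dict = {}
    performed = 0
    for action in actions:
        if perform(action, log, data, fail_closed):
            performed += 1
    return data, list(log.records), performed - len(log.records)


# Constructed sample: the log holds two records, four actions arrive.
ACTIONS = ["write:salary=100", "read:salary", "write:salary=999", "read:secrets"]

if __name__ == "__main__":
    for mode in (False, True):
        data, records, unlogged = run(ACTIONS, capacity=2, fail_closed=mode)
        print(f"fail_closed={mode}: data={data} logged={len(records)} unlogged={unlogged}")
```

With `fail_closed=False` the salary is changed to 999 and the secrets are read, but the log stops at the second record, so the system cannot say who did either. With `fail_closed=True` the last two actions are refused: availability of the service drops, deliberately, to preserve integrity and accountability. This is the same trade-off Linux auditd exposes with `auditctl -f` (failure mode) and the `disk_full_action` setting in `auditd.conf`; which side you pick is a policy decision, but it has to be made before the disk fills.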

I understand what the article was trying to say about increased exposure on Integrity and Confidentiality when moving to a service-based environment, because you are handing sensitive information to a third party; however, SaaS increases Availability risk as well. Instead of running Word on your desktop, which works whether or not you are connected to your LAN, the Internet, or anything else, you are now relying on Google (for example) to deliver your word processor over the Internet. Your third party still has to get the service to you. With SaaS, both the provider and the buyer need to consider Availability just as much as Confidentiality and Integrity.

I’ll give you a simple example. I can run your company’s ERP system for you. I’ll design the system so well that after you put data into it, no one will be able to get it out. I’ll make it so safe that no one can make unauthorized changes. Actually, we will take your ERP system, unplug it, and stick it in a double-locked vault where I know one combination and you know the other. That satisfies Confidentiality and Integrity completely, but ignores Availability.

Some businesses, or systems within a business, naturally emphasize parts of CIA over others. For example, there is a company that sells a USB key that wipes itself after too many failed authentication attempts. There are cases where availability of that data should suffer. If I am bringing a copy of proprietary, company-confidential information from one place to another, this might be the best means to transport it. If someone steals the USB key or I lose it in transit, I want to be assured that the data will not be available to whoever finds it, and that it cannot be modified by someone sneaking into my hotel room in the middle of the night. In this case I am willing to sacrifice some availability (for example, if I forget my own passkey) for the sake of Confidentiality.

This in no way negates the CIA triad or changes its paradigm. The USB key still must be available to me in order to be useful. I need to be able to put data on it, and it needs to be possible for me to carry it from one place to another. Once there, I need to be able to authenticate to it and decrypt the data. In other words, the data must be available, or I’d never buy such a device. The manufacturer still has other availability challenges, such as how to unlock and decrypt the device on an alternative operating system (making the data more available), or how to alert the user that someone has been guessing the password since the last successful access (availability of the protection system itself).

In fact, each piece of the triad is intrinsically linked to the others in a delicate balancing act. As I said, it is easy to have a completely Confidential system if there is no Availability (try a pipe to /dev/null). When an end user asks for a network share behind the firewall to be made available to a customer in another company, we suddenly have a much greater need for Confidentiality and Integrity controls, but it was Availability that triggered the request. If we lose sight of the fact that Availability triggered the request, the extra Confidentiality and Integrity controls have no purpose; they exist only to make that Availability safe.

CIA is intrinsically linked, and each piece must be considered in developing any system, including SaaS. There is no paradigm change. I know the author of the article knew this, because he argued points against his own thesis. It got me thinking, though, and that’s always a good thing. I didn’t write this to offend or pick on anyone. If there is something I’ve overlooked or misread about the original article, I’ll be glad to have it pointed out, because I just don’t understand it as written.


NoScript is one of my essential browser tools. It blocks JavaScript, Java, Flash and other active or executable content in Firefox and keeps it from running until the user specifically whitelists the site. It can be an inconvenience to someone who doesn’t understand the dangers that exist on the Internet, and it doesn’t save us from every danger out there either.

It seems someone at ZDNet noticed it recently. It’s nice to know that NoScript protects against specific zero-day attacks too.

If you use Firefox (and you should), then you should use NoScript to complete your safety net.

It is rare for the XSS detection to trigger, but even for someone who browses as carefully as I do, it can. In fact, there are times when I am browsing through things that aren’t necessarily all on the up-and-up. I had a PC that I needed to hack into a couple of weeks ago, and my traditional tool is ophcrack over at SourceForge. They recently updated the tool and it no longer performs as it did – very disappointing. I downloaded a previous version and let it crack away on the target computer; however, it couldn’t reveal any of the passwords. I did some searching for an alternative tool, and as you can guess, that led me to some shady websites. With NoScript I didn’t worry at all.

The one thing NoScript doesn’t save us from is a trusted site that we’ve whitelisted and that was subsequently compromised. If the compromise includes injected script, it will execute just as if it were trusted, because the whitelist decision is made per site, not per script. So keep the permanent whitelist short, use NoScript’s temporary allow for sites you only need once, and review the list now and then.
