From the online mail bag
In response to April's editorial:
I am in violent agreement with your editorial. However, the problem with all these high-end, strategic meetings in Washington, D.C. is they bring in the big players and only the big players, CISOs, CSOs, CEOs, from Fortune 500 companies. This results in all generals and no soldiers. They need to bring in some people working in the trenches to talk to Congress. A private's recollection of what it is like to be shot at is a great deal fresher than a general's.
Richard Starnes, Commonwealth Office of Technology, State of Kentucky
I'm glad someone is finally speaking out about the lack of talented security leadership, but I fear it will never be corrected. Having worked in government for many years at the state and federal level, I left public service for the private sector disgusted with political hacks who are more interested in who you know than what you know.
I'm sure they will find some political dandy to be information security czar, but count on the various security interests and three-letter agencies to jockey about finding ways to undermine any concerted effort to an overall solution.
If the future information security czar is reading SC Magazine, as he/she should, take note of the reasons security talents shun government work: poor pay, lack of appreciation for ideas outside the 'status quo,' the general politics, and lack of strong leaders.
Ms. Armstrong is absolutely correct: there is a dearth of talent, but I believe most tech types just don't have the political skills necessary to woo the Washington brass. Somebody prove me wrong, please!
In response to the story: IBM's Truskowski calls for securing the smarter planet:
Managing change and having the flexibility to react to a new dynamic is interesting. I don't agree that there is only so much you can do to mitigate risk once a technology is deployed. Security must be embedded in the business case and assessed based on the technology being used to innovate. I wouldn't recommend storing sensitive, financial or medical data without a strong business model that provides not only the technology, but also the operational security processes, and addresses liability for damages if data were to be compromised. Security from device to data center can be more secure today when enforcement and runtime control is used to ensure that only authorized changes are implemented and deployed to assist corporations in dealing with the human factor.
In response to an April 9 news story, Conficker worm updated to send spam, hawk fake AV:
If you are infected with scareware, the software will falsely inform you that your system is infected with other viruses than itself. So you are actually infected, but the infection falsely warns of other infections, and promises to clean them when you purchase.
In response to an April 10 news story, Survey finds that SMBs often lack basic security:
This shouldn't be a shock to anyone. In addition to having dedicated technology teams, large companies are typically under greater scrutiny to ensure regulatory compliance. Further, increasing security budgets in these smaller business entities won't help much if non-technical managers continue to determine security strategy and controls implementation.
In response to an April 2 news story, DDoS attacks hit major web services:
All of the best intentions can't completely stop Conficker, but take defensive action by being less vulnerable. Prepare yourself now, by keeping your Microsoft updates current. If you updated in March, you are already protected, as March's update contained the patch. Be sure your anti-virus program is a good one. Most important is that anti-virus programs are kept up-to-date as well, because previous versions of the worm may have limited its functionality. Check that your firewall is on. Visit the Microsoft site, download and apply the Conficker patch. Create strong passwords that include numbers and special characters. If searching for information on Conficker C, exercise caution in which sites you visit. Don't fall for pop-up ads that announce your PC is infected. These ads lead to sites that can install the worm and other malware onto your PC. Stay on guard to avoid becoming Conficker's collateral damage!
This is not about Microsoft patches. This is about a distributed denial of service against DNS.
David CISSP CEH GAWN
Cyberspace 9/11 is here. A trojan worm is causing havoc to companies such as Time Warner Cable, Register.com and UltraDNS, owned by Neustar, and to millions of their customers throughout the United States and Europe.
Although both Time Warner Cable and UltraDNS claim to have the problem under control, Register.com is in its third day with no end in sight. Larry Kutscher, CEO of Register.com said: “unnamed persons all over the world are trying to attack us. Every time we get it under control, it morphs into another attack. It's morphed at least three to four times. It keeps changing direction.”
Where are you FBI, CIA, FEMA and our newly elected DC Chief Technology Officer Vivek Kundra…can you hear me? We're under attack and no one is minding the store.
Name servers have always been a concern (weak point) with the internet. Most people do not know how they work and put little effort into them. I had clients that were freaked out because their websites were down (registered with register.com). Their best IT people were confused as to what to do. I fixed their problem in five minutes. Within the hour everything was fine with their domain. Have multiple name servers in multiple places and understand how they work. Register.com did not have a contingency plan in place as they thought they were too big for this to happen to them. I'm still curious if it was an overload of the nameservers or a flaw that a specific query was crashing the nameservers.
It was massive amounts of DNS queries being sent to each of their name servers. The actual queries were legitimate looking and well-formed queries. It could have overloaded their name servers and/or their bandwidth. The company I work for was hit by the same attack. Our downtime was about 20 minutes or less, but the attack was massive and the only thing that saved us was having name servers on separate networks with huge pipes.
The opinions expressed in these letters are not necessarily those of SC Magazine.