The IT Security Attaché

Good day to you,

If you are a security vendor that provides solutions for mobile devices I am interested in talking with you about being a part of our MESS in February. Please feel free to contact me directly for further discussion.

Here is more information about the summit.

The Summit will be focusing on the proliferation of mobile devices (laptops, Tablet PCs, Pocket PCs, UMPCs, Smartphone’s, media players, mass storage devices and add-on cards) and the threats they present to the consumers/businesses and the data that resides on them. We will provide the products and solutions that will allow the management and control over these devices through the endpoints.

Live hands on demos will be available. There will be test/demo systems configured and setup to facilitate the effective use of the information and products being presented and demo’d. There will be mobile devices from the industry vendors such as HTC, Palm, Motorola, Google, Samsung and more.

We are all aware of how these devices can be used to steal data/information off the target system unbeknownst to the user.

The Summit will focus on 3 key areas of mobility and security.

1. The Devices – A look at the mobile devices on the market today.

a. Netbooks, Laptops, Tablet PCs, Mini PCs, UPMCs
b. Smartphone’s/Pocket PCs – HTC’s, Motorola’s, HP Smartphone’s, Samsung, Cell phones
c. Apple’s iPhone and Google’s Nexus One
d. Media Players – iPod’s, MP3 players and more
e. Mass Storage Devices (USB Flash drives, Compact and SD cards, mobile phone memory sticks, and more)
f. Wireless capabilities – Infrared, Bluetooth, Wi-Fi, WiMax,
g. The Operating Systems – Windows Mobile, Symbian, Apple, Android

2. The Threats – A look at the threats that affects these devices and how they are targeted and attacked from internal and external sources.

a. Viruses/worms proliferation from devices to network to world.
b. Unauthorized connectivity to and from unscrupulous devices and sources (wired and wireless).
c. The use of these devices for storing critical business data and information.
d. Sharing data and information to and from the device through messaging and wireless connectivity.
e. The availability of over the air messaging and other communications tools and the problems they present.
f. Data loss/Theft of these devices and the business impact it presents.
g. Addressing the myths about over-the-air wiping of the device and why it is not effective today. The device is still a threat if lost.

3. The Protection – How to manage, protect and secure these devices from the threats.

a. How to manage the devices on and off the network.
b. How to protect and secure your endpoints from these unauthorized devices.
c. How to secure the devices against malicious codes (viruses, worms, Trojans, keyloggers, hackers) with viral protection.
d. How to secure the data/information residing on the devices local store and storage cards with data encryption.
e. How to secure the wireless connections of the device.
f. What to do in the event of a device loss or theft – the incident alert/response, damage control and alerting process.
g. How to make the over-the-air wiping feature effective and to mitigate the loss of data if device is lost.

Please feel free to share this request with any vendor that may find it of value.

Thank you and have a great day,

~Brett A. Scudder~

Good day to you,

On May 1^st 2009, TITSSN answered the call of providing a converged resource to address the needed online training, education, awareness and resources of the technology and security issues and challenges facing us today for tomorrow. As leaders in this field we understand the challenges being faced in dealing with the day to day management, learning and happenings of these threats and their impacts. While countries, companies and organizations are falling victims to these attacks, industries are suffering through the loss of revenue, privacy and productivity, and people are feeling and seeing the real effects of the real world we live in where the internet brings us together as a global connected network filled with valuable resources and resistance is futile, it is everywhere and is not going away.

We are still not seeing enough being done to educate people across the board and make them aware of these issues and their true impacts and so we’re taking the network to a higher level towards this initiative.

IT Security is a people problem, not an industry one and as such must be addressed effectively and accordingly.

So it is for this reason that we choose to build a social community to address these things together and to provide the training, education and awareness by the people who can speak of and about them at all levels, those who develop them, those who sell and support them, those who are out in the field fighting the good fight to prevent, mitigate and stop the growing rates of infections and compromises and those who want to learn more about being safer and secure together in one place. This is a work in progress and as we grow, so we’ll learn and so we’ll adjust to the need for changes. This is what we do on a daily basis as TITSSN continues to deliver its messages of security education, training and awareness now for a more secure future. We will be moving our operations into the social network immediately to help enhance the collaborative values, resources and functionalities.

The IT Security Suite Network’s Technology / IT Security Social Network is a place where people come together to create a vibrant, resourceful, strategic and secure social atmosphere of networking, training, education, awareness and collaboration for, on and about technology and securing them.

We invite you to participate in the full functions and features of our network as we build on it to enhance its values and mission for the future. We ask that you share the word with your associates, friends, peers and everyone that is interested in the world of security and being more comfortable and secure in it. This network is specifically geared towards technology, IT Security and everything in and about it.

The focus of this social network is to build greater education, awareness and provide the services and support needed to maintain the secure presence and stability of all infrastructures (homes, businesses (all sizes and types), schools, churches, etc) for all. Everyone is affected at all levels and so we must cultivate an open concerted atmosphere to address issues effectively.  We look forward to your participation in this effort as a leader, contributor, reader, advisor or just a member wanting to learn more. Please adhere to the policies and rules of the network so that all may find a common group to collaborate in.

The networks address is http://titssn.org.

Features include:

Real-time chats

Blogging

Audio/Video/Text IM

Discussion groups

Polls

Events calendar

Products/Solutions recommendations

Featured products, people, service providers

Our own publications (recommendations, best practices, guides, reports, findings and educational info)

And much more.

Discussions and groups that are up and running:

Application Security – developing secure applications and standards

Breach Notification Laws – country/state laws

Business to Business IT Security “BtBITS” – businesses protecting each other’s interests

Cloud Computing/Security – Issues, concerns, development, education and awareness

Computer Forensics – Data and Network

Cybersecurity – myths, issues, concerns, development, education and awareness

CyberWar – on, about, awareness, information, collaboration

Data Security – securing the data/information

DCITSUG – Washington DC IT Security Users Group

Emergency Security Response Program “ESRP”

Endpoint Security – What are they, why they are vulnerable and how to protect them

Hacking Unleashed – Ethical/Unethical – the world of hacking

I-CON Science and Technology Conference

Identity Theft – prevention, support and solutions

Incident Response – What happens when something goes wrong/bad?

IT/Security things/issues that make you paranoid

IT Security Best Practices – General

IT Security Facts and Myths

IT Security Leaders

IT Security Requests and Support

IT Security Service Providers ~ITSSP~

IT Security Training and Development – General

IT Security in our educational institutions – curriculum upgrade

Microsoft Small Business Server Security – Securing the server and components

Mobile Security – securing the mobile users/devices and they data they host

Managed Security Services Providers “MSSP”

NYeWin – New York Enterprise Windows Users Group

NYITSUG – New York IT Security Users Group

NYSBS – New York Small Business Server Users Group

Online Security – Securing your online experience

OWASP – Open Web Application Security Project

PAITSUG – Pennsylvania IT Security Users Group

PC Security at home

Perimeter Security – securing the perimeter

Physical Security – a critical part of your security model

Ready Rockaway – Disaster/Emergency Preparedness

Small Business IT Security – securing the small businesses

SPEAK – Security Professionals Engaged in Advanced Knowledge

Social Networkers United – the future belongs to us

Social Networking – security, trends, myths and best practices

TITSSN’s Adopt an Institution Program – ~AaIP~

TITSSN’s Code of Honor – Advocates for the future of professional Messaging

TITSSN’s Code of Honor – Advocates for the future of IT Security Education and Awareness

TITSSN’s ENGAGED ~ENabling Greater Awareness, Growth and Educational Development~

TITSSN’s General Network Members

TITSSN’s IT Security Community Outreach Program ~COP~

TITSSN’s IT Security Scholarship Program ~ITSSP~

TITSSN’s Secure Medical Protection Program ~SMPP~

TITSSN’s Secure Mobile Professionals Network ~SMPN~

TITSSN’s Secure Minds Initiative

TITSSN’s Small Medium Business IT Security Summit ~SMBITSS~

TITSSN’s Windows 7/Vista SP2/Windows Server 2008 SP2 Testing and Development Group

The Compliance Suite (Regulatory/Non Regulatory)

The Framsyn Initiative

The IT Security Threats Landscape ~TITSTL~

The Privacy Suite – it’s all about privacy

Viral Outbreaks – containment, response, prevention

Viral, Spyware, Malware Detection and Removal – the growing trends

Voices of IT Security

Wireless Security

Government Security Mandates, Protocols, Policies and Response

US – CERT – United States Computer Emergency Readiness Team

US – CIA – Central Intelligence Agency

US – DHS – Department of Homeland Security

US – FBI – Federal Bureau of Investigation

US – NSA – National Security Agency

These are just a few of the topics, issues and groups that are available as we start off on this journey together and when you join us, you too can add to what is there if there is something of interest that is missing.

We look forward to your support and we know this will be of great value for you.

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

~Brett A. Scudder~

The IT Security Attaché

Good day to you,

I would like to take this opportunity to share some very critical information with the self employed and home based business owners about the state of The IT Security Threats Landscape ~TITSTL~ and how it affects you. This is a discussion I have every day as more and more people in these categories are finding out the real effects and impacts of these threats are not excluding them and that they fall very much into the mix of it. As the economy tightens its grip on our lives, those who are being laid off are turning to home based and self employed business thus sparking an increased growth in this area of business. The SMB space has grown tremendously since his recession and to that end has become a serious security issue for us security professionals as we look across the IT Security Threats Landscape horizon.

Therefore, the reality of the issue must be faced thus bringing the question of, what am I to do about it.

I have published numerous articles on these threats, preventative measures and how to deal with the security issues of today and tomorrow on my blogs but I am going to do this as a summary of those here.

First let me say this, if it requires a security patch (let’s just keep it at security for now), it is vulnerable.

What does this mean?

Simple, any operating system, Microsoft, Mac, Linux, Solaris, you name it, that requires a security patch for any reason is vulnerable. The patch is to prevent exploit of the vulnerability right so it is a security risk.

I had to get that out of the way so that we wouldn’t get into the ridiculous argument of which is more secure than the other. The way I see it is simply that, if a door is left open for anyone to come through it, the length of time left open versus the threat that comes through it is just as critical. So, any open door is a threat no matter where. What comes through it may differentiate the severity. They all have their insecurities at some point but how the vendor/developer addresses it lessens the impact and wide scale visibility of the issue. While some may announce these vulnerabilities and findings, other may patch/update them behind the scenes thus limiting the visibility and knowledge of the user.

Second, anti-virus alone is NOT going to protect you from the threats of today. It takes a multi-layered approach and as such, the various layers of protection must be enforced. So telling yourself that you have anti-virus protection on your PC is being as naïve as saying the threats doesn’t affect me and i’m not worried about them. While it is true that most anti-virus vendors are bundling multiple threat protection/prevention layers into their solutions, the proper configuration becomes the caveat to that solution. While many deploy with an out of the box config, there will be tweaks needed to customize it to your environment and needs. So one must understand what is being deployed and if it will provide the layers of protection needed.

So why is IT Security so serious for me as a self employed or home based business?

Well, ask yourself these questions,

What is it that you do and how do you do it?

Do you use email?

Do you send emails to customers/clients/partners/associates/potential clients?

Do you leverage the powers of social networking/media (Twitter, LinkedIn, MySpace, Facebook, Ning and the list goes on) today?

Do you use IM for personal and/or business use?

Do you browse the internet for data/information on whatever you’re working on or researching?

Do you do online banking or shopping?

Do you download multimedia contents from the web (music, movies, flash videos, etc)?

Do you download online presentations (PDF, PowerPoint)?

Did you know that PDF files presented one of the biggest security risks over the past 2 years but is the most widely distributed online document format?

Do you have a printer or some media player connected to you system(s) at home or in the office?

Do you have any applications running on that system aside from the operating system?

Do you know of the Breach Notification Law in your state and what it means for you?

When was the last time you downloaded a keygens or crack file to open full access to that app or game you really wanted but didn’t want to buy/pay for?

Maybe you didn’t crack/keygen it but someone did and opened a backdoor which planed a rootkit or some nefarious threats on your system(s). What happens when you use that for business purposes, what are you spreading to those you collaborate with?

Well by now i’m sure you’ve caught my drift and I don’t have to get technical for you to see how you’re affected. All these questions pose security risks in various ways and are able to be stopped, prevented and protected if the proper education, awareness and measures are put in place. Don’t ask if you’re affected or if I should be taking these things seriously, you must. You are as much a risk to me as I am to you if the proper steps are not implemented to secure your system and the data/information you have sitting on it about me, you and those you collaborate with.

That system is being used for personal and business use and at some point the access to/from or by a threat is heightened because of the lack of separation of the two. A system that is used by everyone in the home should not be the same used for doing your business. When someone in the home decides to crack that app and opens that backdoor, you’ll never know what can come through it and what your risk factor will be or are. Separate the two, business is business and personal is personal. The cost of a system today is much more affordable than a few years ago so it shouldn’t be a problem to get an extra one.

You are not a small business because you have 5 people working for you. You are not a small business because you only have 5 computers in your office or where you decide to conduct your business. To me as a security professional you are not a small business (home based or in an office) when you have records/information and access to 5000 people. A doctor who has an office with 5 employees and 8 systems managing 4000 patients’ info is not a small business in my eyes. If you’re a consultant running your own business and you manage systems or information for your clients you’re now there biggest risk because it’s your responsibility to control that. Every PC must be secured whether it is connected online or not as you never know if/when it will cross the line. This is how I see security.

When you decide to start doing business today you must consider the role you play with those in which you will be doing business and the kinds of interaction you will have with them. When sending an email from an infected system (whether you did or the resident worm) it is still coming from you and the possible effect on the recipient(s) can be adverse which may lead to legal issues.

When using social network can enhance your presence and what you do significantly, it is also an area of heightened risk both personally and professionally. Know the need and use it accordingly. Social networks are the future of collaboration but one must decide why the need and create the separation. If it’s for personal use one should always remember the impact on themselves as they are now putting themselves out there to the world. If for business, one should decide on how they want to be seen and what they would like the world to know about them and what they do. Social networking is a great thing to have and use, it’s the management and control of that presence that matters. The threats people face on social networks are the same they would face outside of it but just through a different medium. Educate yourself on these things and you will be ok.

As for the Breach Notification Law, most people didn’t even know of such laws about digital contents and its security. I strongly suggest you take a look at the law of your state and understand the legal and financial issues it presents for you. Learn it, know it, and understand it. If in doubt, reach out.

The active Conficker worm should be enough of an eye opener for you and if you don’t know what it is then you may have bigger problems that I thought. Security is not just about you, it’s about your way of life today both on and offline. I am not here to scare you but it is better to know before than after as the damage control, legal and financial issues after the fact is much worse and a very daunting issue.

As for the online scams, phishing and SPAM, it is only going to get worse and until you educate and make yourself more aware of and about them, you may fall victim to them as they are craftier than ever.

Ok so I have chatted enough and now you’re saying this is too much so I will leave a few articles of reference.  Feel free to contact me if you’d like to discuss further and in more details.

The Conficker Worm – my review

A grim day for browser security at hacker contest

State Security Breach Notification Laws as of December 16, 2008 and the Conficker worm

IT Security Education and Awareness 04-09 #1 – IT Security is a people problem, not an industry one

Apple Mac users warned of web-based malware threats RSPlug-F Mac Trojan horse distributed via HDTV website

TITSSN leverages the Twitter network for critical alerting, notification and network happenings (meetings and events) as of April 1st 2009

Security/Privacy Awareness 03-09 #1 – Do you understand the breach notification law is in your country/state, do you know what it means, all are affected.

Thank you and have a great day,

~Brett A. Scudder~

The IT Security Attaché

Good day to you,

Every day I talk with people across all vertical markets, business sizes, organizations and cultures about the IT Security issues being faced in our world today and how it impacts our everyday lives, and it is becoming one of those awakening kind of issues for many. Whether they like it or not, they know they are affected in one way or another. While most people tend to try and figure out if and where they fit into this Matrix, the recent mass media explosion of the Conficker worm created somewhat of a sense of understanding as many now saw it from a non technical aspect and as what it really is, a people problem.

As a security attaché, I have relayed this message of IT Security being a people problem and not an industry one for years but it doesn’t resonate well for many because they didn’t understand the matrix and how it worked. Now that they saw and heard of it on the TV (which is an even bigger influencer on people today), the same things we IT people have been trying to tell them now makes some kind of sense. Let us take away the fact that whether the media coverage on the TV was doing much justice or help for the issue(s), it did add a well needed visibility to the scope of the problem and that was very well needed today. It would be nice if we say a segment on the news specific to The IT Security Threats Landscape ~TITSTL~ and issues in and around it. They could bring in some professionals in the field to talk about the issues and what is going on and how people can protect themselves in it. That would be a well needed thing to see at that level today as we are going into this vast technology future of ours which we’re taking head on without looking at the real implications and effects of it.

The logic behind the issue is simple, because your system(s) are up and running and have not been wiped out nor shut down by a threat doesn’t mean it is safe, secure or threat free. In many of my health assessments I have shown the owner my findings of worms, trojans and other blended threats that are sitting on their systems because of lack of proper security solutions to protect them or the improper configuration of the solution being used. The fact that they are there is one thing, what they are doing is something else and both are critical issues to ponder.

While many will refute this fact, I have seen, worked and handled enough of these cases to state as a fact that many fall into this area of The IT Security Threats Landscape. A resident rootkit, keylogger, worm or whatever the variant may be, is actively working its way through your system and causing some form of data loss/theft or compromising the state of applications, connectivity or system stability that we security professionals deem critical. Here is another way to look at this.

If you went to the doctor for a cough that has been bugging you for a while and he says to you, you have a chest or respiratory infection would you tell him no?

If he says to you that you need antibiotics and some cold medicine do you tell him no?

Why not?

Because, this is his field of expertise and study and as such he can make this assessment based on his knowledge of the issue and the facts he has from testing you.

Are you a medical person to dispute his statement and will you seek a second opinion from someone else?

The fact that you’re still alive and well (somewhat, depending on how you define well) does not negate the reality of the issue that you are infected with something that is causing some kind of issue/effect on the body resulting in that cough which in our field of IT we would call an early warning. So, this is the same way in which we look at the IT Security issues of today and how people tend not to look at it. They haven’t gotten that early warning of a cough because the system hasn’t picked up on it yet and when it does happen, because they have not fallen and can’t get up this is not a critical issue. The system becoming slow and unresponsive is that early warning and at that stage most people tend to seek professional help depending on the need/use of the system and how critical it may be for business or even personal use.

So here we stand dealing with people who are harvesters of thousands of people’s information and things about them (whether you know or like it) and they rest idle to this decadent behavior and mindset. Yet, unchecked, their systems sit comfortably hosting these blended threats which are sending/stealing critical private, personal, financial data/information to these hackers unbeknownst to them. The careless whisper of ignorance to these issues is the driving force behind the growing success of such threats today. A hacker have so much more to gain from you giving it to them than for them having to go through getting it from you and is why the botnet issue is such a growing one today. The use of keygens, crack files, peer to peer (P2P), unpatched applications and systems makes it so much easier to exploit what is available that one tends to wonder when and where does it end. It ends with user education and awareness on and about the threats landscape and what these issues are. It end when people start taking this seriously and realizes that you’re just as much a victim as anyone anywhere if you’re not protected properly.

It ends when you stop saying I have anti-virus protection and so i’m ok when you know you haven’ renewed that subscription over six months ago and so you’re missing all the latest and greatest signature based protection that it should provide. Anti-virus alone CANNOT protect you from the threats out there today, it has to be a layered approach where various solutions are in play to cover the needed layers.

It ends when you wake up from this illusion that my OS is more secure than the other and so I don’t have to worry about these security issues.

It ends when we stop underestimating the knowledge of your youths and start educating them much early on the proper use of the internet and the functions and features of it. IT Security must be a part of the school curriculum today as technology is our future for tomorrow and they are our next generation of professionals and leaders.

It ends when you start accepting the fact that you are as much a risk to me as I am to you if we’re not practicing basic IT Security best practices.

It ends when you stop taking the cheap way out of operating a business when hosting people’s private and confidential information which is priceless to them and they trust you to keep it secure. Have some respect for your customers and let them rest comfortable knowing that you have their best interests at heart in properly protecting your infrastructure.

It ends when you realize that these threats are released in the wild with no specific targets but the system(s) you’re using which unfortunately is in the homes, schools, workplaces and places of general interest.

The treats are not specific to government and their systems. It is not specific to the private or public sectors. It is not specific to the educational institutions and it certainly isn’t targeting the healthcare sector only. All are affected and are in the path of these threats because, they are all sharing the same interconnectivity transport medium, the internet and the internet respects no one and has no boundaries.

It is time that people take this as a basic part of their lives where one does not get consumed on questioning the validity or severity of the threat but questioning the readiness of themselves and their systems to face them. While our government may understand the real scope of these issues, their efforts to create effective management and policies to protect the country’s infrastructure are missing critical elements, the people and the roles they play in strengthening the protective layers or being a weak link and point of entry/compromise for what is being implemented. Unless we strengthen the people through education and awareness they will always be a weak link in the chain of protection.

When a company is hacked or they lose their data by whatever means there is, who suffers the most, the employees, the end users. The company suffers a data loss or has a breach but the actual data may be your private and confidential information. Even if the company loses its financial data, it has a much better recovery rate through insurance and such than an individual who now suffers from the loss of privacy and here in the US, credit ratings.

Think about the many places that have information about you that you consider to be private and confidential. Your employer has your social security info (and possibly family members who are covered by you), some financial info for direct depositing of your paychecks. Your 401K info. Health and life insurance info.

Your doctor has your private health records and, results. They have your family’s private info as well as some kind of visit may have been had over the years and that info is in the system.

Your bank has all your financial info and records. They may have your mortgage info as well (if you own a home). The car loan and all the info in it. Student loans and the works.

So think on these things and when you look at all of them, who is most affected in the event of a data loss or breach at any one of those kinds of organizations or businesses, you, the end user, consumer, employee.

IT Security is a people problem and must be dealt with accordingly. It is not about selling security, it’s about creating greater education and awareness about it so we can all contribute towards upholding the strengths of the protective security layers that are there for our protection.

Stop asking if this is real, ask yourself, how do I protect myself, my family, my business, my country from these elements and there effects. This is REAL.

When in doubt, reach out.

~Brett A. Scudder~

The IT Security Attaché

Good day to you,

With technology becoming a more integral part of our everyday lives and more gadgets, devices, and electronics being converged on the information superhighway (World Wide Web ), at what age do you believe we should start the education and awareness of IT/Internet Security for our youths in the school systems?

Things like,

How to browse/use the internet safely,
Instant Messaging security and best practices
Social Networking security and best practices
Mobile security and best practices.
Online predators and how they target children and how to be protected from them.
What is are viruses, worms, trojans, spyware, malware, blended threats?
What are web attacks (like drive-by-downloads) and how they are orchestrated?
What is social engineering?
What is phishing?
What is SPAM and why is it being used today?
How do these threats proliferate?
Secure messaging implementation and use.
Defense-in-depth – definition, purpose and maintenance. Anti-virus, anti-malware, firewalls and intrusion detection/prevention.

Our Secure Minds Initiative is about integrating this level of training and education in the school’s curriculum and I wanted to get your thoughts as adults, parents, educators and professionals on this matter. I have seen 10-12yrs old who can hack into a network and do some serious things that IT Pros in their adult years can’t.

Why not nurture this knowledge and ability for good?

Please make note that I didn’t ask if it should, I asked at what age should this be done signifying that I believe it should and i’m for it. Imagine having our youths graduating from high/middle schools with this advance early knowledge and what contributions they would be to the IT field. Even if they don’t become IT professionals having this education and knowledge will help any organization they join stay more secure.

Your thoughts.

Thank you and have a great day,

~Brett A. Scudder~

More answers on LinkedIn here http://www.linkedin.com/answers/using-linkedIn/ULI/394739-3071950