Archives for: January 2009
TITSSN welcomes working with the new administration on the challenges of IT Security being a people problem, not an industry one.
Link: http://titssn.net
Good day to you,
TITSSN is very pleased with our new president’s focus on the national cyber infrastructure, as it had been one of our most intimate concerns during his campaign. Our motto over the years has been that the problems being faced in the IT Security space are not an industry one but a people one, and as such warrant a more global, concerted effort towards education and awareness initiatives. The impacts and effects of the IT Security Threats Landscape reverberate through every layer of our lives at home, school and work, and as such are more than just a simple issue at hand. Yet, unchecked, these issues are not getting the time and attention needed to be seen as seriously as they really are today, for tomorrow.
The infrastructure of our country relies heavily on a strong technology backbone, and unless proper security education and awareness is provided at all levels, our points of vulnerability and exploitation increase with every new device, gadget or piece of technology that is added to it. It is for this reason that over the past few years we have risen to the challenge of promoting the education and awareness values of IT Security, and why it is imperative that people understand the real impact and effects it has on us as a people. This isn’t an issue for us as individuals alone; it is about how we as individuals create an impact that affects others through the use of messaging (email, IM and text), browsing, file sharing, peer-to-peer networks and general PC etiquette.
I am as much a risk to you as you are to me, and thus the global infrastructure is at risk unless we cultivate this mindset of security consciousness. This new era of warfare is a technological one that allows an individual to sit at a PC and launch massive targeted attacks against people, processes, critical infrastructure, governments and countries, without even knowing who you are, nor do they care about the intended impact. The need to create hysteria and massive downtime drives them to do this without any regard for those who suffer the effects. This is where we are today, and it is why we need to do this sooner rather than later.
This is the reason why we kicked off our Secure Minds Initiative: to create an educated, aware and resilient global network of IT Security minded people who can secure and protect themselves from IT/Internet threats. We want this administration to realize the need for integrating IT Security into the lower school systems so that our youth can be better prepared for the technology age ahead before they reach high school and college. Educating their young minds will help to strengthen the weakest links and make the chain of the infrastructure much more secure. Parents should also play their part and not leave it up to the school systems to foster this needed education and awareness of basic internet/technology best practices.
As internet broadband services become more mainstream to the average user and connection speeds increase, the effects of the IT Security Threats Landscape bear heavily on those who are not properly secured and protected, either through protective solutions or simply the educational awareness of how to be more secure. The increasing use of instant messaging, social networking and email adds an immeasurable list of ways in which we are at risk. Our future is very strong with technology at the heart of it, yet no matter how much we invest in it, the need for better education and awareness remains, because the human element plays such a significant role in these issues and will circumvent whatever is put in place.
We will continue to provide the public outreach and educational programs needed to facilitate the enhancement of this needed resource for our people across the board. Our community outreach programs add the needed one-on-one communications and access to our IT/Security professionals, who are able to talk with community members about these issues and are there as a local go-to resource. We are integrating these educational resources into social networks and services to enhance the safe, secure and collaborative resources they provide. We don’t have to fear technology; we just need to secure it by having the proper education and awareness backed by the needed useful solutions.
As in anything we do at this level, there are those who talk about these issues and then there are those who listen and decide on what next steps to take. Here at TITSSN we cover the entire process of listening, research and development, training and awareness, and providing local hands-on resources to people, processes and things to complement the circle of competence and confidence. Delivering the message of IT Security doesn’t take high levels of technical skill or specialty in the space; it takes the simple understanding of why this is an important part of our world today and why we need to take an active part in being stronger links in the chain of our infrastructure.
Applying the configurations and settings does require that you be aware of what is needed, how to do it and what the effects will be. This does require some level of technical understanding, as the impact of not configuring it properly can lead to bigger problems. And so the process of this initiative is a staged one: it begins with creating the resources for providing the education and awareness, continues with promoting those resources, and ends with delivering them effectively. As we look forward to this new era of change(s), one tends to feel a sense of “wow, what is going on, are we ready for this, and if not, do I have a choice?” It is not a question of if, but when, and it is that when we must prepare for.
TITSSN is that leading force providing the pathway of resources, education, awareness, services and deliverables to complement this new era of technology and its focus. We look forward to bringing this whole process together for those who are looking to be more aware of how to protect their privacy, intellectual property and identity on and offline. There isn’t a line between the two, as they are very much intertwined; it is the knowledge of how and why that blurs the mindset into thinking that the online and offline worlds are truly separate. We must get past this level of thinking and move forward with the mindset of convergence as we brace ourselves for these upcoming changes.
We welcome this new administration’s focus on these issues and look forward to working with them towards a more converged and resourceful technology experience. We are here and will answer the call if and when needed, to take these initiatives to the next level.
Thank you and have a great day,
~Brett A. Scudder~
President/Chairman/IT Security Attaché
~TITSSN~
Follow-up to TITSSN's NYITSA-UG January 8th, 2009 group meeting on Virtualization and securing it.
Link: http://titssn.net
Good day to you,
First I want to say many thanks to Mr. Hamlett for coming out and spending the evening with us to take an in-depth look at the Microsoft world of Virtualization. Thank you sir.
I also wanted to say thank you to those who came out to the meeting as well.
I wanted to send a follow up of our meeting last week and share two presentations that were offered. It was an awesome session and Mr. Hamlett gave us a good look at the Microsoft virtualization/Hypervisor setup, config, security infrastructure and why this is becoming a major adoption for many organizations.
Mr. Hamlett also linked up with Steve Riley, who is a world-renowned security guru at Microsoft, and we had the opportunity to have him on the phone to talk more about any questions or issues we may have in understanding securing Virtualization. The timing was a bit off as he was travelling and the planned time of his availability was thrown off, so we’re going to schedule a conference call with him so that any questions/concerns/issues will be addressed for you.
I will be posting a thank you on his blog here http://blogs.technet.com/steriley/ and I’m asking for a few comments of thanks from the group as well. I want him to realize that we apprecilove his time and effort to work with us and to be a resource for us if/when needed. Please take a minute to say thank you from TITSSN.
Here is the video of his TechEd presentation on virtualization and security http://titssn.net/events-archive/Jan-2009-Virtualization/. I decided to share this with everyone as it is a major topic of interest across the board. I am sure you’ll see and learn a lot of interesting things from it. We had an awesome discussion around the presentation that Mr. Hamlett did an awesome job of sharing some insight, recommendations and guidelines on. The Virtualization_SCVMM PPT is one that Mr. Hamlett presented at another location and he decided the content was appropriate to share with us as well.
We will have a follow-up hands-on workshop where we’ll be building out a virtualization infrastructure from the ground up, so please stay tuned for that update. I’m working on that for our February training and development workshop, so as you can see, we’re putting a lot of quick time and attention into this. This year we’re focusing very heavily on this area of technology and you’ll be seeing a lot more on it.
So, please remember to say a little thank you to Mr. Riley ok.
Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.
~Brett A. Scudder~
The IT Security Attaché | http://theitsecurityattache.com | Blogs http://theitsecurityattache.com/blogs
Your thoughts - "Report Calls Online Threats to Children Overblown". What do you think, is this for real or not?
Link: http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html
Hi all,
I really had to bring this to your attention and if you’d like to add your thoughts that’d be great. The report has prompted my desire to see the real report that was submitted for them to come to this conclusion. I’d like to have a sit down with them to shed some light to the issues from another angle, the "unreported cases".
As I said, there’s a lot that goes on that doesn’t get reported, so where does that info go, and what influence (if any) would it have on the real state of affairs about online threats to children? Children are being used as backdoors and access points to private/personal information about the family, the home and financial status, not just for sex or sexual acts.
If there wasn’t a threat, why do we have task forces and other agencies manning it?
I guess you can tell that I’m very worked up over this one, huh. It just shows how limited the mindset is at that level. It’s like saying that if I teach the children to secure the door by always locking it, I don’t have to worry about the windows.
————————————
The question on LinkedIn.
http://www.linkedin.com/answers/using-linkedIn/ULI/398900-3071950
Your thoughts - "Report Calls Online Threats to Children Overblown". What do you think, is this for real or not?
Good day to you,
When I see an article like this I tend to sit back and go wow, where have I been living and what have I been seeing/hearing, or am I in denial of the truth? I have always said that we, the people in the field who live and die working in the field, have always seen things differently from the people in these high-level positions, and that is why they fail to implement the proper things needed: there is no synergy between us and them.
It’s like a cop on the street who has to deal with everyday violence and issues but is able to quell them and bring peace to his area because he’s known and knows how to deal with people. While these issues are real and happening every day, they don’t get reported back to the precinct, and so the captain (or seniors) thinks all is well and can say that their district is not violent and has no issues like anywhere else. It’s not that you don’t have issues; you’re just not getting the info about them because they are not critical enough to report in or cause a major stir. Yet, unchecked, the high-profile ones are added to the statistics and generate facts.
They don’t come down to our neck of the woods and talk with us to see what is "really going on" in the world; instead, they use statistics that are published by some agency or group. Well, I must be in denial, because I truly see this as a growing problem and have talked with parents and students alike who have been victimized online to the point that it affects their offline experience/life.
So, before I get carried away in myself and this issue (as it really upsets me), I’d like to throw this out to this professional network to get your real professional insight/thoughts on the report of the report.
http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html
Thank you and have a great day,
~Brett A. Scudder~
An article I contributed to for Inc Technology, “2009 Tech Security Forecast”
Link: http://titssn.net
Hi all,
I’d like to share an article that I contributed to for Inc Technology about the "2009 Tech Security Forecast".
Please take a read at your leisure.
The article is here http://technology.inc.com/security/articles/200901/forecast.html
Thank you and have a great day,
The IT Security Attaché
Digital IDs - Do you know what they are and their benefits? How serious are you about protecting your messaging identity?
Link: http://titssn.net
Good day to you,
Over the past few years we have seen a significant increase in the use of messaging, and with this use comes the threat of spoofing, "Messaging Identity Theft" (oh yes, your messaging identity is a major risk factor as well). With messaging now available on mobile devices, allowing us to be anywhere and accessible at any time, the risks associated with losing that identity are a major concern (at least for me they are).
As a security professional who provides guidance, counsel, education and awareness, I always keep a very keen eye on my email messaging config and setup so as to provide authentication and validation of myself as the original sender of my messages. People turn to me for guidance and counsel in many areas of technology, and if/when they receive an email message from me they believe it is valid and useful information to use. They “trust” my knowledge, recommendations and guidance and as such will use the information provided for themselves or share it with others. As one can never tell the life and trail of a message once it is sent, one can only ensure that its content and information is not tampered with (or hope so).
Imagine if someone were to send an email from my (or your) address with a link pointing to a website that has malicious code on it, and the recipient’s system crashes and/or data is lost.
Or an email with an executable file attached, stating that you should rename the file by adding .exe to the end and then run it.
What would happen to my (or your) reputation and the trust of that recipient if that happened?
They wouldn’t know how to trust my (or your) messages, or even me, again. This could also lead to legal issues if the recipient was in a company that was impacted by the threat(s) in a major way. There could be a network-wide attack, worm outbreak or some viral infection that took the company’s infrastructure down or created a SPAM relay in their system, at which point that message will be used as proof of its being the cause of the problem(s).
Oh yes, I know what you’re saying: anyone can spoof your addy (email address) from anywhere, but what if the message really came from your network/PC because you had a trojan/worm that you were not aware of? Aha, now you’re getting the gist of what I’m saying. You’re also a risk to yourself without the proper protection and configurations in place. Sometimes it is the simple things that have the biggest impacts and effects on us, as we never looked into them properly.
Now I need you to understand what I’m saying, as it doesn’t only apply to me or to IT/Security professionals. What I am saying to you is, no matter what field of work, study or profession you’re in, the delivery of an unplanned, unwanted or unknown message can present many challenges; it’s a matter of how you want to protect yourself from the impacts and effects. Think about privacy, think about security, and think about wrongful information/data and the dissemination of the message and its contents to others outside of your intended recipient list.
This ID can be added to your mobile devices as well, thus extending the same functions and features to your device while in transit.
In 2004/5 I saw the highest spoof rates of 30-40% of my primary email address and became even more serious about protecting that identity and what it meant to me and my recipients (customers, clients, associates, partners, friends, etc.).
In 2004 I amended TITSSN’s membership and messaging policies to make it mandatory that every member have a valid digital ID and use it in all group messaging communications. The purpose was to create a better way of validating and authenticating incoming messages and to allow the encryption of sensitive data/information. It also required that all documents (PDF, Microsoft Office, etc.) created by us be digitally signed. As IT/Security professionals we must ensure that the information being sent from us is valid, accountable and does not present a threat/risk to the recipient(s) (intended or not).
If you receive a direct message from me and it is not signed, I advise not opening it. I will not send a message without it being signed, and the beautiful thing about the digital ID is the special tag/label it adds to the message envelope. A little red (signed) or blue (encrypted) ribbon is added to the envelope icon. This gives the recipient immediate visibility that this is a signed message, with the option of opening it or not. Even though it may be signed, the content within the message can still be malicious, and so additional caution must be taken. In my config I have enabled the setting that tells me if the message has been changed/tampered with between the sender and me. At this point it is my choice whether to go further and view the contents.
The following figures are from Outlook 2007. Whenever you install a digital ID in Outlook it adds the section with the Sign and Encrypt options. You will not see these options if you do not have a digital ID installed.
Figure 1. The signed message icon
Figure 2. The Sign button
Figure 3. The Encrypt button
We have a special way of sending/identifying messages that are not signed, as circumstances will arise where one may be away from one’s primary system and unable to sign.
Some services like Yahoo Groups add content to the body of the message when collaborating in their groups. This will invalidate the cert, and the recipient will get a warning that the cert is invalid. This is a known issue for people using certs in such instances, so one must understand why this happens and whether it is worth doing.
Some companies add disclaimers to all outgoing messages, and if the PKI infrastructure is not properly configured this will invalidate any cert being used by an individual within the company’s mail system. In that case I recommend using a personal account for collaboration with groups that require this kind of personal identification. This way you will have control over the sending of the messages.
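The tamper check described above and the footer problem with group services and corporate disclaimers come down to one fact: a signature covers an exact message body. The following Go program is an added example, not the author's or Microsoft's code; it uses a constructed RSA key and message in place of a real digital ID and shows that a gateway rewriting line endings (which S/MIME canonicalizes away) leaves the signature valid, while an appended footer breaks it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
	"strings"
)

// Canonicalize puts a text body into the S/MIME canonical form (every line
// terminated by CRLF). A mail gateway that rewrites line endings therefore
// leaves the signed digest unchanged; any change to the words does not.
func Canonicalize(body string) []byte {
	unix := strings.ReplaceAll(body, "\r\n", "\n")
	return []byte(strings.ReplaceAll(unix, "\n", "\r\n"))
}

// SignBody is the sender-side operation a digital ID performs: an RSA
// (PKCS#1 v1.5) signature over the SHA-256 digest of the canonical body.
func SignBody(key *rsa.PrivateKey, body string) ([]byte, error) {
	digest := sha256.Sum256(Canonicalize(body))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyBody is the recipient-side check: true only if the body received
// is exactly what the holder of the matching private key signed.
func VerifyBody(pub *rsa.PublicKey, body string, sig []byte) bool {
	digest := sha256.Sum256(Canonicalize(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DeliveryResults records whether the signature still verifies after each
// kind of handling the message may receive in transit.
type DeliveryResults struct {
	Unchanged      bool // delivered exactly as sent
	CRLFRewritten  bool // a gateway converted LF line endings to CRLF
	FooterAppended bool // a group service or disclaimer filter appended text
}

// Demo signs one constructed message and replays the three deliveries.
func Demo() (DeliveryResults, error) {
	// Constructed signing key standing in for the digital ID's private key.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DeliveryResults{}, err
	}
	// Constructed message body.
	body := "Good day to you,\nPlease review the attached policy update.\n"
	sig, err := SignBody(key, body)
	if err != nil {
		return DeliveryResults{}, err
	}
	// Constructed footer of the kind a group service or disclaimer filter adds.
	footer := "\n-- \nThis message was distributed by the example-group list.\n"
	pub := &key.PublicKey
	return DeliveryResults{
		Unchanged:      VerifyBody(pub, body, sig),
		CRLFRewritten:  VerifyBody(pub, strings.ReplaceAll(body, "\n", "\r\n"), sig),
		FooterAppended: VerifyBody(pub, body+footer, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("unchanged: %v, CRLF rewritten: %v, footer appended: %v\n",
		r.Unchanged, r.CRLFRewritten, r.FooterAppended)
}
```

The third result is exactly the "invalid" warning a recipient sees after a list footer or corporate disclaimer has been stapled onto a signed message; the signer's key is fine, the body simply is no longer the one that was signed.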
It is one of my goals in 2009 to create more education, awareness and adoption of this on a global level, so that people understand what it means and the benefits it presents. A digital ID is not a security solution; it is a method of securing your messaging identity by creating a means of authentication and validation of the sender.
So where can I get a digital ID and is there a cost?
There are free digital ID providers like Thawte - http://www.thawte.com/secure-email/personal-email-certificates/index.html?click=DoYouNeedTo-SecureMail and Comodo - http://www.comodo.com/products/certificate_services/email_certificate.html. There are other free services if you do a search for them.
As for me, I use the VeriSign cert from here http://www.verisign.com/authentication/individual-authentication/digital-id/index.html, and even though they offer a free 60-day trial, I invest in my messaging identity by purchasing one for $19.95. A small $20 investment for my online messaging identity is nothing of consequence for me, as I see this as a critical part of my online presence, reputation and ethics.
So my question to you is,
With the growing trend of messaging and the fact that it is now the number one form of collaborating and exchanging information, how serious are you about protecting that identity?
Do you know what a digital ID is and its benefits?
Learn more about it here http://www.verisign.com/static/005326.pdf
Tutorial here http://www.verisign.com/static/005327.pdf
Look for more discussion on this as I am focusing on this for 2009.
Thank you and have a great day,
~Brett A. Scudder~
The IT Security Attaché
The IT Security Attaché’s Facebook Page
Link: http://www.facebook.com/pages/The-IT-Security-Attache/38575323030?ref=nf
Good day to you,
Here is my Facebook page which hosts my work and security related initiatives on Facebook. In my page you’ll find valuable information, recommendations and discussions that will help you to better understand the IT Security Threats Landscape and its impacts and effects on us as a people today and tomorrow.
http://www.facebook.com/pages/The-IT-Security-Attache/38575323030?ref=nf
As social networks become more integrated into our daily lives and are the future of collaboration, the threats are increasing and more people are becoming infected through them. This is due to the lack of proper education and awareness about these sites and how to use them properly. I hope that by creating this central resource for sharing this needed info we will help to get the message out.
Please feel free to support the initiative and to help share the info.
IT Security is a people problem, not an industry one and as such we must treat it this way.
When in doubt, reach out.
Thank you,
~The IT Security Attaché~