Filed under Security, Wisefaq by Dale on March 18, 2009 at 12:10 am
Is something I refer to every other day. The list has articles which have lists of things like Print Screen utilities, File Recovery tools, and the item I referred to today:
5 Key security questions that every executive should be able to answer
I found a security flaw on a customer system, which could allow Information Disclosure.
But how to present it to management?
I looked at what Eric Cole had written on determining the Return On Investment (ROI) for any risk, and here it is:
The issue?
The FRED system baseline security setting is set at too low a security level.
The impact of this is that it would be possible for an attacker to gain access to FRED.
What is the likelihood of it occurring?
Low for external attacker,
Low -> Medium for internal attacker.
The vulnerability would require the following to exploit:
Knowledge of the FRED system. This information is readily available, and just requires an attacker to “join the dots”.
If it occurs, what will it cost?
Exposure of confidential/sensitive corporate information.
Impact to our reputation, and customer confidence.
What will it cost to eliminate the risk?
30 hours of effort to configure FRED into a secure mode.
What will it cost to reduce the risk to an acceptable level?
as above

Filed under Quotations, Security by Dale on March 5, 2009 at 12:10 am
However our users are highly resistant to good advice.
- NT Government IT Security Manager, 2003.
Which was in response to some advice I provided about the JDBGMGR.EXE Virus email which was doing the rounds.

Filed under Security by Dale on March 4, 2009 at 12:10 am
Imagine this …
You’re an IT Security Manager for a large company. You organise an audit of IT Security.
The external auditors identify many issues*, and you ask a support team for feedback on one issue.
When the support team asks for further details, do you:
- say no, as the whole document is security-in-confidence.
- for the particular issue, extract the details out of the report, and provide that extract to the support team.
- provide a link to the whole security audit report, which details every security flaw found throughout the whole organisation.
If you picked "3", you too can have a job as an "Information Warrior".
* – it’s the nature of external security auditors to find every flaw. Some would say it is to justify their exorbitant fees. Poor security auditors seem to just run through the Microsoft Security Checklists, and leave it at that.
… Dale has been involved in desktop security audits since Windows 95/NT4, and it’s all been a blur.

Filed under Security by Dale on February 17, 2009 at 12:10 am
It’s in the interest of external security auditors to find as many flaws as possible. They have to justify themselves somehow, after all.
So this leads to the farcical solution where I received a security audit on our client desktop systems.
“It’s got all these issues”
said the Service Delivery Manager.
“No it doesn’t. They have blindly followed the NT4 C2 hardening guide, and if we fix these “problems”, the customer will not have a working system and will complain”.
Case in point, cached logons.
“Windows NT 4.0 has the capability to cache logon information in short-term memory. If the domain controller cannot be found during logon and the user has logged on to the system in the past, it can use those credentials to log on. If the Administrator disables a user’s domain account, the user could still use the cache to log on by disconnecting the net cable. To prevent this, Administrators should disable the cache. This results in a somewhat longer logon time, but prevents hackers from tapping logon information from short-term memory.”
http://www.microsoft.com/technet/security/chklist/wrkstchk.mspx
The advantage in allowing people to use cached logons is that the user can still use their computer when the domain controller is broken. That matters for people like bank tellers and retail staff, who mostly connect to non-Windows networks (mainframes, generally).
But for 3 years running, the external security auditors would say “it’s a security issue”.
And the customer’s IT staff would say “disable it”.
“You’ll have problems”, we’d say.
“We don’t care, it’s a security issue.”
So we’d stop cached logons, and then when the network failed, the customer would complain.
“Well we did warn you.”
In years 2 & 3, we got clever.
“Mr. Customer, you had problems when you last did this. If you change your mind after we disable it, we’re going to bill you for the fix.”
Update October 2009: Raymond Chen wrote about Cached Credentials in the July Technet magazine.

Filed under Security, Vista by Dale on February 9, 2009 at 12:56 am
I have dozens of Virtual PC/VMware images, and can never remember the password for the things.
A cleverer guy than me (Tony Cinanni) suggested this solution:
Set a “Password Hint”. Works with Vista as well.
To set a password hint:
- Start the User Accounts Control Panel applet, which you can find in the Start Menu / Control Panel / User Accounts
- Select the account for which you want to add a password hint (in the above shot, you can tell it’s LimitedUser)
- Click Change the password.
- Enter your password in the two fields, type your password hint (i.e. in my example above, it’s the password), and click OK.
- Done!

Filed under Security by Dale on February 2, 2009 at 12:05 am
… I am the information warrior who adopts mixed defence strategies to combat the baddies. …
so spoke the IT Security manager, who back in 2008, described Script Kiddies as
… 8 to 12 year old teenagers …
"Script Kiddies" is actually a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs or exploits on their own, and that their objective is to try to impress their friends or gain credit in underground hacker communities.
- Wikipedia: Script_kiddie

Filed under Security by Dale on January 27, 2009 at 12:01 am
Saw this back in 2003, and you can find the original here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=80765
By Eric Cole
To make sure you understand your organization’s issues, you should be asking the following questions before formulating a security plan:
- What is my organization’s critical information or digital assets? Every company has information that’s unique to it. In some companies, this question is easy to answer, and in some cases, it’s very difficult. You have to figure out what pieces of information, if compromised, would put your company out of business or make it difficult for you to continue operating.
- On which servers does the critical data reside? Attackers break into servers, which provide the gateway to the data. Therefore, knowing where the data is lets you concentrate your security efforts. It’s also important to prioritize servers. Most companies have a large number of servers, and not all servers have the same level of importance.
- What are the risks to those servers? Risk is composed of threats and vulnerabilities and can be reduced by countermeasures. The following is the common risk formula: Risk = (Threat x Vulnerabilities)/Countermeasures. A threat is an adverse occurrence that allows someone to do harm to you or your assets. A vulnerability is a weakness that allows a threat to be manifested. A countermeasure is an action you perform to minimize or eliminate either the threat or the vulnerability. The important thing to remember is that if you reduce either the threat or the vulnerability, the resulting risk is also reduced. You only have to reduce one of them, not both. For example, a threat is that someone can run an Internet Information Server (IIS) buffer overflow against your external Web server. The vulnerability is that your company is running external IIS Web servers. Depending on the specifics, your risk could either be high or low. From a countermeasure perspective, there are three general approaches you can take. First, you can do nothing and accept the risk. Second, you could take actions to minimize the risk. In this case, you could minimize the risk by staying up to date and applying the latest patches in a timely manner. Third, you could eliminate the risk by taking the Web servers off-line. As you can see, in most situations, reducing the risk is the most practical approach.
- What is the return on investment for reducing or eliminating certain risks? Executives have to be concerned with the financial effect of a given security decision. Spending $500,000 to fix a problem that has a 10% chance of occurring and would cost the company $100,000 if it occurs isn’t a good ROI. On the other hand, spending $50,000 to eliminate a risk that has an 80% chance of occurring and would cost the company $800,000 if it occurs is a wise investment.
Here are the key questions you need to ask to determine the ROI for a given risk:
- What is the risk?
- What is the likelihood of it occurring?
- If it occurs, what will it cost?
- What will it cost to eliminate the risk?
- What will it cost to reduce the risk to an acceptable level?
Armed with the answers to these questions, you can spend money in the proper areas.
There is a long list of additional questions that an executive should ask, but the above questions form a foundation for all of the other questions. The above questions also give CIOs a clear view of where the problem is and how bad it is.
Remember, security is mostly about understanding your infrastructure and not necessarily spending money. Taking the time to answer the above questions will best enable you and your management peers to make sure your security dollars are well spent.
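The five ROI questions above (and the FRED write-up earlier on this page that works through them) reduce to comparing a countermeasure's spend against the expected loss it removes. The following is an added illustration, not Eric Cole's or Dale's code: it takes the five answers as a record, costs out Cole's three approaches (accept, reduce, eliminate) and ranks them. The "reduce" option is modelled with an assumed residual likelihood after the countermeasure, which the article does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Risk:
    """Answers to the five ROI questions for one risk."""
    name: str
    likelihood: float                              # chance it occurs in the period (0..1)
    impact: float                                  # cost if it occurs
    cost_to_eliminate: Optional[float] = None      # None: elimination is not an option
    cost_to_reduce: Optional[float] = None         # spend on the "reduce" countermeasure
    residual_likelihood: Optional[float] = None    # assumed likelihood left after reducing


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected loss over the period: likelihood x impact."""
    return likelihood * impact


def evaluate(risk: Risk) -> Dict[str, float]:
    """Total expected cost (spend plus residual expected loss) of each approach."""
    options = {"accept": expected_loss(risk.likelihood, risk.impact)}
    if risk.cost_to_eliminate is not None:
        options["eliminate"] = risk.cost_to_eliminate          # nothing left to lose
    if risk.cost_to_reduce is not None and risk.residual_likelihood is not None:
        options["reduce"] = risk.cost_to_reduce + expected_loss(risk.residual_likelihood, risk.impact)
    return options


def roi(risk: Risk, option: str) -> float:
    """ROI of a countermeasure: (expected loss avoided - spend) / spend."""
    if option not in ("eliminate", "reduce"):
        raise ValueError("ROI only applies to a countermeasure, not to accepting the risk")
    options = evaluate(risk)
    spend = risk.cost_to_eliminate if option == "eliminate" else risk.cost_to_reduce
    residual = options[option] - spend
    avoided = options["accept"] - residual
    return (avoided - spend) / spend


def recommend(risk: Risk) -> str:
    """Approach with the lowest total expected cost."""
    options = evaluate(risk)
    return min(options, key=options.get)


# Cole's two worked figures from the article, entered as constructed Risk records
BAD_SPEND = Risk("bad spend", likelihood=0.10, impact=100_000, cost_to_eliminate=500_000)
GOOD_SPEND = Risk("good spend", likelihood=0.80, impact=800_000, cost_to_eliminate=50_000)

if __name__ == "__main__":
    for r in (BAD_SPEND, GOOD_SPEND):
        print(r.name, evaluate(r), "->", recommend(r), "ROI:", round(roi(r, "eliminate"), 2))
```

Cole's first figure comes out with an ROI of -0.98 (accept the risk), the second with 11.8 (eliminate it).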
Update: Questions to Ask Your Security Vendor

Filed under Disk Wiping, Security by Dale on January 22, 2009 at 12:05 am
This is an update on my “Wiping your hard disk, so other people can’t get data off it post”, which WordPress and Windows Live writer just erased on me. Ironic!
One reader asked what I’ve used. Well those programs would be: BCWipePD, Darik’s Boot and Nuke and Active@ KillDisk Professional. Darik’s Boot and Nuke was my choice, the other two have been used by my various employers.
Free
Active@ KillDisk Free
Darik’s Boot and Nuke
CopyWipe
Not-Free
Acronis Drive Cleanser
Active@ KillDisk Professional
BCWipePD
cyberCide Data Destruction
Destroy & Destroy Lite
Disk Wipe
Drive Washer
East-Tec DisposeSecure 2008 Enterprise
EBAN 2.1 – the enterprise version of Darik’s Boot and Nuke
Iolo DriveScrubber
OnTrack – Eraser
PC INSPECTOR e-maxx
WhiteCanyon WipeDrive
WipeDrive
Disclaimer:
It’s YOUR choice as to what you use. In Australia, the “Destroy & Destroy Lite” program is on the Defence Signals Directorate’s EPL list.

Filed under Security by Dale on January 17, 2009 at 12:01 am
*.bat, *.cmd, *.com, *.cpl, *.exe, *.hta, *.msi, *.pif, *.scr, *.shs,
*.vbs, *.wav, *.vba, *.job, *.pcx

Filed under Customer Relations, Security by Dale on January 11, 2009 at 12:01 am
Something I collected some years ago, and with rework, I still use it today:
Ladies and Gentlemen,
As part of the XYZ Outsourcing Contract, ITCOMPANY Security provides several value-added security related services. One of these is Vulnerability Scanning through coordination with XYZ IT Security. We would like to perform this activity in the LOCATION data centres on Tuesday, May 4th beginning at 9:30 in the morning.
These scans are designed to identify configuration issues, operating system vulnerabilities, etc… so that we can make sure that the integrity, confidentiality and availability of XYZ resources are properly protected. Only devices which ITCOMPANY has management responsibility for are included in this scan. There will be no brute force attacks or password cracking performed as part of this activity.
As in the past, the scan will be monitored by the ITCOMPANY SERVICE MONITORING TEAM (ISMT) in case they see service degradation of any of the servers included in the scan. We will immediately turn the scan off if notified. We have successfully performed these scans in the past three years without incident.
The activity will be scheduled, reviewed, and approved by CHANGE MANAGEMENT prior to the scanning.
The notifications (this message and two others prior to the scheduled scan), CHANGE MANAGEMENT approval and the ISMT monitoring are control activities to make sure that this activity is publicized and that we are able to immediately disconnect if any adverse activity is noted.
Please let me know if you have any concerns or conflicts with this timing.
Please feel free to contact me directly if you have any questions or concerns about this activity. If there are others who should receive this communication, please forward directly to that person with a cc: to me.
Thank you in advance for your assistance and time.
