Kraft & Kennedy, Inc. provides technology and strategic consulting services to law firms, corporate legal departments and financial services firms. We can help you analyze, plan, implement and manage business and technology solutions to optimize your organization's functionality and processes.
BitLocker is quickly becoming standard in Kraft Kennedy’s Windows 7 deployments for clients with Windows 7 Enterprise licenses. BitLocker is easy to configure and enable automatically during MDT or SCCM workstation builds. Enabling BitLocker automatically via third-party tools is also rather simple. Combined with ease of deployment, BitLocker’s ability to back up encryption recovery keys in Active Directory makes it a very attractive option for clients looking to implement manageable desktop and laptop encryption.
Microsoft provides ample documentation describing the process for enabling BitLocker in the enterprise. There are only half a dozen or so steps required to prepare the Active Directory environment, and then a few minor modifications to the SCCM or MDT task sequence to enable BitLocker during builds. In the field I have found there is one area where the BitLocker documentation is lacking and thought I would share this tip.
The August Scientific American contains an encouraging article for anyone helping organizations reduce information security risks: “How New York Beat Crime,” by Franklin Zimring. Many times it seems like the criminals are winning in the battle for security on the Internet. I lived and worked in NYC (Bronx, Brooklyn and Manhattan) in the 1980’s and 1990’s and vividly recall the many neighborhoods that were not safe after dark. It really seemed like the streets had been lost to criminals. My personal experience includes one apartment robbery and two car thefts. I still recall trying to drive off in my car after two of its wheels had been removed and the car mounted on cinder blocks. Now, however, I am hard pressed to think of an unsafe NYC neighborhood.
The story behind New York’s improvements can provide insight into how to reduce information security risks within enterprises, both law firms and their clients.
Continue reading…
Most IT Managers work hard to patch systems and applications, making sure the latest high risk security vulnerabilities are closed off. This is great, but it is critical not to forget social engineering vulnerabilities. In fact many computer hacks have a major social engineering component. Law firms are built on trust and are particularly vulnerable to this type of attack.
I was reminded of these vulnerabilities through recent local and national news headlines. First was the August 1 conviction in Nashville, TN of Josh Holly. Holly entered a plea of guilty to possession of stolen credit card numbers. But he first gained notoriety by hacking Miley Cyrus’ MySpace and Gmail accounts. How? By social engineering a MySpace administrative worker. Then there was the conviction in Knoxville, TN of David Kernell last November for hacking into Sarah Palin’s email account. How did he do this? Simply by resetting her Yahoo password, using guessed answers to the security questions. His case is on appeal; I’ll be curious to see what the 6th Circuit decides. I’m anticipating more hacking in the upcoming national election.
These social engineering techniques are described in great detail in Kevin Mitnick’s new book: Ghost in the Wires (2011). I don’t like paying a convicted felon, but this book is a good education and I recommend it for security managers. Kevin was the master of social engineering and isn’t hesitant to describe all his tricks. These include reconnaissance (now easy for anyone to do using Google), tailgating, impersonating insiders, dumpster diving and many others. His most effective technique was to impersonate inside staff when communicating with other inside staff. With a little background information, this method worked repeatedly.
If you don’t take steps to mitigate social engineering methods in your organization, you are leaving open big security holes. Technology won’t close those holes. One step is to include this topic in your awareness training. You should include details of real attacks, not just generalities. A second method is to include social engineering when conducting outside penetration testing. The results will help drive home the message that, despite all our security technology, it can still be easy for attackers to break in.
I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found. Two very interesting decisions on security at banks were recently published. One is the May 27 US District Court decision on Patco v. People’s United Bank. An even more recent decision is Experi-Metal v. Comerica Bank, June 13, US District Court. Both cases involve online transactions with large sums being fraudulently transferred out of business accounts and to Eastern Europe. Unfortunately, these cases are not uncommon. The first one I became aware of was Joe Lopez v. Bank of America; Lopez lost $90,000 back in 2004 in a wire transfer to Eastern Europe. Last year my neighbor’s business lost over $300,000. In this case, the funds were recovered through timely efforts of the FBI and their counterparts in Latvia.
Continue reading…
The overall theme of this series on SCCM Desired Configuration Management has been to provide you with a low-level understanding of the mechanics of DCM, give you a sense of the wider business context in which it is useful, and give you the tools to pursue your own enterprise IT management goals. This final post covers one additional freely downloadable baseline, no great shakes in and of itself, but emblematic of what the future likely holds: plugging third-party baselines into DCM to validate our organization’s compliance with a neutral standard. We then conclude with a technique for helping to make PCs self-remediating when they are found to be out of compliance.
Not all DCM baselines are security-related. As organizations, or society, decide that some aspect of enterprise computing is worthy of attention, baselines evolve to help IT auditors and administrators keep their eye on the ball. A simple example is PC power management. While not yet updated for Windows 7, the government’s ENERGY STAR recommendations for PCs are still worth looking at and this example shows how to adapt an older baseline for our own purposes.
Continue reading…
In the first four parts of this series, we covered SCCM Desired Configuration Management (DCM) in depth and went over the creation and use of custom baselines. Now that we understand the low-level details, it’s time to build on that foundation. Continuing our laptop security focus from last time, in this blog post we’ll look at how to use Microsoft’s Security Compliance Manager toolkit to feed security baselines into DCM.
One of Microsoft’s vaunted “Solution Accelerators,” Security Compliance Manager (SCM) is a freely-downloadable utility used by thousands of organizations for managing their computer security baselines. While there are third-party products that can do even more, SCM is effective in its own right and free is hard to beat. One can download recommended baselines from Microsoft for a variety of operating systems, import them into SCM, edit them and export them to a variety of formats. In addition, various third parties offer their own baselines and you can copy and build upon any of them within SCM.
Continue reading…
In the second and third parts of this series on SCCM Desired Configuration Management, we created some Configuration Items (CIs) that showcased a variety of validation techniques. Now we’re ready to turn the individual CIs into a baseline and begin using it for compliance reporting.
Whew, creating those CIs seemed like a lot of work. Actually, it’s easy once you’ve gotten the hang of it. But we’re not quite done — now it’s time to collect these CIs together into a Baseline. Go into the DCM Configuration Baselines node, right-click the folder where you want to create your new Baseline and select New Configuration Baseline:
Continue reading…
In the second part of this series on SCCM Desired Configuration Management, we began creating Configuration Items for the scenario of establishing a corporate laptop security baseline. We continue here with some more sophisticated queries to give you a sense of how one incrementally builds up a DCM baseline.
Now that we’ve got the hang of basic validation checks, let’s try some more sophisticated tests using a bit of VBScript. The first one will verify that our anti-virus definitions file (we use Symantec in this example) has been updated within the past 7 days. Here’s how to set this up.
Continue reading…
In the first part of this series, we discussed what SCCM Desired Configuration Management is and why you might want to use it. Using the example of creating a security baseline for monitoring configuration drift on corporate laptops, we began setting up the initial framework. Now it’s time to get to the business end of our DCM baseline: creating the actual compliance items we want to track and validate in our organization’s population of laptops.
To keep things neatly organized, we’ll create a series of folders to hold our work. A lot of our DCM efforts involve security, so we’ll create a top-level folder for that in both Baselines and Configuration Items. The ones we write ourselves we’ll put under a folder with our company name (“Kraft & Kennedy”). Microsoft and the US government also have useful compliance offerings we can download for free (we’ll cover these in a future blog post), so let’s create folders for them as well.
Continue reading…
Scenario: your company’s management is concerned about the security of the firm’s laptops. They’re mobile, people use them in public, and there’s the inevitable risk of loss or theft. In the back of your mind, several things would allow you to rest easier at night:
There are many other ideas, but you’ve settled on these. All well and good, but how do you translate good intentions into an actionable DCM baseline? We’ll assume that you’ve seen or used SCCM before but are unfamiliar with DCM. Not to worry, let’s dive in.
Open up ConfigMgr (the SCCM 2007 management utility). In DCM, one performs two basic tasks: setting up baselines and running reports. You do setup and configuration work in the Desired Configuration Management node, highlighted below:
Continue reading…