We currently have 3 Information Security positions open at MIT Lincoln Laboratory. The first position is Information Technology Security Team Lead. It is position #914 on the Employment page. Rather than re-hashing all the details you can read about it there. The other 2 positions do not have job postings up yet. We need 2 IDS / IPS analysts full time. Details of the positions should be posted soon.

All 3 positions are in Lexington, MA and will require the candidates to be able to obtain at least a SECRET level security clearance. If you or anybody you know may be interested please contact me at: chris.harrington AT ll.mit.edu

Thanks!

–Chris

There was good audience participation so I only had to pull out 1 or 2 “canned” questions in the time allotted. I’ve tried to summarize the points and information that we learned from this exercise below. These are in no particular order.

1. No clear definition of NAC
One of the first questions from the audience was about barriers to NAC adoption. One of the vendors replied with the question “what does NAC mean to you?” This person wanted NAC to do machine based authentication with no posture assessment. The next speaker wanted user authentication and posture assessment. A third was looking for post-connect NAC, *cough* IPS *cough*. Yet another wanted machine based authentication followed by user authentication. There was also discussion of machine provisioning on the network based on an HR event. As we have heard before, the definition of NAC is a moving target.

2. Lack of executive buy-in kills
No big revelation here. Without proper senior management participation, understanding and approval almost any initiative will fail. What is interesting is the fact that within this group the challenge of selling NAC to upper management seemed to be more of a barrier to deployment than cost or complexity, the ones usually cited. My guess is that NAC may be an organizational or cultural challenge that is more common in “academic” environments where people may be used to doing what they want with less oversight. That is just a guess on my part. Cost was not mentioned once as an issue.

3. 802.1x is still a long way out for wired deployments
Most security professionals will agree that 802.1x authentication is the preferred enforcement mechanism for NAC. IP’s can be changed, MAC’s can be spoofed but digital certificates pose a formidable challenge to forge. All 3 vendors said that in their experience 90% of wireless NAC deployments use 802.1x. The reason cited was ease of configuration on the client side and general wider acceptance of the protocol. On the wired side that equation was reversed with only 10% deploying 802.1x. Supplicant issues and the prevalence of devices that may not be able to have a supplicant (printers, VOIP phones, etc.) were said to be big issues.

4. Support for non-Windows clients still developing
The majority of the audience organizations have significant numbers of non-Windows clients, specifically Mac’s. We get it. Windows is on 90 something percent of the enterprise desktops. That number is changing. More and more companies are offering choices on the desktop / laptop. The NAC vendors present had different levels of support for non-Windows. Some could do authentication only and some could do posture checking if the NAC device was in-line. Note to NAC vendors: Mac support is not a nice to have any more. Mac will have an ever increasing presence on the desktop. The NAC options should be the same for Windows and non-Windows. I do recognize that Linux is a little more of a challenge due to the variants and much further behind Mac in the desktop OS race.

Some of the other take-aways were:
Make sure you have an accurate inventory of network connected devices
Do not underestimate the increased help desk utilization
Automated remediation is not as common as self-remediation in deployments

Those were the ones worth mentioning. Let me know if any of these jump out at you.

–Chris

Technorati Tags: NAC, Network Access Control

Anyone know of a commercial solution or open source libraries that could do this? I know many IPS’ can detect IM video but he needs to record. Is IM video even encrypted? Before you start with the privacy concerns this is done with full knowledge of both parties who are also employees of the same company. It is a pilot program at this point.

–Chris

Technorati Tags: AIM video, record, MSN Messenger

World of Warcraft creator Blizzard Entertainment is selling hardware security devices. These small devices can fit on a key ring and provide a second form factor for authentication using something similar to a one time pad. The cost…..6 EUR. Robert over at Errata Security has a pretty good write up on it.

Now if only my bank could figure this out. Wait a minute….don’t they have to under PCI??

–Chris

Technorati Tags: WoW, World of Warcraft, Blizzard Entertainment, 2 form factor

Thanks!

–Chris

Security Twits are people in security related jobs, companies, etc that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

– Chris

Technorati Tags: Twitter, Security, Security Twits

What can these services see?
In a hosted model these companies act a the middle man between the person giving a PowerPoint presentation and the ones viewing it, as an example. Can WebEx or GoToMeeting see the presentation? If so, is it done overtly or covertly? Any audit trail? Is the presentation stored on their servers?

Sharing of desktops?
I know some of these services have the ability to share their desktops or applications. Some can even give control of their entire PC over to another person in the meeting. That could have some significant security implications in certain environments.

How do you handle these technologies? Do you block them? Have an approved one and block the rest?

I would love to hear what you do.

–Chris

Technorati Tags: GoToMeeting, WebEx, Web Meeting

• Of 11,000 suspected spam domains registered through them, NONE were taken down in a 6 month period.

• Approximately 100 new spam sites per day being registered.

• A “significant” number of those domain registrations have apparent bogus contact information

What makes matters worse is that there appears to be some interesting langauge in the ICANN agreement that registrars are supposed to comply with:

“Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.”

Reasonable steps? A little vague don’t you think? It will be interesting to see if ICANN does something here. Why does the prhase “Stop or I’ll yell Stop again!!!” come to my mind here?

–Chris

Technorati Tags: ICANN, Spammer, Xinnet

So I am working in an Information Security position at MIT Lincoln Laboratory. It’s a very interesting mix of Academia and Military. We have a new CIO (as of last fall) and he really seems to be shaking things up and making some improvements. The environment is similar in feel to the NSA which is no surprise given the classified research that is done there. So far I am enjoying it. I do not enjoy the commute…about 60 miles each way with 12 of it being on 128. Those in the Boston area know all too well what I am talking about.

I’ve got a couple of posts in the works to try and freshen things up around here. The site is also going to get a fresh look and feel. Who knows, I might even get a podcast or two up

–Chris

 ”Your previous posts were real rubbish, but this is good. This one is brilliant. Your blog is getting really better.”
The email address was a fake and the URL they left was to a porn site. Made my morning.

And yes,  I am still alive.

–Chris