Blog

Who Needs Information

So I’m listening to Pink Floyd the other day, and what kind of story isn’t going to be fun that begins with that line? Roger Waters Radio KAOS, specifically, and the song Who Needs Information is just WEDGED into my head for days now. You can look up the lyrics and listen to it if you’re that interested, but the concepts of information it repeatedly brings up are relevant to INFOSEC (as is the opening stanza about theft).

We see a lot of information theft these days. The people going after it are our threat actors. Thinking about who needs it helps us fill out our risk register. Thinking about risk while listening to music (or doing anything) is our JOB. The first stanza looks at the opportunistic aspects “we could win a million pounds” and that’s just how some of our actors look at our blue targets. You’re a prize. Your company is a scratcher to them and all they have to do is buy enough, and it’s a cheap buy-in, and they’ll find a winner.

The second run through is about fear, and the obvious correlation here is the FUD our industry pushes on the rest of the business world. Like Management, the song posits that we just want reassurance there’s an escape and we can get on with business. That desire applies to both the attackers trying to claw their way out of their socio-economic position and management in the blue company that wants a three color graphical chart of security showing GREEN so they can go back to business issues.  They’re both desperate for a solution to their respective concerns.

Information security IS a business issue, and management IS getting better at grasping the importance, but they’re still not entirely on board in many cases. Which brings us back to selling with FUD instead of selling with BUSINESS.  And, coincidentally, why we strongly feel that the CISO position needs to be either under the CFO or an independent with CFO ties.  Stop putting operational responsibilities in the security department because it creates a pressure to put them under the CIO and that is the WORST business choice a company can make.  Let the IT department handle the operational aspects of security, because isolating the security functions from the IT positions directly associated with them creates a barrier to work flow and adds costs.  The system administrator is perfectly capable of handling the security duties assigned which the security TEAM under the CFO can correctly monitor and manage.  Best of all, the CFO isn’t going to put up with FUD responses, they’re going to demand financials.  The harder the better, as it should be.  Let’s put a stop to throwing blinky box solutions at problems that are systemic and get down to brass tacks of business improvement in security areas.

But back to the song. The desperation of the characters looking for a way out of their situation is a key element of the emotional direction of the song.  The motivations of the attackers in our security situation are key to figuring out how assets are at risk and what level of intensity will be brought to bear against your defenses.

Who needs information? The blue team. More than anything else in the INFOSEC world, information about what’s going on is vital to protecting the business. So one of the key things you need to ask yourself as you’re spending money on security is “What new information is this product/service/person providing?” And if it’s not obvious, you probably don’t need that particular solution. Some tools are not information providers directly, but all produce information in some fashion, and that is the most important aspect, because even a purely functional tool like an email system that does not provide information in the form of statistics and metadata is a blind spot in your field of vision.

To quote yet another 80’s icon, Billy Idol, “Information is power and currency.” And the blue team needs all they can get, because the maxim is that blue must hold against a thousand threats while red only needs one gap in the defenses and they win.

Layered security isn’t about what gadgets you have protecting your assets, it’s about what information you have and filling the blind spots.

Liticode can assist with your security needs in ways other vendors can’t; as a trusted advisor interested in helping you improve your information flow for defenses.

80’s musical references are free for all customers.

Malwarebytes

It’s not often we endorse a product, so this is worth your time. Anti-malware software, anti-virus, whatever the new spin name is for “you clicked something and now you’re in trouble” is a tedious product. None of it, not a single vendor, not even this product, is perfect.

In the course of business here, we install, test, use, and fuss with everything on the market. One product we keep coming back to is Malwarebytes. It’s consistently good. Not perfect, but good.

Recently, it kept one of our computers from picking up something nasty, and I don’t let happenstance good work go unnoticed.  A rebuild of a workstation here costs us a lot of time and money. So this is us thanking Malwarebytes for a job well done. We even purchased additional copies to install on the other Windows systems in the office.

Some security curmudgeons will claim that anti-malware applications are useless, but they’re lying to themselves. We all get surprised by something from time to time, so even if you practice good operational security and don’t click random links, surprises still happen. Like we had last month.

Layered security is not optional, and Malwarebytes is one layer. Something even modestly useful that a professional tells you worked one time is worth it, because JUST ONE TIME is all it takes to ruin your year.

Thanks, Malwarebytes.  If you’re listening, about that CPU hit on initial load…

Certified Media Erasing Utility

We were asked if we knew of a media erasing tool that provided a certificate of destruction. We didn’t. So we wrote one.

It’s a very simple Linux utility (Windows coming soon!) that performs a low level overwrite per your needs, which is verifiable for third party inspection, and produces a certificate you can use as proof of destruction.

It’s going live on the GSA website soon, but if you’re not government and would like a copy, please contact us at 610-810-1727 or via sales@this site until we get our civilian sales side set up.

V&V

Verification and validation has been coming up quite often recently in conversations with client lawyers. It seems there are a number of litigants relying on system data or log file information who have not validated their data properly and are suffering the consequences of poor data management practices as a result.

V&V, and data management practices, are well developed standards dating back decades that all IT shops should be incorporating into their standards and practices for systems and data administration.

If the foundation data isn’t right, the business operations won’t be right. In some cases, notably 21 CFR 11, V&V is a requirement. But even if it’s not a legal compliance issue, it should be part of normal IT business practices at every company because of the inherent risk in ignoring V&V.

If your risk management program doesn’t have a V&V component, you might be missing a big vulnerability.

As always, we’re here to help, if you need us.

Outsourcing as a Competitive Business Advantage

Legal firms, whose core business is not IT, can benefit tremendously from outsourced IT & security services. Advanced outsourcing provides access to service features normally reserved for only the largest companies, such as structured IT program management, ultra-high availability, encryption, and global presence at a fraction of the cost of maintaining such technologies in house. For the majority of law firms, in-house IT is financially disadvantageous, and the lack of high-end features is a business disadvantage and increases risk. Outsourcing increases performance, reduces risk, and decreases associated costs, enabling any firm to benefit from advanced services and features.

Partnering with a provider who works intimately with the legal industry and understands the needs of a firm equates to better service levels and more productive time with less frustration. A partner that provides a standard platform and services for all its clients provides the most cost effective solutions in a tried and tested format. An outsourcing partner with advanced management services, such as systems architect, security architect, and IT program management can ease the burden on the client firm, improve operations, and spread the cost over the entire client base, so clients only pay for what they get, minimizing overhead.

And with security lapses showing up in the headlines on a near daily basis, everyone can benefit from high quality security management, but even large firms can’t afford to keep an information security expert on staff. It works to everyone’s benefit to spread the load for exceptional personnel.

Finally, use of large scale dynamic infrastructure permits fast adaptation of new features without the cost and problems of “forklift” upgrades. Your outsourcing partner can and should handle all the details of the entire infrastructure, from integration with mobile devices to fault tolerant business continuity services, securely.  In the best of all worlds, you don’t even think about the technology any more, so you can focus on litigation.

Security

Security is the biggest concern after basic operations. But all too often, smaller firms are unable to maintain an adequate level of security, which can result in information leaks, loss of data, or lack of availability. A single computer virus can wreak havoc on a law firm’s data repository, taking a terrible toll. Only after the breach does the organization realize they have a problem, and any repairs made in haste typically only last until the next crisis, and the cycle repeats. To make matters worse, any sudden attempt to improve matters without adequate understanding of the overall IT concerns is wasting money. Outsourcing is an appealing alternative because organizations gain the benefit of very experienced staff and insights at a reasonable cost, avoiding missteps or emergency measures.

Encryption

Encryption is still new on most firms’ radar, and the technologies are varied and not without risk. There’s a reason why encryption was considered a munition by the government with real export restrictions. Encrypting something completely prevents anyone without the key from reading the information. This makes it a great privacy tool, until someone forgets the password. Then the data is effectively destroyed, and that is a serious problem. Having access to personnel and a proven encryption architecture along with contingency plans for failures is the only way to effectively and safely manage your firm’s information assets and reduce risk. More than any other technology component, encryption must be properly managed or the entire data set of the firm is at risk.

Scalability

Outsourcing services, particularly computer intensive services and personnel, can greatly enhance a firm’s bottom line and ability to adapt and grow. While IT shops frequently plan for future growth, they cannot anticipate industry shifts. An outsourced function can capitalize on the dynamic posture and rapidly adapt. That being said, many internal projects can suffer from misaligned scale planning, but with outsourced services, that challenge is overcome with simple changes to allocations. Finally, outsourced services and assets can rapidly scale and migrate to new technology, something that cannot be done with internal assets, and is particularly useful when offices, temporary or otherwise, need to be stood up rapidly and then torn down when a job is complete.

Availability

Outsourcing improves reliability and availability. The use of high quality assets and professional grade architectures provides uptime levels that simply aren’t feasible for an organization operating a service internally. Law firms are not 9-to-5 operations, and we all work nights, weekends, and holidays, from home and on vacation.  Partners expect IT services to be available all the time, every day.

Simple Efficiencies

Outsourced IT services provide firms the opportunity to focus exclusively on core business needs and not get distracted by IT problems and personnel issues. By outsourcing commodity services to providers, Partners can focus their own teams on delivering value directly related to the practice.

Risk

Using the best assets and resources available, a firm reduces the risk that an accident or intentional incident will occur.  Further, and specific to law firms, there are distinct liability advantages to using a 3rd party to manage information assets.  Outsourcing reduces risk and creates advantages that are unobtainable through internal IT programs.

Liticode has worked with legal partners for more than 30 years, helping them provide the best technology experience possible.  From basic computer operations to large scale network infrastructure, including forensic technology and experts, we help make your firm more successful. We work in the industry, and we understand your needs better than anyone else.

SSD’s should come with a warning label.

We’ve been working with more and more SSD’s lately, solid state disks, also referred to as m.2 disks, although m.2 is actually the standardized shape of the circuit board and not the drive, with most older SSD’s being strange custom layouts with USB3 and SATA connectors.

Enough about layout and names, let’s get to the important parts.

SSD’s, nearly all current generation, are internally encrypted.  This has great relevance for forensics, because if the drive is not fully operational, you might not be able to retrieve any data from it.  We recently had a case where the controller chip on the disk was damaged and even though the storage chips were intact, no data could be retrieved.  A total loss in a big legal case is no bueno.  Hard drives didn’t have that problem, because they weren’t internally encrypted.  What we mean by that, is the keys are stored in the circuits, they are not input by the user, so there is no optional way to turn it off, and why would you?  You have backups, right?

So here’s three drives, all physically damaged by the same wrong belief, that SATA drives are hot swappable.  SATA drives are only hot swappable if they are explicitly designed that way.  These disks were all hot swapped by the user, with the inevitable *poof* when the magic smoke gets released from the board.

board 1 visibly burned

board 1 burn closeup

Both of these drives displayed visibly burned components and are POTENTIALLY recoverable, because it does not appear that the controller or storage chips are damaged.  Plus they are old enough they likely are not encrypted anyway.  So we’ll need to physically destroy the chips before disposing of them.

This third drive displays no physical burns, but is also not functional.

drive 3 no visible damage

It will also need to be physically destroyed, to ensure confidentiality of client information.  It’s also a terrible picture.  Sorry about that.

Note that unlike hard disks, working with the guts of an SSD is best left to qualified electronic technicians, as one tiny spark across those teeny-tiny components, which is an incredibly easy mistake to make, can destroy the entire drive.

One bit of humor to all this destruction: the tamper evident label on one of the drives accomplishes nothing other than determining if you peeled off the label.

tamper proof nothing?

We check for screws under labels using a different strategy, so we thought this was funny. Lab geek humor is very dry. We have to add humidity to prevent static discharge in the break room.

Based on other cases involving damaged disks we STRONGLY recommend clients always use a qualified technical forensic lab to handle evidence.  We’ve had 3 cases in recent memory where the client sent it to their local IT support company first before sending it to us, and we have no way of knowing where the fatal damage occurred.  Which can be problematic when discussing spoliation of evidence.  Please call us instead of your local techs.

Liticode is an Authorized OnTrack Data Recovery Partner

We’ve been an authorized partner for years, and there’s nobody we’d recommend more highly for corrupt media data recovery.  Let Liticode coordinate your recovery effort, or request service directly using the link below.  When you let Liticode act as your coordinator, you get analysis assistance, backup copies, and assistance with filtering the results.  Recovery generates a lot of files, and by combining recovery results with forensic search capabilities, we can help clients with special recovery needs locate the information they seek.

OnTrack is the world leader in data recovery, and their process and success rate is second to none.  We wouldn’t partner with them if they weren’t the best.

Trust Ontrack to recover your data
 

An Expose on the VA and Vendor Certification Fiasco

We’re a veteran owned business. It’s really easy to determine that, because the owner is a veteran with a DD-214 honorable discharge document and he’s the 100% owner of the business. So getting certified as a veteran owned business should be simple, right? No. Of course not. It’s the government. Who in their wisdom, decided to hand off responsibility for veteran verification to the VA, that bastion of bureaucratic integrity and competence we all know from the news articles about them over the decades. What should have been a simple thing has mutated into a 40 hour nightmare of paperwork and back and forth, with invasive requests for documentation, records the VA has no reasonable entitlement to, and the use of subcontracted services providing no recourse to the applicant for any nonsense that may be inflicted on the veteran. This has now cost the firm $10,000 in soft money. Soft money, and hard money, really. Some of it has been nights and weekends, but some of it has been business hours and definitely counts as lost client billable time. So we’ve decided to expose this little waste of taxpayer money for what it is, another fleecing of America by the faceless bureaucracy of Federal government. We’re going to drill down into it until we hit bedrock and can name names and point fingers. Because if they’re going to cost us ten grand, we’re going to get some marketing material out of it and maybe some justice for those still swimming upstream against their petty bureaucratic garbage. Stay tuned for more details.

Drafting Policies for Fun

Not many people think writing policy is fun. Or procedures. Or standards. Or any documentation, really. But policy and documentation can be fun, and more importantly, if done well, contributes directly to the security and safety of the organization, so it’s worth spending time on.

OK, but how can it possibly be fun? Because when you understand what you’re building, how it is like a set of block-like toys that click together to create a structure capable of supporting an entire company, then it’s more like a puzzle. And if you don’t like puzzles, anything around the legal industry is probably not for you, and you should get someone else to do it for you. Like Liticode *cough*.

Policy, and all documentation, really, is a support structure. And just like any support structure, requires engineering. Wordsmithing, not metalsmithing, but still, craft that requires study. If you throw something together without adequate understanding and skill, you end up with more problems than before you made the policy. Like a bad bridge, it will collapse at the worst possible time, probably taking careers with it.

A more visually correct representation is a house of cards, because we’re dealing with documents, and most of them are flimsy things that collapse under the faintest pressure.  But we’re going to fix that problem by building using better cards.  Cards made of reinforced concrete and steel, architected not cobbled together.

Policy is the roof. Why not the foundation? Because policy is the first line of defense. It’s what takes the first hits when you’re under attack by hostile lawyers or other nefarious entities, including your own personnel who just want to do things differently. Policy is the shield from stuff falling on the business.

The walls are the procedures and standards that support the policy. Can’t have a policy without process and standards, or it’s a useless policy. For example, if you have a policy that says no personal use of company assets, but you don’t have a process to detect it, or a standard of configuration for the business computers being used, your policy is going to be impossible to support.

So what’s the foundation? That is your charters, bylaws, explanatory documentation, authorities, and anything else that doesn’t count as part of the superstructure. A simplistic example is the criminal laws against theft. They aren’t part of your policy or your procedures, but they provide the cause that your HR termination policy uses to support a dismissal. You rely on them, just like you rely on manufacturer’s documentation, government standards, industry standards, and job descriptions, to direct the business.

So, just like building a complex house of cards, your policy in one area might be the foundation in another layer. The procedures of one layer are the foundation of another. The point to internalize being that all these documents are a) tangible, meaning they exist and you can put your hands on them to produce in court, and b) fit together like a puzzle, reinforcing and supporting each other, so that removing one piece in the bottom layer doesn’t cause the entire thing to collapse.  That last part is important.  They interlock and reinforce each other.

Which brings up the other fun part of the policy game. Who has ever performed a red team analysis of policy? Nobody, other than Liticode. We’re the only company that will look at your documentation and game it with our legal teams and provide you a risk analysis of your policy structure and documentation. And that’s just as important as your penetration testing of your network. The evil hackers might get your database, but the lawsuits that come after are what’s going to destroy the company and careers. We help you prepare with our policy analysis, but we want you first and foremost to have people that grasp the concept of the policy structure and how it is critical to your corporate defense.  Defense in depth includes the legal activities side.  Most (all?) risk assessments simplistically check off boxes indicating policy is present, but don’t evaluate the content.  That will get you blindsided, and we can help avoid that.

So enjoy building policy. Call us if you’re short-handed or want an additional set of eyes. Call us later if you want to test it and see if you have any unexplored risks in your structure. Our staff has the skill and experience to turn your house of cards into a fortress.