Sunday, November 27, 2011

Start Menu and IE Favorites Artifacts in the MenuOrder Registry Key


In most versions of Windows, a user can manually organize the order in which applications and application groups are displayed in the Start Menu.  A user might, for example, drag a frequently-used application group to the top of the Start Menu and leave the remainder of the items in alphabetical order.  The displayed order of items in the Start Menu is independent of the sort order of %userprofile%\Start Menu in Windows Explorer.

Similarly, a user can manually rearrange items in the Favorites menu or Favorites Center of Internet Explorer (IE) independent of the displayed sort order of %userprofile%\Favorites.

These user-defined display orders are not stored with the shortcuts themselves; they are recorded in the Windows registry, in the MenuOrder key named in the title.
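As an added example (not code from the original post), the following PowerShell snippet enumerates the MenuOrder key and its subkeys and carves printable UTF-16LE strings out of each binary Order value, which is a quick way for an examiner to see which Start Menu and Favorites items appear in the blobs. It assumes the key's standard location, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder, which the excerpt above does not spell out, and it treats the carved strings only as hints about which items are present, not as a decode of the stream's ordering structure.

```powershell
# Added example, not code from the original post. Enumerates the MenuOrder key
# and carves printable UTF-16LE strings out of each binary "Order" value.
# Assumption: the key lives at the standard path below (the post excerpt does
# not state it). The carved strings show which items are embedded in the blob;
# they are not a full decode of the stream's ordering structure.
$MenuOrderRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder'

function Get-Utf16Strings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 4
    )
    # Walk byte-by-byte so strings at odd offsets are not missed; a run of
    # (printable ASCII, 0x00) pairs is treated as one UTF-16LE string.
    $found = New-Object System.Collections.Generic.List[string]
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt ($Bytes.Length - 1)) {
        $lo = $Bytes[$i]; $hi = $Bytes[$i + 1]
        if ($hi -eq 0 -and $lo -ge 0x20 -and $lo -le 0x7E) {
            [void]$sb.Append([char]$lo)
            $i += 2
        } else {
            if ($sb.Length -ge $MinLength) { $found.Add($sb.ToString()) }
            [void]$sb.Clear()
            $i += 1
        }
    }
    if ($sb.Length -ge $MinLength) { $found.Add($sb.ToString()) }
    return $found
}

if (-not (Test-Path $MenuOrderRoot)) {
    Write-Warning "MenuOrder key not present for this user"
    return
}

# -Recurse picks up nested subkeys (for example Start Menu\Programs or a
# Favorites subfolder), each of which may carry its own Order value.
Get-ChildItem -Path $MenuOrderRoot -Recurse | ForEach-Object {
    $order = $_.GetValue('Order')          # REG_BINARY; $null if no Order value
    if ($order -is [byte[]]) {
        [pscustomobject]@{
            Key   = $_.Name
            Bytes = $order.Length
            Items = (Get-Utf16Strings -Bytes $order) -join ' | '
        }
    }
} | Format-Table -AutoSize -Wrap
```

To run this against a hive collected from another machine rather than the live profile, load the NTUSER.DAT with `reg load HKU\Suspect C:\evidence\NTUSER.DAT` and point `$MenuOrderRoot` at `Registry::HKEY_USERS\Suspect\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder`; unload it with `reg unload HKU\Suspect` when finished.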

Friday, September 9, 2011

I will be speaking at SecureWorld Expo 2011 - St. Louis

SecureWorld Expo 2011 is coming to St. Louis September 13 - 14.  Please come join me at 11:00 on Wednesday for my presentation, "Forensics in Internal Investigations: People, Policies, and Politics." 

Information Security Officers and Analysts are often called upon to conduct investigations into employee actions.  Internal data leaks, violations of acceptable use policies, rogue devices, unauthorized software, and countless other kinds of suspected insider offenses pull information security practitioners into the role of investigator.

Too often, organizations fail to prepare for and effectively manage internal investigations.  Taking an ad-hoc approach to investigations and failing to bring the right skills and tools to the job will lead to ineffective investigations that ultimately increase, rather than mitigate, organizational risk.

This presentation will introduce the concepts and benefits of computer forensics, lay out basic principles for establishing an effective internal investigative function, and discuss organizational and political issues confronting information security practitioners who find themselves investigating their coworkers.

I hope to see you there!

Sunday, August 28, 2011

Colleges and Universities Account for a Disproportionate Number of Reported Data Breaches


As the depressingly steady march of breach notifications comes across my RSS feeds, I notice that US colleges and universities seem to be the victims of an awful lot of breaches.  At least, when I skim the list of breaches cataloged by resources like the DataLossDB and the Privacy Rights Clearinghouse, the names of colleges and universities stick out to me.  It sure looks like higher education makes up a disproportionate number of breach victims.  Several other infosec writers, both inside and outside academia, have made the same point (see below for more articles on the topic).

But, maybe that’s just confirmation bias.  Maybe colleges and universities are not breached any more often than other organizations, and it just seems that way to my subjective memory.  So, I decided to dig into the data a little and see if institutions of higher education – or for that matter, any particular types of organizations or businesses – account for a disproportionately large percentage of breach reports. 


I decided to look at publicly reported incidents of external breaches which were:  1) known or presumed to be malicious; and 2) not carried out or assisted by malicious insiders.  I was only interested in reports of “hacks”, not in reports of lost laptops, accidental exposures on FTP servers, accidental emailings, insider abuse, and so on.

Sunday, July 31, 2011

Pastebin Security Risks: Monitoring with Rollyo Searchrolls

Although text-sharing “pastebin” sites like and have been around for the better part of a decade, I have to admit that I'd never heard of them until LulzSec adopted as its preferred method of shaming its victims. In an article on The Next Web, Matt Brian explores how, once relatively unknown outside the ranks of developers, wound up groaning under the weight of LulzSec's unexpected, and unwelcome, information dumps.

LulzSec gets the headlines, but many publicity-shy individuals and groups also use pastebins for illicit activities such as sharing confidential data, offering PII for sale, trading exploits, and revealing personal information on underground rivals. As Matt Brian notes, a quick look at's “Trending Pastes” shows that a majority of the most popular individual pastes are dumps of breached data, cracked passwords, or other illegitimate content. And Silas Cutler at ReverSecurity points to keylogger dumps and carder profiles among the tens of thousands of daily posts to these sites.

For the information security manager concerned about pastebins, I think there are six general types of risks to be on the lookout for:

Wednesday, May 11, 2011

NPV and ROSI, Part II: Accounting for Uncertainty in the ARO


In a previous post, I proposed a Monte Carlo simulation model that attempts to determine the probability that a security investment will result in a positive Return on Security Investment (ROSI).  The model views security countermeasures and breaches as streams of cash flows and evaluates the Net Present Value (NPV) of each.  To account for the inherent uncertainty in predicting the timing and cost of a breach, the model accepts ranges of possible outcomes and runs repeated simulations.  By calculating the ROSI of many thousands of possible scenarios, the model allows the information security manager to estimate the likelihood that a specific countermeasure will pay for itself by mitigating the impact of a breach.  Please see the earlier post for more detail on this model.

In this follow-up to that post, I propose a slightly different approach to the problem and present a revised version of the simulation tool.  The revised version of the tool includes Annualized Rate of Occurrence (ARO) as one of the variables tested by repeated simulation.

Sunday, February 13, 2011

Managing the InfoSec Investigative Function

Managing the InfoSec Investigative Function: Applying the Lessons of Traditional Investigators

In a corporate setting large enough to have a dedicated Information Security function – whether as a sub-department of the IT division or as a separate division unto itself – Information Security Officers and Analysts are often called upon to conduct investigations into user actions.

If, for example, a line manager hears an allegation that an employee has been accessing adult material on the internet or has been emailing proprietary information to the competition, the line manager will often request that InfoSec help determine whether the allegation is true.

This makes sense because InfoSec professionals will have access to email servers, log files, and other resources that line managers cannot access. In addition, InfoSec specialists will often have the technical expertise to gather and interpret at least some of the data necessary to determine the facts of the case. So, it is understandable and appropriate that line managers expect InfoSec to play a role in investigations of this kind.

However, conducting effective and fair investigations requires specialized knowledge, skills, and abilities. It is not necessarily the case that the InfoSec analyst who can manage a tight network perimeter can also conduct a good investigation. Furthermore, investigations are risky and politically sensitive affairs, and they must be governed by sound policies and by oversight at the appropriate level of the organization.

The InfoSec investigative function must be carefully managed by the organization and must be carried out by information security practitioners with specialized qualifications. Ineffective, inconsistent, or unfair investigative practices put an organization at serious risk. Such practices fail to provide adequate protection for the organization’s information assets, and they invite legal action from employees who are treated unfairly. An organization must give careful thought to how its InfoSec investigative function will be managed and conducted.

When considering their investigative role, InfoSec professionals can borrow many of the concepts long embraced by traditional investigators. “Traditional investigators” here means those professionals who investigate crimes and policy violations taking place in the physical, as opposed to electronic, world. A sufficiently large organization will have a Security or Public Safety function that provides physical security and investigates issues such as asset theft, workplace violence, trespassing, etc. This article will refer to that function as “Public Safety” to avoid confusion with Information Security. Public Safety departments have been part of the corporate landscape for years and have developed mature processes for handling investigations. Although Public Safety and InfoSec investigations often involve different kinds of alleged infractions and different technologies, many of the foundations of traditional investigative practice are equally applicable to InfoSec investigations.

This article describes six key concepts of traditional investigations that can also be applied to InfoSec investigations. InfoSec practitioners can learn a great deal from the mature processes developed over years of traditional investigative practice. The purpose of this article is to help InfoSec managers and other organizational leaders effectively establish, conduct, and oversee the InfoSec investigative function. The six key concepts discussed in this article are:

Applying NPV and ROI to Security Investment Decisions


Too often, the decision of whether or not to implement a security measure is ultimately based on a vague appeal to "best practices", or on a gut feeling that the cost of a countermeasure outweighs the risk of an exposure.  In this paper, the author proposes a model, based on Net Present Value, Return on Investment, and Monte Carlo simulations, that provides a quantitative framework for these decisions.  A sample analytical tool is also provided.


Justifying the costs of security expenditures is a persistent challenge for the Information Security Manager.  The often significant implementation and maintenance costs of a countermeasure, coupled with the difficulty of quantifying the costs of a breach, make traditional cost-benefit analyses problematic at best, and simple guesswork at worst.  While the information security literature addresses such concepts as Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO), there are few good models available to translate these concepts into the kind of business analyses that are persuasive to operational managers.  In addition, the models that are available often fail to adequately take into account the probability and timing of a security breach.  An extravagant SLE will fail to persuade senior executives who perceive a vanishingly low probability that such an event will occur.

To be successful, the Information Security Manager (ISM) must be able to make a case for security investments in terms that are persuasive to business managers, not necessarily to other information security professionals.  Senior management will be unmoved by appeals to IT best practices; they will become inured to frightening tales of companies who paid the price for lax security practices; and they will lose confidence in a security manager who supports proposals with little more than instinct.  The ISM must be able to draw on traditional analytical tools such as Net Present Value (NPV) and Return on Investment (ROI).

Although the concept of a Return on Security Investment (ROSI) is frequently explored in the information security literature, there is little consensus on how to calculate it, and few tools to help the ISM do so.  This article describes a flexible model that merges traditional NPV and ROI calculations into ROSI.  The model employs Monte Carlo simulations to determine the probability that a security investment will produce a positive ROSI.  A sample Excel spreadsheet demonstrates how this model can be incorporated into a simple-to-use tool. 
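The Python below is an added illustration of the model described here and in the Part II excerpt earlier on this page; it is not the author's Excel tool, and every input value in it is a constructed assumption. Each trial draws an ARO, an SLE and a countermeasure effectiveness from the ranges supplied, rolls the number of breaches per year from a Poisson distribution with that ARO, discounts the breach losses with and without the countermeasure alongside the countermeasure's own cash flows, and reports the fraction of trials in which ROSI is positive.

```python
"""Monte Carlo estimate of P(ROSI > 0) for a security countermeasure.

Added example, not the author's spreadsheet. All numbers in EXAMPLE below are
constructed assumptions for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Uniform:
    """A range of possible values; each trial draws one value from it."""
    low: float
    high: float

    def draw(self, rng):
        return rng.uniform(self.low, self.high)


@dataclass
class Inputs:
    years: int                 # horizon of the analysis (>= 1)
    discount_rate: float       # cost of capital used for NPV
    aro: Uniform               # expected breaches per year (uncertain)
    sle: Uniform               # cost of a single breach (uncertain)
    effectiveness: Uniform     # fraction of breach cost the countermeasure averts
    initial_cost: float        # year-1 implementation cost of the countermeasure
    annual_cost: float         # ongoing maintenance cost, every year


def npv(cash_flows, rate):
    """Present value of year-1..year-n cash flows at the given discount rate."""
    return sum(cf / (1.0 + rate) ** (t + 1) for t, cf in enumerate(cash_flows))


def poisson(rng, lam):
    """Poisson draw (Knuth's method): the number of breaches in one year."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def rosi(loss_avoided_npv, countermeasure_npv):
    """ROSI expressed as a fraction of the countermeasure's discounted cost."""
    return (loss_avoided_npv - countermeasure_npv) / countermeasure_npv


def simulate_trial(inp, rng):
    """One scenario: draw ARO, SLE, effectiveness; roll breaches year by year."""
    aro = inp.aro.draw(rng)
    sle = inp.sle.draw(rng)
    eff = inp.effectiveness.draw(rng)

    losses_without, losses_with = [], []
    for _ in range(inp.years):
        yearly_loss = poisson(rng, aro) * sle
        losses_without.append(yearly_loss)
        losses_with.append(yearly_loss * (1.0 - eff))   # same breaches, reduced impact

    costs = [inp.initial_cost + inp.annual_cost] + [inp.annual_cost] * (inp.years - 1)
    avoided = npv(losses_without, inp.discount_rate) - npv(losses_with, inp.discount_rate)
    return rosi(avoided, npv(costs, inp.discount_rate))


def probability_positive_rosi(inp, trials=5000, seed=2011):
    """Fraction of simulated scenarios in which the countermeasure pays for itself."""
    rng = random.Random(seed)   # fixed seed so a run is reproducible
    positives = sum(1 for _ in range(trials) if simulate_trial(inp, rng) > 0)
    return positives / trials


# Constructed inputs (assumptions for illustration only).
EXAMPLE = Inputs(
    years=5,
    discount_rate=0.08,
    aro=Uniform(0.1, 0.5),              # one breach every 2 to 10 years
    sle=Uniform(200_000, 1_200_000),    # dollars per breach
    effectiveness=Uniform(0.5, 0.9),
    initial_cost=150_000,
    annual_cost=40_000,
)

if __name__ == "__main__":
    print(f"P(ROSI > 0) = {probability_positive_rosi(EXAMPLE):.3f}")
```

Two design choices are worth noting. The same Poisson draw feeds both the with- and without-countermeasure loss streams, so each trial compares the two cash-flow streams under identical breach timing rather than adding noise from two independent rolls. And because ARO is drawn per trial rather than fixed, the output already reflects the Part II concern that the ARO itself is uncertain; narrowing the `aro` range is the way to express greater confidence in it.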

So, How Many Information Security People Do We Need?


It’s not difficult to find a lot of good information on general Information Technology staffing ratios.  Spend a few minutes online, and you will quickly turn up surveys, benchmarking studies, and lively discussions.  The “right” ratio of IT staff to users at large varies widely, depending on the type of business, the industry’s reliance on technology, etc., but for the most part, someone looking to find out how many IT staff overall a company needs can find some decent numbers to start with.

The task becomes a lot harder, however, when you want to find staffing ratios for information security staff.  Perhaps because the “right” number of information security staff is highly sensitive to the nature of the business and the regulatory environment, or perhaps because the information security discipline is less mature than IT infrastructure or operations, there just aren’t very many good benchmarks out there.  Asking “how many information security staff do we need?” results in a resounding “It depends.”

For this article, I gathered several pieces of publicly-available information into one location to sketch out a broad range of staffing benchmarks for the information security function.  A number of data points are collected and described below.  The intent is not to establish the “right” information security staffing ratio – that’s probably impossible.  Rather, my hope is that this article will be a useful resource for information security professionals looking for data to inform their staffing discussions.  Hopefully this article will also help spark more research into and analysis of this topic.

Data Points

Here are the most illuminating sources of information I found.