Writing a book of this magnitude is an intense process that I learned all about. The steps to produce the book, from inception to dead trees, include:

• Brainstorm and agree on full topic list
• Brainstorm and agree on contributing authors
• Assign chapters to authors and contributors
• Write chapter, distribute for review
• Integrate reviewed comments from all other authors, distribute to external reviewers
• Integrate external review comments
• Repeat for all 32 chapters
• Edit chapters
• Index chapters individually
• Engage artist (Lisa Haney) for new chapter cartoons, dividers and cover art
• Engage outside organizations (IBM, Sun, HP) for test equipment
• Regular (semi-weekly) meetings with authors, occasional meetings with publisher
• Read and revise page proofs, searching for any obvious errors or inconsistencies
• Deliver final manuscript to publisher and wait patiently

One of the biggest challenges in producing this edition was the distributed collaboration effort. We Skyped regularly to stay in sync. Evi was around for much of the development, but we also corresponded with her while she was sailing in the Caribbean and the Pacific. We used a subversion repository for the Adobe FrameMaker source files to avoid stomping on each other’s work. I’d say this was met with mixed success; Frame’s binary files are hard to merge, despite Garth’s valiant efforts at a scripted solution.

Special thanks to our named and unnamed contributors whose efforts are highly appreciated and certainly worthy of recognition. This is the best edition yet!

Goodie #1: Learn why version control is important for all businesses across the board.

Goodie #2: Get some assistance in deciding “Git or Subversion? Git or Subversion? Git…?”

Goodie #3 (otherwise known as the cherry on top): Meet Jim Turpin, one of our fabulous network engineers, who embodies the concept of multi-discipline to a T both inside and outside of the office.

Click here to read Q3 2010, and, as always, enjoy the treat!

We’d love to hear from you, so please post your comments and questions here.

1) Set goals: Both in exercise and in information security, it is good to set goals. For example, before I can write up a training plan for myself, I need to know what race I’m training for, and what my target pace is. Similarly, before I can write up my information security plan, I need to know what information I need to protect and how much protection I need (is this credit card data, or is it records of what color paint my store sold last year?)

2) Stick to the plan: Sometimes on Saturday morning at 6 a.m. I don’t really want to go for a run, but I know that the only way to reach my goal is to throw my legs over the side of the bed and stand up. I also know that the best infosec plan in the world does no good if it doesn’t get followed. It may not be fun to conduct that periodic audit again, and it may be frustrating to have to patch those darn servers in the middle of the night so you don’t impact the production systems, but you’ve got to do it. A plan in a drawer is no plan at all!

3) Make the plan doable: I could probably run my race a lot faster if I was willing to quit my job and train full time, but that’s just not practical. I need to keep perspective on the rest of my life and make the plan something that I can accomplish. The same is true for the security plan. It’s not reasonable to expect your team to install each and every patch within 24 hours of release. Save that extreme stuff for the really critical items that only come up once in a while. Be reasonable, and you’ll make everyone’s life easier. No one wants a security approach that flies in the face of usability. But there are some things that just can’t slip – and make sure you know what those are. Passwords, for example: I know it’s easier to remember five-letter passwords with no complexity requirements, but if you let that happen, you may as well forget the rest of the plan.

4) Celebrate your successes: I run with a group twice a week, and the coach keeps track of our times throughout the season(s). When I hit a personal record, she knows it and we celebrate the accomplishment. Do the same thing with security! Did your annual assessment just come back with 20% fewer recommendations? Did you just pass a penetration test with flying colors? Great! Celebrate! There’s always another mitigation recommendation you can implement, but don’t forget you’ve done many already, and congratulate yourself on a job well done.

The Deepwater Horizon rig was equipped with a vessel management system (VMS), which records dozens of different metrics about the conditions on the rig and in the well. These VMS logs would contain valuable details about the blowout, much like an airplane “black box” is essential in understanding a plane crash.

Steven Newman, the CEO of Transocean, said during a recent senate hearing, “There is some delay in the replication of our data, so our operational data, our sequence of events ends at 3 o’clock in the afternoon on the 20th. And so the VMS system, along with the logs of the VMS system, would have gone down with the vessel.”  The blowout and massive explosion happened at 10, taking eleven lives and seven hours of VMS data to the bottom of the ocean. Representative Bruce Braley from Iowa followed up with “So you have no mirrored backup data device so that that information is recorded at some other location than on the rig itself?”.  Newman replied, “We do not have real-time off-rig monitoring of what’s going on on the vessel”.

The costs to synchronize this data back to shore closer to “real-time” are nothing compared to the catastrophe at hand.  If an IT Disaster Recovery risk analysis had been performed, this replication delay would have stood out like a sore thumb.  We can be certain that new congressional regulations will be established to ensure that VMS data is replicated back to shore in a timely manner, but what about the rest of us?  Now is a perfect time to take a look at your business and make sure that critical data is being backed up appropriately to an off-site location.

Above, AppliedTrust’s  banner is displayed along with other “Laps for Learning” supporters at the corner of 76th and Baseline in Boulder.  Although the Douglass PTO had obtained advance permission to hang banners for the event along an Open Space-managed fence across the street from the school on 75th Avenue, it was later determined that such use for elementary school fund raising events constitutes prohibited “commercial use” of the open space lands and must be removed. Brady Van Matre volunteered to host the banners on his nearby fence as an alternative, and wrote a letter to the editor of The Daily Camera titled Lend Schools A Helping Hand.

We’re delighted to be an active supporter of our community, wherever our banner hangs!

As our regular readers know, AppliedTrust is looking for a great infrastructure engineer who wants to work in Boulder, Colorado. This role is a “Jack of all trades” within the broad field of Information Technology – they get to play with networks, servers, software, and security.  One ideal candidate for this job would be a graduating Computer Science or Engineering major who has experience with Windows and Linux system administration and doesn’t want to spend all day programming.  We would definitely also consider someone with more work experience.  If you are interested, or know of a good candidate, please check out our jobs page: http://www.appliedtrust.com/jobs

This morning, I received a call from a person claiming to work for Briggs Security, trying to coordinate a time when they could deliver a prize I had won from Publisher’s Clearing House. I of course started out by telling him I didn’t believe him. So he gets his manager to call, and his manager says, “This is not a scam, you have won 2.5 million dollars through Publisher’s Clearing House, and all you need to do is call the claims department.” He gives me a Winner number, a package ID number, and the actual check number to write down. Then he gives me some phone numbers to call so I can schedule a time when they will come bring me my check. Isn’t that great? Two and a half million dollars, and I didn’t even enter any contests! When I mentioned that minor detail he told me that people are automatically entered when they pay utility bills on time.

The next part of the conversation is where things started to get dicey. He wanted to know if I worked, if I was disabled, and when I would be home. But that’s not all: He also wanted to know the name of my bank and my mother’s maiden name as a password for future interactions. (Imagine now red flags waiving violently in the wind and alarm bells ringing loudly.) I of course do not want to give him my mother’s maiden name, as that information is used widely on the Internet to verify identity. What if he goes to my bank’s web site, is able to guess my username based on the information he has, and now he has my mother’s maiden name? This could easily be the “secret” that my bank uses to reset my password. Scary!

The next thing I was supposed to do was call the Claims Department. Once I got off the phone with him, I went to Google and looked up the phone number for Publisher’s Clearing House. I called them and reported the call I received.They confirmed this was a scam, and warned me that they would probably try to get me to pay for insurance or shipping, or something like that, which is where they make their money. I decided to go ahead and call the Claims Department so I could gather as much information as possible and use it to report the scam at fraud.org.

When I talked with the Claims Department, they asked when they could deliver the check, and then they started to explain that I needed to pay for shipping and handling. I didn’t point out to them that they claimed to be hand-delivering the check (which normally does not mean you pay shipping and handling) – that their whole cover was that they were the security company who would be accompanying the Publisher’s Clearing House delivery team. Regardless, I told him, “Oh, no. I won’t be paying for anything.” He paused and said, “Excuse me?” I repeat myself: “I won’t be paying for anything. If I have to pay for anything, I don’t want to participate.” Then he hung up.

Just in case you ever get a call like this, the phone number I received the call from was (876) 485-9735. The Claims Department phone numbers were (876) 782-6915, (914) 412-2425, and (702) 545-6252. Remember to protect yourself and your employees! Educate them about social engineering and remind them to never, ever give information out to people who call or email them out of the blue (and that includes clicking on links in email) – not even if they claim to be from Publisher’s Clearing House.

Removable media: We all have them, maybe a few of them in different sizes. They’re invaluable for various administration tasks. Trying to get network drivers onto that new machine you’re re-installing? How about bringing one with you when you have to patch a few machines that aren’t on the domain? Or loading Knoppix LiveCD onto one for resetting administrator passwords? We love flash drives, but we also know they can be perfect vectors for malicious users. As with many types of technology, as their popularity increases the more lucrative it becomes to write virus code that targets them.

I have personally run across several viruses that will try to copy themselves onto any drive attached to the infected machine. This means that if you plug your flash drive into an infected machine, a virus can easily copy itself onto the drive and then propagate itself to every computer you use thereafter. You may say to yourself, “Well, this will never happen to me, I’m a lot safer with the machines I use with my personal flash drives.” I was once in that group and I completely understand the logic, but one experience changed my entire outlook on flash drives, and Microsoft AutoRun. A family friend came to me one day and asked me to find out what was wrong with his laptop. It didn’t take me very long to figure out that it was heavily infected with many viruses, so I went to work cleaning them off. I obviously did not want this machine on my home network (or connected to any network, for that matter), so I copied a malware removal program to a handy flash drive, attached it to the infected laptop, and started cleaning. Shortly thereafter, I decided I needed to use a different application for a specific virus found on the infected laptop. You know where this is going. I moved the flash drive back over to my personal computer, and before I knew it Microsoft’s AutoRun opened my flash drive for me and executed the virus that had moved itself to my computer. Bam. Two infected machines. Maybe AutoRun is to blame for this particular incident, but I feel that the popularity and sheer number of flash drives in use presents a high likelihood of this same thing happening to other folks. The easy fix here is to turn off AutoRun and the companion feature AutoPlay on every machine that you can. Had I done this on my home computer, I could’ve simply reformatted the flash drive before Windows tried to run anything found on the flash drive.

Here is a link to the Microsoft KB article on how to disable AutoRun in Windows via local security policy or domain policy, if you’re a domain administrator. Please think of the flash drives, and do this to all computers you administer.

Viruses don’t present the only problem for flash drives, as the small devices can be easily lost. They can slip out of your pocket when you’re pulling your keys out, or they can be left on a desk after you pack up your bags and head home for the day. It then becomes very easy for someone to grab your flash drive, connect it to their machine, and read any unencrypted data on the drive. I have found a few flash drives on the CU campus and, with the desire to return them to their rightful owners, put them into a machine (that now has AutoRun disabled) to find information on its owner. This has netted mixed results, but in one case an instructor had put his class grades into a spreadsheet and kept it on the unencrypted device. I was able to find the owner (as it happened to be a class that I was taking) and give the drive back to him, but not without first reprimanding him about storing my grades on removable media and then leaving it lying around campus. If you would like the portability and convenience of using a flash drive for storing sensitive documents, then please check out TrueCrypt and encrypted volumes. While it may not be secure enough for some people, in my opinion it does provide enough security for the average user. If this isn’t enough security for you, then you probably shouldn’t be storing your data on a flash drive in the first place!

As illustrated above, either by pure curiosity or the Good Samaritan in you, it’s common for people to take found flash drives and plug them into their computer to find out what’s on them. While most company policies would prohibit employees from doing this, it’s still common in the corporate world. I remember reading an account about a company using USB drives for a social engineering experiment. Keeping in mind that this was all sanctioned by the target company’s management, the company wrote a Trojan that would gather passwords and logins and also computer information and then email that information back to a specific machine. The company then put this Trojan onto 20 flash drives and “lost” them in various places around the business. Thanks to AutoRun and employee curiosity, “15 were found by employees, and all had been plugged into company computers.” (Reference: Here) They were able to get username and passwords for company machines without emailing the employees directly, or by phishing, or by any other notable virus transmission vectors.

In summary, we all need protection when it comes to these handy little devices. Encrypt your flash drives if you want to store sensitive data on them, and turn off AutoRun on all machines you use them on. You can save yourself the potential of embarrassment, wasted time and money, and a compromised machine just by taking the proper precautions with AutoRun and encryption.

This infographic from Focus claims that IT-related positions compose three of the top 10 “Best Jobs in America.”  Systems engineers, IT project managers, and security consultants are ranked at number one, number five, and number eight, respectively. The graphic also indicates that 7 of the top 35 jobs are in the IT sector. Interestingly, there are only 13,000 security consultants, far fewer than the 200,000 IT business analysts, or the nearly 800,000 software developers.

Health care jobs also have a strong representation in the list. It’s a good time to be a security consultant working extensively in the health care sector. I’m excited that I regularly play the role of system engineer, project manager, and security consultant, often all in a single day.

The data was gathered from cnnmoney.com, payscal.com, and the U.S. Bureau of Labor.

We’re just a few weeks away from sending the latest edition of the Unix and Linux System Administration Handbook to press, and as of today you can get a preview online at the Safari site.

This 20th anniversary edition brings the best of Unix System Administration Handbook and Linux System Administration Handbook together, and adds coverage of  IBM AIX to updated coverage of Oracle America Solaris (formerly Sun Solaris), HP HP-UX, Ubuntu Linux, SUSE Linux, and RedHat Linux.  In addition, it includes significant all-new coverage of system administration scripting languages such as Python and Perl, as well as virtualization, green IT, and modern standards and compliance management challenges. This is the ultimate system administration bible.

We’re very proud to have 4 Applied Trust staff members on the author team for this book (me, ned, ben, terry).  Look for the printed version in your favorite bookstore this June (or, pre-order at Amazon now), but enjoy the Safari online preview in the meantime!