Saturday, July 28, 2012

5 Tips to Improve Intrusion Detection

NIST Revising Guide on Detection, Prevention Software

Intrusion detection and prevention software has become a necessary addition to the information security infrastructure of many organizations, so the National Institute of Standards and Technology is updating its guidance to help organizations to employ the appropriate programs.

NIST is seeking comments from stakeholders on the guidance, Special Publication 800-93, Revision 1 (Draft): Guide to Intrusion Detection and Prevention Systems, before publishing a final version. SP 800-93 describes the characteristics of intrusion detection and prevention software technologies and provides recommendations for designing, implementing, configuring, securing, monitoring and maintaining them.

The types of intrusion detection and prevention technologies differ primarily by the types of events that they monitor and the ways in which they are deployed. The NIST publication addresses four types of intrusion detection and prevention software technologies:

  • Network-based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
  • Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves. IDPS for wireless is an important type for all organizations to have because of the growth of mobile devices and employees' desire to use their own wireless device for work.
  • Network Behavior Analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware and policy violations such as a client system providing network services to other systems.
  • Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Intrusion detection systems automate the intrusion detection process, whereas intrusion prevention systems have all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. These technologies offer many of the same capabilities, and administrators can usually disable prevention features in intrusion prevention products, causing them to function as intrusion detection software.

The Recommendations

NIST says organizations that implement the following recommendations should facilitate more efficient and effective intrusion detection and prevention system use:

  1. Organizations should ensure that all intrusion detection and prevention system components are secured appropriately because these systems are often targeted by attackers who want to prevent them from detecting attacks or want to gain access to sensitive information in the intrusion detection and prevention system, such as host configurations and known vulnerabilities.
  2. Organizations should consider using multiple types of intrusion detection and prevention technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. The four primary types of intrusion detection and prevention technologies - network-based, wireless, network behavior analysis and host-based - each offer fundamentally different information gathering, logging, detection and prevention capabilities.
  3. Organizations planning to use multiple types of intrusion detection and prevention technologies or multiple products of the same technology type should consider whether or not the systems should be integrated. Direct intrusion detection and prevention system integration most often occurs when an organization uses multiple products from a single vendor, by having a single console that can be used to manage and monitor the multiple products. Some products can also mutually share data, which can speed the analysis process and help users to better prioritize threats.
  4. Before evaluating intrusion detection and prevention products, organizations should define the requirements that the products should meet. Evaluators must understand the characteristics of the organization's system and network environments, so that a compatible intrusion detection and prevention system can be selected that can monitor the events of interest on the systems and/or networks.
  5. When evaluating intrusion detection and prevention products, organizations should consider using a combination of several sources of data on the products' characteristics and capabilities. Common product data sources include test lab or real-world product testing, vendor-provided information, third-party product reviews and previous experience from individuals within the organization and trusted individuals at other organizations.

Comments on the draft guidance should be sent to by Aug. 31.

Thursday, July 26, 2012

The Department of Defense Cloud Computing Strategy

Goals presented “consolidate and share commodity IT functions resulting in a more efficient use of resources.”

The Department of Defense needs to accomplish its critical global missions despite a decreasing budget and rising cybersecurity threat. To that end, the Chief Information Officer of the DoD, Teri Takai, released its Cloud Computing Strategy, which outlines its goals to accelerate the adoption of cloud computing throughout the department.

In the strategy, the Office of the CIO explains why it wants to move to the cloud, its goals, the challenges that stand in its way and methods to mitigate them, and the coming steps the Defense Department plans to take to get there. The strategy uses the National Institute of Standards and Technology’s definition of cloud computing.

NIST defines cloud computing as: “A model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

DoD likes this definition because it includes Software as a Service, Platform as a Service, and Infrastructure as a Service. According to the CIO, the DoD currently has a “duplicative, cumbersome, and costly set of application silos” that can benefit from more cloud computing. The goals presented in the Cloud Computing Strategy are to “consolidate and share commodity IT functions resulting in a more efficient use of resources.”

The DoD hopes to provide device and location independent on-demand secure global access to mission data and enterprise services. They also hope to enable rapid application development and reuse of applications by other organizations. This means both sharing and adopting the most secure commercially available cloud services.

The Cloud Computing Strategy also lays out four steps for implementing the Department of Defense Cloud Environment. The first will be to “Foster Adoption of Cloud Computing” by establishing a joint governance structure to drive the transition and an Enterprise First approach while reforming DoD IT finance, acquisition, and contracting and increasing cloud outreach and awareness.

The next step is to “Optimize Data Center Consolidation” by consolidating and virtualizing legacy applications and data. The third step is to “Establish the DoD Enterprise Cloud Infrastructure” so that it’s agile, consolidated, and secure.

The last step will be to “Deliver Cloud Services” using existing DoD cloud services and external providers. The CIO will provide oversight for component implementation of these steps.

Please refer here to download the strategy.

Monday, July 23, 2012

Smart meter hacking tool released

Termineter, an open-source tool designed to assess the security of smart meters, has been released

SecureState, an information security firm, on Thursday announced the public release of Termineter, an open-source framework written in Python that allows users to assess the security of Smart Meter utility meters over the optical interface. The company is calling it the first framework designed to give authorized individuals access to manipulate and test the security of smart meters.

You can check it out, as well as download it for yourself, over on Google Code. For the uninitiated, smart meters measure the amount of power and water being used in a home or business as well as gather other data. They send periodic reports back to the utility company for analysis.

Smart meters have been criticized by privacy advocates for tracking consumer actions while security researchers have warned about their potential for being exploited.

Here's the tool's official description:
Termineter is a framework written in python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are Meters using C12.19 with 7-bit character sets. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface.
SecureState says it is releasing Termineter publicly to promote security awareness for Smart Meters and to improve security overall by providing a tool that brings basic testing capabilities to the community and meter manufacturers.

While individual users will require general knowledge of the meter's internal workings in order to use Termineter proficiently, power companies can use the framework to identify and validate internal flaws that leave them susceptible to fraud and significant vulnerabilities.

As with any release of a hacking tool, there are two sides of the same coin. On the one hand, Termineter should help companies find vulnerabilities and test their products. On the other hand, Termineter can also be used maliciously to modify consumer data, inflicting financial loss on one or multiple victims.

Sunday, July 22, 2012

ENISA Report: Ten Smart Grid Security Recommendations

Smart Grids need protection from cyber attacks

The EU Agency ENISA has launched a new report on how to make smart grids and their roll out a success, in particular by making sure that IT security aspects are properly taken into account from the beginning.

A smart grid is an upgraded electricity network with two-way digital communication between supplier and consumer. The adoption of smart grids will dramatically change the distribution and control of energy for solar panels, small wind turbines, electric vehicles, etc.

By making energy distribution more efficient, smart grids give clear benefits to users, electricity suppliers, grid operators, and society as a whole. At the same time, their dependency on computer networks and the Internet makes our society more vulnerable to cyber-attacks, with potentially devastating results.

Therefore, to prepare for a successful roll-out of smart grids, this study proposes 10 security recommendations for the public and private sector out of almost 100 findings.

Some key report recommendations include:

  • The European Commission (EC) and the competent authorities of the Member States (MS) need to provide a clear regulatory and policy framework on smart grid cyber security at the national and EU level, as this presently is missing.
  • The EC, in collaboration with ENISA, the MS, and the private sector, should develop a minimum set of security measures based on existing standards and guidelines.
  • Both the EC and the MS authorities should promote security certification schemes for the entire value chain of smart grids components, including organisational security.
  • The MS authorities should involve Computer Emergency Response Teams to play an advisory role in power grids’ cyber security.

Cyber security aspects of smart grids

Smart grids give rise to new information security challenges for electricity networks. Information systems’ vulnerabilities may be exploited for financial or political motivation in cyber-attacks to shut off power plants.

This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing.

The top 10 recommendations, aimed at various European Union and member-state organizations, are: 

  1. Improve the regulatory and policy framework on smart-grid cybersecurity at both the national and EU level.
  2. Create a public-private partnership to coordinate cybersecurity initiatives. 
  3. Promote initiatives to raise awareness of cybersecurity threats and conduct training.
  4. Foster knowledge-sharing initiatives.
  5. Develop minimum security measures based on existing standards and guidelines.
  6. Develop security certifications for components, products and organizational security.
  7. Create test beds and security assessments.
  8. Develop and refine joint strategies to counter large-scale cyberattacks on power grids.
  9. Involve computer security incident response teams in an advisory role.
  10. Promote academic and R&D research into smart-grid cybersecurity, including through existing research programs.

The full ENISA smart grid report can be downloaded here.

Tuesday, July 17, 2012

An easy way to defeat a “Keylogger”

How to defeat a "Keylogger" without any software/hardware

There are several ways to defeat a keylogger. Here is an easy way which does not need any software or hardware. It is not revolutionary, but it is quite a useful technique.

Some of you may already be practicing the same. Keyloggers and Trojans can steal your passwords, credit card details or other important information while you type them on your system. We are sometimes bound to use third party systems, or even our own systems may be compromised (of which we may not be aware).

How do we defeat a "Keylogger"?

Let’s assume your password is “savemefromkeyloggers”.

When you type the password you need to ensure that you type the above password in a different obfuscated scheme. Here is an explanation through an example.

Step 1: Type “veme”

Step 2: Use your mouse pointer to bring the cursor just before “veme” and type “sa”. So what you see is “saveme” but the keylogger log would read as “vemesa”

Step 3: Use your mouse pointer to bring the cursor just after “saveme” and type “ggers”. So what you see is “savemeggers” but the keylogger log would read as “vemesaggers”

Step 4: Use your mouse pointer to bring cursor before “ggers” and type “fromkeylo”.

So what you see is “savemefromkeyloggers” but the keylogger log would read as “vemesaggersfromkeylo”

Please note that you do not use the “arrow keys” to move the cursor. Use the mouse to click at the right place so that the password key strokes are jumbled up and the keylogger owner would not be able to understand your real password.

So you can create your own method to jumble up/obfuscate your “credit card number”, “CSV”, “passwords” or anything that is critical.

It is a good practice to always use the same pattern to obfuscate the same data since it would make it more difficult for anybody to decode the real password from a single sample of obfuscated password.

It becomes easier to decode when there is a sample of several obfuscated forms of the same password. This technique is quite useful if you are using a shared computer, such as one in a cyber cafe.
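
The walk-through above as an added simulation (not part of the original post): it models a text field edited with cursor jumps and a logger that, by assumption, records key presses only and never mouse clicks. The function names and the way the password is cut into segments are illustrative.

```python
"""Added illustration: a text field edited with cursor jumps, and what a
keystroke-only logger (an assumption of this model) would record."""


def plan_edits(password, cuts, order):
    """Split `password` at the `cuts` indices and return the
    (cursor_position, segment) insertions needed to type the segments in
    `order` while still ending up with the password in the field."""
    bounds = [0, *sorted(cuts), len(password)]
    segments = [password[a:b] for a, b in zip(bounds, bounds[1:])]
    if sorted(order) != list(range(len(segments))):
        raise ValueError("order must list every segment index exactly once")
    edits, typed = [], set()
    for idx in order:
        # The cursor goes after every already-typed segment that precedes
        # this one in the real password.
        pos = sum(len(segments[j]) for j in typed if j < idx)
        edits.append((pos, segments[idx]))
        typed.add(idx)
    return edits


def type_edits(edits, navigation="mouse"):
    """Apply the insertions; return (field_contents, keystroke_log).

    navigation="mouse": cursor jumps are clicks, invisible to the modelled
    logger. navigation="arrows": each jump is logged as [LEFT]/[RIGHT] keys.
    """
    field, log, cursor = "", [], 0
    for pos, text in edits:
        if not 0 <= pos <= len(field):
            raise ValueError(f"cursor position {pos} is outside the field")
        if navigation == "arrows" and pos != cursor:
            key = "[LEFT]" if pos < cursor else "[RIGHT]"
            log.append(key * abs(pos - cursor))
        field = field[:pos] + text + field[pos:]
        cursor = pos + len(text)
        log.append(text)
    return field, "".join(log)


# The post's example: segments "sa" | "veme" | "fromkeylo" | "ggers",
# typed in the order veme, sa, ggers, fromkeylo.
PASSWORD = "savemefromkeyloggers"
EDITS = plan_edits(PASSWORD, cuts=[2, 6, 15], order=[1, 0, 3, 2])

if __name__ == "__main__":
    for nav in ("mouse", "arrows"):
        field, log = type_edits(EDITS, navigation=nav)
        print(f"{nav:6}  field={field}  log={log}")
```

With mouse navigation the log is still an anagram of the password, so its length and character set are exposed. With arrow keys the log also records every cursor move, so the typing order is no longer hidden.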

Sunday, July 15, 2012

Watch Hackers Steal A BMW In Three Minutes

Stolen BMW 1M Coupe Video

There has been an unusual spike in the number of BMWs stolen in the UK this year, with some sources suggesting the number may be 300 cars or higher. The cars are being stolen without activating car alarms or immobilizers. The suspected method used involves the use of devices that plug into the car's OBD port and can program blank key fobs, leaving owners with keys to missing cars. Here's how they do it.

BMW sites and forums have been understandably alarmed about the issue, which is affecting all BMW series models, from the 1 to the X6. The essential theft process varies in detail, but all seem to have a fundamental methodology in common. First, the car is entered, either via nearby RF jammers that block the lock signal from the fob from reaching the car, or, more crudely, by breaking a window, as seen in the video in this post of the 1 Series being stolen.

In cases of the window break, the thieves seem to be exploiting a gap in the car's internal ultrasonic sensor system to avoid tripping the alarm. Once some sort of access to the vehicle is gained, the thieves connect a device to the car's OBD-II connector which gives them access to the car's unique key fob digital ID, allowing them to program a blank key fob to work with the car right then and there.

All cars sold in Europe must permit open and unsecured access to OBD codes, so non-franchised mechanics and garages may read the codes.

BMW is not the only car company to allow key code access through the OBD port, but the recent rash of BMW thefts, compared to other makes, suggests another factor may be at play, possibly a good supply of blank BMW key fobs.

Used key fobs are available, and can usually be reprogrammed for another car of the same model, and new blank fobs are available as well.

Thursday, July 12, 2012

10 Crazy IT Security Tricks That Actually Work

IT security threats are constantly evolving. It's time for IT security pros to get ingenious

Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company's systems and data should call into question any action that may introduce risk.

But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers. And sometimes you have to get a little crazy.

Here are 10 security ideas that have been -- and in many cases still are -- shunned as too offbeat to work but that function quite effectively in helping secure the company's IT assets.

The companies employing these methods don't care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.

Innovative security technique No. 1: Renaming admins

Renaming privileged accounts to something less obvious than "administrator" is often slammed as a wasteful, "security by obscurity" defense. However, this simple security strategy works. If the attacker hasn't already made it inside your network or host, there's little reason to believe they'll be able to readily discern the new names for your privileged accounts.

If they don't know the names, they can't mount a successful password-guessing campaign against them. Even bigger bonus? Never in the history of automated malware -- the campaigns usually mounted against workstations and servers -- has an attack attempted to use anything but built-in account names. By renaming your privileged accounts, you defeat hackers and malware in one step. Plus, it's easier to monitor and alert on log-on attempts to the original privileged account names when they're no longer in use.
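
One way to act on the monitoring point above, as an added example that is not from the original article: once the built-in names are retired, any log-on attempt that names them can be alerted on. The log line format, the field names and the list of retired names are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: names that were renamed away and should never be used again.
RETIRED_NAMES = {"administrator", "admin", "root"}

# Constructed sample lines in a made-up key=value format.
SAMPLE_LOG = """\
2012-07-12T09:14:03Z event=logon result=failure user=Administrator src=203.0.113.7
2012-07-12T09:14:04Z event=logon result=failure user=CORP\\administrator src=203.0.113.7
2012-07-12T09:15:40Z event=logon result=success user=jsmith src=10.0.4.21
2012-07-12T09:16:02Z event=logon result=failure user=admin@corp.example src=198.51.100.23
2012-07-12T09:17:55Z event=logon result=failure user=jsmith src=10.0.4.21
2012-07-12T09:18:10Z event=logon result=failure user=ADMINISTRATOR src=203.0.113.7
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def account_name(user):
    """Reduce DOMAIN\\name and name@domain forms to a lower-case bare name."""
    name = user.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def retired_name_attempts(log_text, retired=RETIRED_NAMES):
    """Return {source: [(timestamp, user_as_logged, result), ...]} for every
    log-on attempt, successful or not, that names a retired account."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(FIELD.findall(rest))
        if fields.get("event") != "logon" or "user" not in fields:
            continue
        if account_name(fields["user"]) in retired:
            hits[fields.get("src", "unknown")].append(
                (timestamp, fields["user"], fields.get("result", "unknown")))
    return dict(hits)


if __name__ == "__main__":
    for src, attempts in retired_name_attempts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {len(attempts)} attempt(s) on retired names")
        for timestamp, user, result in attempts:
            print(f"  {timestamp} {user} {result}")
```

Because no legitimate user or service should still be using the old names, every hit is worth investigating, including a successful one.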

Innovative security technique No. 2: Getting rid of admins

Another recommendation is to get rid of all wholesale privileged accounts: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.

True, Windows still allows you to create an alternate Administrator account, but today's most aggressive computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still, many network admins see this as going a step too far, an overly draconian measure that won't work. Well, at least one Fortune 100 company has eliminated all built-in privileged accounts, and it's working great.

The company presents no evidence of having been compromised by an APT (advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user side or from IT. Why would they? They aren't getting hacked.

Innovative security technique No. 3: Honeypots

Modern computer honeypots have been around since the days of Clifford Stoll's "The Cuckoo's Egg," and they still aren't as respected or as widely adopted as they deserve. A honeypot is any computer asset that is set up solely to be attacked. Honeypots have no production value.

They sit and wait, and they are monitored. When a hacker or malware touches them, they send an alert to an admin so that the touch can be investigated. They provide low noise and high value. The shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning -- except for a bunch of honeypots, called a honeynet.

Innovative security technique No. 4: Using nondefault ports

Another technique for minimizing security risk is to install services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic goes gangbusters. When zero-day, remote buffer overflow threats become weaponized by worms, computer viruses, and so on, they always -- and only -- go for the default ports.

This is the case for SQL injection surfers, HTTP worms, SSH discoverers, and any other common remote advertising port. Recently Symantec's pcAnywhere and Microsoft's Remote Desktop Protocol suffered remote exploits. When these exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms could arrive. If either service had been running on a nondefault port, the race wouldn't even begin.

That's because in the history of automated malware, malware has only ever tried the default port.

Innovative security technique No. 5: Installing to custom directories

Another security-by-obscurity defense is to install applications to nondefault directories. This one doesn't work as well as it used to, given that most attacks happen at the application file level today, but it still has value.

Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk -- automated malware almost never looks anywhere but the default directories. If malware is able to exploit your system or application, it will try to manipulate the system or application by looking for default directories. Install your OS or application to a nonstandard directory and you screw up its coding.

Changing default folders doesn't have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.

Innovative security technique No. 6: Tarpits 

Today, many networks (and honeypots) have tarpit functionality, which answers for any nonvalid connection attempt. The only downside: Tarpits can cause problems with legitimate services if the tarpits answer prematurely because the legitimate server responded slowly. Remember to fine-tune the tarpit to avoid these false positives and enjoy the benefits.

Innovative security technique No. 7: Network traffic flow analysis

With foreign hackers abounding, one of the best ways to discover massive data theft is through network traffic flow analysis. Free and commercial software is available to map your network flows and establish baselines for what should be going where. That way, if you see hundreds of gigabytes of data suddenly and unexpectedly heading offshore, you can investigate.

Most of the APT attacks I've investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.
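
A baseline check of the kind described above, as an added example that is not from the original article: for each internal host and destination region, today's outbound volume is compared with that pair's history. The flow records, host names, region labels and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB = 10**9

# Constructed history: seven days of daily outbound totals, in GB.
DAILY_GB = {
    ("fileserver", "domestic"): [38, 41, 40, 39, 43, 40, 42],
    ("ws-17", "domestic"): [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 1.0],
}
HISTORY = [(day, host, region, round(gb * GB))
           for (host, region), series in DAILY_GB.items()
           for day, gb in enumerate(series, start=1)]

# Constructed flows for the day being checked: (host, dest_region, bytes).
TODAY = [
    ("fileserver", "domestic", 20 * GB),
    ("fileserver", "domestic", 22 * GB),
    ("fileserver", "offshore", 150 * GB),
    ("fileserver", "offshore", 160 * GB),
    ("ws-17", "domestic", 9 * GB),
    ("ws-17", "offshore", 2 * 10**6),
]


def build_baseline(history):
    """history: (day, host, dest_region, bytes) records.
    Returns {(host, dest_region): (median_daily_bytes, MAD)}.
    Simplification: days with no traffic for a pair are not counted."""
    per_day = defaultdict(int)
    for day, host, region, nbytes in history:
        per_day[(host, region, day)] += nbytes
    series = defaultdict(list)
    for (host, region, _day), total in per_day.items():
        series[(host, region)].append(total)
    baseline = {}
    for key, totals in series.items():
        med = median(totals)
        mad = median(abs(t - med) for t in totals)
        baseline[key] = (med, mad)
    return baseline


def find_anomalies(baseline, today, k=5.0, min_bytes=1 * GB):
    """Return alerts (kind, host, dest_region, bytes), largest first."""
    totals = defaultdict(int)
    for host, region, nbytes in today:
        totals[(host, region)] += nbytes
    alerts = []
    for (host, region), total in totals.items():
        if total < min_bytes:
            continue  # too small to matter for bulk data theft
        if (host, region) not in baseline:
            alerts.append(("new-destination", host, region, total))
            continue
        med, mad = baseline[(host, region)]
        # Floor the spread at 10% of the median so a very steady history
        # does not turn ordinary variation into alerts.
        limit = med + k * max(mad, 0.1 * med)
        if total > limit:
            alerts.append(("volume-spike", host, region, total))
    return sorted(alerts, key=lambda a: a[3], reverse=True)


if __name__ == "__main__":
    for kind, host, region, total in find_anomalies(build_baseline(HISTORY), TODAY):
        print(f"{kind:16} {host:11} -> {region:9} {total / GB:7.1f} GB")
```

The median and median absolute deviation are used instead of mean and standard deviation so that one unusual day in the history does not widen the baseline.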

Innovative security technique No. 8: Screensavers

Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they're now a staple on every computing device, from laptops to slates to mobile phones.

Innovative security technique No. 9: Disabling Internet browsing on servers

Most computer risk is incurred by users' actions on the Internet. Organizations that disable Internet browsing or all Internet access on servers that don't need the connections significantly reduce that server's risk to maliciousness. You don't want bored admins picking up their email and posting to social networking sites while they're waiting for a patch to download.

Instead, block what isn't needed. For companies using Windows servers, consider disabling UAC (User Account Control) because the risk to the desktop that UAC minimizes isn't there. UAC can cause some security issues, so disabling it while maintaining strong security is a boon for many organizations.

Innovative security technique No. 10: Security-minded development

Any organization producing custom code should integrate security practices into its development process -- ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.

This practice, sometimes known as SDL (Security Development Lifecycle), differs from educator to educator, but often includes the following tenets: use of secure programming languages; avoidance of knowingly insecure programming functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of producing security bug-ridden code.

Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.

This story, "10 crazy IT security tricks that actually work," was originally published at

Monday, July 9, 2012

3 Tips for IT Security Pros to Land the Right Job

The Recruiter's View

If you're an experienced information security professional thinking of making a job change, or a recent graduate with an academic focus on information security looking to start your career, you're not alone.

As the recession recedes, many people are actively exploring the job market. And while an array of information security jobs are available, landing the right one in this competitive job market will require strategic thinking and a concerted effort.

Here's a game plan to help you get started.

Get Your Head in the Game

Every information security job is likely to be fiercely competitive, so you'll need to stand out from the crowd. My advice is to use your analytical capabilities to determine your strengths, weaknesses, opportunities and threats.

Strengths could be specialized experience, such as a focus on insider threats or advanced persistent threats, or maybe you have broad subject matter expertise and have developed the overall strategy for an IT security program. It's vitally important that you identify what sets you apart.

If you have any shortfalls or weaknesses in your profile, you will have to be prepared to confront them and be ready to counter them. Acknowledging a shortfall is the first step to removing it.

Opportunities could be the potential roles you may learn about and target, trends you may have discerned, or connections you may be able to leverage. Think broadly about what and where the opportunities for you are and devise your tactics to exploit the opportunities accordingly.

Threats are the obstacles in your way. Some of them may be self-imposed. Other threats can be externally driven and may include other job seekers, salary limitations or timing.

Focus on Resume and Employer Needs

It's important to realize that your next job in information security will focus on what your employer needs, not necessarily on what you want to do. In a recent search for an IT security manager role, I encountered a candidate who wanted the job, but did not want to manage others on the team.

That's not how the role was structured, so our conversation came to an end fairly quickly. It's important to be pragmatic and have realistic expectations; a good attitude is crucial in this job market. Employers have many choices and these days they are extremely selective.

Also, your resume has to draw the reader in. Make sure your resume communicates your technical capabilities in a way that non-technical folks can understand. Almost every resume I receive for a technical role is difficult to understand, except to others with a similar technical background.

Avoid the technical jargon and heavy reliance on acronyms. Write in clear and concise English and you will stand out from the pack.

Leverage Social Media and Networks

Social media are among the best tools you have for finding your next opportunity. In-house and external recruiters use LinkedIn extensively, so you need to be on LinkedIn.

Your profile needs to be up-to-date and, as with a regular resume, your value proposition and your information security capabilities need to be crystal clear. I have seen information security people on LinkedIn refer to themselves as everything from 'Internet garbage collector' to 'data cop.'

Being snarky, quirky, cavalier, or even super mysterious about what you do will not help you get positive attention. You're much more likely to find your next job by networking, so attend meetings of professional groups, training sessions, any event where you will interact with your peers in information security.

Friday, July 6, 2012

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention

Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.

They primarily focus on adding short-term value to the bottom line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.

By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have a better understanding of the concerns of top management and an ability to communicate risk issues in a common language.

Here are a few ways business continuity practitioners can seek upper management attention.

Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.

Business continuity managers need to bring these real-life cases into their presentations to management and further use their skills to identify their own organization's potential high consequence events.

Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.

In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 

What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.

Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.

Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.

Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.

Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.

For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.

If BCM helps procurement eliminate high-risk suppliers, again getting that message out through whatever communication vehicles is key.

Wednesday, July 4, 2012

Facebook Email: What You Need to Know!

Facebook Knocks Your Email off the Podium

Facebook is receiving a decent amount of backlash from its most recent privacy misstep. The social media giant recently forced their email addresses upon all users who had not previously signed up to use it - and did so without their permission.

If you don't want this default email used by your Facebook friends, read this article to learn how to change your email back to the preferred address.

From a privacy standpoint, I'd recommend you not use the email address at all. That is unless you want to give everyone at Facebook (and possibly their third parties) access to your email messages.

Monday, July 2, 2012

Don't Get Burned by Twitter Updated-Privacy Policy

Twitter Carries a Torch for Privacy

In mid-May, Twitter published an updated privacy policy, which every Twitter user should read - and other social media sites would be smart to emulate. The policy includes a clearer explanation of the situations in which Twitter will share user information with others.

Most notably, the policy provides better clarifications about how your personal information is used than most other social media sites. The updates include a new section on how Twitter tailors content. It makes clear that Twitter can use users' contact information to help third-party services, client applications and others find Twitter accounts.

While that particular practice is not new, it is much more clearly stated today. The policy also indicates how users can opt-out of several data-sharing practices, which is incredibly important to privacy-minded individuals.

You may find Twitter very helpful to use for sharing information, learning of breaking news and doing research. It's a good option; just make sure you set your privacy settings appropriately.