admini – Page 167 – CyberSecurity Institute

Tech Insight: Incident Response

Posted on January 18, 2008December 30, 2021 by admini

Incident response (IR) for many IT shops traditionally has been accomplished by cobbling together tools from various sources with a script-based tool that automates the collection of data from the suspect system. All manual incident response is slow response, says Kevin Mandia, president and CEO of Mandiant. A key driver for organizations dealing with incidents, especially those in the financial sector, Mandia says, is speed and minimizing exposure: The IR team must be able to quickly grab information about the incident, determine what’s happening, and respond appropriately to minimize collateral damage. And as industry regulations and legislation now require disclosure of data breaches, it’s increasingly important to handle incidents and internal investigations as quickly as possible.

Guidance Software, thanks to its success as a forensic software company, has been the major player in the enterprise incident response (IR) market for several years. Its Encase Enterprise product integrates IR and traditional forensic capabilities into one interface that’s familiar to users of the company’s standalone Encase Forensic product.

There are network event-focused tools arriving as well: Startup Packet Analytics, for instance, on Tuesday will emerge from stealth mode and roll out its new Net/FSE Network Forensic Search Engine software, which collects and organizes Cisco NetFlow and syslog log data into a searchable format, helping analysts to investigate breaches as soon as they occur.

Key features to consider in enterprise IR tools are the breadth of operating system support, what information can be collected, and whether it will complement current internal processes and tools. Collecting volatile data such as open ports, running processes, and contents of memory, is one key thing to consider when searching for an IR solution. If you conduct small internal investigations and computer forensics, most IR solutions can collect information in a way that can be easily analyzed by existing forensic products, or within the IR solution itself.

Chet Hosmer, senior vice president and chief scientist for WetStone Technologies, says that is one of the key features of WetStone’s LiveWire Investigator: quickly and accurately capturing volatile information, as well as performing acquisition in such a way that can be analyzed within its product, or plugged into other vendors’ tools.

Brian Karney, chief operating officer for AccessData, says internal investigations are a primary driver for companies researching, or that already have purchased, enterprise IR tools.

http://www.darkreading.com/document.asp?doc_id=143629&WT.svl=news2_1

UK gov sets rules for hacker tool ban

Posted on January 3, 2008December 30, 2021 by admini

Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime.

http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/

VoIP vulnerabilities increasing, but not exploits

Posted on December 18, 2007December 30, 2021 by admini

Implementations of Session Initiation Protocol (SIP), an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data.

The VoIPSA tools are intended to help businesses test and secure their networks, but these and other online tools can be used to probe for weaknesses as well.

Part of the reason may be that the largest VoIP vendors use proprietary protocols, such as Cisco’s Skinny, Nortel’s Unistim and Avaya’s variant of H.323, Orans says. SIP, which is gaining popularity, is a mixed bag, Orans says, because it is readily available to those who might want to exploit it. These options include firewalls and intrusion-prevention systems that support SIP (compare products).

Another reason for the lack of broad exploits is that there isnt enough ROI for attackers’ development time.

Hybrid PBX systems — which handle both VoIP and TDM voice — account for 64% of all PBX lines sold, according to a December 2007 Infonetics report.

http://www.networkworld.com/news/2007/121707-crystal-ball-voip-vulnerabilities.html

New Service Detects Backdoors in Software

Posted on December 18, 2007December 30, 2021 by admini

“People doing manual code review look for vulnerabilities, but not typically for backdoors,” says Chris Wysopal, CTO and co-founder of Veracode. “We built a metal detector for this.” Wysopal says several of Veracode’s financial services customers had approached the company with concerns about this potential threat in the third-party software products they purchase and that their developers write.

In a recent report by the Defense Science Board on the risks of the Department of Defense’s dependence on software manufactured outside of the U.S., the DSB discusses the need for assuring the software purchased by the DOD isn’t sabotaged in any way. He found that 23 software packages that government employees might download for tools or for developing apps for their agencies, had backdoors within them.

Special credential backdoors are when a developer or attacker hard-codes passwords or keys into the program code, including username and password, for instance. Hidden functionality backdoors are special commands inserted into the code that lets an attacker issue commands or authenticate without going through the app’s standard application procedure. Still, that’s a dangerous practice, Wysopal says: “I don’t care if a feature was put in on purpose by the developer for debugging, or maliciously by an attacker. “The big tell-tale sign of a rootkit is the software is doing something it’s not supposed to do,” Wyospal says.

http://www.darkreading.com/document.asp?doc_id=141487&WT.svl=news2_4

Companies are Thinking of Information Security as a Strategic Asset

Posted on December 14, 2007December 30, 2021 by admini

I think this trend can also be examined from the angle of compliance with PCI standards— payment card industry data security standards (PCI DSS). Visa certainly didn’t like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain—banks included.

It’s encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements.

Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies.

This finding sharply contrasts to previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.

Nearly a third of respondents said they never meet with their board or audit committee.

Although E&Y didn’t specify the kinds of companies involved in the study, it’s not too difficult to draw parallels to the financial services industry.

http://www.banktech.com/blog/archives/2007/12/companies_are_t.html;jsessionid=CESVIN0SMPC0UQSNDLPSKH0CJUNN2JVN

Mashups, SAAS Present Security Risks

Posted on December 4, 2007December 30, 2021 by admini

Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside. “You have to explicitly design that in,” he said. “And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Mashups, by their nature as a composition of services, don’t introduce new security issues, Schmelzer said.

“The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems,” he said. That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.

Douglas Crockford, a senior JavaScript architect at Yahoo who is know for discovering the JavaScript Object Notation, said there’s been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups. “We’ve been so distracted by XML that HTML has not gotten the attention it needs,” said Crockford, who was on the panel at the show..

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said.

http://www.eweek.com/article2/0,1759,2227704,00.asp?kc=EWRSS03119TX1K0000594