Category: Uncategorized

Low-interaction honeypots find the what, when, and how of an attack: “They are there to capture automated attacks and malware,” and don’t really interact with the attacker, he says.

High-interaction honeynets let the attacker exploit and interact with the machines more actively, thus capturing more details about the attack and attacker.

Not only do they incur overhead for IT — you need staff to manage them and their flow of information — but they are also limited to known vulnerabilities, for instance. “Honeynets are great collecting tools, but unfortunately the majority of the time they don’t provide information on a vulnerability that was not already public. Arbor, like other organizations that dabble in this type of attack analysis, uses a combination of darknets and honeynets to track malicious traffic for its ISP customers in its Atlas service.

“No one knows it’s a honeypot — it looks like an enterprise server.” That’s especially useful when attackers are targeting a specific organization’s IP addresses, he says. If they try to log onto a honeypot, they are doing something outside your corporate policy.” And the insider threat may be the sweet spot for honeynets in the enterprise, where the practice has not had much widespread use due to the overhead associated with the all the data they gather, as well as worries about asking for trouble by putting one up.

He says the Big Brother argument doesn’t fly here: “Corporations are well within their rights to deploy honeynets to secure their own networks and identify anyone doing things outside the corporate policy.”

http://www.darkreading.com/document.asp?doc_id=119081&WT.svl=news1_1

Is it reasonable to assume that an expert at testing Solaris, AIX, and other Unix flavours is also going to be equally as good on Windows? The truth is that most consultants have favourite platforms which they know at a deep level, and are either just competent or even incompetent with other platforms. Just as you wouldn’t use a tractor on a racetrack, or a Ferrari in a field, you wouldn’t put a Unix expert on a windows test, or an Oracle expert on a MSSQL assignment.

Consultants hate report writing The secret is out – consultants hate writing reports. You don’t ‘see’ the assessment – you see the report! The report IS the deliverable Remember, it is the Executive Summary that you will show to your manager, the remediation ad-vice that you will give to your team, and the classified vulnerabilities that your auditor will review.

The Methodology No doubt you’ve read, or at least skimmed through the “Methodology” paper on your suppliers web site, or their glossy brochure. It is designed to demonstrate a deep understanding of the assessment process. A consultant can do an excellent job without following the company methodology, but by not having a structure to work with, there is a good chance the results will be inconsistent at best, and dangerously incomplete at worst. It’s easy to wheel in a star consultant to win the business, but follow through with a trainee.

Finally, remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account.

http://www.it-observer.com/articles/1308/avoid_wasting_money_penetration_testing/

Organizations that select an MSSP as a security partner should be prepared to integrate the MSSP’s people, processes, and technology with their own to effectively improve their security posture.

Ensuring the long-term success of a security partnership is based on four key areas of focus: trust, operational extension, service reviews, and parallel roadmaps.

Managed security service providers that have earned certification under a widely recognized standard such as BS7799 have demonstrated their expertise in establishing, implementing, and documenting effective information management systems. Another certification, the Statement of Auditing Standard No. 70 (SAS 70) Type II, also provides client organizations assurances regarding specific control objectives that the MSSP has designed to meet customers’ unique needs.

Many companies, particularly financial services and other highly regulated organizations, require credible proof that an MSSP has processes and controls in place to provide a consistent, stable, and secure environment to safely monitor and manage customer data throughout the organization.

This requires an MSSP to have the depth and breadth of expertise to meet an organization’s current security needs.

http://www.it-observer.com/articles/1306/ensuring_successful_partnership_with_your_mssp/

The medical center’s intrusion prevention system (IPS), Web filtering tools, and other security and networking tools, for instance, are already converging, Khousnoudinov says. But that doesn’t mean the NOC and SOC will completely merge.

In fact, security analysts say you need a healthy separation between some duties, especially where security policy implementation and auditing is concerned.

Even Boston Medical, which is ahead of most organizations with its fusion of NOC and SOC duties, still keeps policy and auditing as well as its Windows Active Directory security separate from the overall NOC operation, according to Khousnoudinov. That prevents conflicts of interest or other related problems when, say, security must investigate internal access of the company’s resources, says Nicolett. “The security group in charge of investigations might [have to work on something] that involves privileged users,” he says.

The first place the NOC and SOC are converging is in event monitoring. “But control over what’s monitored and drilling down on this needs to be retained by the security staff,” Nicolett says. So start looking at your redundant call center or trouble-ticket systems, for instance, says Rob Enderle, principal analyst with the Enderle Group.

http://www.darkreading.com/document.asp?doc_id=112583&WT.svl=news1_2

With the blessing of top management, security looked at the entire supply chain and made some discoveries that were not apparent to individual managers.

Voice of the Customer (VOC) VOC is the process used to determine the needs of the customer, aimed at improving the customer experience and increasing loyalty. “Voice of the Customer forces you to leave the ivory tower and reach out and interface with your customers,” explains Greg Avesian, vice president of enterprise IT security at Textron. Following VOC’s directives to interface directly and frequently with the customer (Avesian meets formally with business unit CIOs every quarter, for example) ensures that security’s focus is on servicing the business units rather than guarding the bits and bytes, he says.

Failure Modes and Effects Analysis (FMEA) The FMEA procedure aims to identify every possible way in which a process or product might fail, rank on a scale of one to 10 those possible failures and probable causes, and prioritize solutions. “For security, the twist would be to say not just how could a given step fail, but how can we make it fail, how can we force it to fail?”

http://www.csoonline.com/read/120106/fea_six_sigma.html

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.

http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf