Category: Uncategorized

Use file integrity checking
File integrity checking tells you if the software you think you have installed on your network is actually what it is supposed to be. There are a number of free utilities to do this — Tripwire is the best known among them. Traditionally, file integrity checking is used is to identify recent changes on a PC. That way, when things go desperately wrong you can try to back out of the latest changes. File integrity checking is also useful for discovering spyware and viruses your antivirus software has missed.

Run new or unknown software in a sandbox
A new generation of antivirus software extends file integrity checking by making unknown software run in a “sandbox.” This form of isolation prevents viruses or worms from propagating unless they can trick a known program into doing the work for them. Another way to develop a sandbox is by using Microsoft’s Active Directory to keep users from installing anything new. Any new software is then carefully checked by the network administrator before it is installed on the rest of the network. In effect, this makes the network administrator’s PC the sandbox.

Scan autoruns
Each PC’s autorun programs should be periodically scanned for threats. There is a terrific free utility from SysInternals that will show you everything that is run when you boot up your PC.

Use intrusion prevention at the gateway and on each desktop
Effective intrusion prevention soft-ware monitors network traffic and matches it to known types of attacks. This approach would have stopped the Sasser and Korgo.W worms in their tracks since they exploited known vulnerabilities. Intrusion prevention rules are continually updated by your vendor. You also should be able to add new intrusion prevention rules yourself.

Use heuristic and signature- based antivirus software
A recent addition is the ability for users to easily create their own virus signatures and to distribute them throughout their networks.

Be aware of Microsoft holes
It is no secret that Microsoft systems and programs are the most vulnerable to attack. Some software vendors have extended Microsoft’s security by adding to Windows the concept of program permissions. Just as users have permissions for directories and files, programs can have permissions to access different parts of the operating system, giving you direct control over what they can and cannot do.

http://www.networkingpipeline.com/160902074

CSOs say they can lead their functions to be more effective and save money at the same time. It means overcoming the challenges posed by executives who don’t buy the idea, and staff who will resist you. Here’s a guide to understanding both the upside and the hurdles to holistic security management.

Talk to Jim Mecsics about the benefits of convergence, and you’ll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there’s a security problem, the CEO is going to jab Mecsics’ belly button, hold him accountable and say, “Fix it.”

His point: In a converged security organization, there’s only one button to push—executives don’t have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program—to bring together previously disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to work—they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

The Payoff: Executive-level backing and a mandate to run one operation for all security functions gives CSOs the chance to create more effective teams.

And did we mention the part about saving money? “That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you’re trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.

In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they’ve converged and the payoffs they’ve achieved from reorganizing their security departments to better meet the needs of their businesses.

Payoff #1 A comprehensive security strategy better aligns security goals with
Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan’s strategic defense initiative program in the ’80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture. Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services provider—we’re all about network availability. If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture,” he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see “Security Committee,” Page 28). “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem—it’s a business concern.”

Sanders defines convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.)

Payoff #2 The CSO can be a single point of contact
When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO. John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.

Payoff #3 Information-sharing among disparate security functions increases
Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. “We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals. For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers.

Payoff #4 Convergence gives you a more versatile staff
Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents. Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions.

In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

Payoff #5 You save the company money
OK, you’d like to be converged, you’ve talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goals—and you’ve met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now’s the time to pull out your trump card: Cost savings. One area that’s generating savings is technology convergence, the intersection of physical and information security.

That’s what Telders at Pemco Insurance has found. Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150,” he notes. Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.)

The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations—using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Stephen Baird, VP of corporate security at United Rentals, is the company’s single point of contact for all security matters. Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically—as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

But if you’ve done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.

http://www.csoonline.com/read/041505/payoffpain.html

Almost all companies test for vulnerable versions (i.e., missing security patches) and default configuration files.

Before investing any time or money in securing or verifying the security of an application, first perform a risk assessment.

The following are areas that should be considered:
– Scripting;
– Enumeration;
– Passwords;
– Sessions;
– Error handling;
– Field variables;
– Code commenting;
– Session time-out;
– Session cache; and
– Network parameters.

http://insight.zdnet.co.uk/internet/security/0,39020457,39194163,00.htm

The backbone of every enterprise infrastructure is a massive network of servers, network devices, security and other infrastructure that creates the complex communications network–or nerve center–of a company. Every day, system, network and security administrators are logging-on these critical infrastructure points for routine maintenance, repair and application of the most updated security patches. Many of them are running around with ROOT and ADMINISTRATOR privileges, either with their personal users or with commonly used accounts.

Enterprises have gone to great lengths to educate end-users and implement tools to help them choose complex passwords, avoid obvious ones, eliminate leaving them on Post-it notes, and change them frequently. It goes without saying that the same precautions apply to administrative passwords; however there are several additional security measures that need to be addressed since administrative user rights are extremely powerful, and thus call for an extra level of caution and security.
Administrators have the best intentions, but the more those passwords exchange hands or remain unchanged, then the greater the likelihood of a security breach.

Establishing a password control and change management program As a stop-gap measure, many enterprises store passwords for these systems in files like spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents.

Mismanagement of administrative passwords is a major cause for security breaches and one of the top reasons for long recovery processes from IT failures.

Here’s a checklist of best practices that should be included as a part of an administrative password control and change management policy that can be used when creating a program and evaluating the software and services to support it.

– Centralized Administration
– Secure Storage
– Worldwide, Secure Availability
– A Dual-control Mechanism
– Routinely Change Passwords and Track History
– Intuitive Auditing
– Disaster Recovery Plan

http://www.zdnetindia.com/news/commentary/stories/119420.html

If that weren’t bad enough, many “so called” security experts propagated these myths through speaking engagements and publications and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it in to the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid the these schemes, the writer has created the following list of the six dumbest ways to secure your wireless LAN.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person’s name tag and compares it to his list of names and determines whether to open the door or not. All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as “SSID hiding”. You’re only hiding SSID beckoning on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you re talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you ve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also makes wireless LANs less user friendly. You don t need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack. Cisco still tells their customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Since Joshua Wright released a tool that can crack LEAP with lighting speed, Cisco was forced to come out with a better alternative to LEAP and they came up with an upgrade to LEAP called EAP-FAST.

Disable DHCP: This is much more of waste of time than it is a security break. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address.

Antenna placement: I’ve heard the craziest thing from so called security experts that actually tell people to only put their Access Points in the center of their building and put them at minimal power.

Just use 802.11a or Bluetooth: Fortunately, I haven’t heard this one for a while.

In light of recent developments within the last 6 months, it takes only a few minutes to break a WEP based network which makes WEP completely ineffective and a good potential future candidate for the wireless LAN security hall of shame. Where it currently fails to be in the hall of shame is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn’t propagated as an urban legend for a secure wireless LAN.

This blog wasn’t just meant to be funny, it’s serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security.

http://blogs.zdnet.com/Ou/index.php?p=43

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

This article will help guide Computerworld readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers. Information security works on a cycle of threat, reaction and acquisition.

It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share. With measurable improvement, we’ll be able to prove the business value of spending on security.

– Is your digital asset protection spending driven by regulation?

– Are Gartner white papers a key input for purchasing decisions?

– Does the information security group work without security win/loss scores?

– Does your chief security officer meet three to five vendors each day?

– Is your purchasing cycle for a new product longer than six months?

– Is your team short on head count, and not implementing new technologies?

– Has the chief technology officer never personally sold or installed any of the company’s products?

Start by implementing a consistent set of activities, for example, standardizing on diskless thin clients, remote desktops and Windows Terminal services. Segment the network into virtual LANs, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth.

For instance, if you want to evaluate cash flow, then measure cash flow from operations or free cash flow (FCF), which is cash from operations minus capital expenditures. FCF omits the cost of debt, but it is an objective indicator that can be measured every day.

http://www.computerworld.com/securitytopics/security/story/0,10801,100413,00.html