Category: Uncategorized

The plethora of exploit code available on the web to attack corporate servers should be used as a resource to test computer security. By running such code administrators can judge the efficacy of their defences and make appropriate adjustments.

“There are several legitimate uses for exploit code,” explained Ivan Arce, chief technology officer at Core Security Technologies. “We need to understand the strengths and limitations of our tools. It helps to deploy timely and cost-effective mitigation measures.”

Arce pointed out that code designed to exploit flaws in software programs is a valuable resource and should be used as such. Both legitimate and illegal organisations are now selling such code for use in testing.

This new value on exploit code is such that new vulnerabilities are being traded on the open market. Spammers and malware writers are buying it to further their ends, but legitimate security companies are also buying the information. “There is an increasing perception of value for vulnerability code,” said Arce. “The good guys value it and are not giving it up for free. The bad guys want it so they can carry on their attacks.”

http://www.itweek.co.uk/news/1161395

Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find — and even harder to apply.

Worse yet, most managers never learned how to calculate the value of — and communicate the business case for — cybersecurity. Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.

The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted to computer systems using things like firewalls and intrusion-detection systems.

Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly. Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code — and every bug is an opening for hackers. The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker. These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.

Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

Most senior executives are aware of these cybersecurity issues.

The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company.

Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won’t kill the business, and the expense to clean it up will be minimal.

There’s a way to deal with this dilemma.

Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can’t ignore.

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can’t let someone steal their patents.

The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer- or product-development data base you could be put out of business.

Brand protection: Every CEO is concerned about the outfit’s brand. CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce wWeb site is compromised? What happens to the value of the brand — and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don’t have a choice: It’s the law.

http://www.eweek.com/article2/0,1759,1765331,00.asp

What’s important to energy provider Georgia Power (federal regulation compliance, for example) may not be important to coffee purveyor Starbucks (armed robbery statistics, for example). “Clearly, statistics on their own don’t make a very good read,” says John Hedley, head of group security for food maker Nestlé.

Francis D’addario Starbucks Metrics insight: Rigorous tracking of processes leads to improvements and business value.

Here is the story of four security executives in different industries who give a rare peek into the physical security metrics that are important to them, their CEOs and their organizations. Taken together, data points and measurements help them keep a firm grip on the most important metric of all: How much confidence the rest of the organization has in the security department.

To Francis D’Addario, the connection between security metrics and how effective he is as CSO of Starbucks is simple: His mission to protect people, secure assets and contribute savings year over year is validated with key performance indicators. Whether D’Addario, vice president of partner and asset protection at the $5.3 billion coffee and food retailer, is talking about physical assets (stores and equipment), liquid assets (cash and coffee) or human assets (employees and customers), using metrics is how he judges the success of his security group.

First and foremost on the priority list, D’Addario says, is the safety of people. The frequency of armed robberies at retail outlets, for example, is an important metric at Starbucks and within the retail industry.

Nestlé Metrics Emphasize Prevention and Protection
When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive. Hedley’s security staff, led by a regional security manager based in Abidjan, the commercial capital, set in motion an evacuation plan for the international Nestlé employees when it was clear that the violence was escalating to a dangerous level. “We have not done a cost-benefit analysis of how much money we have saved because of the security plan in place,” Hedley says, adding he was not sure of the evacuation’s cost. The areas most important to him are Nestlé employees, distributors and consumers; company property; and the strength of Nestlé’s reputation and brand.

Utility Uses Government Rules to Build Metrics
Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility. Readiness reviews are planned events and are a key component of Georgia Power’s business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility’s threat plans and know what to do when the threat level is raised or lowered.

Tracking Trends Incident trends and loss trends are next on Georgia Power’s metrics list. Levine says that it’s critical to be able to demonstrate that a CSO’s security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location.

She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you’re not able to prevent losses, then “you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures. Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports—business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers.

Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly. Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern’s 12 operating companies.

(Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)

As for data quality, Levine says that it’s important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern’s security managers. The case management system is a database that records all the details of incidents that are reported to corporate security. This includes an incident narrative and summary; victim, witness and reporting party names; losses; investigative activity; and case resolution. For example, the old case management system had separate incident categories for burglary, larceny, fraud and robbery. But in the new case management system, all of those crimes are categorized as financial matters.

“To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system,” Levine says.

http://www.csoonline.com/read/020105/metrics.html

The 93 page report, written by D. Richard Kuhn, Thomas J. Walsh and Steffen Fries, details the “significant” security and quality of service issues in implementing VOIP telephony and makes extensive recommendations in securing a VOIP implementation.

“Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure. However, the process is not that simple.”

NIST emphasizes that VOIP plans should include separate voice and data networks where practical, regular security testing, frequent software updates and avoiding PC based implementations of VOIP, as the platform is so difficult to secure.

The full paper, Security Considerations for Voice Over IP Systems, NIST Special Publication 800-58 is available for free in an Adobe Acrobat file.

Click here for NIST, the National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

http://www.extremetech.com/article2/0,1558,1758174,00.asp?kc=ETRSS02129TX1K0000532

Microsoft, Cisco, Checkpoint, Symantec, Nortel, SonicWall, NAI, Juniper/Netscreen, and others, have, in the past eighteen months started manufacturing firewall appliances that implement Deep Packet Inspection (DPI). In general, the DPI engine scrutinizes each packet (including the data payload) as it traverses the firewall, and rejects or allows the packet based upon a ruleset that is implemented by the firewall administrator. The inspection engine implements the ruleset based upon signature-based comparisons, heuristic, statistical, or anomaly-based techniques, or some combination of these.

Deep Packet Inspection promises to enhance firewall capabilities by adding the ability to analyze and filter SOAP and other XML messages, dynamically open and close ports for VoIP application traffic, perform in-line AV and spam screening, dynamically proxy IM traffic, eliminate the bevy of attacks against NetBIOS-based services, traffic-shape or do away with the many flavors of P2P traffic (recently shown to account for ~35% of internet traffic), and perform SSL session inspection.

Deep Packet Inspection essentially collapses Intrusion Detection (IDS) functionality into the firewall appliance so that both a firewall and an in-line IDS are implemented on the same device. Many of these products have recently been shown to be vulnerable to exploitation of software defects in their DPI inspection engines, however. The data suggest that the addition of these enhanced functions to firewalls may, in fact, weaken, rather that strengthen network perimeter security.

Traditionally, firewalls have provided a physical and logical demarcation between the inside and the outside of a network. The first firewalls were basically just gateways between two networks with IP forwarding disabled. It fails closed – that is, if the firewall crashes in some way, no traffic is forwarded between interfaces. One of these, the Gate, or packet-screening device, relied upon the kernel to pass packet headers to a user-space program, screend, which informed the kernel whether or not to forward the packet. IP packet filtering firewalls all share the same basic mechanism: As an IP packet traverses the firewall, the headers are parsed, and the results are compared to a ruleset defined by a system administrator.

A stateful inspection firewall registers connection data and compiles this information in a kernel-based state table.

Several firewall vendors, including Check Point, Cisco, Symantec, Netscreen, and NAI have integrated additional application-level data analysis into the firewall. Checkpoint, for example, initially added application proxies for TELNET, FTP, and HTTP to the FW-1 product. Cisco’s PIX fixup protocol initially provided for limited application parsing of FTP, HTTP, H.323, RSH, SMTP, and SQLNET.

DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching. Promising approaches to these problems include a software-based approach (Snort implementing the Boyer-Moore algorithm), and a hardware-based approach (FPGA’s running a Bloom filter algorithm). DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and a small percentage of worms that fit within a single packet.

Researchers at Internet Security Systems (ISS) discovered a remotely exploitable buffer overflow in the Snort stream4 preprocessor module. Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser.

Due to an implementation fault in VirusWall’s handling of a UUencoded file name, it is possible for a remote attacker to specify an arbitrarily long string, overwriting the stack with user defined data, and allowing a remote attacker to execute arbitrary code.

Multiple Cisco products contain vulnerabilities in the processing of H.323 messages, which are typically used in Voice over Internet Protocol (VoIP) or multimedia applications.

The bottom line is that in order to exercise sound bandwidth and security controls, organizations and service providers must be able to differentiate traffic types based upon the contents of the application payload.

http://www.securityfocus.com/infocus/1817

ITIL can be applied across almost every type of IT environment. Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL – aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support – the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs. These practices seek to proactively prevent incidents and problems.

Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.

Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk’s most important responsibilities are monitoring incidents and communicating with users. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.

Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.

With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate.

http://www.securityfocus.com/infocus/1815