Category: Uncategorized

The introduction of an IDS into a organization’s network can be sensitive and often has political implications with the network staff, and thus a checklist written from the perspective of an outside consultant (even if the IDS is deployed internally) that appeases all parties can be useful to ensure a successful implementation. While this topic is broad, there’s sufficient information and planning required to form the basis of the checklist.

When installing an IDS a policy needs to be developed to ensure responsibilities are clearly defined. This is especially important when delivering an IDS capability remotely or to another organisation’s network. The Junction Of Maintenance (JOM) defines where your responsibility for the hardware starts and finishes, and this will usually be the network switch port or tap with which the IDS connects to the target network.

On the subject of failing hardware, people administering the target network must be made fully aware that if network taps are used, even fail safe taps can take up to a second for the interfaces to re-negotiate and could potentially disrupt services, though recent improvements have reduced this latency considerably. If the network is remote then it is advisable for the policy to reflect that the target network manpower can be called upon for a predefined duration for power resets, etc. Attempting this retrospectively through contractual alteration, if required, can be expensive and time consuming.

If you rely on the distant network for support, ensure you have a telephone authentication system in place and don’t fall victim to a social engineering attack. It’s all too easy for an attacker or Pen Tester to call the local staff where your IDS is installed and ask them to power it down. Most of these issues can be avoided if you are willing to have your IDS application reside on one of the target network’s hosts, though in my experience it can never be completely trusted and raises the question of who maintains the software and OS deployed on the system. If an OS update corrupts the IDS application, then who takes responsibility for fixing it?

Finally, discuss and set in policy the rules of engagement for automated response. This is especially important when you are deploying Intrusion Prevention Systems. An Intrusion Prevention System or inline IDS will block packets that meet the criteria of an event signature.
These packets could have legitimately been accepted by the firewall and allowed through. As signatures can block packets in a fashion similar to a firewall, there are some that advocate replacing firewalls with IPS is a dangerous step. An IPS complements the firewall very well and they work well together, but the firewall should be left in place.

The myth that an IPS will kill a network through its false positives doesn’t have to hold true. Rather than blocking packets in line, it can craft various responses: TCP resets to the source or destination (or in some cases both) of the offending packet, crafting unreachable/unauthorized replies and spoofing the border device. For example, you might want to retain corporate knowledge by blocking any document that contains the word “prototype”, from leaving the network through the use of an IPS signature.

Once the IDS starts chattering you can revisit those “practises dangerous to security”. Policy also needs to be defined regarding how you respond to an incident and should include statements that direct forensics and evidence preservation activities. The availability of up-to-date network diagrams is essential not only for locating the best site for an IDS, but also post installation. You have to identify your requirements for the installation such as rack space, switch/hub ports, power outlets, UPS, cooling, taps and any mandatory local requirements like fiber infrastructure and fail over.

The first coarse tuning should have occurred by using the site’s policy to define the initial IDS policy. Rather than attempting this on an event-by-event basis, wait a week and look at the historical information, sorted by count.

More info: [url=http://www.securityfocus.com/infocus/1754]http://www.securityfocus.com/infocus/1754[/url]

Enterprises everywhere have fundamental concerns about the manner in which IT organizations can deliver an identity infrastructure that is both productive and efficient while also being secure. Compliance drivers (i.e., legal and regulatory) are also becoming increasingly important, as evidenced by recent legislation on all continents. These factors have combined to drive significant decision making among IT infrastructure planners regarding how best to manage the identity asset currently in use in the enterprise.

Lessons Learned: Planning for Identity Management

1. Managing Expectations Increases the Likelihood of Successful Implementations
2. Executive Sponsorship Is Not Optional
3. Identity Must Be Defined as a Strategic Asset and Used as the Basis for Planning
4. Identity Management Is Integration Management
5. Nothing Is As Political As identity
6. A Sound Identity Infrastructure Is a Prerequisite to Effective Identity Management Deployment
7. It

Bugs are an inevitable problem in a sector where companies are driven by shareholders to rush out equipment before it is ready.

From a security perspective, this presents users with a huge problem. Empirical evidence suggests that the average device – whether it is a perimeter network resource such as a firewall or router, or a core device such as a server – has more holes in it than a piece of Gruyere.

One of the rarest but most devastating security vulnerabilities in host computers is the buffer overflow error, said Gary Jones, professional services manager of security consultancy MIS Corporate Defence Solutions.

The problem is that too many companies are not implementing patches in a structured way. “If you are running a corporate database, you cannot just slap on a patch when it is released,” he said. “You need some form of development environment and the patch must be tested first.”

Companies must also react to critical patches. If another aggressive internet worm appears, companies must be aware of it before they read about it in the press and they must be able to implement a patch quickly.

One solution is to have an employee checking newsgroups, supplier sites and bulletins to pick up on patches before the hackers do. Unfortunately, many companies are not in a position to pay this extra salary.

Common sense plays a big part in locking down your network vulnerabilities, but resources are also an important factor.

Virtual patching, where an intrusion dection system dynamically configures against threats, is the way on insuring against unknown vulnerabilities.

More info: [url=http://www.computerweekly.co.uk/articles/article.asp?liArticleID=127212&liArticleTypeID=20&liCategoryID=1&liChannelID=7&liFlavourID=1&sSearch=&nPage=1]http://www.computerweekly.co.uk/articles/article.asp?liArticleID=127212&liArticleTypeID=20&liCategoryID=1&liChannelID=7&liFlavourID=1&sSearch=&nPage=1[/url]

Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a chemical formula or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information.

The formal definition, according to the World Intellectual Property Organization is creations of the mind – inventions, literary and artistic works, symbols, names, images, and designs used in commerce. IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.

Authoritative sources report that each year, intellectual property theft costs U.S. companies about $300 billion.

To protect the secret, a business must prove that it adds value to the company – that it is, in fact, a secret – and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives.

In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and nondisclosure agreements may protect your company further.

What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture-, and how a simple company phone list becomes a weapon in the hands of snoops.

Espionage is sometimes sanctioned – or even carried out – by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information. Over the years, France, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist).

India is another country of increasing importance to American businesses because of the rapid rise of offshore outsourcing. The prevalence of outsourcing of IT functions introduces some vulnerabilities to companies that may not think of themselves as having a global presence. In legal terms, the most pertinent global standard is the World Trade Organization’s intellectual property add-on, TRIPS (Trade-Related Aspects of Intellectual Property Rights). But TRIPS protections still must be enforced locally, and none of the countries prominent in software outsourcing, including India, have local laws covering theft of trade secrets. Experts say India’s culture is generally more IP-friendly, but the legal status of intellectual property in India is in a state of flux.

Protect important information, such as source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.

Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.

Companies that don’t have the resources to take these steps should think twice about what they are putting at risk by offshoring, whether it’s software development or some other function like call centers involving sensitive customer data.

More info: [url=http://www.csoonline.com/fundamentals/abc_ip.html]http://www.csoonline.com/fundamentals/abc_ip.html[/url]

It may be time to protect your data where it lives–in your database.

But you can’t encrypt everything in your database. Indexed fields, for example, can’t be encrypted because your database-management software will sort the encrypted strings in hexadecimal values, which won’t match the real, unencrypted form. So your index, which is supposed to speed access to the data by preordering it, won’t work. Even if you could relate the encrypted index field to the original data, the collation order wouldn’t match.

Until databases support encryption natively, encrypted indices will be a problem. Remember that any indices generated from encrypted fields won’t be valid, either. And because these fields don’t relate to the actual data, it’ll be harder for the database administrator and developer to debug problems.

Database software, such as Sybase’s, lets you create encrypted databases.

Ingrian Networks’ DataSecure Platform, which lets you encrypt certain fields before you enter them in the database and automatically decrypts them on the way out, has been around for a couple of years.

Bottom line: When building your disk capacity for database encryption, anticipate that your data will triple or quadruple in size.

More info: [url=http://www.securitypipeline.com/story/showArticle.jhtml?articleID=16600160]http://www.securitypipeline.com/story/showArticle.jhtml?articleID=16600160[/url]

The recent spate of viruses has exposed the dangers of providing network rights to laptops that operate both on and off the network.

– Security organizations must employ both technology and policy to protect network resources.

– User management aggregation (identity management, provisioning) will mature rapidly (2004).

– Security event management consoles (collecting intrusion detection system, firewall, and host events) will remain out of the mainstream until 2005.

– Security configuration consoles (central distribution points for firewall, personal firewall, and eventually server configurations/policies) are the least mature, with viable integrated products appearing in 2006/07.

Numerous META Group clients are reporting virus infections that traverse well-designed perimeter defenses in the briefcases of consultants and other roaming users.

Corporate laptop users should be protected with standard antivirus (AV) software, personal firewalls, and regular security patch management. But what about end users not under the IT management umbrella?

Most organizations have a small army of consultants, outsourcers, business partners, customers, and other visitors that require network access in some form.

Even organizations with a federated corporate or security structure must validate security compliance (e.g., patch levels, AV update level, security software installed, security process such as AV and firewalls running) on affiliate PCs before granting network rights.

Best-practice security organizations are employing both written policy and technical means to ensure their network is safe from these roaming “Typhoid Marys.”

Before any technical solutions are deployed, IT organizations (ITOs) must first establish a clear policy and ensure that security compliance and acceptable usage education are embedded in the process.

Computing facilities provided for non-contracted visitors should include instructions on how to use, help desk contact info, and brief security/acceptable-usage guidelines. For contract visitors, security policy compliance should be a contractual obligation with clear penalties for non-compliance. Shifting liability to the outsourcers/contractors creates an incentive for their ITO to prevent problems. However, embedding security compliance in business contracts will require consultation with the business and legal departments and may not be possible to append existing contracts.

The ITO must perform random audits to ensure compliance before a security incident, particularly if no automated compliance technology is deployed.

The first step organizations should take is to identify and classify all non-corporate-managed users based on the trust level of network resources they require and the duration of that access.

Creating a “guest network” that is isolated from the corporate network. If the type and number of internal applications needed by guests are predictable, ITOs can route users outside the organization on the guest network and back into a secure portal (i.e., Citrix, Sybase) that includes host integrity/policy checking prior to providing access. On-site outsourcers/contractors are the easiest to manage.

Another best practice is to reformat the hard drive and install a new image on loaner PC before re-issue it to ensure it is secure, user levels are appropriate, and no residual confidential information is present.

ITOs can use logon scripts to check for security agents and dynamically install it – with approval from the end user – if necessary. These tools typically can report only on compliance and cannot deny network access for non-compliance unless combined with logon scripts.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673[/url]