Friday, December 30, 2011

Mr. Android 2011

Wednesday, September 14, 2011

Security Terms in Simple English

Anti-Virus

A security program that can run on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system. Anti-virus cannot detect all malware, so even if it is active, your system might still get infected. Anti-virus can also be used at the organizational level. For example, email servers may have anti-virus integrated with them to scan incoming or outgoing email. Sometimes anti-virus tools are called ‘anti-malware’, because these products are designed to defend against various types of malicious software.

Drive-by Download

These attacks exploit vulnerabilities in your browser or its plugins and helper applications when you simply surf to an attacker-controlled website. Some computer attackers set up their own evil websites that are designed to automatically attack and exploit anyone who visits the website. Other attackers compromise trusted websites such as ecommerce sites and deploy their exploit software there. Often these attacks occur without the victims realizing that they are under attack.

Exploit

Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system or to provide unauthorized access to the affected data or application.

Firewall

A security program that filters inbound and outbound network connections. In some ways you can think of a firewall as a virtual traffic cop, determining which traffic can go through it. Almost all computers today come with firewall software installed. In addition, firewalls can be implemented as network devices to filter the traffic that traverses them.

Malware

Stands for ‘malicious software’. It is any type of code or program cyber attackers use to perform malicious actions. For example, malware could be used to capture all your keystrokes or use your computer to harm others. Such malicious actions often occur without the user of the system realizing that it has been infected. Malware is a generic term and includes any type of virus, worm, Trojan or other types of malicious code.

Patch

A patch is an update to a vulnerable program or system. A common practice to keep your computer and mobile devices secure is installing the vendor’s latest patches in a timely fashion. Some vendors release patches on a monthly or quarterly basis. Therefore, having a computer that is unpatched for even a few weeks could leave it vulnerable.

Phishing

Phishing is a social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email. Phishing was a term originally used to describe a specific attack scenario. Attackers would send out emails pretending to be a trusted bank or financial institution; their goal was to fool victims into clicking on a link in the email. Once clicked, victims were taken to a website that pretended to be the bank, but was really created and controlled by the attacker. If the victim attempted to log in thinking they were at their bank, their login and password would then be stolen by the attacker. The term has evolved and often means not just attacks designed to steal your password, but emails designed to send you to websites that hack into your browser, or even emails with infected attachments.

Social Engineering

A psychological attack used by cyber attackers to deceive their victims into taking an action that will place the victim at risk. For example, cyber attackers may trick you into revealing your password or fool you into installing malicious software on your computer. They often do this by pretending to be someone you know or trust, such as a bank, company or even a friend.

Spear Phishing

Spear phishing describes a type of phishing attack that targets specific victims. Instead of sending out an email to millions of email addresses, cyber attackers send out a very small number of crafted emails to very specific individuals, usually all at the same organization. Because of the targeted nature of this attack, spear phishing attacks are often harder to detect and usually more effective at fooling the victims.

Virus, Worm, Trojan

Different types of malware that are based on their capabilities and means of propagation. These technical distinctions between different types of malware are becoming less relevant, because modern malware often combines characteristics from each of them in a single attack.
· Virus: A type of malware that spreads by infecting other files, rather than existing in a standalone manner. Viruses often, though not always, spread through human interaction, such as opening an infected file or application.
· Worm: A type of malware that can propagate automatically, typically without requiring any human interaction for it to spread. Worms often spread across networks, though they can also infect systems through other means, such as USB keys. An example of a worm is Conficker, which infected millions of computer systems starting in 2008 and is still active today.
· Trojan: A shortened form of “Trojan Horse”, this type of malware appears to have a legitimate or at least benign use, but masks a hidden sinister function. For example, you may download and install a free screensaver which actually works well as a screensaver. But that software could also be malicious and infect your computer once you install it.

Vulnerability

This is a weakness that attackers or their malicious programs may be able to exploit. For example, it can be a bug in a computer program or a misconfigured web server. An attacker or malware may be able to take advantage of the vulnerability to gain unauthorized access to the affected system. However, vulnerabilities can also be weaknesses in people or organizational processes.

Friday, September 9, 2011

9 Convenient Lies in Information Security

Organizations sometimes “stretch the truth” regarding their ability to safeguard data, protect systems or offer other assurances related to information security. The crux of the problem is that implementing security is hard, as is explaining the effectiveness and roles of various controls. So we’re often left with promises or recommendations that can, at best, be seen as having an optimistic perspective on security.

Here are some of the statements that might often be considered lies, half-truths or idealistic simplifications…

Your data is secure because:

• We use bank-level 128-bit AES encryption. Encryption by itself is insufficient, as there are numerous other ways in which data can be put at risk.
• We are compliant with applicable industry regulations. The compliance status demonstrates that a set of practices is being followed, but doesn’t address all necessary security measures.
• We have a security seal to demonstrate that we passed a security scan. Such scans are often limited in the weaknesses that they examine, potentially leaving the organization exposed to numerous other attack vectors.

Protect yourself on-line by:

• Not opening email attachments from suspicious senders. People often receive legitimate attachments from unknown senders, yet have no basis for determining what is suspicious.
• Not clicking on links in email messages. People are often in a hurry or are multitasking, which makes it too tempting to click a link rather than attempting to re-type it.
• Selecting a “strong” password. Opinions vary on what constitutes a “strong” password; also, by selecting one that’s hard to remember, people are more likely to reuse it across sites and applications, increasing the risk that one compromise might grant the attacker access to other resources.

Your data is safe with our employees because:

• We conduct background checks. A “clean” record doesn’t guarantee that the person will exhibit ethical behavior in the future; also, many background checks are quite limited in their scope.
• We provide mandatory security awareness training. Many training programs don’t affect employees’ security-related behavior; also, participating in the session doesn’t imply that the employee absorbed the material.
• We have a security policy. Security policies seem to be rarely read and more rarely understood; also, the existence of security policies doesn’t imply that they are being followed.

When you see or hear the claims above, dig deeper to understand their meaning. When you hear security advice, ponder whether it is practical. If you are tempted to offer such assurances to users or customers, make sure they are accurate and provide additional details where relevant and appropriate.


Monday, August 1, 2011

Tips for creating a secure password

· Include punctuation marks and/or numbers.
· Mix capital and lowercase letters.
· Include similar looking substitutions, such as the number zero for the letter “O” or “$” for the letter “S”.
· Create a unique acronym.
· Include phonetic replacements, such as “Luv 2 Laf” for “Love to Laugh”.

Things to avoid:

· Don’t use a password that is listed as an example of how to pick a good password.
· Don’t use a password that contains personal information (name, birth date, etc.).
· Don’t use words or acronyms that can be found in a dictionary.
· Don’t use keyboard patterns (asdf) or sequential numbers (1234).
· Don’t make your password all numbers, uppercase letters or lowercase letters.
· Don’t use repeating characters (aa11).

Tips for keeping your password secure:

· Never tell your password to anyone (this includes significant others, roommates, parrots, etc.).
· Never write your password down.
· Never send your password by email.
· Periodically test your current password and change it to a new one.
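A checker that encodes the "creating" and "things to avoid" rules above, added here as an example (it is not from the original post). The word list and the set of published example passwords are constructed stand-ins, and the `personal` parameter is an assumption used for the name/birth-date rule:

```python
import re
import string

# Constructed stand-in for a real word list; a deployed checker would load a
# full dictionary (for example /usr/share/dict/words) instead of this handful.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Anything published as a "good password" example is off limits (the post's own one).
PUBLISHED_EXAMPLES = {"luv 2 laf", "luv2laf"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_keyboard_pattern(pw, length=4):
    """True if pw contains `length` adjacent keys of one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False


def has_sequential_digits(pw, length=4):
    """True if pw contains `length` digits counting straight up or down (1234, 4321)."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def is_single_class(pw):
    """True if the password is entirely digits, entirely uppercase or entirely lowercase."""
    return (all(c.isdigit() for c in pw)
            or all(c in string.ascii_uppercase for c in pw)
            or all(c in string.ascii_lowercase for c in pw))


def check_password(pw, personal=()):
    """Return the rules from the post that pw breaks (an empty list means it passes).
    personal: assumed parameter, strings (name, birth year, ...) that must not appear."""
    problems = []
    low = pw.lower()
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no punctuation mark or number")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("does not mix capital and lowercase letters")
    if low in PUBLISHED_EXAMPLES:
        problems.append("is a published example password")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if any(tok in DICTIONARY_WORDS for tok in re.findall(r"[a-z]+", low)):
        problems.append("contains a dictionary word")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if has_sequential_digits(pw):
        problems.append("contains sequential numbers")
    if is_single_class(pw):
        problems.append("is all numbers, all uppercase or all lowercase")
    if re.search(r"(.)\1", pw):  # any character immediately repeated, as in "aa11"
        problems.append("contains repeating characters")
    return problems
```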

Friday, July 22, 2011

3 Reasons Why People Choose to Ignore Security Recommendations

The researchers define information avoidance as “any behavior intended to prevent or delay the acquisition of available but potentially unwanted information.” According to the paper, people may choose to avoid information because:

(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.

These reasons for information avoidance are frequently present in situations where the organization conducted or commissioned an information security assessment.

Beliefs that might be challenged by the assessment:
• My IT infrastructure is secure
• I can write code that’s free of bugs and vulnerabilities
• My anti-malware defenses are working well
• I am an unlikely target of computer attacks

Undesired actions that might be prompted by the assessment:
• Security patches need to be applied throughout the environment
• The software development process needs to be overhauled to incorporate security
• Staff needs to be trained to improve information security-related skills
• The budget for information security needs to be increased
• The strategy defined for the information security program needs to be revamped

Unpleasant emotional situations that might arise due to the assessment:
• I have to “fight” with the management team to increase the security budget
• I don’t know how to secure information
• I spend money on the wrong information security products
• I look bad in front of my colleagues

The relative importance of these concerns and the extent to which they come into play varies across situations. Yet, these psychological factors of information avoidance explain not only why the findings of a security assessment may be ignored, but also why organizations may be hesitant to conduct such an assessment in the first place. What can the organization do to avoid this? Can the people conducting the assessment do anything to combat this tendency?

Thursday, March 31, 2011

7 Inconvenient Truths for Information Security


Information security policies and corresponding controls are often unrealistic. They don’t recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.

This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.

Corporate IT security departments need to recognize that employees:

• Use personal mobile devices and computers to interact with corporate data assets.
• Take advantage of file replication services, such as Dropbox, to make access to corporate data easier.
• Employ the same password for most corporate systems and, probably, personal on-line services.
• Write down passwords, PINs and other security codes on paper, in text files and email messages.
• Click on links and view attachments they receive through email and on-line social networks.
• Disable security software if they believe it slows them down.
• Don’t read security policies or, if they read them, don’t remember what was in them.

These are inconvenient truths that, if acknowledged by organizations as being common, can be incorporated into enterprise risk management discussions. Doing this will have strong implications for how IT security technologies and practices are configured and deployed.


Wednesday, March 16, 2011

What Is Advanced Persistent Threat (APT) ?

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:

• Political objectives that include continuing to suppress its own population in the name of "stability."

• Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.

• Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Sunday, February 27, 2011

Patriot is a 'Host IDS' for Windows

Patriot is a 'Host IDS' tool which allows real-time monitoring of changes in Windows systems and network attacks.

Patriot monitors:
• Changes in Registry keys: indicating whether any sensitive key (autorun, Internet Explorer settings...) is altered.
• New files in 'Startup' directories
• New Users in the System
• New Services installed
• Changes in the hosts file
• New scheduled jobs
• Alteration of the integrity of Internet Explorer (New BHOs, configuration changes, new toolbars)
• Changes in ARP table (Prevention of MITM attacks)
• Installation of new Drivers
• New Netbios shares
• TCP/IP Defense (New open ports, new connections made by processes, PortScan detection...)
• Files in critical directories (New executables, new DLLs...)
• New hidden windows (cmd.exe / Internet Explorer using OLE objects)
• Netbios connections to the System
• ARP Watch (New hosts in your network)
• NIDS (Detect anomalous network traffic based on editable rules)

http://www.security-projects.com/?Patriot_NG
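A minimal version of the baseline-and-compare approach behind the "new files in Startup directories" and "changes in the hosts file" checks in the list above, added here as an illustration (it is not Patriot's code). The directory layout, file names and the address in `demo()` are constructed sample values:

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to the SHA-256 of its contents."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                inventory[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return inventory


def diff_snapshots(baseline, current):
    """Return (kind, path) alerts for files that are new, removed or modified since baseline."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alerts.append(("NEW", path))
        elif path not in current:
            alerts.append(("REMOVED", path))
        elif baseline[path] != current[path]:
            alerts.append(("MODIFIED", path))
    return alerts


def demo():
    """Constructed scenario: a stand-in Startup folder and hosts file, baselined, then changed."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Startup")
        os.makedirs(startup)
        hosts = os.path.join(root, "hosts")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # The two events a host IDS is expected to flag: an executable dropped
        # into Startup, and a hosts entry that points a name at another address
        # (203.0.113.5 is a documentation-range address; the file is a fake).
        with open(os.path.join(startup, "updater.exe"), "wb") as fh:
            fh.write(b"MZ constructed sample, not a real program")
        with open(hosts, "a") as fh:
            fh.write("203.0.113.5 www.example.com\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

A real monitor would take the baseline once at a known-good time, re-snapshot on a schedule, and store the baseline where a compromised host cannot silently rewrite it.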

Monday, January 31, 2011

Improve Your Information Security Resume



When you craft a resume to pursue an information security job, you are expected to list past responsibilities. The goal is usually to catch the attention of the recruiter or hiring manager and be invited for an interview. Describing your role in a way that helps your resume stand out is hard, but I have a suggestion for a way to tackle this challenge.


The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job, such as:

• Wrote and maintained information security policies
• Supported the perimeter firewall, updating its rules when requested
• Managed anti-virus deployment for the enterprise

This isn’t all that bad… The task list allows the reader to understand what the candidate might be capable of. The problem is that this listing doesn’t stand out.

The solution? Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read your accomplishments and exclaim, “Wow! I want this person to do the same for me!”

Answering the implied “So What” question is hard. As you can see, the sample resume excerpt above doesn’t come even close to succeeding at this. The following listing is an improvement:

•Created and fine-tuned security policies, which allowed the organization to pass a regulatory audit. The documentation was succinct, making it easier for the employees to read it and follow its guidance.

•Managed the corporate firewall, improving the response time to implement changes by 50% over the course of the year. Optimized the existing rule set to decrease its length by 25%, making error-free maintenance easier.

•Centralized the management of endpoint anti-virus software, improving the time to respond to a malware infection by 70%. Wrote and deployed a script to validate that anti-virus software is installed on all workstations.

The text is a bit wordy and can use some tweaking. But the idea is that now the reader understands what benefits your tasks provided to your employer. Each bullet point provides an answer to the “So What?” question.

As you look at your current activities, consider whether you can point to any specific accomplishments. If you cannot, check whether there are other, more valuable tasks that you can focus on. Also, examine the extent to which the work you do contributes towards meeting your employer’s business goals.

Moreover, begin collecting metrics that not only provide your organization feedback regarding the effectiveness of its security program, but also help you collect the data you can use to illustrate your success on a resume.

Tuesday, January 25, 2011

[Public Shadowserver] The Conficker Working Group Lessons Learned Document

Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet-borne attack carried out by malicious software known as Conficker. This coalition became known as “The Conficker Working Group”, and seemed to be successful in a number of ways, not the least of which was unprecedented cooperation between organizations and individuals around the world, in both the public and private sectors.

In 2009, The Department of Homeland Security funded a project to develop and produce a “Lessons Learned” document that could serve as a permanent record of the events surrounding the creation and operation of the working group so that it could be used as an exemplar upon which similar groups in the future could build. This is the document.

The Rendon Group conducted the research independently, and although a number of members of the Conficker Working Group were interviewed, and provided information to the authors, the report is the sole work product of the Rendon Group. The views and conclusions are not necessarily those of the Conficker Working Group, or any of its official or unofficial members. Nonetheless the Core Committee of the Conficker Working Group believes the report has substantial value and is pleased to provide access to the Rendon document via the Conficker Working Group Website:

http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf

Sunday, January 23, 2011

The 12 information security principles for information security practitioners


The 12 Principles


The 12 information security principles for information security practitioners are outlined under three main categories – support the business, defend the business, and promote responsible security behaviour – with an objective and detailed description for each principle: