Thursday, March 31, 2011

7 Inconvenie​nt Truths for Informatio​n Security


Information security policies and corresponding controls are often unrealistic. They don’t recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.




This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.

Corporate IT security departments need to recognize that employees:

• Use personal mobile devices and computers to interact with corporate data assets.
• Take advantage of file replication services,such as Dropbox,to make access to corporate data more easy
• Employ the same password for most corporate systems and, probably, personal on-line services.
• Write down passwords, PINs and other security codes on paper, in text files and email messages.
• Click on links and view attachments they receive through email and on-line social networks.
• Disable security software if they believe it slows them down.
• Don’t read security policies or, if they read them, don’t remember what was in them.

These are inconvenient truths that, if acknowledged by organizations as being common, can be incorporated into enterprise risk management discussions. Doing this will have strong implications for how IT security technologies and practices are configured and deployed.


Posted by at No comments:
Labels:

Wednesday, March 16, 2011

What Is Advanced Persistent Threat (APT) ?

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:

• Political objectives that include continuing to suppress its own population in the name of "stability."

• Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worringly is the thought that intruders could make changes to improve their position and weaken the victim.

•Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.







Posted by at No comments:
Labels:

Sunday, February 27, 2011

Patriot is a 'Host IDS' for Windows

Patriot is a 'Host IDS' tool which allows real time monitoring of

changes in Windows systems and Network attacks.



Patriot monitors:
Changes in Registry keys: Indicating whether any sensitive key
(autorun, internet explorer settings...) is altered.
New files in 'Startup' directories
New Users in the System
New Services installed
Changes in the hosts file
New scheduled jobs
Alteration of the integrity of Internet Explorer: (New BHOs,configuration changes, new toolbars)
Changes in ARP table (Prevention of MITM attacks)
Installation of new Drivers
New Netbios shares
TCP/IP Defense (New open ports, new connections made by processes,PortScan detection...)
Files in critical directories (New executables, new DLLs...)
New hidden windows (cmd.exe / Internet Explorer using OLE objects)
Netbios connections to the System
ARP Watch (New hosts in your network)
NIDS (Detect anomalous network traffic based on editable rules)

                               http://www.security-projects.com/?Patriot_NG
Posted by at No comments:
Labels:

Monday, January 31, 2011

Improve Your Information Security Resume



When you craft a resume to pursue an information security job, you are expected to list past responsibilities. The goal is usually to catch the attention of the recruiter or hiring manager and be invited for an interview. Describing your role in a way that helps your resume stand out is hard, but I have a suggestion for a way to tackle this challenge.


The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job, such as:

•Wrote and maintained information security policies
•Supported the perimeter firewall, updating its rules when requested
•Managed anti-virus deployment for the enterprise

This isn’t all that bad… The task list allows the reader to understand what the candidate might be capable of. The problem is that this listing doesn’t stand out.

The solution? Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read your accomplishments and exclaim, “Wow! I want this person to do the same for me!”

Answering the implied “So What” question is hard. As you can see, the sample resume excerpt above doesn’t come even close to succeeding at this. The following listing is an improvement:

•Created and fine-tuned security policies, which allowed the organization to pass a regulatory audit. The documentation was succinct, making it easier for the employees to read it and follow its guidance.

•Managed the corporate firewall, improving the response time to implement changes by 50% over the course of the year. Optimized the existing rule set to decrease its length by 25%, making error-free maintenance easier.

•Centralized the management of endpoint anti-virus software, improving the time to respond to a malware infection by 70%. Wrote and deployed a script to validate that anti-virus software is installed on all workstations.

The text is a bit wordy and can use some tweaking. But the idea is that now the reader understands what benefits your tasks provided to your employer. Each bullet point provides an answer to the “So What?” question.

As you look at your current activities, consider whether you can point to any specific accomplishments. If you cannot, check whether there are other, more valuable tasks that you can focus on. Also, examine the extent to which the work you do contributes towards meeting your employer’s business goals.

Moreover, begin collecting metrics that not only provide your organization feedback regarding the effectiveness of its security program, but also help you collect the data you can use to illustrate your success on a resume

Posted by at 1 comment:
Labels:

Tuesday, January 25, 2011

[Public Shadowserver] The Conficker Working Group Lessons Learned Document

The Conficker Working Group Lessons Learned Document


Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet borne attack carried out by malicious software known as Conficker. This coalition became known as “The Conficker Working Group”,

and seemed to be successful in a number of ways, not the least of which was unprecedented cooperation between organizations and individuals around the world, in both the public and private sectors.

In 2009, The Department of Homeland Security funded a project to develop and produce a “Lessons Learned” document that could serve as a permanent record of the events surrounding the creation and operation of the working group so that it could be used as an exemplar upon which similar groups in the future could build. This is the document.

The Rendon Group conducted the research independently, and although a number of members of the Conficker Working Group were interviewed, and provided information to the authors, the report is the sole work product of the Rendon Group. The views and

conclusions are not necessarily those of the Conficker Working Group, or any of its official or unofficial members. Nonetheless the Core Committee of the Conficker Working Group believes the report has substantial value and is pleased to provide access to

the Rendon document via the Conficker Working Group Website
 
http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf
Posted by at No comments:
Labels:

Sunday, January 23, 2011

The 12 information security principles for information security practitioners


The 12 Principles


The 12 information security principles for information security practitioners are outlined under three main categories – support the business, defend the business, and promote responsible security behaviour – with an objective and detailed description for each principle:




Posted by at No comments:

Thursday, October 7, 2010

Computer Monitoring Tools

As security professionals we all know when our computers are trying to tell us that there is something wrong.  We also have our own techniques for poking around "under the hood" looking for trouble before it gets out of hand.  Like car enthusiasts, we know what each rattle and noise means and we take steps to correct the problem early.  But what about our parents and extended family members who don't have the same skills?  Like the temperature gauge or "check engine" light in your car, how does a typical user know that something is wrong?
Most newer operating systems have a system health and monitoring capability.  For example, in Windows 7 you do this:
  • Log on as a local administrator on your computer, click Start, and then click Performance and Information Tools.
  • Under Advanced Tools, select Generate a system health report.
And in Windows XP you take these steps:
  • Log on as a local administrator on your computer, click Start, and then click Help and Support.
  • Under the Pick a task, click Use Tools to view your computer information and diagnose problems.
  • In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)