Thanks to an email, I’ve come across a great website to offer you when it’s time to go looking for some good policy templates.
You’ll need to scroll down a bit to get to all the templates. There are also some nifty security awareness posters and some explanations for the difference between policy, standards, and procedures.
I downloaded over two dozen document templates. There’s some really good stuff here for Admins and Auditors.
I travel a lot – about 40% of the time. I plug in to the Net from all sorts of places as a part of doing business. So I have some rules based on experience:
1. Turn off the WiFi adapter if it’s not in use. Why broadcast the last hotel you stayed in, and allow bad people to try and attach to your machine? Check your settings, too, to make sure you connect only to infrastructure, NEVER Ad hoc. Never.
2. When you’re in the hotel at night, have you ever checked your Event Log? That’s how I found someone from a lobby computer trying to log into my machine using various passwords and the “Administrator” login. Of course, I had changed that ID name AND created another one with no rights. The motel manager got an earful. So – turn off your laptop, or pull the network plug at night.
And make sure you have Failure logging in your local security policy. For everything. Can’t hurt, since the log overwrites.
Don’t leave the machine on the network for someone to attack all night.
3. Disable ALL shares on your computer. During the day, I have a share running so that coworkers can exchange and update files. I turn it off every night.
4. If you have to leave your laptop somewhere, first of all: don’t. I take mine back with me to the hotel. But when I leave it in the office, I turn it off. When it’s off, whoever steals it won’t get past the disk encryption. If I leave it on, the encryption is disabled, and the possibility of hacking my password or otherwise bypassing Windows controls exists.
Your laptop is disk-encrypted, right?
5. Tape a business card to the top of your computer. A lot of laptops look alike going through security at the airport. Make sure no one has walked off with yours.
6. If you walk away from your computer, lock the screen. Make it a habit, whether you are in the office or on the road.
I had a boss that would go around locking it for you with a nasty message scrolling across the desktop – AND you had to go to him to get the password, because he went in and changed it.
Take a moment to think about what files are on your laptop and what value they might have. Consider what steps you will need to go through should your laptop be stolen.
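Most of the rules above can be checked from a script before you go to bed. The following PowerShell is an added example, not part of the original post; it assumes a current Windows client (Windows 8 or later, for the NetAdapter, SmbShare and BitLocker modules) run from an elevated prompt. The `$RemoveShares` variable and the 5-minute idle lock are choices made for this example.

```powershell
# Nightly "hotel check" for a Windows laptop (added example; see lead-in).
# Run from an elevated PowerShell prompt. Set $RemoveShares to $true to tear
# down non-administrative shares instead of only listing them.
$RemoveShares = $false

# WiFi: disable wireless adapters that are not connected, and refuse ad hoc networks.
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -ne 'Up' } |
    Disable-NetAdapter -Confirm:$false
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# Event Log: turn on failure auditing for every category, then see what hit the machine.
auditpol /set /category:* /failure:enable | Out-Null
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
                       -ErrorAction SilentlyContinue
foreach ($e in $failed) {
    # Event 4625 carries the account name and source address in its EventData section.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
    "{0}  failed logon as '{1}' from {2}" -f $e.TimeCreated, $user, $ip
}
if (-not $failed) { 'No failed logons in the last 24 hours.' }

# Shares: administrative shares (C$, ADMIN$, IPC$) are marked Special; anything else is yours.
$shares = Get-SmbShare | Where-Object { -not $_.Special }
foreach ($s in $shares) {
    "Share '{0}' -> {1}" -f $s.Name, $s.Path
    if ($RemoveShares) { Remove-SmbShare -Name $s.Name -Force }
}

# Disk encryption only protects a machine that is off; confirm it is enabled at all.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
"BitLocker on {0}: {1}" -f $env:SystemDrive, $bl.ProtectionStatus

# Lock screen: lock now, and make the screen saver lock after 5 idle minutes.
# (Per-user screen saver values; the idle lock takes effect at the next logon.)
$desk = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE'      -Value "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty -Path $desk -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -Value '300'
Set-ItemProperty -Path $desk -Name ScreenSaverIsSecure -Value '1'
rundll32.exe user32.dll,LockWorkStation
```

The failed-logon loop is the part worth reading every night: a burst of 4625 events for "Administrator" from one address is exactly the lobby-computer scenario above, and the source address tells you where to send the manager.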
I happened across the Vulnerability Assessment Team website of the Argonne National Laboratory. The Security Manager there has a great sense of humor, and has devised some security maxims much like my Rules of Thumb only BETTER.
Here are a couple of my favorites:
Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
Plug into the Formula Maxim: Engineers don’t understand security. They tend to work in solution space, not problem space. They rely on conventional designs and focus on a good experience for the user and manufacturer, rather than a bad experience for the bad guy. They view nature as the adversary, not people, and instinctively think about systems failing stochastically, rather than due to deliberate, intelligent, malicious intent.
I would add “Software Programmers” to this one.
We’ll Worry About it Later Maxim: Effective security is difficult enough when you design it in from first principles. It almost never works to retrofit it in, or to slap security on at the last minute, especially onto inventory technology.
Head on over and check out the rest.
“Cloud” computing continues to beat the drum of “cutting costs.” Although I must say that I am hard put to differentiate between “cloud computing” and data centers that host hardware, the emphasis seems to be on shared server resources and supposedly quick turnaround for new applications.
In my experience, “quick application development” is usually another way of saying “open everything up to make it work,” followed by “oops.” Or “ouch.”
The giants (Amazon, Google and IBM) are promising to customize security for their clients, but I have yet to see a price tag on that promise, or a standard for security in a cloud. I suspect that there isn’t one, and isn’t likely to be one.
Here are some questions that keep me wondering:
How would they implement different levels of security on the same hardware/server OS?
How do I know who else is sharing my server?
How do I know that my confidential data is secure? (Think PCI and HIPAA)
How would I handle eDiscovery?
Who maintains logs – specifically audit trails?
How does handing off security to a third-party affect compliance?
Where is my backup data?
And, uh, what happens if the cloud vendor goes belly up?
Who is responsible for a data breach?
Faster, better, cheaper – pick TWO.
SC Magazine has reported that a laptop belonging to the State of Oklahoma was stolen, with 1 million names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits.
All this was secured with a password. The State of OK seems to think that is adequate protection – has nobody there heard of a Linux boot disk? It will take (and probably already has taken) a cracker ten minutes or less to gather the SAM database, and probably not much more time to crack the password.
No excuses! Get it done. The cost of losing a laptop is now estimated at $50,000, after the cost of corporate security efforts, bad publicity, and lawsuits. No one is too small to get sued.
We all do it; we connect to the web and grab our mail all the time. But those web pages are vectors for cross-site scripting (XSS) and a newer nasty, CSRF (pronounced SeeSurf), cross-site request forgery, which affects many webmail providers, most notably Gmail.
Gmail even knows about a flaw it hasn’t bothered to patch, according to several researchers. It’s tricky, but an attacker can use it to change your password in the right technical situation.
Not to mention the fact that if you’re checking your mail at an unencrypted WiFi hotspot (you don’t do that, do you?) your password can be captured by the teenager sitting at the window sipping his latte while he runs a packet sniffer.
When I’m asked for advice about this from users that are generally unacquainted with the acronyms above, I have two recommendations:
First, if you’re at a free WiFi hotspot, don’t go anywhere you have to log in. That’s the simplest advice. But if you’re on business, or do want to check Gmail, Yahoo, etc., there is something you can do: Log in using https. This forcibly encrypts your traffic when you log in.
Keep in mind that some services let you log in using https, but then bounce you to an unencrypted page for the rest of the activity. Yahoo and Hotmail do exactly that. So if you’re sending an email with private information, it will go across the net in open format.
Gmail has a setting (somewhat well-hidden) that can require you to connect and stay in https. If you are in Gmail, select settings at the right top corner. Scroll all the way to the bottom of the page, to the category “browser connection.” Select “always use https,” and you can read your email safe from prying eyes. I haven’t found anything like this in Yahoo and Hotmail. Good enough reason to switch!
Why isn’t a vulnerability scan part of a penetration test? A scan looks for vulnerabilities the way hackers do – but hackers are MUCH better at it. Scans look for what they are programmed to look for – hackers look for holes.
Penetration testing certainly involves scanning, but most professional pentesters don’t waste time with scanners. They’re nice to have if you have a lot of money and only a little time to check your security. But the guy who gets in doesn’t usually have one in his kit. Scanning software tends to be huge (think database on the backend) and cumbersome.
Don’t get me wrong; there are some terrific pieces of software out there that can and should be used on a regular basis. They can catch the misconfigured server and identify the “low hanging fruit” that needs to be cleaned up. They are a part of a security audit, and VERY handy to have. I’d like to have a few in MY toolkit.
Do I use them for pentesting? No.
The first two or three steps in a penetration test have nothing to do with scanning the network for vulnerabilities, and often are far more effective than a scan will ever be. The nice man who lets me in the door does far more for me than a scan… why do a whole bunch of scanning when I can access the server physically? Ten minutes (or less) with your server and it’s MINE.
Of course, because I’m an auditor, and the First Rule is usually: “Don’t break anything,” I settle for leaving my business card on the back of the chassis or a little file in the root directory. But a thumb drive with some fun software can capture the SAM database pretty quickly and erase traces of itself pretty fast.
So don’t let anyone call a scan a pentest – it just means they don’t know their business.
Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINs.
This “minor detail” was buried in an affidavit last year, but Wired has put it together with some other information afloat on the Net, and the article is a really good read on what happens to your PIN from your debit card as it transits various networks to receive approval. Your PIN gets decrypted and re-encrypted by a Hardware Security Module (HSM) each time it transits a network. Lots of opportunities for capture with the help of an insider or some sniffing malware.
“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”
Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.
Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.
(Sorry, I apologize for using an acronym, but I couldn’t resist.)
Whenever the subject comes up of logging activity in a database, immediately the complaints of “Too much overhead!” can be heard. Everybody thinks it’s a good idea in theory, but from a practical standpoint, it adds a lot of burdens to the database.
From a security standpoint, it’s really difficult to make sure that DBAs or Administrators are accurately logged AND denied access to the logs. On the database server itself, it’s next to impossible.
This isn’t really a new idea, but it has recently gained a lot of adherents: database monitoring. Quest Software has had some good products around for monitoring performance, but recently the focus (because of compliance, big surprise) has turned to access controls, logging, and monitoring activity.
For example, someone might have noticed a little sooner at Countrywide that someone was accessing a lot of customer data if a Database Activity Monitoring device had been installed.
There are two versions of this type of device. First, is the Network-based DAM, which can monitor all traffic going to and from the database server, and puts no load on the server itself. This is a great idea, unless, of course, your traffic is encrypted. Another issue is that this type of monitoring will miss activity that is local to the server itself.
Second is the host-based DAM, which is really the more effective of the two, because it can see everything you want to see via an agent installed on the server that reports back to the monitoring device elsewhere on the network. The overhead of an agent will not be as high as trying to enable auditing within the database itself, and, as much as I am not fond of agent software, in this case I would make an exception, after careful testing.
The drawback to this system is that the agent could be disabled, but the DAM should immediately alert personnel to that fact. If you are able to size your server appropriately, an agent’s overhead could be minimized. I’d love to hear from anyone using this type of configuration, and how they like it.
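To make the two points above concrete (a network-based DAM cannot see sessions local to the server, and a host agent that goes quiet must itself raise an alert), here is an added PowerShell example that is not taken from the post or from any vendor’s product. The audit records, the heartbeat timestamps, the `customers` table name and the 100,000-row threshold are all constructed for the illustration.

```powershell
# Constructed audit records, one per statement, as a host agent might report
# them. 'LOCAL' in the source column means a session on the database server itself.
$audit = @'
time,user,source,statement,object,rows
2009-03-02T22:01:10,app_svc,10.1.4.20,SELECT,customers,40
2009-03-02T22:02:31,app_svc,10.1.4.20,SELECT,customers,55
2009-03-02T22:05:00,jdoe,10.1.4.77,SELECT,customers,200000
2009-03-02T22:06:12,jdoe,10.1.4.77,SELECT,customers,180000
2009-03-02T22:07:40,sa,LOCAL,SELECT,customers,350000
2009-03-02T22:09:05,report_svc,10.1.4.30,SELECT,orders,12000
'@ | ConvertFrom-Csv

# Flag any login that pulled more than $Threshold rows out of a sensitive table.
function Find-BulkReads {
    param($Records, [string]$Object, [int]$Threshold)
    $Records |
        Where-Object { $_.object -eq $Object -and $_.statement -eq 'SELECT' } |
        Group-Object -Property user |
        ForEach-Object {
            # ConvertFrom-Csv yields strings, so cast before summing.
            $total = ($_.Group | ForEach-Object { [int]$_.rows } | Measure-Object -Sum).Sum
            if ($total -gt $Threshold) {
                [pscustomobject]@{
                    User    = $_.Name
                    Rows    = $total
                    Sources = ($_.Group.source | Sort-Object -Unique) -join ','
                }
            }
        }
}

'--- host-based view (agent sees every session) ---'
Find-BulkReads -Records $audit -Object customers -Threshold 100000 | Format-Table -AutoSize

# A network-based DAM only sees traffic on the wire, so it never gets the LOCAL
# rows; the same rule run over that view misses the 'sa' session entirely.
'--- network-based view (LOCAL sessions invisible) ---'
$onWire = $audit | Where-Object { $_.source -ne 'LOCAL' }
Find-BulkReads -Records $onWire -Object customers -Threshold 100000 | Format-Table -AutoSize

# Agent heartbeat: the agent is expected to check in every 5 minutes. Two missed
# beats are treated as "agent disabled" and alerted on immediately.
$expectedMinutes = 5
$lastHeartbeat   = [datetime]'2009-03-02T22:05:00'   # constructed
$now             = [datetime]'2009-03-02T22:17:00'   # constructed "current time"
$silentFor = ($now - $lastHeartbeat).TotalMinutes
if ($silentFor -gt 2 * $expectedMinutes) {
    Write-Warning ("DAM agent silent for {0} minutes (last heartbeat {1}); treat as disabled" -f $silentFor, $lastHeartbeat)
}
```

With the sample data the host-based view flags both `jdoe` (380,000 rows over the network) and `sa` (350,000 rows from a local session), while the network-based view reports only `jdoe`. That missing `sa` line is the case the post describes: the DBA at the console is exactly who the wire-tap appliance cannot see, and a heartbeat rule is what keeps the host agent from being silently switched off.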
The latest statistics I’ve read from vendors now say that up to 6% of PCs worldwide are infected by the worm. What is going to happen as a result of this worm is yet to be determined. The “patch” provided by Microsoft disables autorun so that the worm cannot infect the machine, but that is for only one variant of the worm. Another patch addresses the underlying vulnerability in the server service.
Windows patch MS08-067. What’s wrong with this picture?
It’s been almost six months since the first patch release from Microsoft. Why isn’t everybody patched?
The fact that so many computers have been infected tells us that patch management and deployment as it is now is not working.
Companies frequently refuse to patch because they “don’t want to break something.” SQL Slammer brought networks down worldwide – what will Conficker do to your network if you aren’t up to date on patches?
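A quick way to answer “why isn’t everybody patched?” for one host is to ask it. The PowerShell below is an added example, not from the post. It assumes MS08-067 was delivered as KB958644 (confirm against the bulletin for your Windows version; on releases newer than the bulletin the fix is part of the base OS and no hotfix entry exists) and that autorun is governed by the `NoDriveTypeAutoRun` policy value, where 0xFF disables autorun on every drive type.

```powershell
# Report whether this Windows host has the MS08-067 fix and autorun disabled.
# The KB number is an assumption to verify against the bulletin for your OS.
function Test-ConfickerMitigations {
    param([string]$Kb = 'KB958644')

    $fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $installedOn = if ($fix) { $fix.InstalledOn } else { $null }

    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                               -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $autorunValue = if ($policy) { [int]$policy.NoDriveTypeAutoRun } else { 0 }

    # The worm spread through the Server service (SMB, TCP 445); note whether it is running at all.
    $server = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $serverState = if ($server) { $server.Status } else { 'not present' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Ms08067Patched  = [bool]$fix
        PatchInstalled  = $installedOn
        AutorunDisabled = ($autorunValue -band 0xFF) -eq 0xFF
        ServerService   = $serverState
    }
}

$r = Test-ConfickerMitigations
$r | Format-List
if (-not $r.Ms08067Patched)  { Write-Warning "$($r.Computer): MS08-067 hotfix not listed" }
if (-not $r.AutorunDisabled) { Write-Warning "$($r.Computer): autorun still enabled (set NoDriveTypeAutoRun to 0xFF)" }
```

Run it across a fleet (for example with `Invoke-Command -ComputerName`) and the warnings become the list of machines that are still a Slammer-style risk, with the install date telling you how long each one has been waiting.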