IT Trenches:

February, 2009

Feb 27 2009   7:41PM GMT

Did you see this? - Internet Measurement Testing tools



Posted by: Troy Tate
network testing, network, testing, toolkit, research, throughput, analysis, Performance, performance monitoring

There will always be some user saying “the internet is slow”. There are many resources out there to test internet connections. The Measurement Lab is one I came across the other day. There are several useful tools under this page. Some of the tools and descriptions are listed below. Maybe one of these will be useful to you or your users some day. Just remember you heard about it on IT-Trenches! Thanks for reading and let’s continue to be good network citizens.

Feb 25 2009   2:30PM GMT

Did you see this? - The Cheapskate’s Infosecurity Toolbox



Posted by: Troy Tate
information security, infosecurity, tools, toolkit, management, research

This may be a couple of years old, but the need for infosecurity tools and the requirement for cheap solutions have not changed. It was first published in CSO magazine in 2006. The tools have only gotten better since then. I hope you can find some use for the tools it recommends in these trying times for budgets and resources.

The Cheapskate’s Infosecurity Toolbox

Thanks for reading & let’s continue to be good network citizens!


Feb 24 2009   3:14PM GMT

Financial crisis due to poor risk understanding & management - IT security next?



Posted by: Troy Tate
risk, financial analysis, information security, technology, measurement, Monitoring, risk management

I have written before about IT being an accelerator for the financial crisis. Another recent article, this time from Wired, called Recipe for Disaster: The Formula That Killed Wall Street, seems to show how extremely complex risk measurement is and how someone tried to design a model to express that risk. It is the same for information security professionals. Take some time, read the Wired article and substitute the words “information security” where the word “finance” is used. See if it mirrors the information security risk situation today. It may shed some light on how complex the situation has become and what the impact may be if security professionals do not do something to head off an information security meltdown - but wait… are we already there with some of the botnets, Conficker, etc.? Let me know your thoughts on this.

Thanks for your time and let’s continue to be good network citizens!


Feb 23 2009   4:20PM GMT

IP address / Identity management & protecting youth from exploitation by adults



Posted by: Troy Tate
House, Senate, Law, IP address management, identity management, logging, Security, ISP, service providers

A bill was recently introduced in both the House and Senate to strengthen current legislation addressing online child predators. The bill is known as the ‘Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act of 2009’. There are several provisions in the proposed bill, but there is one that causes me to stop and wonder how effective the legislation will really be.

The particular section I am referring to is shown below.

SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.

Section 2703 of title 18, United States Code, is amended by adding at the end the following:

‘(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’.

This section places a lot of responsibility on the “provider of an electronic communication service or remote computing service.” Where does this actual responsibility lie? Is it with the ISP (top end - think ATT) or is it with the reseller or the commercial user of that reseller’s services? Does this include your organization or mine?

What I am also concerned about is the requirement to track the “identity of a user of a temporarily assigned network address the service assigns to that user.” Is the address assigned to a user or a device? Can it be confirmed who the actual user of the device was at the time of the event(s) in question? Wiretapping is one thing with voice recognition, but how can you tell who was specifically using a device at a particular time? Sure, there might be system logs showing who was logged in, but what was the authentication method? Was it just username & password? How strong is that as evidence?

I hope this bill to update the law gets some very careful consideration about the definitions and what identity really means in this case. It seems like the intent is to gain better documentation but I don’t think this particular language or technology is ready to support this.

Thanks for reading & let’s continue to be good network citizens.


Feb 19 2009   1:47PM GMT

Is protocol analysis or network management your thing?



Posted by: Troy Tate
network analysis, protocol analysis, packet analysis, packet capture, training, education, wireshark, ethereal, tcp/ip, trace files

Laura Chappell (the Viral Bitgirl) has announced that Sharkfest 09 registration is open and all registered attendees get a FREE AIRPCAP ADAPTER (US $198)! Sharkfest is the Developer/User Conference for Wireshark and it is sponsored by CACE Technologies and Wireshark University. Laura will be there with new, hot (or cool, if you prefer) topics, trace files, case studies and hands-on labs. Register today at Sharkfest.09 to get your free AirPcap adapter. [Dates: June 16-18, 2009; registration and BBQ on June 15th]

Laura has also announced that Chappell University is open for registration. Subscription-level service will be open soon. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Some of the content includes two lab workbooks with over 100 lab exercises using Wireshark to spot network problems and security breaches, and to analyze normal and abnormal TCP/IP communications. There are video answers to all the lab exercises. In addition, there’s an extensive trace file repository, and additional WLAN, VoIP, bot-infection, application, etc., trace files will be added each quarter. Check out the new YouTube Channel for Chappell University and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications).

If you have never experienced training presented by Laura, this is your chance to get very in-depth, easy to understand technical training. Sure, some of the stuff may cost a little, but she has tons of free stuff out there also. The paid content is definitely worth it. I have her Master Library (pre-dates the new Chappell University) and I still refer to the content occasionally to refresh my skills in network analysis.

Thanks for reading and let’s continue to be good network citizens!


Feb 11 2009   8:08PM GMT

Tracking down that user/computer that locks AD accounts



Posted by: Troy Tate
Data security, administration, analysis, antivirus, anti-virus, diagnostics, howto, information security, malicious activity, malware, Microsoft, Microsoft Windows, Active Directory, AD, network security, Password, policy enforcement, reporting, risk, risks, scanning, search, Security, security notification, tools, troubleshooting, Windows, password management, account management

With an environment spanning 18+ sites and more than 3000 computers around the globe, you could understand how challenging it would be to track down what device/user might be locking user accounts. There are tools out there that you can pay for that can help do this. However, Microsoft has some free tools that with a little testing and use will permit you to quickly track down where the account is being locked and address the situation.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to log in. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment, so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out-of-date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft System Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came into use and helped isolate the cause.


Feb 6 2009   6:31PM GMT

Cost saving measures - printing? Really?



Posted by: Troy Tate
cost savings, budgeting, ROI, printing, survey, feedback, toner, printing supplies

I don’t know about your organizations but the one I work for is doing as much as possible to reduce costs in these hard times. We have gone through the staffing reductions, travel restrictions, site closures, salary reductions like most other organizations. Now an outside vendor has come to us saying they can help save us money in printing. Granted, there may be some cost savings there and I hope there is. However, some of the statistical information they provided has me wondering about the accuracy and scope.

I don’t have full details yet of how the survey was done, but the vendor reported that the average user in this office exceeds 26 printed pages per day. So, for an office of about 80 people, this is over 2080 pages per day - or over 4 reams of paper. The survey also says that black/white costs are 2.5 cents per page and color is 17.2 cents per page. Do these numbers seem reasonable, or has your organization done a similar printing survey?

One of the issues I have with this is if the volume survey was done in January, that is not really the most representative month for printing volumes. That is the month when month-end, quarter-end and year-end financial statements are produced. There is a lot of “unusual” print volume during the first month of the year.

One cost-saving recommendation that came back from the vendor, of course, is to use duplex printing where possible. Most of the printers in this office have been here for well over 5 years. To save costs at the initial purchase time, they were not purchased with the duplex print options. So, this is not really an available option on most of the printers. The users of course could print 2 pages per page (as I typically try to do), but then the print is very small and can be difficult to read, which can create errors or cause stress. So, is this a good option either?

I’d like to hear from some IT-Trenches readers - please share with me your experiences with printing cost saving measures. I’m sure other readers would appreciate your tips, tricks and insights.

Thanks for reading & let’s continue to be good network citizens.


Feb 3 2009   7:41PM GMT

Will Microsoft ever get search right?



Posted by: Troy Tate
Microsoft, Google, search, Live search, Microsoft Live, documentation, Powershell

I am looking for some documentation on PowerShell to better understand how to use it. Per Wikipedia: Windows PowerShell is an extensible command-line shell and associated scripting language from Microsoft. So, I went to the Microsoft.com home page at www.microsoft.com. I typed powershell into the Search field at the very top of the page. I clicked the magnifying glass… waited a few seconds… and NOTHING was returned! So, I clicked on the Live Search option and 39,500 results were returned. Now, when I go to the main Microsoft page, enter powershell into the same search field as before and press Enter, the Live search results get returned - filtered for Microsoft.com only. It seems like my Live search excursion “woke up” the main Microsoft website search into knowing some powershell content does exist at Microsoft.com.

I have often been frustrated in the past when searching Microsoft support using the exact error or event code from a Microsoft system or application log and nothing gets returned. It just seems like Microsoft is still missing the boat when it comes to search.

So, I guess I will continue to Google for Microsoft support information until I can see that Microsoft is better able to search their own website from their homepage.

Thanks for reading & let’s be good network citizens out there!


Feb 2 2009   5:15PM GMT

ARP as a network auditing tool



Posted by: Troy Tate
ARP, protocol, testing, tools, toolkit, scanning, education, video, training, protocol analysis, Laura Chappell

ARP, or Address Resolution Protocol, is a necessary element for network traffic. Per Wikipedia: “In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host’s link layer (hardware) address when only its Internet Layer (IP) or some other Network Layer address is known. ARP is defined in RFC 826.[1] It is Internet Standard STD 37.” It is not an IP-only protocol.

What this means is that ARP is not a protocol that is easily blocked or disabled on a network. This is as designed, but it also means that attackers can use this protocol for malicious activities. It is important that you understand the ARP protocol, the ways it is used and the dangers associated with it.

Laura Chappell, the BitGirl, has created a new tutorial on using ARP to scan networks that may be firewalled or where ICMP pings are blocked. ARP will permit you - and attackers - to find hosts on the network. Take some time and watch this short video and gain some valuable insights into ARP.

Watch Chappell University - Ethical Hacking with NetScanTools Pro - ARP Scanning

Thanks for your time and let’s be good network citizens!
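
A defender's view of the ARP scanning discussed in this post, as an added example that is not from the original post or the video: it parses RFC 826 frames and flags any sender that asks for many distinct addresses in a short time. The window, threshold, MAC/IP addresses and the capture itself are constructed assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4 (28 bytes)

def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast who-has frame; used only to make sample data."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, src_mac,
                      ipaddress.IPv4Address(src_ip).packed, b"\x00" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, sha.hex(":"), str(ipaddress.IPv4Address(spa)),
            str(ipaddress.IPv4Address(tpa)))

def find_arp_sweeps(capture, window=10.0, threshold=20):
    """capture: time-ordered (timestamp, frame) pairs. Returns {sender_mac: peak}
    for senders asking for >= threshold distinct IPs within `window` seconds.
    Routers legitimately ARP for many hosts, so allow-list them in practice."""
    recent = defaultdict(list)  # sender MAC -> [(timestamp, target_ip)]
    flagged = {}
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _, mac, _, target = parsed
        events = recent[mac]
        events.append((ts, target))
        while events[0][0] < ts - window:  # drop requests older than the window
            events.pop(0)
        distinct = len({ip for _, ip in events})
        if distinct >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), distinct)
    return flagged

# Constructed capture: one host sweeping 60 addresses, one normal workstation.
SCANNER, WORKSTATION = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b02")
SAMPLE = [(i * 0.05, build_arp_request(SCANNER, "192.0.2.10", f"192.0.2.{i}"))
          for i in range(1, 61)]
SAMPLE += [(t, build_arp_request(WORKSTATION, "192.0.2.20", ip))
           for t, ip in [(0.5, "192.0.2.1"), (4.0, "192.0.2.53"), (9.0, "192.0.2.1")]]
SAMPLE.sort(key=lambda entry: entry[0])
```
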