
Adobe Reader and Acrobat 8 Vulnerabilities

November 5, 2008

Adobe has released security updates to address vulnerabilities in Adobe Reader 8 and Acrobat 8. These vulnerabilities could allow an attacker to launch a denial of service or remotely execute arbitrary code.

The security bulletin with patches can be found here.

The OSI model in a nutshell (for beginners)

November 4, 2008

Since I’m just getting things started on this blog, I figured I’d post some introductory material for those new to the industry, or for others who may want a quick refresher. Knowing the inner workings of systems is important to provide interoperability and integration among so many diverse platforms. Without a foundational understanding of topics such as the OSI model, administrators will be less than effective.

So here’s a brief overview of each layer of the OSI model and its functions:

Layer 7 – Application: the interface between end-user applications and communications software. Protocols such as Telnet, HTTP, FTP, and SMTP communicate at this layer.

Layer 6 – Presentation: handles encryption, formatting, compression, and presentation of data formats (such as JPEG) to applications. SSL and TLS communicate at this layer.

Layer 5 – Session: responsible for the startup, control, and teardown of sessions for the presentation layer. NetBIOS and TCP sessions are examples of those controlled at this layer.

Layer 4 – Transport: handles all transport and data delivery issues to other systems (a focus on error recovery and controlling data flow). TCP and UDP protocols reside at this layer.

Layer 3 – Network: responsible for routing, addressing, and determining the best possible route. ICMP, IP, ARP, and IPsec reside at this layer.

Layer 2 – Data Link: links the data from one host to another, while defining protocols when data is sent over a particular medium. Where the IP address is found at layer 3, MAC addresses are found at this layer. Ethernet, FDDI, ATM, and Token Ring reside at this layer.

Layer 1 – Physical: This layer provides the physical transportation of data. It focuses on connectors, currents, pins, light, and other specifications that define cabling standards. This layer focuses on binary transmission.

There are many mnemonic phrases used to help memorize each layer. Some include:

•    People don’t need to see Paula Abdul
•    Please do not take sausage pizza away
•    All people seem to need data processing

Whichever phrase you choose, the OSI layers are pretty easy to remember over time. Knowing how various systems work and what layer they reside on can help streamline troubleshooting. The diagram below shows how communication takes place through the OSI model:

[Diagram: OSI Model. Source: Novell.com]

Thought of the day

November 3, 2008

“It’s not what’s happening to you now or what has happened in your past that determines who you become. Rather, it’s your decisions about what to focus on, what things mean to you, and what you’re going to do about them that will determine your ultimate destiny.” – Anthony Robbins

If you’ve never read “Unlimited Power” by Tony Robbins, I highly recommend it. I will tell you that it’s pretty long and you may find some chapters that can stand as their own books, but overall it contains some exceptional material. In life, we form perceptions about reality and our future based on our personal beliefs and experiences. Tony talks about how we have absolute control over our future and can make situations better, not by focusing on the negative, but by challenging our beliefs and changing our perceptions.

How to approach baselining for better asset security

November 2, 2008


A detailed baseline provides an accurate picture of an asset and its configuration. Controlling changes to asset baselines is essential to maintaining and validating the integrity of systems. Without proper documentation of system configurations, administrators may overlook anomalies as being normal. Further, when change management is applied to asset baselines, abnormal behavior, processes, or modifications will be identified much more quickly than if no oversight is performed.

Baselining begins with information identification because organizations must know what to protect in order to protect it (say that ten times fast). Proper identification of all assets will enable organizations to establish priorities based on criticality, with a clearer picture of the assets within their base. In addition, assets must be identified for proper labeling. This ensures that all versions and changes are documented and kept up-to-date.

Version management is the process of maintaining an archive of previous baselines. By maintaining archives of previous versions, newly installed baselines can be rolled back in case of failure or unexpected errors. This is also necessary to compare the effectiveness of baselines over time and for accountability and auditing purposes. If version management isn’t practiced, rollback won’t be available and versions may get mixed up—this is why labeling is important.

Labeling is an essential task in baselining because it ensures that each asset is properly identified and documented. Labeling should be conducted using a hierarchical approach to document and track each version, their configurations, and controls. With a hierarchical approach, correlation between assets, their functions, and location will be much clearer if labeled properly. In addition, labeling also preserves the “family tree” of an asset base.

Management buy-in is important for baseline management because assets require continuous updates and forward planning. Maintaining baseline integrity is a commitment made by the organization and requires management buy-in to ensure ongoing and accurate baselining. Through collaboration, organizational departments can cohesively provide checks and balances that complement the audit process.

Baselining is an important part of an information security framework. Through baselining, an organization will be able to accurately identify all risks and implement countermeasures to protect sensitive assets. Knowing the baseline of all assets and controlling change through versions and labeling are all facets that make up an effective information security posture. Since information security encompasses many components that together create a strong security posture, baselining is merely one layer in a strong defense-in-depth strategy.
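One way to put the version management, hierarchical labeling and anomaly detection described in this post into code, as an added example that is not from the original post: the class name, label scheme (site/role/host) and sample settings below are all assumptions made for illustration.

```python
import hashlib
import json

ABSENT = "<absent>"

class BaselineArchive:
    """Archive of baseline versions, keyed by hierarchical label (site/role/host)."""

    def __init__(self):
        self._history = {}                      # label -> list of version entries

    @staticmethod
    def digest(config):
        canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def commit(self, label, config):
        """Store a new baseline version; earlier versions stay in the archive."""
        versions = self._history.setdefault(label, [])
        versions.append({"version": len(versions) + 1, "config": dict(config),
                         "digest": self.digest(config)})
        return versions[-1]["version"]

    def current(self, label):
        return self._history[label][-1]

    def rollback(self, label):
        """Re-commit the previous version so the failed one remains auditable."""
        versions = self._history[label]
        if len(versions) < 2:
            raise ValueError("no earlier baseline to roll back to")
        return self.commit(label, versions[-2]["config"])

    def drift(self, label, observed):
        """Map each setting that differs to (baseline value, observed value)."""
        base = self.current(label)["config"]
        return {k: (base.get(k, ABSENT), observed.get(k, ABSENT))
                for k in sorted(set(base) | set(observed))
                if base.get(k, ABSENT) != observed.get(k, ABSENT)}

    def under(self, prefix):
        """Labels below a node of the hierarchy, e.g. every host under 'hq/web'."""
        return sorted(l for l in self._history if l.startswith(prefix.rstrip("/") + "/"))

# Constructed sample settings, not taken from the post.
SAMPLE = {"sshd.PermitRootLogin": "no", "svc.telnet": "disabled", "pkg.httpd": "2.2.9"}
```

Calling `drift()` with the settings observed on a host returns only the keys that differ from the current baseline, which is the list an administrator reviews against approved changes.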

Thought of the day

November 1, 2008


Try to learn something about everything and everything about something.
–Thomas H. Huxley

This quote is vital to professional and personal growth. Try to take time daily to learn something new. In our complex environments, we must be versed in a multitude of disciplines–not just one.

The Risk Mitigation Report

November 1, 2008


There are many benefits to performing a risk assessment, but one of the most influential elements is the risk mitigation report. This report serves as the document that lists identified risks, with specific countermeasures for mitigation. The risk mitigation report can also serve as an accountability mechanism for personnel, as it specifically identifies who’s responsible for implementing each mitigation task.

Since it identifies all risks faced by an organization, it’s a key element for strengthening your security posture. The risk mitigation report sets the security process in motion before deploying countermeasures. Moreover, it’s an effective tool for communicating the true harm an organization faces. Thus, it can be used to help management understand and appreciate the need for security.

In addition to providing a thorough risk mitigation report, a quarterly incident/threat report can aid in supporting the business case for security funding. Such a report will provide management with updates on major security incidents, with actions taken to thwart successful or unsuccessful attacks. If no real threats hindered the organization for that quarter, I’d provide examples of threats faced by similar organizations just to show management that security is necessary and your recommendations are warranted.
