CISCO to launch iPhone App

November 22, 2009 by · Leave a Comment 

CISCO is preparing to launch a new security iPhone App. According to their website, the “Cisco® SIO To Go, an Apple iPhone application that puts the power of the Cisco Security Intelligence Operations (SIO) in users’ hands, giving them real-time access to a wealth of actionable global security information no matter where they are. The Cisco SIO iPhone application enables users to personalize alerts to show only those security threats that could impact their network and provides added assurance that they are being protected by their Cisco security solution.”

Some of their planned alerts include:

  • Cisco Product Security Incident Response Team (PSIRT) Alerts
  • Cisco Intrusion Prevention Systems (IPS) Signatures
  • Cisco Applied Mitigation Bulletins
  • Cisco Threat Outbreak Alerts
  • And many others

Sounds like an interesting App… 

Update: App is available now…



Printer Diving

November 21, 2009 by · 2 Comments 

I had an interesting conversation this week. A gentleman told me that he frequently sees things on printers that are of interest to him. It’s understandable that people often print new diagrams, org charts, or special project material that others may find interesting. Nothing out of the ordinary there… However, he went further and said that many times he has no idea where the items come from or who they belong to, but if they sit on the printer too long he feels that the documents belong to him.

I found this statement quite humorous at first. Actually, I laughed for a few seconds because I thought he was kidding. As it turns out, he was very serious. I thought about it for a while and realized that this is likely going on all the time in large enterprise environments. A user could print out a sensitive document to a print station, someone grabs it by accident, and then the document owner shows up to find nothing at the printer. Thinking that the printer may have malfunctioned, the document owner may re-print it and think nothing else about it. The other person that grabbed it by accident may eventually decide to return the document to the printer. At that point, the document just sits on the printer to be glanced over by anyone using that printer. Someone could then decide to go “Printer Diving” and pick up the sensitive document without a valid need-to-know.

While this may seem a bit trivial since only authorized employees should have access to print stations, let’s not forget about non-cleared visitors, disgruntled employees, competitors, or simply authorized users without a need to know. In that regard, printer diving can be compared to dumpster diving.

Gone Facebook Phishing?

November 4, 2009 by · Leave a Comment 

The folks at Appriver recently reported that attackers have started a serious campaign against Facebook users. According to their reports, the botnet is sending over 500 phishing messages per second. And get this, along with stealing your Facebook credentials, the botnet prompts unsuspecting users to download what appears to be an “update.” What the user really gets is malware crafted to target bank account and other financial information.

For more information on this attack, visit the Appriver blog.

[Image: Facebook phishing message. Source: Appriver]

What is ISO 17799?

September 5, 2009 by · Leave a Comment 

ISO 17799 is a set of standards created by the International Organization for Standardization.  ISO is responsible for creating numerous standards, including the OSI model. ISO 17799 covers a broad range of information security practices and acts as a framework for an organization to establish and implement a security management program. The ten security domains that make up ISO 17799:2000 include:

  • Security policy: This domain provides input into security management from a top-down perspective and the creation of an effective security management program.
  • Organizational security: This domain focuses on both internal and external management of operational security. It isn’t limited to technical controls, but also relationship and reputation issues.
  • Asset classification and control: This domain focuses on organizing, prioritizing, and classifying information based on sensitivity and need for confidentiality and availability. It also covers the day-to-day use and storage of such information.
  • Personnel security: This domain focuses on procedures for hiring, firing, and training of employees. Employees must be screened prior to employment and consent forms need to be addressed and signed.
  • Physical and environmental security: This domain covers the protection of assets from damage to its physical infrastructure and providing access controls via cipher locks or other mechanisms. It also covers HVAC and power controls.
  • Communications and operations management: This domain covers techniques for ensuring secure communications and providing data integrity through the use of firewalls, AV protection, encryption, and backups.
  • Access control: This domain covers access and monitoring controls through the use of discretionary, mandatory, and role-based controls. This constitutes authentication and identity management.
  • System development and maintenance: This domain covers change management of systems with the advancement of technology to ensure compatibility and overall quality assurance.
  • Business continuity management: This domain covers strategies for protecting a business from massive outages and prepares a company for unforeseen circumstances such as natural disasters and impromptu recovery missions.
  • Compliance: This domain covers law and legislation from a state, local, and federal standpoint. It goes into protection of trade secrets and intellectual property.

Recently, the standard was revamped and is now known as ISO 27002:2005. In addition to the new version and updates, the domain names are now:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

Organizations should create policies for each domain (unique to their mission and objectives).

How to configure ACLs on the Cisco ASA

August 1, 2009 by · Leave a Comment 

The access control list (ACL) methodology on the Cisco ASA is interface-based. Therefore, each interface must have a specified security level (0-100), with 100 being most secure and 0 being least secure. Once configurations are in place, traffic from a more secure interface is allowed to access less secure interfaces by default. Conversely, less secure interfaces are blocked from accessing more secure interfaces.

Some common commands used to configure Cisco ASA interfaces include:

  • nameif – used to name the interface
  • security-level – used to configure the interface’s security level
  • access-list – used to permit or deny traffic
  • access-group – applies an ACL to an interface

We can configure an access list to permit or deny traffic, based on a specific port or protocol. With deny-by-default, everything is automatically blocked and must be explicitly allowed.

Let’s say we want to configure an ACL on an ASA to permit all FTP traffic from any host to To do this, we must input the following ACL:

ASA(config)# access-list OUTBOUND permit tcp any host eq ftp

As you can see, we specified TCP (Transmission Control Protocol), from any host to only the IP address we want to permit. In addition, we specified only port 21 using eq (equal) and ftp. This is because FTP traffic (its control connection) is sent via port 21.

To view the hit count on our access lists, simply type the command: show access-list OUTBOUND.

To remove the access list, simply type the command: clear access-list OUTBOUND

I hope I haven’t lost you….

A few things to keep in mind…you can only apply one access list per interface, per protocol, per direction. That is, make sure you create two ACL groups, one for outbound and the other for inbound traffic on each interface.
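To make the matching rules in this post concrete (entries checked top to bottom, first match wins, implicit deny for anything unmatched, and the hit counter you see in show access-list), here is a small Python model of ASA extended-ACL evaluation. This is an added illustration, not Cisco code or output; the post’s own example omits the destination host, so the addresses, the OUTBOUND entries and the sample flows below are constructed values from the RFC 5737 documentation ranges, and the show_access_list rendering only approximates the real command’s format.

```python
"""Model of Cisco ASA extended-ACL matching: entries are checked in order,
first match wins, unmatched traffic hits the implicit deny, and each entry
keeps a hit counter like the hitcnt reported by 'show access-list'.
Added illustration, not Cisco code. All addresses and flows are constructed
sample values; 203.0.113.10 stands in for the host the post left out."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the service keywords the ASA accepts in place of a port number.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}


@dataclass
class Ace:
    """One access control entry (one access-list line)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    hits: int = 0                # incremented on each match


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # dotted subnet mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line):
    """Parse e.g. 'access-list OUTBOUND permit tcp any host 203.0.113.10 eq ftp'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:                    # 'eq ftp' or 'eq 21'
        port = rest[1]
        dport = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if dport is None:
            raise ValueError(f"unknown service keyword {port!r}")
    return name, Ace(action, proto, src, dst, dport)


def load_acls(lines):
    """Group access-list lines into {name: [Ace, ...]}, preserving order."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl, flow):
    """Return 'permit' or 'deny' for flow = (proto, src_ip, dst_ip, dst_port).
    The first matching entry decides and takes the hit; a flow that matches
    no entry falls through to the implicit deny at the end of the list."""
    proto, src_ip, dst_ip, dst_port = flow
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        ace.hits += 1
        return ace.action
    return "deny"                             # implicit deny


def show_access_list(acl, name):
    """Summary lines in the spirit of 'show access-list NAME' (format approximated)."""
    return [f"access-list {name} line {i} {a.action} {a.proto} {a.src} {a.dst}"
            + (f" eq {a.dport}" if a.dport else "") + f" (hitcnt={a.hits})"
            for i, a in enumerate(acl, 1)]


# Constructed config: the post's OUTBOUND list plus an explicit final deny,
# which is often added so that dropped traffic also shows a hit count.
CONFIG = [
    "access-list OUTBOUND permit tcp any host 203.0.113.10 eq ftp",
    "access-list OUTBOUND deny ip any any",
]

# Constructed flows: (protocol, source, destination, destination port).
FLOWS = [
    ("tcp", "192.0.2.7", "203.0.113.10", 21),   # FTP to the permitted host
    ("tcp", "192.0.2.7", "203.0.113.10", 22),   # wrong port
    ("tcp", "192.0.2.7", "203.0.113.11", 21),   # wrong host
    ("udp", "192.0.2.7", "203.0.113.10", 21),   # wrong protocol
]


def run_demo():
    """Evaluate FLOWS against OUTBOUND; returns (decisions, acl with hit counts)."""
    acl = load_acls(CONFIG)["OUTBOUND"]
    decisions = [evaluate(acl, f) for f in FLOWS]
    return decisions, acl


if __name__ == "__main__":
    decisions, acl = run_demo()
    for flow, verdict in zip(FLOWS, decisions):
        print(flow, "->", verdict)
    for line in show_access_list(acl, "OUTBOUND"):
        print(line)
```

Only the first flow is permitted; the other three differ in port, host or protocol and land on the final deny, which is why its hit count climbs to three. Drop the explicit deny entry and those flows are still denied, but by the implicit deny, which keeps no counter, a good reason to add the explicit line when you rely on show access-list to troubleshoot.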

If you’re uncomfortable typing the various syntaxes and are a more visual person, the ASA ASDM is your friend. ASDM stands for Adaptive Security Device Manager. This tool provides an easy-to-use GUI (graphical user interface) with point-and-click capabilities. A screenshot of the ASDM is provided below:

[Screenshot: ASDM. Source: Experts-Exchange]

If you’re looking to become certified on the CISCO ASA, the new exam covers quite a bit of ASDM material. While many of the previous exams covered nearly all CLI (command line interface) material, the newer versions (Securing Networks with ASA Foundation and Securing Networks with ASA Advanced) focus much more on the ASDM.

For more information on becoming a CISCO ASA Specialist, see their website here.

Relationship between a policy, standard, guideline, and procedure

May 16, 2009 by · 2 Comments 

After a recent conversation explaining the relationship between a standard and a guideline, I thought I’d post this diagram, which clearly shows that relationship as well as how policies and procedures fit in.

[Diagram: relationship between policy, standard, guideline, and procedure. Source: CISA Certified Information Systems Auditor Study Guide]

Cold boot attacks on disk encryption

In the “featured videos” section of my blog, you’ll notice a new video discussing cold boot attacks. The premise behind cold boot attacks is that they can be used to extract data from systems even if the system uses disk encryption. Specifically, when an attacker has physical access to a system, they can take advantage of the fact that a screen-locked or “sleeping” system still holds crypto keys in RAM for a short time after it’s powered off. After pulling the plug, an attacker can use the short window during which the data remains in RAM, or simply cool the RAM with a can of air to extend that window.

Check out the video–it’s pretty insightful!


I’ve provided the video below…

8 Steps to disaster recovery planning

April 4, 2009 by · 1 Comment 

It’s been some time since I’ve delved into disaster recovery planning, so I thought I’d create this post as a short refresher on the planning process. Every organization, whether small or large, should have a disaster recovery plan. Depending on the size, it may take some organizations several months to fully document an effective plan. In such cases, it’s important to understand the 8 steps to disaster recovery planning.

  • Step 1 in disaster recovery planning: organize the disaster recovery planning team. The team should consist of a primary representative and an alternate from each participating department. Organizing the disaster recovery team begins by creating a group consisting of members that represent all functions of the organization. The team must also include a high-level manager, or CEO, to endorse the plan and eliminate obstacles. The team should attend training by a reputable source in disaster recovery. Once arranged, the team will start an awareness campaign and create a schedule of their anticipated activities.
  • Step 2 in disaster recovery planning: assess the risk in the Enterprise. The goal in this step is to assess the potential economic loss that could occur as a result of the determined risks. The team will use a business impact analysis to assess risk. In the analysis, all business processes should be identified and analyzed. As with any assessment, business processes should be ranked as critical, essential, necessary, and desirable. Legal and contractual requirements should also be assessed for consequences of business disruption.
  • Step 3 in disaster recovery planning: establish roles across department organizations. The disaster recovery planning team determines the role each department and external party must play in disaster recovery. This ensures that all resources and expertise are properly utilized. The team must contact local departments and authorities, emergency services, law enforcement, public utilities, etc. to determine their roles.
  • Step 4 in disaster recovery planning: develop policies and procedures. Procedures are the step-by-step methods, while policies are the guidelines. Both are very important in recovering from a disaster. This step requires attention to detail. Procedures must be in place for every step in disaster recovery and response. Each function must be spelled out in black and white to ensure continuity.
  • Step 5 in disaster recovery planning: document disaster recovery procedures. Policy and procedures must be documented and sent through the proper channels for approval before being stored for future implementation. Each policy and procedure must be drafted, reviewed, and approved by management and all departments and organizations responsible for implementation. The plan must be available at all times during the testing phase, and especially during disaster response.
  • Step 6 in disaster recovery planning: prepare to handle disasters. “Information campaign” is the phrase that fits here. Get the information out, make everyone aware, and ensure they all know the plan. All parties must be aware of the plan, from executives to general staff.
  • Step 7 in disaster recovery planning: train, test, and rehearse. Practice makes perfect! During this step, the organization conducts a live simulation including all departments and supporting organizations–as if a real disaster is taking place. Observers are in place to monitor and evaluate the procedures being implemented. Weaknesses are determined so updates and modifications can be made.
  • Step 8 in disaster recovery planning: ongoing management. Maintenance is the key here: continual assessment of threats, changes in structure, and the impact of new technology on recovery procedures. This step requires continual monitoring of laws, political climate, and social conditions. Any changes are documented, and updated training is given.

The threat of short-lived malware

April 2, 2009 by · Leave a Comment 

New article:

Recently, security software vendor AVG Technologies asserted that Web-based malware attacks are now so prevalent that attackers craft them to be “secretive, short-lived and fast-moving.” It’s an acceptable premise, but why the sudden shift? Is it because more active and open attacks aren’t as successful or noteworthy? Well, not quite. Let’s explore why attackers do this, how they do it, and how enterprises can defend against short-lived Web malware.

Read the rest of my article here

IE 8, will you try?

March 21, 2009 by · 1 Comment 



Microsoft has recently released Internet Explorer 8, boasting that it’s faster, easier, and safer.  Some of their latest features include:

  • Quick links to Live Maps
  • InPrivate Browsing
  • Web slices
  • SmartScreen Filter
  • History Searching
  • History Sorting
  • etc….

You can download it here. As with any new software, expect a patch or two in the near future.
