December 26, 2007

Army Says Macs Are More Secure! Are They?

Posted in Business Continuity, Patches, Threats at 8:59 pm by jtbevis

An article was recently published about the Army adding Macs to improve security.  Although diversifying vendors will usually make you more secure when it is done to support a defense-in-depth strategy, the context of the article suggests there is little knowledge or evidence behind the statements made on the Army’s part.

Article in Full:

http://news.yahoo.com/s/nf/20071224/bs_nf/57382;_ylt=AtIAHN4BI3dTDzpNM.n7xA8E1vAI

One statement in particular is worrisome: the Army security spokesperson is quoted as saying “Apple’s version of Unix is inherently more secure than Windows”.  Now I don’t claim to know all the facts, but if you look at the links provided below, Mac OS X falls behind in 2007, and in 2004 it has fewer advisories but a comparable percentage of critical vulnerabilities.

2007 Stats:

http://blogs.zdnet.com/security/?p=758

2004 Stats:

http://www.techworld.com/security/news/index.cfm?newsid=1798

Fortunately, the article has a counter argument by Charlie Miller at the end supporting the point that the Army needs to step it up with more than Macs when it comes to security strategy.  He comments on the Mac being “behind the curve in security”.  He also has a great reference stating “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house.”  On the other hand, diversifying is good if you use one product to back up the function of another product in the event one fails.  So even though the pig’s straw house was destroyed, if that third pig could get to the brick house it would still survive.

December 19, 2007

Disaster Recovery – Alternate Site Geographical Distance

Posted in Business Continuity, Risk Assessment, Security Awareness, Security Governance, Security Program Development at 1:40 pm by jtbevis

There is an article that came out earlier from DRJ (Thomas L. Weems), based on a study, that provides guidelines on the required geographical distance for alternate site locations.  This is good news for those performing risk assessments where this is considered a vulnerability, because as far as I know FEMA has provided no specific guidelines.

http://www.drj.com/articles/spr03/1602-02.html (registration required to view)

Ideally, 105 miles point to point is the key number that covers all the threats listed below.  For those who don’t have access to the article, below is a breakdown of the recommended geographical distances by threat.

NOTE: The article provides a graph, so the numbers below are based on my interpretation of the graph.

Alternate Site Distance Recommendations (miles)

Hurricane:             105
Volcano:                75
Snow/Sleet/Ice:         70
Earthquake:             60
Tsunami:                52
Flood:                  48
Military Installation:  45
Forest Fire:            42
Power Grid:             36
Tornado:                35
Central Office:         29
Civilian Airport:       28
None of the Above:      21

Off Site Storage Facility Distance Recommendations (miles)

Hurricane:              85
Volcano:                64
Snow/Sleet/Ice:         56
Tsunami:                45
Earthquake:             43
Flood:                  43
Military Installation:  41
Forest Fire:            38
Power Grid:             36
Central Office:         25
Tornado:                24
None of the Above:      24
Civilian Airport:       22

Also, the key here is to remember that the off-site storage facility should be accessible from the alternate site facility; many organizations make the mistake of overlooking this.

Problems and Revisions

Based on some quick research, there are a few problems with the distances above.  I took three common disasters, did a quick analysis, and here are the results along with some suggested changes.

Hurricane – Katrina spanned a much larger distance than 105 miles, proving that this distance is not adequate in a very large hurricane.  The article below explains that Katrina extended over 780 miles, although the outer regions were probably only affected by rain.  However, from my research, severe damage covered roughly a 200 mile radius.  Therefore, I would suggest doubling the current metric to 210 miles.

http://earthobservatory.nasa.gov/NaturalHazards/shownh.php3?img_id=13083

Volcanoes – Although the current figure will probably be fine in most cases, there is information to support that volcanoes can spread ash up to 100 miles, as shown in the article below.  Therefore, this number should be revised to 105 miles, depending on the type of volcano.

http://pubs.usgs.gov/gip/volc/types.html

Earthquake – As with the volcano, this distance will probably be sufficient, but why take the chance when there is evidence that a magnitude 7.8 earthquake ruptured 220 miles of a fault?  Therefore, the number and its definition should be clarified to mean at least 60 miles from a major fault line.

http://www.earthquakecountry.info/roots/shaking.html
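To put the tables and the revisions above to use, here is an added example (mine, not from the DRJ article or this blog) that computes the point-to-point distance between a primary site and a candidate alternate or off-site storage location and reports which threat thresholds the candidate fails. The thresholds are the values listed above; the revised table applies the hurricane (210) and volcano (105) changes proposed in this post. The site coordinates are constructed sample input, and the 3958.8 mile mean Earth radius is the usual constant for great-circle distance.

```python
import math
from typing import Dict, Iterable, List, Tuple

# Recommended point-to-point distances in miles, as read from the graph in the post.
ALTERNATE_SITE_MILES: Dict[str, int] = {
    "Hurricane": 105, "Volcano": 75, "Snow/Sleet/Ice": 70, "Earthquake": 60,
    "Tsunami": 52, "Flood": 48, "Military Installation": 45, "Forest Fire": 42,
    "Power Grid": 36, "Tornado": 35, "Central Office": 29, "Civilian Airport": 28,
    "None of the Above": 21,
}
OFFSITE_STORAGE_MILES: Dict[str, int] = {
    "Hurricane": 85, "Volcano": 64, "Snow/Sleet/Ice": 56, "Tsunami": 45,
    "Earthquake": 43, "Flood": 43, "Military Installation": 41, "Forest Fire": 38,
    "Power Grid": 36, "Central Office": 25, "Tornado": 24, "None of the Above": 24,
    "Civilian Airport": 22,
}
# Revisions proposed under "Problems and Revisions": hurricane doubled, volcano raised.
REVISED_ALTERNATE_SITE_MILES = dict(ALTERNATE_SITE_MILES, Hurricane=210, Volcano=105)

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius

LatLon = Tuple[float, float]


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (point-to-point) distance between two lat/lon pairs in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def shortfalls(primary: LatLon, candidate: LatLon, threats: Iterable[str],
               table: Dict[str, int]) -> List[Tuple[str, int, float]]:
    """Threats whose recommended distance the candidate fails to meet.

    Returns (threat, required_miles, actual_miles) for each failure; an empty
    list means the candidate satisfies every threat in scope.
    """
    actual = haversine_miles(primary[0], primary[1], candidate[0], candidate[1])
    return [(t, table[t], actual) for t in threats if actual < table[t]]


def evaluate_plan(primary: LatLon, alternate: LatLon, storage: LatLon,
                  threats: Iterable[str], revised: bool = False) -> Dict[str, list]:
    """Check the alternate site and the off-site storage facility against the primary."""
    threats = list(threats)
    alt_table = REVISED_ALTERNATE_SITE_MILES if revised else ALTERNATE_SITE_MILES
    return {
        "alternate": shortfalls(primary, alternate, threats, alt_table),
        "storage": shortfalls(primary, storage, threats, OFFSITE_STORAGE_MILES),
    }


if __name__ == "__main__":
    # Constructed coordinates: primary, alternate about 91 miles away, storage about 46 miles away.
    primary, alternate, storage = (30.0, -90.0), (31.0, -91.0), (30.5, -90.5)
    in_scope = ["Hurricane", "Earthquake", "Flood"]
    for label, fails in evaluate_plan(primary, alternate, storage, in_scope).items():
        for threat, required, actual in fails:
            print(f"{label}: {threat} needs {required} mi, site is {actual:.1f} mi away")
```

The coordinates are chosen so that the alternate site clears the earthquake and flood thresholds but not the hurricane one; passing revised=True also fails the volcano threshold once it is raised to 105 miles.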

December 7, 2007

Test Your Anti-Virus or Re-Install

Posted in Malware, Patches, Prevention, Risk Assessment, What doesn't work at 2:01 pm by jtbevis

In strategic risk assessments, not testing anti-virus signatures before they are deployed should be considered a vulnerability.  Many of my customers believe this is ridiculous and impractical; however, I report it anyway.  Whatever the case, the decision to accept the risk belongs to the organization, as I am only there to point it out.  There is a great published example where a routine update caused serious problems, forcing customers to re-install the operating system.

http://news.yahoo.com/s/zd/20071206/tc_zd/221141;_ylt=AhIN_X.SMrgYGlzdK7zmNe8E1vAI

So you decide: should anti-virus software be tested before deployment?

November 30, 2007

The Chinese Hack Attack

Posted in Security Governance at 4:56 pm by jtbevis

An interesting article came out yesterday saying “hackers in China are believed responsible for four out of five major cyber attacks on government targets in 2007”.

http://news.yahoo.com/s/ap/20071129/ap_on_hi_te/mcafee_cybercrime_report;_ylt=Anbi.FL2E0D0ceU15GAZZ94E1vAI

Although I’m in no position to confirm or deny this research, my experience shows that the majority of actual incidents (where the organization has been hacked) usually come from Asia Pacific (Korea, China) or from internal employees.

To protect against the Asia Pacific sources, consider blocking the IP ranges listed in my IP Blacklist post.  Internal incidents are usually a result of placing too much trust in internal employees and a lack of segregation of duties between functions.

November 13, 2007

Malware Embedded in Advertising – What is the Solution?

Posted in Malware, Prevention, Security Governance, Threats at 5:17 pm by jtbevis

Malware is everywhere and is becoming one of the most common security threats in the industry.  The link below provides some insight into the seriousness of this issue.

There really is not a great solution to this problem at this time, but how can a company that serves ads mitigate the risk?  There are several ways.

  1. Ensure all ads that are uploaded are hashed in some way, so the ad being delivered can be verified as the ad uploaded by the client.

  2. Use file monitoring tools like Tripwire on image servers to help ensure that ads are not modified.  This will also help provide proof if there is an actual attack on the ad server.

  3. Scan ads with anti-virus software.  Although this will not catch everything, it will catch some of the files.

  4. Scan ads for known malware URLs to prevent phishing-type attacks.  (This is like a signature-based solution and takes a great deal of maintenance to keep up with the attackers.)

  5. Hope someone comes up with a good solution that can regularly scan all the ads for malware.

The above will help limit the liability of the ad company serving ads and provides some preventive measures that can be implemented to protect both the ad company’s brand and its customers, who may be uploading malware-laden ads without knowing it.
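As an added illustration of items 1 and 4 above (my example, not code from this blog or any ad-serving product), the following records a SHA-256 digest for each ad at upload time, refuses to serve any ad whose bytes no longer match that record, and then checks the markup for links to hosts on a known-bad list. The registry, the blocked hosts and the sample ads are all constructed for the example; a real deployment would load the host list from a maintained feed, which is the maintenance burden item 4 mentions.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed set of hosts known to serve malware or phishing pages (placeholders).
KNOWN_BAD_HOSTS = {"malware.example", "phish.example"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


class AdRegistry:
    """Manifest of the SHA-256 digest recorded at upload time for each ad (item 1)."""

    def __init__(self) -> None:
        self.manifest: Dict[str, str] = {}

    def register_upload(self, ad_id: str, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        self.manifest[ad_id] = digest
        return digest

    def matches_upload(self, ad_id: str, content_on_server: bytes) -> bool:
        """True only if the bytes about to be served equal the bytes the client uploaded."""
        expected = self.manifest.get(ad_id)
        if expected is None:
            return False  # no record: never serve an ad that was not registered
        actual = hashlib.sha256(content_on_server).hexdigest()
        return hmac.compare_digest(actual, expected)


def find_bad_urls(ad_markup: str) -> List[str]:
    """Item 4: hosts referenced in the markup that are listed, or are subdomains of a listed host."""
    hits = []
    for host in URL_HOST_RE.findall(ad_markup):
        host = host.lower().rstrip(".")
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            hits.append(host)
    return hits


def admit_for_serving(registry: AdRegistry, ad_id: str, served: bytes) -> Tuple[bool, str]:
    """Gate applied just before delivery: integrity first, then URL reputation."""
    if not registry.matches_upload(ad_id, served):
        return False, "content differs from the registered upload"
    bad = find_bad_urls(served.decode("utf-8", errors="replace"))
    if bad:
        return False, "references blocked host(s): " + ", ".join(bad)
    return True, "ok"


# Constructed sample ads.
CLEAN_AD = b'<a href="https://shop.example/sale"><img src="/img/sale.png"></a>'
PHISH_AD = b'<a href="http://login.phish.example/verify">Verify your account</a>'


def demo() -> Dict[str, Tuple[bool, str]]:
    reg = AdRegistry()
    reg.register_upload("ad-1", CLEAN_AD)
    reg.register_upload("ad-2", PHISH_AD)
    # Simulated modification on the ad server after upload (item 2 would also catch this).
    tampered = CLEAN_AD + b'<script src="http://cdn.malware.example/x.js"></script>'
    return {
        "clean": admit_for_serving(reg, "ad-1", CLEAN_AD),
        "tampered": admit_for_serving(reg, "ad-1", tampered),
        "phish": admit_for_serving(reg, "ad-2", PHISH_AD),
        "unregistered": admit_for_serving(reg, "ad-9", CLEAN_AD),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} -> {'serve' if ok else 'reject'}: {why}")
```

The integrity check runs before the URL scan on purpose: a tampered file is rejected regardless of what it now contains, and the digest comparison uses hmac.compare_digest so the check does not leak timing information about the stored value.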

November 8, 2007

IP Address BlackList

Posted in Prevention, Security Awareness, Threats at 1:45 am by jtbevis

IP address blacklists are useful for short-term security events.  This information is important for a paper that I am working on.  It took me a while to find this information again; I actually had to dig into an old email file to get all of it because typical internet search engines were not providing good results.

Here is a good list of IP addresses and ranges that can be blacklisted to help prevent DoS attacks, etc.  Before using this list, be sure your organization does not have clients in the ranges below.

Dshield Top 10 Attack IPs

http://www.dshield.org/top10.php

  • 074.052.180.114
  • 218.003.209.174
  • 211.106.172.081
  • 195.068.089.211
  • 121.015.253.104
  • 218.004.137.213
  • 202.062.224.090
  • 150.164.029.253
  • 058.215.065.237
  • 218.006.009.099

Dshield Recommended Block List

http://feeds.dshield.org/block.txt


Start           End              Country
121.150.29.0    121.150.29.255
64.80.28.0      64.80.28.255
81.3.254.0      81.3.254.255
139.55.62.0     139.55.62.255    US
139.55.82.0     139.55.82.255    US
203.152.123.0   203.152.123.255  NZ
196.22.194.0    196.22.194.255   ZA
139.55.113.0    139.55.113.255   US
81.3.248.0      81.3.248.255
202.144.113.0   202.144.113.255  IN
139.55.97.0     139.55.97.255    US
121.18.13.0     121.18.13.255
81.3.250.0      81.3.250.255
121.18.12.0     121.18.12.255
139.55.103.0    139.55.103.255   US
74.86.127.0     74.86.127.255
200.207.155.0   200.207.155.255  BR
206.51.136.0    206.51.136.255   CA
85.88.191.0     85.88.191.255
217.175.179.0   217.175.179.255

Asia Pacific Black List

http://www.apnic.net/db/ranges.html#country

  • 58.0.0.0/8
  • 59.0.0.0/8
  • 60.0.0.0/8
  • 61.0.0.0/8
  • 116.0.0.0/8
  • 117.0.0.0/8
  • 118.0.0.0/8
  • 119.0.0.0/8
  • 120.0.0.0/8
  • 121.0.0.0/8
  • 122.0.0.0/8
  • 123.0.0.0/8
  • 124.0.0.0/8
  • 125.0.0.0/8
  • 126.0.0.0/8
  • 169.208.0.0/12
  • 202.0.0.0/8
  • 203.0.0.0/8
  • 210.0.0.0/8
  • 211.0.0.0/8
  • 218.0.0.0/8
  • 219.0.0.0/8
  • 220.0.0.0/8
  • 221.0.0.0/8
  • 222.0.0.0/8
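Here is an added example (mine, not a Dshield or APNIC tool) that loads the three kinds of list quoted in this post, matches an address against them, and performs the check recommended above: confirming that none of your own clients fall inside the ranges before you deploy the block. Only a few entries from each list are embedded so the block runs offline; the zero-padded Dshield addresses are decoded octet by octet in base 10, because Python's ipaddress module rejects leading zeros (some inet_aton implementations would read them as octal). The client addresses in the usage section are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Excerpts of the three lists quoted in the post (values copied from it).
DSHIELD_TOP10 = ["074.052.180.114", "218.003.209.174", "211.106.172.081"]

# Same layout as the block.txt excerpt above: "start end [country]".
DSHIELD_BLOCK_TXT = """\
121.150.29.0 121.150.29.255
139.55.62.0 139.55.62.255 US
203.152.123.0 203.152.123.255 NZ
"""

APNIC_CIDRS = ["58.0.0.0/8", "169.208.0.0/12", "218.0.0.0/8"]


def normalize_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, tolerating zero-padded octets such as 074.052.180.114."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = [int(p, 10) for p in parts]  # base 10 on purpose: no octal reading
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def parse_block_txt(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Turn 'start end [country]' lines into (network, country) pairs."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        start, end = normalize_ipv4(fields[0]), normalize_ipv4(fields[1])
        country = fields[2] if len(fields) > 2 else "??"
        # A start/end pair need not be a single CIDR; summarize splits it if needed.
        for net in ipaddress.summarize_address_range(start, end):
            entries.append((net, country))
    return entries


class Blocklist:
    """Ordered list of networks; the first matching entry is the one reported."""

    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_hosts(self, hosts: Iterable[str], label: str) -> None:
        for h in hosts:
            self.entries.append((ipaddress.IPv4Network(f"{normalize_ipv4(h)}/32"), label))

    def add_block_txt(self, text: str, label: str) -> None:
        for net, country in parse_block_txt(text):
            self.entries.append((net, f"{label} {country}"))

    def add_cidrs(self, cidrs: Iterable[str], label: str) -> None:
        for c in cidrs:
            self.entries.append((ipaddress.IPv4Network(c, strict=True), label))

    def match(self, ip: str) -> Optional[str]:
        """Return 'network (label)' for the first entry containing ip, else None."""
        addr = normalize_ipv4(ip)
        for net, label in self.entries:
            if addr in net:
                return f"{net} ({label})"
        return None

    def conflicts(self, client_ips: Iterable[str]) -> List[Tuple[str, str]]:
        """Known client addresses that this list would also block."""
        return [(ip, reason) for ip in client_ips for reason in [self.match(ip)] if reason]


def build_page_blocklist() -> Blocklist:
    bl = Blocklist()
    bl.add_hosts(DSHIELD_TOP10, "DShield top 10")
    bl.add_block_txt(DSHIELD_BLOCK_TXT, "DShield block.txt")
    bl.add_cidrs(APNIC_CIDRS, "APNIC range")
    return bl


if __name__ == "__main__":
    bl = build_page_blocklist()
    for probe in ["74.52.180.114", "139.55.62.10", "58.1.2.3", "8.8.8.8"]:
        print(probe, "->", bl.match(probe))
    # Constructed client addresses: the second sits inside an APNIC /8 and would be cut off.
    print("conflicts:", bl.conflicts(["8.8.8.8", "218.10.20.30"]))
```

The conflicts check is the important part of the procedure: a /8 entry covers more than sixteen million addresses, so running your customer and partner address list through it before the block goes live is what keeps a short-term defensive measure from becoming a self-inflicted outage.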

November 1, 2007

New Foundstone Blog

Posted in Passwords, Patches, Risk Assessment, Security 2.0, Security Awareness, Security Governance, Security Program Development, Security Staffing, Social Engineering, Threats at 11:18 pm by jtbevis

It’s about time!  Foundstone Professional Services has been added to the Avert Labs research blog.  So now the makers of all the free hacking tools are accessible online.  Check it out; there are already some great posts.

http://www.avertlabs.com/research/blog/index.php/category/foundstone/

I’ve also added it to the Blogroll.

October 16, 2007

Security Spending – How Much of IT Budget

Posted in Security Awareness, Security Governance, Security Program Development, Security Staffing at 10:24 pm by jtbevis

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

http://www.theregister.co.uk/2007/10/11/comptia_security_survey/

It is a shame the article doesn’t provide more detail.  It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed.  Does this review include staffing, business continuity, disaster recovery, application security, etc.?

My experience shows that most organizations can’t account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others.  These numbers are also pretty much in line with the annual CSI/FBI surveys.

  • What is your experience? 
  • Can you account for your total security budget? 
  • What does that budget include?

Unfortunately, this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.

September 27, 2007

PHIN 2.0 Requirements

Posted in Policy and Compliance at 5:28 pm by jtbevis

There are updated guides for anyone who does security compliance assessments of, or works with, the Public Health Information Network (PHIN).  These were updated in June of 2007.  There are many changes from the previous 1.0 version guides.  For the new requirements guide, see below.

PHIN Requirements 2.0

September 21, 2007

Extreme Social Engineering Paper

Posted in Risk Assessment, Security Awareness, Security Governance, Security Program Development, Social Engineering at 4:34 pm by jtbevis

The PhishMe blog post on building employee awareness of social engineering tactics was inspiring, so I finally decided to put up a paper on this site regarding similar subject matter.

Extreme Social Engineering

Combating the Insider Security Threat – A Security Awareness Exercise

This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness.  The purpose is to provide organizations a simple solution for increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises. The document is available by clicking the name above or by accessing the “Papers” section of the site.  

PhishMe Blog Entry:

http://blog.phishme.com/2007/09/time-to-phish-your-customers/
