Friday, September 25, 2009

Wireless Identity Thieves

The article “Wireless Identity Thieves” really made me realize how easy it is to access wireless networks, not just your neighbors’ wireless network devices but also wireless networks belonging to major corporations. Nationwide corporations like Lowe’s, TJ Maxx, and Marshalls apparently had open wireless networks that gave criminal hackers access into the networks that carried credit card information; eventually anywhere from 50 million to 200 million credit card numbers were stolen. Even though there is no guarantee that you will be safe, it is recommended that you encrypt your wireless network, at home or in the office, and if possible restrict the wireless network to work only with the MAC addresses of the devices you own. Layering WEP, WPA or WPA2 with MAC address permissions and hiding one’s SSID can further help keep your home network safe.
http://reviews.cnet.com/4520-3513_7-6733602-1.html
http://www.wired.com/science/discoveries/news/2006/07/71358

Taxonomy Attacks - Scary

Denial of Service and Distributed Denial of Service attacks may have one of two intentions: to exhaust the resources of the targeted host, or to exhaust the bandwidth of a particular link. The bandwidth attack is called a flooding attack: it sends far more packets down a particular link than the link was provisioned for, since links are sized for a certain amount of bandwidth according to the organization’s information system needs.
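As an added example (not from either article linked below), the following script shows how a flooding attack is detected from the defender’s side: traffic is summed per one-second window and compared with the link’s provisioned capacity, so a flood spread over many low-rate sources is still visible as link saturation. The link capacity and the flow records are constructed assumptions for illustration.

```python
"""Bandwidth-flood detection over constructed flow records.

Each record is (timestamp_s, src_ip, dst_ip, bytes). A one-second
window whose traffic reaches FLOOD_THRESHOLD of the link's capacity is
flagged together with the sources responsible. All data are constructed.
"""
from collections import defaultdict

LINK_CAPACITY_BPS = 10_000_000  # assumed 10 Mbit/s link provisioning
FLOOD_THRESHOLD = 0.8           # flag windows at or above 80% of capacity

# Constructed records: normal traffic at t=100 and t=103, a flood from
# 40 hosts at t=101 and t=102 (documentation address ranges).
RECORDS = (
    [(100, "10.0.0.5", "192.0.2.10", 120_000)] * 3
    + [(101, f"198.51.100.{i}", "192.0.2.10", 60_000) for i in range(40)]
    + [(102, f"198.51.100.{i}", "192.0.2.10", 60_000) for i in range(40)]
    + [(103, "10.0.0.5", "192.0.2.10", 120_000)]
)


def bits_per_second(records):
    """Sum bytes per one-second window and convert to bits/s."""
    totals = defaultdict(int)
    for ts, _src, _dst, nbytes in records:
        totals[int(ts)] += nbytes * 8
    return dict(totals)


def top_sources(records, window, limit=3):
    """Heaviest senders (by bytes) inside one window, largest first."""
    per_src = defaultdict(int)
    for ts, src, _dst, nbytes in records:
        if int(ts) == window:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def detect_flood(records, capacity_bps=LINK_CAPACITY_BPS, threshold=FLOOD_THRESHOLD):
    """Return [(window, utilization, top_sources)] for saturated windows.

    The check is on aggregate link utilization, not per host, so a
    distributed flood of many small senders is still caught.
    """
    alerts = []
    for window, bps in sorted(bits_per_second(records).items()):
        utilization = bps / capacity_bps
        if utilization >= threshold:
            alerts.append((window, round(utilization, 2), top_sources(records, window)))
    return alerts
```

The per-window top senders are what the Boycott Novell article’s advice amounts to in practice: you cannot stop the flood at the edge, but you can see where it comes from and report it.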

Boycott Novell was hit with DDoS attacks in May 2009. What was interesting about this article is that it states that you can do whatever you want but you will not be able to protect yourself from these attacks. The best you can do is try to see where they are coming from and report them to the authorities. It is pretty scary for businesses that do all their business through their web pages and the Internet.

http://blogs.computerworld.com/burying_the_truth_boycott_novell_hit_by_denial_of_service_attack?page=1
http://practical-tech.com/network/brace-yourself-ddos-attacks-ahead/

Recommended Security Controls for Federal Information Systems and Organizations

The fundamental concepts associated with security control selection and specification are: the structure and organization of the security controls, security control baselines, the identification and use of common security controls, security controls in external environments, security control assurance, and future revisions to the security controls. The process of selecting and specifying security controls for an organizational information system includes: applying the organization’s approach to managing risk, categorizing the information system and determining the system impact level, selecting a baseline, and assessing the security controls as part of a comprehensive continuous monitoring process.

THE FUNDAMENTALS

Security Control Organization and Structure - In the security control selection and specification process, controls are organized into seventeen families. For the identifier, family and class of each, please see Special Publication 800-53 [2.1], Table 1.1:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

Security Control Baselines - To assist organizations in making the appropriate selection of security controls for an information system, the concept of baseline controls is introduced in accordance with FIPS 199 and FIPS 200, respectively (see the URLs below).
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

Common Controls - The organization assigns responsibility for common controls to appropriate organizational officials and coordinates the development, implementation, assessment, authorization, and monitoring of the controls.

Security Controls in External Environments - Organizations are responsible and accountable for the risk incurred by use of services provided by external providers, and they address this risk by implementing compensating controls when the risk is greater than what the authorizing official or the organization is willing to accept.

Security Control Assurance - The actions taken by security control assessors to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Revisions and Extensions - The security controls in the security control catalog are expected to change over time, as controls are withdrawn, revised, and added. A stable, yet flexible and technically rigorous set of security controls will be maintained in the security control catalog.

THE PROCESS

Managing Risk - The management of risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization.

Categorizing the Information System - The security controls applied to a particular information system are commensurate with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, and the Nation should there be a loss of confidentiality, integrity, or availability. FIPS 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

Selecting Security Controls - There are three steps in the control selection process, carried out sequentially: selecting the initial set of baseline security controls, tailoring the baseline security controls, and supplementing the tailored baseline.

Monitoring Security Controls - The continuous monitoring program includes an ongoing assessment of security control effectiveness to determine whether there is a need to modify or update the currently deployed set of security controls based on changes in the information system or its environment of operation.
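As an added illustration of the categorize-then-select sequence summarized above (my own example, not code or tables from SP 800-53): the per-objective FIPS 199 levels, the FIPS 200 high-water mark that yields the system impact level, and baseline selection followed by the tailoring and supplementing steps. The baseline control sets are constructed placeholders for illustration, not the catalog’s real baseline allocations.

```python
"""FIPS 199 categorization and SP 800-53 baseline selection (illustrative).

Each security objective (confidentiality, integrity, availability) is
rated LOW, MODERATE or HIGH. FIPS 200 takes the highest of the three
(the "high water mark") as the system impact level, and that level
picks the baseline. The control sets below are constructed placeholders.
"""
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

# Placeholder baselines (NOT the real SP 800-53 allocation); each higher
# baseline is a superset of the one below it, as in the catalog.
BASELINES = {
    "LOW": {"AC-1", "AC-2", "AU-2", "IA-2"},
    "MODERATE": {"AC-1", "AC-2", "AU-2", "IA-2", "AC-6", "AU-6", "SC-8"},
    "HIGH": {"AC-1", "AC-2", "AU-2", "IA-2", "AC-6", "AU-6", "SC-8", "AU-10", "CP-9"},
}


def system_impact_level(confidentiality, integrity, availability):
    """High-water mark: the largest impact level among the three objectives."""
    for level in (confidentiality, integrity, availability):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r}")
    return max((confidentiality, integrity, availability), key=LEVELS.__getitem__)


def select_controls(impact, scoped_out=(), compensating=(), supplemental=()):
    """The three sequential steps: select baseline, tailor it, supplement it.

    scoped_out   - baseline controls removed by tailoring (needs justification)
    compensating - controls added in place of scoped-out ones
    supplemental - controls added for risk the baseline does not cover
    """
    baseline = set(BASELINES[impact])
    tailored = (baseline - set(scoped_out)) | set(compensating)
    return tailored | set(supplemental)


if __name__ == "__main__":
    # Constructed case: public data, but integrity of the data is critical.
    level = system_impact_level("LOW", "HIGH", "MODERATE")
    chosen = select_controls(level, scoped_out={"CP-9"}, supplemental={"SI-7"})
    print(level, sorted(chosen))
```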

Generally Accepted System Security Principles

In September 1996, the National Institute of Standards and Technology in the Technology Administration of the U.S. Department of Commerce developed Generally Accepted Principles and Practices for Securing Information Technology Systems. The document provides a baseline that organizations can use to establish or review their IT security programs. The eight principles address computer security from a high-level viewpoint. The fourteen practices guide organizations on the types of controls, objectives, and procedures that comprise an effective IT security program.
The eight principles in the following list provide an anchor or guide when creating new systems, practices, or policies. The United States endorsed the international OECD Guidelines that were developed to provide a foundation from which governments and the private sector could construct a framework for securing IT systems. The principles were based on guidelines as documented in the NIST Special Publication (SP) 800-14. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

Generally Accepted Principles

1. Computer Security Supports the Mission of the Organization
Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

2. Computer Security is an Integral Element of Sound Management
Organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls.

3. Computer Security Should Be Cost-Effective
Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.

5. Computer Security Responsibilities and Accountability Should Be Made Explicit
This principle implicitly states (documents) that people and other entities (such as corporations or governments) have responsibility and accountability related to IT systems which may be shared.

6. Computer Security Requires a Comprehensive and Integrated Approach
Managers should recognize how computer security relates to other areas of systems and organizational management. Many other important interdependencies may exist that are often unique to the organization or system environment.

7. Computer Security Should Be Periodically Reassessed
Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time. These issues make it necessary to periodically reassess the security of IT systems.

8. Computer Security is Constrained by Societal Factors
The flow of information, especially between a government and its citizens, is a situation where security may need to be modified to support a societal goal. In addition, some authentication measures may be considered invasive in some environments and cultures.

Generally Accepted Practices

The practices serve as a companion to NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. The following list gives the practices currently employed in an effective computer security program. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

1. Policy
Directives for senior management to create a computer security program, establish its goals, and assign responsibilities.

2. Program Management
Program management of computer security at multiple levels is important because it contributes to the overall program utilizing different types of expertise, authority, and resources.

3. Risk Management
Require the analysis of risk, relative to potential benefits, consideration of alternatives, and implementation of what management determines to be the appropriate course of action.

4. Life Cycle Planning
Most IT system life cycle models contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

5. Personnel/User Issues
No IT system can be secured without properly addressing a broad range of security issues related to how individuals interact with computers and the access and authorities they need to do their jobs.

6. Preparing for Contingencies and Disasters
Contingency planning addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small.

7. Computer Security Incident Handling
An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing.

8. Awareness Training
An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.

9. Security Considerations in Computer Support and Operations
Failure to consider security as part of the support and operations of IT systems is a significant weakness. Security must be included in user and software support; configuration management, backups, and media controls are just some of the other areas that must take security into consideration.

10. Physical and Environmental Security
Physical and environmental security controls are implemented to protect the facility housing systems resources, the system resources themselves, and the facilities used to support their operations.

11. Identification and Authentication
A critical building block of computer security since it is the basis for most types of access control and for establishing user accountability.

12. Logical Access Control
Organizations should implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems.

13. Audit Trails
Audit trails can provide a means to help accomplish several security related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification.

14. Cryptology
Cryptography provides an important tool for protecting information and is used in computer security. Several important issues should be considered when designing, implementing, and integrating cryptography in an IT system.