Monday, September 28, 2009
Friday, September 25, 2009
Wireless Identity Thieves
The article “Wireless Identity Thieves” really made me realize how easy it is to get into wireless networks: not just your neighbors’ access points, but also the wireless networks of major corporations. Nationwide retailers such as Lowe’s, TJ Maxx and Marshalls apparently ran poorly secured wireless networks that gave criminal hackers a way into the internal networks carrying credit card data, and the thieves eventually made off with anywhere from 50 million to 200 million credit card numbers. Even though there is no guarantee that you will be safe, you should encrypt your wireless network, at home or at the office, and if possible restrict it to the MAC addresses of the devices you own. Not every option is equal, though: WEP is broken (its key can be recovered from a few minutes of captured traffic) and the original WPA with TKIP is deprecated, so the encryption to use is WPA2 with AES-CCMP and a long passphrase. Layering MAC address permissions and a hidden SSID on top adds some friction, but both the client MAC addresses and the network name travel in the clear in 802.11 frames and are easily spoofed, so treat them as extras, not as a substitute for strong encryption.
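To make the difference between real controls and friction concrete, here is an added example (not from the article) that audits hostapd-style access point configurations. The key names follow hostapd.conf (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_key0, wep_default_key, macaddr_acl, ignore_broadcast_ssid); the two sample configurations are constructed, and the severity labels and the passphrase-length policy are this example’s own, not hostapd’s.

```python
"""Audit hostapd-style access point configs for the weak settings
discussed above: open or WEP encryption, WPA1/TKIP, and MAC filtering or
a hidden SSID relied on as security controls.

Added example, not from the article. Key names follow hostapd.conf; the
sample configs are constructed; the labels are this example's policy.
"""

# Constructed: the "layered" setup the post describes (WEP + MAC allow-list + hidden SSID).
WEAK_CONFIG = """
interface=wlan0
ssid=homenet
hw_mode=g
channel=6
# layered defences that do not hold up
wep_default_key=0
wep_key0=0123456789
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
ignore_broadcast_ssid=1
"""

# Constructed: the recommended replacement (WPA2, CCMP only, long passphrase).
HARDENED_CONFIG = """
interface=wlan0
ssid=homenet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2009
"""

MIN_PASSPHRASE_LEN = 16  # example policy; hostapd itself only enforces 8..63 characters


def parse_hostapd(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(text):
    """Return {'encryption': label, 'findings': [...], 'notes': [...]}.

    findings: settings that leave the link effectively unprotected.
    notes: settings that add friction but that an attacker with a sniffer bypasses.
    """
    cfg = parse_hostapd(text)
    findings, notes = [], []
    wpa = int(cfg.get("wpa", "0"))  # hostapd bitfield: 1 = WPA (TKIP era), 2 = WPA2/RSN

    if wpa == 0:
        if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
            encryption = "WEP"
            findings.append("WEP: RC4 key recoverable from captured traffic in minutes; treat as unencrypted")
        else:
            encryption = "OPEN"
            findings.append("no encryption: every frame is readable by anyone in radio range")
    else:
        pairwise = set((cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise") or "").split())
        if not wpa & 2:
            encryption = "WPA-TKIP"
            findings.append("WPA1 only: TKIP is deprecated and has known attacks; set wpa=2")
        elif "CCMP" not in pairwise:
            encryption = "WPA2-TKIP"
            findings.append("WPA2 advertised but CCMP not offered; set rsn_pairwise=CCMP")
        else:
            encryption = "WPA2-CCMP"
            if "TKIP" in pairwise:
                findings.append("TKIP still allowed alongside CCMP; clients can be steered to the weaker cipher")
        key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()  # WPA-PSK is hostapd's default
        if "WPA-PSK" in key_mgmt and len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append("short PSK passphrase: one captured 4-way handshake allows offline guessing")

    if cfg.get("macaddr_acl") == "1":
        notes.append("MAC allow-list: client MACs travel in cleartext frame headers and are trivially spoofed")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        notes.append("hidden SSID: the name still appears in probe and association frames")

    return {"encryption": encryption, "findings": findings, "notes": notes}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(f"{name}: {result['encryption']}")
        for f in result["findings"]:
            print("  FINDING:", f)
        for n in result["notes"]:
            print("  note:", n)
```

Run against the two configs, the “layered” one is reported as WEP with two notes explaining why the MAC list and hidden SSID do not help, while the WPA2-CCMP config produces no findings at all.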
http://reviews.cnet.com/4520-3513_7-6733602-1.html
http://www.wired.com/science/discoveries/news/2006/07/71358
Taxonomy Attacks - Scary
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks may have one of two intentions: to exhaust the resources of the targeted host (for example its memory, CPU, or table of half-open TCP connections, which is what a SYN flood does), or to exhaust the bandwidth of a particular link. The bandwidth attack is called a flooding attack: the attacker sends far more packets down a link than it can carry, since the link was sized for the bandwidth the organization’s information system needs, not for hostile traffic.
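The two aims look very different in traffic data, which matters because they call for different defenses. The following added example (not from the article) sorts a burst of flow records into the two categories. The records are constructed, in a simplified NetFlow-like shape (source, destination, destination port, protocol, packets, bytes, TCP flags) covering one second; the 10 Mbit/s link capacity and both thresholds are this example’s own assumptions.

```python
"""Sort a burst of flow records into the two DoS aims described above:
exhausting the target host's resources versus saturating the link.

Added example, not from the article. Flow records are constructed and
cover one second; link capacity and thresholds are assumptions.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dport proto packets bytes flags")

LINK_CAPACITY_BPS = 10_000_000   # assumed uplink: 10 Mbit/s
WINDOW_SECONDS = 1               # every record below falls in one second
FLOOD_SHARE = 0.8                # one target drawing >= 80% of the link
HALF_OPEN_THRESHOLD = 200        # SYN-only flows to one service per window


def synthetic_flows():
    """Constructed one-second capture: one flood of each kind plus normal traffic."""
    flows = []
    # Bandwidth flood: 40 hosts each push twenty 1500-byte UDP datagrams at 192.0.2.10.
    for i in range(40):
        flows.append(Flow(f"198.51.100.{i + 1}", "192.0.2.10", 80, "udp", 20, 20 * 1500, ""))
    # Resource exhaustion: 500 SYNs from spoofed sources to 192.0.2.20:443, never completed.
    for i in range(500):
        flows.append(Flow(f"203.0.113.{i % 254 + 1}", "192.0.2.20", 443, "tcp", 1, 60, "S"))
    # Ordinary sessions to 192.0.2.30: completed handshakes, data flowing.
    flows.append(Flow("192.0.2.50", "192.0.2.30", 443, "tcp", 12, 4000, "PA"))
    flows.append(Flow("192.0.2.51", "192.0.2.30", 22, "tcp", 30, 6000, "PA"))
    flows.append(Flow("192.0.2.52", "192.0.2.30", 443, "tcp", 2, 120, "SA"))
    return flows


def classify(flows, link_bps=LINK_CAPACITY_BPS, window_s=WINDOW_SECONDS):
    """Return overall link utilisation plus, per destination, which DoS pattern(s) it shows.

    A bandwidth flood is judged by bytes on the wire relative to link capacity,
    whatever the packets contain. A SYN flood is judged by the number of
    handshakes left half-open, however little bandwidth they use.
    """
    link_bits = link_bps * window_s
    bytes_per_dst = defaultdict(int)
    half_open = defaultdict(int)                 # (dst, dport) -> SYN-only flows
    for f in flows:
        bytes_per_dst[f.dst] += f.bytes
        if f.proto == "tcp" and f.flags == "S":  # SYN seen, no ACK: handshake never finished
            half_open[(f.dst, f.dport)] += 1

    targets = {}
    for dst, nbytes in bytes_per_dst.items():
        share = nbytes * 8 / link_bits
        kinds = ["bandwidth_flood"] if share >= FLOOD_SHARE else []
        targets[dst] = {"link_share": round(share, 3), "kinds": kinds}
    for (dst, dport), n in half_open.items():
        if n >= HALF_OPEN_THRESHOLD:
            targets[dst]["kinds"].append(f"resource_exhaustion:syn_flood:{dport}")

    total_share = sum(bytes_per_dst.values()) * 8 / link_bits
    return {"link_utilisation": round(total_share, 3), "targets": targets}


if __name__ == "__main__":
    report = classify(synthetic_flows())
    print(f"link utilisation: {report['link_utilisation']:.0%}")
    for dst, info in sorted(report["targets"].items()):
        print(f"{dst}: share={info['link_share']:.1%} kinds={info['kinds'] or ['none']}")
```

The SYN flood target uses under 3% of the link but is still under attack, while the UDP flood alone fills 96% of it. That split is why the two verdicts need different responses: a host can absorb a SYN flood on its own (SYN cookies, shorter half-open timers), but a saturated link can only be relieved upstream of the link, by the carrier or a scrubbing service, which is the point the Boycott Novell article makes about the victim being unable to fix it alone.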
The Boycott Novell site was hit with DDoS attacks in May 2009. What was interesting about the article is its claim that, whatever you do, you cannot fully protect yourself from these attacks; the best you can do is try to trace where they are coming from and report them to the authorities. That is a scary prospect for businesses that conduct all their business through their web pages and the Internet.
http://blogs.computerworld.com/burying_the_truth_boycott_novell_hit_by_denial_of_service_attack?page=1
http://practical-tech.com/network/brace-yourself-ddos-attacks-ahead/
Recommended Security Controls for Federal Information Systems and Organizations
The fundamental concepts associated with security control selection and specification are: the structure and organization of security controls, security control baselines, the identification and use of common security controls, security controls in external environments, security control assurance, and future revisions to the security controls. The process of selecting and specifying security controls for an organizational information system includes applying the organization’s approach to managing risk, categorizing the information system and determining its impact level, selecting the baseline controls, and assessing the security controls as part of a comprehensive continuous monitoring process.
THE FUNDAMENTALS
Security Control Organization and Structure - In the security control selection and specification process, controls are organized into seventeen families, each with a two-letter identifier (for example AC for Access Control) and assigned to one of three classes: management, operational, or technical. The table of identifiers, families and classes is in Section 2.1 of Special Publication 800-53 Rev. 2:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
Security Control Baselines - To help organizations select appropriate security controls for an information system, the concept of baseline controls is introduced: one baseline each for low-impact, moderate-impact and high-impact systems, following the security categorization of FIPS 199 and the minimum security requirements of FIPS 200 (see the URLs below).
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Common Controls - Controls that are shared by, and inherited by, more than one information system (for example, the physical security of a data center or an organization-wide awareness training program). The organization assigns responsibility for common controls to appropriate organizational officials and coordinates their development, implementation, assessment, authorization, and monitoring.
Security Controls in External Environments - Organizations remain responsible and accountable for the risk incurred by using services from external providers, and address that risk by implementing compensating controls when it is greater than the authorizing official or the organization is willing to accept.
Security Control Assurance - The grounds for confidence that the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; it is established through the actions taken by security control assessors to determine the extent to which each of these holds.
Revisions and Extensions - The security controls in the security control catalog are expected to change over time, as controls are withdrawn, revised, and added. A stable, yet flexible and technically rigorous set of security controls will be maintained in the security control catalog.
THE PROCESS
Managing Risk - The management of risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization.
Categorizing the Information System - The security controls applied to a particular information system are commensurate with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, and the Nation should there be a loss of confidentiality, integrity, or availability. FIPS 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability. The overall impact level of the system is the highest (the high water mark) of the three, and that level determines the baseline.
Selecting Security Controls - There are three steps in the control selection process, carried out sequentially: selecting the initial set of baseline security controls from the system’s impact level; tailoring the baseline using scoping guidance, compensating controls, and organization-defined parameter values; and supplementing the tailored baseline with additional controls where the risk assessment shows they are needed.
Monitoring Security Controls - The continuous monitoring program includes an ongoing assessment of security control effectiveness to determine whether the currently deployed set of security controls needs to be modified or updated because of changes in the information system or its environment of operation.
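The four steps above (categorize, select the baseline, tailor, supplement) form one procedure, and it is easier to see where decisions have to be documented when it is written out. Here is an added example that walks a made-up system through it; this is not NIST’s code. The catalogue is a small constructed subset: the identifiers and titles are real SP 800-53 Rev. 2 controls and the baseline allocations are believed to match Rev. 2, but they are included for illustration only and the authoritative allocations are in SP 800-53 Appendix D. The system, its FIPS 199 impacts and the tailoring decisions are invented.

```python
"""Walk the SP 800-53 selection process described above in code: categorize
the system under FIPS 199, take the FIPS 200 high water mark, pick the
matching baseline, then tailor and supplement it with a documented
rationale for every change.

Added example, not NIST's. CATALOG is a constructed subset of SP 800-53
Rev. 2 for illustration; the real allocations are in Appendix D. The
example system and its tailoring decisions are invented.
"""
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed subset: control id -> (title, lowest baseline that contains it).
# A control in the low baseline is also in the moderate and high baselines.
CATALOG = {
    "AC-2":  ("Account Management", "low"),
    "AC-6":  ("Least Privilege", "moderate"),
    "AC-17": ("Remote Access", "low"),
    "AU-2":  ("Auditable Events", "low"),
    "CP-9":  ("Information System Backup", "low"),
    "IA-2":  ("User Identification and Authentication", "low"),
    "PE-3":  ("Physical Access Control", "low"),
    "SC-8":  ("Transmission Integrity", "moderate"),
    "SC-13": ("Use of Cryptography", "low"),
    "SC-24": ("Fail in Known State", "high"),
}


def categorize(impacts):
    """FIPS 199 impact per objective -> FIPS 200 high water mark for the whole system."""
    if set(impacts) != set(OBJECTIVES):
        raise ValueError(f"impacts must cover exactly {OBJECTIVES}")
    for obj, level in impacts.items():
        if level not in LEVELS:
            raise ValueError(f"{obj}: {level!r} is not one of {LEVELS}")
    return max(impacts.values(), key=LEVELS.index)


def baseline(level):
    """Every catalogue control whose lowest baseline is at or below `level`."""
    return sorted(cid for cid, (_, lowest) in CATALOG.items()
                  if LEVELS.index(lowest) <= LEVELS.index(level))


def select_controls(impacts, inherited=None, scoped_out=None, supplements=None, parameters=None):
    """Baseline -> tailored -> supplemented control set, with a decision log.

    inherited:   {control: provider}  common controls someone else supplies
    scoped_out:  {control: rationale} removed under scoping guidance
    supplements: {control: rationale} added above the baseline by the risk assessment
    parameters:  {control: {name: value}} organization-defined parameter values
    Every removal or addition must carry a rationale, because tailoring
    decisions have to be documented in the system security plan.
    """
    inherited, scoped_out = inherited or {}, scoped_out or {}
    supplements, parameters = supplements or {}, parameters or {}
    level = categorize(impacts)
    selected = set(baseline(level))
    log = [f"FIPS 199 {impacts} -> system impact level {level}: {len(selected)} baseline controls"]
    for cid, provider in inherited.items():
        if cid in selected:
            selected.remove(cid)
            log.append(f"{cid} satisfied as a common control by {provider}")
    for cid, rationale in scoped_out.items():
        if not rationale:
            raise ValueError(f"scoping out {cid} requires a documented rationale")
        if cid in selected:
            selected.remove(cid)
            log.append(f"{cid} scoped out: {rationale}")
    for cid, rationale in supplements.items():
        if cid not in CATALOG:
            raise KeyError(f"{cid} is not in the catalogue")
        if not rationale:
            raise ValueError(f"supplementing with {cid} requires a documented rationale")
        selected.add(cid)
        log.append(f"{cid} added above the {level} baseline: {rationale}")
    for cid in parameters:
        if cid not in selected:
            raise ValueError(f"parameter values given for {cid}, which is not a selected control")
    return {"impact_level": level, "system_specific": sorted(selected),
            "common": sorted(inherited), "parameters": parameters, "log": log}


# Invented system: a moderate confidentiality impact drives the whole system to moderate.
EXAMPLE = select_controls(
    impacts={"confidentiality": "moderate", "integrity": "low", "availability": "low"},
    inherited={"PE-3": "the hosting data center's physical security program"},
    scoped_out={"AC-17": "the system provides no remote access capability"},
    supplements={"SC-24": "risk assessment requires a defined state on failure"},
    parameters={"AU-2": {"auditable_events": ["logon", "logoff", "privilege use"]}},
)

if __name__ == "__main__":
    for line in EXAMPLE["log"]:
        print(line)
    print("system-specific:", ", ".join(EXAMPLE["system_specific"]))
    print("common (inherited):", ", ".join(EXAMPLE["common"]))
```

Two details are deliberate: a control marked as inherited is not dropped from the system’s obligations, only moved to the common-control provider, and an attempt to scope out a control with an empty rationale is rejected, since an undocumented tailoring decision is exactly what an assessor will flag later.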
Generally Accepted System Security Principles
In September 1996, the National Institute of Standards and Technology (NIST), then part of the Technology Administration of the U.S. Department of Commerce, published Generally Accepted Principles and Practices for Securing Information Technology Systems (Special Publication 800-14). The document provides a baseline that organizations can use to establish or review their IT security programs. The eight principles address computer security from a high-level viewpoint. The fourteen practices guide organizations on the types of controls, objectives, and procedures that comprise an effective IT security program.
The eight principles in the following list provide an anchor or guide when creating new systems, practices, or policies. They are based on the international OECD Guidelines for the Security of Information Systems, which the United States endorsed and which were developed to provide a foundation from which governments and the private sector could construct a framework for securing IT systems. The principles are documented in NIST Special Publication (SP) 800-14:
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Generally Accepted Principles
1. Computer Security Supports the Mission of the Organization
Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
2. Computer Security is an Integral Element of Sound Management
Organization managers have to decide what level of risk they are willing to accept, taking into account the cost of security controls.
3. Computer Security Should Be Cost-Effective
Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.
4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.
5. Computer Security Responsibilities and Accountability Should Be Made Explicit
Responsibility and accountability for IT systems, which may be shared among people and other entities (such as corporations or governments), should be stated explicitly and documented.
6. Computer Security Requires a Comprehensive and Integrated Approach
Managers should recognize how computer security relates to other areas of systems and organizational management. Many other important interdependencies may exist that are often unique to the organization or system environment.
7. Computer Security Should Be Periodically Reassessed
Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures themselves become outdated over time. These issues make it necessary to reassess the security of IT systems periodically.
8. Computer Security is Constrained by Societal Factors
The flow of information, especially between a government and its citizens, is a situation where security may need to be modified to support a societal goal. In addition, some authentication measures may be considered invasive in some environments and cultures.
Generally Accepted Practices
The practices serve as a companion to NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. The following list gives the practices currently employed in an effective computer security program.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
1. Policy
Directives from senior management that create a computer security program, establish its goals, and assign responsibilities.
2. Program Management
Program management of computer security at multiple levels is important because it contributes to the overall program utilizing different types of expertise, authority, and resources.
3. Risk Management
Risk management requires the analysis of risk relative to potential benefits, consideration of alternatives, and implementation of what management determines to be the appropriate course of action.
4. Life Cycle Planning
Most IT system life cycle models contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.
5. Personnel/User Issues
No IT system can be secured without properly addressing a broad range of security issues related to how individuals interact with computers and the access and authority they need to do their jobs.
6. Preparing for Contingencies and Disasters
Contingency planning addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small.
7. Computer Security Incident Handling
An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing.
8. Awareness Training
An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.
9. Security Considerations in Computer Support and Operations
Failure to consider security as part of the support and operations of IT systems is a significant weakness. Security must be included in user and software support. Configuration management, backups, and media controls are just some of the areas that must take security into consideration.
10. Physical and Environmental Security
Physical and environmental security controls are implemented to protect the facility housing systems resources, the system resources themselves, and the facilities used to support their operations.
11. Identification and Authentication
Identification and authentication is a critical building block of computer security, since it is the basis for most types of access control and for establishing user accountability.
12. Logical Access Control
Organizations should implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems.
13. Audit Trails
Audit trails can provide a means to help accomplish several security related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification.
14. Cryptography
Cryptography provides an important tool for protecting information and is used in computer security. Several important issues should be considered when designing, implementing, and integrating cryptography in an IT system.
Thursday, September 17, 2009
RFC 1135 “Helminthiasis of the Internet Worm”
1. What was the cause of the first Internet Worm? In specific, what vulnerabilities did the worm take advantage of in order to spread through the Internet?
Answer:
The worm was a program written specifically to exploit flawed utility programs on Unix systems; it infected Sun Microsystems Sun-3 systems and DEC VAX computers running variants of 4 BSD UNIX. The vulnerabilities gave it a free ride. On each new target it used one of three routes to get commands executed: rsh, which honored trusted-host relationships in .rhosts and hosts.equiv without asking for a password; fingerd, whose use of gets() into a fixed-size buffer allowed a stack buffer overflow that ran the worm’s code; and sendmail, whose DEBUG command had been left enabled and accepted commands to execute. It also guessed weak passwords from the local password file to reach accounts on other hosts. Through whichever route worked it sent over a small “vector” (bootstrap) program, compiled and ran it under a shell, and the vector connected back to fetch the full worm, which then repeated the cycle. Before attempting any of these infection methods, it would first try to connect to the target’s telnet or rexec port to check that the host was reachable.
This first Internet worm was traced to a twenty-three-year-old Cornell University graduate student named Robert Tappan Morris, Jr. He had launched it by infecting a machine at MIT from his terminal in Ithaca, New York. The worm identified other nearby computers on the Internet by rifling through various electronic address books found on the MIT machine. Its purpose was simple: to transmit a copy of itself to those machines, where it would run alongside existing software and repeat the cycle.
When asked why he unleashed the worm, Morris said he wanted to count how many machines were connected to the Internet.
2. Are those vulnerabilities still present?
Answer:
The specific vulnerabilities are not the same today: the fingerd overflow, the sendmail DEBUG command and promiscuous rsh trust were fixed long ago, just as the malware itself has changed. In the meantime another Unix-like operating system, Linux, has emerged. Vulnerabilities still exist in both Unix and Linux, but they are different ones. The classes of flaw the worm relied on, though, are still common: buffer overflows, debugging features left enabled in production, trust based on host identity alone, and weak passwords. That is why anti-worm and anti-virus tools for these systems continue to be developed (see the ZDNet article below).
http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf
http://yupnet.org/zittrain/archives/11
http://www.zdnet.com.au/insight/soa/Linux-Unix-viruses-demand-special-attention/0,139023731,120275738,00.htm
Wednesday, September 16, 2009
Is it Time to Supplement Desktop Security Protections
The article “Is it Time to Supplement Desktop Security Protections?”, posted April 20, 2009, caught my attention because Bruce Van Nice goes further than just giving his perspective on the safety of Internet users under current protections. He proposes that a lot more can be done to help the user beyond desktop protection software. He recognizes that Internet users struggle to protect themselves without the expertise to judge whether they actually have the anti-malware protection they need. Almost all users assume that the only things they can do are run desktop software and learn about the different types of malware threats, such as viruses, worms, and phishing. He argues that this is obviously not enough, because the preceding months had seen a dramatic increase in Internet-based attacks. He addresses the service providers because they are in a position to deliver network-based protections that would benefit Internet users tremendously, and he believes such protections can complement and enhance existing desktop software.
I think the fact that he is asking service providers to take the initiative to help Internet users is very important, and something that should be conveyed to all users, since they can pose the question to service providers as they shop for the best service.
http://www.circleid.com/posts/20090420_time_to_supplement_desktop_security_protections/