Security Alerts:
There are tons of security alerts released everyday but for most organizations only a few of them are relevant. We try to filter through the debris and choose only those that are most relevant to the general market. 

 


Quick Tips: 
"Cruise missile to kill a fly"
is a common theme when it comes to securing organizations. An incident occurs and suddenly the CEO authorizes $500,000 to secure the janitors desktop. There has to be a better way and here they are ... simple low budget, low hassle tips to secure your organization.


Possibly a better way?


DISCLAIMER:

  • SecEv does not sell product nor receive commission from any products that we may review in this forum

  • Why are we doing this? Because of our philosophy that security is #1 about policies / people / management / training and not big budgets and gadgets

 

 

Index

Oct 10, 2006 Blinking lights vs. Process - A case for cost efficient vulnerability analysis
Sept 5, 2006 Wireless rogue prevention made cheap and easy
Sept 5, 2006 Destroy Your Data
August 31, 2006 How to Secure Your Laptop
August 2006 Zero Day Exploits
August 2006 Anti-virus/Anti-malware products don't work 80% of time
August 2006 Stronger Customer Authentication on Web Sites
August 2006 Encrypted Laptops
August 2006 Secured Email
May 18, 2006 Microsoft Exchange Calendar Vulnerability
April 10th, 2006 Cool sniff tool for cracking passwords on switched LANs

 


Sept 5th, 2006 - Blinking lights vs. Process - A case for cost efficient vulnerability analysis

In this yearly study, the Secret Service E-Crime Survey, CISOs list the technologies they feel are most important to defending the organization. While I agree that this is a technology survey, I am somewhat dismayed that patch management did not show up on the list. If your car locks were not working, wouldn't you want to know about it and fix them? If a window in your house was broken out, would you not want to fix it?

I feel that the cost/benefit of following a PROCESS of vulnerability analysis and patch management far outweighs quad-redundant IPS firewalls with PKI SSL VPNs and 1000 blinking lights. Since the beginning of time thieves have looked for vulnerabilities and exploited them, and information security is no different.

If you are sick of hiring expensive security contractors to run automated scans and turn in boxes of reports stating "NT registry HK_LOCAL/Machine/.... is not set", then listen up. True vulnerability analysis should not consist of 80% automated scans and 20% manual analysis. Vulnerability analysis should look at business processes, security architectures, key personnel, device configurations, etc. Traditional NESSUS-type vulnerability scans should be replaced by a patch management status report.
Obviously some automated scans cannot be replaced: application penetration analysis, password cracking, encryption cracking, war dialing, wireless analysis, etc. The point is that if a system is patched there is a 99% chance that the NESSUS-type vulnerabilities will not exist.

PROS

  • No threat to availability due to vulnerability scans
  • Cheaper
  • Faster
  • Easier to interpret

CONS

  • Hard to patch mobile laptops
  • Hard to patch telecommuters
  • Hard to patch production servers
  • Hard to patch OEM 3rd party servers
  • Hard to query unavailable systems
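As an added example (not code from the original article): a script that builds the patch management status report argued for above from a constructed inventory, keeping hosts that could not be queried (the laptop, telecommuter and OEM cases in the CONS list) separate from patched ones, so an unknown state is never reported as clean. Host names and patch IDs are made up.

```python
from datetime import date

# Constructed baseline: the patches the organization has approved for deployment.
APPROVED = {"KB-A", "KB-B", "KB-C"}

# Constructed inventory: host -> (installed patch ids, date of last successful check-in)
INVENTORY = {
    "file-srv-01": ({"KB-A", "KB-B", "KB-C"}, date(2006, 9, 4)),
    "web-srv-02": ({"KB-A"}, date(2006, 9, 3)),
    "laptop-jane": ({"KB-A", "KB-B"}, date(2006, 8, 1)),  # on the road for a month
    "oem-pbx-01": (set(), None),  # third-party box that has never reported in
}

def status_report(inventory, approved, today, max_age_days=7):
    """Classify each host as 'patched', 'missing' (with the gap) or 'unreachable'."""
    report = {"patched": [], "missing": {}, "unreachable": []}
    for host, (installed, last_seen) in sorted(inventory.items()):
        if last_seen is None or (today - last_seen).days > max_age_days:
            # Stale or absent data: the state is unknown, never report it as patched.
            report["unreachable"].append(host)
            continue
        gap = sorted(approved - installed)
        if gap:
            report["missing"][host] = gap
        else:
            report["patched"].append(host)
    return report

def render(report):
    """Turn the classification into the short, readable report the text asks for."""
    lines = ["Fully patched: " + (", ".join(report["patched"]) or "none")]
    for host, gap in report["missing"].items():
        lines.append(f"MISSING on {host}: {', '.join(gap)}")
    for host in report["unreachable"]:
        lines.append(f"UNKNOWN (no check-in within window): {host}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(status_report(INVENTORY, APPROVED, date(2006, 9, 5))))
```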

 


Sept 5th, 2006 - Compensating control for wireless rogue detection

Ya could spend next year's security budget on wireless rogue detection, with all the cool graphics to show your boss, but it's probably just as effective and cheaper to turn on Cisco MAC limiting. This limits the number of MACs per port to 1, so that no rogue laptop broadcasting as an ad hoc WAP can route unauthenticated clients through it into your switch. It also blocks rogue hubs and rogue WAPs from connecting to your network.

PROS:

  • Cheap
  • Quick
  • End result is no rogue WAPs or hubs

CONS:

  • No cool graphics
  • Have to set up Cisco logging to get an alert if multiple MACs are detected
  • Have to play with MAC aging parameters for conference rooms where someone is sharing a cable with another laptop
  • Harder to hunt down rogue ad hoc WAPs and hubs
  • Ad hoc WAP laptops could be under attack from 3rd parties and not know it. If packets aren't routed through the switch, the ad hoc laptop would not know it is under attack.
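To make the control and its caveats concrete, here is an added example (not from the original post, and not Cisco code) that simulates a one-MAC-per-port rule, the alert the logging caveat asks for, and the MAC aging needed for the conference-room case. Port names, MACs and timings are constructed; on Cisco IOS the corresponding knobs are the switchport port-security maximum, violation and aging time settings.

```python
from collections import namedtuple

Event = namedtuple("Event", "t port mac")  # t = seconds since start

class PortSecurity:
    """Per-port secure MAC table with a limit, violation alerts and optional aging."""
    def __init__(self, max_macs=1, aging_seconds=None):
        self.max_macs = max_macs
        self.aging = aging_seconds
        self.secure = {}  # port -> {mac: last_seen}
        self.alerts = []  # violation lines to ship to syslog

    def _expire(self, port, now):
        # Drop MACs idle longer than the aging time so a port frees up after a laptop leaves.
        if self.aging is None:
            return
        table = self.secure.setdefault(port, {})
        for mac, seen in list(table.items()):
            if now - seen >= self.aging:
                del table[mac]

    def frame(self, ev):
        """Return 'forward' or 'drop' for a frame from ev.mac arriving on ev.port."""
        self._expire(ev.port, ev.t)
        table = self.secure.setdefault(ev.port, {})
        if ev.mac in table:
            table[ev.mac] = ev.t
            return "forward"
        if len(table) < self.max_macs:
            table[ev.mac] = ev.t
            return "forward"
        # A second station behind the port: rogue hub, rogue WAP or ad hoc laptop.
        self.alerts.append(f"t={ev.t} {ev.port}: {ev.mac} exceeds limit {self.max_macs}, "
                           f"secured={sorted(table)}")
        return "drop"

def run(events, aging_seconds=None):
    """Replay a constructed event list; return (per-frame decisions, alerts)."""
    ps = PortSecurity(max_macs=1, aging_seconds=aging_seconds)
    return [ps.frame(e) for e in events], ps.alerts

# Constructed timelines: a desk port that suddenly sees a second MAC (a hub was plugged in),
# and a conference-room port where one laptop leaves and another plugs in 15 minutes later.
DESK = [Event(0, "Gi0/1", "00:11:22:33:44:01"), Event(5, "Gi0/1", "00:11:22:33:44:02")]
CONF = [Event(0, "Gi0/9", "00:aa:bb:cc:dd:01"), Event(900, "Gi0/9", "00:aa:bb:cc:dd:02")]

if __name__ == "__main__":
    print(run(DESK))                                 # second MAC dropped, one alert raised
    print(run(CONF), run(CONF, aging_seconds=600))   # locked out without aging, allowed with it
```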

 


Sept 5th, 2006 - Cheap Easy Media Disposal (disk, PDAs, cell, routers, USB drives, etc)

Get this from NIST (Section 2.3 and Appendix A): disk drives manufactured after 2001 only need 1 disk wipe to clear them. So if you are not smashing them or degaussing them, then at LEAST do an easy disk wipe!! We've been using DriveWipe or UCSD Secure Erase.
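The one-pass clear the paragraph refers to, as an added example (not the DriveWipe or Secure Erase tools named above): overwrite an image once with a fixed byte, then read the whole thing back and verify, since a wipe that is not verified is just hope. It runs on a constructed temporary file standing in for a drive; pointing it at a real device is a deliberate step taken on a dedicated wiping host.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per write/read keeps memory flat on large devices

def overwrite_once(path, byte=0x00):
    """Overwrite every byte of `path` in place with one fixed value; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(bytes([byte]) * n)
            written += n
        f.flush()
        os.fsync(f.fileno())  # force it onto the medium, not just the OS cache
    return written

def verify_wiped(path, byte=0x00):
    """Read the image back; return (True, None) or (False, offset of first leftover byte)."""
    offset = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk != bytes([byte]) * len(chunk):
                bad = next(i for i, b in enumerate(chunk) if b != byte)
                return False, offset + bad
            offset += len(chunk)
    return True, None

def make_test_image(size):
    """Constructed stand-in for a drive: a temp file of exactly `size` bytes of 'records'."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"PATIENT-RECORD " * (size // 15 + 1))[:size])
    return path

def demo(size=200_000):
    """Create, check, wipe, re-check and delete an image; return the three results."""
    img = make_test_image(size)
    before = verify_wiped(img)[0]   # False: old data is still there
    written = overwrite_once(img)
    after = verify_wiped(img)[0]    # True: every byte reads back as the fill value
    os.remove(img)
    return before, written, after

if __name__ == "__main__":
    print(demo())  # (False, 200000, True)
```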

As cell phones get smarter, make sure you clear their memories before disposing of them. Or if you have a problem employee, check out what they are doing with their cell phones. We once saw a used cell phone with "Dr. Hemp's" phone number on it and pictures of hemp in the background.

The best solution is to build an asset inventory (spreadsheets have a great cost/benefit) and track the lifecycle of all purchases. Develop a process by which purchasing and IT communicate when materials enter/leave the organization. Example: routers, USB tokens, tapes, etc.

PROS:

  • Should be obvious, unless you don't care about people knowing the phone number of your local drug dealer
  • HIGH cost/benefit

CONS:

  • Takes time to swing a hammer

 


August 31, 2006 - How to Secure Your (Windows) Laptop

How do I secure my laptop?  No idea?  Or only a rough idea?  Here are some quick ideas and templates based on best practices (Give us a call if you want to learn more):

  1. People Controls
    1. Not everyone should be admin - limit what users can do.  Looks like this will be enhanced with Windows Vista.
    2. Require users to sign an "acceptable use" policy
    3. Train users on proper use and theft prevention
  2. Physical Controls
    1. Install cable locks
    2. Lock and alarm office space
  3. Software Controls
    1. Install and enforce CRITICAL security systems:
      1. Personal Firewall (XP SP2 firewall, BlackICE, Zone Alarm)
      2. Anti-Virus
      3. Anti-Spyware (eg: Windows Defender, CounterSpy, Lavasoft).  Note: it looks like AV vendors are starting to roll this feature in with anti-virus.
      4. Enable Automatic Updates.  The OS must obtain the latest available security patches in order to protect itself.  In a corporate environment, you might want to install centralized patch management such as Shavlik or WSUS.
    2. Enforce strong passwords, account lockouts and avoid account sharing
    3. Harden OS by disabling unnecessary services
    4. Software restrictions: a properly constructed GPO can limit installing junk software, as well as other security restrictions.
    5. NTFS file restrictions can provide limited additional security, especially on multi-user systems.
    6. Use EFS to encrypt sensitive data
    7. BACKUP your data!
  4. Tracking
    1. Use software or hardware tracking tools to help recover stolen equipment (eg: www.computrace.com, www.lucira.com)
    2. Run the free MBSA security analyzer to get your current security status
    3. Enable logging of security events in GPO or local security policy and periodically review.
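As an added example for the last step (not the post's own code): a minimal review of an exported security log that flags bursts of failed logons and account lockouts. The log lines are constructed; the event IDs used (529 = logon failure with bad user name or password, 644 = user account locked out) are the Windows 2000/XP/2003 numbers, which is an assumption to check against your own OS version.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed export: date,time,source,event id,account (one event per line).
SAMPLE_LOG = """\
9/4/2006,08:01:12,Security,528,CORP\\jsmith
9/4/2006,08:02:40,Security,529,CORP\\admin
9/4/2006,08:02:43,Security,529,CORP\\admin
9/4/2006,08:02:47,Security,529,CORP\\admin
9/4/2006,08:02:50,Security,529,CORP\\admin
9/4/2006,08:02:55,Security,644,CORP\\admin
9/4/2006,09:15:02,Security,529,CORP\\bjones
"""

FAILED_LOGON = "529"  # assumption: XP/2003 id for bad user name or password
LOCKED_OUT = "644"    # assumption: XP/2003 id for user account locked out

def review(text, threshold=3, window_seconds=60):
    """Return lockouts and accounts with >= threshold failures inside any window."""
    failures = defaultdict(list)
    lockouts = []
    for date_, time_, _source, event_id, account in csv.reader(StringIO(text)):
        when = datetime.strptime(f"{date_} {time_}", "%m/%d/%Y %H:%M:%S")
        if event_id == FAILED_LOGON:
            failures[account].append(when)
        elif event_id == LOCKED_OUT:
            lockouts.append((account, when.isoformat()))
    bursts = {}
    for account, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over this account's failures
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[account] = max(bursts.get(account, 0), count)
    return {"lockouts": lockouts, "bursts": bursts}

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for account, when in result["lockouts"]:
        print("LOCKOUT", account, when)
    for account, n in result["bursts"].items():
        print(f"BURST {account}: {n} failed logons within 60s")
```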

August 2006 - Security Alert - Zero Day Exploits

Problem: Hackers are releasing exploits before, or on the day, vulnerabilities are announced.

We've all been sitting on our haunches thinking "There hasn't been any big worm outbreak in years, so I'm ahead of the curve". While this is mostly true, and many companies are now patching consistently, malware attacks are exploding under your nose (see AV/AS broken). The problem is they are soooo subtle that you don't even know what the malware is doing to your organization, just as long as it doesn't crash systems and catch the CEO's attention.

FIX: 

  • Patch, Patch and Patch again. Use a centralized patch product such as WSUS or Shavlik Patch Management
  • Use IDS/IPS and web filtering (see AV/AS broken)

August 2006 - Security Alert - Anti-virus/Anti-malware products don't work 80% of time

Problem: The new generation of spyware/viruses/malware is not caught by AV/AS products. Oh, this is more and more scary. I've been predicting this for years and it is finally happening, especially with ActiveX/Java-type attacks. NOTE: if the downloaded executable runs in memory (under IE) and never goes out to disk, AV might be useless. Many AVs only look at files on disk.

FIX: THERE IS NO MAGIC TECHNICAL BULLET!!! Don't assume that since you blew your budget on AV/AS products you are safe. The only answer is going back to basics: security and people management, security operational management. Train users to avoid non-business websites and exotic emails, and when they refuse to comply, apply Management 101 techniques: discipline. Don't just reload PCs; try to determine where the spyware is coming from and stop it from happening again.

Email Controls:

  • 3rd party providers such as Postini
  • Antivirus and antispam gateways - too many to mention, I'm not aware of one better than another

Web Controls:

  • URL filtering such as SurfControl
  • Block general use of ActiveX and Java
  • NO P2P programs - Skype, IM, Kazaa, etc

Desktop Controls:


August 2006 - Stronger Customer Authentication on Web Sites

Yet another panic attack to implement stronger authentication on customer web sites. Once again I feel solutions such as RSA Sitekey, etc. are of limited cost/benefit: they don't address the phishing threat or Man-In-the-Middle, PKI solutions will kill the customer, tokens are expensive and don't totally address the phishing threat, etc. Check out this table:

https://www.phishcops.com/compare.asp (I'm checking out this product for pros/cons)

The best one I found is E-Gold's Account Sentinel. It is somewhat proprietary and I am trying to get more information on it. Give me a call if you want to learn more.

PROS:

  • It is all web based 
  • No tokens to manage
  • No additional costs after software is installed
  • Users self-register and self-maintain their account
  • It is effective against phishing, pharming, Man-In-Middle, etc. attacks

CONS:

  • Not totally two-factor, but good enough considering the threat profile
  • More difficult to use for customers that change PCs or IP addresses
  • Keystroke loggers on kiosks will defeat controls if executed from same kiosk

 


August 2006 - Encrypted Laptops

The latest, greatest security threat is laptop theft with confidential information on the machine. So of course all the laptop encryption vendors are pushing their wares. If you have the money, time and resources to purchase and debug one of these products, fantastic. If you want a quick alternative, just use Microsoft's EFS that already exists in XP (well, Windows 2000 and XP Pro, not the Home version).

PROS:

  • No cost

  • No software to load

  • Invisible to users - brainless

  • No help desk calls

  • Meets regulations

  • Minimal key management

  • If you lose the key, just crack the password with special tools. This, of course, begs a number of questions which we won't get into here.

  • Can also use Absolute tool to phone home and track laptop down

CONS:

  • 1% chance a thief will use a cracking tool to crack the password, decrypt the data and hold you hostage.
    You have to decide the risk/cost/benefit for your org

  • Make sure you decrypt before you backup - or - have backup key in AD

  • Backup regularly

Another option is to use self encrypting USB tokens from Lexar.  These are so cool. We keep no data on our laptops anymore because of these. 

PROS:

  • Minimal cost

  • No software to load

  • Can move token between PCs, kiosks

  • Nearly invisible to users - brainless

  • Meets regulations

  • Minimal key management

  • Lower target profile - thieves target laptops not tokens

  • If you don't believe me

CONS:

  • Backup regularly!!!! in case an employee quits.


August 2006 - Secured Email

Secured encrypted email is a pain for end users because they have to register and remember passwords or use PKI certificates with client software, UGH. If you have to use secured email, try looking at GlobalCerts SecureMail Gateway, which is very cool because there is no client registration or passwords, just a web link. One of our clients has used it and likes it more than their own email gateway.

PROS

  • No client registration
  • Great for banking interaction with 1-to-1 clients

CONS

  • The sender has to put keyword into "Subject" line
  • The sender has to tell receiver the passphrase out-of-band - but it can be reused
  • Difficult for mass-mailings

Unsecured E-Mail Sparks Dispute Among Australian Doctors

(July 18 2006)

A Melbourne hospital is sending out sensitive health information as unencrypted e-mail, following a decision by the hospital that the benefits of rapid communication outweigh the risks to patient confidentiality. Doctors are complaining, but other doctors find encrypted email too difficult to use.

[Editor's Note (Schultz): Encryption is indeed a double-edged sword. Its value in protecting sensitive information from unauthorized disclosure is indisputable, but encryption programs are too often user-hostile, and key management is frequently grossly inadequate. (Honan): Ah yes, the old "security makes things harder so let's ignore it" argument. Just because something is difficult does not mean it should not be done. How much harder will things be for the hospital, not to mention the patients concerned, if sensitive patient data becomes exposed as a result of doing things the easy way?]

 


May 18, 2006 - Security Alert - Microsoft Exchange Calendar Vulnerability (MS06-019)

Problem:  Microsoft has published a security bulletin on May 9th describing how a remote attacker can send either a malformed vCal or iCal calendar request (such as a meeting request within Outlook).  The user does not need to open an attachment, rather merely view the email.  This potentially allows a remote hacker to exploit the Exchange server and run arbitrary code as the System account, or can at least create a denial-of-service which requires an Exchange server restart.  To date, no public exploit code has been released, but Immunity Security has created a denial-of-service attack for its CANVAS assessment tool, so it is likely public code will follow.  Patches are available at the link shown in the article title.

FIX: Patch Patch Patch now

 


April 10th, 2006 - Dan's cool sniffing tool

Dan found this really cool network sniffing tool, Cain & Abel, for cracking all sorts of passwords.

PROS:

  • Great for network penetration testing on switched networks if you are a good guy

CONS:

  • Great for network penetration testing on switched networks if you are a bad guy

 



Copyright 2006, Security Evolution, Inc.