
Best Internet Browser? September 23, 2009

Posted by Nikk in Information Security, Information Technology.


I’ve been using Internet Explorer, Firefox and Chrome for some time now. While each of them has some unique features, they all basically perform the same function: browsing the web. Since IE is the most prevalent internet browser in the world (65% IE vs. 26% Firefox), it only makes sense that the bad guys would try to exploit what is most widely available. Clearly the search for the least amount of work vs. the most return is in play here.

In my experience any of the less used browsers will provide some “security through obscurity” level of protection, which might work for a while, but I don’t recommend relying on it. Since I do a lot of work in security I’m apt to fire up Linux and use Konqueror for highly malicious sites, as more exploits are written for Windows-based internet browsers. For day-to-day enterprise operations IE works just fine. In a recent study done by a third party vendor, IE8 blocked eight of 10 of the malware-distributing sites; Mozilla’s Firefox 3 blocked 27% of the same sites, and Chrome 2 blocked only 21%.

A question to pose is which version of IE you are using. If you’re using IE8, most of the new reports show IE8 to be the more secure. If you’re using IE6 or IE7, I’d say it’s time to upgrade. Ultimately, following industry best practices such as keeping your browser, OS, AV and antispyware up to date will help protect your system and avoid unwanted payloads from malicious websites.


Twitter and Facebook: When Botnets attack! August 7, 2009

Posted by Nikk in Information Security.



Botnets are here to stay and they only continue to be developed into formidable tools used by the Internet bad guys, or IBGs as I call them. IBGs love tools like bots. They provide a really great level of anonymity. So big return, little risk? A great combo in any business!

Proliferation of bots, bot-spreading worms and the like is certainly on the increase, and the threat will continue to rise until more is done to combat the problem.

Starting Down the Right Road to Penetration Testing June 9, 2009

Posted by Nikk in Information Security, penetration testing.

Penetration testing vs. vulnerability assessments

When I talk about penetration testing, one of the first things I like to dispel is the notion that vulnerability assessment and penetration testing are the same thing. What separates the two, you ask? Usually it’s a stack of paper about 20 inches thick full of false positives from the VA tool (exactly 5800 PDF pages for 255 machines). Having used Core Impact for the past 4 years and having been a pen tester for a few more, it’s one of very few tools that steer clear of this problem. When you have 50,000+ IP addresses, only Impact can really give you the speed and surgical precision you need across a large enterprise.

There is a method to the madness


Penetration testing is really about following a well defined method to ascertain specific information. Clearly it’s much more interesting than “Oh gee, I hacked a system”. Pentesting is just one tool in an arsenal of many which help you get a bigger and better picture of your current level of security.

There is a lot to be said for making the business case for pentesting as well: the deliverables and benefits planned, the depth of penetration, follow-up and showing the ROSI (return on security investment), just to name a few. Legal and HR issues abound; it can be a minefield. From an internal perspective, partnering with numerous departments within your organization is clearly the smartest path. It is extremely important to have this defined before you start your testing if you’re going to be touching any user data or crossing international boundaries.


Secret Squirrel it’s not.

It’s also important to realize that the majority of the time your pentesting activities are NOT going to be done in secret. It can’t be stressed enough how important it is to let people know you are actually going to conduct testing. What? Tell people? How is this possible? Well, from a technical perspective, imagine you’re conducting a pen test and you cause a glitch in one of the local servers. While you hope this doesn’t happen, letting IT operations know your pentesting plan can save hours of troubleshooting on their part. It’s just common sense. Along with that comes notification to the IDS/IPS admins and firewall teams. When pentesting, all types of bells and whistles can go off if even the most basic security protections are in place.


Penetration testing is an important part of an organization’s overall IT Security and Risk Management portfolio. Done correctly, it can be extremely valuable.


For more information on Core Impact:  Core Security

Approximately 175,000 laptops are lost each year in European airports May 22, 2009

Posted by Nikk in Information Security, Information Technology.

Approximately 175,000 laptops are lost each year in European airports. A large percentage of those laptops contained confidential company information. (The US reports over 600,000 lost per year.)

Laptops lost per week in the top 3 European airports:

  • Heathrow: 900 a week
  • Amsterdam: 750 a week
  • Paris CDG: 733 a week


Laptop loss is a major issue for many organizations, whether you are talking about the data contained or the cost of replacing the physical asset. FDE (Full Disk Encryption) will not solve the inventory management portion of this problem, but it could keep you from becoming the next data breach headline. FDE could be part of the solution.

By adding FDE to your enterprise Defense in Depth infrastructure, your organization can mitigate some of the risk. Container-level encryption is also interesting in an enterprise-level environment, but you need something more. Some would argue for container-level encryption, and that the average user should know and take responsibility for the data contained on their PC/laptop and ensure its proper placement in an encrypted area of the HD. In a perfect world this is what would happen. But how should a user be responsible for data classification? I’ve yet to see more than a few industries that even have a data classification scheme, let alone FDE or even container encryption. I’m a firm believer in making sure that the user’s experience is as easy as possible. A balance between strength of security and ease of use must, therefore, be sought. If you’re making your customers’ (users’) lives more complicated, it will make gaining their acceptance much more difficult.

Various regulatory requirements such as the EU Data Protection Act, SOX, PCI or numerous others “help” (these don’t always require encryption) to ensure that some type of protection is keeping the data safe and secure. Now, while FDE isn’t the answer to your midday prayers, it certainly adds a very real and affordable layer of protection. For those who see key management as a potential obstacle, a modicum of forethought and a solid architecture will ensure success. As is often the case, it’s not the technology itself which hinders the implementation; rather, it is building the process to support the technology which requires the most attention.

Link to comparison of disk encryption software

And Yet Another Botnet Incident, 100,000 Machines Nuked! May 12, 2009

Posted by Nikk in Information Security.


It never ceases to amaze me what criminals will do. Usually bot herders like to keep hold of the compromised machines. But hey, what better way to cover your tracks if your botnet has been discovered!


Bots & Botnets May 7, 2009

Posted by Nikk in Information Security.


Anybody who knows me knows that I’ve been talking about the threat of botnets for the past few years. Conficker and the discovery of GhostNet only further confirmed my suspicions. Specific targeted attacks toward businesses and governments will continue to increase in complexity and accuracy. The technology industry needs to move faster to mitigate and remediate these threats. The bad guys always go where the money is, and botnets are over a billion Euro a year business.

Link to Botnet Poll

Information Security Programs May 5, 2009

Posted by Nikk in Information Security.

Somebody asked me today what I would consider the top things to include in an Information Security Program.

The first thing that comes to mind is a well documented, highly visible IT Security policy. I believe that the IT Security policy is the foundation of a good ISMS and helps in gaining and maintaining the appropriate level of visibility at the executive level. Along with that comes strong representation of IT security within the business at board level. From a practical standpoint, having a good information security policy is followed by having the appropriate technical support in place to ensure that the business can perform its functions.

Having policies and technical controls in place such as the following, consolidated and global:

  • Anti-virus management
  • Anti-malware management
  • Desktop patching
  • Server patching
  • IDS/IPS/firewall deployment with consolidated logging
  • Secure email, fax and printing
  • Data stream encryption, file encryption/full disk encryption
  • User training, personnel vetting
  • User rights controls, separation of duties controls, and data classification to assist in IP control