Are you Ready for Cloud Computing?

Cloud computing offers many benefits, but it also changes the security equation. Historically, companies kept critical data behind firewalls. Cloud computing is having a huge impact on the de-perimeterization of network boundaries. It’s a game changer in that assets are placed outside of corporate firewalls.

Consider this: with cloud computing, you lose control over the assets in the cloud. Moving to the cloud environment means you are giving up not only logical security but also physical security. Basic questions to consider include:

1. Where’s the physical location of the data?
2. Who has access to the data or resource?
3. What regulatory requirements do you fall under as far as protection of the data or resource?
4. What are the service level agreement (SLA) terms?
5. What is the long-term viability of the provider?

At the end of the day, security is always about the weakest link.  Can you trust your service provider?  What level of control are they providing?  I will be exploring these types of cloud computing security issues at this year’s Fusion 11 conference.

I hope to see you there.

Posted in IT and Computer Security, Training and Education

Should Anti-virus be Mandatory – South Korea Thinks So!

South Korea is now contemplating a new law that would require computer users to have anti-virus installed on their computers. The law is called the “Zombie PC Prevention Bill.” The South Korean law would:

1. Impose a statutory duty on every citizen to install and use security software
2. Confer on the government department (Korea Communications Commission; KCC) the power to ban or allow the business of those security solution providers which the KCC chooses to ban or allow according to certain criteria
3. Make the security solution providers focus on winning the favour of government officials
4. Empower KCC agents, without a warrant, to “examine the details of the business, records, documents and others” of anyone upon mere suspicion that the person (individual or company) has violated the duty to use security software

While I believe this bill goes too far, is the basic idea of requiring users to maintain up-to-date anti-virus a good idea?  In the US, conversations have already occurred about whether ISPs should be allowed to disable botnet-infected computers to prevent the infections from spreading. That means that an ISP could disconnect a system from the Internet without the user’s permission once it had detected the PC was compromised by a botnet.

I think this is a big question, and while many free antivirus programs are available, is this enough? As our society becomes more integrated with and dependent on the Internet, and more laptops, smartphones, and iPads are plugged in, we need to ask ourselves this question: Is surfing the Internet with a virus-infected computer “socially irresponsible?”

Posted in IT and Computer Security, Training and Education

The New CompTIA CASP Certification

Later this year, CompTIA will be releasing the CompTIA Advanced Security Practitioner (CASP) certification. It is time for this certification. It’s targeted directly at individuals who have worked in security for a number of years in “hands-on” roles. We are not talking about the suit-and-tie crowd here; this certification is for those who do the day-to-day security work that keeps networks running and secure.

Just consider the knowledge areas that CompTIA is looking at for security assessments. The test candidate is expected to know about port scanners, vulnerability scanners, protocol analyzers, switchport analyzers, network enumerators, password crackers, fuzzing, and attack tool frameworks.

Anyone performing a security assessment needs to be able to use and understand many specialized applications, such as exploit frameworks. One good example is Metasploit. The Metasploit Framework is an advanced platform for developing, testing, and using exploit code.

Another tool “hands-on” security professionals need to know is the sniffer. There are many sniffers available, yet almost all present the same data. Some of the most basic sniffers, such as tcpdump, use a command line interface and dump captured data to the screen, while more advanced products such as Wireshark use a GUI, graph traffic statistics, track multiple sessions, and offer multiple configuration options. Regardless of the platform, the CASP must understand how to analyze network traffic. This includes TCP, UDP, IPv4, and IPv6. IPv6 differs from IPv4 in several ways: the IPv6 address space is 128 bits, the IPv6 header carries no checksum, and IPv6 does not use ARP. If you are not comfortable with IPv6, now is the time to get up to speed.
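To make those IPv4/IPv6 header differences concrete, here is an added Python example (it is not from the original post, CompTIA, or any sniffer project). It builds a minimal IPv4 header and a fixed IPv6 header from constructed addresses, then parses both: the IPv4 parser recomputes and verifies the header checksum, while the IPv6 parser has no checksum field to check and returns 128-bit addresses. All packet bytes and addresses are constructed for illustration.

```python
"""Added example: parse IPv4 and IPv6 headers to show the differences above.

Constructed packets only; no network access is needed.
"""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
IPV6_FMT = "!IHBB16s16s"     # 40-byte fixed IPv6 header


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a header with a correct checksum (proto 6 = TCP)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6(src: str, dst: str, hop_limit: int = 64, next_hdr: int = 6) -> bytes:
    """Build a fixed IPv6 header; note there is no checksum field to fill in."""
    first_word = 6 << 28                    # version 6, traffic class 0, flow label 0
    return struct.pack(IPV6_FMT, first_word, 0, next_hdr, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ip(pkt: bytes) -> dict:
    """Dispatch on the version nibble and return the fields an analyst cares about."""
    version = pkt[0] >> 4
    if version == 4:
        (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
         csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        header = pkt[:ihl]
        zeroed = header[:10] + b"\x00\x00" + header[12:]   # recompute over zeroed field
        return {
            "version": 4, "address_bits": 32, "header_len": ihl, "ttl": ttl,
            "protocol": proto, "total_len": total_len,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum": csum, "checksum_ok": ipv4_checksum(zeroed) == csum,
        }
    if version == 6:
        (_first, payload_len, next_hdr, hop_limit,
         src, dst) = struct.unpack(IPV6_FMT, pkt[:40])
        return {
            "version": 6, "address_bits": 128, "header_len": 40, "hop_limit": hop_limit,
            "next_header": next_hdr, "payload_len": payload_len,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "checksum": None,      # IPv6 relies on link-layer and transport checksums instead
            "checksum_ok": None,
        }
    raise ValueError(f"unsupported IP version {version}")


if __name__ == "__main__":
    v4 = build_ipv4("192.0.2.10", "198.51.100.20")
    v6 = build_ipv6("2001:db8::10", "2001:db8::20")
    print(parse_ip(v4))
    print(parse_ip(v6))
    damaged = bytearray(v4)
    damaged[8] = 63                           # change the TTL without fixing the checksum
    print("damaged checksum_ok:", parse_ip(bytes(damaged))["checksum_ok"])
```

The damaged-packet case is the one to notice: an IPv4 router or analyzer can spot a corrupted header from the checksum alone, whereas in IPv6 that protection has to come from the layers above and below.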

I think this certification is going to meet real need in the IT security industry by addressing an area of the market that has been overlooked.  How many of you are interested in the CASP?

Posted in Ethical Hacking, Security Certification, Training and Education

Cyber Security Risks for Online Users

Did you know that a report by Sophos in 2009 found that a malicious web site is detected about every 5 seconds? Since then, the pace has only increased. Internet users must implement basic protections to stay safe while surfing the web. I have listed a few of these tips below and the rest can be found in the video.

Tiny URLs – You know those abbreviated links people send via Facebook and Twitter? They are a prime target for hackers. Cyber criminals use “tiny URLs” to conceal the actual address that the link takes you to. This means you could easily become a victim if you click on a malicious link.

User Tip: Check links before blindly clicking! TinyURL lets you preview the link, whereas with some other shortened URLs all you need to do is add a + symbol to the end of the address to preview the location.

Rogueware – Phony anti-virus software that actually downloads viruses and malware, or downloads useless anti-virus. Rogueware is typically designed to mimic anti-virus programs and trick users into downloading it, either to gain access to the person’s computer or simply to swindle them out of money for the fake application.

User Tip: Anti-virus software offered by pop-ups will infect your machine with more malware than it will clean up. Only use AV software from trusted vendors. If you are infected, scan your system with programs such as Malwarebytes, HijackThis, Ad-Aware, the Microsoft Malicious Software Detection Tool, or other known detection tools.

One final tip is to maintain your anti-virus and keep it up to date. If you cannot afford a paid program, check out one of the many free versions such as AVG. Even basic protection can go a long way in keeping you protected while online.
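The “check links before clicking” tip can be automated: the added Python example below (not from the original post or from any shortener service) follows a shortened link’s redirect chain one HEAD request at a time, so every intermediate host is listed before anything is loaded, and it stops after a fixed number of hops so a redirect loop is reported instead of followed forever. Because it needs something to talk to, it starts a small local HTTP server that stands in for a shortener; the short-link mappings in `SHORT_LINKS` are constructed and the server, port, and `expand()` function are this example’s own, not any real service’s API.

```python
"""Added example: expand a shortened link hop by hop without loading the destination.

A tiny local HTTP server stands in for a URL shortener so this runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def next_hop(url: str, timeout: float = 5.0):
    """Send one HEAD request and return (status, Location header) without following it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme: {parts.scheme!r}")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)            # HEAD: headers only, no page body is fetched
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, max_hops: int = MAX_HOPS) -> dict:
    """Walk the redirect chain manually so every intermediate host is visible before any click."""
    chain = [url]
    for _ in range(max_hops):
        status, location = next_hop(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": chain[-1], "status": status, "truncated": False}
        chain.append(urljoin(chain[-1], location))   # resolve relative Location values
    # Too many hops: a loop or an unusually long chain is itself a warning sign.
    return {"chain": chain, "final": chain[-1], "status": None, "truncated": True}


# --- stand-in shortener for offline use (constructed mappings) ---
SHORT_LINKS = {"/abc": "/hop2", "/hop2": "/final", "/loop": "/loop"}


class _Shortener(BaseHTTPRequestHandler):
    def do_HEAD(self):
        target = SHORT_LINKS.get(self.path)
        self.send_response(301 if target else 200)
        if target:
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):             # keep the demo quiet
        pass


def start_shortener() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), _Shortener)   # port 0 = pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> tuple:
    """Expand one normal chain and one redirect loop against the local stand-in."""
    srv = start_shortener()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return expand(base + "/abc"), expand(base + "/loop")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    ok, looped = demo()
    print("resolves to:", ok["final"], "via", " -> ".join(ok["chain"]))
    print("loop detected:", looped["truncated"], "after", len(looped["chain"]) - 1, "hops")
```

Against a real shortener you would call `expand()` with the short link itself; the point of using HEAD and refusing to auto-follow is that the final host is shown to you before your browser ever requests it.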

Posted in Ethical Hacking, Training and Education

Security+ SY0-301 2011 Certification Update

2011 starts a new year for CompTIA and Security+.  CompTIA certifications will no longer be awarded for a lifetime.  Starting in 2011, all CompTIA certification exams will be valid for three years from the date the test candidate passes the certification exam.

Another big change is that the Security+ certification is being revised. The new version of the exam, Security+ SY0-301, will debut later this year. I, Michael Gregg, blogged about the update to the Security+ certification last year, and since then I’ve had much more time to review the new objectives, since I am working on the 3rd edition of the best-selling Security+ Street Smarts book. We, the authors, will be adding lots of material to help readers seeking real security skills they can use in the workplace.

Cyber Security Foundations

If you are going to get certified this year, spend some time examining the new exam objectives; you’ll notice that the domain names have changed. One such change is Domain 2, Compliance & Operational Security. Operational security is covered in depth in the CISSP certification program, and it’s good to see that Security+ is increasing its coverage too. This increased emphasis on operational security is good, as is the more in-depth coverage of technical, management, and operational controls.

Another big change is more coverage of risk.  I am not just talking about basic quantitative risk calculations using values such as SLE, ARO, and ALE, but stuff any junior security professional can use like the importance of policies in reducing risk and the emerging issues associated with cloud computing.  If you don’t think these are needed additions, consider the cloud computing issue of Microsoft Hotmail.  The free mail service crashed around the New Year holiday and as a result, approximately 17,000 users discovered some or all of their email messages were missing.

I have reviewed the SY0-301 objectives, am happy with the changes, and believe they are going to make for a better certification. If you’re considering becoming Security+ certified this year, spend some time reviewing the exam objectives and read Security Administrator Street Smarts: A Real World Guide to CompTIA Security+ Skills. Don’t just get certified, get Street Smarts Security+ certified!

Posted in IT and Computer Security, Security Certification, Training and Education

Smart Phone Malware Continues To Spread

While Android users may have previously felt secure, attacks against these devices continue to grow. A new Android Trojan known as Geinimi is quickly spreading in China. Security researchers have reverse engineered the malicious code and discovered that Geinimi has the capability to:

  • Send location coordinates (find and identify your current location)
  • Send smart phone identifiers (IMEI and IMSI)
  • Download and prompt the user to install additional applications and malware
  • Prompt the user to uninstall applications such as anti-virus
  • Enumerate and send a list of installed apps to the server

In the past I have discussed smart phone hacking with the New York Times and how these devices are an emerging attack vector. Desktop and laptop computers are no longer the dominant form of computing, and threats targeting the smartphone and tablet markets have topped the list of several cyber security surveys for 2011. How much information do you keep on your smartphone or tablet computer, and how do you protect it?

Posted in Hacking, IT and Computer Security, Smart Phone Hacking

Wikileaks Exposure Points to Bigger Data Security Problems in 2011

I was in DC recently and was looking at some WWII memorabilia that was used during the 1940’s to reinforce the importance of information security. While there were no modern computers, cell phones, or even Internet during this time, the government worked hard at providing end user awareness. There was great emphasis placed on how individuals should conduct themselves to prevent inadvertent disclosure of information to the enemy. One example of this is a poster from that era that stated, “Loose Lips Sink Ships.”

Did this previous generation “get it” in a way we don’t today? Were the concepts of need to know, least privilege, and separation of duties somehow different then?

According to the Identity Theft Resource Center, there were about 450 data breaches in 2009. 2010 doesn’t look to be shaping up much better. From news about data breaches at McDonalds, Walgreens, and Gawker, to WikiLeaks, the reports of exposed personal data are almost daily occurrences. It’s a sad fact that many times the controls placed on electronic information are simply not sufficient. In the Gawker attack, cyber criminals stole about 1.3 million usernames and passwords. While these passwords were encrypted, the usernames were not, and weak encryption allowed many of the passwords to be broken quickly.

In another example, news reports have stated that Bradley Manning, the suspected Wikileaks source, admitted that the cyber security environment at the military base made it easy to smuggle data out. According to Manning, “I would come in with music on a CD-RW, erase the music then write a compressed split file.”

Will 2011 herald a change in that both government and private firms make a bigger push to secure sensitive data, or will these events just be a speed bump along the road to continued information leakage? It’s time to realize that while we are no longer in the 1940’s, there’s something to be learned from the previous generation about the control of sensitive information.

Posted in Ethical Hacking, IT and Computer Security, Training and Education

CISSP Study Tips – Movies with CISSP Exam Concepts

Studying for and passing the CISSP exam is not an easy task.  It requires a combination of CISSP training, reviewing, studying, and practice tests.  Many test candidates invest in a good study guide such as the CISSP Exam Cram by Michael Gregg.

CISSP Exam Tips

The CISSP exam is not easy; most individuals have stated that it requires a significant amount of work and an understanding of the CISSP mindset. If you’ve been busy studying, you know that it’s good to have an occasional break. Recently, someone suggested to me that a good way to take a break might be to watch a few CISSP-approved movies. While there’s no official CISSP-approved movie list, there are some movies whose concepts can be applied to the CISSP certification exam. Some movies can even provide tips on good and bad security practices. Each of the 10 CISSP exam domains is included:

1. Domain I: Operations security

  • Crimson Tide: Dual Control
  • Wargames: Wardialing

2. Domain II: Access control

  • Sneakers: Authentication, “my voice is my password”
  • Enemy of the State: Tempest, “all the walls are lined with copper”
  • Firewall: Bypassing/hacking access control

3. Domain III: Cryptography

  • Beautiful Minds: Frequency Analysis
  • National Treasure: Polyalphabetic cipher
  • The Falcon and the Snowman: Cryptographic attacks and the One Time Pad
  • From Russia with Love: Side Channel Attacks

4. Domain IV: Security architecture and design

  • Matrix: Assembly code and buffer overflows
  • Goodfellas: Entering the club through the kitchen door. Poor authentication (reference monitor)
  • Men in Black: Biba model – National Enquirer reference
  • Trading Places: Brewer-Nash model

5. Domain V: Telecommunications and network security

  • Pet Detective: The opening of the movie where Jim kicks the box. IP is like postal delivery: no guarantee of service
  • Die Hard with a Vengeance: SCADA Hacking

6. Domain VI: Business continuity and disaster recovery

  • Apollo 13: Emergency Response
  • Poseidon: Disaster Recovery
  • Titanic: Shows the importance of BC/DR testing

7. Domain VII: Legal, regulations, compliance, and investigations

  • Cheech and Chong: The courts don’t return contraband
  • Enron Smartest Men in the Room: Ethics
  • Dirty Harry: Do you feel lucky, warrant, and seizure

8. Domain VIII: Application security

  • Office Space: Separation of Duties, least privilege, salami attack
  • Superman: Salami Attack
  • The Net: Backdoor program and hacking

9. Domain IX: Information security and risk management

  • 21: Risk Management
  • Breach: Insider risk

10. Domain X: Physical (environmental) security

  • Independence Day: Halon discharged to contain fire in lab
  • The Italian Job: Locks and lock picking
  • Sherlock Holmes: Physical Entry and bypassing physical controls
  • Hackers: Dumpster Diving, reference to the Orange Book (TCSEC)

I know there have to be more movie references with study tips that I have probably missed. If you have one you would like me to add to the list and feel it applies to a specific concept needed for certification, let me know and I’ll be glad to add it. Finally, I hope you enjoy the break. Just don’t make it too long!

Posted in IT and Computer Security, Security Certification, Training and Education

The DHS Cyber Security Infrastructure Protection Act of 2010

What are your thoughts on giving DHS oversight over portions of the Internet? A new bill, HR 6423, plans to do just that. This bill would give DHS the right to regulate portions of the Internet that are deemed critical infrastructure. Some of the items in the bill include:

  • Creating a new Cyber Security Compliance Division
  • Requiring DHS to work with ISPs to develop tailored security plans

Is better cyber security needed? I believe so. Over the last several years, we have witnessed reports from The Wall Street Journal of malware being placed on systems connected to the power grid, and news of Stuxnet, malware designed to target SCADA systems. What mix of private/public oversight is right, and how much control should the U.S. government have? Fox News asked our COO, Michael Gregg, to comment on this pending legislation. That article can be found here: House bill would give DHS power to regulate firms for cybersecurity

Posted in Ethical Hacking, Hacking, IT and Computer Security, Security Certification

Employee Access Review – Preventing Access Creep

Access creep is a common problem and one way that employees sometimes end up with a greater level of access than they should have. One of the items we examine during a security assessment is employee access. While reviewing employee access isn’t as exciting as rooting a server, it is a necessary part of securing information assets. Business Week asked if I would contribute some tips on preventing access creep and what we look for when performing a security assessment, penetration test, or IT audit. If you would like to read the article, it can be found here.
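An access review of the kind described above boils down to one comparison: what each account holds versus what its current role justifies. The added Python example below (not from the original post, the Business Week article, or any IAM product) runs that comparison over a constructed entitlement export. It flags every entitlement outside the current role’s baseline, attributes each leftover to the former role that would have granted it, and raises the severity when the leftover is a privileged right or the account belongs to a leaver. The role baselines, entitlement names, and sample accounts are all constructed for illustration.

```python
"""Added example: flag access creep by diffing entitlements against each account's current role.

The role baselines and accounts below are constructed to illustrate the review.
"""
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "helpdesk":   {"ad:reset-password", "ticketing:agent", "vpn:standard"},
    "finance":    {"erp:ap-clerk", "vpn:standard"},
    "hr":         {"hris:edit", "vpn:standard"},
    "sysadmin":   {"ad:reset-password", "ad:domain-admins", "backup:restore", "vpn:full"},
    "terminated": set(),          # a leaver should hold nothing at all
}

# Constructed list of entitlements that warrant immediate follow-up outside a baseline.
PRIVILEGED = {"ad:domain-admins", "backup:restore", "vpn:full"}


@dataclass
class Account:
    user: str
    current_role: str
    entitlements: set
    former_roles: list = field(default_factory=list)   # most recent first


def review_account(acct: Account, baseline=ROLE_BASELINE) -> list:
    """Return one finding per entitlement the current role does not justify."""
    allowed = baseline.get(acct.current_role, set())
    findings = []
    for ent in sorted(acct.entitlements - allowed):
        # Attribute the leftover to the first former role whose baseline contained it.
        source = next((r for r in acct.former_roles if ent in baseline.get(r, set())), "unknown")
        high = ent in PRIVILEGED or acct.current_role == "terminated"
        findings.append({
            "user": acct.user,
            "entitlement": ent,
            "current_role": acct.current_role,
            "likely_source": source,
            "severity": "high" if high else "medium",
        })
    return findings


def review(accounts, baseline=ROLE_BASELINE) -> list:
    """Review every account in an export and concatenate the findings."""
    return [f for acct in accounts for f in review_account(acct, baseline)]


def summarize(findings) -> dict:
    """Count findings per user so the noisiest accounts are looked at first."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


# Constructed sample: an entitlement export after two role changes and one leaver.
SAMPLE_ACCOUNTS = [
    Account("alice", "hr", {"hris:edit", "vpn:standard", "ad:reset-password", "erp:ap-clerk"},
            former_roles=["finance", "helpdesk"]),
    Account("bob", "sysadmin", set(ROLE_BASELINE["sysadmin"])),
    Account("carol", "terminated", {"ad:domain-admins", "vpn:full"}, former_roles=["sysadmin"]),
]

if __name__ == "__main__":
    results = review(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"{f['severity']:6} {f['user']:6} {f['entitlement']:20} "
              f"(left over from {f['likely_source']})")
    print(summarize(results))
```

In the sample, alice still carries rights from two earlier roles, bob matches his baseline exactly, and carol’s account was never stripped when she left; the `likely_source` field is what turns a finding into a conversation with the right process owner rather than a bare list of extra permissions.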

Posted in Ethical Hacking, IT and Computer Security