Does your information security implementation suffer from mistakes in approach? Everyone is focused on information security, and security is a constant addition to every corporate mission statement. And yet in nearly every security implementation there is a recurring range of mistakes in information security. Here are the five most common:
- Focusing primarily on perimeter security - Put in firewalls, and other firewalls behind those firewalls, and some IPS in the middle, and set them all up to defend the Internet link of the corporation. And that's it, no need to do anything else. Sound familiar? Defending the perimeter is important, but it's not the only point of security strengthening. A successful attack does not try to punch a hole through the thickest wall - it finds a way to bypass such walls. Security needs to be layered and focused on properly protecting the resources that store and process information.
- Relying on hard-coded elements - whether it be a hostname, an IP address or a username/password pair, hard-coded elements in a file open a gaping hole in security. Anyone managing to read or disassemble the file has access to a nice set of information that is very useful for an attack. Always rely on user-supplied elements or single sign-on instead of hard-coded elements.
- Trusting people - Any casino owner will tell you the grim truth - 30% of employees are out to steal from you. This is true in any industry, and by the way, you can never know which ones are included in the 30%. Therefore, implicit trust and saying "he/she can never do us harm, the loyalty is too great" will only land you in trouble. Always enforce security rules and policies for every process and employee.
- Relying on an issue being fixed in the "other element" - "This will be fixed in the program", or "This will be fixed in the database". Finding an issue and hoping that someone else will fix it is stupid, to say the least. Address the issue immediately, for no one else will!
- Improper discarding of documentation - Hundreds of thousands of confidential documents are thrown into the garbage every day - even whole laptops which are for some reason not functioning properly. This simple neglect of information that is no longer needed is the easiest (and most legal) route to information and identity theft. Institute simple procedures for information destruction, ranging from paper up to malfunctioning hard drives. The technical resources needed for this are inexpensive and plentiful!
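As an added example (not code from the original post), here is a small Python check that flags the three kinds of hard-coded element the second mistake warns about: literal IP addresses, hostnames and credential pairs sitting in a configuration or source file. The sample lines are constructed for the demonstration, and the patterns are a starting point, not a complete scanner.

```python
import re
from typing import List, Tuple

# Constructed sample lines in the shape of a config or source file (not from the post).
SAMPLE_LINES = [
    'db_host = "10.20.30.40"',
    "DB_USER = 'app_admin'",
    'DB_PASSWORD = "Summer2009!"',
    'api_host = "payments.internal.example.com"',
    'password = os.environ["DB_PASSWORD"]',  # resolved at runtime, so not flagged
    'timeout = 30',
]

# One pattern per kind of hard-coded element the post lists; the last capture
# group of each pattern is the offending value.
PATTERNS = [
    ("ip_address", re.compile(r'["\'](\d{1,3}(?:\.\d{1,3}){3})["\']')),
    # a quoted dotted name containing at least one letter, so bare IPs are left to the rule above
    ("hostname", re.compile(r'["\'](?=[^"\']*[a-z])([a-z0-9-]+(?:\.[a-z0-9-]+)+)["\']', re.I)),
    ("credential", re.compile(
        r'(user(?:name)?|pass(?:word|wd)?|secret|api_?key)\s*[:=]\s*["\']([^"\']+)["\']', re.I)),
]

Finding = Tuple[int, str, str]  # (line number, kind, value)


def find_hardcoded(lines: List[str]) -> List[Finding]:
    """Return every literal hostname, IP address or credential value found in `lines`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(match.lastindex)))
    return findings


def report(lines: List[str]) -> int:
    """Print findings in a grep-like form and return how many there were."""
    findings = find_hardcoded(lines)
    for lineno, kind, value in findings:
        print(f"line {lineno}: hard-coded {kind}: {value}")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_LINES)
```

Run it against real configuration files by passing `open(path).read().splitlines()` to `report`; the line read from `os.environ` is the pattern the post recommends, and it is correctly not reported.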
Do you have an example of mistakes? Add it in the comments!!!
Talkback and comments are most welcome
Oracle owns Sun. It moved to acquire the failing giant ahead of IBM, and now it has access to a large installed base of Sun servers. But what will Oracle do with a hardware company, and what will remain of it after Larry Ellison is done with Sun?
- Hardware - Oracle has its R&D focused on databases, and to some extent on underlying operating systems. But Oracle does not want to meddle with expensive chip research just to maintain the SPARC platform. So the server division will go on sale to HP, IBM, EMC, Dell or some venture capital firm - lock, stock and barrel.
- Solaris - A wonderful OS, a leader on many platforms. Oracle will want to make its DBMS one-click installable on an empty machine, so Solaris for Intel will probably be the weapon of choice for this move. But in the process, Solaris will become an embedded
- MySQL - a possible casualty of the RDBMS war - Oracle will need to position this product carefully, to be less competitive with Oracle RDBMS and more competitive with embedded databases and the free competition. If Oracle cannot do this, they'll most probably let MySQL die of old age by simply not developing it any further.
- Consulting division - Some will be cut off, some will become Oracle consulting and integration, to take even more of the high-margin integration consulting business.
- Open source initiatives - THE BEST PLACE for breeding developers. If Oracle has any smarts, it will maintain its strong support for open source, but steer it towards Oracle as the development platform.
- JAVA - The weapon of mass destruction for Oracle - Just like the open source initiatives, expect that Java will continue to flourish - simply because Oracle wants more and more software that will use their databases.
In any case, things won't be the same. It is sad to see another one of the high quality system giants go.
A security assessment is a big deal. It takes a lot of time, requires a good chunk of budget since it is done by independent consultants, and the outcome is at best 'OK, but could be better'.
For all these reasons, as well as some ego-driven ones which won't be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.
While the real thing may take time, budget lobbying and the guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling for where you stand. You can do this assessment on your own time, and no one needs to know the outcome.
Answer each of the questions truthfully with a yes or a no. If it is partial, write it up as a no. For each answer, add the appropriate number of points to a total score (indicated on each question). After finishing all the questions, sum the score and find the appropriate assessment result depending on which interval your score falls in.
- Do we have a firewall active at all ingress points of the network? Yes - 5 points, No - 0 points
- Does our team control all firewalls? Yes - 5 points, No - 0 points
- Do we have the following basic technical policies in place? Add 1 point for each policy in place:
  - password complexity
  - password retention
  - password history
  - logon hours
  - controlled registry editing
- 30-36 points - Very good security posture - You have the basics of great security governance. Continue developing on both the procedural and technical levels of security.
- 20-30 points - Acceptable security posture - You are lacking in written procedures and change management, but basic technical security is at a good level - you need to work harder on formalization.
- 10-20 points - Basic security posture - Very basic security, lacking any formal security process, and also probably missing elements in auditing, ingress path control and technical policies. You have a long way to go, and you should have started yesterday!
- 0-10 points - Disaster waiting to happen - So you have firewalls? Really? And maybe you've even plugged them in? Hire a good security expert - after firing your current one - and start getting somewhere.
There are tons of books which 'teach' you how to become a hacker. Some boast that they will make you a hacker in XX days, or brag about being authored by the greatest experts in the field, or some other commercial mumbo-jumbo.
But is there any great wisdom in those books? No, and they are not even good at teaching technology.
Here is what hacking books will NEVER tell you:
- Being a hacker requires a HUGE amount of learning - All hacking books tell you that you need a lot of programming knowledge, a lot of TCP/IP knowledge, and some of them will try to cover the basics. Look around you: the people with that knowledge are usually the 'gurus' at this and that company, and have a much nicer title - usually it's infrastructure architect, chief designer or something along those lines. And these people got there by working overtime, at night, at home, over weekends, with missed vacations, and by building systems from the ground up. It took a lot of dedication and a whole lot of time to reach that kind of knowledge.
- Being a hacker is very rarely (if ever) a glamorous thing - Most hacking activities are not legal, therefore the prominent or established hacker has to watch his/her back, remain undercover and rarely trust anyone. Even if you employ your skills for patriotic or political goals, you'll be a hero somewhere, but an enemy elsewhere. Oh, and no one will ever make a movie of your achievements and exploits!!!
- Few people earn a legal salary as hackers - hackers are usually hired to do 'dirty' jobs, or at least jobs of questionable legality. So apart from earning money, these jobs leave the hacker always looking over his/her shoulder for investigators or the police. If you are thinking about penetration testing, think again - hackers are not hired outright for such jobs, since consent to penetration testing requires an enormous amount of trust in the pen-tester. These jobs are mostly landed by 'white-hat' pen-testers with an excellent public track record.
On the other hand, if you keep up the learning and studying it takes to be a hacker, you will build excellent technical expertise. Focusing your skills not as a hacker, but as a technical expert, will bring you a good name, a lot of conferences where you'll do presentations and a lot of contacts in the expert field of IT.
Online or cloud backup was one of the buzzwords of cloud computing, and was actually leading the wave in terms of commercial implementation. Hewlett-Packard had its Upline service, Yahoo had its Briefcase, IBackup is going strong. But the market for online backup is still quite volatile.
For instance, HP has decided to shut down Upline, without much explanation to the customers. It went down on March 31, 2009. Oh, by the way, Yahoo closed shop at Briefcase on March 30, just a day earlier!
In the meantime, the big players are repositioning: EMC purchased Mozy - an online backup startup - and is pushing the service strongly. And there are still new players on the field - COMODO has just announced their online backup service. And we are hearing that Symantec is also going into the online backup business!
With all these events, several questions regarding the entire Online Backup solution surface from the murky deep:
- Who uses whose infrastructure? - the simultaneous closing of two major services (HP Upline and Yahoo Briefcase) may be a simple coincidence. But, on the other hand, it is a 'cloud' service, thus one service may outsource its physical storage to another vendor. This leads to all kinds of unanswered questions like:
  - Who else has access to the backed-up data?
  - Is the advertised availability actually achievable?
  - Can we lose the backed-up data if the outsourced provider fails financially?
- Is your online backup actually safe? - While technical security measures can be implemented and documented, corporate decisions fall way outside the scope of the service. And corporate decisions may include layoffs, selling of assets, closing of divisions, even selling of the entire company. And in such conditions, the service provider's employees couldn't care less about some Joe Average's online photo collection or sales reports.
- Can you define a long-term data retention policy and rely on online backup to meet it? - HP is a HUGE company. And it failed to deliver a long-running service. One may argue that HP is primarily a hardware vendor, but nevertheless a large company is always interested in presenting itself as a serious long-term partner. And yet, it closed its service. So, who can tell what will happen to the other Online Backup service providers?
- Which service provider is the right choice for Online Backup? - Again, HP and Yahoo are large, and closed up shop. Other service providers are all over the place: from start-ups, through venture capital funded firms, up to large players who purchased smaller ones. Which one will prove to be the best, and which one will actually deliver on the promise?
Yesterday, after a month of negotiations, G-M Venture Investment Fund purchased the Shortinfosec blog.
The price of the entire deal is $100,000 US.
The blog was purchased in its entirety, with all text copyright going to G-M Venture, and including the physical assets of Shortinfosec:
- 3 BackTrack DVDs
- 3 Helix Forensic CDs
- 1 no-name Pentium 4 desktop PC
- 23 VMware virtual machines with labs
- 1 250 GB TrueCrypt-encrypted hard drive with lost password
According to a G-M official, to minimize the risk of being short in the payment due to the inflation of the Zimbabwean dollar, they have sent three tankers of cash. Whatever is left after the transaction will be used as landfill mass in a nearby harbor.
And of course, Happy April Fools' Day!!!