The STRATFOR Conundrum

It has been a while since the last published article, and we are not going to try to make excuses.
But we are enticed to do a quick note of the developing story of STRATFOR. In summary, Strategic Forecasting (STRATFOR) servers got hacked by a group apparently affiliated with Anonymous. Anonymous have since denied any involvement in the hack.

The attack apparently resulted in more than 200 GB of data being stolen.

The story of the hackers is published on pastebin
http://pastebin.com/q5kXd7Fd

The STRATFOR site is currently offline



I can honestly say that I would not want to be in the shoes of the IT guys nor the CEO of STRATFOR.

This incident shows that even guys which do intelligence and security for a living can fail miserably at protecting their information assets.

But what is much more bizarre is the fact that STRATFOR decided to keep a large number of credit card numbers in their databases, thus creating a huge financial problem, which will greatly increase the profile of the incident.

Talkback and comments are most welcome

Related posts
Blogtipz Hacked
When Will Your Mobile Phone get Hacked?

Five Information Security Issues We All Face Today

Technology has done a great deal for changing the way we live and do business today. While the benefits are numerous, however, there have been challenges that come with that development. Here’s a look at some of the information security issues we all face.

Awareness
A blog post by Rik Ferguson for Trend Micro says awareness and education are key issues surrounding information security today. People must understand and accept the risks that come with using technology and the Internet in particular. By knowing threats are present, they can learn to use these luxuries carefully, and not blindly accept that someone will have the solutions for any problems they may face.

Complacent Businesses
We place considerable faith in businesses to safeguard our personal information. However, some companies are not always as proactive about defending files as they could be, Ferguson suggested. In fact some don’t strengthen protective measures already in place until information breaches or near-breaches occur. Customers want to know their information is protected, and businesses often have a legal obligation to plan ahead and monitor their client files as much as possible.

A Wealth of Online Possibilities
Online banking, smart phones, credit cards, bill pay, and countless other Internet options open individuals to numerous hacking risks and opportunities for criminals to try stealing personal information. Careful selection of account passwords, safeguarding Social Security numbers, and being absolutely certain that companies are reputable will help individuals handle some of these risks.

Recognizing Problems
Not every threat can be avoided, but being able to recognize the warning signs of identity theft might keep a problem from escalating as much as it could have if left unchecked. Unauthorized account changes or withdrawals, unexplained denials of credit, and letters or phone calls about services or products you haven’t requested are all good indicators that you might have a problem on your hands and that steps should be taken to stop these issues.

Risk Management
Companies and individuals are responsible for managing the risks associated with keeping personal information in computer files. People and businesses should know what information is in their files, and keep only what is absolutely necessary. Then, plans must be made to keep those essential files safe.

What You Can Do
If you’re interested in joining the ranks of qualified professionals who work daily to keep information and technology safe and secure, consider attending college for information technology training. You’ll learn how to prevent cyber attacks and teach people how to protect their important files. Many colleges and universities offer this degree; start checking for schools if this sounds like the right profession for you.


About the Author:

This guest post has been provided by Philip J Reed on behalf of Westwood College. Westwood offers degrees in many programs, including information technology training. They have an extensive online course catalogue, and are always available to answer any questions you may have about the degrees they offer.


Talkback and comments are most welcome

Related posts
Information Systems Security as a Profession
ITILv3 Foundations Training - Experiences

RAID and Disk Size - Search for Performance

Centralizing your storage is always a very good idea - you can manage storage requirements of most servers through a central storage system, without the hassle of juggling local disks within servers.

But centralizing a storage opens a whole new world of hassles:

  • Physical limits- depending your choice of vendor and class of storage you may be limited by number available slots for drives
  • Technical limits- depending your choice of vendor and class of storage, it may support hundreds od drives, but not with your current CPU's or cache memory
  • Higher costs - everything within the storage costs - physical drives, CPU's, cache memory, drive bays, licenses for storage management software. And all these usually have exorbitant prices.
So when looking for a storage, there is always a tug of war: limited budget vs functionality, drive space and performance.

Let's discuss all three elements countering the budget:

  • Functionality - this are covers overall management, non-disruptive OS upgrades, point-in-time snapshots, point-in-time clones, replication functionality etc. These are very easy to declare as requirement by the client, and leave very little 'wiggle space' for the storage vendors to try to sell something else or reduce the price at the RFP by reducing .
  • Drive Space and Performance - Here is the conflict between storage vendors and clients: Storage vendors do not sell space and rarely sell performance, they sell hard drives. And everything in their portfolio (cache, slots, licenses) is based on physical drives. So they will always push the client into a 'number of drives' mentality. This is wrong, the client needs to think in terms of useable space and Input/Output Operations per Second (IOPS), because at the end of the day, the servers do not care that you have 20 drives, when they see only 100GB of partition and only 200 IOPS when they need 1000. And here we hit the problem of balance - as you are well aware, a storage can provide different levels of data protection through redundancy or parity, at the cost of physical capacity and performance.
When declaring your useable space, you need to either declare the number of IOPS that it needs to support or (which is very difficult) or to declare a RAID level. Since estimating actual IOPS requirement is difficult, you can always approach it with a 'I need a better functionality then I have at the moment'. This is very easy to achieve with the Wmarow's IOPS calculator:

  1. Input the parameters for number of drives and raid level that is currently servicing your server.
  2. Then input the estimated number of drives and organization (RAID) that you are thinking of buying.
  3. Compare the IOPS results.
  4. If you are migrating more servers to one RAID group, add up all initial IOPS and compare to the one resulting IOPS
  5. You need to achieve a better IOPS result for the target then currently, by at least 50%

The results will vary wildly, based on number and type of drives, as well as RAID level. We have calculated a sample of IOPS results for a 2 TB capacity drive using different RAID levels and disk drives, with an assumption of using a small storage with only 16 slots for disks (click the image for large version):



Please note that the actual IOPS result of a certain storage system may be different in absolute value, because of processor power, advanced algorithms and cache memory. But regardless of these attributes, the relative ratio between the produced IOPS will remain the same - RAID0 will be always 3 times faster then RAID5 on same drives.

Also, please note that no matter what the abilities of the storage system that you are looking at, there are physical limitations to each disk, and these cannot be overcome by any amount of cache, intelligent algorithms or processing power of the storage system.

In conclusion, since the absolute value of different storage system may be different, what is the best way for a client to be certain that he/she will receive the balance of protection and performance that is needed ? There are two options:
  1. Test the configuration. If someone wants to sell a storage, he/she should be able to create a same configuration storage at a lab environment, and you then generate a full load of performance and load testing of the configuration
  2. Ask for a guarantee - give the salespeople the parameters of the services on the servers (databse, file servers etc.). These can be collected through performance monitor and database tools. Then make the vendor guarantee with financial penalties that any of the functions will perform two times faster (or any other parameter) with the same servers.

Talkback and comments are most welcome

Related posts
Choosing a System Integrator - Follow the money
Cloud Computing - Premature murder of the datacenter

Maintaining quality in outsourcing telco services

More and more IT services are being outsourced. And as telco services are now easily integrated and transported over IP protocols, the outsourcing is being well established with telco.

But the issue with telco services is that quality in telco is very difficult to properly define. This is because there are parameters that are difficult to track – sound quality, response of system to tone-dial menu selection of an IVR, unexpected intermittent interruptions of voice communication, temporarily unavailable service.
And when part of the telco service is outsourced, it becomes even more difficult to manage the quality of such services.

Here are some elements that will affect the quality of outsourced telco services:

  1. Oversubscription to outsourcing service – the service may be of a variable quality, with off and on periods when service is poor and then it’s great. This is usually connected to oversubscription of the outsourcing service, and when their services are overloaded, the customer facing service is of poor quality.
  2. Availability of the oursourcing servers – simple and straightforward, power outages, server outages, cooling outages all create failures that interrupt service. Even if there are secondary servers, the switchover will fail all active connections
  3. Connectivity to outsourcing service - most outsourcing services are far and away, most often in asia. So internet links will be the primary connectivity media to such outsourcing services. But the internet as a medium has a lot of possible issues and failures of connectivity paths are not that rare.

When the outsourcing service is part of your call management, things get very interesting. Services that are part of the call management process that are easily outsourced are ringback tone, voice mail, autoanswer etc.


How to solve this issue of quality when outsourcing? There is no magic bullet, but here are some experiences and pointers:
  • Ofcourse, you will create the standard contract with availability, packet loss and jitter criteria. (see related posts)
  • You can also include call disconnects or failure to connect.
  • It would be very good to try to connect this to customer complaint number, but the outsourcing service will be very reluctant to accept a quality of service condition is connected to a very subjective criteria that cannot be measured and confirmed by both parties independently.
  • Create a criteria of complaint to outsourcing service - for example, if the telco customer detects issues that are so large that they need to send a complaint to their outsourcing service more then 4 times every quarter, that would be a basis for a contract review. This clause is very wise to include especially in the first year of use of the outsourcing service, when you are still learning their weak points

Talkback and comments are most welcome

Related posts
Telco SLA - parameters and penalties
Is the Phone Working? - Alternative Telephony SLA
5 SLA Nonsense Examples - Always Read the Fine Print

Information Gathering - lessons from The Big Short

Information gathering from public sources is still one of the best ways to understand your potential target.

I have been reading a great book called "The Big Short". It's a book about the financial crisis of the sub-prime mortgage market in the US. I don't have any financial services training so I didn't quite grasp all the nuances of the financial machinations involved, but one thing is clear: All people that managed to profit during the failure of the subprime mortgage market relied only on publicly available information.



This only goes to show the power that lies in publicly available information, if it is analyzed properly. Always collect as much information as possible, using OSINT tools like collection of financial statements, annual reports, analysis through specific tools like Maltego and IP and DNS registries.

Regardless of whether you need to collect information on a potential competitor, a target of a penetration test, in financial spread betting or derivatives trading, or even in financial research of a company there are several lessons that the "The Big Short" teaches us:

  1. Financial statements contain non-financial data - do not run away from the balance sheets, income statements and the like. Most often, these documents have a significant narrative which describes the points of the financial items, and thus explains the operations of the target
  2. Collect information for the target - grab financial statements, news on sales contracts, news on key personnel that arrived or left the company and their assistants, everything in terms of indexed documents or spreadsheets.
  3. Collect information for the target’s partners and customers - it is not only the target that needs to be investigated. An excellent information source may always be the partners who may have less stringent information security policies. Also, their financial statements may have useful insights.
  4. Look at relationships between everyone - who owes money to whom, who is dependent, who has the trust of who. Understanding relationships between people and companies is a great foothold for social engineering.
  5. Ask the 5 Why- On every fact or relationship, ask yourself why is this done in such a way and try to answer it. Then ask why on the answer, and again and again. If you don’t find a good simple answer, there's a good chance there is a gap there, either some useful information is not available but is important, or there is a gap to be exploited.

While "The Big Short" is about making money, the lessons from it are excellent for information security. I would recommend a read for every security guy.

Talkback and comments are most welcome

Related posts
Digging for information with Open Source Intelligence

Software Security Degree Programs

Software security is a highly technical and vital skill in today's evolving technological marketplace. Even so, programs specializing in this area are quite rare. In fact, it's more common to find a professional in this field with a Bachelor's or Master's degree in computer science, than it is to find experts who have achieved a certification in software security.


Software Security Degrees Are on the Rise

More institutions are providing programs and degrees focused on the security aspect of information technology than ever before. Part of the reason for this is the significant projected increase in the number of jobs available in the field. In fact, the Bureau of Labor Statistics estimates the industry will grow by 36%.

The growing technology and ever-expanding number of applications are a significant contributing factor. As new technology appears and grows, so does the risk of system vulnerabilities and the need for specialists to mitigate and protect against them using penetration testing tools and other preventative procedures. .


What to Expect in a Software Security Degree Program


If you're interested in a software security degree program, you'll find a healthy interest in technology and solving intricate problems will help a lot. By the time you've received your degree, however, you'll have a detailed understanding of the challenges involved in securing network and computer systems, and be able to use technological tools and protocols to minimize risks. You'll feel confident knowing you can restore various systems after an attack and be comfortable providing security for mobile and software management.

You'll have the basics in software engineering, telecommunication network fundamentals and have the option to include additional classes such as business management and managerial economics. Just because this program focuses on software security, doesn't mean there's no variety.

Some programs such as the Master of Science in Information Technology – Information Security designation (MSIT-IS degree program) from INI Pittsburgh-Silicon Valley offers focuses in Mobility, Information Security, or Software Management. You're not confined to standard classroom learning either. Some programs offer an internship while many classes are available online, which is perfect for students who may otherwise be unable to take this kind of program.

Certifications in this area can be attained in as little as two years, although the education can take up to four. Most potential employers will consider applicants who combine a degree with practical experience, and this is where internships can make a significant difference.


Where Can You Work With a Software Security Degree?

The job titles currently available to those with a software security degree can include information technology specialist, data security administrator and computer security specialist, among others. Applications can involve the health care industry, financial businesses, or any business that requires any sort of computer program to function. This leaves the field wide open to those who wish to specialize in this fast-growing career choice. The money isn't bad either; annual salary starts at an average of $50K per year and goes up from there.

With the need for software security experts on the rise, and everyone getting online, you can still work in almost any industry. Combine you degree with other interests, and you may just find the career you've always dreamed of.


This is a guest post by Fergal Glynn. Fergal is the director of product marketing and a frequent writer for Veracode. The Veracode platform helps websites of all kinds avoid cross site scripting vulnerabilities. Fergal has spent the last decade working primarily in online security and software development


Talkback and comments are most welcome

The Cloud - time for serious consideration - Web services

In 2008 we published an article on cloud computing, which basically said, don't turn off your local datacenter. To be very sincere, Shortinfosec was a little hypocritical in that article - since Shortinfosec was and is hosted in the cloud. After three years, and a lot of additional examples of cloud development, it is time for a serious reconsideration:

Our original argument was that the confidentiality, availability and integrity triad was unsustainable in the cloud world at the time (2008). Today, things are looking different:

  • Backup storage is humming in the cloud in some form or another - and is being used by enterprises
  • At least 3 different vendors of banking software are collaborating with cloud services providers to enable the cloud operation of their software (Tieto, Misys, Temenos)
  • E-mail and office applications are happily running in the cloud (Google, Microsoft)
  • Web applications are more available then ever
Since this article will become too long if we discuss all possible cloud applications, let's start with the simplest one - Web hosting.

From it's inception, web hosting was in a sense hosted in the cloud - but a very simple cloud. Very few people or even companies own and operate web servers, and others host their web sites on provider servers throughout the world.
But hosting is not exactly the cloud. The cloud offers so much more for web hosting.

Now, this is not the time to start thinking: "I'm thinking of upgrading my web host and I've been checking some web hosting reviews. It's pretty hard to decide which host especially when reading the editorial and user reviews since all of Linkthem have good reviews." Let's go on and choose the most expensive one."Link

When reviewing moving the web to cloud, understand the strengths and weaknesses of the cloud:

Strengths
  • Availablity - any cloud service is distributed over multiple servers, datacenters and sites. And the cloud systems can transfer the hosted applications/sites near-instantly between this infrastructure. So even if a server fails, your availability will be nearly unharmed.
  • Coping with large load variations - again, since there are multiple servers and datacenters, if your application/site suddenly become very popular, the cloud infrastructure won't fall to it's knees under the load of additional requests.
  • Timely and consistent updates - the underlying servers of the cloud infrastructure need to be fully consistent with each other. Also, since they are running many customers applications/sites, a failure due to a patch is not something the cloud service will accept. So you can rely on the fact that all servers will be very quickly and consistently updated.
  • Extremely fast scaling out - If your application/site has a sustained high visit rate, it needs more servers to run on. This is very easy to implement in a multi-server, multi-site environment of a cloud service.

Weaknesses
  • Custom platform - each cloud service provider designs the cloud service environment with it's specifics, like underlying operating system, databases, application server and development platform. These are fixed across the entire cloud platform, and if you wish your application/site to run on the cloud service, you must make it work with the cloud service.
  • Lock in - once you have adjusted the entire application/site to run on the cloud service environment, it may be difficult to move it to another cloud service provider - since then you'll need to re-adjust everything to run on the new cloud service. This is even more difficult if the application/site was developed from scratch with specific cloud service in mind.
  • Isolation breach - your application/service is not the only one running on the cloud service systems. A breach between the isolation controls of different applications/customers can cause access to proprietary data, use of other party's resources and in general a very large amount of grief for everyone involved. At the least, you could be billed for resources that another application in your context due to such breach
  • Data protection - placing your application/site in the cloud also puts it's data in the cloud. And this data is very important to you, and sometimes very confidential in nature. Since all this data is managed by the service provider, incidents of data loss, data leaks and security breaches can all happen.
  • Cost - the cloud service providers have a lot of innovative pricing mechanisms, like pricing per I/O, or per CPU used, or bandwidth, or any combination of those. So while efficiency and availability will definetly increase, so may the costs of your hosting.

The cloud is very ripe for web services. But before you choose one, be careful to do a serious consideration on your pros and cons. If you can match your application/site to a cloud service, you can bring it to a new level of efficient operation.


Talkback and comments are most welcome

Related posts

Cloud Computing - Premature murder of the datacenter
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks
Checking web site security - the quick approach
Tutorial - Secure Web Based Job Application
Rules for good Corporate Web Presence

Where are your default admin passwords - and who can get to them?

Every corporation nowadays is very concerned with account security. And the first thing that an auditor or security officer asks for are the treatment and storage of the default admin accounts (root, administrator, sa, DBO...).
We don't need to repeat the well known mantra of not using the default accounts for daily use.

But these accounts and passwords still need to be well secured, in order to achieve the following criteria

  • Security - the passwords for the default admin accounts need to be strong and complex, and should withstand most attempts at brute force or social engineering attacks
  • Confidentiality -no single person should know the default admin account password, since he/she can abuse this account for gain or to cause damage.
  • Availability - In times of crisis, the organization may still need to use these default admin accounts, so they cannot be lost
The following procedure can be applied by any organization, and it meets all three criteria.

Security and Confidentiality - the passwords should be constructed in two parts (each part entered by different person). Having two people create a password increases the complexity significantly, and reduces the possibility of using social knowledge of a single person to attack the password. Also, no single person knows the password.

Confidentiality and Availability - The parts of the password should be written on separate pieces of paper marked first and second part and stored in separate envelopes. These two envelopes should then be stored in a tamper evident envelope.

Placing the passwords in tamper evident envelope is a place where most attempts at secure storing fail. The basic reason is that tamper evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely the case, since such envelopes are available in most office supplies stores.

But even if such envelopes are not available, you can easily create a DYI tamper evident envelope like this:

  1. Take an ordinary envelope.
  2. Ask your manager to sign his name at least 2 times on the edges of the envelope, from both sides.
  3. Cover the length of signed edges with a transparent adhesive tape (scotch tape) - make sure that you overlap the envelope with the adhesive tape.
  4. Put the password envelopes inside the tamper-evident envelope
  5. Seal the envelope, and have the manager sign the edge where the envelope is sealed
  6. Cover the length of the seal and the signatures with the adhesive tape - make sure that the tape touches both the flap and the envelope surface as well as the signatures
The end result can be seen on the following image.


Through this process you have created a crude tamper-evident envelope. If someone tries to open this envelope at any edge or through the sealed flap, he/she will damage the adhesive tape. This damage is easily visible. If someone tries to remove the adhesive tape prior to opening the envelope, the removed adhesive tape will remove the signature that it covers - thus showing that the envelope was tampered with.

Once this step is out of the way, the securing of password can be finished by storing the envelope in the department safe, where employees can still get to it if needed (a crisis situation)


This process is very simple to follow, and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts. Just make sure that you reset the passwords of the default admin accounts in all places where they are used, like services/daemon accounts, and system jobs.

Talkback and comments are most welcome

Related posts
Cracking a TrueCrypt Container
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
5 Minute Security Assessment

Information Systems Security as a Profession

Computer hackers and cyber-terrorists can wreak havoc on information systems (IS). Because of this looming threat, the demand for cyber-security specialists – and information security training – is on the rise.

Trained and certified IS security professionals are needed to combat these threats and vulnerabilities, which can be incredibly costly to organizations. In fact, a Reuters special report noted that the market that the IS security market is estimated to be between $80 billion and $140 billion a year worldwide.


IS Security Opportunities

Industry experts suggest that that there is a tremendous need for IS security specialists in both the commercial sector and government. National Public Radio (NPR) recently interviewed James Gosler, a veteran cyber-security specialist who has worked at the CIA, National Security Agency and Energy Department.

Gosler estimated that there are only about 1,000 people in the United States that have the necessary skills to tackle the most challenging IS security tasks – but noted that some 20,000 to 30,000 highly trained security professionals are needed to meet the needs of corporations and government agencies. The U.S. Bureau of Labor Statistics (BLS) projects that employment in this field will grow much faster than the average for all occupations, with an increase of 20% or more between 2008 and 2018.


Career Options, Salaries and Job Duties

If you’re considering a career in IS security, you’ll find job openings in a variety of related areas. Security specialists may be found in each of the following BLS occupational groups, and often enjoy salaries in excess of $100,000 per year:*

  • Computer Specialists: $41,680 – $115,050
  • Database Administrators: $40,780 – $114,200
  • Computer Systems Analysts: $47,130 – $119,170
  • Network Systems and Data Communications Analysts: $42,880 – $116,120
  • Computer and Information Systems Managers: $69,900 – $166,400

IS security specialists with industry certification typically earn salaries at the higher end of the range. For example, a 2009 salary survey Certification Magazine found that professionals with the Certified Information Systems Security Professional (CISSP®) credential earned an average annual salary of $108,630.

As an IS security professional, your work might involve encrypting data transmissions, implementing firewalls and developing a formal strategy to protect computer files from unauthorized access. You may also be charged with policing violations of security procedures, and taking corrective or punitive measures.

Other duties include controlling, granting or restricting access to files as required by user; tracking and proactively addressing potential computer virus threats; and performing risk assessments and tests to ensure that security protocols are functioning as intended.


Education and Training

Most IS security jobs require at least a bachelor’s degree in a field such as computer information systems, information technology or engineering. Experience in software or computer hardware design is also beneficial. Candidates with specialized information security training will enjoy the best prospects.

To help meet the demand for government IS security personnel, the Department of Justice sponsors the Federal Cyber Corps Program. College juniors or first-year graduate students who are pursuing a relevant degree and planning on a career in the IS security field are eligible to apply.

Participants receive a monthly stipend of about $1,000 plus tuition, room and board, and travel to conferences. In return, students are expected to complete a summer internship with a federal agency.

Working professionals can pursue information security training through continuing education programs. Online security training is a great way to develop the knowledge and skills required to practice in this specialized field.

Some online security training programs even prepare participants to earn salary-boosting certifications, such as the CISSP®, SSCP® and CAP® designations from (ISC)2® and the CompTIA Security+™ certification.

Do you think you have what it takes to succeed in this challenging field? Employers and government agencies are actively seeking cyber warriors to safeguard critical information infrastructures against security threats. With a computer-related degree and relevant information systems security training, you’ll find yourself in high demand for rewarding, high-paying IS security jobs.



This is a guest post by Claudia Vandermilt. Claudia works in conjunction with Villanova University and University Alliance to promote professional training materials. She’s currently taking Advanced Information Assurance and Security and looks for exciting security news in her daily RSS.


Talkback and comments are most welcome

Related posts
ITILv3 Foundations Training - Experiences
8 Steps to Better Securing Your Job Application
Engaging a team for a security analysis

Mac Antivirus - Staying careful and safer

Having an antivirus software is a gold standard in the Windows world. But what if you are using a Mac? The prevailing opinion is that there aren't enough viruses or malware in the wild to merit having an antivirus.

But in reality, while very few will name 5 viruses for Mac off the top of their heads, Mac has a lot of issues. For instance, Safari does not have a stellar reputation on security. In March of 2011, at CanSecWest, a Mac with Safari fell victim to a security exploit in under 10 seconds.

Also, social engineering attacks can be easily used to con the user into running malware code on their Mac. So having an antivirus and antimalware package on your Mac is a very wise choice.

But this brings us to another problem: What antivirus software packages have a Mac version. As of June 2011, Wikipedia lists that only 16 out of 62 antivirus software packages support the Mac. In a very interesting marketing move, some antivirus manufacturers actually offer free use of antivirus packages for Mac. Norton has another very interesting combination product - one that runs on the native MacOS and another that runs on the Windows environment available through BootCamp.

The policy of implementing an antivirus on Mac is a very wise choice for corporate environments. If a corporate environment is just starting to adopt the Mac platform, one can start 'light' with the free antivirus packages. These are not manageable through a central console, so you will soon be looking for a corporate antivirus platform that includes Mac antivirus software. But while you are using a couple of Macs, the free stuff will help immensely.


Talkback and comments are most welcome

Related posts

Managing the permanent security issue of Top Management
Protecting from the CCenter Malware and Trojan
Managing Antivirus Software - Keep the reinstall away

What is a Dedicated Server, and Why Would I Need One?

A server is essentially a computer that does not do anything else but supply and store information for other computers. You could be using one of your computers as a server in your office, for example.

This computer would then be called a server and supplies information (even software applications) and data to other computers, which basically become user terminals. If you have an e-commerce site, or you have a lot of important information that you want to keep safe and secure, you should be looking at the best dedicated servers provider in your country or region.


Normally, when you register for a website, your website would be hosted on what is called a shared server. This means your website and information are stored on a computer that is used by many other customers of that provider.
In the case of a dedicated server, you have your own whole computer and network connection.

Here is a comparison of normal shared servers and dedicated servers to illuminate the issue.

  • Traffic Issues. If someone else’s website gets a lot of traffic, and your website and database are on the same server, your website will start to slow down. You cannot have this happening if your website and database are crucial to your business operations. With a dedicated server, you have the one whole computer to yourself, and there will be no influence on your traffic from outside sources.
  • Size. What happens when your website grows? With a shared server, you will have to keep buying extra space. With a dedicated server, you have the whole computer, and this means it is just about impossible to run out of space.
  • Security. Information on shared servers is never as secure as dedicated servers. There are multiple accounts and multiple users. Do you really want your important company information on a computer that is also being used by other people?
  • Service. Dedicated servers normally come with a range of services, such as back-up, security and support. If your information is on a computer provided by a normal shared server supplier, you cannot expect the same service. Do not expect the computer support with shared servers to match the response times of that provided by your dedicated server company. Dedicated also means the company should be dedicated to you, and not just the fact you have your own server.
  • Location. Just like any other server, your dedicated server will be stored in a very secure location. This is much better than having a server in your own office, for example. It would be possible to run your own e-commerce site from your own office, but you would need the technical know-how and computer support to manage your own server. Normally, that will require outsourcing it services or employing your own team.
  • Cost. Dedicated servers will obviously cost a considerable amount more than a standard server. If your e-commerce site is growing, for example, having a smooth, fast and reliable website will mean more money. Investment in a dedicated server is an investment into your revenue stream.

In essence, dedicated servers are necessary for anyone who is making revenue from their site with a lot of traffic. You need to be sure that your business is managed, monitored, protected and stands alone from anyone else’s business on the internet. You can always switch your website to a managed server as it grows, although for those who are serious about e-commerce, setting it up so it is stand-alone from the beginning, is still the best option.

This is a guest post by Tom Mallet is an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He’s published more than 500 articles about various topics, including dedicated servers and Computer Support


Talkback and comments are most welcome

Related posts
Creating Your Own Web Server
Tutorial: Making a Web Server
Is the Server Running - optimal use of redundancy on a budget

Where are the sources of security incidents?

Security incidents come in all shapes and sizes. They can affect availability, confidentiality or integrity. Shortinfosec organized a Linkedin poll to observe the opinions of the professionals on what are the sources of security incident that they deem most frequent.

The poll has 56 respondents , and there is no scientific selection of respondent groups to have a full blown research result. However, this small still nicely represents the issues by frequency that organizations are coping with.

The poll question was What is the most frequent incident type that is affecting your organization?
Five answers were suggested

  • Network Issue or Outage
  • External Hacker Attack
  • Internal Hacker Attack
  • Software Error Causing Data Corruption
  • Human Error Causing Data Corruption

The poll was open for all Linkedin users for 20 days, with invitations sent to the linkedin connections and groups.

Results and analysis
After the closing of the poll, the following results were observed:
Most respondents (66%) select network issues as the primary source of security incidents. Data corruption due to human error takes the second place with 18%, and data corruption due to software error with 13%.

However, the demographics of the responses also indicate different view of the issues from a different executive level. Network issue is selected as a primary source of security incidents by operational personnel. Management levels have also voted on this option, but the majority of issues of networking are felt by operational teams.


The second most frequent issue is human error, and this is an incident which is mostly identified by managers (more then 75%). In reality, a human operator within a company has significant abilities to work within the information system of the company. Human errors can happen for any number of reasons, and paired with the abilities of the human operator within the systems, very significant errors can occur corrupting data, causing erroneous calculations. And such data corruptions are easily felt across the entire company, hence the votes by management.


The third most frequent issue is data corruption due to software errors. These should have a much lower frequency then human errors, but the impact of such errors can be very wide ranging - since the error is embedded within the information system.



External hacker attack was chosen as the least frequent issue. But this only presents the view of the internal users. It is quite possible that internal users do not have the full scope of hacker attacks - they are not detected, or corporate procedures prevent distribution of information about hacker attacks.


Conclusion
The overall poll, while not conforming to standards for academic research, it still provides the following insights - operational people are plagued by network issues (availability), while managers are plagued by data corruptions (integrity).
Very few identify actual breach of confidentiality as a top issue in security incidents. It seems that the corporate world is either well protected against confidentiality breaches, or is still relatively blind to them. We would bet on the latter.


Talkback and comments are most welcome

Related posts
Thrown in the Fire - Database Corruption Investigation
The SLA Lesson: software bug blues
Security risks and measures in software development

Managing the permanent security issue of Top Management

Regardless of procedures and policies, a company can have a nearly permanent security issue in top management. This issue results from the speed with which top management requires their services delivered and, more than probably, their lack of an information assurance degree - or even an understanding of what information assurance is, for that matter. No top manager wants to be bothered with the problems and challenges that security and IT guys are facing with their wishes. They want them resolved, preferably yesterday.

The security issue of top management results from their lack of time and insistence that everything works when they request it. Usually that means that the security request aspects of the solution have not been researched or even familiarized with. All this results in a half-baked workaround solution.

We will provide two examples of security issues that can easily arise:

  1. The manager requests a new gadget - like a smart phone, tablet computer or a new 'bling computer' with a different OS. Procurement is quick to purchase the new device for the top manager that orders it. When the new gadget arrives procurement informs him in a CYA (Cover Your A*s) approach that they have done their job. The manager expects it to run immediately, so this is what usually happens:
    • the gadget is set-up as fast as possible, using the basic instructions from the Internet or what little experience an engineer has with the gadget.
    • help to install the gadget is solicited from any current users of the gadget, who also assist in set-up to the best of their knowledge, but with little concern about security or compliance to corporate standards
    • the gadget is configured to provide all or most corporate services as used by the manager on the standard corporate computers.
    • The end result is a device which can connect to most of the corporate services, but which is rarely properly secured. If the gadget is stolen, there will be a whole lot of grief for security guys.
  2. The manager wants to open photos on a foreign USB - a guest arrives at the managers office, and he/she has an USB stick with photos. The manager wants to see the photos on his computer.
    • If the manager's computer has permissions to open a USB, he/she will read the USB, possibly opening a virus or Trojan.
    • If the manager's computer doesn't have permissions to open USB, it will be rushed through operations to enable access. Again, the end result can be a executing a virus or a trojan
    • If not captured properly, a Trojan may enter the computer network of the corporation, and collect data or cause havoc

The harsh reality is that these situations will happen, and cannot be avoided in most corporate environments. So what can be done to mitigate these situations?
1. Have antivirus with very frequent auto-updating and realtime scanning installed on everything. Even if an infected USB is inserted, this mitigates the risk of the virus/trojan infecting a corporate compoter.
2. When configuring a new gadget, educate the IT team to first set up security - they should find out how to install/activate antivirus, put up a firewall and set up password protection for using the device. Even if you have limited amount of time with the gadget, it will have deterrents in place to reduce the risk of a stolen device.
3. Try to set-up the gadgets so they don't store corporate data locally - Access mail via IMAP or webmail, and computer services via VPN. Even if the gadget is stolen, all it takes is a password reset.
3. Have a good relationship to procurement - if they give you just a day advanced notice that there will be new gadgets, that is a day more to read up and prepare for a more proper configuration.

Talkback and comments are most welcome

Related posts
TrueCrypt Full Disk Encryption Review
Brief reminder - The value of a stolen corporate laptop
Tutorial - Breaking Weak Encryption With Excel

Engaging a team for a security analysis

Being involved in a security project requires lot of resources: a good measure of knowledge, a huge measure of experience, some amount of software and personnel. Usually time is in short supply, so this is compensated by more computers or more people.


  • The first option is to use a computer and a piece of software. While there are a lot of automated tools that a security consultant can use, these are not really smart.
    • For penetration tests - most vulnerability scanning systems are 'loud' as hell and will be immediately detected by any IPS/IDS system. Also, such systems are very rarely successful at any penetration unless properly tweaked and configured by a human operator.
    • For procedural assessment, that software is just a set of questions forming a checklist. The problem is that every organization has specifics in their security organization, and the actual procedural posture of security needs to be understood by an expert operator in order to properly answer the questions in a checklist.

  • The second option is to hire a freelancer team. Presently, there are a very large number of people looking for a freelance gig as security analysts. Some of them publish their expertise through social networking sites, others just use job search sites to look for an engagement. But this is a nightmare in itself for at least two reasons:
    • Unknown amount of expertise - when hiring someone for a security job, unless you know his/her previous work it is very difficult to know whether he/she will deliver the expertise. Please note that the CV of a person can say anything without much means of confirmation - references for previous security engagements are very rarely given by clients.
    • Unknown agenda - even if he/she is a great expert, you will open the doors of a corporation to that person. Unless you are 100% certain of his/her professional agenda, you may find yourself in a lot of legal trouble if there is a disclosure of confidentiality or even malicious attack from someone in your freelancer team.

As Alan Weiss points out, you should only get into partnerships if you can multiply the profit by a hundred, not double it. And in cases of security analysis, you can easily deplete your profit with a choice of a wrong team, let alone be stuck with some legal issues.

Talkback and comments are most welcome

Related posts
Tutorial - Secure Web Based Job Application
8 Steps to Better Securing Your Job Application

Defeating gaming protection on popular gaming consoles

Gaming consoles are great for multiple reasons. First the obvious reason - you get to play a lot of games, and every one of them look as advertised, runs smoothly, and without performance issues. And then there are the additional benefits: A gaming console is basically a very beefed - up computer. Wouldn't it be nice to run it as a full blown computer?

But gaming console manufacturers need to make the users use only their software with the console - that is how they generate profit. So all console manufacturers lock their consoles through a firmware protection mechanism that allows only signed code to run on the consoles.

And a lot of people attempt to bypass these protection mechanisms in order to run custom code, also known as homebrew code. Naturally, all bypassing methods are illegal, but we are going to discuss the success of bypassing for different consoles

  • Xbox 360 - Xbox 360 is well protected. can run homebrew only if you make a hardware modification to the Xbox. There are subvariants on modding the Xbox for playing music, using large USB files which are much easier. But since Xbox is a full blown computer, the aim would be to run a full computer operating system. Unfortunately, this falls under the domain of homebrew, and can be achieved through hardware modification. But the Xbox is currently quite outdated in terms of total computing power compared to current new computers. The only thing that stands out is the PowerPC CPU, but not so much to merit a hardware modification. Therefore, xbox 360 is not a very popular homebrew platform.
  • Play Station Portable (PSP) - The PSP is my favorite example. It started with a buggy firmware that allowed for all kinds of exploits, and the users could install their own custom firmware. Then SONY stepped up to the plate, and fixed a lot of things, and made the newer versions much stronger in terms of protection. The exploits were limited to exploiting flaws in legal games and then injecting a code that will run the homebrew as if part of the legal game. But then things got horribly wrong. On 02 January 2011 it was revealed that the master signing keys were uncovered. You can now sign more or less anything for PSP.
  • Nintendo Wii - Similarly to PSP, Nintendo Wii can run homebrew by exploiting a installing a 'Homebrew Channel' application which bypasses the copy protection. The architecture of the Wii is based on the Nintendo GameCube. Because of this, most of the homebrew tools from Nintendo GameCube can be used for Wii.
For anyone, choosing a gaming console is primarily based on the choice of games and the gaming experience. But it is always nice if you have the freedom to try other things on your gaming console.

Talkback and comments are most welcome

Avoiding security complications when servicing desktop equpment

Any computer within a company is full of confidential information. And corporate desktop computers are quite resilient and long living. But at the end, any electronic device can fail.

But contrary to the rules that everyone repeats about laptops, desktop computers do not have encrypted disk drives.

Unlike industrial electronic repair, in which the repairs are performed on-site, desktop computers are treated as consumer electronics and are repaired at the vendors premises. So, if proper controls are not present, an IT technician may pick up the computer with the functional hard drive full of information and send it off to an external vendor - thus creating a security incident

To prevent this, a simple process should be put in place:

  1. When performing electronic repairs on IT equipment, first try to fix system with replacement parts - internal IT can replace RAM memory, Hard Drive and PSU.
  2. If the motherboard or elements on the motherboard are an issue, remove the Hard Drive prior to delivering the computer to the vendor.
  3. If the computer is fully failed, remove the hard drive for data transfer or controlled data destruction
  4. Even if the hard drive is fully failed, remove it for mechanical or magnetic destruction.

This very simple process will prevent possible security incidents


Talkback and comments are most welcome

Related posts
Windows 7 Full Disk Encryption with Truecrypt
Brief reminder - The value of a stolen corporate laptop

Designed by Posicionamiento Web