Domain: infosecuritymag.com
Stories and comments across the archive that link to infosecuritymag.com.
Comments · 21
-
Yes... Pest Patrol and Spy Sweeper Enterprise
See: here for Pest Patrol, and here for Spy Sweeper. There was an article this month in Information Security Magazine.
-
Re:Microsoft Research?
Microsoft does not have a great research department. Look at the number of innovations coming out of a company like IBM for what a truly great research department can do.
MS has a great marketing department that can turn ideas into marketable products.
Picture-based passwords are nothing new. -
Screenshot of AirDefense software...
-
Re:Credit Where Due
Too bad Larry's claims of being Unbreakable? were squashed. As the article says:
"Some security experts have said that the discovery of these vulnerabilities changes the claim of "unbreakable" from marketing hype to a false sense of security." -
getting started
If you want to get started, start by securing your home Internet connection. This will benefit you and the Internet community in general. I have a page with some information on home broadband security.
When you move to security in a business environment, in my opinion you need to frame security as a tool for risk management. CERT provides good information on handling security professionally, including their book The CERT Guide to System and Network Security Practices and a large collection of Articles, reports and papers.
Information Security Magazine will give you a sense of where the infosec business is going. On the academic side there's the new IEEE Security and Privacy Magazine and the IEEE Computer Society Technical Committee on Security and Privacy. Also on the academic side there are the more established journals from compsec online.
-
Five easy steps.
1. Education - Get educated about what information security is all about. You should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization).
Tools like those from IBM Tivoli or HP Openview can help here. For security-specific vulnerability analyzers: open-source Nessus, eEye's Retina, and ISS's Internet Scanner.
3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins. Up to now it was the fun stuff; now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and, if you can afford it and it is warranted, external), educating users, and maintaining your security posture. -
Another article on "Trustworthy Computing at 1"
Information Security magazine has a cover feature on the same subject; specific articles are here, here, here and here. I haven't read my paper copy yet but they're usually fairly good quality (well, better than most trade press anyway.)
No, I have no connection with them. -
Special Report in Information Security Magazine
The February issue of Information Security has a special report by Lawrence Walsh titled "Trustworthy Yet?" that is a good companion to this article.
-
Follow up article
A good follow up to this post is a short introduction to honeyd by Marcus Ranum in the latest issue of Information Security Magazine. A good little overview of what the program does and how to potentially use it.
-
Info Security Survey
Survey says: The best way to convince management of the need for security is "Conduct vulnerability assessments or penetration tests to demonstrate need for security" (Figure 9, page 4)
2001 IT Security Survey (PDF)
It's not easy, but the best you can do is document the vulnerabilities, present your case, and KEEP presenting it. See if there are any corporate policies or legal requirements that support your position.
-
DRM in Information Security Magazine
I just read this article in Info Sec magazine on DRM technology: alas, the web version doesn't have the article, just a list of products and vendors. The whole thing was without any discussion of the moral or ethical dimension to the issue. Yet CISSP and SANS info-sec certifications all include an "ethical dimension" to their course materials. Go figure.
-
More hints from an insider.
I've been doing this (reviewing security and being reviewed myself) for a long time. For what it's worth, here are a few thoughts on getting your money's worth:
- What kind of review?
Basically, there are three types: penetration tests (ethical hacking), assessments (white box technical reviews), and audits (process/procedure reviews). These are very different from one another, as (typically) are the firms who perform each type. Ira Winkler wrote a good article on this subject.
Although a pen test is sexy, you almost certainly want an assessment based on your description.
- Know the goal.
Unfortunately, much of this market is driven by "Good Housekeeping Seals of Approval" -- inexpensive rubber stamp reviews designed to limit liability and make partners feel good (e.g., we followed the best practices and even had 3rd party auditors, they just didn't find this hole). Unfortunately, this creates a disincentive to actually finding problems since that's not what the customer ordered.
If you're really concerned about your security, you want a confidential report for your internal consumption that takes a good hard look at your real security and is clear about all of the problems, even less critical ones (though of course you want them prioritized). Stay far away from "certification" oriented reviews.
- Make it attorney-client work product.
If your organization is structured such that this works (and in this case — a state agency — it may not be), it can be useful to have the report be protected by attorney-client privilege, to manage the legal liability caused by the findings in the report. You especially want this if you follow the previous step and get a good, hard look.
- Go independent.
This was already mentioned in another post, but bears repeating. Don't get a review from a company whose primary business involves selling anything other than security reviews. First, they often consciously try to sell you their product (or service). Second, they are generally unconsciously biased by their own efforts on their product and are looking at problems from a more limited perspective. Same goes from companies who resell network and security products for other vendors, taking a cut of every sale. Get an independent review from someone who's earning their keep based on their professional opinion, not leveraging follow-on sales.
Also, look out for the one-two punch from auditing firms: a cheap initial pen test to prove how insecure you are (typically with lots of grandstanding to upper management), followed by a really expensive audit where they actually make their money.
- Hire the individuals, not the company.
There are good people at mediocre companies and vice versa. The quality of the output depends most on who did the work and least on what company employs them. Although the larger firms have more structure and quality control, the odds of getting a great reviewer rather than a room full of talking heads from a Big 5 are less.
This doesn't mean don't hire a Big 5, it means hire a specific team from a reputable company.
If at all possible, make the hiring decision based on face-to-face discussions with the actual team that will do the work, and ensure the contract allows you to approve changes in the team. Look for people who have five or more years of technical experience outside security before they started doing security (e.g., was a hard-core sys admin for five years before they started consulting others on systems security).
This also means evaluating potential firms like a job interview, to some degree. The most effective, yet cooperative way to accomplish this is to invite them over and start describing a couple of your problems that you've already carefully considered. If the potential team rolls up their sleeves and starts solving your problems — in the sales call — with good, obviously experienced approaches, then they're worth considering. If they only talk in broad generalities or don't grasp issues that are widely understood, then they're not worth your time.
On the other hand, ensure that they are bilingual. Not English and Hindi, but Technical and Management. They need to be able to find problems and propose practical solutions. Then they have to document this in the report, so that the technical staff understands the problem and solution well enough to fix it and the management team can grasp the level of risk and cost of remediation, and gauge priorities.
Try to get a sanitized report from a job performed by the same team for review. Evaluate whether you would be happy with those results and, if so, ensure they know that you expect even better.
- Be specific.
When developing the scope of work, be specific about what is and is not included in the review. Don't accept a vague statement of work that isn't clear which or how many systems will be reviewed, the structure of the report, or other details. Ensure you know what you're paying for and what will be performed.
- Be prepared
Although you're overworked and have a hard enough time keeping up with your day-to-day tasks, the results also depend on your preparation, responsiveness, and organization. Have network diagrams, org charts, and device/system configs ready for the reviewers. When they need more information, get it to them in a timely fashion — it'll keep your costs down and result in a more detailed report with fewer guesses on the part of the reviewer.
- Don't hold back.
Although it may be tempting not to tell them about things you know are a problem, to gauge how long it takes them to find the problem, this approach is simply a waste of your own money during the review. If you evaluated the team well before hiring them, tell them everything you already know is a problem so they don't spend time rediscovering those issues. Sure, they'll end up in the report even though you already knew about them, but it'll again save money and result in a better, more detailed product.
- More small reviews.
It's quite likely that you'll get better results getting several smaller reviews from carefully chosen teams than one single large review. This is especially true if you choose well rounded teams with different backgrounds. While they should all be competent across the board, if one team comes from an application development background while another team comes from a system administration background, they're likely to find different results.
- Ultimately, it's your security.
Opinions vary. Accept the report as one person's opinion on how they would prioritize the issues and fix them. After you receive the report, review it and then prioritize the issues and develop fixes based on your knowledge of the environment and business goals.
If you've done your homework, your prioritization and solutions will match those in the report. If they clash, then figure out what went wrong and know to look for those indicators next time.
-
focus, value, and experience
I have never heard of the SCP before, and a quick look at it didn't impress me.
There is an article in the September 2001 issue of Secure Computing Magazine. (a "trade rag" - so it never says anything bad about a potential advertiser)
Pay Your Dues by Jay Heiser in Information Security Magazine is also worth reading.
A small reader survey, May 2001 - Talkback.
Security Focus offers several mailing lists that you may wish to subscribe to, or at least read the archives about. In particular Security Certification, CISSP Study, and security-basics. One recent message is certainly worth reading. Similar questions have been also asked in cryptography and firewall wizards - Nov 2001 mailing lists, and I believe has come up several times before.
A review of one IS manager's experience from the Computerworld security column.
A so-so review of different security certificates from CertCities.
The main points I would make are: choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants, not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay; they likely should focus on another certification anyhow. Next are the SANS/GIAC certificates, which are more focused and hands-on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.
Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag: it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.
-
Cayley-Purser algorithm
The algorithm has already been shown to have fatal flaws (search for Plaintext Defense). Sarah Flannery herself was quoted as such. However, there is nothing to say that the flaw cannot be eliminated in the next version. To say the least, this algorithm provides a strong foundation on which to build.
-
stronger passwords aren't
The following article makes the point that asking users to pick and memorize cryptic passwords that they must change every 60 days etc. is both unreasonable and usually unnecessary. Different types of accounts require different levels of security (e.g. if shadow passwords are implemented, why worry so much about password cracking; be more concerned about keeping the root account secure). Instead, more effort should be expended on securing systems rather than chasing down those users who forgot to include a digit in their password. And face it, in the real world a large corporation with thousands of users is NEVER going to get every user to pick a totally cryptic password.
"Stronger Passwords Aren't"
http://www.infosecuritymag.com/articles/june01/columns_executive_view.shtml