(ISC)² Links

CATEGORIES

Archives

More...

(ISC)² Twitter Updates

  • (ISC)² Twitter Updates

    About the
    (ISC)² Blog

    • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

      (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

      The postings on this site are the author's own and don't necessarily represent
      (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

      Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

      Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.

      Please click here for FAQs.

      Please click here for the Blog guidelines.

    Enter your email address:

    Delivered by FeedBurner

    21 posts categorized "Availability"

    05 May 2010

    CSIRT exercise

    ENISA (European Network and Information Security Agency)has extensive materials on setting up a CSIRT (Computer Security Incident Response Team).  They have also provided significant exercise materials in order to test and train such teams.

    Posted by Rob Slade on 05 May 2010 in Availability, Certifications, Disaster Recovery, Events, Network Security, Operations Security, Slade, Telecom, Training | | Comments (0)

    08 February 2010

    Cyber Security Central

    This blog entry focuses on introducing a new community focused resource designed to provide an avenue for the collaboration and sharing of information relating to Cyber Security.  The Cyber Security Central website (www.cybersecuritycentral.com) seeks to extend the knowledge and best practices within the cyber security community. The overall goal of the site is to provide a platform to support the implementation of the National Cyber Security Strategy.

    Since the inception of the project a few months ago, I have tried to establish a site that seeks to demonstrate a broad view of the cyber security community from both the national and international perspectives.  As I look for new opportunities to represent content, I spend a great deal of time identifying mechanisms that best facilitate the information in an easy-to-navigate manner.

    Major features include:
    - Shared Document Repository
    - Top Sites Related to Cyber Security
    - Security Content Automation Protocol (SCAP)
    - Security Checklist Repository
    - Security Tools
    - Cyber Security Projects
    - Cyber Security Videos
    - Cyber Security News
    - Cyber Security Related Tweets
    - Cyber Security Jobs Posting
    - Cyber Security Discussion Boards
    - Cyber Security Directory Listings
    - Cyber Security Articles

    Additionally, within the Cyber Security Central Documentation Center, you will find valuable information relating to the cybersecuritycentral.com and other associated domains (fismacentral.com, diacapcentral.com, and cnsscentral.com), including policies, procedures, and other helpful information to better navigate and interact with the Cyber Security Central website.

    If you have suggestion or recommendations for improving the site, please use the "General Comments" section of the Discussion Boards or contact me directly through the Contact Us form.

    Finally, please visit the Cyber Security Central Documentation Center - New Features section for any major site update.

    Posted by Matthew Metheny on 08 February 2010 in Authentication, Availability, Careers, Certifications, Conferences, Confidentiality, cryptography, Current Affairs, Digital Forensics, Disaster Recovery, encryption, Hacking, Integrity, IT Security, Malware, Metheny, Metrics, Network Security, Operations Security, Privacy, Risk, Secure Software, Training | | Comments (0) | TrackBack (0)

    25 January 2010

    Resilience - the missing link?

    While reading IT Grundschutz, the German information security baseline standards, and in particular the BSI standard 100-4 on Business Continuity Management, I've been thinking about a curious gap that I believe has opened up between the fields of information security and business continuity. 

    The way I think of it, 'resilience' (and related concepts such as 'over engineering', redundancy, automated failover and so forth) is very definitely an integral and essential part of 'business continuity' (in other words, keeping vital business operations running as near normally as possible, despite whatever threats and vulnerabilities might materialize).  Keeping unauthorized users out of the applications, systems and networks, preventing data and systems corruption (including that deliberately introduced by corrupt fraudsters, as well as incompetent or indolent users, designers, administrators, developers and managers), avoiding unplanned and unwelcome changes, avoiding/neutralizing malware and maintaining adequate IT performance and capacity are, for me, all important business process resilience controls, and are therefore all valid aspects of 'business continuity'. 

    Avoiding or at least reducing the extent/impact of incidents, crises and disasters has got to be better than recovering from them, surely?

    However, most 'business continuity' standards are purely concerned with 'Assume a disaster has happened: we need to prepare ourselves to cope with what happens next'.  They talk about timely resumption and recovery, all post-event of course, while most information security standards major on maintaining confidentiality, with a few token nods towards data, network, application or sysem integrity but very little in the way of process or personal integrity and even less about availability, other than referring to 'business continuity' (often meaning IT Disaster Recovery in fact) as if that settles the matter.

    Most organizations I've worked with seem to separate information security from business continuity management, in the same way that most separate physical from information security, and have other stovepipes for fraud, risk management and compliance. 

    So what on Earth happened to resilience?  Where did it go?  Have you seen it, hiding in a corner somewhere?  While I totally support the need for contingency planning to prepare the organization to cope more effectively with disasters that result from the failure of preventive controls, I strongly suspect that many organizations would be better off diverting some of their not inconsiderable business continuity budgets towards resilience and prevention, or at the very least creating a more coherent strategy linking information security with business continuity through their common interest in resilience.

    I'd be especially interested to hear from anyone who is familiar with standards, guidelines etc. that cover resilience (as outlined above) in some detail, whether they claim to cover information security, business continuity or something else entirely.  Go on, give us a clue about where to find the missing field.

    ... 97, 98, 99, 100, coming, ready or not!

    Kind regards,
    Gary Hinson
    ISO27001security.com
    NoticeBored.com

    PS  A well-written piece on Investing in software resiliency by Dr. C. Warren Axelrod, U.S. Cyber Consequences Unit, lays out several aspects of resilience, including a number of availability threats, software development process issues and of course a range of IT resilience controls such as fault tolerance and failure recovery, system fail-over and recovery and restoration.  Even cloud computing merits a mention.  However, once again, business continuity and the wider aspects of identifying and maintaining critical business functions are largely implied. 

    Posted by Gary Hinson on 25 January 2010 in Availability, Disaster Recovery, Hinson, Integrity | | Comments (0) | TrackBack (0)

    06 November 2009

    Free licence

    Interesting piece by an author who explains why he is not upset by, and even wants people, "pirating" his book, which is published under the GNU Free Documentation License.

    Posted by Rob Slade on 06 November 2009 in Availability, Current Affairs, Legal, Slade, Training, Weblogs | | Comments (0) | TrackBack (0)

    30 October 2009

    Another "Cat and Mouse fight" or... Tracking down a botnet

    A while ago the company I work for was hired for a Telecom company to secure their data centers.

    During the initial gap analysis phase, the backbone was hit by a DDos attack and of course we were assigned to try to help.

    The interesting about this case is that we act on a "happening now" scenario instead of the regular "post mortem" case.

    The Evidence: This is a botnet!!!

    Just to baseline everyone

    Whats is a botnet?

    From Wikipedia:
    Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

    While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

    Continuing...

    We deployed a traffic analysis tool to Monitor all traffic at one BRAS aggregation; we could see hundreds of requests going to  http://www.cvsr.ru .

    We checked the DNS server responses (A records) and we saw several different DNS servers answering the requests. We checked some of those and we realized they were all non updated BIND servers and all of them were poisoned.

    Checking the website www.cvsr.ru using a Virtual Machine, we verified that a javascript redirects the user to  http://kodj.ru/cgi-bin/index.cgi?add were finally a client-side exploit was executed.

    Then, we saw that the now zombie machine started to send UDP traffic (port 3074) to different servers (round robin) with a specific payload and finally when a response was issued the infected machine started to send http traffic to a website in Europe. We saw (I repeat) thousands of requests of this type on the backbone only at one aggregation point so if we estrapolate this data and imagine a entire backbone with millions of subscribers connect...How may of them were zombies? And in the entire world....?

    "This tought really scared me..."

    Conclusion

    With this information we could be able to deploy apropriated ACL's in their distribution/border routers to block the UDP traffic and also to block the botnet master servers network. This action reduced a lot the amount of malicious traffic on the backbone.

    Finally we coded a signature to be deployed on their IPS to block the server-zombie payload to at least avoid this botnet to continue spreading itself on this network.

    We also recomended the purchase of a specific Denial of Service Detection/Mitigation solution that can help a lot administrators in this tough task.

    I'll talk further about DDOS Mitigation Devices on a future post

    Best Regards


     

    Posted by Alexandre Cezar on 30 October 2009 in (ISC)2, Availability, Cezar, Network Security | | Comments (0) | TrackBack (0)

    25 September 2009

    DoD IA Policy Chart

    For your information, the Defense-wide Information Assurance Program (DIAP) has just released the IA Policy Chart via the IATAC web site at http://iac.dtic.mil/iatac/ia_policychart.html.  The chart, plus background notes can be found at that site.  In addition, the IA Policy Chart will be included as a centerfold in the January 2010 edition of the IATAC’s IAnewsletter

     

    The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme. The use of color, hatching, fonts and hyperlinks are all designed to provide additional assistance to IA professionals navigating their way through policy issues in order to build, operate and secure the Global Iinfromation Grid (GIG) - DoD Information Infrastructure.

    Posted by John Dittmer on 25 September 2009 in Authentication, Availability, Careers, Certifications, Confidentiality, Disaster Recovery, Dittmer, Insider Risk, Integrity, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Secure Software, Software Development, Training, Web/Tech | | Comments (0) | TrackBack (0)

    22 August 2009

    Should the CISSP CBK be improved to place greater emphasis on “human factors” in information security? Definitely Yes!

    Should the CISSP CBK be expanded to cover "human factors" in security? [1]

    Add “Human Factors” No.[2]


    Clearly, human factors are a major component to information security and Gary Hinson presents effective arguments that they should be established as an additional domain.  On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®.  In full disclosure, I also teach the CBK® to CISSP® aspirants, but not for (ISC)²®, but at a local college.

     I found the discussion interesting in that I have, from the very beginning, found that human factors are a significant component to all aspects of security and teach same when preparing my students for the CISSP® exam.  However, almost to a student, I am challenged as to why the emphasis when the varying study materials, place little if any emphasis upon human factors.  As an instructor Rob and I do not have access to the exam materials and cannot write exam questions unless we give up our teaching; an understandable restriction by (ISC)²®.

     None-the-less, the human factor is significant and the materials made available by (ISC)²® make no mention of them.  As I examine each of the ten domains, there is no mention, or even a hint that I can detect in them, of human factors to include their sub-topics as articulated in the description for the “Official (ISC)²® Guide to the CISSP® CBK®”; which, by the way, is the only location that I can find the secondary level mentioned in public.  Yes, I know that if I fill out a questionnaire and submit it, that I will get much more; but that is deceitful as I am not a candidate.  What is a dedicated constituent to do, speculate?

     While anyone can effectively argue that the “Information Security and Risk Management” domain contains numerous indirect references to the human factor I find it difficult to infer same in any of the other nine. 

     It is my position that each of the ten CBK® domains should make it clear at the secondary level that “human factors” are a significant component.



    [1] Gary Hinson, 9 August 2009

    [2] Rob Slade, 10 August 2009

    Posted by Bob Johnston on 22 August 2009 in Authentication, Availability, Certifications, Confidentiality, Current Affairs, Digital Forensics, Disaster Recovery, Ethics, Integrity, IT Security, Johnston, Legal, Network Security, Operations Security, Privacy, Risk, Software Development, Telecom, Training | | Comments (1) | TrackBack (0)

    10 August 2009

    Add "human factors"? No.

    OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security?

    And I answer "No."

    With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security.  Nothing could be further from the truth.  I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it.

    What I disagree with is the question.

    The CBK already addresses human factors.

    When I teach CBK review seminars, I start with the security management domain.  Yes, Gary is right that this field started out with a bunch of technical people who had difficulty understanding that people don't always do what you tell them.  So candidates coming in, who are not prepared for dealing with human factors, get a good scare right off the top.  They have to deal with management, which means dealing with people (and probably politics).  And organizational roles (which have to do with people).  And security awareness training. (Oh, and ethics.)

    Moving on to access control, we talk about social engineering there.  (As well as the password choice problem Gary mentioned.)  Good scope for human factors.

    Crypto's a technical field, so no human factors, right?  Wrong.  We talk about implementation problems, and the inability of people to be truly random.

    Physical security talks about human factors.

    BCP talks about human factors.  As long as you are truly recovering the business, as you should be, and not just systems.  (Common mistake.)

    Security architecture is pretty technical.  But it deals with the security frameworks, with all those guideline documents.

    Applications security has a lot to do with human factors.  (If you actually do it properly.)

    Telecom?  Sure, that's technical.  But it also has to do with spam, social networking, phone phreaking, and all kinds of social engineering/human factors implications.

    Operations?  You're dealing with people.  In fact, most of the stuff in operations could equally be dealt with in other domains, except for the extra provisions you have to make for your employees who need escalated privileges.  Your classic insider situation.

    Law and investigation?  If you don't think that is mostly dealing with human factors, you are in the wrong field.

    So, no, the CBK doesn't need to have human factors added.

    If you want to talk about whether we need to pull all the human factors stuff out, and put it in a separate domain, that's a different question.

    (And, to that one too, I'd say no.  We'd have a human factors domain that takes up three days of a five day seminar, and have to squish the existing domains into the remaining two days.)

    Posted by Rob Slade on 10 August 2009 in Authentication, Availability, Careers, Certifications, Confidentiality, Current Affairs, Disaster Recovery, Ethics, Events, Fraud, Hinson, Insider Risk, IT Security, Legal, Malware, Online safety, Operations Security, Privacy, Religion, Risk, Slade, Telecom, Telephony, Training, Web/Tech | | Comments (2) | TrackBack (0)

    18 July 2009

    Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

    This week’s set of DHS reports makes it clear to me that information security professionals worldwide should be reading the report every day or the synopsis published at http://dhs-daily-report.blogspot.com/.  Should you have your doubts, read the following weekly summary and determine whether you are up-to-date on each of the items discussed.

    The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered.  This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

     

    Week Ending:  Friday, July 17, 2009

    Infrastructure Report for 13 July 2009

    Do you allow Twitter?  If you do, you should read the following!

    42. July 10, IDG News Service – (International) Twitter suspends accounts of users with infected computers. Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace. The malware, Koobface, is designed to spread itself by checking to see if person is logged into a social network. It will then post fraudulent messages on the person’s Twitter account trying to entice friends to click the link, which then leads to a malicious Web site that tries to infect the PC. The popular microblogging service has had a strong impact as a new communication platform. Bis also being targeted by fraudsters and hackers, who are using it as a way to infect people’s PCs with malicious software. Twitter is the latest site to be targeted by a Koobface variant, said a senior security advisor for Trend Micro. Other sites have included Bebo, Hi5, Friendster and LiveJournal, according to the U.S. Computer Emergency Readiness Team. Source: http://www.pcworld.com/businesscenter/article/168201/twitter_suspends_accountssers_with_infected_computers.html

    Infrastructure Report for 14 July 2009

    Have you applied Microsoft’s July patches?  No!  Perhaps you should reconsider.

    40. July 13, Computerworld – (International) Researcher says IE bug could spread quickly. A critical ActiveX vulnerability used by hackers to exploit Microsoft Corp.’s Internet Explorer browser is a prime candidate for another Conficker-scale attack, security experts said. On July 6, just hours after security companies reported that thousands of compromised sites were serving up exploits, Microsoft acknowledged the flaw in the ActiveX control that can be accessed using IE. The bug has been used by hackers since at least June 9. Microsoft said it will issue a patch for the flaw on July 14. The vulnerability “exposes the whole world and can be exploited through the firewall,” said the chief research officer at security software vendor AVG Technologies USA Inc. “That’s better than Conficker, which mostly did its damage once it got inside a network.” Conficker exploited a Windows flaw that Microsoft had thought dire enough to fix outside its usual update schedule in October 2008. The worm exploded into prominence in January, when a variant infected millions of machines that remained unpatched. Microsoft confirmed the latest flaw shortly after security researchers at Danish firms CSIS Security Group AS and Secunia said that thousands of hacks of legitimate Web sites over the July 4 weekend had exploited the bug. The hackers took advantage of the bug to reroute users to a malicious site, which in turn downloads and launches a multiexploit hacker tool kit. Source: http://www.computerworld.com/s/article/340930/Researcher_Says_IE_Bug_Could_Spread_Quickly?taxonomyId=17

    Infrastructure Report for 15 July 2009

    Could a similar attack be successful in the private sector?

    28. July 13, Softpedia – (International) DDoS worm starts damaging infected systems. The malware responsible for the recent denial of service attacks against many U.S. and South Korean government and commercial websites has received an update to damage the computers it infected. Starting with July 10, the worm began to rewrite HDD Master Boot Records (MBR), leaving the zombie computers unbootable. Recently, it was reported that serious distributed denial of service (DDoS) attacks had affected the stability of many websites operated by large organizations or the governments of United States and South Korea. Experts later concluded that a botnet of over 60,000 computers, infected with an updated Mydoom variant, had been used to launch the attacks. Security researchers from FireEye warn that, even though the DDoS has stopped, the impact of this malware might prove to be a lot bigger. Everything started with a DDoS component being shipped to computers infected with a particular strain of Mydoom, a worm dating back to the beginning of 2004. The attackers planned for the DDoS to start on July 4 (Independence Day) and to end on July 10. The worm drops a file called mstimer.dll and loads it as a windows service named “MS Timer Service.” The purpose of this component is to check the date and if it matches July 10 to execute yet another file, called wversion.exe. Originally, wversion.exe contained instructions to uninstall the timer service, suggesting that its authors intended for it to self-destroy. However, a malware researcher at FireEye explains that another, much more destructive version of wversion.exe was deployed shortly before July 10. The new version features a three-step plan to destroy data on the infected computers. First, it rewrites 512 bytes of every hard disk in the system, not only the one used to boot from. The first 512 bytes of a hard disk are used to store the Master Boot Record and Volume Boot Record, which are employed to store information about the file system and partitions. The new data written over the MBR and VBR includes a string reading “Memory of the Independence Day.” The second destructive step targets the personal files and documents stored on the hard disks. The component searches for files with one of 37 extensions, including .pdf, .doc, .ppt, and proceeds to compressing and password-protecting every one of them. Source: http://news.softpedia.com/news/DDoS-Worm-Starts-Damaging-Infected-Systems-116551.shtml

    Infrastructure Report for 16 July 2009

    And, just how safe is your BlackBerry today?

    38. July 14, The Register – (International) BlackBerry update bursting with spyware. An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life. Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to take a closer look at, only to discover an application intended to intercept both email and text messages, sending a copy to an Etisalat server without the user being aware of anything beyond a slightly excessive battery drain. It was, it seems, the battery issue that alerted users to something being wrong. Closer examination seems to indicate that all instances of the application were expected to register with a central server, which could not cope with the traffic — thus forcing all the instances to repeatedly attempt to connect while draining the battery. A more phased reporting system might have escaped detection completely. The update is labelled: “Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality.” The signed JAR file, when opened, reveals an application housed in a directory named “/com/ss8/interceptor/app”, which conforms to the Java standard for application trees to be named the reverse of the author’s URL. No one from Etisalat, RIM, or SS8 is saying anything about the issue, despite the fact that the application appears remarkably difficult to remove. Source: http://www.theregister.co.uk/2009/07/14/blackberry_snooping/

    Infrastructure Report for 17 July 2009

    Have you applied the latest Microsolf patches?  If no, perhaps you should!

    39. July 15, Enterprise Security Today – (International) Researchers rate all six Microsoft patches as critical. Microsoft on July 14 released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical. The CTO of Qualys said Microsoft’s advisories should be addressed immediately because they allow an attacker to take complete control of a victim’s computer. Microsoft proxy server ISA 2006 has a vulnerability rated as important that allows remote unauthenticated users to access the server. However, paired with a knowledge of the administrator’s username, attackers can take full control of the server. Because administrator usernames are often easy to guess, the CTO said, this vulnerability deserves special attention if IT organizations are using ISA with the Radius configuration. Likewise, MS09-030 is an advisory for the Publisher component in the MS Office 2007 suite rated as important, but can be used to take full control of a system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as critical as well, the CTO said. Source: http://www.enterprise-security-today.com/story.xhtml?story_id=67785

    Note:  The DHS only maintains the last ten days of their reports online.  To obtain copies of earlier reports or complete summaries, go to:

     http://dhs-daily-report.blogspot.com/

     

    Posted by Bob Johnston on 18 July 2009 in Availability, Current Affairs, IT Security, Johnston, Malware, Network Security, Risk | | Comments (0) | TrackBack (0)

    04 July 2009

    Fast flux and related technologies

    This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets).  It also suggests certain actions which could mitigate such activity.  The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation.

    Posted by Rob Slade on 04 July 2009 in Availability, Current Affairs, Digital Forensics, Events, Malware, Network Security, Slade, Telecom, Training, Web/Tech | | Comments (0) | TrackBack (0)

    Next »

    The (ISC)² bloggers

    • Tipton W. Hord Tipton, CISSP-ISSEP, CAP, (ISC)² Executive Director
      Schmidt Prof. Howard A. Schmidt, CISSP, CISM (Hon.)
      Sarah E. Bohne, Director of Communications & Member Services

    Recent Contributors

    Past Contributors