During a conversation with some folks last week we wondered about what is the most vulnerable device in a network today. The answer of almost everyone in the table was: Routers... So we start talking about risks, how to protect a border router, which hardening actions can be taken in order to improve security, etc. A important point that I noticed is that event nowadays many companies does not implement controls to improve routers security. Based on it I decided to write a few notes mentioning risks and hardening actions that can prevent a attacker to be successful. Main Risks... Read more →
« August 2008 | Main | October 2008 »
Posts from September 2008
30 September 2008
The most vulnerable device in the network
Posted by Alexandre Cezar on 30 September 2008 at 06:54 PM in Insider Risk, IT Security | Permalink
|
Comments (3)
|
TrackBack (0)
25 September 2008
Proxy Caches are a Challenging Threat to Internet Security
Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed. Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons. As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being... Read more →
Posted by Tim Bass on 25 September 2008 at 02:39 PM in IT Security, Software Development | Permalink
|
Comments (5)
|
TrackBack (0)
The $700bn question for security professionals
Dear fellow professionals, It is no doubt that the world financial markets are in trouble. It also looks that it may cost a lot of money to 'stabilise' them... to the tune of at least $700bn (so the news reports say). One of the causes of the credit crunch and the resulting market near-meltdown has been undoubtedly the inaccurate pricing of risk. With CDOs, sub-prime mortgages (what an euphemism!), other credit derivatives, the financial specialists have managed to disconnect the owner of a financial asset from the asset and its inherent risk. The longer the "risk chain" became, as mortgages,... Read more →
Posted by Ionut Ionescu on 25 September 2008 at 01:06 PM in Risk | Permalink
|
Comments (7)
|
TrackBack (0)
24 September 2008
Prioritizing Security
Overview IT Security is an important component of every organization. However, with any major investment, security implementations must be based on a thorough planning and prioritization process. The planning and prioritization processes help to ensure funding is appropriately allocated to meet the long-term and short-term goals of the organization. In this post, we will explore a framework for utilizing strategic prioritization schemes to manage and prioritize security weaknesses. Strategic prioritization is a component of strategic management that focuses on developing a consensus from across the organization by ranking competing projects to achieve efficiency in the allocation of resources used for... Read more →
Posted by Matthew Metheny on 24 September 2008 at 06:31 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
23 September 2008
Password Reset Services Can Weaken Authentication
The recent compromise of Alaska governor Palin’s email account was reportedly accomplished through the use of a password reset service. The attacker masqueraded as Governor Palin by answering the associated “security” questions which were discovered through searches of publicly available information. This situation illustrates a significant weakness in password reset services. The effectiveness of authentication factors, such as passwords and pass-phrases, are strongly dependent on their secrecy. Their security strength can be measured by the ability to withstand a brute force attack or resist an attacker’s attempt to correctly guess it. Password reset mechanisms commonly entice users to enter information... Read more →
Posted by Sean M. Price on 23 September 2008 at 10:07 AM | Permalink
|
Comments (3)
|
TrackBack (0)
18 September 2008
Funding security awareness programs
"Obtaining support and funding from senior management - while planning an awareness initiative" is a new free document from ENISA (the European Network and Information Security Agency - an official European Union body that describes itself as a centre of network and information security expertise for the EU Member States and Institutions) that extends the coverage of a previous product, "The new users’ guide: How to raise information security awareness". The new guide is aimed at helping readers scope, plan and justify their security awareness programs to management. Starting with an explanation of the need for, and value of, information... Read more →
Posted by Gary Hinson on 18 September 2008 at 06:26 PM in Cybersecurity Training, Insider Risk | Permalink
|
Comments (0)
|
TrackBack (0)
16 September 2008
A Different Kind of DoS Attack
I locked my wife out of her webmail account the other day, unintentionally. I won't go into boring the details of why I was trying to get into her email, but as a disclaimer let me say that we both have access to each other's webmail account, out of trust. But in this instance I couldn't get a hold of her and I just needed a snippet of info. It was late, I was tired and impatient, so I just kept on trying password after password. Eventually I just gave up and went to bed. A few hours later I... Read more →
Posted by Don Franke on 16 September 2008 at 10:27 PM in IT Security | Permalink
|
Comments (2)
|
TrackBack (0)
15 September 2008
A New Security Breach in Google Docs Revealed
I am a big fan of Google and, over time, I have started to enjoy the freedom from my desktop with Google Docs. For example, when I keep track of business expenses I have found it easier to update a Google Spreadsheet versus depending on Microsoft Excel on my laptop because I can update from anywhere in the world and share with my bookkeeper too. So, I've been using Google Docs more lately. Today, however, I discovered a huge security breach in Google Docs. While I was in my account working on a spreadsheet I suddenly found my Google Doc... Read more →
Posted by Tim Bass on 15 September 2008 at 07:17 AM in IT Security | Permalink
|
Comments (11)
|
TrackBack (0)
08 September 2008
The value of online professional discussion fora
An interesting discussion thread on the ISO27k Implementers' Forum started with a simple question regarding whether it is necessary, for audit purposes, to obtain a certificate of destruction from a company tasked with disposing of confidential waste. The first few answers were binary: Yes, a certificate of destruction is necessary and, along with a contract specifying the disposal requirements, is common practice; or No, because a certificate from a third party doesn't give sufficient confidence in the process (destruction should be witnessed and certified by the customer not the supplier). I then pointed out that the original question begs too... Read more →
Posted by Gary Hinson on 08 September 2008 at 01:00 AM in IT Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
02 September 2008
Event Correlation
I recently had an opportunity to work on some existing event correlation infrastructure in a large environment. I found there were a lot of considerations that came into play to get the event correlation aspects functioning optimally. I found understanding the quality of the data that came into the device from its sources, intelligent design of incident creation, and assuring a proper grasp of the configuration options and limitations within the event correlation software were all particularly important. As I have said, the event correlation infrastructure already existed. Unfortunately, it appeared that whoever had worked on it had not had... Read more →
Posted by Adam Kuncewitch on 02 September 2008 at 08:33 AM | Permalink
|
Comments (0)
|
TrackBack (0)
01 September 2008
Shredded Checks
Recently, I saw a report on CNN about a Texas salsa company that was caught shipping their orders using shredded checks as packing material. And they didn't use a cross-cut shredder either, so it was a nest of thin paper strips. This was revealed by an honest customer who decided to push back to say "should they really be doing this?" (I'm paraphrasing.) And to prove this point, the customer pieced together enough material to glean a few people's bank routing and account number, names, addresses and signatures. So the questions is: was this a new discovery? Or are there... Read more →
Posted by Don Franke on 01 September 2008 at 09:59 AM | Permalink
|
Comments (1)
|
TrackBack (0)
Search
Categories
- Center for Cyber Safety and Education (52)
- Cloud Security (137)
- Cybersecurity Certifications (387)
- Cybersecurity Training (315)
- Cybersecurity Workforce (254)
- Digital Forensics (30)
- Ethics (53)
- Government (127)
- Insider Risk (57)
- ISC2 Chapters (22)
- ISC2 Events (166)
- IT Security (389)
- Legal (46)
- Malware (116)
- Network Security (178)
- Operations Security (144)
- Privacy (117)
- Ransomware (90)
- Risk (204)
- Software Development (46)
- Spotlight (71)