« June 2009 | Main | August 2009 »

Posts from July 2009

11 July 2009

Are policies mandatory and guidelines optional?

Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions... Read more →

Posted by on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal | | Comments (1) | TrackBack (0)

| |

Viruses Revealed online

After Macmillan refused to update the book, David and I got the copyright back, and planned to update it and release in online. Somebody beat us to it. This appears to be a blackhat site, so be careful, but the information appears to be there. Read more →

Posted by on 11 July 2009 at 03:45 PM in Cybersecurity Training, Malware, Operations Security, Risk | | Comments (1) | TrackBack (0)

| |

Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional. Week Ending: Friday, July 10, 2009 Infrastructure Report for 6 July 2009 Could Mafiaboy be right? If so, will your enterprise be impacted? 37. June 30, DarkReading – (International) ‘Mafiaboy’: cloud computing will cause Internet security meltdown. A reformed black-hat hacker, better known as the 15-year-old “mafiaboy” who, in 2000, took down Websites CNN, Yahoo, E*Trade, Dell, Amazon, and eBay, says widespread adoption of cloud... Read more →

Posted by on 11 July 2009 at 07:57 AM | | Comments (0) | TrackBack (0)

| |

08 July 2009

Primary Lessons Learned from the TSA Laptop Mess (Part 2)

A couple of weeks ago, I read about the demise of the Verified Identity Pass, Inc.'s Fly Clear program. This was a program working with TSA on the Registered Traveler service. Back in August 2008, I wrote how VIP and TSA had no accountability for losing a laptop with personal information of over 33,000 applicants. There is an additional lesson to be learned on top those from of my original article. If the public can't trust you with their personal information, they are not going to buy your product or service in the long run. That's why you need security... Read more →

Posted by on 08 July 2009 at 03:49 PM in Ethics, IT Security, Privacy | | Comments (2) | TrackBack (0)

| |

Some Background Notes on the Consensus Audit Guidelines (CAG)

Here's some background on the CAG (Consensus Audit Guidelines). The Red Teams have consistently proved that poor configuration and patching practices have made it easy for them to defeat network defenses. This determination lead to the Air Force approaching Microsoft and insisting that new desktop software application come with a standard secure configuration. This was the genesis of what is now known as the Federal Desktop Core Configuration (FDCC.) FDCC uses Red Team knowledge about attacker techniques to protect systems and network vulnerabilities used by attackers to break into systems. This in turn, has led to the Twenty Critical Security... Read more →

Posted by on 08 July 2009 at 03:16 PM in IT Security, Network Security | | Comments (0) | TrackBack (0)

| |

07 July 2009

Guessing SSNs

Ars Technica has an interesting article titled New algorithm guesses SSNs using date and place of birth. It describes how the date and location of birth can be gleaned from social networking sites such as Facebook, and then used in a new algorithm to guess the person's SSN "with a startling degree of accuracy." An inference attack, in other words. Per reference.com: "An Inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it. The object of Inference attacks is to piece together information at one security level... Read more →

Posted by on 07 July 2009 at 09:57 AM | | Comments (2) | TrackBack (0)

| |

05 July 2009

ENISA CSIRT guide

Exhaustive, and yet strangely undirected, ENISA walk through the points relevant to setting up a CSIRT. Can also be had in PDF from http://www.enisa.europa.eu/cert_guide/downloads/CSIRT_setting_up_guide_ENISA.pdf Read more →

Posted by on 05 July 2009 at 12:11 AM in Cybersecurity Training, IT Security, Operations Security | | Comments (0) | TrackBack (0)

| |

04 July 2009

CERT-in-a-box

Structure for setting up a Computer Security Incident Response Team, informed by the experience of the Netherlands government agency. Some of the graphical material can be downloaded at http://www.first.org/resources/guides/cert-in-a-box.zip, but the Website is much better. Read more →

Posted by on 04 July 2009 at 11:57 PM in Cybersecurity Training | | Comments (0) | TrackBack (0)

| |

Security Economics

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it still depressingly relevant.) Read more →

Posted by on 04 July 2009 at 11:38 PM in Cybersecurity Training, IT Security, Legal, Risk | | Comments (0) | TrackBack (0)

| |

IS2ME

This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ . Read more →

Posted by on 04 July 2009 at 09:10 PM in Cybersecurity Training, IT Security, Operations Security, Risk | | Comments (0) | TrackBack (0)

| |

Fast flux and related technologies

This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets). It also suggests certain actions which could mitigate such activity. The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation. Read more →

Posted by on 04 July 2009 at 08:53 PM in Cybersecurity Training, Digital Forensics, Malware, Network Security | | Comments (0) | TrackBack (0)

| |

Flashcard Exchange

This site provides functions for creating your own flashcards of varying types. This particular link looks for those tagged as being suitable for study for the CISSP exam. (You will notice that there are other related tags, and you may wish to try out those for security terms which are not specific to the CISSP.) The material is provided by volunteers, so the quality varies. In the sets I examined, some points were flatly wrong, while others where questionable. However, it does provide a range of points to test yourself against, and see if you are unfamiliar with certain areas.... Read more →

Posted by on 04 July 2009 at 08:36 PM in Cybersecurity Certifications, Cybersecurity Training, IT Security | | Comments (0) | TrackBack (0)

| |

TEMPEST

There are lots of myths about TEMPEST and emanations (or emissions) security. This site provides detailed information. Unfortunately, it isn't quite as sensational as the myths, but more useful. Read more →

Posted by on 04 July 2009 at 02:18 AM in Cybersecurity Training, IT Security, Operations Security | | Comments (0) | TrackBack (0)

| |

« Previous