<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-23642591</id><updated>2011-12-13T22:57:12.602-05:00</updated><title type='text'>Security Theater of the Absurd</title><subtitle type='html'>Current security issues, vulnerabilities, and the phenomenon of security theater.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>33</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-23642591.post-116362844503930595</id><published>2006-11-15T17:07:00.000-05:00</published><updated>2006-11-15T17:07:25.043-05:00</updated><title type='text'>SANS Top-20 Internet Security Attack Targets (2006 Annual Update)</title><content type='html'>&lt;div xmlns='http://www.w3.org/1999/xhtml'&gt;http://www.sans.org/top20/&lt;br&gt;&lt;/br&gt;&lt;br&gt;&lt;/br&gt;&lt;br&gt;&lt;/br&gt;Technorati Tags: &lt;a rel='tag' href='http://technorati.com/tag/SANS' 
class='performancingtags'&gt;SANS&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-116362844503930595?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/116362844503930595/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=116362844503930595' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/116362844503930595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/116362844503930595'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/11/sans-top-20-internet-security-attack.html' title='SANS Top-20 Internet Security Attack Targets (2006 Annual Update)'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115998841254098410</id><published>2006-10-04T15:00:00.000-04:00</published><updated>2006-10-04T15:00:12.593-04:00</updated><title type='text'>USB Drive Access Control Part 2</title><content type='html'>So I'm still looking at options for controlling access to USB devices and other forms of removable media.&amp;nbsp; As you can see in &lt;a href="http://security-theater.blogspot.com/2006/05/usb-drive-access-control-part-1.html"&gt;this article&lt;/a&gt;, I have a list of potential applications to help me with that.&amp;nbsp; In the meantime, I discovered a way to help me mitigate the problem.&lt;br /&gt;&lt;br /&gt;Some users in my company will require the use of USB flash drives or hard drives, and for that, we need to purchase some software tools to be able to restrict access by user and by device model.&amp;nbsp; Other users, however, have no use for USB storage devices at all.&lt;br /&gt;&lt;br /&gt;The "old school" method of restricting access to USB was to disable the USB ports in the BIOS.&amp;nbsp; This was highly effective, and if the BIOS was password protected, the user couldn't find a workaround to give them access.&lt;br /&gt;&lt;br /&gt;There were only three problems with this method.&amp;nbsp; First, in theory, a knowledgeable individual could just install a USB card in an available PCI slot.&amp;nbsp; While this is unlikely considering my user base, it is still a potential risk.&amp;nbsp; Second, many newer systems, such as Dell's Optiplex GX280, have done away with PS/2 ports for the mouse and keyboard, relying instead on USB.&amp;nbsp; If you disable all the USB ports, there go your input devices.&amp;nbsp; Third, it requires a visit to each PC, since I haven't found a way to script BIOS changes yet.&lt;br /&gt;&lt;br /&gt;So here's the new and improved method, courtesy of Windows XP SP2:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Start the registry editor (regedit.exe).&lt;/li&gt;&lt;li&gt;Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.&lt;/li&gt;&lt;li&gt;From the Edit menu, select New, Key, and type StorageDevicePolicies.&amp;nbsp; If this key already exists, skip to the next step.&lt;/li&gt;&lt;li&gt;Highlight the newly created key "StorageDevicePolicies" and, from the Edit menu, select New, DWORD Value, type WriteProtect and press Enter.&lt;/li&gt;&lt;li&gt;Double-click WriteProtect and enter 1 for Value data.&amp;nbsp; A value of 1 makes all USB storage devices read-only; a value of 0 makes them writable again.&lt;/li&gt;&lt;li&gt;Close the registry editor and restart the computer.&lt;/li&gt;&lt;/ol&gt;Two things to keep in mind.&amp;nbsp; This only blocks writes: users can still read files from a USB drive and run programs stored on it, so it addresses data leaving the company, not malware coming in.&amp;nbsp; And it is just a registry value, so anyone with local administrator rights can set it back to 0; it belongs alongside standard (non-admin) user accounts, not in place of them.&lt;br /&gt;&lt;br /&gt;I also found a way to do this via GPO, &lt;a href="http://www.petri.co.il/disable_writing_to_usb_disks_in_xp_sp2_with_gpo.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Technorati Tags: &lt;a href="http://technorati.com/tag/usb" rel="tag"&gt;usb&lt;/a&gt;, &lt;a href="http://technorati.com/tag/security" rel="tag"&gt;security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/registry" rel="tag"&gt;registry&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115998841254098410?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115998841254098410/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115998841254098410' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115998841254098410'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115998841254098410'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/10/usb-drive-access-control-part-2.html' title='USB Drive Access Control Part 2'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115982011304325361</id><published>2006-10-02T16:04:00.000-04:00</published><updated>2006-10-02T16:15:13.093-04:00</updated><title type='text'>Zero-day flaw in Firefox</title><content type='html'>I've been recommending the use of Firefox for at least a year now, because of the reduced likelihood of encountering a security vulnerability, as well as the better interface and the ability to use add-ons.  Now it looks like part of Firefox's advantage may have been "security through obscurity": as it gains market share on IE, it becomes more of a target for hackers and vulnerability researchers.&lt;br /&gt;&lt;br /&gt;That's not a bad thing, because I firmly believe that the open model of Firefox will ultimately lead to a more secure product, but it serves to illustrate that flaws exist in every application.&lt;br /&gt;&lt;br /&gt;Here's the link to the story: &lt;a href="http://news.zdnet.com/2100-1009_22-6121608.html"&gt;Hackers claim zero-day flaw in Firefox.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On another note, since this is a JavaScript-related flaw, there's a great extension for Firefox that is very effective at blocking malicious JavaScript.  It's called &lt;a href="https://addons.mozilla.org/firefox/722/"&gt;NoScript&lt;/a&gt;, and it lets JavaScript run only on the sites you explicitly whitelist while blocking it everywhere else.  Keep the whitelist short: script on a whitelisted site that has itself been compromised will still run.  
It's one of the extensions I always load in a new installation of Firefox.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115982011304325361?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115982011304325361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115982011304325361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115982011304325361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115982011304325361'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/10/zero-day-flaw-in-firefox.html' title='Zero-day flaw in Firefox'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115980433201163566</id><published>2006-10-02T10:22:00.000-04:00</published><updated>2006-10-02T16:25:05.216-04:00</updated><title type='text'>20 Reasons the World Despises Norton AV?</title><content type='html'>I found this article, and I'm not sure if I agree with the author completely.  It's basically bashing Norton Antivirus as causing more problems than it solves.  
Here is the article:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dtgeeks.com/index.php/blogs/comment/20_reasons_the_world_hates_norton_anti_virus/"&gt;http://www.dtgeeks.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I personally haven't used Norton Antivirus (the home version) in a number of years, but I have heard some complaints that it is bloatware, and it slows down older PCs to a crawl.  Not sure about the other allegations in the article, though.&lt;br /&gt;&lt;br /&gt;I am currently running Symantec Antivirus Corporate Edition 10 on my company's network, and I have few problems with it; those I do have are not enough to make me switch, at least not yet.  Here is my list of negatives about Symantec AV:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Infrequent updates.  I'm not talking about virus definitions.  I'm talking about actual updates to the application.  They seem to come out every six months or so.  I'm not even sure about that, which leads to my next point.&lt;/li&gt;&lt;li&gt;No update notifications.  How can I tell if there's a new version out?  I either have to check their website frequently, or hope that a tech news site might mention it.&lt;/li&gt;&lt;li&gt;Updates require a full install.  Why can't Symantec do an upgrade installation?  Seems like every update requires uninstalling and reinstalling the server application and the System Center Console.&lt;/li&gt;&lt;/ol&gt;Not to gang up on Symantec too much, here is my list of positives, which is why I'm actually sticking with them:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;VERY quick turnaround on zero-day definitions.  Symantec's Rapid Release virus definitions have been very good for me.  On the rare occasion that I encountered a virus that Symantec didn't detect (3 times in 6 years), I received an updated definition in under 4 hours each time.&lt;/li&gt;&lt;li&gt;Centralized management.  While it's not perfect, the Symantec System Center shows me everything I need to know about the protected computers on my network.  
The fact that you can centralize your quarantine of suspicious files and your alerts makes it even better.&lt;/li&gt;&lt;/ol&gt;UPDATE: I found this great site which appears to test how well the leading antivirus products stack up against a database of 315,000 virus samples.  Check it out &lt;a href="http://www.virus.gr/english/fullxml/default.asp?id=82&amp;mnu=82"&gt;here&lt;/a&gt;.  While it doesn't list Symantec Corporate on the recent tests, it does list Norton Antivirus, and it appears to have dropped from number 6 in the April 2005 ranking to number &lt;span style="font-weight: bold;"&gt;22&lt;/span&gt; in August 2006.  Seems to be heading in the wrong direction.  Note: I can't vouch for the reliability of this site, as I only just stumbled across it.  I will update with further details when they become available.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115980433201163566?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115980433201163566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115980433201163566' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115980433201163566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115980433201163566'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/10/20-reasons-world-despises-norton-av.html' title='20 Reasons the World Despises Norton AV?'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115979865260109757</id><published>2006-10-02T10:15:00.000-04:00</published><updated>2006-10-02T10:17:32.613-04:00</updated><title type='text'>Return from the void</title><content type='html'>Hello everyone, sorry for the long delay since my last post!  I have had a number of personal crises to deal with, along with a few professional ones, that have prevented me from posting any updates to this blog for the past 2 months or so.  I apologize for that, and I will endeavor to post more frequently to this blog, both for my own benefit and yours.&lt;br /&gt;&lt;br /&gt;Stay tuned for a few new items today, and more to come!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115979865260109757?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115979865260109757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115979865260109757' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115979865260109757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115979865260109757'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/10/return-from-void.html' title='Return from the void'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115326589577085511</id><published>2006-07-18T19:33:00.000-04:00</published><updated>2006-07-18T19:38:15.826-04:00</updated><title type='text'>Microsoft Acquires Winternals Software</title><content type='html'>&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Wow, big news!  Microsoft has acquired one of the most useful and innovative software companies ever to attempt to improve on Microsoft's products.  Mark Russinovich is one of the most intelligent and creative people I have ever met.  Some of the products he releases for free on the Sysinternals site are worth more than some paid products.  And the Winternals products are equally impressive.  Mark, if you don't know him, was the person who broke the news 10 years ago that you could turn NT Workstation into NT Server by making a simple registry change.&lt;/p&gt;  &lt;p&gt;So this is undoubtedly a good move for Microsoft, but is it a good move for Mark?  The answer depends on what Microsoft lets him work on.  His title is Technical Fellow, which has traditionally been a position that gets a lot of leeway in the creative process.  If Mark can use his new insider influence the way he has at Winternals, look for some very positive changes in Microsoft products, at least from the perspective of IT tools and ease of management.&lt;br/&gt; &lt;/p&gt;  &lt;blockquote cite="http://www.winternals.com/Company/PressRelease92.aspx"&gt;&lt;H3&gt;Microsoft Acquires Winternals Software&lt;/H3&gt;Company appoints operating systems kernel expert Mark Russinovich as Technical Fellow.&lt;br/&gt; &lt;p&gt;Microsoft Corp. 
today announced the acquisition of Winternals Software LP, a privately held company based in Austin, Texas, that provides Windows®-based enterprises with systems recovery and data protection solutions in addition to offering a freeware tools Web site called Sysinternals. The addition of Winternals is a significant advance in Microsoft's promise to lower customers' total cost of ownership of the Microsoft® Windows platform. Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code for utilities related to Windows. Financial terms of the acquisition were not disclosed. Winternals was established in 1996 by Mark Russinovich and Bryce Cogswell, who are recognized industry leaders in the areas of operating system design and architecture. Russinovich will join the Microsoft Platforms &amp;amp; Services Division as a technical fellow, working with numerous technology teams across Microsoft, and Cogswell will join the Windows Component Platform Team in the role of software architect.&lt;/p&gt;  &lt;/blockquote&gt;&lt;p class="citation"&gt;&lt;cite cite="http://www.winternals.com/Company/PressRelease92.aspx"&gt;&lt;a href="http://www.winternals.com/Company/PressRelease92.aspx"&gt;Winternals Software - Products&lt;/a&gt;&lt;/cite&gt;&lt;/p&gt;  &lt;p&gt;Want to know Mark's perspective?  Here's his blog entry on the subject:&lt;/p&gt;  &lt;blockquote&gt;&lt;H3&gt;On My Way to Microsoft!&lt;/H3&gt;I’m very pleased to announce that &lt;a href="http://www.winternals.com/Company/PressRelease92.aspx"&gt;Microsoft has acquired Winternals Software&lt;/a&gt; and Sysinternals. Bryce Cogswell and I founded both Winternals and Sysinternals (originally NTInternals) back in 1996 with the goal of developing advanced technologies for Windows. We’ve had an incredible amount of fun over the last ten years working on a wide range of diverse products such as Winternals Administrator’s Pak, Protection Manager, Defrag Manager, and Recovery Manager, and the dozens of Sysinternals tools, including Filemon, Regmon and Process Explorer, that millions of people use every day for systems troubleshooting and management. There’s nothing more satisfying for me than to see our ideas and their implementation have a positive impact.&lt;br/&gt; &lt;/blockquote&gt;&lt;p&gt;&lt;i&gt;&lt;a href="http://www.sysinternals.com/blog/2006/07/on-my-way-to-microsoft.html"&gt;Mark's Sysinternals Blog: On My Way to Microsoft!&lt;/a&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p style="font-size:10px;text-align:right;"&gt;technorati tags:&lt;a href="http://technorati.com/tag/sysinternals" rel="tag"&gt;sysinternals&lt;/a&gt;, &lt;a href="http://technorati.com/tag/winternals" rel="tag"&gt;winternals&lt;/a&gt;, &lt;a href="http://technorati.com/tag/mark" rel="tag"&gt;mark&lt;/a&gt;, &lt;a href="http://technorati.com/tag/russinovich" rel="tag"&gt;russinovich&lt;/a&gt;, &lt;a href="http://technorati.com/tag/Microsoft" rel="tag"&gt;Microsoft&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115326589577085511?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115326589577085511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115326589577085511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115326589577085511'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/23642591/posts/default/115326589577085511'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/07/microsoft-acquires-winternals-software.html' title='Microsoft Acquires Winternals Software'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115275535524739887</id><published>2006-07-12T21:44:00.000-04:00</published><updated>2006-07-12T22:14:18.140-04:00</updated><title type='text'>Stop Being Stupid; It's Free: Hard Disk Encryption</title><content type='html'>&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;I have to call your attention to this great article by Marcus Ranum.  If you don't know who Marcus is, he's the Chief of Security for &lt;a href="http://www.tenablesecurity.com"&gt;Tenable Network Security&lt;/a&gt;, the company that makes Nessus and NeWT.  He is the author of a number of thought-provoking articles on computer security.  He also has some entertaining items on his site, including a &lt;a href="http://www.ranum.com/security/computer_security/calendar/index.html"&gt;Computer Security Calendar.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now that I have filled you in on the author, let me tell you about the article.  It's about how easy (and free) it is to set up disk encryption on your computer using a product called TrueCrypt.&lt;br /&gt;&lt;blockquote cite="http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html"&gt;&lt;strong&gt;&lt;br /&gt;Stop Being Stupid; It's Free&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;I'm not sure why I've been so cavalier about my data since then, but to tell you the truth I've never bothered with hard disk encryption, personally. 
I think part of it was that I didn't particularly care if anyone got my data, because I like to live an open life, but it's been slowly sinking in that there's no sense making life easy for the bad guys. If I can rob some phisher, hacker, or spammer of a moment's pleasure at little cost to myself, that seems like a worthy goal.&lt;/p&gt;  &lt;p&gt;After a few days of researching I stumbled across a thing called TrueCrypt. It meets a lot of my requirements, namely:&lt;br /&gt;&lt;/p&gt;  &lt;ul&gt; &lt;li&gt;Free&lt;br /&gt;&lt;/li&gt; &lt;li&gt;Uses recognizable and known encryption algorithms&lt;br /&gt;&lt;/li&gt; &lt;li&gt;Works sensibly with a container file that can be treated as external data (i.e.: backed up to tape entire)&lt;br /&gt;&lt;/li&gt; &lt;li&gt;Source code available&lt;br /&gt;&lt;/li&gt; &lt;li&gt;No adware or "wouldn't you like to buy me now?" bullshit&lt;br /&gt;&lt;/li&gt; &lt;li&gt;Small footprint&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Now, it's not as if I'm going to go through and review the entire source code of the engine but I like the fact that it's being developed openly and (as far as I can tell) is part of a project that is not socially or financially beholden to anyone.&lt;/p&gt;  &lt;/blockquote&gt;&lt;p&gt;&lt;a href="http://www.ranum.com/security/computer_security/calendar/jul.jpg"&gt;&lt;img style="width: 468px; height: 390px;" alt="" src="http://www.ranum.com/security/computer_security/calendar/jul.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="citation"&gt;&lt;cite cite="http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html"&gt;&lt;a href="http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html"&gt;A Nice Surprise&lt;/a&gt;&lt;/cite&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="font-size: 10px; text-align: right;"&gt;technorati tags:&lt;a href="http://technorati.com/tag/information" rel="tag"&gt;information&lt;/a&gt;, &lt;a href="http://technorati.com/tag/security" 
rel="tag"&gt;security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/encryption" rel="tag"&gt;encryption&lt;/a&gt;, &lt;a href="http://technorati.com/tag/TrueCrypt" rel="tag"&gt;TrueCrypt&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115275535524739887?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115275535524739887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115275535524739887' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115275535524739887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115275535524739887'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/07/stop-being-stupid-its-free-hard-disk.html' title='Stop Being Stupid; It&apos;s Free: Hard Disk Encryption'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-115258755072372166</id><published>2006-07-10T23:08:00.000-04:00</published><updated>2006-07-10T23:12:30.773-04:00</updated><title type='text'>The Weakest Link in Network Security</title><content type='html'>&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;blockquote cite="http://www.entrepreneur.com/article/0,4621,328335,00.html"&gt;&lt;p/&gt;  &lt;/blockquote&gt;&lt;p&gt;I found this excellent article on Entrepreneur.com.  
It spells out some of the inherent risks in Information Security that come with the reality of giving access to users.  Many things can happen as a result of carelessness that can devastate even a well-protected network.&lt;/p&gt;  &lt;p&gt;The recommendations in this article provide an excellent starting point for providing protection against the human element of Information Technology.&lt;br/&gt; &lt;/p&gt;  &lt;DIV style="width: 585px; padding-left: 10px; padding-top: 10px;"&gt;&lt;span class="storyhead"&gt;The Weakest Link in Network Security&lt;/span&gt;&lt;br/&gt; &lt;DIV class="medium"&gt;&lt;strong&gt;Viruses and spyware threaten your data security--but carelessness can be an even bigger threat.&lt;/strong&gt;&lt;br/&gt;    			 			 		&lt;span class="small"&gt;		July 10, 2006&lt;/span&gt;&lt;br/&gt; &lt;span class="small"&gt; 				By Peter Alexander   				 &lt;/span&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;blockquote cite="http://www.entrepreneur.com/article/0,4621,328335,00.html"&gt;&lt;DIV style="width: 585px; padding-left: 10px; padding-top: 10px;"&gt; 			&lt;/DIV&gt;&lt;p&gt;Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's carelessness, and suddenly it's as if you have no network security at all.&lt;/p&gt;  &lt;p&gt;Let me give you an example. In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers was stolen. The laptop contained the Social Security numbers of nearly 200,000 people. How did it happen? An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of a SUV. During dinner, one of the employee's colleagues retrieved an item from the vehicle and forgot to re-lock it. 
As fate would have it, there was a rash of car thefts occurring in that particular area at that particular time, and the rest is history.&lt;/p&gt;  &lt;p&gt;The moral of that story is clear: No matter how secure your network may be, it's only as secure as its weakest link. And people--meaning you and your employees--are often the weakest link. It's important to note that poor security puts your business, as well as your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify and require minimum levels of security you must have in order to do business with them.&lt;/p&gt;  &lt;/blockquote&gt;&lt;p class="citation"&gt;&lt;cite cite="http://www.entrepreneur.com/article/0,4621,328335,00.html"&gt;&lt;a href="http://www.entrepreneur.com/article/0,4621,328335,00.html"&gt;The Weakest Link in Network Security&lt;/a&gt;&lt;/cite&gt;&lt;/p&gt;  &lt;p/&gt;&lt;p/&gt;&lt;p style="font-size:10px;text-align:right;"&gt;technorati tags:&lt;a href="http://technorati.com/tag/information" rel="tag"&gt;information&lt;/a&gt;, &lt;a href="http://technorati.com/tag/security" rel="tag"&gt;security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/encryption" rel="tag"&gt;encryption&lt;/a&gt;, &lt;a href="http://technorati.com/tag/risk" rel="tag"&gt;risk&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-115258755072372166?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/115258755072372166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=115258755072372166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115258755072372166'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/115258755072372166'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/07/weakest-link-in-network-security.html' title='The Weakest Link in Network Security'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114868520237128874</id><published>2006-05-26T19:04:00.000-04:00</published><updated>2006-06-19T20:01:26.536-04:00</updated><title type='text'>Symantec AV Flaw</title><content type='html'>Wow, hot on the heels of my last post regarding antivirus options, there comes this news regarding Symantec Antivirus:&lt;br /&gt;&lt;br /&gt;A new vulnerability has been discovered by security firm eEye Digital Security in Symantec Antivirus 10.x and Client Security 3.x that could allow for remote code execution.  
This does not appear to affect the consumer versions of Symantec's products.&lt;br /&gt;&lt;br /&gt;The vulnerability report:&lt;br /&gt;&lt;a title="http://www.eeye.com/html/research/upcoming/20060524.html" href="http://www.eeye.com/html/research/upcoming/20060524.html"&gt;http://www.eeye.com/html/research/upcoming/20060524.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Other news articles on the subject:&lt;br /&gt;&lt;a title="http://www.eweek.com/article2/0,1895,1967941,00.asp" href="http://www.eweek.com/article2/0,1895,1967941,00.asp"&gt;http://www.eweek.com/article2/0,1895,1967941,00.asp&lt;/a&gt;&lt;br /&gt;&lt;a title="http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html?section=cnn_topstories" href="http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html?section=cnn_topstories"&gt;http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html?section=cnn_topstories&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note that this is only a preliminary report from eEye, and Symantec should be given the opportunity to respond accordingly.&lt;br /&gt;&lt;br /&gt;While a vulnerability in a security product can be a scary thing, this shouldn't be too much of a concern for anyone who has implemented a reasonable amount of layered security, such as a firewall restricting port access to all systems, whether public-facing or not.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114868520237128874?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114868520237128874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114868520237128874' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/23642591/posts/default/114868520237128874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114868520237128874'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/05/symantec-av-flaw.html' title='Symantec AV Flaw'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114865442903419582</id><published>2006-05-26T10:23:00.000-04:00</published><updated>2006-05-26T10:40:29.096-04:00</updated><title type='text'>Enterprise Antivirus Solutions?</title><content type='html'>My company's Symantec Antivirus Corporate Edition subscription is about to expire, so I figured this would be an opportune time to examine other antivirus options.&lt;br /&gt;&lt;br /&gt;I've used a number of antivirus solutions on the enterprise (or at least small-to-medium business) level, including Symantec, Trend Micro, CA, and Panda.  I've fooled around on the personal computing level with some of the other options, such as McAfee and Grisoft.  I sort of inherited the existing Symantec setup at this company, and it has performed relatively well for us, purely on the level of virus scanning.  We had an issue about a year ago with a zero-day virus infection, but once we isolated the executable, Symantec quickly gave us a Rapid Release definition to detect and remove it.&lt;br /&gt;&lt;br /&gt;On the other hand, I'm not that thrilled with the centralized administration Symantec offers in this product.  The deployment options are kind of clunky, and the ability to determine which computers on the network need the software installed is somewhat inadequate.  
These are minor annoyances that I could certainly deal with if necessary, if the rest of the product is satisfactory.&lt;br /&gt;&lt;br /&gt;The one thing I have a major problem with is the performance of the application.  A while back (I believe it was with version 10.0.1000), there was a bug that caused computers to boot up extremely slowly due to a startup scan that slowed everything down.  I believe the solution was to upgrade to version 10.0.1007, which disabled this scan at startup.  I'm not sure if this has been rectified in later versions, but it seems to me that a startup scan would be a good thing, if it didn't hobble performance so much.&lt;br /&gt;&lt;br /&gt;In any event, if I didn't think there was anything better out there, I would probably just grin and bear it.  But I have had some very good experiences with Trend Micro (on a smaller scale, mind you), and Panda has been highly recommended by some of my peers.  I'm not too crazy about CA, just because of some bad experiences with Cheyenne AV back in the Windows NT days.&lt;br /&gt;&lt;br /&gt;Any recommendations?  Or does anyone have any good resources, such as product comparisons and reviews from a reputable source?  
I tried searching for reviews, but most of the comparisons I can find are no more recent than 2003.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114865442903419582?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114865442903419582/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114865442903419582' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114865442903419582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114865442903419582'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/05/enterprise-antivirus-solutions.html' title='Enterprise Antivirus Solutions?'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114834645838019495</id><published>2006-05-22T20:42:00.000-04:00</published><updated>2006-05-22T21:24:07.730-04:00</updated><title type='text'>USB Drive Access Control Part 1</title><content type='html'>The security risk of allowing unfettered access to USB drives by employees is making me (and my CIO) nervous.  How are you dealing with this risk?&lt;br /&gt;&lt;br /&gt;Depending on the business needs of an organization, some people disable USB entirely, either through BIOS settings, registry changes, or the ultimate medieval solution: glue in the actual USB ports.  
As we have a business need for some controlled access to USB drives, I can't go that route.&lt;br /&gt;&lt;br /&gt;So I'm looking for some more granular control over USB device access.  I'm looking for the following criteria:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Control access by user&lt;/li&gt;&lt;li&gt;Integration with Active Directory&lt;/li&gt;&lt;li&gt;Control access by device type - I'm not talking about USB drives vs. CD drives.  I mean "allow access to 512MB Kingston USB drive, but block all others," for example.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;There are quite a few products out there, but I don't have enough information yet to make an educated decision.  Here is the short list of products I requested more information from:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.devicelock.com/"&gt;DeviceLock&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.pillar-solutions.com/p_device_wall/"&gt;DeviceWall&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.securewave.com/sanctuary_DC.jsp"&gt;Sanctuary Device Control&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.reflex-magnetics.com/products/disknetpro/"&gt;Disknet Pro&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gfi.com/endpointsecurity/"&gt;EndpointSecurity&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Except for that last one, do I detect a naming trend?  I will post again after I have had a chance to evaluate these options.  
I'm also open to any other product suggestions that will meet my needs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114834645838019495?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114834645838019495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114834645838019495' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114834645838019495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114834645838019495'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/05/usb-drive-access-control-part-1.html' title='USB Drive Access Control Part 1'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114661700190228500</id><published>2006-05-02T20:34:00.000-04:00</published><updated>2006-05-02T20:43:21.916-04:00</updated><title type='text'>Banking and Two-factor Authentication</title><content type='html'>There's an interesting article in Network World this week, written by Daniel Blum:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.networkworld.com/columnists/2006/042406blum.html"&gt;Authentication: Where's the magic factor?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As someone who uses online banking as much as possible, I welcome the concept of two-factor authentication to increase security.  As the article points out, however, which two factors will the banks choose?  
There is an overabundance of options from a number of different vendors. &lt;div class="more"&gt;&lt;br /&gt;&lt;br /&gt;I think the solution that wins out will be the one that accomplishes the following:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The bank will have a favorable ratio of good publicity to low cost of implementation.&lt;/li&gt;&lt;li&gt;The user will have increased confidence in their personal safety.&lt;/li&gt;&lt;li&gt;The user will have little or no trouble adapting to the new authentication method.&lt;/li&gt;&lt;li&gt;The bank will be able to place more blame on users in the event of a security breach.&lt;/li&gt;&lt;/ol&gt;Obviously, since the banks will be footing the bill, the benefits that apply to them will probably outweigh everything else.  But don't discount the weight of public opinion.  If Bank A decides to implement this unwieldy biometric solution that requires each account holder to take a trip to the bank to have their retina scanned, and to pick up the scanner device to attach to their computer, they may lose customers to Bank B, who decided to send everyone an RSA SecurID token to use with their account.  While Bank A might have gone with the more secure solution (depending on your opinion of the accuracy of biometrics), Bank B has caused less inconvenience to their customers while still greatly increasing the security of their online banking solution. 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114661700190228500?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114661700190228500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114661700190228500' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114661700190228500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114661700190228500'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/05/banking-and-two-factor-authentication.html' title='Banking and Two-factor Authentication'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114670546455824310</id><published>2006-04-28T21:06:00.000-04:00</published><updated>2006-05-03T21:39:54.163-04:00</updated><title type='text'>Password Policies on Disconnected Systems</title><content type='html'>Another great post from Jesper's blog, regarding what password policies are not enforced when a system is not connected to the domain:&lt;br /&gt;&lt;a href="http://blogs.technet.com/jesper_johansson/archive/2006/04/21/425991.aspx"&gt;&lt;br /&gt;Some Password Policy Settings Are Not Enforced When Disconnected&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My first thought when hearing the topic was, "how can they ignore password expiration and account lockouts when disconnected?"  
After reading the explanation, however, I realize it couldn't be done any other way.  Both of these policies would make it extremely difficult for mobile users to function if they were applied when the user is disconnected. &lt;div class="more"&gt;&lt;br /&gt;&lt;br /&gt;It's not that the policies are that much worse for mobile users (although Jesper recommends against account lockout policies anyway); the problem is the hoops that must be jumped through if someone runs afoul of one of these policies while away from the domain, or away from an internet connection entirely.&lt;br /&gt;&lt;br /&gt;The concept that a user will have to log in to a VPN in order to reset their expired password is bad enough.  I could see this being a huge issue for my mobile users, and for myself as well.&lt;br /&gt;&lt;br /&gt;But even worse is the account lockout policy.  If a laptop could be locked out by entering in the wrong password too many times, the only recourse would be to reconnect the laptop to your network to accept the re-enabling of the account.  No VPN shortcuts either; the computer would actually have to be connected for this to work.  Imagine having a company based in the U.S., and having a user lock themselves out while traveling overseas!  What do they do, ship the laptop back to the States?&lt;br /&gt;&lt;br /&gt;Thankfully, Microsoft has insightful people like Jesper who consider these issues before they become a problem. 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114670546455824310?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114670546455824310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114670546455824310' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670546455824310'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670546455824310'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/password-policies-on-disconnected.html' title='Password Policies on Disconnected Systems'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114670160176514441</id><published>2006-04-27T19:53:00.000-04:00</published><updated>2006-05-03T20:13:21.776-04:00</updated><title type='text'>The wisdom of "Temporary" Adminstrators</title><content type='html'>Interesting post over on Jesper's blog:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.technet.com/jesper_johansson/archive/2006/04/19/425748.aspx"&gt;"Temporary " Administrators&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As Jesper explains, don't make anyone an administrator &lt;span style="font-style: italic;"&gt;temporarily&lt;/span&gt;, unless you are prepared to trust them to be an administrator &lt;span style="font-style: italic;"&gt;permanently&lt;/span&gt;.  
A temporary administrator can put code in place that will give them access long after you have revoked their administrative access.&lt;br /&gt;&lt;br /&gt;Malicious intentions aside, the pervasiveness of malware should make you think twice about doling out administrative privileges, whether on the local system or domain- (or enterprise-) wide.  All it takes is hitting one disreputable website with administrative privileges to turn a system into a Typhoid Mary. &lt;div class="more"&gt;&lt;br /&gt;&lt;br /&gt;I have had the misfortune to deal with many systems in a similar circumstance.  One organization decided, in their shortsighted wisdom, to correct application access issues by giving users local admin rights.  This is all too common, especially in small to mid-sized businesses.  While this will alleviate the symptoms quickly, it will cause more problems in the long run.&lt;br /&gt;&lt;br /&gt;The process of bringing the users' access down to acceptable levels of privilege was painful, but not as painful as attempting to eradicate some of the pests these users had accumulated over the months of surfing the web as administrators.  The last few lines of Jesper's post brought back the memory of the solution to this problem:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Courier New;font-size:85%;"&gt;"Is the rootkit now gone? Noohooo. It is still there, and will remain there until you use the rootkit removal tool: format c:\&lt;/span&gt;&lt;span style="font-size:85%;"&gt; (from neutral read-only media)."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This is the only option in most cases, since you can never be sure you have gotten rid of every last piece of malware that can invade a system.  I have wasted way too many hours in the past attempting to clean a PC without wiping it out, only to go back a day later to find it just as infected as when I started, if not worse.  
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114670160176514441?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114670160176514441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114670160176514441' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670160176514441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670160176514441'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/wisdom-of-temporary-adminstrators.html' title='The wisdom of &quot;Temporary&quot; Administrators'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114670641998317131</id><published>2006-04-25T21:27:00.000-04:00</published><updated>2006-05-03T21:33:39.983-04:00</updated><title type='text'>Penetration Testing vs Vulnerability Assessment</title><content type='html'>Informative post on the difference between pen testing and vulnerability assessment:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.darknet.org.uk/2006/04/penetration-testing-vs-vulnerability-assessment/"&gt;Penetration Testing vs Vulnerability Assessment&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This post brings up an important point.  What most companies are looking for, at least initially, is a vulnerability assessment.  
This allows you to generate a list of problems with your infrastructure that may need repair or some other form of mitigation.  This can take the form of a security audit, where you have some outside consultant come in and run all kinds of tests against your network, or it can take the form of a vulnerability scanning product, such as the one offered by &lt;a href="http://www.qualys.com"&gt;Qualys&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114670641998317131?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114670641998317131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114670641998317131' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670641998317131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114670641998317131'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/penetration-testing-vs-vulnerability.html' title='Penetration Testing vs Vulnerability Assessment'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114661068303774266</id><published>2006-04-24T18:47:00.000-04:00</published><updated>2006-05-02T18:58:03.053-04:00</updated><title type='text'>Why Winternals Sued Best Buy</title><content type='html'>While this is not a security-related issue directly, it concerns the illegal use of copyrighted software.  
Why a company as large as Best Buy would choose to do something so blatantly illegal, I can't comprehend.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sysinternals.com/blog/2006/04/why-winternals-sued-best-buy.html"&gt;Why Winternals Sued Best Buy&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On a separate note, the Winternals Administrator's Pak is one of the most useful collections of utilities I have ever come across as a network administrator.  While I have not had as much need for it since moving into the security field, I still recommend it every chance I get.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114661068303774266?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114661068303774266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114661068303774266' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114661068303774266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114661068303774266'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/why-winternals-sued-best-buy.html' title='Why Winternals Sued Best Buy'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114660992353031713</id><published>2006-04-20T18:40:00.000-04:00</published><updated>2006-10-25T02:08:02.893-04:00</updated><title type='text'>Skype Risk Analysis</title><content type='html'>I spent some time reviewing the risks 
of Skype, a popular VoIP application.  I figured since I put the time into reading it, I'd condense my thoughts into an article on the subject.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Disclaimer:&lt;/span&gt; I don't claim to have any inside knowledge of the workings of Skype.  The only information I have is based on documentation that is publicly available on their website, as well as a few other analyses I have seen on the web.&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;b&gt;Overview&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Skype is a popular Voice over IP (VoIP) system, created by Niklas Zennström and Janus Friis, founders of KaZaA.  Similar to KaZaA, Skype is based on Peer-to-Peer (P2P) technology.  While other VoIP services use a centralized server to manage communications sessions, Skype software clients directly interact with each other to ensure that the network directory is up to date and that calls are quickly completed.  This P2P network allows clients in different locations to locate each other and send text messages, hold voice calls, and exchange data files.&lt;/p&gt;&lt;div class="more"&gt;&lt;br /&gt;    &lt;p class="MsoNormal"&gt;Unlike KaZaA, which earns its revenue from advertisements, the Skype client contains no adware or spyware, at least at the time of this writing. 
Also, calls between Skype clients are free of charge.  Instead, the Skype system earns revenue by charging for the use of the gateway that interconnects the Skype network with the regular telephone system.&lt;/p&gt;&lt;p&gt;Another important detail to note is that KaZaA 3.0 contains its own integrated Skype client, so users of Skype may also be communicating with users of KaZaA, rather than just Skype users.  Although some of the files that are traded over KaZaA are exchanged with the permission of the copyright holders, it appears that the primary use of KaZaA is the illegal exchange of copyrighted songs and movies.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;Description of Skype services&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;The Skype client can perform the following functions:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Voice calling to another Skype user&lt;/li&gt;&lt;li&gt;Voice conference calling&lt;/li&gt;&lt;li&gt;Voice calling to traditional telephone lines (SkypeOut)&lt;/li&gt;&lt;li&gt;Voice calling from traditional telephone lines (SkypeIn)&lt;/li&gt;&lt;li&gt;Chat, providing instant messaging for groups of up to 48 participants&lt;/li&gt;&lt;li&gt;Cross-platform file transfer&lt;/li&gt;&lt;li&gt;Directory and presence management&lt;/li&gt;&lt;/ul&gt;  &lt;p class="MsoNormal"&gt;Skype client software is compatible with the following platforms: Windows XP, Windows 2000, Linux, Apple Macintosh OS X, and Pocket PCs running Windows Mobile 2003.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;Network Requirements&lt;/b&gt;&lt;/p&gt;  &lt;p 
class="MsoNormal"&gt;At a minimum, the following conditions must be true of the network being used by the computer running Skype for the Skype client to communicate :&lt;/p&gt;  &lt;ul style="margin-top: 0in;" type="disc"&gt;&lt;li class="MsoNormal" style=""&gt;Outgoing      TCP connections should be allowed to remote ports 1024 and higher.&lt;/li&gt;&lt;li class="MsoNormal" style=""&gt;Outgoing      TCP connections should be allowed to remote ports 80 and 443.&lt;/li&gt;&lt;li class="MsoNormal" style=""&gt;Outgoing      UDP packets should be allowed to remote ports 1024 and higher. For UDP to      be useful to Skype, the NAT must allow for replies to be returned to sent      UDP datagrams. (The state of UDP “connections” must be kept for at least      30 seconds, and Skype recommends that these translations be maintained for      as long as an hour, if possible.)&lt;/li&gt;&lt;li class="MsoNormal" style=""&gt;The      NAT translation should provide consistent translation, meaning that      outgoing address translation is usually the same for consecutive outgoing      UDP packets.&lt;/li&gt;&lt;/ul&gt;  &lt;p class="MsoNormal"&gt;Skype is very effective at circumventing the restrictions of firewalls and Network Address Translation (NAT), provided most of the above requirements are met.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style=""&gt;Skype Security&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;When discussing the security of a VoIP solution, there are a number of factors to take into account.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i style=""&gt;Authentication&lt;/i&gt; – the only authentication being done by Skype is based on a user name and password.&lt;span style=""&gt;  &lt;/span&gt;Obviously, no one should ever share their Skype user name and password, or have it saved on their computer.&lt;span style=""&gt;  &lt;/span&gt;Potentially, anyone with User A’s user name and password could install a copy of the Skype client, and receive calls that were 
intended for User A.  Equally likely is the scenario where User B “borrows” User A’s laptop, and is able to use the Skype client with a saved password.  Of course, even if User B receives a call intended for User A, it is likely that the caller would be able to identify User A by their voice, in many cases.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i&gt;Encryption&lt;/i&gt; – According to Skype, all message contents between any pair of Skype users are encrypted end to end by utilizing the RSA encryption algorithm for key exchange and Advanced Encryption Standard (AES) in its AES-256 mode as its bulk encryption algorithm.  The key for a Skype session is unique to that session and is not re-used. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol and has not explained the underlying design of its certificates, its authentication system, or its encryption implementation. 
Therefore it is impossible to validate the company's claims regarding encryption.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i&gt;Integrity&lt;/i&gt; – Software running on P2P networks could have wide-ranging implications that are not completely understood yet.  While the Skype client does not currently include any spyware or adware, there are no guarantees that it might not include them in the future.  Also, as Skype is a completely closed-source system, it is harder to determine if the software contains vulnerabilities that could be exploited by malicious users.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i&gt;Bandwidth&lt;/i&gt; – If a Skype client makes a voice call to one person, the bandwidth usage is minimal, approximately 70 kbps.  However, if conference calling is used, or multiple users are running the Skype client, this can add up very quickly, and have an impact on internet bandwidth.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i&gt;File Transfer&lt;/i&gt; – Similar to instant messaging programs and other P2P applications, the Skype client can be used as a file transfer utility.  This could potentially allow confidential information to be sent to unauthorized individuals.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;i&gt;Malware Vector&lt;/i&gt; – As mentioned above, files could be transferred between Skype clients.  This could allow a virus to be brought into the network if the Skype client connects to another computer that is infected. 
Skype poses more risk than programs like KaZaA, which have built-in anti-virus protection that scans programs as they are downloaded; Skype appears to have no such protection.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;In some ways, the voice functionality of Skype appears to have more security than traditional telephone networks, based on the fact that the sessions are encrypted.  However, we have no way of knowing how well the encryption is implemented, considering this is a closed-source product.  It is also feasible that the Skype system could be compromised by a skillful attacker, or by a motivated insider. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;The larger concern is the risk of having unwanted software introduced by the Skype client.  While the file transfer functionality is an easily recognizable vector, a less obvious risk is that the application itself could be compromised.  If a buffer overflow could be used to make the application accept a malicious file and execute it, any connection made to the Skype client could be a potential attack.&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I am attempting to present both sides of the issue in this analysis.  The choice is yours whether this application is enough of a risk to restrict its use in your organization. 
&lt;/div&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114660992353031713?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114660992353031713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114660992353031713' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114660992353031713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114660992353031713'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/skype-risk-analysis.html' title='Skype Risk Analysis'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114493455668928812</id><published>2006-04-13T09:21:00.000-04:00</published><updated>2006-04-13T09:27:44.296-04:00</updated><title type='text'>Who Sets The Audit Standards? Part 3 of 3</title><content type='html'>And here is part 3 of this informative series.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.rsasecurity.com/blog/entry.asp?id=1080"&gt;http://www.rsasecurity.com/blog/entry.asp?id=1080&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Topics covered include what members get out of a professional body, and what needs to be done to further support professionalism.  
This is the final part of the series, so it also includes a conclusion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114493455668928812?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114493455668928812/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114493455668928812' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114493455668928812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114493455668928812'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/who-sets-audit-standards-part-3-of-3.html' title='Who Sets The Audit Standards? Part 3 of 3'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114428456528355998</id><published>2006-04-05T20:45:00.000-04:00</published><updated>2006-04-05T20:51:44.156-04:00</updated><title type='text'>Who Sets The Audit Standards? 
Part 2 of 3</title><content type='html'>Part 2 of 3 of a very interesting series by John Madelin.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.rsasecurity.com/blog/entry.asp?id=1077"&gt;http://www.rsasecurity.com/blog/entry.asp?id=1077&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Among the topics, the devaluation of the CISSP brand, whether the scope of financial auditors should be broadened to include security concerns, and what constitutes a "Professional Body."&lt;br /&gt;&lt;a href="http://www.rsasecurity.com/blog/entry.asp?id=1077"&gt; &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114428456528355998?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114428456528355998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114428456528355998' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114428456528355998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114428456528355998'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/who-sets-audit-standards-part-2-of-3.html' title='Who Sets The Audit Standards? 
Part 2 of 3'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114420221227722249</id><published>2006-04-04T21:53:00.000-04:00</published><updated>2006-04-27T20:49:42.896-04:00</updated><title type='text'>StillSecure StrataGuard 4.5 Free</title><content type='html'>Alessandro Perilli from Security Zero wrote an excellent &lt;a href="http://www.securityzero.com/2006/04/review-strata-guard-free.html"&gt;review of StrataGuard 4.5 Free&lt;/a&gt;, an Intrusion Detection System that is available free of charge.&lt;br /&gt;&lt;br /&gt;Based on this review, I'm downloading a copy of the ISO to try on my test network.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114420221227722249?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114420221227722249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114420221227722249' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114420221227722249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114420221227722249'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/stillsecure-strataguard-45-free.html' title='StillSecure StrataGuard 4.5 Free'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114420024647402561</id><published>2006-04-04T21:15:00.000-04:00</published><updated>2006-04-04T21:24:06.490-04:00</updated><title type='text'>Florida band blocked from trip by terrorism fears</title><content type='html'>This story is somewhat close to my heart, because I have family in Southwest Florida.  And I will admit that I was in my high school band, and we went on trips, but none as cool as this.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.news-press.com/apps/pbcs.dll/article?AID=/20060317/NEWS01/60317033/1075"&gt;Fort Myers High band denied trip to London &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This band is actually invited to go to London, tour some famous historical landmarks, and participate in the 2007 New Year's Day Parade.  School officials are blocking the opportunity because of the terrorist attack in July 2005.  Any terrorist reading about this story would think "mission accomplished."&lt;br /&gt;&lt;br /&gt;Note: I first picked up on this from &lt;a href="http://www.stupidsecurity.com/article.pl?sid=06/04/02/0540218"&gt;Stupid Security.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114420024647402561?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114420024647402561/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114420024647402561' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114420024647402561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114420024647402561'/><link 
rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/florida-band-blocked-from-trip-by.html' title='Florida band blocked from trip by terrorism fears'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114419726904227501</id><published>2006-04-04T19:55:00.000-04:00</published><updated>2006-05-02T20:12:17.730-04:00</updated><title type='text'>Block Google Desktop</title><content type='html'>Many organizations are not so keen on their employees using Google Desktop within their enterprise.  I share that apprehension, and I have done a little research into what can and cannot be done to rein in this overly communicative application.&lt;br /&gt;&lt;br /&gt;A lot of the credit for being able to control this application must go to Google.  I'm not sure if this was the case when it was initially released, but the current Enterprise version of the program includes some great resources.  Most importantly, it includes an Administrative Template for Windows Group Policy.  If you load this template into a GPO, you can effectively curtail any behavior you deem unsuitable for your network. &lt;div class="more"&gt;&lt;br /&gt;&lt;br /&gt;For my money, the most important settings in this template are the following:&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;1. Prohibit Policy-Unaware versions&lt;/span&gt; - Prohibits installation and execution of versions of Google Desktop that are unaware of Group Policy.&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;2. 
Disable sharing and receiving of web history and documents across computers &lt;/span&gt;- Prevents Google Desktop from sharing the user's web history and document contents across the user's different Google Desktop installations, and also prevents it from receiving such shared items from the user's other machines.&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;3. Disallow Plug-ins&lt;/span&gt; - Prevents installation of Google Desktop plug-ins.&lt;br /&gt;&lt;br /&gt;If you put these three policy settings in place, you'll be much better off from a security standpoint than if you do nothing.&lt;br /&gt;&lt;br /&gt;If you want to go further, you can take some steps to completely block Google Desktop from running at all.  Some suggestions:&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;4. Prevent Indexing policy settings&lt;/span&gt; - There are about 19 different "Prevent indexing of ..." policy settings in the Administrative Template.  You can enable some or all of them to prevent that category from being indexed at all.  If it's not indexed, it can't be shared, copied, or transmitted to a third party.&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;5. Software Restriction Policies&lt;/span&gt; - You can enable these policies through Group Policy, and choose to disallow the application from running throughout a domain either based on a path rule (C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe) or based on a hash rule, where Windows creates a hash of the current version of the file.  (Note: the hash will be rendered obsolete if the version of Google Desktop is updated, but that can be prevented with the following 2 entries.)&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;6. Block Auto-update setting&lt;/span&gt; - Another Administrative Template setting; you can choose to block updates to the program.  No updates = no additional functionality to worry about blocking.&lt;br /&gt;   &lt;span style="font-weight: bold;"&gt;7. 
Content Filtering&lt;/span&gt; - You could add desktop.google.com to whatever method you use to block access to websites.  If your users can't get there, they can't download the installer in the first place.&lt;br /&gt;&lt;br /&gt;I'm sure there are other methods that can be used to block Google Desktop, but I've found these to be pretty effective.  I must admit, I would probably be doing a lot more administrative acrobatics (such as blocking things through firewall ACLs, or more group policy settings) if Google had not released their Enterprise software.  I should also note that it includes an Admin Guide that explains a lot of the features of the program, including all the settings in the Administrative Template file.&lt;br /&gt;&lt;br /&gt;While Desktop Search Engines (DSEs) such as Google Desktop do present a risk, that risk can be mitigated, as long as the software company is willing to provide the tools to do so.  I think Google is setting a very good example with their Google Desktop for Enterprise option.&lt;br /&gt;&lt;br /&gt;I intend to explore other DSEs in the near future.  
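As an added illustration of item 5 above (example code, not from the post or from Microsoft), this Python simulation of Software Restriction Policy precedence shows why a hash rule goes stale after an auto-update while a path rule keeps working, and why the two complement each other. The executable contents are constructed stand-ins, and the SHA-1 digest is an assumption of the simulation.

```python
import hashlib
import ntpath  # Windows path semantics (case-insensitive, backslashes) on any host

# Path from the post; the rule matches case-insensitively like a real SRP path rule.
GOOGLE_DESKTOP_PATH = r"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


def path_rule(path, level):
    """Path rule: a file path, or a folder path that covers everything beneath it."""
    return {"kind": "path", "path": ntpath.normcase(path), "level": level}


def hash_rule(file_bytes, level):
    """Hash rule: a digest of the file contents at rule-creation time.
    SHA-1 is an assumption made for this simulation; the digest choice does
    not change the point being made."""
    return {"kind": "hash", "digest": hashlib.sha1(file_bytes).hexdigest(), "level": level}


def _path_matches(rule_path, exe_path):
    """True when the rule names the file itself or one of its parent folders."""
    if rule_path == exe_path:
        return True
    folder = rule_path.rstrip("\\") + "\\"
    return exe_path.startswith(folder)


def evaluate(rules, exe_path, exe_bytes, default_level=UNRESTRICTED):
    """Decide the security level for an executable about to run.

    Mirrors SRP precedence: hash rules win over path rules, and among path
    rules the most specific (longest) match wins. Anything unmatched gets
    the default level.
    """
    digest = hashlib.sha1(exe_bytes).hexdigest()
    for rule in rules:
        if rule["kind"] == "hash" and rule["digest"] == digest:
            return rule["level"], rule

    exe_norm = ntpath.normcase(exe_path)
    matching = [r for r in rules if r["kind"] == "path" and _path_matches(r["path"], exe_norm)]
    if matching:
        best = max(matching, key=lambda r: len(r["path"]))
        return best["level"], best
    return default_level, None


def compare_rule_types():
    """Run the post's two rule types against a simulated Google Desktop update.

    The executable bytes are constructed stand-ins, not the real binary.
    """
    old_build = b"constructed stand-in for GoogleDesktop.exe, build 1"
    new_build = b"constructed stand-in for GoogleDesktop.exe, build 2"
    hash_only = [hash_rule(old_build, DISALLOWED)]
    path_only = [path_rule(GOOGLE_DESKTOP_PATH, DISALLOWED)]
    both = hash_only + path_only
    relocated = r"C:\Users\someone\Downloads\GoogleDesktop.exe"
    return {
        # The hash rule blocks the build it was created from...
        "hash_rule_blocks_current_build": evaluate(hash_only, GOOGLE_DESKTOP_PATH, old_build)[0],
        # ...but an auto-update changes the bytes and the rule stops matching.
        "hash_rule_after_update": evaluate(hash_only, GOOGLE_DESKTOP_PATH, new_build)[0],
        # The path rule keeps blocking after an update, regardless of contents.
        "path_rule_after_update": evaluate(path_only, GOOGLE_DESKTOP_PATH, new_build)[0],
        # The path rule does not see the same binary at a different location.
        "path_rule_relocated_copy": evaluate(path_only, relocated, old_build)[0],
        # Both rule types together cover each other's gap.
        "both_rules_relocated_copy": evaluate(both, relocated, old_build)[0],
        "both_rules_after_update": evaluate(both, GOOGLE_DESKTOP_PATH, new_build)[0],
    }


if __name__ == "__main__":
    for scenario, level in compare_rule_types().items():
        print(f"{scenario}: {level}")
```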
I will post my findings.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114419726904227501?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114419726904227501/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114419726904227501' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114419726904227501'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114419726904227501'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/block-google-desktop.html' title='Block Google Desktop'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114411650046005150</id><published>2006-04-03T21:47:00.000-04:00</published><updated>2006-05-02T20:15:46.476-04:00</updated><title type='text'>Termination Procedures</title><content type='html'>It is very important for businesses of any size to have in place specific procedures that must be followed whenever an employee leaves the company, whether of his own volition, or by the action of the company.  As I mentioned in my previous post, these procedures must be followed no matter which employee is being terminated.&lt;br /&gt;&lt;br /&gt;Some considerations for such a procedure:&lt;br /&gt;&lt;br /&gt;1. 
&lt;span style="font-weight: bold;"&gt;Document it.&lt;/span&gt;  It doesn't matter if your company has only 1 server that runs 1 critical application, and an email server; there should be a written document that explains how to remove access for any user, and how to disable or delete their email address.&lt;div class="more"&gt;&lt;br /&gt;&lt;br /&gt;2. &lt;span style="font-weight: bold;"&gt;Be comprehensive.&lt;/span&gt;  On the flip-side of the coin, if you have 30 or 40 servers, 5 applications for each department or business unit, and email, VPN access, intranet applications, etc.; you need to have a checklist for each item so that all access to each system can be verified and removed.&lt;br /&gt;&lt;br /&gt;3. &lt;span style="font-weight: bold;"&gt;Know your users.&lt;/span&gt;  This ties in to #2.  If you don't know what accounts are out there, you may not be able to track them all down when you need to.  Make sure all user accounts for each system are documented per employee, so that you can easily figure out which systems to go to first when disabling accounts.  It's important to check the rest, just in case, but if it's going to take you the better part of an hour to get through &lt;span style="font-style: italic;"&gt;everything&lt;/span&gt;, it helps to prioritize.&lt;br /&gt;&lt;br /&gt;4. &lt;span style="font-weight: bold;"&gt;Beyond IT.&lt;/span&gt;  Not unreasonably, we tend to focus on computer systems access, since that is our main responsibility.  But it is important to think beyond the PCs and servers during terminations.  For instance, consider access to voicemail boxes, teleconferencing systems, keycard entry systems, combination locks, even old-fashioned key locks.  While not all of these may be "owned" by IT, they must be part of the procedure, so the person or department responsible for restricting those means of access can be notified and respond in a timely fashion.&lt;br /&gt;&lt;br /&gt;5. 
&lt;span style="font-weight: bold;"&gt;Independent verification.&lt;/span&gt;  Not that I'm suggesting anyone shouldn't be trusted, but it is a good practice to have a second pair of eyes verify that access has been completely removed during the termination procedures.  In the case of having 30 servers or so to go through, it can be a tedious process, and anyone can miss an obscure method of access.  Human error should be taken into account in any process whenever possible.&lt;br /&gt;&lt;br /&gt;That's the overview for terminations.  These procedures should be part of the security manual of any company, large or small. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114411650046005150?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114411650046005150/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114411650046005150' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114411650046005150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114411650046005150'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/04/termination-procedures.html' title='Termination Procedures'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114376397398978528</id><published>2006-03-30T19:09:00.000-05:00</published><updated>2006-03-30T19:12:54.003-05:00</updated><title type='text'>Who sets the 
audit standards?</title><content type='html'>I found this article on the RSA Security Blog.  It is the first of a three-part series, so it is mainly focused on the background of auditing and accounting.  It's an interesting read, and I'm sure the next two parts will be equally informative.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.rsasecurity.com/blog/entry.asp?id=1076"&gt;Who Sets the Audit Standards? Part 1 of 3&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114376397398978528?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114376397398978528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114376397398978528' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114376397398978528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114376397398978528'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/who-sets-audit-standards.html' title='Who sets the audit standards?'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114277769198049454</id><published>2006-03-19T09:13:00.000-05:00</published><updated>2006-03-19T23:52:56.783-05:00</updated><title type='text'>Security Audit Time</title><content type='html'>Today's the day.  We're having an external security auditor come in to take a look at one of the networks I work with.  
I'm not expecting any earth-shattering revelations, but, having dealt with this firm before, they usually come back with some interesting suggestions.  If that is the case today, I will share the love.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114277769198049454?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114277769198049454/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114277769198049454' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114277769198049454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114277769198049454'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/security-audit-time.html' title='Security Audit Time'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114254298471872348</id><published>2006-03-16T16:02:00.000-05:00</published><updated>2006-03-23T21:26:53.946-05:00</updated><title type='text'>Book Review - Protect Your Windows Network: From Perimeter to Data</title><content type='html'>This is my first book review in what I hope will be a series of reviews of security-relevant publications.  I aim to write at least one of these per month.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Protect Your Windows Network: From Perimeter to Data&lt;/span&gt;&lt;br /&gt;by Jesper M. 
Johansson and Steve Riley&lt;br /&gt;Addison-Wesley Microsoft Technology Series (2005)&lt;br /&gt; &lt;p class="MsoNormal"&gt;As the title should tell you, this is an unabashedly Windows-oriented book. It's no surprise, considering the authors are both employees of Microsoft. Jesper Johansson is the Senior Program Manager for Security Policy, and Steve Riley is the Senior Program Manager in the Security Business and Technology unit. Both authors are extremely knowledgeable, and participate in speaking engagements around the world on a regular basis.&lt;br /&gt;&lt;br /&gt;Microsoft-centric view aside, I deal primarily with Windows-based networks, so I found this book to be extremely informative in my security continuing education. The authors attempt to cover a great deal of ground, so by necessity, some areas are covered in more depth than others.  The areas covered are divided into 6 parts: "Introduction and Fundamentals," "Policies, Procedures, and User Awareness," "Physical and Perimeter Security: The First Line of Defense," "Protecting Your Network Inside the Perimeter," "Protecting Hosts," and "Protecting Applications."&lt;br /&gt;&lt;br /&gt;The book is filled with practical, common-sense analysis of security, both with respect to genuinely securing systems, and avoiding practices of "Security Theater."  Each chapter ends with a section entitled "What You Should Do Today," reinforcing the action items suggested throughout the chapter.  The book also includes a CD containing a few helpful tools.  These include a password generator, a HOSTS file that blocks known spyware sites, and a script to revoke SQL Server PUBLIC permissions.&lt;br /&gt;&lt;br /&gt;The writing style is at times humorous, and very down-to-earth.  This book is valuable both as a casual read, and a comprehensive reference for securing networks.  
I highly recommend it to anyone in the Information Security field, as well as anyone looking for a place to start educating themselves about network security.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/23642591-114254298471872348?l=security-theater.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114254298471872348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114254298471872348' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114254298471872348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114254298471872348'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/book-review-protect-your-windows.html' title='Book Review - Protect Your Windows Network: From Perimeter to Data'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114248218884138254</id><published>2006-03-15T22:38:00.000-05:00</published><updated>2006-03-15T23:09:49.113-05:00</updated><title type='text'>Password Policies</title><content type='html'>Do you have a password policy for your organization?  You probably should.  I have read a lot about password policies in recent weeks, and there seems to be some controversy about the best approach to take.  Here's my method for the madness.  Keep in mind that this is just the best I have been able to come up with so far.  
As &lt;a href="http://news.com.com/Gates+predicts+death+of+the+password/2100-1029_3-5164733.html?tag=nl"&gt;Bill Gates recently mentioned&lt;/a&gt;, passwords may be on the way out.  Barring the premature demise of the password, these recommendations are subject to change:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Password Complexity&lt;/span&gt; - I use Group Policy to enforce complexity requirements, which by Microsoft's standards is to include 3 out of the 4 possible types of characters (lowercase letters, capital letters, numbers, and symbols).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Password length&lt;/span&gt; - Again, a Group Policy setting.  I am currently allowing a minimum of 8 characters.  The longer the password, the harder it is to crack.  One other detail: all Windows server operating systems, by default, generate LM hashes for all passwords 14 characters or shorter.  LM hashes are relatively weak, and should be disabled (another Group Policy setting) if possible.  Another easy way to avoid LM hashes is to use a password of 15 characters or more.  I couldn't quite get that one approved, but I tried.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Account lockout settings&lt;/span&gt; - This is a tricky one.  I have heard arguments going both ways on this one, but most accounts would consider this to be Security Theater.  If you enable account lockout policies, you are most likely attempting to prevent a malicious individual from "guessing," or brute-forcing, an account password.  On the surface, it sounds like configuring that account to be locked out after a handful of failed attempts would be a good idea.  There are two problems with that approach.  The first is an administrative issue.  
As soon as you enable that lockout feature, you will have users calling you (or your helpdesk) complaining that they have locked out their account because they forgot they had CAPS lock on or some similar issue.  Secondly, it would seem trivially simple for a malicious user to effectively cause a denial-of-service attack by typing in the wrong password to an account multiple times in order to lock it out.  Imagine you enabled this feature throughout your domain, and someone managed to lock out a service account, or all the domain or enterprise admin accounts!  Sounds kind of risky to me.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Best practices&lt;/span&gt; - While all of these options I have mentioned have involved technical controls, meaning you are using settings in Active Directory to mandate certain password conditions, there are other steps that you should take that are not always as simple as a setting in Group Policy.  For instance, tell your users to avoid using dictionary words in their passwords.  Even with complex passwords of sufficient length, dictionary attacks can be fairly effective.  Another idea is not necessarily to avoid those dictionary words, but to use more than one.  I think the idea of a pass&lt;span style="font-style: italic;"&gt;phrase&lt;/span&gt; instead of a password seems like a pretty effective technique.  For instance, the passphrase "My dog's name is Max" is an extremely strong password.  It has capital and lowercase letters, it has special characters, it is 20 characters long, and it is extremely easy to remember (provided you actually have a dog, and have named him accordingly).  
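The post's rules collected into one check, as an added example that is not from the post (Python, with a constructed word list standing in for a real dictionary): it applies the 3-of-4 complexity rule and the 8-character minimum, flags passwords of 14 characters or fewer as LM-hash exposed, and shows that the passphrase above passes while a dictionary word with a year appended satisfies the Group Policy controls but not the dictionary advice.

```python
import string

# Values from the post: Windows complexity wants 3 of the 4 character
# classes, the author's minimum length is 8, and Windows stores an LM hash
# for any password of 14 characters or fewer.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
LM_HASH_MAX_LENGTH = 14

# Constructed stand-in for a real word list; a production check would load
# a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "summer", "max"}

# Space is counted as a symbol here (an assumption) so that passphrases
# with spaces earn the 'symbols' class as the post describes.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}


def character_classes(password):
    """Return the set of class names present in the password."""
    present = set(password)
    return {name for name, chars in CHARACTER_CLASSES.items() if present.intersection(chars)}


def is_single_dictionary_word(password, dictionary=SAMPLE_DICTIONARY):
    """True when the password is one dictionary word, ignoring case and any
    digits tacked onto the end (the classic 'Summer2006' pattern)."""
    return password.lower().rstrip(string.digits) in dictionary


def evaluate_password(password, dictionary=SAMPLE_DICTIONARY):
    """Apply the post's rules and report each finding separately.

    length_ok and complexity_ok are the Group Policy controls; lm_hash_exposed
    notes that a domain with the default settings would keep a weak LM hash
    for this password; dictionary_word covers the advice that technical
    controls alone do not enforce.
    """
    classes = character_classes(password)
    findings = {
        "length": len(password),
        "classes": sorted(classes),
        "length_ok": max(len(password), MIN_LENGTH) == len(password),
        "complexity_ok": max(len(classes), REQUIRED_CLASSES) == len(classes),
        # Only passwords of 15 characters or more escape the LM hash entirely.
        "lm_hash_exposed": len(password) in range(LM_HASH_MAX_LENGTH + 1),
        "dictionary_word": is_single_dictionary_word(password, dictionary),
    }
    findings["accepted"] = (
        findings["length_ok"] and findings["complexity_ok"] and not findings["dictionary_word"]
    )
    return findings


if __name__ == "__main__":
    # The post's passphrase beside a password that passes the technical
    # controls yet is a dictionary word with a year appended.
    for candidate in ["My dog's name is Max", "Summer2006", "Max1"]:
        print(candidate, evaluate_password(candidate))
```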
Easy to remember is a good approach for your users, so you won't have to deal with passwords written on a Post-It note under their keyboard.</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114248218884138254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114248218884138254' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114248218884138254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114248218884138254'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/password-policies.html' title='Password Policies'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114240313344847947</id><published>2006-03-14T23:06:00.000-05:00</published><updated>2006-03-15T10:29:49.850-05:00</updated><title type='text'>Security Live CDs</title><content type='html'>In case you've never used them, Live CDs are a useful tool for many reasons.  They can be used to evaluate operating systems, such as a Linux distribution.  They also serve as an interesting tool for those in the security field.   
There are Live CDs for penetration testing, forensic analysis, and other security testing.&lt;br /&gt;&lt;br /&gt;Darknet has posted a list of the &lt;a href="http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/"&gt;10 Best Security Live CD Distros&lt;/a&gt;.  I have personal experience with a few of these, including Auditor and Helix.  I intend to check out the rest.  I suggest you do the same.&lt;br /&gt;&lt;br /&gt;Anyone have any experience with these Live CDs that they would like to share?</content><link rel='related' href='http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/' title='Security Live CDs'/><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114240313344847947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114240313344847947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114240313344847947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114240313344847947'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/security-live-cds.html' title='Security Live CDs'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114239641733724973</id><published>2006-03-13T23:15:00.000-05:00</published><updated>2006-03-15T10:29:20.546-05:00</updated><title type='text'>NORAD orders Web deletion of transcript</title><content type='html'>&lt;a href="http://news.com.com/NORAD+orders+Web+deletion+of+transcript/2100-1028_3-6048254.html?tag=nefd.top"&gt;This&lt;/a&gt; seems somewhat foolish.  For some reason, the Defense Department thought that the transcript of a public hearing should be pulled from a government website.  The speculation is that this transcript was deemed a security risk due to the fact that it might have revealed sensitive information.  Later in the article, it is mentioned that the article might have been pulled due to the criticism of the government, as opposed to an attempt to hide a security risk.  Oh, that makes me feel so much better.&lt;br /&gt;&lt;br /&gt;Isn't it better to have an open forum where vulnerabilities such as this can be brought to light?  If we pretend there's no problem, how can a solution be found?  This applies as much to Homeland Security as it does to application security.  
I'm all for responsible disclosure on the part of vulnerability researchers, but if an application vendor is not addressing the problem in a timely manner, how is this serving their customers?</content><link rel='related' href='http://news.com.com/NORAD+orders+Web+deletion+of+transcript/2100-1028_3-6048254.html?tag=nefd.top' title='NORAD orders Web deletion of transcript'/><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114239641733724973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114239641733724973' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114239641733724973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114239641733724973'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/norad-orders-web-deletion-of.html' title='NORAD orders Web deletion of transcript'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114195731032637737</id><published>2006-03-09T21:05:00.000-05:00</published><updated>2006-03-09T21:21:50.336-05:00</updated><title type='text'>Microsoft Security Bulletin Advance Notification</title><content type='html'>It's that time again...&lt;br /&gt;&lt;br /&gt;On Tuesday, March 14th, Microsoft will be releasing one "Important" security update for Windows, one "Critical" security update for Office, an 
updated Malicious Software Removal Tool, and one non-security High-Priority update.&lt;br /&gt;&lt;br /&gt;As usual, any Critical updates are &lt;span style="font-style: italic;"&gt;highly&lt;/span&gt; encouraged to be installed as soon as possible, within reason.  What do I mean by "within reason?"  That depends on who you are. &lt;br /&gt;&lt;br /&gt;For home users, I would suggest waiting a few days to see if there are any reports of major issues.  Of course, if you consider yourself a "power user," you can probably take care of yourself, and don't need my advice on patching. &lt;br /&gt;&lt;br /&gt;If you are a small to medium sized business (or the IT staff of one), try to find a few non-mission critical machines to get the updates installed on as quickly as possible, and monitor the results.  Then, wait a day or two to see if there is any "buzz" about potential issues.  If there is not, patch away, keeping an eye out for potential issues that you may be the first to experience. &lt;br /&gt;&lt;br /&gt;If you are a large business, you probably already have detailed patching procedures in place, so you don't need me to tell you what to do. &lt;br /&gt;&lt;br /&gt;Personally, with the decreasing window between a vulnerability being announced and an exploit being released, I start to feel very nervous if I don't have most of my critical machines patched within a week of Microsoft's release date.&lt;br /&gt;&lt;br /&gt;Check out Microsoft's Advance Notification &lt;a href="http://www.microsoft.com/technet/security/bulletin/advance.mspx"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;-JB&lt;br /&gt;&lt;br /&gt;P.S. - For small and medium businesses that are not using a patch management product, a great one for the money (since it's FREE) is Microsoft's &lt;a href="http://www.microsoft.com/windowsserversystem/updateservices/default.mspx"&gt;Windows Server Update Services &lt;/a&gt;(WSUS).  
I will go into more detail on this one, as well as other patch management options, in a future post.</content><link rel='related' href='http://www.microsoft.com/technet/security/bulletin/advance.mspx' title='Microsoft Security Bulletin Advance Notification'/><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114195731032637737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114195731032637737' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114195731032637737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114195731032637737'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/microsoft-security-bulletin-advance.html' title='Microsoft Security Bulletin Advance Notification'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114186476435500466</id><published>2006-03-08T19:39:00.000-05:00</published><updated>2006-03-09T21:22:15.540-05:00</updated><title type='text'>Running as Limited User - the Easy Way</title><content type='html'>&lt;span class="author-parent"&gt;One of the prime examples of a best practice that is often ignored is the principle of least privilege.  
Sure, everyone knows that the temp working in Customer Service shouldn't have access to the Finance Department's file share, but beyond simple file permissions, many users are allowed to run as a local administrator on their systems.  In general, this is a very bad idea, not just because of the damage that can be caused by the user, but because a large majority of spyware and adware infections could be prevented if the user didn't have admin access to the system at the time of the infection attempt.&lt;br /&gt;&lt;br /&gt;While having all users operate in a limited account at all times is the ideal, unfortunately it is not the reality for many companies.  There are many applications (Quickbooks, for one), that are not able to function when running as a limited user.  Not to knock Quickbooks' design team, because I'm not a software engineer, but in general, this inability to run as a limited user is the result of poor software design.  And I don't mean to single them out, because there are many products that have this problem.  Sometimes there are workarounds that will allow the application to run in spite of the limited privileges, but other times that is not possible.&lt;br /&gt;&lt;br /&gt;Mark Russinovich, over on his &lt;a href="http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html"&gt;blog&lt;/a&gt;, has put forth another interesting option that deserves consideration.  
On a system that cannot be operated using a limited user account, Mark proposes using a limited account for applications that are prone to compromise, such as web browsers and email clients.&lt;br /&gt;&lt;br /&gt;-JB&lt;br /&gt;&lt;/span&gt;</content><link rel='related' href='http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html' title='Running as Limited User - the Easy Way'/><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114186476435500466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114186476435500466' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114186476435500466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114186476435500466'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/running-as-limited-user-easy-way.html' title='Running as Limited User - the Easy Way'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114183480735725970</id><published>2006-03-08T10:04:00.000-05:00</published><updated>2006-03-09T21:22:27.800-05:00</updated><title type='text'>Security Theater Examples</title><content type='html'>While I intend for this blog to include more than just issues related to security theater, in honor of the title, I want to mention a few examples of security practices that are 
more image than substance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security through obscurity&lt;/span&gt;&lt;br /&gt;While there is some value to the concept "if attackers can't see me, they won't know I'm there to be attacked," it is misleading to think that any method used to hide a system, or traffic, or whatever else you are trying to hide, will provide any real protection.  Take disabling the SSID broadcast in a wireless network, for example.  While this may prevent some novices from finding you, any war driver who spends 15 minutes of their time reading up on wireless networks will be able to get that information using simple utilities.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;I have a firewall, so I'm protected&lt;/span&gt;&lt;br /&gt;Don't get me wrong, firewalls are pretty much essential in most networks (actually, I can't think of any exceptions at the moment, but I try to avoid generalizations).  The misconception is that the perimeter firewall is the single device needed to protect your network.  There are a lot of attack vectors out there, and not all of them involve Internet traffic coming into your network.  Heck, not all of them even originate outside of your network.  What about the user that brings in a laptop loaded with all kinds of viruses, spyware, and P2P applications, and attaches it to your network?  Obviously, there are other methods of protection, including antivirus/antispyware software, IDS/IPS, email security products, network and remote access quarantine products, patch management, etc.  
I intend to go into greater depth on each of these options soon.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="font-style: italic;"&gt;[Insert Product Here]&lt;/span&gt; will solve all our problems&lt;/span&gt;&lt;br /&gt;Not to mislead you with the products I mentioned in the last category, most methods used to mitigate risk should start as a policy, not necessarily a product.  Certainly, protection may be provided by a new security product, but only if it is implemented in a way that is consistent with the overall security posture of an organization.  If you expect to just drop a security appliance onto your network and be instantly more secure, you will probably be disappointed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The OSI model only has 7 layers&lt;/span&gt;&lt;br /&gt;People who deal with security often focus on securing only the first 7 layers of the OSI model.  They tend to forget about the 8th layer - &lt;span style="font-style: italic;"&gt;people&lt;/span&gt;.  If you aren't educating your users, and taking their actions into account when designing your security solutions, you are destined for failure.  Also, expecting your systems to "catch" all user-created problems is underestimating your users.  They are notorious for (intentionally or unintentionally) finding ways around your carefully crafted controls.  Whether their intent is malicious, such as finding a way to steal sensitive data, or they are merely trying to open that funny email attachment that a "friend" sent them, the actions of users cannot always be anticipated.  While you can design controls to catch the malicious users, you should also focus on educating the more "innocent" offenders.&lt;br /&gt;&lt;br /&gt;That should do it for now.  
There are many more examples of Security Theater, so this may become a regular series of articles.&lt;br /&gt;&lt;br /&gt;-JB</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114183480735725970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114183480735725970' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114183480735725970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114183480735725970'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/security-theater-examples.html' title='Security Theater Examples'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-23642591.post-114179870411417977</id><published>2006-03-08T01:17:00.000-05:00</published><updated>2006-03-09T21:46:56.956-05:00</updated><title type='text'>Welcome to the Security Theater of the Absurd</title><content type='html'>Welcome!  As an experienced network engineer who began specializing in the security field a while back, it has become apparent that there is often a big disparity between "Security Theater" (a term coined by Bruce Schneier in his book &lt;span style="font-style: italic;"&gt;Beyond Fear&lt;/span&gt;) and what I'm going to call "Security Reality."  
I intend to highlight both sides of the coin on this blog, and hopefully the contrast between the two should be both educational and informative.&lt;br /&gt;&lt;br /&gt;-JB</content><link rel='replies' type='application/atom+xml' href='http://security-theater.blogspot.com/feeds/114179870411417977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=23642591&amp;postID=114179870411417977' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114179870411417977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/23642591/posts/default/114179870411417977'/><link rel='alternate' type='text/html' href='http://security-theater.blogspot.com/2006/03/welcome-to-security-theater-of-absurd.html' title='Welcome to the Security Theater of the Absurd'/><author><name>i3ia5i</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
