Shon Harris and other team members would like to
share with you the CISSP and information security
articles and materials we have published for various
periodicals.
We will continually be updating this page with
more articles, so please check back often. If you
would like to use any of our material, please e-mail
us at
info@logicalsecurity.com for permission
first and please indicate that the material came
from our web site.
STAR Registry Aids Users in Selecting Secure Cloud Offerings
The Security, Trust & Assurance Registry, or STAR, is a publicly accessible registry that lists the cyber security controls
that assorted cloud computing organizations offer. Launched by CSA, or the Cloud Security Alliance, STAR is a free service
that enables IT and information security users, managers, and auditors to evaluate the comprehensiveness of the security controls
of cloud providers.
View Article
Online Money Thieves Run Complex Businesses to Launder Funds, Market Products
Online thieves who steal bank account and other financial information often set up amazingly sophisticated businesses
to ply their illicit trade. Such cyber enterprises include aspects common in successful legitimate businesses, such as
segmented business lines, extensive marketing and advertising, bulk discounts, shipping, even money-back guarantees.
Many of these "services" are readily available on online underground forums.
View Article
Unit Testing and Security by Ivan Makale
This article deals with unit testing, from a basic introductory level up to an explanation of advanced use in
current software development, mentioning related tools and frameworks. In relation to IT security, unit testing is a
less common subject than other kinds of testing, such as penetration testing and fuzz testing, because it is more
difficult to find an immediate link between unit testing and security; as a result, this aspect can easily be
underestimated by developers and architects who have a special interest in security.
View Article
Boy in the Browser Attacks
The "Boy in the Browser" (BitB) is a new kind of attack: a Trojan that seizes control of a victim's
traffic to servers and redirects that traffic to an attacker's proxy servers, where the attacker can do their dirty work.
View Article
Washington Seeks to Boost Cyber Schools, Workers with National Initiative for Cybersecurity Education
The draft National Initiative for Cybersecurity Education, or NICE, was unveiled on August 11, 2011,
as a nation-wide, federally sponsored effort to bolster cyber security education and the cyber security workforce.
View Article
Hot Jobs with Rising Wages in Cyber Security
Fiscal crisis may be embroiling Europe, and the U.S. economy may be on the edge of a double-dip recession.
You wouldn't know it, though, from the stiff demand for an array of high-paying jobs in information security.
View Article
Secure Development Lifecycle
One of the fundamental axioms of software development is that you can never write code that is 100% secure and flawless;
a confession that the software industry hesitantly acknowledges after almost six decades of software revisions, debugging and patching.
View Article
The Enigmatic Existence of X-Morphic Exploitation
The web browser is one of the most used and most exploited applications. Its frequent use has made
it a risky and vulnerable target in the past few years, and attackers have adopted it as their basic path to
fulfill their malicious aims.
View Article
Fuzzing Frameworks
A plethora of fuzzers are available nowadays that target everyday network protocols and file formats.
These fuzzers thoroughly iterate through their targeted protocols and files, and act as a valuable resource
for stress testing as well.
View Article
Cold Boot Attack
In a recent publication, researchers at Princeton University described an attack, labeled a 'Cold Boot Attack', against
DRAM system memory. The attack overturns the traditional assumption of DRAM volatility and shows
that the contents of supposedly 'volatile' RAM can be accessed even after the power has been turned off.
View Article
Trusted Platform Module (TPM)
The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers and is dedicated to
carrying out security functions that involve the storage and processing of symmetric and asymmetric keys, hashes and
digital certificates. The TPM was devised by the Trusted Computing Group (TCG), an organization that promotes open
standards to help strengthen computing platforms against security loopholes and attacks.
View Article
Administration Pushing for Trusted Identity Solutions
The White House and Commerce Department on April 15 rolled out a National Strategy for Trusted Identities in Cyberspace,
or NSTIC. NSTIC will be a broad government and private-sector effort to encourage the creation and use of secure online
credentials that users could employ across multiple applications. The aim is to replace the prevailing systems of multiple,
hard-to-remember user names and passwords, and weak security queries such as "your mother's maiden name," with fewer,
easier-to-use, and more secure credentials.
View Article
Adobe Flash Struck by Zero-day Exploit
According to a recently published security advisory by Adobe (CVE-2010-1297), the Adobe Reader and Acrobat
"authplay.dll" code execution vulnerability, a critical 0-day flaw has been reported in Adobe Flash
Player that can compromise or crash the affected system. The
vulnerability reportedly affects Flash Player for Windows, Mac OS X,
Linux, Solaris, and Android. The authplay.dll component of Adobe Acrobat
and Adobe Reader X is reported to be affected by this exploit. Authplay
is the interpreter that renders Flash content embedded within PDF files.
View Article
A Guide to Bypassing Browser Memory Protection
The purpose of a memory protection mechanism is to prevent exploitation of vulnerabilities on particular platforms.
Although protection mechanisms such as GS, SafeSEH, DEP and ASLR at a glance look like an insurmountable obstacle for
exploit developers, they suffer from certain limitations that make them ineffective at preventing the
exploitation of memory. To provide a better understanding of these limitations, a step-by-step description of each individual
protection mechanism is necessary.
View Article
Master Boot Record (MBR) Rootkit - Mebroot
Antivirus vendors and security firms have raised the alarm over a devious new
rootkit, 'Mebroot'. Mebroot aims head-on at the Windows Master Boot
Record (MBR) and takes control of the entire system by tampering with
the original MBR code and replacing it with Mebroot's own code,
while making itself undetectable and irremovable.
View Article
Exploring Microsoft DLL Load Hijacking
A dynamic link library is an ordinary library that takes the idea
of a statically linked library one step further. A static library is one in which a
set of functions is assembled together so that it can be used by
different programs, which means that a programmer needs to
write the code for a specific task only once. In this scenario,
a program is assembled from object files containing the functions or
data used in the program.
View Article
Windows Access Tokens
Windows Access Tokens are kernel objects that contain security
information regarding the privileges associated with a user account and
identify the user, the user's groups and the privileges of that user. The
access token describes the security context of all processes and
threads. Malicious attackers use access tokens to perform
post-exploitation tasks.
View Article
Windows Memory Protection Mechanisms
Microsoft Windows, being the most famous OS of all, has persistently
been the target of exploitation attacks over the past several years. A
number of protection mechanisms have gradually been implemented by
security architects at Microsoft. These measures aim to protect
vulnerabilities from exploitation attempts by limiting memory
manipulation opportunities.
View Article
Under the Microscope: Advanced SQL Injections in MySQL
SQL injection attacks involve the insertion of SQL commands through input
data sent from the client to the application. The attack can affect
any application that interacts with a database management system using
SQL. A SQL injection attack can result in reading sensitive data
from the database, modifying database data (using insert, update or
delete statements), sending commands to the operating system, performing
administrative-level operations on the database, etc.
View Article
Anatomy of XSS Attacks
XSS, also known as Cross Site Scripting, is a client-side attack carried
out by surreptitiously injecting a malicious link into a target site
vulnerable to XSS. XSS attacks are carried out against dynamic web pages
that accept user input and have not implemented sufficient input
filtering mechanisms. The script code in this kind of attack can be
written in any language supported by the victim's browser. This
covert script is executed on the client side when an unsuspecting user
selects the link.
View Article
Examining the Security State of ERPs: A Look at Security Vulnerabilities in SAP
In the course of securing intricate business information, the most
complicated task is to keep business applications secure and sanitized
from threats ranging from computer viruses to denial-of-service attacks.
With the increasing value of information, enterprise information
management calls for the implementation of a business solution that is
capable of providing a secure and consistent data stream throughout the
system and within the organization itself. That's where the need for SAP
(Systems, Applications and Products) comes in.
View Article
Chronicling the Evolution of Malware Detection Mechanisms
The best practice for protecting a system is to prevent malware
and viruses from getting into the system in the first place; to make this
possible, the malware detection mechanism must be very strong.
View Article
Stellar Security: Hardening Linux
Linux is a free and open source operating system which might contain
anywhere from a basic set of computing utilities to advanced
virtualization packages depending on the distribution. Linux is
generally perceived to be far superior in terms of security than its
Windows counterpart. However, like any other operating system, Linux
is also susceptible to security breaches, inadvertent exposure and
system compromise.
View Article
Securing Your Systems NSA Style – With SELinux
Late in December 2000, the US National Security Agency (NSA) introduced an
extension to the standard Linux kernel called Security Enhanced Linux (SELinux),
designed specifically to implement strict access controls on the Linux
operating system. The strict implementation of access controls results
in processes being assigned the minimum level of privileges and in
granular kernel control.
View Article
Introductory J2EE Security: Encrypting Configuration Properties by Ivan Makale
In a previous article, "Introductory J2EE Security: Role-Based Access
Control Applied to Enterprise Java Beans", we introduced a sample J2EE
project, which you could use to test some security-related features. In
this second article we add something else to the same project, extending
it. We retrieve information from files that are accessible through an
FTP server, and then we configure the FTP connection using a properties
file. At this point, a security concern is evident, as we write
connection-related data in clear text inside the configuration file. A
method for encrypting properties, using a specific library, is then
provided.
View Article
Introductory J2EE Security: Role-Based Access Control Applied to Enterprise Java Beans by Ivan Makale
In this article, we introduce a sample J2EE project, with code and
detailed instructions included, which you can use to test some
security-related features, mainly role-based access control obtained by
means of Enterprise Java Beans running inside an application server,
Glassfish in our case, which had to be properly configured.
View Article
Data security: Why the usual solutions fall short
With the current buzz around the WikiLeaks disclosures, the U.S. public
seems amazed by the type and amount of sensitive information that is
available to people who should not have access to it. Security
professionals are not.
View Article
Smart Grid Security Overview
A "smart grid" refers to the traditional electric power grid updated
with modern information technology equipment and know-how. It
comprises digitized devices and the industrial facilities in the
energy sector that such devices help operate: electrical plants,
electrical substations, utility towers, relays and transformers,
nuclear power plants, and oil refineries.
View Article
Shortages in Federal Government’s Cyber Security Work Force
Two new reports--from the Center for Strategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service (PPS)--highlight serious shortfalls among the federal government’s cyber security work force. Against a background of growing threats to the IT infrastructure of the U.S. military, civilian federal agencies, and major private-sector firms, the reports find common ground on short- and longer-term recommendations for grappling with this pressing concern.
View Article
For years IT organizations have focused on securing the computer network. Technologies such as firewalls and network access control (NAC) are designed to keep malware and unauthorized traffic from coming in. That makes sense from an operational integrity standpoint. Viruses, worms, spam, phishing attacks, etc. can bring a network to a standstill. But, while the focus has been on keeping bad traffic out, data packets have moved freely – for the most part – through and beyond the private network. After all, that’s what the network is for. It plays a supporting role to the star of the show: your data. Without data, there’s little need for a network. But therein lies the rub!
View Article
Zeus Toolkit Gangs Staging Mass Attacks on Banking Applications
Since 2007, illicit organizations have employed Zeus to launch damaging, highly publicized attacks targeting the login credentials and other personal data associated with millions of computers, thousands of organizations, and uncounted numbers of users and their accounts. Relatively small groups of sophisticated criminal bands based in various nations--particularly in Eastern European countries such as Russia and Ukraine--have stolen tens of millions of dollars. Computers in 196 countries have been subject to attack. The countries most affected include the U.S., U.K., Saudi Arabia, Egypt, and Turkey.
View Article
Advanced Persistent Threat
The Advanced Persistent Threat (APT) is very focused
and motivated to aggressively and successfully
penetrate a network with a variety of attack
methods and then clandestinely hide its presence
while establishing a well-developed, multi-level
foothold in the environment. Read more to understand
this threat our industry faces today.
View Article
Smartphone Security
Smartphones are infiltrating businesses of all
sizes. Decreasing price points and increasing
functionality put enterprise-class capabilities in
the palm of every Tom, Dick and Harry who connects
to the corporate network. No big deal, right?
Blackberrys, iPhones and Androids – among many
others – enable your users to work more efficiently.
But, like every other piece of technology,
smartphones come with a price to your organization.
That price is in the form of risk. Let’s look at
some of the ways smartphones introduce risk to your
environment, and then look at some of the best
practices for managing that risk.
View Article
Making the Internet Safer: Online Resources
for Parents and Children
Online predators trawl the Web seeking to involve
youngsters in inappropriate and illegal sexual
relationships. The Internet allows sexual deviants
to more easily gain access to information about
youths they may be targeting. Such information can
include a youth’s email address, web site, birth
date and age, photos, family data, other friends,
hobbies, and individual likes and dislikes. Based on
such information, predators can begin to befriend
impressionable youths, perhaps gaining their trust
over a long period of time, perhaps through
enticements such as the provision of free software
games. At the same time, predators can maintain
relative anonymity about themselves, or readily post
false or misleading information. Once friendship is
gained, predators may seek to physically meet their
targets, sometimes by sending them money, tickets,
or other means to travel to a rendezvous.
View Article
Interview with Shon Harris
Shon Harris discusses some of the upcoming threats
companies face in information security today and
what she and her company, Logical Security, are doing
to help in these efforts.
View Article
Risk Management and Security Metrics
What do we have in the world of IT and security risk
management today? A bit of a mess.
Risk management has been a nebulous, pathless utopia
that has been just out of our reach because we are
randomly wandering around in pseudoscience and
nonsensical numbering systems. Read this series of
articles to find out what we should be doing today.
View Article
Risk Management Strategies
Shon explains what risk is, clarifies the
differences between risk and vulnerability
management and provides a 10,000-foot view of the
risk management process. She explains how to
use threat modeling to define an organization's
acceptable level of risk, describes the contents of
a risk management policy, provides a sample
policy template, and describes the roles and
responsibilities of an information risk management
team. Learn how to define the scope of the IRM
team's responsibilities, the difference between
qualitative and quantitative risk analysis and the
tools used to carry out risk analysis. There are
step-by-step instructions on conducting a risk
analysis, along with the four ways to deal with
identified risk: transfer it, avoid it, reduce it or
accept it.
View Article
Basic Footprinting
Footprinting an organization prior to launching an
attack against its resources is essential for an
attacker, as it enhances the probability of a
successful attack. For example, if a burglar plans
to break into a house, he will first gather as much
information as possible to find out the ways that
can be used to break into it. Similarly, when a
malicious attacker plans to target an online
resource, he first gathers all the possible
information to create a complete profile of the target's
security posture.
View Article
IT Security Auditors Roles
We have moved into a fascinating time where
technology has been injected into almost every part
of our lives. We are currently going through a
metamorphosis that none of us can truly grasp,
because we are right in the middle of it. It is very
difficult for a society to know that it is going
through great changes because it is hard to view
something objectively when you are right in the
middle of it.
View Article
E-mail Threats
E-mail spoofing is a technique used by malicious
users to forge an e-mail to make it appear to be
from a legitimate source. Usually, such e-mails
appear to be from known and trusted e-mail addresses
when they are actually generated from a malicious
source. This technique is widely used by attackers
these days for spamming and phishing purposes.
View Article
Basic Security Development Issues
Developers are not always aware of the
ever-increasing security issues that can nefariously
attack their code. This lack of awareness, combined
with tight development timelines, generally results in
applications that are prone to a wide assortment of
attacks.
View Article
Programming Languages
From the era of punched-card instructions to
heuristic encoding, programming languages have
rapidly evolved in their design, approach and dogma.
Though the first three generations of programming
languages can be classified along distinctly defined
boundaries, beyond that the classification becomes
somewhat obscure and arguable.
View Article
Web Security Concepts and Attacks
Cross-Site Scripting (XSS) is a kind of application
security vulnerability which is usually found in web
applications. XSS attacks enable an attacker to
inject their malicious code (in client-side
scripting languages, such as JavaScript) into
vulnerable web pages.
View Article
Identity Management
Identity management is a broad and loaded term that
encompasses the use of different products to
identify, authenticate, and authorize users through
automated means. To many people, the term also
includes user account management, access control,
password management, single sign-on functionality,
managing rights and permissions for user accounts,
and auditing and monitoring of all of these items.
The reason that individuals, and companies, have
different definitions and perspectives of identity
management (IdM) is because it is so large and
encompasses so many different technologies and
processes.
View Article
XML Security
If you can remember when HyperText Markup Language
(HTML) was all we had to make a static web page,
you’re old. Being old in the technology world is
different than in the regular world; HTML came out
in the early 1990s. HTML came from Standard
Generalized Markup Language (SGML), which came from
the Generalized Markup Language (GML). We still use
HTML, so it is certainly not dead and gone; the
industry has just improved upon the markup languages
available to use.
View Article
Cross Site Scripting Attacks
Cross Site Scripting (XSS) is a type of web application vulnerability which enables an attacker to inject her malicious code
(usually JavaScript) into vulnerable web pages. When an unsuspecting user visits the infected page, the malicious code executes
on the victim’s browser and may lead to stolen cookies, hijacked sessions, malware execution,
bypassed access control or aid in exploiting browser vulnerabilities.
View Article
Broadband Wireless Communication
Mobile telephony refers to communication using a mobile wireless technology.
It is usually classified into four generations, namely 1G, 2G, 3G and 4G.
These generations help record the dramatic evolution mobile telephony has undergone since its first introduction nearly 30 years ago.
View Article
Enterprise Methodologies
The Information Technology Infrastructure Library (ITIL) is a set of guidelines and techniques that are used to manage,
improve, and organize the design, development and operations of IT infrastructure.
The major focus of the ITIL is on the constant evaluation and improvement of delivered IT services.
View Article
Security Policies
Security policies provide the foundation for an
organization's security infrastructure. A security
policy is a document or set of documents that
conveys the management's intentions and decisions on
how security will play a role within the
organization.
View Article
British Standard 7799
The British Standard 7799 is an internationally
recognized set of recommendations for developing
security policies and conducting auditing. The
standard provides comprehensive guidance on many of
the issues related to information security. Many
organizations use British Standard 7799 as a
baseline to start from when developing their
policies and indeed their information security
programs.
View Article
Who’s Who
Acronyms for companies and organizations are often used in
literature without an explanation of who these
organizations are and what their function in the
world is. This section covers many of the
organizations that have been discussed in the
All-In-One CISSP Exam Guide.
View Article
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act was signed into United States law by former
President Bill Clinton on November 12, 1999. The act
applies to all national banks and federal branches
of foreign banks that are subject to the supervision
of the Federal Reserve System, Office of Thrift
Supervision (OTS), Comptroller of the Currency (OCC),
or Federal Deposit Insurance Corporation (FDIC). The
act’s main goal is to protect individual private
information.
View Article
Various Networking Components
There are different flavors, characteristics, and standards
underneath the Ethernet umbrella. This article
describes these different components.
View Article
OMB Circular A-123
Before we dive into this one, let's figure out who the OMB is.
Basically this is the group that oversees all
executive branch funding, so when they come down
with a new requirement, government agencies have an
incentive to follow it so that the agencies can
receive funding for the next year.
View Article
Regulation Government Agencies
The Congress and President of the United States delegate
specific authority to federal government agencies.
Others are created at the state level. Federal
agencies have the authority to create regulations,
to enforce regulations, and to arbitrate disputes.
They typically have dedicated enforcement personnel
who operate regionally.
View Article
An Introduction to Firewalling with iptables and pf
In this article we assume the reader knows what a firewall
is and other basic concepts about firewalls, like
the distinction between stateless (static) and
stateful packet filtering. We introduce the reader
to a more technical level, showing how to use two
open source tools, iptables on Linux and pf on
OpenBSD, in a simple case of firewall configuration.
View Article
Passing the Audit
The Public Company Accounting Oversight Board's
standards and the secrets you must know before the
audit. Many IT managers and professionals strongly
believe that although Sarbanes-Oxley compliance
places a heavy and ongoing burden on IT operations,
it also leads to better IT governance and more
effective information security. Unfortunately, this
is not true.
View Article
SOX and Internal Controls
The audit function is, in essence, intended to "check up" on
how a company reports its information, to help
confirm that the company information is reliable.
The mechanisms used by a company to assure the
consistency of its business processes are its
“internal controls.” The “internal controls”
associated with financial reporting are of interest
to auditors, since they help to indicate how much
reliance can be placed on financial information.
View Article
PCI Standards
PCI is all about credit card system security. The credit
card system plays a critical role in the economy.
The system is built from the bricks of various
technologies, owned and operated by different
parties, mortared together with contracts to form an
impressive structure within which a broad range of
commerce can be conducted.
View Article
GLBA Compliance Challenges
Financial institutions and others subject to GLBA find three
aspects of compliance particularly challenging:
1) Assessing and managing risk from third-party vendors.
2) Performing internal risk assessments.
3) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
View Article
A Satire of the Security Divas of Today
I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.
View Article
What Do CISSPs Really Know?
I have been in the "CISSP world" for over 10 years now. I have taught it for 8 years around the world for corporate and government agencies. I have written books on it, developed products, webinars, study materials, etc. Over the years I have noticed that the students who are attempting to achieve their CISSP certification have changed in their approach. Five years ago people studied material on their own for months before attending a CISSP bootcamp course. This is necessary because no one can really learn the extensive material that the CISSP exam covers in just 5 days. Over the last few years, I have seen a real switch in the approach to achieving this credential.
View Article
Handbook of Malicious Code
Malicious code, or simply malware, is a new term introduced by
industry which covers the whole range of malicious
and non-malicious code (software) such as viruses,
Trojan horses, worms, spyware, adware, Internet
cookies, homepage-reset programs, dialers and
combinations of these, known as blended attacks.
Although each of these has its own definition and
functions, we have witnessed malware
writers combining them to create
more deadly and difficult-to-trace viruses.
View Article
How SSL Works
As you know, virtually all businesses, most government agencies and many individuals now have Web sites, and the number of individuals and companies with Internet access is expanding rapidly. Consequently, businesses are enthusiastic about setting up facilities on the Web for electronic commerce, but the reality is that the Internet and the Web are extremely vulnerable to attacks of various sorts, so the demand for secure Web services grows.
View Article
The CISSP Exam Is Out of Date, Irrelevant, and Subjective
Busting Through the Myths of the CISSP Exam
For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career - thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.
View Article
Multi-Protocol Label Switching (MPLS)
In recent years, multi-protocol label switching (MPLS) has been gaining prominence and many companies are migrating towards it. This is largely because MPLS is a convergence tool that integrates voice, video and data across a single platform to provide quality of service (QoS), improved performance and reliability, and an array of VPN and LAN interconnect services.
View Article
TCP Session Hijacking: the Mitnick Attack
Kevin David Mitnick, also called "Condor", was born in 1963 and became one of the most famous "crackers". He was repeatedly convicted of minor computer-related crimes; then his intrusions into big companies ended up leading him to prison, where he spent five years (from 1995 to 2000), after a "challenge" against the FBI and the security expert Tsutomu Shimomura. Now he runs a computer security consulting company. We do not deal with all aspects of Mitnick's contribution to hacking and cracking (among other things, he made "social engineering", stealing information directly from people, popular), but focus on an attack he carried out against the California University in Santa Barbara, an attack that can be taken as an example showing various interesting aspects, as it is a complex attack, not made of a single activity.
View Article
Gramm Leach Bliley Act (GLBA)
In this chapter, we will provide an overview of the Gramm Leach Bliley Act, explore the follow-on regulations issued by the various regulators tasked with implementing the Act, and look at several areas of compliance with GLBA that prove particularly challenging to financial organizations. We will also explore some technologies that can help financial institutions to more easily comply with the provisions of GLBA.
View Article
Payment Card Industry (PCI) Data Security Standard
Various credit card companies have had their own security requirements for years that their merchant customers had to abide by to be able to continue to accept and process credit card payments. For example, MasterCard has its Site Data Protection (SDP) program, American Express has its Data Security Operating Policy (DSOP), Discover has its Information Security and Compliance (DISC), and Visa has its Account Information Security (AIS) and Cardholder Information Security Program (CISP).
View Article
Multiservice Access Technologies
Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators.
View Article
Sarbanes-Oxley Act of 2002 (SOX)
Sadly, SOX, like many other regulations, was created because some companies were not doing what they were supposed to when it came to disclosing information on the company's financial standing. Some CEOs and CFOs of the past figured out that if they made their company's stock prices go up, then they personally made more money through bonuses, selling their own stocks, and demanding higher salaries.
View Article
Network Scanning Techniques
If you want to get network information on the Internet, the first step is to gather the public information that is available by visiting specific sites or using certain commands. Typically, you can look for information regarding a certain organization by searching on the site of a third-party organization that offers such a service. This is, of course, absolutely legal.
View Article
An Introduction to Security in Software Development
Software is produced by human beings and so is, of course, not perfect but prone to bugs.
Some bugs don't necessarily cause malfunctioning but leave the system exposed to attacks, i.e. they are security bugs. According to a rough calculation relating to operating systems, there is about one security bug per 1000 lines of source code (assuming the programmer is competent in secure coding). Given that operating systems such as Windows or Linux have on the order of some 100 million lines of code, they can contain hundreds of thousands of potential security bugs.
View Article
Fundamentals of Asterisk
Open source software (OSS) has achieved a dominant role in the delivery of IP-based content such as web data (Apache) and email (sendmail), and is making serious headway in streaming media (icecast).
View Article
Firewall
A firewall is a combination of hardware and software that works in a networked environment to stop communications not authorized by the security policy. A firewall is a common layer of defense in computing – a barrier to keep malicious intrusions away from your own computers. It is still an important mechanism for protecting the infrastructure of a company.
View Article
Security Audit
Because of the ever-changing government regulations on security auditing and compliance requirements passed by the US Congress in each session, CIOs and system and network administrators must update their skills and knowledge regularly. ISO, the world standards benchmark, is also standardizing global business compliance regulation and quality assurance standards. US companies and their affiliates in the European Union are moving forward to adopt this and other quality standards, largely to build the computer audit trails that are essential to lessen litigation or legal prosecution.
View Article
3 Attack Vectors: Web Code
So now the infrastructure of your web-based application should be up to snuff. Completing that is the first step to securing your application. Your infrastructure is the foundation for your system and therefore it must be solid in order to have a strong and secure application that no one will be afraid to use because of security flaws.
3 Attack Vectors: DB, OS, Hardware
As discussed previously, as components that used to be internal move out to the “cloud”, anything that is not web code can be considered infrastructure. Infrastructure can still be further subdivided into hardware and software for those who need to address the risks and vulnerabilities of those subsystems separately.
View Article
3 Attack Vectors: Overview
Most articles will focus on one aspect of web security. Cross-site scripting, SQL injection, or web server vulnerabilities are the main focus of the author. A more holistic approach is to see how all the different facets come together and how each one holds up the other to secure a web application. The three vectors through which any application can be attacked are the infrastructure, the web code and the end points. This series will examine each vector in detail and give suggestions on how to protect each one. This first article in the series will take a general overview, and subsequent articles will go into more detail. As the attacks change daily, a number of web sites will be referenced for up-to-the-minute information.
View Article
VoIP
Voice over Internet Protocol (VoIP) technology converts analogue voice signals into digitized packets, which the recipients receive over data networks. VoIP is another example of how the Internet has changed the way we communicate and of the emergence of convergence, where voice, data, video, etc., pass through a single medium. It uses existing networks and Internet infrastructure to send information efficiently and at lower cost.
Steps to Better Secure Your Mac
While the Macintosh platform is now becoming the target of the same sort of organized crime that affects Windows users, these attacks are still very limited in scope and in impact. Nonetheless, Mac users cannot afford to be complacent.
Biometrics Defined
Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior; this is one of the most effective and accurate methods of verifying identity.
View Article
Malicious Software: Viruses
Malicious software, often abbreviated as “malware”, is software designed to infiltrate or damage a computer system without the owner's informed consent. It can therefore penetrate the system while evading controls.
GLBA Suggestions
GLBA only deals with customer data, not business-to-business data. GLBA can be overridden by other laws and regulations, because the OCC and other agencies cover requirements beyond customer data protection. The OCC is there to assess the integrity of the bank, not just to protect customer data.
Access Control Methods
The purpose of this article is to introduce, from a theoretical point of view, the main access control methods, in order to give a better understanding of the methods for reinforcing the security policy that are based on these concepts. We'll concentrate above all on Mandatory Access Control.
What the Botnets Are Netting and for Whom
The greatest threat to online and offline businesses today is not terrorists or even cyber-terrorists, but good old-fashioned organized crime groups using fancy new tools on the Internet to fleece the unsuspecting public, governments and global corporations. Computer crimes against businesses are increasing at an alarming rate, and the cost of computer crimes, just like other business costs, will always be passed on to the customer.
Introduction to Elliptic Curve Cryptography
The purpose of this article is to introduce the reader to Elliptic Curve Cryptography.
Most of the products and standards that use public-key cryptography for encryption and digital signatures use RSA, the Rivest-Shamir-Adleman algorithm, which is based on the difficulty of factoring the product of two large prime numbers; this ensures that calculating the private key from the public one is hard (computationally too expensive).
Introduction to Intrusion Detection Systems
An Intrusion Detection System (IDS) is an important means of protecting IT systems from external attacks. IDSs are passive monitoring systems: they detect attacks or potential attacks and can send alert messages, but they don't interfere with the monitored system and its events.
Base-Rate Fallacy Considerations
In this article Bayesian statistics is applied to Intrusion Detection Systems (IDSs), in particular to false positives and false negatives, that is, alarms without a real threat and threats that the IDS does not detect. What is the relation between false positives and false negatives? Which one is more important? Are they to be minimized in the same way, or one more than the other?
What Are the Dangers of Instant Messaging?
SELinux and AppArmor: An Introductory Comparison
In another article, “Hardening Linux Systems in the Application Layer: Why It's Important”, I explained the importance of hardening our Linux systems by reinforcing the security policy in the application layer too. As I said, SELinux is not the only available tool for this purpose.
How VoIP Really Works
Voice over Internet Protocol (VoIP) is a protocol (convention or standard) that governs the transmission of voice through the Internet or other packet-switched networks (networks in which small units of data called packets are routed through a network). In other words, VoIP uses a broadband Internet connection, like cable or DSL, for routing telephone calls.
A Family of EAP’s (or Is It a Flock of EAP’s?)
Historically, operating systems and many applications have utilized their own authentication mechanisms to validate a user and grant access to network resources. As the world becomes ever more integrated, the authentication processes on a network must not only satisfy the security concerns of identifying the validity of a user to the resource, and vice versa,
How Do Bots and Botnets Work?
Basically, a bot is simply a very sophisticated program that mimics human behavior. Yet bots are a definite risk for home computer security online.
Reinforcing the Security Policy of Linux Systems
In my professional life I see that Linux systems, in several cases Red Hat Enterprise/Advanced Linux distributions, are protected at the network level, with firewalls and other things, but system administrators often lack deep knowledge of application-level security,
Back to School: IT Training Services
"Training is always the last thing on the mind of the people with the purse strings, and it's usually the first thing to go when the budget gets cut," says Shon Harris.
View Article
Role Model
Identity management is a critical security challenge, but without viable standards for access control, your best efforts may be just a drop in the bucket.
View Article
Introduction to Security Governance
Security governance is very similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive – they just each have different focuses.
Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. There are many professional and official-sounding definitions of security governance, such as the following by the IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition:
View Article
Risk Management Guide
Companies have always had to deal with different types of risk, be it financial, legal, the success of a new product launch or a merger, or the threat of natural disasters. These risks are traditionally treated as silos. The CFO is responsible for understanding and making decisions pertaining to financial risk. The IT department is responsible for the risk of losing data processing capabilities. Legal counsel is responsible for understanding and managing the company's legal issues. And so on. But this fragmented approach to risk is becoming more dangerous as companies face risks that threaten the company's overall existence. These risks come in the form of noncompliance with government regulations, increasing information security threats, terrorist activities and natural disasters. It is more important now than ever for companies to develop and maintain a holistic risk management program that coordinates these silos, because they all have the same overall goal – to protect the company and its assets.
View Article
Understanding Standards for Risk Management and Compliance
Regulatory requirements are driving companies to look into risk management more than ever before. SOX, HIPAA and GLBA all require risk analysis and management. But organizations looking for a solution can quickly find themselves swimming in a sea of acronyms that includes NIST 800-30, AS/NZS 4360:2004, OCTAVE, COSO and CobiT.
View Article
Risks Associated with Outsourcing
Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, ...
View Article
Denying Denial-Of-Service
New solutions fight DoS/DDoS by automatically detecting and blocking potential attacks. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have been around for years, but with reports that 4,000 DoS attacks are launched each week, it's clear the problem isn't close to being resolved. In fact, in a recent poll of Information Security readers, 90 percent said they remained either "very concerned" or "somewhat concerned" about DoS or DDoS.
View Article
Security Strategies for E-Companies - The Science of Secrets
Cryptology continues to evolve as our need for keeping secrets increases. Cryptology, the science of secure communications, is as old as civilization and the written word. Throughout the ages, everyone from kings to shopkeepers has employed codes to gain a competitive edge, reduce vulnerability, hide their true intentions or revel in the comfort of knowing something that someone else doesn't.
View Article
802.11 Security Shortcomings
Wireless communication has been around for years, but only recently has it ascended to the status of a mainstream communication method. Portable devices (e.g., PDAs, cell phones, laptops) have proliferated, giving mobile users access to email accounts, Internet sites, online banking, and the stock exchange. This proliferation has led to WLAN vendors scurrying to develop proprietary wireless network solutions and application vendors hurrying to code new wireless programs.
View Article
Learning from SQL Slammer
Many people might have heard of the Slammer worm, but few people fully understand the root of the attack. Familiarizing yourself with Slammer's methods can help you evaluate the risk to your environment and prepare for future attacks by similar worms.
View Article
Greater WLAN Security with 802.11i
To improve the standard and close holes in current wireless implementations, the IEEE formed the 802.11i Task Group. To address each of the aforementioned flaws, this group has developed a new authentication framework that encompasses several components.
View Article
How 802.11i Addresses WEP's Core Deficiencies
Wired Equivalent Privacy (WEP) contains three core deficiencies. The first deficiency is the use of static encryption keys. The second deficiency is the ineffective use of initialization vectors (IVs). The third deficiency is the lack of packet integrity assurance.
View Article
Vulnerability Mismanagement
The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.
View Article
To Catch a Thief
Understanding the requirements of bringing the necessary forensics capability in-house and the most popular tools in use today.
View Article