Shon Harris Resources: Articles

Shon Harris and other team members would like to share with you the CISSP and information security articles and materials we have published for various periodicals.

We will continually be updating this page with more articles, so please check back often. If you would like to use any of our material, please e-mail us at info@logicalsecurity.com for permission first and please indicate that the material came from our web site.



STAR Registry Aids Users in Selecting Secure Cloud Offerings

The Security, Trust & Assurance Registry, or STAR, is a publicly accessible registry that lists the cyber security controls that assorted cloud computing organizations offer. Launched by CSA, the Cloud Security Alliance, STAR is a free service that enables IT and information security users, managers, and auditors to evaluate the comprehensiveness of the security controls of cloud providers.

View Article


 

Online Money Thieves Run Complex Businesses to Launder Funds, Market Products

Online thieves who steal bank account and other financial information often set up amazingly sophisticated businesses to ply their illicit trade. Such cyber enterprises include aspects common in successful legitimate businesses, such as segmented business lines, extensive marketing and advertising, bulk discounts, shipping, even money-back guarantees. Many of these "services" are readily available on online underground forums.

View Article


 

Unit Testing and Security by Ivan Makale

This article deals with unit testing, from a basic introductory level up to an explanation of advanced use in current software development, mentioning related tools and frameworks. Unit testing is discussed less often in relation to IT security than other kinds of testing such as penetration testing and fuzz testing, because the link between unit testing and security is less immediate, so developers and architects with a special interest in security can easily underestimate it.

View Article


 

Boy in the Browser Attacks

The "Boy in the Browser" (BitB) is a new kind of attack--a Trojan that seizes control of a victim's traffic to servers and redirects that traffic to an attacker's proxy servers, where they can do their dirty work.

View Article


 

Washington Seeks to Boost Cyber Schools, Workers with National Initiative for Cybersecurity Education

The draft National Initiative for Cybersecurity Education, or NICE, was unveiled on August 11, 2011, as a nationwide, federally sponsored effort to bolster cyber security education and the cyber security workforce.

View Article


 

Hot Jobs with Rising Wages in Cyber Security

Fiscal crisis may be embroiling Europe, and the U.S. economy may be on the edge of a double-dip recession. You wouldn't know it, though, from the stiff demand for an array of high-paying jobs in information security.

View Article


 

Secure Development Lifecycle

One of the fundamental axioms of software development is that you can never write code that is 100% secure and flawless; a confession that the software industry hesitantly acknowledges after almost six decades of software revisions, debugging and patching.

View Article


 

The Enigmatic Existence of X-Morphic Exploitation

The web browser is one of the most used and most exploited applications. Its frequent use has made it risky and vulnerable in the past few years, and this has led attackers to adopt it as their primary path to their malicious ends.

View Article


 

Fuzzing Frameworks

A plethora of fuzzers is available nowadays that target everyday network protocols and file formats. These fuzzers thoroughly iterate through their targeted protocols and files, and act as a valuable resource for stress testing as well.

View Article


 

Cold Boot Attack

In a recent publication, researchers at Princeton University described an attack, labeled a 'Cold Boot Attack', against DRAM system memory. The attack completely transforms the traditional concept of DRAM volatility and shows that the contents of supposedly 'volatile' RAM can be accessed even after the power has been turned off.

View Article


 

Trusted Platform Module (TPM)

The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers and is dedicated to carrying out security functions that involve the storage and processing of symmetric and asymmetric keys, hashes and digital certificates. The TPM was devised by the Trusted Computing Group (TCG), an organization that promotes open standards to help strengthen computing platforms against security loopholes and attacks.

View Article


 

Administration Pushing for Trusted Identity Solutions

The White House and Commerce Department on April 15 rolled out a National Strategy for Trusted Identities in Cyberspace, or NSTIC. NSTIC will be a broad government and private-sector effort to encourage the creation and use of secure online credentials that users could employ across multiple applications. The aim is to replace the prevailing systems of multiple, hard-to-remember user names and passwords, and weak security queries such as "your mother's maiden name," with fewer, easier-to-use, and more secure credentials.

View Article


 

Adobe Flash Struck by Zero-day Exploit

According to a recently published Adobe security advisory (CVE-2010-1297, the Adobe Reader and Acrobat "authplay.dll" code execution vulnerability), a critical 0-day flaw has been reported in Adobe Flash Player that can crash or compromise the affected system. The vulnerability reportedly affects Flash Player for Windows, Mac OS X, Linux, Solaris, and Android. The Authplay.dll component of Adobe Acrobat and Adobe Reader X is also reported to be affected by this exploit. Authplay is the interpreter that renders Flash content embedded within PDF files.

View Article


 

A Guide to Bypassing Browser Memory Protection

The purpose of a memory protection mechanism is to prevent exploitation of vulnerabilities on particular platforms. Although protection mechanisms such as GS, SafeSEH, DEP and ASLR at a glance look like undefeatable complications for exploit developers, they suffer from certain limitations under which they become ineffective at preventing memory exploitation. A better understanding of these limitations requires a step-by-step description of each individual protection mechanism.

View Article


 

Master Boot Record (MBR) Rootkit - Mebroot

Antivirus vendors and security firms have raised the alarm over a devious new rootkit, 'Mebroot'. Mebroot aims head-on at the Windows Master Boot Record (MBR) and takes control of the entire system by tampering with the original MBR code and replacing it with Mebroot's own code, while making itself undetectable and irremovable.

View Article


 

Exploring Microsoft DLL Load Hijacking

A dynamic link library takes the idea of a statically linked library one step further. A static library is a set of functions assembled together so that they can be used by different programs, which means a programmer only needs to write the code for a specific task once. In this scenario, a program is assembled from object files containing functions or from data used in the program.

View Article


 

Windows Access Tokens

Windows Access Tokens are kernel objects that contain security information regarding the privileges associated with a user account; they identify the user, the user's groups and the user's privileges. The access token describes the security context of every process and thread. Malicious attackers use access tokens to perform post-exploitation tasks.

View Article


 

Windows Memory Protection Mechanisms

Microsoft Windows, being the most widely used OS of all, has persistently been the target of exploitation attacks over the past several years. A number of protection mechanisms have gradually been implemented by security architects at Microsoft. These measures aim to protect vulnerable code from exploitation attempts by limiting memory manipulation opportunities.

View Article


 

Under the Microscope: Advance SQL Injections in MySQL

SQL injection attacks involve the insertion of SQL commands through input data sent from the client to the application. The attack can affect any application that interacts with a database management system using SQL. A SQL injection attack can result in reading sensitive data from the database, modifying database data (using insert, update or delete statements), sending commands to the operating system, performing administrative-level operations on the database, etc.

View Article


 

Anatomy of XSS Attacks

XSS, also known as Cross Site Scripting, is a client-side attack carried out by surreptitiously injecting a malicious link into a target site vulnerable to XSS. XSS attacks are carried out against dynamic web pages that accept user input and have not implemented sufficient input filtering mechanisms. The script code in this kind of attack can be written in any language supported by the victim's browser. This covert script is executed on the client side when an unsuspecting user selects the link.

View Article


 

Examining the Security State of ERPs: A Look at Security Vulnerabilities in SAP

In the course of securing intricate business information, the most complicated task is to keep business applications secure and sanitized from threats ranging from computer viruses to denial-of-service attacks. With the increasing value of information, enterprise information management calls for the implementation of a business solution that is capable of providing a secure and consistent data stream throughout the system and within the organization itself. That's where the need for SAP (Systems, Applications and Products) comes in.

View Article


 

Chronicling the Evolution of Malware Detection Mechanisms

The best practice for protecting a system is to prevent malware and viruses from getting into the system in the first place, and to make this possible the malware detection mechanism must be very strong.

View Article


 

Stellar Security: Hardening Linux

Linux is a free and open source operating system which, depending on the distribution, might contain anything from a basic set of computing utilities to advanced virtualization packages. Linux is generally perceived to be far superior in terms of security to its Windows counterpart. However, like any other operating system, Linux is also susceptible to security breaches, inadvertent exposure and system compromise.

View Article


 

Securing Your Systems NSA Style – With SELinux

In late December 2000, the US National Security Agency (NSA) introduced an extension to the standard Linux kernel called Security Enhanced Linux (SELinux), designed exclusively to implement strict access controls on the Linux operating system. This strict implementation of access controls results in processes being assigned the minimum level of privileges and in granular kernel control.

View Article


 

Introductory J2EE Security: Encrypting Configuration Properties by Ivan Makale

In a previous article, "Introductory J2EE Security: Role-Based Access Control Applied to Enterprise Java Beans", we introduced a sample J2EE project which you could use to test some security-related features. In this second article we extend the same project by adding something else to it. We retrieve information from files that are accessible through an FTP server, and we configure the FTP connection using a properties file. At this point a security concern is evident, as we write connection-related data in clear text inside the configuration file. A method for encrypting properties, using a specific library, is then provided.

View Article


 

Introductory J2EE Security: Role-Based Access Control Applied to Enterprise Java Beans by Ivan Makale

In this article, we introduce a sample J2EE project, with code and detailed instructions included, which you could use to test some security-related features, mainly role-based access control obtained by means of Enterprise Java Beans running inside an application server, Glassfish in our case, that had to be properly configured.

View Article


 

Data security: Why the usual solutions fall short

With the current buzz around the WikiLeaks disclosures, the U.S. public seems amazed by the type and amount of sensitive information that is available to people who should not have access to it. Security professionals are not.

View Article


 

Smart Grid Security Overview

A "smart grid" refers to the traditional electric power grid updated with modern information technology equipment and know-how. It comprises digitized devices and the industrial facilities in the energy sector that such devices help operate: electrical plants, electrical substations, utility towers, relays and transformers, nuclear power plants, and oil refineries.

View Article


 

Shortages in Federal Government’s Cyber Security Work Force

Two new reports--from the Center for Strategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service (PPS)--highlight serious shortfalls among the federal government’s cyber security work force. Against a background of growing threats to the IT infrastructure of the U.S. military, civilian federal agencies, and major private-sector firms, the reports find common ground on short- and longer-term recommendations for grappling with this pressing concern.

View Article


 

Data Loss Prevention: Best Practices for Protecting Your Most Valuable Asset

For years IT organizations have focused on securing the computer network. Technologies such as firewalls and network access control (NAC) are designed to keep malware and unauthorized traffic from coming in. That makes sense from an operational integrity standpoint. Viruses, worms, spam, phishing attacks, etc. can bring a network to a standstill. But, while the focus has been on keeping bad traffic out, data packets have moved freely – for the most part – through and beyond the private network. After all, that’s what the network is for. It plays a supporting role to the star of the show: your data. Without data, there’s little need for a network. But therein lies the rub!

View Article


 

Zeus Toolkit Gangs Staging Mass Attacks on Banking Applications

Since 2007, illicit organizations have employed Zeus to launch damaging, highly publicized attacks targeting the login credentials and other personal data associated with millions of computers, thousands of organizations, and uncounted numbers of users and their accounts. Relatively small groups of sophisticated criminal bands based in various nations--particularly in Eastern European countries such as Russia and Ukraine--have stolen tens of millions of dollars. Computers in 196 countries have been subject to attack. The countries most affected include the U.S., U.K., Saudi Arabia, Egypt, and Turkey.

View Article


 

Advanced Persistent Threat

The Advanced Persistent Threat (APT) is very focused and motivated to aggressively and successfully penetrate a network with a variety of attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. Read more to understand this threat our industry faces today.

View Article


 

Smartphone Security

Smartphones are infiltrating businesses of all sizes. Decreasing price points and increasing functionality puts enterprise-class capabilities in the palm of every Tom, Dick and Harry who connects to the corporate network. No big deal, right? Blackberrys, iPhones and Androids – among many others – enable your users to work more efficiently. But, like every other piece of technology, smartphones come with a price to your organization. That price is in the form of risk. Let’s look at some of the ways smartphones introduce risk to your environment, and then look at some of the best practices for managing that risk.

View Article


 

Making the Internet Safer: Online Resources for Parents and Children

Online predators trawl the Web seeking to involve youngsters in inappropriate and illegal sexual relationships. The Internet allows sexual deviants to more easily gain access to information about youths they may be targeting. Such information can include a youth's email address, web site, birth date and age, photos, family data, other friends, hobbies, and individual likes and dislikes. Based on such information, predators can begin to befriend impressionable youths, perhaps gaining their trust over a long period of time, perhaps through enticements such as the provision of free software games. At the same time, predators can maintain relative anonymity about themselves, or readily post false or misleading information. Once friendship is gained, predators may seek to physically meet their targets, sometimes by sending them money, tickets, or other means to travel to a rendezvous.

View Article


 

Interview with Shon Harris

Shon Harris discusses some of the upcoming threats companies face in information security today and what she and her company, Logical Security, are doing to help in these efforts.

View Article


 

Risk Management and Security Metrics

What do we have in the world of IT and security risk management today? A bit of a mess. Risk management has been a nebulous, pathless utopia that has stayed just out of our reach because we are randomly wandering around in pseudoscience and nonsensical numbering systems. Read this series of articles to find out what we should be doing today.

View Article


 

Risk Management Strategies

Shon explains what risk is, clarifies the difference between risk management and vulnerability management, and provides a 10,000-foot view of the risk management process. She explains how to use threat modeling to define an organization's acceptable level of risk, describes the contents of a risk management policy, provides a sample policy template, and describes the roles and responsibilities of an information risk management (IRM) team. Learn how to define the scope of the IRM team's responsibilities, the difference between qualitative and quantitative risk analysis, and the tools used to carry out risk analysis. There are step-by-step instructions for conducting a risk analysis, along with the four ways to deal with identified risk: transfer it, avoid it, reduce it or accept it.

View Article


 

Basic Footprinting

Footprinting an organization prior to launching an attack against its resources is essential for an attacker, as it enhances the probability of a successful attack. For example, if a burglar plans to break into a house, he will first gather as much information as possible to find out the ways that can be used to break into it. Similarly, when a malicious attacker plans to target an online resource, he first gathers all the possible information to create a complete profile of the target's security posture.

View Article


 

IT Security Auditors Roles

We have moved into a fascinating time where technology has been injected into almost every part of our lives. We are currently going through a metamorphosis that none of us can truly grasp, because we are right in the middle of it. It is very difficult for a society to know that it is going through great changes because it is hard to view something objectively when you are right in the middle of it.

View Article


 

E-mail Threats

E-mail spoofing is a technique used by malicious users to forge an e-mail to make it appear to be from a legitimate source. Usually, such e-mails appear to be from known and trusted e-mail addresses when they are actually generated from a malicious source. This technique is widely used by attackers these days for spamming and phishing purposes.

View Article


 

Basic Security Development Issues

Developers are not always aware of the ever-increasing security issues that can nefariously affect their code. This lack of awareness, combined with tight development timelines, generally results in applications that are prone to a wide assortment of attacks.

View Article


 

Programming Languages

From the era of punched card instructions to heuristic encoding, programming languages have rapidly evolved in their design, approach and dogma. Though the first three generations of programming languages can be classified on distinctly defined precincts, thereon, the classification becomes slightly obscure and somewhat arguable.

View Article


 

Web Security Concepts and Attacks

Cross-Site Scripting (XSS) is a kind of application security vulnerability which is usually found in web applications. XSS attacks enable an attacker to inject their malicious code (in client-side scripting languages, such as JavaScript) into vulnerable web pages.

View Article


 

Identity Management

Identity management is a broad and loaded term that encompasses the use of different products to identify, authenticate, and authorize users through automated means. To many people, the term also includes user account management, access control, password management, single sign-on functionality, managing rights and permissions for user accounts, and auditing and monitoring of all of these items. The reason that individuals, and companies, have different definitions and perspectives of identity management (IdM) is because it is so large and encompasses so many different technologies and processes.

View Article


 

XML Security

If you can remember when HyperText Markup Language (HTML) was all we had to make a static web page, you’re old. Being old in the technology world is different than in the regular world; HTML came out in the early 1990s. HTML came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML). We still use HTML, so it is certainly not dead and gone; the industry has just improved upon the markup languages available to use.

View Article


 

Cross Site Scripting Attacks

Cross Site Scripting (XSS) is a type of web application vulnerability which enables an attacker to inject her malicious code (usually JavaScript) into vulnerable web pages. When an unsuspecting user visits the infected page, the malicious code executes on the victim’s browser and may lead to stolen cookies, hijacked sessions, malware execution, bypassed access control or aid in exploiting browser vulnerabilities.

View Article


 

Broadband Wireless Communication

Mobile telephony refers to communication using a mobile wireless technology. It is usually classified into four generations, namely 1G, 2G, 3G and 4G. These generations record the dramatic evolution mobile telephony has undergone since its first introduction nearly 30 years ago.

View Article


 

Enterprise Methodologies

The Information Technology Infrastructure Library (ITIL) is a set of guidelines and techniques that are used to manage, improve, and organize the design, development and operations of IT infrastructure. The major focus of the ITIL is on the constant evaluation and improvement of delivered IT services.

View Article


 

Security Policies

Security policies provide the foundation for an organization's security infrastructure. A security policy is a document or set of documents that conveys management's intentions and decisions on how security will play a role within the organization.

View Article


 

British Standard 7799

The British Standard 7799 is an internationally recognized set of recommendations for developing security policies and conducting auditing. The standard provides comprehensive guidance on many of the issues related to information security. Many organizations use British Standard 7799 as a baseline to start from when developing their policies and indeed their information security programs.

View Article


 

Who’s Who

Acronyms for companies and organizations are often used in literature without an explanation of who these organizations are and what their function in the world is. This section covers many of the organizations that have been discussed in the All-In-One CISSP Exam Guide.

View Article


 

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act was signed into United States law by former President Bill Clinton on November 12, 1999. The act applies to all national banks and federal branches of foreign banks that are subject to the supervision of the Federal Reserve System, Office of Thrift Supervision (OTS), Comptroller of the Currency (OCC), or Federal Deposit Insurance Corporation (FDIC). The act's main goal is to protect individual private information.

View Article


 

Various Networking Components

There are different flavors, characteristics, and standards underneath the Ethernet umbrella. This article describes these different components.

View Article


 

OMB Circular A-123

Before we dive into this one, let’s figure out who the OMB is. Basically this is the group that oversees all executive branch funding, so when they come down with a new requirement, government agencies have an incentive to follow it so that the agencies can receive funding for the next year.

View Article


 

Regulation Government Agencies

The Congress and President of the United States delegate specific authority to federal government agencies. Others are created at the state level. Federal agencies have the authority to create regulations, to enforce regulations, and to arbitrate disputes. They typically have dedicated enforcement personnel who operate regionally.

View Article


 

An Introduction to Firewalling with iptables and pf

In this article we assume the reader knows what a firewall is and other basic concepts about firewalls, like the distinction between stateless (static) and stateful packet filtering. We introduce the reader to a more technical level, showing how to use two open source tools, iptables on Linux and pf on OpenBSD, in a simple case of firewall configuration.

View Article


 

Passing the Audit

The Public Company Accounting Oversight Board’s standards and the secrets you must know before the audit. Many IT managers and professionals strongly believe that although Sarbanes-Oxley compliance places a heavy and ongoing burden on IT operations, it also leads to better IT governance and more effective information security. Unfortunately, this is not true.

View Article


 

SOX and Internal Controls

The audit function is, in essence, intended to “check up” on how a company reports its information, to help confirm that the company information is reliable. The mechanisms used by a company to assure the consistency of its business processes are its “internal controls.” The “internal controls” associated with financial reporting are of interest to auditors, since they help to indicate how much reliance can be placed on financial information.

View Article


 

PCI Standards

PCI is all about credit card system security. The credit card system plays a critical role in the economy. The system is built from the bricks of various technologies, owned and operated by different parties, mortared together with contracts to form an impressive structure within which a broad range of commerce can be conducted.

View Article


 

GLBA Compliance Challenges

Financial institutions and others subject to GLBA find three aspects of compliance particularly challenging:
1) Assessing and managing risk from third-party vendors.
2) Performing internal risk assessments.
3) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.

View Article


 

A Satire of the Security Divas of Today

I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.

View Article


 

What Do CISSPs Really Know?

I have been in the "CISSP world" for over 10 years now. I have taught it for 8 years around the world for corporate and government agencies. I have written books on it, developed products, webinars, study materials, etc. Over the years I have noticed that the students who are attempting to achieve their CISSP certification have changed in their approach. Five years ago people studied material on their own for months before attending a CISSP bootcamp course. This is necessary because no one can really learn the extensive material that the CISSP exam covers in just 5 days. Over the last few years, I have seen a real switch in the approach of achieving this credential.

View Article



 

Handbook of Malicious Code

Malicious code, or simply malware, is a new term introduced by the industry that covers a whole range of malicious and non-malicious code (software) such as viruses, Trojan horses, worms, spyware, adware, Internet cookies, homepage-reset programs, dialers and combinations of these, known as blended attacks. Although each of these has its own definition and function, we have witnessed malware writers combining them to create more destructive and harder-to-trace viruses.

View Article



 

How SSL Works

As you know, virtually all businesses, most government agencies and many individuals now have Web sites, and the number of individuals and companies with Internet access is expanding rapidly. Consequently, businesses are enthusiastic about setting up facilities on the Web for electronic commerce, but the reality is that the Internet and the Web are extremely vulnerable to attacks of various sorts, so the demand for secure Web services grows.

View Article


 

The CISSP Exam Is Out of Date, Irrelevant, and Subjective

Busting Through the Myths of the CISSP Exam

For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career - thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

View Article


 

Multi-Protocol Label Switching (MPLS)

In recent years, multi-protocol label switching (MPLS) has been gaining prominence and many companies are migrating to it. This is largely because MPLS is a convergence tool that integrates voice, video and data across a single platform to provide quality of service (QoS), improved performance and reliability, and an array of VPN and LAN interconnect services.

View Article


 

TCP Session Hijacking: the Mitnick Attack

Kevin David Mitnick, also called "Condor", was born in 1963 and became one of the most famous "crackers". He was repeatedly convicted of minor computer-related crimes; then his intrusions into big companies ended up landing him in prison, where he spent five years (from 1995 to 2000), after a "challenge" against the FBI and the security expert Tsutomu Shimomura. Now he runs a computer security consulting company. We don't deal with all aspects of Mitnick's contribution to hacking and cracking (among other things, he popularized "social engineering", stealing information directly from people), but focus on an attack he carried out against the California University in Santa Barbara, which can be taken as an example showing various interesting aspects, as it is a complex attack not made up of a single activity.

View Article


 

Gramm Leach Bliley Act (GLBA)

In this chapter, we will provide an overview of the Gramm Leach Bliley Act, explore the follow-on regulations issued by the various regulators tasked with implementing the Act, and look at several areas of compliance with GLBA that prove particularly challenging to financial organizations. We will also explore some technologies that can help financial institutions to more easily comply with the provisions of GLBA.

View Article


 

Payment Card Industry (PCI) Data Security Standard

Various credit card companies have had their own security requirements for years that their merchant customers had to abide by to be able to continue to accept and process credit card payments. For example, MasterCard has its Site Data Protection (SDP) program, American Express has its Data Security Operating Policy (DSOP), Discover has its Information Security and Compliance (DISC), and Visa has its Account Information Security (AIS) and Cardholder Information Security Program (CISP).

View Article


 

Multiservice Access Technologies

Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators.

View Article


 

Sarbanes-Oxley Act of 2002 (SOX)

Sadly, SOX, like many other regulations, was created because some companies were not doing what they were supposed to do when it came to disclosing information on the company's financial standing. Some CEOs and CFOs of the past figured out that if they made their company's stock price go up, then they personally made more money through bonuses, selling their own stock, and demanding higher salaries.

View Article



Network Scanning Techniques

If you want to get information about a network on the Internet, the first step is to gather the public information that is available by visiting specific sites or by running certain commands. Typically, you look for information about a given organization by searching the site of a third-party organization that offers such a service. This is, of course, absolutely legal.

View Article



An Introduction to Security in Software Development

Software is produced by human beings and so, of course, is not perfect but prone to bugs. Some bugs do not necessarily cause malfunctions but expose the system to attacks: these are security bugs. According to a rough calculation for operating systems, there is about one security bug per 1000 lines of source code (assuming the programmer is competent in secure coding). Given that operating systems such as Windows or Linux have a number of lines of code on the order of 100 million, they can contain hundreds of thousands of potential security bugs.

View Article



Fundamentals of Asterisk

Open source software (OSS) has achieved a dominant role in the delivery of IP-based content such as web data (Apache) and email (sendmail), and is making serious headway in streaming media (icecast).

View Article



Firewall

A firewall is a combination of hardware and software that works in a networked environment to stop communications that the security policy does not authorize. A firewall is a common layer of defense in computing, a barrier that keeps malicious intrusions away from your own computers. It is still an important mechanism for protecting a company's infrastructure.

View Article



Security Audit

Because government regulations on security auditing and compliance change with every session of the US Congress, CIOs and system and network administrators must update their skills and knowledge regularly. ISO, the world standards benchmark, is also standardizing global business compliance regulation and quality assurance standards. US companies and their affiliates in the European Union are moving to adopt these and other quality standards, largely because computer audit trails are essential to reduce litigation or legal prosecution.

View Article



3 Attack Vectors: Web Code

So by now the infrastructure of your web-based application should be up to snuff. Completing that is the first step to securing your application. Your infrastructure is the foundation of your system and therefore must be solid in order to have a strong and secure application that no one will fear using because of security flaws.

View Article



3 Attack Vectors: DB, OS, Hardware

As discussed previously, with the moving of what used to be internal components out to the “cloud” anything that is not web code can be considered infrastructure. Infrastructure can still be further subdivided into hardware and software if this is needed for those who need to address the risks and vulnerabilities of those subsystems separately.

View Article



3 Attack Vectors: Overview

Most articles focus on one aspect of web security: cross-site scripting, SQL injection, or web server vulnerabilities are the author's main focus. A more holistic approach is to see how all the different facets come together and how each one supports the others to secure a web application. The three vectors through which any application can be attacked are the infrastructure, the web code and the end points. This series examines each vector in detail and gives suggestions on how to protect each one. This first article in the series takes a general overview, and subsequent articles go into more detail. As the attacks change daily, a number of web sites will be referenced for up-to-the-minute information.

View Article



VoIP

Voice over Internet Protocol (VoIP) technology converts analogue voice signals into digitized packets, which the recipients receive over data networks. VoIP is another example of how the Internet has changed the way we communicate, and of the emergence of convergence, where voice, data, video, etc. pass through a single medium. It uses existing networks and Internet infrastructure to send information efficiently and at lower cost.

View Article




Steps to Better Secure Your Mac

While the Macintosh platform is now becoming the target of the same sort of organized crime that affects Windows users, these attacks are still very limited in scope and in impact. Nonetheless, Mac users cannot afford to be complacent.

View Article




Biometrics Defined

Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification.

View Article



Malicious Software: Viruses

Malicious software, often abbreviated to "malware", is software designed to infiltrate or damage a computer system without the owner's informed consent. It therefore penetrates the system while evading its controls.

View Article




GLBA Suggestions

GLBA only deals with customer data, not business-to-business data. GLBA can be overridden by other laws and regulations, because the OCC and other agencies cover other types of requirements beyond customer data protection. The OCC is there to assess the integrity of the bank, not just the protection of customer data.


View Article




Access Control Methods

The purpose of this article is to introduce, from a theoretical point of view, the main access control methods, in order to give a better understanding of the methods, based on these concepts, that reinforce the security policy. We concentrate above all on Mandatory Access Control.
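As an added illustration of the Mandatory Access Control model the article concentrates on (this is example code, not the article's own), the following implements the lattice of security labels and the two Bell-LaPadula confidentiality rules: a subject may read an object only if the subject's label dominates the object's (no read up), and may write to an object only if the object's label dominates the subject's (no write down). The level names, category names and the sample subject are constructed for the example; the point to notice is that, unlike discretionary access control, neither the object's owner nor the subject can relax the decision.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hierarchical levels (constructed for the example; any total order works).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label = hierarchical level + set of non-hierarchical categories
    (compartments). Labels form a lattice under the dominance relation."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label an object derived from both must carry."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.categories | other.categories)


def mac_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula decision:
    read  -> simple security property: subject dominates object (no read up)
    write -> *-property: object dominates subject (no write down)
    The decision depends only on the two labels, never on ownership or ACLs."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def evaluate(subject: Label, requests: List[Tuple[Label, str]]) -> List[Tuple[Label, str, bool]]:
    """Evaluate a batch of (object label, operation) requests for one subject."""
    return [(obj, op, mac_allows(subject, obj, op)) for obj, op in requests]


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))          # constructed subject
    for obj, op, ok in evaluate(analyst, [
        (Label("CONFIDENTIAL"), "read"),                          # read down: allowed
        (Label("TOP SECRET"), "read"),                            # read up: denied
        (Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"})), "read"),  # missing category: denied
        (Label("TOP SECRET", frozenset({"NUCLEAR"})), "write"),   # write up: allowed
        (Label("UNCLASSIFIED"), "write"),                         # write down: denied
    ]):
        print(f"{op:5} {obj.level:13} {sorted(obj.categories)} -> {'ALLOW' if ok else 'DENY'}")
```

The `join` method is what a reference monitor uses to label output: a process that has read a CONFIDENTIAL {CRYPTO} and a SECRET {NUCLEAR} object can only write to objects labelled at least SECRET {CRYPTO, NUCLEAR}.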

View Article




What the Botnets Are Netting and for Whom

The greatest threat to online and offline businesses today is not terrorists or even cyber-terrorists, but good old-fashioned organized crime groups using fancy new tools on the Internet to fleece the unsuspecting public, governments and global corporations. Computer crimes against businesses are increasing at an alarming rate, and the cost of computer crime, just like other business costs, will always be passed on to the customer.

View Article




Introduction to Elliptic Curve Cryptography

The purpose of this article is to introduce the reader to Elliptic Curve Cryptography. Most products and standards that use public-key cryptography for encryption and digital signatures use RSA, the Rivest-Shamir-Adleman algorithm, which is based on the difficulty of factoring the product of two large prime numbers; this ensures that calculating the private key from the public one is hard (computationally too expensive).

View Article




Introduction to Intrusion Detection Systems

An Intrusion Detection System (IDS) is an important means of protecting IT systems from external attacks. IDSs are monitoring systems and they are passive: they detect attacks or potential attacks and can send alert messages, but they do not interfere with the monitored system and its events.

View Article




Base-Rate Fallacy Considerations

In this article Bayesian statistics is applied to Intrusion Detection Systems (IDSs), in particular to false positives and false negatives, that is, alarms without a real threat and threats undetected by the IDS. What is the relation between false positives and false negatives? Which one is more important? Should both be minimized in the same way, or one more than the other?
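The questions above, and the passive-alerting role of an IDS described in the previous entry, come down to one computation: what fraction of alarms correspond to real intrusions once the base rate of intrusions is taken into account. The following added example (not the article's code) applies Bayes' theorem with constructed numbers: 1,000,000 audited events per day of which 100 are intrusions (base rate 10⁻⁴), a detector that catches 99% of them, and a range of false-alarm rates. It also inverts the formula to show what false-alarm rate a detector would need for half its alarms to be genuine.

```python
from typing import List, Tuple


def p_intrusion_given_alarm(base_rate: float, detection_rate: float,
                            false_alarm_rate: float) -> float:
    """Bayes: P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I)).
    base_rate        = P(I), fraction of audited events that are intrusions
    detection_rate   = P(A|I), i.e. 1 - false-negative rate
    false_alarm_rate = P(A|not I), the false-positive rate"""
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate: float, detection_rate: float,
                              target_precision: float) -> float:
    """Solve P(I|A) = target for P(A|not I): the false-alarm rate the IDS would need."""
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def expected_daily_alarms(events_per_day: float, base_rate: float,
                          detection_rate: float, false_alarm_rate: float) -> Tuple[float, float]:
    """(true alarms, false alarms) an analyst would have to look at per day."""
    intrusions = events_per_day * base_rate
    benign = events_per_day - intrusions
    return intrusions * detection_rate, benign * false_alarm_rate


def precision_sweep(base_rate: float, detection_rate: float,
                    false_alarm_rates: List[float]) -> List[Tuple[float, float]]:
    """How P(I|A) changes as the false-alarm rate is driven down."""
    return [(fa, p_intrusion_given_alarm(base_rate, detection_rate, fa))
            for fa in false_alarm_rates]


if __name__ == "__main__":
    BASE, DETECT, EVENTS = 1e-4, 0.99, 1_000_000          # constructed figures
    for fa, prec in precision_sweep(BASE, DETECT, [1e-2, 1e-3, 1e-4, 1e-5]):
        tp, fp = expected_daily_alarms(EVENTS, BASE, DETECT, fa)
        print(f"false-alarm rate {fa:.0e}: P(intrusion|alarm) = {prec:6.1%}, "
              f"{tp:5.0f} true vs {fp:7.0f} false alarms per day")
    print("false-alarm rate needed for 50% precision:",
          f"{required_false_alarm_rate(BASE, DETECT, 0.5):.2e}")
```

With a 1% false-alarm rate the 99% detector still produces roughly 100 false alarms for every real one; cutting the false-negative rate barely moves that figure, while cutting the false-alarm rate by three orders of magnitude dominates. That asymmetry is the answer to "which one is more important" whenever intrusions are rare.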

View Article




What Are the Dangers of Instant Messaging?


View Article




SELinux and AppArmor: An Introductory Comparison

In another article, “Hardening Linux Systems in the Application Layer: Why It's Important”, I explained the importance of hardening our Linux systems by reinforcing the security policy in the application layer too. As I said, SELinux is not the only available tool for this purpose.

View Article




How VoIP Really Works

Voice over Internet Protocol (VoIP) is a protocol (convention or standard) that governs the transmission of voice over the Internet or other packet-switched networks (networks in which small units of data called packets are routed through the network). In other words, VoIP uses a broadband Internet connection, like cable or DSL, for routing telephone calls.

View Article




A Family of EAP’s (or Is It a Flock of EAP’s?)

Historically, operating systems and many applications have utilized their own authentication mechanisms to validate a user and grant access to network resources. As the world becomes ever more integrated, the authentication processes on a network must not only satisfy the security concerns of identifying the validity of a user to the resource, and vice versa,

View Article




How Do Bots and Botnets Work?

Basically, a bot is simply a sophisticated program that mimics human behavior. Yet bots are a definite risk to the security of home computers online.

View Article




Reinforcing the Security Policy of Linux Systems

In my professional life I see that Linux systems, in several cases Red Hat Enterprise/Advanced Linux distributions, are protected at the network level, with firewalls and other things, but system administrators often do not have a deep knowledge of application-level security,

View Article



Back to School: IT Training Services

"Training is always the last thing on the mind of the people with the purse strings, and it's usually the first thing to go when the budget gets cut," says Shon Harris.

View Article



Role Model

Identity management is a critical security challenge, but without viable standards for access control, your best efforts may be just a drop in the bucket.

View Article



Introduction to Security Governance

Security governance is very similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive – they just each have different focuses.

Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. There are many professional and official sounding definitions of security governance such as the following by the IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition:

View Article



Risk Management Guide

Companies have always had to deal with different types of risk, be it financial, legal, the success of a new product launch or a merger, or the threat of natural disasters. These risks are traditionally treated as silos. The CFO is responsible for understanding and making decisions pertaining to financial risk. The IT department is responsible for the risk of losing data processing capabilities. Legal counsel is responsible for understanding and managing the company's legal issues. And so on. But this fragmented approach to risk is becoming more dangerous as companies face risks that threaten the company's overall existence. These risks come in the form of noncompliance with government regulations, increasing information security threats, terrorist activities and natural disasters. It is more important now than ever for companies to develop and maintain a holistic risk management program that coordinates these silos, because they all have the same overall goal: to protect the company and its assets.

View Article



Understanding Standards for Risk Management and Compliance

Regulatory requirements are driving companies to look into risk management more than ever before. SOX, HIPAA and GLBA all require risk analysis and management. But organizations looking for a solution can quickly find themselves swimming in a sea of acronyms that includes NIST 800-30, AS/NZS 4360:2004, OCTAVE, COSO and CobiT.

View Article



Risks Associated with Outsourcing

Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, ...

View Article



Denying Denial-Of-Service

New solutions fight DoS/DDoS by automatically detecting and blocking potential attacks. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have been around for years, but with reports that 4,000 DoS attacks are launched each week, it's clear the problem isn't close to being resolved. In fact, in a recent poll of Information Security readers, 90 percent said they remained either "very concerned" or "somewhat concerned" about DoS or DDoS.

View Article



Security Strategies for E-Companies - The Science of Secrets

Cryptology continues to evolve as our need for keeping secrets increases. Cryptology, the science of secure communications, is as old as civilization and the written word. Throughout the ages, everyone from kings to shopkeepers has employed codes to gain a competitive edge, reduce vulnerability, hide their true intentions or revel in the comfort of knowing something that someone else doesn't.

View Article

802.11 Security Shortcomings

Wireless communication has been around for years, but only recently has it ascended to the status of a mainstream communication method. Portable devices (e.g., PDAs, cell phones, laptops) have proliferated, giving mobile users access to email accounts, Internet sites, online banking, and the stock exchange. This proliferation has led to WLAN vendors scurrying to develop proprietary wireless network solutions and application vendors hurrying to code new wireless programs.

View Article

Learning from SQL Slammer

Many people might have heard of the Slammer worm, but few people fully understand the root of the attack. Familiarizing yourself with Slammer's methods can help you evaluate the risk to your environment and prepare for future attacks by similar worms.

View Article

Greater WLAN Security with 802.11i

To improve the standard and close holes in current wireless implementations, the IEEE formed the 802.11i Task Group. To address each of the aforementioned flaws, this group has developed a new authentication framework that encompasses several components.

View Article

How 802.11i Addresses WEP's Core Deficiencies

Wired Equivalent Privacy (WEP) contains three core deficiencies. The first deficiency is the use of static encryption keys. The second deficiency is the ineffective use of initialization vectors (IVs). The third deficiency is the lack of packet integrity assurance.
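Two of the three deficiencies above can be demonstrated in a few dozen lines, so the following is an added example (not the article's code) of a minimal WEP frame format: RC4 keyed with IV || shared key, and a CRC-32 integrity check value (ICV) appended to the plaintext. The functions `flip_without_key` and `keystream_reuse` are the attacker's side. The first exploits the lack of real integrity protection: CRC-32 is affine under XOR, so crc(m ⊕ d) = crc(m) ⊕ crc(d) ⊕ crc(0…0), and an attacker who knows only a fragment of the plaintext can XOR a chosen change into the ciphertext and patch the encrypted ICV so it still verifies. The second exploits IV reuse under a static key: two frames with the same IV share a keystream, and XORing them cancels it. The 40-bit key, the IV and the payment-style messages are constructed for the example.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), as WEP uses it with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || RC4_{IV||key}(plaintext || CRC32(plaintext)); the CRC is the ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(frame: bytes, key: bytes):
    """Returns the plaintext, or None if the ICV check fails (the receiver's only check)."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def make_delta(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR mask that turns the known substring `old` at `offset` into `new`."""
    d = bytearray(length)
    d[offset:offset + len(old)] = xor_bytes(old, new)
    return bytes(d)


def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """Deficiency 3 (no real integrity): CRC32 is affine under XOR,
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), so the encrypted ICV can be
    patched with crc(d) ^ crc(zeros) without knowing the key or the whole plaintext."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor_bytes(ct, delta + icv_delta)


def keystream_reuse(frame1: bytes, frame2: bytes):
    """Deficiency 2 (IV reuse with a static key): same IV means the same RC4
    keystream, so ciphertext1 ^ ciphertext2 == plaintext1 ^ plaintext2."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:-4], frame2[3:-4])


if __name__ == "__main__":
    KEY, IV = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"          # constructed
    msg = b"PAY 0100 USD TO alice"
    frame = wep_encrypt(IV, KEY, msg)
    delta = make_delta(len(msg), msg.index(b"alice"), b"alice", b"bobby")
    print("forged decrypts to:", wep_decrypt(flip_without_key(frame, delta), KEY))
    other = wep_encrypt(IV, KEY, b"PAY 0250 USD TO carol")
    print("pt1 ^ pt2 from ciphertexts:", keystream_reuse(frame, other).hex())
```

The naive version of the first attack, flipping the bytes but leaving the ICV alone, fails the receiver's check; it is the CRC patch that makes the forgery pass, which is why 802.11i replaced CRC-32 with a keyed message integrity code.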

View Article


Vulnerability Mismanagement

The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.

View Article

To Catch a Thief

Understanding the requirements of bringing the necessary forensics capability in-house and the most popular tools in use today.

View Article



 

© Logical Security  