Shon Harris CISSP Resources: Articles

Shon Harris and other team members would like to share with you the CISSP and information security articles and materials we have published for various periodicals.

We will continually be updating this page with more articles, so please check back often. If you would like to use any of our material, please e-mail us at info@logicalsecurity.com for permission first and please indicate that the material came from our web site.



 

A Satire of the Security Divas of Today

I have been in this industry longer than most people I know and work with. At one time I could keep up with technology, which vendors sold what technology, methodologies, tools, and occasionally my socks that attempted to disappear in the black abyss of my clothes washer.

View Article


 

What Do CISSPs Really Know?

I have been in the "CISSP world" for over 10 years now. I have taught it for 8 years around the world for corporate and government agencies. I have written books on it, developed products, webinars, study materials, etc. Over the years I have noticed that the students who are attempting to achieve their CISSP certification have changed in their approach. Five years ago people studied material on their own for months before attending a CISSP bootcamp course. This is necessary because no one can really learn the extensive material that the CISSP exam covers in just 5 days. Over the last few years, I have seen a real switch in the approach of achieving this credential.

View Article



 

Handbook of Malicious Code

Malicious code, or simply malware, is a new term introduced by industry which covers a whole range of malicious and non-malicious code (software) such as viruses, trojan horses, worms, spyware, adware, Internet cookies, homepage-reset programs, dialers and combinations of these, known as blended attacks. Although each of these has its own definition and functions, we have witnessed that malware writers have used combinations of these to create more deadly and difficult-to-trace viruses.

View Article



 

How SSL Works

As you know, virtually all businesses, most government agencies and many individuals now have Web sites, and the number of individuals and companies with Internet access is expanding rapidly. Consequently, businesses are enthusiastic about setting up facilities on the Web for electronic commerce, but the reality is that the Internet and the Web are extremely vulnerable to attacks of various sorts, so the demand for secure Web services grows.

View Article


 

The CISSP Exam Is Out of Date, Irrelevant, and Subjective

Busting Through the Myths of the CISSP Exam

For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career - thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

View Article


 

Multi-Protocol Label Switching (MPLS)

In recent years, multi-protocol label switching (MPLS) has been gaining prominence and many companies are migrating towards it. This is largely because MPLS is a convergence tool that integrates voice, video and data across a single platform to provide quality of service (QoS), improved performance and reliability, and an array of VPN and LAN interconnect services.

View Article


 

TCP Session Hijacking: the Mitnick Attack

Kevin David Mitnick, also called "Condor", was born in 1963 and became one of the most famous "crackers". He was repeatedly convicted of minor computer-related crimes; his intrusions into big companies eventually led him to prison, where he spent five years (from 1995 to 2000), after a "challenge" against the FBI and the security expert Tsutomu Shimomura. Now he runs a computer security consulting company. We don't deal with all aspects of Mitnick's contribution to hacking and cracking (among other things, he popularized "social engineering", stealing information directly from people), but we focus on an attack he carried out against the California University in Santa Barbara, an attack that can be taken as an example, showing various interesting aspects, as it is a complex attack, not made of a single activity.

View Article


 

Gramm Leach Bliley Act (GLBA)

In this chapter, we will provide an overview of the Gramm Leach Bliley Act, explore the follow-on regulations issued by the various regulators tasked with implementing the Act, and look at several areas of compliance with GLBA that prove particularly challenging to financial organizations. We will also explore some technologies that can help financial institutions to more easily comply with the provisions of GLBA.

View Article


 

Payment Card Industry (PCI) Data Security Standard

Various credit card companies have had their own security requirements for years that their merchant customers had to abide by to be able to continue to accept and process credit card payments. For example, MasterCard has its Site Data Protection (SDP) program, American Express has its Data Security Operating Policy (DSOP), Discover has its Information Security and Compliance (DISC), and Visa has its Account Information Security (AIS) and Cardholder Information Security Program (CISP).

View Article


 

Multiservice Access Technologies

Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators.

View Article


 

Sarbanes-Oxley Act of 2002 (SOX)

Sadly, SOX like many other regulations was created because some companies were not doing what they were supposed to when it came to disclosing information on the company's financial standing. Some CEOs and CFOs of the past figured out that if they made their company's stock prices go up, then they personally made more money through bonuses, selling their own stocks, and demanding higher salaries.

View Article



Network Scanning Techniques

If you want to get network information on the Internet, the first step is to gather the public information that is available by visiting specific sites or by using certain commands. Typically, you can look for information regarding a certain organization by searching on the site of a third-party organization offering such a service. This is, of course, absolutely legal.

View Article



An Introduction to Security in Software Development

Software is produced by human beings and so, of course, is not perfect but prone to bugs. Some bugs don't necessarily cause malfunctioning but leave the system exposed to attacks, i.e. they are security bugs. According to a rough calculation relating to operating systems, there is about one security bug per 1000 lines of source code (assuming the programmer is competent in secure coding). Given that operating systems such as Windows or Linux have a number of lines of code in the order of some 100 million, they can contain hundreds of thousands of potential security bugs.

View Article



Fundamentals of Asterisk

Open source software (OSS) has achieved a dominant role in the delivery of IP-based content such as web data (Apache) and email (sendmail), and is making serious headway in streaming media (icecast).

View Article



Firewall

A firewall is a combination of hardware and software that works in a networked environment to stop communications not authorized by the security policy. A firewall is a common layer of defense in computing – a barrier to keep malicious intrusions away from your own computers. It is still a key mechanism for protecting the infrastructure of a company.

View Article



Security Audit

Due to ever-changing government regulations on security-based auditing and compliance requirements being passed by the US Congress at each session, it has become necessary for CIOs and system and network administrators to update their skills and knowledge regularly. ISO, the world standards benchmark, is also standardizing global business compliance regulation and quality assurance standards. US companies and their affiliates in the European Union are moving forward to adopt these and other quality standards, largely to make computer audit trails an essential tool for lessening litigation or legal prosecution.

View Article



3 Attack Vectors: Web Code

So now the infrastructure of your web-based application should be up to snuff. Completing that is the first step to securing your application. Your infrastructure is the foundation for your system and therefore it must be solid in order to have a strong and secure application that no one will be afraid to use because of security flaws.

View Article



3 Attack Vectors: DB, OS, Hardware

As discussed previously, with the moving of what used to be internal components out to the “cloud” anything that is not web code can be considered infrastructure. Infrastructure can still be further subdivided into hardware and software if this is needed for those who need to address the risks and vulnerabilities of those subsystems separately.

View Article



3 Attack Vectors: Overview

Most articles will focus on one aspect of web security. Cross-site scripting, SQL injection, or web server vulnerabilities are the main focus of the author. A more holistic approach is to see how all the different facets come together and how each one holds up the other to secure a web application. The three vectors that any application can be attacked through are the infrastructure, the web code and the end points. This series will examine each vector in detail and give suggestions on how to protect each one. This first article in the series will take a general overview, and subsequent articles will go into more detail. As the attacks change daily, a number of web sites will be referenced for up-to-the-minute information.

View Article



VoIP

Voice over Internet Protocol (VoIP) technology converts analogue voice signals into digitized packets, which the recipients receive over data networks. VoIP is another example of how the Internet has changed the way we communicate and of the emergence of convergence, where voice, data, video, etc., pass through a single medium. It uses existing networks and Internet infrastructure to send information efficiently and at lower cost.

View Article




Steps to Better Secure Your Mac

While the Macintosh platform is now becoming the target of the same sort of organized crime that affects Windows users, these attacks are still very limited in scope and in impact. Nonetheless, Mac users cannot afford to be complacent.

View Article




Biometrics Defined

Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, and it is one of the most effective and accurate methods of verifying identification.

View Article



Malicious Software: Viruses

Malicious software, often abbreviated with the term “malware”, is software designed to infiltrate or damage a computer system without the owner's informed consent. It can therefore penetrate the system evading controls.

View Article




GBL Suggestions

GBL only deals with customer data, not business-to-business data. GBL can be overridden by other laws and regulations because the OCC and other agencies cover other types of requirements beyond just customer data protection. The OCC is there to assess the integrity of the bank, not just to protect customer data.

View Article




Access Control Methods

The purpose of this article is to introduce, from a theoretical point of view, the main access control methods, in order to provide a better understanding of the methods for reinforcing the security policy that are based on these concepts. We'll concentrate above all on Mandatory Access Control.

View Article




What the Botnets Are Netting and for Whom

The greatest threat to online and offline businesses today is not terrorists or even cyber-terrorists, but good old-fashioned organized crime groups using fancy new tools on the Internet to fleece the unsuspecting public, governments and global corporations. Computer crimes against businesses are increasing at an alarming rate, and the cost of computer crimes, just like other business costs, will always be passed on to the customer.

View Article




Introduction to Elliptic Curve Cryptography

The purpose of this article is to introduce the reader to Elliptic Curve Cryptography. Most of the products and standards that use public-key cryptography for encryption and digital signatures use RSA, the Rivest-Shamir-Adleman algorithm, which is based on the difficulty of factoring the product of two large prime numbers; this ensures that calculating the private key from the public one is hard (computationally too expensive).

View Article




Introduction to Intrusion Detection Systems

An Intrusion Detection System (IDS) is an important means of protecting IT systems from external attacks. IDSs are passive monitoring systems: they detect attacks or potential attacks and can send alert messages, but they don't interfere with the monitored system and events.

View Article




Base-Rate Fallacy Considerations

In this article Bayesian statistics is applied to Intrusion Detection Systems (IDSs), in particular to false positives and false negatives, that is, alarms without a real threat and threats undetected by the IDS. What is the relation between false positives and false negatives? Which one is more important? Are they to be minimized in the same way, or one more than the other?

View Article




What Are the Dangers of Instant Messaging?

Historically, operating systems and many applications have utilized their own authentication mechanisms to validate a user and grant access to network resources. As the world becomes ever more integrated, the authentication processes on a network must not only satisfy the security concerns of identifying the validity of a user to the resource, and vice versa,

View Article




SELinux and AppArmor: An Introductory Comparison

In another article, “Hardening Linux Systems in the Application Layer: Why It's Important”, I explained the importance of hardening our Linux systems by reinforcing the security policy in the application layer too. As I said, SELinux is not the only available tool for this purpose.

View Article




How VoIP Really Works

Voice over Internet Protocol (VoIP) is a protocol (convention or standard) that governs the transmission of voice through the Internet or other packet-switched networks (networks in which small units of data called packets are routed through a network). In other words, VoIP uses a broadband Internet connection, like cable or DSL, for routing telephone calls.

View Article




A Family of EAP’s (or Is It a Flock of EAP’s?)

Historically, operating systems and many applications have utilized their own authentication mechanisms to validate a user and grant access to network resources. As the world becomes ever more integrated, the authentication processes on a network must not only satisfy the security concerns of identifying the validity of a user to the resource, and vice versa,

View Article




How Do Bots and Botnets Work?

Basically, a bot is simply a very sophisticated program that mimics human behavior. Yet bots are a definite risk for home computer security online.

View Article




Reinforcing the Security Policy of Linux Systems

In my professional life I see that Linux systems, in several cases Red Hat Enterprise/Advanced Linux distributions, are protected at the network level, with firewalls and other things, but system administrators often don't have a deep knowledge of application-level security,

View Article



Back to School: IT Training Services

"Training is always the last thing on the mind of the people with the purse strings, and it's usually the first thing to go when the budget gets cut," says Shon Harris.

View Article



Role Model

Identity management is a critical security challenge, but without viable standards for access control, your best efforts may be just a drop in the bucket.

View Article



Introduction to Security Governance

Security governance is very similar in nature to corporate and IT governance because there is overlapping functionality and goals between the three. All three work within an organizational structure of a company and have the same goals of helping to ensure that the company will survive and thrive – they just each have different focuses.

Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. There are many professional and official sounding definitions of security governance such as the following by the IT Governance Institute in its Board Briefing on IT Governance, 2nd Edition:

View Article



Risk Management Guide

Companies have always had to deal with different types of risk, be it financial, legal, the success of a new product launch or a merger, or the threat of natural disasters. These risks are traditionally treated as silos. The CFO is responsible for understanding and making decisions pertaining to financial risk. The IT department is responsible for the risk of losing data processing capabilities. Legal counsel is responsible for understanding and managing the company's legal issues. And so on. But this fragmented approach to risk is becoming more dangerous as companies face risks that threaten the company's overall existence. These risks come in the form of noncompliance with government regulations, increasing information security threats, terrorist activities and natural disasters. It is important now, more than ever, for companies to develop and maintain a holistic risk management program that coordinates these silos, because they all have the same overall goal – to protect the company and its assets.

View Article



Understanding Standards for Risk Management and Compliance

Regulatory requirements are driving companies to look into risk management more than ever before. SOX, HIPAA and GLBA all require risk analysis and management. But organizations looking for a solution can quickly find themselves swimming in a sea of acronyms that includes NIST 800-30, AS/NZS 4360:2004, OCTAVE, COSO and CobiT.

View Article



Risks Associated with Outsourcing

Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, ...

View Article



Denying Denial-Of-Service

New solutions fight DoS/DDoS by automatically detecting and blocking potential attacks. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have been around for years, but with reports that 4,000 DoS attacks are launched each week, it's clear the problem isn't close to being resolved. In fact, in a recent poll of Information Security readers, 90 percent said they remained either "very concerned" or "somewhat concerned" about DoS or DDoS.

View Article



Security Strategies for E-Companies - The Science of Secrets

Cryptology continues to evolve as our need for keeping secrets increases. Cryptology, the science of secure communications, is as old as civilization and the written word. Throughout the ages, everyone from kings to shopkeepers has employed codes to gain a competitive edge, reduce vulnerability, hide their true intentions or revel in the comfort of knowing something that someone else doesn't.

View Article

802.11 Security Shortcomings

Wireless communication has been around for years, but only recently has it ascended to the status of a mainstream communication method. Portable devices (e.g., PDAs, cell phones, laptops) have proliferated, giving mobile users access to email accounts, Internet sites, online banking, and the stock exchange. This proliferation has led to WLAN vendors scurrying to develop proprietary wireless network solutions and application vendors hurrying to code new wireless programs.

View Article

Learning from SQL Slammer

Many people might have heard of the Slammer worm, but few people fully understand the root of the attack. Familiarizing yourself with Slammer's methods can help you evaluate the risk to your environment and prepare for future attacks by similar worms.

View Article

Greater WLAN Security with 802.11i

To improve the standard and close holes in current wireless implementations, IEEE developed the 802.11i Task Group. To address each of the aforementioned flaws, this group has developed a new authentication framework that encompasses several components.

View Article

How 802.11i Addresses WEP's Core Deficiencies

Wired Equivalent Privacy (WEP) contains three core deficiencies. The first deficiency is the use of static encryption keys. The second deficiency is the ineffective use of initialization vectors (IVs). The third deficiency is the lack of packet integrity assurance.

View Article


Vulnerability Mismanagement

The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.

View Article

To Catch a Thief

Understanding the requirements of bringing the necessary forensics capability in-house and the most popular tools in use today.

View Article



 

© 2007 Logical Security, Inc.