• 24Jun

    Saturday morning I was up and out the door early for a long run before the heat set in too much. As I was running I was thinking to myself, “Gosh, having a good exercise routine is kind of like having a good information security program.” I had lots of time to ponder this particular issue, as my iPod was unfortunately not charged and I had no one to talk to. Here are a few things I thought of that make exercise and security so alike.

    1) Set goals: Both in exercise and in information security, it is good to set goals. For example, before I can write up a training plan for myself, I need to know what race I’m training for, and what my target pace is. Similarly, before I can write up my information security plan, I need to know what information I need to protect and how much protection I need (is this credit card data, or is it records of what color paint my store sold last year?).

    Read more »

  • 13Apr
    Author: ben Categories: Infrastructure, Security Comments: 1
    As discussed in detail by the Apache infrastructure team, a cross-site scripting vulnerability in Atlassian’s JIRA led to a full root account compromise on the ASF’s issue and request tracking server. If you don’t care to read the full story from the infrastructure team, the following sequence of events led to the compromise:

    1. Attackers opened a new JIRA issue with a malicious tinyurl.com link that led to the JIRA page with an XSS vulnerability
    2. Simultaneously, attackers launched a brute force attack on the JIRA login form
    3. Several administrators clicked the tinyurl link, which compromised their cookies (giving the attackers JIRA admin access)
    4. Attackers uploaded a malicious JAR file that collected JIRA passwords at login. One of the compromised passwords had also been used for a local account with full sudo privileges.

    There’s more to the story, but those points capture the bulk of the attack.

    This compromise interests me because it’s an explicit, targeted, successful attack against a security conscious and capable next-generation web technology team. Several techniques were used in this attack:

    • Social engineering. The attackers opened an issue as if they were a trusted source posting a legitimate link. The Apache administrators trusted them.
    • Web application security flaw. XSS is #2 on the OWASP top 10 list.
    • Lack of vigilance. As the infrastructure team points out, the same password was used in a number of cases, and the JIRA user was overly privileged.

    I hear a lot of grumbling when I highlight XSS vulnerabilities in a penetration testing report. “Is this really a serious problem?” and “we’re not a target” and “it doesn’t matter if they steal the cookie” are common complaints. Let’s face it – if the Apache team can be pwned, we should all be wary.

  • 01Apr
    Author: terry Categories: Ramblings, Security Comments: 1

    Who would have thought that just a few short days after I wrote a blog post about social engineering I would get called with a major social engineering scam? This one was at my house, not at work, but the same principles apply: never give out information you wouldn’t want a scammer to have, never agree to give them money (or passwords!), and verify their authenticity with a known trusted source.

    Read more »

  • 24Mar

    Removable media: We all have them, maybe a few of them in different sizes. They’re invaluable for various administration tasks. Trying to get network drivers onto that new machine you’re re-installing? How about bringing one with you when you have to patch a few machines that aren’t on the domain? Or loading Knoppix LiveCD onto one for resetting administrator passwords? We love flash drives, but we also know they can be perfect vectors for malicious users. As with many types of technology, the more popular they become, the more lucrative it is to write malicious code that targets them.

    Read more »

  • 09Mar
    Author: zack Categories: Infrastructure, Security Comments: 0

    Confused Deputy
    One of the most interesting (in other words, “dangerous”) vulnerabilities that almost every existing web application falls victim to is cross-site request forgery (CSRF – “sea-surf”). CSRF is a type of malicious attack vector whereby unauthorized commands are transmitted from a user that the website trusts. It is an example of the confused deputy problem. This is different from the widely-known cross-site scripting (XSS) in that CSRF exploits the trust that a site has in the user’s browser, whereas XSS exploits the trust a user has in a particular web site.
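    To make the “trust in the browser” point concrete, here is an added example (not code from the original post) modelling a state-changing request handler twice: once authorizing on the session cookie alone, which is exactly the confused-deputy position, and once also requiring a per-session token that a page on another origin cannot read. The session store, handler names and request shapes are hypothetical and constructed for the demonstration.

```python
import hmac
import secrets

# Constructed session store: cookie value -> user record with a per-session token.
SESSIONS = {
    "sid-alice-1234": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def handle_transfer_vulnerable(request):
    """Authorizes on the session cookie alone. The browser attaches that cookie
    to ANY request aimed at this site, so a form auto-submitted from another
    site is indistinguishable from the user's own click: the server acts as a
    confused deputy."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def handle_transfer_protected(request):
    """Additionally requires a token embedded only in the site's own pages.
    Another origin can make the browser send the cookie, but it cannot read
    the token out of the victim's page, so the forged request is rejected."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def forged_request():
    """Constructed request as the browser would send it when a page on another
    site auto-submits a hidden form: cookie present, token absent."""
    return {"cookies": {"sid": "sid-alice-1234"},
            "form": {"to": "mallory", "amount": "1000"}}


def legitimate_request():
    """Same action submitted from the site's own form, which carried the token."""
    return {"cookies": {"sid": "sid-alice-1234"},
            "form": {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS["sid-alice-1234"]["csrf_token"]}}


if __name__ == "__main__":
    print("vulnerable, forged:  ", handle_transfer_vulnerable(forged_request()))
    print("protected, forged:   ", handle_transfer_protected(forged_request()))
    print("protected, legitimate", handle_transfer_protected(legitimate_request()))
```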

    Read more »

  • 04Mar
    Author: terry Categories: Security Comments: 0

    Frequently during the course of a security assessment, we get asked about social engineering. People want to know if it is really worth the time it takes, and what is the point, anyway? Well, the bottom line is that the access an intruder can achieve either by physically walking into an office or data center, or by convincing an employee to click on a link or divulge information over the phone, can be one of the quickest ways to a data breach. In fact, according to the FBI data security survey in 2009, non-malicious insiders (folks that just make mistakes such as the ones listed below) are a much bigger problem than malicious insiders: 16% of respondents reported that nearly all of their losses were due to these well-meaning insiders.

    Read more »

  • 25Feb
    Author: randy Categories: Security Comments: 0

    Applied Trust recently achieved Payment Card Industry (PCI) Qualified Security Assessor (QSA) status. Most companies that pursue this credential do so solely for the purpose of being able to perform QSA-certified audits as defined by the PCI standards council. The PCI standard requires that an organization is 100% compliant across all requirements. For requirements that cannot be exactly met, PCI allows the use of compensating controls. For a variety of reasons, we think that this area is an important aspect of our PCI compliance practice.

    When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get out of jail free card – there are specific rules as to when and how they may be applied. Specifically:

    Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

    Compensating controls must satisfy the following criteria:

    Read more »

  • 15Feb
    Author: ned Categories: IT Management, Security Comments: 0

    The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment. Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

    Below is an attempt to assemble those requirements into a single schedule. Where the standard didn’t specify a frequency, I used reasonable “best practices” values. I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan! There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

    See anything that I missed? Did I get something wrong? Let me know in the comments and we’ll work toward an accurate sample schedule together!!

    Read more »

  • 10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

    First, re-evaluate whether the business truly qualifies as an associate. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

  • 11Dec
    Author: beth Categories: Security Comments: 0
    Daisy, an attacker identified by the CSI

    The Computer Security Institute has just released the results of its 14th annual Computer Crime and Security Survey and, as always, there are some interesting findings. This year’s results are based on 443 responses given by information security and information technology professionals in U.S. corporations, government agencies, financial institutions, educational institutions, medical institutions, and other organizations, from the period of July 2008 to June 2009.

    A few highlights:

    • Average losses resulting from security incidents dropped from $289,000 per respondent last year to $234,244 per respondent this year.
    • A third of respondent organizations reported being fraudulently represented as the sender of a phishing message.
    • Respondents reported big jumps in the incidence of financial fraud, malware infection, denials of service, password sniffing, and Web site defacement, and significant dips in wireless exploits and instant messaging abuse.
    • Financial fraud losses averaged $450,000 per organization that suffered fraud.
    • A quarter of respondents believed that more than 60% of their financial losses resulted from non-malicious actions by insiders.
    • The largest increases in security technologies used were in anti-spyware software and tools that encrypt data at rest.
    • Tools that improve visibility, such as log management tools and security information and event management tools, were high on many organizations’ security wishlists.
    • Only 7.7 percent of respondents categorized their organizations as being in the “health services” industry, but 57.1 percent of respondents said their organization had to comply with the Health Insurance Portability and Accountability Act (HIPAA). More respondents said that HIPAA applied to their organization than any other law or industry regulation.
    • Respondents generally reported that regulatory compliance efforts have had a positive effect on their organization’s security programs.

    For more specifics, check out the free Executive Summary of the Survey that’s available from CSI’s web site. CSI members get a copy of the comprehensive version, and it will be made available to non-members for a fee at some point.
