• 09Mar
    Author: zack Categories: Infrastructure, Security Comments: 0

    Confused Deputy
One of the most interesting (in other words, “dangerous”) vulnerabilities, and one that a great many web applications still fall victim to, is cross-site request forgery (CSRF, pronounced “sea-surf”). CSRF is an attack in which unauthorized commands are transmitted to a website from a user that the website trusts: the victim’s browser automatically attaches the site’s cookies to any request, including one that an attacker’s page causes it to send, so the site cannot tell the forged request from a legitimate one. It is an example of the confused deputy problem. This differs from the widely known cross-site scripting (XSS) in that CSRF exploits the trust a site has in the user’s browser, whereas XSS exploits the trust a user has in a particular website.
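The trust relationship above, modelled as an added example (this is not code from the original post): a vulnerable transfer handler that accepts a request on the strength of the session cookie alone, beside a hardened one that also demands a per-session synchronizer token and checks the Origin header. The site name `bank.example`, the in-memory session store and the account balances are all constructed for the illustration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"    # assumption: the site that trusts the browser
SESSIONS = {}                           # constructed in-memory store: cookie value -> session
BALANCES = {"alice": 1000}              # constructed sample account data


def login(user):
    """Issue a session cookie and, alongside it, mint a per-session CSRF secret."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_from_cookie(headers):
    cookie = headers.get("Cookie", "")
    sid = cookie[len("sid="):] if cookie.startswith("sid=") else ""
    return SESSIONS.get(sid)


def render_transfer_form(headers):
    """GET /transfer: the site embeds the session's token in its own form.
    A page on another origin cannot read this response (same-origin policy),
    so an attacker cannot learn the token, although the browser will still
    attach the cookie to any request the attacker's page triggers."""
    sess = _session_from_cookie(headers)
    if sess is None:
        return 401, ""
    return 200, f'<input type="hidden" name="csrf_token" value="{sess["csrf"]}">'


def _do_transfer(user, form):
    amount = int(form.get("amount", 0))
    if amount <= 0 or BALANCES.get(user, 0) < amount:
        return 400
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return 200


def transfer_unprotected(headers, form):
    """Vulnerable POST handler: a valid cookie is all it checks, so the site acts
    as a confused deputy for whoever made the browser send the request."""
    sess = _session_from_cookie(headers)
    if sess is None:
        return 401
    return _do_transfer(sess["user"], form)


def transfer_protected(headers, form):
    """Hardened POST handler: cookie plus synchronizer token, with an Origin
    check as defence in depth (the header is not always present, so it cannot
    be the only control)."""
    sess = _session_from_cookie(headers)
    if sess is None:
        return 401
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                                   # request came from another site
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403                                   # token missing or wrong; constant-time compare
    return _do_transfer(sess["user"], form)


def run_scenarios():
    """Replay one legitimate and one forged request against each handler."""
    BALANCES.clear()
    BALANCES["alice"] = 1000
    sid = login("alice")
    browser = {"Cookie": f"sid={sid}"}
    # Legitimate: alice's browser loads the form and submits it, token included.
    _, html = render_transfer_form(browser)
    token = html.split('value="')[1].rstrip('">')
    legit = {"to": "bob", "amount": "100", "csrf_token": token}
    # Forged: alice visits evil.example, whose page auto-submits a hidden form to
    # bank.example. Her browser attaches the cookie; the page cannot supply the token.
    forged = {"to": "mallory", "amount": "500"}
    from_evil = {**browser, "Origin": "https://evil.example"}
    return {
        "unprotected_legit": transfer_unprotected(browser, legit),
        "unprotected_forged": transfer_unprotected(from_evil, forged),
        "protected_legit": transfer_protected({**browser, "Origin": SITE_ORIGIN}, legit),
        "protected_forged": transfer_protected(from_evil, forged),
        "protected_guessed_token": transfer_protected(browser, {**forged, "csrf_token": "guess"}),
        "alice_balance": BALANCES["alice"],
        "mallory_balance": BALANCES.get("mallory", 0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running the scenarios shows the unprotected handler moving 500 to mallory on the forged request while the protected handler returns 403 for both the forged request and a guessed token. Two points a practitioner should carry away: the token must be compared in constant time, and the Origin check is a second layer, not a replacement, because the header is absent on some requests. Modern browsers’ SameSite cookie defaults narrow the window but do not remove the need for the token.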

    Read more »

  • 04Mar
    Author: terry Categories: Security Comments: 0

Frequently during the course of a security assessment, we get asked about social engineering. People want to know whether it is really worth the time it takes, and what the point is, anyway. Well, the bottom line is that the access an intruder can achieve, either by physically walking into an office or data center, or by convincing an employee to click on a link or divulge information over the phone, can be one of the quickest routes to a data breach. In fact, according to the FBI data security survey in 2009, non-malicious insiders (folks who simply make mistakes such as the ones listed below) are a much bigger problem than malicious insiders. Indeed, 16% of respondents reported that nearly all of their losses were due to these well-meaning insiders.

    Read more »

  • 25Feb
    Author: randy Categories: Security Comments: 0

Applied Trust recently achieved Payment Card Industry (PCI) Qualified Security Assessor (QSA) status. Most companies that pursue this credential do so solely for the purpose of being able to perform QSA-certified audits as defined by the PCI Security Standards Council. The PCI standard requires that an organization be 100% compliant across all requirements. For requirements that cannot be met exactly, PCI allows the use of compensating controls. For a variety of reasons, we think this area is an important aspect of our PCI compliance practice.

    When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get out of jail free card – there are specific rules as to when and how they may be applied. Specifically:

    Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

    Compensating controls must satisfy the following criteria:

    Read more »

  • 15Feb
    Author: ned Categories: IT Management, Security Comments: 0

    The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

    Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

    See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

    Read more »

  • 10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

First, re-evaluate whether the business truly qualifies as an associate. In the past, business associates had very few directly applicable requirements, and those that existed were rarely, if ever, audited or enforced. Businesses should no longer sign BAAs haphazardly when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

  • 11Dec
    Author: beth Categories: Security Comments: 0
(Photo: Daisy, an attacker identified by the CSI)

    The Computer Security Institute has just released the results of its 14th annual Computer Crime and Security Survey and, as always, there are some interesting findings. This year’s results are based on 443 responses given by information security and information technology professionals in U.S. corporations, government agencies, financial institutions, educational institutions, medical institutions, and other organizations, from the period of July 2008 to June 2009.

    A few highlights:

    • Average losses resulting from security incidents dropped from $289,000 per respondent last year to $234,244 per respondent this year.
    • A third of respondent organizations reported being fraudulently represented as the sender of a phishing message.
    • Respondents reported big jumps in the incidence of financial fraud, malware infection, denials of service, password sniffing, and Web site defacement, and significant dips in wireless exploits and instant messaging abuse.
    • Financial fraud losses averaged $450,000 per organization that suffered fraud.
    • A quarter of respondents believed that more than 60% of their financial losses resulted from non-malicious actions by insiders.
    • The largest increases in security technologies used were in anti-spyware software and tools that encrypt data at rest.
    • Tools that improve visibility, such as log management tools and security information and event management tools, were high on many organizations’ security wishlists.
    • Only 7.7 percent of respondents categorized their organizations as being in the “health services” industry, but 57.1 percent of respondents said their organization had to comply with the Health Insurance Portability and Accountability Act (HIPAA). More respondents said that HIPAA applied to their organization than any other law or industry regulation.
    • Respondents generally reported that regulatory compliance efforts have had a positive effect on their organization’s security programs.

    For more specifics, check out the free Executive Summary of the Survey that’s available from CSI’s web site. CSI members get a copy of the comprehensive version, and it will be made available to non-members for a fee at some point.

  • 11Nov
    Author: trent Categories: Ramblings, Security Comments: 0

    Good grief.  For those paying attention, tools like sudo and the concepts behind them have been around for a really long time.  Long enough that I can barely remember working on them, though I agree with this article that I did and it did in fact occur many years before Microsoft’s “invention” of this technology.  Microsoft, apparently, doesn’t remember or chooses not to.  Read the Groklaw article on this topic for the gory details.

  • 30Oct
    Author: trent Categories: Security Comments: 0

    Happy Friday, and Happy Halloween!  If you’re looking for some thought provoking reading, my good friend Gunnar Peterson presented what is truly a masterpiece about information security in a cloud environment at the mnemonic RISK Conference in Oslo, Norway this week.   I wouldn’t do it justice to attempt to summarize it fully here, but he makes a number of excellent, anti-information security-establishment points about how we as a discipline really need to buck up and deal with the difficult problems in information security, rather than continue to do the same old thing that we’ve been doing, for, well, 5078 days.

    This is excellent brain food – I encourage you take the time to read and digest it.  Nice work, Gunnar!  Check it out:  Thinking Person’s Guide to the Cloud.

  • 05Oct

I’m excited to say that The Barking Seal Blog has been around for a year now! We’ve had a great time blogging, ranting, and pontificating on the future of IT infrastructure, and have especially enjoyed the reader comments and emails.
    Below are ten of our favorite posts from our first year – if you missed one, check it out now…

    Here’s to lots more entertaining (and hopefully insightful!) posts in the year to come!  Thanks for your comments, feedback, and continued support!

    – The Seals at Applied Trust

    (photo courtesy hfb under the CC)

  • 02Aug
    Author: ned Categories: Infrastructure, Security Comments: 12

Virtual Private Networks (VPNs) offer a way to securely connect different locations that are both connected to the Internet. Internet VPNs are far cheaper than private lines leased from a telco, but unfortunately they are often much less reliable. Many times, when an Internet VPN “drops”, distant offices are no longer able to communicate. As network administrators, we want to know about it so we can fix it before our users notice anything!

    This post shows one way to monitor site-to-site VPNs configured on a Cisco ASA firewall using SNMP and Nagios.
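One way to build such a check, as an added example rather than the method the post itself describes: a Nagios-style plugin that walks the ASA’s table of active IKE tunnels over SNMP and goes CRITICAL when an expected site-to-site peer has no tunnel. It assumes net-snmp’s `snmpwalk` is installed on the Nagios host, that the ASA permits SNMP polling from it, and that the OID below is `cikeTunRemoteValue` from CISCO-IPSEC-FLOW-MONITOR-MIB (an assumption to verify against the MIB for your ASA release). The sample walk output and peer addresses are constructed.

```python
#!/usr/bin/env python3
import subprocess
import sys

# Assumption: cikeTunRemoteValue (CISCO-IPSEC-FLOW-MONITOR-MIB), one row per active
# IKE tunnel, value = remote peer address. Verify against your ASA's MIB.
CIKE_TUN_REMOTE_VALUE = "1.3.6.1.4.1.9.9.171.1.2.3.1.7"
NAGIOS = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}

# Constructed sample of `snmpwalk -OQn` output: two tunnels currently up.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.12 = "203.0.113.10"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.27 = "198.51.100.7"
"""


def parse_peers(walk_output):
    """Turn `snmpwalk -OQn` lines ('OID = value') into the set of remote peers."""
    peers = set()
    for line in walk_output.splitlines():
        if " = " not in line:
            continue                      # blank lines, 'No Such Instance', etc.
        value = line.split(" = ", 1)[1].strip().strip('"')
        if value:
            peers.add(value)
    return peers


def evaluate(active_peers, expected_peers):
    """Nagios verdict: an expected peer without a tunnel is CRITICAL (that office
    is cut off); tunnels to peers not on the list are reported but do not alarm."""
    active, expected = set(active_peers), set(expected_peers)
    missing = sorted(expected - active)
    extra = sorted(active - expected)
    perf = f"|tunnels={len(active)};;;0"
    if missing:
        return "CRITICAL", f"tunnel down to {', '.join(missing)} {perf}"
    message = f"all {len(expected)} expected tunnels up"
    if extra:
        message += f" (also up: {', '.join(extra)})"
    return "OK", f"{message} {perf}"


def snmp_walk(host, community, oid):
    """Run net-snmp's snmpwalk. SNMPv2c is used here for brevity; use v3 authPriv
    in production so the community string is not sent in the clear."""
    proc = subprocess.run(
        ["snmpwalk", "-v2c", "-c", community, "-OQn", host, oid],
        capture_output=True, text=True, timeout=20,
    )
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or "snmpwalk failed")
    return proc.stdout


def main(argv):
    """Usage: check_asa_vpn.py <asa-host> <community> <peer-ip>[,<peer-ip>...]"""
    if len(argv) != 4:
        print("UNKNOWN - usage: check_asa_vpn.py <host> <community> <peer,peer,...>")
        return NAGIOS["UNKNOWN"]
    host, community, expected = argv[1], argv[2], argv[3].split(",")
    try:
        active = parse_peers(snmp_walk(host, community, CIKE_TUN_REMOTE_VALUE))
    except Exception as exc:               # unreachable host, bad community, timeout
        print(f"UNKNOWN - SNMP query failed: {exc}")
        return NAGIOS["UNKNOWN"]
    state, message = evaluate(active, expected)
    print(f"VPN {state} - {message}")
    return NAGIOS[state]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it into Nagios as a command such as `check_asa_vpn.py $HOSTADDRESS$ $ARG1$ $ARG2$` with the peer list as the second argument, and restrict the ASA’s `snmp-server host` to the poller so the read-only community (or, better, an SNMPv3 user) is not usable from elsewhere. One caveat: an IKE security association can be up while the IPsec child SA underneath it has failed, so a stricter check would also confirm traffic counters on the IPsec tunnel table are moving.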

    Read more »