Happy New Year 2010!

Posted by William McBorrough | Uncategorized | Thursday 31 December 2009 11:18 pm

Here’s to a more prosperous 2010.

Security Management Series – Part I – The Foundation

Posted by William McBorrough | Thoughts | Wednesday 30 December 2009 7:11 pm

The foundation of any security program should be based on risk. When security is addressed as a theoretical exercise, it is often a self-defeating proposition. I have seen this both in an academic setting, where instructors teach security concepts as absolutes, and in a professional setting, where that absolutist approach led to conflict, resentment and backlash. A risk-based approach to security is a practical approach to security. One must first, however, explore two crucial questions: What is risk, and risk to what? The answers vary from enterprise to enterprise, and each organization must go through the process of determining the answers for itself. In the absence of this, organizations tend to seek out “best practices” and follow them without contemplating their necessity.

Risk is an ever-changing probability that a vulnerability, weakness, or lack of security control will be exploited by an agent (hacker, careless employee, natural disaster, etc.), leading to negative consequences for an organization. Simply put, it is the chance that something bad will happen. There will always be some degree of risk; however, a robust security program must be able to reduce it to a level acceptable to the organization’s management. That is referred to as risk management. I recently had a consultation with a small accounting firm that was about to lose its “IT guy”. He handled everything technical, from configuring Outlook on desktops to managing the company’s server, which hosted their mission-critical applications and was co-located “somewhere”. He visited the server several times a month, apparently, and no one knew why he went or what he did there. There was no documentation of any kind. He was about to leave in less than a week and they were in a state trying to find a replacement. As seen in this example, single-person dependencies are par for the course in small enterprises such as this, but that leads to considerable risk, especially when the person is unhappy and leaving. My first advice to them was to have him document (as best he could) everything he did on a daily basis and why. Hopefully a lesson learned here would be to have his replacement do the same routinely.

As to the object of this risk, we have to refer to the three main principles of security: Confidentiality, Integrity and Availability. A security program, regardless of the size of the enterprise, should protect against the risk of unauthorized disclosure and modification of an organization’s data and ensure that its data and resources are available as needed. Risk management should include data, personnel, processes and physical and technical assets.

With those two concepts as a foundation, in this series, I will seek to outline steps to achieving practical security management.

Last chance for Shmoocon 2010 tickets!

Posted by William McBorrough | Uncategorized | Wednesday 30 December 2009 3:50 pm

Every year since 2005, security professionals and aspirants gather in Washington, D.C. for Shmoocon. Shmoocon is an annual hacker convention held by the Shmoo Group. It is three days of informative, fun, entertaining presentations about new hacking exploits, methodology and technology. The 2010 convention will be held on February 5-7. Space is limited and it has sold out every year since its inception. Compared to other security conventions, it is very affordable. Tickets are sold from $100 to $300 in three rounds. The first two rounds sold out within 2-3 minutes. Even if you try to register at the very minute the tickets are made available, you might not make it as the demand is so great. I was one of those unfortunate souls hitting refresh feverishly during round two but didn’t make the cut. There is hope, however. Round 3 sales begin on January 1 at 12 noon. I shall certainly give it another go. I have thoroughly enjoyed the convention in the past and it’s a great bargain for the price.

The list of presentations is posted here.

Hack Attack Is Only Funny When It's Bill The Cat!

Posted by Guest Blogger | Uncategorized | Tuesday 29 December 2009 8:06 pm

We were hacked. Bet the thought of it gives you shivers. It sure did me, and more!

As a web designer I use many tools to monitor my site and stats. I signed up for Google Webmaster Tools and was horrified to see a list of keywords that were pornographic AND not on my site. The first question, of course, was where on earth were these coming from.

The next step was to go through every page on the server and check for files / folders that appear suspicious. My main site was fine. What was not fine were archived folders (2) outside of my main site.

I downloaded one of the pages to view the code and saw that there was a script underneath. On further research (Google search) I discovered that these pages were simply jumping off points, due to the script, to actual pornographic sites. But there was my url listed with these awful pornographic words – in Google’s search index.

What I Did Once Found

I removed the files. I created a 400, 403, 404 page stating “PLEASE NOTE: WE HAVE HAD A PROBLEM RECENTLY OF FILES BEING UPLOADED TO OUR WEBSITE THAT WERE NOT CREATED BY THIS COMPANY AND CONTAIN OFFENSIVE MATERIAL. IF YOU ARE LOOKING FOR THESE FILES, THEY NO LONGER EXIST.”

Seeking Extra Resources

My next step was to upload an .htaccess file loaded with all of the words. So we went through all the keywords we had (don’t do this on a full stomach, folks) and added to the list and put it up.

How Did This Happen?

It appears that malware has been downloading to unsuspecting websites with a software update.

What Can You Do To Check Your Site?

A good place to start is Google Webmaster Tools and Google Analytics because (increasingly) Google is using the Google Webmaster Tools to inform webmasters of problems with their sites. If you see strange page names being accessed and keywords that do not relate to your site, you very well may have a problem. If this is the case, contact your hosting company AND check every file in every folder.

Author: Jan Carroll
Article Source: EzineArticles.com
Provided by: Guest blogger
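
An added example, not part of the guest post: a Python script for the “check every file in every folder” step, flagging pages where a script sits underneath the closing </html> tag as the post describes. The list of page extensions and the two-page sample site are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions of pages a browser or crawler would render (assumed list).
PAGE_EXTENSIONS = {".html", ".htm", ".php"}
CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def script_after_closing_html(text):
    """True if a <script> tag appears after the last </html> tag."""
    matches = list(CLOSING_HTML.finditer(text))
    if not matches:
        return False
    tail = text[matches[-1].end():]
    return bool(SCRIPT_TAG.search(tail))


def scan_web_root(root):
    """Walk every folder under root; return relative paths of flagged pages."""
    flagged = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PAGE_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                if script_after_closing_html(handle.read()):
                    flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_site(root):
    """Constructed sample: one clean page, one archived page with an appended script."""
    os.makedirs(os.path.join(root, "archive_old"))
    clean = "<html><body><script src='menu.js'></script>Home</body></html>\n"
    tampered = ("<html><body>Old page</body></html>\n"
                "<script>/* constructed placeholder */</script>\n")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        f.write(clean)
    with open(os.path.join(root, "archive_old", "page.html"), "w", encoding="utf-8") as f:
        f.write(tampered)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_web_root(site))
```

Run it against a downloaded copy of the site, and review every flagged file by hand before deleting anything.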

Are you ready for Cloud Computing?

Posted by William McBorrough | Thoughts | Monday 28 December 2009 6:59 pm

As a final research project for my most recent class, I assigned the task of outlining some of the security issues associated with moving to a cloud-based solution for an enterprise. Now “cloud computing” is certainly not a new concept, as Bruce Schneier did a great job of outlining on his blog earlier this year. However, it has recently gained momentum in these hard economic times, as the need to reduce IT overhead is even more pressing than usual. The cost savings of moving to a cloud-based solution are beyond dispute. Even Uncle Sam is getting in on the action. The GSA has recently set up Apps.gov to promote the benefits of cloud computing to other government entities. The DoD is looking at implementing its own “private” cloud. As was outlined by many of the student presentations, there are still many unanswered questions when it comes to security. I believe this is primarily because of the proprietary nature of our current solutions. Microsoft, Google or Amazon aren’t going to publicize all their security measures for current or prospective customers to evaluate. There is in the unknown. When an organization’s IT is hosted and managed on-site, those responsible for security (ultimately upper management) can verify fully what security measures are in place and the effectiveness of such measures. How does an organization ensure that its cloud provider is adhering to the agreed security measures? I believe a third-party verification is essential here. Independent, thorough and periodic audits by a trusted third party can go a long way in ensuring confidence in prospective customers. A well-defined Service Level Agreement is also essential, especially when one considers the loss of control involved in becoming more dependent on the chosen provider. Some of the challenges created by moving portions of IT to a cloud provider are outlined in this NIST presentation.

Another excellent article on the subject has been recently published by MIT’s Technology Review titled Security in the Ether. Lastly, I believe as organizations consider a move to cloud computing, the benefits and risks should be weighed. For smaller organizations and new startups, the decision seems a relatively easy one. When I formed my consulting practice, using Google Apps for my email, calendar, document sharing and other intranet services was an obvious choice. I could have almost as easily hosted and managed that infrastructure myself but my benefit – analysis showed that to be neither practical nor greatly beneficial. For larger enterprises that have already invested significant resources in building up an IT infrastructure, the decision should be a lot harder. However, a thorough analysis of the benefits and risks should help move the decision one way or another.

Is your organization currently considering such a move?

External Attacks from the Inside

Posted by William McBorrough | Thoughts | Saturday 26 December 2009 7:06 pm

Sentrigo recently announced its top data security trend to watch for in 2010: External attacks from the inside! Three attack vectors really stand out as ones that those of us charged with data protection should be well aware of:

  • Malicious employees or contractors being planted in targeted organizations to be the “agent on the inside”. As you may well know, the greatest security to enterprises come from the actions or inaction of its own users, whether by malicious intent or inadvertent errors. These users already have access to your resources. Awareness, Authentication, Access Control and Auditing are essential parts of any security program which seeks to mitigate this.
  • Hackers or malware compromising less protected assets to be used as a springboard to attack more valuable/protected assets (e.g. end-user desktops/laptops, misconfigured servers, etc.). A combination of Vulnerability Assessment (including Penetration Testing) and a User Awareness program can help here. A pentest will help determine if your systems that interact with the wide world beyond are vulnerable but will not detect whether a curious user will “find” a USB drive in the parking lot and plug it in his/her system to see what’s on it. That’s where the awareness training comes in.
  • Compromise of users. In these hard economic times, your employees may be more susceptible to bribery or extortion by those wanting to use their access for malicious purposes. User monitoring is very important. Part of the mandatory awareness training for users with supervisory responsibilities should include signs to look for to detect whether their employees are under any kind of duress, emotional or otherwise. Periodic credit checks might also be advisable depending on the nature of the business and the user’s role.

Is your organization adequately mitigating these factors?

Merry Christmas, One and All!

Posted by William McBorrough | Uncategorized | Thursday 24 December 2009 4:41 pm

New Facebook Clickjacking Attack

Posted by William McBorrough | Social Networking, Users | Tuesday 22 December 2009 3:08 pm

Here is a post by Stan Schroader warning users of a new Facebook clickjacking attack. Clickjacking is a malicious technique where users are tricked into clicking on a hidden link that leads them to a webpage they didn’t intend. If this is a web site that hosts malicious content, things can get a little hairy. If you are using a Firefox browser as I am, one way to protect yourself is to install the NoScript plugin, which prevents users from clicking on invisible page elements.

Use Google Apps or Gmail? Avoid getting hacked!

Posted by William McBorrough | Applications | Sunday 20 December 2009 11:23 pm

It can happen to the best of us. Blogger and Techie Columnist Amit Agarwal had his Google Apps account hacked this past week and wrote about it on his blog. Amit has some good tips on how to avoid getting hacked, protect yourself and improve the security of your online data. One can associate a Google account with a phone number and get an SMS when that password changes. If you aren’t already using this feature, you should. He got his access restored in three hours but in many cases it takes much longer. It can be a terrifying experience to know that someone else has access to all your online data. One addition I would make to his list of tips is to install Google Gears, which allows you to download all your emails to a local machine, similar to an email client.

"Show me the malware"- says Google

Posted by William McBorrough | Thoughts | Thursday 17 December 2009 7:30 pm

A few weeks ago, I had a discussion with a student who wondered why Google provided you links to malicious sites in its search results. Her point was that Google was being negligent by not blocking malicious sites or at the very least informing the user. I questioned whether Google had an obligation to do so even though it would be a desirable thing (at least the notification part). There are browser plug-ins that seek to do this. WOT is one of them. I came across this post from Google Online Blog which indicates that Google has started to take a more proactive approach and performs scans on the web sites they index as a way of protecting users AND webmasters. Here is the post.
