
Nov 27

You can now follow us on LinkedIn by joining our group here.

Posted by Donald Tabone

Nov 18


Some people argue, sounding quite convinced, that spending time and money on security awareness is fruitless and worthless. Whilst security awareness training might not yield bucketfuls of money as a return on investment, I can assure you that in this day and age it's an excellent insurance against one of the biggest things businesses stand to lose, i.e., reputation. On a small island like ours, it's paramount, as the IT sector is (comparatively) small and mostly dog-eat-dog.

This week, we ran across an article posted here by Ed Skoudis (thanks G) describing some of these beliefs. If the list below entices you, I invite you to read the reality behind each myth on the original website.

In the hope that we learn from these bad security tips, here you go...

Worst practices tip #1: Focus information security defenses on prevention
The myth: If an organization prevents attacks, it won't have to spend as much time and effort cleaning up after the fact. Thus, the majority of its security budget should be spent on prevention mechanisms, such as patch deployment, hardening, firewalls, intrusion prevention systems (IPS) and antimalware products. Keep the bad guys out, and there will be no need to worry about detecting or responding to attacks.

The reality...
Worst practices tip #2: Security awareness activities are worthless
The myth: Security awareness is a waste of valuable resources. Why should security personnel spend a lot of time trying to instill good security practices regarding passwords, safe surfing and sharing information over the telephone, and have little or nothing to show for it? Some enterprises that apply metrics to measure password complexity, social engineering response and the like have found that these areas do improve shortly after implementing a security awareness program. However, these results dissipate quickly, leaving little lasting security for the organization. For that reason, security awareness spending is a leaky bucket, dribbling away budgets. Corporations can better apply those resources on technical defenses.

The reality...
Worst practices tip #3: Deploy a patching product, and you'll be secure
The myth: Unpatched Windows machines represent one of the biggest avenues of exploit for enterprises. With numerous client-side vulnerabilities in everyday Windows programs, attackers can easily gain access to unpatched systems if a user simply surfs to the attacker's website or a third-party site hosting the attacker's content. With an automated patching product, an enterprise can keep its systems up-to-date and avoid such exploitation. Once an enterprise is fully patched, it'll be secure.

The reality...
Worst practices tip #4: SSL can secure Web applications
The myth: The Secure Sockets Layer (SSL) provides rock-solid encryption of sessions between browsers and Web servers, and thus can ensure that Web apps are kept safe from attack. After all, if attackers can't see the data going from browsers to the server, they can't alter it. And, if they cannot alter the data, the Web application is protected from hacks.

The reality...
Worst practices tip #5: Penetration testing has limited value
The myth: Penetration tests have many limitations. Trying to model a full-fledged attack from a real-world bad guy in the space of a one- or two-week test doesn't really indicate the risk profile of an organization. Penetration tests have a limited scope, occur during a limited timeframe and are plagued by the limits of testers' skills and imaginations. Sure, if penetration testers successfully compromise corporate systems, it means that an enterprise has some unpatched security flaws. But if testers are unsuccessful, then that doesn't mean an organization is secure. Penetration testing could therefore lead to a false sense of security. What's more, they show target organizations' current vulnerabilities, but with new vulnerabilities constantly being discovered, they provide no insight into security going forward. For those reasons, some think penetration testing is a waste of time.

The reality...

Do you know of other oddities? If so, feel free to reply.

Posted by Donald Tabone

Nov 13
In an effort to make people more security conscious (and to promote themselves), Lumension (formerly Securewave) are giving away 1Gb secured USB sticks. Simply play the Flash game and identify 10 security risks among the employees, register, and you're on your way to receiving a free USB stick as well as being entered into a draw to win 1 of 3 Lumension software security suites, HP server included!

Put yourself to the test and go grab one ... http://www.lumensiontheoffice.com

Posted by Donald Tabone

Nov 10
Here's a top 10 list of things to do if you want to take a break from being secure. If you're thinking paranoia, think again. A post on ha.ckers.org lists things you can (but should not) do.

Step 1: Sign up for a MySpace account. Facebook is fine too. Actually why not all of the social networking platforms? It’s easier to keep in contact with everyone if you do. Make sure to fill out each form field completely and accurately!

Step 2: Pick a password that is easy to remember and make sure to write it down on a sticky note. Feel free to tell your friends in case they want to use your account too. Better yet, make a list of all your passwords and change them all - to "password". If someone is annoying and makes you use a number, "password1". An upper case, a number and a special character? Use "Password+1". Now tear up that pesky list you just made. You're living easy now, aren't you?

Step 3: Download every third party widget, gadget, movie, game you can think of onto your social networking profile. Cuz that’s fun. And make sure to put every gory detail about who you are, where you live, what your birthday is, what your mother’s maiden name is, what you like and dislike, etc…. And feel free to update it regularly with any and all personal information that may have changed. That way people can get to know you better.

Step 4: Log into your newly created webmail account and email all your friends your likes and dislikes. Don’t forget to enable HTML rendering so you can see all the neato pictures! And don’t feel afraid of hitting reply to those spam emails. That’ll help them know that you’re not interested.

Step 5: Start downloading toolbars and desktop applications galore so that you can get your real time stock quotes, shop for beanie babies and know what the weather is like in Iceland at all times.

Continue reading "A break from being secure"

Posted by Donald Tabone

Nov 10
Following my previous Monday blues ranting article, today is a good Monday - albeit even closer to my exams than the previous week :-P - nevertheless, between correcting assignments and fixing my system at home, I've had my hands full this weekend.

My Epatec3850 ebox is currently a sitting duck, as I am still unsure what the problem with it is. Instead I've decided to go greener by selling off one of my P4 machines to get an AsusB202 ebox. Needless to say, I love the box. Consuming only 20W, I now feel better that amidst the rising electricity tariffs I should be consuming less power than a full-blown PC (450W). Performance with WinXP is excellent and I even run my Debian box inside VMWare without too much performance loss when using the system for normal PC usage. The only thing I did was beef up the memory to 2Gb. My WRT54G WDS network is also much more stable, as I reset all the boxes and flashed back to the standard DDWRT 24vSP1 firmware. Running WPA2-AES over WDS, all my devices happily connect and talk to each other without any drops or losses. (Fingers crossed) all is working in unison.

Back to the security topic of interest: an article written by Sean M. Price in the September ISSA Journal, an extension to the McCumber Cube to model network defense.

Firstly, the McCumber cube was developed by John McCumber as a way to model risk management. It provides the security practitioner with a way to consider risk from different perspectives, employing three different aspects, namely information states, countermeasures and security services. Sean does an excellent job of giving examples of how the cube can be used in practice.

Building on the CIA triad, Sean talks about extending the cube to reduce reliance on inexact estimates and to improve the risk picture by focusing on attacks and coming up with explicit countermeasures for them. So, in addition to the aspects of the cube above, attacks are added to the equation for achieving the CIA security goals:

ATTACK + Information State + Countermeasures -> Security Goal


What is cool is that Sean systematically broke down attacks to fit the model in a way that makes more sense. The images in his article explain the logic behind it, and I truly think it makes sense to associate specific attacks with a selected information state and a particular security service.

The proposed extension now takes the form below.

The proposed extension to the McCumber cube takes risk assessment from a different angle. Why not consider specific threats and the estimate of their likelihood, and then identify the countermeasures that should be in place to defend against them? A lack of existing countermeasures from a defense-in-depth perspective (which is a vulnerability) equates to more risk for the system.
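To make the gap idea concrete, here is a small worked example I put together (it is not Sean's code, nor the ISSA article's): each attack is pinned to one information state and one security service, countermeasures are recorded per McCumber countermeasure class as defense-in-depth layers, and risk grows with the number of layers missing at that cell of the cube. The attack and countermeasure entries are constructed for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass

# McCumber cube axes: information states, CIA security services and the
# three countermeasure classes (used here as defense-in-depth layers).
STATES = ("storage", "processing", "transmission")
SERVICES = ("confidentiality", "integrity", "availability")
LAYERS = ("technology", "policy", "awareness")

@dataclass(frozen=True)
class Attack:
    name: str
    state: str          # information state the attack acts on
    service: str        # security service the attack violates
    likelihood: float   # assessor's 0..1 estimate

@dataclass(frozen=True)
class Countermeasure:
    name: str
    state: str
    service: str
    layer: str          # one of LAYERS

def gap_analysis(attacks, countermeasures):
    """Return {attack name: (risk score, missing layers)} for every attack.

    Risk = likelihood * (missing layers / total layers): an attack whose
    (state, service) cell has no countermeasure at all keeps its full
    likelihood as risk; one covered at every layer scores zero."""
    for item in list(attacks) + list(countermeasures):
        if item.state not in STATES or item.service not in SERVICES:
            raise ValueError(f"{item.name}: outside the cube axes")
    cover = defaultdict(set)
    for c in countermeasures:
        if c.layer not in LAYERS:
            raise ValueError(f"{c.name}: unknown layer {c.layer}")
        cover[(c.state, c.service)].add(c.layer)
    result = {}
    for a in attacks:
        missing = tuple(l for l in LAYERS if l not in cover[(a.state, a.service)])
        result[a.name] = (round(a.likelihood * len(missing) / len(LAYERS), 3), missing)
    return result

def prioritize(result):
    """Attack names ordered by descending risk, i.e. the work queue."""
    return [n for n, _ in sorted(result.items(), key=lambda kv: -kv[1][0])]

# Constructed sample inventory (not from the article).
ATTACKS = [Attack("wlan eavesdropping", "transmission", "confidentiality", 0.6),
           Attack("record tampering", "storage", "integrity", 0.3),
           Attack("web server flooding", "processing", "availability", 0.5)]
COUNTERMEASURES = [Countermeasure("WPA2-AES", "transmission", "confidentiality", "technology"),
                   Countermeasure("wireless use policy", "transmission", "confidentiality", "policy"),
                   Countermeasure("file integrity monitoring", "storage", "integrity", "technology")]

if __name__ == "__main__":
    res = gap_analysis(ATTACKS, COUNTERMEASURES)
    for name in prioritize(res):
        print(name, res[name])
```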

A model which is closer to a state of reality, as opposed to something which relies on estimates, is preferable. Often the estimates used in risk assessments have little research or quantitative results to support their assertions.

The result is a better evaluation of system risk and a more discrete identification of the countermeasures needed to defend a network against specific types of attacks - and I am all over it... :-)

Posted by Donald Tabone

Nov 2
One of the things that I do as EnableSecurity is security research. Recently I had the opportunity to present my Web Application Firewall research at a local ISACA meeting. The presentation included information about web application attacks, WAFs and attacks on Web Application Firewalls. Additionally, the audience was able to see a demonstration of an attack on one particular Web Application Firewall which was found vulnerable to a security bypass.

The presentation can be downloaded here.

Posted by Sandro Gauci
