Saturday, September 29, 2012

Top 5 Network Security Technologies

The threats to your network are constantly evolving, so trying to defend your company is like trying to hit a moving target. Not only are new threats coming from external players, but having to protect yourself from malicious insiders is also part of keeping the business secure. Here are the “Top 5” technologies, in my opinion, that should be implemented within an organization from a networking perspective to limit risk. This doesn’t mean you’re secure, but applying these systems to your defense along with the proper monitoring and policy is a step in the right direction.

Vulnerability Management

There are many forms of vulnerability management, but knowing where you're vulnerable is a good place to start your security program. Understanding where your systems, applications and networks are vulnerable before someone with malicious intent does is highly valuable.

Data Loss Prevention (DLP)

Protecting your company from data leakage or loss is important. Many security systems are designed to keep malicious actors from getting into the network, but what happens if someone's already on the inside? Using DLP to monitor and block protected information from leaving the network, or from being touched by those who shouldn't have access, is another way to defend against risk.

Log Management

If you’re not logging your systems you’ll be flying blind when an attack happens. Notice I didn’t say “if” an attack happens. During incident response you’ll wish you had the history or time machine of logs to rely on and assist you with incident management. No one ever said, “I wish I didn’t have all these logs” during an incident. Logging everything you have is essential.

Security Incident and Event Management (SIEM)

Now that we've spoken about logging, let's take it up a notch. Now that you have the logs, what are you going to do with them? Establishing a way to correlate these logs to capture attack attempts against your network in real time is the next logical step. Creating rules and alerts based on the data you're collecting from your systems is essential for defense.

Next Generation Firewall/IPS

I’m lumping these two into the same category because this market is starting to merge. Either way, having one or both of these systems inline with your network will assist with blocking or alerting on malicious and suspicious traffic that passes through them, normally on the perimeter or between networks. Now that these systems are able to look into the packet data and analyze traffic all the way up the stack, their place in your network is vital.

Wednesday, September 19, 2012

Monday, September 17, 2012

Wi-Fi for your fridge? That's just bananas.

We haven't even scratched the surface on the implications of having devices like these attached to the internet. The more you expose, the more vulnerable you'll be, and I doubt people are thinking about the lasting security consequences when rushing products to market.

This is where the physical world meets the cyber security world. No longer is hacking just about stealing data; in these instances a compromise can do physical harm to a person or people. The ability to hack the electronic systems of cars and pacemakers is a perfect example of this.

Companies are rushing to attach their technology to the internet without thinking of the long-term risks they might be taking on. I sound like a crotchety old man here, but I think in the grand scheme of things this will end up causing more harm than good.

What do you think?

Friday, September 14, 2012

Securing big data: Architecture tips for building security in

Since “big data” is a hot topic these days, there’s no question an increasing number of enterprise infosec teams are going to be asked about the security-related ramifications of big data projects. There are many issues to look into, but here are a few tips for making big data projects more secure during the architecture and implementation phases:
  1. Create data controls as close to the data as possible, since much of this data isn’t “owned” by the security team. The risk of having big data traversing your network is that you have large amounts of confidential data (credit card data, Social Security numbers, personally identifiable information (PII), etc.) residing in new places and being used in new ways. Also, you’re usually not going to see terabytes of data siphoned from an organization, but the search for patterns to find the sensitive content in these databases is something to be concerned about. Keep the security as close to the data as possible and don’t rely on firewalls, IPS, DLP or other systems to protect the data.
  2. Verify that sensitive fields are indeed protected by using encryption, so that when the data is analyzed, manipulated or sent to other areas of the organization, you’re limiting the risk of exposure. All sensitive information needs to be encrypted once you have control over it.
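As an added illustration of both tips (controls applied at the data, and sensitive fields protected before the records move), here is example code written for this post rather than taken from the article. It protects fields at the point where the owning system hands records to analytics. One deliberate substitution: instead of reversible encryption (which needs an AEAD cipher from a library such as `cryptography`), it uses keyed HMAC-SHA256 pseudonymization, which keeps tokens stable for joins and pattern searches without exposing the raw value; the records, field list and key are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records (fictitious people and numbers, not real data).
SAMPLE_RECORDS = [
    {"customer_id": 1, "name": "Pat Example", "ssn": "123-45-6789",
     "card": "4111111111111111", "zip": "10001", "purchase_total": 42.50},
    {"customer_id": 2, "name": "Sam Example", "ssn": "987-65-4321",
     "card": "5500000000000004", "zip": "94105", "purchase_total": 13.00},
]

# Fields the data owner classifies as sensitive; everything else is analytics-safe.
SENSITIVE_FIELDS = ("ssn", "card", "name")

# Hypothetical key for the example. In practice the owning system fetches it
# from its key store; the analytics side never sees it.
DEMO_KEY = b"replace-with-a-key-from-your-kms"


def tokenize(value, key=DEMO_KEY):
    """Keyed HMAC-SHA256 pseudonym: the same input always maps to the same
    token (so joins and pattern searches still work), but the token cannot
    be turned back into the value without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def mask_card(card):
    """Keep only the last four digits, the usual amount support staff need."""
    return "*" * (len(card) - 4) + card[-4:]


def protect_record(rec, key=DEMO_KEY):
    """Apply the control at the data: strip raw sensitive fields and replace
    them with tokens (and a masked form for the card) before the record
    leaves the system that owns it."""
    out = dict(rec)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field + "_token"] = tokenize(str(out[field]), key)
            if field == "card":
                out["card_last4"] = mask_card(str(out[field]))
            del out[field]
    return out


def protect_dataset(records, key=DEMO_KEY):
    return [protect_record(r, key) for r in records]


def leaked_fields(records):
    """Pre-export check: list any raw sensitive field still present."""
    return [f for r in records for f in SENSITIVE_FIELDS if f in r]


if __name__ == "__main__":
    safe = protect_dataset(SAMPLE_RECORDS)
    print("raw sensitive fields left after protection:", leaked_fields(safe))
    for r in safe:
        print(r)
```

`leaked_fields` is the check the second tip asks for: run it on whatever is about to be copied to the analytics cluster or another team, and refuse the export if it returns anything.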
Read the rest of my article from here:

Wednesday, September 12, 2012

Antivirus alternatives: Evolving enterprise endpoint security strategy

It's easy to see why so many savvy information security professionals are skeptical about the effectiveness of enterprise antivirus systems. Today, most malware is dropped directly onto enterprise endpoints without much effort on the part of attackers. Studies have shown that a fully updated antivirus package is only about 50% effective at guarding against malware and is almost useless in preventing zero-day attacks, which are becoming increasingly common.

Malware writers are getting smarter and their viruses more sophisticated. Criminals are using encryption in their malware, along with robust business models that include quality control checks, license keys, upgrades, support and marketing. The bad guys take beating antivirus programs very seriously, and so should we.

A standard antivirus package is no match for today's malware because it is based on signatures. Having to keep thousands of antivirus clients up to date with the latest signatures is also something that becomes an issue; as AV signatures age, their effectiveness declines. This is just a cat-and-mouse game we play with cybercriminals that they are winning. In fact, most attackers test their malware against common antivirus products before ever employing it to ensure that the malware can get through. Although antivirus is still a needed layer in the defense-in-depth paradigm and demanded by many regulations, any organization that relies on antivirus alone for its endpoint protection has cause for concern.

Consider the path a malicious file normally takes before it arrives at an endpoint: The file is sent from the malicious source and makes its way through the Internet, onto the network, through a company's systems, and eventually onto its endpoint. Along this path are multiple opportunities within the network to catch this traffic and stop it before it causes a breach or infection.

Throughout this article, we'll look at each one of these locations in the network and propose a few technologies that can assist with the process of implementing a new endpoint security strategy for stopping malware before it strikes.

Antivirus alternatives: The cloud layer

The cloud has a scary reputation when it comes to storing data, but cloud computing can be especially helpful from an antivirus perspective. Many antivirus vendors now offer services in which they combine intelligence from tens of thousands of customers, partners and even other vendors to better pinpoint potentially malicious activity. This knowledge enables a more predictive form of protection from malware before it even hits a company's network.

When attempting to stop malware from infecting an endpoint, it should be stopped as close to the source as possible; the fewer layers it penetrates, the less likely it will get anywhere near an endpoint. There are only so many new signatures, antivirus or otherwise, that can be pushed down to a multitude of endpoints. If malware can be stopped in a choke point once, it would free up these nodes. Using cloud-based systems as part of the antimalware infrastructure reduces the number of malware instances that make their way to the local network.

Services like those provided by FireEye and ValidEdge allow traffic to be scanned for malware before it hits the network. These providers' services rely on appliances that are in tune with similar systems and work together against known recent attacks. This allows for quicker and more comprehensive protection before potentially malicious traffic enters into the network. In essence, the cloud allows many systems to globally share intelligence to stop malware.

Read the rest of my article at:

Network Security Horror Stories: Router Misconfigurations

In the last installment of our network security horror stories (part one was on change control and part two on firewall misconfigurations), today we’re going to focus on router misconfigurations. Like firewalls, routers play an important part in your organization’s network, but unlike firewalls they are not a security appliance. Even though a router's main purpose isn’t security, that doesn’t mean you can’t secure it. Here are a few classic router misconfiguration examples that I’ve come across:

1. HTTP Open on the Router

While reviewing security for a company from the perimeter I discovered that HTTP was enabled on their core Cisco routers. They were both running very old versions of IOS and were using the default credentials to log into the device. After getting into the router I was able to escalate to “enable” mode and could in theory have changed routes or wiped the NVRAM. After speaking with the network owners we quickly removed the HTTP service from the core routers and dodged a bullet.

2. Password Files Stored on Router

Everyone knows that if you’re going to store passwords you should do it in a secure manner so as not to divulge your credentials. Well, in this instance an admin decided to store all of the company’s credentials in a Microsoft Word file on the router’s storage. This router was running SSHv1 and penetration testers were able to gain access to the system. After finding this file they were given complete access to the company without blinking an eye. When the admin was confronted about the file being stored his response was, “But you can’t open the .doc file on a Cisco router!!” He obviously wasn’t getting it.
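Both stories come down to settings that a periodic configuration audit would have flagged: the HTTP management service left on, SSH version 1, and well-known credentials. The following is an added example (written for this post, not from the article or from any vendor tool) of such an audit over a router's running configuration. The configuration excerpt is constructed, and the checks use the IOS commands named in the findings (`no ip http server`, `ip ssh version 2`, `transport input ssh`, `enable secret`); the "hardened" excerpt shows the same audit passing.

```python
import re

# Constructed sample running-config excerpt; not from any real device.
SAMPLE_CONFIG = """\
hostname core-rtr-1
enable password cisco
ip http server
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 password cisco
line con 0
"""

# Constructed hardened counterpart (the enable secret hash is a placeholder).
HARDENED_CONFIG = """\
hostname core-rtr-1
enable secret 5 $1$PLACEHOLDER$not-a-real-hash
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
"""


def has_line(cfg, pattern):
    """True if any line of the config matches the regular expression."""
    return re.search(pattern, cfg, re.MULTILINE) is not None


# (finding description, predicate over the config text)
CHECKS = [
    ("HTTP management interface enabled; disable it with 'no ip http server'",
     lambda c: has_line(c, r"^ip http server$")),
    ("SSH version 1 configured; set 'ip ssh version 2'",
     lambda c: has_line(c, r"^ip ssh version 1$")),
    ("Telnet accepted on VTY lines; restrict with 'transport input ssh'",
     lambda c: has_line(c, r"^\s+transport input .*\btelnet\b")),
    ("Enable password stored reversibly; use 'enable secret' instead",
     lambda c: has_line(c, r"^enable password ") and not has_line(c, r"^enable secret ")),
    ("Well-known default credential 'cisco' in use",
     lambda c: has_line(c, r"^\s*(enable )?password cisco$")),
]


def audit(cfg):
    """Return the list of findings that apply to this configuration."""
    return [desc for desc, check in CHECKS if check(cfg)]


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against configs pulled by your backup or change-control process, on a schedule, so a service someone re-enabled "temporarily" shows up before a perimeter review does.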

Read the rest of my article posted on Algosec's blog:

Monday, September 10, 2012

Google Acquires VirusTotal

The search engine giant Google acquired VirusTotal on Friday. I personally think this was a great move by Google to scoop up these guys, but I still hope that they allow VirusTotal to act independently. What everyone’s thinking is that Google will eventually add the VirusTotal technology into their search features to scan files for malicious content as they're being downloaded. This would be a huge win for everyone who uses the internet, but I’m still unsure how the anti-virus vendors feel about it. If this is what they’re planning, I’m interested to see what the AV vendors do or charge to have their product used for free (if that’s even possible). Very interesting.

Thursday, September 6, 2012

I don't always test my code, but when I do....

Secure a Home Wireless Network with these Helpful Tips

The amount of technology in the modern home is astounding. The average household used to be lucky to have a telephone and a television. Now most homes have at least one television, mobile phones, computers, and high-speed internet access. The world of technology is trending toward wireless technology. In the interest of eliminating tangles of cords connecting devices to the web, most households opt to set up a wireless router to enable multiple devices in their home to connect without cords.

Setting up a wireless network may remove the clutter of cords and the inconvenience of being tied to one area of the home, but it does have disadvantages. A wireless home network is vulnerable to hacking attempts by thieves interested in stealing critical data from the devices on your network. The following tips will help you establish a secure home network that allows you to manage your finances, shop, and surf the web safely.

Secure Access to your Router

The wireless router that serves as the heart of your wireless home network is also a vulnerable point of entry for thieves to hack into your devices and files. The first step any user should take in securing their network is to secure their router with a custom username and password.

After your computer is connected to the internet, simply go to in your internet browser. This will take you to the administration webpage for your wireless network. The first time you access this page it may not ask for a username and password, or it will be set to a factory default. Once you have accessed the administration webpage look for a tab entitled “Administration” or “Management.” Under this tab you’ll be able to set a custom username and password to control access to your router and network.

One helpful tip to keep in mind at this juncture is creativity. Be as creative as possible with the password for your network; don’t use simple names or birthdays. Try to be unique. If you are having trouble reaching the administration webpage, as not all routers use, check the manual that came with your router or call tech support.

Encrypt your Connection

Hackers feast on unencrypted networks, and in 2012 there is no excuse for not encrypting your home network. Encryption technology has been in the mainstream for a few years and any self-respecting router made in the last 5 years has some form of it. As packets of data are sent from each point they are scrambled into undecipherable jumbled data for their journey and unscrambled at the other end. There are limitations to encryption when dealing with older computers or routers. All points on your network must run the same encryption technology, so choose the highest order encryption available throughout your network. WPA2 is the highest encryption technology available to the mainstream; it is based on a 128-bit key of scrambled data per packet. This is far superior to the older encryption protocols that were based on 64-bit encryption or even less. Of course encryption is only as good as the password you choose, so make sure you use at least 20 characters in your SSID password.

Setting up encryption is easy. While installing the software for your router you are likely going to be asked what level of encryption you would like. If you already installed the software and skipped that step, you can still add encryption protection. Simply logon to your router’s administration page and go to the “Security” tab. Here you will be able to select the level of encryption and develop your own encryption key.

Be Vigilant and Active

Once you’ve completed the steps above, continue to keep an eye on your router, settings, and security passwords. A few extra tips in this category include checking the router manufacturer’s website for firmware updates. While not necessary, a firmware update for your router could provide fixes for common bugs that weaken your security and also provide new security features that enhance your protection.

If you’re comfortable doing so, you can also tinker with the power settings of your modem and router. The more power provided to them, the greater the strength and reach of your wireless signal. Full power can result in your signal being transmitted beyond your home, making it easier for thieves to access your network and files from the street. Lowering the power settings will shrink the reach of your signal to further secure your network.

These steps are more than sufficient to ensure that your network is secure to deter thieves from attempting to hack into your devices. If you feel as though these are not enough, there is one more tool at your disposal. The Service Set Identifier, SSID, is the name of your network and is broadcast to the surrounding area.

It is possible to hide your SSID from public broadcast under the “Wireless” tab on your router administration webpage. It is worth noting that this step is not considered a true security feature; it merely prevents your network from being easily identified. This step does not provide any added level of security.

These few steps can be completed in just 20 minutes and will ensure that your wireless home network is adequately protected from thieves looking to steal sensitive data.

Author Bio:
David is a freelance technology writer whose articles appear on various technology blogs.

Hysterical Video About SPAM

Tuesday, September 4, 2012

What You Should Know about the FBI Apple UDID Breach

A hacker group, "Anti-Sec", has released over 1 million UDIDs they "found" on an FBI laptop. Before we begin: an Apple UDID (Unique Device Identifier), as the name states, is a unique alphanumeric identifier tied to each iPhone, iPod Touch and iPad. Up until iOS 5.1, this identifier was taken without permission when a user downloaded certain apps or performed other activities. Having this information would allow advertisers to target ads based on the apps and experiences a user was running. With that said, here's the posting by Anti-Sec:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."

It's one thing to have a privacy breach by advertisers, but what's the FBI doing with over 1 million Apple UDIDs? Why is this on an agency laptop and what are they doing with this information? I'd be very interested to see which vendor was "asked" to cough up this information and what the FBI was using it for.

Also, it's very interesting to see that the Java fiasco is still in full swing and being exploited to the fullest. This is a problem for everyone, but I would have hoped the FBI would have taken this vulnerability more seriously.

To verify that your Apple UDID isn't on the list of IDs released use the following link to verify: If you are on the list I'd be very interested in speaking with you in more detail. You can see my "About Me" page with contact details.

Network Security Horror Stories: Firewall Misconfigurations

Here we are with our second installment of network security horror stories. Having already discussed some of the firewall change control issues in the previous article, we’re going to review some firewall misconfigurations I’ve seen at client sites. The firewall plays an important part in your security architecture and needs to be configured properly in order to gain the most from this layer of security. Here are a few stories of classic firewall misconfigurations:

1. Dangerous Ports Open
There was a particular network I worked in once that was constantly being breached. We started looking at ways the attackers were gaining access and noticed that there were improperly configured firewall rules that allowed full NetBIOS access to all systems in the DMZ. These web servers were also running all applications as administrator with an old version of Microsoft IIS.
After cleaning up the firewall access rules, removing unneeded services and updating vulnerable software we were able to help the network owners for the time being. There should be a constant audit of your environment as well as vulnerability scans, both internally and externally, that would find this low-hanging fruit. Using tools that point out vulnerabilities and areas where you’re not compliant is extremely beneficial to your security posture.

2. Remote Control Gone Wrong
Once, while troubleshooting an outage of a critical server, I noticed that the firewall had previously been configured to put these servers in a group that allowed RDP access to them through the firewall, and they were NAT’d directly into the server VLAN, which wasn’t in the DMZ. This allowed attackers to gain access directly through the firewall, bypass the DMZ and use this box as a pivot point in the server VLAN.
Noticing this, I confronted the firewall and server administrator as to why this was configured this way. Their response was that this is how the vendor came in to perform maintenance on the server when it crashed. Little did they know that it wasn’t only the vendor that was using this access, and that the server wasn’t only crashing, but was compromised. Using other tools like Webex or GoToMeeting would be a safer and easier method to troubleshoot issues over the web.
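Both of these stories (NetBIOS open to the DMZ, and RDP NAT'd from the outside straight into the server VLAN) are the kind of thing the "constant audit" mentioned above should catch from the rulebase itself, before a scan or a breach does. Here is an added example, written for this post and not taken from any firewall product, of a small rulebase linter. The rules, addresses, zone names and the list of trusted internal networks are all constructed; the port lists and the "untrusted source" definition are assumptions to adapt to your own policy.

```python
import ipaddress

# Constructed sample rulebase (not a real firewall's policy).
# 203.0.113.0/24 is the DMZ; 10.10.20.0/24 is the internal server VLAN.
RULES = [
    {"id": 1, "src": "0.0.0.0/0",    "dst": "203.0.113.0/24", "dst_zone": "dmz",     "proto": "tcp", "dport": 80,   "action": "allow"},
    {"id": 2, "src": "0.0.0.0/0",    "dst": "203.0.113.0/24", "dst_zone": "dmz",     "proto": "tcp", "dport": 445,  "action": "allow"},
    {"id": 3, "src": "0.0.0.0/0",    "dst": "203.0.113.0/24", "dst_zone": "dmz",     "proto": "tcp", "dport": 139,  "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0",    "dst": "10.10.20.15/32", "dst_zone": "servers", "proto": "tcp", "dport": 3389, "action": "allow"},
    {"id": 5, "src": "10.10.0.0/16", "dst": "10.10.20.0/24",  "dst_zone": "servers", "proto": "tcp", "dport": 3389, "action": "allow"},
    {"id": 6, "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",      "dst_zone": "any",     "proto": "any", "dport": None, "action": "deny"},
]

# Assumptions for this example: what counts as trusted, and which services
# should never be reachable from an untrusted source.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
NETBIOS_SMB_PORTS = {137, 138, 139, 445}
REMOTE_CONTROL_PORTS = {3389, 5900}        # RDP, VNC
INTERNAL_ZONES = {"servers", "users"}      # anything that is not the DMZ


def is_untrusted(src):
    """A source is trusted only if it sits entirely inside a trusted network."""
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(t) for t in TRUSTED_NETS)


def audit_rules(rules):
    """Return (rule id, finding) pairs for allow rules that violate policy."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        untrusted = is_untrusted(r["src"])
        if untrusted and r["dport"] in NETBIOS_SMB_PORTS:
            findings.append((r["id"], "NetBIOS/SMB reachable from an untrusted source"))
        if untrusted and r["dport"] in REMOTE_CONTROL_PORTS and r["dst_zone"] in INTERNAL_ZONES:
            findings.append((r["id"], "remote control from an untrusted source directly into an internal zone, bypassing the DMZ"))
    return findings


if __name__ == "__main__":
    for rule_id, msg in audit_rules(RULES):
        print(f"rule {rule_id}: {msg}")
```

Rule 5 (RDP from the internal range only) is left alone, which is the point: the linter flags exposure, not the service itself. The vendor-access case from the second story would show up as rule 4, and the fix is a vetted remote-support channel rather than a permanent hole from "any".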

Sunday, September 2, 2012