Archive for the 'Security' Category

The New Insider Threat

Published
by
Brad
on February 16, 2009
in Security
. Closed

It’s not a new threat really. People inside an organization can always be a threat. It’s just that many people, some of them prominent security professionals, have been downplaying the insider threat lately in order to hype other emerging threats. I’m of the opinion that we’ll see insider threats rise through the year and probably into next. As the economy worsens, people who are becoming financially stressed may turn to corporate crime, or may retaliate for being laid off.

Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.

In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.

Rubber Hose Cryptanalysis

Published
by
Brad
on February 15, 2009
in Humor and Security
. Closed


via xkcd

Nmap Network Scanning Review

Published
by
Brad
on February 5, 2009
in Books, Networking and Security
. Closed

Nmap Network Scanning by Fyodor
Title: The long winded title for this book is Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, but I’ll just be calling it NNS.
Author: Gordon “Fyodor” Lyon
Rating: *****
Bottom Line: The definitive nmap book, for all your network scanning needs.

From the moment you start to read NNS, it is engaging and informative. The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner. Of course, I expected nothing less from NNS because the author is nmap’s chief architect and programmer, Fyodor. Inside you’ll find his 11 years of network scanning experience distilled down into the ultimate nmap guide.

The material is presented in an engaging way, and wherever possible examples are given where the techniques described are applied in real world scenarios. The book is also littered with command line and output examples as well as diagrams. These items in addition to the text allow one to enjoy and learn from the book without having to sit in front of a command line and try every single command yourself. That said, it took me a bit of time to get through the book because I kept stopping to play with new options I’d learned. :)

From introductory network scanning (What’s a stealth SYN scan?), to scan optimization (Why is it taking so long?!), to advanced techniques (Learn how to write your own nmap plug ins!), NNS covers the gamut. Anyone who does even occasional network scanning with nmap (And you are scanning your network on a regular basis aren’t you?) owes it to themselves to pick this one up.

Interesting SANS posts

Published
by
Brad
on January 19, 2009
in Security
. Closed

Some interesting posts on the SANS Internet Storm Center blog. I’m sure these have already been posted everywhere (I saw one on delicious earlier), but it’s always good to have these kinda things to refer back to later.

The first post is about targeted social engineering. One of the more interesting aspects:

In one incident, an attacker used phrases directly taken from a public blog, as well as a cordial greeting that the blogger had used when writing about a personal topic. This made the message significantly more authentic to the target, who duly clicked on the attachment.

Pretty clever. Anything you can do to make people even subconsciously believe a message is legitimate will increase your success rate. It only takes one person to fall for it in most cases, to get a foothold that you can leverage for a deep internal attack.

The other post is simply a list of what NOT to do when it comes to IT security. Some of the highlights:

  • Assume the users will read the security policy because you’ve asked them to.
  • Assume that policies don’t apply to executives.
  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.

I’d add a couple of my own to the list:

  • Assume that because you’ve never been compromised you’re secure
  • Assume that you can prevent all compromises
  • Protect only the perimeter
  • Have no incident response plan

Beauty: If you’re attractive enough on the ouside, people will forgive you for being irritating to the core.