Security Ever After: September 2011

Friday, September 30, 2011

Control 18: Incident Response Capability

Enlist all employees to report suspicious activities to the Incident Response Team (IRT). Create a dedicated phone number and email address they can use to report issues to your team, and use security awareness training to make sure every employee knows to contact the help desk when something looks wrong.

Monthly training for IRT members that walks through the steps of the incident handling process will be very useful. In each session, demonstrate and practice a single tool that may be used in a real incident. Rotate responsibility for conducting the training among the members as a means to engage the entire team.

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. Aggressively look for ways to integrate Lessons Learned from previous incidents into security design.

Tuesday, September 27, 2011

Control 17: Penetration Tests and Red Team Exercises

Penetration testing is often confused with vulnerability assessments, as mentioned in Control 10. Penetration testing differs in that it involves attempted exploitation. Just like in Control 10, penetration testing should occur in each network zone to ensure adequate coverage.

Track every open issue and keep documenting it through confirmed remediation. Find an effective way to record the root cause of each issue so that new development projects are not subject to the same flaws identified in the penetration test.

Always perform careful screening of potential external pen testers. Make sure the people you engage to perform external testing have to work for their money and do not just point a tool at your network. Force them to articulate the business risk associated with their findings. Identify and resolve as many issues as is possible ahead of their work. Race to see how fast your continuous monitoring program identifies external penetration testers. If they work for long and have not been identified, there are likely gaps in the continuous monitoring program.

BackTrack makes an excellent preconfigured platform for penetration tests and can easily serve as the primary environment for building an internal pen testing program. With so many tools available, make it a standing weekly task to learn one BackTrack tool. Make it stick by writing a short note of what was learned for future reference.

Sunday, September 18, 2011

Control 16: Secure Network Engineering

Secure networks do not appear by accident. It starts with thoughtful planning and sound engineering principles. Seek out flaws in the current network design as an attacker would and correct all of the faults found in its design. By being intentional and meticulous, a true design can emerge and more importantly it will persist.

A key step is creating a document that explicitly lists all approved connections by traffic initiator: who initiates, to what, over which protocol and port. This is an excellent source document to audit the firewall rules against every quarter; any rule the document does not cover is either undocumented or no longer needed. Diligently look for the use of insecure protocols, such as FTP and Telnet, in each network segment. When they are found, strongly consider replacing them with protocols that do not send credentials and data in clear text, such as SFTP and SSH.
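As an added example (not code from the original post), here is the quarterly audit described above expressed as a script: a constructed approved-connections list and a constructed firewall rule set, both in initiator-to-responder form, are compared so that any rule not covered by an approved entry is flagged, and any rule permitting a clear-text service is flagged regardless of approval. The networks, ports and the list of clear-text services are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    """One permitted communication, keyed by who initiates it."""
    src: str    # initiating network or host, CIDR notation
    dst: str    # responding network or host, CIDR notation
    proto: str  # "tcp" or "udp"
    port: int   # destination port on the responder


# Assumption: these destination ports identify services that carry
# credentials and payloads in clear text. Extend to taste.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 69: "TFTP"}

# Constructed sample of the approved-connections document.
APPROVED = [
    Flow("10.10.0.0/16", "10.20.5.10/32", "tcp", 443),   # user LAN -> intranet web
    Flow("10.10.0.0/16", "10.20.5.20/32", "tcp", 22),    # user LAN -> jump host (SSH)
    Flow("10.20.5.0/24", "10.30.1.0/24", "tcp", 1433),   # app tier -> database tier
]

# Constructed sample of what the firewall actually permits today.
FIREWALL_RULES = [
    Flow("10.10.0.0/16", "10.20.5.10/32", "tcp", 443),
    Flow("10.10.0.0/16", "10.20.5.20/32", "tcp", 23),    # Telnet to the jump host
    Flow("10.20.5.0/24", "10.30.1.0/24", "tcp", 1433),
    Flow("10.10.0.0/16", "10.30.1.50/32", "tcp", 21),    # FTP straight into the DB zone
    Flow("10.20.5.0/24", "10.30.1.0/24", "udp", 161),    # SNMP nobody documented
]


def is_covered(rule: Flow, approved: List[Flow]) -> bool:
    """True if some approved entry authorises everything this rule permits."""
    rule_src = ipaddress.ip_network(rule.src)
    rule_dst = ipaddress.ip_network(rule.dst)
    for entry in approved:
        if entry.proto != rule.proto or entry.port != rule.port:
            continue
        if (rule_src.subnet_of(ipaddress.ip_network(entry.src))
                and rule_dst.subnet_of(ipaddress.ip_network(entry.dst))):
            return True
    return False


def audit(rules: List[Flow], approved: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (finding, rule) pairs: rules with no approval behind them,
    and rules that permit a clear-text service even when approved."""
    findings = []
    for rule in rules:
        if not is_covered(rule, approved):
            findings.append(("UNDOCUMENTED", rule))
        if rule.port in CLEARTEXT_SERVICES:
            findings.append(("CLEARTEXT " + CLEARTEXT_SERVICES[rule.port], rule))
    return findings


if __name__ == "__main__":
    for kind, rule in audit(FIREWALL_RULES, APPROVED):
        print(f"{kind:<18} {rule.src} -> {rule.dst} {rule.proto}/{rule.port}")
```

Coverage is checked with subnet containment rather than string equality, so a rule narrower than its approved entry still passes while a rule that reaches beyond it does not. Running the sample flags the Telnet and FTP rules twice (undocumented and clear text) and the SNMP rule once.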

Segment networks according to security zones as well as logical departments and divisions. This will allow for more granular firewall rules and a better understanding of the communication paths that are required. Using both color-coded network diagrams and network cables is an excellent visual indicator to the types of traffic and zones being used throughout the environment.

In every monitoring system that allows it, label the critical systems so that their importance is visible right where alerts are worked. When all else fails, those labels help guide the impact assessment. It is important to include junior team members in these exercises and discussions. Both teaching and learning will happen for everyone involved and will lead to a more informed and engaged team.

Monday, September 12, 2011

Control 15: Data Loss Prevention

Data Loss Prevention (DLP) is treated as a new trend in Information Security, but it really should not be. DLP may have been a missed opportunity when Network Intrusion Detection Systems (NIDS) were first introduced. Has data exfiltration only now become important? How was this missed as a priority for so long?

Define what your critical data is and write regular expression filters on the NIDS that look for that data passing in unencrypted form. Educate users in security awareness training about the importance of remaining diligent when handling sensitive information. Critical data should be defined in formal policy and discussed in new employee security awareness classes. Snort's sensitive_data preprocessor alerts, such as 138:2 (credit card numbers), can be used to specifically look for information that should always be sent securely.

Consider what a data loss incident would look like on your network and design your defenses and alerting around those scenarios. SourceFire Compliance Rules can be configured to alert on transfers that are large in size, flows that are long in duration, and flows to destinations that are new and previously unseen. Once these basic alerts are in place, develop additional data loss scenarios based on recent high profile data loss events and design appropriate controls to detect them. This is a low cost way to learn from other people's incidents rather than your own.
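As an added example (not code from the original post or from Snort or SourceFire), the following script runs both kinds of check from the two paragraphs above over a few constructed flow records: a regular expression for credit card numbers in any clear-text payload, tightened with a Luhn check so random sixteen-digit order numbers do not fire, plus the three metadata rules (large transfer, long flow, new destination). The flow records, the baseline of known destinations and the thresholds are all assumptions for illustration.

```python
import re
from typing import Dict, List

# Candidate 13-16 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Assumed thresholds for the flow-metadata checks.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # 100 MB leaving the network
LONG_FLOW_SECONDS = 3600                   # an hour-long connection

# Constructed baseline of external destinations seen in the previous month.
KNOWN_DESTINATIONS = {"203.0.113.10"}

# Constructed flow records: metadata from the sensor plus whatever
# clear-text payload it could reassemble (empty for the TLS flows).
FLOWS = [
    {"id": 1, "src": "10.10.4.21", "dst": "203.0.113.10", "dport": 80,
     "bytes": 4_200, "seconds": 3,
     "payload": "POST /checkout card=4111-1111-1111-1111 exp=12/14"},
    {"id": 2, "src": "10.10.4.21", "dst": "203.0.113.10", "dport": 443,
     "bytes": 9_000, "seconds": 2, "payload": ""},
    {"id": 3, "src": "10.10.7.5", "dst": "198.51.100.77", "dport": 443,
     "bytes": 850_000_000, "seconds": 5_400, "payload": ""},
    {"id": 4, "src": "10.10.4.30", "dst": "203.0.113.10", "dport": 80,
     "bytes": 1_100, "seconds": 1,
     "payload": "order=1234567890123456 ref=2011-09-12"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in clear text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def detect(flows, known=KNOWN_DESTINATIONS) -> Dict[int, List[str]]:
    """Map flow id -> reasons it looks like data loss.
    Flows with nothing to report are omitted."""
    alerts = {}
    for f in flows:
        reasons = []
        if find_card_numbers(f["payload"]):
            reasons.append("cleartext-credit-card")
        if f["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large-transfer")
        if f["seconds"] >= LONG_FLOW_SECONDS:
            reasons.append("long-flow")
        if f["dst"] not in known:
            reasons.append("new-destination")
        if reasons:
            alerts[f["id"]] = reasons
    return alerts


if __name__ == "__main__":
    for fid, reasons in detect(FLOWS).items():
        print(f"flow {fid}: {', '.join(reasons)}")
```

Flow 1 fires on content, flow 3 fires on all three metadata rules, and flows 2 and 4 stay quiet: the TLS flow gives the sensor nothing to read, which is exactly why the metadata rules matter, and the order number in flow 4 matches the pattern but fails Luhn.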

Sunday, September 4, 2011

Control 14: Wireless Device Control

Wireless network access allows for better collaboration and mobility. With this relatively new medium comes extra risk. Be sure to handle it administratively through policy and user education that set clear expectations of appropriate use. The policy should specifically prohibit peer-to-peer (ad hoc) wireless networking.

Several popular Linux distributions ship with Kismet preconfigured. Run one of these continually on an old laptop in each office location; for no cost, you get a continual assessment of wireless activity. As each access point is identified, whitelist your approved access points and record them in the Wireless Usage policy. Every other access point must be classified as either a known neighbor business (noted, but left alone) or a rogue to be investigated and disabled.

Discovery of wireless access points can also be performed from the wired side using traditional network scanning tools, such as Nessus. Using plugin 11026, daily complementary scans can help identify rogue and authorized access points plugged into your network. Combining both wired and wireless scanning tools will help identify wireless usage in the environment.
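As an added example (not code from the original post or from Kismet or Nessus), here is the classification from the two paragraphs above in script form: a constructed set of access point observations, of the kind a Kismet sweep records, is sorted into approved, neighbor and rogue against a whitelist, and the rogues are ranked by why they deserve a visit, including a cross-check against MACs a wired scan flagged as access points. The BSSIDs, SSIDs, signal threshold and the adjacent-MAC heuristic are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed whitelist: our own access points and the known neighbor
# businesses, as they would be recorded in the Wireless Usage policy.
APPROVED_BSSIDS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}
NEIGHBOR_BSSIDS = {"00:0c:41:7f:aa:10"}
CORPORATE_SSIDS = {"ACME-Corp", "ACME-Guest"}

# Constructed result from the wired side: MACs of hosts the network scan
# fingerprinted as access points.
WIRED_AP_MACS = {"00:18:39:5e:1c:21"}

# Assumed threshold: anything this strong is probably inside our walls.
STRONG_SIGNAL_DBM = -60


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    encryption: str   # "open", "wep", "wpa", "wpa2"


# Constructed observations from one sweep.
OBSERVED = [
    Observation("00:1A:2B:3C:4D:01", "ACME-Corp", 6, -55, "wpa2"),
    Observation("00:1A:2B:3C:4D:02", "ACME-Guest", 11, -58, "wpa2"),
    Observation("00:0C:41:7F:AA:10", "DentalOffice", 1, -82, "wpa2"),
    Observation("00:18:39:5E:1C:20", "linksys", 6, -48, "open"),
    Observation("00:1D:7E:99:00:AB", "ACME-Corp", 36, -71, "wpa2"),
    Observation("00:26:5A:FF:12:34", "Coffee-Free-WiFi", 1, -88, "open"),
]


def classify(obs: Observation) -> str:
    """Whitelist lookup: approved, neighbor, or rogue."""
    bssid = obs.bssid.lower()
    if bssid in APPROVED_BSSIDS:
        return "approved"
    if bssid in NEIGHBOR_BSSIDS:
        return "neighbor"
    return "rogue"


def rogue_reasons(obs: Observation) -> List[str]:
    """Why a rogue deserves a visit; more reasons means investigate first."""
    reasons = []
    if obs.ssid in CORPORATE_SSIDS:
        reasons.append("broadcasts a corporate SSID (possible evil twin)")
    # Heuristic (assumption): consumer APs commonly use adjacent MACs for the
    # radio and the LAN port, so a shared first five octets ties a BSSID to a
    # host the wired scan found.
    wired_prefixes = {m.lower()[:14] for m in WIRED_AP_MACS}
    if obs.bssid.lower()[:14] in wired_prefixes:
        reasons.append("sibling MAC found on the wired network")
    if obs.signal_dbm >= STRONG_SIGNAL_DBM:
        reasons.append("strong signal, likely on premises")
    if obs.encryption == "open":
        reasons.append("open network")
    return reasons


def triage(observations: List[Observation]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group a sweep by class; rogues come back sorted by reason count,
    then by signal strength, so the worst one is first."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {"approved": [], "neighbor": [], "rogue": []}
    for obs in observations:
        cls = classify(obs)
        if cls != "rogue":
            report[cls].append((obs.bssid.lower(), []))
    rogues = [o for o in observations if classify(o) == "rogue"]
    rogues.sort(key=lambda o: (len(rogue_reasons(o)), o.signal_dbm), reverse=True)
    report["rogue"] = [(o.bssid.lower(), rogue_reasons(o)) for o in rogues]
    return report


if __name__ == "__main__":
    for cls, entries in triage(OBSERVED).items():
        for bssid, reasons in entries:
            print(f"{cls:<9} {bssid}  {'; '.join(reasons)}")
```

Neighbor APs only stay in the neighbor bucket because someone put them there after investigating once; a new BSSID broadcasting the dentist's SSID next month still shows up as a rogue until it is confirmed and added to the list.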

Be sure to check out the recently published book, Hacking Exposed Wireless, Second Edition, by Johnny Cache, Joshua Wright and Vinnie Liu. It is well written and includes three compelling sections: hacking wireless technology, hacking wireless clients, and hacking Bluetooth, ZigBee and DECT.