  • Information Security Short Takes: Rules for good Corporate Web Presence
    In the era of the Internet and communications there are still a lot of organizations which have a poor or misconfigured web presence. This leads to unavailability, loss of contact with potential customers and even reduced reputation due to a bad or missing web presence. This trend is especially true for public services and organizations where management is centralized and has poor Internet awareness. Here are a few examples of common mistakes.

    Hosting a web site on a non-default port: very common when you hire very cheap webmasters or use an improperly trained administrator to set up the web server. Several web servers install themselves on TCP port 90 or 8080 "for security reasons" until the service is ready for commercial rollout. If the web server remains on a port different from the default 80 (or 443 for HTTPS), some visitors may not be able to access it. This is especially true for visitors from large corporate networks, where proxy and security systems are often configured not to allow access to sites on non-standard ports.

    Hosting a web site on an IP address without a domain name: a very old mistake, and one that was supposed to have vanished by now. It is difficult to communicate an IP address, difficult to remember it, and difficult to change and re-communicate it. It should NEVER be done.

    Using IT for content management: even if IT created the engine, prepared the server and started it, they should not be tasked with content management. Because of its primary function, IT will always put a higher priority on maintenance of the infrastructure than on content management. This will lead to incomplete or outdated content.

    Allowing the domain name to be stolen: bear in mind that your corporate domain name is yours only until the lease expires. It costs around 10 USD a year to renew the lease, but if you forget to renew before it expires, it is first come, first served. Most registries give a short grace period after expiry, but do not count on it. There are persons and even companies, known as domain trolls, which target large organizations and good domain names and wait for a mistake. If you forget to renew your lease they can take it from

    Original URL path: http://www.shortinfosec.net/2008/06/rules-for-good-corporate-web-presence.html (2016-04-27)
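The three technical mistakes above (non-default port, bare IP address, lapsed registration) are easy to check mechanically across an inventory of corporate sites. The script below is an added example, not code from the original post: the site list and expiry dates are a constructed sample, and in practice the expiry would come from the registrar or a WHOIS lookup rather than a hard-coded table.

```python
"""Added example (not from the original post): a small hygiene check for a
list of corporate web addresses. It flags a non-default port, a bare IP
address instead of a domain name, and a domain registration that is about
to expire. The URLs and expiry dates are a constructed sample; in practice
the expiry would come from the registrar or a WHOIS lookup."""
from datetime import date, timedelta
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: site URL -> registration expiry date (None = unknown).
SAMPLE_SITES = {
    "http://www.example.com/": date(2026, 1, 15),
    "http://www.example.com:8080/": date(2026, 1, 15),
    "http://198.51.100.7/": None,
    "https://intranet.example.org:443/": date(2025, 1, 20),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_ip_literal(host: str) -> bool:
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_site(url: str, expiry: Optional[date], today: date,
               warn_days: int = 60) -> list:
    """Return the findings for one URL (empty list = nothing to fix)."""
    parts = urlsplit(url)
    findings = []
    host = parts.hostname or ""
    port = parts.port  # None when the URL carries no explicit port
    default = DEFAULT_PORTS.get(parts.scheme)
    if port is not None and port != default:
        findings.append(f"non-default port {port} (corporate proxies may block it)")
    if is_ip_literal(host):
        findings.append("hosted on a bare IP address, no domain name")
    elif expiry is None:
        findings.append("registration expiry unknown; confirm with the registrar")
    elif expiry <= today:
        findings.append(f"registration expired on {expiry.isoformat()}")
    elif expiry - today <= timedelta(days=warn_days):
        findings.append(f"registration expires in {(expiry - today).days} days; renew now")
    return findings


def audit(sites: dict, today: date) -> dict:
    """Run check_site over every URL; URLs with no findings are omitted."""
    report = {}
    for url, expiry in sites.items():
        findings = check_site(url, expiry, today)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_SITES, date(2025, 1, 1)).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run against the sample with a reference date of 2025-01-01 it reports the 8080 site, the bare-IP site and the site whose registration lapses in 19 days, and stays silent on the first entry. The port check deliberately treats an explicit :443 on an https URL as fine, since that is the default the proxy expects.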

  • Information Security Short Takes: SANS Announced Top 25 Programming Errors
    Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

    Original URL path: http://www.shortinfosec.net/2009/01/sans-announced-top-25-programming.html (2016-04-27)

  • Information Security Short Takes: Cloud Computing - Premature murder of the datacenter
    Last week Amazon announced its new cloud computing service, the Amazon Elastic Block Store (EBS). It is a remote storage service with an excellent storage/cost ratio, which is even advertised as a replacement for the large storage systems of the enterprise. Naturally, the ever controversy-seeking journalists hurried to declare the time of death of the enterprise data center, and included this view: "Though most businesses are quite comfortable in using external utility services for electricity, water and Internet access, and we even use banks to hold and pool our money with others off site, we are still largely unready to move computing off premises no matter what the advantages."

    It is correct that certain elements are used as external utilities, but let's compare the services from a realistic point of view.

    Electricity as a service: because everyone is entirely dependent on electricity, the grid itself is designed to be resilient, have fast fail-over times, survive major catastrophic events at power plants or within the grid, and even re-route additional supplies from other countries if need be, at horrible costs, but it does work. Oh, and for the simple case of a grid glitch we'll spend 500 on a UPS and another 5000 on a diesel generator and we're all set.

    Data storage as a service: for data storage services, information is needed here and now, exactly like electricity. If we are to outsource our cloud information storage to a provider, that may be well and good as long as it works. However, in the information security world there are three key concepts, and our cloud data storage must guarantee commensurate levels of each.

    Confidentiality: in cloud computing, location is an ambiguous concept. So data will exist on different storage elements at different physical locations, and will traverse millions of miles of physical networks not related to, or in any way responsible to, the customer, as long as it's there. Who will guarantee that confidentiality is maintained? Oh, and I forgot: you ACCESS the data via the Internet. Whenever a confidentiality breach does occur, it can always be blamed on your Internet connectivity and a breach of security at the access provider, not the storage service provider.

    Integrity: will probably be maintained, since there are very simple ways of doing comparison and keeping a small subset of control information with each set of data, as long as fragments don't get lost, in which case we have a problem of availability.

    Availability: in cloud computing, information is everywhere and gets collected and presented at the user's request. If for any reason this data cannot be reconstructed and verified, it is lost. And again, the access to the information is through

    Original URL path: http://www.shortinfosec.net/2008/08/cloud-computing-premature-murder-of.html (2016-04-27)
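The integrity point above, "a small subset of control information kept with each set of data", and the availability point that follows it (a data set that cannot be reconstructed and verified is lost) can be shown with one mechanism. The block below is an added example, not code from the original post: the customer fragments a data set, keeps a per-fragment digest list, and binds that list with an HMAC under a key the provider never sees, so a modified fragment, a missing fragment or a manifest the provider rewrote all fail verification. The data set and key are constructed sample values.

```python
"""Added example, not from the original post: a signed manifest over fragments
of a data set, playing the role of the "control information" the post
mentions. The customer keeps the key; the provider only ever holds the
fragments and the manifest, so it can neither silently alter a fragment nor
hide that one went missing. SAMPLE_DATA and CUSTOMER_KEY are constructed."""
import hashlib
import hmac
import json

FRAGMENT_SIZE = 16  # bytes per fragment; tiny so the sample is readable

# Constructed sample: the key stays with the customer, never with the provider.
CUSTOMER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_DATA = b"quarterly ledger: 42 lines of nothing interesting whatsoever"


def fragment(data: bytes, size: int = FRAGMENT_SIZE) -> list:
    """Split a data set into fixed-size fragments (the last may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def _manifest_body(count: int, digests: list) -> bytes:
    """Canonical encoding of the part of the manifest that the HMAC covers."""
    return json.dumps({"count": count, "digests": digests}, sort_keys=True).encode()


def build_manifest(fragments: list, key: bytes) -> dict:
    """Per-fragment SHA-256 digests plus an HMAC over the ordered digest list.
    The HMAC binds count and order, so dropped or swapped fragments show up."""
    digests = [hashlib.sha256(f).hexdigest() for f in fragments]
    tag = hmac.new(key, _manifest_body(len(fragments), digests), hashlib.sha256).hexdigest()
    return {"count": len(fragments), "digests": digests, "tag": tag}


def verify_and_reassemble(fragments: list, manifest: dict, key: bytes) -> tuple:
    """Return (ok, reassembled_data, problems). ok is False for a manifest that
    is not ours, a missing or extra fragment, or a modified fragment."""
    expected = hmac.new(key, _manifest_body(manifest["count"], manifest["digests"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, b"", ["manifest tag does not verify; manifest is not ours"]
    problems = []
    if len(fragments) != manifest["count"]:
        problems.append(f"expected {manifest['count']} fragments, got {len(fragments)}")
    for idx, (frag, digest) in enumerate(zip(fragments, manifest["digests"])):
        if hashlib.sha256(frag).hexdigest() != digest:
            problems.append(f"fragment {idx} does not match its digest")
    if problems:
        return False, b"", problems
    return True, b"".join(fragments), []


if __name__ == "__main__":
    frags = fragment(SAMPLE_DATA)
    manifest = build_manifest(frags, CUSTOMER_KEY)
    print("intact:", verify_and_reassemble(frags, manifest, CUSTOMER_KEY)[0])
    print("one lost:", verify_and_reassemble(frags[:-1], manifest, CUSTOMER_KEY)[2])
    tampered = frags[:1] + [b"X" + frags[1][1:]] + frags[2:]
    print("tampered:", verify_and_reassemble(tampered, manifest, CUSTOMER_KEY)[2])
```

Note what this does and does not give you: it detects loss and modification (integrity), and it turns "cannot be reconstructed and verified" into a definite answer rather than a guess, but it does nothing for confidentiality, which would need the fragments encrypted before they leave the customer, and nothing for availability itself, which would need redundant copies.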

  • Information Security Short Takes: Software Security Degree Programs
    Software security is a highly technical and vital skill in today's evolving technological marketplace. Even so, programs specializing in this area are quite rare. In fact, it is more common to find a professional in this field with a Bachelor's or Master's degree in computer science than it is to find experts who have achieved a certification in software security.

    Software Security Degrees Are on the Rise

    More institutions are providing programs and degrees focused on the security aspect of information technology than ever before. Part of the reason for this is the significant projected increase in the number of jobs available in the field; in fact, the Bureau of Labor Statistics estimates the industry will grow by 36%. The growing technology and ever-expanding number of applications are a significant contributing factor. As new technology appears and grows, so does the risk of system vulnerabilities and the need for specialists to mitigate and protect against them using penetration testing tools and other preventive procedures.

    What to Expect in a Software Security Degree Program

    If you're interested in a software security degree program, you'll find that a healthy interest in technology and solving intricate problems will help a lot. By the time you've received your degree, you'll have a detailed understanding of the challenges involved in securing network and computer systems, and be able to use technological tools and protocols to minimize risks. You'll feel confident knowing you can restore various systems after an attack, and be comfortable providing security for mobile and software management. You'll have the basics in software engineering and telecommunication network fundamentals, and have the option to include additional classes such as business management and managerial economics. Just because this program focuses on software security doesn't mean there's no variety. Some programs, such as the Master of Science in Information Technology - Information Security (MSIT-IS) degree program from INI (Pittsburgh / Silicon Valley), offer focuses in Mobility, Information Security or Software Management. You're not confined to standard classroom learning either. Some programs offer an internship, while many classes are available online, which is perfect for students who may otherwise be unable to take this kind of

    Original URL path: http://www.shortinfosec.net/2011/06/software-security-degree-programs.html (2016-04-27)

  • Information Security Short Takes: Where are your default admin passwords - and who can get to them?
    Every corporation nowadays is very concerned with account security, and the first thing that an auditor or security officer asks for is the treatment and storage of the default admin accounts: root, administrator, sa, DBO. We don't need to repeat the well-known mantra of not using the default accounts for daily use. But these accounts and passwords still need to be well secured in order to achieve the following criteria.

    Security: the passwords for the default admin accounts need to be strong and complex, and should withstand most attempts at brute force or social engineering attacks.

    Confidentiality: no single person should know the default admin account password, since he or she could abuse this account for gain or to cause damage.

    Availability: in times of crisis the organization may still need to use these default admin accounts, so they cannot be lost.

    The following procedure can be applied by any organization, and it meets all three criteria.

    Security and Confidentiality: the password should be constructed in two parts, each part entered by a different person. Having two people create the password increases the complexity significantly (provided each part is itself long and not guessable from its holder's personal details) and reduces the possibility of using social knowledge of a single person to attack the password. Also, no single person knows the password.

    Confidentiality and Availability: the parts of the password should be written on separate pieces of paper, marked "first part" and "second part", and stored in separate envelopes. These two envelopes should then be stored in a tamper-evident envelope. Placing the passwords in a tamper-evident envelope is where most attempts at secure storage fail. The reason usually given is that tamper-evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely the case, since such envelopes are available in most office supply stores. But even if such envelopes are not available, you can easily create a DIY tamper-evident envelope like this: take an ordinary envelope; ask your manager to sign his name at least 2 times on the edges of the envelope, from both sides; cover the length of the signed edges with transparent adhesive tape (scotch tape), making sure that the tape overlaps the envelope edge; put the password envelopes inside the tamper-evident envelope; seal the envelope and have the manager sign the edge where the

    Original URL path: http://www.shortinfosec.net/2011/06/where-are-your-default-account.html (2016-04-27)
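The two-part procedure above only delivers the promised complexity if each part is random rather than chosen by its holder. The block below is an added example, not code from the original post: each holder runs make_part() on their own machine and writes the result on their own slip, and the parts are only ever combined in an emergency. The short check value written on the outer envelope (fingerprint) is an addition to the post's procedure, there so that a reassembled password can be validated for transcription errors before it is tried against a real account and trips a lockout. The alphabet and part length are assumptions for the example.

```python
"""Added example, not from the original post: generating and checking the
two-part default admin password the post describes. make_part() is run
separately by each of the two holders; fingerprint() is an added convenience
for the outer envelope. ALPHABET and PART_LENGTH are assumptions."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # 75 symbols
PART_LENGTH = 16


def make_part(length: int = PART_LENGTH, alphabet: str = ALPHABET) -> str:
    """One person's part, drawn with the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(part: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly drawn string of this length over the alphabet."""
    return len(part) * math.log2(len(alphabet))


def combine(first: str, second: str) -> str:
    """Assemble the password: parts are concatenated in label order."""
    return first + second


def fingerprint(password: str) -> str:
    """Short check value for the envelope: enough to catch a mistyped or
    misread part, far too short to confirm a guess of a ~200-bit password."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def reassemble(first: str, second: str, expected_fingerprint: str) -> str:
    """Rebuild the password from the two slips and refuse it if the check
    value on the envelope does not match (e.g. a part was copied wrongly)."""
    password = combine(first, second)
    if fingerprint(password) != expected_fingerprint:
        raise ValueError("reassembled password does not match envelope check value")
    return password


if __name__ == "__main__":
    first, second = make_part(), make_part()   # in reality: two machines, two people
    print("part entropy: %.1f bits each" % entropy_bits(first))
    print("envelope check value:", fingerprint(combine(first, second)))
```

Two caveats on the added check value: it exposes 32 bits of a hash of the password on the outside of the envelope, which is harmless only because the parts are random (a guessable password would let someone test guesses offline against it), and the slip holders must never see each other's part when the check value is computed, so compute it on a machine that is wiped afterwards or have each holder type their part in turn without looking.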

  • Information Security Short Takes: Steps to Ensure a Smooth(er) Migration to a Cloud Service
    of the cloud provider: all your services were authenticated to a data set within your company, usually an LDAP server or a database. You must understand which data set the cloud provider can support for authentication, because you may need to recreate your users' accounts and generate and distribute new passwords to them.

    Gather all usage scenarios of the service as it is currently delivered in-house: there may be multiple usage scenarios for a service that have been introduced through the years, either officially or unofficially. For instance, a mail server can be accessed via POP3, IMAP or MAPI (on Exchange servers), and different users may be using different protocols. Confirm which usage scenarios are supported by the service provider; your users may need to be reconfigured in advance or at the moment of migration. You need to understand which steps you'll need to take to maintain minimum outage for the users. This is usually tightly connected to the authentication source and set-up.

    Ensure you have bandwidth: going into the cloud means remote access. Whatever your in-house service was, you never cared about bandwidth usage and latency over your gigabit LAN, but over the Internet link that bandwidth usage may be very significant. Observe your current network using network analysis tools, and learn more about the broadband packages that you use, especially their flexibility to quickly increase bandwidth or decrease latency if needed at roll-out time.

    Know who to call at the time of migration and right after: things are going to be hectic, issues will rise all over the place, and your team will be less than their usual competent self since they'll also be using the service. Have all of them read through the SLA and the communication and escalation procedures of the cloud contract. This way the issues will be escalated rapidly and support calls will be made much faster.

    Understand your fallback options: any migration can go wrong. In order to be able to continue your original service in such a scenario, investigate whether your original service will be available during and after the migration, and look and test for any risk that the migration may leave your in-house service broken. This may be a huge issue if somehow there are problems.

    Make a plan with an outage period and the ability to go back to your service: before you go into migration, make a plan for the migration in which you'll define the migration period start and finish times based on testing results. The entire period of migration should be planned as downtime, and the source service should be in a frozen state (no new entries in it). The reason for such a downtime is two-fold: even if the migration is online, if anything goes wrong you are under less pressure to fix it; and creating a frozen state of the source service creates a point in time to which you are prepared to revert in case of trouble.

    Inform everyone of

    Original URL path: http://www.shortinfosec.net/2012/07/steps-to-ensure-smoother-migration-to.html (2016-04-27)
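The "gather all usage scenarios" step above is the one that is usually done from memory and therefore done badly; the mail server's own logs are the authoritative inventory. The block below is an added example, not code from the original post: it parses login lines from a mail server log, builds the set of protocols each user actually uses, and lists the users who must be reconfigured because the target provider does not offer their protocol. The log lines are a constructed sample in a simplified format (a real server's format differs and needs its own regex), and the provider's supported-protocol list is an assumption for the example.

```python
"""Added example, not from the original post: inventory of mail protocol
usage per user from server logs, and the list of users the migration must
reconfigure. SAMPLE_LOG is constructed in a simplified format; a real
server's log lines need their own LINE_RE. PROVIDER_SUPPORTS is an
assumption for the example."""
import re
from collections import defaultdict

# Constructed sample: what a pre-migration inventory would pull from the logs.
SAMPLE_LOG = """\
2012-07-02T08:01:12 pop3 login user=alice@example.com rip=10.1.4.20
2012-07-02T08:03:40 imap login user=bob@example.com rip=10.1.4.31
2012-07-02T08:04:02 mapi login user=carol@example.com rip=10.1.5.7
2012-07-02T08:09:55 imap login user=alice@example.com rip=10.1.4.20
2012-07-02T08:15:17 pop3 login user=dave@example.com rip=198.51.100.9
2012-07-02T08:20:00 smtp auth user=bob@example.com rip=10.1.4.31
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>pop3|imap|mapi|smtp) \S+ "
    r"user=(?P<user>\S+) rip=(?P<rip>\S+)$"
)

# Assumption for the example: the provider offers IMAP and SMTP only.
PROVIDER_SUPPORTS = {"imap", "smtp"}


def parse_log(text: str) -> list:
    """Parse log lines into dicts (ts, proto, user, rip); non-matching lines
    are skipped rather than aborting the inventory."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def usage_by_user(records: list) -> dict:
    """Map each user to the set of protocols they were actually seen using."""
    usage = defaultdict(set)
    for record in records:
        usage[record["user"]].add(record["proto"])
    return dict(usage)


def unsupported_users(usage: dict, supported: set) -> dict:
    """Users who rely on at least one protocol the provider lacks, with the
    offending protocols: the accounts to reconfigure before cut-over."""
    return {user: sorted(protos - supported)
            for user, protos in usage.items() if protos - supported}


if __name__ == "__main__":
    usage = usage_by_user(parse_log(SAMPLE_LOG))
    for user, missing in unsupported_users(usage, PROVIDER_SUPPORTS).items():
        print(f"{user}: reconfigure away from {', '.join(missing)}")
```

Run over a log window long enough to cover occasional users (a month, not a day), and keep the rip field: a cluster of logins from a single address on an unsupported protocol often turns out to be an unofficial gateway or script that nobody listed as a "usage scenario".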

  • Information Security Short Takes: Management Reaction to Failed Cloud Security
    After all the risk assessments, cost analyses and decisions, you decide to send your data into the cloud. And things are good, at least until the security breach. When that happens, every security professional and IT

    Original URL path: http://www.shortinfosec.net/2010/03/management-reaction-to-failed-cloud.html (2016-04-27)

  • Information Security Short Takes: 5 SLA Nonsense Examples - Always Read the Fine Print
    I've had the opportunity to review several poor Service Level Agreement (SLA) contracts which include clauses shielding the provider as if they were an endangered species. These clauses are usually masked under general clauses or fancy legal lingo, so as to possibly go unnoticed. Here are several examples of texts that a customer should watch out for in a Service Level Agreement.

    1. The data protection trick. Sample clause: "The provider will protect and not reveal any received or collected information about the buyer unless it's required by legal authorities during a formal investigation or in case of protection of provider's interests." Analysis: although this particular clause may vary from country to country (legal system differences), there is NO LOGICAL ARGUMENT for anyone to reveal your information for the protection of their interest.

    2. The no-responsibility trick. Sample clause: "The customer will hold harmless and indemnify the provider from all errors, damage or data loss, loss of business, delays in processing or any other problems resulting from usage or inability to use this service. The provider is not responsible for any damage to hardware or systems during the installation or maintenance of the service." Analysis: while a relatively standard clause, always have your legal team AND your technical team review and dissect this clause. In the example, the wording of the second sentence actually makes the provider not responsible for any screw-ups during installation, even if their technician placed a 110V line in a 300V outlet or used a drill to tighten a screw of the serial port.

    3. The automatic consent trick. Sample clause: "The provider reserves the right to modify the conditions of service, and the modifications will be considered agreed to in case of service contract renewal." Analysis: an SLA can be written to refer to certain general conditions related to the service. A provider can modify these formal conditions without proper communication to the customer. Since most contract renewals are automatic, this can suddenly put the customer in a very bad position, even if the initial SLA

    Original URL path: http://www.shortinfosec.net/2008/07/5-sla-nonsense-examples-always-read.html (2016-04-27)