  • Information Security Short Takes: Corporate Information Security during Layoffs - What will get stolen
    A recent study confirmed the long-known fact: any employee that is being fired will try to steal something from his now ex-employer. While 20 years ago companies had to worry about stolen petty cash or office supplies, today such items are not the target of the disgruntled ex-employee. Instead, especially in IT companies, the laid-off employee will try to: steal corporate information or documents; steal confidential data; create some form of flaw in the system that will hurt his ex-employer; or all of the above. When dismissing a single employee, one can make provisions so that no damage is done (locking out his accounts, a security guard being present when clearing the desk, etc.). Performing the same amount of diligence when laying off hundreds or thousands of employees is much more difficult. For example, Nortel announced that they'll be laying off more than

    Original URL path: http://www.shortinfosec.net/2009/02/corporate-information-security-during.html (2016-04-28)


  • Information Security Short Takes: 3 Controls to Secure Corporate Offline Computers
    Information Security has many aspects that are easily overlooked. A frequent major security hole is the offline equipment which is temporarily or permanently out of use. Such equipment is not subject to frequent scrutiny, and information theft from such equipment can go unnoticed for months or, if done properly, never.
    Example scenario: A person working in the position of sales analyst leaves the company. Since his position needs to be filled with a person of strong expertise, HR takes several months to evaluate and recruit the new employee for this position. All work-related resources (PC, scanner, document cabinet) of the former employee are maintained on the same desk in an open-space office with 15 people working in the same area. After 3 months a new hire is brought in to take over the functions of sales analyst. It being his first day of work, an IT technician is present to reconfigure the PC and set up the user's account and e-mail. When the technician tries to boot up the PC, it gives the legendary "no system disk or disk error" message. When he opens the PC to remove the defective part, he finds out that there is no disk in the PC. He immediately alerts IT management, internal audit and information security. After 2 weeks of investigation, with the inclusion of the police, the thief is found to be a co-worker from another office on the floor. He was in the process of negotiating terms of employment with a competitor company. To increase his value and get a better deal, knowing that the sales analyst's PC is unmonitored, he offered to deliver the sales analysis and plans of the current company. He took out the hard drive of the analyst's PC wanting to copy the data, but didn't return it before the new employee arrived.
    Analysis: The sales analyst's PC was left virtually unattended and unmonitored for more than 3 months. Although technically it was within a secure environment (the office), this environment cannot protect you from an insider attack. What's worse, there are simple and cheap protective measures which would have prevented this incident.
    Controls: In order to prevent incidents as described above, you should implement the following 3 controls on offline computers within your organization: Place a tamper-evident seal on the chassis opening point

    Original URL path: http://www.shortinfosec.net/2008/07/3-steps-to-securing-your-offline.html (2016-04-28)

  • Information Security Short Takes: 5 Reasons to Consult Your SysAdmin for New Systems
    A lot of organizations isolate system administrators from new system implementations, led by the premise that their admin teams need to focus on maintenance and that they may not bring benefit to the implementation, especially when consultants are engaged to implement the entire new system. But always bear in mind that system admins have very specific insight that any project manager will find useful. Here are the 5 reasons why organizations should always include their system admins in all phases of system implementation:
    SysAdmins know the infrastructure and the interactions between systems: every corporate IT infrastructure is a complex set of systems, firewalls, security rules and networking connections. The SysAdmin can provide invaluable information about what the new system will communicate to, under which conditions and by which rules, questions that need to be properly answered in any implementation.
    SysAdmins know the utilized capacities of current systems: introducing a new system is never self-sufficient. The new system will add load to the switching infrastructure and firewalls, and can require additional licenses for monitoring systems

    Original URL path: http://www.shortinfosec.net/2008/09/5-reasons-to-consult-your-sysadmin-for.html (2016-04-28)

  • Information Security Short Takes: System Management - When do the IT Admins Screw Up?
    The main purpose of IT within a company is to provide IT services to the business. This means that the responsibility for availability, response time and service quality rests mostly on the shoulders of IT admins. In most cases IT personnel understand the burden they bear very well and are extremely careful in their daily activities. But if certain processes and IT culture are not in place in an organization, system admins can cause disruptions. Here are the conditions, with real-life examples, under which an IT admin can screw up.
    Lack of Proper Testing and Contingency Planning 1: A corrective update batch process was run on the CRM system. The admin started the process at 9 PM, to complete overnight, and left it without supervision. The process ran until 5 AM, when it failed and the database began rollback. The rollback took another 8 hours, incapacitating the company's CRM until noon the following business day.
    Lack of Proper Testing and Contingency Planning 2: During database maintenance, several large tables were moved directly to archive and manually recreated as empty ones. The system ran well for 5 days, after which each operation became very slow or could not be performed at all. A simple analysis concluded that during the archive and recreation process the indexes were not recreated on the newly created tables, thus forcing the database to do a full table scan for every operation. Since the tables were empty at first, this did not become an immediate problem.
    Lack of Coordination and Communication: A clustered mail server exhibited errors in mailbox processing. Two administrators were called in to remedy the problem. The first administrator initiated a mailbox rebuild process; 10 minutes later the second admin instructed the cluster to fail over the mail server resources to the other server. The rebuild process crashed and corrupted the entire mailbox pool, which had to be restored from backup. All emails received after the backup were lost.
    Not Following Procedures: The corporate web server sent an alert of low disk space, so a system admin searched the disk for items to delete. He found a folder "Copy of wwwroot" and assumed that it was a copy of the web server root directory. He deleted the folder and all sub-folders

    Original URL path: http://www.shortinfosec.net/2008/08/system-management-when-do-it-admins.html (2016-04-28)

  • Information Security Short Takes: Essential Management Semantics - Responsible vs Accountable
    I've had a discussion at the office about who is responsible for a certain activity. And as expected, the junior colleagues got into a discussion of who is more and who is less responsible for the activity. The Information Technology Infrastructure Library (ITIL) defines two distinct roles: Responsible and Accountable. If you open Webster's dictionary (www.websters.com) and look up the adjective "responsible", you get the following description: "answerable or accountable, as for something within one's power, control, or management". If you do the same for "accountable", here is what you get: "subject to the obligation to report, explain, or justify something; responsible; answerable". It is common sense to assume

    Original URL path: http://www.shortinfosec.net/2008/08/essential-management-semantics.html (2016-04-28)

  • Information Security Short Takes: Fedora Servers Compromised
    According to this announcement from yesterday, Fedora servers were compromised. Here is a scary part of the announcement: "One of the compromised Fedora servers was a system used for signing Fedora packages. That particular server had very

    Original URL path: http://www.shortinfosec.net/2008/08/fedora-servers-compromised.html (2016-04-28)

  • Information Security Short Takes: Where is that XP Install CD?
    Today Christopher Dawson has a post at ZDNet titled "Don't downgrade me to XP". His take on the Vista subject is that we should bite the bullet and go with Vista, since XP is already 7 years old, so installing it on new equipment and running it for 4 years will bring it to an age of 11 years, way too much in an industry where anything older than 4 years is ancient. But turning back to reality, let's analyze who might benefit from using Vista instead of XP. First, the proposed benefits: apparently Vista has better security, better application support, is more modern and far easier to use. The users have already said their part: Vista and XP are on par at security, the only remaining benefit being that XP support is ending. Application support in Vista is lacking, and a lot of drivers were funky even 1 year after Vista was released. The interface, although modern, is a huge resource hog and hampers a lot of users. So who will benefit from Vista?
    Not the corporate users: corporations are riddled with legacy applications, have very stringent procedures for upgrades and are generally very careful when adopting anything. In such an environment, implementing Vista will require additional training for the users, significant testing to verify that all corporate applications are working, and a big chunk of change to bring all available hardware up to Vista hardware requirements.
    Not the power users: power users have specific applications they use, and they expect that the apps run as fast and as smoothly as possible. Installing Vista will very probably reduce the performance of their application, possibly hamper operation of their application, and make them re-learn part of their computer use, which takes time that they can use much more productively.
    Not the gamers: unless insisting on DirectX 10, XP still delivers a better performance bang for the same buck of hardware, which is very important for gamers, since they are on the road of draining every last frame per second from their hardware. Some of the older readers will remember installing special memory managers to take maximum advantage of ALL computer resources. Users like this DON'T WANT a resource hog like Vista.
    In summary, although XP is 7 years old, Vista hasn't delivered any significant improvements which would justify its use; XP still delivers much better productivity. So the only ones that will take up Vista are the ones that really don't mind productivity changes:
    Newbies: anyone just starting out in computing, so they don't have any specifications and expectations to meet, nor are they particularly oriented towards any specific application.
    Testers: the people

    Original URL path: http://www.shortinfosec.net/2008/08/where-is-that-xp-install-cd.html (2016-04-28)

  • Information Security Short Takes: Competition Software Testing - Benefits and Risks
    Testing of any solution, especially software, is a very slow and painful process which requires a lot of human resources and proper design of test scenarios. Because of the slowness of the process, something can be missed. So a number of companies organize competitions in which they offer rewards to whomever breaches the security of their software, finds a bug, or performs a similar activity. Jon Oltsik, in a text titled "Carnival atmosphere in security", compares this process to a carnival and criticizes it heavily. Although I agree that the competition is not a good approach, here is a more constructive analysis of the reasons.
    Benefits: Here are the perceived benefits of competition-style testing of any software. All of them are naturally legitimate, and every company would like an army of very dedicated testers for their product, at a price at which they'll never be able to hire so many testers.
    The application will get stress tested: An army of testers hunting the prize will put the software through its paces and make very creative use cases to reveal bugs.
    A lot of boundary conditions will be checked and re-checked: These bug-hunting testers will throw all kinds of garbage at the software, precisely where most applications fail and open a way to fraud, security breaches or simply erroneous operation.
    Implementations of standard protocols and algorithms will be checked for errors: the most frequent path to a breach of application or system security is the poor implementation of the standards that are trusted the most. For instance, while AES encryption is virtually unbreakable within an acceptable time frame, its poor implementation in program code can lead to easy exploits and breaches. Such errors can be identified in a prize-hunting test.
    Drawbacks: Naturally, it's not all good. There are several risks to using a competition for software testing, and here are the most dangerous pitfalls.
    Only one winner, only one vulnerability: This method of testing will actually identify only one vulnerability. There can be several controls to prevent this situation, like a submission deadline after which a winner is declared, but usually the first hacker to perform the breach will use covert channels to advertise his success, to deter other competitors and to increase his reputation.
    Bugs publicized in the wild: A lot of other bugs and potential errors can be identified during the test, but these will not be enough to win the prize. After the competition, information about these

    Original URL path: http://www.shortinfosec.net/2008/08/competition-software-testing-benefits.html (2016-04-28)