Spliced feed for Security Bloggers Network |
Assessing your Organization’s Network Perimeter (pt. 2) [BlogInfoSec.com] Posted: 16 Jun 2008 06:00 AM CDT Welcome once again to the risk rack. This time on the risk rack we will be continuing our review of how to assess your organization's network perimeter. As a reminder the identified steps were:
In Part I we reviewed tips and tricks for Step 1 "Define the functions and purposes of your network perimeter" and started a spreadsheet. In Part II of "assessing your perimeter" we will be looking at tips and tricks for Step 2: "Assess the technology used along the perimeter of your network." Let us begin by first defining the term "Technology" for the purpose of this article. Technology for the purpose of this article is defined as any hardware or software as well as architectural design. To provide some structure for the technology assessment I have provided the following stepped approach which I will describe below.
Defining an endpoint is simply identifying any segment of the network that interfaces with an external environment. There are three basic forms of endpoint interfaces:
Step 1: Step 2: Again a good source for this information is a detailed network diagram and a network architect. Some of the types of hardware you are looking for are routers, modems, switches, firewall servers, monitoring servers, mail servers, proxy servers, remote access servers, Load balancers, application servers, etc. Please also note there are many devices that are sold as appliances, these devices must be included as well. In this step you should also capture the type of communication link used at this endpoint i.e T1, T3, Frame, ISDN, PBX, etc.. Update the spreadsheet you created in step 1 with the information accumulated in this step. You should also create a subset of your network diagram depicting each perimeter endpoint. This diagram is a good visual for analysis as well as reporting In addition to the devices within the DMZ you must also include the other servers that are related to the function and purpose of the endpoint that reside on the internal network i.e. database servers and application servers etc. as the majority of functionality for externally facing services is placed on internal segments for security reasons. Step 3: After you have completed capturing the operating system information you should then capture any other application running on each device and capture that information on the spreadsheet as well. Step 4: A few notes to consider when mapping devices and software to the functions and purposes:
At this point it is probably a good idea to review your spreadsheet with the network architect (or someone else in your organization that may be suited to assist) to make sure you are capturing the information completely, accurately and have mapped everything effectively. Please make sure you review your list of unmatched components with the architect as well as the architect may be able to fill in the blanks. Step 5: Level I by End point
Level II by purpose and function.
A few thoughts before we leave step 5:
Step 6: I hope this article has been helpful as I have tried to provide as much guidance as I could in a limited format. Please join me next time when we review the Step 3 of assessing your perimeter "Assess the Processes used to support your network perimeter". Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately. |
Google has your back against your ISP [StillSecure, After All These Years] Posted: 15 Jun 2008 11:06 PM CDT Its been a while now since word got out that Comcast for sure and possibly other large ISPs were filtering and throttling traffic to their customers. Now Steve Musil over on C/Net is reporting on a report in the Register that Google will be releasing tools that they have developed which will allow users to monitor and identify this type of filtering by your broadband carrier. I am far from a Google fan boy, but I have to give Google a pat on the back for this one. The ISPs have tried to stop the government from stepping in here and preventing them from limiting and filtering traffic like this. It is part of the whole net neutrality thing. The ISPs response is the government doesn't have to step in, the market will take care of itself. Yeah, just like the oil companies say about the price of gas. Ultimately I think the ISPs know they are going to lose this fight. Their next play is to start charging you based upon how much bandwidth you use. We have already seen the noise around that one. It reminds me of my web hosting days. Some hosts charged you by the bandwidth you used per month. Others gave you unlimited bandwidth but put you on a crowded machine where you had to fight for CPU time and hooked that up to a small pipe that was saturated. So you did not pay for extra bandwidth, but you couldn't use any either. Bottom line after a long period of access being cheap and plentiful, the ISP game is back. You can pay them now or pay them later, but you will pay them. |
Are we going to need TSA backdoors to encryption [StillSecure, After All These Years] Posted: 15 Jun 2008 09:36 AM CDT I was reading an article in Information Week tonight about a case going to the 9th Circuit Court of Appeals about the governments right to search, seize and copy laptops and other electronic devices at our borders. Two groups that don't often find themselves on the same side of issues, the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives (ACTE) have filed briefs with the court asking them to strike down a lower courts ruling that granted the government these broad powers to confiscate laptops. As the article points out here in the US there was quite an uproar about China "slurping" laptops from people on travel there, but we seem to think it is OK for our government to do it. Well at least our government is telling people they are doing it. What they are not telling us is what they are doing with the data after they search or copy it. How do we know, no US security but nevertheless confidential data is being secured and or destroyed promptly? The government telling us "trust me" just doesn't cut it. However, I think technology is going to pose a bigger problem for the government regardless of whether the court upholds the governments position. I think any terrorist or other bad guy would never have confidential data on their laptop that is not encrypted. In fact with full disk encryption coming to the masses from the likes of McAfee and others, what will the government do? Sure they can take the encrypted data to the NSA and let them brute force the keys, but that sounds impractical. Perhaps, the TSA will demand encryption vendors to put in a back door or secret key that will allow the TSA to decrypt the data similar to what they do with the special luggage locks now. I know what they can do. Perhaps they can go back to Checkpoint and find out for sure about those back doors that they always suspected was in their software and see if it is there for sure. If so the government can appoint Checkpoint the official encryption vendor for laptops ;-) Just kidding of course, but really guys. What self-respecting bad guy is not going to encrypt their data knowing the government has a right to search their laptop. I think it makes this whole case much ado about nothing. |
Some People Just Don't Know When to Stop [Sunnet Beskerming Security Advisories] Posted: 15 Jun 2008 09:27 AM CDT A former corporate executive, currently under home detention since his October 2007 arrest on charges of looting his company of funds has been accused of trying to bypass (unsuccessfully) security monitoring software installed on his home system, even after he promised (via his lawyers) that the attempts to defeat the security system would cease. From the various news reports and unhappy shareholder comments from across the internet, this effort to bypass the rules, including only being partially successful, doesn't appear to be out of character for someone who has been accused of emptying his company of value and spending the money through a number of personal relationships that are ethically dubious at best. If you are trying to get the conditions of your home detention reduced, then hacking the monitoring software that is a part of that detention probably isn't the smartest move to make. |
Time for a weekend laugh [Roer.Com Information Security - Your source of Information Security] Posted: 15 Jun 2008 07:50 AM CDT All right, I needed a laugh, and found my way to the Failblog. This place has potential for fun - particularly if you filter out the kids' comments. I particularly like this one:
And - unlike the other comments - this one was nice: "No submarine trucks? Where do they get all the water?" "Nah, they're just filling up." Yes, I admit it. My humour is not on the dry side today. Happy weekend to all of you from all of me! |
Vonage and Ekiga on SUSE Linux [Room362.com] Posted: 14 Jun 2008 09:52 PM CDT This was originally posted at http://www.jpugh.org/2008/01/vonage-and-ekiga-on-suse-linux.html I had to find it via google cache as the page is no longer there or has just been down for the past week. So I am reposting it for reference:
|
Storming SIP Security - now available just a click away [SIPVicious] Posted: 13 Jun 2008 05:56 PM CDT Time to release the hakin9 article to the public. This article was first released in the February edition of the English hakin9 magazine. Download now (takes you to EnableSecurity). Added: The listings can be found here. Thanks for Chris Gates for noticing that I forgot to include the listings. |
GRC - Love it or hate it [Andy, ITGuy] Posted: 13 Jun 2008 02:43 PM CDT Last week I received an email from a marketing firm wanting to know if I'd like to talk to Symantec about IT GRC and an upcoming announcement that they were going to be making. Usually I ignore these emails because my blog is NOT an advertisement for vendors. It's my place to voice my thoughts, good or bad, on technology and security. I try to stay as focused as possible and not get off on tangents regarding politics, religion, personal life, food, or anything else. That includes free advertising for vendors. Plus, I usually am not that interested in talking to marketing people about their product. If I want information on a product I want to talk to the engineers that designed it and support it. Not the marketers and sales guys. Anyway, since I do have an interest in GRC and like the concept of it I decided to take the bait and have a conversation with them. So we scheduled a time and spent about an hour talking about what Symantec is doing in the GRC space. Of course they have a product that helps manage and maintain your program and that was they jest behind the conversation. They let me in on the announcement that they were making on Wednesday of this week and we had a good conversation. Then they invited me to sit in on a conference call of Wednesday this week where they were having a round table discussion about their offering and getting ready to make their big announcement as part of their Vision Conference. I wasn't sure if I'd get to because of the audit that we were having but I did find time to join in on the call. In preparation for the call they sent me an advance copy of the announcement and a report on IT GRC. I tried to be a good blogger and read the report before the call but just didn't get the time to do more than skim it quickly. It looked interesting and like it had some good information in it, but I just didn't get the time to really read it. Then the time for the call came and I dialed in, pen in hand (my new Cross fountain pen that I LOVE to write with) ready to take notes and hear some good stuff regarding GRC. Of course you know that didn't happen. I was tired from lack of sleep and 2 1/2 days of audit and my mind wandered. I kept trying to bring it back and just as I'd get focused someone would talk who wasn't close enough to the mic and I couldn't hear them very well and I'd fade again. After about 45 minutes I gave in and hung up. Today I see that Neil Roiter over at Search Security has a write up on the report and the Symantec Round table. You can check it out if you have any interest in what the report or Symantec has to say regarding this. There are a couple of things that I want to point out myself. It seems that the report seems to validate many of my thoughts regarding IT GRC. Mainly that it isn't about technology but about process. The longer I work in IT and especially dealing with security and compliance the more I appreciate how effective good processes can be in your program. Here are the things in the Search Security write up that I really like. My comments are in blue.
|
EeePC 900 in galaxy "hacker" black [Carnal0wnage Blog] Posted: 13 Jun 2008 12:04 PM CDT |
Andrew, What’s Up? [Andrew Hay] Posted: 13 Jun 2008 09:04 AM CDT Hey All, I thought I’d drop a quick post to let you know what’s been keeping me occupied (and away from blogging) for the last few weeks: Studying For My CISSP ExamAs many of you know, out of spite, I’ll be taking my CISSP exam on June 28th in Ottawa, Ontario, Canada. This is taking quite a bit of my time so I am very “head-down” trying to jam as much information into my head as possible. Wish me luck! Writing Another BookI’ve also signed on to write the Nokia Firewall, VPN, and IPSO Configuration Guide (Syngress, ISBN 9781597492867). Note to self, don’t agree to author a book when planning for a large exam. Drafting Call-For-Papers for Various ConferencesI’ve been trying to get a bunch of CFPs drafted for various fall conferences. Takes a lot of time to produce quality papers that have a chance of being accepted. SANS GIAC Gold PaperMy SANS GIAC GCIH Gold paper is due August 22nd, 2008 so I’ve been working on getting all the information I need together to draft a killer paper. Busy, busy, busy |
Posted: 13 Jun 2008 06:38 AM CDT To facilitate training processes are something I truly enjoy. Particularly when I can enter a class where the energylevel is low, and the participants expects to be handed tasks to work with. When you enter the room, you feel their lack of motivation. And no motivation usually means a tough day for both participants and the trainer. And if you want people to learn new skills, and hopefully to change their attitude towards the subject, you need them to be motivated. This is particularly true when training security and user awareness. People act if the topic is as interesting as a piece of dead wood. I believe you me – I do not want to be that piece of wood! Thus, one of my main focuses during a training is to build; and keep; the energy level high. This can be done by using groupexercises, open discussions and by sharing of your own crazyness (and boy, can I be crazy!) I build an environment where it is safe to ask questions and to wonder. A group where they support and help each other – even when I am no longer there. Because only when the motivation and fun is present, can we focus on knowledge transferal. Where the participants get their learning experience. Where the actual message is conveyed, understood and put into use.
So now you know my secret to giving successful trainings! |
Maltego Community Edition Available [Carnal0wnage Blog] Posted: 13 Jun 2008 06:07 AM CDT Paterva has released a community (free) edition of Maltego v2 From the site: The Community Edition is limited in the following ways:
|
A Continental nightmare [StillSecure, After All These Years] Posted: 13 Jun 2008 03:35 AM CDT The state of the airline industry is a travesty. Today United announced that they are joining American in charging a fee for even the first bag of checked luggage. Combined with the ban on liquids that makes it hard to carry on anything, you are forced to pay up. This is on top of the already jacked up prices and fuel surcharges they are already charging. They also charge if you want to fly stand by now, extra for exit seats, aisles, etc, etc. It is not one airline worse than another, they are all pretty bad. Today's travel nightmare though comes courtesy of Continental Airlines. I rarely fly Continental because in coach I find their seats are to close together and my knees get crushed. But flying home from Denver today, they were the cheapest so I booked the flight. I was scheduled to be on a 4:50 flight out of Denver into Houston. An hour layover, an 8:55 flight from Houston to Ft Lauderdale and I would get me home around midnight. Long day for sure. So I finished up my meetings and stuff early in Boulder and saw that Continental had a 2:30 flight from Denver to Houston and a 7:10 connection to Ft Lauderdale that would get me in around 10:20pm. I left StillSecure HQ around noon and was at Denver airport by about 12:45. I went to the Continental counter and asked to get on the earlier flight. Because I am a platinum medallion member of Delta, as a Sky Team member, I am an elite plus level passenger on Continental. In days gone by that would qualify me for same day ticket changes for free. Not anymore it doesn't! I don't understand what the price of fuel has to do with charging me for same day ticket changes. Anyway, they said I could fly stand by for free until June 17th, when even standby is going to cost an extra fee (again they blamed it on fuel costs). So they put me on standby and told me my luggage would go on the earlier flight. I then went to the 2:30 flights gate and waited. The ticket counter agent told me about 20 minutes before take off that they only had me as a silver medallion and due to my low status I was far down the list and would not make the flight. My luggage would though. OK, so I will hang at the airport and work a few hours. Just before the plane takes off they call my name and tell me to wait at the end of the jetway. They are checking the plane and if there is a seat I can take it. I get the last seat on the plane, a middle seat. I arrive at Houston and proceed to the gate for the 7:10 flight to Ft Lauderdale. I check in with the agent and she tells me the folks in Denver only put me on standby for the Denver Houston flight and I am not on stand by for the Ft Lauderdale flight. She can put me on and I will probably make it, but my luggage will be going on the later flight. Now mind you I can see the plane I just got off of out the window and could have gone to the jetway and told the guys unloading the luggage to grab my bag. Not wanting to wait two hours in Ft Lauderdale late at night for my luggage to arrive and not wanting to drive down the next day to pick it up I say thanks, but no thanks and decide to wait another two hours for the later flight that my luggage will be on. I board my 8:55 flight as scheduled and we take off headed for Ft Lauderdale, due to land at 12:15 or so. The plane is hot as heck and about a half hour into the flight the pilot says that we have a pressurization problem and am turning back to Houston! We turn back and upon arrival near Houston, he tells us we have too much fuel to land and will have to fly around to burn it off. We have no air conditioning, it is hot as can be and they are telling me how much they charge because of the cost of fuel that they are now flying around in circles to burn off! We land in Houston, they find another plane and we finally take off from Houston around 11:45 or so. I am writing this on the plane and am due to land about 2:30am. If I find my luggage came on the earlier flight I am going to kill someone. In the meantime, I have had enough of Continental for a while and they won't see me on their planes very soon. End of story, we landed around 2:45 and my luggage was waiting for me, having arrived on the earlier flight. The Continental employee at the baggage claim will remember Alan Shimel for a while, as I gave him a piece of my mind. |
Posted: 13 Jun 2008 03:29 AM CDT I don't know what it is, but lately everyone I am speaking to is talking SaaS, outsourcing and MSSPs. Just today I was reading Neil Roiter's column on the latest acquisition by Perimeter eSecurity. The MSSP acquisition kings have now bought Edgeos, a vulnerability scanning service. I don't really know alot about them, but it seems their vulnerability service does not utilize a distributed or local server at the customers location. I am not sure how they deal with things like firewalls and such that would result in very different results from an internal scan, but that isn't the point here. The fact is that MSSP service providers, whether it be large carriers line Verizon or ATT or dedicated security MSSPs like Perimeter or SecureWorks or smaller MSSPs like ProtectPoint here in Florida, are finding fertile ground. I will talk more at the end of the article about what kind of MSSP will likely be your MSSP in the future. |
Links for 2008-06-12 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 13 Jun 2008 12:00 AM CDT |
Ideal Tool to Solve Real Problems ... of the Near Future? [Anton Chuvakin Blog - "Security Warrior"] Posted: 12 Jun 2008 09:02 PM CDT Remember my write-up about an ideal log management tool? Somebody asked me: "That's great that you have such a clear vision of a future log management technology - but tell me first what future business problems will such 'ideal tool of the future' solve?" First, I laughed and said: "Dude, look around, will ya? :-) There are plenty of log-related problems today which we are not even close to solving. We need to solve the problems of today first, before we can get to solving the future problems..." So, what I consider to be the biggest log-related problems of today?
Now, when you read the above think "end user", not "log management vendor" challenges (I plan to post about these later). My idea of an ideal tool will seek to solve these and others. Along the same line, this picture from 4th SANS Log Management Survey shows how people perceive the logging challenges: as well as my logging challenges poll (analysis here): Now, let's think of logging problems of the near future, say in 2 years. But you'd have to wait for the next post for this :-) |
Posted: 12 Jun 2008 09:09 AM CDT One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world. Some of the most prolific contributors to the content of the SBN has been the members of the Belgian Security Bloggers Network. I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government. It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors. The explanatory notes of the proposed regulation says this:
As the belsec author points out, disclosure of their identities would effectively silence their voices. There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have too. The EU is a democratic, progressive entity. Forcing these bloggers to make their "status and identity" public should not be mandatory here. Blogs are todays pamphlets. Basic freedom of expression, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights. What would Thomas Paine and others like him think of this restriction? If you feel that this is an unfair and unjust restriction on bloggers rights, blog about it. It is our right and to do so and we should use the medium to do so. If you are a EU citizen write to your representative and demand that this proposed regulation does not go into effect! Do not take your right to blog lightly. If you don't stand up for it, it can be taken away from you. "The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine This posting includes an audio/video/photo media file: Download Now |
You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full? Subscribe to the feed version of Black Hat Security Bloggers Network in a feed reader. | |
If you prefer to unsubscribe via postal mail, write to: Black Hat Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 |
1 comment:
Hello all, I would also like to give my opinion on Risk and Compliance.
IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: Greater business value from IT strategy, investment and alignment, Significantly reduced business and financial risk from the use of IT, and Conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report.
You can also get more information from http://www.compliancehome.com/symantec/
Post a Comment