Tuesday, February 24, 2009

Tips for Cloud and Virtualization Security

As cloud computing grows in popularity, it's important for companies considering this option to take heed of the security issues. Here are some guidelines from Computer World:

1) Understand the cloud and how its diffuse structure affects data security
2) Demand transparency from any proposed vendor about their security architecture
3) Reinforce your internal security such as access controls and firewalls and make sure the cloud meshes with these existing security procedures
4) Consider the legal implications of data put into the cloud
5) Pay attention to changes in cloud technology affecting security

Some other security-specific issues to clarify with a potential cloud provider are user access, regulatory compliance, data location, data segregation, disaster recovery, investigative support and long-term viability.

A related concept, virtualization, also takes data directly off hardware and requires care to protect. Unlike cloud computing, virtual systems remain in-house. According to this piece from Neil Roiter of TechTarget's SearchSecurity site, this will be a big year for virtualization vendors to beef up security.

The idea is that security requirements for virtual environments are the same as those for any other environment, including configuration management and change control.

More SSL Mischief and Sleight of Hand

TechRepublic ran an interesting post today by Michael Kassner on its IT Security blog about some tricks for bypassing SSL, the darling of security for e-commerce web sites.

The post has details and slides from presentations at the recent Black Hat DC 09 conference on the subject. Interestingly, the exploits are mostly Man-In-The-Middle (MITM) attacks, or those that fool users into non-HTTPS sites, rather than cracking the algorithms behind SSL.

How to Securely Destroy Information

This is an informative and thorough piece on the CSO web site from Ben Rothke about how to securely destroy data.

Traditionally, IT security tends to look at data in motion or at rest, not on the way to the trash can. But, as this article accurately points out, the fine art of dumpster diving is far from passé. The riches found in a sample garbage expedition are enlightening, if not frightening.

The article further provides a long list of documents that should be considered in any destruction program, and discusses whether to outsource data destruction and how to select a vendor, if that's the route a company chooses.

Sunday, February 22, 2009

Two Social Engineers Are Leaving a Bar . . .

. . . and one says to the other. These are eight of the most classic pick-up lines ever spoken by a social engineer to get in the door. They're brought to you courtesy of CSO:

  • "I'm traveling in London and I've lost my wallet. Can you wire some money?"
  • "Someone has a secret crush on you! Download this application to find who it is!"
  • "Did you see this video of you? Check out this link!"
  • "This is Chris from tech services. I've been notified of an infection on your computer."
  • "Hi, I'm the rep from Cisco and I'm here to see Nancy."
  • "Can you hold the door for me? I don't have my key/access card on me."
  • "You have not paid for the item you recently won on eBay. Please click here to pay."
  • "You've been let go. Click here to register for severance pay."

They're not clever, and they're not brilliant. But they are typical.

Keeping Porn and Malicious Insiders at Bay

What do pornography and the insider threat have in common? On the surface, not much. But, if you take a closer look, they're two sides of the same coin. Most, if not all, enterprises, I'd say, want to keep their employees from surfing porn.

That's not just for legal reasons, but also for security reasons. Even as mainstream sites increasingly host malware, porn sites continue to be major hosts of malware as well. So, in a sense, although porn-surfing isn't an insider threat by itself, it's one of those bad things malicious insiders might attempt.

In this SearchSecurity article on TechTarget's web site, David Mortman describes the two mainstays for fighting porn in the enterprise: web content filtering and content logging for forensics and policy enforcement.

In an unrelated article in eWeek, Jeff Nielsen provides some nice tips for combating malicious insiders. The article talks about process-based systems for managing privileged accounts, the keys to the entire store, which, if abused or stolen, leave a company wide open and vulnerable to attack. The next step is audit trails for tracking malicious behavior and, finally, integrating policy controls with an identity and access management tool such as Active Directory.

Sunday, February 15, 2009

Will A New Internet Be Any Safer?

Somewhere deep in the campus of Stanford, engineers are designing a parallel Internet, one that will be, supposedly, insulated from some of the security issues plaguing the current public one.

But the question is: will it actually end up being safer, or just another clone of its security-hole-ridden ancestor?

In this thought-provoking article in The New York Times, John Markoff probes just that question. The idea is that this new Internet will have safeguards, not available currently, and will gradually take over, relegating the existing Internet to a bad neighborhood, where only the brave tread.

Citing the Conficker worm, which evaded existing Internet defenses, Markoff quotes Rick Wesson, the CEO of Support Intelligence, who says we're heading toward a "digital Pearl Harbor" where we have "Japanese ships streaming toward us on the horizon."

The Stanford Clean Slate project is designed to add better security features to the network and give law enforcement better tracking capabilities. The idea is to have something like a driver's license for anyone wanting to connect to the Internet. Of course, as with the existing Internet, the issue of identity is difficult, if not almost impossible.

What will probably happen, the article says, is that this supposedly new Internet will have features built into the routers and software, the backbone of the existing Internet.

Friday, February 06, 2009

Social Engineering with a Cisco Shirt

There's nothing particularly new or brilliant in this story from CSO Online. It's just a textbook social engineering exercise about a security consultant who basically talked his way into a client's facility and hacked their network. The exercise was part of a vulnerability test for a "retail company with a large call center."

All the tester used was a Cisco shirt bought at a thrift shop, some USB keys left in the cafeteria, a Linksys wireless router and a plate of cookies. The USB keys had password-stealing rootkits. These are some of the oldest tricks in the book. The sad part is that they still work.

Tuesday, February 03, 2009

The Firefox Versus IE Security Debate

This one seems to be another of those legendary long-standing discussions: the security of Firefox versus Microsoft's still ubiquitous Internet Explorer. Though IE has lost some ground in recent years to Firefox, the "other" browser is often perceived as more secure.

But is it really? In this piece from CSO Online, the issue is debated by security experts. Most slightly favor Firefox for security but IE for compatibility with other Microsoft products -- like Exchange, SQL Server and SharePoint -- which still dominate many enterprises.

But IE has improved its security and, in reality, neither browser is 100% foolproof. In many cases it's the user as much as the browser: how they configure it, and whether they keep it patched and up-to-date, really determines whether or not the browser is secure.

Hacking Exposed Sixth Edition

The sixth edition of the landmark Hacking Exposed book is now available and, like the rest of the outstanding Hacking Exposed series, carries on the tradition of being an encyclopedic reference for IT security.

This book is a must-have for any security professional. The newly released sixth edition has a new chapter on application security with details about the Security Development Lifecycle, plus all the usual goodies from previous editions.

Monday, February 02, 2009

Office Security is On The Desk

This is a little physical security tidbit from CSO Online about office security. It's about how employees leave things like sticky notes with passwords and confidential documents with company information right on their desktops for all to see.

In a video, someone from CSO takes a random walk through their office after hours and finds all kinds of hidden gems for prospective social engineers and data thieves. And none of it is protected by locked offices. There's plenty of confidential stuff in open cubicles, including an access card under a computer keyboard.

Ever heard the one about the data thief who gets a job as a cleaning person?