To read more and get some tips on building a security incident handling entity go here.

Read the full article here

Read the full article here.

I think that major cloud providers are working on it, especially Amazon that they are now PCI DSS compliant. On the other hand, the cloud infrastructure is what it is and there will always be the risk of data exposure unless you take the adequate preventive measures. Rather than expecting the impossible from the providers I would implement cloud aware mechanisms that help me protect my data.

Implementing a model that encrypts data all the way, that is, while in transit and when stored reduces the risks of disclosure considerably. Given that the latest encryption tools are put in place makes it harder for an attacker to decipher any data even if he/she is a cloud provider internal employee and has full access to our encrypted data!

Cloud Services have brought new challenges for all security professionals and we can’t expect Cloud Providers to guarantee the highest levels of security when the infrastructure has certain limitations and there’s no magic formula that makes it 100% secure. Therefore, it’s our task to secure our resources in the Cloud and should try to visualize the Cloud as our own server rooms left accessible to all internal staff and without any control measures in place. Only then we would start taking a different approach and finding new ways how to secure our data in the cloud!

Mikeyy worm – April 09. A computer worm with the name of Mikeyy sent thousands of tweets (messages) across Twitter.com. The tweets promoted Michael Mooney’s website (the author) who manages a website with info related to twitters’ vulnerabilities!

Koobface worm – Sept 09. Koobface is a computer worm that targets users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. The main purpose of Koobface is to gather users’ personal information such as credit card numbers.

Botnet compliant – Aug 09. It was reported that twitter site has been used as the key part of an information-stealing botnet operation. A Twitter account was used to issue instructions to infected computers that are part of a botnet. Tweets coming from the malicious account were actually instructions sent to bots. Other Twitter weaknesses were reported more recently (Aug 2010) were Cybercriminals took advantage of a cross-site scripting vulnerability.

If social networks are considered as the information battlefield, then the users’ machines are the target. If the present Web 2.0 platform allows the spreading of Botnets, then there will be more captured civilians (Botnets controlling our machines). Way back in 2008, the Conficker worm captured more than 7 million computers under its control! Conficker targeted the Microsoft Windows operating systems and used flaws in the operating system to remotely control these machines.

Another remote administration tool (backdoor) which bypasses normal security mechanisms to secretly control a program, computer or network is known as Poison Ivy. Poison Ivy gives the attacker practically complete control over the infected computer. Backdoors may be considered as user based attacks as they can rename, delete, or execute files for illegitimate purposes. Files can also be uploaded and downloaded to and from the system.

Other Botnets and Rootkits

The Srizbi botnet was one of the world’s largest contributors of spam which suffered a significant setback when a hosting provider identified as the main source of Srizbi, was taken down. The Fu is a kernel-mode Rootkit that modifies kernel data structures and is one of the most widely utilized Rootkits. A more powerful version of FU, FUTo was created to demonstrate the weaknesses in Rootkits detection software. The AFX Rootkit is capable of hiding windows registry values, processes, files & folders, services, modules and other system related info. Detection of the Rootkit can be accomplished by the presence of iexplore.dll and/or explorer.dll.

DDOS attacks

Twitter DDOS attack – Aug 09. Twitter was shut down for hours affecting millions of users around the world. The outage was the result of a distributed denial-of-service attack and is considered as the major outage the service has suffered in months.

Google Attack (Aurora) – Dec 09. Google Gmail accounts were under attack by a highly sophisticated tool that originated from China. Google stated that these attacks were targeted at email accounts of Chinese human rights activists. Theft of intellectual property from Google and other major companies were also reported.

Data theft, disgruntled employees and logic bombs

A major bank employee had time to plant a logic bomb that was aimed at about 4,000 of the banks production servers after he was told that he was fired – the Freddie Mac incident. The bomb never took off as it was discovered in time, but the disgruntled employee had time to plant a script that if triggered was capable of blocking all monitoring systems so that no alerts would be sent, disable logins to production servers, replace all data on production servers with zeros and finally disable all fail-over mechanisms. In August of 2008, 11 men were charged of hacking into TJX network and stealing millions of credit card numbers from nine US businesses. The TJK case (owners of TKMaxx) is one of the largest data theft cases.

Heartland Payment Systems suffered a similar incident, where a malicious keystroke logging tool exploited million of records from this PCI (Payment Card Industry) compliant payment-processing company. These attacks raise doubts about Payment Card Industry (PCI) compliance standards. The data stolen from Heartland includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Last year, Bank of America (BOA) had a call center employee stealing customer information and was charged for bank fraud while, some time later in a separate case an internal programmer was accused of stealing trade secrets.

Further comments are superfluous……..

1. Keep your system and applications  updated with the latest security patches
2. Install protection tools such as, Antivirus, Anti-malware/Spam, host-based firewalls & monitoring programs – keep them up-to-date!
3. Use restricted user accounts, disable unneeded services, set permissions and policies
4. Enable logging and notification features – check logs!
5. Set strong passwords

Most of the times, malicious activities take advantage of computer users’ mistakes and negligence, so don’t allow mishaps to happen due to the absence of preventive measures and lack of knowledge!

Securing the IT environment is not a task that is defined once and carried out for the life time of the environment but it is an ongoing process of adjustment (updating items) while executing routine checks.  Whether you are a senior executive or security officer in a large organization or an IT Manager in a small enterprise you need to have a security checklist that is dynamic.  While, such a checklist is used to review that all parts of the IT environment are dealt with, the same checklist would tell you that certain areas have become obsolete while others needs further hardening. Reviewing these checks with the responsible IT staff would also turn up new areas that may be missing from the list.

A high-level security checklist like the one below is not intended to deal with the implementation details of the security controls but it can be extended or linked to other documents. It is a sample checklist that can be used as a starting point!

Physical security:

1. Access to server room
2. Access procedures & guidelines
3. Redundant & storage hardware – ex: RAID, backup drives, etc.
4. Disable unused network points
5. CCTV control / theft & fire systems
6. Mobile workers guidelines for handhelds/laptops – ex: usage policy
7. Inventory of all hardware
8. …

Network security:

1. Network Switches configuration – ex: replace default settings
2. Monitor network traffic – ex: performance issues due to malicious scan tools
3. Monitor Internet traffic – (company policy!)
4. Allowed Protocols – ex: SNMP, community strings settings & permissions
5. DMZ setup – ex: servers in DMZ should not store internal IPs
6. Firewall configuration – ex: allowed/blocked ports, secure vpn access, etc
7. IDS or IPS configuration if implemented
8. …

Wireless Network:

1. WAP configuration – ex: replace default settings, such as, SSID name
2. Shared key management – ex: centralized, expiry rules, complexity
3. Additional security – ex: disable SSID broadcasts, use Https, Mac filtering, etc
4. …

Application Servers:

1. Mail servers configuration – ex: open relay!, antivirus solution, etc.
2. Web servers configuration – ex: disable unused services/accounts, etc.
3. Database servers configuration – ex: db admin account, logs, etc.
4. DNS servers configuration – ex: zone transfer, cache settings, etc.
5. File servers – ex: ACL, file shares, antivirus, etc.
6. AD configuration – ex: security group policies, ACL, etc.
7. Updates mechanism – ex: systems and applications updates, notification, etc.
8. Logs – ex: logs are enabled, collect/review logs
9. Remote admin – ex: SSH, secure RDP, etc.
10. Admin scripts – ex: passwords in clear text!
11. Monitoring mechanism – ex: notify when services are down
12. …

Client Workstations:

1. Software updates distribution – ex: auto vs manual updates, central distribution
2. Antivirus solution – ex: cannot be disabled, auto updates, etc.
3. Computer Policies – ex: lock idle workstations, installation permissions, etc.
4. Hardware usage policies – ex: lock unused ports, media usage, etc.
5. Software inventory – ex: applications installed with version numbers
6. User access permissions – ex: dis/allow administrator privileges!
7. Password policy – ex: strong but not too complicated
8. …

Others:

1. Staff education – ex: ethics, security awareness, etc.
2. IT personnel training – ex: training program
3. Data non-disclosure agreement -
4. Social media usage policy – ex: facebook, personal blogs, etc.
5. Other policies….

The above checklist is not an exhaustive one but should give you a head start. Hence, any additions that you may consider important are welcomed. You may submit them as comments.

Frameworks help organizations build an underlying structure that deals with the strategy, the tactical and the operational aspects of security and risks. No single framework is a perfect match and hence, a better approach would be to review a couple of frameworks such as, Cobit, ISO or ITIL and use parts where appropriate.  It is recommended to mix, match and personalize frameworks as to create your own structure. Common sense within a framework is necessary and will drive consistency.

 
IT risks must be put in the context of the big picture and not isolated from the rest of the organization. They may fall in different categories or levels but their impact is always linked directly or indirectly to the business. An organization must integrate risk management with IT Governance and compliance, whether they are external laws and regulations and/or internal corporate policies and procedures.

What kind of Risk levels we find in an organization?

Lowest level isolated type of risks may happen on a day-to-day basis.  User errors are the most common, however, IT related risks may be present in badly configured servers or setups, insecure project tasks, etc. The lack of security awareness and education among the employees will increase the probability of risks. Various tools and controls can be used to minimize these risks.

A combination of low level risks would comprise the organization’s infrastructure security. The impact is higher as it starts disrupting business units. At this level of risks we find project failures, vulnerable infrastructure, violation of SLAs by vendors, etc. The implementation of adequate controls and standards is a must at this level.

A combination of failed projects, violated SLAs and infrastructure vulnerabilities will lead to enterprise level disruption. At this level, apart from the business disruption which means financial losses, the organization may suffer bad reputation as well!

At the highest level of risks we find elements tied to the business such as, market perception, strategic failures and regulatory compliance.  The impact at this level is critical as an organization may lose its market share and ruin the business, can be fined and make it to the news headlines!

The cloud is not just a cool technology model but it is also a business model. It is a well-known fact that Amazon at the outset, designed the infrastructure for their own use but it evolved into a product or better a service offered as – Amazon’s Web, EC2, S3, or Amazon’s cloud. It is quite evident that now they are trying to increase their revenue by pushing their infrastructure to the limits through new offers such as, – Spot Instances enable you to bid for unused Amazon EC2 capacity. We all heard of power outages, resources that disappear and slower response times that may be a consequence of an overloaded setup. However, through personal experience I can say that these incidents are very rare with big providers such as, Amazon. Remember, that downtime is also possible with in-house solutions!

One common SaaS is email – if the main criteria are costs, then outsourcing email is your best option. Although, big corporations can negotiate favorable agreements with email providers such as, Google – remember that small to medium businesses may not get the same favor! A word about Google email and applications services – it is very hard to get reasonable support and you may need to rely on third-party tools for basic stuff such as, backing up email boxes. In addition, there is no guarantee that user data would be secure and backed up.

All cloud services share the available resources and therefore, you are competing for computer resources with other customers. A good alternative would be to place your assets with two different providers or use the cloud just to scale-up your systems when the demand rises. Although, you may implement all of the security measures provided by the cloud provider and by the systems themselves, there is still the risk of possible intrusion/destruction from neighboring hosts. Neighboring hosts are virtual machines that are running on the same server or in the same data center. One university claims to have a prototype/model that can identify the exact location of a virtual machine and eventually can start a neighboring VM (Virtual Machine) with high utilization that can hook the underlying platform! In the event of using the cloud as a storage provider, implementing data encryption would adequately harden security – read Securing your online backup archives

No cloud standards yet exist! If you are using the cloud as an infrastructure service, it is impossible to move your assets elsewhere say, to another cloud provider without rebuilding your systems from scratch and moving all your data, as virtual machines setups are not compatible from one provider to another. If you are using software as a service then you need to find another provider that provides the same service and data migration capabilities. Apart from all this, one of the major setbacks remains your Internet connection – so before contemplating to use cloud services make sure to invest in a good and reliable Internet connection, otherwise, you will be disappointed!

One solution is to protect each and every document using a password. Many programs have such a capability built in.  For many one, two or three person organisations this solution could work; the people would password protect every file using a phrase that is shared amongst colleagues. As the number of employees increase, guaranteeing that everyone is obeying the rules makes this solution one that is too problematic. Besides certain file types cannot be password protected.

The script I am sharing is one that addresses this problem. It makes use of the commercial product WinRar to archive an entire directory (including subdirectories) into a RAR file. The RAR file name is user definable and is placed in a folder under C:\RSB. The RAR archive is password protected using a password passed to the script. The script is called rsb.cmd.

The example below would archive everything starting from D:\Personal Docs\Articles to an archive called C:\RSB\Documents. The password used to encrypt the archive is 123456.

rsb Documents “D:\Personal Docs\Articles” 123456

If you have another folder you would like to archive, simply call the command above with a different archive name and a different directory. Using a different password is up to you.

Below is the script to perform this task:

@echo off
:: This script archives a directory and all its contents with a
:: password for storage in online backup service. It adds
:: recovery information to the archive thereby increasing the
:: chance of it being opened up if the archive is damaged.
:: This script compresses files thereby reducing the storage
:: requirements as well as upload times.
:: Written by Alan C. Bonnici (email chribonn@gmail.com) 2010/05

set r_Version=1.0

rem This script takes three parameters:
rem  1. The name of the archive
rem  2. The directory (and its sub-directories) that are to be archived
rem  3. The archive password
rem The archive will be placed into a directory called RSB. Your
rem online backup program should backup all files in this
rem directory

rem All 3 parameters are mandatory
if [%1]==[] GOTO :Error
if [%2]==[] GOTO :Error
if [%3]==[] GOTO :Error

set r_Archive=%1
call :DeQuote r_Archive

set r_Dir=%2
call :DeQuote r_Dir

if EXIST C:\RSB\NUL GOTO :DirExists
md C:\RSB

:DirExists

echo The contents of this archive are intended only for the person or entity to whom they belong and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. > "%TEMP%\comment.rsb"

if EXIST "%TEMP%\output.rsb" del /q "%TEMP%\output.rsb" > NUL

"%PROGRAMFILES%\winrar\winrar.exe" u -as -av -cfg- -ow -r -rr10p -inul -ilog"%TEMP%\output.rsb" -t -hp%3 -z"%TEMP%\comment.rsb" -- "C:\RSB\%r_Archive%" "%r_Dir%"
set r_Err=%ERRORLEVEL%
if %r_Err%==0 GOTO :EndCmd

rem An error occurred. Dump the file if it exists
if EXIST "%TEMP%\output.rsb" type "%TEMP%\output.rsb"

echo.

if %r_Err%==1 echo Warning. Non fatal error(s) occurred.
if %r_Err%==1 GOTO :EndCmd

if %r_Err%==2 echo Error. A fatal error occurred.
if %r_Err%==2 GOTO :EndCmd

if %r_Err%==3 echo Error. CRC error occurred when unpacking.
if %r_Err%==3 GOTO :EndCmd

if %r_Err%==4 echo Error. Attempt to modify a locked archive.
if %r_Err%==4 GOTO :EndCmd

if %r_Err%==5 echo Error. Write error.
if %r_Err%==5 GOTO :EndCmd

if %r_Err%==6 echo Error. File open error.
if %r_Err%==6 GOTO :EndCmd

if %r_Err%==7 echo Error. Wrong command line option.
if %r_Err%==7 GOTO :EndCmd

if %r_Err%==8 echo Error. Not enough memory.
if %r_Err%==8 GOTO :EndCmd

if %r_Err%==9 echo Error. File create error.
if %r_Err%==9 GOTO :EndCmd

if %r_Err%==255 echo Error. You aborted the process
if %r_Err%==255 GOTO :EndCmd

rem Undefined error.
echo Error. Undefined error %r_Err%

goto :EndCmd

:EndCmd
rem Clean up
if EXIST "%TEMP%\comment.rsb" del /q "%TEMP%\comment.rsb" > NUL
if EXIST "%TEMP%\output.rsb" del /q "%TEMP%\output.rsb" > NUL
set r_Archive=
set r_Dir=
set r_Err=
set r_Version=

goto :EOF

:Error
echo This script takes three values:
echo    1. The name of the archive
echo    2. The directory (and its sub directories) that are to be archived
echo    3. The archive password
echo The archive will be placed into a directory called RSB (it will be created if it does not exist).
echo Your online backup program should backup all files in this directory.
echo RSB Documents "C:\Users\ACBonnici\Documents" Pa$$w0rd
goto :EOF

   :: Removes the outer set of double quotes from a variable.
   :: Written by Frank P. Westlake, 2001.09.22, 2001.09.24
   :: Modified by Simon Sheppard 2002.06.09

   :: Usage as a function within a script:
   ::   CALL :DeQuote VariableName
   ::
   :: Calling as a function from another batch file:
   ::   CALL DeQuote.cmd VariableName
   ::
   :: If the first and last characters of the variable contents are double
   :: quotes then they will be removed. This function preserves cases such as
   ::   Set Height=5'6" and Set Symbols="!@#
   ::
   :: If a variable is quoted twice and has delimiters then you will
   :: need to run the function twice to remove both sets.
   ::   Set var=""Two Quotes;And,Delimiters=Fails""
   ::
   :: If the variable name itself contains spaces the routine will fail
   :: e.g. %v_my_variable% rather than %my variable%

   :DeQuote
   SET DeQuote.Variable=%1
   CALL Set DeQuote.Contents=%%%DeQuote.Variable%%%
   Echo.%DeQuote.Contents%|FindStr/brv ""^">NUL:&&Goto :EOF
   Echo.%DeQuote.Contents%|FindStr/erv ""^">NUL:&&Goto :EOF

   Set DeQuote.Contents=####%DeQuote.Contents%####
   Set DeQuote.Contents=%DeQuote.Contents:####"=%
   Set DeQuote.Contents=%DeQuote.Contents:"####=%
   Set %DeQuote.Variable%=%DeQuote.Contents%

   Set DeQuote.Variable=
   Set DeQuote.Contents=
   Goto :EOF

If you would like to download this script rather than copy and paste it from this article point your browser to http://www.RemoteStorageBackup.com/downloads/RSBArticleCode.rar. What remains is to set your online backup program to backup everything in the c:\RSB directory. Don’t forget to periodically test that everything is working well.

Next time I’ll delve into the code and explain what it does and how it works. This will allow you to customise it to your needs.

If you have any observations or questions send an email to chribonn@gmail.com.