Check this link:
http://www.sans.org/critical-security-controls/control.php?id=5
Everyone knows they should have anti-virus software. Well, I would hope most people do. Anecdotal evidence aside, why should people have malware defense? Well, like anything else, I think a discussion of definitions needs to occur. Now hold on, this isn't going to be some boring list of words. It's going to be an exciting one! Malware is really just a catch-all term for any piece of bad software. It's all the viruses, spyware, Trojans, logic bombs, and adware that exist. Think of it as software that wants to hurt you and your PC.
Ok, now that we have defined it, what can we do to stop it? Well, the short answer is... not much. The people who are creating advanced malware are working very hard to do so. They have access to all the latest software and antivirus software. In fact they have kits which are intended to help them do this. You can actually lease time on cloud-based services designed to create and distribute sophisticated attacks: https://blog.damballa.com/archives/tag/cloud. So if you are still reading you may be thinking, "well, that's a lot of doom and gloom." Well, hang in there.
While sophisticated attacks do exist, many of the attacks being used are not. In fact many of the attacks which occurred last year were unsophisticated. This article discusses the idea: http://blog.trendmicro.com/trendlabs-security-intelligence/how-sophisticated-are-targeted-malware-attacks/. In addition, for a far more detailed analysis you can check the Verizon Data Breach Investigations Report. So if the attacks are using known vulnerabilities, why can't we just fix them? In some cases this is due to the vendor not being able to re-work a difficult issue. However, in some cases it is because the end users need the functionality that is being exploited. Or, it may be that the flaw is not in public view.
The answer to all of these concerns is malware defense. In a corporate environment, have an automated anti-virus solution, monitor that antivirus solution, act on the reports it gives you, update the system, and most importantly educate users about it. This type of protection can also be integrated into firewalls. Network monitoring tools can look for known viruses and bad behavior on a network. Most importantly, have a plan. What will you do if a system becomes compromised? Who will you call, and where will a replacement PC come from? More importantly, how will you rebuild a server? How long will it take? Will you invest in a cleanup and evidence preservation effort? If you don't have the answers to all of these questions you are like most people. If you are looking for a place to start, read SANS control 5.
The secret to malware defense is understanding the risk present, proper protection, and a recovery plan.
Sunday, June 30, 2013
Sunday, June 23, 2013
Why on earth would I use Microsoft Visio
This week I decided to write about a feature in Visio that I was, until recently, unaware of. For those of you who don't know, Microsoft Visio allows users to create diagrams and maps. You can map a city, office, network, even a process or idea. This is very useful. Interestingly enough, it also allows its users to show relationships graphically. If any of you have ever needed to explain how authentication works on a network, the picture will certainly inform the topic. Here is an example.
In addition to this functionality, the product also allows you to diagram a website. This is a new function I was unaware of until recently. While documentation is an obvious need in security, website diagrams are more directly related. In order to use this functionality, one must create a new Visio document, go to Software and Database, then select Website (http://office.microsoft.com/en-us/visio-help/generate-a-web-site-map-HP001209112.aspx). Once that is complete, simply follow the import dialogue. You will put in the URL you are looking for. At that point you just hit OK and wait. Here is an example.
I chose to use Altoro Mutual. This is a demo site set up by IBM. Security professionals use it to test this type of tool: http://www.testfire.net/default.aspx
This tool allows the user to map the links and relationships in a website. From my perspective it shows me hidden links as well as possibly forgotten pages. This is something anyone who designs web pages should take full advantage of. It also allows you to graphically illustrate website design.
Sunday, June 16, 2013
Identifying Credible Resources, a how-to!
So we are living in the information age, so they say. In cybersecurity we constantly find ourselves attempting to defend systems and ultimately information. One of the ways we do that is by getting intelligence. It's kind of like the Maginot Line. The Maginot Line was designed for use during World War Two using a World War One mindset. The line consisted of numerous tunnels, walls, and forts which ran along the border of France and Germany. It was thought that these fortresses would be superior to the trenches experienced in World War I. However, the world changed! While the Germans were not able to rout the occupants of these fortresses, they were able to bypass them and take France. Ok, so intelligence or information informs our decisions. It enables us to focus on what we are trying to protect and, more importantly, the best way to go about it. I've divided information gathering in this context into a few categories.
1. Blogs or internet media
2. Vendors
3. People, conferences, and groups
Since we have decided to get more information, how do we know what to trust? The place to start is finding out what other people are doing. For example, check out a blog. I like Krebs on Security. This blog is run by a veteran in the field. He will tell various stories from a unique perspective. In addition, he has invested significant time in creating online personas which have access to the darker side of the web. I also like to check on Bruce Schneier. Bruce is less involved but more academic. Reading his work will help you understand concepts. Lastly, check out some security podcasts. These will typically contain up-to-date information. I typically check on Security Now.
That covers blogs and current events. You can also subscribe to the vendors for the systems you protect. The most obvious example would be Microsoft TechNet. Many people realize that Microsoft has a Patch Tuesday, but not everyone realizes they send out messages about those updates a week before. You can even sign up to get them via e-mail, and notifications via Twitter if you sign in with a Live ID. HP is another good example. When you register products they will notify you via e-mail of important driver and system updates.
Lastly, talk to people. Take a class at a local university. If you can get there, go to a conference. You can also join some other organization like InfraGard. The key to all of this is: talk to people! People have experiences and may have considered methods you have not. They may also recommend programs, products, software, and other people!
While all of these ideas are a good place to start, they can't be the end. One of the reasons it is important to develop and grow a security intelligence network is that threats are ever present. As a professional you must design, document, and tailor your own network. As always, trust what you hear but verify the veracity.
Sunday, June 9, 2013
The SANS Top 20 Control 4, Continuous Monitoring
I need to take a moment to note it has been a few years since my last blog post. That being said, the controls have changed numbers. Since I already discussed inventory previously, I'm going to go ahead and jump in sequence with a control I missed before. Here is a link to the Top 20 in case anyone is interested: http://www.sans.org/critical-security-controls/
What is continuous monitoring? I recall hearing about this a few years ago; more aptly, it should be called continuous automated monitoring. This type of work usually involves some sort of product scanning an information system in an ongoing capacity. The system then reports back to a central database. That information is then read and reported on. Hopefully that information can then be used to drive changes within an organization. One example of a free version of this is OpenVAS, http://www.openvas.org/. While I have used this before, I must admit most of my experience is with a Tenable product called Nessus. This product does provide a free download. However, if used in a business, a license should be purchased. Without this license automatic updates will not work. In addition, new features like passive vulnerability scanning will not become available. Another product commonly used for this is Nexpose. This product works in concert with BackTrack or Kali Linux. It is also quite popular. http://www.rapid7.com/products/nexpose/
Ok, now I've listed a few of the possible products which can be used for this type of work. So, how do they work? The high-level view here is that they collect data about patch updates, common vulnerabilities, virus definition updates, and many other small issues. These devices then scan networks and look for these issues. People can then log into the system, view the result, update the systems, and confirm the result is gone. One of the key programmatic elements here is that these scans can become part of business as usual. For example, before a system goes into production a scan should be run. This can ensure the system is being updated.
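The "scan, fix, confirm the finding is gone" loop and the pre-production gate described above, as an added example that is not part of the original post. It is a small Python script, not the export format of Nessus, OpenVAS or Nexpose: the two scan reports are constructed inline in a simplified CSV layout (host, check id, severity, name) so the script runs offline.

```python
"""Track vulnerability findings across two consecutive scans (added example)."""
import csv
import io

# Constructed sample exports: one row per (host, check) finding. Not real data.
SCAN_WEEK1 = """host,plugin_id,severity,name
10.0.0.5,10001,high,Missing OS security update
10.0.0.5,10002,medium,Outdated antivirus definitions
10.0.0.9,10001,high,Missing OS security update
10.0.0.9,10003,low,SMB signing not required
"""

SCAN_WEEK2 = """host,plugin_id,severity,name
10.0.0.5,10002,medium,Outdated antivirus definitions
10.0.0.9,10003,low,SMB signing not required
10.0.0.9,10004,critical,Vulnerable web server version
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_scan(text):
    """Return {(host, plugin_id): row} so findings can be matched between scans."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], r["plugin_id"]): r for r in rows}


def diff_scans(previous, current):
    """Classify each finding as resolved (gone), new, or persisting."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "resolved": sorted(prev_keys - cur_keys),    # fixed since last scan
        "new": sorted(cur_keys - prev_keys),         # needs a ticket
        "persisting": sorted(prev_keys & cur_keys),  # fix did not land
    }


def production_gate(scan, host, max_severity="medium"):
    """Pre-production check: pass only if no finding on host exceeds max_severity."""
    limit = SEVERITY_RANK[max_severity]
    blockers = [r for (h, _), r in scan.items()
                if h == host and SEVERITY_RANK[r["severity"]] > limit]
    return len(blockers) == 0, blockers


if __name__ == "__main__":
    week1, week2 = parse_scan(SCAN_WEEK1), parse_scan(SCAN_WEEK2)
    for status, keys in diff_scans(week1, week2).items():
        print(status, keys)
    ok, blockers = production_gate(week2, "10.0.0.9")
    print("10.0.0.9 ready for production:", ok, [b["name"] for b in blockers])
```

The same diff logic applies to any export that can be reduced to (host, check id) pairs, which is how "confirm the result is gone" becomes a repeatable check rather than a manual review.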
So what about additional features? Many of these systems allow custom definitions or audits to be created. These files can allow companies to look for a specific detail on systems. I once created a file to search the registry for a specific key. This key referenced an application which my company was using. While these systems all find vulnerabilities, they do not fix them. In addition, they do not explain the consequences of system changes. I recommend that these systems be viewed as a part of a larger vulnerability mitigation plan.