
Tuesday, May 25, 2010

Things have moved

Hi all,

First off, the temperature outside is a relatively hot 30C in Ottawa. Feeling sorry for the boys in the pit (you know who you are).

Secondly, we have put together what I feel is one heck of a site (www.miw.ca). On that site, you will also learn more about our new training offering, IT Security for IT Staff. The course is a three-day course with an AWESOME finish.

What's the finish, you ask? Well, it's a CAPTURE THE FLAG contest, with a nice brand new 16GB iPad for the winner of the challenge!

The course is booked for Ottawa, Toronto, Mississauga and Montreal in the near future.

So, what are you waiting for? Get on over to http://www.miw.ca, sign up for the course and start brushing up on your security knowledge...Who knows...Maybe YOU will be the winner?

Saturday, January 30, 2010

Just a quick note

So, in addition to the last discussion...It turns out that not only did a complete building lose access to a key network because of poor HVAC, but the backup servers died the same death.

So, not only was availability impacted, but backup and restore functionality was also unavailable due to poor HVAC. As said: loss of availability = Denial of Service = security issue.

Back with more...

Thursday, January 28, 2010

CISA exam results are out!

If you sat for the December 2009 CISA exam, today (January 28th) is a very BIG day! ISACA finally released the results. Yes, I am very happy to announce that I passed the exam! So, now that I can speak with some authority on the exam, I plan to have various CISA knowledge/exam related discussions in this space.

So, here is the first one. However, I have to say first that this was originally going to be a separate discussion based on things that have transpired at work. The place where I work doesn't exactly have the best HVAC in the world. Both the workplace AND the development labs are really quite warm. So warm, in fact, that often we have to shut down systems in order for the heat to be somewhat tolerable. So...What does this have to do with security, you ask?

Poor HVAC systems = Denial of Service = Loss of availability.

Here's a real-life example...Access to a specific protected network (think SCADA network) was unavailable for over a day. Why? The closet in which a major network device sat (I guess I'm free to say it...it's a Type-1 crypto device called a Taclane) overheated and the Taclane died. Being the main access point into this particular network, hundreds of people were unable to perform any work on this protected network. How many thousands of dollars in lost productivity did this cost my client? Had the room the Taclane is stored in been equipped with proper HVAC and monitoring, this would have been avoided.

Remember, while you are preparing for a CISSP or CISA exam, a main guiding thought is that information security is not just about "hackers" and theft. It is also about the availability of systems. Availability can be seriously impacted if servers need to be shut down due to poor HVAC systems. The quality and monitoring of HVAC systems that serve data centers, or ANY important systems (including the wiring closets that network gear so often ends up in), should be on your list of things to check when performing an analysis of your company's security posture: is the temperature actually monitored, does someone get alerted when it climbs, and is there any redundancy in the cooling?

As a final side note, I would like to thank J.P and K.N for their unwavering love of my blog! Looking forward to more ideas from the fan club guys!

Thanks for reading!

Graham Thompson, CISSP, CISA* (waiting for application process to be finished)

Tuesday, January 19, 2010

The most dangerous Microsoft account

Hi all,

Another topic that really irks me, and should irk you, is the most dangerous account on a Microsoft system. So many admins completely disregard its impact...Can you guess what it is?

User accounts? No.
Power Users? No.
Administrator Accounts? Kind of, because they are often used as a regular account, but that's not the topic of this post.

Give up? It's the system account.

In the Microsoft world, the system account (LocalSystem, shown as NT AUTHORITY\SYSTEM) is the default identity for many services, and application services such as IIS and SQL Server are routinely left running under it even though they really don't need to be.

Going back to the last Knowledge Note, I discussed that Knowledge was a much more powerful ally in the security fight than a particular platform in use. This is never more true than with the system account.

The system account is the most powerful account on a Microsoft system, even more powerful than the Administrator account: it holds every local privilege without having to ask for it. So, I ask you, why do you allow web visitors to reach data on a backend server as the most powerful account possible? That is, in a nutshell, what happens when you run SQL Server as the local system account. If the SQL Server is ever compromised (a SQL injection flaw in the website, with xp_cmdshell reachable, is the classic route), the attacker can execute operating system commands on the SQL Server host as the local system account.

Running core services (because only core services required to support the business are run on the server...right?) with more rights than absolutely required is just asking for trouble. It's called the principle of least privilege...something we should all strive for on every system in the enterprise.

Securing your enterprise is hard enough. Accidentally giving an attacker a staging point in your network as either an administrator or as "SYSTEM" just makes your job even harder.

There is no magic solution or magic technology that will cover up a poorly designed system. As a first step, check a sample of external-facing systems (and of the systems they connect to) for services running as an administrator or as the system account. For each one you find, ask whether it could run as Local Service or Network Service instead, or under a dedicated account holding only the rights it needs (on Windows Server 2008 R2, a managed service account). Hopefully you won't be in for a surprise when you discover that the principle of least privilege isn't enforced on your system services...It's often overlooked.
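One way to do that first check, as an added example that is not from the original post: a PowerShell function (assumes PowerShell 5.1 or later for Get-LocalGroupMember, run elevated on the server being sampled) that lists every service configured to run as SYSTEM or as a member of the local Administrators group.

```powershell
# Added example (not from the original post). Assumes PowerShell 5.1 or later
# for Get-LocalGroupMember; run it elevated on each server you want to sample.

function Get-OverPrivilegedService {
    [CmdletBinding()]
    param()

    # How SYSTEM shows up in Win32_Service.StartName.
    $systemNames = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    # Current members of the local Administrators group, as 'DOMAIN\name' or
    # 'COMPUTER\name'. Nested group membership is not expanded here, so a service
    # account that is an admin only via a nested domain group will be missed.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $acct = $svc.StartName
        if ([string]::IsNullOrEmpty($acct)) { return }   # no logon identity recorded

        # '.\name' in a service configuration means a local account on this host;
        # rewrite it to 'COMPUTER\name' so it compares against the group listing.
        $normalized = $acct -replace '^\.\\', "$env:COMPUTERNAME\"

        # String comparisons with -in are case-insensitive in PowerShell.
        $reason = $null
        if ($acct -in $systemNames)        { $reason = 'runs as SYSTEM' }
        elseif ($normalized -in $admins)   { $reason = 'runs as a local Administrator' }
        if (-not $reason) { return }

        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            RunsAs      = $acct
            Reason      = $reason
            Binary      = $svc.PathName
        }
    }
}

# Windows' own services (under %SystemRoot%) mostly run as SYSTEM by design; the
# ones worth fixing are application services: SQL Server, IIS, backup, monitoring
# and AV agents, anything installed under Program Files.
$windowsDir = [regex]::Escape($env:SystemRoot)
Get-OverPrivilegedService |
    Where-Object { $_.Binary -notmatch "^`"?$windowsDir" } |
    Sort-Object Reason, Name |
    Format-Table Name, RunsAs, Reason, Binary -AutoSize
```

Two caveats: a service account configured in UPN form (svc_sql@corp.local) will not match the DOMAIN\name strings that Get-LocalGroupMember returns, and a SQL Server instance is better checked from inside SQL as well, since sys.dm_server_services reports the service_account of each SQL service directly.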

Thanks for reading! Please feel free to let me know your thoughts in the comment section. Also, please take a second to vote in the poll to the right.

Graham Thompson, CISSP
http://www.miw.ca

Platform Vs. Knowledge

The timeless debate continues to rage on, with the latest attack on a Microsoft product pouring gasoline on the platform fight: Microsoft vs. Linux vs. Apple.

It seems that people continue to believe that their company (or they themselves) are better protected with one platform than another. Now, it is commonly thought that Microsoft platforms (server, workstation and applications like IE) are attacked more than others. Let's look at the latest figures from the good folks at Secunia to get a better read on how many published vulnerabilities each of these operating systems actually has:

Linux (Ubuntu 8.04): 75 advisories
Linux (Ubuntu 9.04): 105 advisories
Linux (Debian GNU/Linux 4.0): 587 advisories
Microsoft Windows 2000 Server: 247 advisories
Microsoft Windows 2003 Server: 231 advisories
Apple Mac OS X: 138 advisories
AIX 6.x: 32 advisories

So, not to get too lost in the numbers, but one glaring thing pops out to me: They ALL have vulnerabilities! (The counts are not directly comparable, either: a Debian advisory count covers the thousands of packages in the distribution's archive, not just the kernel and core system, so the figures above say nothing about which platform is "safer".) In fact, I would be willing to bet that if AIX had a bigger install base, its numbers would be much higher.

Now, regardless of what platform is being run, here's my question...Assuming you're looking at these as file servers (I know...Ubuntu is better for the desktop, regardless...), why on Earth should ANY of these platforms be connecting to a Korean/Chinese/Utah IP address over port 443 or port 80 on its own? Better yet...Why are they ALLOWED to access anything over port 80 or 443? Does your policy allow administrators to browse the web from the servers?

Even better and trickier: If they are file servers, why would they require access to an external DNS server?

Can a firewall stop malicious "zero day" traffic from reaching DNS, HTTP or HTTPS services on the Internet while allowing "good" traffic over those same ports? Nope! A port-based firewall cannot tell the two apart, so the only reliable control is to allow only the network ports that are absolutely required and deny everything else, both into (ingress) and out of (egress) your corporate network, and that includes the egress from individual servers.
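As an added example that is not part of the original post, here is what that "allow only what is required" stance looks like on a Windows file server's own host firewall, using the NetSecurity cmdlets (assumes Windows Server 2012 or later; the addresses for the internal DNS resolver, domain controllers, patch server and client subnet are placeholders). It ends with an audit function that lists the outbound rules which would still let the box reach DNS, HTTP or HTTPS anywhere on the Internet.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or
# later (NetSecurity module). All addresses below are placeholders for your own
# internal resolver, domain controllers, patch server and client subnet.

$InternalDns       = @('10.0.0.53')               # assumption: internal DNS resolver(s)
$DomainControllers = @('10.0.0.10', '10.0.0.11')  # assumption: DCs this member server talks to
$PatchServer       = '10.0.0.20'                  # assumption: internal WSUS host
$ClientSubnet      = '10.1.0.0/16'                # assumption: where file-share clients live

# 1. Default deny in both directions on every profile. Everything after this is
#    an explicit exception, which is the whole point.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Ingress: SMB from the client subnet only.
New-NetFirewallRule -DisplayName 'FS: SMB from clients' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $ClientSubnet -Action Allow

# 3. Egress: DNS only to the internal resolver. A file server has no business
#    resolving names through an external DNS server, so anything else on 53 is blocked.
New-NetFirewallRule -DisplayName 'FS: DNS to internal resolver' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $InternalDns -Action Allow

# 4. Egress: domain-membership traffic (Kerberos, LDAP, SYSVOL, time) to the DCs.
#    No -Protocol means any protocol, but only to these hosts.
New-NetFirewallRule -DisplayName 'FS: domain traffic to DCs' -Direction Outbound `
    -RemoteAddress $DomainControllers -Action Allow

# 5. Egress: patches from the internal WSUS server on its default ports. There is
#    deliberately no rule allowing 80/443 to arbitrary Internet addresses.
New-NetFirewallRule -DisplayName 'FS: updates from WSUS' -Direction Outbound `
    -Protocol TCP -RemotePort 8530,8531 -RemoteAddress $PatchServer -Action Allow

# Audit: which enabled outbound Allow rules would still let this host reach
# 53, 80 or 443 on *any* remote address? On a file server every hit should be
# explainable. (Port ranges such as '80-443' are not expanded here.)
function Get-BroadOutboundRule {
    $ports = @('53', '80', '443')
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $rule        = $_
        $remotePorts = @(($rule | Get-NetFirewallPortFilter).RemotePort)
        $remoteAddrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

        $portHit = ('Any' -in $remotePorts) -or [bool]($remotePorts | Where-Object { $_ -in $ports })
        if ($portHit -and ('Any' -in $remoteAddrs)) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Ports   = ($remotePorts -join ',')
            }
        }
    }
}

Get-BroadOutboundRule | Format-Table -AutoSize
```

Roll this out through Group Policy to one pilot server first: with the default outbound action set to Block, the audit function will flag Windows' stock rules that are broader than a file server needs (the "Core Networking - DNS (UDP-Out)" rule, for instance, allows port 53 to any address and should be disabled or scoped to the internal resolver), and anything the server legitimately depends on that is not covered by rules 2 to 5 will show up quickly in the firewall log.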

Switching platforms may be a very short-term fix (and, in my opinion, nearly impossible in the corporate workplace), but in the long run nothing beats good old knowledge: knowing that all platforms are vulnerable to various exploits, and knowing your application systems and what services they absolutely require in order to meet business requirements.

Back with more...

Graham Thompson, CISSP
http://www.miw.ca/

Saturday, January 16, 2010

Google: Forcing DLP onto your company

A couple of days ago, Google announced that Google Docs was going to accept uploads of any file type, cap a single file at 250MB and allow up to 1GB of storage per user.

For the average user, this is awesome news. I get anywhere access to important files, can share with other Google Docs users, and don't need to use a USB key to copy files from work to bring them home to work on later.

WAIT!

Does a company seriously want corporate documents stored on a "cloud" server? I mean, emailing work home or storing a document on a USB key or portable HDD is one thing (and not necessarily a good one)...This is something completely different. Not only is intellectual property leaving the company premises, it is also leaving your network and being stored on another company's server. I know Google says they do no evil, but something is seriously wrong with this picture...

I would suggest that companies look into restricting these types of sites (at the web proxy or the egress firewall) before important documents are lost in the cloud. What's your take on the impact of Google Docs and other cloud storage solutions on your company's security?

Thanks for reading!

Graham Thompson, CISSP
http://www.miw.ca/

Friday, January 15, 2010

2010 - The coming out of defense in depth

Hi all,

Now this is BIG news, but it got very little coverage in the mainstream media. Google was successfully attacked this past week. McAfee calls the attack "Operation Aurora", describes it as "highly sophisticated" and states "We haven't seen encryption at this level."

So, what does this mean for enterprises without a solid defense-in-depth approach? Simply put, it means Big Trouble.

When Google AND Adobe publicly announce in the same week that they were hacked, I can only wonder how many other big multinationals were also successfully hacked. If these two high-tech companies with highly sensitive intellectual property can be successfully hacked, what is the average law firm to do?

The answer is : Defense-in-Depth.

Let me give you an example of the need for a solid defense in depth approach to today's security challenges.


A company has a website that reads data from a SQL server on a separate host. Standard stuff, right? Now, what if I told you that, from that web server, I can attack your SQL server; once the SQL server is compromised, I can get into your domain controller; and once on your domain controller, I have everyone's account names and password hashes and can easily access any server in your enterprise. Oh, and the best part: everything I send out goes over an encrypted channel that passes right through your firewall.


Really, executives have way too much faith in their perimeter systems, and I say "Operation Aurora" will change a lot of opinions about where security investments should be made in 2010. Obviously Google had a firewall, antivirus, IPS, SIEM, syslog, etc. So, with this in mind, did Google management put too much faith in their network defenses and pay only lip service (a.k.a. install patches) to the servers and workstations inside their network?

It wouldn't surprise me at all if Google I.S. staff detected the breach within minutes. But detection is only one third of the game; there is also prevention and response. Since these hacks were made during the Christmas-New Year's vacation time frame, I can only assume response times were less than desired. As for prevention...in many cases, internal defenses such as network zoning, system accounts, internal security assessments, etc. are just not given the attention they deserve.

So how can a company increase its defenses against this type of attack? That is the purpose of this blog. In future Knowledge Transfer Notes, we will discuss the need for network zoning and for securing system services.

Thanks for Reading!

Graham Thompson, CISSP
http://www.miw.ca/