Saturday, June 30, 2012

The most important IT security policies & procedures

           This week my focus has been on IT security policies and procedures and I figured that it wouldn't hurt to have a list of some of the more important ones. 

            A security policy is documentation that spells out and enforces a specific set of rules and regulations.  A policy is the foundation for ensuring a security program can be developed.  A policy can be put in place to hold people accountable for their actions.  It is a living document that allows an organization to define very clear objectives, goals, formal procedures, and rules that aid in defining the overall security posture and design of an organization.

            Before getting into specifics, there are a few characteristics that all policies should have:

·         The policy must be understandable

·         The policy must be realistic

·         The policy must be consistent

·         The policy must be enforceable

·         The policy must be documented, distributed, and communicated correctly

·         The policy must be flexible

·         The policy must be reviewed

            A policy should spell out the following:

·         Roles and responsibilities of those affected by the policy

·         Which actions, processes, and activities are and are not allowed

·         What the consequences are for non-compliance

            The following list is what I feel are the most important policies and procedures:

·         Password security policy - defines rules for passwords: complexity, length, expiration, etc.

·         Physical access policy - guidelines for physical access and control

·         Encryption policy - guidelines for encrypting data

·         Remote access policy - defines what actions are and are not allowed when remotely entering the system.

·         Internal Information access policy - covers who has access to what, a 'need-to-know'

·         Social Media policy - covers what employees shouldn't post on social media sites

·         Data classification policy - guidelines for data classification

·         Acceptable use policy - covers Internet, local network, software installation, e-mail use, etc. for all users

·         Privacy policy - guidelines on private data usage and control

·         Disposal and destruction policy - guidelines on when/how data is disposed of or destroyed, and by whom

·         Storage and retention policy - guidelines for storage and retention of data

·         Incident response policy - guidelines for incident response, including roles and responsibilities

·         HR policy - guidelines for HR

·         Change management policy - guidelines for change management

·         Firewall policy - guidelines for firewalls

·         Personal electronic device policy - guidelines for mobile electronic devices, USB, and DVDs, what is and is not allowed in the facility

References:

Davidson, E. Media, D. (n.d.).  IT security and the importance of policies and procedures.  Retrieved 30 June, 2012, from: http://smallbusiness.chron.com/security-importance-policies-procedures-1100.html

Global Knowledge (2010).  10 Essential security policies.  Retrieved 30 June, 2012, from: http://www.infosecisland.com/blogview/5033-10-Essential-Security-Polices.html

Shimonski, R. (2003).  Defining a security policy.  Retrieved 30 June, 2012, from: http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html

Thursday, June 21, 2012

Flame On!!!

            It is being reported today that unnamed Western officials have confirmed that the Flame computer virus was developed by the US and Israeli governments.  The Flame virus collected intelligence which aided in slowing Iran's nuclear program.

            According to officials, the virus covertly monitored and mapped Iran's computer networks, and data was retrieved and steadily sent back to prepare for a cyberwarfare campaign.  Included in the effort to develop and deploy the software were the National Security Agency (NSA), the Central Intelligence Agency (CIA), and Israel's military.  The efforts also included destructive software such as the Stuxnet virus, which caused malfunctions in Iran's nuclear-enrichment facilities.

            According to one former high-ranking U.S. intelligence official: "This is about preparing the battlefield for another type of covert action [...] Cyber-collection against the Iranian program is way further down the road than this."  The official also indicated that Flame and Stuxnet were elements of a larger assault that continues even today.

            Eugene Kaspersky, whose security lab recently discovered the Flame virus that had been used against Iran, says that there should be an immediate global effort designed to stop what he calls cyber terrorism.  "It's not cyber war, it's cyber terrorism and I'm afraid it's just the beginning of the game [...] I'm afraid it will be the end of the world as we know it [...] I'm scared, believe me."

            Roel Schouwenberg, a senior researcher at Kaspersky Lab, said: "We are now 100 percent sure that the Flame and Stuxnet groups worked together [...] The fact that the Flame group shared their source code with the Stuxnet group shows they cooperated at least once."

            Cyber security experts say that Flame is one of the most sophisticated pieces of malware that has ever been discovered, and believe that it was released specifically to infect computer systems in Iran and in rival regimes across the Middle East.

            It seems as though news of cyber warfare, cyber attacks, and cyber terrorism is on the rise.  These are interesting times to be part of information security.  I don't foresee a slowdown in the development of more advanced cyber attack methods, programs, or code; if I had to guess, the cyber battle space will continue to grow and will be the new frontier for a new kind of war.  It's going to be an interesting few years to be sure!


References:

Heyes, J.D. (2012).  Flame malware, created by US government, could wreck critical infrastructure.  Retrieved 21 June, 2012, from: http://www.infowars.com/flame-malware-created-by-us-government-could-wreck-critical-infrastructure/

Rey, F. (2012).  US and Israel developed Flame malware to cripple Iranian nuclear power program.  Retrieved 21 June, 2012, from: http://socialbarrel.com/flame-malware-nuclear-power-program/39261/

THN Security Analyst (2012).  US and Israel developed flame malware against Iran.  Retrieved 21 June, 2012, from: http://thehackernews.com/2012/06/us-and-israel-developed-flame-malware.html

Thursday, June 14, 2012

Sources for IT Security News, Threats, Vulnerabilities and Updates



This post will identify credible sources of information for IT threats, vulnerabilities, updates, and security news in general. Included is a list of sources I consider to be credible, and why.



·         http://nvd.nist.gov/ -  My #1 site for information on security vulnerabilities is the National Vulnerability Database (the NVD is sponsored by the Department of Homeland Security - National Cyber Security Division/US-CERT and NIST).  The NVD is the U.S. government repository of standards-based vulnerability management data, expressed using the Security Content Automation Protocol (SCAP).  It covers vulnerability management, security measurement, and compliance.  Included are: security checklists, security-related software flaws, misconfigurations, and impact metrics.



·         http://cve.mitre.org/ - The Common Vulnerabilities and Exposures (CVE) is international in scope and is free for public use.  The CVE is a large dictionary of publicly known information security vulnerabilities and exposures.  The CVE can be used for vulnerability management, patch management, vulnerability alerting, intrusion detection, and much more.    



·         http://www.symantec.com/security_response/ - who does security better than a company that earns its bread and butter by providing security solutions?  The list of threats, vulnerabilities, risks, and security news delivered by Symantec is arguably near the top of the list; the list is constantly updated and is vast, covering spyware, adware, hack tools, joke programs, remote access, hoaxes, trackware, and more.



·         http://www.iss.net/threats/ThreatList.php - A great list of current and relevant Internet threats and vulnerabilities.  Though the list is geared towards showing how IBM ISS products & services can help protect against the listed threats, it gives plenty of details on what the threats and vulnerabilities are, what they do, and steps that can be taken to mitigate the risk.



·         http://www.itsecdb.com/oval/ - The IT Security Database (ITSECDB) collects Open Vulnerability and Assessment Language (OVAL) definitions from sources such as Mitre, Red Hat, SUSE, NVD, Apache, etc. and provides a one-stop shop with an easy-to-navigate web interface to research a wide array of IT security related items such as patching, vulnerabilities, and compliance checklists.



·         http://www.exploit-db.com/ - The Exploit Database (EDB) is another great site to check out; at the time of typing this, they have a total of 16,108 exploits archived.  This site is geared towards penetration testers, vulnerability researchers, and security addicts.  The site also has blogs, papers, and a community that is apt to share information.  The site is run by the folks at: http://www.offensive-security.com



·         Other good resources for security news (a.k.a. the usual suspects):

o   http://news.cnet.com/security/

o   http://thehackernews.com/

o   http://www.securityfocus.com/

o   http://www.blackhat.com/

o   http://seclists.org/isn/

o   http://www.zdnet.com/topics/security

o   http://www.scmagazine.com/

o   http://www.nist.org/news.php

o   http://www.securityweek.com/

o   http://www.eweek.com/c/s/Security/

Sunday, June 10, 2012

The Weakest Link

Last week was a bad week for three major Internet companies; LinkedIn, eHarmony, and Last.fm were all targeted and successfully breached by hackers.  Early in the week, on a Russian hacker forum (InsidePro.com), a site which offers password-cracking tools, two files containing passwords were posted; one of the files contained 6.5 million passwords, and the other 1.5 million passwords.  The password files were posted by a user "dwdm" who asked others to help crack the passwords.  The forum thread has since been taken offline, and the passwords were not displayed in plain text but rather obscured via hashing, though it is reported that more than 200,000 of the passwords have already been cracked.

So far none of the companies has released any details about how their users' passwords got into the hands of hackers.  LinkedIn says that the passwords contained in the files are hashed with the SHA-1 algorithm and that no other data accompanies them (i.e. user names or personal data), but security experts are strongly suggesting that people change their passwords immediately; eHarmony has reset the passwords of accounts it believes have been affected.  Apparently many of the passwords published to the hacker forum had the term "LinkedIn" in them, e.g. "linkedin1234" or "linkedinabcd"; this was a good indicator that these passwords were in fact LinkedIn passwords, and it is assumed that many people use weak passwords such as the site name plus a string of easy-to-remember characters.

Just because the password lists were posted without user names does not mean that the original poster doesn't have the user name list that goes along with the passwords.  For this reason, anyone using any of these services should immediately change their password.  This is an excellent reason why a common password should not be used across sites: if the hackers are able to crack a password and use it against your account, and all your accounts share the same login information, they essentially have a master key to your online life.

Simple passwords containing dictionary words and strings such as 123 or abc will be quite easy to crack.  A strong password doesn't necessarily need to be filled with special characters and numbers: a long password made of 4 random words, such as Chicago, hockey, cigar, and certification (= Chicagohockeycigarcertification), would take a brute-force tool a very long time to crack.  Changing a few characters to numbers or special characters wouldn't hurt if you can remember what characters you changed; for instance, changing all e's to the number 3, or all i's to the number 1.

Best practices would be to limit the amount of personal information you share online, use hard to guess/crack passwords, change your passwords frequently, and don't use the same password for multiple sites.
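The two observations above (site-name passwords were cracked quickly, and a long passphrase of random words is far harder) can be made concrete with a small script. This is an added illustration, not code from the original post or from any of the companies involved. It assumes, as the post implies, that the leaked hashes were plain SHA-1 with no per-user salt; the four sample passwords, the 12-character minimum, the 20,000-word dictionary size used for the passphrase estimate, and the PBKDF2 parameters are all constructed assumptions for the example.

```python
import hashlib
import os
import re

# Constructed example, not code from the original post. It assumes (as the post
# implies) that the leaked hashes were plain SHA-1 with no per-user salt.
SITE_NAME = "linkedin"

# Constructed toy "leak": four user passwords of the kinds the post describes.
SAMPLE_PASSWORDS = [
    "linkedin1234",
    "linkedinabcd",
    "linkedin1234",                      # a second user chose the same password
    "Chicagohockeycigarcertification",   # the four-random-word style from the post
]


def sha1_unsalted(password):
    """One fast, unsalted SHA-1: the storage scheme the post attributes to the leak."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Returns 'salthex$hashhex'.
    Iteration count is an assumed value for the example."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def count_duplicate_hashes(hashes):
    """Number of distinct hash values that occur more than once.
    With unsalted hashing, every reuse of a password is visible in the dump."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def site_suffix_table(site, digits=4):
    """Precomputed SHA-1 table for the 'site name + 4 digits' shape the post describes.
    10,000 entries cover that entire shape, which is why such passwords fall at once."""
    return {sha1_unsalted(f"{site}{i:0{digits}d}"): f"{site}{i:0{digits}d}"
            for i in range(10 ** digits)}


def recover_with_table(hashes, table):
    """Passwords identifiable by a plain lookup; salted hashes never match the table."""
    return [table[h] for h in hashes if h in table]


def passphrase_keyspace(words=4, dictionary_size=20_000):
    """Guesses needed to exhaust 'N random dictionary words' (dictionary size is assumed)."""
    return dictionary_size ** words


def weak_password_reasons(password, site):
    """Simple policy check mirroring the post's advice; the 12-character floor is assumed."""
    reasons = []
    if site.lower() in password.lower():
        reasons.append("contains the site name")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if re.search(r"123|abc", password.lower()):
        reasons.append("contains a trivial sequence")
    return reasons


if __name__ == "__main__":
    unsalted = [sha1_unsalted(p) for p in SAMPLE_PASSWORDS]
    salted = [pbkdf2_salted(p) for p in SAMPLE_PASSWORDS]
    table = site_suffix_table(SITE_NAME)
    print("duplicate hashes, unsalted:", count_duplicate_hashes(unsalted))   # 1
    print("duplicate hashes, salted:  ", count_duplicate_hashes(salted))     # 0
    print("recovered from unsalted:", recover_with_table(unsalted, table))   # ['linkedin1234', 'linkedin1234']
    print("recovered from salted:  ", recover_with_table(salted, table))     # []
    print("lookup table size vs 4-word passphrase space:", len(table), passphrase_keyspace())
    for p in SAMPLE_PASSWORDS:
        print(p, "->", weak_password_reasons(p, SITE_NAME) or "ok")
```

The point of the salted variant is that the same 10,000-entry table recovers nothing, and that two users with the same password no longer share a hash, so an attacker has to repeat the slow work for every account rather than once for the whole dump.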

References:

Mills, E. (2012).  What the password leaks mean to you (FAQ). Retrieved 10 June, 2012, from: http://news.cnet.com/8301-1009_3-57449325-83/what-the-password-leaks-mean-to-you-faq/?tag=epicStories


Paul, I. (2012).  Update: LinkedIn confirms account passwords hacked. Retrieved 10 June, 2012, from: http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html


The Hacker News (2012).  Last.fm confirms they were hacked, change your passwords now.  Retrieved from: http://thehackernews.com/2012/06/lastfm-confirms-they-were-hacked-change.html