Your Internet Presence and Vulnerability Mgmt

If you get put in charge of vulnerability management for a large organization with many internet-facing websites, you may run into roadblocks such as:

1) Determining who owns which websites.

2) Determining which servers host which websites.

3) Determining which virtual IPs load balance to which internal web server hosts.

4) Determining which outsourced entities have ownership of which websites and IP ranges.

5) Getting a listing of your total internet-facing IP ranges.

6) Determining which websites and IP ranges are hosted by your company, and which are hosted by third parties.

7) Determining which websites process any PCI or PII data.
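As an added example (not from the original post), here is a small Python reconciliation script for roadblocks 3, 5 and 6: it takes an exported site inventory, checks each resolved address against the public ranges you know you own, maps load-balancer VIPs to their internal pool members, and flags sites with no recorded owner, with the PCI ones called out first. Every range, VIP and hostname below is constructed (RFC 5737 test networks, RFC 1918 internal addresses, example.com names), and the record layout is an assumption about what your DNS or CMDB export would give you.

```python
"""Reconcile an internet-facing site inventory against owned IP space.
Added example with constructed data only; no real network is described."""
from ipaddress import ip_address, ip_network

# Constructed: public ranges registered to the company, with the group that runs each.
OWNED_RANGES = {
    "203.0.113.0/24": "Corporate data center - NetOps",
    "198.51.100.0/25": "Outsourced hosting partner (our address space)",
}

# Constructed: load-balancer VIP -> internal web server pool behind it.
VIP_BACKENDS = {
    "203.0.113.10": ["10.1.1.11", "10.1.1.12"],
    "203.0.113.20": ["10.1.2.5"],
}

# Constructed: the site inventory as an export might deliver it.
# owner=None means nobody has claimed the site yet.
SITES = [
    {"host": "www.example.com", "ip": "203.0.113.10", "owner": "Marketing", "pci": False},
    {"host": "shop.example.com", "ip": "203.0.113.20", "owner": None, "pci": True},
    {"host": "partner.example.com", "ip": "198.51.100.7", "owner": "Partner A", "pci": False},
    {"host": "blog.example.com", "ip": "192.0.2.44", "owner": "Marketing", "pci": False},
]

# Parse the CIDRs once so classify() is a plain membership test.
OWNED_NETS = {ip_network(cidr): label for cidr, label in OWNED_RANGES.items()}


def classify(ip_str):
    """Return ('in-house', range_label) if the address is in owned space,
    otherwise ('third-party', None)."""
    ip = ip_address(ip_str)
    for net, label in OWNED_NETS.items():
        if ip in net:
            return "in-house", label
    return "third-party", None


def build_report(sites=SITES):
    """Group sites by hosting, attach VIP backends, and list unowned sites.
    PCI sites with no owner are the first thing to chase down."""
    report = {"in-house": [], "third-party": [], "missing_owner": [], "pci_unowned": []}
    for site in sites:
        hosting, label = classify(site["ip"])
        entry = {**site, "range": label, "backends": VIP_BACKENDS.get(site["ip"], [])}
        report[hosting].append(entry)
        if site["owner"] is None:
            report["missing_owner"].append(site["host"])
            if site["pci"]:
                report["pci_unowned"].append(site["host"])
    return report


if __name__ == "__main__":
    rep = build_report()
    for bucket in ("in-house", "third-party"):
        print(f"== {bucket} ==")
        for e in rep[bucket]:
            print(f"{e['host']:24} {e['ip']:16} owner={e['owner'] or '???':12} "
                  f"range={e['range']} backends={e['backends']}")
    print("Unowned PCI sites:", rep["pci_unowned"])
    print("Unowned sites:", rep["missing_owner"])
```

Feed it your real export and ranges and the third-party bucket is your list of sites to confirm with the outsourcer, while the unowned PCI list is the first conversation to have.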


Compliance, Security and Religion

A strange analogy crossed my mind the other Sunday. The whole IT compliance vs. security struggle is a lot like a common struggle in most religions.

A common logic used in religion is to

1) Follow the laws of the religion and

2) Follow the principles of the religion as you understand them.

Following the laws and principles would be doing something “right”, and not following them would be doing something “wrong”.

Laws or Commandments

Compliance regulations are like the “law” or commandments handed down as
non-negotiables in religions. You will or will not do these things. If you break
these rules you will be punished somehow. There is not much grey area when
it comes to following laws and regulations.

Principles

However, general IT security is more like adherence to the principles behind the teachings of the religion. How diligently or zealously you follow and act on the principles of IT security can cause folks to admire you, despise you, or think you are a radical of some sort. Also, the possibility of a “grey area” dilemma is much more common when it comes to principles.

The Dilemma

So what about when there is no clear-cut answer on whether something follows the principles of security or of your religion? This is where you must fall back on risk-based decision making. In most religions, the risk of someone perceiving that you are doing something wrong is enough to give you guidance on how to act.

Security decisions can often be based on the same kind of risk decision. If your customers or others could perceive you as doing something wrong or irresponsible, then your course of action should be to stay far clear of anything that would cause that perception.

A Code of Ethics can also help reduce confusion around security decision making. That’s just one reason why professional organizations help provide guidance for security professionals.


Vulnerability Scanning For Network Appliances

Are you shipping network appliances that haven’t been scanned for vulnerabilities?

I’m responsible for getting security vulnerabilities corrected or “remediated” at work. Keep in mind this is no small job since our network is probably one of the largest in the world.

I continue to be surprised by network equipment manufacturers that are completely clueless about vulnerability management and the vulnerability footprint of their devices. These devices are often shipped full of security holes from the factory.

Below I list some very simple steps that every network appliance manufacturer can take to reduce their customers’ security headaches.

  1. Always run a vulnerability scanner against your device or appliance before you “finalize” the revision for testing. Fix the security holes, then start testing.
  2. Ship your “default config” without unnecessary services that expose or open up security holes. This is also known as “secure by default.” Instead of having everything the customer could possibly need already up and running, give them an easy way to turn on what they need.
  3. If your default shipping config exposes something that vulnerability scanners pick up as a vulnerability, or even as an informational exposure, document this information. This will save your customers’ security folks work and make your company actually seem professional.
  4. Realize that the security of your appliance is your responsibility as the appliance manufacturer. Be proactive.

It is only a matter of time before some major breach occurs via some “appliance” that was shipped full of security holes from the manufacturer. How will your company reputation be damaged from the fallout?


Database Patching

Don’t forget about Databases!

Since SQL Server was affected by the recent Patch Tuesday, I realized that databases are a large space in the enterprise that may not have been getting the focus they need.

In many large companies a separate team (or teams) owns and manages the database engine, whether that is SQL Server, DB2, Oracle, etc. How much time has been spent on making sure there is a solid patching plan for operating systems and networking equipment, compared to major “infrastructure applications” like database engines?

Sure, you have to secure the system to have any hope of securing data and applications, but database engines are almost their own little world riding on top of the operating system. Here’s why. Databases…

1) have their own ports they open up,

2) often have their own user management systems that may or may not tie in to your authentication directory,

3) have their own security vulnerabilities that are widely publicized,

4) are a #1 target for hackers.

Do I really need to give any more reasons that a solid lifecycle management and patching program for database engines is as critical as your patching and lifecycle management for your operating systems and networking equipment?

Surprisingly, your database engineers may be happy to get an extra push for upgrades and patches. They often want to apply them but can’t get the cooperation of their customers for testing, etc.


Scans Versus Penetration Tests

What is the difference between scanning and penetration testing?

Those of us responsible for managing vulnerability scanning and penetration testing often seem to get the same question over and over: what is the difference between a vulnerability scan and a penetration test?

You would think that this is not a difficult topic to grasp, but some folks really do struggle to remember the difference. I’ll lay it out here in the simplest way I know how.

  • Scan = Look for holes and issues on a network or website, usually with some type of scanning tool.
  • Penetration Test = Exploit the holes you have found on a network, and see how far you can get.

Some good scanning tools are:

  • McAfee Vulnerability Manager (used to be called Foundstone)
  • QualysGuard
  • Nessus

Many companies offer penetration testing services. I’ve only had experience with a few, so my only advice is to make sure your contracts are well written and that you are careful when working with a small company.

I’d like to write more, but I’m tired from getting up at 3:30 last night to make sure a 2-year-old security patch was applied to a critical server. More from the trenches later.


Need CPE’s to maintain your Cert? Volunteer!


Attention CISSPs — ISC2 allows you to volunteer doing computer security work for a charitable, government or public organization and count those hours towards your CPEs. (Disclaimer: I am a CISSP, but I am not employed by ISC2.)

Most certifications require that you maintain some type of continuing education so that your knowledge does not become stale in the area of your certification. These are typically called CPEs (Continuing Professional Education credits).

Reading publications is great, and the importance of research and understanding new trends and technology should not be downplayed.  However,  knowledge without application and plans without execution are worth very little. This is why I recommend that you get out there and use your knowledge to make the world a better place.  VOLUNTEER!

Some volunteering ideas (for more ideas, visit the Charity Navigator site):

  • Local police or fire department
  • Local schools
  • CASA

Update: Oh yeah, thanks to @martiniblue for pointing out to make sure to document your CPE’s. I happened to get an audit request for my CPE’s yesterday. Just part of the process!


Applications and Computing Platforms

I often get into “discussions” with peers on why I use certain computing platforms, or why certain platforms have a greater market share than others. My personal choice is to use platforms that I feel have the best selection of applications available.

Let’s face it, a computing platform is only as usable for consumers as the applications that ride on top of it. Below I explain my logic on why I have chosen certain platforms over others.

Mobile Computing – iPhone

http://www.apple.com/iphone/

Application availability.

I am not an “Apple person”, but the iPhone is the “anti-Macintosh” to me. (The iPhone has good pricing and app availability; the Macs demand a premium price with fewer apps available.)

There are over 50,000 applications available for the iPhone. How many applications are available on the other phones? I don’t know, but I know it isn’t even close to how many the iPhone has available. And the pricing for apps is reasonable. It’s going to be a while before other platforms catch up. I think there will be better competition in the future, but for now, I’m sticking with the iPhone.

Firefox

Plugins!!!

Mozilla has made it easy to develop plugins for Firefox. I don’t particularly like the browser itself any better than IE8 or Safari. However, the abundant plugins available, and the extra functionality they provide in the browser, are unbeatable by the other browsers right now. As browsers become more of an application platform, this may become an even bigger selling point.

Browser developers like Google, Microsoft and Apple need to ensure their plugin development environments are easy for developers to use and facilitate stable functionality.

Windows 

Apps Everywhere!

Disclaimer: I’ve managed Microsoft systems for years, so I could have some bias here.

Don’t get me wrong, it has not been an easy road. Microsoft is just now maturing its utilities to the point where you can manage large numbers of machines without having to write your own code against its APIs (which is what I had to do for years). I’ve had more 36-hour days fixing my Microsoft systems issues than most people have had 12-hour days at work. I don’t even remember having a life my first few years at work.

Some things Microsoft does do well are listening to customers and trying to make it easy for people to develop applications for its platforms. A few years ago there seemed to be a tipping point where you saw applications that had only been available on Apple being ported over to work on Windows. That seemed to be the point where the demand for Windows applications was so large that enterprises and consumers were demanding apps be available for Windows, and they got what they wanted.

I have confidence I can go out and get (either free or purchased) any type of application that I need on the Windows platform. Mac and Linux really just don’t have the same volume or variety of apps available.

Summary

To summarize, the success of computing platforms depends on demand for that platform. I feel that one of the main factors for driving the demand of those platforms is application availability.

My advice to companies is to focus on making application development for their platform so easy that anybody can do it, while protecting the system from poorly designed apps.
