Archive for the General Category

ESPN is going to turn ‘chemists’ into the new ‘hackers’

Posted July 31, 2009 at 9:57 am in General | No Comments

I am a baseball fan. I absolutely love the game of baseball and this has been the case since I was a child. Baseball was the first organized sport I played and without attempting to be cocky, I was damn good at the game. Unfortunately as I grew up other things took precedence over baseball and I abandoned playing the game. I did not, however, completely abandon baseball. To this day I still follow my favorite team, the Chicago Cubs, and everything else that happens in baseball. I wouldn’t say I take it to an extreme but I even have a favorite baseball column written by Jayson Stark of ESPN (especially the Useless Info articles).

I’m also always intrigued and fascinated by anything mechatronic. Like most people, I’m also curious about the world of spies and secrecy. I think those of us involved in the information security realm share these two common interests. So when I read or hear the media using the term “hacker” in a negative manner it’s somewhat unsettling.


Google Chrome OS already sounds rusty…

Posted July 8, 2009 at 12:39 pm in General | No Comments

Google introduced Chrome OS yesterday and it should be available to the public in the second half of 2010. Does anyone else feel somewhat violated by this or is it just me? It’s bad enough Google wants to control my personal and domain email with Gmail, schedule my days and weeks with Calendar, update me on my financial life with Finance, know where I want to go with Maps and Google Earth, and store my medical information with Medical Records but now they want to do this the instant I boot my computer? Will I need to provide a DNA sample in order to login to Chrome OS?

From the official Google blog post: “So today, we’re announcing a new project that’s a natural extension of Google Chrome — the Google Chrome Operating System.” How is that a natural extension? That’s like an automobile tire manufacturer suddenly saying they’ve developed a new kind of car because it’s a “natural extension”.


Educate yourself using your Apple iPhone and MIT OpenCourseWare

Posted June 22, 2009 at 10:33 pm in General | No Comments

I received an iPhone 3GS in the mail today. I’m always excited to receive a new toy but to be honest I wasn’t as excited as I would’ve been had the box said Newegg on the side. This is my first Apple iPhone and first smart phone. My old Motorola RAZR was on its last legs so I decided three weeks ago to finally replace it. Luckily for me AT&T had difficulty procuring a regular 3G iPhone and the phone was placed on backorder because the announcement of the new 3GS came a few days later. I decided to purchase the 3GS for $199 instead of paying $150 for a refurbished regular 3G.


How to deploy your own free Wordpress development sandbox on Windows XP

Posted June 11, 2009 at 5:58 pm in General | No Comments

Wordpress, WampServer, Geany, GIMP

I recently upgraded my computer hardware due to aging components like AGP, 1GB of RAM, single-core processing, SATA 1.5 Gb/s, and a power supply that lacked a few necessary power wires required for new components. That being said, I’m still stuck in the old world when it comes to operating systems. I use Windows XP Professional because I can’t afford to upgrade to Vista, I don’t want to learn Vista, and I have yet to find a reason to upgrade. A dual-boot system with Windows XP and Ubuntu 9.04 for everyday computing is more than suitable for my needs.


Cloud computing

Posted May 19, 2009 at 11:09 am in General | No Comments

I was reading an article titled “It’s Our Time” by Randy V. Sabett in this month’s ISSA Journal while drinking my morning cup of coffee when I came across a paragraph discussing the annual Cryptographers Panel at the most recent RSA Conference held in San Francisco. Randy writes that the “annual Cryptographers Panel provided excellent insights, including Whit Diffie being ‘bullish’ on cloud computing and comparing it to the last game-changing technology (being radio).” This made me think for a moment about what exactly is cloud computing, why this would be a topic of discussion, and what connection security has to cloud computing.

So what is cloud computing? Wikipedia describes cloud computing as “a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure ‘in the cloud’ that supports them.” Wikipedia goes on to write “the term cloud is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams, and is an abstraction for the complex infrastructure it conceals.”

An excellent video from rPath explains cloud computing better than I would be able to with strictly text:


Summertime, when the livin’s easy!

Posted May 15, 2009 at 6:43 pm in General | No Comments

The Spring 2009 school semester is over and let me be the first to say that I’m glad it is. The semester went relatively quickly but the last two or three weeks I was becoming burnt out. I didn’t put as much time and effort into studying for finals as I should have and let’s hope this isn’t reflected in my grades!

The upcoming Fall semester has me somewhat excited. I am enrolled in the first core electrical engineering course which covers circuit laws and analysis, resistive circuits, energy storage, AC circuits and power, three-phase circuits, and computer-aided analysis. I’m also excited to be taking a course in computer networks. Hopefully my previous experience with networking is valuable to me in this course. My Network+ certification hasn’t yielded the benefits I was hoping for prior to becoming certified, partly due to the fact that many businesses aren’t looking for part-time help in networking or operations in this economy, so maybe I’ll be able to lean on this knowledge for my course.

There are two courses this fall that I am not looking forward to. The first is the second course in a two-course series in physics. This course will be interesting and relevant to my future studies but the work load involved with it will be enormous compared to the rest of my courses. I found out this past semester that physics dominated my study time far more than my other classes. Having learned this lesson the hard way I expect to be better prepared for the Fall semester. The second course I am not enthralled with is a course in engineering mathematics. I love math but I know that most of my time will be spent on physics and my electrical engineering course so I won’t have the necessary time to dedicate to this math class.

Regardless of my likes and dislikes for the upcoming Fall semester I will need to develop a strategy to better utilize my time. I would also like to work part-time somewhere that would be willing to let me work in the sysadmin realm or anything that involves infosec.

As far as my summer is concerned, I am enrolled in a summer class. I also hope to catch up on some reading, some car maintenance, some programming (Java), playing some tennis with Jordan, and hopefully moving somewhere closer to campus. I have been browsing Bruce Schneier’s website and glancing over a few of his papers. This paper in particular has my interest: Self-Study Course in Block Cipher Cryptanalysis. I will probably focus much of my technical reading on papers and books he has listed in this self-study paper.

ISO/IEC 27001:2005

Posted April 5, 2009 at 5:19 pm in General | No Comments

ISO/IEC 27001:2005 is an information security management system (ISMS) standard. It is intended to be “used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommends a range of specific security controls.”[1]

It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Joint Technical Committee 1 (JTC 1), Subcommittee 27 (SC 27). ISO/IEC 27001 was officially published October 15, 2005, hence the 2005 in the name of the standard. The standard was designed to “ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.” [2]

The standard applies to organizations of every type: commercial, government, non-profit and educational. That broad scope means you will almost certainly encounter it in your work. As a CIO or CISO you are probably following it to the best of your organization’s ability, either for certification or simply as a security framework. Organizations certify against ISO 27001 for a variety of reasons, but most commercial ones use it as a selling point to customers. Advertising the certification is meant to increase revenue, but a visibly certified organization can also become a more attractive target for someone with malicious intent. If you are performing a vulnerability assessment against an organization that follows ISO 27001, it is worth reading the standard to understand the control framework its security infrastructure is likely built around.


Sarbanes-Oxley Act of 2002

Posted January 15, 2009 at 6:21 pm in General | No Comments

The Sarbanes-Oxley Act of 2002, or the Public Company Accounting Reform and Investor Protection Act of 2002, isn’t a security compliance standard or regulation. It is a United States law that introduced major changes to the regulation of financial practice and corporate governance. The law emphasizes corporate accountability and was in part a response to the corporate scandals of Enron, Tyco International, Adelphia, WorldCom, etc., in which shareholders lost billions of dollars when the share prices of these companies collapsed.

The Sarbanes-Oxley Act of 2002, more commonly known as SOX, was named after Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH) who supported the bill.

SOX established new standards for U.S. public companies and has been a source of controversy for international companies wishing to carry out business operations in the U.S. The Sarbanes-Oxley Act of 2002 primarily focuses on the accuracy of financial reporting data. It also outlines criminal penalties for companies failing to comply with these standards. The Act is divided into the following eleven titles:

  • Title 1: Public Company Accounting Oversight Board (PCAOB)
  • Title 2: Auditor Independence
  • Title 3: Corporate Responsibility
  • Title 4: Enhanced Financial Disclosures
  • Title 5: Analyst Conflicts of Interest
  • Title 6: Commission Resources and Authority
  • Title 7: Studies and Reports
  • Title 8: Corporate and Criminal Fraud Accountability
  • Title 9: White Collar Crime Penalty Enhancement
  • Title 10: Corporate Tax Returns
  • Title 11: Corporate Fraud Accountability

How does information and network security play into the Sarbanes-Oxley Act of 2002? There is no single direct link, but many, if not most, of the fundamental reasons IT security exists within publicly traded companies come down to protecting business assets and information. An attack on a company’s infrastructure could cause a loss of confidentiality, integrity or availability of systems or data that would then have to be disclosed. [2]

The standards provided by SOX outline areas of concern for companies that must report financial information to shareholders and to the Securities and Exchange Commission. In effect they took a highlighter to the existing financial requirements, standards and regulations and marked the ones companies must comply with. That is key to achieving compliance, but it also hands critical information to anyone wishing to harm a company: it cuts the time and effort needed to work out which of an organization’s data is valuable and could lead to better organized attacks on important financial data. A successful attack on that data could do serious damage to the company and would most likely prompt an investigation by government agencies, which could eventually lead to tighter controls and more government oversight.

Is the information outlined by SOX important to attackers? No. Not to most. Could it be used in the way I outlined above? Probably but it wouldn’t be a priority resource to most. A well thought out attack could incorporate this information and if an attack on a high profile publicly traded company were to take place the information outlined in SOX could prove worthwhile.  One can never have too much information about a target and knowing how its internal structures are organized is essential to carrying out a successful attack.


References:
1. http://www.law.uc.edu/CCL/SOact/toc.html
2. http://www.securityfocus.com/columnists/322

Trusted Computer System Evaluation Criteria

Posted September 1, 2008 at 8:51 pm in General | No Comments

The Trusted Computer System Evaluation Criteria (TCSEC), better known as the Orange Book and part of the DoD’s Rainbow Series, was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. It has been superseded by the Common Criteria.

The criteria are grouped under four headings:

  • Security Policy
  • Accountability
  • Assurance
  • Documentation

Security Policy covers discretionary access control, labels and mandatory access control (plus object reuse). Accountability covers identification and authentication, audit and, at the higher classes, trusted path. Assurance is split into Operational Assurance and Life-Cycle Assurance; continuous protection is one of the six fundamental requirements from which the criteria are derived. Documentation requires a Security Features User’s Guide, a Trusted Facility Manual, Test Documentation and Design Documentation.

The Orange Book defines four divisions of security, A, B, C and D, with A the most secure. Divisions are subdivided into classes (B1, B2 and B3, for example), each adding requirements on top of the class below it.

  • A – Verified Protection
    1. A1 – Verified Design
  • B – Mandatory Protection
    1. B1 – Labeled Security Protection
    2. B2 – Structured Protection
    3. B3 – Security Domains
  • C – Discretionary Protection
    1. C1 – Discretionary Security Protection
    2. C2 – Controlled Access Protection
  • D – Minimal Protection

Defense In Depth

Posted August 29, 2008 at 7:17 pm in General | No Comments

Defense in depth, a term borrowed from military strategy, is a defensive approach that layers security countermeasures on top of one another. It combines multiple, independent security mechanisms so that the compromise or circumvention of any one of them does not by itself defeat the defense.

Rather than trying to stop an attacker outright at a single point, defense in depth aims to delay and deter: each layer the attacker has to defeat buys time, and the ultimate success of the attack is postponed long enough for it to be detected and responded to.

Taken from the military playbook, the idea is that instead of relying on one strong defensive line, defense in depth relies on the tendency of an attack to lose momentum the longer it takes.

Using products from multiple vendors is a common practice that supports this layered approach. If an attacker has to get through two firewalls from different vendors, a single vulnerability will not open both; separate flaws must be found for each, which adds time to the attack. Time usually works against the attacker and in favor of the defender. The caveat is that the layers must actually be independent: two devices that share an administrative credential, a management interface or an upstream configuration system fail together whatever their vendor, and a heterogeneous stack costs more to configure and maintain consistently.

Defense in depth is designed so that when one security control fails, the attacker still faces the next layer rather than an open path to the target.
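A quick way to check whether a control set really is layered, rather than just long, is to ask what is left when any one control, or any one vendor’s whole product line, is assumed to have failed. The following is an added example written for this page, not code from the original post: each control is modelled by the attack stages it can stop and the vendor it comes from, and the two analysis functions report the stages that would go uncovered. The stage names, controls and vendor names are constructed; the two control sets differ only in whether the firewall layers come from one vendor or two, which is the situation the paragraph above describes.

```python
"""Added example (not from the original post): single-point-of-failure check
for a layered defense.  A stage of the attack is defended in depth only if it
stays covered when any one control, or any one vendor's entire product line,
is assumed to have failed.  All stages, controls and vendors are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence

STAGES = ("initial_access", "execution", "lateral_movement", "exfiltration")


@dataclass(frozen=True)
class Control:
    name: str
    vendor: str
    stops: FrozenSet[str]           # attack stages this control can block


def covered_stages(controls: Sequence[Control],
                   failed: Callable[[Control], bool] = lambda c: False) -> Dict[str, int]:
    """Number of still-working controls per stage, treating `failed` controls as gone."""
    counts = {s: 0 for s in STAGES}
    for c in controls:
        if failed(c):
            continue
        for s in c.stops:
            counts[s] += 1
    return counts


def single_points_of_failure(controls: Sequence[Control]) -> Dict[str, List[str]]:
    """Controls whose individual failure leaves some stage with no coverage at all."""
    spof: Dict[str, List[str]] = {}
    for c in controls:
        remaining = covered_stages(controls, failed=lambda x: x is c)
        lost = [s for s in STAGES if s in c.stops and remaining[s] == 0]
        if lost:
            spof[c.name] = lost
    return spof


def vendor_points_of_failure(controls: Sequence[Control]) -> Dict[str, List[str]]:
    """Same analysis assuming one vulnerability takes out every product of a vendor."""
    out: Dict[str, List[str]] = {}
    for v in sorted({c.vendor for c in controls}):
        remaining = covered_stages(controls, failed=lambda x: x.vendor == v)
        vendor_stages = {s for c in controls if c.vendor == v for s in c.stops}
        lost = [s for s in STAGES if s in vendor_stages and remaining[s] == 0]
        if lost:
            out[v] = lost
    return out


# Constructed control sets.  Every stage has at least two controls in both,
# so neither has a single-control point of failure; they differ only in vendors.
MONOCULTURE = [
    Control("perimeter firewall", "AcmeNet", frozenset({"initial_access", "lateral_movement"})),
    Control("internal firewall", "AcmeNet", frozenset({"initial_access", "lateral_movement"})),
    Control("endpoint detection", "Contoso", frozenset({"execution"})),
    Control("application allowlisting", "Initech", frozenset({"execution"})),
    Control("DLP proxy", "Fabrikam", frozenset({"exfiltration"})),
    Control("egress firewall", "AcmeNet", frozenset({"exfiltration"})),
]

DIVERSE = [
    Control("perimeter firewall", "AcmeNet", frozenset({"initial_access", "lateral_movement"})),
    Control("internal firewall", "Initech", frozenset({"lateral_movement"})),
    Control("email gateway", "Contoso", frozenset({"initial_access"})),
    Control("endpoint detection", "Contoso", frozenset({"execution"})),
    Control("application allowlisting", "Initech", frozenset({"execution"})),
    Control("DLP proxy", "Fabrikam", frozenset({"exfiltration"})),
    Control("egress firewall", "AcmeNet", frozenset({"exfiltration"})),
]

if __name__ == "__main__":
    for label, controls in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        print(label, "single-control SPOF:", single_points_of_failure(controls))
        print(label, "single-vendor SPOF:", vendor_points_of_failure(controls))
```

Both sets pass the per-control check, which is the check most people stop at. Only the vendor-level pass shows that in the monoculture set a single AcmeNet firewall vulnerability removes every control in front of initial access and lateral movement at once, exactly the failure mode that buying the second firewall from a different vendor is meant to avoid. The same function can be reused for any other shared dependency (a common management plane, a shared credential store) by swapping the `vendor` field for that dependency.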
