Zen One

Retrieving a Stolen iPhone in Under 72 Hours

noreply@blogger.com (Steve) — Wed, 08 Feb 2012 11:17:09 PST

Within 53 hours I was able to get a stolen iPhone safely into police custody. Here's a rough timeline of the steps I went took to get the phone back to the rightful owner:

Saturday, 2/4/2012 @ 8:45 AM -- iPhone was "lost" (i.e., stolen).

Called stolen iPhone and it rang four times before going to voicemail, suggesting that it was powered on and had reception. Used the "Find iPhone" app to locate the phone using the Apple ID credentials of the stolen iPhone, but it was unable locate the phone.
Using the "Find iPhone" app, sent lock code to stolen iPhone to ensure that it was locked and required an unlock code to access the phone.
Using the "Find iPhone" app, sent messages with sound to the stolen iPhone stating that the phone was lost and to call ###-###-#### (my Google Voice number). No response.
Shortly thereafter the iPhone was powered down by the "someone" who had possession of the phone.
I had the owner of the stolen iPhone change passwords to accounts accessed by the iPhone (e.g., Gmail, Dropbox, etc).
Setup the email account used as the Apple ID of the stolen iPhone to forward a copy of all mail from "noreply@me.com" to an account I setup at Boxcar. The reason for doing this was to have push notifications sent to my phone moments after the stolen iPhone would be powered on and receive the commands that I sent from the "Find iPhone" app.

There's a Boxcar iOS app that I installed on the device that I was doing the tracking from.

Opted not to report the phone as stolen with AT&T yet since I wanted to be able to continue tracking the phone.
Also opted not to remotely wipe the iPhone via the "Find iPhone" app for the same reason.
The "Erase all data on iPhone after 10 failed passcode attempts" option was turned off on the iPhone. This was a good thing since it prevented the stolen iPhone from being wiped by 10 failed passcode entries and becoming un-trackable.

Sunday, 2/5/2012 @ 10:00 AM -- the iPhone was powered on by "someone" and the location of the phone was identified.

I received a push notification from Boxcar showing that an email from noreply@me.com was received. That meant that the stolen iPhone was powered on and was now locatable.
Used both the "Find iPhone" and "Find Friends" iPhone apps by Apple to track the location of the phone.

Another option was logging into iCloud with the Apple ID and password associated with the stolen iPhone ... which I did.

Location of the phone tracked to a residential address.
Used Google maps and street view to look at the house.
Identified the owner of the house using PropertyShark.
Gathered information about the owner using Intelius.
Again, sent messages with sound to the stolen iPhone stating that the phone was lost and to call ###-###-#### (my Google Voice number). No response.
The phone was powered down by the "someone" who had possession of the phone roughly five minutes after it was powered on.
Checked AT&T for any unauthorized calls. There were no unauthorized calls.
A police report was submitted online to the police department where the phone was stolen.

The police department where the phone was currently located (different city than where the phone was stolen) would not accept a report directly since the theft occurred in a different city.

Monday, 2/6/2012 @ 10:46 AM -- the iPhone was powered on and left on.

Using both the "Find iPhone" and "Find Friends" apps, the GPS location of the stolen iPhone was the same address as the address that was identified on Sunday.
A police report was submitted online to the police department. The location of theft was intentionally left vague, implying that the theft occurred in the city where the phone was currently being tracked to. The police department was willing to accept the incident report.

Monday, 2/6/2012 @ 1:04 PM -- Called the records and dispatch departments of the PD from the city where the stolen iPhone was currently located.

Gave the incident report tracking number to dispatch.
After a lengthy conversation, dispatch agreed to send an officer to the house and that the officer would call me back if I needed to cause the stolen iPhone to make a sound.

Monday, 2/6/2012 @ 1:36 PM -- Received a call from the responding officer.

The police officer stated that he went to the residential address.
The officer stated that the owners of the house were at the residence.
The police officer gained possession of the phone.
The police officer asked me for the unlock code and some contact data that was on the phone to verify ownership.
The officer relayed the convoluted story that the individual who had stolen the iPhone told him.
We agreed to check the phone into the police department's chain-of-custody and the stolen iPhone will be picked up by the rightful owner soon.
Called the police department from where the phone was stolen, stated that the iPhone was retrieved by another police department, and the case was closed.

... and that's a happy ending.

Apple has more information about locating a lost or stolen iPhone here.

Koobface Analysis

noreply@blogger.com (Steve) — Tue, 17 Jan 2012 12:52:35 PST

Today Facebook announced that it will share the data it has collected about the group of people behind the Koobface virus. Facebook didn't provide any details about the "Koobface gang". However, in a separate blog post independent researchers Jan Drömer and Dirk Kollberg of SophosLabs did provide details of their analysis. I found the SophosLabs article a very interesting read in that it details the painstakingly slow process investigators must endure to piece security incidents together and that given enough time and resources "cybercrimes" can be solved.

"Up until now, Drömer and Kollberg's research has been a closely-guarded secret, known only to a select few in the computer security community and shared with various law enforcement agencies around the globe" ... "At the police's request we have kept the information confidential, but last week news began to leak onto the internet about Anton 'Krotreal' Korotchenko - meaning the cat was well and truly out of the bag." -- Graham Cluley, Sophos analyst

Link to Analysis: http://nakedsecurity.sophos.com/koobface/

DHS Cybersecurity Strategy and New California eCrime Unit

noreply@blogger.com (Steve) — Mon, 19 Dec 2011 16:11:21 PST

Image by Getty Images via @daylife

A couple of interesting items within the information security world...

I. The Department of Homeland Security has released a new cybersecurity strategy document with a two-pronged approach:

Protecting critical infrastructure today
Building a more secure cybersecurity ecosystem for the future

Download the Blueprint for a Secure Cyber Future document (PDF).

II. California Attorney General Kamala D. Harris has announced the creation of a new eCrime Unit to investigate and prosecute technology crime.

"The primary mission of the eCrime Unit is to investigate and prosecute multi-jurisdictional criminal organizations, networks, and groups that perpetrate identity theft crimes, use an electronic device or network to facilitate a crime, or commit a crime targeting an electronic device, network or intellectual property." READ MORE

America the Vulnerable

noreply@blogger.com (Steve) — Wed, 14 Dec 2011 17:39:51 PST

Image by formalfallacy @ Dublin (Victor) via Flickr

During my commute to and from work I recently began listening to the audiobook, "America the Vulnerable: New Technology and the Next Threat to National Security" by Joel Brenner, narrated by Lloyd James. The audiobook was downloaded from Audible.com.

I’m currently half-way through the unabridged audio and am enjoying it. The book is an eye-opening reminder of what many of us within the InfoSec industry are already aware of as we analyze security events on a daily basis. American national security, our economy, physical and energy infrastructure, financial system and our own privacy are at risk and that if security isn't built into our systems, our systems won't be secure. From what I’ve listened to so far, Brenner does a good job of laying out the cyber-threat facing the United States.

I hope to finish the audiobook by the end of this week as I’m interested in hearing what Brenner has to prescribe as a solution to the problem. Though I have yet to finish the audiobook, I recommend it as a must read for anyone interested or with career in cybersecurity.

New Reader Poll - CISSP Exam

noreply@blogger.com (Steve) — Mon, 12 Dec 2011 17:10:33 PST

Image via Wikipedia

I just posted a reader poll that's now viewable on the right-hand column of this blog. I want to get opinions from those of you that have your CISSP certification. There are two questions in the poll:

If you are a CISSP, did your employer at the time encourage you to take the CISSP exam? (Yes/No)
If you are a CISSP, did your employer pay for you to take the CISSP exam, or did you? (Employer paid/you paid)

The poll can also be accessed directly from here.

As for the value of a CISSP vs. other certifications ... that's for yet another posting.

The Pony in the Dung Heap Joke

noreply@blogger.com (Steve) — Mon, 12 Dec 2011 10:57:29 PST

Image via Wikipedia

I recently came across a humorous, yet insightful, joke. You may have heard it before. It's the pony in the dung heap. Last week I read it for the first time within, "How Ronald Reagan Changed My Life", by Peter Robinson. Here's an exert from the book containing the joke:

-----BEGIN EXERT------

Chapter One
The Pony In the Dung Heap
When Life Buries You, Dig
Journal Entry, June 2002:

Over lunch today I asked Ed Meese about one of Reagan's favorite jokes. "The pony joke?" Meese replied. "Sure I remember it. If I heard him tell it once, I heard him tell it a thousand times."

The joke concerns twin boys of five or six. Worried that the boys had developed extreme personalities -- one was a total pessimist, the other a total optimist -- their parents took them to a psychiatrist.

First the psychiatrist treated the pessimist. Trying to brighten his outlook, the psychiatrist took him to a room piled to the ceiling with brand-new toys. But instead of yelping with delight, the little boy burst into tears. "What's the matter?" the psychiatrist asked, baffled. "Don't you want to play with any of the toys?" "Yes," the little boy bawled, "but if I did I'd only break them."

Next the psychiatrist treated the optimist. Trying to dampen his out look, the psychiatrist took him to a room piled to the ceiling with horse manure. But instead of wrinkling his nose in disgust, the optimist emitted just the yelp of delight the psychiatrist had been hoping to hear from his brother, the pessimist. Then he clambered to the top of the pile, dropped to his knees, and began gleefully digging out scoop after scoop with his bare hands. "What do you think you're doing?" the psychiatrist asked, just as baffled by the optimist as he had been by the pessimist. "With all this manure," the little boy replied, beaming, "there must be a pony in here somewhere!"

"Reagan told the joke so often," Meese said, chuckling, "that it got to be kind of a joke with the rest of us. Whenever something would go wrong, somebody on the staff would be sure to say, "There must be a pony in here somewhere.'"

-----END EXERT------

It's a great joke to tell ourselves when we're feeling buried under heaps of work and life responsibilities as a reminder to persevere and make the best out of any given moment. For me, it'll take a lifetime to fully grasp, and even then, I might not have made it an automatic process and I'll still see "the glass half empty" at times.

Free Security Awareness Training - Part 5 of 5

noreply@blogger.com (Steve) — Fri, 09 Dec 2011 06:10:00 PST

Image via Wikipedia

Today's post concludes the series of five posts whereby I wanted to give you links to 25 security awareness courses and videos that are publicly available.

I strongly believe that security awareness training is an essential component to good security. Throwing money and technology at the security problem might be worthwhile in the early stages of maturity of an originzatzion's information security program. However, the problem with this approach is that there are diminishing returns; more technology becomes less and less effective at improving security. Something needs to improve beyond installing and patching technology on a daily basis, forever running around attempting to deal with security incidents and emerging threats and doing work simply for work's sake. The human dimension is a critical part of this, and security awareness training helps sharpen this human component; the HumanOS.

Analytical Investigative Tools (Multijurisdictional Counterdrug Task Force Training)
What Every Law Enforcement Officer Should Know About DNA Evidence – Investigators and Evidence Technicians (DNA Initiative)
Food Security Training (US Food and Drug Administration)
Explosives, Booby Traps and Bomb Threat Management (Multijurisdictional Counterdrug Task Force Training)
HAZMAT Transportation Security Awareness Training (Dangerous Goods International)

Free Security Awareness Training - Part 4 of 5

noreply@blogger.com (Steve) — Thu, 08 Dec 2011 05:26:00 PST

Image via Wikipedia

This week I'm sharing with you links to 25 security awareness training sites. The training links are being broken up into groups of five, published within five separate postings. Today we reach the forth set of training links for an accumulative total of 20.

The 2008 information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value, such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.” Security awareness training helps address the second item.

"The security discipline has so far been skewed toward technology - firewalls, ID management, intrusion detection - instead of a risk analysis and proactive intelligence gathering. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. We have to start addressing the human element of information security, not just the technological one; it i only then that companies will stop being punching bags." - PricewaterhouseCoopers

Below is the next set of security awareness training links.

The History of Bio-Terrorism (Center for Disease Control and Prevention)
Detecting Bio-Terror (Center for Public Health Preparedness)
Radiological Terrorism: Just in Time Training for Hospital Clinicians (Center for Disease Control and Prevention)
Nuclear Terrorism: Pathways & Prevention (Center for Public Health Preparedness)
Preparedness & Community Response to Pandemics (Center for Public Health Preparedness)

Free Security Awareness Training - Part 3 of 5

noreply@blogger.com (Steve) — Wed, 07 Dec 2011 05:59:00 PST

Image via Wikipedia

This week I'm passing on to you links to 25 free security awareness training sites. Why is security awareness training important? Fundamentally, security is about people. Having worked within the information security world for the past 15 years, it's become very clear that the best defense to internal and external threats is not technology by itself. Rather, people need to have the mindset that helps them to automatically take actions that support security, not circumvent or undermine it. Security awareness training helps raise awareness so as to begin making this a natural mindset that influences behavior.

"No one wants security; they want the benefits of security. A homeowner does not want the finest deadbolt on the front door because of the excellence of its engineering; they want a comfortable, happy place in which to live." - Steve Hunt

Below are the next five training links. This now brings us to a total of 15 trainings out of the 25 I promised to give you by the end of this week.

OPPSEC (United States Marine Corps)
Intelligence Analysis Web-based Training (Anacapa Sciences)
SAEDA (553G-NG0001-A) (Espionage Awareness) (United States Army)
Are You Ready? An In-depth Guide to Citizen Preparedness FEMA/EMI Course IS-22 (FEMA)
Personal Preparedness (Center for Public Health Preparedness)

Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523)

noreply@blogger.com (Steve) — Tue, 06 Dec 2011 13:37:35 PST

Image via Wikipedia

The House Intelligence Committee held a closed-door markup of a bill (HR 3523) with the intention to improve cybersecurity through enabling the federal government to share classified cyber threat information with businesses. To quote two of the primary proponents:

"There is an economic cyber war going on today against US companies." ... "There are two types of companies in this country, those who know they've been hacked, and those who don't know they've been hacked. Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property." -- Chairman of The Permanent Select Committee on Intelligence, Congressman Mike Rogers (R-MI)

"We simply can't stand by if we have the ability to help American companies protect themselves. Sharing information about cyber threats is a critical step to preventing them. This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems. The bill maintains vital protections for privacy and civil liberties without any new federal spending, regulations or unfunded mandates." -- The committee's ranking member, Congressman Dutch Ruppersberger (D-MD)

Free Security Awareness Training - Part 2 of 5

noreply@blogger.com (Steve) — Tue, 06 Dec 2011 15:40:40 PST

Image via Wikipedia

This week my goal is to pass along to you links to 25 free security awareness trainings. The trainings are being divided up into groups of five and published in a series of five separate postings. The first set of training links was published yesterday.

As promised, below is the second set of five trainings.

Anti-Terrorism Awareness Level-1 (Defense Technical Information Center - US DoD)
The Seven Signs of Terrorism (Michigan State Police via YouTube)
AWR-187 Terrorism and WMD Awareness in the Workplace (Rural Domestic Preparedness Consortium)
Kentucky Terrorism Response & Preparedness (University of Kentucky)
Prevention and Deterrence of Terrorist Acts (National Center for Biomedical Research and Training)

Free Security Awareness Training - Part 1 of 5

noreply@blogger.com (Steve) — Tue, 06 Dec 2011 15:34:39 PST

Image via Wikipedia

As a security profesional I believe it's essential that we maintain security awareness and an understanding of the threats we face. Education often isn't cheap and the reality is that for many employers funding for training and education is very limited.

Fortunately, we're entering into the holiday season, which is a time of giving, and what I'm giving you are 25 security awareness courses and videos that are publicly available. Okay - maybe not the most exciting gift, but it fits the budget.

I will publish a series of five posts and each post will have links to five training resources. The security awareness courses may be completed online (or on CD-ROM) and are provided without cost to you. This study program is designed to provide you with a broad security awareness. There will be overlap in training that will help you to build depth of knowledge and to emphasize important areas. I emphasize "broad". The material covers many of the domains within security, some of it IT Security, and some of the material may seem a bit Rambo'esque or even doom-and-gloom.

There are several separate agencies and organizations that are offering the courses. Certificates of training can be printed following completion of the courses. You can enroll in any individual course, or if you're more highly motivated, aim for completing all of them. Personally, I believe that anyone who completes all of the courses will become a much more valuable security asset to their employer as well as their community.

Bring out the leftover turkey, stuffing and cranberry sauce ... it's time to cram in some free security awareness classes!

Phishing Awareness (Defense Information Systems Agency - US DoD)
Personally Identifiable Information (PII) (Defense Information Systems Agency - US DoD)
Security & Privacy Awareness Training (National Institute of Health Information)
Information Assurance Awareness (Defense Information Systems Agency - US DoD)
Information Assurance Awareness shorts (Defense Information Systems Agency - US DoD)

FCC Small Biz Cyber Planner

noreply@blogger.com (Steve) — Tue, 29 Nov 2011 11:06:09 PST

Image via Wikipedia

The FCC has launched a Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans in conjunction with DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The complete set of guidance can be downloaded as a PDF at fcc.gov/cyber/cyberplanner.pdf while the interactive online tool is available at FCC.gov/cyberplanner.

"The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber-threats. Even a business with one computer or one credit card terminal can benefit from this important guidance. The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide. Then a customized PDF is created that will serve as a cybersecurity strategy template for a small business.

This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at FCC.gov/cyberforsmallbiz."

Sections in the complete set of guidance are:

Privacy and Data Security
Scams and Fraud
Network Security
Website Security
Email
Mobile Devices
Employees
Facility Security
Operational Security
Payment Cards
Incident Response and Reporting
Policy Development, Management
Cyber Security Glossary
Cyber Security Links

Protecting Kids Online

noreply@blogger.com (Steve) — Fri, 25 Nov 2011 06:41:00 PST

Image via Wikipedia

One of the issues I’ve been struggling with over the past ten or so years is how to protect kids online. The Internet offers a world of opportunities. People of all ages share photos and videos, build online profiles, text each other and create alter egos in the form of online avatars. These ways of socializing and communicating can be fulfilling, and yet, they come with risks:

Inappropriate Conduct: The online world can convey a false sense of anonymity and kids sometimes forget that their online actions have real-world consequences.
Inappropriate Contact: There are people out there that have bad intentions; predators, bullies and scammers.
Inappropriate Content: Kids can easily come across pornography, violence or hate speech online.

Some questions to ask yourself as an adult:

Do you think your child knows more about the Internet and technology than you do?
Do you think you know more about communicating respectfully off-line than your child does (parents don’t have to be tech-savvy to know a lot that’s relevant to this topic)?
How much time do you think your kid spends online each day? Each week? That includes time on their phones!
What are your kids’ favorite websites or online games?
Do your kids have their own computers? Do they have cell phones?
Do you supervise what your kids do while online and offer guidance, or are they allowed free rein?
What are your main concerns about online safety?
Do you text? Do you text with your children?

It’s also a good idea to talk with your kids about online safety. To kick things off, here are some questions you can ask your kids:

How much time do you spend online?
What do you like to do online?
Do you sleep with your cell phone in reach?
Do you post pictures online?
Have you every posted or sent anything you later regretted?
Have you or one of your friends ever received a text message that was hurtful or mean-spirited?
Have you ever talked to your parents about something that bothered you online?
Have you ever talked to another adult bout something that bothered you online?

Make your conversation interactive. Ask your kids how they might have handled an incident that involved sharing too much information, cyberbullying, posting embarrassing photos or sexting.

For more information, the US Government has created OnGuardOnline.gov, a site that provides practical tips from the federal government and the technology community to help you guard against internet fraud, secure your computers and protect your privacy. The project is managed by the Federal Trade Commission, the nation’s consumer protection agency, and includes more than a dozen federal agencies.

Additional Resources

OnGuardOnline.gov - Practical tips from the federal government and the technology community to help people be on guard against Internet fraud, secure their computers and protect their privacy.
FTC.gov/idtheft - The Federal Trade Commission's website has information to help people deter, detect and defend against identity theft.
StaySafeOnline.org - The National Cyber Security Alliance seeks to create a culture of cyber security and safety awareness by providing knowledge and tools to prevent cyber crime and attacks.
CommonSenseMedia.org - Common Sense Media is dedicated to improving the lives of kids and families by providing trustworthy information, education and voice they need to thrive in a world of media and technology.
GetNetWise.org - A project of the Internet Education Foundation, the GetNetWise coalition provides Internet users the resources to make informed decisions about their and their family's use of the Internet.
CyberBully411.org - CyberBully411 is an effort to provide resources for youth who have questions about or have been targeted by online harassment.
ConnectSafely.org - ConnectSafely is for parents, teens, educators and advocates for learning about safe, civil use of Web 2.0 together.
iKeepSafe.org - iKeepSafe educational resources teach children of all ages, in a fun, age-appropriate way, the basic rules of Internet safety, ethics and the healthy use of connected technologies.
NetFamilyNews.org - A nonprofit news service for parents, educators, and policymakers who want to keep up on the latest technology news and commentary about online youth, in the form of a daily blog or weekly email newsletter.
NetSmartz.org - The NetSmartz Workshop is an interactive, educational safety resource from the National Center for Missing & Exploited Children.
WiredSafety.org - WiredSafety provides help, information and education to Internet and mobile device users of all ages.

Schedule Emails to be Sent Later in Gmail

noreply@blogger.com (Steve) — Tue, 06 Dec 2011 13:44:48 PST

Image via Boomerang for Gmail

I have happily been a Gmail and Google Apps account holder for several years. A feature that I felt had been lacking was the ability to schedule emails to be sent at a later date. I've searched for various solutions ... all of them disappointing ... until recently when I came across Boomerang for Gmail which does just that; it lets you write an email now and schedule it to be sent automatically at a scheduled time. There are both Google Chrome and Firefox plugins for Boomerang. The plugin adds a “Send Later” button in Gmail. It doesn’t get much easier than that to schedule emails for sending at a later date.

If you're interested in using Boomerang for free, here's the link: Boomerang for Gmail

Water System Attack on City Water Station Destroys Pump

noreply@blogger.com (Steve) — Tue, 29 Nov 2011 10:39:39 PST

Image via Wikipedia

Last week a disclosure was made about a public water district SCADA system hack. There have been several reports in the press concerning the attack on control system of the city water utility in Springfield, Illinois and the resulting burn-out of a pump. Law enforcement is investigating.

[UPDATE] 11/29/2011 - Department of Homeland Security officials are now saying that the water-pump failure in Illinois wasn't cyberattack after all. READ MORE

ICS-CERT Report - (ICSB-11-327-01—ILLINOIS WATER PUMP FAILURE REPORT)

Operation Ghost Click

noreply@blogger.com (Steve) — Fri, 18 Nov 2011 22:08:44 PST

The FBI is seeking victims in a DNS Malware Investigation for the case of UNITED STATES v. VLADIMIR TSASTSIN, ET AL. Specifically, the FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software related to the defendants. As you know form the news blurbs that I've been sending out, this malware modifies a computer’s Domain Name Service settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants.

On your own systems, and the systems you manage, it's recommend you check the DNS settings and register as a victim of the DNSChanger malware if the DNS entries have been modified to point to the defendants' DNS servers. Complaints can be filed here: https://forms.fbi.gov/dnsmalware

For more information, including steps on how to check your DNS settings, go to http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf.

Department of Defense Cyberspace Policy Report

noreply@blogger.com (Steve) — Wed, 16 Nov 2011 14:07:18 PST

Image via Wikipedia

The Pentagon published their most explicit cyberwarfare policy to date. The report states that, if directed by the president, the DoD will launch "offensive cyber operations" in response to hostile acts. Hostile acts may include "significant cyber attacks directed against the U.S. economy, government or military,".

Here's a link to the report:

http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf

Cyberspace Security Review

noreply@blogger.com (Steve Zenone) — Sun, 31 May 2009 15:01:45 PDT

On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White House. Obama will sign a classified order within the coming weeks that will create the military cybercommand.

He stated that cyber-criminals have cost US citizens over $8 billion worth of stolen data and that the figure worldwide was up to $1 trillion.

The announcement came with the release of the Cyberspace Security Review, a 76 page document that had 60-days to be completed from the date of the initial request. The Cyberspace Security Review explains how the US intends to secure its critical network infrastructure. It was stated that the review was necessary because, “America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration”, and that, “our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.”

The Cyberspace Security Review made the following 10 recommendations for near-term action:

Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
Initiate a national public awareness and education campaign to promote cybersecurity.
Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

What is promising about the Review is that there's repeated focus on outcomes as opposed to the inputs. Too often forward progress is hindered by the inefficient efforts of trying to define process before goals and objectives are clearly defined and understood. Rather, the Review consistently attempts to make it clear what the strategic outcomes are, and from those objectives, the development of process will be guided.

The Review also states, “Other structures will be needed to help ensure that civil liberties and privacy rights are protected.” The inclusion to help protect our privacy and civil liberties is an indication of the balanced intention of the plan.

Money will also be set aside for research and development of security technologies, from which there will be significant opportunity.

What I'm not certain about is the overall effectiveness the Cyber-Security Chief will have. Specifically, the position will not have direct access to the president. As a result, this position may not be high-level enough to prevent the almost certain bureaucratic nonsense, internal bickering and games that could waste millions/billions of dollars.

Though the Review solely focusses on defensive measures, I'm also curious what efforts are underway, if any, towards the development and potential use of cyberweapons.

Overall, the document doesn't suggest that there will be any major changes that will affect the private sector within the near term. The Review recommends specific changes to the direction of future US policies. Within the mid-term I imagine that lawmakers will develop regulations that will require the sharing of security incident data from the private sector with the government, presumably tempered with the commitment to ensure civil liberties. I anticipate that we will also see more emphasis put towards penetration testing and incident response.

Steve

###

How ITIL Can Improve Information Security

noreply@blogger.com (Steve Zenone) — Wed, 27 May 2009 08:59:07 PDT

By: Steven Weil

Introduction

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations implement and manage information security.

ITIL overview

ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books.

When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books. These contain a set of structured best practices and standard methodologies for core IT operational processes such as Change, Release, and Configuration Management, as well as Incident, Problem, Capacity, and Availability Management.

ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization who commission and pay for IT services (e.g. Human Resources, Accounting), are considered to be "customers" of IT services. The IT organization is considered to be a service provider for the customers.

ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.

The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program.

Organizations can benefit in several important ways from ITIL:

IT services become more customer-focused
The quality and cost of IT services are better managed
The IT organization develops a clearer structure and becomes more efficient
IT changes are easier to manage
There is a uniform frame of reference for internal communication about IT
IT procedures are standardized and integrated
Demonstrable and auditable performance measurements are defined

ITIL details

ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels:

Strategic: An organization's objectives are determined, along with an outline of methods to achieve the objectives.

Tactical: The strategy is translated into an appropriate organizational structure and specific plans that describe which processes have to be executed, what assets have to be deployed, and what the outcome(s) of the processes should be.

Operational: The tactical plans are executed. Strategic objectives are achieved within a specified time.

A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices:

Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure.

Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs.

Problem Management: Best practices for identifying the underlying cause(s) of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.

Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.

Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.

Availability Management: Best practices for maintaining the availability of IT services guaranteed to a customer (for example, optimizing maintenance and design measures to minimize the number of incidents). These practices ensure that an IT infrastructure is reliable, resilient, and recoverable.

Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are provided efficiently, economically, and cost-effectively.

Service Level Management: Best practices for ensuring that agreements between IT and IT customers are specified and fulfilled. These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk's most important responsibilities are monitoring incidents and communicating with users.

Figure 1 depicts the above processes, showing how the Service Desk function serves as the single point of contact for the various service management processes.

Figure 1. ITIL Service Management Processes

More detailed information about the above processes and Service Desk function can be found in the references listed at the end of this article.

ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:

Policies - overall objectives an organization is attempting to achieve
Processes - what has to happen to achieve the objectives
Procedures - who does what and when to achieve the objectives
Work instructions - instructions for taking specific actions

It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:

Figure 2. Information Security Process

As some organizations look at Implementation and Monitoring as a single step, ITIL's Information Security Process can be described as a seven step process:

Using risk analysis, IT customers identify their security requirements.
The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.
The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.
Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.
The SLA and OLAs are implemented and monitored.
Customers receive regular reports about the effectiveness and status of provided information security services.
The SLA and OLAs are modified as necessary.

Service level agreements

The SLA is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should include:

Permitted methods of access
Agreements about auditing and logging
Physical security measures
Information security training and awareness for users
Authorization procedure for user access rights
Agreements on reporting and investigating security incidents
Expected reports and audits

In addition to SLAs and OLAs, ITIL defines three other types of information security documentation:

Information security policies: ITIL states that security policies should come from senior management and contain:
1. Objectives and scope of information security for an organization
2. Goals and management principles for how information security is to be managed
3. Definition of roles and responsibilities for information security
Information security plans: describes how a policy is implemented for a specific information system and/or business unit.
Information security handbooks: operational documents for day-to-day usage; they provide specific, detailed working instructions.

Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and manage information security.

ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes Oxley).
ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.

Implementing ITIL

ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption.

Implementing ITIL does take time and effort. Depending on the size and complexity of an organization, implementing it can take significant up front time and effort. For many organizations, successful implementation of ITIL will require changes in their organizational culture and the involvement and commitment of employees throughout the organization.

Critical factors for successful ITIL implementation include:

Full management commitment and involvement with the ITIL implementation
A phased approach
Consistent and thorough training of staff and management
Making ITIL improvements in service provision and cost reduction sufficiently visible
Sufficient investment in ITIL support tools

Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.

Author Resource: Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at sweil@sla.com.

Article From: SecurityFocus

Some of the Best Ways to Lose Your System Data

noreply@blogger.com (Steve Zenone) — Mon, 18 May 2009 07:44:00 PDT

By: Nick Pegley

Have you ever thought about the best ways to be negatively affected by a disaster, get hacked, or otherwise part with data stored on your computers? Here are some of the best ways to lose system security, in no particular order:

When an employee quits or is let go, leave his network log ins and e mail accounts enabled. You never know when he might want to check in on things.
Rely solely on technology. Firewalls, encryption and antivirus software are all you need to protect your information.
Completely outsource your information security initiatives. There's no need for anyone inside your organization to worry about such matters.
Leave your operating systems and software applications with the default settings. System hardening is for the birds.
Don't train your users on your security policies and what to look out for, such as unsolicited e mail attachments and common hacker activities. Your users can't be burdened with more training.
If you do happen to have a security policy, never refer to it, enforce it, update it or do what it says.
By all means, don't take an inventory of your information systems or document your network.
Don't pay attention to or even bother to understand what you're trying to protect.
Don't patch your software or update your virus signatures, and never, ever, run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It s just too time consuming.
Respond to hacker attacks, viruses and other intrusions as they happen don't be proactive in dealing with them.
Ignore all known best practices and international information security standards from the International Standards Organization, Internet Engineering Task Force, SANS Institute, and your local information security consultant, to name a few.
Leave your databases, especially those containing credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.
Run your business without disaster recovery and business continuity plans. After all, you can think clearly and make critical decisions under pressure, right?
Don't monitor your systems. They'll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you'll be notified automatically, won't you?
Don't back up your data, but if you must, don't test your backups. Also, leave your backup media on site preferably sitting on top of an uninterruptible power supply.
Don't create any security policies that document how you re safeguarding your information to protect your organization and clients from information disasters and legal liabilities.
Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything ... it's only fair, right?
Don't subscribe to security bulletins and mailing lists, and don't ever read information security trade magazines.
Don't, under any circumstances, get upper management involved in information security initiatives. They're business focused and shouldn't be bothered or even care about technology or the liabilities associated with their information, right?
Use passwords that consist of your pet's name, your name, your mom's maiden name, or your birthday. That way, you won t forget them. Better yet, just use "password" for your passwords. Also, don t forget to write them down and post them on your monitor or keyboard.

And, last but not least:

Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.

By following these practices you can be sure that your computers will be an easy target for viruses, disgruntled employees, hackers, and others. You can show up to work each day with the pride of knowing that there's an excellent chance that your business data will be missing when you arrive. It's just a matter of time, and it s all easily achieved.

Author Resource:-> Nick Pegley is VP Marketing for All Covered: Technology Services Partner for Small Business, providing http://www.allcovered.com/locations/denver/ disaster recovery solutions and technology services in 20 major U.S. metro areas.

Article From Zing Articles - Best Free Articles on all topics

Where The 'Bleep' Did My Identity Go?

noreply@blogger.com (Steve Zenone) — Fri, 08 May 2009 17:15:32 PDT

By Judi Lynn Lake

I am a die-hard Mac user. Have been for over twenty years and it only gets better. The PC certainly has its place but for creative projects well... the Mac is superior and the good news is is that Mac's do not get viruses.

My partner is a die-hard PC user. If you ever viewed the recent Mac commercials then you can imagine our relationship. I have recently added creative video production to my advertising agency's services and my partner began to feel a bit competitive. I have always thrived on competition and believe it to be good... even if it is with your partner.

My first video was a Creative Director's dream -- my client gave me complete creative carte blanche. My partner, who is a copywriter, had recently bought PC video software and... well, he was just dying to use it and prove that it would triumph over the Mac.

Once I completed all the storyboards, I sent a crew out to shoot on location. As I passed my partners office, I peaked in his office and I could see sweat dripping from his forehead. He was struggling and I silently laughed, wishing we had made a bet. Two weeks later the video was completed; fully edited and designed on my Mac. The client approved the video and it was a 'go'. My partner, on the other hand, was still trying to learn the software and his final product was 'the homegrown version' clip. It is comical, but seriously our differences actually are our strengths.

An experienced Mac user tends to be 'cocky' at times because there really are no limits to what our little machines can do, and I am no exception -- I rarely see any limits. There was, however, a disadvantage I experienced recently that unfortunately is nondiscriminating towards neither a Mac nor a PC: Identity Theft. This week I became victim to Identity Theft and therefore a statistic in the wonderland of technology.

No longer holding the 'it could never happen to me' mentality because it did and it happens to millions of people a day without some consumers ever realizing it. Technology is incredible and we can do things today that were never imagined twenty years ago. But as technology juices up the creative sector, it also feeds the larcenists and opens up a world of crime unheard of years ago.

Once considered a protection, our social security number has actually transformed into the very bait that perpetrators look for to steal identities. Who is walking around with my name? Who is walking around with my numbers and personal information? Is it someone reading this article? Is it someone I do business with? Is it my neighbor? This is a form of terrorism, which stalks our daily lives in the twenty-first century and ruins lives.

I have been 'Judi Lynn' all of my life and 'Lake' for the past eleven years and am very happy to be me. How dare a stranger invade my life and steal it from me. I have heard nightmare stories of people haunted for years through Identity Theft and to quote the 1970s movie Network, "I am mad as hell and I am not going to take it anymore!"

Unfortunately, in this day and age, high security precautions must be taken both personally and professionally. The best defense against this heinous crime is education and guidance but 'the damned if you do' fact is that skilled identity thieves will use a variety of methods to gain access to your data. There are many websites available on the Internet that educates people on steps to protect themselves before and after Identity Theft occurs. One such site I recommend is The Federal Trade Commission For The Consumer.

Some Steps To Take Today Before You Fall Victim

Place passwords on all of your credit card, bank, and phone accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers. When opening new accounts, you may find that many businesses still have a line on their applications for your mother's maiden name. Ask if you can use a password instead.
Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in your home.
Ask about information security procedures in your workplace or at businesses, doctor's offices or other institutions that collect your personally identifying information. Find out who has access to your personal information and verify that it is handled securely. Ask about the disposal procedures for those records as well. Find out if your information will be shared with anyone else. If so, ask how your information can be kept confidential.

Don't think that identity theft can not happen to you, expect that it will so that it won't -- stay informed and stay educated so you do not become a statistic.

Article Source: Articles Engine

PCI Compliance - Disable SSLv2 and Weak Ciphers

noreply@blogger.com (Steve Zenone) — Thu, 19 Mar 2009 07:57:06 PDT

According to section 4.1 of the the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

What does this mean? In order to validate your PCI DSS compliance in this area you will need to ensure that your relevant server(s) within your PCI environment are configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" cryptography. You are also required to have quarterly PCI security vulnerability scans conducted against your externally facing PCI systems. Without disabling SSLv2 and weak ciphers you are almost guaranteed to fail the scans. In turn this will lead to falling out of compliance along with the associated risks and consequences.

The SSLv2 Conundrum

Does your server support SSLv2?

How to test:

You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:

# openssl s_client -ssl2 -connect SERVERNAME:443

If the server does not support SSLv2 you should receive an error similar to the following:

# openssl s_client -ssl2 -connect SERVERNAME:443

CONNECTED(00000003)

458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

How to configure Apache v2 to not accept SSLv2 connections:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

How to configure Microsoft IIS to not accept SSLv2 connections:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

Those Pesky Weak SSL Ciphers

Does your server support weak SSL ciphers?

How to test:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

If the server does not support weak ciphers you should receive an error similar to the following:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

CONNECTED(00000003)

461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

How to configure Apache v2 to not accept weak SSL ciphers:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.

How to configure Microsoft IIS to not accept weak SSL ciphers:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:0000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted..

At this point have your Approved Scanning Vendor (ASV) scan your external facing PCI environment to validate. Making the above changes should cause the ASV scans to not tag and fail you on the following vulnerabilities:

SSL Server Supports Weak Encryption
SSL Server Allows Cleartext Encryption
SSL Server May Be Forced to Use Weak Encryption
SSL Server Allows Anonymous Authentication

Steve

###

Sync Oracle Calendar to Google Calendar + iCal + iPhone

noreply@blogger.com (Steve Zenone) — Mon, 02 Mar 2009 19:21:21 PST

I've been searching for a reliable method to automate the synchronization of events from Oracle Calendar (formerly CorporateTime) to my Google Calendar, iCal on my Mac, and internal iPhone calendar on my iPhone.

Recently I learned of a promising iPhone app available at iTunes called Todo+Cal+Sync that could do most of what I was looking for with synchronizing calendars. However, I didn't want to fork over $14.99 for an application that, instead of importing Oracle Calendar events into the native iPhone calendar, added an additional calendar application on my iPhone. Synthesis AG, the developer of the Todo+Cal+Sync application, is required to do this because of limitations imposed by Apple's iPhone software development kit (SDK). In other words, Apple does not allow 3rd part applications, such as Todo+Cal+Sync, to access the internal iPhone calendar, nor sync with iCal. This is a risk/benefit that Apple needs to manage; is the benefit of restricting access to the internal iPhone calendar worth the impact it has on the development of 3rd party applications and subsequent ripple effect? Until Apple's iPhone SDK allow such access, I did not want two calendar applications and continued looking for something that would better match my needs.

After digging around and tinkering with different solutions, I worked out a method that did exactly what I wanted. To make this solution even better, it cost $0 - in other words, FREE!

Below are the steps that I came up with to make the calendar sync work for me. Steps 1-3 are also useful for those who do not necessarily have an iPhone or iTouch but want to sync their Oracle Calendar with other devices and/or calendar apps that support Google Calendar's CalDAV sync.

Begin by changing your password for your Oracle Calendar user account. Make it a unique password that you are not using anywhere else. In other words, your new Oracle Calendar password should not be the same password as you're using for other email accounts, online banking, eBay, PayPal, etc. This new password should also comply to any password policies that may exist for users of the Oracle Calendar system.
Create a "magic" URL using SyncML2iCal.com. This URL will be used in step #3. You will want your magic URL to look something like the following:

Example - Oracle Calendar supporting https on port 443

http://sync.syncml2ical.com/?serverurl=https://YOUR.ORACLE.CALENDAR.COM:443/ocas-bin/ocas.fcgi?sub=syncml&user=USERNAME&pass=PASSWORD&eventsdb=./Calendar/Events?/dr(-7,30)

SECURITY WARNING - There is an increased security risk with this method. It's up to you to determine if this is a risk you are willing to accept and that it doesn't violate any policies or restrictions imposed by the organization running the Oracle Calendar service that you are using. The risks include:

Unauthorized interception of your password from the URL as it's being transmitted to SyncML2iCal.com or from SyncML2iCal.com.

SyncML2iCal.com itself becoming compromised and allowing an attacker to intercept your password.

In my opinion, the likelihood of the above risks happening are medium to low. You can keep this risk on the lower end by never connecting to untrusted networks or using insecure wireless, which includes wireless networks that use WEP encryption.

Additionally, you will need to determine if the impact of an unauthorized user obtaining your Oracle Calendar password would have a significant impact or not. In most instances, I would imagine the impact would be low.

This is why doing step #1 above is critical in helping minimize the impact if your password was compromised.

Anyone using an application that syncs using the SyncML functionality of Oracle Calendar should take the same precautions irregardless if he or she are using SyncML2iCal.com as a proxy to convert SynchML to iCal format.

Go to Google Calendar and add a new calendar by selecting Add by URL . You will use the URL you created from step #2. You may also want to change the display name and color of this new calendar on Google Calendar.

Do note that Google has stated that external feeds added via the "Add by URL" method should be refreshed every 24 hours.

Download and run Calaboration from Google Code. This will allow you to add your Oracle calendar to your Mac's iCal application. Before you can add the new calendar, click on preferences within Calaboration and enable allowing read only calendars to be added. Make sure your new calendar is selected and let Calaboration do the setup work for you. Your Oracle calendar will then sync with iCal.

Use iTunes to sync Oracle calendar from iCal to your iPhone.

One minor annoying issue I came across was with how day events and day notes from Oracle Calendar were handled by the time they showed up in iCal. Day events and notes from Oracle Calendar showed up in iCal as being a blocked all-day event from 0000-2359. As a quick temporary solution I simply denied day events and notes within Oracle Calendar and re-synced. This temporary approach was acceptable for me since I use Google Calendar to manage my daily notes and I can look at a user's Oracle calendar if I need to know if he or she is on vacation, on-call, etc.

As for effectively managing tasks using your iPhone, see my previous article titled, Tools To Get Things Done.

Steve

###

Thoughts on IT Security Organizational Structure

noreply@blogger.com (Steve Zenone) — Mon, 04 May 2009 15:45:12 PDT

I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.

As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be support. In order for InfoSec to be successful it must have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:

Develop high standards of corporate governance
Treat InfoSec as a critical function that enables an organization to do business
Create an environment that understands the importance of, and embraces, InfoSec
Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner
Ensure that controls being implemented by InfoSec are appropriate and proportionate to risk being addressed
Stay informed and accept ultimate responsibility and accountability

The first bulleted point in the above list, "Develop high standards of corporate governance", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:

An all-inclusive security strategy that links to clearly defined and documented business objectives
Security policies that address the multiple facets of security strategy, regulatory compliance and controls
Standards for each of the policies to make sure that procedures and guidelines comply with policy
An organizational structure void of conflicts of interest with sufficient resources and authority
Metrics and monitoring processes to ensure compliance and provide feedback

Again, I want to emphasize that It is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to stand behind InfoSec. Without the complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.

To limit conflicts of interest and actualize the benefits from investing within InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind their back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO's and CIO's.

Ok, great, so the ISO should report to the CFO ... then what?

What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy & Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security, business continuity and disaster recovery.

Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when majority of the investment is being put into technology then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.

So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to be more strategic. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help business achieve its objectives, InfoSec will need to become more focussed on 'intelligence'; gathering information, ability to comprehend, ability to develop policy and plans at a high level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.

Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There will need to be coordination between IT Security, Operations, Policy & Compliance, Risk Management, Audit and Physical Security.

What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.

Steve ###

Zen One

Retrieving a Stolen iPhone in Under 72 Hours

Related articles

Koobface Analysis

Related articles

DHS Cybersecurity Strategy and New California eCrime Unit

Related articles

America the Vulnerable

Related articles

New Reader Poll - CISSP Exam

The Pony in the Dung Heap Joke

Free Security Awareness Training - Part 5 of 5

Related articles

Free Security Awareness Training - Part 4 of 5

Related articles

Free Security Awareness Training - Part 3 of 5

Related articles

Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523)

Related articles

Free Security Awareness Training - Part 2 of 5

Related articles

Free Security Awareness Training - Part 1 of 5

FCC Small Biz Cyber Planner

Related articles

Protecting Kids Online

Schedule Emails to be Sent Later in Gmail

Water System Attack on City Water Station Destroys Pump

Related articles

Operation Ghost Click

Related articles

Department of Defense Cyberspace Policy Report

Cyberspace Security Review

How ITIL Can Improve Information Security

Introduction

ITIL overview

ITIL details

ITIL and information security

Service level agreements

Ten ways ITIL can improve information security

Implementing ITIL

Conclusion

Some of the Best Ways to Lose Your System Data

Where The 'Bleep' Did My Identity Go?

PCI Compliance - Disable SSLv2 and Weak Ciphers

Sync Oracle Calendar to Google Calendar + iCal + iPhone

Thoughts on IT Security Organizational Structure