Archive for the ‘Whitepapers’ Category
Posted by Jaime Raphael Licauco, CISSP, GSEC on February 5, 2009
Seminars
ECCInternational will be giving a Certified BCMS (BS 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program on Configuration Management on Feb 10-11; you can check out their training schedule here. An ISO 9001:2008 IRCA Certified Lead Auditor seminar will also be given on either Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.
Webcasts
CSO Online has published a podcast interview with Jim Routh, the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.
(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster
Whitepapers
There’s a recent (Winter 2009) presentation published by the Stanford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from phishing, the presentation covers how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.
(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits
Insider Threat
I either gotta love this… or get paranoid about this: within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script, hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch the machines back on. Fortunately, it was found by another employee within days of the firing.
(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?
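The control that would have surfaced the Fannie Mae change early is a baseline of every scheduled script, kept where the people who can edit the jobs cannot reach it, and diffed before each run or on a schedule. The following is an added example written for this post, not code from the case or from any product: it hashes a job directory, stores the baseline as JSON in a separate location, and reports scripts that were modified, added or removed. The directory layout, script contents and the appended line are constructed for the demonstration.

```python
"""Baseline-and-diff check for scheduled scripts (added example, constructed data)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large scripts do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(job_dir):
    """Map every file under job_dir (relative path) to its SHA-256 digest."""
    result = {}
    for root, _dirs, files in os.walk(job_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            result[os.path.relpath(full, job_dir)] = sha256_file(full)
    return result


def diff_baseline(saved, current):
    """Compare a stored baseline with a fresh scan; any non-empty list is an alert."""
    return {
        "modified": sorted(p for p in saved if p in current and saved[p] != current[p]),
        "added": sorted(p for p in current if p not in saved),
        "removed": sorted(p for p in saved if p not in current),
    }


def demo():
    """Constructed scenario: a legitimate nightly job is baselined, then altered."""
    with tempfile.TemporaryDirectory() as jobs, tempfile.TemporaryDirectory() as vault:
        legit = os.path.join(jobs, "nightly_report.sh")
        with open(legit, "w") as handle:
            handle.write("#!/bin/sh\n/opt/reports/run.sh >> /var/log/reports.log\n")

        # The baseline lives in a separate location (the "vault"), not in the job
        # directory, so someone who can edit the jobs cannot silently re-baseline.
        store = os.path.join(vault, "baseline.json")
        with open(store, "w") as handle:
            json.dump(baseline(jobs), handle)

        # Later: one line is appended to the legitimate script. This stand-in line is
        # constructed for the example and is not the payload from the news story.
        with open(legit, "a") as handle:
            handle.write(". /tmp/.x\n")
        # ...and an unexpected new job appears.
        with open(os.path.join(jobs, "cleanup.sh"), "w") as handle:
            handle.write("#!/bin/sh\necho cleanup\n")

        with open(store) as handle:
            saved = json.load(handle)
        return diff_baseline(saved, baseline(jobs))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline file itself needs the same protection (a signature or a read-only store), every hit should map to a change ticket, and the check belongs on a host the job owners do not administer; pair it with the access-removal check the next story below makes obvious.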
Another recent example of an insider threat involves a former employee who still had access to the system, as this article reports: “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.”
Psychology/Social Engineering
There’s good insight into the psychology involved in information security in this article from (CSO Online) Are You Addicted to Information Insecurity?
And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how social engineering can be used. Also on social engineering, the FBI warns of Money Mule Scams.
A novel way of luring people to a website hosting malware was found in North Dakota. How? Stick a fake parking violation ticket on the windshield, with the supposed details of the infraction on a website.
Readers of this blog might also want to check out What the Web Knows About You. It’s a six-page article on what attackers may be able to find out about you online. If you’re in the US and are considering searching for your own Social Security number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.
Browser Security
CSO Online also did an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in release 3.0.6 of the browser.
Also related, Browser Secrets of Secure Connections explains how the browser plays a key part in determining the strength of the cipher suite negotiated between the client and the web server: the server can only choose from what the client offers. The article references the InfoWorld Test Center Guide to browser security.
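To make the negotiation rule concrete, here is an added example written for this post (not code from the article or from any browser). `negotiate()` models the TLS rule that the server picks a suite from the intersection of its own list and the client’s offer, either in the client’s order or, if the server honours its own order, in the server’s order; `negotiate_hardened()` shows the server failing closed instead of accepting a weak overlap. The suite table, strength values and the `WEAK` set are illustrative constants chosen for the example, not a recommended configuration. `openssl_offer()` uses the real `ssl` module to list what the local OpenSSL build would advertise for a given cipher string.

```python
"""Who decides the cipher suite: the client's offer is the ceiling (added example)."""
import ssl

# Constructed, illustrative suite table: name -> symmetric key strength in bits.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": 256,
    "AES128-SHA": 128,
    "RC4-MD5": 128,      # 128-bit key, but the cipher itself is broken
    "DES-CBC-SHA": 56,
}
# Suites a server should refuse regardless of what the client offers (illustrative).
WEAK = {"RC4-MD5", "DES-CBC-SHA"}


def negotiate(client_offer, server_supported, honor_server_order=True):
    """Suite the server selects, or None when client and server share no suite."""
    if honor_server_order:
        common = [s for s in server_supported if s in client_offer]
    else:
        common = [s for s in client_offer if s in server_supported]
    return common[0] if common else None


def negotiate_hardened(client_offer, server_supported, honor_server_order=True):
    """Same rule, but weak suites are removed from the server side first (fail closed)."""
    allowed = [s for s in server_supported if s not in WEAK]
    return negotiate(client_offer, allowed, honor_server_order)


def offered_strength(client_offer):
    """Best outcome any server can give this client: strongest non-weak suite offered."""
    good = [s for s in client_offer if s not in WEAK]
    return max(good, key=lambda s: SUITES.get(s, 0)) if good else None


def openssl_offer(cipher_string="DEFAULT"):
    """Suites this Python/OpenSSL build would offer for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    server = list(SUITES)
    old_browser = ["RC4-MD5", "AES128-SHA"]
    print("server order  :", negotiate(old_browser, server))
    print("client order  :", negotiate(old_browser, server, honor_server_order=False))
    print("fail closed   :", negotiate_hardened(["DES-CBC-SHA"], server))
    print("local offer   :", openssl_offer()[:5], "...")
```

The takeaway matches the article: a server that honours its own order still cannot exceed the client’s offer, so browser configuration sets the ceiling, and the only server-side defence against a weak client list is to refuse the handshake.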
New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend against this kind of attack.
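The slideshow above walks through cache poisoning; the following added example (written for this post, not taken from the slideshow or from any resolver) models the resolver-side checks that decide whether a forged answer is accepted: transaction ID, destination port, question and bailiwick. It then runs a small seeded simulation to show why a 16-bit transaction ID alone is guessable in a few thousand packets while adding source-port randomisation makes blind guessing impractical. Names, addresses and packet counts are constructed for the example.

```python
"""Resolver acceptance checks against forged DNS replies (added example, constructed data)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    qtype: str
    txid: int       # 16-bit transaction ID the resolver chose
    sport: int      # UDP source port the resolver sent from
    server_ip: str  # authoritative server the query went to


@dataclass
class DnsResponse:
    qname: str
    qtype: str
    txid: int
    dport: int
    src_ip: str     # trivially spoofed by the attacker, so it adds no security
    rr_name: str    # owner name of a record the reply asks the resolver to cache
    rdata: str


def in_bailiwick(rr_name, zone):
    """Only cache records for names at or below the zone that was queried."""
    return rr_name == zone or rr_name.endswith("." + zone)


def accept(pending, resp, zone):
    """True only if the reply matches the outstanding query on every checked field."""
    return (
        resp.txid == pending.txid
        and resp.dport == pending.sport
        and resp.src_ip == pending.server_ip
        and (resp.qname, resp.qtype) == (pending.qname, pending.qtype)
        and in_bailiwick(resp.rr_name, zone)
    )


def new_query(qname, qtype, server_ip, rng, randomize_port=True):
    txid = rng.randrange(65536)
    sport = rng.randrange(1024, 65536) if randomize_port else 53  # fixed port: old behaviour
    return PendingQuery(qname, qtype, txid, sport, server_ip)


def flood(pending, zone, packets, rng, attacker_knows_port):
    """Blind attacker sends forged replies; True if any one is accepted."""
    for _ in range(packets):
        port = pending.sport if attacker_knows_port else rng.randrange(1024, 65536)
        forged = DnsResponse(pending.qname, pending.qtype, rng.randrange(65536), port,
                             pending.server_ip, "www." + zone, "203.0.113.7")
        if accept(pending, forged, zone):
            return True
    return False


def expected_hit(packets, randomize_port):
    """Analytic probability that at least one of `packets` blind guesses is accepted."""
    space = 65536 * (64512 if randomize_port else 1)
    return 1 - (1 - 1 / space) ** packets


def success_rate(trials, packets, randomize_port, seed=1):
    """Fraction of simulated queries poisoned; deterministic for a given seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        q = new_query("www.example.com", "A", "198.51.100.1", rng, randomize_port)
        if flood(q, "example.com", packets, rng, attacker_knows_port=not randomize_port):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for rand in (False, True):
        print("port randomised" if rand else "fixed port     ",
              "expected %.4f" % expected_hit(3000, rand),
              "simulated %.2f" % success_rate(100, 3000, rand))
```

The source-IP comparison is kept in `accept()` only to show that it is not a defence: the attacker forges it. What raises the bar is entropy the attacker cannot see (transaction ID plus port, and 0x20 case randomisation where available) together with the bailiwick rule, which stops an answer for one name from planting records for another.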
Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.
(Computerworld Blog) Security businesses move ahead in this economy
(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs
(Computerworld) Microsoft denies Windows 7 security feature contains bug
(Computerworld) Banks, customers feel the fallout of the Heartland breach
(Computerworld) Study: Data breaches continue to get more costly for businesses
(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns
Posted in Change Management, ISMS, Incident Management, Presentations, Privacy, Webinars, Whitepapers, conferences, social engineering | Tagged: admin rights, Breach, ecci, firefox, healthcare, heartland, HIPAA, IE, BS 25999:2007, Microsoft, obama, Privacy, seminar, social engineering, software vulnerability, stanford university, windows 7, world privacy forum | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on December 18, 2008
Microsoft has issued an unscheduled patch to close the security hole in IE in its MS08-078 Security Bulletin.
A Security Park report states that, according to Panda Security, there has been as much malware in the first months of ’08 as in the previous 17 years combined.
Related links:
SANS published a 61 page whitepaper by Mark Baggett, GCIH, on the Effectiveness of Anti-Virus vs Metasploit Payloads
Anti-Virus Rants Blog
Computerworld Security lists three simple ways to protect against social networking malware: 1. have a stronger password, 2. be wary of third-party apps, 3. beware of user-generated spam.
Now I’m wondering if there are tips out there regarding Friendster since they obviously have a problem with the SPAM I’ve been getting from a couple of users.
CDW has a two-page whitepaper on Making the Case for Security Spending.
UPI.com Homeland and National Security Editor Shaun Waterman wrote about the questionable effectiveness of FISMA in real-world use. The article states that the US Justice Dept got a grade of A- because FISMA is primarily concerned with “ensuring that all agencies ‘have policies and procedures to enhance the security of information in their IT systems’ [however, FISMA does] ‘not assess whether the Department has actually implemented these processes, nor did it assess the actual security of the Department’s IT systems.’”
The US Center for Strategic and International Studies (CSIS) recommends a cybersecurity model based on nuclear nonproliferation, because the seriousness and complexity of cyberthreats require a coordinated approach that spans agency jurisdictions, borders and sectors.
See the earlier post for the CSIS report.
Update on Browser Password Management Security
In the test by Chapin Information Services (CIS), Opera and Firefox each passed seven of 21 tests, IE passed five, and Safari and Chrome each passed two.
(The Register) Browser Password Security Test
(Chapin Info Services) Google Chrome receives lowest Password Security Score
Other Security News
(Bank Info Security) Where the Jobs Are: 5 Hot Career Tips for 2009
(Bank Info Security) Top Certifications for Industry Pros
Posted in News, Social Networking, Whitepapers | Tagged: Antivirus, FISMA, IE, Microsoft, Panda, ROSI, zero day | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on December 1, 2008
Posted in News, Whitepapers, conferences | Tagged: 2008, apple, click-jacking, clickjacking, conference, Forensics, hackin the box, hacking, internet kiosks, iphone, leopard, Mac, OS X, satellite | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on November 15, 2008
There’s apparently been a huge drop in spam after two ISPs were cut off. Stories from the Washington Post and the BBC. Brian Krebs of the Washington Post also covers this in his Security Fix blog.
More ISPs are allocating resources to defending against DDoS attacks, according to Arbor Networks’ 2008 Worldwide Infrastructure Security Report. A related article is on ZDNet, and an article on Vnunet talks about ISPs’ fears about IPv6 threats.
A study by Google, presented at the RIPE meeting in Dubai, reports that France and Russia are ahead in IPv6 adoption.
SecurityFocus reports that an “Anti-malware testing group releases standards”, and they can be downloaded here.
SANS will also have a webcast on Understanding the WPA/WPA2 Break.
Since we’re on the topic of webcasts, the talks from SourceBoston’s 2008 conference in March of this year have been up on Blip.tv for a while now. They have great presentations on incident response, secure coding, etc.
And since I enjoyed Schneier’s essay on “The Psychology of Security”, I just thought that InfoSec professionals would find it funny that the Washington Times reports that paranoia is on the rise.
SC Magazine Whitepaper Roundup
Top five strategies for combating modern threats – is anti-virus dead?
By: Sophos Plc.
Today’s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce. Organizations need innovative approaches to protect the web, email servers and endpoint. This paper discusses the security implications of modern…
Complying with the Payment Card Industry’s Data Security Standard
By: DeviceLock, Inc.
The Payment Card Industry Data Security Standard (PCI DSS) was drawn up in order to reduce leakage and inappropriate use of credit card information. It contains over 100 clear information security requirements for all companies who process, store or transfer data about cardholders: banks, processing…
Addressing the Operational Challenges of Administrative Passwords
By: ManageEngine
Enterprises making use of various IT systems (servers, devices, applications etc.) face numerous challenges due to the proliferation of administrative passwords (also called privileged passwords). This white paper discusses the problems associated with administrative password proliferation with…
Tripwire PCI DSS Solutions- Automated, Continuous Compliance
By: Tripwire, Inc.
Find out step-by-step what it takes to become compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), and how Tripwire can help your company achieve and maintain PCI compliance.
Malware Security: Taking the Botnet Threat Seriously
By: FireEye, Inc.
How does malware continue to infiltrate networks? Primarily because traditional defenses only address the threat in pieces and parts, which leaves gaps in the enterprise security infrastructure. Meanwhile, malware has become organized to form massive ‘botnets’ (networks of compromised…
ComputerWorld Technical Briefing: Mission-Critical Security – The Threat from Within
By: PacketMotion
We all know blind spots are bad for drivers, but are you aware of how potentially disastrous they can be for IT security professionals? Take a few minutes to review this Computerworld report and you’ll get a clear picture of both the problem and the solution!
Automating Code Reviews: How to Manage Application Risk on a Shrinking Budget
By: Veracode
In a tightening economy many organizations are faced with a “do more with less” mandate on their budgets and their security strategies. On-demand application security testing offered as an outsourced service – based on binary analysis and multiple scanning technologies…
Database Auditing Tools and Strategies
By: Sensage
Learn about a new set of software tools that provide low overhead audit collection with storage, alerting and reporting capabilities. This paper details the trade-offs and strategy of each option.
Posted in News, Whitepapers, Wireless | Tagged: 27002:2005 A.10.8.4, 27002:2005 A.12, Database, DDOS, ipv6, malware, paranoia, pci compliance, pci dss, psychology, spam, testing, Wireless | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008
In my last seminar for ISACA Manila on Introduction to ISMS, I was asked a question on how to get approval for funding for security projects. I answered that awareness was key. Upper-level management has to have an idea of what the risks to their organization are, and the possible consequences, because coming up with the solution would not matter if there doesn’t seem to be a problem. I then said that a report by ENISA (European Network and Information Security Agency) might help. The report I was talking about was “Obtaining support and funding from senior management.”
The report identifies five areas as crucial in obtaining corporate security investments:
- Define the investment rationale and the stakeholders.
- Build a persuasive business case to make senior management better understand the value of the investment.
- Estimate costs: this allows organisations to identify the most common expenses they may incur and make rough estimates.
- Link business benefits to the information security initiative; define and calculate performance metrics.
- Detail a typical path for facing a corporate executive in a senior management briefing. Effective communication is critical: the right information should be delivered at the right time, in the right manner, preferably 6-12 months ahead of the project.
For more information and to download the report, click here. And since we’re talking about awareness, and awareness is the best control against social engineering, ENISA also has a whitepaper on “How to avoid on-line manipulation.”
Another good article on different approaches that can help influence management toward approval is ISMS Implementation – The Bottom-Up Approach.
Updated Links
I updated the Security Awareness and Training Links to include Microsoft’s TechNet page on Security Awareness. The free 120 MB zip file includes Security Awareness Program Development Guidance, Sample Awareness Materials, Sample Training Materials, and the following sample templates:
* Brochure Templates
* E-Mail Invite Template
* Fact Sheet Templates
* FAQs
* Newsletter Template
* Poster Templates
* PowerPoint Templates
* Quick Reference Card
I also added a Philippine Tech Blogs links page.
Posted in Awareness, ISMS, Whitepapers | Tagged: Awareness, ENISA, funding, ISACA, ISO 27001:2005, Manila, social engineering, support | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008
Secure Mobile Computing Using Two-Factor Authentication with VPNs and Disk Encryption – sponsored by Aladdin
ABSTRACT:
This paper highlights the risks that organizations run in allowing mobile users full access to the enterprise network, data, and applications through VPN. It takes a detailed look at how making sensitive corporate data available in this manner creates security gaps, with passwords and encryption keys stored on the hard drive. Aladdin focuses on addressing these issues with strong two-factor authentication, reviewing the broad range of easy-to-deploy, easy-to-use, and low-cost two-factor authentication devices available that meet the needs of organizations today.
Web Application Security: Too Costly to Ignore sponsored by HP
Posted: 24 Sep 2008
Published: 24 Sep 2008
Format: PDF
Length: 8 Page(s)
ABSTRACT:
Web application security is crucial to mitigating the risks of attack and attaining regulatory compliance. The number of web attacks is on the rise, and it is exponentially more cost-effective to remedy flaws early in the development process. There is an enormous chasm between where application security should be and the sad shape of application security today. Download this free whitepaper from HP Software to learn about the gaps in most application security programs and how to incorporate application security across the lifecycle.
Oracle Advanced Security TDE (Encryption)
Posted: 15 Jul 2008
Published: 01 Jun 2007
Format: PDF
Length: 19 Page(s)
ABSTRACT:
Encryption is a key component of the defense-in-depth principle and Oracle continues to develop innovative solutions to help customers address increasingly stringent security requirements around the safeguarding of PII data. Retailers can use Oracle Advanced Security TDE to address PCI-DSS requirements while university and healthcare organizations can use TDE to safeguard social security numbers and other sensitive information. Encryption plays an especially important role in safeguarding data in transit. Oracle Advanced Security network encryption protects data in transit on the intranet from network sniffing and modification. Oracle Advanced Security TDE protects sensitive data on disk drives and backup media from unauthorized access, helping reduce the impact of lost or stolen media.
Data Center TCO – A Comparison of High-density and Low-density Spaces sponsored by Intel
Posted: 24 Jul 2008
Published: 01 Jan 2007
Format: PDF
Length: 12 Page(s)
ABSTRACT:
One of the most common misconceptions in this period of growth is that the total cost of ownership (TCO) of a new data center is lower with a low-density design. In fact, the most efficient new data centers are those with high-density designs, which leverage virtualization to reduce TCO by millions.
This white paper explains why and offers suggestions for successful operations in the high-density data center. Key considerations include:
* Airflow distribution challenges
* Server uniformity
* Airflow velocities
* Hot aisle temperature
Posted in Whitepapers | Tagged: data center, encryption, oracle encryption, Security, web application | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008
All the abstracts are from the searchsecurity.bitpipe.com website.
Accelerating PCI Compliance with Log Management and Intelligence.
Posted: 19 Sep 2008
Published: 19 Sep 2008
Format: PDF
Length: 6 Page(s)
ABSTRACT:
Today, all service providers and retailers that process, store or transmit cardholder data have a fiduciary responsibility to protect that data. As such, they must comply with a diverse range of regulations and industry mandates. One of the most important for the service provider and retailer is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth 12 requirements for IT controls to ensure data security and protection. However, retailers both large and small face tremendous challenges in implementing policies and controls that enable PCI compliance, and the task of implementing best practices can be overwhelming.
Executive Summary: How to Achieve Comprehensive Network Security.
Posted: 16 Sep 2008
Published: 16 Sep 2008
Format: PDF
Length: 14 Page(s)
ABSTRACT:
Security practitioners need to think about security management along three separate axes – operations, investigations, and compliance reporting. Each of these functions is distinct, and typically involves different organizational hierarchies, which dramatically complicates the challenge of security management. The good news is that all of these management functions ultimately can be driven by a common data set, and that is the opportunity for a security management platform to aggregate this data once and leverage it for a number of suitable purposes.
Unauthorized Applications: Taking Back Control.
Posted: 01 Jul 2008
Published: 01 Dec 2007
Format: PDF
Length: 7 Page(s)
ABSTRACT:
This paper explains why it is important for businesses to control unauthorized applications such as instant messaging, VoIP, games and peer-to-peer file sharing, and how malware protection is the simplest and most cost-effective solution.
The rapid emergence of Web 2.0 is beginning to redefine how individuals interact with the internet, and the related technologies pose a range of new threats. While there are a number of solutions available that help IT administrators to manage the problem, many require additional investment and, for many organizations, they can be expensive, unwieldy and difficult to maintain. A better solution is one which completely integrates the blocking of unauthorized applications into the existing anti-malware detection and management infrastructure.
Techniques for Transitioning to an IAM Suite.
Posted: 14 Oct 2008
Published: 14 Oct 2008
Format: PDF
Length: 5 Page(s)
ABSTRACT:
Organizations often fill their IAM needs with a variety of disparate techniques and applications, many of which are home grown or built by a variety of third parties. This tip will explain how an organization can ensure a successful transition from multiple products and tools to a single suite. It will look at:
* How to successfully map functionality from old product/tool functions to new ones
* How to evaluate and manage new and existing policy exceptions
* Guidelines for implementing custom connectors with legacy applications
Anonymous Proxy: A Growing Trend in Internet Abuse, and How to Defeat It.
Posted: 09 Sep 2008
Published: 09 Sep 2008
Format: PDF
Length: 5 Page(s)
ABSTRACT:
Anonymous proxies are an unseen threat: a student’s or employee’s backdoor to malicious or productivity-sapping sites on the Internet. If your URL filtering solution relies on the old-school URL database/keyword approach, your ship is leaking and you may not see the holes.
With hundreds of new proxy sites created each day, traditional URL filtering just can’t keep up, even when supplemented by standard keyword analysis. What follows is a primer on the problems, the sizable costs and time drain for IT professionals, and a discussion of an effective third-generation solution that goes far beyond the traditional strategy.
Posted in Whitepapers | Tagged: log management, pci compliance, unauthorized applications, iam, anonymous proxy | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on November 5, 2008
Joshua Beeman (University of Pennsylvania) and Kathy Bergsma (University of Florida) gave presentations at the Security Professionals Conference in April 2007 on Incident Tracking and Reporting.
The abstract of their presentation is as follows:
“The University of Florida and the University of Pennsylvania both regularly generate summary reports of computer incidents for information security managers. The reports help identify units that need improvement, assist with planning and risk assessment, and have contributed to an improvement in the security posture of both universities.”
Matt Tolbert (University of Pittsburgh) from the same conference presented on Effective Security Metrics.
The abstract is as follows:
“This presentation will show how the University of Pittsburgh successfully uses incident, operational, and compliance metrics to demonstrate the effectiveness of its security controls, as well as to substantiate funding for implementing and sustaining them.”
Both of the above links are from Educause Connect.
Posted in Incident Management, Metrics, Presentations, Whitepapers | Tagged: 27002:2005 A.13, Incident, Metrics, Presentations, Reporting, Security, Tracking, Whitepapers | Leave a Comment »