Computer Forensic Analysis Modes
In computer forensics an examiner performs either a live analysis or a dead analysis of a system, depending on the situation. Below are their descriptions.
A live analysis occurs when the suspect system is analyzed while it is still running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment: the operating system, libraries and even the kernel of the suspect machine may have been modified by the intruder, so anything they report must be treated with caution. Live analysis is frequently used during incident response while the incident is being confirmed. Once it is confirmed, the system can be acquired (imaged) and a dead analysis performed.
A dead analysis occurs when a dedicated analysis system is used to examine data (typically a disk image) acquired from the suspect system. In this case Autopsy and The Sleuth Kit run in a trusted environment, usually a lab, and the evidence itself is never booted or written to. Autopsy and TSK support raw (dd), Expert Witness (EnCase) and AFF image formats.
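In a dead analysis the examiner works from an image file rather than the live disk, and the first step is usually to locate the partitions inside it, as The Sleuth Kit's mmls does. The Python below is an added example, not TSK code and not from the original post: it decodes the MBR partition table of a raw image sector, computes the byte offset of each partition (the number you would hand to fls or icat), and sanity-checks the table for overlapping or out-of-range extents. The sector it parses is constructed for the demonstration, and the partition type names are a small assumed subset.

```python
import struct

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446          # four 16-byte partition entries live at bytes 446..509
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511

# Partition type codes used for labelling (assumed subset of the common MBR type IDs).
PARTITION_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(sector0: bytes) -> list:
    """Decode the primary partition table of an MBR sector.

    Entry layout: boot flag (1 byte), CHS start (3), type (1), CHS end (3),
    LBA start (4, little-endian), sector count (4, little-endian).
    Empty slots (type 0x00) are skipped.
    """
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR (GPT or damaged disk?)")
    parts = []
    for slot in range(4):
        off = MBR_TABLE_OFFSET + slot * 16
        boot, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue
        parts.append({
            "slot": slot,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "start_sector": lba_start,
            "sectors": count,
            # the offset to pass to fls/icat (-o is in sectors) or dd (skip= in bytes)
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return parts


def check_layout(parts: list, image_sectors: int) -> list:
    """Sanity checks an examiner wants before trusting a table: overlaps and out-of-range extents."""
    problems = []
    spans = sorted((p["start_sector"], p["start_sector"] + p["sectors"], p["slot"]) for p in parts)
    for i, (start, end, slot) in enumerate(spans):
        if end > image_sectors:
            problems.append("slot %d extends past end of image" % slot)
        if i > 0 and start < spans[i - 1][1]:
            problems.append("slot %d overlaps slot %d" % (slot, spans[i - 1][2]))
    return problems


def build_sample_mbr() -> bytes:
    """Constructed test sector (not from a real disk): a bootable NTFS partition followed by a Linux one."""
    def entry(boot, ptype, start, count):
        return struct.pack("<B3xB3xII", boot, ptype, start, count)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x83, 206848, 409600) + b"\x00" * 32
    return b"\x00" * MBR_TABLE_OFFSET + table + MBR_SIGNATURE


if __name__ == "__main__":
    # For a real image: parse_mbr(open("evidence.dd", "rb").read(512))
    for p in parse_mbr(build_sample_mbr()):
        print("%(slot)d %(start_sector)10d %(sectors)10d  %(type_name)-14s offset=%(byte_offset)d" % p)
```

The table is read and never written, which is the point of the dead-analysis setup: the image stays pristine and every offset the script prints can be cross-checked against mmls on the same file.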
Thursday, January 31, 2008
Wednesday, January 30, 2008
File Sharing Applications: Another way to be a victim of identity theft
If you use a peer-to-peer file sharing program to download music and videos, you may be a prime candidate for identity theft. Applications such as LimeWire, eDonkey and numerous others may also let strangers download personal documents from your computer at will. The issue stems from the "My Documents" folder being selected as the default shared folder. Most users (and many file sharing applications) pick "My Documents" because that is where most media files live. But think about what else is in "My Documents": family pictures, personal documents, and so on. Everything in a shared folder, including its subfolders, is served to anyone on the network who searches for it.
To date, I have read and heard of individuals accessing mortgage applications, loan paperwork and even 1040 tax returns containing the Social Security numbers of a whole family.
My recommendation, if you insist on using a file sharing program, is to create a dedicated folder for sharing, such as "Shared Documents", point the application at that folder only, and never place personal information in it.
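Before pointing a file sharing client at a folder, it is worth auditing what is actually in it. The Python below is an added example, not from the original post or any file sharing application: it walks a folder, flags anything that is not a media file, file names that look like tax or loan paperwork, and text files containing Social Security number or card number patterns (with a Luhn check so random digit runs are not reported). The sample folder it builds is constructed for the demonstration, and the name and extension lists are assumptions.

```python
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # 123-45-6789
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                 # 16 digits, optional separators
SENSITIVE_NAME_RE = re.compile(r"(1040|w-?2|tax|mortgage|loan|passport|ssn|resume)", re.I)
MEDIA_EXT = {".mp3", ".mp4", ".avi", ".wmv", ".mov", ".jpg", ".jpeg", ".png", ".gif"}
TEXT_EXT = {".txt", ".csv", ".htm", ".html", ".xml", ".rtf", ".log"}   # content scanned only for these


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters random 16-digit runs out of the card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit_share(root) -> list:
    """Walk a folder about to be shared; return (relative path, reason) pairs worth a second look."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if SENSITIVE_NAME_RE.search(path.name):
            findings.append((rel, "sensitive file name"))
        if ext not in MEDIA_EXT:
            findings.append((rel, "not a media file"))
        if ext in TEXT_EXT:
            text = path.read_text(encoding="latin-1", errors="replace")
            if SSN_RE.search(text):
                findings.append((rel, "SSN-like number in content"))
            if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
                findings.append((rel, "card-like number in content"))
    return findings


def make_sample_share() -> str:
    """Constructed share folder for the demonstration (all contents are made up)."""
    root = Path(tempfile.mkdtemp(prefix="shared_"))
    (root / "music").mkdir()
    (root / "music" / "song.mp3").write_bytes(b"ID3" + b"\x00" * 32)
    (root / "1040_2007.txt").write_text("Taxpayer SSN 123-45-6789, spouse 987-65-4321\n")
    (root / "card.txt").write_text("Card on file: 4111 1111 1111 1111\n")
    (root / "fake.txt").write_text("Order ref 1234 5678 9012 3456 (not a card)\n")
    (root / "notes.txt").write_text("grocery list\n")
    return str(root)


if __name__ == "__main__":
    for rel, reason in audit_share(make_sample_share()):
        print("%-20s %s" % (rel, reason))
```

Run it against the real folder with audit_share("/path/to/Shared Documents"); anything it lists should be moved out before the client is started. Office and PDF documents are flagged by name and extension only, since their contents are not plain text.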
Security Product Review: Nessus Vulnerability Scanner by Tenable
From time to time, I will be conducting product reviews of a security tool, application or website that I find to be very useful.
As a System Security Assessor, I often use and test many different tools and applications to do my job. One that has amazed me in recent years with excellent performance and results is the Nessus Vulnerability Scanner by Tenable.
Nessus is a free program designed to automate the testing and discovery of known security problems on networks and computer systems. For a free tool, Nessus has many useful capabilities, such as the Nessus Attack Scripting Language (NASL), which lets security professionals describe individual checks in a simple language, and a plugin vulnerability database cross-referenced to Common Vulnerabilities and Exposures (CVE) identifiers. Another powerful feature of Nessus is its client/server architecture, which allows scanning to be distributed: the server portion runs on most flavors of Unix and Linux, including Mac OS X, while clients are available for both Windows and Unix/Linux.
In my testing of Nessus against more expensive commercial applications such as Foundstone's FoundScan Security Scanner version 5 and Internet Security Scanner (ISS), Nessus fared much better than ISS with respect to initial setup, time to completion and fewer false positives. Against FoundScan, Nessus fell a little short in scanning options and reporting.
My conclusion: for the price and results, Nessus is an excellent primary or secondary tool for your security needs. Tenable also offers paid support for those who need it. Check it out and decide for yourself. You can find more information on Nessus at:
www.securityorb.com or www.nessus.org
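To turn a scan into something an assessor can act on, the results have to be parsed and prioritized. The Python below is an added example, not Tenable's code and not from the original post: it reads a small, constructed report in the .nessus XML layout (root NessusClientData_v2, ReportHost and ReportItem elements with severity, pluginID and cve fields) and produces a per-host severity summary plus a prioritized list of high and critical findings. The host names, plugin IDs and CVE references in the sample are placeholders, not real identifiers.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed report in the .nessus v2 layout; hosts, plugin IDs and CVE strings are placeholders.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-segment">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="operating-system">Linux Kernel 2.6</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100001" pluginName="Host fingerprint">
        <plugin_output>OS guess: Linux</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="100002" pluginName="Weak SSH configuration">
        <risk_factor>Medium</risk_factor>
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="100003" pluginName="Outdated web server">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0002</cve>
        <cve>CVE-0000-0003</cve>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100004" pluginName="Remote code execution in file service">
        <risk_factor>Critical</risk_factor>
        <cve>CVE-0000-0004</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text: str) -> list:
    """Flatten every ReportItem into a dict carrying its host, port, severity and CVE references."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.findall("HostProperties/tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", ""),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName", ""),
                "cves": [c.text for c in item.findall("cve") if c.text],
            })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per host by severity name, the table that goes at the top of the report."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {h: dict(c) for h, c in summary.items()}


def prioritized(findings: list, min_severity: int = 3) -> list:
    """Highest severity first, then most CVE references: the list to hand to the remediation owner."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: (-f["severity"], -len(f["cves"]), f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_REPORT)
    print(summarize(found))
    for f in prioritized(found):
        print("%s:%d %s (%s) %s" % (f["host"], f["port"], f["name"], f["plugin_id"], ", ".join(f["cves"])))
```

Feed parse_nessus() the text of an exported report and the same two functions give you the executive summary and the fix list without re-reading the scanner's GUI.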
Labels:
Information Security,
IT Audit,
Nessus,
Security Software
Tuesday, January 29, 2008
Hacktivism: An Attack on Scientology
Hacktivism refers to hacking for a political or social cause. The hacktivists' intent is to send a message through their hacking activities while gaining visibility for their cause, and sometimes for themselves.
On Jan. 19 a group called "Anonymous" hit the Church of Scientology's Web site (www.scientology.org) with an online attack in an effort to attract media attention and, according to a Web page maintained by Anonymous, to help "save people from Scientology by reversing the brainwashing."
The attack was a distributed denial of service (DDoS), which took the website offline.
Monday, January 28, 2008
Websense Internet Filter and Acceptable Use Policy issues in Nation’s Capitol
Very interesting story from my neck of the woods…
Nine D.C. government employees are being fired for viewing pornography on their work computers. These days, I wonder why individuals are still doing this.
“The investigation was launched late last month after D.C. Chief Technology Officer Vivek Kundra received a tip from an employee in the Office of Property Management, officials said. Kundra then conducted a review of the 10,000 city computers -- about one-third of the government's total -- that contained porn-monitoring software called WebSense, which had been installed several years ago.” (Washingtonpost.com)
The city has a policy that bars employees from looking at porn. This month, Kundra's office installed a tougher version of WebSense software that blocks porn on all 30,000 city computers.
In addition to technical controls, the city may need to conduct an information security awareness program, or at least a refresher.
Friday, January 25, 2008
Network Printers and the Threat They Pose to Your Network
While conducting security assessments, some of the most problematic issues our clients face involve networked printers. Networked printers let a company connect to them over TCP/IP so that many users can share one centralized printer.
The problem is that most of these printers run some form of operating system, whether Windows, Linux or vendor firmware, with its own network services (web and telnet administration, FTP, SNMP, raw printing on port 9100). So even though it may look like a printer, act like a printer and sound like a printer, it is actually a computer on the network, and attackers have had plenty of success with them.
This is by no means an easy problem to correct; many vendors do not even provide fixes for the vulnerabilities discovered in their network printers.
What is a System Administrator to do?
Often, disabling the administrative and web interfaces is a good start if no updates are available. Where an interface cannot be disabled, change its default password and restrict which hosts can reach the printer's management ports (with an access list on the printer, a firewall or a dedicated printer VLAN), leaving only the print-spooling ports reachable from user segments.
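The first thing to establish is which of the printer's services are actually reachable, before and after you disable them. The Python below is an added example, not from the original post or any printer vendor: a TCP connect probe over the ports printers commonly expose, followed by a check that only the print-spooling ports (515, 631 and 9100 are assumed here) remain open. The demo() function runs offline by standing up a loopback listener to play the role of a printer's web admin interface; for a real printer, call exposed_services() with the printer's address and PRINTER_PORTS. SNMP on UDP/161 needs a separate probe and is deliberately left out.

```python
import socket

# TCP ports commonly exposed by network printers (assumed list for this example).
PRINTER_PORTS = {
    21: "ftp", 23: "telnet", 80: "http admin", 443: "https admin",
    515: "lpd", 631: "ipp", 9100: "raw print (JetDirect)",
}
PRINT_ONLY = {515, 631, 9100}   # the spooling ports a print server actually needs


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Connect scan of one port: no data is sent, the completed handshake alone shows the service is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host: str, ports: dict, timeout: float = 1.0) -> dict:
    """Map of port -> service name for every probed port that accepted a connection."""
    return {port: name for port, name in ports.items() if tcp_open(host, port, timeout)}


def should_close(open_ports, allowed=PRINT_ONLY) -> list:
    """Everything reachable that is not a print-spooling port is management surface to disable or filter."""
    return sorted(p for p in open_ports if p not in allowed)


def demo() -> dict:
    """Offline run: a loopback listener stands in for a printer's web admin interface."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    admin_port = listener.getsockname()[1]
    spare = socket.socket()                 # bind-then-close yields a port that is (almost surely) closed
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        simulated = {admin_port: "http admin (simulated)", closed_port: "telnet (simulated)"}
        found = exposed_services("127.0.0.1", simulated, timeout=0.5)
        return {"admin_port": admin_port, "closed_port": closed_port,
                "open": found, "to_close": should_close(found)}
    finally:
        listener.close()


if __name__ == "__main__":
    result = demo()
    print("reachable:", result["open"])
    print("management ports to disable or filter:", result["to_close"])
```

Run the probe from a workstation segment as well as from the admin segment: the goal is that the second sees the management ports and the first does not.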
Thursday, January 24, 2008
The Certified Information Systems Auditor (CISA) Certification
I recently sat for the Certified Information Systems Auditor (CISA) certification exam in December 2007. We were told that the results would take about 8 weeks to come back and let us know whether we had passed.
The CISA certification is extremely popular, with over 30,000 certified professionals from all over the world. The exam is offered on fixed dates each year at multiple testing locations worldwide, and it allows those who need to demonstrate knowledge of IT auditing, security and control to set themselves at a higher level in the industry.
The CISA exam tests your knowledge of six content areas:
1. The IS Audit Process
2. Protection of Information Assets
3. IT Governance
4. Systems and Infrastructure Life Cycle Management
5. IT Service Delivery and Support
6. Business Continuity and Disaster Recovery
The exam is four hours long and consists of 200 multiple-choice questions. To obtain the certification, a candidate must show five years of verifiable experience in IS auditing, control or security, agree to the ISACA Code of Professional Ethics, and agree to adhere to the Information Systems Auditing Standards adopted by ISACA.
The cost of taking the exam ranges from $300 to $385 for ISACA members, depending on when you register and whether you do so online, and from $420 to $505 for non-members.
I will let you know status once my results are in…
Wednesday, January 23, 2008
Linux Desktop PC
Linux, a very popular operating system, has been gaining a lot of ground in the desktop PC market lately. Already a strong player in the enterprise and server market, Linux continues to grow at a steady pace. Every year I hear more buzz about vendors and computing professionals introducing new product lines built on various Linux distributions, trying to break away from the grip of Microsoft Windows.
Recent events have convinced me that 2008 will be a good push forward for Linux desktop users.
Dell will offer Ubuntu Linux 7.10 on its XPS M1330 laptops, while Sears.com is selling a fully equipped Linux desktop PC for $299, minus a $100 rebate. SecurityOrb.com has also started offering a Linux-based security desktop on its site, and lastly Lenovo has launched a range of laptops pre-installed with Novell's SUSE Linux operating system.
There are many different flavors of Linux such as Ubuntu, Redhat, SuSE, Slackware and Fedora. For a comprehensive list, description and download information check out: http://www.securityorb.com/LinuxDistributions.html
These are just a few of the recent Linux desktop PC news items that have passed my way; there are countless more, and more to come.
Labels:
Computer Security,
Linux,
Mac OS X
Information Security Overview
Information security is the process of using technical and administrative measures to protect information assets, and the systems that collect, store and transmit them, from unauthorized access, use, disclosure, disruption, modification or destruction.
The principle of information security is to protect the confidentiality, integrity and availability of information from harm. Together these principles are known as the CIA triad.
The CIA triad consists of three objectives: confidentiality, integrity and availability.
Confidentiality
Confidentiality is the assurance of data privacy: only the intended and authorized recipients may read the data. Disclosure to unauthorized entities, for example through unauthorized network sniffing, is a confidentiality violation.
Countermeasure: Cryptography, specifically encryption of data at rest and in transit, is the primary mechanism for keeping confidential data confidential; access controls limit who can ask for it in the first place.
Integrity
Integrity is the assurance of data non-alteration: the information has not been altered, whether in storage or in transmission from origin to reception, by anyone not authorized to change it.
Countermeasures: Digital signatures and keyed hash algorithms (message authentication codes) are the mechanisms used to provide data integrity. A plain, unkeyed hash only detects accidental corruption: an attacker who can change the data can recompute the hash as well, so the hash must be signed or keyed to detect deliberate tampering.
Availability
Availability is the assurance of timely and reliable access to data and services for authorized users. It ensures that information or resources are available when required.
Countermeasures: High-availability protocols, fully redundant network architectures and system hardware with no single point of failure help ensure system reliability and robustness; capacity planning and rate limiting address deliberate denial-of-service attempts.
SecurityOrb.com has an article with the "Information Security Overview" description.
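The integrity caveat above, that an unkeyed hash can simply be recomputed by whoever altered the data, is easy to demonstrate. The Python below is an added example, not part of the original article: the same message is protected once with a plain SHA-256 hash and once with HMAC-SHA256 under a key the attacker does not have, and a simulated man-in-the-middle changes the amount in each. The message format and the key handling are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets


def unkeyed_tag(message: bytes) -> str:
    """Plain SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(expected: str, actual: str) -> bool:
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, actual)


def tamper(message: bytes, tag: str, attacker_key: bytes = None):
    """Simulate a man-in-the-middle who alters the payload and forges the best tag they can."""
    forged = message.replace(b"amount=100", b"amount=9000")
    if attacker_key is None:
        # Without the key, recomputing an unkeyed hash is all the attacker can do
        # (for the keyed scheme this produces a tag the receiver will reject).
        return forged, unkeyed_tag(forged)
    return forged, keyed_tag(attacker_key, forged)


def demo() -> dict:
    key = secrets.token_bytes(32)          # shared by sender and receiver, assumed exchanged securely
    message = b"transfer:from=alice;to=bob;amount=100"

    # Scheme A: message + plain hash. The attacker recomputes the hash and the receiver accepts it.
    forged_a, tag_a = tamper(message, unkeyed_tag(message))
    receiver_accepts_a = verify(unkeyed_tag(forged_a), tag_a)

    # Scheme B: message + HMAC under the shared key. The attacker cannot produce a matching tag.
    forged_b, tag_b = tamper(message, keyed_tag(key, message))
    receiver_accepts_b = verify(keyed_tag(key, forged_b), tag_b)

    # Scheme B must still accept untampered traffic.
    honest_ok = verify(keyed_tag(key, message), keyed_tag(key, message))

    return {"plain_hash_detects_tampering": not receiver_accepts_a,
            "hmac_detects_tampering": not receiver_accepts_b,
            "hmac_accepts_honest_message": honest_ok}


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-30s %s" % (check, result))
```

The same reasoning applies to published download checksums: an MD5 on the same web page as the file proves nothing against an attacker who controls the page, whereas a signature verified against a key obtained elsewhere does.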
Tuesday, January 22, 2008
Computer Viruses: Malware Analysis
Malware Analysis
Dynamic analysis and static analysis are the two approaches to analyzing malware discovered on a compromised system after a computer-related incident. Dynamic analysis consists of running the malware and examining its inputs and outputs and its interaction with the system: which files are read or written, which network connections are made, and what other effects it has. The examiner's concern is not the internals of the malware but its functionality and behavior, so the sample must be run in an isolated environment (a sandbox or virtual machine with no route to production networks) where those effects can do no harm. Static analysis, the more difficult of the two, consists of extracting and reviewing readable data located in the malware binary (strings, imported functions, embedded URLs and addresses) and disassembling or decompiling the machine code for analysis. Unlike dynamic analysis, which usually requires executing the malware, static analysis does not, which makes it the safer approach but a much more exhausting process, and packed or obfuscated samples make it harder still. In practice the two are complementary rather than alternatives.
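A first static pass usually starts with hashing the sample and pulling the readable strings out of it. The Python below is an added example, not from the original post: it records MD5, SHA-1 and SHA-256 fingerprints, extracts both ASCII and UTF-16LE (Windows "wide") strings, and sorts the interesting ones into URLs, IP addresses, registry persistence keys and injection-related API names. The blob it analyses is constructed with planted strings, not real malware, and the list of suspicious API names is an assumption for illustration.

```python
import hashlib
import re

# Assumed watch-list of Windows API names commonly seen in process injection and droppers.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "URLDownloadToFile",
    "WinExec", "ShellExecute", "SetWindowsHookEx", "RegSetValueEx", "InternetOpenUrl",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REGISTRY_RE = re.compile(r"(?:HKEY_[A-Z_]+\\\S*|Software\\Microsoft\\Windows\\CurrentVersion\\Run\w*)", re.I)


def fingerprint(data: bytes) -> dict:
    """Hashes recorded before any other work, so the sample can be identified and shared unambiguously."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE strings as (offset, encoding, text), ordered by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)


def classify(strings: list) -> dict:
    """Pull out what an analyst looks at first: network endpoints, persistence keys, injection APIs."""
    ind = {"urls": [], "ips": [], "registry": [], "apis": []}
    for _, _, text in strings:
        ind["urls"] += URL_RE.findall(text)
        ind["ips"] += IPV4_RE.findall(text)
        ind["registry"] += REGISTRY_RE.findall(text)
        ind["apis"] += [api for api in SUSPICIOUS_APIS if api in text]
    return {k: sorted(set(v)) for k, v in ind.items()}


def make_sample_binary() -> bytes:
    """Constructed blob standing in for a sample: non-printable filler with planted strings."""
    filler = bytes(b for b in range(256) if b < 0x20 or b > 0x7e)
    wide = "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    return (b"MZ\x90\x00" + filler[:60]
            + b"http://198.51.100.23/update.bin\x00" + filler[60:90]
            + b"CreateRemoteThread\x00WriteProcessMemory\x00" + filler[90:120]
            + wide + b"\x00\x00" + filler[120:])


if __name__ == "__main__":
    sample = make_sample_binary()
    print(fingerprint(sample)["sha256"])
    for off, enc, text in extract_strings(sample):
        print("0x%06x %-8s %s" % (off, enc, text))
    print(classify(extract_strings(sample)))
```

Read a real sample with open(path, "rb").read() and pass it to the same functions; an absence of readable strings in a Windows executable is itself a finding, since it usually means the sample is packed.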
Labels:
Computer Forensic,
Computer Security,
Computer Virus,
Malware
Monday, January 21, 2008
Computer Phishing
Phishing another growing threat to worry about in 2008
Phishing is a growing problem for computer end users and online businesses. A new study by Gartner shows that phishing attacks cost 3.6 million consumers more than $3.2 billion. The number of phishing victims rose by more than one-third from 2006, with debit cards being the prime target.
Phishing is a social engineering attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. It is typically carried out by e-mail and often directs users to enter their details at a look-alike website.
Some tips to combat phishing attacks: (http://www.updatexp.com/phishing.html)
1. Never respond to requests for personal information via e-mail.
2. Visit Web sites by typing the URL into your address bar.
3. Check to make sure the Web site is using encryption.
4. Routinely review your credit card and bank statements.
5. Report suspected abuses to the proper authorities.
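Tips 2 and 3 above come down to not trusting what the e-mail shows you. The Python below is an added example that is not part of the original post or the cited page: it parses a constructed HTML message and reports the classic tells for each link, namely visible text naming one domain while the href goes to another, an "@" in the URL that hides the real host, a raw IP address instead of a hostname, and plain http. Note that tip 3 only proves you are talking to whoever controls the domain in the address bar, so the domain check matters more than the padlock. The registrable() helper assumes two-label domains (no co.uk-style suffixes), and the bank and addresses in the sample are invented.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed phishing message; the bank, hosts and addresses are made up (documentation ranges).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been limited. Please verify at
<a href="http://www.examplebank.com@198.51.100.7/login">https://www.examplebank.com/login</a>
or via <a href="https://www.examplebank.com.example.net/verify">www.examplebank.com</a>.</p>
<p>See our <a href="https://www.examplebank.com/privacy">privacy policy</a>.</p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public suffixes in the sample)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href: str, text: str) -> list:
    """Reasons a link deserves suspicion; an empty list means nothing obviously wrong."""
    u = urlparse(href)
    host = u.hostname or ""
    reasons = []
    if u.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % u.scheme)
    if "@" in u.netloc:
        reasons.append("'@' in URL: the part before it is decoration, the real host is %s" % host)
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("visible text names %s but the link goes to %s" % (shown.group(1), host))
    if u.scheme == "http":
        reasons.append("no TLS: anything typed into the page travels in the clear")
    return reasons


def triage(html: str) -> dict:
    return {href: analyze_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "looks consistent")
```

A link that passes every check can still be hostile (a freshly registered look-alike domain with a valid certificate passes all of them), which is why tip 2, typing the address yourself, stays on the list.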
Saturday, January 19, 2008
CIA Confirms Cyber Attack Caused Multi-City Power Outage
SANS NewsBites Vol. 10 Num. 5, News Flash: CIA Confirms Cyber Attack Caused Multi-City Power Outage
SANS FLASH
CIA Confirms Cyber Attack Caused Multi-City Power Outage
On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
According to Mr. Donohue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.
Delegates at the meeting shared information on how attackers are eluding current defenses and on promising practices for mitigating the most critical vulnerabilities. They also shared a jointly developed "SCADA and Control Systems Survival Kit." Next week an electronic version of the Survival Kit will be available (free) to all SANS alumni. Email scada@sans.org.
Alan
- From: The SANS Institute
- Date: Fri Jan 18 14:59:14 2008
Thursday, January 17, 2008
The Types of Hackers: Black Hat, White Hat or a Grey Hat Hacker, which type are you?
A white hat hacker is a computer and network expert who attacks a security system on behalf of its owners, or as a hobby, seeking vulnerabilities that a malicious hacker could exploit. Instead of taking advantage of the weaknesses found, a white hat notifies the system's owners so they can be fixed before they can be exploited.
A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. A black hat keeps the vulnerabilities and exploits they find for private advantage, revealing them neither to the public nor to the manufacturer for correction.
A grey hat is a skilled hacker who sometimes acts legally and at other times may not: a cross between white hat and black hat. Grey hats usually do not hack for personal gain or with malicious intent, but may occasionally commit crimes in the course of their technological exploits, for example probing a system without permission and then reporting what they found.
Which one are you?
Tuesday, January 15, 2008
The New Apple MacBook "Air"
Today January 15, 2008 Apple announced their latest product line at the MacWorld conference in San Francisco… The MacBook “Air”.
It features a 13.3-inch backlit widescreen LED, a full-size backlit keyboard and a track-pad with multi-touch gesture support similar to the iPhone's 'pinch, rotate and swipe' controls. There is even an onboard iSight camera for video conferencing.
Steve Jobs of Apple stated, “We've built the world's thinnest notebook without sacrificing a full-size keyboard or a full-size 13-inch display”.
The price of the MacBook Air will be $1,799. There are two processor options, a 1.6 or a 1.8 GHz Intel Core 2 Duo with a 4 MB Level 2 cache, plus 2 GB of 667 MHz DDR2 onboard RAM, 802.11n Wi-Fi and Bluetooth.
Unfortunately there is no optical drive in the MacBook Air, but if it is imperative that you have one, Apple will sell you a color-matched external USB SuperDrive specifically for the MacBook Air for $99.
This really looks nice, it seems like Apple has done it again.
World's No. 1 Computer Hacker on the History Channel
I just happened to be on YouTube today and ran across this interesting clip titled "World's No. 1 Computer Hacker on the History Channel". I like the fact that it discusses the evolution of protection. Security professionals first thought preventive measures such as firewalls were the answer, and then they realized they were not and detective measures such as IDS became popular. Of course, today we have added proactive measures such as security assessments and reactive measures such as incident response to the defense-in-depth security model.
Enjoy and let me know what you think…
Automated Log Management and Analysis using Splunk for Computer Incident Investigations
I define “Log Analysis” as the process of collecting system logs (syslog) and event data from computer systems, network devices and applications and looking for anomalous events that are malicious or violate organizational policies.
Many organizations spend thousands of dollars deploying equipment, but ignore the system and event logs from those same systems. Log analysis is one of the most overlooked aspects of operational computer and network security today.
Traditionally, security teams would use outdated methods and inefficient analysis techniques such as command lines and scripts to review log files. Furthermore, the security team has limited access to the data, and when that data has to be collected from multiple locations and pieces of equipment before it can be analyzed, the time needed to reach a conclusion about an incident often increases.
By introducing Splunk, a search engine for log data that supports many log sources such as Apache access logs, MySQL database logs and any log in standard syslog format, we were able to be more productive in our log analysis.
Splunk comes in two versions, basic and professional. The basic version is free as long as you keep the data limited to 500MB a day, while the cost of the professional version is dependent on the amount of data collected as well as some other neat features.
Splunk provides both real-time and historical visibility into all network, application, server and user activity to support investigations, alerting and reporting. It provides the bridge that security and computer investigators need to do their jobs right.
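To make the “look for anomalous events” part of the definition above concrete, here is a small added example of the kind of script-based analysis described in this post. It is my own illustration, not code from this post or from Splunk: it parses classic syslog-format OpenSSH authentication lines, flags a source address that racks up repeated failed logins inside a short window, and flags a successful login that follows a run of failures from the same address. The log lines are constructed sample data, and the host name, addresses, thresholds and window are assumptions chosen for the demonstration.

```python
"""Syslog analysis example: parse OpenSSH auth lines and flag brute-force activity."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in RFC 3164 syslog / OpenSSH format (not real data).
SAMPLE_LOG = """\
Jan 14 08:01:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 08:01:04 web01 sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 14 08:01:05 web01 sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 14 08:01:07 web01 sshd[2317]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 14 08:01:09 web01 sshd[2319]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 14 08:01:11 web01 sshd[2321]: Accepted password for root from 203.0.113.7 port 51066 ssh2
Jan 14 08:15:30 web01 sshd[2400]: Failed password for kellep from 198.51.100.5 port 40000 ssh2
Jan 14 08:15:45 web01 sshd[2402]: Accepted publickey for kellep from 198.51.100.5 port 40001 ssh2
Jan 14 09:00:00 web01 CRON[2500]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "Mon DD HH:MM:SS host program[pid]: message" (pid is optional in syslog)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2008):
    """Split one syslog line into fields; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def ssh_events(text, year=2008):
    """Yield parsed sshd authentication events, in log order, skipping other programs."""
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec["prog"] != "sshd":
            continue
        sm = SSHD_RE.match(rec["msg"])
        if sm:
            yield {**rec, **sm.groupdict()}


def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for sources with >= threshold failures inside `window`."""
    failures = defaultdict(list)
    for ev in ssh_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def success_after_failures(text, threshold=3):
    """Return [(ip, user)] for accepted logins preceded by >= threshold failures from that ip."""
    fail_count = defaultdict(int)
    hits = []
    for ev in ssh_events(text):
        if ev["result"] == "Failed":
            fail_count[ev["ip"]] += 1
        elif fail_count[ev["ip"]] >= threshold:   # a success right after a failure burst
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {n} failed logins")
    for ip, user in success_after_failures(SAMPLE_LOG):
        print(f"successful login for {user} from {ip} after repeated failures")
```

The second check is the one an investigator actually cares about: a burst of failures is noise until it is followed by an “Accepted”, which is the point at which the event stops being an attempt and becomes an incident. The same two questions are what you would express as a search and an alert in a log platform such as Splunk once the data from every host is in one place.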
For more information on Splunk and log management you can visit:
www.securityorb.com
or
www.splunk.com
Monday, January 14, 2008
IT Security Audits: A Necessary Evil…
As I prepare to conduct my next IT security audit at a client’s site, I realize some things have not changed in the past few years. The client’s reaction to the security audit is always amazing the day before the on-site visit, as they exhibit a sense of fear. For the most part, the cause has always been the same: the client decided to wait until the last minute to prepare for the security audit.
From my experience, the weekend before the audit the client will start applying required security patches that should have been applied months ago. Sometimes it works out fine, and as you may know, sometimes it does not and causes additional issues for the system administrators. Many times, the Security Point-of-Contact (SPOC) will use a security scanning tool such as Nessus to conduct their own network scan to get a view of how they fare. Conducting your own security scans is fine, and being proactive is a good thing, but the day before an audit may not be the best time to do so. Then the disclaimers start rolling in from the client: “Well… We know of this issue and that issue.”
I guess I cannot blame them for their anxiety. It’s not a good feeling to have strangers (IT security auditors) come into your organization to review the controls and practices you put in place and possibly tell you that you are doing it wrong.
However, IT security audits are a necessary process that needs to occur to ensure compliance with organizational and/or federal regulations. Some of the more notable regulations are FISMA, HIPAA and the Sarbanes-Oxley Act, each of which specifies how organizations must handle information.
Unfortunately, many organizations treat security and audit as an afterthought rather than a process. Preparation is the key to successfully passing a security audit.
For a full detail review on security assessments and IT security audits, check out www.securityorb.com.
Saturday, January 12, 2008
Mac OS X: A Threat is growing…
As a devoted Mac user since 1994, it scares me every time I hear other Mac users say, “The Mac is so safe, I don’t worry about viruses or apply any security features”.
Even though to date there have not been any damaging viruses or attacks successfully carried out against the Mac OS X operating system, it is increasingly becoming a target for hackers and malware authors.
Security researchers are discovering serious vulnerabilities in the Mac OS X system. Even though we have not seen specific malware exploit these vulnerabilities, proofs of concept for them do exist in labs and technical papers.
According to Symantec, as Apple increases its market share, with new low-cost products such as the Mac mini, its user base is likely to come under increasing attack.
So we are led to believe that as the popularity of Apple’s platform continues to grow, so too will the number of attacks directed at it. If that is the case, then vulnerabilities that allow attackers to carry out information disclosure, authentication bypass, code execution, privilege escalation and DoS attacks will soon be common headaches for Mac OS X users.
Even though none of these events has yet occurred, it is important that we as Mac users stop assuming we are immune to the threats that are common to Microsoft Windows users. Mac OS X has many built-in security features, and www.securityorb.com has security configuration recommendations that can prevent malicious activity from taking place on your system.
Friday, January 11, 2008
Hello to my Information Security Blog Space...
Hello, my name is Kellep Charles, and I am an information security practitioner, educator, student and enthusiast. I have over 10 years of information security experience ranging from security engineering to computer forensics as well as vulnerability security assessment and security operations in the private and governmental sectors.
I am currently a Ph.D. student in Computer Information Systems at Nova Southeastern University (www.scis.nova.edu) concentrating in Information Security and Artificial Intelligence. I hold a Master of Science in Telecommunication Management from the University of Maryland University College and a Bachelor of Science in Computer Science from North Carolina Agriculture and Technical State University.
I am an Adjunct Professor at Capitol College in Laurel, Maryland, where I teach in the Computer Science department. My core classes are Computer Forensics and Incident Response, and Network Security.
I currently hold the CISSP, CCNA, CISA, NSA-IAM and CCE certifications.
I created and maintain www.securityorb.com, an information security knowledge base website dedicated to disseminating critical information to other individuals.