January 2009

Exploring FAIR – What’s an Asset?

by kriggins on January 30, 2009

in Risk Management

In this post we are going to start exploring the terminology of FAIR. It makes sense to me that we explore FAIR through the use of an example scenario, much like the FAIR Introduction (link to pdf) does.

We are going to use a web site for our scenario. We will develop the scenario more and more as we go along, but the following are the initial characteristics:

  • The web server is an up-to-date version of Apache.
  • The information stored on the server is public.
  • The web server is exposed to the internet.
  • The bandwidth available is significant.

We are going to take things in a slightly different order than presented in the Introduction to FAIR. The first thing we are going to look at is the asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, what asset or assets are present that we need to be worried about?

Is the information in this case an asset? No, because we've classified the information as public. Three things come to mind as assets with the information we have so far: the physical hardware Apache is running on, the Apache web server itself, and the available bandwidth.

The hardware is an asset because someone might want to steal it or run their own software on it. The web server is an asset because someone might want to use it for their own purposes. The bandwidth is an asset because, again, someone may want to use that bandwidth, which we pay for, for their own purposes.

Pretty basic and straightforward. Next time we will look at "What's a threat?"

As always, the comments are open. Feel free to share your thoughts.

-Kevin

Image courtesy of tao_zyn.

{ 6 comments }

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This might be very interesting. I have not read it yet, but it is going on the reading pile.
    ISACA Business Model for Information Security : Security Watch - Internet Security News: IT security, Business security, Computer security, Network security, and more
    Tags: ( security program )
  2. $1 trillion would pay for a lot of security measures.
    Study: Cybercrime cost firms $1 trillion globally | Security - CNET News
    Tags: ( general )
  3. Ever had a packet capture from a wireless network that you couldn't read because your tool only understood Ethernet? Wlan2eth to the rescue. A nifty tool that converts a WLAN pcap file into an Ethernet pcap.
    New Tool: wlan2eth
    Tags: ( wifi )
  4. The Call for Papers is open for SecTor 2009. I have heard really good things about this conference. If you have an idea, why not contribute it?
    Security Experts Speaking Opportunities Black Hat White Hat Toronto Canada
    Tags: ( conferences cfp sector )
  5. I'm not promoting hacking, but this really is classic.
    Motorists warned of "Zombies Ahead" on hacked road sign | Graham Cluley's blog
    Tags: ( humor hacking )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. I agree completely with George on this one. Arguing that PCI DSS is a failure because two organizations that were compliant experienced breaches is like saying door locks are a failure because somebody broke into your house.
    The Death of PCI DSS? Don't Be Silly - Security Blog - InformationWeek
    Tags: ( pci breach )
  2. This is a good article to pass on to your family and friends. The tips are very good and will raise the awareness level of anyone who reads the article.
    12 tips for managing your information footprint
    Tags: ( privacy )
  3. The next in the series.
    The Business Justification For Data Security: Data Valuation | securosis.com
    Tags: ( risk-management )
  4. The third post in the series.
    The Business Justification for Data Security: Information Valuation Examples | securosis.com
    Tags: ( risk-management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


{ 1 comment }

Every business has information of one kind or another. That information is most often processed, transmitted and stored using information technology. While that information is being processed, transmitted and stored, it is exposed to a certain level of risk, even if it never leaves the confines of the business's building.

As information security professionals, we are tasked with ensuring that our business's information is protected. To do so, we need to implement processes, procedures, and controls that reduce risk to an acceptable level. Unfortunately, our companies do not have endless resources, either in terms of manpower or money. That means we need a method of determining how much risk exists and what is an appropriate level of resources, if any, to expend to address that risk.

Enter Factor Analysis of Information Risk (FAIR). FAIR is the brainchild of Jack J. Jones, CISSP, CISM, CISA of Risk Management Insight, LLC and has been released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

So what is FAIR? From the Wiki:

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

Together, over what will likely be a fairly long series of posts, we are going to explore FAIR. This will help me internalize the concepts and hopefully you will find it an interesting ride too.

I have already pointed to the Wiki above. There are also a few other sources of information and tools available if you want to read ahead.

The Basic Risk Assessment Guide lives here. Note: direct link to the pdf.

Alex Hutton frequently writes about FAIR on his blog.

Chris Hayes has done some great work on his blog about FAIR too.

Next we will start digging into the terminology used in FAIR. As always, comments are open. Feel free to let me know what you think.

-Kevin


{ 1 comment }

I had a Monster.com account hanging out there for a few years. I wasn't looking for a new position so all the privacy controls were turned on. Along comes the second data breach in under two years. I decided I didn't need that account anymore. I know, closing the barn door after the horse is already gone.

Anyway, I went to log into my account to have it removed and couldn't remember my password. No problem. I clicked on the 'Forgot my password' link and received a nice email with url in it to reset my password. Slight problem. The URL didn't point to an SSL encrypted page.

I decided to give them the benefit of the doubt by assuming I would be redirected to a secure page to actually reset my password. Nope. The reset page was also unencrypted. To reset my password I had to let it flit across the hostile internet in cleartext. I went ahead and did it since I was deleting the account anyway.

That made me a little curious and I decided to poke around a little more to see if anything else obvious popped up. Didn't take long.

The sign-up page, which asks for your full name, email address, password, location and current employment status, is also not encrypted. Once again, I decided to give them the benefit of the doubt and took a peek at the page source to see if maybe they posted the information to a secure page. Nope. At least not that I can find.

What this says to me is that there is a serious lack of understanding of information security in Monster.com's organization. If as basic a tenet as encrypting passwords when in transit and at rest is not understood and enforced, what else are they missing?

</hops off soap box>

-Kevin


{ 1 comment }

Good afternoon everybody! I hope your day is going well. Here are today's Interesting Information Security Bits from around the web.

  1. Not only is malware watching what you type, now it is taking screen captures of what you are looking at.
    Bot software peers at victims' screens
    Tags: ( malware botnet )
  2. Once again, failure to effectively secure data on a mobile storage device bites someone in a tender place.
    New Zealand man buys MP3 player with U.S. troop data | Security - CNET News
    Tags: ( breach )
  3. A very nice article about storing passwords securely.
    How To Protect Your Users From Password Theft
    Tags: ( passwords )
  4. Jeremiah is collecting the top web hacking techniques for 2008. This year the winner gets a free pass to Blackhat.
    Jeremiah Grossman: Calling all Researchers! Send in the Top Web Hacking Techniques of 2008
    Tags: ( hacking )
  5. Qualys has released a free e-book titled "PCI Compliance for Dummies." Obviously, registration required, etc. Drazen thinks it's worth a read.
    Hat tip: http://beastorbuddha.com/2009/01/27/pci-compliance-for-dummies-from-qualys/
    e-Book: "PCI for Dummies"
    Tags: ( pci )
  6. Some good advice regarding tap vs span port decisions.
    TaoSecurity: Why Network Taps
    Tags: ( network ids taps )

That's it for today.

Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

-Kevin


{ 0 comments }

Damn Vulnerable Linux 1.5 is Out!

by kriggins on January 26, 2009

in Uncategorized

I first talked about Damn Vulnerable Linux here. Well, @mubix announced that version 1.5 has been released.

You can grab the torrent here.

The discussion groups are here.

The website is here.

I can't wait to see what changes have been made.

-Kevin


{ 0 comments }

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. You probably already are aware of this. Monster.com has indicated that they have suffered a breach. The evildoers have pretty much everything you ever put into Monster that you would consider sensitive.
    Monster.com suffers database breach deja vu * The Register
    Tags: ( breach monstor )
  2. Andrew has a nifty little script you can use to remotely check the time on your windows boxen.
    Andrew Hay >> Blog Archive >> Quick Script to Remotely Check Windows System Time
    Tags: ( tools windows scripts time )
  3. Sensepost has a challenge up regarding reverse engineering an FTP server. Give it a go.
    QoW: Software Reversing and Exploitation
    Tags: ( challenge exploit software reversing )
  4. Alex calls PCI security through obscurity.
    The Source of PCI DSS "Failure" | RiskAnalys.is
    Tags: ( pci )
  5. Chris disagrees with Alex's notion that PCI is security through obscurity.
    PCI-DSS Is Not About "Security by Obscurity" << Risktical Ramblings
    Tags: ( pci )
  6. A nice set of links to good articles on cloud computing. Includes some security related info too.
    Hat Tip: http://rationalsecurity.typepad.com/blog/2009/01/cloud-security-link-love-monk-style.html
    System Advancements at the Monastery >> Blog Archive >> Recent Cloud Postings
    Tags: ( cloud )
  7. Part 2 of Erik's series on Secure Your Linux Host is available.
    Art of Information Security >> Secure Your Linux Host - Part 2: Secure SSH
    Tags: ( linux securing )
  8. Nice walk through of an XSS attack.
    Hat tip: @lbhuston
    Anatomy of an XSS Attack
    Tags: ( xss )
  9. A nice exploration of Skype and its use in your environment.
    Skype, is it right for you?
    Tags: ( skype )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


{ 0 comments }

What have we got today? Well, super secret spy writing, justification for implementing security measures, be careful with publicly talking about your infrastructure, some PCI discussion, ENISA is looking for some writers, and a nice article about making the web more secure.

  1. Super secret spy writing technique brought to you by Ax0n. Pretty nifty.
    HiR Information Report: "Secret" messages with Pilot Frixion
    Tags: ( general )
  2. Another way or framework for justifying implementation of security measures. They will be talking about it over the course of several blog posts and releasing the paper soon.
    The Business Justification For Data Security | securosis.com
    Tags: ( risk business justification )
  3. Tom makes a really good point. Be careful how much information you share about your infrastructure publicly, particularly if you have some challenges to overcome.
    spylogic.net - Who's managing information security in your city?
    Tags: ( data gathering general )
  4. Michael puts forth his perspective on what PCI compliance really means. Then there is some interesting discussion in the comments. You should read it.
    Society of Payment Security Professionals - Compliance Demystified >> Blog Archive >> What PCI compliance really means
    Tags: ( pci )
  5. ENISA is looking for articles for the ENISA Quarterly Review. Topic preference: "Resilience and Security of Communication Networks"
    ENISA Call For Articles
    Tags: ( cfp enisa )
  6. Very nice article with some good ideas on how to better accomplish making the web more secure.
    Blog :: by Wade Woolwine >> Blog Archive >> RE: Alignment of Interests in Web Security
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


{ 0 comments }

Here are today's interesting bits in information security.

  1. This is an interesting story of the DarkMarket sting.
    Three years undercover with the identity thieves
    Tags: ( general )
  2. Just because the website you are visiting is a popular, well-known site doesn't mean that it is completely safe. Conversely, just because a site is declared to host malware doesn't mean the whole site is malicious.
    70 Of Top 100 Web Sites Spread Malware -- Malware -- InformationWeek
    Tags: ( malware )
  3. Want to get some personally identifiable information on somebody? Find out where they get their dry cleaning done and get a job there. Wow.
    9,000 USBs left in Laundrettes : Security Watch - Internet Security News: IT security, Business security, Computer security, Network security, and more
    Tags: ( data gathering breach usb )
  4. Time to patch Quicktime.
    QuickTime 7.6 Fixes First 7 Bugs of 2009 - Security Watch
    Tags: ( vulnerability patches quicktime )
  5. I pointed this out recently. Looks like Seagate users are going to need to patch again.
    Seagate Offers Second Fix For Hard-Drive Firmware -- Storage Security -- InformationWeek
    Tags: ( availability )
  6. This is very cool. I use OpenDNS at home and have never been happier.
    New Security Services Land In Home Routers - DarkReading
    Tags: ( home-networking )
  7. Gonna be a meetup for podcasters at ShmooCon. Looks like a lot of fun.
    Podcasters Meetup at ShmooCon - Room362.com
    Tags: ( conferences meetup shmoocon )
  8. A very nice article about why we need to keep identity and authentication as separate and distinct.
    Hat tip: http://www.schneier.com/blog/archives/2009/01/identity_authen.html
    It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct
    Tags: ( identity authentication access-control )
  9. A new blog talking about SSL and some of the pitfalls one can come across in various implementations.
    Introducing SSLFail.com | tssci security
    Tags: ( ssl )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


{ 0 comments }