ERE Information Security Auditors

Archive for the ‘Security Postings’ Category

IT Security Micro Governance – A Practical Alternative Part 3

Wednesday, January 6th, 2010

Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation that illustrates the steps for implementing IT security micro Governance to address a security threat.

Example Situation

The Problem Statement

1. The CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information, as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and their need to access various servers and applications.
* A group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees and has diminished the corporation’s capacity to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance with SOX.
4. The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.

IT micro Governance Solution

1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first-year cost to technically mitigate the risk at $100,000, and $50,000 annually thereafter.
b. The ratio of first-year mitigation cost to annual loss expectancy is $100,000 / $5,000,000, or 2%, and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, with an aggressive target of a fully tested implementation within 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders comprise two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee create a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was the risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration, and can the virtual team be disbanded?

Conclusion:  Keep it simple.

Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute  http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management  http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

IT Security Micro Governance – A Practical Alternative Part 2

Tuesday, December 29th, 2009

Last week’s blog introduced my concept of IT security micro Governance. This week’s installment covers the problems caused by insufficient Governance and the root causes of this problem.

Insufficient IT Governance Impedes the Security Team

In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.

Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.

Barriers to implementing IT Governance

Well known barriers to attaining IT governance are:
* The all-encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down by confusion between the content of compliance frameworks and its own compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.

IT Security micro Governance as a Practical Alternative

A simplified alternative that sidesteps the barriers mentioned above is a bite-sized micro process, which provides the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.

Steps to Implement IT Micro Governance

1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.

* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidence-based method is to compare the frequency of similar threats before and after mitigation steps are implemented.

To assist with calculating IT security related risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.

Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor

www.ere-security.ca

IT Security Micro Governance – A Practical Alternative Part 1

Tuesday, December 22nd, 2009

This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.

Executive Summary

IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.

Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. The author proposes a modified process for responding to and mitigating threats that require funds exceeding the annual IT security budget. I call this micro Governance.

Definitions of IT Governance

IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.  Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent.  Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management:  IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO.  In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance.  The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour

Significance of IT Security Governance for Compliance

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial – SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America – NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices – COBIT, ITIL

Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Book Report: The Myths of Security

Tuesday, December 15th, 2009

My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”

The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009

This self-proclaimed exposé about secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Viega’s history of working with McAfee – twice.

The word Myths in the title implies, at least to me, long believed truths about to be proved otherwise.  These revelations never occurred in the 48 chapters, unless you consider repeating common knowledge in the security industry as new revelations.

A central revelation is that AV vendors have a difficult time keeping up with new malware. There are several chapters dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author’s idea that AV industry members should collaborate by sharing their knowledge of zero-day malware. He further suggests they create “CIST”, the Consortium for Interoperability with Security Technology.

These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive capitalistic environment that favours the strongest vendors.  However the author’s suggestions are not revelations of secrets.

Viega goes on to compare the workings of AV with firewalls and with IDS.  While these analogies are clever, they are hardly central to the book’s premise of revelation.

I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point.  Unsubstantiated opinion, and in my opinion, overly negative.

Which brings me to the next point: the author’s many references of praise for McAfee. After 20, I lost count of references to McAfee, liberally spread throughout the book. This affection and praise for one vendor and two-time previous employer certainly challenges the impartiality of the author’s revelations.

It seems the author has liberally substituted hyperbole for fact. For instance, the chapter entitled “Google is Evil” says Google’s AdWords creates a conflict of interest between impartiality and profit. Hardly a surprise. The chapter “VPNs Usually Decrease Security” states the obvious: a compromised VPN’d client workstation is indeed a threat to a host network.

Similarly “The security Industry is Broken” chapter really says security vendors of products and services are not 100% perfect.  No further comment is necessary here.

It is not clear to me for whom the book is intended. It cannot be for security practitioners with certifications such as CISSP or CISM. In an effort to minimize technical terms, Viega uses a wordy description to circumvent the use of “hashing” (mentioned in a footnote below the text).

End users who are not technology savvy might find the book verbose. The few good security recommendations are summarized in a few pages; recommendations which are commonly stated in any end-user policy worth reading.

Time reading this book would be better spent elsewhere.

PS: I feel guilty writing such a negative article, especially since it is far easier to criticize than to create. So please take my comments with a grain of salt.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Micro IT Governance to Really Achieve Compliance Part 2

Tuesday, December 8th, 2009

Last week I posted a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. This week’s post is part 2 of 2; I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Barriers to implementing IT Governance

  • All encompassing scope
  • Complex Project Portfolio Management (PPM)
  • Expensive
  • Time consuming
  • Risk is very difficult to quantify
  • False sense of security confuses cost justifying security budgets
  • Turf wars over accepting / relegating ownership of responsibilities
  • Maintaining longevity of the process

Micro-Governance: a practical alternative

  • Minimize liability of executives / board
  • Facilitates communications between Governance and the Security Team regarding cost justification of budget
  • Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
  • Minimizes decision time and frustration levels by identifying bite sized issues
  • Quantify the few most threatening risks
  • Create a virtual team with responsibility to mitigate and report
  • Measure the results
  • Authorize / fund the virtual team

Call to Action

  • CEO and CIO discuss a few  top priority IT security risks that require immediate decisions / funding
  • Formally create a micro-Governance process to address each risk.
  • Engage a third party advisor to expedite the process.
  • Create a small virtual team to manage each risk management process.
  • Assign other management and employees as appropriate to the virtual team.
  • Identify a timeline to complete the project.
  • Identify a mechanism to test the degree of success of the mitigation
  • Identify a timeline to report the degree of success back to the IT Governance Committee.

Assess Financial Cost of Risk and Residual Risk

  • Document the technical risks
  • Translate them into business risks
  • Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
  • Utilize a straw poll for technology experts to guesstimate the % chance of a one-time occurrence both before and after mitigation steps are applied.
  • Compare the cost of risk vs. residual risk to the cost of mitigation

Create Longevity for the Micro-Governance Process(es)

  • Direct the virtual team(s) to continue monitoring and to report to the Governance Committee according to a defined schedule
  • Otherwise, dissolve the virtual team(s)

Sources of Information – Governance Authorities

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Micro IT Governance to Really Achieve Compliance Part 1

Tuesday, November 17th, 2009

This week I am sharing with you a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Executive Summary

IT Governance is difficult for most organizations, large and small, to initiate and to maintain as an ongoing process. There are many organizations, vendors, and consultants that cater to the needs of IT governance. Yet because of its inherent difficulties and complexities, IT Governance eludes most organizations. The author proposes a dramatically scaled-down approach: achieving and successfully implementing bite-sized pieces of critical elements of the Governance process, aptly named Micro-Governance.

Definitions of IT Governance

Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent.  Three prominent authorities say the following:

  1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
  2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.

Significance of IT Governance for Compliance

IT Governance deals with the following subjects:

However, the scope of this whitepaper is confined to IT Governance as it applies to compliance to standards and regulations imposed by statutes and by governing bodies.

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Legal Counsel and external auditors recommend compliance with standards and regulations

  • Financial: SOX, Bill 109, PCI, SAS 70
  • Electrical Infrastructure for North America: NERC CIP
  • Privacy: PIPEDA, Red Flag, GLB
  • Industry Best Practice Standards: COBIT, ITIL

Insufficient Governance Impedes the Security Team

  • Slows decision making
  • Inhibits communication of risk and associated financial loss from IT Security Team
  • Inhibits attaining sufficient IT security budget

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Sources of Information – Governance Authorities

Calculating ROI as a % of Cost of Risk

Monday, November 9th, 2009

This is the third article in this series on the Methodology of Calculating ROI for IT security.

There are three components to the ROI calculation:

1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the cost of mitigation expressed as a percentage of the cost of the risk. This segment describes that third component: how to calculate ROI as the per cent of cost of mitigation divided by the cost of risk.

Calculating the ROI

The totals of the cost of risk and the mitigation costs are used in the following formula:

ROI (%) = (mitigation costs / cost of potential risk) × 100

Or

ROI = the mitigation costs expressed as a percentage of the cost of potential risk

Sample ROI business case

A company is implementing a new web based transaction system for their clients to place orders and to enquire about their account balance.  The incremental projected profit from the web site is estimated at $5,000 per day.

To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network.  However, the database server will reside on the corporate network.

The CISO wants to understand the total business impact if a security breach of the new web site actually translates into a security event. She requests that the governance committee identify the potential costs that would arise per occurrence of such an event, relating to four (4) specific subjects:

  1. Lost profit.
  2. Inability of other servers on the corporate network to continue operations.
  3. Damage to corporate and brand reputation.
  4. Legal consequences.

The governance committee provides the following averaged costs per occurrence of a security event, assuming a two day outage, for the four subjects:

  1. Lost profit: $10,000
  2. Inability of other servers on the corporate network to continue operations: $100,000
  3. Damage to corporate and brand reputation: $800,000
  4. Legal consequences: $200,000
  Total potential costs: $1,110,000

The CISO then determines that the cost to protect the increase in scope and risk of the infrastructure, over a three-year period, is $50,000 per year.

The CISO then calculates, per occurrence:

ROI = ($50,000 / $1,110,000) × 100%

≈ 5%
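The cost-avoidance arithmetic above, together with the Part 3 business case (2% in year one, 1% thereafter) and the Part 2 straw-poll inputs (chance of occurrence before and after mitigation), as an added Python example that is not from the original posts. The scenario figures are the posts’ own sample numbers; the residual_fraction values and all function names are constructed assumptions. Note that $50,000 / $1,110,000 computes to 4.5%, which the post rounds to 5%.

```python
"""Cost-avoidance business case model for IT security spend.

Added example, not part of the original posts.  It encodes the ratio the
posts call 'ROI' (mitigation cost as a percentage of the cost of the risk),
the annual loss expectancy behind it, and the before/after-mitigation straw
poll from the micro Governance posts.  Scenario figures are the posts' own
sample numbers; residual_fraction values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class RiskScenario:
    name: str
    cost_per_incident: float      # averaged cost per occurrence (executive straw poll)
    incidents_per_year: float     # expected frequency before mitigation
    # Technology-expert straw poll: chance of occurrence after mitigation,
    # as a fraction of the pre-mitigation chance (1.0 = no reduction).
    residual_fraction: float = 0.0
    # Mitigation cost per year; index 0 is year 1, the last value carries forward.
    mitigation_costs: list = field(default_factory=list)


def annual_loss_expectancy(s: RiskScenario) -> float:
    """ALE = cost per incident x expected incidents per year."""
    return s.cost_per_incident * s.incidents_per_year


def residual_ale(s: RiskScenario) -> float:
    """Loss expectancy that remains once the mitigation is in place."""
    return annual_loss_expectancy(s) * s.residual_fraction


def mitigation_cost(s: RiskScenario, year: int) -> float:
    """Cost for a given year (1-based); the last listed value repeats."""
    if not s.mitigation_costs:
        raise ValueError("no mitigation costs given")
    idx = min(year, len(s.mitigation_costs)) - 1
    return s.mitigation_costs[idx]


def cost_ratio_percent(s: RiskScenario, year: int = 1) -> float:
    """The posts' 'ROI': mitigation cost as a percentage of the cost of the risk.

    Lower is better; the earlier post's rule of thumb is roughly 2%-4%.
    """
    return round(100.0 * mitigation_cost(s, year) / annual_loss_expectancy(s), 2)


def net_benefit(s: RiskScenario, years: int) -> float:
    """Loss avoided over the horizon minus what the mitigation costs.

    Loss avoided per year = ALE - residual ALE; a positive result means the
    mitigation is expected to pay for itself in cost avoided.
    """
    avoided = (annual_loss_expectancy(s) - residual_ale(s)) * years
    spent = sum(mitigation_cost(s, y) for y in range(1, years + 1))
    return round(avoided - spent, 2)


# Sample inputs taken from the posts (residual fractions constructed).
IDENTITY_MGMT = RiskScenario(
    name="weak identity management (Part 3 example)",
    cost_per_incident=5_000_000, incidents_per_year=1.0,
    residual_fraction=0.2,  # constructed: experts estimate an 80% risk reduction
    mitigation_costs=[100_000, 50_000],
)

WEB_ORDERING = RiskScenario(
    name="web based transaction system (ROI sample case)",
    cost_per_incident=1_110_000, incidents_per_year=1.0,
    residual_fraction=0.5,  # constructed
    mitigation_costs=[50_000, 50_000, 50_000],
)


if __name__ == "__main__":
    for s in (IDENTITY_MGMT, WEB_ORDERING):
        print(f"{s.name}: ALE ${annual_loss_expectancy(s):,.0f}")
        for year in (1, 2):
            print(f"  year {year}: mitigation ${mitigation_cost(s, year):,.0f} "
                  f"= {cost_ratio_percent(s, year)}% of cost of risk")
        print(f"  net benefit over 3 years: ${net_benefit(s, 3):,.0f}")
```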

Creating an Ongoing ROI Cost Justification Process

Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, and not a one-time event.

As such, as the CISO successfully implements security infrastructure, it is critical they report on the results in terms of the initial business case used to cost justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.

An evidentiary approach to providing factual proof to the governance committee is to accumulate statistical proof of potential breaches that were avoided.  These statistics should be collected from the logs of the security technology, which identify risks that were caught, vulnerabilities that were mitigated, and potential security events that were therefore avoided.

It is recommended to communicate this material in simple graph format, showing:

  1. The number of incidents ranked by severity plotted against a timeline.
  2. The resulting potential losses associated with possible incidents, plotted against time.
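An added example (not from the original post) of how the statistics behind these two charts, and the before/after frequency comparison suggested in Part 2, can be built from security-tool logs. The log line format, the sample events and the severity-to-loss mapping are constructed for illustration.

```python
"""Turn security-tool log events into the two charts the post recommends.

Added example, not part of the original post.  The log format, the events and
the severity-to-loss mapping are constructed; in practice the input would be
the WAF/IDS logs the post says the statistics should come from.
"""
from collections import Counter, defaultdict
from datetime import date
import re

# Constructed sample: one line per blocked or detected event.
SAMPLE_LOG = """\
2009-06-03T10:15:02Z severity=high action=blocked category=sqli
2009-06-11T22:40:19Z severity=medium action=blocked category=iframe_inject
2009-06-19T03:02:44Z severity=high action=blocked category=sqli
2009-06-27T14:55:01Z severity=low action=detected category=scan
2009-07-02T08:30:12Z severity=high action=blocked category=redirect_inject
2009-07-09T17:12:58Z severity=medium action=blocked category=iframe_inject
2009-07-25T23:59:40Z severity=low action=detected category=scan
2009-08-05T11:11:11Z severity=high action=blocked category=sqli
2009-08-14T06:45:00Z severity=low action=detected category=scan
"""

# Constructed: potential loss per avoided event, keyed by severity.  The 'high'
# figure reuses the per-occurrence total from the post's sample business case.
LOSS_PER_EVENT = {"high": 1_110_000, "medium": 100_000, "low": 0}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+\s+severity=(?P<sev>\w+)\s+"
    r"action=(?P<action>\w+)\s+category=(?P<cat>\w+)$"
)


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "date": date.fromisoformat(m["date"]),
            "severity": m["sev"],
            "action": m["action"],
            "category": m["cat"],
        })
    return events


def incidents_by_month(events):
    """Chart 1: incident counts per month, broken down by severity."""
    buckets = defaultdict(Counter)
    for e in events:
        buckets[e["date"].strftime("%Y-%m")][e["severity"]] += 1
    return {month: dict(c) for month, c in sorted(buckets.items())}


def potential_loss_by_month(events, loss_table=LOSS_PER_EVENT):
    """Chart 2: potential loss avoided per month, counting only blocked events."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "blocked":
            totals[e["date"].strftime("%Y-%m")] += loss_table.get(e["severity"], 0)
    return dict(sorted(totals.items()))


def frequency_before_after(events, cutoff, severity="high"):
    """Part 2's check on a mitigation: events of one severity before vs. after a date."""
    before = sum(1 for e in events if e["severity"] == severity and e["date"] < cutoff)
    after = sum(1 for e in events if e["severity"] == severity and e["date"] >= cutoff)
    return before, after


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for month, counts in incidents_by_month(evts).items():
        print(month, counts)
    for month, loss in potential_loss_by_month(evts).items():
        print(month, f"${loss:,}")
    print("high-severity before/after 2009-07-01:",
          frequency_before_after(evts, date(2009, 7, 1)))
```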

My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditor

www.ere-security.ca

Calculating ROI to Justify Information Security and Compliance Budgets

Tuesday, October 27th, 2009

Executive Summary
The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the Boards of Directors can’t understand the needs of various departments, then the only way to their pocketbook is to present them with a bottom line return on their investment.

In the case of procuring a security budget, executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of Directors and executive teams respond most favorably to requests for information security budgets which are cost justified with a simple ROI business case.

The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.

This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.

The potential liabilities, such as loss of production and/or loss of reputation are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.

As such this calculation of ROI is actually a calculation of the % of the cost to avoid the cost of liability compared to the potential cost of liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers. [1]

Since the cost of a security infrastructure often falls within about the same price ratio as commodity insurance, one would think this cost justification would be easily sold to an executive committee.

This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties, with an expertise in identifying both technical and policy risks.

[1] Typical annual insurance rates for commodities are about 1.5% – 2.5% of asset replacement cost. The author has observed (over many business cases) that annual security budgets can similarly be about 2% – 4% of potential security breach related costs.

My next blog will focus on the Methodology of Calculating ROI.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors. www.ere-security.ca


Malware Vectors and Remediation for Web Sites

Monday, October 19th, 2009

In last week’s blog I discussed mitigation steps recommended to end users for protecting themselves from malware in general and specifically from drive-by malware.

This week I will identify some of the most common (popular) technical malware vectors for infecting web sites, and how web site owners can protect their sites.

Technical Malware Vectors

  • SQL Injection Attack – exploits application-layer security vulnerabilities in order to inject active code or change code in applications, or to attack databases directly.
  • JavaScript Injection Attack – one form of an SQL attack.
  • IFrame Injection Attack – strings or active code injected into the web page, sometimes due to poor input data validation.
  • JavaScript injection – invokes IFrames or other active code.
  • Stolen FTP Credentials Attack – uses stolen FTP credentials for the web site to gain unauthorized access.
  • Server Application Code Vulnerabilities – poorly written or not thoroughly tested code.
  • Redirect Injection Attack – takes advantage of a web page’s redirect function to send visitors to a web server of the attacker’s choice.
  • Malvertising – grabs user information even if the publisher is doing a good job. Malvertising injects dangerous code, especially where there is the opportunity for user generated.

Mitigation Steps for Web Site Owners

  • Incorporate security into application development / database access at the design stage. Do not treat application security as a bolt-on or afterthought. Place particular emphasis on data input fields.
  • Thoroughly test all data input fields and the validation for input fields. Audit all user input fields and user contribution fields by internal audit or by a group other than the developers.
  • Update and patch the Java Virtual Machine (JVM) and Java Development Kit (JDK).
  • Ensure the integrity of any third party tools for managing a web site, even seemingly innocuous apps like traffic counters.
  • Constantly look for unauthorized changes in web site code, such as strings that cause URL redirects. Employ tools to identify unauthorized changes in code.
  • Update and patch web server software.
  • Harden the web server platform. Eliminate all unnecessary accounts and privileges, restrict access, and vigilantly monitor the logs for failed access attempts, attempted unauthorized access and, of course, successful unauthorized accesses.
  • Consider deploying a second layer of anti-malware monitoring and diagnostic technology that is specifically designed for web site security, with the abilities to block attack attempts, log the attempted and successful attacks, and which will generate reports and alerts.
  • Identify and remedy all network vulnerabilities for the infrastructure which houses the web site, its platform, and of course its Internet access.

  • Have an impartial set of eyes review all aspects of network security, including architecture (isolation of web site on a DMZ, etc.), policies and score of compliance with policies, security architecture and how effectively it is used, event log monitoring, and with the risk of repetition; timely and consistent upgrades and patching.
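The attack vectors listed at the top of this section (hidden IFrames, injected redirects, obfuscated script dropped with stolen FTP credentials) and the mitigation step above that calls for detecting unauthorized changes in web site code can be demonstrated together.  The following Python script is an added example and is not code from the original post or from ERE.  It records a SHA-256 baseline of a web root, reports the files added, removed or modified since that baseline, and scans only the changed HTML and JavaScript files for indicators of injection: hidden IFrames, IFrame or redirect targets pointing at hosts outside an allow-list, and eval(unescape(...)) style obfuscation.  The sample pages, the site host www.example.com and the attacker host malware.example.net are constructed for the demo, and the indicator patterns are heuristics that a real deployment would tune.

```python
"""Added example (not the original post's code): integrity baseline plus
injection-indicator scan for a web root.  Sample pages are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SCAN_SUFFIXES = {".html", ".htm", ".js", ".php"}

# Generic indicators of injected content (heuristics; tune for a real site).
INDICATORS = {
    "hidden iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "obfuscated eval": re.compile(
        r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I),
}
# Places where an absolute URL decides where the visitor's browser goes next;
# a target outside the site's own hosts is reported.
OFFSITE_TARGETS = {
    "iframe src": re.compile(r"<iframe[^>]+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I),
    "meta refresh": re.compile(
        r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[^>]*url\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I),
    "script redirect": re.compile(r"location(?:\.href)?\s*=\s*[\"'](https?://[^\"']+)", re.I),
}


def build_baseline(webroot: Path) -> dict:
    """SHA-256 of every file under webroot, keyed by relative POSIX path."""
    return {p.relative_to(webroot).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(webroot.rglob("*")) if p.is_file()}


def diff_baseline(old: dict, new: dict) -> dict:
    """Files added, removed or modified since the stored baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def scan_text(text: str, allowed_hosts: set) -> list:
    """Indicators of injected content found in one file's text."""
    findings = [name for name, rx in INDICATORS.items() if rx.search(text)]
    for name, rx in OFFSITE_TARGETS.items():
        for url in rx.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"off-site {name}: {host}")
    return findings


def scan_webroot(webroot: Path, allowed_hosts: set, only=None) -> dict:
    """Scan HTML/JS files (all, or just the relative paths in `only`); {path: findings}."""
    report = {}
    for p in sorted(webroot.rglob("*")):
        rel = p.relative_to(webroot).as_posix()
        if not p.is_file() or p.suffix.lower() not in SCAN_SUFFIXES:
            continue
        if only is not None and rel not in only:
            continue
        findings = scan_text(p.read_text(errors="replace"), allowed_hosts)
        if findings:
            report[rel] = findings
    return report


# Constructed sample site: one legitimate same-site iframe, then an injection.
CLEAN_INDEX = ('<html><head><title>Example Co</title></head><body><h1>Welcome</h1>\n'
               '<iframe src="https://www.example.com/news" width="300"></iframe>\n'
               '</body></html>\n')
INJECTED_INDEX = CLEAN_INDEX.replace(
    "</body>", '<iframe src="https://malware.example.net/in.php" width="0" height="0" '
               'style="display:none"></iframe></body>')
DROPPED_JS = 'eval(unescape("%64%6f%63%75%6d%65%6e%74"));\n'


def demo() -> dict:
    """Baseline a clean site, tamper with it, then diff and scan only what changed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(CLEAN_INDEX)
        (root / "about.html").write_text("<html><body>About us</body></html>\n")
        baseline = build_baseline(root)  # in practice, store this off the web server
        # Later: an intruder (e.g. with stolen FTP credentials) edits a page and drops a file.
        (root / "index.html").write_text(INJECTED_INDEX)
        (root / "counter.js").write_text(DROPPED_JS)
        changes = diff_baseline(baseline, build_baseline(root))
        suspects = set(changes["added"]) | set(changes["modified"])
        report = scan_webroot(root, {"www.example.com"}, only=suspects)
        return {"changes": changes, "report": report}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the baseline somewhere an intruder with the site's FTP or shell access cannot rewrite it, run the comparison on a schedule, and treat any change that does not match a known deployment as an incident rather than waiting for an indicator pattern to fire: the hash diff catches modifications the heuristics cannot describe in advance.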

Have a secure week.

Regards

Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Preventative Measures for Drive-By Malware

Monday, October 12th, 2009

My last blog discussed the financial motivation for creating malware.  This article identifies preventative measures that both end users and web site managers can implement to protect all concerned from the dangers of drive-by malware.

As a brief reminder, drive-by malware is one of the following:

A download which the user indirectly authorized by clicking on a link or by being redirected to a misleading link, but without understanding the consequences.  For instance the user could be installing an unknown ActiveX component or Java applet, or any of this could happen without the user even knowing about it.  The damage occurs when the download contains spyware, a computer virus or any other kind of malware.

A download of malware through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever.  Web sites that exploit the Windows Metafile vulnerability are examples of “drive-by downloads” of this sort.

Drive-by downloads commonly occur when a user:

  • Visits a web site.
  • Views an e-mail message.
  • Clicks on a deceptive popup window believing that, for instance, it is a bona fide message, when in fact they have just initiated a malicious software download.

Mitigation Steps Recommended for the End User

In order of simple to more complex:

  • Do not store unencrypted personal information on a workstation.
  • Use strong passwords for encryption, for access to the workstation, and for any services or devices to which access would be granted by using the workstation.
  • Do not use the same password for multiple devices or services.
  • Change passwords regularly.
  • Do not open email from unknown senders.
  • Never click on attachments or links embedded within emails, even when the emails are from friends.  A friend may forward an attachment or link that, unknown to them, is infected with malware.
  • Do not go to unknown web sites that could be potentially dangerous.  If in doubt about a web site, check whether it appears on any of the published blacklists of malicious sites.
  • Do not assume that the web site of a small organization is less prone to malware.  The trend is for criminals to install malware even on small and medium size sites.
  • Verify the certificates of web sites on which the user will be divulging confidential information or performing a financial transaction.  Where possible, I recommend doing the transaction by telephone, unless the end user is highly confident in the identity and reputation of the web site.
  • Install an anti-malware package on each workstation.
  • Use a browser with anti-malware features.
  • Judiciously apply security patches to:
    • Anti-malware software.
    • Anti-malware features of the browser.
    • Operating system software.
    • All other application software.
  • At the very least, install a personal firewall in front of any Internet facing workstation.

My Next Blog Article

Next week I will identify some of the technical vectors used to install malware on web sites and the preventative and restorative steps web site owners can implement.

Have a secure week.

Regards,

Ron Lepofsky,

ERE Information Security Auditors.

