Wednesday, December 27, 2006

Can legitimate traffic be blocked by my IPS device?

Yes, it is possible. The following are scenarios that can cause your IPS device to report an attack that isn’t a real attack, also known as a false positive.
- Your IPS device is not set up to see traffic traversing in both directions. An IPS needs to see bi-directional traffic to accurately report attacks. This is important: if your IPS vendor does not do this, you are unquestionably vulnerable to IPS evasion.
- Valid traffic actually contains the same bit sequence as an attack packet. Signature writers do their best to ensure that this doesn’t happen, but it’s impossible to completely eliminate this problem. Be careful: if you have a vendor who claims they don’t have false positives, they have misunderstood their product.
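To make both scenarios concrete, here is an added Python example (not code from the original post, and not any vendor's signature engine) that runs one deliberately naive byte-pattern signature over a few constructed HTTP flows. The `../../` pattern, the sample flows and the status-code severity grading are all assumptions made for the illustration. It shows why a sensor that sees only the client side cannot grade its hits, and why even a bi-directional sensor still fires on a benign post that legitimately contains the same bytes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """One client/server exchange as a sensor might reassemble it."""
    client_request: bytes
    server_response: Optional[bytes]   # None when the sensor only sees the client side


# A deliberately naive content signature: a raw byte pattern and nothing else.
# Constructed for this example; it is not any vendor's signature.
SIGNATURES = {"dir-traversal-attempt": b"../../"}


def match_oneway(flow: Flow) -> List[str]:
    """Pattern-only matching on the request alone: fires whenever the bytes
    appear, whatever the server did with them, so every hit looks the same."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in flow.client_request)


def _status_code(response: Optional[bytes]) -> Optional[int]:
    """Pull the HTTP status code out of a response, if the sensor has one."""
    if response is None:
        return None
    m = re.match(rb"HTTP/1\.[01] (\d{3})", response)
    return int(m.group(1)) if m else None


def match_bidirectional(flow: Flow) -> List[Tuple[str, str]]:
    """The same patterns, graded with the server's reply. A matched request the
    server rejected (4xx/5xx) is reported low; one it accepted (2xx) is reported
    high; with no response the sensor cannot tell them apart ("unknown")."""
    status = _status_code(flow.server_response)
    if status is None:
        severity = "unknown"
    elif 200 <= status < 300:
        severity = "high"
    else:
        severity = "low"
    return [(name, severity) for name in match_oneway(flow)]


# Constructed sample flows.
REJECTED_ATTEMPT = Flow(
    b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n",
    b"HTTP/1.1 404 Not Found\r\n\r\n")
ONE_SIDED = Flow(REJECTED_ATTEMPT.client_request, None)   # response direction not seen
FORUM_POST = Flow(   # benign: a user quotes the pattern in a post about web security
    b"POST /forum/reply HTTP/1.1\r\nHost: www\r\nContent-Type: text/plain\r\n\r\n"
    b"Block requests containing ../../ at the proxy",
    b"HTTP/1.1 200 OK\r\n\r\n")
CLEAN = Flow(b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n")

if __name__ == "__main__":
    for label, flow in [("rejected attempt", REJECTED_ATTEMPT), ("one-sided", ONE_SIDED),
                        ("forum post", FORUM_POST), ("clean", CLEAN)]:
        print(label, match_oneway(flow), match_bidirectional(flow))
```

The forum post still comes out as a "high" hit even with both directions in view, because the bytes really are there and the server really did accept them. That is the second scenario above: no amount of pattern tuning removes it, which is why the correlation step described next matters.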

The best way to ensure that you have the fewest false positives is to include a device which correlates all of your security logs and analyzes false positives for you. Along with correlation, it should be able to take a mitigation action if it determines that an attack is relevant. Take a look at

Friday, December 22, 2006

I see you wrote a book about ASDM, how do I enable it in ASA 7.0?

Thanks for the question. To enable ASDM do the steps outlined below.

Step 1. Download the current ASDM image file from Check the readme to make sure it's compatible with your version of the ASA OS.
Step 2. TFTP the ASDM image to your ASA device.
Step 3. On the ASA device enter the "dir" command to verify the ASDM file name.
Step 4. On the ASA device enter the command "asdm image flash:/asdm-521.bin", substituting your file name from step 3 for mine.
Step 5. On the ASA device enter the command "http server enable".
Step 6. Ensure that the workstation you want to use to manage your ASA device has connectivity to your firewall. Use the ping command.
Step 7. On the ASA device enter the command "http inside" to ensure that ASDM can only be launched from your computer. You must substitute your IP address for the zeros. For example, if your address is, the resulting command would be "http inside".

The resulting commands should look something like the following.

asdm image flash:/asdm-521.bin
http server enable
http inside

After that you can access your firewall using ASDM by entering https:// followed by the inside address of your ASA device.

Good luck. Let me know if I can help with any other questions.

Thursday, December 21, 2006

I have kids, do I need URL fIltering at home?

Absolutely, beyond a doubt. Here’s a true story.

I was stealing a nap one Saturday afternoon after I had written my first book. I was exhausted after what seemed like endless hours of non-stop editing and writing. Only my oldest child was in the house with me. As I was half asleep I heard him ask, “Hey Dad, can I get on” He is 8 years old and my wife and I decided this is a completely appropriate site for an eight year old. I groggily replied, “Sure, no problem”. Seconds later I heard him say, “Hey Dad, I clicked on foxracing, there’s no mountain bikes, but there are a bunch of girls in their PJ’s!!”.

OK, I’ve seen the screen pop-up of images that you don’t really want to try and explain to a very curious and intelligent eight year old. I flew out of bed and raced to the computer. Ah, I thought, there must be a God; to my extreme relief it was ACTUALLY girls in PJ’s. Instead of just typing in the browser, he typed “fox racing” into the Google search screen, which is our default home page, and then clicked on the first link.
This little lesson did a few things for me.
- Made me realize how stupid I was by not putting in child surf control software.
- Made me research software that could spare other families and friends from this same experience.
- Motivated me to start this blog.
- Motivated me to start my new book aimed at protecting you and your family while on the internet.
Below are recommendations from security professionals on software to apply filters to protect your kids when they are on-line.

Tuesday, December 19, 2006

Buy an IPS with the most signatures!!! I don't think so.......

Look before you leap; still waters run deep. It's a trap and you are the prey. The number of IPS signatures has no bearing whatsoever on how well protected you are with a specific IPS device. Vendors who typically have “REGEX” signatures, vulnerability signatures, application inspection and anomaly detection may have as many as 50% fewer signatures and provide more protection than vendors that don’t have this type of consolidated protection. Another thing to look for in an IPS is how good the device is at catching IPS evasion techniques.

Many IPS vendors rely on the fact that they have more signatures. This is roughly equivalent to a football team claiming they are the best because they have the largest players. Watch for it, and look for industry studies. Most of all, make sure you have an event correlation engine that will do forensic analysis for you. This should include all network devices and software security packages, including: anti-virus, network anti-virus, computer security for both host and server, intrusion prevention, software firewalls, hardware firewalls and host intrusion prevention.

I know this is a short message, sorry it’s Christmas week, but please, take this information into consideration when making a decision on the security posture of your company, and you will be more secure.

Sunday, December 17, 2006

Many enterprises are scurrying to stop Skype (and other morphing P2P applications) from being used. Why?

This is a subject that seems to bring out the passion in many. Arguments range from “Skype is the greatest thing on earth” to “it’s dangerous and must be stopped”.

Good or bad doesn’t matter. Skype could have been one of the Internet’s killer apps if they had taken the high road and written this really cool application so that it followed standard protocols and worked in a way that was understandable and trustworthy. Instead, in their recent versions, they chose to code the product in a way that evades many security classification and detection products. This may have been the kiss of death for Skype.

Now, because Skype chose this morphing option, several security professionals are in a position where they need to decide whether or not to allow it in their network, and many folks are deciding "no". Do you really want to allow a program to be used on your network that morphs itself so severely that it evades classification and detection? Many enterprises have a security policy in place that defines acceptable network use. Acceptable traffic is certainly traffic that is known to be safe and can be classified and controlled. Put yourself in the place of an enterprise security engineer. Their job is to protect their company’s security assets. Are they going to allow software that evades classification and security detection and is encrypted? – most likely NOT!!!

The upside of Skype is that it is forcing security vendors to develop more sophisticated protocol classification and detection engines. These engines need to take into consideration that they are going to face a threat that will try to morph itself into undetectable traffic. My white hat is off to Skype for writing a really cool product and waking up the security world before a super-worm uses the same techniques. Unfortunately, malware writers are most certainly taking notes and will undoubtedly use these techniques shown to us by Skype (and other P2P applications) in future malicious software. There are already some reports that bots are using similar technology. You can pretty well bet that the race is on between vendors and hackers to see who will get to the finish line first.

Lock down the hatches and get ringside seats, this one is shaping up to be quite a showdown…..the world is changing, old threats are not the only game in town. Mitigation techniques such as Virus Protection, Anti Virus, Network Anti Virus Protection, Intrusion Prevention, Host Intrusion Prevention, Firewalls need to be augmented by behavioral analysis or anomaly detection. Look for more of this type of product in the future.

Friday, December 15, 2006

Morphing Attacks?

If you haven't already done so, think about it. Potentially insecure software that learns about your network defense and then morphs itself on the fly to bypass your security. It's been happening for a year or so now and will continue to do so at a rate that will become alarming. Look for an article next week explaining morphing applications and potential solutions to stop this type of application.
- BotNets
- Bittorrent
- Instant Messenger
- Skype
These applications listed above are somewhat harmless in the sense that they mostly suck up bandwidth, with the exception of botnets, which are used for criminal and fraudulent activity. But the reason you need to think about morphing applications is that this technology is slowly making its way into a new class of malicious software that is designed to damage you or other users on the internet. Think about it and we'll cover it in more detail next week.

Wednesday, December 13, 2006

Basic Home Computer Security Question #5. Why should I change the password of my router once I install it?

I’m glad somebody asked this question because it is often overlooked and is a huge mistake if you don’t do it. You must absolutely change both the username and password on any network device that you install, such as:
1) router
2) firewall
The reason is that most network devices come with a default username and password, and there are several tools out there that will just scan for devices and automatically enter default usernames and passwords. To make it even more dangerous, a hacker can get a scanner that will go out and find a network device from a certain vendor, and then manually enter the default username and password to try to gain access to that device. Once someone has access to the device protecting your network, they can open it up for access, sniff your network for usernames and passwords, and sniff for personal information that will allow them to steal your identity credentials.
Just for laughs, enter this URL and you will see how easy it is to find the default usernames and passwords for all vendors’ networked devices.

Websense to Address new E-mail ransom threat

THREAT ALERT: New Cyber-Extortion Scheme Targets Webmail
Websense® Security Labs™ has identified a new form of cyber-extortion with its ThreatSeeker™ technology. Unlike previously documented cases, this attack compromises online Webmail accounts. In this case, when victims logged into their Webmail accounts (in this case, Hotmail®), they noticed that all their “sent” and “received” e-mails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.
In this case, the victims had recently visited an Internet cafe where their credentials may have been compromised. The email, which was poorly written in Spanish, roughly translates into English as: "if you want to know where your contacts and your e-mails are then pay us or if you prefer to lose everything, then don't write soon!"
Although there has only been a single documented case of this new kind of threat, Websense security customers were immediately and automatically protected from it.
Resources:
- Learn more about Websense ThreatSeeker technology
- See the alert details from Websense Security Labs
- Read press coverage of the discovery

Tuesday, December 12, 2006

Excellent enterprise-focused security webinar coming up Thursday.

Thursday morning I have been asked by Cisco to provide technical support for a webinar that promises to be very technical and very informative. Pretty much every key Cisco security technology and integration between these security technologies will be addressed. This is my personal security blog and I normally wouldn’t post a message like this but this one promises to be pretty good, so I feel like I’m not doing readers justice if I don’t mention it. You can get more information at the following URL.

You have a pointer on your blog to an SQL Injection attack that returns a CMD prompt. I thought SQL Injection allowed adding records to SQL databases?

Good observation. Actually, both descriptions of SQL injection are correct and both can be dangerous. SQL injection just means that someone gained unauthorized access to send data to your SQL server. The impact of being a victim of an SQL injection attack is usually one of at least the following three things:
1) As you mentioned, writing invalid data to the database. This can be a HUGE problem if you are using your database for commercial purposes. This may allow a user to fool you into thinking that you need to write them a check. It can fool you into shipping product that you think is paid for to whatever location the attacker wants you to ship to. An attacker can just change the ship-to addresses, fooling your system into shipping paid-for goods to the wrong location. Essentially anything in the database can be manipulated to the attacker’s advantage.
2) In the demo on my blog, it shows data injected into a database that takes advantage of a vulnerability. The payload they use to exploit the vulnerability returns a command prompt to the attacker from the system which contains your SQL server. In this case it’s “Game Over”; they have full access to your system.
3) Another possible use of SQL injection is for an attacker to take advantage of vulnerabilities on your SQL server and send a crafted packet that will crash your server, essentially causing a directed denial of service attack. Then of course, if you read my CS-MARS book, you know you MAY get the ransom letter saying that if you pay a certain amount of money the DoS attacks will stop.

To mitigate SQL injection there are a few things you can do.
- Ensure that your database applications are written to enforce rules that ensure data cannot be injected into a single database structure without validating the input against other structures.
- Keep your OS and SQL server software up to date by applying current security and software patches. I know some folks are threatened by this because they like to test before they apply patches; see the next step, which will protect you while you are testing and certifying patches.
- Install a good host intrusion prevention system. This will protect you from buffer overflows and code executed off of the stack. If you have this in place, you are protected pretty well against CMD access until you have a chance to verify and install emergency updates and security hotfixes.
- Install an IPS which has signatures to prevent attacks against known vulnerabilities. Also keep your signature files up to date at all times!!!
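The first mitigation, writing the application so that user input can never change the meaning of a query, is the one the developer controls directly. Here is an added Python example (not code from the original post) that puts the string-built query beside its parameterised replacement over a constructed in-memory SQLite orders table, plus an allow-list check as a second layer. The table, the sample rows and the customer-name rule are assumptions made for the illustration; the same pattern applies to any SQL server driver that supports bound parameters.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory orders table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, ship_to TEXT, paid INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "alice", "1 Main St", 1),
        (2, "bob", "2 Oak Ave", 1),
        (3, "carol", "3 Pine Rd", 0),
    ])
    return conn


def lookup_orders_vulnerable(conn, customer):
    """String-built SQL: whatever the caller types becomes part of the statement,
    so a value containing quotes can rewrite the WHERE clause."""
    sql = "SELECT id, customer, ship_to FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Parameterised SQL: the value travels separately from the statement text,
    so it can only ever be compared against the customer column."""
    return conn.execute(
        "SELECT id, customer, ship_to FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


# Allow-list for customer names (an assumption about this sample schema):
# 1-32 lowercase letters, digits, dots or underscores.
CUSTOMER_NAME = re.compile(r"[a-z0-9._]{1,32}")


def valid_customer_name(name):
    """Second layer: reject input that does not look like a customer name at all,
    before it reaches the database, whichever query style is in use."""
    return CUSTOMER_NAME.fullmatch(name) is not None


def update_ship_to(conn, order_id, ship_to):
    """Parameterised UPDATE for the ship-to address case described in the post;
    returns the stored address so the caller can confirm what was written."""
    conn.execute("UPDATE orders SET ship_to = ? WHERE id = ?", (ship_to, order_id))
    return conn.execute("SELECT ship_to FROM orders WHERE id = ?", (order_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"     # classic textbook input that turns the WHERE clause true
    print("vulnerable:", lookup_orders_vulnerable(db, tautology))   # every row comes back
    print("safe:      ", lookup_orders_safe(db, tautology))         # no customer has that name
    print("validated: ", valid_customer_name(tautology))            # False
```

Run as a script, the vulnerable lookup returns all three rows for the quoted input while the parameterised lookup returns none, and the allow-list rejects the input before either query runs. Parameters fix the structural problem; the allow-list is the "validate against other structures" layer the post recommends, and it also keeps bad data out of the UPDATE path.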

Just a word of warning. I don’t like being a FUD monger, but if you get to the point where you are in a ransom situation, it can be very costly, not just in terms of the money being extorted. The criminal can also hurt the integrity of your company, which may be far worse than the immediate monetary loss. TAKE STEPS TO PROTECT YOURSELF!!!

Monday, December 11, 2006

What is Defense In-Depth and why is it important?

Defense in-depth is a technique that uses many layers of network defense to secure a network and all devices connected to that network. The theory behind defense in-depth is to deploy different layers of security in key parts of the network to detect, contain and ultimately stop an attack.
The basic layers and descriptions of defense-in-depth, in order of deployment, include the following.
· Authentication Layer – authenticates your users before allowing them access to your network.
· Perimeter Layer – filters unwanted network sessions from entering your network, provides application inspection and enforces RFC-compliant behavior for network sessions. Also protects you from DoS and DDoS attacks.
· Network Intrusion Prevention Layer – after you have allowed traffic into your network, intrusion prevention will examine this traffic to ensure that it’s valid and does not contain malicious content such as viruses, worms, adware, spyware, botware or trojans, and does not behave in a manner that would indicate replicating worms or scanners.
· Host Intrusion Prevention Layer – at this point your network traffic has been examined at three different levels. Host intrusion prevention is the final layer. This technology includes antivirus software, and software that looks at the behavior of your host or server and ensures that the behavior is not indicative of malicious software. The following is a sample of bad behavior on a host: a buffer overflow followed by code being executed from the buffer, the execution of an image that was recently downloaded from the Internet, a non-privileged program self-modifying to raise its privileges, a non-privileged program trying to set the network interface card into promiscuous mode to be used for network sniffing, and a browser listening on a network socket for outside connections.
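The host layer's "sample of bad behavior" reads naturally as a set of behavioral rules. Here is an added Python example (not code from the original post or from any host IPS product) that encodes four of those behaviors as rules and runs them over constructed host telemetry events. The event fields, the process names and the 60-minute "recently downloaded" window are assumptions made for the illustration.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample host telemetry; not captured from any real system.
EVENTS: List[Event] = [
    {"type": "exec", "image": r"C:\Users\me\Downloads\freegame.exe",
     "image_age_minutes": 3, "image_origin": "internet"},
    {"type": "exec", "image": r"C:\Windows\System32\notepad.exe",
     "image_age_minutes": 86400, "image_origin": "local"},
    {"type": "privilege_change", "process": "updater.exe",
     "privileged_before": False, "privileged_after": True, "self_modified": True},
    {"type": "privilege_change", "process": "installer.msi",
     "privileged_before": False, "privileged_after": True, "self_modified": False},
    {"type": "nic_mode", "process": "capture.exe", "promiscuous": True, "privileged": False},
    {"type": "nic_mode", "process": "netmon.exe", "promiscuous": True, "privileged": True},
    {"type": "listen", "process": "iexplore.exe", "port": 4444, "process_class": "browser"},
    {"type": "listen", "process": "httpd.exe", "port": 80, "process_class": "server"},
]

# Each rule: (name, event type it applies to, predicate over the event).
# The names paraphrase the behaviors listed in the post; the thresholds are assumptions.
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("exec-of-recent-download", "exec",
     lambda e: e["image_origin"] == "internet" and e["image_age_minutes"] < 60),
    ("self-modifying-privilege-raise", "privilege_change",
     lambda e: e["self_modified"] and not e["privileged_before"] and e["privileged_after"]),
    ("unprivileged-promiscuous-nic", "nic_mode",
     lambda e: e["promiscuous"] and not e["privileged"]),
    ("browser-listening-socket", "listen",
     lambda e: e["process_class"] == "browser"),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, offending process or image) for every event a rule flags.
    Events that match no rule, such as a privileged capture tool or a web server
    listening on its own port, produce nothing."""
    findings = []
    for e in events:
        for name, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                findings.append((name, str(e.get("process", e.get("image")))))
    return findings


if __name__ == "__main__":
    for rule, subject in evaluate(EVENTS):
        print(f"{rule}: {subject}")
```

The contrast rows (a locally installed notepad, an installer that legitimately elevates, a privileged capture tool, a server listening on port 80) are there to show that each rule keys on the combination of facts the post describes, not on any single one of them.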
Along with deploying the four standard layers of defense-in-depth, you also need to deploy security best practices – this encompasses many operational aspects of security; a good source for this information is Normally, security best practices would include things such as:
· Applying current operating system patches
· Applying current host and server hotfixes
· Applying current application patches
· Enforcing secure usernames and passwords
· Deploying configuration best practices as recommended by the vendor
· Deploying current anti-virus and IPS signatures
· Hardening host security
· Hardening server security
· Hardening network device and security device configuration
· Processes and procedures to respond to security breaches and disasters
· Processes and procedures to correlate and identify attacks, and processes and procedures used to respond after an attack
Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It’s a concept of deploying several layers of defense that mitigate security threats. Many hackers are looking for what is called “low hanging fruit”, or easy targets to attack. With defense in-depth applied, attackers will usually either get frustrated and move on to the next target, or stop the attacks altogether deterred by the security you’ve put in place.
Even with defense in-depth in place, don’t get lulled into a false sense of security. A patient hacker, a very skilled hacker, a disgruntled employee or far-ranging new security vulnerabilities will always pose a threat to any security environment.

Friday, December 8, 2006

From Kevin Lueders - What are the tradeoffs between ease of use/administration versus security?

This is a question posted on my security1a blog, it seemed appropriate to also post it here since it can affect you as an enterprise security user or manager.

The easiest thing in the world to do when setting up your wireless at home is to take all of the defaults and only use an SSID for security. People tend to think that if they come up with a unique SSID, no one will be able to log on to their network. But the fact of the matter is, most access points by default broadcast the SSID, and modern wireless software running on Windows, Linux and Macintosh will list all SSIDs that the wireless antenna detects. Bottom line: the SSID is “wireless ease of administration” and it provides “no security whatsoever”. Anybody with a PC can log on to your wireless network and do whatever they want.
From a threat point of view, here is a list of the possible impacts.
- Someone gets on your wireless network and they have free, open access to any device you have connected to your home network. This means they can install keyboard sniffers, network sniffers or even man-in-the-middle attack software, all of which could steal encrypted usernames, passwords, Social Security Numbers, credit cards, etc. Not to mention access your firewall or edge router and modify the configuration to weaken your security posture.
- Another huge threat is if you are using VPN to get to your company. Essentially, if somebody compromises your home network they can potentially have access to your company’s network. Also keep in mind that many companies use VPN in a way that data must go into your company’s network before it goes out to the Internet. This means that if your company has a policy that defines “acceptable network use” and this person/hacker/attacker/accidental_tourist does compromise your network and violates that policy by doing something like attacking another network or surfing pornographic web sites, your company will track this activity back to you and you may be in a position where you will have to answer very uncomfortable questions or perhaps even face termination.
I guess this is a long-winded way of saying, don’t take the easy way out when it comes to administering the wireless network in your house. Check with your security vendor and find out the steps you need to take to authenticate only your devices and, in addition, encrypt your network traffic. Also change your encryption key on a regular basis if your security vendor does not have technology which automates this process.
Just a little more information. If you don’t use encryption on your wireless network, anybody with a wireless sniffer that is within range of your access point can sniff all data going to and from your wireless network. This is bad enough at home, but it is especially dangerous in wireless hotspots. If you have a host VPN, use it in situations where you don’t have control over wireless encryption. Also never turn off your host intrusion prevention, anti-virus or personal firewall if you are near a public hotspot.

This Blog will be running by December 10th 2006

Thanks for your patience

With Great Power Comes Great Responsibility....raise the bar

Get Secure