Professional Network and Host/Server Computer Security

Why Block Skype?

2008-01-25T09:48:00.001-08:00

Blocking Skype with security devices seems to be a very emotional subject for some people. I guess I can’t blame folks for being ticked off about this. From their standpoint they can make free calls and the service is always up. Very nice. But before you hang your security administrators for blocking Skype read on…..

Please make sure you understand the downside of Skype however before you quickly judge those who are skeptical. Skype has security evasion behavior built into the software, it changes ports to avoid being blocked by firewall policies and it encrypts it’s payload so conversations cannot be “grabbed”.

Now consider a security administrators job which is basically to enforce company internet security policies. Now consider that most enterprise have in place called “acceptable use”. Most “Acceptable Use” security policies state that an acceptable application must use a well defined port and an established RFC protocol, this guarantees that an enterprise can have visibility into outbound data streams which helps them to protect against data-leakage. Skype clearly doesn’t work in a way that’s acceptable for many enterprises.

Again is Skype bad – no, it’s great. Is it acceptable to run in corporate environments? Maybe, maybe not, it’s up to the enterprise to make this decision. Just keep in mind that if an enterprise chooses to block Skype, they aren’t doing it as a personal attack against anyone and it doesn’t make them bad guys, they are just doing their job. A more effective use of your energy may be to petition the folks at Skype to enable acceptable behavior into their product.

TJ Maxx - Largest ID Theft Ever!!!

2007-03-30T10:47:00.000-07:00

It happens folks, if I hear one more time that security engineers spread FUD I'm going to scream!!!!!

TJ Max reported the largest identity theft ever. If you are a customer keep a very close eye on any account or credit card that may be exploited. As an IT or security professional this is a case you may want to keep an eye on. The number of potential IDs lost in this exploit is huge.

Of course there is no report of what security was in place. Keep this event in mind when making decisions about a security architecture. If you are using point products as a single line of defense and no host intrusion prevention or network intrusion prevention, you are NOT secure!!!

THINK LAYERS-OF-DEFENSE!

http://ezinearticles.com/?Identity-Theft-Problems-for-TJ-Max-and-Marshalls-Customers&id=431633

Computer Theft of Loss - Equals Game Over for Security

2007-02-12T11:17:00.000-08:00

Ever ask you self the question, what is the MOST IMPORTANT aspect of host security?

Consider this for an answer. It has nothing to do with Software Firewall, Hardware Firewall, Network Intrusion Prevention, Anti Virus, Network Anti Virus Protection, Host Intrusion Prevention and Anomaly Detection. You can have all of this security in place, but if lose a machine or a machine get stolen, the game is over. A PC in the hands of a capable hacher is basically defenseless. If you have PC with critical data the best you can do is protect the critical data with very strong encryption, even then if the hacker is REALLY good, your chances of losing that data is high.

Losing computers happens to everyone, see article below, but that doesn't mean you should not do your absolute best to ensure that PC's are locked down or kept in secure places when not in use.

http://www.cnn.com/2007/US/02/12/fbi.laptops/index.html

Vista Security Dies on the Vine

2007-02-09T09:13:00.000-08:00

I don't usually like to make a big deal out of Microsoft vulnerabilities. For Microsoft to secure all of their products is probably one of the toughest jobs in the world. When you own 90% of the operating install base on the planet, there will be thousands of people trying to exploit your applications.

I was shocked at RSA this week that I had people who I thought to be knowledgeable tout Vista as being the end-all to security vulnerabilities. When I argued, that exploits would be coming soon and frequent, I was unceremoniously scorned:) - ha ha - to those people I say "sit down so you don't faint and read the following article".

Don't get me wrong I'm not happy about this in any way. But learn the lesson, NO operating system with as many features and flexibility offered by ANY vendor are vulnerability proof.

RSA 2007 San Francisco - Meet the author please!!!

2007-02-06T19:22:00.000-08:00

Hey blog-readers. Sorry I've been off line for so long. I had the web hits up to over 100 per day and then I got invoved in getting ready for the RSA security conference and my blog time when away.

If you get a chance please come by the Cisco booh at RSA and see the demo's on CS-MARS, IPS 6.0 and ASA 8.0 I setup the demo's and will pretty much be there the entire time answering questions about IPS.

Please let me know if you are a reader of the blog, I know very few people who log it and it will be good to me you. I'll geek out and talk as much security as you like......

Thanks,
Greg

Host Intrusion Prevention versus Host Anti Virus - Now is the time for change

2007-01-25T13:44:00.001-08:00

Host anti virus is a traditional security mitigation software used by millions of computer users across the globe. Anti Virus does a great job of stopping known security exploits through the use of signature type definition files. Unfortunately for the general computer user, the word “known” is the key to this conversation. This means that Anti Virus is only as good as attacks that you already know about. If you use Anti Virus, you are still highly susceptible to a new computer attacks.

Contrast that with Hosts Intrusion Prevention (HIPS). HIPS looks at the behavior of hosts and decides if that behavior could be consistent with the action of malicious code. If the hips software besides that the behavior is suspicious, it will either stop the behavior or query you on whether you want to allow the behavior. Bottom line is that HIPS does not use signature definition files, it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with hips software is that it is 100% reliable.

The downside of Host Intrusion Prevention software is that the versions that are available are targeted for larger customers with a professional security team that can manage and analyze events seen win rules trigger. Generally it's too complex to be managed by the average end user.

This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to Anti Virus, now is the time to commercialize the software. Take the complexity out of the existing hips software, and tone it down so that the average home user can use it, and be protected at all times as opposed to the current scenario experience while using antivirus. This isn't that huge of a task. Shoot for the low hanging fruit, and only deploy rules such as, stopping code that is executed after a buffer overflow, stopping code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, stop traffic related to port scans. These are just ideas I'm sure there's more. If you do happen to read this article, please encourage your local hips vendor to commercialize their product, maybe even encourage them to market it to huge service providers such as Comcast, and AOL.

How effective is Anti Virus software at stopping worm attacks?

2007-01-16T12:42:00.000-08:00

Host Anti Virus software and Network Anti Virus appliances can both be used to stop worms. But there are a few caveats.

1. New exploits may not be stopped by many Anti Virus packages
2. You must use auto-update features of your AV software to ensure that definitions of current worms are activated.
3. Host anti virus will not stop worms destined for any devices except the device they are installed on.

When it comes to stopping worms I recommend a full blown IPS and also behavior based Host Intrusion prevention software. Network IPS mitigates worms against all network assets and behaviors based intrusion prevention does not depend on signature updates to stop threats.

Yes I'm a Cisco bigot check
www.cisco.com/go/asa
www.cisco.com/go/ips

Check adds on this page for other credible AV and IPS vendors that can mitigate work behavior.

Ha ha, did I really say mitigate work behavior? Ah that should be WORM behavior but I suppose mitigating work behavior wouldn't be a bad idea for some of us......

Can legitimate traffic be blocked by my IPS device?

2006-12-27T10:53:00.000-08:00

Yes it is possible. The following are scenarios that can cause your IPS device to report an attack that isn’t a real attack, also known as a false positive.
- Your IPS device is not setup to see traffic traversing in both directions. IPS needs to see bi-directional traffic to accurately report attacks. This is important, if your IPS vendor does not do this, your are unquestionably vulnerable to IPS evasion.
- Valid traffic actually contains the same bit sequence as an attack packet. Signatures writers do their best to ensure that this doesn’t happen, but it’s impossible to completely eliminate this problem. Be careful, if you have a vendor who claims they don’t have false positives, they have misunderstood their product.

The best way to ensure that you have the fewest false positives, is to include a device which correlates all of your security logs and analyzes false positive for you. Along with correlation it should be able to take a mitigation action if it determines that an attack is relevant. Take a look at www.cisco.com/go/mars.

I see you wrote a book about ASDM, how do I enable it in ASA 7.0?

2006-12-22T13:30:00.000-08:00

Thanks for the question. To enable ASDM do the steps outlined below.

Step 1. Download the current ASDM image file from www.cisco.com. Check the readme to make sure it's compatible with your version of the ASA OS.
Step 2. tftp the ASDM image to your ASA device.
Step 3. On the ASA device enter the "dir" command to verify the ASDM file name.
Step 4. On the ASA device enter the command "asdm image flash:/asdm-521.bin" substitute my file name with yours from step 3.
Step 5. On the ASA device enter the command "http server enable"
Step 6. Ensure that the workstation you want to use to manage your ASA device has connectivity to your firewall. Use the ping command.
Step 7. On the ASA device enter the command "http 0.0.0.0 0.0.0.0 inside" to ensure that ASDM can only be launched from your computer. You must substitute your ip address instead of the zero's. For eaxmple if your address is 192.168.1.100, the resulting command would be "http 192.168.1.100 255.255.255.255 inside"

The resulting commands should look something like the following.

asdm image flash:/asdm-521.bin
http server enable
http 192.168.1.100 255.255.255.255 inside

After that you can access your firewall using ASDM by entering
https and the nside address of your ASA device.

Good luck. Let me know if I can help with any other questions.

I have kids, do I need URL fIltering at home?

2006-12-21T13:03:00.000-08:00

Absolutely beyond a doubt. Here’ a true story…..

I was stealing a nap one Saturday afternoon after I had written my first book. I was exhausted after what seemed like endless hours of non-stop editing and writing. Only my oldest child was in the house with me. As I was half asleep I heard him ask , “Hey Dad can I get on Foxracing.com.” He is 8 years old and my wife and I decided this is a completely appropriate site for an eight year old. I groggily replied, “sure, no problem”. Seconds later I heard him say, “Hey Dad, I clicked on foxracing, there’s no mountain bikes, but there are a bunch of girls in their PJ’s!!”.

OK I’ve seen the screen pop-up of images that you don’t really want to try and explain to a very curious and intelligent eight year old. I flew out of bed, and raced to the computer. Ah, I thought, there must be a God, to my extreme relief it was ACTUALLY girls in PJ’s……..Instead of just typing http://www.foxracing.com/ in the browser, he typed “fox racing” into the Goolge search screen, which is our default home page and thin clicked on the first link.
This little lesson did a few things for me.
- made me realize how stupid I was by not putting in child surf control software. - Made me research software that could spare other families and friends from this same experience. - Motivated me to start this blog - Motivated me to start my new book aimed at protecting you and your family while on the internet.
Below are recommendation from security professionals on software to apply filters to protect your kids when they are on-line.
www.cybersitter.com
www.netnanny.com
www.surfcontrol.com
www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
www.cyberPatrol.com
www.8e6home.com
www.netwitness.com
www.dansguardian.org
www.we-blocker.com

Buy an IPS with the most signatures!!! I don't think so.......

2006-12-19T14:17:00.000-08:00

Look before you leap, still waters run deep. It's a trap and you are the prey....The number of IPS signatures has no bearing what-so-ever in regards to, how well protected you are with a specific IPS device. Vendors who typically have “REGEX” signatures, vulnerability signatures, application inspection and anomaly detection, may have as many as 50% less signatures and provide more protection then vendors that don’t have this type of consolidated protection. Another thing to look for in IPS is how good is the device at catching IPS evasion techniques.

Many IPS vendors rely on the fact that they have more signatures. This is roughly equivalent to a football team claiming they are the best because they have the largest players. Watch for it, look for industry studies. Most of all, make sure you have an event correlation engine that will do forensic analysts for you. This should include all network devices and software security packages including: Anti Virus, Network Anti Virus, Computer Security both host and server, Intrusion Prevention, Software Firewalls and Hardware Firewalls and Most Intrusion Prevention.

I know this is a short message, sorry it’s Christmas week, but please, take this information into consideration when making a decision on the security posture of your company, and you will be more secure.

Many enterprises are scurrying to stop Skype (and other morphing P2P applications) from being used.. Why?

2006-12-17T22:01:00.000-08:00

This is a subject that seems to bring out the passion in many. Arguments range from, Skype is the greatest thing on earth, to, it’s dangerous and must be stopped.

Good or bad doesn’t matter, Skype could have been one of the internets killer app’s if they had taken the high road and wrote this really cool application that followed standard protocols and worked in a way that was understandable and trust worthy. Instead, in their recent versions, they chose to code the product in a way that evades many security classification and detection products. This may have been the kiss of death for Skype.

Now, because Skype chose this morphing option, several security professionals are in a position where they need to decide whether or not to allow it in their network and many folks are deciding "no". Do you really want to allow a program to be used on your network that morphs its self so severely that it evades classification and detection? Many enterprises have a security policy in place that defines acceptable network use. Acceptable traffic is certainly traffic that is know to be safe and can be classified and controlled. Put yourself in the place of an enterprise security engineer. Their job is to protect their companies security assets. Are they going to allow software that evades classification, security detection and is encrypted? – most likely NOT!!!

The upside of Skype is that it is forcing security vendors to develop more sophisticated protocol classification and detection engines. These engines need to take into consideration that they are going to have a threat that will try to morph it self into undetectable traffic. My white-hat is off to Skype for writing a really cool product and waking up the security world before a super-worm uses the same techniques. Unfortunately malware writers are most certainly taking notes and will undoubtedly use these techniques shown to us by Skype (and other P2P applications) in future malicious software. There’s already some reports that BoTs are using similar technology. You can pretty well bet that the race is on between vendors and hackers to see who will get to the finish line first.

Lock down the hatches and get ringside seats, this one is shaping up to be quite a showdown…..the world is changing, old threats are not the only game in town. Mitigation techniques such as Virus Protection, Anti Virus, Network Anti Virus Protection, Intrusion Prevention, Host Intrusion Prevention, Firewalls need to be augmented by behavioral analysis or anomaly detection. Look for more of this type of product in the future.

Morphing Attacks?

2006-12-15T10:19:00.000-08:00

If you haven't already done so, think about it. Potentially insecure software that learns about your network defense and then morphs itself on the fly to bypass your security. It's been happening for a year or so now and will continue to do so at a rate that will become alarming. Look for an article next week explaining morphing applications and potential solutions to stop this type of application.
- BotNets
- Bittorrent
- Instant Messanger
- Skype
These applications listed above aresomewhat harmless in the sense that they mostly suck up bandwidth, with the exception of Botnets, which are used for criminal and fraudulent activity. But the reason you need to think about morphing applications, is that this technology is slowly making into a new class or malicous software that is designed to damage you or other users on the internet. Think about it and we'll cover it on more detail next week.

Basic Home Computer Security Question #5. Why should I change the password of my router once I install it?

2006-12-13T23:31:00.000-08:00

I’m glad somebody else’s question because it is often overlooked and is a huge mistake if you don’t do it. You must absolutely change both the username and password on any network device that you install, such as;
1) router
2) firewall
The reason is most network devices must come with a default username or password and there are several tools out there that will just scan for devices and automatically enter default usernames or passwords. In fact to make it more dangerous a hacker can get a scanner that will go out and find a network device from a certain vendor, and they can manually enter the default username or password to try and gain access to this device. Once someone has access to the device protecting your network, they can open it up for access, sniff your network for usernames or passwords, sniff for personal information that will allow them to steal your identity credentials.
Just for laughs enter this URL and you will see how easy it is to gain the default usernames and passwords for all vendors networked devices.
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

Websense to Address new E-mail ransom threat

2006-12-13T10:38:00.001-08:00

THREAT ALERT New Cyber-Extortion Scheme Targets Webmail Websense® Security Labs™ has identified a new form of cyber-extortion with its ThreatSeeker™ technology. Unlike previously documented cases, this attack compromises online Webmail accounts. In this case, when victims logged into their Webmail accounts (in this case, Hotmail®), they noticed that all their “sent” and “received” e-mails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.
In this case, the victims had recently visited an Internet cafe where their credentials may have been compromised. The email, which was poorly written in Spanish, roughly translates in English to: "if you want to know where your contacts and your e-mails are then pay us or if you prefer to lose everything, then don't write soon!"
Although there has only been a single documented case of this new kind of threat, Websense security customers were immediately and automatically protected from it.
Resources: Learn more about Websense ThreatSeeker technology See the alert details from Websense Security Labs Read press coverage of the discovery

Excellence enterprise focused security webinar coming up Thursday.

2006-12-12T17:02:00.001-08:00

Thursday morning I have been asked by Cisco to provide technical support for a webinar that promises to be very technical and very informative. Pretty much every key Cisco security technology and integration between these security technologies will be addressed. This is my personal security blog and I normally wouldn’t post a message like this but this one promises to be pretty good, so I feel like I’m not doing readers justice if I don’t mention it. You can get more information at the following URL. http://cisco.com/en/US/netsol/ns665/networking_solutions_packages_list.html?sid=135483_7#~technology

You have a pointer on your blog to an SQL Injection attack that returns a CMD prompt. I thought SQL Injection allowed adding records to SQL databases?

2006-12-12T09:25:00.000-08:00

Good observation. Actually both descriptions of SQL Injections are correct and both can be dangerous. SQL Injection just means that someone gained un-authorized access to send data to your SQL server. The impact being a victim of an SQL Injection attack are usually one of at least the following three things:
As you mentioned, writing invalid data to the database. This can be a HUGE problem if you are using your database for commercial purposes. This may allow a user to fool you into thinking that you need to write them a check. It can fool you into shipping product that you think is paid for to whatever location the attackers wants you to ship. An attacker can just change the ship to addresses fooling your system into shipping paid-for-goods to the wrong location.. Essentially anything in the database can be manipulated to the attackers advantage.
In the demo on my blog, it shows data injected into a database that takes advantage of a vulnerability. The payload they use to exploit the vulnerability returns in a command prompt to the attacker from the system which contains your SQL server. In this case it’s “Game Over”, they have full access to you system.
Another possible use of SQL Injection is for an attacker to take advantage of vulnerabilities on your SQL server and send a crafted packet that will crash your server essentially causing a directed denial of service attack. Then of course if you read my CS-MARS book you know you MAY get the ransom letter saying if you pay a certain amount of money the DoS attacks will stop.

To mitigate SQL injection there are a few things you can do.
Ensure that your database applications are written to enforce rules that ensure data cannot be injected into a single database structure without validating the input against other structures.
Keep your OS and SQL server software up to date by applying current security and software patches. I know some folks are threatened by this because they like to test before they apply patches - see the next step which will protect you while you are doing tests and certifying patches.
Install a good Host Intrusion Prevention system. This will protect you from buffer overflows and code executed off of the stack. If you have this in place, you are protected pretty well against CMD access until you have a chance to verify and install emergency updates and security hot fixes..
Install IPS which has sigs to prevent attacks against know vulnerabilities. Also keep your signatures files up to date at all times!!!

Just and word of warning. I don’t like being a FUD monger, but if you get to the point where you are in a ransom situation, it can be very costly not just in terms of the money being extorted. The criminal can also hurt the integrity of your company which may be far worse then the immediate monetary loss. TAKE STEPS TO PROTECT YOURSELF!!!

What is Defense In-Depth and why is it important?

2006-12-11T16:39:00.000-08:00

Defense in-depth is a technique that uses many layers of network defense to secure a network and all devices connected to that network. The theory behind defense in-depth is to deploy different layers of security in key parts of the network to detect, contain and ultimately stop an attack.
The basic layers and descriptions of defense-in-depth, in order of deployment, include the following.
· Authentication Layer – authenticates your users before allowing them access to your network.
· Perimeter Layer – filters unwanted network sessions from entering your network, and provides application inspection and enforces RFC compliant behavior to network sessions. Also protects you from DoS and DDoS attacks
· Network Intrusion Prevention Layer – after you have allowed traffic into your network, intrusion prevention will examine this traffic to ensure that it’s valid and does not contain malicious content such as viruses worms, adware, spyware, botware, trojans, or does not behave in a manner that would indicate replicating worms or scanners.
· Host Intrusion Prevention Layer - at this point your network traffic has been examined at three different levels. Host intrusion prevention is the final layer. This technology includes antivirus software, and software that looks at the behavior of your host or server and ensures that the behavior is not indicative of malicious software. The following is a sample of bad behavior on a host: a buffer overflow followed by code being executed and executed from the buffer, the execution of an image that was recently downloaded from the Internet, a non-privileged program self modifying to raise its privileges, a non-privileged hosts trying to set the network interface card into promiscuous mode to be used for network sniffing, a browser listening on a network socket for outside connections.
Along with deploying and the four standard layers of Defense-in-depth, you also need to deploy Security Best Practices – this encompasses many operational aspects of security, a good source for this information is SANS.org. Normally security best practices would include things such as:
· Applying current operating system patches
· Applying Current host and server hot fixes
· Applying Current Application Patches
· Enforcing Secure usernames and passwords
· Deploying Configuration best practices as recommended by the vendor
· Deploying Current anti-virus or IPS signatures
· Hardening Host security
· Hardening server security
· Hardening Network device and security device configuration
· Processes and procedures to respond to security breaches and disasters
· Processes and procedures to correlate and identify attacks, processes and procedures used to respond after an attack
Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It’s a concept of deploying several layers of defense that mitigate security threats. Many hackers are looking for what is called “low hanging fruit”, or easy targets to attack. With defense in-depth applied, attackers will usually either get frustrated and move on to the next target, or stop the attacks altogether deterred by the security you’ve put in place.
Even with defense in depth in place, don’t get lulled into a sense of false security. A patient hacker, a very skilled hacker, a disgruntled employee or far ranging new security vulnerabilities will always pose a threat to any security environment.

From Kevin Lueders - What are the tradeoffs between ease of use/administration versus security?

2006-12-08T13:55:00.000-08:00

This is a question posted on my security1a blog, it seemed appropriate to also post it here since it can affect you as an enterprise security user or manager.

The easiest thing in the world to do when setting up your wireless at home is to take all of the defaults and only use a SSID for security. People tend to think that if they come up with a unique SSID, that no one will be able to log on to their network. But the fact of the matter is, most access points by default broadcast the SSID, and modern day wireless software running on Windows, Linux and Macintosh will list all SSID’s that the wireless antenna detects. Bottom line….SSID is “wireless ease of administration” and it provides “no security what so ever”. Anybody with a PC can logon to your wireless network and do what ever they want.
From a threat point of view here is a list of the possible impacts.- someone gets on your wireless network and they have free open access to any device you have connected to your home network. This means they can install keyboard sniffers, networks sniffers or even man in the middle attack software. All of which could steal encrypted usernames, passwords, Social Security Numbers, credit cards etc. Not to mentioned access your firewall or edge router and modify the configuration to weaken your security posture.- another huge threat is, if you are using VPN to get to your company. Essentially, if somebody compromises your home network they can potentially have access to your company’s network. Also keep in mind that many companies use VPN in a way that data must go into your company’s network before it goes out to the Internet. This means if your company has a policy that defines “acceptable network use” and this person/hacker/attacker/accidental_tourist does compromise your network and violates that policy doing something like, attacking another network or surfing pornographic web sites - your company will track this activity back to you and you may be in a position where you will have to answer very uncomfortable questions or perhaps even face termination.
I guess this is a long-winded way of saying, don’t take the easy way out when it comes to administering the wireless network in your House. Check with your security vendor and find out steps you need to take to authenticate only your devices and in addition encrypt your network traffic. Also change your encryption key on a regular basis if your security vendor does not have technology which automates this process.
Just a little more information. If you don’t use encryption on your wireless network, anybody with a wireless sniffer that is within the range of your access point can sniff all data going to and from your wireless network. This is bad enough at home but this is especially dangerous in wireless hotspots. If you have a host VPN use it in situations where you don’t have control over wireless encryption. Also never turn off your host intrusion prevent, ant-virus or personal firewalls if you are near a public hotspot.

This Blog will be running by December 10th 2006

2006-12-08T08:53:00.001-08:00

Thanks for your patience