Tech Support For Dummies


Tuesday, 20 December 2011

Holiday wishes and what's in store for 2012

Posted on 12:06 by Unknown
I'd like to send out a special holiday wish to everyone: Merry Christmas, Happy Hanukkah and Happy New Year!

This year has been extraordinarily great for me in my business and I owe it all to my clients, presentation and seminar participants, and purchasers of my books and audio content. Thank you very much!

I have lots of neat things right around the corner including a YouTube video channel and new Security On Wheels audio programs. In fact, I've already started on my videos and am pulling together some fresh audio content based on the feedback I've gotten regarding my presentations, seminars and webcasts over the past year.

It's time for me to disconnect for a couple of weeks. Here's to a great 2011 and an ever greater 2012!

All the best,
Kevin
Posted in audio programs, Kevin's seminars, Kevin's videos, message from Kevin | No comments

Saturday, 17 December 2011

WebInspect: How SQL injection testing *should* be done

Posted on 12:56 by Unknown
SQL injection is arguably the grandest of all security vulnerabilities. It can be exploited anonymously over the Internet to gain full access to sensitive information - and no one will ever know it occurred. Yet time and again it's either:
  1. overlooked by people who don't test all of their critical systems from every possible angle
  2. overlooked by people who haven't learned how to properly use their Web vulnerability scanners
  3. overlooked by people who chose to only perform PCI-DSS-type vulnerability scans that don't go deeply enough
  4. And, perhaps worst of all, overlooked by tools that can't test for - or properly exploit - SQL injection

Certain automated tools for SQL injection testing/exploitation have been around for years but I've never seen a tool that actually finds SQL injection as frequently or is as simple to use as HP's WebInspect. As shown in the following screenshots, with WebInspect it's a simple two-step process from initial scan to data extraction:

Step 1: Run the vulnerability scan to find SQL injection flaws. Finding it is half the battle. Most vulnerability scanners have no clue of its existence.

Step 2: Right-click on the finding, load the SQL Injector tool to confirm the injection and then click Pump Data to automatically siphon data out. Yes, it's that simple. (Note: in this test instance, extraction was not possible but it is in at least half of the SQL injection flaws I come across).

At your option, you can also use WebInspect's Vulnerability Review function to go back and test the SQL injection flaws once a fix is put in place...no need for a full rescan. Love it.

Folks, this is something that cannot be taken lightly. I'm not just talking about SQL injection itself but the fact that your tools may not be providing you the right information you need. As I've said before, You cannot secure what you don't acknowledge. In this case, I'll tweak that a bit and say You cannot secure what you cannot find. Just because the tools you're using aren't finding or exploiting SQL injection doesn't mean it's not a problem. Trust but verify.
Posted in automated scanner oversights, cool products, penetration testing, SQL injection, vulnerability assessments, web application security, WebInspect | No comments

Friday, 16 December 2011

AlgoSec & what happens when you don't look for flaws from every angle

Posted on 09:24 by Unknown
I recently had the opportunity to see how well AlgoSec's Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would've gone undetected otherwise. A traditional vulnerability scanner didn't find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.

Only AlgoSec's Firewall Analyzer found the weakness...no doubt a flaw that would've been exploited eventually.

Folks, information security is about piecing things together. We're never going to find it all but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you're screwed - at best you're living in a delusional world. Case in point, I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out "OK". The result that the executives saw was Low Risk Overall.

Wow.

Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the "free" and commercial competition (there's no comparison)...I honestly believe that some big data breaches that have already occurred and have yet to happen will be related to using the wrong tools...or not enough tools...that combined with people not testing all the systems that matter. People aren't looking at the whole picture.

I know, you can't rely on tools alone but by golly you'd better make sure you're not only looking at everything that matters but you're also using the best tools possible when doing your security testing. Here's a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter
Posted in back to basics, cool products, firewalls, low-hanging fruit, penetration testing, scary stuff, security assessments, security testing tools, stupid security | No comments

Thursday, 15 December 2011

Big-data-retention-storage-security...what a mess!

Posted on 18:00 by Unknown
I've written some new bits on storage security and data retention that you may be interested in...especially as you move your "big data" to the cloud in 2012. You are going to do that, right? ;-) Enjoy!

Data security and backup encryption remain critical

Secure data storage strategies and budget-friendly security tools for SMBs

Heading in the Wrong Direction with Data Protection?

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in cloud computing, data retention, Kevin's security content, storage security | No comments

Going green's tie-in with infosec

Posted on 05:16 by Unknown
If you've been following my blog and my principles for even a short period of time you've probably figured out that I pull no punches when it comes to personal responsibility and limited government. There's hardly anywhere I'm more passionate in this regard than the marketing smoke and mirrors of "Going Green" and the religion of "global warming". I should say "climate change"; that covers warming and cooling for the anti-Capitalist movement, right?

Bandwagon jumping aside, I do believe that it's up to all of us to take reasonable care of the environment through recycling, minimizing the energy we use and so on. In fact, I strongly believe that if we all just did a little bit in terms of personal and business recycling and being smarter about energy consumption that we could make a huge difference for future generations.

Ditto with information security. I truly believe if we all just did a little bit more...if management exercised more common sense, if users clicked on fewer unsolicited links and if IT managers and developers fixed the low-hanging fruit - the basics of what's continually exploited - just imagine how much more secure our information would be.

The problem is getting people to take personal responsibility for their actions. There's a big, big hurdle with that though and therein lies the problem.

Be it heads in the sand over information security or society slowly dismantling the very essence of what's given us our standard of living in the name of "global warming", as Ayn Rand said: We can evade reality but we cannot evade the consequences of evading reality.
Posted in back to basics, compliance, global warming, government regulations, great quotes, information security quotes, low-hanging fruit, personal responsibility, thinking long term | No comments

Monday, 12 December 2011

Why uninterruptible power supplies have higher quality than Web apps

Posted on 04:25 by Unknown
I recently purchased an APC uninterruptible power supply for my office and noticed something peculiar in the packaging. It was a small piece of paper that says "QUALITY ASSURANCE TEST". It has the time, date, operator ID and other identifying information for the specific piece of hardware.


As you can see in the image, this QA test sheet has 33 unique tests that were performed on the unit presumably before it shipped. Everything from polarity checks to AC line calibration to beeper tests was performed on this system.

Then it occurred to me...do we actually demand better quality from uninterruptible power supplies like this than we do from the Web applications that power our businesses? I don't know that we *demand* it but it sure is coming across that way!

Sure, there's unit testing, functional testing, user acceptance testing and so on around any given Web application, but where's the real quality when it comes to security and overall application robustness?

I know companies like APC wouldn't dare let a low-quality uninterruptible power supply leave the building yet so many companies of similar size and visibility do this every single day with their software. Numerous studies are done each year on security being a missing component of software quality...yet the problem continues on as if it's someone else's problem. I see it in my work every day and we're all impacted when data breaches occur.

Where are we failing ourselves here? Our priorities are misplaced to say the least.
Posted in penetration testing, personal responsibility, quality assurance, scary stuff, security leadership, software development, stupid security, web application security | No comments

Sunday, 11 December 2011

Windows security exploits, all over again

Posted on 08:21 by Unknown
There's a good bit brewing in the Windows world regarding security and I suspect 2012 will make for an interesting year...Here are some new pieces I've written for TechTarget along these lines where I cover Windows 8 and SharePoint security, using Metasploit to exploit flaws as well as some Windows security oversights I see in practically every internal security assessment I do. Enjoy!

Patching and continuous availability in Windows Server 8

SharePoint security should not be an afterthought

Exploiting Windows vulnerabilities with Metasploit

Five Windows environment security flaws you may be forgetting

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.
Posted in Kevin's security content, metasploit, security testing tools, sharepoint, web application security, web server security, Windows, windows 8 | No comments

Friday, 9 December 2011

Reactive security at its finest

Posted on 05:49 by Unknown
I've been hearing on the news about Georgia State University (@GeorgiaStateU) installing 50 new security cameras. No doubt, universities in downtown Atlanta (one of the highest-crime cities in the nation) are not faring so well with security these days so somebody needs to do something, no?

Well, Georgia State's solution was to install more security cameras. Is this security theater at its finest? Not totally, but it is security theater like I see all the time in townhome and apartment complexes where the "gate's always up".

This reminds me of some security concerns I found when I first moved into my previous office: outside doors staying unlocked around the clock, wiring closet accessible to everyone who comes inside the building among others...When I mentioned these concerns to my landlord he, in typical head-in-sand fashion, brushed them off and said "We have security cameras that monitor the parking lot." Oh, okay, well in that case...sheesh.

Like cloud computing contracts and SLAs that so many businesses over-rely on, these cameras are certainly good for reactive measures - a means to fall back on. Sure, they may deter a few thugs but they're not going to stop the actual crime in most situations (think convenience store robberies we see on video all the time). Perhaps this would but it'd never fly so the crimes will likely continue. As with criminal hackers, the thugs terrorizing Atlanta's streets know they have the upper hand.
Posted in cloud computing, government regulations, hacking, personal responsibility, physical security, scary stuff, stupid security | No comments

Thursday, 8 December 2011

Are CIOs not doing their jobs?

Posted on 04:08 by Unknown
In the past week I've come across three different articles on how CFOs are getting more involved in IT. For example, in last week's Atlanta Business Chronicle feature CFOs take on increasing roles in IT department stated: "CFO involvement with IT has been largely driving by the need to upgrade reporting functions and the general inability of many legacy systems to provide the kind of data the C-suite needs." According to Robert Half Management Resources, 44% of CFOs have become more involved in technology-related decision-making. Interesting finding.

And this CSO piece from a couple of weeks ago stated: "For business both small and large, CFOs now are finding themselves with fiduciary responsibility in data-protection cases."

Finally, some interesting findings were documented in this CIO piece from just a few months back:
  • 26% of IT investments in the past year have been authorized by CFOs alone
  • 51% of cases, IT decisions are being made either by the CFO alone, or by the CFO in a collaboration with the CIO
  • 5% of the time the CIO makes the investment call
  • 42% of IT organizations report directly to the CFO
  • 47% of executives viewed IT as being strategic

Ouch!

Is this a sign that CIOs aren't communicating effectively with others in management? Perhaps they're not providing them with the tools they need to make strategic decisions? Does it underscore the very issue I've been ranting about for years regarding executives having their heads in the sand over IT? I'm hopeful that it's merely a sign that IT and information security are getting more visibility in the business and thus luring more decision makers to the table.

Only time will tell. One thing's for sure...If you're an IT leader, you'd better keep doing the things that good leaders do so you can keep your visibility....and your job.
Posted in personal responsibility, security committees, security leadership, stupid security | No comments

Wednesday, 7 December 2011

BitLocker, Passware...heads in sand everywhere!

Posted on 06:04 by Unknown
Three times in the past three weeks. That's how many conversations I've had with people who have blown off any sort of technical or operational weaknesses associated with Microsoft BitLocker when using it as an enterprise full disk encryption solution. They're well-documented. I highlighted these issues in my recent whitepaper The Hidden Costs of Microsoft BitLocker as well.

I've said it before and I'll continue saying it: I've sung the praises of BitLocker for years. I still use it on a few non-critical systems that aren't storing sensitive information just to create a hoop for someone to jump through if the systems are lost or stolen. The thing is, there's a tool that can supposedly negate BitLocker's encryption. It's called Passware Kit Forensic.

In one of my recent full disk encryption conversations, someone in a highly-visible healthcare organization told me that even though it's been proven that laptop loss and theft is a big problem for healthcare (backed up by this December 2011 bit from Dark Reading on Ponemon's new study: Healthcare Data in Critical Condition), that loss/theft/Passware Kit Forensic was not a risk to the business. Even when the law says it is. Amazing stuff.

You see I've sung the praises of Passware Kit Forensic to over 1,000 people during my speaking engagements this year alone. I've seen it in action and have had some colleagues who have used it recommend it to me. But I want to be able to demonstrate on my blog and to my audiences when I present how BitLocker can be compromised using Passware Kit Forensic. Although Passware has some screenshots on the process here, I need more.

Like other bloggers, trade rags and test labs, I'd like to get a (fully-functioning) demo/test/trial copy of the tool first so I can take it for a spin, validate which scenarios the tool can actually work and document my findings here on my blog, my articles and any forthcoming edition of Hacking For Dummies...especially given how pricey Passware Kit Forensic is ($995; it was $795 just recently so apparently there's a demand for it).

I truly believe this is a big deal and it'd be a win-win for us all. The problem is I can't seem to get anyone at Passware to get back with me. Numerous emails, a Web form submission and LinkedIn requests have fallen on deaf ears. Maybe Passware is no longer around?

For now, just know that the threat and subsequent business risk is likely there and maybe I'll have the opportunity to demonstrate it for you in the future.

Elcomsoft...help!
Posted in cool products, data breach laws, data breaches, hipaa, laptop encryption, mobile security, scary stuff, stupid security | No comments

Information security quote

Posted on 05:47 by Unknown
Don't expect short-term perfection in your security program. Instead, aim for incremental improvements over time. -KB
Posted in great quotes, information security quotes, kevin's quotes, thinking long term | No comments

Join me live online today with TechTarget & ISACA

Posted on 05:01 by Unknown
Today is our live virtual seminar Making the Case for the Cloud: The Next Steps. Join me, Urs Fischer, Dave Shackleford, Andrew Baer and Diana Kelley to hear about various aspects of cloud computing you may not have thought about.

Starting at 11:15am ET, I'll be presenting on Incident Response in Cloud Computing. I'll talk about common incident response weaknesses I see in my work, questions you must ask your cloud providers and how you can start developing your incident response plans with a proven incident response plan template.

It'll cost you nothing but an hour or so of your time and it'll be well worth it. You'll even have the opportunity to send me a curveball question at the end of my session. Won't you join us?
Posted in cloud computing, data breaches, hacking, incident response, Kevin's seminars, presentations, webcasts | No comments

Tuesday, 6 December 2011

School staff members and porn - Why you should care

Posted on 14:43 by Unknown
Here's an interesting read on government employees trying to make an extra buck by serving up pornography on their high school-issued computers. What a lovely story.

Don't think this kind of behavior is random. I've seen this very thing at the university level during a security assessment I did early on in my information security consulting venture.

You see, one thing I do during my internal security assessments is connect a network analyzer just inside the firewall for a few hours to look at general traffic patterns, protocols and the like. Interestingly, during this assessment I found a workstation that was the top talker on the network. No, it wasn't the email server, or the Web server or the high-traffic FTP server but, instead, a workstation.

After further review it was determined that a staff member was hosting porn on his computer...right on the school network. He was apparently doing pretty well as his workstation was sending and receiving literally 10 times the traffic of any other system on the network.

Folks, just because an employee passed a background check, had good references and seems to be a reasonable person doesn't mean s/he can be trusted to always do the right thing.

You've got to know your network...As I wrote about, a network analyzer is a cheap and easy way to get rolling to make sure your network - and your users - are kept in check.
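The top-talker check described in this post, sketched as an added example that is not from the original blog: it totals traffic per internal host from flow summaries and flags any host that is not an inventoried server yet moves more data than the busiest server. The flow records, addresses, internal network range and role inventory are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

MB = 1_000_000

# Assumption: the internal address range seen just inside the firewall.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumption: a simple asset inventory mapping internal hosts to roles.
ROLES = {
    "10.20.0.10": "mail-server",
    "10.20.0.20": "web-server",
    "10.20.0.30": "ftp-server",
    "10.20.1.11": "workstation",
    "10.20.1.12": "workstation",
    "10.20.1.57": "workstation",
}
SERVER_ROLES = {"mail-server", "web-server", "ftp-server"}

# Constructed sample: (source, destination, bytes) summaries such as a
# network analyzer would export after a few hours of capture.
FLOWS = [
    ("10.20.0.10", "198.51.100.7", 250 * MB),
    ("203.0.113.9", "10.20.0.10", 150 * MB),
    ("10.20.0.20", "203.0.113.44", 500 * MB),
    ("198.51.100.23", "10.20.0.20", 100 * MB),
    ("10.20.0.30", "203.0.113.80", 700 * MB),
    ("198.51.100.61", "10.20.0.30", 200 * MB),
    ("10.20.1.11", "10.20.0.10", 30 * MB),
    ("203.0.113.5", "10.20.1.11", 40 * MB),
    ("10.20.1.12", "10.20.0.20", 20 * MB),
    ("198.51.100.90", "10.20.1.12", 60 * MB),
    ("10.20.1.57", "203.0.113.200", 6000 * MB),
    ("198.51.100.150", "10.20.1.57", 3000 * MB),
]


def is_internal(address, network=INTERNAL_NET):
    """True when the address belongs to the monitored internal network."""
    return ipaddress.ip_address(address) in network


def top_talkers(flows, network=INTERNAL_NET):
    """Return [(host, total_bytes)] for internal hosts, busiest first.

    Bytes sent and received both count toward a host's total, so a machine
    serving content and one downloading heavily both stand out.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src, network):
            totals[src] += nbytes
        if is_internal(dst, network):
            totals[dst] += nbytes
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def unexpected_top_talkers(flows, roles, network=INTERNAL_NET):
    """Flag non-server hosts that out-talk the busiest inventoried server."""
    ranked = top_talkers(flows, network)
    server_totals = [t for host, t in ranked if roles.get(host) in SERVER_ROLES]
    if not server_totals:
        return []  # no server baseline to compare against
    busiest_server = max(server_totals)
    findings = []
    for host, total in ranked:
        role = roles.get(host, "unknown")  # hosts missing from inventory stay visible
        if role in SERVER_ROLES or total <= busiest_server:
            continue
        ratio = total / busiest_server if busiest_server else float("inf")
        findings.append({
            "host": host,
            "role": role,
            "total_bytes": total,
            "ratio_to_busiest_server": round(ratio, 1),
        })
    return findings


if __name__ == "__main__":
    for host, total in top_talkers(FLOWS):
        print(f"{host:<12} {ROLES.get(host, 'unknown'):<12} {total / MB:>8.0f} MB")
    for finding in unexpected_top_talkers(FLOWS, ROLES):
        print("REVIEW:", finding)
```

On the constructed data the workstation 10.20.1.57 ranks first at ten times the FTP server's volume, which is the kind of result that warrants a closer look at what that machine is doing.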
Posted in cool products, employee monitoring, incident response, network analysis, policy enforcement, stupid security | No comments

Monday, 5 December 2011

What happens when third-party patches are ignored

Posted on 04:58 by Unknown
The majority of people I speak with claim they have no means for patching third-party software. As Kelly Jackson Higgins mentions in her recent Dark Reading blog post regarding the rash of Java exploitations, when third-party software goes unmanaged, bad things can happen.

It's great that Metasploit has a module for Java exploitation - something that'll not only benefit me in my security assessments but will also help bring to light what can happen in any given enterprise. But you know as well as I do that criminal hackers will use it for ill-gotten gains.

In my work, I certainly don't see what HD Moore was quoted as saying in the Dark Reading piece regarding most enterprises not allowing admin privileges on desktops. Between my clients and the people at my speaking engagements, maybe 5-10% of businesses have their desktops truly locked down. I will agree with the reality that Java is pervasive across any given business. In fact, I had to install Java on a system yesterday and believe the following screenshots underscore the issue:

Given such proclamations, where do you think the bad guys are going to focus their efforts?

Another funny thing about Java is what Microsoft recently documented in its 2011 Security Intelligence Report. Microsoft found that Java exploits make up to 50% of all exploits. Wow. Another side note from this report that I found interesting is that 0.1% of attacks are related to the sky is falling zero-day exploits that so many people (especially vendors) are claiming to be a huge problem.

Bottom line: as I talked about in this piece - unless and until you get your arms around third-party patches, you're going to continue to be vulnerable, especially given how simple Metasploit is to use.
Posted in exploits, hacking, java, malware, metasploit, patch management, rogue insiders, stupid security, windows security | No comments

Thursday, 1 December 2011

You're in charge of your own crisis

Posted on 07:08 by Unknown
Whether or not you - or your management - believes you'll suffer a security incident it certainly pays to be prepared. Odds are that something is going to occur.

Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media or are they prepared to answer questions in a mature and professional manner?

PR pros will tell you that you'd better be prepared. As Bolling Spalding - a PR expert here in Atlanta - said in this Atlanta Business Chronicle piece:

"Address the situation openly by saying, 'We don't have all the facts yet, but will tell you what we know now and we'll continue to report back as the facts come in.'...If you don't tell the story, someone else will tell it for you, and it might be someone with an ax to grind."

There's too much to lose folks. Do something now so you'll have a plan when the time comes.

If you're interested, here are some tips I've written about information security-related incidents and how to shore up what could be one of your business's greatest weaknesses.
Posted in data breaches, incident response, security management | No comments