For a long time, various well known companies have been the target of hackers. This has resulted in huge data losses for the company as well as the client's that are associated with the company. Many companies have faced several financial charges by the government or by business partners to satisfy penalty fees.
Network Solutions, which specializes in the domain name registration industry, has recently reported an incident of a breach of data. The breach occurred during March 12 to June 8 2009 and was detected in a check carried out by the company. Though this breach was detected in June, the company took around a month's time to decipher the code that was used in hacking the domain. By that time the hackers had hacked their e-commerce services and had already diverted the transaction details of more than 500,000 registered companies. This shows that industries are still lacking in security measures to prevent the loss of important data.
Network Solutions company issued a statement saying that till now no incidence reporting misuse of information has been reported by any merchant company. The company is now enlisting all those merchant clients' who had made any transaction in between that period. These clients will in turn notify their customers who will then inform their banks to block the credit cards to avoid any misuse.
Network Solutions has offered to bear all the expenses that the customers have suffered. But isn't it more correct to take a few precautionary measures beforehand than facing such incidents? Data loss prevention and a network security assessment are the best tools available for the security assessment of any website and it also helps in avoiding such incidents.
There have been many such companies reporting breaches in the past that have resulted in the bad reputation of those companies. Heartland Payment Systems and RBS WorldPay are a few examples of such breaches. Both these companies had been removed from the Payment Card Industry Data Security Standard (PCI Audit) services' list. The loss of clients and market value was an additional issue.
These incidents indicate that various other similar companies are exposed to such risks. But if they take certain measures to keep their network system in check, they can surely avoid experiencing these kinds of losses. This also ensures the goodwill of the company in the market thereby attracting more clients.
An expert with knowledge of Information Security Risk Assessment has written this article.
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Sunday, July 26, 2009
Tuesday, July 21, 2009
Web Security Testing has come of age
Website security is the one of the most dangerous places for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server based technologies. Next we have the network security layers, network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured, the network protection place, what is left is the only wany an attacker can possible get into a secure environment.
The website is the open frontdor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?
So on Linkedin, I asked the quesion of what are the Web security tools that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.
1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) Scarab http://www.owasp.org
7) WebInspect http://www.hp.com
Fiddler - http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT - http://www.security-database.com
11) W3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) Appscan http://www-01.ibm.com/software/awdtools/appscan/
Having listed these and of course there a re a number of other tools. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, i am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.
The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
The website is the open frontdor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?
So on Linkedin, I asked the quesion of what are the Web security tools that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.
1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) Scarab http://www.owasp.org
7) WebInspect http://www.hp.com
Fiddler - http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT - http://www.security-database.com
11) W3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) Appscan http://www-01.ibm.com/software/awdtools/appscan/
Having listed these and of course there a re a number of other tools. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, i am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.
The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Monday, July 20, 2009
HIPAA Assessments are the next wave
In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.
The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.
There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.
For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.
Regards
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
ta8vuc4i3r
The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.
There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.
For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.
Regards
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
ta8vuc4i3r
Data Breaches are misunderstood
The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.
The study also found that 33 percent of C-level executives replied that attacks happened "hourly or more often," while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, its the CEO who has to appear on television to explain what happened and answer to their customers.
How do you apply metrics to report appropriately to the CEO? That magic "Dashboard" is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.
The category of technology CEO's need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.
Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.
Gary Bahadur
CEO KRAA Security, baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
The study also found that 33 percent of C-level executives replied that attacks happened "hourly or more often," while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, its the CEO who has to appear on television to explain what happened and answer to their customers.
How do you apply metrics to report appropriately to the CEO? That magic "Dashboard" is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.
The category of technology CEO's need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.
Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.
Gary Bahadur
CEO KRAA Security, baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Monday, June 22, 2009
Wireless Risk Assessment needed Keep Problems at Bay
Every organization works towards making itself more secure and protected. Its main aim is to protect the data relating to both the organization as well as it’s valued customers. With so many security breaches happening in companies these days, it has become essential to save a company's sensitive information from being stolen or hacked. The article talks about importance of wireless risk assessment to avoid a serious security threat in a company.
Wireless security has become a major challenge for the companies as wireless become pervasive. Companies do install security systems but they forget that it needs to be checked both internally and externally on a daily basis. They need to understand the importance of wireless security system to secure the channels through which they share and transfer their data. Otherwise, it would be tough to control, monitor and verify the network sources of wireless data.
To help these organizations carry out their task efficiently and effectively, there are many tools and services available. Wireless Application security risk assessment is the a service that offers complete security. It thoroughly checks the data you use and transfer, checks the various policies and procedures of your company, keeps conducting routine checks for data analysis and offers guidance for safeguarding these kinds of activities against future problems.
You can maintain the information of your organization by using this risk assessment process. It conducts both internal and external tests. . It also offers a complete report of the results found and offers solutions to solve the problems. These services can be affordable in a typical environment.
This security assessment process is also available for various mobile phones as they are also becoming the targets of attack Typical safety measures that you can install for safeguarding your information include installing firewall protection, intrusion detection, and host monitoring.
Things will be alright if you take a few steps to avoid problems beforehand. By installing these security processes and tools in the network, you can easily ensure the long-term safety and security of the organization. After all, this is ultimately going to benefit your company and customers. Maintaining wireless security in both the network system and mobile phones has become necessary as they hold valuable information.
An expert of network security assessment , of KRAA Security a leading application security risk assessment company, has written this article.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Saturday, June 6, 2009
Vanguard Security Conference - Supplier Security
I spoke at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.
The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.
My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.
The Problem:
-No framework for managing vendor risk
-Inconsistent processes for tracking vendors
-Lack of enforcement capabilitiesThe Problem:
The Opportunity:
-Provide practical steps to manage vendor access/management
-Provide cost effective solution for risk mitigation
-Provide numerical risk analysis of vendor/partner security issues
-Risk reduction or risk acceptance
-Documented exposure
-Iterative process for risk management
-Happy CIO
So a Supplier Security assessment follow 4 main steps:
1 Analyze current vendor database, catageorize each determine risk of each supplier,
2 Determine threats posed by each supplier
3 Perform assessment tests of each supplier, their processes of interaction, and data access
4 Develop risk mitigation plan, update processed, monitoring processes
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Friday, May 29, 2009
US to set out cyber security plan -Baha to the rescue
Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate "Hacking Lab" in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.
So what can we expect from the Czar?
The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.
Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is "untenable".
Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.
Good plan right?
My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.
We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUSt have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.
Baha - new Cybersecurity Czar
baha@kraasecurity.com
www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.
In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House.
Both US government and military bodies have reported repeated interference from hackers in recent years.
In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said.
Mr Obama will not discuss the Pentagon plan during Friday's announcement, the newspaper said.
But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.
'Serious threats'
The 60-day review was carried out by Melissa Hathaway, who has been serving as interim White House cyber security adviser.
The new office is expected to co-ordinate a multi-billion dollar effort designed to restrict access to government computers and to protect systems - such as those that run the stock exchange and air traffic control - that keep the country going, reports BBC defence and security correspondent Rob Watson.
So what can we expect from the Czar?
The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.
Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is "untenable".
Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.
Good plan right?
My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.
We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUSt have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.
Baha - new Cybersecurity Czar
baha@kraasecurity.com
www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.
In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House.
Both US government and military bodies have reported repeated interference from hackers in recent years.
In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said.
Mr Obama will not discuss the Pentagon plan during Friday's announcement, the newspaper said.
But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.
'Serious threats'
The 60-day review was carried out by Melissa Hathaway, who has been serving as interim White House cyber security adviser.
The new office is expected to co-ordinate a multi-billion dollar effort designed to restrict access to government computers and to protect systems - such as those that run the stock exchange and air traffic control - that keep the country going, reports BBC defence and security correspondent Rob Watson.
Subscribe to:
Posts (Atom)
