Friday, August 25, 2006

Why You Should Perform Regular Security Audits

This was a really nice article I found today out of Australia. Great points on why Security Audits are important:

Jonathan Yarden, TechRepublic - August 25, 2006

In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers—and not just the IT department's problem.

Unfortunately, it's the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don't make it a habit of performing regular security audits, if they perform them at all.

In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we're all familiar with that old saying about making assumptions.

But I don't entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations.

Several dozen popular commercial network and computer security auditing programs are currently available. While I've used several myself, I've honestly found no favorites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job.

Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and "listening" on the host, and it might even determine the versions of the software supplying an Internet service.

In most cases, the process involves at least two automated scans—one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn't include both an interior and exterior scan, then you're not getting a complete picture of what hosts are on your organisation's network.

In addition, I also recommend that companies perform their own auditing whenever possible. If not, it's vital that you select an Internet security vendor you don't currently do business with.

Security audits produce a huge amount of data, and you need to be prepared to review this information in order to truly benefit from the audit. It's also important to understand that a computer security audit may report potential problems where no real issue exists.

For example, an isolated switch from 1998 in an internal network could quite possibly be running firmware that's vulnerable to a denial-of-service flood. Should you replace it? Probably not. Nor should you be too concerned about the ancient Windows NT 4 system running outdated voice mail software that's subject to an obscure TCP sequence number exploit. It's not running anything other than a specialised application for voice mail services, and it's behind the firewall.

But some issues should concern you. For example, it's a good idea to disable guest accounts on dedicated Windows servers. Don't run IIS on Windows domain controllers, and DNS servers should not be running services other than DNS either.

However, a security audit may not always identify these issues, and one could debate whether it's actually a security problem. When there's doubt, disable unused services, or determine a secure solution.

The major problems with security audits are that they typically produce either too much data or not enough. A dearth or an excess of data can lead to misinterpretation and even exploitation of the information. Fear remains a very effective way to sell unnecessary equipment and services to companies that don't truly understand security.

For example, one company's recent Internet security audit completely ignored the security issue of direct VPN connections to the internal network and a dial pool, both of which completely bypassed the firewall. Coincidentally, while the same vendor that performed the audit was busy replacing functioning internal network equipment due to "vulnerable" firmware, one of the many recent Sober flavors was busy spreading internally, sourced from a remote office connected via a VPN.

Knowing what is and what isn't a significant issue goes to the very core of understanding Internet and information security. While assumptions can be correct, in many cases, they're dead wrong. Perform regular security audits on your organisation's network to be sure. And if you're not using a particular TCP or UDP service, shut it off.
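The inventory step Yarden describes (connect to TCP services, record what answers, then decide what should not be listening) as an added example; it is not code from the article or from this blog. It assumes a constructed baseline of expected ports and starts a throwaway local listener so that it runs offline against a known host.

```python
import socket
import threading
from contextlib import closing

# Constructed baseline for this example: the TCP ports this host is expected
# to serve. Anything else that answers is a candidate for "shut it off".
EXPECTED_PORTS = {22, 443}

def scan_host(host, ports, timeout=0.3):
    """Return {port: banner} for each port on host that accepts a TCP connect.
    The banner is whatever the service sends first (up to 128 bytes), or ""
    if it stays silent; version identification would parse these further."""
    listening = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue  # closed or filtered: nothing listening here
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:  # socket.timeout is an OSError: silent service
                banner = ""
            listening[port] = banner
    return listening

def unexpected_services(listening, expected=EXPECTED_PORTS):
    """Ports that answered but are not in the baseline: the audit review list."""
    return {p: b for p, b in listening.items() if p not in expected}

def start_fake_service(banner):
    """Throwaway local listener (constructed sample input); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_service(b"220 legacy-voicemail FTP ready\r\n")
    found = scan_host("127.0.0.1", [port])
    for p, b in unexpected_services(found).items():
        print(f"port {p} is listening but not in baseline: {b!r}")
```

Run it twice, once from inside the firewall and once from the Internet-facing subnet, and the difference between the two result sets is exactly the "interior versus exterior" picture the article says a complete audit needs.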


Thursday, August 24, 2006

Update for MS06-042 released late.

Microsoft released the patch for MS06-042 one day late due to technical problems.

I'm not sure I would put this patch into production as there were issues with the patch.

Meanwhile, my recommendation is to implement Microsoft’s “workaround”.
1. Start Internet Explorer 6.
2. On the Tools menu, click Internet Options, and then click the Advanced tab.
3. In the Settings box, click to clear the Use HTTP 1.1 check box under HTTP 1.1 settings, and then click OK.


Internal Network Security Trends

This was an interesting article I came across today. I feel like I have been yelling about "aggressive patch management" and stricter access control for mobile employees for 5 years now. Enjoy:

Don’t Forget About Network Security Inside Your Perimeter

High-profile network security breaches have been headline news these last few months, and the face of network crime is becoming more ominous with the mass theft of sensitive personnel information. The boundaries of the network are also changing. According to Forrester Research, “Remote Access and Business Partner connectivity means the [network] perimeter is disappearing.”

Michael Rothschild, director of marketing for CounterStorm, developer of the CounterStorm-1 internal network security solution, sees hacking shifting in the past 48 months from the simple defacing of Web sites to the theft of corporate data. He also sees the perpetrators of such cyber attacks shifting from career hackers to organized crime.

Turning Your Security Focus Inside Your Network Perimeter

So many organizations focus their network security on perimeter defenses such as firewalls and intrusion detection, but they also need to focus inside their network perimeter.

CounterStorm’s Rothschild says that beyond the basic security measures of deploying firewalls and antivirus software is the need to establish aggressive patching strategies for both server and client PCs.

Rothschild also emphasizes being diligent about establishing and enforcing internal IT policies for network access. He says, “Mobile workers, road warriors, and home office workers need policies to govern how they access your corporate network.”

Steve O’Brian, vice president of product management and marketing for Granite Edge Networks, developers of the Granite Edge ESP appliance-based internal network security solution, says, “Small to midsized enterprises have to support and manage many of the same business processes and IT needs as large enterprises but struggle with efficiencies due to limited staff and budget. In order for IT to overcome these efficiency battles and become enablers for enhancing business performance and overall competitive advantage, data center/IT managers need to focus on deploying low-support solutions that improve core business operations.”

Get the full article here:


Monday, August 21, 2006

FFIEC Releases FAQ on Authentication in an Internet Banking Environment

The Federal Financial Institutions Examination Council (FFIEC) member agencies released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.

The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.

Get the FAQ here.


Sunday, August 20, 2006

Biometrics History -- Looking at Biometric Technologies from Past to Present

By Alice Osborn

The ancient Egyptians and the Chinese played a large role in biometrics' history. Although biometric technology seems to belong in the twenty-first century, the history of biometrics goes back thousands of years. Today, the focus is on using biometric face recognition and identifying characteristics to stop terrorism and improve security measures. Once an individual is matched against a template, or sample, in the database, a security alert goes out to the authorities. A person's space between the eyes, ears and nose provides most of the identifying data.

The ACLU and other civil liberties groups are against the widespread use of these biometric technologies, although they acknowledge the necessity of their presence in airports and after the London bombings. Biometric technologies also need to achieve greater standardization and technological innovations to be recognized as a trustworthy identity authentication solution.

A timeline of biometric technology

• European explorer Joao de Barros recorded the first known example of fingerprinting, which is a form of biometrics, in China during the 14th century. Chinese merchants used ink to take children's fingerprints for identification purposes.

• In 1890, Alphonse Bertillon, a Parisian police desk studied body mechanics and measurements to help identify criminals. The police used his method, the Bertillonage method, until it falsely identified some subjects. The Bertillonage method was quickly abandoned in favor of fingerprinting, brought back into use by Richard Edward Henry of Scotland Yard.

• Karl Pearson, an applied mathematician, studied biometric research early in the 20th century at University College of London. He made important discoveries in the field of biometrics through studying statistical history and correlation, which he applied to animal evolution. His historical work included the method of moments, the Pearson system of curves, correlation and the chi-squared test.

• In the 1960s and '70s, signature biometric authentication procedures were developed, but the biometric field remained fixed until the military and security agencies researched and developed biometric technology beyond fingerprinting.

• 2001 Super Bowl in Tampa, Florida -- each facial image of the 100,000 fans passing through the stadium was recorded via video security cameras and checked electronically against mug shots from the Tampa police. No felons were identified and the video surveillance led many civil liberties advocates to denounce biometric identifying technologies.

• Post 9/11 -- after the attacks, authorities installed biometric technologies in airports to ID suspected terrorists, but some airports, like Palm Beach International, never reached full installation status due to the costs of the surveillance system.

• July 7th, 2005 London, England -- British law enforcement is using biometric face recognition technologies and 360-degree "fish-eye" video cameras to ID terrorists after four bombings on subways and on a double-decker bus. In fact, London has over 200,000 security cameras and surveillance cameras that have been in use since the 1960s.

Today and looking forward

Biometrics is a growing and controversial field in which civil liberties groups express concern over privacy and identity issues. Today, biometric laws and regulations are in process and biometric industry standards are being tested. Face recognition biometrics has not reached the prevalent level of fingerprinting, but with constant technological pushes and with the threat of terrorism, researchers and biometric developers will hone this security technology for the twenty-first century.

Copyright © 2005 Evaluseek Publishing.

About the Author

Alice Osborn is a successful freelance writer providing practical information and advice about everything related to CCTV surveillance systems and related topics. Her numerous articles include tips for saving both time and money when shopping for video security products; equipment reviews and reports; and other valuable insights. Increase your knowledge about CCTV equipment and security cameras when you visit today!
