There has to be a better way

IT Security Insider

Subscribe to IT Security Insider: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get IT Security Insider: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task. A very nice feature in Metasploit is the ability to pivot through a Meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a Meterpreter session on a foreign box. We begin right after a client side exploit has been achieved from an attacker machine running Ubuntu Linux to the victim machine running Windows XP. 1. Introduction The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penet... (more)

Taking a Holistic Approach to IT Security

Welcome to the latest edition of the HP Discover Performance Podcast Series. Our next discussion examines how regional healthcare services provider Lake Health in Ohio has matured from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers. We learn how Lake Health's Information Security Officer has been expanding the breadth and depth of risk management there to a more holistic level -- and we're even going to discuss how they've gone about deciding which risk and compliance services to seek from outside providers, and which to retain and keep on-premises. Here to explore these and other security-related enterprise IT issues, we're joined by our co-hosts for this sponsored podcast, Chief Software Evangelist at HP, Paul Muller, and Raf Los, Chief Security Evangelist at HP. And we also we... (more)

The New Standard: Intelligence-Driven Security

In a recent blog post, Art Coviello, the executive chairman at RSA, posed an important question. How do we move from traditional security to intelligence-driven security? In his answer he described that the quickly interdependent exchanges between parties (B2C, B2B, B2P, etc) have grown beyond the traditional means of securing the enterprise: “IT organizations have continued to construct security infrastructures around a disintegrating perimeter of increasingly ineffective controls.” He described a new-model of cyber-security that includes five concepts: A thorough understanding of risk The use of agile controls based on pattern recognition and predictive analytics The use of big data analytics to give context to vast streams of data to produce timely, actionable information Personnel with the right skill set to operate the systems Information sharing at scale I hav... (more)

Canadian Outfit Releases Encrypted Portable Private Web Browser

Vancouver-based ENC Security Systems, which is supposed to make "un-hackable" Encrypt Stick flash drive software, has released an Encrypt Stick 5.0 Private Browser, a digital privacy browser that it claims is the safest way to browse the Internet. Its timing couldn't be better considering the Federal Trade Commission is now backing the development of a Do-Not-Track system for web that's got the online ad people worried about their $23 billion sector and claiming it will mean the end of free content and Firefox revisiting a Do-Not-Track mechanism after Mozilla, pressured by an ad exec, killed such a tool a few months ago for fear Madison Avenue would come up with something sneakier, the Wall Street Journal says. Anyway, the Encrypt Stick Private Browser runs from the user's flash drive and applies polymorphic encryption, which creates unique encryption algorithms ... (more)

Preventive Security Through Behavior Modification - Part 2

Last week, we saw that Defensive Security is not enough to solve the $1 trillion Intellectual Property and IT theft and cybercrime problem. This week, more about Preventive Security. Preventive Security is a set of technologies and processes used to prevent security incidents from even being attempted. These include awareness and training programs, establishment of proper policies and procedures and the use of technology solutions in support of existing laws. In fact, this is not very different from "regular" crime and how we deal with it. We arm ourselves with the means to catch the bad guys, we severely punish crimes and we let people know that crime is bad, that jail is also bad and that if they try and commit the crime they will be caught. This prevents most people from getting into trouble. So how severe are punishments for IT crimes? In a case tried in March o... (more)

Security Awareness Training: The Single Most Important Cost in IT Security

Ok, ok, I know the title is a tad dramatic but hear me out on this one. A well-known computer security professional and former NSA research scientist wrote an editorial back in July 2012 stating, "Money spent on security awareness training, is money wasted." Dave Aitel , a respected individual in the world of Computer Security and current CTO of Immunity, made this statement in light of the fact that several high profile intrusions had occurred at the hands of employees who were targeted in spearphishing attacks, some of which lacking in sophistication. I disagree with the above written statement by Mr. Aitel, I do however find the recommendations he has listed in his article to be spot on, and practical when incorporated with an educated user base. But honestly, plunging your head into the sand does not make the problem go away. In fact, you are making a problem w... (more)

Victim-nomics: Estimating the “Costs” of Compromise

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address. Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective.  Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim.  Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents.  Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders.  So, ultimately, this shortcoming often over... (more)

Time to Ditch Cryptographic Keys?

What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered ‘cryptographic keys' without blinking. But recent headline events - and a ‘biggie' last year - have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data. Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking keys for signing apps on the Apple store; and stolen keys from Bit9 being used to sign malware. In the McAfee case, a McAfee administrator revoked (by mistake) the digital key for certifying desktop apps that run on Apple's OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products. The original Arstechnica article (McAfee revoking keys) noted that the administrator intended ... (more)

Network-Based Attacks: How Much Can They Cost You?

Every business acknowledges that network security is critical. But how do you quantify the business value that a secure network provides? And how does an enterprise evaluate and justify investing in network security products like next-generation firewalls, intrusion prevention systems and unified threat management appliances? While there is no exact formula or "cost of attacks" calculator, there are some useful guidelines and research studies that can provide techniques and resources for IT managers to develop their own cost model. There are three core areas that are important for assessing the impact of network-based attacks and the "prevention value" of next-generation firewall technologies: Defining the different types of network-based attacks Understanding how those attacks can affect your bottom line Methods of quantifying the impact of those attacks Types of ... (more)

Best Practices to Ensure Security in the Private Cloud

As regulatory oversight across the financial landscape continues to drive greater transparency and stricter penalties, outsourcing to the private cloud has become an integral resource for hedge fund and private equity managers. Cloud infrastructure services are now synonymous with increased efficiency, decreased costs and added security. However, security in particular remains a key concern for many financial services firms. The costs a cloud services provider can incur in dealing with a security breach, both financially and to its reputation, can be devastating. Infrastructure providers, particularly those catering to financial services firms such as hedge funds, must have strict policies in place and employ best practices to ensure that their clients receive the same level of security as they would achieve with an on-site network. While most participants in the f... (more)

Layered Security Is Key to Avoiding Heartbleed

While organizations spend the next few days and weeks patching OpenSSL vulnerabilities, the realization is setting in that we may never know the full extent of the damage caused by Heartbleed. Although Heartbleed was only announced in early April, it has actually been present in OpenSSL versions dating back to March 2012. This means hackers have had ample time to steal certificates and other sensitive information. Making matters worse, it's nearly impossible for companies to know whether their web communications have indeed been compromised. What exactly is being exposed? When exploited by a hack, Heartbeat (the name of the transport layer security extension where the bug was found) dumps whatever data might reside in the memory of client/server communications in small 64k chunks. Normally this traffic is encrypted, but the bug actually compromises the secret keys, ... (more)