As a computer security professional, I have to admit that physical security is not always my first concern, but it is something I’m aware of. At one of my first network administration jobs, getting the network and telephony areas secure was probably the single biggest contribution I made for the company. Well, that and getting the servers into a location that didn’t consistently have a temperature in the triple digits.
The reality of network security is that physically securing equipment should be the very first thing considered. All the wonderful authentication tools in the world can become useless once someone with malicious intent has direct access to your servers. Once someone has their hands on your machine it is hard to keep them from compromising it. Really hard, if they’re any good.
Time for my second discussion of the three P’s of security: People, policies and procedures. Last week I wrote about the importance of having the right people behind you (mainly the C-level management). Today I want to talk about policies. Yesterday I was reading an article in Information Security about … well information security, and guess what the very first item on their top 10 list was. You guessed it, policies. Number 2 was physical security, which is a topic I’ll save for another time (I had an interesting time getting into the office this morning, having forgotten my badge at home).
Corporate policies should be a series of high-level documents that spell out in very general terms what is and is not allowed in the enterprise, what is expected of users and systems, and the consequences for not following the policies. What the policies should not do is specify which particular technology should be used to meet the guidelines, name specific people who are responsible, or be so restrictive as to be unenforceable. Policies are meant to be general documents that set up the guidelines for your business to do business. They should be specific enough to address security issues, but not so restrictive that they have to be re-written every couple of months. That’s what procedures are for.
Microsoft can! They released seven patches yesterday, 5 for ‘Critical’ vulnerabilities, 2 for ‘Important’ vulnerabilities. Wow, that may be a record, even for them. How many of these vulnerabilities already have exploits existing in the wild? And they haven’t even addressed the assertion that came out earlier this week that systems patched against the RPC/DCOM vulnerability may still be attackable.
If you work in IT, I hope you have the time to test all of these patches before pushing them out. These are ‘remote code execution’ vulnerabilities, so if the hacker can exploit them, your box is ‘0wn3d’. And if you don’t work in IT, you’d better update the patches on your box and hope for the best.
Here are links to the Microsoft website for each of the vulnerabilities. Good luck.
MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
MS03-042 : Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
MS03-046 : Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (822363)
MS03-047 : Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
What a week it’s been!
I have spent most of my time at work battling a worm infestation, discussing corporate policies (or the lack thereof), and arguing with the WAN team over the proper way to deal with a worm. But now things are under control and I can back off and deal with these in a much calmer and more methodical manner. After all, you know I’d never get worked up and threaten people who can’t figure out how to clean up a simple worm. After I’d forwarded them simple instructions. Nope, that would never happen.
I can’t get into details, because I want to have a job come Monday, but here is the gist of it: A laptop user, who logged into the network for the first time in several weeks, was infected with a worm. While this is not an uncommon experience, what was different about this incident was that the worm managed to find a number of other unpatched systems on the network before we could shut it down. While we hunted for the newly infected systems, they managed to find other systems that weren’t protected. In short, thanks to the worm, we discovered that there is a whole class of systems on our network that are not part of the standard update and antivirus policy – the rogue servers! For now, I think we’re winning the war, but I know that this was just one battle, and there is much worse to come. Microsoft just released MS03-040, a patch for a vulnerability in Internet Explorer which may have been under attack for months without anyone realizing it.
Continue on if you want to read my first rant about the three P’s of network security: People, Policies and Procedures. Today, I will concentrate on People.