Security Resources for Small Business

Microsoft has recently partnered up with the US Chamber of Commerce to publish some great security materials for small business.

From their website:

We know how much security and dependability mean to you in today's business computing environment. And we want to help. That's why we have partnered with Microsoft to bring you free technology resources to get tips, tricks, and how-to information you can use right away to help protect your computers and your business. Learn how to best:

• Protect your network against the most common threats
  
• Guard valuable business information
  
• Thwart viruses and hackers
  
• Plus pointers to additional security resources

You will find an excellent Security Guide for Small Business that helps explain why security is important to your business and outlines steps to better security. They have even published a great Interactive Security Video that allows you to hear expert tips, take a quiz, and build a security plan.

There is a wealth of knowledge in their Security Portal for Small Business. Make sure you take some time and check it out!

Presenting the 8 Rules of Information Security

For anyone in the western Washington region, If you are interested in listening to me talk about the 8 Rules of Information Security, and how to use some of the more common open source infosec tools to assist in the deployment of technical safeguards to meet the needs in your security management lifecycle, come see me at Linuxfest NorthWest 2005.

The conference is being held at the Bellingham Technical College on April 30th from 10am to 4pm. I am told I am presenting at 10am in room R12 if you are interested in dropping by.

Hope to see some of you there!

Get ready for the next wave of malware

Yesterday when Microsoft released MS05-20 which addresses an IE DHTML object memory corruption vulnerability (CAN-2005-0553) I groaned at the thought of the attack vector that this will provide. Only a few hours later, there was already a proof-of-concept exploit released which is now floating around in the public. It should only be a few days now before we start to see that code turned into something more hostile and malicious.

Result? Get that patching done NOW!

Now, if you are still not heeding my call to run as a non-admin, perhaps this snippet from the advisory will put you in a better frame of mind in WHY its so important to reduce your own privileges:

If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

(Boldness added for dramatic effect)

Get the point? Good. So start running as a "Normal Computer User" today.

19 Deadly Sins of Software Security

I tripped over this while reading Sergey's blog today.

It seems that Michael Howard, David LeBlanc, and John Viega have gotten together to outline the "19 Deadly Sins of Software Security" in a new book of the same name to be released at the end of July.

This essential book for all software developers--regardless of platform, language, or type of application--outlines the "19 deadly sins" of software security and shows how to fix each one.

Coverage includes:

• Windows, UNIX, Linux, and Mac OS X
  
• C, C++, C#, Java, PHP, Perl, and Visual Basic
  
• Web, small client, and smart-client applications

Sounds like a great book. And knowing I like the writing style of all these guys, I can't wait to get my hands on it.

Open Source Vulnerability Database becomes a Non-Profit Organization

About a year ago I talked about how the Open Source Vulnerability Database (OSVDB) Goes Live. OSVDB is an independent and open source database created by and for the community. Their goal is to provide accurate, detailed, current, and unbiased technical information about vulnerabilities. Tools like snort and nessus are now incorporating the database directly into their products.

Well, they reached a new milestone yesterday. I was just sent this last night by Jake Kouns, who runs the project:

OSVDB Recognized as 501(c)3 Non-Profit Organization

The Open Source Vulnerability Database, a project to catalog and describe the world's security vulnerabilities, has continued to focus on improving database content and increasing services offered to the security community.

Since the official launch of OSVDB in March 2004, the vulnerability database has grown from 1000 to over 6700 complete entries. This rapid growth has far surpassed initial estimates, and the project’s many successes show that the open source community can truly deliver world-class security information.

OSVDB’s rapid success is directly attributed to the dedicated volunteers who help populate, maintain and enhance the database. Their hard work has already allowed OSVDB to exceed the amount of vulnerability information available in some databases. At the current rate of growth, the project is poised to surpass the other vulnerability databases by the end of 2005. “It will soon become mandatory for security professionals to use OSVDB if they want the most thorough information available,” says Brian Martin, one of the project leaders.

The OSVDB leadership team has been aggressively working to ensure the long term viability of the project. After improving content to be recognized as an industry leader, the team determined that incorporating as a non-profit organization was imperative to OSVDB’s future success. Founded to formally run the OSVDB project, the Open Security Foundation has been approved as a 501(c)3 non-profit organization under United States law. Jake Kouns, OSVDB project lead, says, “Achieving our non-profit status will allow us to seek funding and ensure free vulnerability information will be available for years to come.”

Two of the OSVDB project leaders, Brian Martin and Jake Kouns, will be presenting a talk called “Vulnerability Databases: Everything is Vulnerable” at cansecwest/core05 (http://www.cansecwest.com/) in May 2005. The presentation aims to provide an unbiased review of vulnerability databases, and addresses the value they should provide to security practitioners.

###

More Information:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns@osvdb.org

Congrats guys.

Ten Tips for Corporations to Protect Customer Information from Identity Theft

Cyberguard sent out an interesting press release today that provides "Ten Tips for Corporations to Protect Customer Information from Identity Theft".

The list is pretty self explainatory:

1. Unless there is a specific reason that personal information is being stored, get rid of it. If information needs to be there, set a timetable for its length of stay and when it can be disposed of.
   
2. Make sure that the server holding personal information is isolated to its own network with limited access. The network should be secured/protected by a strong firewall that protects from attacks at the network, protocol and most importantly the application layer.
   
3. The server that contains the personal information should NOT allow direct connectivity to any user on the public Internet.
   
4. The isolation of the database server should provide protection not only from the Internet but from other Internet facing servers as well as the internal network.
   
5. Under no circumstance should the database server be permitted to initiate connections to the Internet.
   
6. The controls afforded by the application layer defenses must include the ability to control not only what the database can query, but the explicit commands that can be run, as well as the number of responses per query.
   
7. Both the security mechanisms and the database server should be operated on kernel hardened operating systems to mitigate the risk of operating system bugs or vulnerabilities.
   
8. Strict controls of who can access the server should be in place, be enforced, and reviewed to validate the need for access rights.
   
9. A multi-defense is your best defense; take full advantage of both security mechanisms available within the database application and strong encryption as well as security mechanisms of the application level firewall.
   
10. All communication of personal data sent to/from the database across public and private networks should be permitted over encrypted channels (HTTPS / SSL SSH).

Application Insecurity --- Who is at Fault?

Melisa Bleasdale has written an article on the insecurities of applications, asking who is at fault.

We've thrown millions of dollars at the corporate network in the name of security. We've implemented firewalls and gateways and access control. We've installed IDS, IPS, tokens and biometrics. But despite our best efforts, we're still under attack. Though it's really not surprising, we've overlooked the obvious.

The obvious that she refers to? Applications on the host. Included in the article are different view points on who should be responsible, and what should ultimately happen.

I think this is a debate that will go on for years yet. Secure software engineering as a discipline is still in its infancy, and very few software firms are using it as part of their software development lifecycle. It will take time before vendors would adopt such things... unless the consumer DEMANDS it. Sort of like what they did to Microsoft.

Time will tell. I do hope if you are a reader here and are part of an ISV, that you are applying secure software engineering best practices in your software development lifecycle. If you don't, spend some time going through many of my posts in the last 2 years. You will start to see why its important.

7 Myths about Network Security

So this evening I was doing the dew and catching up on some reading when I came across an interesting article on Security Pipeline about the "7 Myths of Network Security". It is well worth the read. In summary, the article breaks down the 7 Myths as:

1. Myth: Encryption guarantees protection
   
2. Myth: Firewalls will make you bulletproof
   
3. Myth: Hackers ignore old software
   
4. Myth: Macs Are safe
   
5. Myth: Security tools and software patches make everybody safer
   
6. Myth: As long as your corporate network is unbreached, hackers can't hurt you
   
7. Myth: If you work for a security enterprise, your data is safe.

So, as you can imagine, the article discusses how the opposite of the myths are true. Notice #4? I talked about that a bit last week. These are good points that I see on a regular basis. Please spread the word to others, and bust these myths.

Happy reading.