April 25, 2005
Security Resources for Small Business
Microsoft has recently partnered up with the US Chamber of Commerce to publish some great security materials for small business.
From their website:
We know how much security and dependability mean to you in today's business computing environment. And we want to help. That's why we have partnered with Microsoft to bring you free technology resources to get tips, tricks, and how-to information you can use right away to help protect your computers and your business. Learn how to best:
You will find an excellent Security Guide for Small Business that helps explain why security is important to your business and outlines steps to better security. They have even published a great Interactive Security Video that allows you to hear expert tips, take a quiz, and build a security plan.
There is a wealth of knowledge in their Security Portal for Small Business. Make sure you take some time and check it out!
April 18, 2005
Presenting the 8 Rules of Information Security
For anyone in the western Washington region, If you are interested in listening to me talk about the 8 Rules of Information Security, and how to use some of the more common open source infosec tools to assist in the deployment of technical safeguards to meet the needs in your security management lifecycle, come see me at Linuxfest NorthWest 2005.
The conference is being held at the Bellingham Technical College on April 30th from 10am to 4pm. I am told I am presenting at 10am in room R12 if you are interested in dropping by.
Hope to see some of you there!
April 13, 2005
Get ready for the next wave of malware
Yesterday when Microsoft released MS05-20 which addresses an IE DHTML object memory corruption vulnerability (CAN-2005-0553) I groaned at the thought of the attack vector that this will provide. Only a few hours later, there was already a proof-of-concept exploit released which is now floating around in the public. It should only be a few days now before we start to see that code turned into something more hostile and malicious.
Result? Get that patching done NOW!
Now, if you are still not heeding my call to run as a non-admin, perhaps this snippet from the advisory will put you in a better frame of mind in WHY its so important to reduce your own privileges:
If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
(Boldness added for dramatic effect)
Get the point? Good. So start running as a "Normal Computer User" today.
19 Deadly Sins of Software Security
I tripped over this while reading Sergey's blog today.
It seems that Michael Howard, David LeBlanc, and John Viega have gotten together to outline the "19 Deadly Sins of Software Security" in a new book of the same name to be released at the end of July.
This essential book for all software developers--regardless of platform, language, or type of application--outlines the "19 deadly sins" of software security and shows how to fix each one.
Sounds like a great book. And knowing I like the writing style of all these guys, I can't wait to get my hands on it.
Open Source Vulnerability Database becomes a Non-Profit Organization
About a year ago I talked about how the Open Source Vulnerability Database (OSVDB) Goes Live. OSVDB is an independent and open source database created by and for the community. Their goal is to provide accurate, detailed, current, and unbiased technical information about vulnerabilities. Tools like snort and nessus are now incorporating the database directly into their products.
Well, they reached a new milestone yesterday. I was just sent this last night by Jake Kouns, who runs the project:
OSVDB Recognized as 501(c)3 Non-Profit Organization
April 12, 2005
Ten Tips for Corporations to Protect Customer Information from Identity Theft
Cyberguard sent out an interesting press release today that provides "Ten Tips for Corporations to Protect Customer Information from Identity Theft".
The list is pretty self explainatory:
April 05, 2005
Application Insecurity --- Who is at Fault?
Melisa Bleasdale has written an article on the insecurities of applications, asking who is at fault.
We've thrown millions of dollars at the corporate network in the name of security. We've implemented firewalls and gateways and access control. We've installed IDS, IPS, tokens and biometrics. But despite our best efforts, we're still under attack. Though it's really not surprising, we've overlooked the obvious.
The obvious that she refers to? Applications on the host. Included in the article are different view points on who should be responsible, and what should ultimately happen.
I think this is a debate that will go on for years yet. Secure software engineering as a discipline is still in its infancy, and very few software firms are using it as part of their software development lifecycle. It will take time before vendors would adopt such things... unless the consumer DEMANDS it. Sort of like what they did to Microsoft.
Time will tell. I do hope if you are a reader here and are part of an ISV, that you are applying secure software engineering best practices in your software development lifecycle. If you don't, spend some time going through many of my posts in the last 2 years. You will start to see why its important.
April 04, 2005
7 Myths about Network Security
So this evening I was doing the dew and catching up on some reading when I came across an interesting article on Security Pipeline about the "7 Myths of Network Security". It is well worth the read. In summary, the article breaks down the 7 Myths as: