Monday, June 22, 2009

Managing Security Threats & Vulnerabilities for SMEs

Managing security threats and vulnerabilities in assets are two fundamental challenges for SMEs. Vulnerabilities in assets are weaknesses in the assets themselves, or the absence of security procedures, technical controls or physical controls, that could be exploited to harm assets or predispose them to harm [1]. Harm to assets occurs in various forms, such as interruption, destruction, disclosure or modification of data, and denial of service. For example, in 2001 the Code Red incident exploited a buffer overflow in a library module of Microsoft Windows' Internet Information Server, which allowed it to infect hundreds of thousands of computers [2] and cause millions of dollars of damage. The Slammer [3], MSBlast [4] and Sasser [5] worms all exploited known vulnerabilities in computer systems.

There are also accounts of security threats (for instance, computer worms) being used as attack agents in denial of service (DoS) [6] and distributed denial of service (DDoS) [7] attacks. These types of threats affect the confidentiality, integrity, reliability and availability of computer network services.

In this respect, how can security be properly managed in an enterprise, and what are the valid and appropriate options? Answers to these questions are provided in the article; please download a copy from this link. Your comments are useful and highly appreciated, so please leave a comment. Thanks.

This discussion is also shown in a presentation; please download the presentation in PDF.

References:
[1] Computer Security Handbook: The NIST Handbook, Special Publication 800-12, p. 62
[2] D. Moore, C. Shannon, and J. Brown (2002) “Code-Red: a case study on the spread and victims of an Internet Worm”, Proceedings of the ACM/USENIX Internet Measurement Workshop, France, November, 2002
[3] C. C. Zou, L. Gao, W. Gong, D. Towsley (2003), “Monitoring and Early Warning for Internet Worms”, Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, October 27-31 2003
[4] Microsoft Security Bulletin MS03-026, (2003) “Buffer Overrun In RPC Interface Could Allow Code Execution (823980)”, July 2003: [Online]:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
[5] W32.Sasser.worm (2004), April 2004: [Online]: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
[6] CERT/CC (2001), “Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL Redirecting is enabled”; [Online]: http://www.kb.cert.org/vuls/id/544555

Security Awareness (SA002-09): Intrusion Detection Systems

Intrusion detection systems (IDSes) monitor systems and networks for security policy abuse, compromise and abnormal behaviour. Different types of IDS exist, such as host-based, network-based and hybrid.

Host-based IDSes are installed on systems such as PDAs, laptops, workstations, PCs and servers to monitor the behaviour of that system.

Network-based IDSes are appliances that monitor the entire network for policy violations, abnormal network behaviour, traffic thresholds being exceeded and ongoing malicious activity.

Given the nature of recent attacks on end-user systems such as PCs and laptops, and the growing proliferation of viruses and computer worms, it is recommended best security practice for end users to install a personal intrusion detection system on their laptops, workstations or PCs. However, an IDS installed on an end-user system is a waste of time if its logs are not checked and analysed regularly: the value of an IDS lies in someone reading what it reports.

To enhance the security posture of systems and networks, the following is recommended:

1) Spend time checking IDS logs and alerts; this will help you identify ongoing activity and attacks that may have happened undetected.
2) Identify resources that appear frequently in the logs and understand what those events are about.
3) Set your IDS to be always on.
4) Configure your IDS to always inform you about a software download or a request that is about to change registry settings.
5) Configure your IDS to always inform you when a request is about to change registry settings.
6) Configure your IDS to always alert you when a certain threshold is reached or exceeded.
7) Configure your IDS to automatically download the latest signatures or patches; this will keep your IDS up to date.
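As an added example (not code from the original post or from any IDS product), the script below shows what "checking the logs" in items 1, 2, 4, 5 and 6 can look like in practice. The one-line-per-alert log format, the sample alerts and the threshold values are constructed for illustration; a real IDS writes its own format, so only the parser would need adapting.

```python
"""Triage of IDS alert logs: frequent resources, watched events and threshold alerts.

Added example (not from the original post). The log format is a constructed,
simplified "timestamp | severity | signature | source | destination:port" layout.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real IDS output)
SAMPLE_LOG = """\
2009-06-22T09:00:01 | high | SMB buffer overflow attempt | 10.0.0.5 | 10.0.0.20:445
2009-06-22T09:00:03 | low | ICMP echo request | 10.0.0.7 | 10.0.0.20:0
2009-06-22T09:00:04 | high | SMB buffer overflow attempt | 10.0.0.5 | 10.0.0.21:445
2009-06-22T09:00:05 | medium | Registry modification by unsigned process | 10.0.0.20 | 10.0.0.20:0
2009-06-22T09:00:06 | high | SMB buffer overflow attempt | 10.0.0.5 | 10.0.0.22:445
2009-06-22T09:00:08 | high | SMB buffer overflow attempt | 10.0.0.5 | 10.0.0.23:445
2009-06-22T09:15:00 | low | ICMP echo request | 10.0.0.7 | 10.0.0.20:0
"""

# Signatures the user always wants surfaced (items 4 and 5)
WATCHED_KEYWORDS = ("download", "registry")


def parse_alerts(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue  # do not let one bad line abort the whole review
        ts, severity, signature, src, dst = parts
        alerts.append({"time": datetime.fromisoformat(ts), "severity": severity,
                       "signature": signature, "src": src, "dst": dst})
    return alerts


def frequent_resources(alerts, top=3):
    """Item 2: the sources and signatures seen most often in the log."""
    by_src = Counter(a["src"] for a in alerts).most_common(top)
    by_sig = Counter(a["signature"] for a in alerts).most_common(top)
    return by_src, by_sig


def watched_events(alerts):
    """Items 4 and 5: alerts about software downloads or registry changes."""
    return [a for a in alerts
            if any(k in a["signature"].lower() for k in WATCHED_KEYWORDS)]


def threshold_alerts(alerts, limit=3, window=timedelta(minutes=5)):
    """Item 6: one source tripping the same signature `limit` or more times
    inside a sliding `window`. Returns (src, signature, count) per trip."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["signature"])].append(a["time"])
    tripped = []
    for (src, sig), times in groups.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= limit:
                tripped.append((src, sig, end - start + 1))
                break                          # report each pair once
    return tripped


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print("top sources / signatures:", frequent_resources(alerts))
    print("watched events:", [a["signature"] for a in watched_events(alerts)])
    print("threshold trips:", threshold_alerts(alerts))
```

With the constructed log, the one source that repeats the SMB signature four times in seven seconds trips the threshold, the single registry-change alert is surfaced as a watched event, and the two pings 15 minutes apart do not trip anything.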

Tuesday, June 16, 2009

Enterprise-wide Security Attack Detection


With the growing number of security incidents, there is a requirement to provide adequate security protection to computer networks. To protect computer networks from security attacks, a current approach is to deploy countermeasures such as firewalls at the network perimeter, intrusion detection systems (IDSes) within the network and virus scanners on end-user systems. Whilst these countermeasures provide a degree of protection, they struggle to detect emerging security threats. Emerging security attacks appear to be distributed and coordinated, while the defences offered by these countermeasures operate in isolation from one another. Each countermeasure possesses only fragments of evidence about the overall state of the network, and consequently its response may be both delayed and limited in scope.

To accurately detect enterprise-wide security attacks, as seen on various networks today and across multiple complex security domains, an integrated security framework is proposed, discussed and tested. This innovative security framework is presented in the book – Security Framework for Attack Detection in Computer Networks. This well-written book is highly recommended for all security practitioners, analysts, consultants, engineers and decision makers at various levels.
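The point that each countermeasure holds only a fragment of the evidence can be made concrete with a small fusion routine. This is an added example, not code from the post or from the book it recommends: the sensor events, the per-sensor weights, the five-minute window and the "two independent sensors" rule are all constructed for illustration.

```python
"""Fusing evidence from isolated countermeasures (firewall, IDS, virus scanner).

Added example, not from the post or the book. Events, weights and threshold
are constructed; the idea is that no single sensor reaches the alarm
threshold on its own, but the combined view of one host does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (time, sensor, host, detail)
EVENTS = [
    ("2009-06-16T10:00:00", "firewall", "10.0.1.8", "outbound tcp/135 blocked"),
    ("2009-06-16T10:00:02", "firewall", "10.0.1.8", "outbound tcp/135 blocked"),
    ("2009-06-16T10:00:30", "ids", "10.0.1.8", "RPC buffer overrun attempt"),
    ("2009-06-16T10:01:10", "antivirus", "10.0.1.8", "MSBlast worm quarantined"),
    ("2009-06-16T10:05:00", "firewall", "10.0.1.9", "outbound tcp/135 blocked"),
    ("2009-06-16T11:30:00", "ids", "10.0.1.9", "port scan"),
    ("2009-06-16T10:07:00", "antivirus", "10.0.1.12", "EICAR test file"),
]

# Evidence weight per sensor; each is below THRESHOLD, so none alarms alone
WEIGHTS = {"firewall": 1, "ids": 2, "antivirus": 2}
THRESHOLD = 3


def _per_host(events):
    """Group events by host, with parsed timestamps, sorted by time."""
    per_host = defaultdict(list)
    for ts, sensor, host, detail in events:
        per_host[host].append((datetime.fromisoformat(ts), sensor, detail))
    for evs in per_host.values():
        evs.sort()
    return per_host


def isolated_alarms(events, weights=WEIGHTS, threshold=THRESHOLD):
    """What each sensor would conclude on its own: hosts whose evidence from
    that single sensor reaches the threshold. With these weights, none do."""
    alarms = set()
    for host, evs in _per_host(events).items():
        for sensor in {e[1] for e in evs}:
            if weights[sensor] >= threshold:
                alarms.add((sensor, host))
    return alarms


def fuse(events, window=timedelta(minutes=5), weights=WEIGHTS, threshold=THRESHOLD):
    """Correlate all sensors per host: flag a host when at least two different
    sensors report it inside `window` and their combined weight reaches threshold."""
    findings = {}
    for host, evs in _per_host(events).items():
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            sensors = {e[1] for e in in_window}
            score = sum(weights[s] for s in sensors)
            if len(sensors) >= 2 and score >= threshold:
                findings[host] = {"score": score, "sensors": sorted(sensors),
                                  "evidence": [e[2] for e in in_window]}
                break  # first qualifying window is enough to flag the host
    return findings


if __name__ == "__main__":
    print("alarms from sensors in isolation:", isolated_alarms(EVENTS))
    for host, f in fuse(EVENTS).items():
        print(f"{host}: score {f['score']} from {f['sensors']} -> {f['evidence']}")
```

Run against the constructed events, no sensor alarms by itself, yet the fused view flags the one host that the firewall, the IDS and the virus scanner all saw within a minute; the host with a firewall block and an unrelated scan ninety minutes later is not flagged, which is the kind of false positive a fixed time window is there to avoid.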

Understanding Risks to Cloud Computing

A major concern with the cloud is that the cloud provider offers the software, platform and infrastructure to the user. On top of that, the actual data/information of the user also resides with the provider. The risk with this model of service is that users risk having their information abused, stolen, unlawfully distributed, compromised or harmed. What is the guarantee that the user’s information/data is not sold to her competitor? What ethical constraints exist to prohibit this, or to prevent it and protect the user, in this new model of service? Another important risk to consider when using the cloud is the ownership of the information or data residing on the provider’s system. When a user puts her information in the hands of the provider, what control does the user retain over the data, its confidentiality or its integrity?

When we consider small to medium-sized organisations or end users, the risks associated with cloud services can be discussed fairly easily. What happens to the government or the enterprise in relation to the cloud? Can the cloud be used for government marked information, for example a ‘strictest in confidence’ document for the CIA, MI5 or the MoD? I certainly do not think so, especially at the current stage of the cloud. In this respect, cloud computing may not be ideal for all facets of society. Certainly, I can’t imagine any organisation with security in mind that would hand ‘strictest in confidence’ or ‘in confidence’ information to the cloud without a second thought.

Again, whose security policies are used for operating the cloud: those of the enterprise, the government or the MCSP? If the policy is the end users’, then how would the MCSP marry diverse security policies from a myriad of heterogeneous users of very diverse backgrounds, from diverse countries and with very diverse legal and socio-cultural value systems?

What of data location? Where does the data an end user has created on an MCSP’s system actually reside? The location of end-user data is of great importance. For example, the EU border legislation (Safe Harbour) stipulates the countries in which EU private and personal data can and cannot reside, and which borders it can and cannot traverse. With infrastructure as a service, the cloud provider can use dynamically localised infrastructure that exists outside EU or US territories. This may contravene fundamental privacy and legislative requirements, especially if the end user was not aware of where her information is stored. This applies specifically to EU and US customers, SMEs, governments and enterprises who may wish to use the cloud for delivering services, and I believe other countries have other legislation that should be considered when using the cloud. Some kinds of information can be easily abused with cloud computing; for instance, personal medical data (health record data) is subject to strict compliance legislation such as HIPAA. A significant concern is that the controls on personal medical data can be easily circumvented with the SaaS or IaaS models of the cloud. These highlight some of the inherent risks that exist with cloud computing.
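The data-location concern above can be turned into a check that runs before data is placed with a provider. The following is an added example, not code from the post: the region names, the region-to-jurisdiction table, the classifications and the residency policy are all constructed stand-ins, and the real constraints for any deployment have to come from the applicable legislation and legal advice.

```python
"""Checking where data is stored, replicated and routed against a residency policy.

Added example, not from the post. Regions, jurisdictions, classifications and
the policy table are constructed placeholders; a provider's real region list
and the legal rules for each data class must be substituted.
"""

# Constructed: provider region -> jurisdiction it physically sits in
REGION_JURISDICTION = {
    "eu-west": "EU",
    "eu-central": "EU",
    "us-east": "US",
    "ap-south": "IN",
}

# Constructed: jurisdictions in which each data class may reside or transit
POLICY = {
    "public": {"EU", "US", "IN"},
    "eu-personal": {"EU"},
    "us-health-record": {"US"},
}


def check_placement(dataset, classification, primary, replicas=(), transit=()):
    """Return a list of violations for a proposed placement.

    primary  - region holding the master copy
    replicas - regions holding backups or read replicas (IaaS/SaaS often add these)
    transit  - regions the data passes through, e.g. for CDN or failover routing
    A region the policy table does not know is itself a violation: if you
    cannot say which jurisdiction a 'dynamically localised' site is in,
    you cannot claim compliance for it.
    """
    if classification not in POLICY:
        raise ValueError(f"unknown classification {classification!r}")
    allowed = POLICY[classification]
    placements = ([("primary", primary)]
                  + [("replica", r) for r in replicas]
                  + [("transit", t) for t in transit])
    violations = []
    for role, region in placements:
        jurisdiction = REGION_JURISDICTION.get(region)
        if jurisdiction is None:
            violations.append(
                f"{dataset}: {role} region {region!r} has no known jurisdiction")
        elif jurisdiction not in allowed:
            violations.append(
                f"{dataset}: {role} in {region} ({jurisdiction}) is not permitted "
                f"for {classification!r} (allowed: {sorted(allowed)})")
    return violations


def audit(placements):
    """Run every proposed placement; return {dataset: [violations]} for the failing ones."""
    report = {}
    for p in placements:
        v = check_placement(**p)
        if v:
            report[p["dataset"]] = v
    return report


# Constructed proposals, as a provider's deployment plan might list them
PROPOSED = [
    {"dataset": "marketing-site", "classification": "public",
     "primary": "us-east", "replicas": ("eu-west", "ap-south")},
    {"dataset": "customer-records", "classification": "eu-personal",
     "primary": "eu-west", "replicas": ("us-east",)},
    {"dataset": "patient-files", "classification": "us-health-record",
     "primary": "us-east", "transit": ("edge-7",)},
]

if __name__ == "__main__":
    for dataset, problems in audit(PROPOSED).items():
        print(dataset)
        for line in problems:
            print("  -", line)
```

With the constructed proposals, the public site passes, the EU personal data fails because its backup lands in the US, and the health records fail because they transit a site whose jurisdiction nobody can name; the unknown-region case is deliberately treated as a failure rather than ignored.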

Wednesday, April 08, 2009

Africon 2009 - Nairobi, Kenya

Folks, we've extended the submission date to 30th April 2009. Anyone willing to pitch in a publication should do so now.

Here's the conference site:

www.africon2009.org

Africon is a premier IEEE conference for Africa, and this year it's hosted in the beautiful country of Kenya.

The submission deadline for a full paper has been extended to 30 April. Please refer to the Call for Papers page for further information on related date changes.

Thursday, March 12, 2009

Security Awareness (SA001-09): Protecting Computer Networks using Firewalls

Using firewalls is an essential part of protecting computers and networks. End users require personal firewalls to provide access control to their computers, PCs, PDAs or home servers. Similarly, SMEs also require firewalls to protect their valued assets, such as information assets and network and system infrastructure assets.

Although firewalls can be relied upon to protect computer networks, it is important to understand that firewalls alone are not capable of protecting an enterprise (see Data Fusion in Security Evidence Analysis). There is a limit to what a firewall or suite of firewalls can protect. Even when a range of multiple heterogeneous firewalls is deployed in an enterprise, chances are that they will not detect, prevent or mitigate all forms of attacks, vulnerabilities or threats.

To enhance security posture in an enterprise the following is recommended:

1) Investigate your options in time - research the available firewalls and what each one offers, read the manufacturer's product literature and determine the best choice for your environment.
2) Determine the best locations or points to install a firewall - where a firewall is placed on the network contributes greatly to how much of the network it protects. A border where the organisation peers with other vendors, partners or an ISP is a good starting point for a firewall. Departmental demarcations may be another, and in front of a critical asset a host-based firewall may be required.
3) Always check firewall logs to determine and audit its events. This is absolutely important: if you are not going to check the logs, there is no point installing a firewall.
4) If you're going to use multiple firewalls of different types, it is advisable to test each one alone in the same environment before integrating all the firewalls in the network. The reason for this is to confirm the specific capabilities of each firewall before you put them in the network.
5) Always update firewall operating systems and patches. Go for tested and approved vendor OS versions and the latest patches. It is not recommended to run an untested firewall OS in a production environment, because you may cause havoc and be liable for a breach of SLA.
6) Configure the firewall for least privilege.
7) [...]
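Item 6, least privilege, is easier to reason about with a concrete rule set. The following is an added example, not code from the post and not any vendor's configuration format: it models a first-match firewall policy with an explicit default deny, puts an over-permissive "allow everything" policy beside a least-privilege one, and includes the kind of audit a log or rule review would do (over-broad allow rules and rules that can never be reached). Addresses, rules and packets are constructed.

```python
"""First-match firewall policy with default deny, plus a rule-set audit.

Added example, not from the post. The Rule class, the sample policies and the
test packets are constructed; the syntax is not any product's format.
"""
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


class Rule:
    def __init__(self, action, src, dst, proto, port, comment=""):
        self.action = action          # "allow" or "deny"
        self.src = ip_network(src)    # ANY (0.0.0.0/0) matches every source
        self.dst = ip_network(dst)
        self.proto = proto            # "tcp", "udp" or "any"
        self.port = port              # destination port (int) or "any"
        self.comment = comment

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.port in ("any", pkt["port"]))


def evaluate(rules, pkt):
    """First matching rule decides; anything nothing matches is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit default deny = least privilege


def covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto) and a.port in ("any", b.port))


def audit(rules):
    """Findings a rule review should raise: over-broad allows and shadowed rules."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and (r.src.prefixlen == 0
                                    or (r.proto == "any" and r.port == "any")):
            findings.append(f"rule {i}: over-broad allow ({r.comment or 'no comment'})")
        for j in range(i):
            if covers(rules[j], r):
                findings.append(f"rule {i}: never reached, shadowed by rule {j}")
                break
    return findings


# Constructed policies. PERMISSIVE is what "just make it work" tends to produce.
PERMISSIVE = [Rule("allow", ANY, ANY, "any", "any", "temporary: allow everything")]

LEAST_PRIVILEGE = [
    Rule("allow", "203.0.113.0/24", "192.0.2.10/32", "tcp", 443, "partner to web server"),
    Rule("allow", "192.168.1.0/24", "192.0.2.10/32", "tcp", 22, "admin LAN ssh to web server"),
    Rule("deny", ANY, ANY, "any", "any", "explicit default deny, logged"),
]

# Constructed packets: one legitimate partner request, one stray ssh attempt
PARTNER_HTTPS = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "port": 443}
STRAY_SSH = {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "port": 22}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        print(name, "-> partner https:", evaluate(policy, PARTNER_HTTPS),
              "| stray ssh:", evaluate(policy, STRAY_SSH), "| audit:", audit(policy))
```

Both policies let the partner's HTTPS request through; only the least-privilege set refuses the stray SSH attempt, and the audit flags the permissive rule as over-broad. A rule appended after the explicit default deny is reported as shadowed, which is the usual way a "fix" silently never takes effect.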

Monday, December 01, 2008

...My New Book is out Soon


I'm very excited; gradually, it has all come together. Integrated Security Assistance Framework (ISAF) for detecting widespread attacks to Computer Networks will be out at the end of this month. I've been working on this book for nearly a year now, and finally there's a breath of fresh air around :-) It's very exciting.

Wednesday, September 10, 2008

SHA-3 Proposal by NIST

NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable-length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. Entries for the competition must be received by October 31, 2008. The competition was announced in the Federal Register Notice published on November 2, 2007; further details of the competition are available on the NIST site:
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
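To show what the paragraph means by a fixed-length digest and its use for message authentication, here is an added example (not from the post or from NIST) using the FIPS 180-2 algorithms already in Python's standard library. The messages and the key are constructed; the point is that the digest length does not depend on the input length, that a one-byte change in the message changes roughly half the digest bits, and that authentication needs a keyed construction (HMAC) checked with a constant-time comparison, not a bare hash.

```python
"""Message digests and keyed message authentication with the FIPS 180-2 family.

Added example, not from the post or from NIST. hashlib and hmac are the real
standard-library modules; messages and the key below are constructed.
"""
import hashlib
import hmac

# Constructed inputs of very different lengths
MESSAGES = [b"", b"abc", b"The quick brown fox jumps over the lazy dog", b"A" * 10_000]


def digest_hex(message: bytes, algo: str = "sha256") -> str:
    """Hex digest of a variable-length message under a FIPS 180-2 algorithm."""
    return hashlib.new(algo, message).hexdigest()


def digest_sizes(messages, algo: str = "sha256") -> dict:
    """Map input length -> digest length in bytes; every value is the same."""
    return {len(m): len(hashlib.new(algo, m).digest()) for m in messages}


def flipped_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 authentication tag. A hash alone cannot authenticate a
    message, because anyone can recompute it; the shared key is what binds it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(tag(key, message), received_tag)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    print("digest sizes:", digest_sizes(MESSAGES))          # all 32 bytes for SHA-256
    print("sha256(abc) =", digest_hex(b"abc"))
    print("bits flipped abc -> abd:", flipped_bits(digest_hex(b"abc"), digest_hex(b"abd")))
    t = tag(key, b"transfer 100")
    print("tag valid:", verify(key, b"transfer 100", t))
    print("tampered message valid:", verify(key, b"transfer 900", t))
```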

Monday, July 28, 2008

Security bug with the recent F-secure Linux Security 7.00

It has been discovered that Linux Security 7.00, released by F-Secure just about three weeks ago, contains a very serious bug that can have severe consequences for customer systems. Hence, F-Secure has called for total withdrawal of the code. If you have installed Linux Security 7.00 and you are using the Client Edition keycode, please uninstall immediately to prevent further damage to your system.

You can obtain the latest code, Linux Security release 7.01 without the bug, from the F-Secure site at: http://www.f-secure.com/linux-weblog/2008/05/23/linux-security-701-released/