Aggressive Virus Defense

Write Protect USB Drives

December 19, 2009

To write protect the specific drive, use the sider on the drive itself, if available.

To make all drives behave as if they were write protected when inserted in a specifc machine, there’s a registry hack followed by a restart:

Windows XP SP2 or later:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies] “WriteProtect”=dword:00000001
With 64-bit operating systems, make that “qword” instead of “dword”.

Leave a Comment » | Uncategorized | Permalink
Posted by rklanke

An unpatched vulnerability in Adobe Reader and Acrobat 9.2 and earlier is in the wild. The potential payload is remote arbitrary code execution. The expected patch availability is January 12, 2010. Meanwhile, Adobe suggests implementing the JavaScript Blacklist Framework or disabling Acrobat Javascript as a mitigation measure.

If you need JavaScript functionality and have updated to versions of Adobe Reader which support the JavaScript Blacklist Framework, and the JavaScript API needed isn’t the vulnerable DocMedia.newPlayer API, then the JavaScript Blacklist Framework can preserve your business processes while providing risk mitigation. If you do not need JavaScript functionality, turn it off. If you don’t know if your business processes need JavaScript functionality within PDFs, then start finding out.

JavaScript Blacklist Framework

Designed in anticipation of a vulnerability such as this, the JavaScript Blacklist Framework enables a person to designate the APIs that represent security risks. Download the registry keys [zip]. Even if it is not feasible to implement the JavaScript Blacklist Framework before a patch is released, plan to implement it for another opportunity.

Note that this will not be a complete measure; a signed PDF bypasses the JavaScript Blacklist Framework.

Certified documents signed with certificates that chain up to a trust anchor trusted for executing high privileged Javascript.

Plan to permit the blacklisted API once a patch is released.

Disabling Acrobat Javascript

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Plan to reverse this procedure once a patch is released. Perhaps you won’t implement that plan, but have the plan ready.

Leave a Comment » | Uncategorized | Permalink
Posted by rklanke

DNS Client Settings

December 16, 2009

DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).

Windows Vista IPv4 Configuration tab

Concerns:

Malware can replace the DNS settings with its own settings. When this happens, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who their bank is. The malware DNS server collects information about web sites the client uses. At any time, the malware DNS server can substitute a web address of their own choosing. A prompt for user ID and password would collect responses, returning an dummy “access denied” message. This leaves the bad guy with working credentials.
Since DNS settings are typically ignored, this payload is typically ignored. Anti-virus software would not detect an “infection” since these are IP addresses, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus?“
In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
Each DNS implementation has security vulnerabilities. DNS has its own issues; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required. As a bonus DNS lookup history is an important intrusion detection mechanism, discovering if malicious sites are being accessed.

At home, you want a vendor who pays careful attention to keeping the DNS service maintained and who you trust. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use more managed, more secure DNS servers.

If you are using your router to provide IP and DNS addresses, consider providing more secure DNS servers. However, you may wish to revisit how you are managing IP addresses; that would be a subject for a different post.

Google Public DNS	8.8.8.8	8.8.4.4
OpenDNS	208.67.222.222	208.67.220.220

Leave a Comment » | Web Security | Tagged: security | Permalink
Posted by rklanke

Internet Explorer or Firefox?

December 16, 2009

Internet Explorer or Firefox? Depends on the context.

Independent (home) user, Firefox. (If only for its lack of native ActiveX support.)

Corporate environment, Internet Explorer.

Hang all the “but Firefox is faster, safer” arguments. Its a maintenance issue. An environment which standardizes upon Firefox will encounter web sites which do not give the appropriate user experience without Internet Explorer. Internet Explorer could be installed on an exception basis. Now there are two web browsers to maintain. On the face of this “reduced maintenance” overrides “faster, safer”.

Exceptions:

Corporate environment web development. They get all expected web browsers and browser maintenance is a cost of doing business.

Corporate environment permits access to a limited, “Firefox-ready,” set of web sites. Firefox.

Leave a Comment » | Uncategorized | Permalink
Posted by rklanke

Revisiting Incident Response

December 13, 2009

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident’s details, retail collected data, and discuss lessons learned.

Here’s a list, by category, with techniques in order of “importance.”

	Then	Now
Prevention	Anti-Virus Firewall (inbound packets) Firewall (stateful) Application Patches Obscurity	Firewall (inbound packets) Firewall (stateful) Application Whitelist Intrusion Prevention System (IPS) Application Patches Anti-Virus Firewall (source blacklist) Obscurity
Detection	Intrusion Detection System (IDS)	Intrusion Detection System (IDS) Anti-Virus Firewall (destination blacklist) DNS lookup history Information extrusion
Containment	(manual)	(manual)
Recovery	Anti-Virus	Rebuild, Reimage, Restore

Obscurity: Security through obscurity is one of your defenses, just not a very reliable one.

Firewall: General term for “mechanism to drop network traffic.” Drop network traffic you do not intend to manage. (Note about SPAM: Drop email you do not intend to manage.) For example, drop unsolicited network traffic (which means “monitor state”).

Anti-Virus: Note the changed role of Anti-Virus. Its role in Prevention and Recovery is diminished, but its role in Detection is (or should be) more significant. Not “dead“.

Recovery: Does not address what has been disclosed.

Leave a Comment » | Uncategorized | Tagged: security | Permalink
Posted by rklanke

Re-imagine Security

December 1, 2009

Security? As said previously, cross out “security” (wherever you have been using the term) and substitute “availability” or “confidentiality” or “integrity” or “authenticity” if you want to get your point across.

Recognize that there is a common language meaning to the word “security” as well as a technical usage of the term. Re-use of language in this way obstructs clarity. Re-defining words separates the speaker from their audience. Operational definitions (sometimes introduced with “in the following, I will use the term such-and-such to mean …”) are used to slip statements in without awareness, justification or comprehension.

During Winn Schwartau’s presentation at the InformationWeek Dark Reading / Black Hat virtual event (December 9, 2009), we have been warned that RF interference could become a problem for artificial limbs. Picture persons with even short range devices causing Denial of Service problems for a person with an artificial leg. When bioengineers are asked what they were doing to secure these devices, they purportedly responded with “We’re trying to make them work. We don’t have time to add in security.” On the other hand (oops), adding in availability and integrity are part of the reliability problem they already consider part of the “making them work” problem. “Is confidentiality being neglected?” would be a more useful question to pose than “What are you doing about security?” [That's Winn Schwartau of The Security Awareness Company and Simply Security (with Winn Schwartau).]

Don’t blame users. While a certain amount of responsibility is in the user’s hands, making it difficult to be irresponsible is an informed design goal. If you leave a glass near the edge of the table, where someone can knock it over, what went wrong? What could be done differently?

Don’t let marketing define your system view. Marketing introduces terms to differentiate their product from competitors. See, for example, “web application firewall.” In what way are these products firewalls? I realize that there is precedent for using the term “firewall” loosely.

Using the Virtual Patching Challenge presentation byRyan C. Barnett of Breach Security at Black Hat DC 2009 as an authority:

A Web Application Firewall analyzes traffic and enforces the Virtual Patching Logic so that malicious traffic never reaches the web application.

That could describe an input validation filter. He goes on to say that a Web Application Firewall (WAF) “is more than an ‘attack blocking device.” A WAF can also identify and correct Appication Defects. A WAF can be used as an HTTP Auditing device.” He add that Virtual Patching can expedite the implemention of mitigation and provide protection for apps that can’t be updated.

“Virtual patching of web applications” appears to be the technology implemented on web application firewalls. Virtual patching would include filters that drop input that looks like SQL injection or cross site scripting attacks. Virtual patching should include additional approaches which modify output; in effect, wrapping the application to give the effect that the application problem has been fixed A web application firewall would be the device which implements virtual patching.

I need a better, simpler example.

Compliance. Don’t let regulatory compliance define your information security confidentiality (as well as availability, integrity and authenticity) decisions. The measures defined in regulations specify minimal assurances. Legislatures, regulatory agencies and industry organizations cannot define a “one size fits all” set of measures that will accomplish information confidentiality. At best, a set of of generalizations can be written. Neglecting these generalizations can establish irresponsible behavior, but you would still be irresponsible if all you paid attention to was regulatory compliance.

Leave a Comment » | Uncategorized | Tagged: security | Permalink
Posted by rklanke

Log Files

November 28, 2009

Investing in an Intrusion Detection System is pointless if you have no plans for the log files. Having plans for log files can make your investment in an Intrusion Detection System less important. That is, the IDS is there to detect anomalies; if you are detecting anomalies in another way, through log file management, then you have accomplished your IDS task. If you don’t view your IDS logs, then you have not accomplished your IDS tasks.

In general, get Splunk. See the Splunk tutorial at Ethical Hacker Network. This interprets many log files, consolidating their information based upon date and time.

In specific cases, use Perl and regular expressions (regex). Use Regex Coach or Expresso, interactive tools for creating regular expressions. Adopt tested modules from the Comprehensive Perl Archive Network (CPAN) and other published sources, such as Perl-Fu: Regexp log file processing.

Leave a Comment » | Uncategorized | Permalink
Posted by rklanke

Information Leakage Detection (regex)

November 28, 2009

When watching outbound files for sensitive information, some specific strings to grep for would be:

IP addresses	`(b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/)`
Visa Credit Card Numbers	`(^4[0-9]{12}(?:[0-9]{3})?$)`
Social Security Numbers	`(^(?!000)([0-6]\d{2}\|7([0-6]\d\|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$)`

Use Regex Coach and Expresso to assist when writing regular expressions.

Acknowledgment to Perl-Fu: Regexp log file processing should be inserted here.

Leave a Comment » | Uncategorized | Permalink
Posted by rklanke

Digital Forensics Links

November 22, 2009

A forensics examination requires more than tools. Documentation, preservation of evidence and the ability to interpret the tools and reach supportable conclusions are necessary to ensure the admissibility evidence in a court of law.

If you are not concerned about admissible evidence, then I wouldn’t call it “forensics.”

Articles

Computer Forensic Blog Andreas Schuster
Computer Forensics/E-Discovery Tips/Tricks and Information Mark McKinnon’s blog
Computer Forensics Resources Collection of Forensics links maintained by Global Digital Forensics
Digital Forensics Magazine
E-Evidence Information Center Digital Forensics articles and links
FAQ: What is the impact of e-discovery law on IT operations?
File Signatures Tim Coakley’s file signature database. Extend what ProDiscover detects.
Forensics and Recovery, LLC Paul A. Henry, author of Information Security Management Handbook and other books
Forensics Wiki Links to articles, tools, file analysis
Hany Farid: Research about images, image manipulation, digital forensics and steganography
Mac OS X Forensics George Starcher
NTFS Disk Internals NTFS indices
SANS Computer Forensics and eDiscovery blog with Rob Lee
Scientific Working Group on Digital Evidence (SWGDE) Forensic practices and research
Volatile Systems Blog Aaron Walters
Volatility: Volatile Memory Analysis Research Aaron Walters

Podcasts

Forensic 4cast Lee Whitfield’s digital forensics podcast (also 4cast.whitfields.org)
Forensics and Recovery podcasts Paul A. Henry, author of Information Security Management Handbook and other books
CyberSpeak Two former federal agents discussing computer forensics, cybercrime, and computer security.
Inside The Core Macintosh forensics
Cybercrime 101
Talk Forensics

Tools

University of Massachusetts Recommended List of Tools for Incident Detection and Eradication [PDF]
AccessData Registry Viewer
CAINE Live CD Computer Aided INvestigative Environment (CAINE) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio.
DCode decode the various date/time values found embedded within binary and other file types
dd command line utility for disk imaging and restoration
DiskExplorer for NTFS NTFS file system examination
EnCase from Guidance Software digital forensics software
Forensic Acquisition Utilities by George M. Garner Jr., includes a Windows-based dd command that can dump memory
Forensic Toolkit (FTK) from AccessData digital forensics software
FTK Imager from Access Data. Creating the image is free. Using FTK Imager [swf] (from Edmonds Community College).
Intella Mail system forensics
IrfanView and Plugins (specifically, the EXIF plugin) a graphics viewer which can reveal JPEG details
IsoBuster CD examination utility
LADS command line utility to find NTFS alternate data stream files
MiTeC Windows Registry Analyzer
Mobile Internal Acquisition Tool (MIAT) Symbian and Windows Mobile Forensics
Passware password recovery software
Process Dumper (pd) and Memory Parser (mmp) Tobias Klein research and tools for memory analysis
Registrar Registry Manager from Resplendence Windows registry viewer
RegistryReport RegistryReport doesn’t process the Registry files of the running operating system. To get information from the running system, use SystemReport.
With the application RegistryViewer you can view raw Registry files like in the Windows Registry editor.
RegRipper Harlan Carvey’s RegRipper
RegViewer
Revelation password recovery software
Scalpel data carving software Scalpel is a (free) fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
sha_verify command line utility to compute MD5/SHA hashes
Simple Carver inexpensive data carving and file recovery software
Sleuth Kit (TSK) & Autopsy: Digital Investigation Tools for Linux, Unix, and Windows TSK is a C library and a collection of command line tools (based on code from The Coroner’s Toolkit (TCT)). Autopsy is a graphical interface to TSK.
Windows File Analyzer Analyze Thumbs.db, the Prefetch folder, shortcut files, Index.Dat files, Info2 (Recycle Bin) files
Windows Incident Response (IR) and Computer Forensics (CF) Tools Harlan Carvey
WinHex from X-Ways digital forensics & data recovery software, hex editor & disk editor

Web browser utilities are in Web Browser Forensics.

1 Comment | Uncategorized | Permalink
Posted by rklanke

Code Review

November 15, 2009

Notes from the Security Innovation Secure Code Review presentation (pdf) (wmv).

Focused on security vulnerabilities

Since “security” covers availability, confidentiality, integrity and authenticity, you may feel that this review covers just about everything. Performance, for example, should not distract you.

There’s nothing wrong with saying the same thing in different ways. For example:

Break into manageable chunks
Would you be more effective reviewing a million or a thousand lines of code?
Review iteratively

The iterative reviews focus on the newly added manageable chunks, a few thousand lines of code.

During the code review process, rigorously collect test data today to be used as part of your acceptance test scripts. Test data should test each logical branch of your code. Record the data and its expected result.

In all, the security code review seems much like a structured code review, save that the security code review focuses upon a limited list of coding practices.

Security Innovation whitepapers

Security Innovation list of attacks

1 Comment | Uncategorized | Tagged: security | Permalink
Posted by rklanke

About Me

Russ Klanke, CISSP
Seattle

Seeking employment (full time or consulting)

Preventing Problems through Extraordinary Service

Availability + confidentiality + integrity + authenticity = security
Terror Alert Level
Internet Traffic Report

Troughs indicate slow throughput.
Contents
Introduction
- Code Review
- Report Phishing
- Report SPAM
- Security Patch Management
- Alternatives To Reimaging
- How To Disable Autorun.inf In Windows Vista
- Digital Forensics Links
- Network Forensics Puzzle #2 Solution
Pages
- General Education
Articles
- 2007 Security by the Numbers By Tracy Mayor on June 5th, 2007 in IT Security
- 2009 CWE/SANS Top 25 Most Dangerous Programming Errors the most significant programming errors that can lead to serious software vulnerabilities
- Advanced obfuscated JavaScript analysis by Daniel Wesemann
- Ben Edelman Adware, spyware, web browser malware research
- Bitlocker in Windows 7 [pdf] Kevin Beaver
- Black Hat USA 2009 presentations
- Common Internet Crime Schemes
- ConfigureTerminal.com Cisco tips and other tips for network professionals
- Configuring IP Access Lists Cisco’s Guide To Access Control Lists (ACLs)
- CSO Online – Security and Risk News, tools, templates
- Digital Bond Supervisory Control And Data Acquisition (SCADA) security topics
- EthicalHacker.net
- Gaijin.at Freeware (including forensics), online tools, PHP scripts, articles
- Guide to Selected Privacy and Confidentiality Regulations Summarized list of regulations related to privacy
- How Does Secure Socket Layer (SSL or TLS) Work? Might be the most accessible answer to this popular question.
- How Google Analytics Works An accessible description, with examples.
- How To Build Cheap Cloud Storage 67 Terabytes for $ 7,867
- IETF Recommendations for the Remediation of Bots in ISP Networks (draft 03) Applicable for large corporations as well
- Information Security & Technology at MIT Policy resources and a look at a mature environmnet
- Insider Threat Research How CERT does insider threat research
- Iron Geek Rated “Dangerous” by Trend Micro
- IT Security Short articles on any topic. Not necessarily well-researched.
- Leaks Grow in World of Blogs Companies Search for New Ways to Stop Disclosures of Sensitive Information
- Microsoft Security Intelligence Report (SIR) The changing theat landscape, updated twice a year.
- Mirror: The Protocol Informatics Project Identify protocol fields in unknown or poorly documented network protocol formats – Marshall Beddoe
- mnin.org Michael Ligh Vulnerabilities, reverse engneering
- National Institute of Standards and Technology (NIST) Computer Security Resource Center Resources, important and useful publications
- NSS Labs Product evaluations (IDS, IPS, UTM, WAF) and methodology
- OSF DataLossDB Open Security Foundation collection of information about data losses
- Professional Security Testers Security testing
- Reality Check: Emerging Information Security Threats (Spring 2009) Video. Lenny Zeltser explores today’s emerging Internet security threats to help organizations fine-tune their defenses. Lenny examines attack patterns that have included the use of email as a gateway for fraud, the mighty power of network bots, the ferti
- SANS Internet Storm Center News
- Security Engineering by Ross Anderson Wiley has agreed to make the 1st edition (2001) free, and selected chapters from the 2nd edition are also free
- Sophos Security Threat Report (July 2009) (PDF)
- SpywareGuide Greynets Blog
- Storage Area Network (SAN) Learning Guide LAN, WAN, MAN … SAN?
- The 5 Most Dangerous Security Myths Erik Larkin, PC World, 01/06/2009
- The 60 Minute Network Security Guide NSA UNCLASSIFIED I33-011R-2006 First Steps Towards a Secure Network Environment
- The Academy Pro How to videos (SourceFire, Nessus, Tenable, CheckPoint, Shavlik, Astaro …)
- Top Ten Database Security Threats Imperva whitepaper
- Understanding IP Addressing from 3Com, Everything You Ever Wanted To Know
- Voice over IP Security Alliance (VoIPSA) VOIPSA’s mission is to drive adoption of VoIP by promoting the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.
- Washington Post: Network Solutions Hack Compromises 573,000 Credit, Debit Accounts
Awareness
- CfISA The Center for Information Security Awareness
- Identity Theft News at CIMIP Center for Identity Management and Information Protection (Utica College)
- Infragard Awareness features the Certificate in Information Security Awareness in the Workplace
- Internet World Statistics Usage and population
- Lessons learned from the Twitter account hack Why password policies exist.
- SecurityTube Videos related to security
Blogroll
- Adobe Product Security Incident Response Team (PSIRT) Using Adobe products? Stay up-to-date on patch announcements and other mitigation recommendations.
- Apple Equipment Repair Unofficial manuals
- Bharath's Security Blog Collector of Fake AV (Rogue AV)
- Brad's Tech Tips
- De-ICE.net Thomas Wilhelm
- DEFCON Links-O-Rama Something for all tastes
- Dynamoo's blog Current threat sources
- F-Secure blog
- hpHosts Blog
- Infinity Exists
- Infosec Island
- Jesse Kornblum's blog Jesse Kornblum
- Kim Cameron's Identity Blog
- Matthieu Suiche’s blog Root cause research
- Microsoft's Script Center Powershell, VB Script, for example
- Oracle and Oracle Security Pete Finnigan
- Push the Red Button Brendan Dolan-Gavitt
- Security Uncorked Jennifer Jabbusch, CISO, Network Security Specialist, CAD, Inc.
- SpywareGuide blog
- Sunbelt Blog
- TaoSecurity Richard Bejtlich
- Threat Level Wired magazine blog
- U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU
- Using the New Microsoft Network Monitor (netmon) 3.3 with Network Experts Instead of Wireshark, if you would rather use Microsoft’s version.
- Verizon Business Security Blog
- Windows Incident Response Harlan Carvey
Compliance and Guidance
- American Recovery and Reinvestment Act (ARRA) of 2009 Expands HIPAA to protect patient health information.
- BreachPrep.org Not if, but when. An incident response plan and notification requirements.
- California Security Breach Information Act (CA-1386) Agencies, persons and businesses and their privacy obligations, with similar regulations in 44 states and the District of Columbia
- Children's Online Privacy Protection Act of 1998 Privacy, deceptive practices
- Control Objectives for Information and related Technology (COBIT) guidance materials for IT governance
- Electronic Signatures in Global and National Commerce Act 15 USC Chapter 96 Enforcability of electronic signatures, retention of records
- European Network and Information Security Agency (ENISA) Publications, including the CERT Exercises Handbook and Toolkit
- GovCert.NL the Computer Emergency Response Team for the Dutch Government, home of awareness products such as movies, our annual reviews, trend reports, Cyber Crime manual and “Cert in a box”.
- Gramm-Leach-Bliley Act (GLBA) AKA Financial Modernization Act of 1999; customer privacy protection, notification of privacy protection, management liability; employee training
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Kennedy-Kassebaum; privacy compliance, not just a health care issue
- Information Technology Information Sharing and Analysis Center (IT-ISAC) Public section with best practices, news, references and a suspicious file submission vehicle. Private section for organizations
- ISO 27001 Online Security Management Standard
- ISO 27001 Security Promotes and explains the ISO/IEC 27000-family of information security standards and provides resources.
- IT Infrastructure Threat Modeling Guide provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (S
- NIST 800-53 rev 2 Recommended Security Controls for Federal Information Systems
- NIST Computer Security Resource Center Guidance
- NIST CSRC FISMA Implementation Project National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Federal Information Security Management Act (FISMA)
- NIST: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Introductory? A detailed risk management guide, using HIPAA to give the abstract subject some substance.
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Payment Card Industry (PCI) Data Security Standards (DSS) See “Roadmap to PCI Compliance” for an implementation plan
- RCW 19.255 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (businesses)
- RCW 42.56.590 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (agencies)
- Role-Based Access Control (RBAC) and Sarbanes-Oxley Compliance
- Sarbanes-Oxley Act of 2002 (SOX) Fraud and accountability. Section 404: Audit internal controls.
- Security Content Automation Protocol (SCAP) SCAP is a specification established by NIST for expressing and manipulating security data in standardized ways.
- Society of Payment Security Professionals – Complaince Demystified Secure Payments, PCI DSS, Regulatory Compliance Blog
- Statement on Auditing Standards (SAS) 70 Compliance Resource Guide Internal Controls, compliance audit for assessing the internal control framework on service organizations that provide critical outsourcing activities for other entities.
- Truth To Power Compliance and guidance research and advisory community
- U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU
Current threat news
- AV-Test.org See their collection of LINKS Anti Virus, Anti Spyware, Personal Firewalls, Security Suites, Corporate Editions, Online-Scanner, Virus Infos, Virus Libraries, Security Blogs AND their Update Frequency of Anti-Virus Software (number of updates in the past
- Bad Mal Web Russian Business Network (RBN) where are they now?
- Banking Information Security News Need security breach horror stories? The ones everyone hears about?
- CERTStation News Threat Management Advisory (TMA) Summary of recent activity
- CircleID Breaking Internet News, Opinions and Blogs
- Cyber-TA (Threat Analytics)
- Dark Reading Information Week Business Journal
- Department of Homeland Security (DHS) Daily Open Source Infrastructure Report
- Department of Homeland Security News email or RSS
- DShield Mirror of ISC. ISC uses the DShield distributed intrusion detection system for data collection and analysis. Submit firewall logs here.
- Emerging Threats More real threats that mainstream media doesn’t cover, with SNORT signatures and firewall rules
- Exploit-db Vulnerabilities. Take vulnerabilities seriously, and if it takes damples to become serious, then look here.
- ExtremeTech News, 802.11 tips
- GNUCITIZEN
- HostExploit Current threat news
- Hosts News More real threats that mainstream media doesn’t cover
- hpHosts Malicious URL list
- Immunity CANVAS Early Updates You may not be able to afford their test tool, but you may wish to follow the exploits as they appear.
- Malware Advisor
- Malware Block List Collects links to malware
- Malware Domain List (MDL) WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.
- Malware Patrol Malware Patrol is a free, automated and user contributed system for verifying URLs for the presence of Viruses, Trojans, Worms, or any other software considered Malware.
- Malware Web Threats More real threats that mainstream media doesn’t cover
- MalwareURL Malicious URL list
- NIST's CVE database
- Offensive Computing Submit a suspicious file AND more real threats that mainstream media doesn’t cover
- SANS Internet Storm Center (ISC) SANS
- Security Wizardry Computer Network Defence Operational Picture from Talisker Computer
- SecurityFocus Bugtraq mailing list
- Shadowserver Foundation Bot and botnet statistics and whitepapers, malware definitions,
- Spyware Sucks More real threats that mainstream media doesn’t cover
- Spyware Warrior
- SpywareGuide
- SRI Inc Malware Threat Center Most Aggressive Malware Attack Source and Filters, Most Effective Malware-Related Snort Signatures, Most Prolific BotNet Command and Control Servers and Filters, Most Observed Malware-Related DNS Names, Most Effective Antivirus Tools Against New Malware B
- Stop Badware
- sudosecure.net More real threats that mainstream media doesn’t cover
- Team Cymru Research NFP a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. By researching the ‘who’ and ‘why’ of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems.
- TeMerc Internet Countermeasures Emerging Security Threats and News
- The H (formerly Heise Online UK) News, more Linux orientation than many
- Threatpost Kaspersky’s consolidated web threat news
- Twitter: Elcomsoft
- UnderForge of Lack More real threats that mainstream media doesn’t cover
- US-CERT
- Washington Post Security Fix column by Brian Krebs
- Web Hacking Incidents: Planting of Malware Successful web application attacks
Podcasts
- GetMon Podcasts fro Cyber Security Professionals
- PaulDotCom Not introductory. Lots of insider-speak. An interview, then the news.
- Radio Free Security Watchguard
Promotions
- Microsoft retailers only Get rewards for learning marketing points
- VistaPrint 250 business cards, $5.67 shipped. 25% discount on custom printed products
- Windows 7 for $30 Students (with .edu address) Only
Subscriptions
- Information Security Magazine
- IT Security Short articles on any topic. Not necessarily well-researched.
- NextGov.com Technology and the Business of Government
- North American Network Operators Group (NANOG) Insider information about the state of the Internet (ISPs, outages, malware …), the actual news behind the broadcast news.
- SANS @RISK Critical Vulnerability Archives in one bulletin, you get the critical ones, what others are doing to protect themselves, plus a complete list of the full spectrum of newly discovered vulnerabilities.
- US-CERT The United States Computer Emergency Readiness Team has a variety of mailing lists and news feeds.
Tools
- Adeona On hold. Free service to track stolen laptops.
- Avira Antivir Rescue System Rootkit hunter
- Blat A Win32 Command Line SMTP Mailer
- BotHunter IDS-ish botnet scanner from SRI International
- DIFRwear RFID blocking wallets
- DTSearch Text Retrieval and Full Text Search, instantly search terabytes of text
- Flawfilder Scan source code for possible security weaknesses
- FortiClient Endpoint Security Suite Standard edition, free Firewall / VPN security, Antivirus and Malware protection, Web Filtering, Endpoint Control and WAN Optimization
- Freeware utilities
- Gargoyle malware discovery across large file systems
- Gmer Rootkit hunter
- GNU Utilities for Win32 Including grep
- IceSword Detect keyloggers, rootkits
- KarenWare Freeware
- KeePass Password Safe free, open source, light-weight and easy-to-use password manager for Windows. You can store your passwords in a highly-encrypted database, which is locked with one master password or key file.
- Lenny Zeltser Cheat Sheets nothing wrong with having these cheat sheets on hand at all times.
- log2timeline Root cause analysis. Review many Windows artifacts to construct a sequence of events
- Maltego Maltego collects publically available information about you, your company, your phone number, and many more.
- Malwarebytes' Anti-Malware Malware discovery
- Mandiant Red Curtain by Nick Harbour, search for suspicious files
- Microsoft Fiddler Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-base
- Microsoft Office enhancements Free from Microsoft
- Microsoft Security Essentials Antivirus
- Microsoft Windows SteadyState Microsoft utility to reset a shared access computer
- Microsoft Windows SysInternals PsExec, ProcessExplorer, Process Monitor, FileMon, DiskMon, RegMon, AutoRuns, and so forth
- Microsoft's free software Ultimate List of Free Windows Software from Microsoft
- Microsoft's Security Tools Part of Security TechCenter. Assess vulnerabilities and strengthen security with these tools and technologies.
- Microsoft's Solution Accelerators “IT Compliance Management Guide” “Security Compliance Management toolkit”, “Malware Removal Starter Kit: How to Combat Malware Using Windows PE”, “Windows Server 2008 Security Guide” (and Vista and XP Security Guides), for example
- Microsoft's Windows Server 2003 Resource Kit Tools a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.
- Nagios IT Infrastructure monitoring
- Nessus Nessus Vulnerability Scanner from Tenable Network Security
- NirSoft Freeware
- nmap “Network Mapper” at insecure.org, a free and open source utility for network exploration or security auditing.
- OpenDNS Trustworthy DNS servers and optional content filtering
- PBX in a Flash the Lean, Mean Asterisk Machine
- Prevx Prevx Edge rootkit hunter
- Quintessential Network Tools Page, The mobrien.com DNS, Routing, Calculators, Performance, Security
- Robtex Internet toolkit
- Script Decoder Decode JScript, ASP pages, VBScript obfuscated with Microsoft’s Windows Script Encoder (screnc.exe)
- Scuba by Imperva a free, lightweight java utility that scans (Oracle, IBM DB2, Microsoft SQL Server, and Sybase) databases for known vulnerabilities and configuration flaws
- Secunia PSI Inventories your system to determine if any software has security vulnerabilities with vendor patches. (free)
- SecuriTeam Web application testing and forensics tools
- Security xploded Tools and articles; IE, Firefox and Chrome password decrypters, ProcNetMonitor
- SlavaSoft FSUM Hash (Message Digest) or Checksum calculator in a command line with wild cards and recursion (free)
- SlavaSoft HashCalc Hash (Message Digest), CRC, and HMAC calculator in a GUI (free)
- Splunk Time-based log review. Consolidates logs from any product.
- Swatch Event log monitoring
- Tinc is a self-contained VPN solution
- Trend Micro System Information Collector (SIC) All-in-one “what’s suspicious about my system?” utility
- Ultimate Boot CD For Windows A bootable recovery CD that contains software used for repairing, restoring, or diagnosing computer problems.
- VideoJak is an IP Video security assessment tool that can simulate a proof of concept video interception or replay test against a targeted, user-selected video session.
- Wireshark (formerly Ethereal) Network Protcol Analyzer
- Xirrus WiFi Inspector Xirrus Wi-Fi Inspector and Xirrus Wi-Fi Monitor Gadgets/Widgets to troubleshoot 802.11 and detect rogue access points
Meta

Articles

Podcasts

Tools

About Me

Terror Alert Level

Internet Traffic Report

Contents

Pages

Articles

Awareness

Blogroll

Compliance and Guidance

Current threat news

Podcasts

Promotions

Subscriptions

Tools

Meta