tag:blogger.com,1999:blog-222068822011-11-28T00:05:49.118ZInfosec rants. Your 'Daily Source' for Infosec Tips and Tricks (tm). Warning: Bad humour and unintended puns may follow.DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.comBlogger51100tag:blogger.com,1999:blog-22206882.post-1139787357615556242008-10-06T23:26:00.000+01:002009-01-12T11:28:44.344ZSecurity comes at a price. A very steep price, that most businesses are reluctant to pay. I mean 'isn't it enough that we keep our information in a firewalled DMZ, physically located in an alarmed, hermetically sealed, climate controlled room, protected by biometricly equipped entry/exit points with twenty four hour guards, eight foot fences... Killer Poodles?<br /><br />The answer, in case you are wondering, is no. Unfortunately the premium on Killer Poodles that can sniff network traffic as well as bite intruders is way too high. so other methods to be employed. One, poodleless way to reduce the cost of Security is through Risk Management. Wow, that is freaky, I swear I just heard the Internet yawn. No really, Risk Management is the answer! In fact it is the only answer. 'Information Security' = 'Risk Management'. You heard it here first folks.<br /><br />Here is an official definintion:<br /><blockquote><br /><span style="FONT-STYLE: italic">Risk management is the identification, measurement, control and minimization of loss associated with uncertain events or risks. It includes the overall security reviews, risk analysis, evaluation and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation and effectiveness reviews.</span><br /><span style="FONT-STYLE: italic">- Hansche, S;Berti, J;Hare, C. Official (ISC)2 Guide to the CISSP Exam. New York: Auerbach Publications;2004.</span><br /></blockquote><br />Over my next few bleurghs or what simple folk refer to as a 'blog entry', I will talk about the Risk Analysis part of 'Information Security Management'. For now, go read a book.<br /><br />If you enjoyed this post <a onclick="return dbt_bookmark('http://infosecdan.blogspot.com/2006/02/risk-management.html');" href="http://www.blogger.com/post-edit.g?blogID=22206882&amp;postID=113978735761555624#">Bookmark it at del.icio.us</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/22206882-113978735761555624?l=infosecdan.blogspot.com' alt='' /></div>DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.com0tag:blogger.com,1999:blog-22206882.post-35128354103177415052008-04-30T10:27:00.003+01:002008-04-30T10:57:30.164+01:00If you need a tool to encrypt your personal data in an efficient, manageable and above all secure manner then I can't reccomend TrueCrypt - <a href="http://www.truecrypt.org/">www.truecrypt.org</a> highly enough.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/22206882-3512835410317741505?l=infosecdan.blogspot.com' alt='' /></div>DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.com0tag:blogger.com,1999:blog-22206882.post-1141750664231372092006-03-07T16:46:00.000Z2006-03-07T17:18:27.846ZI still get asked this one from time to time, so here it is in writing for future reference.<br /><br />Essentially you might as well ask why you should replace any unencrypted protocol with an encrypted one. A detailed risk or cost benefit analysis is probably unnecessary when you consider this question:<br /><br />Do you trust the people you allow onto your network?<br /><br />If the answer is no, and it really should be, then you should consider replacing any unencrypted authentication (HTTP Digest, FTP, Telnet) to your companies assets with more secure methods (HTTPS, SSH, SFTP).<br /><br />If you can’t be convinced to distrust your staff, then I hope you have implemented Port Based Network Access Control (802.1x) or have really clever guard dogs at a minimum, because with the following freely available tool, anyone who manages to connect to your network will basically own it.<br /><br /><a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a><br /><br />At it's heart Cain is an extremely comprehensive, yet easy to use, set of password cracking tools combined with a network sniffer. The latest feature to be introduced is truly frightening. Automated ARP cache poisoning. For those of you who don't understand the significance of this you should read the following article:<br /><a href="http://www.grc.com/nat/arp.htm"><br />http://www.grc.com/nat/arp.htm</a><br /><br />Quite simply it gets around one of the supposed security benefits of switched networks. The inability to sniff traffic destined for ports other than the one you are connected to.<br /><br />If you enjoyed this post <a href="#" onclick="return dbt_bookmark('http://infosecdan.blogspot.com/2006/03/why-replace-telnet-with-ssh.html');">Bookmark it at del.icio.us</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/22206882-114175066423137209?l=infosecdan.blogspot.com' alt='' /></div>DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.com0tag:blogger.com,1999:blog-22206882.post-1139571179333245162006-02-10T11:23:00.000Z2006-02-23T11:35:46.150ZThis is one that never ceases to surprise me. People, how hard is it to generate fake customer data? Wait that gives me an idea. A 'Fake Customer Generator'. I'm going to get right on it.<br /><br />If you enjoyed this post <a href="#" onclick="return dbt_bookmark('http://infosecdan.blogspot.com/2006/02/tip-1-never-use-customer-data-in-test.html');" >Bookmark it at del.icio.us</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/22206882-113957117933324516?l=infosecdan.blogspot.com' alt='' /></div>DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.com0tag:blogger.com,1999:blog-22206882.post-1139508098604980222006-02-09T18:00:00.000Z2006-02-23T12:07:44.630Z<span style="font-family:trebuchet ms;">The obligatory posting of favourite security tools:<br /></span><ul><li><a href="http://www.insecure.org/nmap/"><span style="font-family:trebuchet ms;">Nmap</span></a></li><ul><li><span style="font-family:trebuchet ms;">The tool that has rocked many a world.</span></li><li><span style="font-family:trebuchet ms;">nmap </span>-sI 4lyfe<br /></li></ul><li><a href="http://tcpreplay.sourceforge.net/"><span style="font-family:trebuchet ms;">Tcprelay</span></a></li><ul><li><span style="font-family:trebuchet ms;">Great for knocking over flaky services</span></li></ul><li><a href="http://nemesis.sourceforge.net/"><span style="font-family:trebuchet ms;">Nemesis</span></a></li><ul><li><span style="font-family:trebuchet ms;">A bit like witchcraft for packets.</span></li></ul><li><span style="font-family:trebuchet ms;"><a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/">Putty </a>(is there an alternative?!)</span></li><ul><li><span style="font-family:trebuchet ms;">SSH Client.</span></li></ul><li><a href="http://www.nessus.org/"><span style="font-family:trebuchet ms;">Nessus</span></a></li> <ul> <li><span style="font-family:trebuchet ms;">The lazy way.<br /> </span></li> </ul> <li><a href="http://www.microsoft.com"><span style="font-family:trebuchet ms;">Powerpoint</span></a></li> <ul> <li>No jokes. The most effective way I know of explaining security to the PHBs other than knocking them over the head with a brick.<br /></li> </ul> </ul><span style="font-family:trebuchet ms;"></span><ul></ul><br /><br />If you enjoyed this post <a href="#" onclick="return dbt_bookmark('http://infosecdan.blogspot.com/2006/02/my-favourite-tools-smirk.html');" >Bookmark it at del.icio.us</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/22206882-113950809860498022?l=infosecdan.blogspot.com' alt='' /></div>DChttp://www.blogger.com/profile/01054975835962882702noreply@blogger.com0