Infosec Dan

Infosec rants. Your 'Daily Source' for Infosec Tips and Tricks (tm). Warning: Bad humour and unintended puns may follow.

Monday, October 06, 2008

Risk Management

Security comes at a price. A very steep price, that most businesses are reluctant to pay. I mean 'isn't it enough that we keep our information in a firewalled DMZ, physically located in an alarmed, hermetically sealed, climate controlled room, protected by biometricly equipped entry/exit points with twenty four hour guards, eight foot fences... Killer Poodles?

The answer, in case you are wondering, is no. Unfortunately the premium on Killer Poodles that can sniff network traffic as well as bite intruders is way too high. so other methods to be employed. One, poodleless way to reduce the cost of Security is through Risk Management. Wow, that is freaky, I swear I just heard the Internet yawn. No really, Risk Management is the answer! In fact it is the only answer. 'Information Security' = 'Risk Management'. You heard it here first folks.

Here is an official definintion:

Risk management is the identification, measurement, control and minimization of loss associated with uncertain events or risks. It includes the overall security reviews, risk analysis, evaluation and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation and effectiveness reviews.
- Hansche, S;Berti, J;Hare, C. Official (ISC)2 Guide to the CISSP Exam. New York: Auerbach Publications;2004.

Over my next few bleurghs or what simple folk refer to as a 'blog entry', I will talk about the Risk Analysis part of 'Information Security Management'. For now, go read a book.

If you enjoyed this post Bookmark it at del.icio.us

Wednesday, April 30, 2008

Personal Data Encryption with TrueCrypt

If you need a tool to encrypt your personal data in an efficient, manageable and above all secure manner then I can't reccomend TrueCrypt - www.truecrypt.org highly enough.

Tuesday, March 07, 2006

Why replace telnet with SSH?

I still get asked this one from time to time, so here it is in writing for future reference.

Essentially you might as well ask why you should replace any unencrypted protocol with an encrypted one. A detailed risk or cost benefit analysis is probably unnecessary when you consider this question:

Do you trust the people you allow onto your network?

If the answer is no, and it really should be, then you should consider replacing any unencrypted authentication (HTTP Digest, FTP, Telnet) to your companies assets with more secure methods (HTTPS, SSH, SFTP).

If you can’t be convinced to distrust your staff, then I hope you have implemented Port Based Network Access Control (802.1x) or have really clever guard dogs at a minimum, because with the following freely available tool, anyone who manages to connect to your network will basically own it.

http://www.oxid.it/cain.html

At it's heart Cain is an extremely comprehensive, yet easy to use, set of password cracking tools combined with a network sniffer. The latest feature to be introduced is truly frightening. Automated ARP cache poisoning. For those of you who don't understand the significance of this you should read the following article:

http://www.grc.com/nat/arp.htm


Quite simply it gets around one of the supposed security benefits of switched networks. The inability to sniff traffic destined for ports other than the one you are connected to.

If you enjoyed this post Bookmark it at del.icio.us

Friday, February 10, 2006

Tip #1 - Never use customer data in a test lab. Or 'How to get Fired in Three Easy Steps'.

This is one that never ceases to surprise me. People, how hard is it to generate fake customer data? Wait that gives me an idea. A 'Fake Customer Generator'. I'm going to get right on it.

If you enjoyed this post Bookmark it at del.icio.us

Thursday, February 09, 2006

My Favourite Tools (smirk)

The obligatory posting of favourite security tools:
  • Nmap
    • The tool that has rocked many a world.
    • nmap -sI 4lyfe
  • Tcprelay
    • Great for knocking over flaky services
  • Nemesis
    • A bit like witchcraft for packets.
  • Putty (is there an alternative?!)
    • SSH Client.
  • Nessus
    • The lazy way.
  • Powerpoint
    • No jokes. The most effective way I know of explaining security to the PHBs other than knocking them over the head with a brick.


    If you enjoyed this post Bookmark it at del.icio.us

    Socialise This