Free Security Magazines And Publications

Free security magazines and resources are available if you just know where to look. The following collection should be useful for novice and experienced computer users alike.

Security: Security magazine reaches 35,000 security end-user and integrator subscribers in government, healthcare, education, airports, seaports, transportation, distribution, utilities, retail, industrial, financial, hospitality / entertainment, construction, industrial/manufacturing and other markets.

Security Source: From spyware to phishing attacks, security threats are growing more virulent as the promise of big payoffs increases. In its premier Winter 2007 issue, Security Source Magazine’s cover story is about keeping the network secure, from the gateway to the desktop.

Security on a Budget: How to Develop a Cost-Effective Security Program: Is it better to manage in-house or outsource some tasks to an MSSP? Do you have a complete view of all the “hidden” costs that are often not recognized until late in the process? This webinar provides an insider’s recommendation on how to get the most from your information security budget. Lance Wolrab shares his “lessons learned” about cost management as a CSO for a large healthcare organization and as a senior security engineer at Dell SecureWorks.

HackerProof: Your Guide to PC Security: The terms “PC security” or “computer security” are vague in the extreme. They tell you very little, like most general terms. This is because PC security is an incredibly diverse field. On the one hand you have professional and academic researchers who carefully try to find and fix security issues across a broad range of devices. On the other hand, there is also a community of inventive computer nerds who are technically amateurs (in the literal sense of the word – they’re unpaid and unsupported by any recognized institution or company) but are highly skilled and capable of providing useful input of their own.

Justifying IT Security: Managing Risk & Keeping Your Network Secure: This white paper discusses the management of risk and how vulnerability management is one of the few countermeasures easily justified by its ability to optimize risk.

Securing & Optimizing Linux: The Hacking Solution (v.3.0): This 800+ page eBook is intended for a technical audience and system administrators who manage Linux servers, but it also includes material for home users and others. It discusses how to install and set up a Linux server with all the necessary security and optimization for a high-performance, Linux-specific machine. It can also be applied, with some minor changes, to other Linux variants without difficulty.

7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction: Rapid changes within technology and the evolving sophistication of attack methods used to infiltrate systems create the greatest set of challenges faced by IT administrators trying to keep their systems secure and within regulatory compliance. That’s why—whether protecting five servers or 5,000—the security status of your infrastructure and your organization’s ability to rapidly mitigate emerging threats need to be continuously monitored and measured.

Lockdown: Secure Your Data With TrueCrypt: This manual covers local file encryption – that is, encrypting files on a hard drive (or encrypting the entire hard drive; more on that later). The files are safe as long as they are kept in the encrypted area. TrueCrypt is a free, cross-platform program (meaning that it works in Windows, Mac OS X and Linux distributions including Ubuntu) that you can use to encrypt your data. It is classified as “On The Fly Encryption” (OTFE) software, which basically means that it encrypts and decrypts files as you access and modify them, and that all files within the area of encryption are available as soon as you enter the key. With this free guide you will also receive daily updates on new cool websites and programs in your email for free, courtesy of MakeUseOf.

The Top 10 Reports for Managing Vulnerabilities: New network vulnerabilities appear constantly, and the ability of IT security professionals to handle new flaws, fix misconfigurations and protect against threats requires constant attention. However, with shrinking budgets and growing responsibilities, time and resources are constrained. Sifting through pages of raw vulnerability information therefore yields few results and makes it impossible to accurately measure your security posture.

The (VERY) Unofficial Guide To Facebook Privacy: As the service evolves, executives tend to favor open access to information, meaning information you think is private will slowly become public, but that doesn’t mean you can’t be private if you want to. Facebook gives its users the option to lock things down, but users need to be aware of their controls, how to use them and how to prepare for future Facebook privacy changes. Facebook has not and will not make this information obvious, and that’s where this guide comes in. With this free guide you will also receive daily updates on new cool websites and programs in your email for free, courtesy of MakeUseOf.

Security Director News: Through its web site and weekly newswire, Security Director News delivers day-to-day facts and real business information that assist security directors in making the right decisions for the safety of their organizations. Security Director News presents a wide variety of viewpoints on important issues, including interviews with involved parties, analysts and experts from every industry segment.

Web Application Security: How to Minimize Prevalent Risk of Attacks: Stories about exploits that compromise sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these often fall outside the traditional expertise of network security managers.

Security Systems News: Security Systems News is a monthly business newspaper reaching over 28,000 security dealer/installers, systems integrators, product distributors, central stations, systems resellers as well as end users and security consultants. Editorial coverage focuses on breaking news in all major segments of the security industry such as market trends, new products, new technology introductions, and news about manufacturers and suppliers.

Open Source Security Tools: A Practical Guide to Security Applications: Written with the harried IT manager in mind, Open Source Security Tools is a practical, hands-on introduction to open source security tools. Seasoned security expert Tony Howlett has reviewed the overwhelming assortment of these free and low-cost solutions to provide you with the “best of breed” for all major areas of information security.

Securing Sensitive Data in File Shares: All companies invest in software and staff to ensure they are able to control access to critical information that’s stored in applications and databases because it’s part of standard business and IT operations. Despite those investments, companies don’t put the same amount of resources toward protecting unstructured stores like file shares. View the archive of this educational webinar to learn how your company can effectively manage access to data in file shares.

PC Security Handbook – 2nd Edition: This handbook is designed to help you find ways to protect your Windows XP/Vista/7 PC and ensure your data is safe. The author gets countless emails from site visitors who ask about the best anti-virus software, firewall program, backup utilities, etc., and there are often questions like this in the forums. He sets up PCs for companies, friends, and family; the advice he gives in this manual is what he uses when building any PC. His tips are tried and tested and have left hundreds of people satisfied with the way their computers work. He hopes you too can follow these instructions and enjoy an error-free, spyware-free, and speedy PC.

SY0-201 CompTIA Security+ Special Edition Practice Exam and Study Guide: CompTIA’s Security+ exam is a critical step for anyone interested in IT security. It’s a key component in the Department of Defense’s 8570.1 initiative that mandates federal IT workers and contractors gain security certifications to work with the federal government. The ExamForce SY0-201 CompTIA Security+ practice exam provides a unique triple testing mode to instantly set a baseline of your knowledge and focus your study where you need it most, while the 51 page Study Guide provides high quality reference material — a valuable companion to the practice exams.

Federal Computer Week: Provides the information decision-makers need to run the business of their agencies and deliver on their missions through the deployment of information technology.

Who Is Behind Database Security Breaches

Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious.

U.S. Secret Service Assistant Director A.T. Smith said,

Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today, cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.

The following graph demonstrates the effects of security breaches and where breaches originate.

It is not news that a high percentage of attacks originate from external sources, but where you should take note is that 18% of attacks come from insiders and business partners. Previously I wrote about Facing cyber security threats from employees; if you have not taken the time to read that post, I highly suggest you do so.

External risks are, in most cases, easily identified; threats from within are often much more complex to prevent.

Combating The Problem

Access controls are the front line of defense: they help to prevent the accidental or malicious disclosure, modification, or destruction of data. Access controls also matter for malfunctioning programs. All software has some type of defect, and defects open your software up to vulnerabilities or even to leaking confidential data.

Business partners are necessary, but they must not be allowed free access to networks, and policies must be in place to help keep out prying eyes. One such policy may be that when non-employees are on the floor, computer screens are to be turned off and desktops are to be cleared.

Finally, the biggest bang for the buck is auditing. I know this seems obvious, but I am amazed at the lack of auditing that I have seen over the years, particularly with software. I’m not saying audit everything, but you should identify the greatest risk and start from there. For example, password resets and data transactions can provide tell-tale signs that systems have been compromised.
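To make the last point concrete, here is an added example (not code from the original post) of the kind of audit review it describes: a small Python script that reads audit records and flags the two signals named above, a burst of password resets by one actor and data transactions that are unusually large or happen outside business hours. The log line format, the account names, the thresholds and the business-hours range are all constructed for illustration; a real deployment would read the application's own audit table or log and tune the thresholds to its baseline.

```python
"""Audit-log triage: password-reset bursts and unusual data transactions.

Added example. The record format, thresholds and account names below are
constructed for illustration and are not from any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <actor> <event> <target> <detail>"
SAMPLE_LOG = """\
2011-05-02T09:12:04 jsmith PASSWORD_RESET jsmith self-service
2011-05-02T22:41:10 helpdesk3 PASSWORD_RESET cfo_office ticket=none
2011-05-02T22:41:55 helpdesk3 PASSWORD_RESET payroll_admin ticket=none
2011-05-02T22:42:30 helpdesk3 PASSWORD_RESET dba_prod ticket=none
2011-05-02T22:43:02 helpdesk3 PASSWORD_RESET svc_backup ticket=none
2011-05-02T23:05:17 dba_prod DATA_EXPORT customers rows=250000
2011-05-03T10:30:00 partner_acme DATA_EXPORT invoices rows=120
2011-05-03T03:10:44 partner_acme DATA_EXPORT customers rows=80000
"""

RESET_THRESHOLD = 3                    # this many resets by one actor ...
RESET_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
EXPORT_ROW_THRESHOLD = 50_000          # exports at or above this are "large"
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 counts as business hours


def parse_line(line):
    """Split one constructed audit record into a dict."""
    ts, actor, event, target, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "event": event, "target": target, "detail": detail}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def reset_bursts(events):
    """Return {actor: max resets seen inside RESET_WINDOW} for actors who
    reset at least RESET_THRESHOLD passwords within the window."""
    recent = defaultdict(deque)   # actor -> timestamps inside the window
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "PASSWORD_RESET":
            continue
        window = recent[e["actor"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > RESET_WINDOW:
            window.popleft()       # drop resets that fell out of the window
        if len(window) >= RESET_THRESHOLD:
            flagged[e["actor"]] = max(flagged.get(e["actor"], 0), len(window))
    return flagged


def suspicious_exports(events):
    """Flag DATA_EXPORT events that are large or outside business hours.
    Returns a list of (actor, target, rows, reasons) in log order."""
    out = []
    for e in events:
        if e["event"] != "DATA_EXPORT":
            continue
        rows = int(e["detail"].split("rows=", 1)[1])   # constructed detail format
        reasons = []
        if rows >= EXPORT_ROW_THRESHOLD:
            reasons.append("large")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if reasons:
            out.append((e["actor"], e["target"], rows, reasons))
    return out


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for actor, count in reset_bursts(evts).items():
        print(f"RESET BURST: {actor} reset {count} passwords within {RESET_WINDOW}")
    for actor, target, rows, why in suspicious_exports(evts):
        print(f"EXPORT: {actor} pulled {rows} rows from {target} ({', '.join(why)})")
```

On the constructed sample, the helpdesk account that resets four privileged passwords in two minutes late at night is flagged, as are the two large after-hours exports that follow; the routine self-service reset and the small daytime partner export are not. The sliding window is the important design choice: a fixed per-day count would miss a burst that straddles midnight and would over-flag a busy but legitimate helpdesk.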

Conclusion

Security is a daily process that is ever changing, in large part due to growing threats. It is simply not enough to purchase hardware and software and expect that your organization is protected. In particular, if you provide software services, whether internal or external to the company, secure coding and education of the development team are paramount to success.

References

  1. Database Security: Tech Center, Dark Reading
  2. Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low

Microsoft Baseline Security Analyzer

If you’re running a Windows platform then you must secure your operating system, and the Microsoft Baseline Security Analyzer (MBSA) makes it a breeze. Securing your operating system is absolutely the single most important step you can take to protect yourself. Computers have become so mainstream in homes today that daily activities previously done with pen and paper are all but extinct. There are a number of actions that should be taken, including staying up to date with patches and of course controlling user accounts, but this just begins to scratch the surface. Unless you’re a security expert, you most likely do not know what the next steps are. This is where the Microsoft Baseline Security Analyzer is beneficial.

Introduction to MBSA

Microsoft Baseline Security Analyzer is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. A number of options include:

  1. Administrative vulnerabilities
  2. Weak Passwords
  3. IIS administrative vulnerabilities
  4. SQL administrative vulnerabilities
  5. File shares
  6. … and more

Best of all, Microsoft Baseline Security Analyzer is absolutely free from Microsoft!

Executing MBSA

Once you have downloaded and installed Microsoft Baseline Security Analyzer go ahead and run the application.

If you’re scanning a single computer then go ahead and click “scan a computer”. Once the next dialog has loaded, you will need to uncheck IIS and SQL administrative vulnerabilities unless of course you are running these two services.

The next step is to start the scan. Go ahead and click the “start scan” button. The scan can take a few minutes, so be patient. Once the scan has completed you are presented with a dialog that tells you exactly what was scanned, the score, the issue, and the result. Reporting includes:

  1. Microsoft Office Updates
  2. Critical Updates or Patches
  3. Weak Password Check
  4. Services
  5. Firewall
  6. File Sharing

The scan resulted in a number of critical failures. The failures must be corrected to properly secure your system, and while you are in the process, address each line item to further fortify your operating system. Take for example the critical failure of the local account password test. The result states that user accounts have simple or no passwords, which can allow others to quickly determine your password.

If you’re not sure how to correct the problem, Microsoft has you covered here as well. Go ahead and click “how to correct this”, and the issue is explained and a solution with instructions is provided. It cannot be any simpler, so you now have no reason not to properly secure your operating system.

Conclusion

Microsoft Baseline Security Analyzer does a great job of pointing out the holes in your security, and by following the best practices and guidelines provided you will quickly find yourself on a path of security prosperity. Just remember, security is a never-ending process, so you may want to re-run the scan on a monthly or even a quarterly basis.

Have you used Microsoft Baseline Security Analyzer previously? If so, what are your thoughts? Does this product provide a valuable tool set that helps in your security endeavors?

Credits

Featured image: Casey Serin

OWASP Application Security Tutorials

Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application. Applications only control the use of resources granted to them, not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.

The Open Web Application Security Project (OWASP) publishes updates on the latest threats that impair web-based applications. This helps developers, security testers and architects focus on better design and mitigation strategies.

Free Security Vulnerability Guides From Veracode

Veracode focuses on helping organizations accurately identify and manage application security risk. They offer a number of resources, including podcasts, whitepapers, cheat sheets, and much more.

SQL Injection Cheat Sheet

The SQL Injection Cheat Sheet provides a summary of everything you need to know about SQL Injection. The SQL Injection Cheat Sheet contains the key concepts of SQL Injection and a SQL Injection example and tips for prevention of SQL Injection attacks. Note that you must register with Veracode in order to obtain these cheat sheets.

Download the FREE SQL Injection Cheat Sheet

Cross-Site Scripting (XSS) Cheat Sheet

The Cross-Site Scripting Cheat Sheet provides a summary of what you need to know about Cross-site Scripting. Our XSS cheat sheet details the different types of Cross-site Scripting and shows you how to protect against Cross-site Scripting vulnerabilities.

Download the FREE XSS Cheat Sheet

LDAP Injection Cheat Sheet

The LDAP Injection Cheat Sheet provides a summary of what you need to know about LDAP Injection. It contains an LDAP Injection example and details of how to protect against LDAP Injection vulnerabilities.

Download a FREE LDAP Injection Cheat Sheet