Wednesday, August 31

Anti-virus - is tiered security solution a good idea?
by
RaviC
on Wed 31 Aug 2005 08:30 AM PDT
One security best practice is to deploy at least two tiers of anti-virus engines from different vendors (for example, one vendor on the mail gateway and another on the desktops). The advantages are:
1. No downtime: while one engine is being upgraded, the other keeps scanning.
2. Extended signature coverage: the two vendors' signature sets overlap but are not identical, so one may catch what the other misses.
3. Redundancy: no single point of failure, and no single point of vendor reliance either.
All of the above looks good in theory, but in practice:
1. Do the engines co-exist without issues? Two resident scanners on the same host commonly fight over the same files, so the usual arrangement is different vendors at different tiers rather than on the same machine. Will future upgrades of either engine break that co-existence?
2. What is the total cost of ownership of maintaining two engines, two update channels and two sets of administrators?
3. There is no single point of ownership: if there is an infection, which vendor do you engage first, and which one is held accountable?
There is no one right solution in security; it is a delicate dance. For the two-tiered solution discussed above, you need to recognize whether, for your situation, you have reached the point of diminishing returns before implementing it.
Tuesday, August 30

Domain Name Service (DNS) - is it a vulnerable glue?
by
RaviC
on Tue 30 Aug 2005 12:30 PM PDT
DNS is the glue that binds the Internet: it maps user-friendly names to IP addresses (and, through reverse lookups, IP addresses back to names). Imagine a world without DNS for a moment. To reach the Microsoft.com web site you would type http://207.46.130.108 - how much fun would it be to remember the IP addresses of millions of web sites?
Now that the point about DNS binding the Internet IP space is made, the next point is about its vulnerability. Suppose you type http://www.microsoft.com into a browser and your query is intercepted, or a forged answer arrives before the real one, carrying a fake IP address: the browser will connect to the fake IP. Take this one level further: if the site is your bank and you get a fake IP, your login and password can be compromised. Tampering with the name-to-IP mapping is known as DNS spoofing (or cache poisoning, when the forged answer is stored by a resolver and served to everyone behind it). It is relatively easy because a plain DNS answer carries no authentication: a resolver accepts a UDP response if its 16-bit transaction ID, destination port and question section match an outstanding query, and an attacker who can observe or guess those can inject an answer. That is what makes DNS vulnerable.
Some thoughts on securing DNS:
1. Authenticate server-to-server traffic - Use TSIG (a shared-secret HMAC signature on each message) or SIG(0) (public-key signatures) between master and slave servers so that forged zone transfers, notifies and dynamic updates are rejected. Note that these authenticate the traffic rather than encrypt it, and they do nothing for answers sent to ordinary clients; authenticating those is what DNSSEC zone signing (RFC 4033-4035) is for. Restrict zone transfers to known servers.
2. Don't list the private IPs of your zone - The ls command in nslookup is just a zone transfer (AXFR); restricting allow-transfer to your own secondaries, or to a TSIG key, stops it. Keep internal hosts out of the externally visible zone altogether.
3. Isolate internal DNS servers from external DNS servers - Use a split-horizon DNS architecture, which in layman's terms means two sets of DNS servers. Internal DNS servers answer intra-company queries and relay all other queries to the external DNS servers. External DNS servers answer outside-world queries for the zone's public IPs, and resolve (recursively) the non-intra-company queries relayed by the internal servers. Split horizon can be implemented on a single BIND 9.x server using views, but I would not recommend a single server serving both intra-company and outside-world queries: one process, one exploitable bug, and both halves are exposed.
4. Prevent outside-world induced recursive query attacks - Disable recursion on the external DNS servers for outside-world originating queries. An open recursive resolver is easier to poison and can be abused as a reflector against third parties.
5. Update/Patch software - Run a recent, patched version of BIND 9.x, and do not advertise the version string.
6. Configure your firewall - Log, monitor and administer DNS traffic. Allow TCP/53 as well as UDP/53 to your authoritative servers, since zone transfers and large answers need it.
7. Registration check - Last but not least, monitor your domain registration: run a whois lookup regularly and confirm that the registrant, contacts and name-server delegation at the registrar have not been changed.
There are a multitude of tools which can perform a DNS audit for you. One interesting vendor tool is DNS Expert.
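Points 1 through 5 above, as one BIND 9 named.conf sketch showing the weak default next to the hardened settings. This is an added example, not configuration from the original post or from any vendor. The zone example.com, the 10.0.0.0/8 internal range, the 192.0.2.53 slave address, the key name xfer-key and the zone file paths are assumptions; the secret is a placeholder to be replaced with the output of tsig-keygen, and hmac-sha256 assumes a BIND release that supports it (older 9.x releases offer hmac-md5).

```conf
// Weak: what many servers of the period shipped with. Everyone gets recursion,
// anyone can pull the whole zone (nslookup's "ls" is just an AXFR).
//
// options {
//     recursion yes;
//     allow-transfer { any; };
// };

// Hardened:
acl "internal" { 10.0.0.0/8; 127.0.0.1; };   // assumption: intra-company ranges

// TSIG shared secret. It authenticates (HMAC) master<->slave traffic; it does
// NOT encrypt it, and it does nothing for answers sent to ordinary clients.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

// Sign every message to the slave with this key (the slave carries a matching
// key statement and a server statement pointing back at this master).
server 192.0.2.53 { keys { "xfer-key"; }; };

options {
    version "not disclosed";      // do not advertise the BIND version
    allow-transfer { none; };     // global default: no zone transfers at all
};

view "internal" {
    match-clients { internal; };
    recursion yes;                // only intra-company clients get recursion
    allow-recursion { internal; };
    zone "example.com" {
        type master;
        file "zones/internal/example.com.db";   // private IPs live only here
        allow-transfer { key "xfer-key"; };     // signed transfers only
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // outside world gets authoritative answers only
    zone "example.com" {
        type master;
        file "zones/external/example.com.db";   // public IPs only
        allow-transfer { key "xfer-key"; };
        also-notify { 192.0.2.53; };
    };
};
```

Two caveats a practitioner would want. First, both views here live in one named process, which is exactly the single-server arrangement point 3 argues against; the same view bodies split across two servers (internal view on the inside box, external view on the outside box) give the recommended architecture. Second, after deploying, check from an outside address that the external server answers an AXFR request with REFUSED and that its replies do not set the RA (recursion available) flag; if either check passes, a client matched the wrong view.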
Monday, August 29

Instant Messengers (IM) - How safe are they?
by
RaviC
on Mon 29 Aug 2005 08:00 AM PDT
Security is only as strong as the weakest link. Many corporates spend tons of money securing their applications, hardware and infrastructure but forget to focus on a seemingly trivial application like IM. IM users can send unencrypted information, share files, publish their on-line status and send audio/video to users across the Internet. As an example, a user's on-line status reveals the user's on-line behaviour: people outside the organization can find out when a particular user logs in and out of IM, make a good guess whether the user is logged in from home or from the office, and hence determine location. Another example: if I knew that John had just met a friend called Tom, and that Tom was not yet on John's buddy list, I could open an account tom234, add John as a buddy and impersonate Tom to gain John's trust. This is easy because authentication is tied only to the on-line identity, not to the person behind it.
Companies like Yahoo! and AOL have come out with corporate versions of their messengers, called enterprise messengers, which work only within the company and not across the Internet. Other vendors make IM gateway managers, which sit behind the firewall and administer IM traffic. There are also hybrid enterprise messenger solutions which work both within the company and across the Internet.
There is no one right answer about how to secure IM in a corporate setting, but there are some minimal things that corporates can do:
0. Policy: Have a policy about IM usage.
1. IM Gateway: Implement an IM gateway to log, monitor and administer IM traffic.
2. File Sharing: Block file sharing through IM.
3. Audio/Video: Block audio/video through IM.
Further along the spectrum, deploy an enterprise messenger solution which allows messaging only within the company. At the extreme end of the spectrum, create a policy which disallows IM usage altogether!
Friday, August 26

Note about this blog
by
RaviC
on Fri 26 Aug 2005 07:54 AM PDT
I have been receiving excellent feedback from readers about making this blog more useful. Some feel that I should focus on hacking and get more technically detail-oriented. Since there are a good number of blogs which focus on hacking and the nuts and bolts of security, and due to my time constraints, I have decided to keep the blog focused. My goal is to provide a high-level conceptual overview of security and make readers grounded enough to think further and arrive at their own creative solutions.

Search Security
by
RaviC
on Fri 26 Aug 2005 07:41 AM PDT
Search is one of the hot technology areas these days. Corporates have implemented search technology to boost productivity. Last year, when I deployed GSA (Google Search Appliance, a search engine) for my company, I was tempted to type the following search keywords: password, passwd, secret et al. To my surprise, many of those keywords returned pages where users had stored real passwords! When I asked the vendor (Google) whether there was a way to disable specific sensitive keywords, they said no! I am not following the later versions (4.x) of GSA; maybe the feature is available now.
One thing to remember before deploying a corporate intranet/extranet search engine is that it has security ramifications: search is a powerful searching and hacking tool. I found an interesting article on securityfocus.com about "Googling Passwords".
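The check that follows from the experience above: before a search appliance indexes a share or wiki, run the attacker's queries yourself and fix what turns up. The script below is an added example, not code from the post, from Google or from the GSA. The four documents are constructed for illustration, and the regexes are a starting point for the keywords named in the post, not an exhaustive secret detector.

```python
import re
from typing import Dict, List, Tuple

# What an attacker would type into the intranet search box (password, passwd,
# secret), plus two things a plain keyword search misses: credentials embedded
# in URLs and private-key headers.  Assumed patterns, tune for your own corpus.
CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    "password-assignment": re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "secret-assignment":   re.compile(r"\b(secret|api[_-]?key|token)\s*[:=]\s*\S+", re.I),
    "private-key-block":   re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "basic-auth-url":      re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}


def mask(line: str) -> str:
    """Redact whatever follows ':' or '=' so the report is not a second leak."""
    return re.sub(r"([:=]\s*)\S+", r"\1*****", line)


def find_credential_leaks(documents: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan {path: text} and return (path, line number, pattern name, masked line) per hit.

    Only the first matching pattern on a line is reported; the point is to find
    the document, not to count every occurrence.
    """
    hits: List[Tuple[str, int, str, str]] = []
    for path, text in documents.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pname, pattern in CREDENTIAL_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, lineno, pname, mask(line)))
                    break
    return hits


# Constructed sample corpus: one benign mention of "password", three real leaks.
SAMPLE_DOCS: Dict[str, str] = {
    "wiki/build-server.txt": "Build box is jenkins01.\nadmin password = Tr0ub4dor&3\nRestart with sudo.\n",
    "wiki/onboarding.txt":   "Change your password on day one.\nAsk IT for the VPN client.\n",
    "ops/deploy.sh":         "#!/bin/sh\nexport DB_URL=postgres://app:s3cret@db01/prod\n",
    "keys/old.pem":          "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
}

if __name__ == "__main__":
    for path, lineno, pname, redacted in find_credential_leaks(SAMPLE_DOCS):
        print(f"{path}:{lineno}: {pname}: {redacted}")
```

Run it over the export of whatever the appliance is about to crawl (a mounted file share, a wiki dump) and move the hits out of the index scope before the crawl, since the appliance itself offered no way to suppress the keywords. The mask() step matters: a report that lists the secrets in clear is just another document for the search engine to find.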
Thursday, August 25

De-buzzing IT SOX compliance
by
RaviC
on Thu 25 Aug 2005 09:26 AM PDT
SOX (Sarbanes-Oxley), enacted in 2002, was fashioned to protect investors by requiring accuracy, reliability and accountability of corporate disclosures. It makes senior management accountable for the internal controls that ensure accurate financial reports. Failure to comply can result in prison time of up to 20 years and/or penalties of up to $5 million.
SOX is a complex legal requirement. The two sections that concern IT most are 302 and 404. Section 302 states that the certifying officers are responsible for maintaining internal control over financial reporting; it makes corporate executives clearly responsible for establishing, evaluating and monitoring that control. IT is the foundation of any system of internal control, and hence section 302 puts IT in the SOX compliance game. Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of internal control over financial reporting. In practice that means establishing an infrastructure to protect and preserve records and data from destruction, loss and unauthorized alteration, since those records underpin the integrity of the business processes; the record-retention obligations themselves (the auditor asking for an email received two years ago, for instance) come largely from section 802 and the SEC rules under it. In other words, you need to lock down the IT environment and clearly document how it is done and how it is monitored. Underneath that one sentence lies a great deal of work, depending on the complexity of your business.
As a guideline for IT managers, think of four broad IT areas for implementing internal controls:
1. System Security
2. Configuration Management
3. Data Management
4. Operations
Wednesday, August 24

Is your computer free of Malware?
by
RaviC
on Wed 24 Aug 2005 08:53 AM PDT
Malware is short for malicious software. In the sense used here it comes in many forms: adware, spyware, browser hijackers, toolbars and dialers. Adware serves nasty, sometimes targeted pop-up and pop-under advertisements. Spyware sends the author information about your computer and your browsing habits, and sometimes personal information entered into browser forms. Hijackers take control of your web browser (home page, search page, proxy settings). Toolbars are the ones the user never intentionally installed. Dialers dial 1-900 or overseas numbers and provide a revenue stream for the number's owner, leaving you with a large phone bill.
How do you differentiate between a virus and this kind of malware? A virus is a rogue program that propagates within a computer and sometimes across computers and can destroy your files and/or your operating system: its objective is large-scale damage to your computing resources. The behaviour of the malware listed above is more predictable, in the sense that it does not harm your data but takes advantage of your resources for monetary gain. (Strictly speaking, malware is the umbrella term and covers viruses too; what is described here is what vendors now label adware, spyware or potentially unwanted programs.) Often malware comes bundled with popular free downloads. There are some big companies writing malware!
Interestingly, most anti-virus programs are not good enough at clean-sweeping malware. The Norton anti-virus that I have on my computer cleans viruses but not malware. I use a combination of Ad-Aware (http://www.lavasoft.de) and Spybot (http://www.safer-networking.org/en/index.html). This gives me a near-clean computer, I think! Next time you negotiate with an anti-virus vendor you know what additional question to ask: does your program remove malware? If so, what categories of malware?
Tuesday, August 23

Before you auction off your old hardware, beware!!
by
RaviC
on Tue 23 Aug 2005 08:42 AM PDT
Soon after the dot-com bust, companies in need of cash auctioned off unused hardware. Some did this over the web, which generated a lot of publicity and encouraged even more companies to join the bandwagon. Even though this was a smart way to generate much-needed cash from rapidly depreciating hardware, it was not done with care. Many companies did not even realize that company, customer and other private/confidential information was still stored on those laptops' hard drives, which provided fertile ground for information harvesting.
Now many of us can take a good guess why there was so much identity fraud in the days following the dot-com bust! The safest way to auction off old hardware is to make sure the hard drive and any other storage accessories are removed, and destroyed, before auctioning. Don't take the risk of erasing or degaussing the drive and then selling it, because you are never sure: a quick format or delete leaves the data fully recoverable, and an overwrite is only as good as the verification you do afterwards on every single drive. It is better for corporates to be paranoid and secure than carefree and vulnerable.
Monday, August 22

Offshoring and its security risks
by
RaviC
on Mon 22 Aug 2005 08:42 AM PDT
The offshoring phenomenon has captured the attention of most corporate leaders in the US, big and small. Recently I heard that offshoring has cut its teeth into the venture capital (VC) community: VCs are not putting their money at stake unless the startup seeking funding has a sound offshoring strategy.
Offshoring is economically good for the participating countries, but it brings security risks too. The offshorer (a word I coined for the company or country that offshores) has to be aware of the following about the offshore vendor and country:
1. How is sensitive information handled at the offshore vendor's location? Are the staff adequately trained in handling classified information? What is the hiring process? Are employees properly screened, with background checks, before they are hired?
2. How safe is their network/hardware/software infrastructure from viruses, malware, adware and DoS attacks? How good is the physical security of the location? Do they have an information security policy in place?
3. What is the legal framework in the offshore country? How does it afford information protection? How can the offshore vendor be held accountable under its own law for non-compliance?
4. How is the offshore vendor's financial health? How happy are their past clients with the vendor's security conformance? What is the nature of those past clients?
Last but not least, the offshorer must write into the contract suitable penalties for breaches of information security caused by the offshore vendor's negligence. Offshoring conserves capital, but it brings security risks; being aware of them helps us balance the equation.
Friday, August 19

Formula to compute $ value of Information Breach
by
RaviC
on Fri 19 Aug 2005 05:29 PM PDT
If a business suffers downtime there is a way of quantifying the monetary loss: the potential customers lost multiplied by the average $ per customer, plus the loss of goodwill. The bottom line is that we can quantify monetary loss to a certain extent.
The next big question is: how can we quantify, in money, a breach of corporate information? We all know about classifying information into tiers (top secret, secret, confidential, sensitive and unclassified), but there is no $ figure associated with the loss of that information. How can we go about putting a $ figure on the loss?
Here are my thoughts about this:
1. Since the higher the classification, the higher the monetary loss, can we build a relationship between the two?
2. Once you produce a document, classify it and then put a monetary value on what it would cost if somebody stole it. The document containing the Coca-Cola secret formula might cost, say, 3 billion $; make sure to factor in the loss of competitive positioning and so on before you arrive at the number.
3. Measuring lost customer goodwill and trust is difficult. One way is to roughly compute the resources and time it takes to win the goodwill back and assign a $ figure to that.
4. Regulatory/legal cost is the expense incurred either as fines from the government for non-compliance or in handling the legal ramifications of the breach, such as customer lawsuits.
5. The cost of preventive measures to make sure such a breach does not happen again: we are a learning organization!
6. Last but not least, the cost of the company machinery doing the damage control.
$ Information Breach = $ Information Value + $ Regulatory/Legal + $ Goodwill Lost + $ Preventive Measures + $ Damage Control
Though it is hard to come up with an exact figure, some$thing is better than no$thing.
Thursday, August 18

How did I succeed in CISSP?
by
RaviC
on Thu 18 Aug 2005 08:32 PM PDT
I decided to specialize in the area of security; at the same time CMU introduced a program at their west coast campus called MSIT-ISP or some fancy name like that. It is a Master of Science in IT, Information Security and Policy. I applied for the program, but the program was cancelled. I continued researching what I needed to do in order to gain specialization in the area of security. My uncle, who passed the CISSP, told me that it was one of the toughest exams he ever took and that I should give it a shot. I studied hard by myself for at least 1.5 months, then I took the boot camp organized by the "Training Camp". The instructor, Mr. Dennis Lee, was extremely good. Finally, when I took the exam, I found it quite tough. I consumed all the time: though I had finished the exam an hour early, when I did the revision I found I had marked so many incorrect answers, and when I delved into those questions I could figure out the correct answers. The list of things behind my CISSP success:
1. Self-preparation of 45 days; any CISSP guide would do. I referred to the CISSP study guide by Ed Tittel.
2. The boot camp provided me some sort of revision, and the knowledge was complementary to my self-study.
3. Finishing the exam at least an hour early and dedicating the remaining hour to thorough revision.
4. Think at least 2-3 levels deep for every question (use this with caution; some questions are too simple and you may get them wrong if you think too deeply).
I think the CISSP covers a tremendous breadth of knowledge, which brings confidence. It is 1 mile wide and 1 inch deep. In the end I feel the CISSP is well worth it. I am more than willing to share tips if anyone wants them.
Wednesday, August 17

OneBox panacea for all security problems
by
RaviC
on Wed 17 Aug 2005 03:13 PM PDT
Currently there are about 600+ venture-funded security startups! Some companies provide appliance-based security (Intruguard, Ironport, Teros); some focus on software-based security. Some appliances implement rate-based anomaly detection and others implement pattern-based anomaly detection. Some provide network-layer security and some provide application-layer security. There is no OneBox which provides all of those, so customers have to spend time and energy implementing multi-vendor, multi-point and multi-tiered solutions. As the industry matures there is a tremendous opportunity in putting together a OneBox solution.