Risk Management and Compliance &#187; Web Security

http://twitter.com/kraasecurity

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Mark Zuckerberg’s Facebook Hacked (devicemag.com)

The Dangers of Employee Social Media Usage

admin — Thu, 30 Dec 2010 02:17:56 +0000

Employers are constantly hearing of social media this and social media that. When your employees go on break or eat lunch, they are usually on their cell phones talking. But, now there are also applications on phones like Facebook, Twitter, FourSquare and others where an employee can actually send photo uploads while being mobile and even post to Facebook automatically. Are employees using social media securely?

Does your company have anything in place for protecting confidentiality through social media usage? Do you have a Social Media Security Policy? Employees sign agreements when joining the company but did the business cover disclosing things like pictures or private conversations and even meeting information via Google Buzz or Facebook? What about brand new products being developed that are trade secrets?

If your employees are online working to do their job and Facebook, MySpace, or gaming sites like Pogo are not blocked, how do you know they are doing their work 100% of the time? Just because their production numbers look great, doesn’t mean they are not slacking. Have you done a Social Media Security Assessment?

It is becoming an epidemic in the work force with employees breaking rules and ultimately being fired every day. If security monitoring technologies are in place you could possibly sue the former employee but your trade secrets are gone and so might be your reputation. If an employee is bad-mouthing your company and tells everyone to not buy or shop with you, there goes your business immediately.

You can make a legal policy for employees to sign when they start their job that they will not talk, disclose, or say anything bad about the company on social media sites. If businesses do not step up soon and do something it can be a total free for all!

Here are a few interesting facts to consider. One out of every ten employees admitted overriding their job’s security system so they could access restricted sites. In 2009, 24% of eight hundred employers surveyed said they had to discipline an employee for using social media sites. Another study showed 8% of employees were terminated for accessing Facebook out of two hundred businesses polled. Twenty eight thousand people were polled in the United Kingdom at the beginning of 2010 and a whopping 87% said they can do what they want; it is their right to do so.

It is now believed that social networking will replace email by 2014 as the main way to communicate for 20% of all business owners or users. Is your company prepared for Secure Social Media?

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Social Media Warfare: Are you attacking or defending?

admin — Tue, 07 Sep 2010 01:33:06 +0000

: Image via CrunchBase

Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now. So it should be an obvious “YES” that Social Media warfare exists. But is that true? To get to a full blown war opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective, we are in world war three, many opposing sides, lots of new and improved weapons, completely escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment. This new war will require new tactics and defense strategies.

I think we have seen the first skirmishes of the war. It started with all the spammers morphing their tools into Facebook and Twitter hacking. Then moving into phishing. Then into negative attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber warfare started? But why is this war inevitable?

The attack vectors in the Social Media War are probably categorized into personal use and corporate use. If these are the assets that needs to be protected, we can then figure out how the assets will be attacked, how will the enemies do reconnaissance, what alliances will be formed and what should be the defense strategies and weapons for defense.

The progression of of this war will follow different patterns and there is probably no end in sight.

Action	Personal	Corporate
Skirmish	Home users receiving spam and phishing attacks and scams	Corporate users seeing more phishing attacks, attackers going through Linkedin profiles
Protest Actions	Users might complain to attorney generals, or write nasty messages about Microsoft Adobe or Apple security weaknesses	The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs or event countries about originating attacks.
Negotiations	There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing.	Companies definitely do not want to negotiate. But will see blackmail more and more.
Failed Negotiations	The home user is bascially screwed anyway.	Succumbing to blackmail will only lead down a bad path.
Declaration of War	This is a defacto state with the home user. They are at war whether they know it or not.	Companies have to take a proactive approach to security versus reactive. Anticipate the next types of attacks and have a budget to address it.
Launch Attacks and Defend	More defend, get your anti-spyware, antivirus, personal firewalls and encryption up to speed. But after that, understand how attackers use Social Media.	Spend massive amounts of money on understanding how so fight in the Social media landscape, security hardware and software are not enough.
Allies Join the War	The home user can only rely on the Social media companies for basic security.	Their will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.
Years of Conflict – Never Ending	Whats the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the Social Media venues anyway.	A company can only rely on the right process to secure their social media usage. As technologies change and new sites go live, a good process and social media security policy is all you can rely on.
Winner	The ISP, they get to sell bandwidth.	The VCs who fund companies like Facebook and Twitter.

I will get into more tactics in the coming war in future posts.

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Public gives approval for cyber warfare (v3.co.uk)
Social Media Wars – The Google vs. Facebook Employment War Gets Messy (GALLERY) (trendhunter.com)

When will Vendors provide Risk Assessments of their products?

admin — Thu, 18 Feb 2010 04:22:56 +0000

: Image via Wikipedia

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.” The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!” Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
Microsoft investigates new Internet Explorer flaw (news.cnet.com)
Google readies Flash for Android devices (infoworld.com)
IBM: Vulnerabilities fell in ’09, but other risks abound (computerworld.com)
Update: Adobe issues emergency PDF patches (computerworld.com)
Serious web vuln found in 8 million Flash files (theregister.co.uk)
Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

Data Loss, this time with Network Solutions

admin — Mon, 27 Jul 2009 16:55:02 +0000

Data Loss, this time with Network Solution

Network Solutions, one of the largest domain registrars recently announced a data breach. Malicious code was found on its e-commerce server which may have captured transactions from thousands of websites and capturing half a million or more credit cards. The company said they found the code during a routine check. Since the breach occurred between March 12 and June 8th, how routine was the actual checks? I wonder when their last vulnerability assessment or Information security risk assessment was conducted? Data loss prevention is sorely lacking in just about every industry.

Here is what the company said “At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer,” a statement from the company reads. All these statements around hacker breaches and stolen credit cards read the same.

The process now begins where all the merchants have to be identified, then each merchant has to notify their customers. Their customer then have to work with their banks to stop credit cards, have to get credit monitoring and thus goes the Circle of Life (of data breaches) Here is the list of data breaches in 2009 alone. If you recall the breaches of Heartland Payment Systems and RBS WorldPay, the breachescaused them to be removed from the PCI security audit () list . Well that should be obvious, or should they have been rated compliant int he first place. Known non-compliance might be a better than weak compliance.

The basic question is what was Network Solution not doing to have malicious software installed on key servers? Was it a breach through a web application, was it through malicious email, a browser based attack, some insider who didn’t know enough about security and clicked on the wrong thing? What routine check found it and why wasn’t this check run on a more routine basis, such as weekly or even daily?

At the end of the day, security is a moving target. We can utilize encryption, vulnerability management, application security risk assessment, email filtering, backup and recovery, but all will be useless is we follow poor practices or do not have good procedures in place to take into account the human element. Most breaches are insider problems or mis-configurations or plain old stupidity.

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Wireless (in)Security in Your Pocket

admin — Tue, 23 Jun 2009 00:05:32 +0000

Verizon has launched the pocketable MiFi router. The MiFi 2200 has CDMA with EV-DO Rev. A. So you can roam around without a datacard as the only means for your laptop on the middle of nowhere. This credit card size access point can connect multiple devices such as your iPhone or a laptop. I havent bought a gadget in awhile, but this might be the one.

Sitting on the plane for three hours in a delay might be more tolerable if you can get online. Not having to pay for TMobile hotspot access and not being tethered to your laptop, all great features. But what about the dangers? Wireless security is a challenge here and it should be addressed sooner rather than later.

The wireless risks actually havent changed. But the reality is that if someone uses the MiFi to connect their IPhone rather than using the ATT network to browse, do you think they will think as much about security as if they used a laptop? Probably not. Using portables to get online doesnt seem as dangerous as a laptop does it? People equate more “data” risk with a laptop, but most portable devices have tons of stored data, contacts, files etc. They are at risk and the education isnt there yet about these risks. Should you be running antivirus on your portable device? Should you have an iPhone Firewall application?

So what do you need to do? Well the steps are pretty much the same as for other wireless hotspot access points:

1) Require encrypted authentication

2) Change default username and passwords

3) Disable broadcast of the SSID

4) Enable logging and alerting

5) Have hostbased security tools such as antivirus, firewalls and intrusion detection on your portable devices if possible.

If you are so old fashioned that you dont have one of these in your pocket and you need a hotspot, try the HotSpot finder Jiwire, http://www.jiwire.com/ Here are some interesting Wifi hotspot stats from Jiwire

Top 10 Location Types

Rank	Type	Locations
1	Hotel / Resort	59,224
2	Cafe	39,310
3	Other	38,430
4	Restaurant	37,159
5	Public Space / Public Building	19,386
6	Store / Shopping Mall	16,063
7	Office Building	10,145
8	Pub	5,478
9	Hotzone	5,413
10	Airport	2,938

Gary Bahadur

baha@kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Healthcare Security- Identity Theft and Hacker ransom

admin — Thu, 07 May 2009 22:57:45 +0000

I hope no one is actually shocked by this story. Records are stolen everyday. Typically, the hackers will sell the information in the underground somewhere is Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly it actually a good thing in my opinion. Why is it good you ask? (I assume you are asking that, vulcan mind meld and all that..) Maybe the industry (meaning all industries) need a sensational story to get real change in their IT Security environments.

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

Hacker Holding Health Records Hostage Demands Ransom

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++++++++++++++

The Channel Wire

May 06, 2009

Ways to Maintain Website Security

admin — Fri, 10 Apr 2009 14:33:45 +0000

With the advancement in technology comes the heavy responsibility of monitoring an organization’s sensitive and valuable information. The use of the Internet has become a necessity in organizations to exchange their data and various other business details with their business partners, vendors and clients. In many cases, during transmission of datahackers compromise a network or transmission medium and illegally gain the data. It maligns not only the market value of the company but also the number of clients that place trust in the company and the company’s infrastructure or website.

There are preventive measures that every company can adopt to maintain the value of the company as well as the client base. It is very important for any company to maintain the data securityase and safeguard the internal information of the company. The clients and business partners share their data only after confirming that the partner company will keep it safe and intact under the safety norms of the company.

By taking a few cautionary measures, one can easily secure the sensitive information of the company. Installing a firewall in the network system keeps the security intact and safe. Earlier, this was a bit expensive for companies but with the advent of technology, this has become an easily accessible tool for the organization. Affordable monthly subscriptiuons are available for firewalls, Intrusion detection systems and host intrusion prevention systems. They need not spend a lot of money in availing these services now.

A firewall is the main defense. A firewall carries out routine security checks and blocking techniques at particular time intervals and this helps stop attacks. It will sound an alert in case of any threat posed to the data and will automatically start blocking and reporting. on it. It never compromises on your company’s security and safety and always keeps the information safe. Firewall protection can be easily availed from various online sources at quite reasonable rates but one must always cross-check the credentials of the source company as well and only then purchase it from experts in the field.

Other than installing these tools to maintain web security, companies are also hiring third parties to review the policies and procedures of the organization and also to keep track of the online process of distribution of data of the company. These third parties install web applications that thoroughly review the codes installed in the process and provide valuable feedback to update and upgrade the quality of network systems. hough it is somewhat expensive to employ third-parties but they really keep a detailed track of the security system of their clients’ information.

Many network systems of very renowned companies are getting hacked and misused these days by the hackers. It is high time that the companies take proper action against such activities and thefts as the number of incidents are growing day-by-day. Otherwise, people will start losing their trust in sharing their personal information through web sites.

A web security expert of application security risk assessment has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com