Wednesday, November 17, 2010

10 ways to make sure your data doesn't walk out the door: UPDATED

By Debra Littlejohn Shinder

March 29, 2010

Unfortunately, the same security precautions that prevent DoS attacks, viruses and worms, and other high-profile attacks may not be addressing a much more insidious problem: theft of company data for corporate espionage or other purposes. Yet the disclosure of your trade secrets to a competitor or the release of private company information to the media could, in some cases, result in a much greater loss than network downtime.

1: Practice the principle of least privilege and put policies in writing

Two opposing philosophies regarding network access policies:

1. All Open Policy presumes that all data is available unless access is explicitly restricted.

2. Least Privilege Policy operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it. LPP is like the "need to know" policies of government intelligence agencies: Unless a user has a demonstrated need to have access to a particular file, that user can't access it.

Your policies should be specific and give examples of what's prohibited. Workers may not understand, unless you spell it out, that emailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door.

2: Set restrictive permissions and audit access

CYBER ATTACK?!?

Stuxnet Virus Could Target Many Industries
The New York Times: 11/17/2010

WASHINGTON (AP) — A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, affecting the production of everything from chemicals to baby formula, government officials and cyberexperts warned Wednesday.

Experts told senators that attackers can use information made public about the so-called Stuxnet virus to develop variations targeting other industries, and that the worm's consequences go "beyond any threat we have seen."


Stuxnet
The New York Times: 9/30/2010

The Stuxnet worm is a fast-spreading malicious computer program that has turned up in industrial programs around the world. Its most striking aspect may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe. Iran said it had appeared in the computers of workers in its nuclear project.

Tuesday, November 2, 2010

Fighting the Evercookie

The next front in the cookie wars: Fighting the Evercookie

  • Date: November 1st, 2010
  • Author: Michael Kassner

Samy Kamkar: Evercookie is a JavaScript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they’re protected from web sites that track like this.

Thursday, September 16, 2010

NSA Chief Outlines Cybersecurity Plans

Gov 2.0 Summit: NSA Chief Outlines Cybersecurity Plans

Teamwork, global leadership and respect for privacy are necessary as feds work to secure critical infrastructure, the National Security Agency's Gen. Keith Alexander said.

Addressing challenges to the federal government's cybersecurity efforts, the head of the National Security Agency (NSA) said that teamwork, global leadership, and a respect for citizens' privacy are necessary to secure U.S. critical infrastructure against cyber attacks.

There are 250,000 probes trying to find their way into Department of Defense (DoD) networks every hour, and cyber attacks on federal agencies have increased 150% since 2008, Gen. Keith Alexander, NSA director and commander of the U.S. Cyber Command, said Tuesday at the Gov 2.0 Summit at the Grand Hyatt in Washington, produced by O'Reilly Media and UBM TechWeb.


Thursday, September 2, 2010

IN THE NEWS

ManTech wins $100M contract for FBI cybersecurity services

Five-year award includes round-the-clock support

ManTech International Corp. will provide cybersecurity services to the FBI under a five-year contract that could be worth as much as $99.5 million.

Under the contract from the FBI’s Security Division, ManTech will provide round-the-clock cybersecurity support, including intrusion-detection monitoring, security engineering, and incident identification and response.

The company also is obligated to provide vulnerability assessment and penetration testing, cyber threat analysis, and specialized cyber training services.

ManTech will use ISO 9001-compliant security processes and will introduce new security technologies to reduce the risks associated with cyber threats, the company said in its announcement today.

ManTech International, of Fairfax, Va., ranks No. 31 on Washington Technology’s 2010 Top 100 list of the largest federal contractors.

About the Author: David Hubler is the associate editor of Washington Technology.

White Papers




Ten Ways Hackers Breach Security

James Michael Stewart, Global Knowledge Instructor


Introduction

Hacking, cracking, and cyber crimes are hot topics these days and will continue to be for the foreseeable future. However, there are steps you can take to reduce your organization's threat level. The first step is to understand what risks, threats, and vulnerabilities currently exist in your environment. The second step is to learn as much as possible about the problems so you can formulate a solid response. The third step is to intelligently deploy your selected countermeasures and safeguards to erect protections around your most mission-critical assets.


This white paper discusses ten common methods hackers use to breach your existing security.


1. Stealing Passwords

2. Trojan Horses

3. Exploiting Defaults

4. Man-in-the-Middle Attacks

5. Wireless Attacks

6. Doing their Homework

7. Monitoring Vulnerability Research

8. Being Patient and Persistent

9. Confidence Games

10. Already Being on the Inside



Tuesday, August 31, 2010

New BotNet Comm Vectors

Botnet: The Six Laws And Emerging Command & Control Vectors
Richard C. Batka
New BotNet communication vectors are emerging. The industry is not prepared. For the next 20 years, BotNets will be what viruses were for the last 20.

Monday, August 30, 2010

Cyber Security Awareness Week: OCTOBER 2010


OUTWIT FELLOW CYBER SECURITY SLEUTHS

Get in on the seventh year of NYU-Poly’s most-anticipated student competition. CSAW participants are leading the next generation of computer science professionals who will think of proper cyber-security measures as a necessity, not as an afterthought.

Save the Dates | October 28 and 29, 2010 - Final Competitions and Awards Days



Note: Registration for the High School Cyber Forensics challenge isn't open yet. Send us your contact information so we can let you know when you can register for the Cyber Forensics challenge.

Prizes, Scholarships, and Travel Grants

Cyber Forensics Challenge
  • 8 finalist teams will be flown to NYC for the final competition
  • The winning team’s science department will receive:
    • 1st place: $1,500
    • 2nd place: $1,000
    • 3rd place: $750
All Other Challenges
  • Travel grants to Awards Day in NYC for qualified finalists (Note: Quiz Tournament and Security Awareness Video participants are NOT eligible for travel grants)
  • Master of Science scholarships for students who attend NYU-Poly (excluding AT&T Research and Awareness Video awards):
    • 1st place: $5,000
    • 2nd place: $3,000
    • 3rd place: $3,000
  • Cash prizes for winners (excluding high school Cyber Forensics Challenge):
    • 1st place: $500
    • 2nd place: $250
    • 3rd place: $100
  • Raffle prizes at day-long award/final competition event

US Military Compromised

Five ways to avoid the same fate

[posed by removable media malware]

  • Date: August 27th, 2010
  • Author: Chad Perrin

Defense Secretary Lynn has been discussing a 2008 compromise of U.S. military network security by a foreign intelligence agency. The DOD is taking measures to protect itself. You should do the same.


The Washington Post reports in Defense official discloses cyberattack:

The most significant breach of US military computers was caused by a flash drive inserted into a US military laptop on a post in the Middle East in 2008.

A foreign intelligence agency managed to place malware on a USB flash drive that was later plugged into the US military laptop, infecting it. From there, the infection made its way onto a U.S. military Central Command network. According to Defense Secretary William J. Lynn III:

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

With the growth of widespread network-delivered malware infections in today’s almost universally connected world, it can be easy to forget that sometimes the old methods are still effective. In the 1990s, people who used computers on a regular basis were much more cognizant of the potential danger of viruses that could move from computer to computer via removable media like floppy disks.

How to avoid removable media malware

  1. Disable AutoRun
  2. Implement restrictive removable media policy
  3. Check all removable media on a secured system before
  4. Choose to ban all removable media
  5. Implement the basics

Wednesday, August 25, 2010

The Four Pillars of Cybersecurity



Developing a comprehensive cybersecurity strategy becomes simpler when you focus on four pillars, according to Kevin Manwiller, Cisco’s manager of federal security solutions. “To protect information and keep networks running, governments need to address achievable goals: identity and access control, secure remote access, data center and cloud security measures, and advanced threat defense throughout the enterprise,” he says. These four pillars of cybersecurity not only prevent information leakage and network damage, but also support government cost-saving initiatives such as cloud computing, telework, and citizen self-service.


The Four Pillars of Cybersecurity

  1. Control Access Based on Who and What Is Connecting
  2. Create a “Borderless” Network by Providing Secure Remote Access
  3. Cloud Security and Data Center Security
  4. Integrated Threat Detection and Defense



Tuesday, August 24, 2010

Information Operations Institute


Educational Update
August 2010

The IO Institute would like to remind you that a Cyber Warrior Course is being held at the AOC headquarters on September 14 through the 16th, 2010.

This one-of-a-kind course gives an overview of cyberwarfare, aimed at civilians without access to military or government schooling. This is especially important with the high demand for contractor support for the newly created US Cyber Command and the myriad of Service components. Military and government will benefit from this course by hearing how a noted expert in the civilian sector, with unprecedented access to and experience with senior cybersecurity professionals, not only perceives how the war in cyberspace will be waged but also names methodologies, tools and programs.
Cyber Warrior's Course
When taking the Cyber Warrior course, all students receive a copy of the Cyber Commander's Handbook. This excellent book plainly lays out exploitation techniques, attack methodologies and tools, methods of effectiveness, legal and ethical ramifications, and lists active countries and programs designed to wage war in this newest US warfighting domain.

Contact Information
phone: (703) 549-1600 or e-mail

Hacker’s Arrest Offers Glimpse Into Crime in Russia



By ANDREW E. KRAMER

Monday, August 23, 2010

The dirty little secret about Google Android



  • Date: August 23rd, 2010
  • Author: Jason Hiner

Google Android began with the greatest of intentions — freedom, openness, and quality software for all. However, freedom always comes with a price, and often results in unintended consequences. With Android, one of the most important of those unintended consequences is now becoming clear as Google gets increasingly pragmatic about the smartphone market and less and less tied to its original ideals.

Here’s the dirty little secret about Android: After all the work Apple did to get AT&T to relinquish device control for the iPhone and all the great efforts Google made to get the FCC and the U.S. telecoms to agree to open access rules as part of the 700 MHz auction, Android is taking all of those gains and handing the power back to the telecoms.


Thursday, August 19, 2010

Inside the Latest Web Threats: From Myths to Mechanics


SOPHOS' Complimentary webcast – Inside the Latest Web Threats

August 26, 2010 2 pm ET / 11 am PT

Are you suffering from misconceptions about safe web browsing? You might think you’re being safe, but it’s next to impossible to stay up to date on infected sites—no matter how educated or aware of the risks you are.

Join this live one-hour webcast to bust some myths and learn how web threats are created and spread -- and the impact they have on your business. We’ll also discuss these key topics and more:

  • 10 common myths about web security
  • How today's web attacks work
  • Key technologies to safeguard your systems

Flash Memory Mobile Forensic


This paper is an introduction to flash memory forensics, with a special focus on the completeness of evidence acquired from mobile phones. Drawing on academic papers and industrial documents, it introduces the particular nature of the non-volatile memories present in today's mobile phones: how they really work and which challenges they pose to forensic investigators.