You can't secure what you don't acknowledge.℠

Tuesday, August 19, 2014

CommView for WiFi - a great option for wireless network analysis

Several years ago I wrote about the neat WEP/WPA recovery tools offered as part of TamoSoft's wireless network analyzer called CommView for WiFi. Well, those tools are no longer available but CommView for WiFi is as relevant as ever. I've been using it for years. It seems that it hasn't changed a ton other than some UI and packet analysis enhancements - probably just oversights on my part since I don't use it every day.

I've featured CommView for WiFi in my book Hacking For Dummies but wanted to tell you about it here as well. It's an enterprise-ready tool by itself but when you add on the remote agent and TamoGraph Site Survey, it's everything you'll likely need in terms of wireless network analysis, monitoring, as well as site surveying for new wireless deployments and troubleshooting.

The following are screenshots showing CommView for WiFi's main interface and its packet generator tool:


CommView for WiFi also has a tab called Latest IP Connections that's really neat. In order to protect the infected, I chose not to show this; however, in the few minutes I had the tool loaded to write this blog post, CommView for WiFi detected outbound communication sessions with several interesting hosts including one in Russia. Yet another reason to get control of BYOD and mobile security!

I see that CommView for WiFi's reviews aren't stellar over at CNET but I think that's because of the junk adware wrapper code that CNET includes with its downloads. No worries, just download it directly from TamoSoft and you should be good to go. Michael Berg at TamoSoft is continually updating the program and is very responsive when questions arise.

Yet another great "you get what you pay for" network/security tool.

Monday, August 18, 2014

A resource to help with PCI DSS 3.0's penetration testing methodology requirements

PCI DSS has been getting a lot of buzz lately and the latest version 3.0 will continue gaining momentum until the many small and medium-sized businesses get their arms around the new requirements. Of particular interest is the updated requirement 11.3 (below) which is much more prescriptive on how to find the actual security flaws that matter.

I've always believed that you can't secure what you don't acknowledge...PCI DSS 3.0 now mandates a formal methodology for security testing that:

• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.


These updates are no doubt an evolution of the realization that many people were simply performing basic vulnerability scans of network hosts or hiring fly-by-night "pen-testers" to seek out one or two easy wins in the cardholder data environment rather than performing a more in-depth security assessment that looks at everything that matters.

I suspect many people (especially those working in SMBs with limited resources) will migrate towards the NIST standard similar to how many people have jumped on the "cybersecurity" bandwagon. There's also the resourceful Open Source Security Testing Methodology Manual (OSSTMM) that's been around quite some time.

The important thing you need to know is that none of these standards will be a best-fit, end-all-be-all solution for your organization. Similar to exercise and diet programs for individuals and strategic corporate plans for businesses, every person/organization has their own unique needs when it comes to information security testing. The interesting thing to me in many of these standards, and just general popular belief, is that open source tools are all you need to perform an effective security assessment. I've said time and again, in all but a handful of scenarios, you're going to get what you pay for with your security testing tools. Outside of the awesome Metasploit tool and a few mostly forgettable others I've used over the years, I've yet to find any open source tool that works a fraction as well as the commercial alternatives.

With PCI DSS 3.0, or whatever requirement, your information security test tools and methodologies will absolutely define your testing outcomes and ultimately your business risks. Before going down yet another confusing path in the name of security and compliance, everything you need to know to get started - and darn near master - your penetration testing is outlined in my book Hacking For Dummies...I hope this helps and best of luck:

Tuesday, August 5, 2014

Are you stuck in this information security rut?

Here's a new post I wrote for Rapid7's blog that I think you might like...

There’s nothing really new in the world in which we work. Every problem you face in information security has already been solved by someone else. Why not use that to your advantage? There’s no time for baby steps in security. Sure, you need to “walk before you run” by thinking before you act. That comes in the form of knowing your network, understanding your risks, and getting the right people on board. But not taking the time to learn from other people’s mistakes and developments in information security is downright bad for business...{read more at Rapid7.com}

Tuesday, June 10, 2014

Pitching your ideas in IT

If you work in IT, your communication and selling skills are more important than anything you can ever do technically. This includes "pitching" your ideas to your audience - typically management and users. As a speaker, I often struggle with new approaches for pitching my ideas.

Here's a good Success.com Q&A with Shark Tank's Daymond John to help remind us of what people are looking for. I especially like where Daymond says: "There are no new ideas ever in the world." ...so true, even in our field.

Wednesday, June 4, 2014

More Web security vulnerability assessment, audit, and pen testing resources

I've been busy in the world of Web security testing - both with work and with writing. Check out these new pieces on the subject. I suspect I'll tick off a "researcher" or two given my business angle and 80/20 Rule-approach of focusing on the most problematic areas of Web security...Still, I hope that these are beneficial to you and what you're trying to accomplish in your organization:

Key Web application security metrics

Taking politics out of the Web security equation

Getting back to basics with Web security

Core causes of Web security risks and what you can do about them

Security Considerations When Using AWS Cloud Services

The Big Security Oversight When Using Amazon Web Services

By the way, with the continued banter/debate around vulnerability assessments vs. audits vs. pen tests, here's my two cents on the subject:
Is it a pen test, an audit, or a vulnerability assessment?

Don't forget to check out all of my other information security content at www.principlelogic.com/resources

Wednesday, May 14, 2014

Web security vulnerability testing and management resources you need

From scanners to compliance to software development and beyond, here are several Web security pieces I've written for the folks at Acunetix that I thought you might like:

The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security Audit

How Your Web Presence is Throwing You Out Of Compliance

The disconnect between IT audit and software developers

Top 10 Insider Threats and How to Protect Yourself

Top 5 Information Security Trends

Top 5 network security vulnerabilities that are often overlooked


Don't forget to check out all of my other information security content at www.principlelogic.com/resources.


Thursday, May 1, 2014

Running vulnerability scans over VPN connections

If you haven't yet, you'll likely run into a situation where you need to run vulnerability scans over a VPN connection (i.e. for remote office networks). Well, certain scanners won't scan over "raw sockets" - the underlying communication method for certain VPN connections. Other scanners can't even connect to a remote network at all because they're caught up in their own little virtual machines that you cannot add a VPN client to.

If you're faced with this situation, check out GFI LanGuard (currently in version 2014). LanGuard works like a charm over various VPN connections. I have found that when performing unauthenticated scans LanGuard typically doesn't find as many relevant vulnerabilities as other scanners but its authenticated scans of Windows and Linux systems are very good. I have some clients that use LanGuard for patch management with positive results as well. Definitely a worthy tool!


Wednesday, April 30, 2014

Things that impact careers in information security

Here are some recent pieces I've written that can make or break your success in information security:

Open your eyes and you’ll see the light

Steering your career as a desktop admin in the mobility age

The mindset of everyday employees and their impact on security

Why a CIO's relationship with enterprise IT security is important

Be sure to check out the hundreds of security articles, webcasts, and more I've written/developed over the past 12 years at principlelogic.com/resources.

Tuesday, April 22, 2014

6 reasons information security causes global warming

In keeping with the divorce and everything Capitalist or conservative causes "global warming" movement, how about this:

Information security causes global warming (or cooling, or whatever it needs to be called today)
I really believe we have a "crisis" on our hands and here's why:
  1. The need for IT security controls is a negative side-effect of Capitalism - man bettering himself if you will. If we didn't have computers and the Internet, the advancement of mankind, and greedy corporations trying to make profits, this wouldn't be a problem.
  2. Security policies are often distributed to employees in hard copy form which requires cutting down trees which requires manufacturing, and more jobs, and more people commuting to work, and fuel usage for shipment....
  3. Information security clauses lengthen business contracts contributing to the same paper manufacturing and delivery problems as above.
  4. Firewalls, IPSs, and anti-virus software require manufacturing, and more jobs, and, well, more carbon dioxide and Capitalists getting their way.
  5. Added security controls require more power and space in data centers thus impeding the "green" data center movement we're seeing a lot of.
  6. When criminal hackers' and malicious insiders' attacks are blocked by our non-environmentally-friendly security controls, it hurts their feelings and makes them feel less about themselves and their jobs which leads to lower productivity at work which leads to more snack and smoke breaks which lead to overflowing landfills and, of course, increased carbon dioxide in the sky.
Finally! Managers and executives now have a valid excuse for not buying into information security...How could anyone in their right mind possibly support anything that causes "global warming" anyway..?? 

I know, I know, my approach seems flawed, but so is the "logic" and the "facts" behind the religion of "global warming". If it were only this easy to push information security initiatives in an emotional fashion in the name of something that has no basis in fact and without having to present the real side of the story!

Now I've got to go figure out how I'm going to offset the "carbon emissions" pouring from my race car's open exhaust and my daily driver's big V8. I'm confident a government bureaucrat will guide me along the way.


Friday, April 11, 2014

Heartbleed - the biggest Web security problem ever???

I just came across this piece from NewsFactor: Is Heartbleed the Biggest Web Security Threat Ever? and couldn't help but chime in. Contrary to popular hype, I don't think the biggest web security issue we face (now or ever) is a technical problem...instead, it's something with hair on top like I talked about here.

As with the hype over the Target breach and the gloom and doom over Windows XP's end of life, it's never the hard-to-find, technical stuff that many people believe is at the "heart" of our security woes. Instead, this issue, like most others in life, can be distilled down into a much more basic form. We're our own worst enemies...

P.S. Wouldn't it be weird if the NSA is somehow tied to this vulnerability...? ;)

Wednesday, April 9, 2014

Windows XP: Goodbye my love...well, not really.

Windows XP...ah, the memories!

I wrote many of my books including the first two editions of Hacking For Dummies and the first edition of The Practical Guide to HIPAA Privacy and Security Compliance originally on Windows XP - not to mention countless articles, security assessment reports and more over a 7-8 year span.

It was nice working with you XP!

I waited to write this post today, the day after all the Windows XP end-of-life hype, so as to not get caught up in that mess from yesterday. What's interesting to me about this whole Windows XP story is that every analyst, IT vendor marketing rep, journalist, auditor, and consultant is an "expert" on the doom and gloom that will be brought upon society with all of the businesses and consumers not upgrading their operating systems.

Looking at the headlines, still today, it's kind of funny (and sad):
"Vital industries exposed to risk"
"Isn't safe to use anymore"
...blah, blah, blah.

Apparently Windows XP is still being run on 25% of PCs. Will we hear stories about Windows XP systems being drywalled into oblivion like we've heard about Novell NetWare? Probably not. I do suspect it's going to be around for years to come. And, sure, vulnerabilities will be discovered - especially on systems that have scant security controls to begin with. IT's elite will clamor about their amazing exploits. Management will still have their heads in the sand. Life goes on.

The funny thing about Windows XP is that the OS itself is not where the real risk is in most network environments. [Oh gosh, did I say that out loud!?...now I'm going to have some "researchers" all over me...shudder.] Real-world experience tells me that much of the risk is all the other stuff people are installing and IT is not patching that's creating the real problems...the latest study shows that 76% of vulnerabilities are NOT Microsoft's issue. I've seen higher numbers in the past.

Microsoft Corporation is being treated like some of the big social/political issues like "global warming", gun control, and income "inequality" because they're expedient, convenient, and intangible enough to get people riled up.

Here's the real issue that we're still not hearing: I know without a doubt that many of the people preaching fire and brimstone about Windows XP are the same people who continue to ignore the critical basics I'll rant about until the day I retire such as:
  • Network shares full of sensitive files made available to everyone with a login
  • Mobile devices with ZERO security controls
  • Minimal - and grossly reactive - system monitoring
  • Firewalls with default passwords
  • Laptops storing tens of thousands of credit card numbers and SSNs with no hard drive encryption
  • Open wireless networks for "easy guest access" that provide full access into the back end network
  • Database servers with no passwords
  • Operating systems with weak passwords
  • Numerous cloud services being used without IT's consent or knowledge
  • Physical security control systems with ZERO security controls
  • etc...
Unless and until these people have helped themselves and the others who depend on them fix this low-hanging information security fruit, I'm going to say: Got XP? No problem!

Tuesday, March 25, 2014

68% of workers do this...and we wonder why we have security problems!

I've always believed that information security is a people problem that goes deep into the psychology of how we think. Here's a great example...starting at 0:24:

http://johnmaxwellteam.com/industrious/

This is the basis for why our so-called leaders rise to power, why there's a gap between the haves and have-nots, and why so many "ailments" afflict society. Many people simply don't believe in themselves and have no desire or motivation to get any better.

Are you going to let this drive your information security program!?

Is this as good as you're going to get or are you going to get any better?

As Og Mandino said, "Use wisely your power of choice."


Thursday, March 13, 2014

HIPAA compliance lip service

Here's an example of the lip service (security theater) people give to compliance and information security found on display at one of those giddy-over-regulations retailers:



Really, who's certified? How are customers to know what this means?

Checkbox checked...all that matters.

Good stuff.