You can't secure what you don't acknowledge.SM

Friday, September 5, 2008

My security content from this week

Here are two articles I wrote for Security Technology & Design magazine (a really good trade rag covering both IT and physical security) as well as another piece for Redmond Developer News I was interviewed for. Enjoy!

Get Certified? The real deal with information security training and certifications

10 Ways to Protect Your Web Servers

Despite Help From Microsoft, SQL Injections Remain A Threat



As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcast interviews, webcasts, screencasts and more.

Thursday, September 4, 2008

PCI v1.2 = 802.1x for wireless? Yeah right!

Apparently the new changes in PCI DSS v1.2 (due out in October) are going to require more robust wireless security. As if no new WEP implementations after March 2009 and none at all after June 2010 weren't enough...Wireless must now be "implemented according to industry best practices (e.g., IEEE 802.1x) using strong encryption for authentication and transmission".

Yeah right!! So people using WEP not only have to upgrade their hardware but they've also got to take on the 802.1x beast for authentication and encryption? Maybe in the enterprise but not for SMBs. I suspect we'll either see a lot of wireless-centric PCI violations or SMBs will just yank their wireless altogether. Maybe it's time for me to invest in some of these wireless security vendors.

Hopefully I'm just interpreting the new requirements incorrectly.

Wednesday, September 3, 2008

Upcoming PCI updates and the firewall change management disconnect

I was reading about the upcoming PCI DSS version 1.2 updates and noticed something that struck a chord. It's the requirement to review firewall rules every 6 months instead of every three. Wooo - what a nice break the Council has given everyone. Seriously folks, is anyone really reviewing their firewall rules on a regular basis? I don't mean loading up the PIX or Check Point or whatever interface, scrolling through the rules, and saying "Yep - looks good!". That's not what reviewing firewall rules is all about - at least for most organizations. With such complex configurations and often several people administering the system, good processes and tools have to be used if changes are going to be managed properly and PCI compliance is to be had.

The best way I've found to adequately review firewall rulebases is to use both manual analysis and automated tools to verify that what's in place (or assumed to be in place) is actually working. That means using - at the very least - a port scanner but ideally a network mapper/vulnerability scanner such as QualysGuard to see just what the firewall is allowing and not allowing. Beyond that, one of the most overlooked and underrated means of reviewing a firewall rulebase is using a tool like Traffic IQ Professional. You load it up, connect one interface of your test machine to the inside of the firewall, and another interface to the outside of the firewall, and fire away. It sends packets in both directions to see what can get in and what can get out.

Validating the rulebase like this is the only realistic way to know for sure how traffic is being processed through the firewall. For complex firewall configurations (and outside of a few small businesses, most are) this is an awesome way to test what's really going on...And to help ensure PCI compliance.
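A minimal version of that rulebase validation, as an added example that is not from the post and not Traffic IQ Professional's code: it evaluates a constructed rulebase under first-match semantics, then flags any probe (sent from either side of the firewall) whose observed result contradicts what the rulebase says should happen. The rulebase, addresses and probe results are all constructed sample data.

```python
# Added example: first-match rulebase evaluator checked against two-sided probe results.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    direction: str    # "in" = outside->inside, "out" = inside->outside
    src: str          # source CIDR
    dst: str          # destination CIDR
    port: int | None  # destination TCP port, None = any port

# Constructed sample rulebase (first match wins, implicit deny at the end).
RULEBASE = [
    Rule("permit", "in", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("permit", "in", "198.51.100.0/24", "203.0.113.0/24", 22),
    Rule("permit", "out", "10.0.0.0/8", "0.0.0.0/0", 80),
    Rule("permit", "out", "10.0.0.0/8", "0.0.0.0/0", 443),
]

def evaluate(rules, direction, src, dst, port):
    """Return 'permit' or 'deny' for one packet under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction != direction:
            continue
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"  # nothing matched: implicit deny

def find_discrepancies(rules, observations):
    """observations: (direction, src, dst, port, reached) tuples from probes sent in
    both directions. Returns each probe whose outcome contradicts the rulebase."""
    mismatches = []
    for direction, src, dst, port, reached in observations:
        expected = evaluate(rules, direction, src, dst, port)
        actual = "permit" if reached else "deny"
        if expected != actual:
            mismatches.append((direction, src, dst, port, expected, actual))
    return mismatches

# Constructed probe results, standing in for what a two-sided packet tester reports.
OBSERVED = [
    ("in",  "192.0.2.50", "203.0.113.10", 443, True),   # permitted, as written
    ("in",  "192.0.2.50", "203.0.113.10", 22,  True),   # got through; rulebase says deny
    ("out", "10.1.2.3",   "192.0.2.9",    80,  True),   # permitted, as written
    ("out", "10.1.2.3",   "192.0.2.9",    25,  False),  # blocked, as written
]
```

Running `find_discrepancies(RULEBASE, OBSERVED)` returns only the second probe, the inbound SSH connection that reached the host even though no rule permits it from that source.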

While I'm on the subject...if you're looking for a good set of firewall best practices, check out my Firewall Best Practices document.

In search of a good personal firewall...

Ever since my all-time favorite personal firewall - BlackICE - went away, I've been searching for a product that could fill its shoes. I'm still searching...and it's a pain. Thanks ISS!!

Anyway, I came across this "Firewall Challenge" site that compares the well-known and not so well-known personal firewall products, shows test results along with vendor responses, and gives a yay or nay on whether or not the product is recommended. Use your own judgment since reviews can be subjective and may not look at the whole picture (usability, pricing, general annoyances, etc.) but this is still a useful comparison.

Tuesday, September 2, 2008

Questions posed to me about security testing

Here's a recent question posed to me regarding firewall assessments that you may benefit from:

"I am currently running a security assessment in my company for all Cisco ASA firewalls and I would like to know if you have some sort of a guideline or a "recipe" that you are following as to what one needs to look for when performing a security assessment. That is, security flaws, loopholes, best practice, etc. I would appreciate any help you can provide me with."

Here's my response:
"...This is something that an entire book could be written about. In a nutshell, you should treat a firewall like any other host by scanning it and pounding on it to see what it can divulge. Don't forget to poke around on the web and telnet/SSH interfaces as well. That's where I find most firewall vulnerabilities. Check out Traffic IQ Professional - it's a very good tool for analyzing firewall rulebases, etc. in this context. If you haven't already, also check out my Firewall Best Practices document that's got some pointers in this area. Also, stay tuned to my Security On Wheels audio programs and blog for more tips/tricks in this area..."

Another thing I forgot to mention to this reader is that my book Hacking For Dummies outlines the methodology that should be used when testing for security flaws. I cover firewall testing in it as well. Check it out:

My security content from this week

Here's a piece I wrote for SearchDataBackup.com (a new TechTarget site I'm now writing for):
Change management and disaster recovery

...as well my thoughts on the latest and greatest version of BackTrack (a tool you've gotta get familiar with):
Free security testing toolkit review: BackTrack 3

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcast interviews, webcasts, and screencasts.