You can't secure what you don't acknowledge.SM

Wednesday, September 8, 2010

Security's not just an executive decision

I recently came across this quote by Peter Drucker that struck a chord:

"Most discussions of decision making assume that only senior executives make decisions or that only senior executives' decisions matter. This is a dangerous mistake."

It reminds of how certain executives decide that information security is something that doesn't affect their business regardless of what others are telling them. I'm sure many of these executives' subordinates are ready and willing to prove otherwise.

Business leaders: get the right people together and figure out how information risks affect your business...they do.

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

Here's a piece I wrote on information security careers and what's best for getting ahead:

What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?

If you want to learn more on the go, I also have a Security On Wheels audio program on this topic that picks up where my article leaves off:
Certifications, Degrees, or Experience - What's Best for Your Security Career?

Good rule of thumb for information security

Thomas Jefferson once said:

"Learn to see in another's calamity the ills that you should avoid."

If you want to manage information risks and keep your business out of hot water I can't think of a better principle to work by.

Tuesday, September 7, 2010

The key to accurate and insightful Web security scans

You've likely found that Web vulnerability scanners aren't just point-and-click. Maybe so for relatively simplistic marketing websites but not for complex applications. In fact, one of the greatest ways to get a grand false sense of security is to turn a Web vulnerability scanner loose on your site/application and assume everything of consequence has been discovered and audited.

The thing is we're now seeing an entirely new set of Web applications that just aren't that simple to assess with an automated tool. Be it an online survey, e-signing application, or e-commerce system if the scanner doesn't know where to go (or client-side Web 2.0 code trips it up) you're going to get a whole lot of nothing in the results column.

Making the problem worse is the fact every application is different...often vastly different. Not just the platform and the coding but the logic and the workflow. It's all those manual clicks in/around the app combined with tons of Ajax, Flash, and other code that's almost impossible for a scanner to traverse that really complicates things. And it's a problem that's not going away.

There's one Web vulnerability scanner that has always helped to take the pain out of this process - at least as long as I can remember. That scanner is HP's WebInspect. Performing a manual scan using WebInspect is very simple: you load up a new scan, tell it you want to perform a "Manual Crawl" as shown in the following screenshot and you're good to go.

Once you kick the scan off, WebInspect automatically loads Internet Explorer for you to step through the application. Meanwhile, in the background, the scanner captures every page you browse to, every input you provide (login credentials included), and every script that's run. Once you're done you simply close out Internet Explorer and WebInspect should complete its crawl (you may have to click Finish). If the application logs the scanner out, WebInspect will automatically log itself back in.

[Side note: This assumes that Default Audit Mode under Edit/Application Settings/Step Mode is set to Manual Audit (which I prefer). Otherwise the audit will have already started during the crawl phase and may complete (you sometimes have to pause the scan and restart for it to complete)].

Once that's done, you'll then click the red Audit button, select the audit policy you want to use, and WebInspect will continue on testing the pages it crawled for vulnerabilities. That's it.

It's still up to you to know and understand the logic and workflow of the application you're assessing. If you don't step through the application in the right ways or overlook critical parts of it, you can't blame the scanner for not providing good results. It will if it knows where to look and what to look for.

Bottom line: you absolutely cannot rely on the results of a basic Web "scan" in the name of PCI DSS compliance or whatever. You have to use a good all the right ways. No one ever said it was easy. But done right, the payoffs are worthwhile.

Monday, September 6, 2010

Securing and hacking Windows go hand in hand

Computer hacking concepts extend to every nook and cranny of what we work with on a daily basis. Front and center are Windows-based servers. A large part of what I do in my work performing internal security vulnerability assessments - a.k.a. pen tests and audits - involves Windows servers. There's so much you can do to build up Windows server security and so much you can take to bring it down. I recommend both approaches. Here are two pieces I've written that cover each:

The very best Sysinternals tools for Windows server security

Step-by-step guide: Hacking Windows file servers