
Cybercrime: Are you prepared for it?

Like everything else, technology has its ugly face, which can no longer be ignored. With every patch released for a particular weakness being followed by the next exploit almost immediately, you can never be sure that your systems, your processes, your business and ultimately the economy are in safe hands. How good it would be if technology alone could be trusted to secure us completely. Unfortunately, that's not the case.
With a wholesale increase in internal employee fraud, gone are the days when a firewall, an IDS or other security devices alone could protect our networks and systems. As per the 2010 Cyber Security Watch Survey, insiders were rated the second largest threat after hackers, and also the worst, since they are mostly silent and hence difficult to detect. Even a long list of policies, procedures and safe practices falls short owing to a small mistake, intentional or unintentional, by an employee. Throwing money at the problem every time does not solve it. You may invest millions in building thousands of security controls, but a minor inexpensive measure, if not taken, may cost you a fortune. As per the survey report, the most often neglected simple measures are listed below:
1. Patch Management: With ever-growing business requirements, the number of software products and applications fulfilling them increases, with a single constant governing their complexity: the number of available patches. Each software vendor releases a large number of patches continuously. The grave problem in many organizations is that the need for a patch is not realized until the business is impacted. The strategy adopted is often reactive rather than proactive. The requirement for a particular patch is at times realized six months after the patch has been released.
The other problem is unmanaged changes. Patches, if not validated, approved and tested in a disciplined manner, may cause other business functionalities or controls to break or malfunction. The challenges faced in patch management are affected by compound factors like the volume and complexity of patches, speed of implementation, impact on business, the events driving the need and environment changes.
Hence, an ongoing proactive process should be followed to identify the available patches, determine the organization's need, validate, test and implement them, and continuously monitor the patches for compliance.

2. Log Analysis: Improper log analysis is a cause of many unauthorized and suspicious activities going undetected. Logs are often analyzed just for complying with regulatory and legal requirements. While focusing on compliance, an abnormal event is at times ignored. Organizations should set up rules to perform continuous analysis of daily logs to detect, alert on and act upon any suspicious activity found. While doing this, the business-critical assets, and the activities performed on them or by them that need to be monitored, should be identified first. Also, a baseline for security configuration settings should be developed for each device or type of device within the organization, and any violation of these settings needs to be alerted on. All network, system and critical server logs should be closely monitored to understand the implementation and health of security controls within the organization and their compliance with organizational policies and procedures.
3. Privilege Restrictions: Unmanaged user roles and privileges are like the open doors of a treasury, and can be escalated to gain control of critical systems within an organization. User roles and the privileges assigned to them, if not managed and reviewed periodically, may lead to privilege escalation attacks. Internet-facing services are riskier and hence need foolproof protection against privilege escalation. There may be a few services, like SSH, used in the organization which require complete security throughout their life cycle. All such critical services and business-critical applications should be identified. A list of the different users that require access to these services or applications should be prepared, and privileges should be judiciously assigned based on their roles, following the "Principle of Least Privilege". Such lists need to be approved, authorized and regularly reviewed.
4. Password Expiration: In spite of the thousands of things said, written, talked about and published on password security, needless to say, the lack of awareness still persists. Password policies of different organizations have many aspects in common, like the number of characters, password history, the types of characters, etc. But the expiration period often varies between organizations: 30 days, 45 days, 60 days or 90 days. The password expiration is always recommended to be set depending on the value of the data to be protected. Some even suggest never expiring passwords, rather than making them weaker by users adopting unsafe practices to choose new passwords and to remember them. Too short a password expiration period may cause user inconvenience, leading to an increase in the number of helpdesk calls for password resets. On the other hand, too long a period has its own disadvantage of the password being compromised due to user negligence or other reasons.
There is no standard definition for password aging periods. The organization should set the expiration period by striking a balance between data protection, password safety and user convenience.
5. Termination of Former Employees: Of late, cases of access controls being broken by terminated employees are on a constant rise. Disgruntled employees taking revenge by deleting all of the company's data, by hacking their own company's systems or by leaking the company's confidential information are often heard of. Despite many security controls being in place, improper removal of the access rights of employees who have been transferred, terminated or have resigned may lead to huge loss to the business. The amount and severity of the loss depends on the position, roles and responsibilities of the employee and the privileges assigned to him/her. Organizations should follow a well-defined termination procedure, with a separate checklist for the IT department for removal of access rights from the different systems. Such removal should not be delayed for any reason and should be the top priority on the termination of an employee.
The list of access rights on all systems and applications should be prepared, updated and constantly reviewed.
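Added example (my code, not the post's): the log-analysis point above (alert on any deviation from a per-device security baseline) and the termination point (access that should already have been removed) as two small detection checks in Python. The device names, baseline settings, log layout and termination list are all constructed for illustration.

```python
import re
from datetime import date

# Constructed baseline of required security settings per device type (not from the post).
BASELINE = {
    "linux-server": {"ssh_root_login": "no", "password_max_age": "90", "audit_enabled": "yes"},
    "firewall": {"default_policy": "deny", "logging": "on"},
}
# Constructed settings as collected from three devices: name -> (device type, settings).
OBSERVED = {
    "web01": ("linux-server", {"ssh_root_login": "yes", "password_max_age": "90", "audit_enabled": "yes"}),
    "db01": ("linux-server", {"ssh_root_login": "no", "password_max_age": "365", "audit_enabled": "yes"}),
    "fw01": ("firewall", {"default_policy": "deny", "logging": "on"}),
}
# Constructed termination list: account -> date from which its access should have been removed.
TERMINATED = {"jsmith": date(2009, 6, 1)}
# Constructed sshd log lines in a simple "date time host process: message" layout.
SAMPLE_LOG = """\
2009-06-03 08:12:01 web01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
2009-06-03 22:41:17 db01 sshd[3310]: Accepted publickey for jsmith from 10.0.0.9 port 40211 ssh2
2009-06-04 09:03:44 web01 sshd[2290]: Failed password for root from 10.0.0.77 port 50011 ssh2
"""
ACCEPTED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)

def baseline_violations(baseline, observed):
    """Return (device, setting, expected, actual) for every setting that deviates from its baseline."""
    findings = []
    for device, (dev_type, settings) in observed.items():
        for key, expected in baseline[dev_type].items():
            actual = settings.get(key, "<missing>")  # a missing setting is also a violation
            if actual != expected:
                findings.append((device, key, expected, actual))
    return findings

def terminated_user_logins(log_text, terminated):
    """Return (date, host, user, ip) for successful logins by accounts that should already be disabled."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)  # only successful logins matter here; failures are skipped
        if m and m["user"] in terminated and date.fromisoformat(m["date"]) >= terminated[m["user"]]:
            hits.append((m["date"], m["host"], m["user"], m["ip"]))
    return hits

if __name__ == "__main__":
    for f in baseline_violations(BASELINE, OBSERVED):
        print("BASELINE VIOLATION: %s %s expected=%s actual=%s" % f)
    for h in terminated_user_logins(SAMPLE_LOG, TERMINATED):
        print("TERMINATED ACCOUNT LOGIN: %s on %s user=%s from=%s" % h)
```

Both checks are meant to run on every day's collected settings and logs, so a deviation or a stale account is raised the day it appears rather than at the next compliance review.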


9th June 09 - Patch Tuesday

Well, as always, Microsoft has vowed to keep us busy by releasing critical patches. The list this Tuesday is as follows:

MS09-018


Feds can LoJack mobiles without telco help

Well, a small post goes in here describing the triggerfish technology and why it has created a buzz this summer.

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location.


Worm:Win32/Conficker.A (MS08-67)

An article at Microsoft gives technical details of Worm:Win32/Conficker.A, which is supposed to be in the wild.

The details can be briefed as follows:


Ten essential Linux office apps


I came across this generalised list of the 10 most essential Linux office applications. The software listed here is simple to use, reliable, (mostly) scalable, and business ready. Of course, this is a generalised list. Far more specialised office-type software is available on the Linux platform. One of the best places to look for such software is in your Install Software tool, such as Synaptic or Yumex (the tool you have will depend upon the distribution you use). Look through the various categories (a good place to start is the 'Office' category) to find what you need.


Fresh air instead of air-conditioners in datacenters??

Using only fresh air instead of air-conditioners in a datacenter environment seems to be a good idea in terms of the amount of money saved. ACs consume a huge amount of energy in a datacenter environment. Instead, piping in fresh air from outside and expelling the hot air can keep the Intel servers within their threshold temperatures and thus make drastic savings. Intel carried out this experiment in its datacenter for around 10 months, and the failure rates of the Intel servers were not affected much. But will corporates take the risk and plan to adopt this new technique for Intel servers? Small datacenters can go ahead and try adopting this technique, while the big giants can leap in later after market feedback.

More @ Free Cooling for Data Centers – video and whitepaper