About Mary Rose Maguire

Mary Rose Maguire was the Marketing Communication Specialist for MicroSolved, Inc. and the content curator for the State of Security blog, MSI's website, and social media.

HoneyPoint a Semi-Finalist for Innovation Awards in Columbus


MSI is proud to announce their nomination in the annual Innovation Awards, sponsored by TechColumbus, which recognizes outstanding achievements in technology leadership and innovation. HoneyPoint, MicroSolved’s flagship software, has been nominated for Outstanding Product for companies with 50 employees or less.

On Thursday, February 4, 2010 the annual TechColumbus Innovation Awards will showcase Central Ohio’s many achievements by honoring its top innovators. It is a night of networking, prestige, and celebration.  From a record number of nominees, winners in 13 award categories will be announced to an audience of 1,000+ attendees.

MicroSolved, Inc. is proud to be a Semi-Finalist in the Outstanding Product category. “It is an honor to be a Semi-Finalist for this award and to be recognized for our innovations. We look forward to the event and being surrounded by our peers, colleagues and mentors to learn if we will be named Outstanding Product,” commented Brent Huston, CEO and Security Evangelist.

Huston developed HoneyPoint Security Server three years ago, motivated by a keen desire to break the attacker cycle. Huston concludes, “Attackers like to scan for security holes. HoneyPoint lies in wait and traps the attacker in the act!”

The TechColumbus Innovation Awards celebrate the spirit of innovation by recognizing outstanding technology achievements in Central Ohio. This prestigious evening showcases the region’s advancements and promising future. For more information, visit http://www.techcolumbusinnovationawards.org. For more information on HoneyPoint, please visit http://microsolved.com/2009/HoneyPoint.html.

Detection, Prevention Best Measure for Risk


For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS Institute (SysAdmin, Audit, Network, Security) at least asks for good things, too. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. It is human nature to focus on the shortcomings.

We have to create rational security. Yes, we have to protect against increases in risk, but we have to realize that we have only so many resources and risk will never approach zero!

We recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again.

Thus, the decision was made to focus not on mitigation of the risk, but on minimizing it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day, and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12-hour cycle where critical data was being processed and services performed.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been far less than if they had taken the “turn and burn” approach.

Rational response to risk is what we need, not gloom and doom. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have rational approaches to solving the security problems will they likely start listening again.

3 Tips to Improve Your Organization’s Application Security

Did you know that 65% of all reported attacks in 2007 were in the application layer, according to the FBI? Applications are the new playground for hackers and with more apps being developed daily, it makes for one very tempting area for the bad guys. Let’s look at three ways you can make a difference in blocking these attacks:

  1. Integrate Application Security into the Software Development Life Cycle (SDLC). Add security to the following phases: requirements, business impact analysis, functional testing, and quality assurance. When you improve your SDLC in this way, you will catch red flags during the designing phase and not later. You’ll also ensure that the security team recognizes the impact and interactions necessary for security and increase the consistency in maintaining standards.
  2. Get Proactive – Develop programming standards, embrace development frameworks, create baselines for internal and external applications, create testing procedures, and make sure to publish this information internally.
  3. Educate Developers – This is the most important strategy. It can eliminate a significant number of vulnerabilities by providing an ongoing general awareness. Deep training for leaders will build a strong foundation for training teams who will be empowered to implement a stronger appsec program. Helping developers evaluate outdated applications, for instance, will go a long way toward preventing any potential vulnerabilities from being exploited.

SQL injection and XSS alone account for 32% of all incidents! More web applications are being developed, which means more targets for the attackers. The threats are data loss, regulatory and legal issues, a loss of customer confidence, a loss of system/network control, an increase in bots, phishing expeditions, and malware. By following these tips, you will significantly decrease the number of attacks.

Evaluating your frameworks can really help with determining outdated software that would affect your applications, both internal and external. Should you have any questions about the tips or desire additional assistance in the design of your appsec program, please don’t hesitate to contact MSI for help.

Penetration Testing vs. Vulnerability Assessments

Some think penetration testing and vulnerability assessments are one and the same. However, this isn’t true. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

A vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The IT department submits the information regarding the system as opposed to an internal or external person hacking into the network. When a company hires us to do a vulnerability assessment, they have given the team specific parameters for the assessment.

Brent Huston, CEO for MSI says, “A penetration test cannot be expected to identify all possible security vulnerabilities, nor does it offer any guarantee that an organization’s information is secure. But penetration testing can serve as a start for pinpointing a system’s security vulnerabilities.”

So what are some of the areas a penetration tester might explore? An organization’s intranet is an attractive target. So is an internal phone system or database. What is becoming more vital than ever is a consistent schedule of testing. Penetration testing can no longer be done just once a year to give an accurate assessment of an organization’s vulnerabilities. There are new exploits released daily. Adding new services can also create the opportunity for a new breach. Let MSI help you arrange a subscription service for you!

7 Areas of Concern With Cloud Computing

One of President Obama’s major initiatives is to promote the efficient use of information technology. He supports the paperless office ideal that hasn’t been fully realized in the Paperwork Reduction Act of 1995.
Specifically mentioned is Federal use of cloud computing. So good, bad or indifferent, the government is now moving into the world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

Patrick Stingley is the CTO of Federal Cloud for the Federal CIO Council (the Federal Chief Information Officers Council, codified in law in the E-Government Act of 2002). At the Cloud Computing Summit on April 29, 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.

Here are seven problematic areas of cloud computing for which solutions need to be found:

  1. Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  2. Lack of standards – The National Institute of Standards and Technology (NIST) is getting involved, but standards are still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect of this on security!
  3. Security and compliance – Security offerings for data at rest and in motion are limited, and there are no agreed compliance methods for provider certification (e.g., FISMA or Common Criteria). Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  4. Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  5. Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  6. Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  7. Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and making them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking for a straightforward conversation in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.

Book Suggestions and Resources for Cloud Computing


There is a growing amount of information regarding Cloud Computing. Here are some resources that can help your organization sift through “the cloud.” They are:

Cloud Computing: Implementation, Management, and Security by John Rittinghouse and James Ransome

Cloud Application Architectures: Building Applications and Infrastructure in the Cloud (Theory in Practice (O’Reilly)) by George Reese

Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online by Michael Miller

What to look for in a Cloud Computing SLA

Security Challenges for Cloud Computing Services

Open Cloud Manifesto

85 Vendors Shaping the Emerging Cloud

Cloud Security Alliance

Cloud Computing Journal

McKinsey Cloud Computing Report Conclusions Don’t Add Up

These articles focus on the different issues concerning cloud computing such as security, access, and development of standards. Cloud Computing is a strong emerging technology. Check out these articles and books in order to stay informed and leverage the benefits while avoiding the pitfalls of safe data storage.

3 Browser Security Tips for End-Users


Browser security continues to be an absolutely vital part of providing safety and privacy to end-users and their systems. Browser-based attacks are easily the most common threat on the Internet today. Attacks range from old-style traditional exploits like buffer-overflows to modern, sophisticated attacks like Active-X injection, drive-by downloads of malware and exploitation of cross-site scripting attacks and other web applications issues to steal user credentials or even install arbitrary code. Users want Web 2.0 features and often choose performance and user-friendly functionality over safety and privacy.

Here are a few tips for end-users to make their browsers as secure as possible.

1. Keep your browser up to date.

This is the easiest of all the steps. It is also the one that removes the easiest of exploits from the attacker’s arsenal. Updates are issued periodically by all the major browser makers and often close a number of known security issues. Many of the browsers have built-in auto-update capabilities, so if your browser has this, make sure it is turned on. If you are a user of Internet Explorer, the updates are delivered as a part of the regular Windows Update process. This can be configured to automatically execute as well. Modify your current settings using the same Control Panel interface as the firewall configuration.

2. Harden your browser against common attacks.

This is a very powerful process as well. It will make you safer by an exponential amount. However, the side effect will be that some web sites may not work properly.  Generally though, there is a fantastic guide to making these configuration changes here. It was created by CERT and walks users through browser hardening, step by step. Follow their instructions and you will get a much safer browsing experience.

3. Be aware of social engineering tactics.

Even if you do follow the other two steps, social engineering will still be a possibility. Attackers use social engineering to trick users into doing things that they should not do, like opening a file, divulging their passwords, etc. You should always remain aware of social engineering tactics and strategies. Many of them are covered in the definition page linked above. Another good place to keep current on emerging social engineering attacks is the SANS incident center. They routinely cover emerging threats against both corporate and end-user systems.

So, there you have it. Three tips, that once enacted and followed, will make browser security a much more attainable process.

Resources to Prepare Your Organization for the H1N1 Virus

This month, we decided to share with you resources that can help you better prepare your organization for the H1N1 Virus. They are:

Protecting Your Business in a Pandemic: Plans, Tools, and Advice for Maintaining Business Continuity by Geary W. Sikich.

Pandemic Influenza Planning: A Step-by-Step Guide For Businesses and Local Governments by Vernon Dorisson

Tamiflu® Office Preparation for Influenza Season

Tamiflu® Flu Tracker

Centers for Disease Control and Prevention: 2009 H1N1 Flu

CDC: Novel H1N1 Flu (Swine Flu) and You

Association of American Family Physicians: Preparing Your Office for an Infectious Disease Epidemic

HR Issues and Answers: Preparing Your Workplace for an Influenza Pandemic

Most of these articles emphasize the same thing: create a plan for employees who will be absent due to illness, avoid getting sick by using caution and appropriate measures, and, if infected, stay home and avoid contact with others.
If you have a supervisory role, you may want to review your staff’s responsibilities individually, especially those who are the only ones who know how to complete a task, such as rebooting the server or opening a locked area. A little cross-training could save you any confusion down the road.

MicroSolved’s Brent Huston Interviewed by [IN]SECURE Magazine

[IN]SECURE Magazine, the fresh and innovative online magazine from Help Net Security (HNS), features a great article from Brent Huston, “How ‘Fake Stuff’ Can Make You More Secure.” Brent presents a compelling reason why organizations would benefit from utilizing honeypot techniques to protect their data.

You may download the article here.

Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters to a large number of Information Technology readers specifically interested in computer security. For the entire September issue of [IN]SECURE Magazine, you can download it here. Great reading!

Announcing A Special InfoSec Community Site: InfoSec Junkyard Dogs!

We are excited to announce a special, online community we’ve developed especially for you. This site will be open for a limited time and will provide a great place to connect with other security professionals both from here and around the world. We also have a “Gas Card Giveaway!” Sign up early and have a chance to win either a $50, $25, $15, or $10 Gas Card. We’ll be giving away one gas card per day, for the next four business days: Wednesday August 26, Thursday August 27, Friday August 28, and Monday August 31.

Enjoy the last “dog days” of the summer by joining our new community! Click here to view the details in a PDF. See you online!