We all love our browsers and the things they are able to do for
us. For the general user they make it possible to check Facebook,
google for something, and the list goes on and on. A lot of these
people will also have little browser add-ons that they use to enhance
their internet experience. While this is great and all, there are
still issues that need to be addressed from a security standpoint.
Security professionals are having to deal with new types of attacks
that are very different from your standard username and password
attacks. Everything from the secure connection to the server, ActiveX,
buffer overflows, CGI scripting, cookies, cross-site scripting, input
validation, Java applets, JavaScript, and popups makes even the most
security-aware person check their knowledge twice about just how
secure they are when browsing the internet.
Just how safe am I and are these issues really relevant to me?
Being secure in an insecure environment is the end goal here. One
of the first things you can do is use Secure Sockets Layer and
Transport Layer Security (SSL/TLS). This is most interesting to me as
you will still see a lot of sites that just don't want to use https
for their clients. The way I look at it is that if you are not looking
out for the protection of my data, why would I do business with you?
Even for your internal network it is important to implement https.
Programs are available that listen to the network and then give you a
list of the usernames and passwords they find during the course of
just sitting there. Yes, switched networks help to mitigate this, but
they are not an end-all solution. There are even browser extensions
(as we are on the subject) that check if a website has https
functionality and will switch you to its secure connection for you.
Cost is always a factor. Why pay for certificates for your internal
network when it's just employees logging in? Because credentials are
still being sent in clear text. Recently I read a forum post where
they said 99% of their company had gone to wireless connectivity and
they were loving it. The security portion of my brain immediately put
up a red flag and worried very much for their company. Here is the
deal (and a topic for another discussion): wifi packets can still be
captured now and decrypted in the future. So you may be secure right
now, tomorrow, or even next week, but what if the encryption is broken
tomorrow? Your competitor or enemy could have been gathering packets
for this very moment to happen, and now all your secrets are theirs
because they had been collecting packets for the last 6 months.
Anyway, moving on with browser add-ons...
Add-ons provide additional functionality in your browser that
makes for a better user experience. The problem is, things like buffer
overflows and CGI scripts can cause havoc on systems that are not
hardened. Some user interface sites were never designed with much
security in mind as they were only supposed to be used by the
programmers and their co-workers. Fast forward a few years down the
road and now someone has decided it would be good for the entire
company to use. Now you have an interface that could be subject to
buffer overflows due to a lack of input validation, or CGI scripts
that are executing malicious code because they are set up to allow
crazy permissions.
I recently added an add-on for my browser to keep people from
tracking me. While not all tracking is done with cookies, they are
still a common method for data miners to push advertisements on you.
The same thing applies to cross-site scripting, as a site you visit
may choose to do a little digging of its own to see what you are
currently looking at in other tabs. Taken one step further, they could
even use your session to get into a site in the background that you
don't even know about.
Some add-ons are good and some can create a problem. Either way,
it would be in your best interest to get some of the good ones so
that you can protect yourself from potential threats.
-- Joe McShinsky
Saturday, August 6, 2011
Monday, August 1, 2011
Security+ Topic - Access Control
So let's talk a little about access control, specifically the
technical aspect of determining which information should be allowed
to interact with other information or users. This could be anything
from servers getting resources, a cross-connect in a database table,
or an application requiring some sort of access to work. It's not
only limited to the technological side though. There are still
people to take into consideration, as they have needs that may go
beyond a simple login to their computer. Without being too specific
about an operating system, there are measures called access control
lists that help take care of what can and cannot be accessed. These
can be found on almost any piece of equipment that has to deal with
multiple users or access control.
What does this mean for you?
First of all, it means you need to check yourself. You put security measures in place for a reason, right? Test them. Oh, you just have a firewall and you think you're good? Let's take a look at that then. What are you wanting to protect? What is the risk analysis for what is on your network or the work done by employees on your network? How are attackers or inside threats going to get into your network? Do you have accounts without passwords? Are internal servers viewable from the outside? Let's face it, you could ask yourself what-if questions all day long. The big thing here is that you take a real hard look at what is going on with your network. It's easy to overlook something when you have been dealing with the same network for the last year. There are little things that you know in the back of your mind that you are going to address, or that are not that big of a deal, but when a third party comes in and takes a look at your network they see them as holes for attack.
I worked for a company a while back that had to be in compliance with processing credit card data. When we started this new project it made me a bit nervous, as I was worried about a data breach. I had to make sure I took an attacker's point of view to cover as many bases as I could. This turned out to be a continual process also. I am a huge fan of the Nagios monitoring software, and so that is what I use to make sure certain things are working or not working on my network. Even though it has a wealth of plugins to monitor the network, I have chosen to write custom scripts that will check for things that are not working as well.
For the risk analysis of my internal network I chose very specific outside DNS servers in order to mitigate my DNS hijacking risk. In order to enforce this I then applied firewall rules that denied any DNS traffic unless its destination was one of those specific DNS servers. To bring this full circle I then told Nagios to check a few DNS servers on the internet. If the DNS server was one of the ones I said are ok then the check returned ok, and if the check failed against an unauthorized server then it was ok also. The second half to this is that if an unauthorized DNS server responded then I know that a firewall rule got messed up or another rule allowed it (top-down design).
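The check described above, written out as a Nagios-style plugin. This is an added example, not the author's own script: it sends a minimal DNS query to a handful of resolvers and grades each answer the way the post describes (an approved resolver answering is OK, an unapproved resolver timing out is OK because the egress rule is doing its job, an unapproved resolver answering is CRITICAL because a rule was broken or bypassed). The addresses in `AUTHORIZED` and `PROBES` are TEST-NET placeholders to be replaced with your own approved resolvers and probe targets; treating "approved resolver does not answer" as WARNING is also an assumption, since the post does not say what it did in that case.

```python
#!/usr/bin/env python3
"""Nagios-style DNS egress check (added example, not the post's code).

Policy it enforces: the firewall should only let DNS out to the approved
resolvers. We probe a mix of approved and unapproved resolvers and report
the worst result using Nagios exit codes.
"""
import random
import socket
import struct
import sys

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Placeholder addresses (TEST-NET ranges, RFC 5737). Replace with your own.
AUTHORIZED = {"192.0.2.53", "192.0.2.54"}          # resolvers the firewall permits
PROBES = ["192.0.2.53", "198.51.100.1", "203.0.113.1"]  # one approved, two not


def build_query(name, txid):
    """Build a minimal DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def is_response_to(packet, txid):
    """True if `packet` is a DNS response (QR bit set) carrying our transaction id."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)


def probe(server, name="example.com", timeout=2.0):
    """Return True if `server` answered our query on UDP/53, False on timeout or error."""
    txid = random.randrange(0, 0x10000)  # random id so a stray packet can't spoof an answer
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    return is_response_to(data, txid)


def classify(server, answered, authorized=AUTHORIZED):
    """Map one probe result to a (state, message) pair following the post's logic."""
    if server in authorized:
        if answered:
            return OK, f"{server} approved and answered"
        # Assumption: an approved resolver going quiet is worth a warning, not an alarm.
        return WARNING, f"{server} approved but did not answer"
    if answered:
        # The firewall should have dropped this; a rule is missing or ordered wrongly.
        return CRITICAL, f"{server} is NOT approved but answered: egress rule broken"
    return OK, f"{server} not approved and blocked as expected"


def summarize(results):
    """Combine per-probe results; the worst state wins, as Nagios expects."""
    state = max((r[0] for r in results), default=UNKNOWN)
    detail = "; ".join(r[1] for r in results) or "no probes configured"
    return state, f"DNS EGRESS {STATE_NAMES[state]} - {detail}"


if __name__ == "__main__":
    results = [classify(s, probe(s)) for s in PROBES]
    state, text = summarize(results)
    print(text)
    sys.exit(state)
```

Run it from Nagios as a normal plugin: the single output line becomes the service status text and the exit code drives the OK/WARNING/CRITICAL state. A bare `socket.timeout` is what a correctly configured firewall produces for the unapproved probes, so the plugin treats silence from those servers as success and only raises an alarm when an unapproved resolver actually replies.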
Each organization has a different risk analysis, and here I presented just a couple of things in order to help you with yours. I hope that you are able to utilize some of this in your own network in order to help protect your domain controllers, web servers, clients, printers, and all sorts of other stuff you have to perform a risk analysis against.
-- Joe McShinsky