Archive for the ‘Security Management Tips’ Category

Security Shifts to Data

Thursday, February 15th, 2007

Eric Lundquist, in a February 5 eWeek article, tells a story that is near to my heart–it’s about the data, stupid.  For years security has been focused on system or device protection.  This must change.

Our goal as security professionals is to protect the confidentiality, availability, and integrity of the data.  This means protecting it at rest and in motion.  Protecting your HR servers doesn’t do much good if your employees’ PII (personally identifiable information) is compromised through storage or LAN/WAN access control weaknesses.  Carrying this a bit further, IM and email transfer of sensitive information completely bypasses any device or perimeter security that isn’t specifically designed to filter and block/alert on sensitive information moving into insecure areas, like the Internet or internal systems at lower trust levels.
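As an added illustration (not from the original post) of the content inspection the paragraph calls for, the following Python checks an outbound IM or email message for two common PII patterns and decides whether to alert or block based on the destination's trust level; the regexes, thresholds and sample messages are constructed for this example.

```python
import re

# Constructed example: inspect a message leaving toward a lower-trust zone
# and alert or block when it carries PII. Patterns and samples are illustrative.

# SSN: three-two-four digits, skipping area numbers never issued (000, 666, 9xx).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card: 13-16 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum; cuts false positives on random 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(message, destination_trust):
    """Return (action, findings) for a message bound for a zone whose trust
    level is "internal" or "external". External leaks are blocked, internal
    moves to a lower-trust system only raise an alert (assumed policy)."""
    findings = []
    if SSN_RE.search(message):
        findings.append("ssn")
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("card")
            break
    if not findings:
        return "allow", findings
    return ("block" if destination_trust == "external" else "alert"), findings

# Constructed outbound traffic: (channel, destination trust, message body).
SAMPLES = [
    ("IM", "external", "hey can you run payroll for SSN 123-45-6789 today?"),
    ("email", "internal", "card on file is 4111 1111 1111 1111, exp 12/09"),
    ("email", "external", "order ref 1234 5678 9012 3456, ships Monday"),
    ("IM", "external", "call me at 555-123-4567"),
]

def scan_samples():
    """Run the filter over the constructed traffic; returns (channel, action)."""
    return [(chan, classify(msg, trust)[0]) for chan, trust, msg in SAMPLES]
```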

New ‘Drive-By’ Attack Is Remote

Thursday, February 15th, 2007

In a February 15 Dark Reading article, Kelly Jackson Higgins reports on a proof-of-concept attack against broadband routers.  In this attack, called drive-by pharming, attackers gain web access to home or business broadband equipment by using manufacturer default passwords.  This attack vector differs from war driving because the attacker doesn’t have to be anywhere near the target device.  The best defense is to ensure all default passwords are changed when implementing broadband routing equipment.



Protect yourself from the byproducts of software piracy

Thursday, February 15th, 2007

It isn’t news that software piracy is a big problem for software vendors.  Illegal use of applications has been going on since the first PC rolled off the line.  What might be news, however, is the negative impact piracy might have on the Internet and on your company network.




Check out my book, Just Enough Security, at

Additional security management resources are available at

My podcasts –>

Free security training –>

Public Instant Messaging Scanning Service

Monday, March 27th, 2006

By Cara Garretson, Network World, 03/20/06

“Web security company ScanSafe this week plans to announce a new service aimed at protecting instant-messaging channels from viruses, spam, and other threats, as well as enforcing policies across this increasingly popular communications mechanism.”



Ransomware Password Revealed

Monday, March 27th, 2006

A trojan horse virus is spreading across the Internet that encrypts Word documents, spreadsheets, and databases.  It then leaves a file demanding $300 in return for the password necessary to decrypt the ransomed files.  However, technicians at Sophos have extracted the password (yes, it looks like a path name):

C:\Program Files\Microsoft \Visual Studio\VC8

This kind of attack seems to be growing.  So keep those anti-virus and firewall programs up-to-date.


Author:  Tom Olzak




DNS Cache Poisoning: Definition and Prevention

Thursday, March 16th, 2006

The Internet would grind to a halt – would not be possible – without a Domain Name System (DNS).  As you’ll see in this paper, the proper operation of DNS is fundamental to the maintenance and distribution of the addresses for the vast number of nodes around the globe.  So it would be too much to hope for crackers (malicious hackers) to ignore DNS as they continuously look for new ways to circumvent your security.  There are several facets to DNS security. 

In this paper we focus on one of the most dangerous types of attack – DNS cache poisoning.  To provide a complete picture of this threat, we’ll explore how DNS works, two ways crackers facilitate cache poisoning, what impact this type of attack can have on your organization, and steps you can take to protect your information assets.

Download this paper

Author:  Tom Olzak 



CipherTrust Toolbar to Protect Email Users

Sunday, March 12th, 2006

Last week, I wrote a blog article about the growth of SPF and Sender ID technology in the fight against unwanted email (spam, phishing, etc.).  It appears that CipherTrust is taking advantage of its own implementation of these standards to help make the Internet a safer place – at no cost.

On Monday, March 13, CipherTrust plans to make available for download a free toolbar for Outlook and Lotus Notes email users.  The toolbar will be available from the CipherTrust Research Portal, which will also launch Monday.

This is the way it works:

  1. The user clicks on an email
  2. The CipherTrust toolbar program sends the IP address of the sender to a CipherTrust hosted server running the TrustedSource reputation engine for analysis
  3. The results of the analysis are returned to the user’s desktop causing the toolbar to flash:
    1. Green with a happy-face when the email is from a reputable sender
    2. Yellow for questionable trustworthiness
    3. Red when the user should probably just delete the message

The data used for analysis come from CipherTrust’s global network of more than 4,000 sensors installed in business and government networks.  They’re collected on TrustedSource servers where the trustworthiness of the source is assessed to a very granular level.  The assessment is based on the following criteria:

  1. Is this the first time the sender has been seen?  According to CipherTrust, about 30% of IP addresses analyzed fall into this category.  Of those, about 95% are spam, viruses, etc.
  2. How much email is the sender responsible for?
  3. Does the sender send and receive email, or just send?
  4. Does the sender’s behavior seem “bursty” or is it more continuous?
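The toolbar workflow and the four reputation questions above, worked through as an added example that is not CipherTrust's code: a toy reputation assessment over constructed sensor statistics for a few sender IPs, returning the green/yellow/red result the toolbar would show; all thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed example, not the TrustedSource engine. It models the four
# reputation questions from the post with hypothetical thresholds.

@dataclass
class SenderStats:
    ip: str
    first_seen: bool          # criterion 1: never observed by any sensor before
    messages_sent: int        # criterion 2: volume the sender is responsible for
    messages_received: int    # criterion 3: does it also receive mail?
    hourly_sends: list        # criterion 4: per-hour send counts over 24 hours

def burstiness(hourly):
    """Coefficient of variation of per-hour volume; a sender that is silent
    most hours and then blasts thousands of messages scores high."""
    avg = mean(hourly)
    return pstdev(hourly) / avg if avg else 0.0

def assess(stats):
    """Return (colour, reasons). Thresholds are assumptions for illustration."""
    reasons = []
    if stats.first_seen:
        reasons.append("first sighting")   # post: ~95% of these are abuse
    if stats.messages_received == 0 and stats.messages_sent > 0:
        reasons.append("send-only")
    if burstiness(stats.hourly_sends) > 1.5:
        reasons.append("bursty")
    if stats.messages_sent > 10000:
        reasons.append("high volume")
    if "first sighting" in reasons or len(reasons) >= 2:
        return "red", reasons              # delete it
    if reasons:
        return "yellow", reasons           # questionable
    return "green", reasons                # reputable sender

# Constructed sensor observations (documentation address ranges).
SAMPLES = {
    "192.0.2.10": SenderStats("192.0.2.10", False, 800, 600, [30] * 24),
    "192.0.2.55": SenderStats("192.0.2.55", False, 300, 0, [12] * 24),
    "198.51.100.7": SenderStats("198.51.100.7", False, 20000, 0, [0] * 22 + [9000, 11000]),
    "203.0.113.99": SenderStats("203.0.113.99", True, 50, 0, [0] * 23 + [50]),
}

def toolbar_colour(ip):
    """Steps 2-3 of the workflow: look up the sender IP, return the colour."""
    return assess(SAMPLES[ip])[0]
```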

This is one more step in the right direction.  Although not perfect, it goes quite a distance down the path toward a world in which the Internet is a safe place to travel the globe. 

Author:  Tom Olzak



A Practical Approach to Threat Modeling

Saturday, March 4th, 2006

Today’s security management efforts are based on risk management principles.  In other words, security resources are applied to vulnerabilities that pose the greatest risk to the business.  There are several processes for identifying and prioritizing risk.  One of the most effective is threat modeling.           

There has been much written about threat modeling.  But most of the papers and books come at the problem of threat and vulnerability management from an academic perspective.  The papers and articles that do take a business management approach typically cover one or two aspects of the process. 

This paper is a practical, high-level guide to conducting threat modeling activities within a business environment.  It begins by exploring why threat modeling is important.  This is followed by a step-by-step process, including some tools you might find helpful.    

Download the paper     

Download the Risk Calculation Tool   

Author:  Tom Olzak 


IP Surveillance

Monday, February 27th, 2006

When managers discuss physical security, it’s usually restricted to what types of locks to place on what doors.  This is a good start, but locks are only one component of effective physical security.  In fact, a lock is intended as one of many safeguards to delay an intruder until he is identified and intercepted by security guards or police officers.  Good physical security requires the combination of locks, barriers, and sensors.  But these safeguards must be supported by the capability for human assessment of alerts or alarms.  The quickest method for gaining visibility into sensitive areas is the use of cameras.

Until recently, CCTV (Closed Circuit Television) technology was the principal means of viewing physical assets.  Today, IP Surveillance systems are taking over and providing significant improvements.

In this article, I define IP Surveillance, explore how it works, and list the potential value it brings to your security efforts.   


Sorting through the Security-in-the-cloud Debate

Friday, February 24th, 2006

There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.