September 12th, 2009 by Tyler
I am currently enrolled in an upper division class on information systems security focusing on the CISSP examination. The class is part of a program certified by the National Security Agency and Department of Homeland Security as a Center of Academic Excellence in Information Assurance. Since cyber crime and electronic security are becoming such everyday topics – especially e-commerce related – I thought many of our readers might find it interesting to read some of my papers from the class.
The first assignment was to describe a security attack that I had experienced or been a part of. I describe a situation I was in as a small hosting provider who was defaced by a targeted attack against one of my clients.
The story goes back almost a year now (and is still being added to every day.) The story goes across 4 states and three nation’s borders. Until you’ve done a cyber investigation, you really have no idea how difficult situations like these can be – I sure didn’t have any grasp of it going in, but I have learned lots from the process.
Read the rest of this entry »
Posted in Security | 1 Comment
June 25th, 2009 by Tyler
Over the last several days, I have been traveling the eastern portion of the United States on vacation with 3 of my good friends. Along the way, I like to check my email and do random touchups on projects I have in progress. The one problem with this is that of all the friend’s relatives I have stayed with (totaling 5 so far), only one has had a wireless network that I could access.
So, how do I get on and check my email? I borrow a neighbor’s network. Of all 5 homes, I have been able to access an open wireless connection from 4 of their neighbors. While this is good for me, the average vacationer needing to check his email, it is a really bad sign for the security world.
Read the rest of this entry »
Posted in Security | 2 Comments
June 17th, 2009 by Tyler
I found this great article today in the SANS Internet Storm Center Reading Room and thought I would post a link to share with our readers.
PCI DSS and Incident Handling: What is required before, during and after an incident.
It can not be stressed enough how important it is to follow PCI-DSS when credit cards come even remotely close to touching your servers. It is a comprehensive standard and can be very expensive to comply with. The cost of a breach is almost always greater than the cost of compliance!
Posted in Security, Small Business | No Comments
May 30th, 2009 by Tyler
A few weeks ago, I wrote about getting ready to attend a security competition called CANVAS: Computer and Network Vulnerability and Assessment Simulation. I was among five students in the field of Advanced Networking and Information Assurance who participated from my University, Fort Hays State University. Here’s the lowdown on what we learned at the competition.
Lessons Learned
- Just how easy an SQL Injection can be
- SQL Injections can lead to much more serious problems
- Why attack a router/firewall when the systems behind it are not secure?
- Emergency Incident Response can be stressful, but very rewarding
- Team building among geeks in time-critical environments can be interesting
Read the rest of this entry »
Posted in Security, Small Business | No Comments
May 28th, 2009 by Tyler
To continue this week’s security focus, today we’re going to talk about how to securely delete sensitive data off of old hard drives. All businesses must make it a top priority to protect their customer’s private information because in many states, the data they store becomes their liability if mishandled. There is a proper way to sanitize hard drives that significantly reduces your liability if there is a policy in place to address data destruction and the company follows it to a T.
Read the rest of this entry »
Posted in Security | 1 Comment
May 27th, 2009 by Ben
There are hundreds of ways to make your site or network more secure. These can involve expensive hardware, complicated software, and a LOT of research and time to develop and implement. What’s a low-cost way to beef up your security? Complex passwords! This is a great way for a smaller company to step up a notch in security, and its an easy way for a larger company to add one more roadblock for those malicious “black hats.”
Read the rest of this entry »
Posted in Security, WebHostingBuzz | 2 Comments
May 22nd, 2009 by Tyler
I was at a brand new Taco Bell this afternoon with my girlfriend when I noticed an interesting problem: the new drink dispenser had four drinks per spout, with a button that selected the drink you wanted dispensed.
I’ve obviously been in a security mindset too much recently, as when I saw it, I immediately turned to my girlfriend and asked, “What happens when you press two buttons at once?”
If you are wondering what this has to do with IT or web hosting, here’s your answer: that same question is the first one that pops into the mind of someone trying to break into your systems.
Security Mindset
What happens when I do this? Does it break? If not, does it do something unintended? If so, can I make it break because of that unexpected outcome?
These are questions that need to be considered when you are designing software for the web. If you can look at a piece of software and see a possibility for unintended results, you should try to find a way to prevent those results from occurring.
All too often, unexpected input or output can cause serious damage to your systems. This is why data validation and verification is such an important tool for programmers to use wherever possible!
Did It Break?
Did the fountain dispenser break when I pushed two buttons at once? No, it actually did not dispense anything at all. But you can be sure I tried all combinations of buttons and even pressing three or all four at a time, just to see what would happen.
Whoever designed the system considered that some moron would try to press two or more at once and did a good job at preventing it from causing damage to the system!
Posted in Security | No Comments
May 20th, 2009 by Tyler
Here’s a short list of books which everyone interested in information security/assurance should read when they have time (all links go to Amazon’s listing of that book). Beyond Fear and the two that were written, in part, by Kevin Mitnick are good to read even for those who aren’t interested in IA as a career because of their valuable insight into the human elements of security. Organizations can benefit from knowing how a hacker thinks and ways they can use humans – the weakest element of security – to get what they want.
Read the rest of this entry »
Posted in Security | No Comments
April 9th, 2009 by Tyler
A very wise man, George Washington, once said ”If we don’t learn our history, we’re doomed to repeat it.” This quote is certainly true in the security industry, as you must always be watching and learning – adapting as situational changes occur all around us. It is essential to look at the mistakes of others and learn from them.
I would like to make clear that we are not interested in propagating rumors or beating this issue to death. There are very serious issues that arose here that can be used as a learning experience for all of us in the web industry and it is vital that these lessons be brought out.
It is fair to say that this situation has shown the ideal way not to handle a data breach incident. There have been numerous failures among many different individuals along the road, and some inexcusable negligence on the part of those involved. This should be used as a learning experience, guiding all of our incident response plans to better our reaction to these issues in the future. This example is exactly why we must always have these plans in place, refined, and practiced in case they are ever needed, as it is more a matter of when, not if, we will have to use them.
Read the rest of this entry »
Posted in Security | 6 Comments
