Recently, I discovered Fortinet FortiClient 4.0 Standard is free even for commercial use. It contains personal firewall, antivirus/antispyware scanning, Intrusion Prevention and web filtering.
It is not a trial software. It does not have an expiry date. It has ICSA and VB100 certifications. It can run on Server platform. The most important, it is free.
All three methods successfully override the controls.
Use an anonymous proxy server on the Internet - Joker launched a search at Google for "Anonymous Proxy". The first ten hits are all usable anonymous proxy services. Some of them are free of charge while some of them are paid service. Joker selected a paid service at USD 9.95 per month and found the service can successfully by pass the URL filtering software. The service use a SSL encrypted tunnel between Joker’s computer and the proxy server. He can access Facebook with the service, while Facebook is being blocked without the service.
With the service, actually the proxy can serve both web browsing and IM communication. Because of the SSL encryption, the (2) control cannot archive the IM conversations.
This proofs that using an anonymous proxy can easily bypass these two controls.
Build and use a SSLVPN gateway at home - Joker installed a Fortigate 60B appliance at home. The list price of the appliance is USD 995. Joker then configured the appliance to have dynamic DNS and SSLVPN features. Afterwards, he created a bookmark for Facebook. This is basically a HTTP redirect technique.
After that, every time Jokers would like to access Facebook from Fictional Enterprise, he login to his SSLVPN using dynamic DNS and click on the bookmark. However, this seems not supporting HTTP redirect for IM conversations.
Build and use remote access technology at home - Joker tried two remote access techniques.
The first one is easier to setup – he prepared a desktop computer running Windows XP Professional. The desktop computer enabled Remote Desktop and allowed Joker to connect from FE network. The browser and IM program are basically running from this desktop computer, hence bypassed all URL filtering and IM archive. The drawback is that the whole desktop is transmitted to Joker’s computer at FE network, switching between desktops is somehow not very convenience.
The second one is more difficult to setup – he prepared a computer running Windows Server 2008. He then activated Terminal Service with RemoteApp support. Afterwards, Joker defined Internet Explorer and MSN Messenger as RemoteApp applications and created shortcuts for them. This is more difficult to setup, but easier to use. This is because only the application window is bringing to Joker’s computer at FE network. Now, Joker can use the browser and IM application running remotely, at the same time seamlessly integrated to the desktop at FE network.
This proofs that using remote access technology can also easily bypass these two controls.
Controls should come after Control Objectives
Joker tried all methods to override controls. However, he is not violating any policy. This is because Fictional Enterprise does not have a good way to develop and announce policy. The implemented controls do not have control objective.
Information security policies are the documented control objectives that form the foundation of IT governance. It seems that Fictional Enterprise still a long way to go, instead of a paper-compliant company.
On July 17, McAfee held a security conference at the Sydney Convention Centre. The event was well attended by about 800 guests. But in e-mail a week later thanking people for attending, McAfee added a spreadsheet containing names, numbers, e-mail addresses, employment details and even dietary requirements of 1408 people.
Reference link from media:
http://www.cw.com.hk/content/security-vendor-mcafee-spills-1400-customer-names
From Wikipedia, Defense in depth has the definition of “multiple layers of defense are placed throughout an Information Technology (IT) system”. In short, that means multiple protection strategy to protect an information asset or an infrastructure component.
Have you ever think of the security features of your wireless router? Usually a wireless router supports at lease the following
Did you implement all of them? Or you just implemented some of them? This article aimed to tell the readers why they need a mix of these security features to form a defense in depth protection strategy.
Most wireless network nowadays only implemented encryption between router and endpoint device. Some of them may even using weak encryption (WEP). The author does not aimed to tell why WEP should not be used, because there are many good articles for the purpose. One of them is from Wikipedia. Even wireless network implemented strong encryption like WPA2, the network should not solely rely on encryption. Additional ACL should also be implemented.
For example, a company would like to limit wireless network usage to its owned laptops only and secure the transport layer. The company implemented WPA2 in the wireless network in one of their local offices without additional ACL. The IT Manager distributes laptop computers for the staff members. The laptops are preconfigured with the WPA2 pre-share key. With tools like WirelessKeyView, it is too easy to view or clone the pre-share key. After copying the key to another device (like a Wi-Fi enabled phone), additional device is now allowed to access the wireless network.
For this simple scenario, it can demonstrate the need for defense in depth. Applying encryption alone can prevent data leakage; however it is not a protection scheme for access control. So in order to achieve the original security requirements – limit wireless network usage to its owned laptops, applying encryption alone cannot fit the requirement. In this situation, adding ACL (in terms of MAC filtering) can help achieving the access control requirement.
So, the first thing in security is to define the objectives. Afterwards, selecting applicable controls and implementation to achieve the goals. Finally, having reviews to see if the controls can really meet the defined control objectives.
Know the problem
Many people have wrong perceptions on the issues. Examples of these perceptions includes
The fundamental of software cycle is that software always contains programmatic errors, referred as bugs. Traditionally, these bugs may be just programmed not according to the initial software specifications. However, nowadays, the issues of bugs may become more complicated. The problems may involve insecure coding methods that lead to memory leakage or privilege escalation.
No software is perfect without any issues. Software vendors pay efforts to fix the discovered problems.
Understand the current situation – Scanning, Assessment and Trending
Does it mean I just apply all the software patches and the problem is solved? Not exactly. The author suggests a vulnerability assessment with an experienced security consultant. This assessment process involved vulnerability initial scans and trend analysis. The security consultant should provide a trend report and suggestion on how to develop a vulnerability management strategy. Vulnerability situation of a specific part of the enterprise can be better that that of the others. For example, the server farm contains less vulnerability. This is quite typical as the server farm may be administrated from different group of people, and the hardening procedures of production server may be different from other machines in the enterprise.
Develop vulnerability management strategy
Vulnerability management strategy is important for enterprise of all sizes. If a specific part of the infrastructure components do not contain any customized software (for example, an email server running Microsoft Exchange 2007 and Microsoft Windows Server 2003), the vulnerability strategy will be quite different from the infrastructure components running an in-house developed CRM application. It is essential to have security professionals to review and assess the vulnerability management strategy. This makes sure the strategy is practical and met the industrial baseline requirements.
Implement the vulnerability management strategy
Once the vulnerability management strategy is defined and confirmed, it comes to the implementation. Tools helping implementation of the strategy is equally important as the strategy itself. Tools may include vulnerability scanner, patch management software, patch testing software, etc. These tools can automate the vulnerability management strategy and hence improve the overall security situation of the enterprise.
Continued reassessment
Regular reassessment of the strategy is crucial. The review should include strategy execution review, enterprise-wide vulnerability trend analysis and the strategy itself. The author recommends the strategy should be reviewed every year by an information security professional.
To sum up, the following are typical security ingredients:
The author hopes this article reminds the system analysts that they should include these considerations into their requirements engineering process, making resulting application more secure and hence making the world more secure.
View William Lee's profile