Secure Enclave

Twenty Critical Security Controls for Effective Cyber Defense

sfrost7lds — Tue, 20 Oct 2009 00:26:41 +0000

Earlier this year, a powerful consortium of security experts was “brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the consortium included NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.” Through their united and focused efforts twenty critical security controls were identified as being effective “in blocking currently known high-priority attacks, as well as those attack types expected in the near future.”

“The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and finding the ones that get through. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far reaching impact.”

“The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 80% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.”

Source: http://www.sans.org/critical-security-controls/

Security News

sfrost7lds — Tue, 13 Oct 2009 20:42:58 +0000

“In an effort to promote the ‘general health of the Web,’ Google will send Webmasters snippets of malicious code in the hopes of getting infected Web sites cleaned up faster. The new information will appear as part of Google’s Webmaster Tools, a suite of tools that provide data about a Web site, such as site visits. ‘We understand the frustration of Webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged,’ wrote Lucas Ballard on Google’s online security blog. To Webmasters who are registered with Google, the company will send them an email notifying them of suspicious content along with a list of the affected pages. They’ll also be able to see part of the malicious code.”

See the entire article here.

Top Security Resource Websites

sfrost7lds — Tue, 13 Oct 2009 20:41:27 +0000

Here are my top security resource websites that I regularly visit

**Top Security Resource Web Sites (In no particular order)**
Web Site Address	Purpose or Significance
www.sans.org	The best security training, white papers, etc.
www.slashdot.org	Not strictly a security site – but they are often the first ones to find news about security incidents
cisecurity.org	Check out the latest CIS Benchmarks
www.isecom.org	The Institute for Security and Open Methodologies
www.owasp.org	The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
www.governmentsecurity.org	One of the largest security forums on the net
www.infosyssec.org	The SecurityNewsPortal is a non-profit educational resource dedicated to providing the most comprehensive gathering of the latest news on security, viruses, trojans, hackers, hackings and other things of interest to security professionals.
www.privacyrights.org	A chronology of data breaches – pretty scary stuff!
http://csrc.nist.gov/	NIST’s Computer Security Research Center

Smart Passwords – Rules to create them!

sfrost7lds — Tue, 13 Oct 2009 20:15:49 +0000

I ran across the following article from google that provides some pretty solid advice on how to create “smart passwords” when logging into sites. I particularly liked using distinctly separate passwords for banks and other sensitive web sites versus standard web sites (#1). The third paragraph in Solution 5 was also very clever – instead of answering a challenge question with the standard spelling (say your birth city), tweak the name slightly – R3no versus Reno.

Choosing a smart password

Tuesday, October 06, 2009 6:58 PM

Posted by Michael Santerre, Consumer Operations Associate

As part of National Cyber Security Awareness Month, we’d like to take this opportunity to remind you about smart password practices. Help ensure you’re protecting your computer, website, and personal information by checking out our security series on the Google blog or visiting http://www.staysafeonline.org.

Phishing, a topic that’s been in the news, is unfortunately a common way for hackers to trick you into sharing personal information like your account password. If you suspect you’ve been a victim of a phishing attack, we recommend you immediately change your password, update the security question and secondary address on your account, and make sure you’re using a modern browser with anti-phishing protection turned on. Keep an eye out for the phishing warning Gmail adds to suspicious messages, and be sure to review these tips on how to avoid getting hooked.

Creating a new password is often one of the first recommendations you hear when trouble occurs. Even a great password can’t keep you from being scammed, but setting one that’s memorable for you and that’s hard for others to guess is a smart security practice since weak passwords can be easily guessed. Below are a few common problems we’ve seen in the past and suggestions for making your passwords stronger.

Problem 1: Re-using passwords across websites
With a constantly growing list of services that require a password (email, online banking, social networking, and shopping websites — just to name a few), it’s no wonder that many people simply use the same password across a variety of accounts. This is risky: if someone figures out your password for one service, that person could potentially gain access to your private email, address information, and even your money.

Solution 1: Use unique passwords
It’s a good idea to use unique passwords for your accounts, expecially important accounts like email and online banking. When you create a password for a site, you might think of a phrase you associate with the site and use an abbreviation or variation of that phrase as your password — just don’t use the actual words of the site. If it’s a long phrase, you can take the first letter of each word. To make this word or phrase more secure, try making some letters uppercase, and swap out some letters with numbers or symbols. As an example, the phrase for your banking website could be “How much money do I have?” and the password could be “#m$d1H4ve?” (Note: since we’re using them here, please don’t adopt any of the example passwords in this post for yourself.)

Problem 2: Using common passwords or words found in the dictionary
Common passwords include simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234.” Using a simple password or any word you can find in the dictionary makes it easier for a would-be hijacker to gain access to your personal information.

Solution 2: Use a password with a mix of letters, numbers, and symbols
There are only 26^8 possible permutations for an 8-character password that uses just lowercase letters, while there are 94^8 possible permutations for an 8-character password that uses a combination of mixed-case letters, numbers, and symbols. That’s over 6 quadrillion more possible variations for a mixed password, which makes it that much harder for anyone to guess or crack.

Problem 3: Using passwords based on personal data
We all share information about ourselves with our friends and coworkers. The names of your spouse, children, or pets aren’t usually all that secret, so it doesn’t make sense to use them as your passwords. You should also stay away from birth dates, phone numbers, or addresses.

Solution 3: Create a password that’s hard for others to guess
Choose a combination of letters, numbers, or symbols to create a unique password that’s unrelated to your personal information. Or, select a random word or phrase, and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as “sPo0kyh@ll0w3En”).

Problem 4: Writing down your password and storing it in an unsecured place
Some of us have enough online accounts that we may need to write our passwords down somewhere, at least until we’ve learned them well.

Solution 4: Keep your password reminders in a secret place that isn’t easily visible
Don’t leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account. Also, if you decide to save your passwords in a file on your computer, create a unique name for the file so people don’t know what’s inside. Avoid naming the file “my passwords” or something else obvious.

Problem 5: Recalling your password
When choosing smart passwords like these, it can often be more difficult to remember your password when you try to sign in to a site you haven’t visited in a while. To get around this problem, many websites will offer you the option to either send a password-reset link to your email address or answer a security question.

Solution 5: Make sure your password recovery options are up-to-date and secure
You should always make sure you have an up-to-date email address on file for each account you have, so that if you need to send a password reset email it goes to the right place.

Many websites will ask you to choose a question to verify your identity if you ever forget your password. If you’re able to create your own question, try to come up with a question that has an answer only you would know. The answer shouldn’t be something that someone can guess by scanning information you’ve posted online in social networking profiles, blogs, and other places.

If you’re asked to choose a question from a list of options, such as the city where you were born, you should be aware that these questions are likely to be less secure. Try to find a way to make your answer unique — you can do this by using some of the tips above, or by creating a convention where you always add a symbol after the 2nd character in the answer (e.g. in@dianapolis) — so that even if someone guesses the answer, they won’t know how to enter it properly.

Here’s the full article:

http://gmailblog.blogspot.com/2009/10/choosing-smart-password.html

SecureEnclave’s staff are now members of OWASP

sfrost7lds — Tue, 13 Oct 2009 19:53:02 +0000

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.