Secure Today

Studying to get your Certified Information System Security (CISSP) from ISC2 is not a walk in the park. It requires that you have many years of experience in the world of Information Security.

It’s prerequisites includes a possession of minimum five years of professional experience in the information security field or four years plus a college degree. Or, an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement. Then after passing the 250-item exam in six hours and complying with ISC2 Code of Ethics, you still have to be Endorsed. Please visit ISC2 website for more information.

I posted this because I want to share some useful links for you professionals out there, who are thinking or studying for CISSP. SearchSecurity with Shon Harris go over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10-free quizzes.

Domain 1: Security Management Practices
Domain 2: Access Control
Domain 3: Cryptography
Domain 4: Security Models and Architecture
Domain 5: Telecommunications and Networking
Domain 6: Application and System Development
Domain 7: Business Continuity & Disaster Recovery
Domain 8: Law, Investigations and Ethics
Domain 9: Physical Security
Domain 10: Operations Security

Good luck!

RISK is a very common word. In the IT World, it had been becoming more and more used not only within the management realms but also going down the end-users. Risk is a big deal when it comes to Security. More often, it is tied with a value or even worse, reputation. That’s why when it comes to managing it, the most important aspect everyone should adhere to is senior management awareness and approval.

Let’s dive into the meaning of the word risk in IT Security world. The simplest way of putting it is:

THREAT + VULNERABILITY = RISK

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. (All-in-One CISSP, Risk Management; Shon Harris). Before expanding that meaning, let’s take a look at what threats and vulnerabilities are.

A threat, as we all know, is any potential danger. Threat agents are the medium that carry out the threat. So a threat is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to defaced it or to cause denial of service. In this case, I am a threat agent. My inappropriate actions are threat to this website.

The site’s buggy code is subject to exposure, which is its instance of being exposed to losses from a threat agent.

A vulnerability is a weakness in the infrastructure. And weakness is always represented by an absence or lack of ability to safeguard itself. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.

Safeguard was mentioned earlier. This is the countermeasure that must be in place to prevent and mitigate the potential risk. Mitigating risk comes in many flavors, which we’ll try to cover them in brief details later.

So in brief, the order of concepts for all of these is:

Threat > Exposure > Vulnerability > Countermeasure/Safeguard > Risk

RISK MANAGEMENT

Risk Management involves: Risk Identification, Risk Analysis and Assessments, and Risk Mitigation. This is the process where identified group (most likely the Risk Management team) identify the risk (threats and vulnerabilities), analyze, and mitigate it to an acceptable level. The goal is to implement countermeasures to reduce the risk at a level that is acceptable to the security policy.

Read the rest of this entry »

A follow up on my previous entry about Phishing, here comes another threat on the Net – Pharming. As discussed earlier, phishers bait potential users with genuine looking email to convince victims by taking action to expose critical or personal information. A typical example is an email requesting you to update your password or provide your bank account information. Or asking you to click on the link to update your data. Be aware that banks do not email their customers asking them to change their password or provide their PIN or confidential data. They have better and more secure communication channels to acquire those.

But here comes the joy, or the trouble in this case. Pharming attacks usually do not require convincing emails. It is also more wide-coverage than phishing. While phishing trick victims using a genuine looking emails or links, pharming goes deeper underground in planting a seed for its farm err, pharm?

Pharming cultivation

The technique used in Pharming is not new. In fact it had been around for long. The difference, however, is the intention. They want your identity or data. Pharming takes advantage of hacking DNS (Domain Name Server) such as cache poisoning, spoofing, and hijacking. Let’s see how this works.

How Pharming Works

1. An attacker exploits vulnerabilities of a DNS. Using crafted responses or take advantage of a vulnerability, an attacker can poisoned the DNS cache and can change valid entries. Internally, a disgruntled engineer can even manipulate the host lookup on these servers. Externally, attackers can take advantage of the operating systems vulnerabilities.
2. A user wants to go to a website securetoday.net and enter in the browser.
3. The user’s computer queries the DNS to resolve the site. Now, DNS being poisoned resolved the site to the nefarious fake website and redirected to securetodat.net.
4. User unaware of what happened thinks he is on the correct website.

Of course, the fake website has to be designed as close as possible to convince the victims that they are on the correct website. On the website, they can ask the user to login, provide confidential information, and more.
Read the rest of this entry »

Phishing comes from the analogy that Internet scammers are using e-mails lures to fish for passwords and financial data from the sea of Internet users”. And the term phishing was derived since hackers have a tenancy to replace “f” with “ph”.

In internet world phishing attempt originates when – a malicious user forges a website pretending your trusted site, for stealing personal information (user name/password/sensitive information). Those of us who blindly trust “emails from unknown sources” or “receive unknown links in IMs” becomes easy prey to such fraudulent attempts of identity theft. Motive behind such attempts are mainly for financial benefit, make easy money, access sensitive information, wide-spread marketing, causing damage etc. Any internet user can be at risk of being phished, having an Instant message-id or email address. Yes, this is one of the fastest growing problems within internet which creates billions of dollars of damage every year.

ISP plays an important role in protecting its users from phishing attempts. Also available in market are anti-phishing tools, browser add-ons protecting from phishing, etc. But the main responsibility lies with users education for  “safe clicking” practice.

PHISHING is a social engineering technique, which means to trick someone into believing something but different to what it really means, with a full purpose of obtaining personal information, credit card information and credentials.

The word phishing has been around since 1996. It was originally coined by hackers who started stealing AOL passwords by posing as a staff member and sending email messages to victims asking them their account information to verify their billing information and other information about their AOL accounts. The attacker lure, or fish the victims. This is when the word phishing began.

Although this social engineering technique had been around since the ’90’s it did not hit its popularity until the mid-2003. Phishing attackers, also called phishers creates very convincing emails requesting victims to click on links to update their account information. These emails and the redirecting website looks very closely similar to the actual website. Too convincing enough, a typical user would not spot the differences.

Some of the few tricks that these phishers would manipulate is to ask you to click on the link inside the email with a link almost the same as the actual website. For example, if you have an account with Bank of Alaska and their website is bankofalaska.com, they would create a site something like backofalaska.com. Or they would place @ symbol like bankofalaska.com@oursite.com. Before the @ sign would be the username following the http protocol. The actual website is oursite.com, which is a bad site. Depending on the way the site is written, the username can be ignored if it is not required.

Read the rest of this entry »