2010: SecureToday

by: Zarex dela Cruz, CISSP on Tuesday, January 19, 2010 1:53 PM

So one of the many challenges with our website/blog is finding the time to keep up with all the interesting articles and topics happening around the world. There are great topics that we have drafted but never got a chance to publish here. There are also experiences that we are dying to share here but never managed to get posted.

So there are always challenges and trials that we have to go through. Once we pass the first, another comes, and the cycle just goes on and on.

And although there are many obstacles, we still have the passion to keep pressing on, sharing and writing interesting security articles here on our blog. The old drafts that we have started will be rewritten and posted as we move forward. We still hope and believe it will help in one small way or another in your daily duty of securing today.

One thing we have started doing is redesigning the site with a different look and adding some features. It is the project team's way of doing something different for the new year. And yes, SecureToday is now on Twitter. Follow us at http://twitter.com/securetoday.

So in 2010 we look forward to providing you with more helpful, relevant and interesting articles on securing your own today! Cheers!

CISSP – Free trainings

by: Zarex dela Cruz, CISSP on Monday, July 13, 2009 4:04 PM

Studying to get your Certified Information Systems Security Professional (CISSP) certification from ISC2 is not a walk in the park. It requires many years of experience in the world of Information Security.

Its prerequisites include a minimum of five years of professional experience in the information security field, or four years plus a college degree. Alternatively, an advanced degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year of the five-year requirement. Then, after passing the 250-item exam in six hours and agreeing to the ISC2 Code of Ethics, you still have to be endorsed. Please visit the ISC2 website for more information.

I posted this because I want to share some useful links with you professionals out there who are thinking about or studying for the CISSP. SearchSecurity, with Shon Harris, goes over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10 free quizzes.

Domain 1: Security Management Practices
Domain 2: Access Control
Domain 3: Cryptography
Domain 4: Security Models and Architecture
Domain 5: Telecommunications and Networking
Domain 6: Application and System Development
Domain 7: Business Continuity & Disaster Recovery
Domain 8: Law, Investigations and Ethics
Domain 9: Physical Security
Domain 10: Operations Security

Good luck!

The Art of Steganography

by: Zarex dela Cruz, CISSP on Saturday, June 27, 2009 7:33 PM

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [Wikipedia].

A few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use of Cryptography to cover not only Confidentiality but also Integrity. I began to write about Public Key Infrastructure: the use of digital signatures to encrypt as well as to sign messages. While searching for an email from a friend, I came across an unsent email in my Drafts folder, an old email from more than four years ago titled Steganography. In the email were two images: one original and one stego file. I recall I planned to send it to my classmate for our Steganography research. So, a little less than five years later, here I am talking about the same “art”. Ah, the art and science of steganography.

Earlier this year, I attended a Product Advisory Council meeting held by McAfee. One of the future product integrations they are adding to their suite of security products is Data Leakage Protection, from the acquisition of Reconnex.

DLP, whether host- or network-based, addresses the detection of files that could be leaking out of the company from a confidentiality standpoint. One of the concerns I brought up was the detection of steganography. As you can see, even sophisticated technology can lack the ability to decrypt or guess the algorithm used in steganography.

It is not within the scope of this article to cover how steganography is performed or ways to accomplish it. Likewise, this article is not going to list the steganography tools available. Searching the Internet, you can probably find many articles about this, the tools available, and countermeasures.


CPTED – Physical Security

by: Zarex dela Cruz, CISSP on Sunday, May 10, 2009 4:49 PM

This month, I’d like to discuss a topic that is somewhat set aside when talking about security: Physical Security. We all know and agree that the physical aspect of security is as important as any other facet of security, be it technical, logical or administrative.

As security professionals, we should be very aware and concerned that the assets we protect, such as critical data and confidential information, through technology like firewalls, DLP, IDP and the like, can just as easily be compromised by someone stealing the physical server, damaged by natural or environmental calamities, or broken by infrastructure faults. So physical security must not be ignored; it should be incorporated in security policies and included in any security discussion.

Physical security must be implemented on the model of layered defense. The idea is that before an unauthorized entity can reach a valuable asset, it should have to go through layer upon layer of physical barriers. If one layer fails, the others still protect the asset. So layers of defense should move from the perimeter inward toward the asset.

I am a firm believer that security should not be a patched-on approach; rather, it should be part of the architecture. Similar to software applications, I believe one of the best ways to stay secure is to develop the program to be error- and flaw-free. That way, we don’t have to worry about patching it or fear being compromised through its vulnerabilities. Of course, it is not a perfect world, and that is why, as much as we can, security should begin at the very start of the design.

Physical security is not exempt. CPTED (Crime Prevention Through Environmental Design) is a discipline that structures the architectural design of a physical environment to reduce crime by directly affecting human behavior and activity. The CPTED concept has been around since the 1960s. It provides guidance on loss and crime prevention through the proper construction of buildings and the arrangement of environmental components.

Figure: CPTED elements (CPTED key concepts)

So the idea of CPTED is that, even before a facility is constructed, it addresses the landscaping, entrances, exits, neighborhood layouts, access roads and freeways, lighting, and traffic patterns. It also takes into consideration the placement of offices, the lobby, restrooms, the surrounding campus, and even the wider scope of the city. As you can imagine, before a facility is built, security is already taken into consideration. Proper landscaping should deter intruders, and a fence of the right height or correctly placed lighting should stop unauthorized people. Another good example is to design the building so that the data center sits at the center of the facility, so that the surrounding walls protect it from any damage coming from outside.


Proceed at your own RISK

by: Zarex dela Cruz, CISSP on Sunday, April 26, 2009 8:16 AM

RISK is a very common word. In the IT world it has become more and more used, not only within management but also among end users. Risk is a big deal when it comes to security. More often than not, it is tied to a value or, even worse, to reputation. That’s why when it comes to managing it, the most important thing everyone should adhere to is senior management awareness and approval.

Let’s dive into the meaning of the word risk in the IT security world. The simplest way of putting it is:

THREAT + VULNERABILITY = RISK

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact (All-in-One CISSP, Risk Management; Shon Harris). Before expanding on that meaning, let’s take a look at what threats and vulnerabilities are.

A threat, as we all know, is any potential danger. Threat agents are the medium that carries out the threat. So a threat agent is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to deface it or to cause a denial of service. In this case, I am the threat agent. My inappropriate actions are a threat to this website.

The site’s buggy code is subject to exposure, which is its instance of being exposed to losses from a threat agent.

A vulnerability is a weakness in the infrastructure, and a weakness is always represented by an absence or lack of ability to safeguard itself. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.

Safeguards were mentioned earlier. A safeguard is the countermeasure that must be in place to prevent and mitigate the potential risk. Mitigating risk comes in many flavors, which we’ll try to cover briefly later.

So in brief, the order of concepts for all of these is:

Threat > Exposure > Vulnerability > Countermeasure/Safeguard > Risk

RISK MANAGEMENT

Risk Management involves risk identification, risk analysis and assessment, and risk mitigation. This is the process where an identified group (most likely the Risk Management team) identifies the risks (threats and vulnerabilities), analyzes them, and mitigates them to an acceptable level. The goal is to implement countermeasures that reduce the risk to a level acceptable under the security policy.
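As an added example (not code from the post), here is the Threat > Vulnerability > Countermeasure > Risk chain modelled as a small risk register in Python, with the identify, analyze, mitigate loop stopping once the residual risk is at or below what the policy accepts. The 1..5 likelihood and impact scales, the reduction values of each safeguard and the acceptable threshold are assumptions, and the sample entries are constructed around the post's own buggy-website scenario.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    agent: str        # who or what carries out the threat (the threat agent)
    action: str       # the potential danger they represent
    likelihood: int   # 1 (rare) .. 5 (almost certain); 1..5 scales are assumed here

@dataclass
class Vulnerability:
    asset: str
    weakness: str     # the missing or inadequate safeguard
    impact: int       # 1 (negligible) .. 5 (severe) business impact if exploited

@dataclass
class Safeguard:
    name: str
    likelihood_reduction: int = 0   # likelihood levels this countermeasure removes
    impact_reduction: int = 0       # impact levels this countermeasure removes

def clamp(level):
    return max(1, min(5, level))

def risk_score(threat, vuln, safeguards=()):
    """THREAT + VULNERABILITY = RISK, scored as likelihood x impact (1..25)
    after the countermeasures actually in place are applied."""
    likelihood = clamp(threat.likelihood - sum(s.likelihood_reduction for s in safeguards))
    impact = clamp(vuln.impact - sum(s.impact_reduction for s in safeguards))
    return likelihood * impact

def risk_management(threat, vuln, candidates, acceptable):
    """Identify -> analyze -> mitigate: add countermeasures (strongest first) until the
    residual risk is at or below the accepted level. Returns (residual, names, accepted)."""
    chosen = []
    residual = risk_score(threat, vuln)
    for sg in sorted(candidates, key=lambda s: -(s.likelihood_reduction + s.impact_reduction)):
        if residual <= acceptable:
            break
        chosen.append(sg)
        residual = risk_score(threat, vuln, chosen)
    return residual, [s.name for s in chosen], residual <= acceptable

# Constructed sample mirroring the post's example: a poorly written public website.
WEB_THREAT = Threat("external attacker", "deface the site or cause denial of service", likelihood=4)
WEB_VULN = Vulnerability("public website", "buggy application code, no safeguard in place", impact=4)
CANDIDATES = [
    Safeguard("secure code review and fixes", likelihood_reduction=2),
    Safeguard("web application firewall", likelihood_reduction=1),
    Safeguard("tested backups and rapid restore", impact_reduction=2),
]
```

Calling risk_management(WEB_THREAT, WEB_VULN, CANDIDATES, acceptable=6) selects the code review and the backups and brings the score from the inherent 16 down to 4; with an empty candidate list the inherent risk stays and is reported as not accepted.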
