
Church File Security

August 25, 2008

Whether the organization is government, corporate or faith-based, file security is important.

No matter the denomination, church file security is especially important because it deals not only with money and privacy but with the sanctity of the church community. Member, guest and family information must be protected just as much as that of the preacher, reverend, deacons, bishops, nuns and/or administrators.

Coordination of church file security:
It is important to first identify what the church's sensitive data is. You may have in your mind which files are or aren't important to protect for the church, but you may not have the authority or prerogative to make such an important determination. Even if you do, it is important to get ideas from the staff and/or clergy about which files should be protected and what level of protection should be considered. An interview or meeting with the information owners is the first step.

Access to the church files:
Anyone with access to the church files should sign a user license agreement. This is a standard for security no matter what organization you enter. It makes sure that those who are trusted with access understand what they can and cannot do when entering the system. Items in a basic user license agreement include: what can be copied and/or installed on the system, what can and cannot be done while accessing church files, and whether or not church files are monitored for heightened security. User license agreements are usually used when multiple people have access to a medium to large network with critical resources (i.e. privacy data, financial information, sensitive data). They are also used for software, website/forum and database access.

You can find examples of a user license agreement on the Internet.

What Church Files to Protect:
Files in a church community may include mission, member, drive, donation and service information that needs to be protected. Any files dealing with money should always be protected. Personal files of church members should be protected, as should databases with potentially sensitive information. Even if the church has NO sensitive information, the files that allow any access from the Internet (such as web pages or FTP files and folders) should be protected with various levels of security, including: username and password (don't EVER use anonymous for FTP), mandatory user registration, and file permission lock down.

The reason this is important even for churches with no sensitive information is that some malicious hackers like to use other organizations' resources to upload viruses, spam, scams and pornography.

Regulations to consider:
The Privacy Act of 1974 makes it mandatory to protect the personal information of all individuals:

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, [...]

The Health Insurance Portability and Accountability Act (HIPAA) is another important law to consider when addressing church file security. Among other things, HIPAA deals with the protection of people's medical and health history.

File Permission:
Files that are sensitive for a church should have permissions assigned to them that allow only authorized users (system administrators, missionaries, clergy, secretaries) access. This is one part of access control. Most operating systems have this capability. Don't forget that not only computers need to be protected: routers, switches and databases also need adequate security.
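One way to do the file permission lock down that this section and the "What Church Files to Protect" section call for, as an added example (not from the original post): a POSIX shell audit that lists sensitive files readable by everyone on the system, then restricts them to the owner and one authorized group. The directory layout and the group name are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a directory of church
# records (donation spreadsheets, member databases) for files that any user
# on the machine can read, then locks them down to owner + one group.

# Print every regular file under $1 that is readable by "other"
# (octal 004 = the world-readable bit). Empty output means nothing is exposed.
audit_world_readable() {
    find "$1" -type f -perm -004
}

# Restrict every world-readable file under $1 to mode 640 (owner read/write,
# group read, nobody else) and every directory to 750, optionally handing
# group ownership to $2 (e.g. an "office" or "clergy" group; assumed names).
# Prints the number of files that were changed.
lock_down() {
    dir=$1
    group=$2
    # Count the exposed files before touching them so the caller can log it.
    count=$(find "$dir" -type f -perm -004 | wc -l | tr -d ' ')
    find "$dir" -type f -perm -004 -exec chmod 640 {} +
    find "$dir" -type d -exec chmod 750 {} +
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir"
    fi
    echo "$count"
}

# Usage (assumed path): audit_world_readable /srv/church/records
#                       lock_down /srv/church/records office
```

Run the audit again after the lock down; an empty result is the check that nothing under the records directory is still world-readable.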


Phlash Dance: phlashing

June 9, 2008

Phlashing allows you to damage hardware over the Internet. This is something new and consists of flashing, as in changing the firmware, or computer code, in chips on your motherboard, controller cards or other hardware. Since more modern systems allow flashing firmware over a network for quick updates, this is now an exploitable vulnerability. Previously, you had to "flash" those computer chips from the machine that contained them.

There are security features in hardware to prevent this kind of vandalism, but unfortunately some flaws enable hackers to flash destructively. Phlashing code has already been developed by security researchers and hackers. Phlashing attacks are not easy and will likely not be common; however, it's a possible glimpse of the coming storm of weapons of cyber destruction.

“Phlashing” attacks could render network hardware useless
Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing." (more at Ars Technica)


How I got into Security

June 13, 2007

Martin McKeay over at the Network Security Blog asks "How did you get into Security?"  That is a good question.  It's something that I've been asked and something I like to ask others in the business.

Up until recently, I've done security my entire adult life very reluctantly.  I started off in the military as Security Policemen (now called security forces).  I was a security specialist and was groomed into law enforcement.  The description sounded like special forces.  And even though security forces do some pretty cool stuff, it's NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy Seals and Delta Force do.  Instead it's like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security.  I later "cross trained" into communications expecting to do some hardcore technical stuff.  And I did, but while I wanted routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC), a little of everything.  My experience in the military made it easier for me to pass the CISSP, which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 


Standard Desktop Configuration (SDC) everywhere

May 22, 2007

For the last year I’ve been working on the DoD’s SDC implementation.  Standardizing ALL common use desktops is a very good idea for security.  But the problem I have with it, is that they are forcing SDC on mission systems as well.  They allow extension for some systems. 

This is a problem because mission systems are NOT standard.  Each mission system is different, with different requirements.  Also, common desktops are in giant homogeneous networks that can keep up with the changes in SDC with relative ease with applications like SMS.  Mission systems are often controlled by a different entity than the host, so they must be updated manually.

So bottom line: SDC - great for desktops, VERY bad for many mission systems. 

Now SDC will be pushed to ALL government systems.


Prevent Computer Viruses

December 26, 2006

In the last three years or so I haven’t had a single computer virus on my main system unless I put it there on purpose.  I use a very simple method to prevent computer viruses and malware from ever getting on my system. 

Check it out here: http://elamb.org/hacked/how-to-prevent-computer-virus.htm


Information Security Gurus: Say Goodbye Mr. Network Geek

September 15, 2006

“Information Security workers have found themselves caught up in this wave of change. Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining”

The "wave of change" keeps me employed, but I must agree with Karn at Security-Guru.blogspot. There are a lot of times when I'm just playing "whack-a-mole" with security problems. The root of the problem needs to be taken care of.

There is a movement toward more proactive security instead of the old, losing reactive security:

- At Defcon, Rick Wesson of Support Intelligence, LLC introduced a method of tracking botnets and blacklisting malware servers globally and in real time.
- Microsoft is heading up a proactive security project called Strider HoneyMonkey Exploit Detector. It is a kind of active honeypot that follows the links of malicious sites to find new exploits.


What is a Hacker?

September 14, 2006

“A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
The above is a quote from crypto living legend Bruce Schneier's book, Beyond Fear.  This is exactly how I feel about hacking.  Hacking is a major asset to Information System Security… in fact it is THEE only real asset.  I've had arguments with some of my peers about this.  Information Security Pro vs. Hacker.  If the typical information system security pro doesn't get smart on hacking (security/programming) techniques, security will continue to be a losing battle.  Cyber criminals have no problem learning the latest exploits; they have no boundaries, and this gives them a "superpower" against security professionals.  Some information security professionals, on the other hand, restrict themselves by categorizing hacking as bad.  They see it as unethical and not responsible.

It is unethical and not responsible to NOT know hacking techniques that might exploit a customer's system.

Thanks for the post, Bruce.  I hope you will make another appearance at Defcon.

Security Forums Directory

July 21, 2006

Easily locate forums and newsgroups related to security. Why isn’t elamb.org on there? Oh, well.


Former Pentester of FBI, hacks the FBI

July 6, 2006

This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture's security failures.  In this case, a contracting consultant conducted a penetration test without getting formal approval.  He exploited the FBI's vulnerabilities to gain elevated privileges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems.  His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.  According to Colon, the FBI field office in Springfield, Ill., to which he was attached, gave him approval.

However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly.  The bureaucracies that might allow pentesting must be respected at all costs.  The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.

Delete Search Results: Cover your tracks

May 31, 2006

Ever search for something questionable on someone else's system and go into a hyperventilating panic when you notice that their computer is retaining the keywords you typed into their search engine?

You typed in "boobies" on your mom's computer and now the word pops up every time you type a "B"!!

Perhaps it was your spouse's system and you were searching for evidence of pornography.

Maybe it was your kid's computer and you want to make sure they are o.k. mentally.

Maybe your Internet connection has been down for a while and you've had to use your friend's system or a public system.

Whatever the case may be, it is none of my business.  And you don't want it to be the business of the others who will use the system after you.

Here are two simple techniques to get rid of those bad keywords.

For Windows XP "Recently Opened Documents":

To delete "My Recent Documents":

Right-click on the "Start" button

Select "Properties"

On the Start Menu tab, select "Customize"

Select the "Advanced" tab

Select the "Clear List" button at the bottom.  Don't worry, it will NOT delete the files.  (Deselect the checkbox if you don't want the system to track previously opened files.)

For Windows XP, Internet Explorer:

In IE, select "Tools"

Go to "Internet Options" at the bottom of the Tools list

Under Temporary Internet Files, select "Delete Cookies" and "Delete Files"

To delete the history of the websites you searched, select "Clear History"
