Experts: Computer Crime Down But Caution Still Needed

CSI/FBI Computer Crime and Security Survey, Richardson noted that the average loss per cybercrime incident in 2005 was about US$250,000. That compares to $500,000 in 2004 and more than $3 million in 2001

I guess Computer Crime has gone up comparing the beginning of the year to the end of the year but overall more people (especially companies) are taking security much more seriously.  And it is about time, but industry security still has a ways to go… home security has barely started.


e-Eye Digital Security Beats Internet System Security

e-Eye Digital Security hit a homerun in 2004 when they won the $6 Million dollar Defense Information System Agency’s I-ASSURE contract which will allow their robust e-Eye Retina Vulnerability Scanner to be used on DOD systems world wide.

The Retina Vulnerability Scanner will be used to measure compliance with Department of Defense (DoD) Computer Emergency Response Team (CERT) Information Assurance Vulnerability Management Notices.

The DOD used to use Internet System Security (ISS) vulnerability assessment tools exclusively for this task. However, on 30 September 2005 the ISS vulnerability tools will no longer be used by the Department of Defense.

This comes at a time of the “cover up” CiscoGate controversy which involved ISS. In July 2005, Michael Lynn, a former research analyst with Internet Security Systems, resigned from the company just before disclosing a major flaw in Cisco routers (many of which run critical infrastructure).

According to Lynn, Cisco and ISS allowed him to speak about the flaw at Black Hat but suddenly changed their minds at the last minute, attempting to shut Lynn up with legal action. Cisco and ISS were trying to protect their shareholders at the cost of all the customers, organizations and nations that depend on Cisco routers. From an ethical perspective, this was not a great way for an Internet security company to act.

It will be interesting to see if e-Eye Digital will be more ethical than ISS as it comes to power.  Something very evil tends to happen when large groups of people get together to gather large sums of money.

As stated above, after Friday, 30 Sept 05, the ISS scanner will no longer be available. You should be able to download the new e-Eye Retina Network Security Scanner from one of the DISA pages:

ISS/Retina Vulnerability Scanners (DOD):

e-Eye Retina Network Security Scanner(SCCVI)

http://iase.disa.mil/stigs/iss/index.html (gone 17 Oct Update)

http://iase.disa.mil/stigs/iss/retina.html (gone 17 Oct Update)


eEye Digital Security and DISA press release:

http://www.eeye.com/html/company/press/PR20040623.html


Official Word from DISA

Information Assurance Support Environment:

DISA IA Announcement: DISA will be converting from using Internet Security Scanner to the e-Eye Retina Network Security Scanner(SCCVI) effective 1 Aug 05 for all security reviews, compliance validations, certification efforts, etc. All open findings related to a penetration test conducted with the ISS tool will be archived (closed) as a Retina penetration test is conducted by DISA. The ISS findings are still valid open findings that need to be worked and closed by the site. However, sites are highly encouraged/recommended to perform a self-assessment using the Retina scanner, as soon as they receive the tool.

Information, online training, and Retina software can be obtained from the http://iase.disa.mil website.


eEye Digital Security

http://www.eeye.com/html/index.html

Retina Network Vulnerability Scanner:

http://www.eeye.com/html/products/retina/index.html


Resources

ISS is Shady

e-Eye Press release

Inside CiscoGate

Lynn’s Lawyer

Lynn Presents at the BlackHat

Cisco & ISS vs. Lynn

Good Password Tips and Password Management

These days a single computer user may have dozens of passwords. If you use computers at your job you may need to access secured databases, local workstations and numerous accounts online and each is supposed to have its own unique password. Though many people don't require a logon for their home PC, they will definitely have one for email or websites that they manage. Here is a guide to assist you in strengthening your passwords and password techniques.

After reading this article you will know the following:
-How to make good passwords
-Good password practices
-Techniques to manage all of your passwords

How to Make Good Passwords

Choose a password with the following criteria:
-At least 8 characters in length
-At least 1 number
-At least 1 special character
-Upper and lowercase.

Passwords with difficult combinations make it harder for tools like L0phtcrack, Brutus, John the Ripper, Cain and Abel and other password crackers to recover your password.

When creating a password, don't use personal information such as birthdays, children's names, or first and last names. Avoid using words or phrases that can be easily guessed or cracked with a “dictionary attack.” Do not use the same password on different systems. If you work in a classified environment, passwords should be treated at the same level of classification as the systems they protect.
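To make the criteria above concrete, here is an added example (not from the original post) that checks a candidate password against them and also flags password reuse across accounts. The common-word list is a constructed stand-in for a cracker's dictionary, and the personal-info items are assumptions; a simple leetspeak normalisation is included so that a password like `P@ssw0rd!` is still recognised as a dictionary word.

```python
import re
import string

# Constructed stand-in for a cracker's word list (assumption; a real list is far larger).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}

# Common character substitutions crackers already try: @->a, $->s, 0->o, 1->l, 3->e, !->i
LEET = str.maketrans("@$013!", "asolei")


def check_password(pw, personal_info=()):
    """Return a list of problems; an empty list means the guide's criteria are met."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper or lower case")
    low = pw.lower()
    # Personal information (names, birth years, ...) must not appear anywhere in the password.
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal info '{item}'")
    # Dictionary check on the raw letters and on the leet-normalised letters.
    candidates = {re.sub(r"[^a-z]", "", low), re.sub(r"[^a-z]", "", low.translate(LEET))}
    for word in sorted(COMMON_WORDS):
        if any(word in cand for cand in candidates):
            problems.append(f"resembles dictionary word '{word}'")
    return problems


def find_reuse(accounts):
    """Group account names that share one password (the guide: never reuse across systems)."""
    by_pw = {}
    for name, pw in accounts.items():
        by_pw.setdefault(pw, []).append(name)
    return [sorted(names) for names in by_pw.values() if len(names) > 1]


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("password", "P@ssw0rd!", "Sarah1990!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, personal_info=["Sarah", "1990"]) or "OK")
    print(find_reuse({"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "forum": "Zx9!qwerT"}))
```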

Good password practices

Never share your password with ANYONE including your Administrators, Help Desk personnel or System Administrators. IT professionals at your job or Internet Service Provider (ISP) will not normally ask you for your password. If they do need it then you should give it to them in person and ensure you change it as soon as they are done with their task. A common “Social Engineering” tactic used by malicious hackers consists of calling up unsuspecting users and pretending to be from the computer support staff. Another tactic is to have trusting users email the password or type it into what looks like a legitimate site; this is known as “phishing.”

Be aware of your surroundings when you are typing your password. Watch for “shoulder surfing,” or people watching what you type as you are entering your password. If you use the web to access critical information (such as online banking or medical information), ensure that the site uses some type of secure encryption. You will know this if the site's URL begins with “https.” SSL and Secure HTTP are sometimes indicated by a tiny lock in a corner of the page. If there is no encryption, it may be possible for unauthorized users to view and/or capture the data you enter with a “sniffer” and later access the account. A sniffer is a tool that captures all “clear text,” or unencrypted, data. SSL and Secure HTTP encrypt data so that it looks like gibberish to tools like sniffers.

Techniques to manage all of your passwords

It is best to memorize your passwords; however, if you have literally scores of passwords from work, home, online business ventures and the bank and you do not have a photographic memory, you may want to write them down and put the list in your wallet. This simple and practical step is what the author of Beyond Fear, and system security phenomenon, Bruce Schneier, recommends, as does Senior Program Manager for Security Policy at Microsoft, Jesper Johansson.

Using Password Management applications such as Password Safe, a free Microsoft application for storing passwords, and Password Vault (also free) can help you to effectively manage your passwords.

Another management technique is to allow Windows (and other operating systems) to automatically fill in the data. This is great for trusted SECURE environments such as home systems in which you do not need to hide any account information from anyone, but not such a good idea for the work environment. It should also be noted that systems without a high level of Internet security (protected with firewalls, updated patches, NAT enabled, etc.) should not use the auto-fill features, as the passwords are many times stored on the system in clear text, making it easy for malicious code such as spyware, trojans and worms to steal your passwords and account information.

The greatest thing you can do to protect your password is to be aware that at every moment someone somewhere would love to access some or all of your accounts. It is not always cyber criminals looking for your banking information; sometimes it is just curious people who happen upon your username and password. It may even be someone you know. Be aware.


Other ways to protect your passwords:

.htaccess

PasswordSafe

Online Password Generators:

http://www.winguides.com/security/password.php

http://www.goodpassword.com/


ISO 27001: Information Security Management

WHAT IS ISO 27001?

The ISO 27001 is the replacement for BS7799. It supplements the ISO 17799.

BS7799 states the requirements for an Information Security Management System. It is a framework for the management of information security, within which the controls described in ISO 17799 may be selected.

Management standards such as ISO 9001 are aligned with the new 27001 and the PDCA model (Plan-Do-Check-Act), as is 17799, which will eventually be renumbered to 27002.

More on the 27002: http://www.standards-online.net/InformationSecurityStandard.htm

More on 17799: http://www.17799.com

http://17799-news.the-hamster.com

More on 27001: http://www.27001-online.com
