July 5, 2012

10 Steps to Prepare Your Data Center for the Zombie Apocalypse

Is your data center ready for the coming zombie apocalypse? Data center designers generally do a good job preparing for conventional risks, like earthquakes, fires, floods and hurricanes, but if your disaster recovery plan doesn’t include provisions for dealing with the undead, your risk mitigation strategy has a gaping hole. Data centers are a natural refuge from zombie hordes, but only if you prepare in advance.

Unlike conventional disaster recovery (DR)/business continuity planning (BCP), zombie preparedness has a unique set of goals beyond data protection and business resumption. RPO/RTO goals go out the window when there’s a geek chewing on your skull. I generally recommend hiring a zombie specialist to develop your zombie survival plan (ZSP) but there are steps you can take on your own.

Start with establishing the goals for your ZSP. For most organizations, ZSP goals will fall into five categories:

  1. Containment – Keep the zombies out
  2. Endurance – Stay alive until the zombies are gone
  3. Sustenance – Don’t go hungry
  4. Eradication – Kill every zombie you find
  5. Repopulation – Breed new humans for the continuation of the race

A good ZSP is measurable and testable. Data centers are used to measuring availability and power usage effectiveness (PUE). Your ZSP needs a similar metrics program. A best practice is to assign weighted values to your ZSP goals, measure them quarterly, and report to executive management on your composite zombie protection effectiveness (ZPE) score. (read more…)


May 2, 2012

10 Ways to Protect Yourself From Identity Theft

Identity theft is nothing new, but the rise of the Internet has turned it into a multibillion-dollar international business. Plenty of companies want to sell you protection services for a fee, usually some form of monitoring of your credit report and your accounts plus an insurance policy, but there is little information on how to effectively protect yourself from becoming a target in the first place.

The Federal Trade Commission (FTC) has devoted an entire website to educating the public, and created pithy posters to promote its three Ds of identity theft: Deter, Detect, Defend. While detection and remediation are important, the best way to deal with identity theft is to deter it by protecting your information. Unfortunately, the deter portion of the FTC’s website is pretty light:

  1. Shred financial documents before you discard them
  2. Protect your social security number
  3. Don’t give out personal information to unknown parties
  4. Never click links on unsolicited emails
  5. Don’t use an obvious password
  6. Keep your personal information in a secure place at home

This is a fine list, but it really doesn’t go far enough to make it useful. As an example, the government says don’t use an obvious password. Well DUH! They don’t tell you how to create a non-obvious password, how to keep it secure, and how to remember it when you need it.

(read more…)


February 6, 2012

Lockdown Windows 7 with Simple Scripts

Back in 2007, I published a script for locking down Windows XP and Windows 2003 services, using the sc command. Recently I had need to lockdown a fresh Windows 7 image and realized the list of services needed to be updated. The below list works on my laptop. For a complete list of what each of these services does, or why you do/do not need them, please refer to Microsoft Technet.

The script could not be simpler. Take the below script and save it as a batch file on your desktop.

@echo off
REM services.txt holds one short service name per line (the name sc uses, not the display name); sc needs the space after start=
REM Run from an elevated command prompt, otherwise sc reports "Access is denied"
for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c
:eom

The list of services then goes into a text file in the same directory as the batch file, named “services.txt”. You can modify the list of services at will, based upon your unique needs. (read more…)


May 25, 2007

Web Proxies – Surf the Net Anonymously

Today we launched our own anonymous web proxy: http://www.edgeproxy.net. Like most security tools, anonymous proxies are incredibly useful but also controversial. Web proxies mask your activities on the net in two ways: first, they let you access one web site through another, hiding your IP address from the target; second, they encode the target URL, hiding it from any local firewalls or proxies you might be sitting behind. They are great for pen testing when you want to hide your activities, especially if you want to mask your location, though bear in mind that the proxy operator sees everything you send through it. They are a nightmare if you are trying to manage a web filter and your users are able to bypass your filters.
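The two masking tricks described above, and the one thing a web filter can still check for, as an added Python example. This is not edgeproxy.net's code (the post does not show any); the proxy endpoint, the `u` parameter, the base64 encoding of the target and the sample page are all assumptions made for the illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Assumed proxy endpoint; a real CGI proxy would serve the rewritten page from here.
PROXY_BASE = "https://proxy.example/browse.php"

# Constructed page as the target site might return it. Links are relative, so
# the proxy must resolve them before rewriting, or the browser would fetch them directly.
SAMPLE_PAGE = """<html><body>
<a href="/profile">Profile</a>
<img src="http://cdn.example.net/a.png">
<form action="login" method="post"><input name="user"></form>
</body></html>"""


def wrap(target: str) -> str:
    """Proxy URL for target; the target is base64-encoded so the host name never appears in the request."""
    token = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return f"{PROXY_BASE}?{urlencode({'u': token})}"


def unwrap(proxy_url: str) -> str:
    """Recover the target the browser asked for (what the proxy fetches on the client's behalf)."""
    token = parse_qs(urlsplit(proxy_url).query)["u"][0]
    token += "=" * (-len(token) % 4)            # restore the padding wrap() stripped
    return base64.urlsafe_b64decode(token).decode()


_LINK_ATTR = re.compile(r"""(?P<attr>\b(?:href|src|action))=(?P<q>["'])(?P<url>[^"']*)(?P=q)""", re.I)


def rewrite_page(html: str, page_url: str) -> str:
    """Point every href/src/action back through the proxy so the session never leaves it."""
    def repl(m: re.Match) -> str:
        absolute = urljoin(page_url, m.group("url"))
        return f'{m.group("attr")}={m.group("q")}{wrap(absolute)}{m.group("q")}'
    return _LINK_ATTR.sub(repl, html)


def is_proxied_request(url: str) -> bool:
    """What a web filter can look for: any query parameter that base64-decodes to a URL."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            try:
                decoded = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode()
            except ValueError:                   # binascii.Error and UnicodeDecodeError both subclass it
                continue
            if decoded.startswith(("http://", "https://")):
                return True
    return False


if __name__ == "__main__":
    page_url = "http://social.example.com/home"
    print(wrap(page_url))
    print(rewrite_page(SAMPLE_PAGE, page_url))
    print("filter flags it:", is_proxied_request(wrap(page_url)))
```

The detection side is deliberately cheap: decode every query parameter and see whether a URL falls out. A proxy that XORs or encrypts the token instead of base64-encoding it defeats this check, at which point you are back to blocking the proxy hosts themselves.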

Web proxies are very popular among students whose schools block access to MySpace and Facebook. We launched ours because we needed a reliable proxy we control for testing. We debated whether it was wise to provide a public vehicle for bypassing someone else’s security controls, but felt in the end that adding one more proxy to the net will not increase the web’s threat profile. Our terms of service state that we will cooperate with law enforcement if we determine that our site is being used for nefarious purposes. Hopefully, that will be enough to scare away those who hide behind proxies to abuse the web.


March 17, 2007

Lockdown Windows 2003 & XP with Simple Scripts

Now that DST 2007 is over, we are going to start a series of articles on securing systems and networks. I have built a lot of systems for various companies over the years. The challenge is to create repeatable processes that work in a variety of operating environments. Having a strong scripting toolkit can make all the difference, especially when you are under deadline.

The first script in the series is a Windows Services lockdown script for Windows XP & 2003. Disabling services is generally a good idea: it reduces your computer’s attack surface and improves its performance. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.

There are three ways to disable services: 1) Use the Services MMC GUI. This is a time consuming process and is prone to mistakes. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to implement for stand-alone servers, such as web servers. 3) Use the sc.exe command line utility.

If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start/stop/pause the services. The basic syntax of sc is:

sc <server> [command] [service name] <option1> <option2>

We are going to use two different sc commands in our service lockdown script: config & stop. These should be self-explanatory: config lets us set the service to disabled, and stop stops it. To make this work, we need three files: 1) The script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple: (read more…)


December 14, 2006

OFAC Compliance, the Easy Way

Occasionally, I find a simple solution to a complex problem that works better than expected. Office of Foreign Assets Control (OFAC) compliance can be difficult. OFAC is the Treasury Department office responsible for, among other things, enforcing the PATRIOT Act and the terrorism sanctions regulations that block financial transactions with suspected terrorists. Basically, OFAC requires you to compare your client list regularly against its published sanctions watch lists. If you find a match, you are required to stop doing business, freeze the money, and contact the Feds.

The hard part of OFAC compliance is matching your clients to the watch list. OFAC publishes a list on a regular basis, but the list is not exactly user friendly. Complicating matters is the fact that the list contains lots of Mohammeds, Usamas, and John Smiths. Most names on the list also have dozens of aliases. Obviously, not everyone named Mohammed doing business with you is a terrorist, so how do you distinguish the good from the bad? (read more…)
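The matching problem in code, as an added Python example that is not the author's solution (the post keeps that behind the read-more link). The watch list below is constructed in the shape of an SDN entry, a primary "LAST, First" name plus aliases, and the client names, the similarity thresholds and the rule that one shared token is never enough are all assumptions for the illustration; OFAC does publish the real SDN list in machine-readable form, and the same routine applies to it once you have loaded the name and alias columns.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list in the shape of SDN entries. Not real list data.
WATCH_LIST = [
    {"id": "SDN-0001", "names": ["MOHAMMED, Abdul Karim", "ABDUL KARIM, Mohammed"]},
    {"id": "SDN-0002", "names": ["SMITH, John Alexander", "SMITH, Jack"]},
    {"id": "SDN-0003", "names": ["AL-QUDSI ENTERPRISES LLC", "QUDSI ENTERPRISES"]},
]

# Constructed client records, chosen to exercise each matching rule.
CLIENTS = [
    "Mohammed Ali",                # shares one common token only: must not hit
    "Abdul Karim Mohamed",         # reordered, plus a spelling variant: should hit SDN-0001
    "John A. Smith",               # initial in place of the middle name: should hit SDN-0002
    "Qudsi Enterprises, L.L.C.",   # punctuation and suffix noise: should hit SDN-0003 via its alias
    "Jane Doe",
]

# Corporate suffixes carry no identity and only dilute the token overlap.
SUFFIXES = {"llc", "ltd", "inc", "co", "corp", "company", "plc", "sa", "gmbh"}
SCORE_THRESHOLD = 0.8   # fraction of tokens matched across both names (assumed cut-off)
MIN_SHARED = 2          # a single shared token (one "Mohammed") is never enough


def normalize(name: str) -> list[str]:
    """Lowercase, strip accents and punctuation, drop corporate suffixes, return tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.replace(".", "")                  # "L.L.C." -> "LLC", "A." -> "A"
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_name.lower()).split()
    return [t for t in tokens if t not in SUFFIXES]


def tokens_match(a: str, b: str) -> bool:
    """Exact, initial-vs-name, or close spelling (catches Mohamed/Mohammed, not Abdul/Abdool)."""
    if a == b:
        return True
    if len(a) == 1 or len(b) == 1:
        return b.startswith(a) if len(a) == 1 else a.startswith(b)
    if min(len(a), len(b)) >= 5:
        return SequenceMatcher(None, a, b).ratio() >= 0.85
    return False


def name_score(client: list[str], listed: list[str]) -> tuple[float, int]:
    """Symmetric token overlap: (fraction of tokens matched in either direction, tokens shared)."""
    if not client or not listed:
        return 0.0, 0
    c_hits = sum(any(tokens_match(c, l) for l in listed) for c in client)
    l_hits = sum(any(tokens_match(l, c) for c in client) for l in listed)
    return (c_hits + l_hits) / (len(client) + len(listed)), min(c_hits, l_hits)


def screen(clients: list[str], watch_list: list[dict]) -> list[tuple]:
    """Return (client, entry id, alias that matched, score) for every hit; a human reviews them."""
    hits = []
    for client in clients:
        ctoks = normalize(client)
        for entry in watch_list:
            (score, shared), alias = max(
                ((name_score(ctoks, normalize(alias)), alias) for alias in entry["names"]),
                key=lambda pair: pair[0][0])
            if score >= SCORE_THRESHOLD and shared >= MIN_SHARED:
                hits.append((client, entry["id"], alias, round(score, 2)))
    return hits


if __name__ == "__main__":
    for client, sdn_id, alias, score in screen(CLIENTS, WATCH_LIST):
        print(f"{client:28} -> {sdn_id} ({alias}) score={score}")
```

Two design points matter more than the scoring arithmetic. Aliases are compared individually and the best one wins, which is what lets "Qudsi Enterprises" hit an entry whose primary name is "AL-QUDSI ENTERPRISES LLC". And the MIN_SHARED rule, not the threshold, is what keeps every "Mohammed" in your client base off the review queue; the threshold alone would still flag short names that happen to share their only distinctive token. Names with no Latin letters normalize to nothing and score zero, so run non-Latin client data through a transliteration step before this.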


December 1, 2006

Clean Up After Terminated Windows Administrators

Losing an administrator is always a painful process. Even the best administrators usually forget to document something. The worst admins document nothing, create multiple backdoor accounts, and install services to run under their own credentials. It is important to immediately check your servers when an admin leaves for several reasons: Disgruntled admins may leave backdoors in your system that they will later use to attack you; Disabling the admin’s account may cause services to stop running; Scripts may be scheduled to run that will grant the admin access weeks or months later.

Fortunately, it is possible to perform a rapid clean up if you follow a simple process, and use tools to help. This process is specific to the platform the administrator supported. The process for cleaning up after a Windows administrator is as follows:

  1. Create a list of all servers in your environment. If you aren’t sure, check DNS and Active Directory
  2. Search Active Directory for all users with privileged (admin) group memberships
  3. Search every server for services that run under domain or local accounts instead of LocalSystem or NT
  4. Search every server for scheduled tasks that run under domain or local accounts
  5. Change the password on every privileged user account. Assume that the old admin could have had access to every account at some point.
  6. Change the password on every service and scheduled task to match the new passwords in step 5.
  7. Change any service or scheduled task that runs under the old admin’s account to run under a new service account
  8. Review any scheduled tasks that are scripts, to make sure you know what they do. A clever admin could bury a script to recreate his admin account inside of another script.
  9. Disable the old admin account
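Steps 3, 4 and 7 as a script, added here as an example; it is not the author's script (those are behind the read-more link). It works offline from output you collect per server, `sc \\host qc <service>` for each service name that `sc query` lists and `schtasks /s host /query /v /fo CSV`, and flags every service or task running under a named account, separating those owned by the departed admin (reassign to a new service account) from the rest (rotate the password). The sample output below is constructed and trimmed to the lines and columns the script reads; the host, service and account names are assumptions.

```python
import csv
import io
import re

# Accounts Windows itself runs services and tasks under. Anything else is a
# named account whose password the departed admin may know (steps 5 to 7).
BUILTIN_ACCOUNTS = {
    "localsystem", "system",
    "nt authority\\system",
    "nt authority\\localservice", "nt authority\\local service",
    "nt authority\\networkservice", "nt authority\\network service",
}

# Constructed sample of `sc qc` output for three services, trimmed to the lines this script reads.
SC_SAMPLE = r"""
SERVICE_NAME: wuauserv
        DISPLAY_NAME       : Windows Update
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: BackupAgent
        DISPLAY_NAME       : Backup Agent
        SERVICE_START_NAME : CORP\svc_backup

SERVICE_NAME: NightlyETL
        DISPLAY_NAME       : Nightly ETL
        SERVICE_START_NAME : CORP\jsmith
"""

# Constructed sample of `schtasks /query /v /fo CSV` output, trimmed to the columns this script reads.
TASKS_SAMPLE = r'''"HostName","TaskName","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"SRV01","\RecreateAdmin","C:\Scripts\cleanup.cmd","CORP\jsmith"
"SRV01","\DbMaint","C:\Scripts\dbmaint.cmd","CORP\svc_sql"
'''


def is_builtin(account: str) -> bool:
    return account.strip().lower() in BUILTIN_ACCOUNTS


def services_from_sc_qc(sc_output: str) -> dict[str, str]:
    """Map service name -> SERVICE_START_NAME from the text of one or more `sc qc <name>` calls."""
    services, current = {}, None
    for line in sc_output.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*SERVICE_START_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            services[current] = m.group(1)
    return services


def tasks_from_schtasks_csv(csv_text: str) -> dict[str, str]:
    """Map TaskName -> 'Run As User' from `schtasks /query /v /fo CSV` output."""
    tasks = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name and name != "TaskName":          # the header line repeats per task folder on some builds
            tasks[name] = row.get("Run As User", "")
    return tasks


def audit(host: str, sc_output: str, schtasks_csv: str, departed: set[str]) -> list[dict]:
    """Every service or task on host running under a named account, with the action to take."""
    departed_lc = {d.lower() for d in departed}
    items = [("service", n, a) for n, a in services_from_sc_qc(sc_output).items()]
    items += [("task", n, a) for n, a in tasks_from_schtasks_csv(schtasks_csv).items()]
    findings = []
    for kind, name, account in items:
        if is_builtin(account):
            continue
        action = ("reassign to a new service account" if account.lower() in departed_lc
                  else "rotate password")
        findings.append({"host": host, "kind": kind, "name": name, "account": account, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit("SRV01", SC_SAMPLE, TASKS_SAMPLE, departed={r"CORP\jsmith"}):
        print(f"{f['host']} {f['kind']:8} {f['name']:42} {f['account']:18} -> {f['action']}")
```

Run it against every host from step 1 and keep the findings list: it is also your checklist for step 8, since every task it flags names the script that task runs, and `\RecreateAdmin` above is exactly the kind of entry you want to open before you disable the account in step 9.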

There are many good commercial tools available for searching servers for service accounts and scheduled task accounts, but I’m a big believer in using simple scripts where possible to get the job done. If you want a commercial product to help, check out:

If, like me, you hate to spend good money on tools that duplicate the built-in power of Windows, then these scripts are for you: (read more…)


November 14, 2006

How to buy a 65” Plasma for $.99

How secure is your web application? Are you sure? We are constantly amazed at the lack of basic security many companies employ online. For instance, it has been known for years that e-commerce sites that carry price or quantity in hidden form fields are susceptible to manipulation. The problem doesn’t seem to be getting any better, and is actually being made worse by some service providers. Many smaller hosting companies offer software solutions to help small businesses get online “faster” and “easier.” This almost never translates to more secure.

Which brings me to the title of this article. During my studies for the CEH exam, I was exposed to the seriously flawed CartIt.cgi shopping cart application. CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML form to submit the price and quantity in the POST when the user clicks the add-to-cart button. Hidden fields are hidden only from the casual user; the browser submits them like any other field, and they are trivial to manipulate. One of the easiest ways is to run a local intercepting proxy, such as Paros, catch the POST your own browser sends, and edit the price before it reaches the server. No man-in-the-middle position is needed, because the client being tampered with is yours. (read more…)
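The flaw and its fix side by side, as an added Python example; this is not CartIt.cgi's code, and the catalog, SKU and form bodies are constructed to mirror a cart that carries price in a hidden input. The vulnerable handler multiplies whatever the form says. The hardened one treats the form as naming a SKU and a quantity only, resolves the price from its own catalog, bounds the quantity (a negative quantity against a trusted price is the refund variant of the same attack), and reports a submitted price that disagrees with the catalog as the tamper signal it is.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog. The hardened handler trusts only this, never the form.
CATALOG = {
    "PLASMA-65": Decimal("3499.00"),
    "HDMI-6FT": Decimal("19.99"),
}

# Constructed form bodies in the shape a hidden-field cart POSTs on add-to-cart.
HONEST_POST = {"item": "PLASMA-65", "price": "3499.00", "qty": "1"}
TAMPERED_POST = {"item": "PLASMA-65", "price": "0.99", "qty": "1"}      # price edited in the proxy
NEGATIVE_POST = {"item": "PLASMA-65", "price": "3499.00", "qty": "-1"}  # the refund variant


class CartError(ValueError):
    pass


def add_to_cart_vulnerable(form: dict) -> Decimal:
    """Line total the way a hidden-field cart computes it: both factors come from the client."""
    return Decimal(form["price"]) * int(form["qty"])


def add_to_cart_hardened(form: dict) -> Decimal:
    """Line total with the price resolved server-side; the client only names a SKU and a quantity."""
    sku = form.get("item", "")
    if sku not in CATALOG:
        raise CartError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise CartError("quantity must be a whole number") from None
    if not 1 <= qty <= 99:
        raise CartError("quantity out of range")
    return CATALOG[sku] * qty          # any submitted price is ignored entirely


def client_price_mismatch(form: dict) -> bool:
    """Worth logging: a submitted price that disagrees with the catalog means someone edited the form."""
    sku = form.get("item", "")
    if sku not in CATALOG or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[sku]
    except InvalidOperation:           # garbage in the price field is a tamper signal too
        return True


if __name__ == "__main__":
    print("vulnerable, tampered:", add_to_cart_vulnerable(TAMPERED_POST))   # 0.99
    print("vulnerable, negative:", add_to_cart_vulnerable(NEGATIVE_POST))   # -3499.00
    print("hardened, tampered:  ", add_to_cart_hardened(TAMPERED_POST))     # 3499.00
    print("tamper detected:     ", client_price_mismatch(TAMPERED_POST))    # True
```

If the cart genuinely must carry state through the client, sign it (an HMAC over the item and price, verified before use) rather than trusting it, but for price the simplest fix is the one above: never accept it from the browser at all.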


October 26, 2006

Top 20 Books Every IT Security Professional Should Own (and READ!)

I recently was asked by some colleagues how an IT admin can get into infosec. It’s a tough question for three reasons: 1) Most administrators are not wired to be security professionals. The goal of admins is to provide services to users. The goal of infosec is to limit services to only authorized users. These goals often conflict. 2) Most admins specialize in a single technology; good security pros need to be fluent in a wide range of technologies. 3) Security requires a deep knowledge of computing and networking theory, which many admins lack. Modern operating systems provide a high level of abstraction from issues such as the proper format of TCP headers. I know some very skilled systems engineers who do not fully understand a 3-way handshake, nor do they need to. But for a security engineer, understanding this process, how to exploit it, and how to recognize when someone else is exploiting it is critical.

My best advice for those crazy enough to desire a career in infosec is always to start with the technology they already know, learn how it works at a low level and how to break it, and then learn how to protect it. After that, security is a non-stop learning process. The best security guys I know spend hours reading, surfing, and studying every night. Sleep is for the weak!

I compiled the list of books below as a representative sample of the books on my shelf that I reach for regularly. In my (never) humble opinion, every infosec professional should own (and read) each of these, or others in the same category. Originally, I intended this to be a Top 10 list, but I had too many books on my list. 20 is the shortest I could get it and still be representative.

(read more…)


October 22, 2006

10 New Immutable Laws of IT Security

Back in 2000, Microsoft released its 10 Immutable Laws of Security & 10 Immutable Laws of Security Administration. Six years later, these laws are still true. I recently started reading the excellent book Protect Your Windows Network: From Perimeter to Data by Jesper Johansson & Steve Riley, and they include these laws in their appendix. If you have not read this book, buy it immediately! It is a well written introduction to the theory of network security, and is probably the best guide I’ve seen for those who are new to infosec. Although the book comes from Microsoft, and the title includes Windows, the book covers a wide range of topics including social engineering, patch management, and security policy management that can be applied to any environment.

After reading this book, I decided to write my own updated list of 10 Immutable Laws of Information Security. These 10 rules represent years of experience, hundreds of projects, and countless mistakes:

(read more…)
