by Karl Fox on January 26, 2012
Jeff Bardin over at CSOonline.com has written an excellent article entitled The Proliferation of Cyber Janitors (and the mentality behind this movement). He observes that RSA, because of the mentality of its leadership, is focused not on preventing security breaches, but on cleaning up after them. He calls the security professionals who follow this approach “janitors” because that’s their focus: cleaning up (information) spills. Sure, they dust, vacuum and empty the trash, but they’re most visible when they’re actively cleaning up some huge mess.
His point is an excellent one. Don’t listen to these folks; their pitch is unhelpful and fatalistic. It is possible to run a tight ship and dramatically reduce the likelihood of a breach; it is not inevitable that you will be hacked.
by Karl Fox on August 4, 2011
Read this excellent account by Ed Bott and decide for yourself.
The situation he describes is a perfect example of why we at Lithik Systems are recommending architectural protections that block the outbound connection which makes this kind of malware so deadly. Antivirus and firewalls usually can’t detect these things, which means you can’t keep them from getting in. But you do have a shot at keeping yourself safe if you can keep the infection dormant. Check out our article A Simplified Firewall Architecture for Combating Malware to see how.
by Karl Fox on December 31, 2010
If you operate a small- to medium-sized bank, savings and loan, or credit union, your biggest IT security concern is the possibility of being breached by malware. Not the kind that makes pop-up windows show up on your screen, but the kind that you become aware of when your credit card processor calls you up and says they think all your customers’ credit card numbers have been stolen. The nightmare kind of malware. The kind that they say costs $6.6 million to fix.
The kind that puts banks your size out of business.
Is there anything you can do other than worry? Isn’t this stuff so complicated only grad students in computer science can understand it? People say that nothing is truly secure—isn’t that true?
You can do something about it, because hackers have adopted a relatively uniform mass-production approach to attacking computers. And yes, you can understand it.
by Karl Fox on December 31, 2010
Do you have a need to support several public servers? Would you like to have all the bells and whistles the big boys have but without spending $100K on equipment and licenses? You can do it. I know, because we did it and it works. It works great.
Our total capital expenditure, not counting licenses for the public servers themselves, amounts to less than $4,000. Our total monthly expense for data services dedicated to supporting the public servers is $150 for 2U of rack space in a secure colocation facility. We’re spending between 5% and 10% of what our customers spend for nearly the same feature set.
by Karl Fox on December 30, 2010
The SANS Institute says that the highest priority security risk is client software that remains unpatched. That’s right—it’s the highest priority security issue there is. Number one. It trumps (or should trump) all other issues.
So then, why is it that 90% of the time we here at Lithik Systems perform IT security audits, we discover hundreds, thousands, or even tens of thousands of patches missing from Windows, Office, Adobe, Java and other programs? It has been amply publicized that the vast majority of successful security breaches, that is, breaches that result in actual theft of proprietary information, occur through two avenues: visiting infected web sites and opening infected e-mail messages. Yet we routinely run into organizations, even organizations with CIOs and IT security staff, that don’t keep their systems up to date.
by Karl Fox on November 3, 2010
My partner Ron Kellogg and I recently spoke at a meeting of the Northwest Ohio Auditors Association to update them on what an internal auditor should be looking for in an IT audit. We also talked about some new network architecture ideas that can drastically improve an organization’s resistance to web-borne and e-mail-borne malware.
Click here for the slides.
by Karl Fox on November 16, 2009
Keeping your computer systems well-defended against the latest attacks is a daunting task, but fortunately, one of the most important defenses is really quite easy to maintain. Microsoft has provided some powerful tools that can keep your Windows systems patched with very little ongoing effort.
If the idea of configuring Windows Group Policy makes you break out in a sweat, be afraid no longer. We’ll go step-by-step through the process so that even a relative neophyte can get good results.
by Karl Fox on October 22, 2009
We often help organizations test how well their staff knows their security policy by performing social engineering tests. In one, we drop hacked USB drives around the premises that notify our home server when inserted into a Windows computer. Such tests are a lot of fun when they’re just tests, but when a real hacker leaves such a tasty tidbit in your parking lot, you can bet it’s going to do a lot more mischief than phone home when an employee plugs it into one of your computers.
AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. The main purpose of AutoRun is to provide helpful actions and capabilities when removable media or network shares are mounted. When such a device is mounted, the autorun.inf file from the media is parsed. This file specifies which commands the system should run. Many companies use this functionality to automatically start up their installers when a CD-ROM is inserted, but attackers can also use it to run data extraction sessions or automatic installations of malware.
by Karl Fox on August 4, 2009
The keys to good password hygiene are:
- Making them hard to guess,
- Never writing them down,
- Limiting the scope of passwords, and
- Limiting the ability of an attacker to make repeated guesses.
Password Complexity
A recent study on password memorability and security uncovered two surprising results:
by Karl Fox on April 27, 2009
I am greatly pleased when we at Lithik meet a client who uses thin clients. It not only means that IT management is forward-looking, it also often means they understand the substantial security benefit that can be gained by removing hard-disk-based Windows systems from their network. Converting an organization with a hundred Windows XP desktops accessing three Windows servers to thin client technology means a reduction from 103 Windows installations to 3. That means 30 times fewer machines to patch, 30 times fewer machines to monitor for antivirus updates and Windows events, and 30 times fewer machines on which to install service packs and other application updates. This is a seriously good thing.
Thin client sales pitches frequently include claims saying they can’t be hacked. They don’t have hard drives, so how could they? Besides, you can always push the reset button and—voilà—the software is booted from a clean copy, erasing any filth that may have found its way into memory.