Archive for May, 2009

SSCP Certification

How many of you have taken or considered taking the SSCP® exam? While I know many people pass over this exam and go directly for the CISSP®, there are some reasons you might give this certification a second look.

One reason is the background requirements. While the CISSP places very strict requirements on experience, the SSCP only requires test candidates to have a minimum of one year of experience. The SSCP is an intermediate-level certification meant for those who are looking to advance their career in IT security.

While the CISSP exam consists of 250 questions, the SSCP exam only has 125 questions. Both the CISSP and SSCP exams have multiple-choice questions, with four possible answers given for each (but only one is correct). A score of 700 is required to pass. This test is not the same as the Security+; it is much less fact-based and more concept-based.

If you have been looking for an alternative to the Security+ certification and don’t have the experience to sit for the CISSP exam yet, give some thought to the SSCP. You’ll be able to build your knowledge and add to your marketable skills.

Editor’s note: Those interested in SSCP certification, but don’t meet the work experience requirement, can earn an Associate SSCP certificate by passing the SSCP exam.

From Michael Gregg

Image from (ISC)²

Pressure to Relax Security Policies

From the editor:

A recent article from searchsecurity.com discusses a survey revealing that 86% of IT managers feel pressured to relax internet security protocols by others in the organization, including executives. The calls for relaxed policies usually stem from users wanting to access social networking sites, online collaboration tools, and cloud-based technologies. Nearly half of survey respondents said that some users will just bypass web security measures in order to get to the services they want.

My department has experienced this problem first-hand. We wanted to use an application to better organize our Global Knowledge Twitter accounts, and said application ran off of Adobe® AIR™. Our IT group “recommended” we find a different application, because they were concerned the Adobe AIR portion of the program could open up areas of our organization to security breaches and hacks. So, here we had a conflict that required weighing our corporate communication needs against the overall health of the company’s network/internet security. In the end, we decided to find a comparable application.

How about you? Have you ever felt pressured to relax security policies so that users could do something work-related (or even not work-related)? How have you dealt with this problem?

With the increased use of wikis, internet applications, and other web-based services, this is an issue that is not likely to go away anytime soon.

Preparing for Certified Ethical Hacker Version 6

For those of you considering taking the Certified Ethical Hacker (CEH) exam, there is an important deadline approaching that you should be aware of: V5 of the CEH exam will be retiring in June. All students testing after June will need to take the CEH v6 exam.

There is no need to panic; the two tests are similar except for new tools, techniques, and material that have been added to V6.

I have had students ask me, “why the change?” Good question! Tools change, techniques change, and hardware continues to improve. This requires vendors like EC-Council and others to update their material. I have been lucky, because the folks at Global Knowledge began working with me earlier this year to get updates built into their Certified Ethical Hacker prep course delivery and rolled out before the changeover. One of the things I was most pleased about was how we worked many changes into the labs. While we already had a 50% lab to lecture ratio in the class, we added even more labs in the updated version.

This was very important to me; nothing bugs me more than skill-based IT classes where you only “talk” about security. Here, we introduce a concept and then let students try it themselves. Compiling an exploit or rooting a box always gets a student’s attention!

While those taking the test will want to learn more about the new version of the exam, I would also like to remind each of you that taking a CEH class is not just about a test. It is about skills: skills you can use to protect your network, skills you can use to move into that security job you have dreamed of, or even skills that demonstrate to your employer that you’ve got what’s needed to justify a raise.

Related Courses

Certified Ethical Hacker

From Michael Gregg

Image from eccouncil.org

Spam Mail and Credit Card Security

With the recent talk of Swine flu in the news, it seems appropriate to talk about pork-related items. The particular piece of pork to which I am referring is spam. I received an interesting piece of spam this week that informed me about the threat of credit card abuse. While it seems strange to receive spam that actually alerts me to the dangers of other spam, this does occasionally happen.

Sometimes, computer criminals turn on each other and use spam to “out” competing criminal organizations. This seems to be the case in what is happening now as one group of spammers is using an existing botnet to send messages about a Russian credit card trading site that we will call “the carder” for the rest of this post.

Such sites are set up to allow criminals to exchange information, buy and sell credit card data, buy blank cards, and even buy equipment such as credit card skimmers. These skimmers caught my attention because of what I was told by an account manager at my local bank just last week. He informed me that some of the bank’s customers were believed to have fallen victim to these devices.

Skimming is nothing more than the theft of credit card information. It is accomplished during an otherwise legitimate transaction. Some instances of skimming have been reported at ATMs and gas stations where you can pay at the pump. The skimmer is placed over the credit card slot of the card reading device, and when the victim inserts the card, the skimmer reads the magnetic stripe as the card passes through the illicit device. Skimmers may also include a built-in pinhole camera to capture the user’s PIN. If you would like a better look at these devices, take a look here.

While many people are rushing about trying to buy the last bottle of hand sanitizer and opting to pay at the pump instead of going into a crowded store, don’t forget to take the time to pay attention to what and where you are inserting your credit card. Otherwise, you may find more than a few unexplained charges on your credit card.

From Michael Gregg


Wikileaks & Virginia’s Prescription Monitoring Program

Security leaks continue to make the news. The truth is that I don’t even have to go looking for them; they just seem to keep popping up on an almost daily basis. This week’s security breach was released by Wikileaks. Many of you may not have ever heard of Wikileaks before this week. It is a site that resembles Wikipedia in form, but its purpose is to expose information and reveal unethical behavior in governments and corporations. The site’s earlier claim to fame came during the 2008 U.S. presidential campaign, when Wikileaks exposed the hacking of vice presidential candidate Sarah Palin’s Yahoo email account. This week’s exposure is much more alarming.

On Thursday, April 30, Wikileaks reported that the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $10M ransom demand that bluntly stated, “In my possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions…For $10 million, I will gladly send along the password…If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid…”

The Virginia state police and FBI would like to find the person (or people) who left the note on the state’s web site. The Virginia Prescription Monitoring Program site is used by doctors and law enforcement officials to monitor prescription drugs and strong narcotics. While the state’s site is still down as a result of the breach, very little has been confirmed or denied by the state of Virginia.

While we can only hope that there are no more security breaches this year, at best this would be wishful thinking. According to a Washington Post interview with Alan Paller, director of research for the SANS Institute, attacks like these are common but rarely make the news, because some companies actually pay to keep such attacks quiet.

I know how hard it is for working security professionals to meet each day’s challenges, but the stakes are high should we fail at our tasks.

From Michael Gregg

Photo from Wikileaks.org

Who Let the Code Out!!

As I sit here 34,000 feet up in the air right now, I’m deciding to deviate slightly from the NAC discussion and bring up something very new and interesting, namely changes with Cisco Security Products. It seems there have been some pretty big changes internally to Cisco, including Business Unit rearrangements and new code releases which have been pretty exciting.

Last Friday, Cisco released their latest flavor of the ASA code 8.2(1). As with all the other tech geeks, I immediately ran out and started playing with the code. Some good and some not so good restrictions have come to light with this release.

The first thing I noticed was that there is currently a slight disconnect with CSM, meaning that some of the newer features included in 8.2 are not yet readily available within CSM. I had a chance to talk to the CSM BU (business unit) a few weeks ago, and they mentioned a tighter interaction between the BUs moving forward to close the delta in technologies between them.

So, on with some of the cool features. I noticed in the release notes and also in the command line that NetFlow is now supported. The commands look to be the same as IOS, and this feature was a long time coming.

Another difference you’ll notice is the licensing. It seems Cisco has changed the VPN licensing for AnyConnect. First off, the old license you had will still work, so don’t be alarmed. Documentation states that the new “Essentials” licensing is the full AnyConnect client with the following exceptions:

  • No CSD (including HostScan/Vault/Cache Cleaner)
  • No clientless SSL VPN
  • Optional Windows Mobile Support

So I’m not too sure whether buying an Essentials license is an improvement, as it seems to hinder operations by removing support for the above-mentioned technologies. It seems this new form of licensing replaces the following: the full SSL VPN license, the shared SSL VPN license, the VPN Flex SSL VPN license (which is the shared SSL VPN server license), and the Advanced Endpoint Assessment license. Cisco has more details on their License Feature Page.

Along with this new licensing comes a new shared licensing server, which allows you to load licenses on a single ASA acting as the server and lets other ASAs borrow licenses on an as-needed basis.

And, hey! We finally got SNMP v3 on our main security device. This flavor of SNMP in the ASA supports the typical hashes and encryption sets, including DES, 3DES, and AES.

There are a few more features, including double authentication for your PCI-compliant networks out there and the Botnet Traffic Filter, which allows blacklisting of networks or host IPs based on a collaborative-type system (license required).

So basically, we are finally getting the code we’ve been waiting for. However, it does lack some feature components, such as GRE/VPN, DMVPN, GET VPN, better QoS (LLQ) like we can do on the IOS devices, and removal of the requirement for hardware matching between failover peers (AIP-SSMs get costly). How about VPN support with multiple contexts and therefore A/A failover? Well, maybe next time.

Author: Jim Thomas


NAC up your Alley…host login process

So now that we have the NAC agent installed, we can take a look at the process the host goes through in order to achieve NAC login.

The first thing to understand is the SWISS Protocol that Cisco has created. When an agent is installed on the host machine and loads as a user process, it begins sending out discovery packets frequently. The timing depends on the configuration, that is, if the NAS is configured as Layer 2 or Layer 3.

If the NAS is Layer 2, then the host will attempt to discover the NAS by sending packets to its default gateway every 5 seconds. In a Layer 2 type of environment, the user’s gateway should be behind the NAS, or the NAS itself is the gateway if it is configured in Real-IP mode. The host attempts this discovery using a destination port of UDP/8095. If the NAS is present, it will respond with its certificate to the client so they can begin authentication/posture assessment over a secure channel (SSL).

In the case of Layer 3 configurations on the NAS, the client attempts to contact its configured “Discovery Host,” which is an IP address or hostname configured in the NAA (NAC Appliance Agent). The connection attempt to reach this discovery host will be made on UDP port 8096. If a NAS exists between the agent and this discovery host, then the NAS will send its certificate to the host so that the rest of the negotiation can continue over a secure channel. That process can be seen in the following diagram.

(Diagram: NAA discovery process between the host and the NAS)

The discovery host field itself can be modified to whatever IP address you wish. Remember, this IP is only for the NAA to initiate contact and begin the communication process. So really, the IP can be literally anything in the network as long as it resides behind the NAS. Some organizations have even configured NAC with split-tunnel VPN configurations and used this discovery host to trigger the NAC process back at their main office where the NAS is located.

Also keep in mind that this discovery host field is already pre-populated, since the agent was obtained from the NAM. In fact, we’ve even seen this mangled in configs. It turns out that the Discovery Host is added to the NAA on NAC Appliance reboot, and we’ve seen errors in this compilation process of the NAA. Anyway, rest assured you can absolutely change the field by simply right-clicking the agent in the system tray on the host machine and clicking Properties, as seen in the following image.

(Screenshot: NAA agent Properties dialog showing the Discovery Host field)

Another place where you can set the discovery host for Layer 3 NAS support is during installation. You should have the NAA installed before any NAC deployment goes live, and this can easily be accomplished by using the following in your Windows scripts:

msiexec /package F:\NAC\CCAAgent.msi /qn SERVERURL=http://10.1.1.1/

Notice that you can also modify the discovery host in the registry by locating the key HKLM\Software\Cisco\Clean Access Agent and changing the ServerUrl data value to anything you wish.
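As an added example (not Cisco’s code or a tool from this post), the following Python script applies the discovery behaviour described above to firewall or NetFlow-style log lines: an agent in Layer 2 mode probes its gateway on UDP/8095, an agent in Layer 3 mode probes the Discovery Host on UDP/8096, and a NAS in the path answers. Run over constructed sample lines, it shows how a mangled ServerUrl (probes going to the wrong Discovery Host) or a NAS that is not actually in the path (repeated probes with no reply) shows up in network telemetry, which is a useful check before a NAC deployment goes live. The log format, the addresses, the NAS list and the three-probe threshold are all assumptions made for the example; only the ports and the probe/reply behaviour come from the post.

```python
"""Spot NAC Appliance Agent (NAA) discovery problems in firewall/NetFlow-style logs.

Added example, not Cisco's code. Log format, addresses and thresholds are constructed.
From the post: Layer 2 agents probe the default gateway on UDP/8095; Layer 3 agents
probe the configured Discovery Host on UDP/8096; the NAS in the path replies.
"""
import re
from collections import Counter

# Constructed configuration. The post's msiexec line uses http://10.1.1.1/ as the
# SERVERURL, so that is the Discovery Host every Layer 3 agent should be probing.
EXPECTED_DISCOVERY_HOST = "10.1.1.1"
NAS_ADDRESSES = {"10.1.1.1", "10.20.5.1"}   # constructed: NASes expected to answer probes
L2_PORT, L3_PORT = 8095, 8096               # from the post: gateway probe / Discovery Host probe
UNANSWERED_THRESHOLD = 3                    # constructed: unanswered probes before we flag an agent

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) sport=(\d+) dport=(\d+)")

# Constructed sample log: a healthy L2 agent, a healthy L3 agent, an agent whose
# ServerUrl points at the wrong host, and an agent whose probes nobody answers.
SAMPLE_LOG = """\
2009-05-12 10:01:05 src=10.20.5.17 dst=10.20.5.1 proto=udp sport=51001 dport=8095
2009-05-12 10:01:05 src=10.20.5.1 dst=10.20.5.17 proto=udp sport=8095 dport=51001
2009-05-12 10:01:06 src=10.30.7.42 dst=10.1.1.1 proto=udp sport=52002 dport=8096
2009-05-12 10:01:06 src=10.1.1.1 dst=10.30.7.42 proto=udp sport=8096 dport=52002
2009-05-12 10:01:07 src=10.30.7.99 dst=10.9.9.9 proto=udp sport=53003 dport=8096
2009-05-12 10:01:12 src=10.30.7.99 dst=10.9.9.9 proto=udp sport=53003 dport=8096
2009-05-12 10:01:08 src=10.30.7.55 dst=10.1.1.1 proto=udp sport=54004 dport=8096
2009-05-12 10:01:13 src=10.30.7.55 dst=10.1.1.1 proto=udp sport=54004 dport=8096
2009-05-12 10:01:18 src=10.30.7.55 dst=10.1.1.1 proto=udp sport=54004 dport=8096
"""


def parse_log(text):
    """Return (src, dst, proto, sport, dport) tuples for every parseable log line."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            src, dst, proto, sport, dport = match.groups()
            records.append((src, dst, proto.lower(), int(sport), int(dport)))
    return records


def analyze(records):
    """Correlate agent discovery probes with NAS replies.

    Returns a dict with:
      wrong_discovery_host: agent -> host it probed on UDP/8096 other than the expected one
      unanswered:           agent -> probe count, for agents no NAS ever replied to
    """
    probes = Counter()   # (agent, dport, dst) -> number of probes seen
    answered = set()     # agents that received a reply sourced from a NAS discovery port
    for src, dst, proto, sport, dport in records:
        if proto != "udp":
            continue
        if dport in (L2_PORT, L3_PORT):
            probes[(src, dport, dst)] += 1
        elif sport in (L2_PORT, L3_PORT) and src in NAS_ADDRESSES:
            answered.add(dst)

    wrong_host, unanswered = {}, {}
    for (agent, dport, dst), count in probes.items():
        # A Layer 3 probe to anything but the configured Discovery Host suggests a
        # mangled or stale ServerUrl on that host.
        if dport == L3_PORT and dst != EXPECTED_DISCOVERY_HOST:
            wrong_host[agent] = dst
        # Repeated probes with no NAS reply suggest the NAS is not in the path.
        if agent not in answered and count >= UNANSWERED_THRESHOLD:
            unanswered[agent] = count
    return {"wrong_discovery_host": wrong_host, "unanswered": unanswered}


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for agent, host in report["wrong_discovery_host"].items():
        print(f"{agent}: probing unexpected Discovery Host {host} (check ServerUrl)")
    for agent, count in report["unanswered"].items():
        print(f"{agent}: {count} probes with no NAS reply (NAS not in path?)")
```

The two findings map directly onto the two fixes the post describes: an agent probing the wrong host needs its ServerUrl corrected (registry, agent Properties, or the SERVERURL install parameter), while an agent probing the right host with no reply points at routing or NAS placement rather than the client configuration.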

Author: Jim Thomas


Hackers versus the U.S.

This year, like many others, has followed a pattern in that every week brings the report of another security breach or network compromise. These continued attacks against the U.S. by its potential adversaries demonstrate that there is a not-so-silent war going on over who controls the data networks that connect the world together. Several of last week’s security breaches were significant in nature. One major incident was the report that development work being done on the U.S. Government’s new joint strike fighter had been compromised.

While the attackers were unknown, the Wall Street Journal reported that several terabytes of data were copied. This data is believed to be related to the design and electronics systems of the jet. While such information may not be critical in itself, the real issue is that it lets the attackers validate future information: they now have a way to make a better analysis and discriminate real data from bogus honeypot data.

The same article detailed the means of attack for government systems breached in 2008. Of the 18,050 attacks during this period, 7,528 (about 40%) remain under investigation while 2,274 of these attacks were instances of malicious code.

The most startling issue related to these attacks is that it’s not just the DoD networks being targeted; there are also successful probes and the installation of malicious software on the U.S. electrical grid that are designed to disrupt the system upon command at some point in the future. These issues affect all of us. While the previous administration spent about $17 billion addressing cyber security, it is apparent that much more still needs to be done.

From Michael Gregg

Photo from US Air Force | Graph from Dept. of Homeland Security