Virtualization Increases IT Security Pressures

September 14, 2007 by omarv

Virtualization is making it more difficult to patch and upgrade applications on virtual machines, as well as complicating network access controls.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=301232&source=rss_topic17

[Editor's Note (Valle): We know that virtualization can be used for sand-boxing applications to test for malware and also create safe web browsing environments. Here is the flip-side of that technology.]

Fight Viruses with your USB Drive

September 14, 2007 by omarv

A great article at Searchsecurity.com from Ed Skoudis on programs every security analyst should have in their tool kit.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1270735,00.html?track=sy320&asrc=RSS_RSS-10_320

[Editor's Note (Valle): I am seeing an interesting trend when I do my weekly research for articles on my RSS reader of 90+ security feeds. I see that Searchsecurity.com's feed usually has only 1 or 2 articles (where the other feeds usually average about 20 posts a week) but I invariably pick one of their articles to post to this blog. Keep up the great work Searchsecurity and especially Ed Skoudis!]

The Most Poisonous Bugs

September 4, 2007 by omarv

Here is a good presentation that shows some of the vulnerabilities that were exposed at the Black Hat conference.
http://www.eweek.com/slideshow/0,1206,a=213412,00.asp

Editor’s Note (Valle): We continue to see how the Internet’s beneficial attributes (distributed, redundant, open architecture, etc.) are turned into critical vulnerabilities that have even the best security minds perplexed.

New Bank Practices Make Hacking Easier

September 4, 2007 by omarv

This is a great article on how some strong authentication techniques can actually make it easier for cybercriminals to rip you off if they are able to get an in-line proxy between you and your financial institution (aka a man-in-the-middle attack).
http://www.darkreading.com/document.asp?doc_id=131191

Editor’s Note (Valle): Ever since I saw a company named TriCipher at a local ISSA meeting use a man-in-the-middle attack against a Charles Schwab account that was using two-factor authentication, I have been wary of financial institutions’ “secure” solutions.

MySpace Worm Uses Fast-Flux to Dodge Detection

August 13, 2007 by omarv

A new attack on MySpace users in June was turning their sites into bots to serve phishing scams and viruses. This new technique (called fast-flux) was used to hide malicious sites behind a constantly changing network of proxy servers that makes it almost impossible to track down the malicious sites.
http://www.eweek.com/article2/0%2C1895%2C2163609%2C00.asp

[Editor's note (Valle): This technique is similar to anti-forensic methods used by cybercriminals to hide their true origins. The main difference is that fast-flux has a larger and more rapidly changing number of proxy servers to hide behind.]

Research Reveals Compliance Problem

August 13, 2007 by omarv

Ponemon Institute issued a report that brings up the most common inadequacies in ensuring proper access to systems and data.
http://www.darkreading.com/document.asp?doc_id=131038
Some report findings:

1) Reliance on Manual Processes – Audit and compliance (A&E) staff monitor and test controls by depending almost exclusively on reports generated by others rather than on software tools.

2) Lack of Centralized Control – There is no clear ownership of compliance oversight or of the processes for reporting on and monitoring user access; fragmentation of data and distribution of responsibility are also issues.

3) Poor Communication and Collaboration – A&E staff do not collaborate with departments that share IT compliance responsibility. Other departments have a poor understanding of risk management and compliance.

4) Inattention to Business Risk – Most organizations do not focus their compliance resources or efforts on risk, and most say they do not have the necessary information to quantify risk.

Security Digest for July 30th – Aug 3rd

August 13, 2007 by omarv

Computer Security Videos at Security-Freak.com
http://www.security-freak.net/videos.html
A series of good primer videos for network security engineers

Google TechTalk Video “What every engineer needs to know about security”
http://www.net-security.org/secworld.php?id=5401
Interesting talk at Google

Make Mashups secure
http://www.infoworld.com/article/07/08/06/32FEmashsec_1.html
Important techniques to make your mashup more secure

Consumer Reports: Malware Costs US Consumer $7 Billion Over Two Years
http://www.darkreading.com/document.asp?doc_id=131056

Super All-in-one network security test system
http://www.eweek.com/article2/0,1759,2165270,00.asp?kc=EWRSS03129TX1K0000614
A start-up that uses HD Moore’s Metasploit technology, and where he is the Director of Security Research, is launching the mother of all network security test systems.

California moves to lock down e-voting systems

August 6, 2007 by omarv

Secretary of State Debra Bowen has mandated new security standards for California’s e-voting systems.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9029038&source=rss_topic17

[Editor's Note (Valle): Another example of how difficult it is to write secure code and why security needs to be a top priority when creating new software. To this end the SANS Institute has recently created the GIAC Secure Software Programmer Certification (GSSP) which will be the first exam of its kind to test a developer's secure coding skills. http://www.sans-ssi.org/ ]

8 Ways to Beat a Security Audit

July 23, 2007 by omarv

This article offers eight tips by auditors, consultants, and others who have been through IT security audits on what to look for in a compliance audit and how to beat these problems before the audit.
http://www.darkreading.com/document.asp?doc_id=128368

[Editor's Note (Valle): Since nobody passes security audits on the first try, it is good to learn from the wisdom of people who have been through it before.]

Security Digest for July 9th – 13th

July 23, 2007 by omarv

How to Detect Security Vulnerabilities in Your System
http://www.cio.com/article/107158/How_to_Detect_Security_Vulnerabilities_in_Your_Systems/1

Highlights the importance of keeping up with Common Vulnerabilities and Exposures (CVE) in your network.

Hackers Clean Up with Ajax
http://www.darkreading.com/document.asp?doc_id=128730
Web 2.0 technologies might be prettier to the end user but they are inherently more vulnerable.

NSA, DHS name top info assurance schools
http://www.fcw.com/article103179-07-09-07-Web
Don’t send your people to just any security school.

RFP: Penetration Testing
http://www.eweek.com/article2/0,1759,2155859,00.asp?kc=EWRSS03129TX1K0000614
A quick and dirty guideline for pen tests.