Jaws bytes back.....

Internet users in the Middle East, North Africa, Pakistan and India had their services disrupted on 28 March 2013, because three scuba divers cut an undersea Internet cable off the coast of the northern city of Alexandria, Egypt.

· The affected cable is known as South East Asia-Middle East-Western Europe-4. The Internet slowed down considerably in some countries, as much as 60% in some areas, according to reports.

· Egyptian authorities say the three divers had been spotted on board a small boat and attempted to flee ashore, but the navy gave chase and eventually caught up and arrested them.

· The news highlights issues raised in a 2010 report by the IEEE, which suggested that urgent international action was needed to rid the global submarine cable network of its many vulnerable "choke points". It said that diversifying the deep-sea cable routes on which the Internet and telephony depends would bolster the network's chances of surviving attacks by saboteurs, pirates and cable thieves.

· The major choke points – where cables come together after traversing oceans – are in the Strait of Malacca near Singapore, the Luzon Strait between Taiwan and the Philippines, and the Suez Canal. Even optical fibres have valuable metal shielding, making cables a target for cable thieves, just as copper cables are on land.

· Ships' anchors and fishing nets drag cables up and snap them, too, and this was responsible for most of Asia's Internet outages between 2000 and 2009, the IEEE report said.

You'll be surprised how many Internet backbone and peering routes are susceptible to this type of attack from domestic and international threat actors.

[newscientist.com]

US intelligence officials have warned as nation-sponsored cyber warfare goes mainstream this year, attacks on US installations and institutions could result not just in damage and theft but in fatalities.

· They believe fatalities could occur with a former senior intelligence official stating that "that is the best estimate at this point."

· Last year, cyber attacks against the Iranian government were uncovered and Iran retaliated with "denial of service" attacks against US banks and Saudi oil companies that are continuing today.

· Iran intensified its attempt to push forward its cyber war capabilities with a six-month campaign of virus attacks that culminated in its hackers disabling 30,000 computers at Saudi Aramco, the world's largest oil corporation in August 2012.

· Defence contractors such as Lockheed Martin have become key targets as well, reporting that 20% of all threats aimed at the company's networks were sophisticated, targeted attacks by a nation or a group trying to steal data or harm operations.

· It is reported that the plans for both the F-22 combat aircraft and the F-35 Joint Strike Fighter have been stolen and now cutting edge technology measures must be put in place to secure the aircraft's avionics from hacker attacks.

· The hackers behind the cyber attacks on major US banks were highly knowledgeable about the defensive measures used by the banks and likely spent months on reconnaissance, said researchers in a Reuters report, who viewed the assaults as among the strongest and most complex the world has seen to date.

· Of most concern is the accelerating pace of cyber attacks on the computerised industrial control systems that run the power grid, chemical plants and other critical infrastructure.

[isssource.com,

Weknowyourhouse.com scours Twitter for people using the word "home" in their tweets and picks up their associated GPS co-ordinates, then publishes said tweet to its site along with information about where the tweeter is.

The site tells you where the person is, plots them on a map, shows you the Google Street View picture of that location, tells you nearby places of interest, local photos posted to Instagram by matching location data near that location. You can also see adverts for various business ranging from the essential to the explicit.

The site only keeps data for about 24 hours before purging, though it is alarming the amount of information it can harvest.

Scary huh. So just before you decide to shout to the world on a very public social site such as twitter, that you are "Just packaging my bags at home before flying away for two weeks", you turn off geo-location on your mobile internet device. This can be easily performed on most mobile platforms by limiting application access to the GPS API, or in this case from twitter account settings. Kudos to the twitter developers as they include an option for removing all past location data. Only niggle is if someone has downloaded the image, or already harvested the location data first.

It's crazy how much personal information people keep pumping out for the world to see. I am an advocate of social media, and I recommend people to use it in a safe and controlled way. It is always better to control your own digital identify, because chances are someone out there can easily steel it and pretend to be you. Follow basic commonsense when using these social services. If you wouldn't shout it out in a busy pub, or want your current or future employer to see your half naked drinking antics when you were sixteen, think twice what you "tweet" about.

"In a connected society like today, people share way too much about themselves, which has never been a good thing," the site's creators say.

"The site was created to show its really dumb to check in at home, or say you're at home with locations enabled," they added. "People need to understand this, whether they like it or not, and a site of this nature attracts attention and gets results."

Though they consider their site to be a public service, the site's creators admit they initially went too far. When it first launched, they left users' full Twitter handles and street addresses visible. After re-launching on Thursday, the site now partially censors that information, and only displays information from the past hour.

I am on the fence with this one. Though the site is only aggregating publicly available information from the Internet, which the users who signed up for the social service agreed to when accepting the T&C's (yes who reads that), this site in my view is acting in a sociably irresponsible way. Yes, it does highlight the dangers of using social media with geo-location, but the site could just become another tool for the bad guys to use. In the real world, typically in the UK, I could be committing an offence if I made available information which attracted or aided in a theft of a property.

It's about choices, and boundaries. 

The fact that people share too much about themselves on social media isn't new, though people need to remember that their mobile devices are the equivalent to a broadcasting GPS tracking device.

Social engineers and hackers love this stuff....

Dan

Sadly not. This is down to the new 'AntiPhishing' technologies built into IE8 and above. These technologies along with the new SmartScreen Filter help protect* users from malicious sites, phising pools and reduces the risk of third party browser hijacking attacks or customisation (aka tool bars, home page, search engines). The only way to enforce a particular search engine is to create a new ADM template with reference to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes. The search provider keys are designed to be GUIDs so each search provider will require an unique identifier.

For example; The Bing key is {9F4BEE75-5E51-4568-87AF-67C35184D4B5} and Google is {9F4BEE75-5E51-4568-87AF-67C35184D4B5}.

You could take the easy way out and just install Chrome, though when you have over 1,000 machines and a trusted application platform policy this is not an option.

To get this to work you need to follow http://support.microsoft.com/kb/918238

Or follow my simple guide.

Firstly, download the following pre-complied 2008 ADM template. I have customised this for UK search engine providers, so if you are outside the commonwealth you will need to edit the file. Please note you need to force ANSII encoding not UTF-8.

Download here

• Right click administrative templates and chose add/remove template

• Locate the new template under Classic Administrative Templates (ADM)\Windows Components\Internet explorer

• Now choose your provider

• Apply the GPO to an Organizational Unit of your choice.

1. CLASS USER
   Search_Explain="Adds registry entries to HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes for specific search providers.  Check or clear the checkbox next to each search provider.\n\n If you enable this policy setting and if the "Restrict search providers to a specific list of providers" Group Policy setting is enabled, the checked entries will be the only ones that appear in the Internet Explorer drop-down list. If the "Add a specific list of search providers to the user's search provider list" Group Policy setting is enabled, the checked entries will be added to the user's list of search providers.\n\n If you disable this policy setting or do not configure it, search will be governed by the other relevant policies in this category.  See the other policies mentioned here for additional information."
3. CATEGORY !!WindowsComponents
4. CATEGORY !!InternetExplorer
5.  
6. POLICY "Select search providers to be included in policy-based search list"
7.         #if version >= 4
8.         SUPPORTED !!SUPPORTED_IE7
9.         #endif
10.         EXPLAIN !!Search_Explain
11.         KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes"
12.         PART "Ask Kids"
13.         CHECKBOX VALUENAME LiveChoice      
14.         ACTIONLISTON      
15.         KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{BF9CED03-41B4-44E9-8850-87E374BEDA17}"      
16.         VALUENAME DisplayName   VALUE "Ask Kids"      
17.         VALUENAME URL   VALUE "http://www.askkids.com/web?q={searchTerms}&search=search&qsrc=0&o=0&l=dir"  
18.         VALUENAME FaviconURL VALUE "http://www.askkids.com/favicon.ico"      
19.         END ACTIONLISTON
20.         END PART
21.        
22.         PART "Bing"
23.         CHECKBOX VALUENAME BingChoice      
24.         ACTIONLISTON      
25.         KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{A6CF48A4-CC6B-46CA-B51A-AA3B0DC46532}"      
26.         VALUENAME DisplayName VALUE "Bing"      
27.         VALUENAME URL VALUE "http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox"
28.         VALUENAME ShowSearchSuggestions VALUE NUMERIC 1
29.         VALUENAME SuggestionsURL VALUE "http://api.bing.com/qsml.aspx?query={searchTerms}&market={Language}&form=IE8SSC&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}"
30.         VALUENAME Codepage VALUE NUMERIC 65001
31.         VALUENAME FaviconURL VALUE "http://www.bing.com/favicon.ico"      
32.         END ACTIONLISTON
33.         END     PART
34.        
35.         PART "Google"
36.         CHECKBOX VALUENAME GoogleChoice      
37.         ACTIONLISTON      
38.         KEYNAME "Software\Policies\Microsoft\Internet Explorer\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66}"      
39.         VALUENAME DisplayName   VALUE "Google"      
40.         VALUENAME URL           VALUE "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
41.         VALUENAME ShowSearchSuggestions VALUE NUMERIC 1
42.         VALUENAME SuggestionsURL    VALUE "http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
43.         VALUENAME FaviconURL    VALUE "http://www.google.com/favicon.ico"      
44.         END ACTIONLISTON
45.         END     PART
46.        
47.         END POLICY
48.         END CATEGORY
49.         END CATEGORY
50.        
51. [strings]
52. SUPPORTED_IE7="At least Internet Explorer 7.0"
53. WindowsComponents="Windows Components"
54. InternetExplorer="Internet Explorer"

“Gauss is a nation state sponsored banking trojan which carries a warhead of unknown designation... Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.”

“There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same "factory" (or factories) that produced Stuxnet, Duqu and Flame. All these attack toolkits represent the high end of nation-state-sponsored cyber-espionage and cyber war operations."

"Gauss' USB data stealing payload contains several encrypted sections which are decrypted with a key derived from certain system properties. The RC4 key and the contents of these sections are not yet known - so we do not know the purpose of this hidden payload," Kaspersky said. "We are still analysing the contents of these mysterious encrypted blocks and trying to break the encryption scheme."

Meanwhile, a UN agency that advises countries on protecting infrastructure plans to send an alert on the mysterious code.

More to follow.

Dan

 

"Thats a filthy long hard missile"

Firstly, let me apologise to my readers. As you can imagine I have been very busy recently and the blog unfortunately became a second thought for quite a few months.  On the flip side, I am going to make a conscious effort to at least try and ramble on once a week. Might even try quality over quantity for a while; I will let you be the judge of that J

I want to discuss a story which caught my eye earlier on this week.  On July 27 2012, Executive Director John James Jr. sent out a memo stating that a number of employees and contractors at the US Pentagon's Missile Defence Agency (MDA) were using government computers to access "XXX" sites as well as emailing explicit images between each other.

"Specifically, there have been instances of employees and contractors accessing websites, or transmitting messages, containing pornographic or sexually explicit images," James writes in the memo obtained by Bloomberg.

 "These actions are not only unprofessional, they reflect time taken away from designated duties, are in clear violation of federal and Department of Defence and regulations, consume network resources and can compromise the security of the network though the introduction of malware or malicious code," he added.

So let’s put this into some sort of logical perspective.  The MDA is an agency of 8,000 employees, develops, fields, and upgrades the USA's ground-and sea-based missile defence programs. The MDA is principally involved in developing defences against enemy ballistic missiles. The agency's traces its origins back to Ronald Reagan's Strategic Defence Initiative (Son of Star Wars) programme. Perhaps fortunately, the agency is not in charge of the US's nuclear deterrent.  Contractors include Boeing, Lockheed Martin, Raytheon, Northrop Grumman and Orbital Sciences, so not the sort of network you would want to be compromised for quite the obvious reason. 

"Thats a big pair Sir" 

The infrastructure designed to link this together would likely be a heterogeneous and segmented calibration of Windows & UNIX platforms, integrated SCADA control systems, security appliances all designed to "defence in depth" principles, vetted and audited frequently. I also suspect that the end user presentation side of the network is firewalled, hardened, baselined and configured in such a way that there is limited direct access to systems that control Uncles Sam's warheads.  On the user application side we should have, though these reports demonstrate otherwsie, configured web based content filtering services, proxies and content aware session control. 

This is not your 'run-of-the-mill' business network. This is an advanced platform hardened from unauthorised and malicious use both internally and externally that should not have allowed these breaches in the first place. Let’s face it, with the current cyber games between nations and sophisticated creations such as Stuxnet & Duqu floating around, this only empathises the hostile environment these platforms must operate in.

MDA spokesman Rick Lehner told Bloomberg News that "less than a half-dozen" of the agency's employees had been caught accessing restricted sites or downloading inappropriate materials, caught by what he called a "highly advanced monitoring system to detect intrusions, access to inappropriate websites, viruses and malware downloads."

There was "never any compromise" of the network, Lehner said,  "the system worked as designed."

While I commend the use of these  "highly advanced monitoring systems"  we need to step back and take a holistic view on the platform and the modern threats it will face - Monitoring systems are just that, they monitor and should not be deployed as a defensive, but as a deterrent. The MDA and its contractors are prime targets for state-sponsored industrial espionage, which often uses unconventional malware to infiltrate networks, steal information, destroy uranium enrichment centrifuges ect . Exactly how the whole USA vs Iran cyber spooks theories started.

The security focused amongst us will have at some point seen in action porn sites (and others) compromised to deliver malware payloads to take advantage of client vulnerabilities, of which may be an active zero day flaw.  The TrueType Font parsing vulnerability, the latest dangerous  Java CVE2012-1723 vulnerability, or just another clever stenographical exploit imbedded within a PDF or JPEG executed by  unpatched software, are all examples of zero day flaws which can bypass your security defences; easily I must add.

As a quick side note;

The list of zero-day flaws extensive Link and growing with a demanding black marketing paying serious money for new zero day exploits.

Allowing executable packages or software from the internet to be downloaded by users is also a dangerous game, along with security risks introduced with sharing and allowing removable media.

The key part here is that these platforms maybe secure from a technical or auditors view, but may well suffer insecurities from the people who use it and be compromised by the art of human hacking.

A great book on this topic I recommend is by Christopher Hadagy Link

 Hackers can play on the fact that these users are interested in surfing porn and create e-mail campaigns to promote compromised sites, send crafted attachment containing zero day payloads  (NAKEDHOTTY.PDF),  extort users to surrender passwords at the risk of being reported for their "habit", redirect web traffic to a customised phishing sites to capture credentials or just perform an indirect attack against the network by targeting the porn sites directly.

Out of 8,000 users, how many do you reckon use the same password, email or logon credentials at the MDA and their favourite fetish site? Earlier this year a group of hackers calling themselves Th3 Consortium and claiming to be affiliated with group Anonymous and LulzSec hacked into the porn site DigitalPlaground.com, stealing 72,000 passwords and 40,000 credit card numbers. The pastebin dump contained a large number of Mega accounts from US Government officials including the Department of Justice and the US Senate  used their official email addresses used to register. 

So, if your password is now known in the wild west of the net, hackers might try that same password against your email address, your PayPal account, your Amazon account, and worst case your "secure" MDA network. 

So how do we get around this "kinky" habit?  Quite simply you should employ and enforce basic computer security precautions, such as: 

• Using different and complex passwords for every site
• Introduce third form factor authentication  
• Change passwords after a site's been hacked
• Never use a corporate e-mail alias that mirrors your logon name
• Sandbox web access browsers or present filtered access via separate network segments
• Block by default - Whitelist on demand after vetting requested sites
• ADRM including file screening controls
• Disable auto run and control removable media
• Test human hacking techniques against users
• IDS/IPS systems that is baselined and customisable to model heuristics for zero day threats

Most importantly train your users what is best described as best security practice and enforce your policy when breaches occur. If your users understand the risks, then the most likely weakest link of your network will buy into your security ecosystem. You will then not need to explain to your superiors how a pair of breasts caused your nations missile defence system to be compromised.

Dan

Images copyright of their respective oweners, subtitles unfortunately mine

The Shake down test - Just like testing your fire alarm and evacuation procedure annually, you should always put your infrastructure through some rigorous evaluation criteria. Security on the whole is a continuous evolving process to which changes to business direction, rushed system integration and modern day threats can all go to create vulnerabilities which may go unnoticed; that is until a hacker finds it, exploits it and your data is slapped on paste bin for the entire world to see.

I am an advocate in emphasising that no collaboration of systems can be ever 100% secure at any point in the system life cycle, just like no availability provider can say “Yes Sir, we guarantee 100% uptime”. Information system security professionals must adapt to the increasing possibility that at some point their network may be breached from external or internal entities. How we handle this can diminish the impact this will have on our business operations and outside reputation. By developing and enforcing strict security policies and procedures, complying with legal and regulatory guidelines, and constantly reviewing operational systems and future designs we can minimise our exposure factor and reduce risk.  For example, the Payment Card Industry Data Security Standard (PCI DSS), and security and auditing standard, requires both annual and on-going testing (after system changes).

So, how do we audit our network? This is done by Penetration Testing.

Pen Tests (also sometimes called “ethical hacking”) consists or a formal set of steps and procedures simulating the methods and techniques an hacker or malicious employee would likely to use that are implemented to intentionally, at the invitation of the business requesting the penetration test, to bypass and evade physical, technical and policy security controls and obtain access to a particular system and the data it holds.  Simply put, the purpose is to evaluate how well the company can thwart the attack and how it might be compromised by the potential intruder.

Pen Tests can be used to evaluate the effectiveness of the businesses security incident response and any countermeasures that may be in place. Countermeasures may be technical, administrative or even physical. Remember Pen tests can go two ways; they can add to the credibility of the current security in place and demonstrate due diligence or the tests can alert management that they have significant security weakness that must be addressed.

The most common vulnerabilities tend to be design flaws, configuration errors, and software bugs. These can be introduced during development, implementation and maintenance, generally by accident, and once identified by the penetration tester, can usually be quickly resolved by the IT team.

Pen Tests can be both internal and external in nature. For example, external testing refers to attacks to devices or services on the perimeter of the network. This can be extranet services, email servers, firewalls, remote service gateways, web servers ect. Internal testing is performed from inside the local network and determines what an attacker or authorised employee with malicious intent could gain access to or penetrate.

Testers like me can class our attack methods in three ways; Black box, grey box and white box. With black box testing the pen tester has no knowledge about the targets network and must operate the same way an external hacker would by using social engineering, dumpster diving and other publically available information to help scope the network before the simulated attack. This can be classed as a double blind test as no one on the targets IT team will know about the planned test. This will test the company’s security monitoring, incident response and escalation procedures.

Grey box refers to “need to know” principles. Certain members of the targets management or internal security team may be informed, or the tester may be given certain details of the network.

Finally, White Box is a type of test that typically takes less time and effort to complete, but may not provide as complete picture of the overall security vulnerabilities and response capabilities of the IT team. The tester will have full knowledge of the target environment (such as passwords, network topology diagrams, technology overview ect) and is expected to simulate an inside attack or targeted attack on a particular system.

Basic white box penetration testing is often done as a fully automated inexpensive process. However, black box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's networks response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists that systems may be damaged in the course of penetration testing and may be rendered inoperable, even though the organization benefits in knowing that the system could have been rendered inoperable by an intruder. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated

Typically the pen test consists five steps;

Discovery

Vulnerability mapping

Enumeration

Exploitation

Document and Report

For more information please feel free to contact me. ( I will continue to up date this post in the next few weeks)

Tiger http://www.tigerscheme.org

Tiger Scheme is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise. The Tiger Scheme was founded in 2007, on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring in a recognised and reputable company.

OWASP https://www.owasp.org

The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.

PCI https://www.pcisecuritystandards.org

The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

ISACA https://www.isaca.org

ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals.  IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.

CHECK http://www.cesg.gov.uk

The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.

OSSTMM http://www.osstmm.org

The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.

CREST http://www.crest-approved.org

The Council for Registered Ethical Security Testers (CREST) exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. It provides globally recognised, up to date certifications for organisations and individuals providing penetration testing services.

Internet monitoring software is a key component of your defense-in-depth strategy, and can help to protect your corporate information assets, your company’s reputation, and your bottom line. Internet monitoring software is not just about enforcing the Acceptable Usage Policy; it’s about protecting your users from problems involving Human Resources, your workstations from downtime, and your company from lawsuits. Let’s look at three ways in which this solution helps protect businesses.

1. Protect users from malicious content

Perfectly legitimate websites are compromised every day and, as each new vulnerability in operating systems, web applications, and locally installed software are discovered, there’s another way a user’s machine can be taken down or become compromised by malicious content all while they were accessing a valid business website. Internet monitoring software can block access to sites known to be compromised, scan all downloads and scripts in web pages for malicious content, and protect users from accessing a compromised website.

2. Protect the company from users accessing inappropriate content

Internet monitoring software can also ensure that users do not access inappropriate content. Whether accidentally or intentionally, employees tend to access websites containing material that is inappropriate for work. While many users might simply say “oops” and hit the back button, others might be offended by something they see, and if it is offensive enough, they might seek redress from the company. Internet monitoring software can stop access to adult or other offensive content before anyone sees something they shouldn’t and before any policy is violated. Some can even enforce the “safe search” options of popular search engines, further protecting users from the results of those nebulous search terms that have double meanings.

3. Protect the company from users accessing illegal and unauthorized content

Some users have problems separating what they do at home from what they do at work, and they might not have the same respect for copyrights and licensing as they should. Whether they want the latest blockbuster action flick, or just a key-gen for that great software package that wasn’t in the budget this month, when they access such material from work it’s the company that can be found liable. Internet monitoring software can block access to the sites on the darker parts of the Internet, protecting the company from legal liability associated with users downloading copyrighted material.

With Internet monitoring software protecting your business, you can focus on more important things - like security patching, capacity planning, and systems upgrades - and let your users surf the web confident that they are protected from the worst the Internet has to offer. Internet monitoring software enables you to allow your users access to the Internet in a safe and productive way.

 I have worked with GFI and their fantastic GFI web monitor software since 2004 and thoroughly recommend it for the SMB market. If your company runs ISA server or requires a standalone product, please feel free to head over to www.gfi.com and download a fully functional 30 day trail. Even if you don't decide to purchase the product; you will open eyes to what you users are doing on your network and how much time is actually spent on internet usage.

Remember, as previously discussed on Defending the Network, it only takes one carefully constructed webpage with a known or zero day vulnerability, virus or script to completely take down a company or worse, your customer or trade secrets released to the world. Why risk a painful data breach and big fines from the ICO when software like this can be added to your security arsenal very quickly?

Also bandwidth is expensive – so during the trail you can work out the percentage of unsolicited internet usage and correlate this to your internet break out costs. How much are you spending on wasted bandwidth?

Coming soon, I will post a full review of GFI webmon 2011, along with an Internet AUP template which you can customise for your company. 

Enjoy,

Dan

Operating in the financial\banking industry generally requires that you try your best not to offend anyone. Sometimes hard, but in this day and age with social media allowing for rapid spread of an employee’s mishap via twitter and Facebook, new legislation and data protection laws, coupled with the fact that generally people do make honest mistakes, engineers are required to find ways of protecting the company’s reputation and stop accidental data leaks.

Let's face it, we have all accidentally fallen for outlook's auto complete feature and that document that should be encrypted is now on its merry way outside the company! Queue auditor’s worst nightmare! Once it is out in the public domain, it is out there for good.

I have designed, installed and configured many data level protection (DLP) systems for various infrastructures ranging from email content filtering systems that sit either between front or backend exchange clusters, first response data control gateways or data analysis systems sitting between the VDI client and hypervisor. The idea is that all content passing through these systems is screened and audited by predefined algorithms to ensure HR, information security and company compliance. 

This why as a security engineer you need to not only understand the technical requirements in detail, but translate audit, compliance and HR polices into clear defined business objectives. Today, I can spend almost 40% of my time working on system polices outside of my engineering background. But, and this is a big but, audit requirements especially say, "PCI-DSS" and some fine points on ISO 27001 does not mean by a long shot that you are secure – just compliant against the guys with the overly LARGE clipboard.

One mail appliance I have worked with is the Sophos ES5000. This great piece of kit, in either physical or virtual form can screen 380,000 an hour. Some of the key features of this product are;

• Protect sensitive data with integrated SPX Encryption technology
• Prevent accidental loss of sensitive information with unique and simple Data Loss Prevention (DLP)
• Eliminate over 99% of spam with Sender Genotype Technology and Live Anti-Spam real-time updates
• Proactively protect against evolving threats including viruses, phishing, and malware with Sophos Behavioural Genotype technology

The SPX encryption engine is the real key selling point of this product though. For example, if your company is audited by regulatory bodies, handles very sensitive customer, financial or top secret data and you want to comply with FSA, CESG, or British Security Standards for information security then this box of tricks should be at the top of your pile. Simply, the SPX engine scans any mail leaving the company’s network, audits, logs and then checks the entire contents and attachments against defined DLP rules. 

For example, certain email or attached documents might have SECRET, NOT FOR RELEASE watermarks or meta tags embedded, contain a number of customer account details, or just be sent from a user group that should not be sending email outside the company\network. The SPX engine flags this email, and can do a few things with it.

Firstly, it can be configured to drop the item or return to sender, or maybe copy to your compliance department for review; secondly, it can encrypt the entire email and attachments and store it securely on the appliance.

The appliance will then send an email to the recipient stating that they have received an encrypted document from 'yourcompany.com' and that to access this they must click the hyperlink, which will direct the user via SSL\HTTPS to a front end portal of the Sophos appliance. The recipient can then log on by either supplied credentials or create their own and access the secure email with any documents. Sophos SPX Encryption does not require installation of client software. SPX uses the ubiquitous and cross-platform PDF reader software installed by default on all systems (cough).

Basically the sensitive data never leaves your network, nor does it cross the public internet. Big win for your compliance and security objectives! Enough of the Sophos sales chat, but if this is of interest to you please drop me an e-mail - As a Sophos trusted sales and technical engineer I can have the techy or human discussion about how this appliance can work in your environment.

Anyway, stripping back down to the basics. What if you needed to create simpler rules, such as blocking offensive terms to and from your company? 

Compiling a list can be a hard but amusing task. I have spent a number of days with a few friends, and after a couple of beers later, we came with as many offensive terms as possible. All you need to do is import the below text file into your appliance, DLP engine and bingo. 

Download Offensive Words from Defending the Network

Enjoy,

Dan