Saturday, March 12, 2011

OWASP Appsec Tutorial project



OWASP started a new educational project called Appsec Tutorial Series.

The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology.

So far, two videos have been posted; you can check them out here.


Sunday, March 6, 2011

Do business leaders care about information risk?


One of the complaints that we hear from information risk practitioners is that management does not show enough support and concern for the program.

There is no doubt that good management commitment makes the program successful, and management's efforts lead to making information security and risk management a culture within the organization. But at the same time, as information risk professionals, it is absolutely essential that one understands the business. In order to build a program that suits the business requirements, one should understand the business processes, business objectives, key stakeholders, key customers, other business interests, legal and regulatory requirements, etc.

So, is there any evidence of enough management concern towards information risk?

In a recent interview, Ram Charan, the acclaimed advisor to many CEOs the world over, was asked,

What are the challenges and problems CEOs are coming to you with post the financial crisis?

This varies from business to business, economy to economy. I will give you what is generally on the minds of the leaders. One is enterprise risk, that’s because uncertainty has increased. There is more regulation and more volatility in the financial system. So they all have to think about risk and how to mitigate it. Two, corporate governance and succession have become important items.



This is definitely good news, as information risk plays an important role in both corporate governance and enterprise risk.



Saturday, February 12, 2011

DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry


Posting the DSCI (Data Security Council of India) announcement on this.

DSCI, on February 4, 2011, released the results of the “DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry”. The Survey Report, released by Shri. G. Gopalakrishna, Executive Director, Reserve Bank of India, at an event held in Mumbai, aims to establish a ground for dealing with the security and privacy concerns and offers insight to the banking industry on better equipping itself for data protection.

The need for such a survey and the understanding of security issues at the banks was highlighted by the enthusiastic response which the survey received from the public, private and international banks.

Some of the key findings of the Survey Report include:

· Customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by the banks

· External threats and the increasing usage of online & mobile channels along with regulatory requirements are driving banks in India to invest in information security

· Managing security is more challenging in online banking and phone (IVR) banking as compared to other service delivery channels

· Banks derive inputs from international standards such as ISO 27001 to establish their security function

· Absence of collaboration and synergy between Security and Fraud Management functions leaves a significant gap in banks’ effort to curb financial frauds


The full Survey Report is available at the following link:

http://www.dsci.in/node/601

Friday, February 11, 2011

New NIST documents on Cloud Computing


NIST issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. The agency has also set up a new NIST Cloud Computing Collaboration site on the Web to enable two-way communication between the cloud community and NIST cloud research working groups.

Here are the two documents:

  1. NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145). SP 800-145 may be downloaded for review from here.
  2. Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) provides an overview of the security and privacy challenges for public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. These recommendations are divided into the following areas:
  • Governance
  • Compliance
  • Trust
  • Architecture
  • Identity & Access Management
  • Software Isolation
  • Data Protection
  • Availability
  • Incident Response

Public comments are requested on this publication as well. SP 800-144 may be downloaded for review from here.

To learn more on Cloud Computing, risks and vendor selection, head over to my three part essay, here, here and here.


SANS India 2011 in Bangalore



SANS is coming back to India from 14-19 February with three courses. Here is the course line-up:

1. SEC 401: Security Essentials Bootcamp Style (GSEC) taught by SANS Certified Instructor Jim Herbeck

2. SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by SANS Certified Instructor Bryce Galbraith

3. FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) taught by SANS Certified Instructor Hal Pomeranz

I will be attending the FOR 610 (GREM) course.

Details are here.

Saturday, February 5, 2011

Mandiant's M-Trends report is out.


Mandiant released its annual M-Trends report detailing APT-related incidents that it handled in 2010. The report provides first-hand accounts of real intrusions that illustrate trends in attack methodologies, the technology used to accomplish the attacks, and the types of data that have been stolen.

If you are not familiar with what APT is, refer to my earlier blog post on APT.

The report is available here.


Friday, January 28, 2011

Data Privacy Day

Many countries celebrate today as Data Privacy Day. In India, DSCI organized a chapter meeting to start a dialogue among the group members on the various privacy issues affecting our nation and the best ways to address them.

Here is what Dr. Kamlesh Bajaj, the CEO of DSCI had to say on this occasion,

"With the increased digitization of personal information, Privacy has emerged as an important agenda for individuals, businesses and governments worldwide. Though a fairly matured and much debated concept in the western world, Privacy is beginning to gain relevance in India, esp. with the roll out of UID project.   To build on this beginning and reflect a comprehensive & thorough understanding of Privacy at national level discussions and policy making, it is critical to educate the organizations, government departments and more importantly the ‘vulnerable’ individuals who provide their personal information for availing business and government services."

Friday, January 21, 2011

2010 Top Ten Web Hacking Techniques


Jeremiah Grossman has published the 2010 Top Ten Web Hacking Techniques. It is an annual report that showcases the best hacking techniques published during the year.

It is an opportunity for information security professionals to understand the new techniques and how to defend against them.

My personal favorite is the evercookie, which creates persistent cookies in a browser.

Sunday, January 9, 2011

New set of Information Security Principles



The Information Security Forum (ISF), (ISC)² and ISACA recently released a set of 12 principles to help individuals support business objectives, defend their organizations, and promote responsible security behavior.


These 12 principles are outlined under three main categories – support the business, defend the business, and promote responsible security behavior. 


The principles are below:

(image: the 12 principles)

Sunday, December 19, 2010

New tools

If you are a corporate information security practitioner and you want to try out some new tools in the free time you may get over the holidays, check out these tools.


Flint
Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems.
This tool parses various log files and artifacts found on suspect systems and produces a body file that forensic investigators can turn into a timeline with tools such as mactime from The Sleuth Kit (TSK).

It currently supports various logs, including Windows OS, IIS and AV logs, and Firefox.
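The body-file step is simple to reproduce. The following is an added example written for this post, not the tool's own code: it converts IIS W3C extended log lines (a constructed sample) into the Sleuth Kit 3.x body-file format that mactime reads, `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, putting the event time in all four timestamp slots and 0 in the fields that have no meaning for a log entry. Column names are taken from the log's own `#Fields:` header, so a different IIS field selection still parses.

```python
from datetime import datetime, timezone

# Constructed IIS 7.x W3C log excerpt (not real traffic). IIS writes times in UTC by default.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-02-03 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-02-03 14:22:01 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2011-02-03 14:22:09 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 302
2011-02-03 14:25:40 10.0.0.5 GET /admin/export.aspx ids=1,2,3 443 jsmith 203.0.113.7 Mozilla/5.0+(Windows) 200
"""


def iis_to_body(lines):
    """Yield one TSK body-file line per IIS log entry; the #Fields: header sets the column map."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before a #Fields: header")
        row = dict(zip(fields, line.split(" ")))
        # IIS log timestamps are UTC; mactime wants Unix epoch seconds.
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        epoch = int(when.replace(tzinfo=timezone.utc).timestamp())
        uri = row["cs-uri-stem"]
        if row["cs-uri-query"] != "-":
            uri += "?" + row["cs-uri-query"]
        desc = f"[IIS] {row['c-ip']} {row['cs-method']} {uri} -> {row['sc-status']}"
        desc = desc.replace("|", "_")   # '|' is the body-file field separator
        yield "0|%s|0|0|0|0|0|%d|%d|%d|%d" % (desc, epoch, epoch, epoch, epoch)


def build_body(log_text=SAMPLE_IIS_LOG):
    """Convert a whole log (one string) into a list of body-file lines."""
    return list(iis_to_body(log_text.splitlines()))


if __name__ == "__main__":
    # Write the body file, then: mactime -b body.txt -d
    with open("body.txt", "w") as fh:
        fh.write("\n".join(build_body()) + "\n")
```

Lines from several sources (event logs, AV logs, browser history) can be concatenated into one body file, which is the point of the format: mactime sorts the merged entries into a single timeline.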

This is a Nessus reporting tool; its purpose is to allow you to quickly and easily browse and view your scan jobs without the need to run up a Nessus session. Some features include:

• Simply export scan jobs into XML format and copy to the XML folder
• View by Risk
• View by Severity
• Executive summary as well as detailed reports
• Ports and services report
• Vulnerability category report
• Export scan jobs to Excel (very useful with autofilter enabled)


NetSparker
Need another tool in your web application testing arsenal? Netsparker has announced a free edition of its well-known commercial product; check it out. It has its limitations, but it is worth a look.


OpenDLP
You could call this a poor man's DLP. It has some basic DLP-like search features, which are useful for organizations that are starting out and want to know what sensitive information is out there. It is a free and open-source, agent-based, centrally-managed, massively distributable tool that can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems.
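A minimal version of the data-at-rest search that such a tool performs, written for this post as an added example and not taken from OpenDLP: it walks a directory tree, looks for card-number-shaped digit runs and keeps only those that pass the Luhn check, which removes most order numbers and timestamps a bare regex would report. Matches are masked before being reported, since a DLP report that copies full card numbers into a new file has just created another finding. The sample texts are constructed; the regex, `luhn_ok` and the masking format are this example's own choices.

```python
import os
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the BIN and last four, mask the rest, so findings can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(name: str, text: str):
    """Return (name, line_no, masked_number) for every Luhn-valid card-shaped number."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((name, line_no, mask(digits)))
    return hits


def scan_tree(root: str, max_bytes: int = 10_000_000):
    """Scan every regular file under `root`, read as text with undecodable bytes ignored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits.extend(scan_text(path, fh.read()))
    return hits


# Constructed sample documents. 4111 1111 1111 1111 is a well-known test number, not a live card.
SAMPLES = {
    "notes.txt": "Customer asked to retry card 4111 1111 1111 1111 exp 03/13\n",
    "orders.csv": "order_id,status\n4111111111111112,shipped\n",   # fails Luhn: an order number, not a card
    "ids.txt": "tracking 12345678901234567890\n",                   # 20 digits: too long to be a PAN
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for hit in scan_text(name, text):
            print(hit)
```

Reading files as text with `errors="ignore"` finds numbers in plain text, CSV and log files but not inside compressed or compound formats (zip, Office documents, PDFs), which a real DLP agent has to unpack first.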


OWASP Code Crawler
Looking for a simple code auditing tool to show developers how vulnerable their code is? Here is a nice tool developed by the OWASP project. It is a static code review tool which searches for key topics within .NET and J2EE/Java code.
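To show what a key-topic search over source looks like, here is an added example written for this post, not Code Crawler's own code. It finds calls to a few well-known Java sinks (JDBC statement execution, `prepareStatement`, `Runtime.exec`; the sink list is an assumption) and reports those whose argument is anything other than a single string literal, which is the case that needs a human reviewer. The Java fragment is constructed. Like any grep-style tool it does not follow data flow: the variable `q` built by concatenation on the first line is reported only because it is passed to a sink, not because of how it was built.

```python
import re

# Methods whose argument reaches SQL or the OS (an assumed list for this example).
SINKS = ("executeQuery", "executeUpdate", "execute", "prepareStatement", "exec")
CALL_RE = re.compile(r"\.\s*(" + "|".join(SINKS) + r")\s*\(")
# A single Java string literal and nothing else.
LITERAL_RE = re.compile(r'^\s*"(?:[^"\\]|\\.)*"\s*$')


def call_argument(src: str, open_paren: int):
    """Return the text between src[open_paren] == '(' and its matching ')',
    ignoring parentheses that appear inside string literals."""
    depth, in_str, i = 0, False, open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return None                 # unbalanced: give up on this call


def scan_java(src: str):
    """Report sink calls whose argument is not a single string literal."""
    findings = []
    for m in CALL_RE.finditer(src):
        arg = call_argument(src, m.end() - 1)
        if arg is None or LITERAL_RE.match(arg):
            continue
        line_no = src.count("\n", 0, m.start()) + 1
        findings.append({"line": line_no, "method": m.group(1), "arg": arg.strip()})
    return findings


# Constructed Java fragment for the example.
SAMPLE_JAVA = """\
String q = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(q);
ResultSet ok = stmt.executeQuery("SELECT 1 FROM dual");
Process p = Runtime.getRuntime().exec("ls -l " + dir);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, name);
"""

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['method']}({f['arg']}) takes a non-constant argument")
```

The parameterised `prepareStatement` call with a `?` placeholder passes because its argument is a constant; the same call with a concatenated string would be reported, which is exactly the distinction a reviewer wants surfaced.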


WebHistorian
MANDIANT Web Historian helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including Internet Explorer, Firefox and Chrome.

• Collects web history, cookie history, file download history, and form history
• Export data sets to XML, HTML or CSV
• View page thumbnails and indexed content
• Visualization using bar graphs, pie charts and timelines
• Shows a quick “report card” of artifacts for various websites