Sunday, April 28, 2013

So, now for something completely different...

One of the main duties I carry out at my place of employment is being the "DNS guy".  So, that said, I had to relay the information about "DNS Amplification Attacks" that I came across this week.

This attack relies on the use of public recursive DNS servers (open resolvers).  These are servers that anyone may point to in order to perform recursive DNS lookups.  Many ISPs maintain open servers of this type.

This attack results in a distributed denial of service (DDoS) attack against a target system.  The attacker sends DNS requests to the DNS server with the source IP address forged to be that of the target system.  The target is then buried by a flood of DNS replies from the DNS server used as the attack vector.  DNS replies are usually larger than the requests, so the target is indeed buried in traffic.  DNS traffic is almost always permitted through firewalls, so this type of attack is hard to detect.

Unfortunately, there is little the target can do to defend itself.  There are, however, a few things DNS administrators can do to prevent their servers from becoming attack vectors:

1.  Limit recursive queries to those systems the server should handle lookups for.  So, if you are Cox Communications, you should limit recursive queries to Cox Communications IP addresses.

2.  Disable recursion on authoritative DNS servers.  Authoritative servers should only answer queries for the zones they host, not perform lookups on behalf of clients.

3.  This was news to me, but apparently there is an experimental response rate-limiting (RRL) capability in BIND 9.  It was created to lessen the possibility of these attacks.  Unfortunately, Windows DNS does not have this feature.  (I wonder how many Windows DNS servers are public servers?  I wouldn't do it.)
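As an added example that is not from the post or the US-CERT alert, here is a BIND 9 named.conf fragment that puts the three items above into practice.  The ACL name, addresses and zone are placeholders, and the rate-limit block assumes a BIND build with RRL support (9.9.4 or later, or an RRL-patched 9.9.x).

```conf
// Added example, not from the post or the US-CERT alert.  Addresses and zone
// are documentation placeholders (RFC 5737 / RFC 3849 / example.com).

// Clients allowed to use this server for recursion: our own address space only.
acl "our-clients" {
    localhost;
    localnets;
    192.0.2.0/24;        // placeholder IPv4 customer range
    2001:db8::/32;       // placeholder IPv6 customer range
};

options {
    directory "/var/named";

    // Item 1: recursion only for our own clients, never for the whole Internet.
    // The weak setting this replaces is `allow-recursion { any; };`, which
    // turns the server into an open resolver anyone can reflect through.
    recursion yes;
    allow-recursion { our-clients; };
    allow-query-cache { our-clients; };

    // Item 2: on a server that only hosts zones, replace the three lines
    // above with `recursion no;` so it answers for its zones and nothing else.

    // Anyone may still query the zones we are authoritative for.
    allow-query { any; };

    // Item 3: Response Rate Limiting.  Identical answers to one client or
    // netblock are capped per second; "slip 2" turns every second dropped
    // response into a small truncated (TC) reply, so a real client retries
    // over TCP while a spoofed UDP flood gets no amplification.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;     // set to yes first to see what would be limited
    };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Run `named-checkconf` after editing and watch the log for "rate limit" messages while `log-only` is still yes before enforcing.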

Here is a link to the US-CERT alert:

http://www.us-cert.gov/ncas/alerts/TA13-088A

That's it for this week--cheers!

Sunday, April 21, 2013

Sources of Vulnerabilities

For this week, I have studied my earlier references and chosen Symantec and US-CERT as the best.  I have to admit, I haven't scoured the Web for other sources, but these seem to be the best I have come across so far.  As I progress further in this effort, I may find others.  I will keep you posted if I find others...

Sunday, April 14, 2013

Harry & Mae's

This week, I'll discuss some aspects of the Harry & Mae's case study that I noted.

First off, I was concerned with Tom Pierce's attitude about security in his organization.  After a data breach affecting 25,000 customers' credit data, I'd like to think he'd be very concerned about tightening IT security.

Case in point, the password policy--or should I say lack thereof.  The very lax policy was pushed from the top down by Mr. Pierce.  We will definitely have to tread carefully here and let Mr. Pierce know that there must be a strong password policy put in place and endorsed by senior leadership in the organization.  It would be very easy for an insider with bad intentions to find a password near a user's PC, log in, and start doing their dirty work.

I am also concerned about the employment of the security appliances used by Harry & Mae's.  Mr. Pierce seems to think they are not working.  I think he does not really know that they are actually not being used properly.  Examples of this are the SonicWall firewalls allowing all traffic through and the Barracuda Spam & Firewall appliances running without activated subscriptions.  This area will also call for a frank discussion with Mr. Pierce.

Also of concern is the same Web server hosting both internal and external data.  This is definitely not a good decision.  The internal and external data should be managed by separate servers.

Lastly, something must be done to protect the point-of-sale systems.  They must be locked down to prevent casual web surfing by employees.

My biggest assumption with this case is that Mr. Pierce has Harry & Mae's best interests at heart and will see the reason in tightening IT security in his organization.  Another data breach could spell the end of Harry & Mae's!

Sunday, April 7, 2013

Security Controls

First off, I have to give credit for this find to a classmate in another class I'm taking.  It is a document that I felt just had to be shared further.

This is a document posted by SANS: Critical Controls for Effective Cyber Defense, Version 4.1

The 20 Critical Security Controls are put together by a team of IT professionals led by John Gilligan.  In their words: "Members of the Consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities."

It is a major effort by both government and private organizations to publish and share information concerning some of the controls put in place to block the biggest threats to IT systems.

The document describes each control, how exploits occur without the control in place, how to implement each control (including possible automation) and finally how to test the effectiveness of each control.  It also lists what they call "quick wins" of implementing the controls.  The descriptions of each of these controls are very detailed, and the testing steps are very detailed as well.

Some of the controls discussed are:

Authorized/unauthorized devices and software
Secure configurations for hardware/software on mobile devices
Secure Configurations for network firewalls, routers, and switches
Boundary defense
Data loss prevention
Controlling access by need to know
Secure network engineering
Penetration testing

This document should be mandatory reading for IT security professionals everywhere.  I guarantee, you won't be disappointed if you check it out!

Until next week--cheers!

Sources:

https://www.sans.org/critical-security-controls/

https://www.sans.org/critical-security-controls/cag4-1.pdf