Archive for June, 2008

Security sites and XSS

You should always practice what you preach, and the giants are not doing that at all… Check out xssed! Verisign, McAfee and Symantec have been found to be vulnerable to XSS, and according to holisticinfosec.org the ‘hacker safe’ certification does not cover all XSS.

Administrators… Trust them?

System administrators have a lot of power when it comes to access control of systems and, perhaps more importantly, data. A lot of responsibility rests with these key players.

Nothing highlights what can go wrong when you upset an administrator better than this: an ex-IT manager for the Council of Community Clinics resigned after an unfavourable evaluation. Over the Christmas period of 2007, he logged onto the servers and disabled the backup program. He logged in once again a week later and systematically deleted the files containing patient appointments.

Now one could argue that there was no exit strategy for the administrator: disabling the former employee’s account and having a set of policies in place may have stopped this from happening. You could also log the administrator’s activities automagically, etc.

But in a way, you have to trust your administrator. Administrators should understand the responsibility they have. Play nice, guys!

Leaking…

Really, it doesn’t matter whether you leave, lose or have something of value stolen. It’s not good, but there have been a number of stories doing the rounds, including the top secret files left on a train and this local government official. Now I don’t know about the actual files, but if it’s top secret, you should know that lives literally depend on it! I’d make sure they are left in secure areas.

For laptops and other devices, you can at least set power-on passwords and use encrypted drives. But a determined person will find a way of getting into the hard drive.

Dos and Don’ts of Firewalling

Firewalls are usually your first line of defence and, in an n-tier environment, often your second and third line too. As someone told me, you are only as secure as your weakest link. And as Anne Robinson would tell you, humans are the weakest link. Firewalls need policies in place, created by (you’ve guessed it) humans.
But all is not lost! There are good guides on creating decent policies from seclists.org, Principle Logic and the whitepaper from windowsecurity.com.

Let’s take it from a security assessment point of view. You have been given a firewall configuration. You can use the above guides to make some suggestions about policies. Now I don’t profess to be a know-it-all at firewalls, but you should look for, and be suspicious of, any traffic that is permitted between two interfaces. Permit rules and ‘any’ rules are always suspicious! Is the traffic encrypted? Is it using a standard port? Are the interfaces in question externally facing? Any non-standard or unfamiliar ports should be looked into to establish exactly what they are used for, if this is possible. It may be that these ports are related to the vendor software, in which case you should look up any weaknesses relating to the service the vendor offers on that port. For example, if there is a rule for SIP (port 5060) then they may be vulnerable to this Cisco advisory.
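To show what that review looks like when written down rather than done by eye, here is an added example (not code from the original post) that walks a small constructed rule table and raises the questions above as findings: permits involving ‘any’, unfamiliar ports, clear-text services on externally facing interfaces, SIP on 5060, and a trailing permit-all (the “Default Permit” from the list further down the page). The rule format, interface names, port lists and sample rules are all assumptions made for the example, not any vendor’s syntax.

```python
"""Review a firewall rule table the way the post suggests.

Added example. The rule format (<action> <src_if> <dst_if> <proto> <dst_port>),
the interface names and the port lists are assumptions, not a real product's.
"""
from dataclasses import dataclass

# Ports whose service is common and usually understood (assumption: tune per site).
KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 123: "ntp",
               443: "https", 5060: "sip"}
# Services that carry credentials or data in clear text.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 5060: "sip"}
# Interfaces treated as externally facing (assumption: names used in SAMPLE_RULES).
EXTERNAL_IFACES = {"outside", "dmz"}

# Constructed sample rule table; the last line is the default policy.
SAMPLE_RULES = """
permit outside dmz tcp 443      # public web front end
permit outside dmz tcp 80       # clear-text http from the internet
permit dmz inside tcp 1433      # database access from the DMZ
permit outside inside udp 5060  # SIP from the internet
permit inside outside tcp 4711  # unfamiliar port: ask what it is for
deny any any any any            # default deny
"""


@dataclass
class Rule:
    line: int
    action: str    # "permit" or "deny"
    src_if: str
    dst_if: str
    proto: str     # "tcp", "udp" or "any"
    dst_port: str  # port number as text, or "any"


def parse_rules(text):
    """Parse the assumed five-field format; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src_if, dst_if, proto, port = line.split()
        rules.append(Rule(n, action.lower(), src_if, dst_if, proto.lower(), port))
    return rules


def review(rules):
    """Return (rule line, finding) tuples for every permit rule worth a question."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        external = r.src_if in EXTERNAL_IFACES or r.dst_if in EXTERNAL_IFACES
        if "any" in (r.src_if, r.dst_if, r.proto, r.dst_port):
            findings.append((r.line, "permit with 'any' interface, protocol or port"))
        if r.dst_port != "any":
            port = int(r.dst_port)
            if port not in KNOWN_PORTS:
                findings.append((r.line, f"non-standard port {port}: establish what it is used for"))
            if port in CLEARTEXT_PORTS and external:
                findings.append((r.line, f"clear-text {CLEARTEXT_PORTS[port]} on an external interface"))
            if port == 5060:
                findings.append((r.line, "SIP permitted: check vendor advisories for the SIP service"))
    # The final rule is the default policy; a trailing permit-all is "Default Permit".
    last = rules[-1]
    if last.action == "permit" and last.proto == "any" and last.dst_port == "any":
        findings.append((last.line, "default permit: final rule allows everything not matched above"))
    return findings


if __name__ == "__main__":
    for line, finding in review(parse_rules(SAMPLE_RULES)):
        print(f"rule {line}: {finding}")
```

Each finding is a question to put to the firewall owner, not a verdict: port 1433 may well be the vendor’s database and perfectly intended, but it should be written down and looked up, which is the point of the exercise.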

Dumbest ideas in Computer Security

Here are six of the best from Marcus Ranum:

1. Default Permit
2. Enumerating Badness (should only track the good things)
3. Penetrate and Patch
4. Hacking is Cool
5. Educating Users
6. Action is Better Than Inaction

