<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-18578837</id><updated>2009-04-17T22:33:20.603+01:00</updated><title type='text'>Cyber Security Ltd - Secure IT or lose it</title><subtitle type='html'>Musings of a Security Architect</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://psvincent.co.uk/atom.xml'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/index.htm'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default?start-index=26&amp;max-results=25'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>32</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-18578837.post-2409653126187361704</id><published>2009-04-17T22:28:00.002+01:00</published><updated>2009-04-17T22:32:08.736+01:00</updated><title type='text'>Virtualisation Executive Summit</title><content type='html'>Last month I was asked to present at the Virtualisation Executive Summit in Birmingham.&lt;br /&gt;I'd like to thank Tech:Touchstone events for this opportunity.&lt;br /&gt;&lt;br /&gt;The presentation on Virtualisation Security is available from their website &lt;a href="http://www.virtualisationsummit.com/page.cfm/link=67"&gt;http://www.virtualisationsummit.com/page.cfm/link=67&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img 
width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-2409653126187361704?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='related' href='http://www.virtualisationsummit.com/page.cfm/link=67' title='Virtualisation Executive Summit'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/2409653126187361704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=2409653126187361704&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2409653126187361704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2409653126187361704'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2009/04/virtualisation-executive-summit.html' title='Virtualisation Executive Summit'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-279270683864235643</id><published>2007-08-30T23:47:00.000+01:00</published><updated>2007-08-30T23:53:33.132+01:00</updated><title type='text'>Industry Insiders from Microsoft</title><content type='html'>Recently I was asked if I wanted to join the Microsoft Industry Insiders community. &lt;a href="http://blogs.technet.com/industry_insiders/pages/information-security-the-business-enabler.aspx"&gt;Here&lt;/a&gt; is the security article I wrote.&lt;br /&gt;&lt;br /&gt;There are some very interesting articles here; check them out and feel free to comment.&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-279270683864235643?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/279270683864235643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=279270683864235643&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/279270683864235643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/279270683864235643'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/08/industry-insiders-from-microsoft.html' title='Industry Insiders from Microsoft'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-4702509478318570148</id><published>2007-04-04T12:34:00.000+01:00</published><updated>2007-04-04T12:55:35.913+01:00</updated><title type='text'>User Account Protection.. 
Introduction</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/windows-shield-701677.gif"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/windows-shield-701645.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;User Account Control, aka UAP/LUA: how does it work?&lt;br /&gt;&lt;br /&gt;2 years ago I was partaking in an annual geekfest referred to as Microsoft IT Forum, which was hosted in Barcelona.&lt;br /&gt;As Vista's proposed features were being demo'd, a shocked gasp resounded through the auditorium. Yes, Flip 3D was here (hey, I did say it was a geekfest!)&lt;br /&gt;&lt;br /&gt;I thought it was interesting that there was an hour seminar on how to run all your enterprise users as non-admins (standard users, to borrow Vista parlance) on Windows XP without breaking all the apps.&lt;br /&gt;&lt;br /&gt;Shortly afterward a seminar showing how Vista accomplishes the same thing automatically was presented.&lt;br /&gt;&lt;br /&gt;Love it or hate it. 
User Account Control is the offspring of the Limited User Account/User Account Protection concept.&lt;br /&gt;&lt;br /&gt;We have all seen this coming, and much like the days when we all knew we should wear seatbelts, now that it is being enforced, some are naturally finding it a little inconvenient at first.&lt;br /&gt;&lt;br /&gt;In the next few articles I will explore a little about UAC and how it works.&lt;br /&gt;&lt;br /&gt;What is token filtering and how does it work?&lt;br /&gt;How is Vista similar to a military operating system?&lt;br /&gt;What does this mean for you?&lt;br /&gt;Why you shouldn't disable UAC or enable the built-in Admin account (it's disabled by default, as you probably noticed!)&lt;br /&gt;&lt;br /&gt;...are just some of the topics I will be covering.&lt;br /&gt;&lt;br /&gt;One last thing...If there was a crime of mobile phone abuse, Steve Lamb would be guilty for the repeated merciless remote wipes of his device @ the TechEd roadshow. Well done for getting through the demo in a professional manner despite the PA conspiring against you!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-4702509478318570148?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/4702509478318570148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=4702509478318570148&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/4702509478318570148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/4702509478318570148'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/04/user-account-protection-introduction.html' title='User Account 
Protection.. Introduction'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-2549011096763719958</id><published>2007-02-15T16:15:00.000Z</published><updated>2007-02-15T16:16:51.233Z</updated><title type='text'>Is your laptop worth 1 million pounds?</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/Sony-Vaio-TR1A-notebook-review-795389.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/Sony-Vaio-TR1A-notebook-review-791745.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;Is your laptop worth £1 million?&lt;br /&gt;&lt;br /&gt;Laptops are getting a lot cheaper to buy. Of course if you buy a nice Sony Vaio, you could pay up to £2,000. At the other end of the scale I have seen budget laptops from £299.00.&lt;br /&gt;&lt;br /&gt;Portable computer security has long been a big concern to security solution advisors such as myself. The hardware is normally the cheapest thing to replace.&lt;br /&gt;&lt;br /&gt;Many people back up their personal data on portable computers, but not everyone.&lt;br /&gt;&lt;br /&gt;The loss of business critical data could be disastrous without adequate backups. Perhaps more of an issue would be the value of your customer relationships, their contact details and their credit details in the hands of your direct competitors.&lt;br /&gt;&lt;br /&gt;People involved with risk know how to calculate predicted annual loss from certain unforeseen events. 
This is normally done by calculating the likelihood of an event occurring (Annual Rate of Occurrence) and then multiplying this by the Single Loss Event (SLE) dollar amount.&lt;br /&gt;&lt;br /&gt;After this has been calculated, you can establish how much money you can afford to spend to prevent these events from occurring.&lt;br /&gt;&lt;br /&gt;To take this a step further, once controls are in place, their effectiveness can be measured and Return on Investment calculated.&lt;br /&gt;&lt;br /&gt;One of the key costs that Risk Analysts consider is the cost of financial sanctions or penalties.&lt;br /&gt;Nationwide Anglia discovered this the hard way this week after being fined a record 1 million pounds. A member of Nationwide Anglia staff had a laptop stolen, but didn’t report it promptly.&lt;br /&gt;After the fact was discovered, the FSA found NA to be negligent in disclosing exactly what the value of the data was on this computer.&lt;br /&gt;&lt;br /&gt;Most interesting of all, Nationwide Anglia was criticised for not having a clear and understandable policy for the protection of critical, highly confidential data.&lt;br /&gt;&lt;br /&gt;In summary, the value of a clear, understandable and enforceable security policy cannot be overemphasised.&lt;br /&gt;Data is our most valuable resource and we should protect our customers from potential harm by appropriate controls on their information.&lt;br /&gt;When considering the cost of security and technology, we must remember the ‘hidden’ costs. 
£1,000,000 seems a lot for a single laptop, but this just goes to prove how seriously the FSA and other regulatory bodies take negligence when it comes to protection of customers’ data.&lt;br /&gt;&lt;br /&gt;Back to Vista tomorrow!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-2549011096763719958?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/2549011096763719958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=2549011096763719958&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2549011096763719958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2549011096763719958'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/02/is-your-laptop-worth-1-million-pounds.html' title='Is your laptop worth 1 million pounds?'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-9039398436596869756</id><published>2007-02-13T12:30:00.000Z</published><updated>2007-02-13T12:47:48.225Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtualisation'/><category scheme='http://www.blogger.com/atom/ns#' term='Innovation'/><title 
type='text'>Windows Vista - Security Virtualisation</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/425x265-737182.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/425x265-733974.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you read through previous posts of mine, you will know that I recommend running as a local user in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;XP&lt;/span&gt; and only using administrative credentials to install programs.&lt;br /&gt;Usually this works quite well until a legacy application tries to write data to a file or registry location that a normal user has no access to (such as high res mode on Microsoft Flight Simulator 2000).&lt;br /&gt;Vista, with its 'Run everything with least privilege', gets around this by '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;virtualisation&lt;/span&gt;' of the filing system and the registry.&lt;br /&gt;How does this work in practice?&lt;br /&gt;When Vista detects a write action to a restricted area, it redirects it to a per-user virtual location. Program file information typically gets written to %&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;LocalAp&lt;/span&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;pData&lt;/span&gt;%\&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;VirtualStore&lt;/span&gt;. 
Subsequent read requests will also be redirected.&lt;br /&gt;You can browse to where these &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;virtualised&lt;/span&gt; writes have taken place, say in the Program Files directory, and a 'Compatibility Files' button will be present on the new 'Command bar'.&lt;br /&gt;A similar redirection takes place when writes to restricted areas of the registry take place, storing data that traditionally would end up in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;HKLM&lt;/span&gt;\Software in places such as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;HKLM&lt;/span&gt;\Software\Classes\&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;VirtualStore&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Whatever your opinion of Microsoft, you can't deny the efforts being made in the least privilege space to increase security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-9039398436596869756?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/9039398436596869756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=9039398436596869756&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/9039398436596869756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/9039398436596869756'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/02/windows-vista-security-virtualisation.html' title='Windows Vista - Security Virtualisation'/><author><name>Paul 
Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-2488972691636831719</id><published>2007-02-12T17:22:00.000Z</published><updated>2007-02-12T17:59:33.811Z</updated><title type='text'>Internet Explorer 7+</title><content type='html'>OK, you have installed Vista, we know how it fires up and you have logged on. Chances are after you have played around with the AERO interface (Authentic, Energetic, Reflective and Open...who thought that one up??), you will be heading over to check out IE7.&lt;br /&gt;&lt;br /&gt;Now if you have been using IE7 for XP, you may be thinking that this is identical; well, you'd be kinda right. It is very similar, but it has some important differences. Vista's version of IE7 is correctly named IE7+ and operates in a 'least privilege' mode known as Protected Mode. Protected Mode is designed to make it much harder for malicious software to install via the browser interface.&lt;br /&gt;Internet Explorer runs in the context of a very restricted user and can only write information to certain file areas (such as the Temporary Internet Files location).&lt;br /&gt;&lt;br /&gt;If you're like me and rather miss the Menu bars, worry not, ALT will become your helpful companion. Pressing ALT brings the old-fashioned menus scurrying back. I find this most helpful in IE and Explorer.&lt;br /&gt;&lt;br /&gt;AutoComplete has been designed to be much more customizable. 
If you feel comfortable your PC is secure, you can configure AutoComplete to remember all your usernames and passwords on a per-site basis.&lt;br /&gt;In addition to this, AutoComplete can also remember form information and web addresses (to customise go to Tools&gt; Internet Options&gt; Content).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/autocomplete-762638.jpg"&gt;&lt;/a&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/autocomplete-709572.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/autocomplete-706236.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If, like me, you are interested in how Windows stores these credentials, they are stored in the Registry, encrypted with 3DES (512bit key) and can only be 'got at' by the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0" onclick="BLOG_clickHandler(this)"&gt;DPAPI&lt;/span&gt; (Data Protection &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1" onclick="BLOG_clickHandler(this)"&gt;API&lt;/span&gt;), which appears to be a much better interface from a security perspective than Windows &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2" onclick="BLOG_clickHandler(this)"&gt;XP&lt;/span&gt; 'Protected Storage' (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3" onclick="BLOG_clickHandler(this)"&gt;PStore&lt;/span&gt;).&lt;br /&gt;&lt;br /&gt;One final tip, have a go at using F11 to switch to full screen. Moving the mouse to the top of the screen gets your menus back and F11 again reverts. 
I don't normally like ALT-Enter style full screens, but I am starting to really like this feature.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-2488972691636831719?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/2488972691636831719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=2488972691636831719&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2488972691636831719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/2488972691636831719'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/02/internet-explorer-7.html' title='Internet Explorer 7+'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-5965022919925357899</id><published>2007-02-05T15:53:00.000Z</published><updated>2007-02-06T07:19:19.271Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Things you need to know'/><category scheme='http://www.blogger.com/atom/ns#' term='How does it work?'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='EVO'/><title type='text'>Hello Vista</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/logo-738581.jpg"&gt;&lt;/a&gt;Right...It's here at last. 
Better late than never and for some of us who have been using various betas for a while, some of the excitement may have waned slightly.&lt;br /&gt;But that aside, VISTA and for that matter the rest of the motley &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0" onclick="BLOG_clickHandler(this)"&gt;EVO&lt;/span&gt; crew (Exchange, Vista, Office) is here now.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/logo-723430.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/logo-712330.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As I have been a busy bee with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1" onclick="BLOG_clickHandler(this)"&gt;CISSP&lt;/span&gt;, I am a bit slow off the mark here, but in order to make up lost time, the blog will now continue in earnest.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;WHAT YOU NEED TO KNOW ABOUT VISTA...in bite-size, security-flavoured nuggets!&lt;br /&gt;&lt;br /&gt;Hit the power button, sit back and...... WHAT?? No &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2" onclick="BLOG_clickHandler(this)"&gt;NTLDR&lt;/span&gt;, No BOOT.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3" onclick="BLOG_clickHandler(this)"&gt;INI&lt;/span&gt;? &lt;a href="http://ITProPortal.fagms.net/c/r?EMID=095004I02PLQL44KC2S6H00EE10TE"&gt;Isn't this just &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4" onclick="BLOG_clickHandler(this)"&gt;XP&lt;/span&gt; 'repackaged' according to Steve Golds?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Nope, this is not NT6, this is Longhorn. 
New ball game.&lt;br /&gt;&lt;br /&gt;When you boot:&lt;br /&gt;The BIOS heads for the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5" onclick="BLOG_clickHandler(this)"&gt;MBR&lt;/span&gt; on the disk defined as the boot disk.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Control transfers to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6" onclick="BLOG_clickHandler(this)"&gt;MBR&lt;/span&gt; (Master Boot Record).&lt;/li&gt;&lt;li&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7" onclick="BLOG_clickHandler(this)"&gt;Bootmgr&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt; is now called. &lt;/li&gt;&lt;li&gt;This calls information from the Boot Configuration Data Store (similar to, but more sophisticated than, Boot.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9" onclick="BLOG_clickHandler(this)"&gt;ini&lt;/span&gt;). &lt;/li&gt;&lt;li&gt;If Vista is cold booting, then it loads &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10" onclick="BLOG_clickHandler(this)"&gt;Winload&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt;.&lt;/li&gt;&lt;li&gt;If Vista is resuming, then it loads &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12" onclick="BLOG_clickHandler(this)"&gt;Winresume&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt;.&lt;/li&gt;&lt;li&gt;If you &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14" onclick="BLOG_clickHandler(this)"&gt;multiboot&lt;/span&gt; with an earlier OS, then it loads the legacy &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15" onclick="BLOG_clickHandler(this)"&gt;NTLDR&lt;/span&gt; file.&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16" onclick="BLOG_clickHandler(this)"&gt;NTOSKRNL&lt;/span&gt;.&lt;span 
class="blsp-spelling-error" id="SPELLING_ERROR_17" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt; and HAL.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18" onclick="BLOG_clickHandler(this)"&gt;dll&lt;/span&gt; (Hardware Abstraction Layer) are still there, followed by the starting of the session manager &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19" onclick="BLOG_clickHandler(this)"&gt;SMSS&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt;, Windows &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21" onclick="BLOG_clickHandler(this)"&gt;startup&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22" onclick="BLOG_clickHandler(this)"&gt;WININIT&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt; and the Local Security Authority &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24" onclick="BLOG_clickHandler(this)"&gt;LSASS&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25" onclick="BLOG_clickHandler(this)"&gt;exe&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;So, some new faces and some old. 
One thing is for sure...this is going to be a totally different animal.&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/images-736502.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/images-733077.jpg" border="0" /&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-5965022919925357899?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/5965022919925357899/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=5965022919925357899&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/5965022919925357899'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/5965022919925357899'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/02/hello-vista.html' title='Hello Vista'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-3707075727195101348</id><published>2007-01-02T10:40:00.000Z</published><updated>2007-01-02T11:11:12.264Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='application layer firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='ISA 2006'/><category scheme='http://www.blogger.com/atom/ns#' term='Outlook Web Access'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Exchange 2003'/><category scheme='http://www.blogger.com/atom/ns#' term='proxy server'/><title type='text'>ISA 2006 screenshots.</title><content type='html'>&lt;div&gt;Anyone who has studied for &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;Microsoft's&lt;/span&gt; exams knows the value of having a 'lab' to practice upon. With &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;Microsoft's&lt;/span&gt; Virtual Server/PC or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2" onclick="BLOG_clickHandler(this)"&gt;VMware's&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3" onclick="BLOG_clickHandler(this)"&gt;ESX&lt;/span&gt;/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4" onclick="BLOG_clickHandler(this)"&gt;GSX&lt;/span&gt; you don't even have to have physically &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;separate&lt;/span&gt; boxes, provided you have a server with plenty of RAM and processor speed.&lt;br /&gt;However, with the release of Vista, Office 2007, Exchange 2007 and ISA 2006, purchasing all these products just to get familiar with them would be prohibitively &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;expensive&lt;/span&gt;. You can of course use evaluation copies, but it is a pain to keep reinstalling them.&lt;br /&gt;&lt;br /&gt;This is where the &lt;a href="http://www.petri.co.il/ms_action_pack_subscription.htm"&gt;Microsoft Action Pack Subscription (MAPS) &lt;/a&gt;is so valuable. 
For a fixed fee (£230 in the UK), you get a year's worth of software for testing and studying purposes.&lt;br /&gt;&lt;br /&gt;There are a few conditions, so check out the Microsoft web site or Daniel &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7" onclick="BLOG_clickHandler(this)"&gt;Petri's&lt;/span&gt; excellent synopsis &lt;a href="http://www.petri.co.il/ms_action_pack_subscription.htm"&gt;http://www.petri.co.il/ms_action_pack_subscription.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have just installed ISA 2006, upgrading ISA 2004 as my DMZ firewall. For those of you unfamiliar with the product, ISA (Internet Security &amp; Acceleration Server) is Microsoft's application firewall and caching/proxy server.&lt;br /&gt;&lt;br /&gt;One of the functions of ISA is to proxy internal traffic out to the Internet, but also to securely publish internal services. I use ISA to publish my Exchange 2003 server.&lt;br /&gt;&lt;br /&gt;I haven't managed to play too much with ISA 2006, but there are a few immediate differences from 2004. 
There is now no firewall share for distributing the firewall client application, and the SMTP message screener is no more, so you will need to uninstall these and enable the Background Intelligent Transfer service to start automatically before you upgrade.&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/ISA-790317.JPG"&gt;&lt;/a&gt;&lt;br /&gt;The other very noticeable difference is when you log onto OWA with ISA 2006 publishing...the OWA screen is no more!&lt;br /&gt;&lt;br /&gt;There are many other improvements that I haven't had a chance to explore, such as multiple certificate support for web site publishing and better Denial of Service protection.&lt;br /&gt;&lt;br /&gt;Will blog more when I have had a chance to play......it's going to be a busy year!&lt;/div&gt;&lt;p align="justify"&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/ISA-767734.JPG"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/ISA-764588.JPG" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-3707075727195101348?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/3707075727195101348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=3707075727195101348&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3707075727195101348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3707075727195101348'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2007/01/isa-2006-screenshots.html' title='ISA 2006 screenshots.'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-3380503666746871403</id><published>2006-12-11T12:20:00.000Z</published><updated>2006-12-11T12:23:20.752Z</updated><title type='text'>Think very carefully about your next mouse click!</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/error_01-795649.bmp"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/error_01-792468.bmp" border="0" /&gt;&lt;/a&gt; I'm always encouraging people to read dialogue boxes before making a decision, it's far too easy to become click happy.&lt;br /&gt;&lt;br /&gt;This one would definitely be worth thinking carefully about!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-3380503666746871403?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/3380503666746871403/comments/default' 
title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=3380503666746871403&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3380503666746871403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3380503666746871403'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/12/think-very-carefully-about-your-next.html' title='Think very carefully about your next mouse click!'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-3985938561067038773</id><published>2006-12-11T11:54:00.000Z</published><updated>2006-12-11T12:04:34.685Z</updated><title type='text'>How does AES work?</title><content type='html'>The winner of the Advanced Encryption Standard was the Rijndael Algorithm, but how does it work?&lt;br /&gt;&lt;br /&gt;If you look it up on Wiki &lt;a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"&gt;http://en.wikipedia.org/wiki/Advanced_Encryption_Standard&lt;/a&gt; then you may be forgiven for being confused.&lt;br /&gt;&lt;br /&gt;Do you prefer animated diagrams? Then look no further, Enrique Zabala has come up with this fantastic animation. 
I have checked this for viruses, but of course recommend you do so too.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/Rijndael_ingles_2004.exe"&gt;http://www.psvincent.co.uk/Rijndael_ingles_2004.exe&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-3985938561067038773?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/3985938561067038773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=3985938561067038773&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3985938561067038773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/3985938561067038773'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/12/how-does-aes-work.html' title='How does AES work?'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-4824247516398004566</id><published>2006-12-11T11:33:00.000Z</published><updated>2006-12-11T11:41:39.335Z</updated><title type='text'>Hooray! I passed the CISSP</title><content type='html'>&lt;div align="left"&gt;I have had the results from the CISSP exam back from the ISC, and I am happy to say I have passed. 
(Whoopee!)&lt;br /&gt;Several people have asked for what study guides I recommend and so here they are.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;The Official ISC Guide to the CISSP&lt;/em&gt;&lt;/strong&gt;. &lt;/div&gt;&lt;div align="left"&gt;I used the 2003 version, but ISC have slightly altered t&lt;a href="http://www.psvincent.co.uk/uploaded_images/cissp-776858.jpg"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/cissp-773670.jpg" border="0" /&gt;&lt;/a&gt;he CBK domains and curriculum and the 2006 version is meant to reflect this.&lt;br /&gt;This book is a pretty dry read and as it is written by 3 different individuals sometimes appears a little disjointed. The content is excellent with no obvious technical errors and as the official guide, will use correct terminology, at least correct in the eyes of the ISC.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Shon Harris. All in one , third edition. &lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;I have mixed feelings about this book. Firstly the good points.&lt;br /&gt;Sh&lt;a href="http://www.psvincent.co.uk/uploaded_images/all-in-one-710937.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/all-in-one-707635.jpg" border="0" /&gt;&lt;/a&gt;on has obviously got an awful lot of experience and knows what she is talking about. 
There is a lot of additional info that will not be in the CISSP exam but every security professional should be aware of.&lt;br /&gt;Unfortunately the text is spoilt by inane comments which I can only guess are an attempt at humour at the beginning of every new subsection.&lt;br /&gt;I did come across several technical errors in the book, none particularly serious, but enough to trouble me a little.&lt;br /&gt;This book is a lot easier to read than the official guide, but you may find the attempts at humour a little irritating and patronising after a while.&lt;br /&gt;&lt;br /&gt;I hear the books written by Ronald Krutz are very good but cannot personally comment as I haven't read them.&lt;br /&gt;&lt;br /&gt;As far as test resources go, use cccure (&lt;a href="http://www.cccure.org/quiz/quiz.php"&gt;http://www.cccure.org/quiz/quiz.php&lt;/a&gt;) to brush up on general knowledge, but expect the 'real' questions to be more detailed and designed to establish if you really know the subject, and of course AVOID BRAIN DUMPS LIKE THE PLAGUE! 
At best they give an idea of the kind of questions you may get and the answers suggested are often wrong in my opinion.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-4824247516398004566?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/4824247516398004566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=4824247516398004566&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/4824247516398004566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/4824247516398004566'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/12/hooray-i-passed-cissp.html' title='Hooray! I passed the CISSP'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-116282249082274230</id><published>2006-11-06T14:05:00.000Z</published><updated>2006-11-06T14:14:50.860Z</updated><title type='text'>Yesterday I sat the CISSP exam.</title><content type='html'>It is not really my idea of fun to sit for 6 hours on a Sunday chewing on a pencil and filling in circles on an answer sheet. Last time I did this was for my GCSE's 18 years ago. The exam can last up to 6 hours with 250 questions. 
I must say that after 3 hours I was starting to wish I was finished!&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/logo-767616.gif"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/logo-763181.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The CISSP is regarded by many to be 'the certification to have' in Information Security. It covers 10 domains of knowledge and whilst the examination questions don't test an in-depth knowledge of each, the more familiar you are with them the better.&lt;br /&gt;&lt;br /&gt;Like with most certifications, there is a debate about their value in the field.&lt;br /&gt;&lt;a href="http://www.csoonline.com/opinion/comments/744.html"&gt;Bad :&lt;/a&gt; &lt;a href="https://www.isc2.org/cgi-bin/content.cgi?page=39"&gt;Good:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To some extent it is a snapshot of a certain set of criteria at a particular point in time (much like a driving test or MOT for your car). One of the differences with the CISSP is that you have to continue to be exposed to security related information to gain CPE points to retain your certification.&lt;br /&gt;&lt;br /&gt;The questions are not designed to have technical depth, so don't expect to be asked about the 4 stages of Rijndael operations per round. 
However generic questions regarding control mechanisms are more likely to be asked.&lt;br /&gt;&lt;br /&gt;All in all, I think it is a very worthwhile certification and the questions are designed to make you think, rather than just select answers parrot fashion.&lt;br /&gt;&lt;br /&gt;One of the more annoying features of the exam is I now need to wait 4-6 weeks to get the results :(&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-116282249082274230?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/116282249082274230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=116282249082274230&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116282249082274230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116282249082274230'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/11/yesterday-i-sat-cissp-exam.html' title='Yesterday I sat the CISSP exam.'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-116185357752001785</id><published>2006-10-26T09:50:00.000+01:00</published><updated>2006-10-26T10:14:28.360+01:00</updated><title type='text'>Biometrics</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/images-759886.jpeg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 
10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/images-756176.jpeg" border="0" /&gt;&lt;/a&gt; Recently I was shown a fingerprint reading device that allowed a user to log onto his Windows laptop without supplying credentials. The user was very proud of this device and saw it as 'the security of the future'.&lt;br /&gt;&lt;br /&gt;I have a lot of respect for Steve Riley having met him and heard him speak at Barcelona last year. I had an interesting conversation with him regarding weakness of multi-factor authentication (man in the middle hijack), which incidentally we have seen happen to an &lt;a href="http://www.finextra.com/fullstory.asp?id=15570"&gt;American Bank in the last few months&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;If you have never heard one of Steve's presentations, then you can download them from Microsoft's &lt;a href="http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=9"&gt;'It's Showtime' &lt;/a&gt;site. Between Steve and Jesper, they will have you questioning your solid beliefs in traditional security.&lt;br /&gt;&lt;br /&gt;I highly recommend checking out &lt;a href="http://www.youtube.com/watch?v=oXyFmieZjiE"&gt;how easy it is to defeat 'unbreakable' fingerprint readers&lt;/a&gt;. 
&lt;a href="http://www.psvincent.co.uk/uploaded_images/trolli-740437.jpeg"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/trolli-733558.jpeg" border="0" /&gt;&lt;/a&gt;They use ballistics gum and photocopies of fingerprints, Steve reckons you can use Gummy Bears, but that's just a waste of good food!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-116185357752001785?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/116185357752001785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=116185357752001785&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116185357752001785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116185357752001785'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/10/biometrics.html' title='Biometrics'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-116176632657196108</id><published>2006-10-25T09:45:00.000+01:00</published><updated>2006-10-25T09:54:56.250+01:00</updated><title type='text'>Self Defeating Security</title><content type='html'>Part of my role involves inspecting 3rd party vendor’s sites to ensure that they comply with my client’s security policies. 
This is normally when a vendor will be storing or processing my client’s data&lt;br /&gt;&lt;br /&gt;One of the unfortunate side effects of this, is that I find myself evaluating security when not at work as well.&lt;br /&gt;&lt;br /&gt;For example, yesterday I was at Citilink parcel couriers warehouse at Gatwick collecting a delivery. They had cipher locks on the doors leading into the restricted areas of the building. There was no obvious CCTV focused on these doors, so the locks seemed to be more for casual security.&lt;br /&gt;Also there were no privacy shields on the locks, so shoulder surfing was definitely an option. On the positive side, the numbers were not on the buttons themselves so wear on frequently used combinations would be harder to detect.&lt;br /&gt;&lt;br /&gt;OK so far. Then I noticed that the door had been left on the latch so anyone could walk in, [see picture]. &lt;a href="http://www.psvincent.co.uk/uploaded_images/IMAGE_00045-785523.jpg"&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/IMAGE_00045-732516.jpg"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/IMAGE_00045-727328.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Here is where it gets interesting. Is this bad security or good security?&lt;br /&gt;&lt;br /&gt;The answer depends on what threat they are attempting to mitigate against. As a shoulder surfing attack was on the cards, maybe CitiLink had realized this and so have a policy of latching the door to prevent possible disclosure of the entry code.&lt;br /&gt;Slightly unusual, but there is the compensating control of having many staff around during the day to detect intruders.&lt;br /&gt;Then during night hours they engage the door lock, with reasonable assurance that the entry code hasn't been compromised. 
They may not even tell the day staff the number to provide additional protection.&lt;br /&gt;&lt;br /&gt;This would be similar to not using shared authentication with WEP as it reveals plain and cipher text with the data encrypting WEP key, actually reducing overall security. &lt;a href="http://www.securityfocus.com/infocus/1814"&gt;http://www.securityfocus.com/infocus/1814&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;....Or maybe someone at Citilink just forgot and left the door on the latch ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-116176632657196108?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/116176632657196108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=116176632657196108&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116176632657196108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116176632657196108'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/10/self-defeating-security.html' title='Self Defeating Security'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-116163599569365709</id><published>2006-10-23T21:21:00.000+01:00</published><updated>2006-10-24T09:49:22.246+01:00</updated><title type='text'>National Identity Theft</title><content type='html'>&lt;a 
href="http://www.psvincent.co.uk/uploaded_images/IMAGE_00043-781826.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/IMAGE_00043-767088.jpg" border="0" /&gt;&lt;/a&gt; I haven't blogged for a while as I have been busy moving house and all the malarky that goes along with it.&lt;br /&gt;I have also discovered the joys &lt;joy&gt;of DIY ;) . My latest achievement was laying a wooden floor, what do you think eh? Not bad?&lt;br /&gt;&lt;br /&gt;Of course I had to buy the compulsory plasma screen too (to fit in with the wooden floor of course!).&lt;br /&gt;&lt;br /&gt;Enough of that anyway. I have also moved from a permanent member of staff to a contractor, more about that later though.&lt;br /&gt;&lt;br /&gt;This week you may have noticed that HSBC was caught out allegedly disposing of their customers' details in the common refuse. Not great.&lt;br /&gt;&lt;br /&gt;Quoted from The Sunday Mirror:&lt;br /&gt;&lt;br /&gt;"In one case bags marked Confidential Papers Only were left on the pavement of a busy London street. In Birmingham, a customer's entire file - including his salary, address and banking habits - were in a bin bag. Another bin in Bristol contained dozens of bank documents and copies of customers' passports."&lt;br /&gt;&lt;br /&gt;This could not have come at a worse time as last week was National Identity Theft Awareness Week. &lt;a href="http://www.stop-idfraud.co.uk/"&gt;http://www.stop-idfraud.co.uk/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to this site, 21 million of us need to take better precautions about protecting our identity. There is some considerable debate about who really is responsible for protecting our confidential information but at the end of the day, whatever banks and other financial institutions do, we share responsibility for protecting our private data.&lt;br /&gt;&lt;br /&gt;10 Do you own a shredder? 
If &lt;&gt;"yes" goto buy shredder&lt;br /&gt;20 Does your shredder cross cut your documents into unreadable strips? If &lt;&gt; "yes" then take shredder back to shop and buy a better (more expensive!) one&lt;br /&gt;30 Do you shred all your private documents? if &lt;&gt;"yes" gosubroutine 'shred all private documents'.&lt;br /&gt;&lt;br /&gt;We have no idea where our rubbish/trash/garbage will end up. Maybe it will end up in a landfill site, maybe not.&lt;br /&gt;Maybe it will be sold to someone else to 'dispose of'.&lt;br /&gt;&lt;br /&gt;ID theft is growing. There are known fraudulent techniques such as 'Internet assisted account takeover' that SOCA (formerly NHTCU), are not only aware of but are taking positive steps to break.&lt;br /&gt;&lt;br /&gt;Make sure you are not one of the unlucky ones.&lt;br /&gt;&lt;br /&gt;Happy shredding!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-116163599569365709?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='related' href='http://www.stop-idfraud.co.uk/' title='National Identity Theft'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/116163599569365709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=116163599569365709&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116163599569365709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/116163599569365709'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/10/national-identity-theft.html' title='National Identity Theft'/><author><name>Paul 
Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-115824118959192310</id><published>2006-09-14T14:38:00.000+01:00</published><updated>2006-09-14T14:39:49.623+01:00</updated><title type='text'>Technorati</title><content type='html'>&lt;a href="http://www.technorati.com/claim/icz5jtramq" rel="me"&gt;Technorati Profile&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-115824118959192310?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/115824118959192310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=115824118959192310&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115824118959192310'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115824118959192310'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/09/technorati.html' title='Technorati'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-115390049598027590</id><published>2006-07-26T08:29:00.000+01:00</published><updated>2006-07-26T10:01:12.986+01:00</updated><title type='text'>Lack of Confidentiality &amp; Integrity almost saves a legend</title><content type='html'>&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/concorde-779037.jpg" border="0" /&gt;In our line of work, most of the objectives revolve around the 'Security Triad' of A-I-C, Availability, Integrity and Confidentiality.&lt;br /&gt;The strive for confidentiality is often the driver for reactions such as the disabling of USB ports to prevent 'data disclosure' and the blocking of personal webmail.&lt;br /&gt;&lt;br /&gt;Steve and Jesper have documented interesting viewpoints on the futility of these actions if not underpinned by a solid access control mechanism (need to know or least privilege enforcement).&lt;br /&gt;&lt;br /&gt;Interestingly one of this country's greatest aviation achievements could have been saved if Confidentiality had been breached but Integrity was left intact.&lt;br /&gt;Concorde has always been embroiled in complex and volatile political and financial entanglements. 
&lt;a href="http://www.psvincent.co.uk/uploaded_images/concorde1-782184.JPG"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/concorde1-728383.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;It is a well documented fact that had America continued with its supersonic passenger jet, then many of the obstacles around landing at New York would not have occurred. Had the Russian TU-144 (Concordski) continued successfully, it is highly likely that America would not have pulled the plug on its supersonic project.&lt;br /&gt;&lt;br /&gt;Why was the TU-144 unsuccessful?&lt;br /&gt;&lt;br /&gt;Apparently, someone at the British manufacturing plant that built the Concorde (or at the French plant!), seemed to have communist sympathy and leaked the Highly Confidential blueprints for the Concorde's design.&lt;br /&gt;How this happened is not clear, (it wouldn't have been a USB stick back in the 70's though) but this is a good example of data leakage which strong authentication and stringent access control could have gone some way to preventing.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/pepsi6t-754239.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/pepsi6t-756049.jpg" border="0" /&gt;&lt;/a&gt;Before the plans ended up in Russia however, British Intelligence (If that’s not an oxymoron!), intercepted the leaked documents, and decided to alter them before allowing them to pass onto the Russian aviation company.&lt;br /&gt;&lt;br /&gt;This is where the lack of Integrity played a part.&lt;br /&gt;&lt;br /&gt;The documents were leaked, but they were not authentic. Interestingly, these changes in the leaked documents have been held responsible for the demise of the TU144.&lt;br /&gt;&lt;br /&gt;Who knows, if the TU had been successful, America would probably have kept in the supersonic race and 
the Concorde would have become more mainstream, making it a more viable proposition.&lt;br /&gt;&lt;br /&gt;All of this down to a lack of Confidentiality and Integrity (but far too much Availability!).&lt;br /&gt;&lt;br /&gt;In memory of one of the most gorgeous feats of engineering...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-115390049598027590?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/115390049598027590/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=115390049598027590&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115390049598027590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115390049598027590'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/07/lack-of-confidentiality-integrity.html' title='Lack of Confidentiality &amp; Integrity almost saves a legend'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-115165128251048757</id><published>2006-06-30T07:45:00.000+01:00</published><updated>2006-07-26T08:27:38.146+01:00</updated><title type='text'>Detective vs Preventative controls</title><content type='html'>There are several different types of controls that can be used to provide a level of Information Security.&lt;br /&gt;Two of these are Detective and 
Preventative.&lt;br /&gt;&lt;br /&gt;Detective controls may involve monitoring, administrative event justification, log parsing and intrusion detection systems.&lt;br /&gt;&lt;br /&gt;Preventative controls would include access control based on least privilege, restricted group enforcement, Group Policy system configuration, and disabling of various features of portable media connection such as USB and serial ports.&lt;br /&gt;&lt;br /&gt;Really both of these methods should be employed. There are examples of companies that rely heavily on technical controls, locking down almost everything that appears to have a security element to it.&lt;br /&gt;Other firms allow users with high level privileges to log onto their workstations with Domain Administrator rights, and conduct all their information worker tasks (email, word processing etc).&lt;br /&gt;&lt;br /&gt;The problem with relying on detective controls only is that you are only dealing with the issue after the event, so if a contractor on a week's contract performs some justifiable action, he may have long gone when the damage is noticed. It is an 'after the horse has bolted' approach.&lt;br /&gt;&lt;br /&gt;Conversely, if preventative controls are all that are used, then when there are gaps in the controls (yes, there are certain to be things that get missed or misconfigured), or ingenious developers find ways around the controls, this can pass unnoticed.&lt;br /&gt;&lt;br /&gt;It is important therefore to have the right mix of preventative and detective controls for your environment. What is the right mix? 
This will depend on the threats that your organisation faces, the vulnerabilities in the systems you use and the overall risk sensitivity of the organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-115165128251048757?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/115165128251048757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=115165128251048757&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115165128251048757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115165128251048757'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/06/detective-vs-preventative-controls.html' title='Detective vs Preventative controls'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-115158144568876117</id><published>2006-06-29T12:35:00.000+01:00</published><updated>2006-07-26T08:28:24.083+01:00</updated><title type='text'>The Security Policy, your best friend!</title><content type='html'>Most employees see the need for policies and procedures, but often when these mechanisms seem to hinder them from accomplishing their task, their support for them commonly wanes.&lt;br /&gt;&lt;br /&gt;It is a well documented fact that having a Security Policy is the underpinning of any company's 
overall security strategy. The high level policy should be technologically abstract, and concentrate on statements that reflect senior management's vision for the enterprise security architecture.&lt;br /&gt;The security policy is a very individual thing; establishments such as financial institutions, for example, will have different objectives than government facilities or small independent companies.&lt;br /&gt;Often the security policy will fall underneath the general organizational policy. You can gain a lot of information about what a company's appetite for risk is by reading the organizational and security policy.&lt;br /&gt;&lt;br /&gt;Under the security policy sit standards that apply the statements within the security policy.&lt;br /&gt;For example, the policy may state "All internal information should be protected by physical or logical controls". The standard may state "All internal information should be protected via native Windows encryption, with the Data Recovery Key exported to the security operations team".&lt;br /&gt;&lt;br /&gt;Procedures give a consistent approach to configuring devices to comply with the standards. Procedures can be of a technical nature, or a workflow to accomplish a task, such as the provision of a server into a production environment in a controlled and audited manner.&lt;br /&gt;&lt;br /&gt;Guidelines can be viewed as 'Best (or better, for those who don't like this term) Practices'. 
They may give a default behaviour that gives the best results under a standard set of circumstances.&lt;br /&gt;&lt;br /&gt;From looking at this document hierarchy, it becomes clear that the writing of a clear and concise security policy is really the first key step to Information Security. The policy should have the full approval and backing of the senior management; without this, the policy will be very hard to enforce.&lt;br /&gt;&lt;br /&gt;If you are tasked with a security function within a small firm without a security policy, this is the first task on your agenda.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-115158144568876117?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/115158144568876117/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=115158144568876117&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115158144568876117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/115158144568876117'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/06/security-policy-your-best-friend.html' title='The Security Policy, your best friend!'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114727791489355424</id><published>2006-05-10T16:53:00.000+01:00</published><updated>2006-05-11T12:49:22.266+01:00</updated><title type='text'>Running as a local admin...DON'T!!</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/vista_mystify-761298.jpg"&gt;&lt;img style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/vista_mystify-752857.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.psvincent.co.uk/uploaded_images/vista_mystify-710075.jpg"&gt;&lt;/a&gt;&lt;br /&gt;I have been reading Jesper's blog today (Microsoft evangelist), and I must say how interesting the whole issue of outbound firewalls is (&lt;a href="http://blogs.technet.com/jesper_johansson/"&gt;http://blogs.technet.com/jesper_johansson/&lt;/a&gt; Monday May 1st post).&lt;br /&gt;I have always thought the value of an outbound firewall is negligible, after all, most people just keep hitting 'accept' when any product prompts for a decision to be made regarding an outbound connection.&lt;br /&gt;Added to this, once your computer is infected, then really things have gone too far already. The malware will be wreaking havoc with your machine.&lt;br /&gt;&lt;br /&gt;One of the most important points is that if you run as a local Administrator, then any code that gets downloaded whilst you are innocently surfing will run as the local admin too, and you know what that means don't you...you don't?? Well it means the malware can disable your firewall or 'swiss cheese it' so it is useless.&lt;br /&gt;&lt;br /&gt;The firewall in Vista appears to be managed similarly with IPsec, which is good as they are trying to achieve very similar results. 
The local admin issue is one that deserves more attention.&lt;br /&gt;&lt;br /&gt;I have to say, I have been guilty of surfing the 'Net logged on as a local admin. Unfortunately whilst my wife was on a reputable marathon running site, a variant of Cool Web Search infected our laptop.&lt;br /&gt;This made me realise how stupid I had been by using an admin account to perform information worker tasks.&lt;br /&gt;&lt;br /&gt;The thing is we all know how inconvenient it is to have to keep logging on as an admin to install software, even using 'Runas' adds additional complexity that many people could do without!&lt;br /&gt;&lt;br /&gt;That was 6 months ago, and I am pleased to say that ever since then, I have run as a normal user, along with my wife and her family who also have accounts. Once all our software has been loaded with the admin account, I have been pleasantly surprised by how smoothly everything has worked...AND NO SPYWARE.&lt;br /&gt;In fact I am consistently getting pop ups when we surf the 'Net, saying we do not have sufficient privileges to install software...just from browsing! Every time this happens it reminds me of another escape from malware.&lt;br /&gt;&lt;br /&gt;We all know it's the right thing to do; try it today. 
Set up a normal user account; you may be surprised how everything works without problem, and you can rest assured that malware will have a much harder job infecting your computer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114727791489355424?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114727791489355424/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114727791489355424&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114727791489355424'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114727791489355424'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/05/running-as-local-admindont.html' title='Running as a local admin...DON&apos;T!!'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114560870645721254</id><published>2006-04-21T09:35:00.000+01:00</published><updated>2006-04-29T21:53:02.700+01:00</updated><title type='text'>The shape of things to come</title><content type='html'>&lt;a href="http://www.psvincent.co.uk/uploaded_images/winin-726455.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.psvincent.co.uk/uploaded_images/winin-722570.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I haven't had a chance to blog much the last 
2 weeks, as I have been in a new role.&lt;br /&gt;&lt;br /&gt;More about that later, but as I am studying two subjects at the moment (Windows Internals, to get a better understanding of how Windows works, nuts and bolts style, and also the CISSP exam), expect to see blogs here discussing how industry standards can be applied to the Wintel platform.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114560870645721254?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114560870645721254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114560870645721254&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114560870645721254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114560870645721254'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/04/shape-of-things-to-come.html' title='The shape of things to come'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114560817913009998</id><published>2006-04-21T08:57:00.000+01:00</published><updated>2006-04-29T21:47:56.263+01:00</updated><title type='text'>What constitutes a 'Good' password.</title><content type='html'>If there is one topic that seems likely to provoke strong opinion it is that of passwords.&lt;br /&gt;&lt;br /&gt;Universally 
loathed by users who get annoyed at having to regularly change them, and system administrators who have to enforce their use.&lt;br /&gt;&lt;br /&gt;Even IT Pros who profess to have no security 'bent' whatsoever will normally express a strong opinion over various password policies.&lt;br /&gt;&lt;br /&gt;The problem with passwords is that creating a &lt;em&gt;really &lt;/em&gt;good one is actually very hard to do. There are various techniques to creating better passwords and some myths around what constitutes a good password or not. I will attempt to discuss several here. As this subject promotes such strong opinion, I will deal with this interesting subject in several 'bite size' chunks.&lt;br /&gt;&lt;br /&gt;First of all, some generalisations:&lt;br /&gt;&lt;br /&gt;Avoid:&lt;br /&gt;&lt;br /&gt;Short passwords (under 7 characters)&lt;br /&gt;Any words that appear in a dictionary&lt;br /&gt;Relying on substitution (a=@, e=3, i=1 etc)&lt;br /&gt;Incremental passwords (password1, password2, password3 etc)&lt;br /&gt;Passwords that can be easily guessed (name of children, favorite football team etc)&lt;br /&gt;Writing down a password and leaving it unsecured&lt;br /&gt;&lt;br /&gt;Try to Use:&lt;br /&gt;&lt;br /&gt;Passphrases&lt;br /&gt;Passwords longer than 10 characters&lt;br /&gt;Substitution with passphrases&lt;br /&gt;Passwords that combine letters, numbers, uppercase, lowercase, special ALT characters, punctuation.&lt;br /&gt;Combinations of all the above, use your imagination!&lt;br /&gt;&lt;br /&gt;In my opinion, it is ok to write down a password &lt;strong&gt;&lt;em&gt;in the following conditions:&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;1) If this enables you to use a highly complex password that you would not be able to remember otherwise (such as †ˆª’®$¼&gt;Lm\`¬pA*-~@;žŸ¿s)&lt;br /&gt;2) If this is &lt;strong&gt;appropriately secured &lt;/strong&gt;(eg, locked in a secure safe with dual control, 
or encrypted on a USB drive with the decryption key stored separately and also appropriately physically secured).&lt;br /&gt;&lt;br /&gt;It is also important not to use the same password everywhere. If you have to use the same password (or PIN number for that matter), then ensure that you only use the same password for systems with the same level of importance or security.&lt;br /&gt;&lt;br /&gt;For example:&lt;br /&gt;&lt;br /&gt;You may choose to use the same passwords for all web sites where you don't supply any credit card details. If one of these gets hacked, it's no big deal if your password is used on other such menial sites.&lt;br /&gt;&lt;br /&gt;You would choose an entirely different password for sites where you submit credit card information, where it is a well known company whose security policies and procedures you trust.&lt;br /&gt;&lt;br /&gt;You would choose a different PIN number for your Bank cards than for your mobile phone.&lt;br /&gt;&lt;br /&gt;The rationale behind this is a compromise between having a totally separate password for all systems, web sites, computer logon, Bank PIN, mobile phone PIN, and having the same credentials for all.&lt;br /&gt;&lt;br /&gt;The important thing to remember is never to allow a secure system password, like a Credit Card PIN, to be compromised by having it identical to that of a weaker system, say a mobile phone PIN which is written down with your mobile phone.&lt;br /&gt;&lt;br /&gt;This principle is, at a very high level, the one that all sysadmins should practice for managing multiple IDs within systems.&lt;br /&gt;&lt;br /&gt;Of course, even better than passwords is 2-factor authentication, such as RSA SecurID one time session authentication or smart card/PKI, but this is a subject for another blog!&lt;br /&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://www.psvincent.co.uk/uploaded_images/RSA-716088.jpg" border="0" /&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114560817913009998?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114560817913009998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114560817913009998&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114560817913009998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114560817913009998'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/04/what-constitutes-good-password.html' title='What constitutes a &apos;Good&apos; password.'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114354212348704910</id><published>2006-03-28T11:03:00.000+01:00</published><updated>2006-03-28T11:35:23.596+01:00</updated><title type='text'>How to pass any MCP exam</title><content type='html'>One of the questions that I get asked a lot is how to pass particular MCP exams. 
I now have completed 13 of them, so feel somewhat qualified to offer some of the ways that I use to make sure I am fully prepared for them.&lt;br /&gt;Having said this, Fred Baumhardt from MS has claim to 34 MCPs so I am well and truly trumped by him (check out his blog &lt;a href="http://blogs.technet.com/fred/default.aspx"&gt;http://blogs.technet.com/fred/default.aspx&lt;/a&gt;).&lt;br /&gt;Interestingly, do you know the most failed (in %) MCP exam? You may be surprised to learn that it is the ISA exam (70-350).&lt;br /&gt;As this was the last exam I passed, let me give you some tips on passing &lt;em&gt;any &lt;/em&gt;MCP.&lt;br /&gt;&lt;br /&gt;First of all, I normally read the entire MS Press book (yes cover to cover). I generally cover a chapter every 2 days (takes about 1.5 hours a day).&lt;br /&gt;I then make sure I feel comfortable with all the 'hands on' exercises. Some of them are brainless, but others are quite useful (such as setting up a bridged SSL tunnel to publish Outlook Web Access).&lt;br /&gt;After having done this, I generally try and read some of the white papers and case studies to get a feel of how the technology works 'in the real world'.&lt;br /&gt;&lt;br /&gt;Transcenders are superb, and I used them for the first 6 exams; after a while though, you get a feel for the type of questions you are likely to get asked, and transcenders are generally a lot harder than the actual exam.&lt;br /&gt;&lt;br /&gt;One final thing, if there is a new technology introduced with an OS or within a field (Printer pooling, Incremental DNS transfers, DNS stub zones, Application Partitions, incremental GC replication, Cross Forest Trusts, Selective Authentication, SID filtering, Command Line Interface commands (Dsadd, DSrm, ntdsutil), GPupdate vs secedit /refreshpolicy), then pay &lt;strong&gt;&lt;em&gt;particular&lt;/em&gt;&lt;/strong&gt; attention to these. 
Like any good company, MS are great at marketing new features and they do feature heavily in the exams.&lt;br /&gt;&lt;br /&gt;Hope this has been useful without breaching the MS Non Disclosure Agreement!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114354212348704910?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114354212348704910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114354212348704910&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114354212348704910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114354212348704910'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/03/how-to-pass-any-mcp-exam.html' title='How to pass any MCP exam'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114346468827277670</id><published>2006-03-27T14:04:00.000+01:00</published><updated>2006-03-27T18:41:04.026+01:00</updated><title type='text'>Moving on</title><content type='html'>Today is my penultimate day with my present employer. 
It's sad to be leaving behind good friends and colleagues, but exciting to be moving into new and exciting arenas.&lt;br /&gt;I will be doing a different role for my new company, moving from a security consultancy role, into a senior server engineering role. I am really looking forward to 'getting my hands dirty' again supporting live systems.&lt;br /&gt;&lt;br /&gt;There is something challenging in the resolution of problems that tests your technical ability, resourcefulness and ability to work under pressure. I am looking forward to seeing how other firms work, how security methods differ and also comparing common problems and how different companies address them.&lt;br /&gt;&lt;br /&gt;Unfortunately it does not look like I will be getting more experience with ISA 2004, which is a bit of a shame, as recently I have been impressed with its stability and all round robustness.&lt;br /&gt;In fact in a recent conversation with my penetration testers of choice, they admitted that whenever they test against ISA, they always have difficulty circumventing it.&lt;br /&gt;Of course that depends on what rules have been configured and how the inbuilt filters have been set up...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114346468827277670?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114346468827277670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114346468827277670&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114346468827277670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114346468827277670'/><link rel='alternate' type='text/html' 
href='http://www.psvincent.co.uk/2006/03/moving-on.html' title='Moving on'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18578837.post-114223441903746658</id><published>2006-03-13T07:13:00.000Z</published><updated>2006-03-13T07:22:59.846Z</updated><title type='text'>Common Misconceptions</title><content type='html'>It's interesting how popular misconceptions have hindered IT security historically. For example, having a firewall will protect your company from attack - The more expensive the firewall, the better protection it offers - We have anti virus, so we can't get infected.&lt;br /&gt;&lt;br /&gt;It all boils down to correct configuration and defense in depth. A badly configured £30,000 firewall is far worse (if useful at all!) than a £300 correctly configured one.&lt;br /&gt;&lt;br /&gt;Defense in depth: &lt;em&gt;This does not mean turn on every security feature within your enterprise&lt;/em&gt;!! Realise your threats and mitigate against them or, at a minimum, document and manage them to an effective resolution.&lt;br /&gt;Virus Scanning: Ensure that you have an update mechanism, and perform a 'cheese test' on your enterprise: go around and manually check a few to ensure updated definitions and library files. Also check logs (easier if centrally gathered).&lt;br /&gt;&lt;br /&gt;Last point, you cannot control everything by technical controls - particularly if your users run as local admins. Have a good, legally binding Security Policy, approved by your legal team and HR department. 
Make it part of your employees' terms of contract...This may prove far more effective at stopping undesirable internal behaviour!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18578837-114223441903746658?l=www.psvincent.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/114223441903746658/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=18578837&amp;postID=114223441903746658&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114223441903746658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18578837/posts/default/114223441903746658'/><link rel='alternate' type='text/html' href='http://www.psvincent.co.uk/2006/03/common-misconceptions.html' title='Common Misconceptions'/><author><name>Paul Vincent</name><uri>http://www.blogger.com/profile/00727684268669488677</uri><email>public@psvincent.co.uk</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='08407388765012535405'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>