Showing posts with label Improvement.

Friday, August 30, 2013

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Armitage is an open source effort to bring a user-friendly interface to Metasploit.


Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit behind a usable interface (suited to a non-technical audience), and is a great way to demonstrate the security in depth of an IT architecture.

HASHCAT

There is a constant battle between security folks and users when it comes to passwords. Although it is simple to deploy a password policy in a company, it is very difficult to justify it to users.


In a perfect world from the user's perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication.

Hashcat has shown that a strong password must be selected carefully, and this tool allows us to demonstrate the ease with which a weak password can be recovered from its hash.

WIFITE

You know what you are connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? Wifite offers one of the simplest ways to test your WiFi security.


Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network.


Wireshark has boosted its capabilities with support for several types of networks (Ethernet, 802.11, etc.), while remaining simple to use through a very friendly user interface.

Wireshark makes it easy to demonstrate that outdated cleartext protocols such as Telnet and FTP should be banned from a corporate network, and that sensitive information should be encrypted in transit to avoid being captured by a malicious user.

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that rely on human credulity. It can be used to prepare a phishing attack mimicking a known website or to trap PDF files with the appropriate payload. Its simplicity of use via an intuitive menu makes it an even more attractive tool.


It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users.

Friday, April 19, 2013

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australia government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, DSD stated that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including their status in implementing Infosec 4, to the relevant minister.

Monday, November 19, 2012

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gain visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of an element's origin, together with the history of changes to it and the record of who made those changes, is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices. 

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches. 

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other organizations can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.
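Practices 1 and 3 above amount to a concrete requirement: every element needs a stable identifier, and every change to it needs a record of who made it that cannot be quietly rewritten later. The following is an added illustration of one way to meet both, not code from the NIST report: an element is identified by the SHA-256 of its content, and each custody event is chained to the digest of the previous event, so that altering or dropping any entry makes the log fail verification. The supplier and integrator names and the firmware contents are constructed sample data.

```python
"""Hash-chained provenance record for a supply chain element.

Added example for NIST practices 1 (uniquely identify elements) and
3 (establish and maintain provenance). Not NIST's code; the scheme
below is this example's own assumption about how to implement them.
"""
import hashlib
import json
from dataclasses import dataclass, field


def element_id(content: bytes) -> str:
    """Content-addressed identifier for an element (practice 1)."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def _event_digest(prev: str, actor: str, action: str, elem: str) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps([prev, actor, action, elem], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class ProvenanceLog:
    """Ordered custody events for one element, each chained to the last."""
    origin: str                       # where the element first came from
    events: list = field(default_factory=list)

    def record(self, actor: str, action: str, content: bytes) -> dict:
        """Append a change event made by `actor`, producing `content`."""
        prev = self.events[-1]["digest"] if self.events else self.origin
        elem = element_id(content)
        event = {
            "prev": prev, "actor": actor, "action": action, "element": elem,
            "digest": _event_digest(prev, actor, action, elem),
        }
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True only if every event links to its predecessor unmodified."""
        prev = self.origin
        for ev in self.events:
            if ev["prev"] != prev:
                return False
            expected = _event_digest(prev, ev["actor"], ev["action"], ev["element"])
            if expected != ev["digest"]:
                return False
            prev = ev["digest"]
        return True

    def custodians(self) -> list:
        """Everyone who had an opportunity to change the element, in order."""
        return [ev["actor"] for ev in self.events]


def demo() -> tuple:
    """Constructed scenario: supplier builds, integrator patches, then a
    custody record is falsified. Returns (verify before, verify after)."""
    log = ProvenanceLog(origin="origin:supplier-a")      # hypothetical origin tag
    log.record("supplier-a", "build", b"firmware v1.0")  # constructed content
    log.record("integrator-b", "patch", b"firmware v1.1")
    intact = log.verify()
    log.events[0]["actor"] = "unknown"   # someone rewrites who did the build
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The chain only detects tampering; it does not prevent it. In practice the head digest would be published or signed by each party at hand-off, which is what turns the log into evidence that acquirers, integrators and suppliers can check against each other.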

Refer here to download the report.

Saturday, August 11, 2012

6 Steps to Handle IT Security Incidents

New Guide from the National Institute of Standards and Technology

The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents.

NIST, in Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, spells out what incident-response capabilities are necessary to rapidly detect incidents, minimize loss and destruction, mitigate weaknesses that were exploited and restore IT services.

Revision 2 updates the original guidance to reflect changes in attacks and incidents. "Understanding threats and identifying modern attacks in their early stages is key to preventing subsequent compromises, and proactively sharing information among organizations regarding the signs of these attacks is an increasingly effective way to identify them," NIST says in the introduction to the guide.

"This revised version encourages incident teams to think of the attack in three ways," says guide co-author Tim Grance. "One is by method - what's happening and what needs to be fixed. Another is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents."

The Recommendations

The guide advises organizations to:

  1. Reduce the frequency of incidents by effectively securing networks, systems and applications.
  2. Document their guidelines for interactions with other organizations regarding incidents. Because these communications often need to occur quickly, organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties.
  3. Be generally prepared to handle any incident but should focus on being prepared to handle incidents that use the most common attack vectors. Incidents can occur in countless ways, so it's not feasible to develop step-by-step instructions for handling every incident.
  4. Emphasize the importance of incident detection and analysis throughout the organization. Millions of possible signs of incidents may occur each day so automation is needed to perform an initial analysis of the data and select events of interest for review.
  5. Create written guidelines for prioritizing incidents. Incidents should be prioritized based on relevant factors, such as the functional impact of the incident (e.g., current and likely future negative impact to business functions), the information impact of the incident (e.g., effect on the confidentiality, integrity and availability of the organization's information) and the recoverability from the incident (e.g., the time and types of resources that must be spent on recovering from the incident).
  6. Use the lessons learned process to gain value from incidents. After a major incident has been handled, the organization should hold a lessons-learned meeting to review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices. 

NIST says the guidelines can be followed independently of particular hardware platforms, operating systems, protocols or applications organizations use.
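Recommendation 5 names three factors to prioritize on: functional impact, information impact and recoverability. The following is an added worked example of turning those factors into a repeatable triage score, not code from NIST SP 800-61 Revision 2. The rating names follow the categories the guide's prioritization tables use; the numeric weights, the P1 to P4 thresholds and the four sample incidents are this example's own constructed assumptions, the kind of thing an organization would fix in its written guideline.

```python
"""Incident prioritization from functional impact, information impact
and recoverability (NIST SP 800-61 r2 recommendation 5).

Added example; the weights and thresholds are assumptions, not NIST's.
"""

# Rating categories as in the guide's tables; numeric weights are assumed.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 2,
               "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1,
                  "extended": 2, "not recoverable": 3}


def score_incident(functional: str, information: str, recoverability: str) -> int:
    """Sum of the three ratings; rejects ratings outside the guideline."""
    try:
        return (FUNCTIONAL[functional.lower()]
                + INFORMATION[information.lower()]
                + RECOVERABILITY[recoverability.lower()])
    except KeyError as err:
        raise ValueError(f"unknown rating {err}") from None


def priority_label(score: int) -> str:
    """Assumed thresholds: P1 is worked immediately, P4 in normal hours."""
    if score >= 7:
        return "P1"
    if score >= 4:
        return "P2"
    if score >= 2:
        return "P3"
    return "P4"


def triage(incidents: list) -> list:
    """Score every incident and return them highest priority first."""
    ranked = []
    for inc in incidents:
        s = score_incident(inc["functional"], inc["information"], inc["recoverability"])
        ranked.append({**inc, "score": s, "priority": priority_label(s)})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


# Constructed sample incidents, not real cases.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "summary": "user clicked phishing link, no credentials entered",
     "functional": "low", "information": "none", "recoverability": "regular"},
    {"id": "INC-2", "summary": "ransomware on file server",
     "functional": "high", "information": "integrity loss", "recoverability": "extended"},
    {"id": "INC-3", "summary": "customer database copied to unknown host",
     "functional": "medium", "information": "proprietary breach", "recoverability": "supplemented"},
    {"id": "INC-4", "summary": "public web page defaced",
     "functional": "low", "information": "integrity loss", "recoverability": "regular"},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INCIDENTS):
        print(f'{row["priority"]} {row["id"]} score={row["score"]} {row["summary"]}')
```

The value of writing the rule down as code is less the arithmetic than the fact that two responders at 3 a.m. get the same answer; the weights can be argued about in daylight and changed in one place.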

Saturday, May 19, 2012

The evolving role of the CISO

New study by IBM
A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.
Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising, concludes Finding a strategic voice, a new study from IBM.


The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. “In today’s hyper-connected world,” states the report, “information security is expanding beyond its technical silo into a strategic, enterprise-wide priority,” driven by the increasing number of high profile attacks.


The result is that while “many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk.” Key to this is that business is beginning to understand what security experts have been saying for years: security is not a thing or a product that can be bought and installed – it is a continuous process at the heart of the business itself.
“The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness.” Influencers have a strategic role on business security. “Responders,” says the report, “are more tactically oriented.
They are concentrating on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff. While technology and business processes are still important to Influencers, they are in the mode of continuously innovating and improving rather than establishing basic capabilities.”


In reality, the clear implication here is that business either needs both an influencer and a responder, or that the influencer needs also to be a responder: strategy needs implementation tactics. But what of the protectors? This is the traditional view of security. Almost half of the report’s respondents take this role, a role that is likely to be the most prevalent in smaller companies.
“These security leaders,” says IBM, “recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.” “This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, IBM’s author of the report.
“We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”
In short, this IBM study demonstrates that security and the role of the CISO is evolving from a reactive stance to a proactive stance, both within security itself and the wider business – but there is still a long way to go from protector to influencer.


To read further please refer here.

Monday, December 12, 2011

The top 5 information security certifications

Recent Security Incidents Push Demand for Information Security Professionals

The top 5 information security certifications include the CISSP, CISM, GIAC, CEH and vendor credentials offered by companies such as Cisco and Microsoft. These certifications are in demand not only for their demonstration of IT security proficiency, but also because certified candidates go through training that reflects a higher standard of ethical conduct - a topic that has renewed focus by hiring managers.

In 2012, the rise in security incidents and mobile devices creates hot demand for certifications such as the GIAC, which are technically focused in specific areas of forensics, incident response and application security.

Top 5 Certifications

Based on a review of job boards and various research conducted by IT security recruiters and employers, here is the list of the top five security certifications:

CISSP

The Certified Information Systems Security Professional continues to be the gold standard in certifications.

The CISSP, which is known for its high-level overview on the profession, has recently opened the certification for further specialization in areas such as architecture and management.

The push for this credential is also coming from the U.S. Department of Defense 8570.1 Directive, which requires all government and contract employees working on DoD IT projects to carry an approved certification for their particular job classification.

CISSP certification is usually for mid and senior management IT security positions. This certification is offered through (ISC)2, the not-for-profit consortium that offers IT security certifications and training.

The CISSP examination is based on what (ISC)2 terms the Common Body of Knowledge (or CBK). Candidates interested in taking the exam must possess a minimum of five years of direct full-time security work experience in two or more of the 10 (ISC)2 information security domains (CBK), and agree to abide by their codes-of-ethics and policy for continuous education.

In addition, they need to pass the exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple-choice, consisting of 250 questions with four options each, to be answered over a period of six hours.

For further information please refer here.

CISM

Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security.

As with the CISSP, the 8570 Directive requires CISM certification for senior managers that particularly focus on governance, compliance and risk management issues.

CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions. CISM is offered by ISACA, an international professional association that deals with IT Governance.

The CISM designation is awarded to individuals with an interest in security management who meet the following requirements: They need to successfully pass the CISM exam; adhere to ISACA's code of professional ethics; agree to comply with the continuing education policy.

They also must submit verified evidence of a minimum of five years of IT security work experience, including a minimum of three years of management work experience; and submit an application for CISM certification.

For further information please refer here.

GIAC

Global Information Assurance Certification is rising in demand specifically in areas of incident handling, forensics, intrusion detection and reverse malware engineering.

Many organizations are seeking such experts for their IT security teams because of the growing threat landscape and rise in security incidents. Usually, professionals turn to GIAC certifications to get further expertise in a particular discipline.

The GIAC is essentially geared toward mid-level security professionals who are looking to carve out a niche career path for themselves. The certification is offered by the SANS Institute, a cooperative research and education organization.

There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge may take the exam. Candidates can pursue GIAC exams with or without purchasing SANS training.

The exam fees usually include two practice exams and one proctored exam. Each exam has an expiration date of 120 days accessible from their SANS Portal Account. Exams are taken online, however SANS now requires that a proctor be present when candidates take their test.

For further information please refer here.

CEH

Certified Ethical Hacker is gaining popularity as companies seek experts to perform web application and penetration testing to ensure their infrastructure is secure.

A blooming field is security testing, and certifications like CEH are challenging technically and very valuable. This certification is useful for entry-to-mid-level practitioners that are looking to conduct vulnerability assessments.

CEH is offered by the International Council of Electronic Commerce Consultants (EC-Council), a professional certification body. EC-Council's goal is to certify security practitioners in the methodology of ethical hacking. It largely demonstrates an understanding of the tools used for penetration testing.

To obtain the CEH, candidates can choose a path of self-study or complete a training course offered by EC-Council. Candidates must have at least two years of security experience and must sign an agreement to not misuse the knowledge acquired.

For further information please refer here.

Vendor Certifications

Securing an organization's infrastructure and keeping up-to-date with emerging technologies are critical. Vendor certifications, including Cisco's Certified Network Associate Certification (CCNA) and Microsoft's Certified Systems Engineer (MCSE), with focus on security and Check Point's Certified Security Expert (CCSE), are particularly in demand.

The top information security certifications Dice has tracked for 2011 include Cisco CCNP Security and Check Point Certified Expert. These certifications are also on the rise because of their in-depth technical focus.

They help in understanding the technical skills associated with what professionals are trying to defend, and the inherent security capabilities of the infrastructure.

For most entry-level positions requiring one-to-two years of experience, employers seek vendor certifications, Security+ and the CEH credential. Mid-to-senior positions demand more mature training in CISSP, CISM and GIAC.

Other certifications in demand include Security+, Offensive Security Certified Professional, Cloud Security Alliance's new Certificate of Cloud Security Knowledge, Systems Security Certified Practitioner and Certified in Risk and Information Systems Control.

Certifications cannot be a substitute for on-the-job experience, but they are turning out to be a good measure for both proficiency and character.

Saturday, October 1, 2011

5 Strategies to Improve IT Security

Building Security Culture, Monitoring Risk Top Tactics

The Energy Department's Energy Sector Control Systems Working Group just published a paper, Roadmap to Achieve Energy Delivery System Cybersecurity, aimed at boosting cybersecurity in that industry.

The paper presents five strategies to improve IT security that are appropriate for other sectors as well. They are:
  1. Build a Culture of Security: In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is continuing, by various means, among citizens and stakeholders.

    When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in systems or emerging threats do not diminish their effectiveness.

  2. Assess and Monitor Risk: Risk assessment and monitoring give organizations a thorough understanding of their current security posture, enabling them to continually assess evolving cyberthreats and vulnerabilities, their risks, and responses to those risks.

  3. Develop and Implement New Protective Measures to Reduce Risk: New, protective measures are developed and implemented to reduce system risks to an acceptable level as security risks, including vulnerabilities and emerging threats, are identified or anticipated.

    These security solutions are built into systems, and appropriate solutions are devised for legacy systems.

  4. Manage Incidents: Managing incidents is a critical strategy because cyberassaults can be sophisticated and dynamic and any system can become vulnerable to emerging threats as absolute security is not possible.

    When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery and restoration activities minimize the impact of an incident on a system. Post-incident analysis and forensics enable stakeholders to learn from the incident.

  5. Sustain Security Improvements: Sustaining aggressive and proactive systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives and close collaboration among stakeholders.

    Collaboration provides the resources and incentives required for facilitating and increasing sector resilience.

Wednesday, July 20, 2011

International Strategy for Cyber Space

Preparing for 21st Century Security Challenges

Cyberspace, and the technologies that enable it, allow people of every nationality, race, faith, and point of view to communicate, cooperate, and prosper like never before.

Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realise their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress.

Cyber security is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information.

Envision a future in which reliable access to the Internet is available from nearly any point on the globe, at a price that businesses and families can afford. Computers can communicate with one another across a seamless landscape of global networks permitting trusted, instantaneous communication with friends and colleagues down the block or around the world.

Content is offered in local languages and flows freely beyond national borders, as improvements in digital translation open to millions a wealth of knowledge, new ideas, and rich debates. New technologies improving agriculture or promoting public health are shared with those in greatest need, and difficult problems benefit from global collaboration among experts and innovators.

This, in part, is the future of cyberspace that the United States seeks—and the future we will work to realize.

You can download this paper from here: http://www.logicalsecurity.com/resources/whitepapers/Cyberspace_Strategy_INTL%20051611.pdf

Friday, July 8, 2011

Microsoft BitLocker Administration and Monitoring (MBAM)

Enterprise solution which streamlines management

According to Microsoft, organizations around the world rely on BitLocker Drive Encryption and BitLocker To Go to protect data on Windows 7 PCs and portable storage devices. To make large-scale BitLocker implementations easier to manage, enterprises turn to Microsoft® BitLocker® Administration and Monitoring (MBAM).

Microsoft BitLocker Administration and Monitoring, enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs.

Simplify BitLocker provisioning and deployment

Microsoft BitLocker Administration and Monitoring can provision BitLocker as part of your Windows 7 upgrade or configure BitLocker deployment to take place after the operating system is installed. Using the additional Group Policy controls in MBAM, it is easier for IT to provision BitLocker specific to their business needs. The controls are checked regularly at intervals set by an IT administrator and any changes are applied immediately.

Additionally, the hardware-blocking feature can be used to identify BitLocker-capable computers and exclude specific hardware that you don’t want encrypted.

Improve compliance

With out-of-the-box reports that detail compliance with corporate-defined BitLocker policies, IT can get a better view of compliance status for the organization or for individual devices, and easily determine whether lost or stolen devices were encrypted. IT staff can also create custom compliance reports using built-in SQL Server Reporting Services tools to show just the information they need to see.

MBAM also provides the ability to store BitLocker recovery keys in an encrypted database with granular access controls and creates an audit trail of who has accessed recovery key information, keeping this information protected and only accessible to the right people in the organization.

Reduce support costs
By reducing the burden on IT staff and making it easier for them to support end users, MBAM helps to reduce the support costs and gets the end users up and running quickly if a problem arises.

With a secure, web-based key recovery portal, it is easy for authorized help-desk staff to support end users who need to recover their BitLocker-enabled machine. MBAM also automates pre-BitLocker setup steps and makes it easy for end users to perform basic tasks such as starting the encryption process and managing their BitLocker PIN, without giving users administrator rights.

MBAM will be available in Q3 2011 and a beta version of Microsoft BitLocker Administration and Monitoring is now available for download here (Windows Live ID required).

Monday, October 18, 2010

Facebook improving its security or increasing users concern on privacy?

Facebook Introduces OTP (One-time Password) Functionality

Facebook began rolling out a new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password.

Instead, users can log in with a one-time password that, upon request, Facebook sends to their mobile phone. The temporary access code is good for 20 minutes only. The new feature is designed to prevent the account compromises that result when credentials are entered into machines that have been infected by keyloggers and similar types of malware.

“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” Jake Brill, a Facebook product manager, blogged here. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

A lot of banks use a similar system labeled as a TAC (Transaction Authorisation Code) or similar when you want to carry out a transaction which involves moving money out from your account (bill payment, fund transfers etc).

The other new security-related feature is remote log-out, which Google's Gmail has had forever – if you didn't know about the feature, just scroll to the very bottom of the Gmail window and you'll see something like this:

This account is open in 1 other location (xxx.xxx.xxx.xxx).
Last account activity: 2 hours ago on this computer. Details

To use the service, users must first configure their accounts to work with a designated mobile phone number. When they text "otp" to 32665, they should immediately receive a password that's good for the next 20 minutes. The feature is available to select Facebook users for now; over the next few weeks, it will gradually become available to everyone.

Tuesday, July 27, 2010

What's Needed to Improve Strong Authentication

New Authentication Guidance Coming?

Out-of-band authentication - This method sends the additional authentication factor to the user via a different channel from the one he or she is using to access the bank site. For example, a one-time password is sent via text message to the user's mobile phone when logging in with a web browser on a PC. The user has to enter the correct OTP within a short time window (usually a few minutes) in order to initiate the session. This method helps against man-in-the-middle attacks.

Out-of-band transaction verification - This sends a verification request to the user in the same way as out-of-band authentication, so that the user is required to review and authorize a high-risk transaction that takes place within an online banking session before the transaction is allowed to proceed. This method helps against MITM and man-in-the-browser attacks.

Device identification - This authentication method uniquely identifies the software and hardware being used to access the online banking session. The device, in effect, becomes an authentication factor. This method helps against manipulation of this information by fraudsters, such as spoofing IP addresses or deleting cookies.

Mutual authentication - In addition to authenticating the user to the site, this method authenticates the site to the user. The most prevalent way of doing this is with Extended Validation SSL certificates: an EV certificate causes the browser's address bar to turn green when the user is on the bank's actual website. Other methods include displaying electronic seals on the server and displaying a user-selected icon in the browser when the user is accessing the genuine bank server. This method helps against phishing, DNS cache poisoning, and other redirect attacks.

Transaction monitoring - This is not strictly an authentication tool, but monitoring online sessions for high-risk activity such as known trojan behaviors, both at initiation and while the session is in progress, is a very strong complement to the other authentication techniques described here. Flagged activities have to be acted upon in real time; examples of appropriate responses include sending an alert to the user or an out-of-band transaction verification as described above, blocking access to the online account, or blocking the bank account. This helps against all types of fraud attacks.

Browser-based controls - Institutions can use client-side tools that lock down the user's web browser against malware infection and exposure of sensitive data. This approach helps against a wide array of online fraud attacks, particularly MITM and MITB.


While none of these techniques is completely "airtight" on its own, each one has its own strengths and weaknesses. When used together, they form a solid defense-in-depth approach to protecting the institution's "electronic front door".
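The one-time password mechanism described in the Facebook post above and in the out-of-band authentication item of this list is sketched below in Python as an added example; it is not code from either post or from any vendor. The 20-minute validity window comes from the Facebook post; the six-digit code length, the five-attempt limit, salted PBKDF2 storage of the code, and the names OtpService/OtpRecord are assumptions made for this example. The code is returned from issue() only so that a caller can hand it to the out-of-band channel (an SMS gateway in the posts); the verifying side keeps only a salted hash, enforces expiry, rejects replay of a used code, and caps guesses, since a short numeric code is otherwise easy to brute-force online.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


# The 20-minute window is the one the post describes; code length and attempt
# limit are assumed values chosen for this example.
OTP_TTL_SECONDS = 20 * 60
OTP_LENGTH = 6
MAX_ATTEMPTS = 5


@dataclass
class OtpRecord:
    """Server-side state for one outstanding code.

    Only a salted hash of the code is kept, so a read of this table does not
    reveal a still-valid code.
    """
    digest: bytes
    salt: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issue and verify single-use, time-limited codes sent over a second channel.

    issue() returns the clear code only so the caller can pass it to the
    out-of-band channel (e.g. an SMS gateway); it is never sent back over the
    web session that requested it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user_id -> OtpRecord

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)

    def issue(self, user_id: str) -> str:
        # secrets, not random: the code must be unpredictable.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        salt = secrets.token_bytes(16)
        # A fresh request replaces any outstanding code for this user.
        self._pending[user_id] = OtpRecord(self._hash(code, salt), salt, self._clock())
        return code

    def verify(self, user_id: str, code: str) -> bool:
        rec = self._pending.get(user_id)
        if rec is None or rec.used:
            return False                       # nothing outstanding, or a replay
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]         # expired: a new request is needed
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]         # cap online guessing of a short code
            return False
        if hmac.compare_digest(self._hash(code, rec.salt), rec.digest):
            rec.used = True                    # single use
            return True
        return False


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")        # in production this goes to the SMS gateway
    print("delivered out of band:", code)
    print("first use:", svc.verify("alice", code))   # True
    print("replay:", svc.verify("alice", code))      # False
```

The expiry and attempt checks run before the hash comparison so that an expired or locked-out code is discarded regardless of what was submitted, and the comparison itself uses hmac.compare_digest to avoid leaking the digest through timing differences.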

Friday, June 25, 2010

IPS needs to have SSL inspection

The Next-Generation IPS


The network IPS isn't like the firewall -- it's not a must-have security device found in most every enterprise network. Even so, today's intrusion prevention system is still gaining new features and becoming more tightly integrated into the security infrastructure.

The IPS is sharing more traffic attack data with the firewall and gaining virtualization features, horsepower, and enhancements to become more application-aware, as well as to help secure client machines. Compliance has helped keep the IPS alive and well, despite predictions of its demise over the years.

And it could be the federal government that gives IPSes a big boost: The U.S. Department of Homeland Security is currently testing out an IPS system called EINSTEIN 3 that could eventually be deployed across all executive branch civilian networks. Even so, some security experts remain skeptical about the IPS finding a real home in the enterprise.

Refer here to read more details.

Wednesday, June 23, 2010

Employees are the first line of defence, says PwC

Staff should lead in preventing security attacks

A company's employees are its best defence against security threats, and should be empowered and educated about technology risks, according to a new report from PricewaterhouseCoopers (PwC).


The consulting firm said in its Protecting your Business report (PDF) that organisations are too complacent about security, and assume that they will not be affected. This lax attitude filters down to workers, who then believe that security is "someone else's problem".

PwC argued that companies should make staff more aware of the security risks, and educate them on how to defend against attacks. "The goal is that all those working for an organisation are alert to the risks, will want to act to protect information and will be actively supported in doing so," said Craig Lunnon, senior manager of HR services at PwC.

Only by assessing employee behaviour, and improving their security awareness, will enterprises be able to invest in effective technology, he added.

Security investments will otherwise be fragmented, or create convoluted systems that staff will often bypass in favour of doing their jobs.

PwC also advised organisations to persuade staff to defend against, rather than cause, security threats, and to ensure that they are aware of their own responsibilities.