Wednesday, August 31, 2016

Cloud Storage 101


With today's need for more data storage, cloud services are used more and more, and securing the data that lives there is a real concern for users and cloud administrators alike.  First, what is 'the cloud'?  Simply put, it is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.  This means a user can store documents, pictures, videos, music, etc. remotely to save valuable hard drive space on their local machine.  With the amount of cloud storage available, a user wants to be sure their data stays secure and private and does not lose integrity.  For a home user storing personal pictures, security may not seem too important, but think of the businesses that rely on cloud storage to keep PII, financial records, business plans and the like; they need to know the data is secure.  The threats to cloud storage are well known and include DDoS attacks, permanent data loss, malicious insiders, account hijacking, and exploited system vulnerabilities, to name a few.

How is this achieved?  One way is data encryption, but encryption alone is not foolproof: a lost or rotated key, or a system hiccup during decryption, can leave the data corrupt and unusable, so keys need to be backed up and the stored data needs an integrity check so that corruption is detected rather than silently decrypted into garbage.  A cloud customer should ask the provider what measures are in place for data security, for instance the physical controls (biometrics, PIN entry) at the location where the data is stored.  Cloud APIs and software-as-a-service are still evolving, which means updates can be frequent, but some providers do not inform their customers that these changes have been made.  A change to the API or the platform configuration affects every tenant within the cloud, and one change could fix one bug while creating another.  Customers should ask whether updates have been made, what security controls have been put in place to protect their data, and exactly what has changed with the system.
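The integrity part of that advice is something the customer can check without trusting the provider.  The following is an added example written for this page (not code from the original post or from any cloud provider's SDK): the customer keeps a manifest of SHA-256 digests for everything uploaded, authenticates the manifest with an HMAC key the provider never sees, and verifies every download against it, so a corrupted or silently modified object is reported instead of being used.  The key, the file names and contents, and the in-memory "bucket" are all constructed stand-ins.

```python
"""Customer-side integrity manifest for objects kept in cloud storage.

Added example for this post, not code from the original article or any
provider's SDK.  It assumes the customer keeps an HMAC key locally (the
provider never sees it) and stores the manifest next to the objects.  The
'bucket' below is an in-memory dict standing in for real object storage,
and the file contents are constructed sample data.
"""
import hashlib
import hmac
import json


def build_manifest(objects, key):
    """Digest every object and authenticate the whole digest table.

    objects: dict of object name -> bytes as uploaded
    key:     customer-held HMAC key (bytes)
    Returns the manifest dict to upload alongside the objects.
    """
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in objects.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def manifest_is_authentic(manifest, key):
    """True only if the manifest's HMAC matches under the customer key."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, manifest["tag"])


def verify_download(name, data, manifest, key):
    """Check one downloaded object.  Returns (ok, reason)."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest tag invalid (manifest altered or wrong key)"
    if name not in manifest["digests"]:
        return False, "object not listed in manifest"
    if hashlib.sha256(data).hexdigest() != manifest["digests"][name]:
        return False, "object digest mismatch (corrupted or tampered)"
    return True, "ok"


# Constructed sample data standing in for files and a cloud bucket.
KEY = b"customer-held-32-byte-secret-key"   # assumed; never uploaded
FILES = {
    "plans/q3.txt": b"Q3 business plan: expand to two new regions.",
    "hr/payroll.csv": b"employee,salary\nalice,100000\nbob,95000\n",
}
BUCKET = dict(FILES)                # what the provider stores
MANIFEST = build_manifest(FILES, KEY)


def demo():
    """Return the verdicts for an intact, a corrupted and a missing object."""
    intact = verify_download("plans/q3.txt", BUCKET["plans/q3.txt"], MANIFEST, KEY)
    # simulate a bit flip or an insider edit on the provider side
    corrupted = verify_download("hr/payroll.csv",
                                BUCKET["hr/payroll.csv"].replace(b"95000", b"195000"),
                                MANIFEST, KEY)
    missing = verify_download("hr/bonus.csv", b"", MANIFEST, KEY)
    return intact[0], corrupted[0], missing[0]


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The manifest is checked before any object digest, so an attacker who can rewrite objects in the bucket cannot simply rewrite the digest table to match; without the customer's key the tag no longer verifies.  The same manifest doubles as the inventory for the local backup the post recommends.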

One deployment model is the hybrid cloud.  A hybrid cloud combines public and private clouds within the same network, which lets an organization benefit from both deployment models.  For example, an organization could hold sensitive information in its private cloud and use the public cloud for handling large traffic spikes and other demanding situations.  Separating the data this way, sensitive on private and high-volume on public, is considered a safer practice for companies, provided the link between the two clouds and the access controls on the private side are themselves secured.

Many companies offer free cloud storage to their users; Apple, Google and Dropbox, to name a few.  The user can purchase more storage if the amount that comes free isn't enough.  One of the benefits of cloud storage is availability from any device with an Internet connection.  This saves valuable hard drive space and makes accessibility a breeze.



When cloud storage is used, it is always best practice to make sure the user has a backup of all important data, even though the data is in the cloud.  I would go a step further and say do not put PII or any personal data in the cloud.  Be certain that when you use cloud storage you know the security risks involved and the safe practices of the provider.

Thursday, February 18, 2016

IT at the Speed of Light......

Today's IT person needs to wear many hats to be relevant and hirable.  Long gone are the days of only needing to be proficient in a few areas of the IT industry.  Ten years ago this was the normal path to a solid career in IT, but with the huge growth of technology this is no longer the case.
Long gone are the days of having one certification and being able to land a primo job.  Today a person needs to be a "Jack of all trades" and a master of a few.  IT security can require the person to have knowledge of many operating systems, devices and software.  The system may be local on site or housed thousands of miles away, on a virtual machine in the cloud or an actual machine.

The use of mobile devices opens another door of vulnerabilities.  The average mobile device user has no clue about the security risks involved with their devices.  One common mistake is that the device is not password protected, or uses a weak password that is easily guessed.  If an employee uses their mobile device for work email or other applications and loses the device, this could be a major security risk.  There's also the risk of using unprotected (unencrypted) Wi-Fi.  An IT technician needs to have a good grasp of mobile devices and know how to configure them, keeping in mind that someone will be walking around with the device and could easily lose it or have it stolen, so a screen lock, storage encryption and remote wipe all matter.  Knowing how to secure a virtual machine in the cloud is another area IT security people need to know and understand.  It is the security technician who is the first line of defense keeping a network secure.  Cloud storage is another security risk, and knowing how to secure it is becoming more common for companies big and small.

A well-rounded IT person can take care of an array of equipment, including printers, iOS devices, RFID technology, scanners, mobile devices, servers, firewalls, etc.  It's no longer a singular career.  Having industry certifications can be the difference in landing a job or not.  It's becoming more common for IT employees to hold multiple certifications, with or without a 4-year college degree.  Not all certifications are created equal either.  Some professional certifications require that you study hard and pass a test; others require that you have years of experience in a specific field before you can even apply to be considered.  Before you decide that a certification is your ticket to a career jump or a promotion, you need to determine whether the certifications that will get you ahead in your field are the ones that require skills, experience, or just a few classes.

The world of technology moves at the speed of light, which requires IT personnel to learn and change with it.  In the field of IT it's common to learn something new every day and apply it along with something you learned years ago.


Friday, November 15, 2013

Phishing not Fishing


Phishing attacks have risen dramatically since their inception, and anyone is a target. What is phishing? Phishing is an attack which attempts to acquire information like user names, passwords, credit card details and bank account information by impersonating a trustworthy entity in electronic communications, i.e. email. The email could contain a link to what appears to be a trustworthy website, like your bank or credit card company, but the site is actually controlled by the attacker. The site can capture whatever the victim types into its forms, in order to get user names, passwords and PINs for accounts, and may also infect the user's computer with malware and viruses.

There are different types of phishing techniques. The most common is sent as described above and directed at numerous victims. Spear phishing is directed at specific individuals or companies. The message appears to be from the company's human resources department or technical department and may ask a user to update their user name and password. Once the attackers have received this information they have gained access to the network and can attack it. The message may also direct the victim to click on a link which will launch an attack that could steal personal information.

There is also whaling. This type targets upper management in private companies. The content is crafted to target an upper manager and the person's role in the company. The attack email is often written as a legal subpoena, customer complaint, or executive issue. The attack appears to be a critical email sent from a legitimate business source. There is usually a link that can look very legitimate, and once the user clicks it the phishing attack launches.


Phishing was reported as early as the mid-1990s, when it hit AOL. A program dubbed AOHell provided an automated password- and credit-card-stealing mechanism. What began as a scheme by rebellious teenagers to steal passwords evolved into one of the top computer security threats affecting people, corporations, and governments.

When phishing first began, the emails were full of text, had misspelled words and poor grammar, so they were much easier to recognize as spam. Throughout the years tactics have changed. Around 2003 email fraudsters began registering dozens of lookalike domain names. They also created websites whose hostnames contain the names of well-known companies and brands, like microsoft.checkinfo.com; the registered domain there is checkinfo.com, and "microsoft" is just a subdomain label its owner chose. Unaware of the attack, a recipient would click on the link, causing their personal information, network information, and various other things to be compromised.
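To see why microsoft.checkinfo.com is a lookalike and login.microsoft.com is not, here is an added example written for this page (not code from the original post): it reduces a hostname to its registrable domain, checks whether a brand name appears as a label the brand does not control, and catches one-character typosquats by edit distance. The public suffix list and the brand-to-domain table are tiny constructed stand-ins; a real deployment would use the full Public Suffix List and the organization's own inventory of legitimate domains.

```python
"""Flag phishing-style lookalike hostnames such as microsoft.checkinfo.com.

Added example for this post, not code from the original article.  The
brand table and the suffix list are tiny constructed stand-ins: a real
deployment would use the full Public Suffix List and the organization's
own inventory of legitimate domains.
"""
from urllib.parse import urlsplit

# Constructed: suffixes under which customers register names.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed: brand token -> registrable domains that legitimately carry it.
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host):
    """Return the part of the hostname a registrant actually controls.

    'microsoft.checkinfo.com' -> 'checkinfo.com': the 'microsoft' label
    is just a subdomain chosen by whoever owns checkinfo.com.
    """
    labels = host.lower().rstrip(".").split(".")
    # try the longest matching public suffix first (co.uk before uk)
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats like micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url):
    """Return one of: legitimate, brand-in-subdomain, brand-in-domain,
    typosquat, unknown."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    # labels to the left of the registrable domain are chosen by its owner
    sub_labels = labels[:len(labels) - len(reg.split("."))]
    for brand, legit in BRANDS.items():
        if reg in legit:
            return "legitimate"
        if brand in sub_labels:
            return "brand-in-subdomain"     # microsoft.checkinfo.com
        if brand in reg:
            return "brand-in-domain"        # paypal-secure.com
        if any(edit_distance(reg, d) == 1 for d in legit):
            return "typosquat"              # micros0ft.com
    return "unknown"


if __name__ == "__main__":
    for u in ("https://login.microsoft.com/", "http://microsoft.checkinfo.com/verify",
              "https://micros0ft.com/login", "paypal-secure.com"):
        print(u, "->", classify(u))
```

The important step is the first one: everything to the left of the registrable domain is under the attacker's control, so a brand name there proves nothing.  Mail filters and browser warnings that only look for the brand string anywhere in the URL get this backwards.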


How do you stop phishing? The most important part is for ALL users to be aware of these tactics. If you receive an unexpected email from someone you don't know, delete it. Your bank, ISP or credit card company will NEVER send you an email asking you to provide your user name and password. If you receive this type of email on a business email address, send it to the IT department for further action. At home it's important to keep your system safe. To do this, make sure your firewall or email filter has phishing filtering enabled and does not allow suspicious items through the network. Also make certain the anti-virus is up to date and running in protection mode. Even with these steps in place you may get attacked, so make certain all your invaluable data is backed up and you have a plan for recovery.

Wednesday, November 13, 2013

CIA, Botnets and other client side attacks.

CIA and Client Side Attacks



The first line of defense is user awareness and education. A client's account should be set to only the level of access required to perform their job without any problems. This is where Confidentiality, Integrity and Availability, the key security goals in the digital world, come in. A client should protect all their sensitive information from unauthorized access. Protecting confidentiality hinges upon defining and enforcing appropriate access levels for information; this is the "need to know" principle. Integrity is about the accuracy of data: has it been changed or manipulated by unauthorized parties, and if changes have been made, can they be detected and undone? This leads to the next, availability. Systems, access channels, and authentication mechanisms must all be working properly for the information they provide and protect to be available when needed. Even with awareness education and strict policies in place there can still be network attacks.


Client side attacks are the most common and easiest way for malicious threats to enter a network. A user will click a link that looks harmless, or download and open an infected email attachment. A client can even visit a seemingly harmless website which delivers malicious code, rootkits, viruses, bots, etc. without the client knowing (a drive-by download). Web plug-ins such as Java, Adobe Reader, ActiveX, Flash and many media players are common targets for exploitation. The lack of firewall protection from the "inside out" (no egress filtering) is another way threats spread: malicious code passes through the firewall undetected inside ordinary client traffic, is launched inside the network, and is then free to call home and infect the rest of the network. Technical methods include code injection, cross-site scripting (XSS), phishing scams, email attachments and social networking. A common pattern is emailing malicious content which, once opened, makes the client host that content and pass it onward without the user's knowledge.

Botnets are another client side attack, where computers are infected with a malicious application called a bot and become 'zombies'. The hidden code enables a person, the "bot herder", to control the bot. Botnets are groups of zombie computers being remotely controlled by the bot herder. A bot herder, also referred to as a bot master, can be one person or a group of people. Their primary goal is to make certain the botnet stays intact. The herder issues commands through command-and-control (C2) servers; the bots typically locate those servers through DNS lookups, which to the user look like ordinary name resolution, and the herder uses that channel to push new malicious code to the infected clients. Each infected client is a zombie, and a group of zombies is a botnet. Bots can be used to harvest sensitive information such as bank account details, user names and passwords, to record keystrokes and to send spam emails. This is also a popular way to launch a DoS attack and to poison search results, which spreads the infection. One way to detect bots is by viewing packets which contain an executable in a text editor and looking for common strings. "LoadLibrary" is commonly referenced by bots and other malicious code that resolves Windows functions at run time. The string "Kernel32.dll" means the executable imports the Windows base API from that library; it does not mean the bot is altering the kernel, since kernel32.dll is an ordinary user-mode library that almost every Windows program uses.
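As an added example (not code from the original post), here is a small triage script that does what the paragraph describes by hand: it recovers printable strings from a captured blob, checks for a real PE header (an "MZ" stub whose e_lfanew field points at "PE\0\0"), and flags API strings such as LoadLibraryA and kernel32.dll along with any embedded URLs. The sample payload is constructed (a fake PE header plus the kinds of strings a dropper carries), not a real malware sample, and the indicator list is an assumption for illustration.

```python
"""Spot an executable and its tell-tale API strings inside captured bytes.

Added example for this post, not code from the original article.  The
sample payload is constructed: a fake MZ/PE header followed by the kinds
of strings a packed bot drops, not a real malware sample.  Real binaries
carry these strings legitimately too, so the indicators are triage hints,
not verdicts.
"""
import re

# Assumed indicator table: the strings the post mentions plus common companions.
INDICATORS = {
    "LoadLibraryA": "resolves DLLs at run time (typical of packers/droppers)",
    "GetProcAddress": "resolves API functions by name at run time",
    "kernel32.dll": "imports the Win32 base API (not kernel modification)",
    "WinExec": "launches another program",
    "InternetOpenUrlA": "fetches a URL (possible C2 or second stage)",
}


def extract_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def looks_like_pe(blob):
    """MZ at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3c)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(blob):
    """Summarize executable markers, suspicious API strings and URLs."""
    strings = extract_strings(blob)
    hits = {ind: why for ind, why in INDICATORS.items()
            if any(ind in s for s in strings)}
    urls = [s for s in strings if s.startswith(("http://", "https://"))]
    return {"is_pe": looks_like_pe(blob), "api_strings": hits, "urls": urls}


def build_sample():
    """Constructed payload: minimal MZ stub, PE signature, then strings."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> right after stub
    strings = b"\x00".join([
        b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
        b"http://c2.example.invalid/gate.php",            # .invalid is reserved
        b"junk!!",
    ])
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 8 + strings


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"))
```

A hit on kernel32.dll alone is meaningless (every Windows program has it); the combination of a PE header inside a protocol that should not carry one, run-time import resolution, and a hard-coded URL is what makes a capture worth a closer look.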

Botnets are difficult to detect because malicious, packed and sometimes encrypted bot code passes unfiltered through the firewall to the zombie computer on the internal network.



Sniffers and Wiresharks and other fun stuff

In the network world there are many tools for doing lots of stuff, but sniffers and Wireshark are not terms you would expect to use; still, both are an important part of network security. Sniffers, also referred to as network packet analyzers or network protocol analyzers, are used to capture and "sniff" packets of data coming into your network. They can capture and record data traffic for analysis and decode the protocol fields of each packet to display them in readable form (they do not break encryption; encrypted payloads stay opaque unless you supply the keys). This shows important information such as IP addresses, protocol, host or server name, among other things.

In its simplest form a packet sniffer simply captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if the interface is placed into promiscuous mode, the packet sniffer is also capable of capturing every packet that reaches the interface regardless of destination (on a switched network that is only the traffic the switch forwards to that port, unless a mirror/SPAN port is used).


By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic that reaches that interface. Within a given network, any protocol that does not encrypt (FTP, Telnet, HTTP, POP3) transmits user name and password information in clear text, which means the credentials would be viewable by analyzing the packets being transmitted.

With these points in mind you can see how helpful a tool it is in combating malicious activity. A sniffer must run in promiscuous mode to collect traffic not addressed to the capturing host; promiscuous mode allows the system to capture frames that aren't intended to be delivered to it. Sniffers run either from a CLI (command line interface) or a GUI (graphical user interface). A CLI sniffer can write captures to a file that is then opened in a GUI sniffer. Advantages of CLI sniffers are that they are open source, have a smaller attack surface, and can write data to a file for later analysis. Some disadvantages are that by default they show only summarized header fields, and it requires a knowledgeable analyst to read the packet data.
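As an added example (not code from the original post or from Wireshark), the following decodes a raw Ethernet/IPv4/TCP frame the way a sniffer would and pulls out an FTP USER/PASS line or an HTTP Basic Authorization header, which is exactly the clear-text exposure described above. The frames are constructed by build_frame() so that it runs offline; with a real capture you would feed it the bytes from a pcap or a promiscuous-mode raw socket.

```python
"""Decode a captured Ethernet/IPv4/TCP frame and pull plaintext credentials.

Added example for this post, not code from the original article or from
Wireshark.  The frames are constructed in build_frame() so the example runs
offline; a real sniffer hands you the same bytes from a pcap or a
promiscuous-mode socket.  Checksums are left zero because nothing here
validates them.
"""
import base64
import struct


def build_frame(src, dst, sport, dport, payload):
    """Assemble a minimal Ethernet II + IPv4 + TCP frame (constructed test data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # TCP: ports, seq, ack, data offset 5 words, PSH+ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    total = 20 + len(tcp)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto 6, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    if ip[9] != 6:                           # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                # TCP data offset in bytes
    return src, dst, sport, dport, tcp[doff:]


def find_credentials(frame):
    """Look for FTP USER/PASS and HTTP Basic credentials in one frame."""
    parsed = parse_frame(frame)
    if parsed is None:
        return []
    src, dst, sport, dport, payload = parsed
    found = []
    for line in payload.split(b"\r\n"):
        text = line.decode("latin-1")
        if dport == 21 and text[:5].upper() in ("USER ", "PASS "):
            found.append((f"{src}->{dst}:21", "ftp", text))
        elif text.lower().startswith("authorization: basic "):
            creds = base64.b64decode(text.split(" ", 2)[2]).decode("latin-1")
            found.append((f"{src}->{dst}:{dport}", "http-basic", creds))
    return found


if __name__ == "__main__":
    ftp = build_frame("192.168.1.10", "192.168.1.20", 40001, 21, b"PASS s3cret\r\n")
    http = build_frame("10.0.0.5", "10.0.0.9", 50000, 80,
                       b"GET /admin HTTP/1.1\r\nAuthorization: Basic "
                       + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n")
    print(find_credentials(ftp) + find_credentials(http))
```

Base64 is an encoding, not encryption, which is why the HTTP Basic header decodes back to "bob:hunter2" with no key at all.  The same parser run on a TLS frame returns nothing, which is the real defense: the claim that credentials are "generally" in clear text holds only for protocols that never moved to TLS or SSH.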

Detecting a sniffer on your network can be difficult. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode, though, and this might be used as a means for locating rogue packet sniffers; on a Linux host, for example, the output of "ip link show" lists PROMISC among the interface flags.

GUI sniffers are also available as open source. They are able to analyze complex protocols and identify the header fields and the payload for signs of intrusion. One drawback of GUI sniffers is that their many protocol dissectors are susceptible to coding errors, so a crafted packet can crash or exploit the analyzer itself. Wireshark is an open source GUI network analyzer that is available cross-platform. It can be used for traffic analysis, network troubleshooting and security analysis. It can dissect hundreds of protocols, analyze payload and header fields, capture packets and save them to files for later analysis. Capturing with Wireshark requires elevated privileges (or membership in the capture group), but a non-elevated account can read saved capture files and analyze them, which is also the safer way to work with untrusted captures.

There are many options for sniffers, network packet analyzers and network protocol analyzers. Picking the correct one for your network can be difficult, but research and knowing the needs of your network is a good step in the right direction.

Tuesday, November 12, 2013

IDS-Intrusion Detection System and other Odds N Ends





Intrusion Detection Systems (IDS) are an important part of keeping the DoD network systems protected. An IDS is a tool to help identify when system defenses have failed; it monitors for suspicious and malicious activity and provides alerts when suspicious activities or anomalies occur. This allows for mitigation and limits damage to information systems by identifying intrusions early.

There are many threat actors and attack types which can affect information systems: black hats, hacktivists, script kiddies and crackers on one side, client side attacks and server side attacks on the other, to name a few.

Steps to preventing server side attacks include proper DMZ design, firewalls, and applying patches in a timely manner.

Server Hardening-Server hardening is the process of enhancing server security through a variety of means (removing unneeded services, restricting accounts, applying a configuration baseline), which results in a much more secure server operating environment. With these types of steps server side attacks have become less frequent but still must be protected against.


Preventing Client Side

Apply frequent patches to all client software, including Windows, Microsoft Office, third-party software such as Flash and Adobe Reader, and alternate browsers. It is also important to keep anti-virus up to date, including the definitions database. A thorough scan should be performed on a regular basis.

There are 2 types of IDS, Host based and Network based.

A host based IDS only monitors the host on which the software is installed. This is helpful for monitoring file system integrity and file permissions, and it can log specific actions of each person who has logged onto the system. Host based IDS are used to monitor intrusion attempts on critical servers. One of the drawbacks of a Host Intrusion Detection System (HIDS) is that it is difficult to correlate intrusion attempts across multiple computers.

A network based IDS watches an entire network segment, analyzes the traffic patterns and reports any suspicious activity. A network IDS usually consists of a network appliance (sensor) or a host with a NIC in promiscuous mode. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

There are 3 types of Network IDS.

Signature Based-monitors and compares packets against pre-determined signatures or "attack patterns". A signature-based system cannot detect attacks for which it has no signature.


Protocol Based-monitors the dynamic behavior and state of the protocol. It typically consists of a system or agent sitting at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting, and flagging traffic that violates the protocol's expected state machine.

Anomaly Based-a normal baseline is determined and set. Anything outside this "baseline" is considered an anomaly and therefore a possible attack. Anomaly based IDS can catch attacks that have no signature yet, but they report a higher rate of false alarms, since legitimate but unusual activity also falls outside the baseline.

When using any type of IDS it is important to know the shortcomings of each type and be prepared to handle any threat. It's important to use HIDS along with NIDS to detect penetration into a network. The two different types work hand in hand to protect the clients, hosts, servers and internal network from malicious activity.

DMZ-Not what you think it is

What is a DMZ and how to protect your network


A Demilitarized Zone (DMZ) is a buffer network between the Internet and the internal network that prevents unwanted communications without jeopardizing or interrupting public-facing services. The firewall in front of the DMZ receives all incoming packets from the outer network, inspects them and then takes the appropriate action according to the rules defined by the security administrators.

The classic DMZ consists of 2 firewalls: the perimeter firewall, which allows traffic from the Internet into the DMZ zone only, and a second, internal firewall, which allows only specific traffic from the DMZ into the internal network. This design is considered more secure since 2 devices would have to be compromised to gain access. It is even more secure if 2 different vendors are used for the devices, since it would be less likely that both devices share the same vulnerabilities. A drawback to this type is the cost of equipment. The DMZ configuration is a key aspect for it to work effectively.

Hosts in the DMZ are permitted only limited connectivity to specific hosts in the internal network, since DMZ hosts are exposed to the Internet and are not trusted as much as the internal network. Similarly, communication between hosts in the DMZ and the external network is also restricted, to make the DMZ more secure than the Internet and suitable for housing these special purpose services. This allows hosts in the DMZ to communicate with both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall performs some level of control to protect the DMZ from the external network.

Another type of DMZ is the service leg, or "3 legged" DMZ. This is common for small business or home networks. The 3 legged DMZ is constructed with 1 firewall that has 3 interfaces, configured for 3 different zones: one is the internal network, another is the DMZ network, and the third is the Internet. Each zone is configured to only "see" or "receive" the traffic meant for it. These configurations are accomplished by rules assigned in the firewall, and each zone has its own set of rules. The drawback is that a single compromised firewall exposes every zone at once.

You'll probably want to block traffic from the Internet to the internal computers. You should also restrict traffic from the DMZ to the internal network, as well as traffic from the Internet to the DMZ. Allow only the traffic that is necessary for your users to access the resources they need. This means applying the "principle of least privilege": your default is to deny all traffic, and you then allow protocols and open ports only where there is a demonstrated need.

There is a special use for a DMZ that's becoming more popular: creating a "honeynet." This is a network that consists of one or more "honeypot" computers that are designed to lure hackers, either so they can be caught or tracked, or to divert them from the network's real resources. Unlike with other DMZs, you actually want this network to be compromised.

Often the computers on the honeynet are virtual machines that are all installed on a single physical machine, and intrusion detection systems and other monitoring systems are put in place to gather information about the hackers' techniques, tactics and identities.




So as you can see DMZ is not only a place in Korea but also an important part of protecting a network.