InReview...
In an effort to maintain a standard of excellence and render
unbiased opinions, we utilize resources from public and private domains. We
believe it is important to share some of the public information we review in
the course of our security research and will occasionally post additional
articles of interest to our InReview section.
CDT Legislation Guide
As a tool to promote user awareness, the CDT provides an up-to-date Legislation Guide to pending federal legislation affecting the Internet.
CIS - The Center For Internet Security
CIS is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
Defense Information Systems Agency
DISA Checklists and Implementation Guides published by NIST
DHS - IAIP: Information Analysis & Infrastructure Protection
Intelligence Analysis and Alerts | Critical Infrastructure Protection | Cyber Security
Federal Information Processing Standards
FIPS PUB 199 (recent): Standards for Security Categorization of Federal Information and Information Systems.
Federal Regulations Comment Site
Regulations.gov is the U.S. Government's one-stop website that makes it easier to comment on and participate in Federal rulemaking.
Federal Trade Commission
DEWIE: Computer Security and Safeguarding Personal Information for Consumers and Businesses
National Institute of Standards and Technology (NIST)
Computer Security Resource Center | Publications Library
National Security Agency Security Recommendation Guides
National Strategy to Secure Cyberspace (Publication)
NRIC - The Network Reliability and Interoperability Council
NRIC Best Practices are a treasure for the communications industry. They are vital to the reliability of the nation's public communications networks and services.
Reich Associates, Inc.
Located in Lakehills, Bandera County, Texas, Reich Associates supplies custom-designed high-voltage power supplies; corona generators; sales and service of two-way radio communications equipment; specialized computer systems; and electronics design.
Security is a multi-level, procedure-oriented applied process, not a single product, and its countermeasures can be difficult to balance with business requirements and functionality. The core of Information Security and Risk Management is the analysis and ability to elicit measurable levels of risk and apply suitable countermeasures that will eliminate vulnerabilities and mitigate exposure. Implementing adequate safeguards to protect the complex interdependencies of business assets requires a comprehensive understanding of the threats that exploit vulnerabilities, the calculable probability that such exploitation will occur, and the damage and financial impact the loss of a particular asset will have on an organization. Although it is cost-prohibitive and fundamentally impossible to eliminate all risk, it is extremely important to exercise due care and sufficiently identify risk so you can protect your infrastructure and prevent a threat from exploiting it.
As people, processes, and technology evolve, vulnerabilities will remain a
moving target. Securing against the unknown is a daunting task; however,
increasing security awareness and proactive risk management can yield
significant results toward protecting business assets. To this end, I highly
recommend the use of certified security professionals who possess extensive
experience in their respective fields. I post links to an array of security
sites and articles published by prominent members of the forensics and
security profession and hope you find the content on this site beneficial.
Please see the Alerts and Technical Resource Links for additional security
research information.
NCSP Task Force Releases Security Software Lifecycle Report
Task force members have considered how to achieve meaningful and measurable vulnerability reductions through collaborative standards, tools and measures for software; new tools and methods for rapid patch deployment; and best-practice adoption across the entire critical infrastructure. The work has included discussion of how to build — and how to teach building — secure software from the ground up, as an embedded and simple feature in all software systems going forward. This important task force comprises software experts from the vendor, systems integration and end-user communities. A copy of the full report and executive summary is available here. The task force software process subgroup section of the report, Processes to Produce Secure Software, is available at Cigital.
The National Cyber Security Partnership (NCSP)
is led by the Business Software Alliance (BSA),
the Information Technology Association of America (ITAA),
TechNet and the
U.S. Chamber of
Commerce in voluntary partnership with academicians, CEOs, federal
government agencies and industry experts. Following the release of the 2003
White House National Strategy to Secure Cyberspace and the National Cyber
Security Summit, this public-private partnership was established to develop
shared strategies and programs to better secure and enhance America’s
critical information infrastructure.
Approaches To Measuring Security
On June 13 and 14, 2000 the Computer System Security and Privacy Advisory
Board (CSSPAB) conducted a workshop on security metrics. The goal of the
workshop was to survey current information infrastructure protection metrics
and their uses and to determine any voids. The focus was on non-classified
systems. Workshop presentations are available here in both PDF and PowerPoint formats. A report of the workshop is also available.
Auditing Web Site Authentication
By Mark Burnett - SecurityFocus
This two-part article highlights some basic questions that should be asked to help mitigate online fraud and identity theft from seemingly secured websites. The authentication scheme, standards and audit policies, or lack thereof, may be the prevailing security hole and can be the easiest to fix, notwithstanding the many password myths covered by Mark’s Ten Windows Password Myths article.
Part One | Part Two
A Proven Paradigm for Best Practices in Information Security
The compelling similarities of securing different environments are clearly
articulated in this analogical article. It underscores why certain
inconveniences are necessary to maintain secure environments and illustrates
the difficulty associated with protecting the integrity of mission-critical
operations without limiting functionality. Bridging the gap between a theoretical understanding of information security best practices and the reality of implementation requires a top-down executive sponsorship approach. Posted by ITsecurity.com
Blended Attacks: Exploits, Vulnerabilities, and Buffer-Overflow Techniques in Computer Viruses
In this paper, the authors not only cover such techniques, but also show how computer viruses use them to their advantage.
PDF File
Close Encounters of the Hacker Kind: A Story from the Front Line
Hackers, Viruses, and Trojans can cause plenty of headaches, as author Seth
Fogie knows from personal experience. Although this article contains many
mistakes from a forensics perspective, which was not the original objective,
it is a good read about the author’s experience with a server that was
repeatedly hacked.
Part One | Part Two
The Complete Windows Trojans
A Frame4 Security Systems
publication about Windows Trojans, how they work, their variations and
strategies to minimize the risk of infection. Links to detection software
are included as well as many other topics.
PDF File
Definitions and Value of Honeypots
By Lance Spitzner
The definitions and value can be subjective; however, a collaborative effort (see the SecurityFocus Honeypot Definition Thread) concluded: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." As perplexing as the definition is, see also Are They Illegal?, Dynamic Honeypots and Honeytokens: The Other Honeypot, all by Lance Spitzner.
See our Security & Forensic Tools section for additional Honeypot information.
The Enemy Within: Firewalls and Backdoors
By Bob Rudis, CISSP, and Phil Kostenbader, CISSP - SecurityFocus
Can your security infrastructure protect you when you've left the key under
the mat? This article presents an overview of modern backdoor techniques,
discusses how they can be used to bypass the security infrastructure that
exists in most network deployments and issues a wake-up call for those
relying on current technologies to safeguard their systems and networks.
HIPAA Security Standards Final Rule Published
The final rule (PDF File) adopting HIPAA standards for the security of electronic health information will be published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. See also hhs.gov, HIPAAdvisory.com and CERT's OCTAVE criteria and methodologies. HIPAA Security Rule: What It Is & How to Comply with It, by Steven Weil - SecurityFocus.
Intelligence Gathering Techniques
Chapter 8 from Network Intrusion Detection: An Analyst's Handbook.
Stephen Northcutt is currently the Chief Information Warfare Officer for the
U.S. Ballistic Missile Defense Organization, original developer of the
Shadow intrusion detection system, and former head of the Department of
Defense's Shadow Intrusion Detection team. He is the author of Incident
Handling: Step-by-Step and Intrusion Detection: Shadow Style, both published
by the SANS Institute. Stephen is a featured lecturer and co-chair of the
SANS Conference and is the program chair of the first Intrusion Detection
Conference.
Know Your Enemy
A Honeynet Project series dedicated to teaching the tools, tactics, and
methodologies of common security breaches and threats. The KYE series of
whitepapers has two purposes. The first purpose is to share the information the Honeynet Project has learned about blackhats. Most of this information is on common threats, individuals or automated tools targeting large numbers of systems using known methods or tools. The second purpose of our papers is to share the tools and techniques by which that information was obtained and analyzed.
Network Scanning Techniques
Understanding intrusion reconnaissance can help identify penetration and
strengthen network security. This article examines some scanning types
combined with hard-to-detect or even non-detectable scanning techniques.
PDF File
No Stone Unturned
By H. Carvey - SecurityFocus
A six-part series to help determine the nature and purpose of suspicious files found on NT/2K systems. This series references another great paper by Lenny Zeltser, "Reverse Engineering Malware", which can be found at: PDF | HTML
Point and Counterpoint
Regardless of which opinion you support, the recent CCIA publication “CyberInsecurity: The Cost of Monopoly” (PDF) and its counterpoint “The Flaw of Security Through Diversification”, published by SecurityFocus, provide an interesting gaze into the abyss of security and the complexities involved in mitigating risks.
Snake Oil Warning Signs: Encryption Software to Avoid
By Matt Curtin
PDF | HTML
Good cryptography is an excellent and necessary tool for almost anyone. Many
good cryptographic products are available commercially, as shareware, or
free. However, there are also extremely bad cryptographic products which not
only fail to provide security, but also contribute to the many
misconceptions and misunderstandings surrounding cryptography and security.
Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues
Special Report by Carnegie Mellon Software Engineering Institute, Howard F. Lipson, Ph.D.
CMU/SEI-2002-SR-009 | PDF File
Part I of this report examines the current state of the Internet environment
and the reasons why tracking and tracing cyber-attackers is so difficult.
Part II examines some promising research on technical approaches that may
greatly improve the ability to track and trace cyber-attacks to their
source. Also discussed are some policy considerations with regard to
privacy, information sharing, liability, and other policy issues that would
be faced by the U.S. State Department in negotiating international
agreements for cooperation and collaboration in the tracking and tracing of
cyber-attacks. The report concludes with a closer look at technical and
policy considerations for next-generation Internet protocols to enhance
track and trace capabilities.
Tracking Down Phantom Host
By John Payton - SecurityFocus
In an effort to mitigate the security risk associated with a rogue server, this article explains how to locate that problem host when you are not sure of its physical location.
Texas Statutes
The Texas Statutes Penal Code
Title 7 Offenses Against Property includes
computer crimes and
telecommunications crimes. It is a crime to make unauthorized use of
protected computer systems or data files on computers, or to make
intentionally harmful use of such computers or data files.
The FBI uses a number of Federal Statutes to investigate computer crimes, including the Federal Rules of Evidence. See How the FBI Investigates Computer Crime at CERT, and the Department of Justice CCIPS (Computer Crime and Intellectual Property Section, Criminal Division) Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.
U.S. Information Security Law
By Steven Robinson - SecurityFocus
Part One: Protecting Private Sector Systems, and Information Security Professionals and Trade Secrets.
Part Two: Protecting Private Sector Systems and Securing the Working Environment.
Part Three: Information Security and the Public Sector - An Introduction to the Criminal Law of Information Security.
Part Four: Information Security and the Public Sector - An Introduction to the National Security Law of Information Security.
Protect Critical Business Assets and Public Infrastructures
Please see our Alerts section for Security Mailing Lists and for Patch Resources, Internet Status Reports, DNS Statistics, Block Lists, Spam, Common Vulnerabilities and Exposures, Information Technology and Homeland Security News.
The legendary Jim Boyce
is a renowned expert with operating systems and business productivity
software. He has authored and co-authored about 50
books in the past
decade that are essential for any technical library. We are grateful for his
endless contributions to the industry.
e-evidence.info is the most distinguished Electronic Evidence Information Center on the Internet. In addition to digital forensics and electronic evidence information, please review their notable list of new and soon-to-be-released computer forensics books such as Windows Forensics and Incident Recovery by Harlan Carvey, a leading voice of authority in incident response and Windows-based forensics.
CIAC-2324 (PDF File): Connecting to the Internet Securely; Protecting Home Networks.
CISCO Self-Defending Network
The Cisco
Self-Defending Network initiative is an innovative, multiphase
security approach that dramatically improves network capability for
identifying, preventing, and mitigating security threats. Cisco Network
Admission Control (NAC), the first program announced under the Cisco
Self-Defending Network initiative, helps customers use Cisco network
infrastructure to limit damage from viruses and worms.
Computer Security Incident Response Teams
Security threats have become more diverse, stealthy and disruptive, and now more than ever underscore the need to integrate computer security incident response teams as a component of information technology programs. The NIST Computer Security Incident Handling Guide SP 800-61 (PDF) and the CERT Handbook for Computer Security Incident Response Teams (CSIRTs) (PDF | CSIRT FAQ) will help prepare your team to address and respond to computer security incidents. See our Security Reporting and Tracking page for additional incident handling and response information.
Information Security Forum
The ISF
Standard of Good Practice for Information Security is designed to
help any organization, irrespective of market sector, size or structure,
keep the risks associated with its information systems within acceptable
limits.
NIST SP 800-27 - PDF File (183,214 bytes)
Engineering Principles for Information Technology Security - A Baseline for Achieving Security presents a list of system-level security principles to be considered in the design, development, and operation of an information system.
NIST SP 800-55 - PDF File (569 KB)
Security Metrics Guide for Information Technology Systems provides guidance on how to establish a metrics program to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related IT security data.
NIST SP 800-68 (DRAFT)
Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist.