February 2009 Archives

Since I serve on the EDUCAUSE Security Professionals Conference Program Committee, I am sure none of my readers mind the following shameless plug:

The annual Security Professionals Conference, sponsored by the EDUCAUSE/Internet2 Computer and Network Security Task Force, brings together information security professionals, IT staff, and others from across the higher education community to help improve IT security and effectively address privacy issues at institutions of higher education. The Security 2009 conference, "Safeguarding Our IT Assets, Protecting Our Community's Privacy," will focus on privacy and security topics that cut across the information assurance measures of people, process, and technology. The conference will include keynote speakers; pre- and postconference seminars; corporate displays; and sessions that address privacy and security topics in the areas of management and operations, policy and compliance, and technology. View resources from past conferences at http://net.educause.edu/securityconference.

If you work in higher education, make sure that you visit the conference! It is one of the best conferences I have ever attended with much information targeting the higher ed audience.

Conficker analysis


SRI International's Malware Threat Center recently published a technical report titled An Analysis of Conficker's Logic and Rendezvous Points. In the report, its authors, Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, do an excellent job of analyzing the different Conficker variants.

Conficker uses an array of attack vectors: some are network-based and some rely on users sharing portable media. The authors of the report pose a good question: why has Conficker been able to proliferate so widely? As they point out, one possible explanation may be the stubbornness of some PC users who avoid staying current with the latest Microsoft security patches.

Another explanation may be that corporate networks are often slow to deploy patches, even those marked critical. It is highly possible that, in an initial vulnerability assessment, security teams decided that the network-based vector is only exploitable when users enable file and printer sharing, and assigned the patch roll-out a lower priority. By now, I hope that most (if not all) security professionals are aware of the effectiveness and widespread nature of Conficker in all its variants.

However, whatever the reason may be that Conficker was so effective in spreading on a large scale, the fact of the matter is that it did. The authors of the report proceed to dissect the binary payload of the worm and describe its inner workings. For anyone who is interested in large-scale malware distribution, this paper is a must-read.

Handling sensitive information


One of the hardest incident types for an incident handler to address is the incident in which a properly authenticated and duly authorized user decides to misuse her privileges.

Imagine a situation in which an employee has access to human resources records for legitimate reasons.

As an information security professional charged with protecting that information, I am not the one who decides whether someone should be granted access (and if so, under which conditions); that assessment must be made by the information owner. In the example, if the owner of the HR database decides that a user has legitimate access, it is my job to provision that access in a controlled fashion.

On Situational Awareness


As information security professionals, a lot of what we do revolves around the concept of an incident. Most of my time is spent trying to prevent harmful deviations from the norm from happening in the first place, but sometimes things happen and we need to respond to such an occurrence. Having the appropriate planning in place, so that you know what you will be doing, helps tremendously. All plans are subject to what happens in the real world, and those real-world events will influence the execution of the plan.

Pentesting with BackTrack


I am far behind on reading blogs; Twitter is impossible to keep track of, my inbox is overflowing and I have not been posting to my blog very much.

Why is that, you ask?

Good question!

It is because I have been spending most of my free time not on reading blogs, Twitter or email, but on working my way through the lab guide of Offensive Security's Pentesting with BackTrack class.