#coletalks

What is a Security Plan?

A Security plan is a a document addressing the security needs of a organization. It’s a “live” document that is periodically reviews and revised.

A good security plan is an official record of current security practices and a blueprint for orderly change to improve these practices. It also gives developers and users a way of measuring the effects of proposed changes, leading to more improvements. This plan should looks to Achieve the 3 Security Goals.

3 Security Goals:

Confidentiality:

Limiting information to only those who are allowed to access it, preventing those who are not. Using techniques such as encryption and access-control.

Integrity

Making sure data is consistant. Using techniques such as error checking, certificates, and digital signatures to make sure data is trustworthy and cannot be altered by a thrid party.

Availability

Availability insures that resources are available and functional, involves things like redundancy and backups.

Contents of a Security Plan:

Policy:

High level statement of organizations security goals. Where the responsibility for security lies and the organizations commitment to security. What is the organization protecting, who is responsible to over see this security and the lengths at which the organization will go for this security.

Current State:

A description of what the current state of security is, listing vulnerabilities to which the system is exposed; who is responsible for protecting what assets; and setting boundaries to those responsibilities. Must be clear who exactly is responsible for what and where their responsibility ends. This leaves no gray areas where responsibilities overlap.

Requirements:

The functional and performance demands on the system to meet the desired level of security. If your security requirements say you need to bio metric identification you’re going to need processing power and equipment to meet this.

Recommendations:

Recommended security techniques and mechanisms that should be put in place to meet the organizations security requirements. Things like password salting and hashing, honey pots, etc.

Accountability:

Who is responsible for each security activity.

Timetable:

When each security goal should be achieved. This help keep the organization on track implementing the security required.

Evaluation Methods:

How to measure the effectiveness of the plan.

Questions to be Addressed:

What needs to be protected? (Inspection)

This can be achieved through Risk Analysis:

Make a formal inventory of all resources (information, software, equipment, algorithms, etc)

Assign ownership of each of these resources (creator, maintainer, user)

Determine value of each resource.

For each resource, list the threats that could cause damage.

Calculate the risk impact, risk probability, risk exposure, and risk leverage of each resource.

Risk Impact (RI): cost to replace resource.

Risk Probability (RP): likely hood of attack on resource.

Risk Exposure (RE): RI x RP = RE.

Risk Leverage (RL): ((RE before security) – (RE after security)) / (cost of security) = RL

When deciding what to use security budget on, protect the resources with the highest RL. The higher the RL the more bang you get for you buck.

How to Protect?

Deploy tools for achieving the 3 security goals for each resource or set of resources, starting with the ones with the highest risk leverage.

How to detect Intrusion?

Detection is all about detecting when an attack has happened, anyone who says their system is 100% secure is either lying or there system is an encrypted CD encased in a block of reinforced concrete buried a km into the earths crust. So you must make sure you can detect when an attack happens.

Some tools and techniques for Detection are:

Signature Analysis:

Comparing log files to the signatures of other attacks. Useful for things like DDoS or detecting brute force attacks etc.

Anomaly Detection:

Look for unusual activities or statistic anomalous behavior.

Dynamic Analysis: (Signature Analysis + Anomaly Detection)

Determine if an attack is underway; tools utilize audit trails and network traffic logs.

Honey Pots:

Sub networks configured with vulnerabilities and not resources of value. Used to study how systems are attacked and identifying attackers that you would want to block from your real resources.

How to React to a attack?

You must have plans in place to react to an attack.

Some Strategies:

Prepare a rapid response team, a team available to be notified 24/7; and given authority to respond to attacks.

Develop a network disconnect plan

Develop rapid recovery procedures (Backup servers, redundant databases etc)

Assess the damage.

Restore information from a trusted backup

Monitor the system for indications of a continued attack.

What to do after an Attack?

You must have procedures in place to reflect on attacks and improve security to prevent them in the future.

Some Steps to Take:

Assemble the information from all involved.

Conduct post-incident briefings to gather information that was not recorded.

Create a technical summary that can be evaluated for the applicability to other systems.

Write and executive summary for upper management to understand the incident’s issues.

Re-evaluate the organizations security plan and make changes.

I like a few things other than just computers and the science surrounding them. I also really like burgers. So with Halifax’s burger week fast approaching I wanted to see what the selection was looking like and pick some places I wanted to go. The only problem is that the Burger Week website doesn’t make quickly looking through the burgers easy. So I took it upon myself to make a spreadsheet of what in my opinion looked like the most interesting burgers that will be available.  (I mostly excluded plain burgers like bacon cheese burgers or burgers that were too far out of Halifax or burgers that seemed to cost more than they were worth)

For anyone that would like to make use of this spreadsheet click here. Me and some friends will be including rating of the burgers we try.

SPEADSHEET

Today someone preformed a DDoS attack on Dyn a company that manages many DNS services for the Eastern Seaboard. For a couple hours sites like twitter and others were unreachable using DNS. As of writing this many sites still do not have their DNS services restored.

For anyone that doesn’t know what a DNS server is, it’s basically the phonebook for the internet. Your computer sees you type in something like: “http://www.domain.com” and basically asks the internet where to find that site. The DNS sends you to the IP address of that site allowing you to connect to the site. So this DDoS attack is like you are trying to call your friend Bob, but you don’t have his phone number. So you go to look at the phone book and a bunch of people are just taking turns throwing it to each other over your head so you can’t use it. So you can’t call Bob.

What scares me about this situation is this article. Bruce Schneier talks about how someone is probing the internet for weak points to exploit. but the scale of these probes and small attacks is much too large for some small entity to be responsible. This small attack could be whoever is behind this probing of key internet services stretching their legs so to speak, or it might be something else. But either way this is likely a sign of things to come. And that’s a little terrifying. It’s not a matter of “oh no, how will i check reddit?”. Think of all the things that use the internet. All the key services we use every day. If the internet were down, how would the growing number of people without cable get news? How would you be able to access your bank account? Depending on the extent of the attack it could potentially take out the cell phone network as well. Even if this lasted a couple days it would have a huge impact.

All of this is very concerning. As Bruce Schneier states, there’s nothing we can do. We lack the ability to just block these attacks because that’s just how the internet is built. So maybe have some sort of back-up plan for what you would do if most of society as we currently know it shut down for a couple days and you weren’t able to use your cell phone or internet.

I’m just going to quickly go over how a DDoS (distributed denial of Service) attack works.

So, lets imagine the internet as pipe for water. Say you want to connect to Facebook, you send a drop of water to Facebook’s server to get a request, then Facebook sends the information back on your pipe. Now, imagine there are computers that don’t want to use Facebook, but they keep sending it drops of water. Eventually if enough computers are sending these drops to Facebook, there won’t be enough room in the pipe for all the water. So when you send your drop, it never reaches Facebook at all because it can’t fit in the pipe. That’s more or less how a DDoS attack works.

In actuality, you are sending requests to Facebook and Facebook responds. But if too many computers are also sending requests, Facebook won’t be able to keep up and will be forced to start ignoring requests. That’s what a DDoS attack is, so many requests by computers that don’t actually want to use Facebook that computers that do want to use it cannot.

The distributed part is that these requests are coming from hundreds or thousands of different computers. How do that many people commit to sending useless requests to a server? They don’t, its usually a bunch of computers that are unknowingly infected with malicious software that one person somewhere is using to send requests. This is whats called a Botnet. The computers on a botnet are potentially spread out potentially all over the world. This makes it very very difficult to block, its very difficult at the point to separate the legitimate users from computers on the botnet.

Ok, so there’s this meme that one of my friends finds hilarious. She brought up that it’s funny when you switch out the main adjective in it. So I went and learned how to better utilize Laravel, and made a stupid thing.

It just replaces the the adjective, but it uses a controller and templates and is way more complicated than it needs to be.

I figure I may want to post code at some point. So I figured I’d get something to make it look good and easier to read.

This is basically just a test of that:

1 2 3 4 5 6

#include <stdio.h>   int main (){ printf("Hello world!"); return 0; }

I just figure its a bit more professional and flexible than tumblr. I could probably make my own little framework for a blog, but that’s a lot more work than installing WordPress on my server, and it wouldn’t have nearly as much functionality.

But if for some reason you follow this on tumblr, FEAR NOT. I have a plugin installed that posts everything here to tumblr too. Just figured I should document the move somewhere.