Best information security news and email feeds

Here are the information security news feeds/email subscriptions I subscribe to in order to stay current with the latest in information security news. Drop me a line if you have others that you follow that should be added to the list. I am including details about average number of posts per week when they are available because I know it is easy to get swamped in reading material and understanding frequency of publishing vs. value you get from it is important so you can efficiently use your time.

RSS subscriptions

  • SANS Newsbites – SANS is my go to resource for information security related news and training.
  • All of the US-CERT feeds – I view the US CERT organization as a leading authority along with SANS and subscribe to all of their feeds; most of them average less than 1 per week, which is manageable.
  • NIST.ORG – Network Information Security & Technology News organization is a leading authority on all things information security.
  • Help Net Security – Excellent source with concise articles detailing the latest in information security threats, tools, and news.
  • Krebs on Security – Nice in depth security investigations especially around the underground criminal market in information security assets.
  • Darkreading Weblog – Good source for staying on top of the latest security compromises and exploits. Averages 20 posts per week
  • Infoworld Security Blog – Covers a variety of diverse and useful information security topics. Averages 1 post per week
  • Experian Data Breach Blog – Provides info around data breaches and things you can do to help stay secure. Averages 1.2 posts per week
  • SearchSecurity: Threat Monitor – Good summary of current information security threats in the wild. Averages .2 posts per week
  • SearchSecurity: Security Wire Daily News – Feed for general information security information around a variety of topics. Averages 3.5 posts per week
  • Qualys Newsletter – Security feed put out by vendor Qualys. I use it to get a vendor’s take on vulnerabilities and vulnerability management best practices. Averages .7 posts per week
  • Eeye Security Blog – Eeye Digital Security’s blog for keeping track of their information security ideas and news. Averages 1.6 posts per week.
  • SC Magazine Cybercrime Corner – Another source for staying on top of cybercrime news. Averages 2 posts per week.

Email newsletters

  • SANS Security Awareness Newsletter – Nice monthly newsletter that can be used for internal information security awareness campaigns.
  • SANS @RISK Newsletter – Weekly newsletter that summarizes the top 3-8 vulnerabilities that currently matter most and how to mitigate the risk from them.
  • Security Focus Mailing lists – I subscribe to a few of the many different mailing lists they offer including Web Application Security and Penetration Testing. I used to subscribe to the popular BUGTRAQ but opted out due to the volume.
  • Slashdot newsletter – Useful cutting edge information security stuff here but I get the summary newsletter because the general RSS feed is very busy and difficult to stay on top of.
  • Microsoft Monthly Newsletter – Nice email newsletter for those of you using and trying to secure Microsoft products
  • Apple security mailing list – For you Apple fans to keep on top of security issues (yes security things happen on Apple devices too, and expect it to expand in the future)


Are you protecting your most important information assets?

Information security sometimes feels like a never ending challenge. There are a thousand different things that need to be done from patching systems to educating employees and any one hole can mean big problems. Smart companies have realized the impossibility of securing every asset and have changed the theatre of the information security battlefield.

Effective information security management is no longer about trying to stop every little problem that can go wrong; that is an impossible task with failure guaranteed. Leading businesses are now focused on securing the intellectual property and operations that are most critical to their competitive advantage. This new approach is more advanced than previous information security approaches that attempted to throw information security controls against the wall in hopes that enough stuck to keep bad things from happening.

What are the advantages to approaching information security based on a critical asset protection model?

  • Helps focus your information security investment towards protecting the most important assets that matter.
  • Makes information security more manageable and makes realistic assumptions vs. assuming you can protect everything.
  • Allows you to be more specific about your information security objectives vs. operating in a more abstract manner.
  • Increases security oversight over important assets/business processes and enables customized monitoring specific to those resources

What are the challenges in implementing a risk based critical asset information security model?

  • Initially many organizations will struggle with answering the question about which assets are truly critical.
  • Requires a more collaborative model of information security, with a deeper level of engagement needed with key business partners. Many information security organizations struggle with understanding which assets are truly critical because there is an insufficient understanding of how the business really works.
  • Requires a change in mindset from trying to secure the perimeter and keep the bad guys out to assuming they are already inside and layering your controls to focus efforts on protecting critical assets. This is not to say that firewalls and other perimeter-based control mechanisms are obsolete, only that they have proven ineffective as the primary mechanism of protecting an organization's critical intellectual property.
  • New security tools will be needed to help protect down to the data layer and assist in blocking advanced threats.

If your information security organization is still operating with a secure the perimeter mentality as your primary focus you risk becoming obsolete. More is expected of an information security organization in our knowledge based economy. You are expected to understand the business at a sufficient level to know what intellectual property and business processes are critical to ongoing success of your company. This requires deeper business knowledge and business relationships to help validate that you are focusing on the right things.

WordPress website error site reverting to old version

I have been noticing an intermittent problem with this website over the last 6 months or so where the site was reverting to a very old version of the site that showed my old design logo and only old posts. At first I thought I had a cache problem on my PC and attempted to flush my local DNS cache, hoping that would resolve the issue. The problem manifested itself across multiple machines, so I quickly realized that was not the solution, but I did not seek a more permanent fix since the problem was very intermittent in nature and I have been extremely busy (not a good excuse). When the problem reoccurred today I had finally had enough and logged a ticket with my web hosting support company to work on a permanent resolution.

Problem: Website for this site was having a problem and was reverting to an old version of the site (with an old logo design) and only showing posts as of 1/2012 and older.

Impact: Site design looked dated and visitors were not seeing the improved design/layout of the site or the new material posted on the site. I also suspect this hurt the site from a search engine perspective and lost traffic due to the site appearing old due to lack of new content.

Actions taken to attempt resolution: Thought the problem was DNS related so flushed my local DNS cache, but realized something broader was going on when the problem was found across multiple machines. Attempted to research the problem using the Google search engine, but most guidance was regarding webmaster tools related options and did not seem applicable. After failing to find a satisfactory fix I logged a support ticket with my web hosting provider.

Root Cause: I had to provide my web hosting technical assistance people admin access to the site and specify what database was used by the site. I created a unique temporary account/password for them and they completed the analysis and resolution very quickly. The root cause of my problem was found to be a corrupted WordPress table, and once this table was repaired using the phpMyAdmin tool the site is now displaying as it should be.

Lessons learned: Do not wait extended periods of time to deal with a problem. I could have had this issue resolved much sooner if I had taken immediate action and logged a support ticket. The Lunarpages support team was very helpful and quickly solved this issue once I provided them the needed access and confirmed the database id.

Information Security Implications: As mentioned above I had to provide site admin credentials to the technical support team to troubleshoot the problem. I followed the following security best practices during the interaction:

  • Had a full backup of my site before the work began
  • Created a unique temporary admin account just for this purpose
  • Deleted the account as soon as my support ticket was closed out successfully

This turned out to be a pretty good operational/security case study so I thought it would be useful to document and share.

How to fix a security certificate error while browsing the internet

The last week or two the pc only used by the kids had been having problems with a security certificate error when they were trying to browse the internet. The browsing eventually got where it needed to go but only after extra clicks of accepting the risks of going to a potentially bad site and adding an exception in the browser. The problem was happening with both Internet Explorer and Firefox browsers so I assumed that a virus was causing the problem.

I performed some basic antivirus scans using the free AVG antivirus software installed on the machine as well as Spybot Search and Destroy. Nothing overly incriminating was found by either scan only the expected low/mid risk cookies always found. I was a bit surprised at this result so started looking for some other alternatives of what could be wrong.

After a bit of research I was able to find a documented case that closely matched my situation. The suggested advice was to check the date on my pc because if the machine is dated in the past with an incorrect date this has been known to cause a problem with internet security certificates. Sure enough the machine had been reset to the original date of when it was purchased and the issue went away after the date was corrected.

Quick Summary:

Problem: Common area machine was generating security certificate errors/warnings while browsing the internet with multiple different browsers (Firefox, Internet Explorer, etc.)

Solution: Check the date on the machine and make sure it is at the current calendar day. The pc had somehow been reset to default settings and was dated back to 2007 which was the source of the problem.
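The date check above can be turned into a quick diagnostic. The following is an added example, not part of the original post: it compares a clock reading against the validity windows of several unrelated certificates and reports when the pattern points to a wrong system date rather than bad certificates. The host names and certificate dates are constructed sample data, and the "more than half of the certificates" threshold is an assumption of this example.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: validity windows for three unrelated sites, in the
# text format ssl.SSLSocket.getpeercert() uses for notBefore / notAfter.
SAMPLE_CERTS = [
    {"host": "bank.example", "notBefore": "Jan 10 00:00:00 2011 GMT",
     "notAfter": "Jan 10 00:00:00 2013 GMT"},
    {"host": "mail.example", "notBefore": "Aug  5 12:00:00 2011 GMT",
     "notAfter": "Aug  5 12:00:00 2012 GMT"},
    {"host": "shop.example", "notBefore": "Feb 20 00:00:00 2012 GMT",
     "notAfter": "Feb 20 00:00:00 2014 GMT"},
]


def utc_epoch(year, month, day):
    """Epoch seconds for midnight UTC on a date (stands in for the PC clock)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def check_cert(cert, now):
    """Classify one certificate at clock reading `now` (epoch seconds)."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def diagnose(certs, now):
    """Decide whether certificate errors point at the clock or at the certs.

    Certificates from unrelated sites rarely fail together. If most of them
    look "not yet valid", the clock is almost certainly set in the past; if
    most look expired, the clock may be set in the future. Isolated failures
    are treated as a problem with that certificate.
    """
    per_host = {c["host"]: check_cert(c, now) for c in certs}
    states = list(per_host.values())
    early = states.count("not_yet_valid")
    late = states.count("expired")

    if early == 0 and late == 0:
        verdict = "ok"
    elif early * 2 > len(certs):      # assumption: majority threshold
        verdict = "clock_behind"
    elif late * 2 > len(certs):
        verdict = "clock_ahead"
    else:
        verdict = "certificate_problem"

    # A certificate seen in live use was issued before today, so the newest
    # notBefore is a lower bound on the real date.
    newest = max(ssl.cert_time_to_seconds(c["notBefore"]) for c in certs)
    lower_bound = datetime.fromtimestamp(newest, tz=timezone.utc)

    return {
        "verdict": verdict,
        "per_host": per_host,
        "earliest_possible_date": lower_bound.strftime("%Y-%m-%d"),
    }


if __name__ == "__main__":
    # Clock reset to 2007, as on the machine described in the post.
    report = diagnose(SAMPLE_CERTS, utc_epoch(2007, 6, 15))
    print(report["verdict"])
    for host, state in report["per_host"].items():
        print(f"  {host}: {state}")
    print("real date is no earlier than", report["earliest_possible_date"])
```

On a live machine the same check can be fed `time.time()` and the `notBefore`/`notAfter` fields from certificates the browser is rejecting.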

iPhone 4s security accessories








Orders for the iPhone 4s are smoking hot and the volume is only going to ramp up between now and the Christmas season. With a new phone comes the need for new accessories to make your phone more attractive and keep it in good working order. Protective security cases and screen films are essential to help keep your iPhone 4s from suffering damage due to an accident.

iPhone 4s Cases – By choosing a case for your iPhone 4s you can help protect your smart phone from drops, scratches and other wear and tear related issues. Cases are must have accessories to help secure your iPhones and avoid costly repairs.

Boost Protective Case – Attractive black protective case is comfortable to the hand and lightweight which are important features to ensure you will continue to use it day in and day out. This case also provides extended battery benefits so it is one of the higher end cases available for your iPhone 4s.

splash VAPOR Slim-Fit Flex Case – This case is made of soft silicone which helps offer protection while keeping the weight in check. Fits nice and has been noted as high quality in the reviews and lists at a nice price of $14.95.

QuickFlipCase for iPhone 4/4S – Case is highly rated on and noted as a good value for the money. Has a useful belt clip that will give you the look of an Old Western gunfighter if you draw your iPhone 4s quickly from your belt. I’m your huckleberry..

OtterBox Commuter Series Hybrid Case – The normal OtterBox cases were noted as being a bit bulky but the Commuter Series is free from that problem and comes in a variety of colors unlike some of the other cases. I am partial to the white/black model which is linked.

Elago slim fit case – This case is priced at the very low end of the spectrum but offers solid value and extra protection for the price. Many of the reviewers were impressed with the slimness of the case and how it felt natural in their pockets.

Tuneband for iPhone 4/4s – Offers front and back device protection and the unique feature of an arm strap for runners and other people who want to take the iPhone 4s on the extreme go. Available in black, pink, purple, red, and glow in the dark.

iPhone 4s Screen films/protection – To help reduce glare, smudging and lower risk of scratch for your iPhone 4s display.

Halo Screen Protector Film – High quality low cost films are a good option to protect your phone screen and keep the smudging/glare problems to a minimum.  $5.95 for 6 films is not a bad deal at all.

splash Masque Clear Screen Protector – 5 pack of films is very affordable and has had mainly good reviews noting its easy bubble free installation and good fit.

AcaseView Screen Protector Film – Another quality film option this one comes in a pack of 6 for $7.25.

iPhone 4s car mounts – Helps securely mount your device in your car to function as a gps or for other hands free use (please be safe and obey local laws). Remember phones can become projectiles in sudden stops or accidents so it is important to securely mount them and keep them off your seats.

Kensington SoundWave Sound Amplifying Mount – Higher end than the one recommended below and my top choice for a reasonably priced mount.

Kensington Quick release car mount – Kensington is a trusted name in the security lock/mounting industry and this mount is highly rated from those who have purchased it.

Black Ultra Durable Compact Car Mount – Not yet rated due to newness

Motorcycle Handlebar Mount – For motorcycle enthusiasts this product is relatively new but an intriguing option (be safe on the bikes please)

Happy and secure iPhone 4s’ing!


iPhone 4S Security

The release of the iPhone 4S caused quite a stir because it was not what everyone was expecting. Many of the pundits were boldly pontificating about advanced new features that would be introduced via “iPhone 5”. Instead they got the iPhone 4S which didn’t match expectations but it has been a pre-order bonanza anyway. It seems Apple can literally do no wrong right now. I decided to order an iPhone 4S (32GB memory black model) and hope to get it towards the end of the month.

When it comes to securing your iPhone 4S not a lot has changed at this point. The iOS 5 update is expected very soon which will likely introduce some security changes worth mentioning so I will provide an update when that hits the street.

Basics of iPhone 4S Security steps:

Set a private pass code to prevent others from accessing your iPhone 4S. If you do not set up a password you are at a bigger risk of having someone snoop or send prank texts/emails from your phone. Remember your code because if you forget you must do a restore.

Select General > Passcode Lock and enter your 4 digit passcode

Set password expiration parameter (which defines how long iPhone 4S will remain unused before pass code needs to be entered). A setting of 30-60 is a good idea.

Select General > Passcode Lock > Require Passcode then select the value you want

Disable Bluetooth if you do not use it. Bluetooth related vulnerabilities have gone from theoretical to actual problems being exploited so if you are not using it definitely turn it off.

Select General > Network and turn Bluetooth off

Set a voice mail password to prevent busy bodies or sleazy European tabloids from accessing your voice messages. Select a pin that will be easy for you to remember but not easily guessable by others (same concept as your debit card pin)

Select phone > Change Voicemail Password

Lock your SIM card to secure your sensitive information located in memory.

Select phone > SIM PIN and turn it on. The manual mentions the default iPhone SIM PIN is 1111 unless the carrier has changed it.

Backup your phone data every few months so that you will not lose your phone lists, pictures and other customized settings. This will be useful if an update goes wrong and your phone requires a total restore.

Install iOS firmware updates when they become available. iOS 5.0 is expected very soon and will contain new functionality and security fixes. The recent passcode bypass vulnerability will be updated in a November update, and in general when hardware or software is updated by a vendor it is often due to security vulnerabilities, so it is best to stay current with these important updates.

Only join WiFi networks that you trust or you risk having your information intercepted and possible identity theft.

Use Find My iPhone. Find My iPhone is Apple’s free app that helps recover or remotely wipe your iPhone 4S if you lose it or it gets stolen.

You also have the option for installing additional security applications to provide anti-virus and password related functions. If you are interested in additional security applications for your iPhone 4S be sure to review the best of itunes security store post.

Free antivirus software – How effective is it?

Are you tired of paying for commercial antivirus software? Antivirus software providers are savvy about turning the cost into a required annual financial outlay to allow you to continue to receive current antivirus signatures. I always anted up the cash because I was not willing to go unprotected and increase my risk of picking up a nasty system damaging worm or virus. I was also skeptical about free antivirus solutions, dismissing them as inferior without ever giving them a fair shot. I give Norton and McAfee a lot of credit; they convinced me that I should not consider free alternatives without direct marketing campaigns saying so.

My epiphany came when the 3 month free Norton subscription ran out for my new Gateway laptop. I decided I no longer wanted to continually pay for antivirus software and committed to giving free alternatives a real chance. After doing some research I narrowed down my list of contenders to AVG and Avast Free Antivirus. After completing my research I decided to go with Avast and have been delighted with my experience using their free antivirus product. Avast free antivirus seems to update itself as frequently as its commercial competition and has an easy to use user interface as well. I use the Avast product in an identical manner to how I used to use Norton and have had no negative effects to my PC in over 6 months of use. I have been converted from a free antivirus skeptic and will never go back to using a commercial offering as long as quality free options like this exist. Consider your own antivirus needs and consider if the commercial product you are using is worth the $30-50 a year per machine fee when you can get equivalent protection by using Avast.

Quick summary:

Who should be using free antivirus?

Individuals who need protection for their personal systems and balk at the recurring fees commercial offerings charge

Who should continue using commercial products?

Businesses that require more central control and administration of their antivirus solution

Be sure to check out our review of the top 5 free security tools.


Information security issues can lead to bankruptcy

Information security is often an afterthought at best for many small to midsize businesses. DigiNotar, a Dutch certificate authority, is a great case study on what can go wrong when adequate information security controls are not put in place. DigiNotar was severely compromised, leading to the undermining of the very core that their business was built on: trust and authority. The end result was an information security related bankruptcy that was preventable. What went wrong at DigiNotar and what can you learn from their experience?

Lessons learned from DigiNotar information security incident

The more your business relies on trust the greater your information security risk and the more controls you need

Trust is based on your reputation and when you are in a business requiring a high degree of trust it can be game over when a big incident occurs that hits to the core of your model. There is a direct relationship to how much your business relies on trust and how much information security you need. The final straw was when the Dutch government lost confidence after inadequate disclosure and revoked their trusted status.

Full prompt disclosure is the best way to recover your reputation

DigiNotar detected a problem with their certificate authority infrastructure nearly a month before the incident blew their business out of the water. They failed to make adequate disclosure, causing their customers to question the trust they had placed in DigiNotar. What if DigiNotar had come clean in the beginning? Perhaps they would have been able to salvage the company.

Full security audit needs to be conducted after there is reasonable cause to believe a serious security event has occurred

The primary goal should be to determine the method of attack, eliminate sources of vulnerability, and clean affected systems. The security review should be conducted by professionals and it could get quite expensive, but it is necessary to prevent worse events such as total implosion of the business. If a full audit and full disclosure had occurred the company would likely still exist.

Are you auditing and controlling the right high risk business activities?

DigiNotar’s compromise led to the creation of 531 unauthorized certificates. If this control had been reviewed more closely and followed up on with quick terminations and the actions described above, the company would still be in business.

Effective information security controls can make the difference between prosperity and bankruptcy. The choice is yours. To help make sure your business is taking information security seriously be sure to review our information security essentials for small and mid size businesses.

Information Security Insurance

Information security insurance is designed to protect an individual or business against the risk of possible loss due to information security incidents. Similar to other forms of insurance the policy holder pays a monthly/annual premium to the policy issuer for the agreed to insurance plan.

Why might you need information security insurance?

The more your business relies on information systems to operate, the more at risk you are if a catastrophic incident affects critical systems. To help manage risk to more acceptable levels, information security controls are implemented to protect against various threats. Information security audits are another risk reducing measure a company can take to help validate the effectiveness of their information security controls and document any weaknesses for prioritization and correction. Many companies choose to self insure and pay any information security incident expenses out of pocket vs. pursuing direct insurance, although the number of companies obtaining insurance is increasing at a dramatic rate. If you are under the impression that your traditional insurance policies will cover you for technology related risks, now is a good time to validate that assumption. Lastly, if you are involved with a start-up it is sometimes a requirement for VC providers that information protection insurance be active to protect their future investment in your company.

Examples of events that can be insured with information security insurance

  • Unauthorized system or network access
  • Theft of sensitive intellectual property
  • Fraudulent ebusiness or online banking activity
  • Lack of availability of systems
  • Disaster Recovery
  • Technology errors and omissions

What are typical costs from an information security incident?

  • Cost of investigating source of incident and scope of systems breached – Expert investigators are very expensive so expect to pay mid to upper 5 figures or even into the 6 figures to investigate and clean up a security incident
  • Cost of lost business – Business that is lost, especially if it is not recoverable, could amount to significant costs.
  • Cost of lost employee productivity – If your employees can not do their job you still have to meet payroll and other financial obligations
  • Cost of breach disclosure notifications and customer protection measures – If sensitive customer or employee data is lost while under your care you are likely financially obligated to notify and offer credit protection measures to minimize their risk of identity theft.
  • Worst case scenario is inability to recover from an incident leading to failure of the company

Final tips on information security insurance

If you desire information security insurance your first stop should be to try to add the coverage via your existing insurer. If they do not offer the service or the cost is too high you should shop around to get the coverage you are looking for. It should be noted that the information security insurance industry is very immature and there is a lack of standardized offerings. When comparing different insurance options be sure to get everything in writing and validate that you are comparing equal coverages when assessing different companies.

Best ipad 2 leather cases

The classic look of leather is a great way to protect your iPad 2 with style. iPad 2 cases are a great way to minimize the chances of your iPad cracking if it suffers an unexpected drop. A case can also offer stability and visibility improvements (if you choose to use the various stand options that many cases have). There are a lot of cool case options for the iPad 2, including metallic looking enclosures that fit with the Apple mystique, but if this is not your style choosing leather is a great alternative. An important factor to note is that any case is going to add bulk to your iPad 2, so there is a bit of a trade-off between bulk and physical security.

Factors when considering a case for your iPad 2

  • How much bulk does the case add to your ipad?
  • How snug does the case fit to protect all four corners?
  • Quality of the leather the case is made of
  • Personal choice as to attractiveness of design/style
  • Cost

Here is a rundown of the highest rated ipad 2 leather cases that are well reviewed and loved by those that have made the investment to protect their device.

Bear Motion Leather Case with 3-in-1 built in stand – Elegant and conservative this highly rated leather case/stand is noted for its high quality leather and high quality snap magnets. This case is also noted for its high quality stand that greatly helps with reading on the ipad.

Yoobao 3-in-1 Leather case with built in stand – The general consensus is this is an attractive 5 star case that is a top option if you want a leather case. Yoobao is a well respected brand in the ipad case market and their raving fans demonstrate that there is a lot to like about this case.

Toblino 2 Leather Case – Famous for high quality leather and perfect fit around all four corners this ipad 2 case is a high end option for extra protection.

Targus VuScape Cover/Stand – Targus is sort of the workhorse brand of protective cases so their alternatives can always be considered. Others listed above are more attractive but these are functional and get the job done.

Snugg ipad 2 Leather Case with flip stand – Leather has a traditional worn in look to it and the general opinion from the reviews is that it works as advertised at a nice price. Not my top pick but included for the value-conscious consumer seeking an affordable case.

For those of you looking for colored leather ipad 2 cases here are some options:

rooCase Premium Leather (red)

Bear Motion Case (brown)

Targus (blue/black)

If you decide to purchase a protective case I think you are making a wise decision. Your chance of having your ipad 2 suffer accidental damage like a screen crack can be significantly reduced by choosing the right case.