Network Security Assessment Methodology

The best-practice assessment methodology used by determined attackers and network security consultants involves four distinct high-level components:

  • Network reconnaissance to identify IP networks and hosts of interest
  • Bulk network scanning and probing to identify potentially vulnerable hosts
  • Investigation of vulnerabilities and further network probing by hand
  • Exploitation of vulnerabilities and circumvention of security mechanisms

Better site performance through Apache .htaccess

Web performance is becoming a large factor in many web applications currently being developed, is a major topic within web development, and has been a factor in Google search ranking since late 2014.

Compress content

Compression reduces response time by reducing the size of the HTTP response.

It is worthwhile to gzip your HTML documents, scripts and CSS.

Images and downloadable files should be compressed by other means, such as image compression.

To compress your web documents with Apache, use mod_deflate.

Operating System Hardening – Working with Services

Services are programs that run when the operating system boots, and they often run in the background without users interacting directly with them. Many services are quite important, even critical. However, a service can provide an attack vector that someone could exploit against your system, so be sure to enable only those services that are absolutely required. Part of operating system hardening is disabling unnecessary services on your Windows computer (any version, from XP to Windows 8 or Windows Server 2012). To do so, first open the Control Panel and then select Administrative Tools.

The Remote Registry service is shown. This service allows technical support personnel to access the system's registry remotely. The service can be quite useful in some situations, but it can also function as a means for an attacker to get into your system. If you don't need it, turn it off. The issue is not that a given service is "bad"; it is more a matter of ensuring that you know which services to run (or not). Windows also provides a brief summary of what each service does and any services that depend on it. If you don't know what a service does, then you should probably leave its default setting.

Monitoring Networks

It is important to monitor the network and make sure that the traffic on it belongs there. In this section, we will explore basic network monitors.

Network Monitors

Network monitors, also called sniffers, were originally introduced to help troubleshoot network problems. Simple network configuration programs like ipconfig don't get down on the wire and show what is physically happening on a network. Instead, examining the signalling traffic that occurs on a network requires a network monitor.

Enable SSH Login Notification on Linux

Is your Linux server used by multiple customers? If so, consider adding an SSH login notification whenever someone logs in.

The example below sends an e-mail whenever somebody logs in to your server. For this to work, your server must be able to send mail using the mail command.

Replace YOUR_EMAIL_ADDRESS with the email address that you want to receive login notifications.

CentOS

Open the file ~/.bash_profile in a text editor.

Append the following lines:

Disaster Recovery

Disaster recovery is the ability to recover system operations after a disaster. A key aspect of disaster recovery planning is designing a comprehensive backup plan that includes backup storage, procedures, and maintenance. Many options are available to implement disaster recovery. The following sections discuss backups and disaster recovery planning.

Types of Backup

Backups are duplicate copies of key information, ideally stored in a location other than the one where the information is currently held. Backups include both paper and computer records. Computer records are usually backed up using a backup program, backup systems, and backup procedures.

Redundant Array of Independent Disks

Redundant Array of Independent Disks (RAID) is a technology that uses multiple disks to provide fault tolerance. There are several designations for RAID levels.

RAID Level 0

RAID 0 is disk striping. It uses multiple drives and maps them together as a single drive. This is done primarily for performance, not for fault tolerance. If any drive in a RAID 0 array fails, the entire logical drive becomes unusable.

Identifying Critical Systems and Components

Sometimes your systems are dependent on things that you would not normally consider. Basic utilities such as electricity, water, and natural gas are key aspects of business continuity. In the vast majority of cases, electricity and water are restored, at least on an emergency basis, fairly rapidly. The damage created by blizzards, tornadoes, and other natural disasters is managed and repaired by utility companies and government agencies. Other disasters, such as a major earthquake or hurricane, can overwhelm these agencies, and services may be interrupted for quite a while. When these types of events occur, critical infrastructure may be unavailable for days, weeks, or even months.

When you evaluate your business's sustainability, realize that disasters do indeed happen. If possible, build infrastructure that doesn't have a single point of failure (SPOF) or connection. After the September 11, 2001 terrorist attack on the World Trade Centre (WTC), several ISPs and other companies became non-functional because the WTC housed centralized communication systems and computer departments. If you're the administrator for a small company, it is not uncommon for the SPOF to be the router/gateway. The best way to remove an SPOF from your environment is to add redundancy.

Understanding Control Types False Positives/Negatives

Risk assessment (or analysis) involves calculating potential risks and making decisions based on the variables associated with those risks (likelihood, ALE, impact, and so forth). Once you've identified risks that you want to address with actions other than avoidance, you put controls in place to address those risks.

The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three main categories: management, operational, and technical, as defined in Special Publication 800-12. Table 1.3 lists the control types and the controls associated with each.

Securing wp-login.php with Fail2Ban

With recent dictionary attacks becoming a daily occurrence on WordPress, I installed a simple configuration for fail2ban that requires no access to the back end of each site you host and works as an integral part of any Linux server alongside iptables. This should protect all the sites on a server from being attacked by a lone attacker or a botnet.

Developing Policies, Standards, and Guidelines

The process of implementing and maintaining a secure network must first be addressed from a policies, standards, and guidelines perspective. This sets the tone, provides authority, and gives your efforts the teeth they need to be effective. Policies and guidelines set a standard of expectation in an organisation, and the process of developing these policies will help everyone in an organisation become involved and invested in making security efforts successful. You can think of policies as providing high-level guidance on large issues.

Standards tell people what is expected, and guidelines provide specific advice on how to accomplish a given task or activity.

We will discuss the policies, standards, and guidelines you’ll need to establish in order for your security efforts to be successful.


Risks Associated with Virtualization

If cloud computing has grown in popularity, virtualization has become the technology du jour. Virtualization consists of allowing one set of hardware to host multiple virtual machines. It is in use at most large corporations, and it is also becoming more common at smaller businesses.

Some of the possible security risks with virtualization include the following:

Risks Associated with Cloud Computing

The term cloud computing has grown in popularity recently, but few agree on what it truly means. For the purposes of Security+, cloud computing means hosting services and data on the Internet instead of locally. Some examples of this include running office suite applications such as Office 365 or Google Docs from the web instead of having similar applications installed on each workstation; storing data on server space such as Google Drive, SkyDrive or Amazon Web Services; and using cloud-based sites such as salesforce.com.

Apache: Log Management: SetEnvIf

Maintenance of an Apache2 web server takes a bit of fine tuning to get everything logging perfectly to your specifications. Apache has excellent logging capability, and these logs, if properly maintained, are an excellent information resource for any administrator or web analyst.

However, if unmanaged, these logs can grow too large to handle and become cumbersome to explore for errors or unauthorized access.

Additional Risk Terminology

Ensure that you understand the scope of hardware- and service-level agreement (SLA) related terms. Doing so can help avoid frustration and prevent unanticipated disruption from crippling your organisation. The following notes cover key measures with which you should be familiar when researching additional risk terminology arising from risk assessments.

Force SSL/TLS https using .htaccess and mod_rewrite

When using Apache, you can use mod_ssl to force SSL with the SSLRequireSSL directive:

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside an SSL-enabled virtual host or directory for defending against configuration errors that expose content that should be protected. When this directive is present, all requests that are not using SSL are denied.

This will not redirect to HTTPS, though. To redirect, try the following with mod_rewrite in your .htaccess file:

or any of the various approaches given at

You can also solve this from within PHP in case your provider has disabled .htaccess (which is unlikely since you asked for it, but anyway).

Measuring and Weighing Risk – Risk Assessment

Risk Assessment

Risk assessment is also known as risk analysis or risk calculation. For purposes of uniformity, we will use risk assessment as the term of choice for this discussion. Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information capabilities or a loss of information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of its occurring. The key here is to think outside the box. Conventional threats and risks are often too limited when considering risk assessment.

The key components of an assessment process are outlined here:

Risk to which the organisation is exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organisation will best deal with these risks and the best way to respond.

Risks in need of addressing: The risk-assessment component also allows an organisation to perform a reality check on which risks are real and which are unlikely. This process helps an organisation focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in another state or country is very low. Therefore, more resources should be allocated to preventing espionage or theft than to the latter possibility.

Coordination with BIA: The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organisation with an accurate picture of the situation facing it. It allows an organisation to make intelligent decisions about how to respond to various scenarios.

Computing Risk Assessment

When you are doing this assessment, one of the most important things to do is prioritise. Not everything should be weighed evenly, because some events have a greater likelihood of happening. In addition, a company can accept some risks, whereas others would be catastrophic for the company.

Risk Calculation

For the purpose of risk assessment, both in the real world and for the exam, you should familiarize yourself with a number of terms used to determine the impact an event could have:

  • ALE is the annual loss expectancy value. This is a monetary measure of how much loss you could expect in a year.
  • SLE is another monetary value, and it represents how much you expect to lose at any one time: the single loss expectancy. SLE can be divided into two components:
    • AV (asset value)
    • EF (exposure factor)
  • ARO is the likelihood, often drawn from historical data, of an event occurring within a year: the annualised rate of occurrence.

When you compute the risk assessment, remember this formula:
SLE × ARO = ALE


As an example, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of £1,000 and that there will be seven such occurrences a year (ARO), then the ALE is £7,000. Conversely, if there is only a 10 percent chance of an event occurring within a one-year period (ARO = 0.1), then the ALE drops to £100.

Quantitative vs. Qualitative Risk Assessment

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending on whether you are focusing on currency amounts. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualised rate of occurrence (ARO) are all based on doing assessments that lead to currency amounts and are thus quantitative.

To understand the difference between quantitative and qualitative, it helps to use a simple example. Imagine that you get an emergency call to help a small company that you have never heard of before. It turns out that their one and only server has crashed and that their backups are useless. One of the lost files was the only copy of the company's history. This file detailed the company from the day it began to the present day and held the various iterations of the mission statement as it changed over time. As painful a loss as this file represents to the company's culture, it has nothing to do with filling orders and keeping customers happy, and thus its loss is qualitative in nature.

Another loss was the customer database. This held customer contact information as well as the history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all of the hard-copy invoices from storage and re-entering them into the system. This loss can be calculated by the amount of business lost and the amount of time it takes to find and re-enter all the data, and thus it is a quantitative loss.