<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>security</title>
<link>http://www.webupon.com/tags/security</link>
<description>New posts about security</description>
<item>
<title>Securing Business Against War Driving</title>
<link>http://www.webupon.com/Security/Securing-Business-Against-War-Driving.285015</link>
<description>
<![CDATA[<p>Businesses of every size, along with corporate telecommuters, home offices and home networks, should implement both preventive and proactive measures to eliminate, or at the very least reduce, their exposure to the operational damage and financial risk posed by war driving and wireless network intrusion.</p>
<h3>War Driving Versus Wireless Network Hacking</h3>
<p>Most of us have heard of hacking; the more recent practice of "war driving" is not so well known.</p>
<h4>War Driving</h4>
<p>War driving is the practice of cruising around with a wireless-enabled laptop loaded with wireless network detection and cracking tools. Many war drivers also log GPS coordinates so that every network they detect can be mapped to its physical location.</p>
<p>The major distinction between war driving and hacking into wireless networks is that, in the strictest sense, war driving is only about discovering that wireless networks exist and where they are.</p>
<h4>Wireless Network Hacking</h4>
<p>Hacking wireless networks, on the other hand, is about cracking or breaking into the networks discovered through war driving or by any other means. In short, it is about gaining access to a network without being a legitimate, bona fide user with authentic access rights and privileges. This does not imply that a would-be intruder is necessarily malevolent.</p>
<h4>War Driving and Wireless Network Hacking Tools</h4>
<p>War driving and wireless network hacking use much the same range of tools: passive detectors and sniffers (Kismet, Wireshark), active scanners (NetStumbler) and WEP key-recovery tools (AirSnort).</p>
<p>For passive tools such as Kismet there is very little you can do to prevent discovery: any access point that transmits can be heard. Fortunately there are countermeasures, such as strong link-layer encryption, tunneling and robust authentication, that stop a would-be intruder from progressing beyond the discovery phase.</p>
<h3>Legitimate Ethical Wireless Network Hacking</h3>
<p>There are many legitimate reasons for attempting to hack one's own wireless network. Authorized security staff conducting site surveys, penetration tests or network security preparedness assessments will usually harbor no malevolent or otherwise "evil" intentions.</p>
<p>I say usually because many security breaches do involve breaches of trust by legitimate personnel. Subversion from within is a problem that long predates wireless networking. Then there is the group who attempt to hack into your wireless network for the thrill of it, simply because it is there.</p>
<h3>War Driving and Wireless Network Hacking Tools</h3>
<p>Note that the standard tools used for war driving and wireless hacking are generally the same, and they are the very tools that legitimate network security personnel use to conduct site surveys and penetration tests.</p>
<h4>Downloadable Self-Extracting and Automatic Installer Packages</h4>
<p>In addition, the vast majority of these wireless tools are freely available for download from the Internet, usually as self-extracting installation packages or user-installable software, so no particular skill is needed to obtain them.</p>
<p>Here are a few wireless survey, network discovery, packet sniffing, site assessment and penetration testing tools that are currently free for private use: AirSnort, ASLEAP, coWPAtty, Ethereal (renamed Wireshark in 2006), Kismet, NetStumbler and Wireshark.</p>
<h4>Sophisticated Yet User Friendly</h4>
<p>What many may not realize is how user friendly and capable these tools have become over their years of development.</p>
<h4>Armed by Default</h4>
<p>In today's wireless networking climate we must therefore assume that, by default, attackers are armed with these tools. Bearing this in mind, we will construct our defenses to counter a multiplicity of threats arriving from every angle.</p>
<h3>War Driving Protective Countermeasures</h3>
<p>Countermeasures to protect your wireless network from war driving and from intruders in general must be well planned and rigorously maintained and updated. Vigilance is the key.</p>
<h4>Transmission Medium Access</h4>
<p>The first line of defense against war driving and wireless network hacking is reducing the transmission medium's exposure: the less of your radio footprint that reaches places an attacker can stand, the less there is to attack.</p>
<h4>Network Surveys</h4>
<p>Conduct site surveys to identify signal leakage and rogue Wireless Access Points (WAPs). This needs no high-tech gadgets: simply walk the network zones, zone perimeters and site perimeter with a wireless-enabled laptop and see what signals it detects. Do this the same way, with the same wireless detection and hacking tools, that a war driver or any other potential intruder would, and compare what you find against your inventory of authorised access points.</p>
<h4>Wireless Network Physical Security</h4>
<p>Wireless Access Points (WAPs) need to be located and secured so that they remain free from physical interference and tampering. A WAP antenna that has been redirected can hand outsiders an entry point into your network.</p>
<p>Furthermore, if enough WAP antennae are compromised (out of alignment, redirected or non-functional), the wireless network as a whole can collapse. Regular inspection and adjustment of WAPs is the best way to limit the damage that physical tampering can cause, and it contributes to overall network performance assessment as well.</p>
<h4>Antennae</h4>
<p>Mixing directional and omnidirectional antennae in a production environment goes a long way toward reducing signal leakage at the network perimeter: point directional antennae inward from the outer walls rather than placing omnidirectional units at the edge of the building.</p>
<p>Multiple-In Multiple-Out (MIMO) access points are appropriate for high-traffic areas that lie entirely within physical perimeters the public cannot reach; note that MIMO improves throughput rather than containment. Careful antenna selection and placement contribute greatly to shaping the wireless coverage pattern.</p>
<h4>Network Segmentation</h4>
<p>Subdividing your network into a number of smaller logical subnets (for example one VLAN per wireless zone) will also reduce exposure while delivering better overall network efficiency and performance. It also gives you natural points at which to add extra layers of authentication and filtering between zones.</p>
<h4>Demilitarized Zones (DMZs)</h4>
<p>Use DMZs with limited access rights and privileges to confine potentially "undesirable" traffic to areas of limited functionality without exposing your entire internal network to the threats it may pose. In this way you can provision and maintain a lower-risk, publicly accessible zone on your network's periphery if so desired. It also greatly simplifies firewall access lists and rule configuration, management and upkeep.</p>
<h4>Disable Internal Anonymous Ad Hoc Connectivity</h4>
<p>Sometimes circumstances dictate that you have no choice but to permit some degree of anonymous, publicly accessible ad hoc (peer-to-peer, no access point) connectivity to your wireless network. Confining this type of access to your network's perimeter using DMZs is usually the way to go.</p>
<p>However, anonymous ad hoc wireless connectivity is never needed for purely internal wireless access. Once authorized users are inside your wireless network's perimeter they have no need for ad hoc connectivity, so disable it on their clients; all they need do is log onto the infrastructure network in the usual prescribed manner, and your network access authentication procedures define who is and who is not permitted access.</p>
<h4>Signal Leakage</h4>
<p>Conduct regular site surveys and network preparedness assessments to verify that no signal from the fully internal wireless network leaks into the publicly accessible zones, and that nothing from the publicly accessible ad hoc wireless networks reaches your network core.</p>
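<p>The walk-around survey and leakage check described above produce a list of access points that has to be compared against what you own. The following is an added example, not code from the article: it parses the text format printed by the Linux <code>iw dev wlan0 scan</code> command (the sample scan is constructed for the example in that format), classifies each access point's security, and flags rogue APs advertising your SSID, unidentified hidden-SSID APs, and authorised APs heard too loudly outside the perimeter. The inventory of authorised BSSIDs and the -70 dBm leakage threshold are assumptions for the example.</p>

```python
import re
from dataclasses import dataclass

# Constructed sample in the format printed by `iw dev wlan0 scan`, as it might
# look from a survey point just outside the building. Real output carries many
# more lines per BSS; only the fields used below are reproduced.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: corp-internal
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:66(on wlan0)
    freq: 2462
    signal: -78.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: corp-guest
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2412
    signal: -55.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: corp-internal
BSS de:ad:be:ef:00:02(on wlan0)
    freq: 2412
    signal: -60.00 dBm
    capability: ESS (0x0401)
    SSID:
"""

# Assumed inventory of the access points we own (BSSID -> SSID).
AUTHORISED = {
    "00:11:22:33:44:55": "corp-internal",
    "00:11:22:33:44:66": "corp-guest",
}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal_dbm: float = 0.0
    privacy: bool = False   # Privacy bit set in the capability field
    rsn: bool = False       # RSN (WPA2) information element present
    wpa: bool = False       # WPA (v1) information element present
    akm: str = ""           # authentication suite of the last RSN/WPA element

    @property
    def security(self) -> str:
        if not self.privacy:
            return "open"
        if not (self.rsn or self.wpa):
            return "WEP"             # Privacy bit without RSN/WPA means WEP
        generation = "WPA2" if self.rsn else "WPA"
        return generation + ("-Enterprise" if "802.1X" in self.akm else "-PSK")


def parse_iw_scan(text: str) -> list:
    """Parse `iw ... scan` output into AccessPoint records."""
    aps = []
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", raw)
        if m:
            aps.append(AccessPoint(bssid=m.group(1)))
            continue
        if not aps:
            continue
        ap, line = aps[-1], raw.strip()
        if line.startswith("freq:"):
            ap.freq = int(line.split(":", 1)[1])
        elif line.startswith("signal:"):
            ap.signal_dbm = float(line.split()[1])
        elif line.startswith("capability:"):
            ap.privacy = "Privacy" in line
        elif line.startswith("SSID:"):
            ap.ssid = line[len("SSID:"):].strip()   # empty for hidden SSIDs
        elif line.startswith("RSN:"):
            ap.rsn = True
        elif line.startswith("WPA:"):
            ap.wpa = True
        elif line.startswith("* Authentication suites:"):
            ap.akm = line.split(":", 1)[1].strip()
    return aps


def assess(aps: list, authorised: dict, leak_threshold_dbm: float = -70.0) -> list:
    """Return (bssid, finding) pairs. The survey point is assumed to be outside
    the perimeter, so an authorised AP heard above the threshold is leakage."""
    our_ssids = set(authorised.values())
    findings = []
    for ap in aps:
        if ap.bssid in authorised:
            if ap.security in ("open", "WEP"):
                findings.append((ap.bssid, f"weak security: {ap.security}"))
            if ap.signal_dbm > leak_threshold_dbm:
                findings.append((ap.bssid, f"signal leakage: {ap.signal_dbm:.0f} dBm outside perimeter"))
        elif ap.ssid in our_ssids:
            findings.append((ap.bssid, f"rogue AP: unknown BSSID advertising '{ap.ssid}' ({ap.security})"))
        elif not ap.ssid:
            findings.append((ap.bssid, f"unidentified AP with hidden SSID ({ap.security})"))
    return findings


if __name__ == "__main__":
    for bssid, finding in assess(parse_iw_scan(SAMPLE_SCAN), AUTHORISED):
        print(bssid, finding)
```

<p>Run it against a real capture with <code>iw dev wlan0 scan > survey.txt</code> and feed the file's contents to <code>parse_iw_scan</code>. A foreign BSSID advertising your SSID is the "evil twin" case; a hidden-SSID AP you cannot account for deserves a physical search.</p>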
<h4>Change Default Settings</h4>
<p>This one is really a no-brainer. Once your wireless devices are up and running, change every manufacturer default: administrator name and password (better still, a passphrase), authentication mechanism, network name (SSID), broadcast parameters, pre-shared keys, the default encryption method and settings, and the method used to reach the device's management interface. Published default credentials are the first thing any intruder tries.</p>
<h4>Microsoft Windows Zero Configuration</h4>
<p>With Microsoft Windows Wireless Zero Configuration (and most other client implementations), wireless clients and Wireless Access Points (WAPs) alike persistently announce themselves: the WAP sends beacon frames and the client sends probe requests, which on older Windows versions could include the names of every network in the client's preferred list.</p>
<h4>Advertising Connectivity Offers and Requests</h4>
<p>The client keeps transmitting requests for connectivity and the WAP keeps transmitting offers to provide it, whether or not the two are actually connected.</p>
<h4>Wireless Networking Administrative Overheads</h4>
<p>Yes, this adds to a wireless network's administrative overhead, and it tells anyone listening what networks your laptops expect to find. Most operating systems, networks and wireless devices announce their presence in the same way, so disable ad hoc mode and remove stale networks from the preferred list on corporate clients.</p>
<h4>MAC Address Filtering</h4>
<p>The simplest form of device-level access control is MAC address filtering. Wireless Access Points (WAPs) and wireless routers let the administrator define an access control list based on Layer 2 addresses.</p>
<p>The MAC addresses of permitted wireless devices are entered into the WAP's or router's MAC address filter table, and a simple Permit/Allow or Deny rule is associated with each entry.</p>
<p>The usual way to use the filter table is as an allow list: enter the MAC addresses of the specific clients that are permitted and deny everything else. A device whose address is not listed is refused association and its frames are discarded by the WAP.</p>
<p>MAC filtering is applied when a client tries to associate, before any user-level authentication takes place. Be clear about what it does and does not do: the client's frames are still transmitted over the air (the WAP simply refuses them), and because source and destination MAC addresses sit in the unencrypted 802.11 frame header, anyone sniffing the channel can read a permitted address and configure their own adapter to use it. Treat MAC filtering as a housekeeping measure that keeps casual devices off the network, not as authentication; the real controls are the encryption and authentication described below.</p>
<h4>Service Set Identifier (SSID)</h4>
<p>The Service Set Identifier (SSID) is the name that identifies an 802.11 wireless LAN (WLAN). By default every WAP includes its SSID in the beacon frames it transmits, so all client devices within range learn the name.</p>
<p>Which WAP a client connects to depends on the client's configuration: either a pre-configured network is joined automatically, or the user picks one from the list of networks discovered through their beacons.</p>
<p>Disabling SSID broadcast removes the name from the beacons and keeps your network out of the lists that casual users and simple scanners see. It is not concealment: the WAP still beacons, the SSID is still sent in the clear in probe responses and association requests, and tools such as Kismet will recover it as soon as a legitimate client connects. Hiding the SSID also has a cost, because clients configured for a hidden network must probe for it by name wherever they go, which advertises your network name from every laptop that leaves the building. Verifying the SSID before connecting does not protect against an "evil twin" access point either, since an evil twin advertises exactly the same name; that threat is addressed by having the client authenticate the network, for example by validating the authentication server's certificate under WPA2-Enterprise (see Certificates below).</p>
<h4>Encryption</h4>
<p>All traffic over a publicly accessible transmission medium such as a wireless network should be protected by strong encryption, meaning current, well-reviewed algorithms with adequate key lengths.</p>
<h4>WEP</h4>
<p>If your equipment offers only Wired Equivalent Privacy (WEP), do not rely on the key length: both 40-bit and 104-bit ("128-bit") WEP keys can be recovered from captured traffic in minutes because of weaknesses in the way WEP uses RC4, so the longer key buys very little. Treat a WEP network as effectively unencrypted and plan to replace or update the equipment.</p>
<h4>WPA and WPA2</h4>
<p>If your equipment supports it, use WPA2 rather than WEP (this may require a firmware or driver update). WPA2 uses AES in CCMP mode, which is impractical for an attacker to break; WPA with TKIP was an interim fix for WEP-era hardware and should only be a stopgap on the way to WPA2.</p>
<h4>Authenticated Access Only</h4>
<p>Configure your wireless network to permit authenticated user and system access only.</p>
<h4>Pre-Shared Keys</h4>
<p>If you use a pre-shared key (WPA/WPA2-PSK), make it long and random. The standard allows a passphrase of 8 to 63 characters, and the passphrase is the only secret: the SSID that salts it is public, and the four-way handshake that proves possession of the key can be captured by a passive listener and attacked offline at leisure, so a short or dictionary-derived passphrase will eventually be guessed. Remember also that a PSK is shared by every device on the network, so it must be changed whenever a device or a person with access leaves.</p>
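<p>To see why the passphrase is all that stands between a captured handshake and the network key, here is an added example (not code from the article) of the passphrase-to-key mapping that IEEE 802.11i specifies: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits of output. The first test vector from the standard (passphrase "password", SSID "IEEE") is used to check the derivation; the passphrase generator and entropy estimate are the example's own additions.</p>

```python
import hashlib
import math
import secrets
import string

PMK_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_BYTES = 32          # 256-bit PMK
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars


def passphrase_problems(passphrase: str) -> list:
    """802.11 restricts a PSK passphrase to 8-63 printable ASCII characters (0x20-0x7E)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        problems.append("passphrase must be printable ASCII")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PMK_ITERATIONS, PMK_BYTES)


def random_passphrase(length: int = 63) -> str:
    """Generate a maximum-length random PSK. The user never types it; it is
    provisioned onto devices, so memorability does not matter."""
    p = "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))
    assert not passphrase_problems(p)
    return p


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, pmk_per_second: float) -> float:
    """Expected time for an offline attacker who must compute one PMK per guess
    and on average searches half the keyspace."""
    return (2 ** bits) / 2 / pmk_per_second


if __name__ == "__main__":
    # Known-answer check from IEEE Std 802.11 Annex: PMK for "password" / "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # A 63-character random PSK against an attacker doing a million PMKs/second
    bits = entropy_bits(63, len(PASSPHRASE_ALPHABET))
    print(f"{bits:.0f} bits, ~{expected_crack_seconds(bits, 1e6) / 3.15e7:.2e} years")
    print(random_passphrase())
```

<p>The 4096 iterations make each guess cost about 8192 SHA-1 operations, which slows an offline attack but does not stop one: an eight-character word from a list falls quickly, while a 63-character random passphrase has several hundred bits of entropy and is out of reach. Note that the PMK depends on the SSID, so two networks with the same passphrase but different names have different keys.</p>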
<h4>EAP Protected Authentication</h4>
<p>In corporate scenarios use 802.1X with an EAP method (for example EAP-TLS, PEAP or EAP-FAST) so that each user or device authenticates individually against a RADIUS server, and restrict the number and frequency of failed attempts before the account is locked out.</p>
<h4>Certificates</h4>
<p>If using certificates, configure the certificate-based authentication to validate both the user and the device before access to the wireless network is granted, and configure clients to validate the authentication server's certificate as well, so that they refuse to hand credentials to a rogue access point. Rogue systems without a valid certificate must be denied by default.</p>
<h4>Tunneling</h4>
<p>Corporate users should use an IPsec VPN with split tunneling disabled. This forces all traffic leaving the machine through the encrypted tunnel; configure it for AES (single DES is obsolete and 3DES is deprecated). Remember public wireless hot</p>
<h4>Application Layer Encryption</h4>
<p>Because public wireless hot spots generally offer no link-layer encryption, use application-layer encryption to make up for it: TLS for web and mail, SSH for remote shells, and for instant messaging a tool such as Simplite, which does a good job of encrypting IM sessions.</p>
<h4>Firewalls</h4>
<p>Install and run a software firewall if you have not already done so. Microsoft Windows XP and Vista both have a built-in firewall. Although it receives criticism from some quarters, the Windows Firewall is free with the operating system and has recently been improved. If nothing else is available, use it.</p>
<h4>Directory Services</h4>
<p>Correct configuration of user accounts and credentials through directory services such as Microsoft's Active Directory will help with a more granular control over user wireless network access and privileges.</p>
<h4>Corporate Firewalls</h4>
<p>For larger networks it is probably more appropriate to implement a strategy that includes one or more dedicated hardware firewall appliances with Intrusion Detection (IDS) and Intrusion Prevention (IPS) capabilities. Vyatta and Untangle both offer viable lower-cost alternatives to more expensive commercial firewalls such as Cisco's PIX and Microsoft ISA Server 2004.</p>
<h4>Malware</h4>
<p>Use antivirus and other anti-malware applications as appropriate, and keep their signatures current.</p>
<h4>Updates</h4>
<p>Regular updating of your security applications and tools, and of the firmware on your wireless equipment, should never be overlooked. This includes regular testing of both your wireless and wired networks and a thorough appraisal of their current state of readiness. Patching promptly is your best protection against newly disclosed ("zero-day") vulnerabilities.</p>
<h4>Security Policies</h4>
<p>Develop, implement and maintain appropriate wireless usage security policies.</p>
<h4>User Education and Security Culture</h4>
<p>Educate your users in wireless security best practices. Update and communicate with wireless users whenever issues arise. What affects one user is in all likelihood capable of affecting them all. Develop a security conscious atmosphere and culture.</p>
<h4>Other Technologies</h4>
<p>SSL/TLS (including Extended Validation certificates), SSH, OpenID, PPTP (now considered insecure; prefer L2TP/IPsec), L2TP, IPsec VPN, digital certificates, hashing algorithms</p>]]></description>
<pubDate>Sun, 05 Oct 2008 04:35:59 PST</pubDate></item>
<item>
<title>Password Security</title>
<link>http://www.webupon.com/Security/Password-Security.250379</link>
<description>
<![CDATA[<p>Computer security, hacking, and cybercrime related issues and scams now seem to make news headlines every day with some new slant that has netted fraudsters six figure sums from their illegal activities. Will it ever end? With this sort of money to be had the answer is probably not. There will always be somebody out to make a fast buck at somebody else's expense.</p>
<h3>Cybercrime Tug "o" War</h3>
<p>As attackers develop new strategies, defenders develop new countermeasures; the attackers then develop counter-countermeasures, to which the defenders respond in turn, and so on, at a rate that sets your mind spinning. It really does seem quite overwhelming at times.</p>
<p>Everybody's objective in the cybercrime tug o' war is to be on the winning side. Nobody likes losing, especially when what is at stake is your own property or, worse, your identity. However, there are steps you can take to reduce both an organization's and your own personal risk.</p>
<h3>Single Point of Failure</h3>
<p>Many systems today still rely on password-only authentication, so defending yourself and your organization against breaches of password security takes on heightened importance. Having a single point of failure (the logon name and password combination) leaves you more exposed to cybercrime.</p>
<p>Ostrich tactics won't work here, so be a cold-blooded, pragmatic realist: assess your current password security procedures and status honestly. Do not let anyone else know the details of your self-assessment. Identify areas of weakness and put them right.</p>
<h3>Passwords - Hard Copies (Paper)</h3>
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive long-running issues facing the information security specialist.</p>
<p>The best advice concerning the practice of making hard copies of authentication credentials is DON'T. But we live in the real world and people do. So here is what can be done to tighten security for password hard copies.</p>
<h3>Keeping a Copy in the Desk</h3>
<p>Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure as you might think; you cannot guarantee that nobody will attempt to break into the desk.</p>
<p>The locks on most desks are merely a trivial inconvenience to those with a little know-how and a flat-edged envelope opener. Five to ten seconds is usually all that it takes to open the majority of desk drawers.</p>
<p>Failing to lock your desk compounds the problem. It may save the desk's lock from damage but does nothing to save the hard copy of your passwords. You cannot watch your desk 24/7, so there is no way to guarantee that it is a secure place to store authentication credentials.</p>
<h3>Password Hard Copy Security Basics (If You Really Must)</h3>
<ul>
<li> Do not leave a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor</li>
<li> Do not make a hard copy of your logon and password details and leave it in open public view</li>
<li> Do not write your logon name and password on a post-it note and attach it to the PC or monitor. This is probably the worst password hard-copy security practice of all.</li>
<li> Lock desk</li>
<li> Use a safe</li>
<li> Store the credentials in another room or even off-site </li>
</ul>
<h3>Passwords - Electronic, Magnetic and Optical Copies</h3>
<p>While not as risky as maintaining hard copies of your authentication details considerable care still needs to be taken when storing electronic, magnetic or optical copies of authentication credentials. Here are a few pointers to improve your security preparedness with regards to storing password authentication credentials on electronic, magnetic or optical media:</p>
<p>Encryption - You should always encrypt the authentication credentials data when storing it in an electronic, magnetic or optical format.</p>
<p>Password Protection - Use a password to lock and protect the file for additional security.</p>
<p>Hashing - While you are at it, record a cryptographic hash of the file so that you can check its integrity later. Use SHA-256 rather than MD5 (MD5 is no longer collision resistant). Take the hash after the file has been saved to disk, and record the file's attributes (size, modification time) alongside it; this works equally well on NTFS (Windows XP, Vista, Server 2003 and 2008) and on other file systems.</p>
<p>Comparing the stored hash against a fresh one tells you whether the file has been modified in the interval. It will not tell you whether somebody merely read the file, because reading leaves the content unchanged; for that you need file-access auditing. Nor will it tell you who made the change, although another network user may well have left identifying evidence behind. Keep the recorded hash somewhere the intruder cannot also rewrite, otherwise they can simply update it to match.</p>
<p>Forewarned is forearmed. Knowing that somebody has tampered with your stored credentials lets you rotate them and removes the element of surprise from your attacker, who will most likely be unaware that you know they have been there.</p>
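<p>The following is an added example, not code from the article, of the integrity record just described: a SHA-256 fingerprint over the credential file's content together with its size and modification time, stored as a small JSON record and checked later. Where the record is kept (printed out, or on separate removable media) is left to you and is assumed to be out of the intruder's reach. The sample content in the test is constructed.</p>

```python
import hashlib
import json
import os


def fingerprint_bytes(content: bytes, size: int, mtime_ns: int) -> str:
    """SHA-256 over the content and the attributes, each length-prefixed so
    that bytes cannot be shifted from one field into another."""
    h = hashlib.sha256()
    for part in (content, str(size).encode("ascii"), str(mtime_ns).encode("ascii")):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


def make_record(content: bytes, size: int, mtime_ns: int) -> dict:
    return {"size": size, "mtime_ns": mtime_ns,
            "sha256": fingerprint_bytes(content, size, mtime_ns)}


def discrepancies(record: dict, content: bytes, size: int, mtime_ns: int) -> list:
    """Compare a file's current state with a stored record. An empty list
    means nothing changed. A matching hash shows the content is intact; it
    says nothing about whether the file was read."""
    problems = []
    if size != record["size"]:
        problems.append(f"size changed: {record['size']} -> {size}")
    if mtime_ns != record["mtime_ns"]:
        problems.append("modification time changed")
    if fingerprint_bytes(content, size, mtime_ns) != record["sha256"]:
        problems.append("hash mismatch: content or attributes changed")
    return problems


def record_file(path: str) -> dict:
    """Build the record for a real file (content + stat attributes)."""
    st = os.stat(path)
    with open(path, "rb") as f:
        rec = make_record(f.read(), st.st_size, st.st_mtime_ns)
    rec["path"] = path
    return rec


def verify_file(record: dict) -> list:
    st = os.stat(record["path"])
    with open(record["path"], "rb") as f:
        return discrepancies(record, f.read(), st.st_size, st.st_mtime_ns)


if __name__ == "__main__":
    import sys
    # python integrity.py record <file>          -> JSON record to store elsewhere
    # python integrity.py verify <record.json>   -> list of discrepancies, or OK
    cmd, arg = sys.argv[1], sys.argv[2]
    if cmd == "record":
        print(json.dumps(record_file(arg)))
    else:
        with open(arg) as f:
            print(verify_file(json.load(f)) or "OK")
```

<p>Including the modification time catches sloppy tampering, but an attacker who knows what they are doing can restore it, so the content hash is the assurance that matters. If the file is also encrypted, as recommended above, an attacker who cannot read it still cannot forge a version that hashes correctly.</p>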
<p>Theft - As with paper hard copies, any physical copy of any data is liable to additional risk of physical theft. Many thieves find it easier to steal physical objects compared to electronic objects. They may consider your PC too big to put in their pocket but CDs, USB flash drives, floppies disks and external hard drives are another matter all together.</p>
<p>Physical Security - Protecting electronic, magnetic and optically stored physical copies of your data always begins with physical security measures such as using data vaults, lock and key and off-site storage etc. You should also only store this information in an encrypted format to increase your data protection strategies.</p>
<p>Password Protect Electronic Copies - Password locking the files containing the copies of your password authentication credentials is also important.</p>
<h3>Password Complexity</h3>
<p>The more complex a password, the harder it is for an attacker to crack. Most attackers will simply move on to easier targets. It is strongly recommended that you ensure that any passwords that you use comply with the following guidelines:</p>
<p>Minimum Length - Make sure your passwords are at least 8 characters long. The more characters the better: a 14-character password or pass phrase is immensely stronger than one of 8 to 11 characters, because every additional character multiplies the space an attacker has to search.</p>
<p>Case Sensitive - Ensure that all password authentication mechanisms are case sensitive</p>
<p>Mixed Case - Use a mixture of upper and lower case characters</p>
<p>Numbers - Include at least one numeral in every password</p>
<p>Symbols - Include at least one non-alphanumeric character (symbol) in every password</p>
<p>Dictionary - Try not to use any real words that can be found in a dictionary</p>
<p>Social Engineering - Try not to use names or dates that are associated with you as a person. This means that you should not use your address or birth dates or the names of family, friends or pets either.</p>
<p>Defaults - Change all default authentication credentials at the earliest possible time. This will include the default administrator account and password. Also disable the Anonymous and Guest account access privileges.</p>
<p>Retry Limits - Limit the number of failed attempts permitted before the account is locked out (on Windows this is the Account Lockout Policy under Local Security Policy > Account Policies). Setting the lockout threshold to a small number such as three defeats online password guessing, because the attacker gets only a handful of tries per lockout period. Be aware of the trade-off: a very low threshold lets anyone who knows a user name lock that user out deliberately, so pair it with a sensible lockout duration and monitoring. None of this slows an attacker who has stolen the password hashes and is guessing offline; against that only password strength helps.</p>
<p>Retry Rate (Time-to-Wait) - You can also restrict the retry rate. Making the system wait five seconds before accepting another attempt after a mismatch renders online "brute force" tools impractically slow.</p>
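<p>As an added example (not code from the article), here is a login throttle that implements the two controls just described, a lockout after a number of consecutive failures and a minimum wait between attempts, with an injectable clock so the behaviour can be exercised without real delays. The thresholds follow the article (three failures, five seconds); the fifteen-minute lockout duration is an assumption. Requests that arrive during a wait or lockout window are refused without the password being checked, so they cannot be used to extend a lockout indefinitely.</p>

```python
import time


class LoginThrottle:
    """Per-user retry limit and retry-rate control in front of password checking."""

    def __init__(self, max_failures: int = 3, retry_wait: float = 5.0,
                 lockout_seconds: float = 900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.retry_wait = retry_wait
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable for testing
        self._state = {}                    # user -> (failures, last_attempt, locked_until)

    def check(self, username: str) -> str:
        """Would an attempt right now be processed? 'ok', 'wait' or 'locked'."""
        now = self.clock()
        _, last, locked_until = self._state.get(username, (0, None, 0.0))
        if now < locked_until:
            return "locked"
        if last is not None and now - last < self.retry_wait:
            return "wait"
        return "ok"

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record an attempt. Returns 'success', 'failure', 'wait' or 'locked'.
        `password_ok` stands in for the real credential check, which the caller
        performs only after this method would return 'ok' from check()."""
        status = self.check(username)
        if status != "ok":
            return status
        now = self.clock()
        failures, _, locked_until = self._state.get(username, (0, None, 0.0))
        if password_ok:
            self._state.pop(username, None)  # success clears the failure count
            return "success"
        failures += 1
        if failures >= self.max_failures:
            self._state[username] = (0, now, now + self.lockout_seconds)
            return "locked"
        self._state[username] = (failures, now, locked_until)
        return "failure"


class FakeClock:
    """Manually advanced clock for demonstrating the throttle."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for step in (False, False, False, False, False, True):
        print(clock.t, throttle.attempt("alice", step))
        clock.t += 5
```

<p>In a real service the failure counter should live in shared storage so that an attacker cannot spread attempts across servers, and the lockout events should be logged and alerted on: a burst of lockouts across many accounts is a password-spraying attack in progress.</p>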
<p>Password Renewal - Regularly change authentication credentials including passwords and passphrases.</p>
<p>Password Policy - Develop, document and implement a password/pass phrase policy and enforce it.</p>
<h3>Pass Phrases</h3>
<p>Using pass phrases rather than passwords is a far more secure practice. It lets you build in a higher degree of complexity while remaining memorable. As an example, you could use a pass phrase like 2Shorts&3Longs. Note that this example has a total of 14 characters and includes a mixture of upper and lower case letters, a numeral and the ampersand symbol.</p>
<p>A simple modification of this could be 2*Shorts&3*Longs. Simply adding the two asterisks makes this a 16-character pass phrase with mixed case, numerals and symbols. It is easy to remember if you think of it as "2 times Shorts & 3 times Longs". Do not use these examples themselves: any pass phrase that has been published is already in the attackers' word lists.</p>
<h3>Automatically Generated Passwords</h3>
<p>Most modern operating systems, including Windows and Linux, can generate passwords automatically that adhere rigidly to a predefined set of rules, such as those in a password policy.</p>
<p>Passwords generated this way are not necessarily easy for us mere mortals to remember. Pass phrases as outlined above may therefore be more appropriate for you.</p>
<p>Here is another pass phrase: InTheDoor4*4. At 12 characters of mixed upper and lower case with numerals and a symbol, this is a reasonably strong pass phrase that will be accepted by most if not all systems. Say it as "In The Door 4 by 4"; the rhyme is what makes it easy to remember. As with the earlier examples, treat it as a pattern to imitate, not a phrase to use.</p>
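<p>The complexity guidelines above and the pass phrase examples can be checked mechanically. The following is an added example, not code from the article: a checker that applies the length, case, numeral, symbol, dictionary and personal-term rules and, in addition, rejects the article's own published examples. The small word list is constructed for the example; use a real dictionary in practice.</p>

```python
import string

MIN_LENGTH = 8
RECOMMENDED_LENGTH = 14

# Constructed mini word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "shorts", "longs", "door"}

# The article's own examples: published, therefore burned.
PUBLISHED_EXAMPLES = {"2Shorts&3Longs", "2*Shorts&3*Longs", "InTheDoor4*4"}


def check_password(pw: str, personal_terms=(), blocklist=PUBLISHED_EXAMPLES) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Dictionary rule: a single word decorated with digits/symbols ("Password1!")
    # is still a dictionary word to a cracking tool that tries such mangling.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("is a dictionary word (possibly with digits/symbols added)")
    lowered = pw.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if pw in blocklist:
        problems.append("is a published example; never use it")
    return problems


def strength(pw: str, **kwargs) -> str:
    """'weak' if any rule fails, else 'acceptable' or 'strong' by length."""
    if check_password(pw, **kwargs):
        return "weak"
    return "strong" if len(pw) >= RECOMMENDED_LENGTH else "acceptable"


if __name__ == "__main__":
    for candidate in ("2Shorts&3Longs", "InTheDoor4*4", "Password1!", "summer", "Rex2019!"):
        print(f"{candidate:20} {strength(candidate, personal_terms=['Rex']):10} "
              f"{check_password(candidate, personal_terms=['Rex'])}")
```

<p>Passed the article's pass phrases with the blocklist disabled, 2Shorts&3Longs rates "strong" and InTheDoor4*4 "acceptable" (12 characters, under the 14 recommended); with the default blocklist both are rejected because they appear in print. The rules are the page's; they catch the obvious mistakes, but a checker cannot measure how guessable a phrase is, which is why length and randomness matter more than ticking every box.</p>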
<h3>Security-In-Depth</h3>
<p>Using a security-in-depth strategy entails the implementation of more than one mechanism in your defenses. You can build multiple layers of defenses based around password authentication.</p>
<p>One set of credentials (user logon name and password) opens a channel, after which additional passwords are required for any higher access privileges and user rights. This is the strategy Cisco uses in IOS: the login password gets you a user-level shell and a separate enable password is required for privileged mode. Cisco also provides the "enable secret" command, which stores the enable password as a hash instead of the trivially reversible "type 7" obfuscation that "enable password" with service password-encryption produces.</p>
<p>Here is an example to illustrate the security-in-depth approach using password authentication systems:</p>
<ol>
<li> You log onto the network using one password, which in association with your logon user name will, once authenticated, allow you access to basic network assets, services and resources</li>
<li> If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. We now have a two-tiered hierarchy of access privileges to specific resources. Still password-based, but immeasurably more secure than a single password that accesses everything.</li>
<li> Now suppose you wish to gain access to and modify sensitive information held within that database. In this case, you will need to supply another different user name and password. A third layer of password protection access has now taken place. Your level of security has increased yet again and the best bit is that it is not going to cost you anything. </li>
</ol>
<p>Most operating systems, including Windows, Linux and Apple's Mac OS, along with specialty application software (MS Word, OpenOffice, security suites etc.), support this strategy natively out of the box.</p>
<p>A classic example of this would be your email account. Your operating system will require you to supply the first password protected authentication level at logon. Your email service provider will require another password protected authentication when you wish to check your email.</p>
<p>WARNING: A word of caution, however. Unless the mail client is configured to use TLS (SSL/TLS or STARTTLS), email password authentication travels unencrypted, which is a very bad idea: anybody with a "packet sniffer" utility can capture the traffic and read the credentials in plain text at their leisure. To overcome this you can configure more secure communication channels and use multifactor authentication systems, which I do recommend and will discuss in another article that I hope to have finished in a day or two.</p>
<h3>Conclusions</h3>
<p>NEVER disclose account authentication credentials such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information remains known only to you, the user in question, and your security, administration and support personnel, and then only on a need-to-know basis. Bear in mind that a properly designed system never requires support staff to know your password: they can reset it, so they should never ask for it.</p>
<p>NEVER keep hard copies of passwords and other authentication details</p>
<p>ALWAYS store data in an encrypted format</p>
<p>ALWAYS afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network</p>
<p>ALWAYS implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.</p>
<p>REACTIVATE the logon password dialogue if it has been disabled</p>
<p>One final thought is to remember the 3 A's:</p>
<h3>AAA - Appropriate Authenticated Accessibility</h3>]]></description>
<pubDate>Thu, 11 Sep 2008 10:40:38 PST</pubDate></item>
<item>
<title>How to Recession-Proof Cyber Espionage</title>
<link>http://www.webupon.com/Security/How-to-Recession-Proof-Cyber-Espionage.239445</link>
<description>
<![CDATA[<p>Recent crime statistics show that during the last three U.S. economic downturns (the early 1980s, 1990s and 2000s) theft and robbery were at their highest rates. Among these statistics were crimes committed against corporations and businesses around the world by way of corporate espionage. Although the exact economic impact is not known at this time, a large share of these crimes is believed to have been committed by covert electronic techniques, better known as cyber espionage.</p>
<p>The term "cyber espionage" was first coined by the Department of Defense to characterize the methods used by opposing countries such as China and Russia to breach its top secret networks and steal U.S. military or government secrets. However, given recent evidence of a number of breaches at U.S. research labs and of targeted phishing campaigns against corporations in the U.S. and abroad, cyber espionage is breaking new ground at an alarming pace.</p>
<p>Today, economic gain appears to be the number one motivating factor for new and seasoned cyber criminals, followed by companies seeking a competitive advantage, and a variety of amateur hackers targeting large companies to establish a reputation and bragging rights. According to PricewaterhouseCoopers, corporate espionage costs the world's 1,000 largest companies in excess of $45 billion every year, and the SANS Institute ranks cyber espionage number 3 on its "Top Ten Cyber Menaces for 2008". If fifty percent of corporate espionage was indeed perpetrated by covert electronic techniques for stealing information, that would yield a $22.5 billion a year market for cyber espionage, based on the PricewaterhouseCoopers estimate. During an economic recession it would be very hard to find someone who would not want a piece of this market, especially if they could be convinced that their electronic criminal activities could not be traced.</p>
<p>In addition to financial gain, a new wave of cyber espionage is being launched by disgruntled employees who attempt to leverage the confidential data they obtained through network looting as a bargaining chip or for vindication against their own company or co-workers. Ironically, companies that have been victimized by cyber espionage are usually the ones with more than adequate resources and expertise to protect against the attacks.</p>
<p>In 2000, hackers broke into Microsoft’s systems and accessed Windows and Office source code. They had access to the source code for approximately three months before being discovered.</p>
<p>In 2001, Fortune magazine reported that Procter &amp; Gamble had been involved in illegal corporate espionage against its archrival Unilever. The article alleged that agents appointed by P&amp;G misrepresented themselves as market researchers and used other electronic methods to collect information about Unilever.</p>
<p>In 2006, the UK extradited two hackers to Israel because they developed and sold spyware that was used to spy on rival companies in Israel. Several private investigation companies in Israel sent e-mails with Trojan horse viruses that were designed to evade anti-virus applications.</p>
<p>In 2007, members of AirTran Airways’ executive management team in Orlando, Florida were targeted by phishing e-mails that sought to trick them into divulging confidential corporate information and placed bot-like malware on their computers to capture sensitive information.</p>
<p>The details of these cases were most likely made public due to regulatory reporting requirements; however, there are hundreds of cyber espionage incidents that are not publicized, even though regulatory requirements for reporting these types of incidents exist for the majority of companies affected. Publicly traded companies and companies operating in the healthcare, financial, and government contracting sectors all have regulatory reporting requirements as they pertain to information security incidents. However, most companies don’t report cyber security incidents for fear of damaging their reputation and potential revenue loss. Some companies report information security incidents as required, but not until well after the incidents have been mitigated and prevention measures have been implemented.</p>
<p>In most cases, if companies were to adopt an “ounce of prevention beats a pound of cure” philosophy regarding cyber security, rather than an “if it isn’t broke, don’t fix it” philosophy, the risk of cyber espionage could be reduced significantly. Unfortunately, most companies’ approach to cyber security is reactionary, which can prove detrimental to their reputation and bottom line when a breach occurs. Additionally, since cyber espionage often goes undetected, by the time it is actually detected it is usually too late to mitigate the breach before significant loss has occurred.</p>
<p>Just as other crimes seeking financial gain tend to escalate during economic recessions, it is very logical to assume cyber espionage is among these crimes. However, pouring money into the latest security solutions without a defined strategy will simply lead to more widgets eventually being left on the shelf collecting dust. To make sure your company is prepared to defend against targeted cyber espionage, I recommend the following strategies:</p>
<p><strong>Increase the Information Security Organization’s Visibility</strong></p>
<p>Most companies make the mistake of burying their information security organization under their information technology organization, which often limits the scope of information security to technological solutions only, not to mention the intradepartmental political screening that goes on to conceal from executive management the vulnerabilities caused by IT solutions. To achieve optimal effect, the information security organization must be strategically aligned with Legal, Risk Management, Human Resources, Regulatory, and executive management. Depending on the corporate culture, the industry, and/or the degree to which executive management values or understands the mission of information security, attaining appropriate visibility for the information security organization may be very challenging. Regardless of the challenge, information security leaders must strive to attain this goal, because visibility can be an effective deterrent.</p>
<p><strong>Implement a Best Fit Information Security Program</strong></p>
<p>Reliance on point solutions to protect your company’s information assets is an ineffective strategy with little to no return on investment. To become more effective in protecting the corporate environment from cyber espionage, information security leaders must take a holistic approach to information security by implementing a corporate-wide information security program that encompasses all personnel, processes, and technology. The security best practices defined by the ISO 27001 certification process can serve as a framework for implementing a best fit information security program for their company. An effective information security program should include components such as a security policy, a training and awareness program, an asset management strategy, compliance, personnel and physical security, access control, application/systems development, change management, a business continuity strategy, governance, and the most important component, buy-in from executive management and/or the board of directors.</p>
<p><strong>Layered Security Approach</strong></p>
<p>The days of relying on firewalls alone to protect enterprise perimeter networks and information assets are long gone; firewall manufacturers realized this years ago when they began integrating intrusion detection and prevention functionality into their products. Although the added firewall functionality is a significant improvement, it doesn’t address viruses and malware on mobile devices, data leakage and compliance issues, role-based and need-to-know access control, or security vulnerabilities that exist on converged networks carrying data, voice, and video. Information security leaders can better minimize the risk of cyber espionage by implementing technologies that provide protection, monitoring, and enforcement at the perimeter as well as within the defined security zones behind the perimeter, such as the desktop/laptop and the data center.</p>
<p>Technologies to consider for a layered approach are enterprise-class anti-virus and malware solutions for the desktop, email filtering solutions, web filtering solutions with dynamic URL verification and filtering, security information management systems with intrusion prevention and robust notification capabilities, data leakage protection solutions, and firewall technology for perimeter network and laptop protection.</p>]]></description>
<pubDate>Wed, 03 Sep 2008 03:42:54 PST</pubDate></item>
<item>
<title>How to Protect Against Identity Theft in Online Banking</title>
<link>http://www.webupon.com/Security/How-to-Protect-Against-Identity-Theft-in-Online-Banking.236565</link>
<description>
<![CDATA[<p>The convenience of online banking has increased the number of people who now use this feature offered by their banks as a way of conducting their financial transactions. With this popularity comes the increased risk of an unauthorized person or persons gaining access to your financial information and wiping out your savings, in addition to stealing your identity. Banks use the latest technology to make sure that your financial information is secure. When you access your account online you must use a password that only you know. This is the first essential ingredient in this security.</p>
<p>When you sign up for online banking, the bank will generate a password for you to use to log in for the first time. It is important that you change this password to one that you will easily remember, which should not be your birth date. So many people fall victim to fraud simply because they choose their birth date as their password. Anyone can easily gain this information about you and once they know your card number it doesn't take long for them to access your account.</p>
<p>There are measures you can take to prevent someone from gaining access to your account. For one thing, you should never reveal your card number or access code to anyone. If possible, memorize your card number so that you don't need to take it out every time you want to check your account or make transactions online.</p>
<p>Even when you use your home computer, you should have anti-virus protection installed. This helps prevent anyone from gaining access to the information you have stored on the computer. Make sure you download and install the latest security patches and have a firewall installed. Never respond to phishing emails that seemingly come from your bank. These are not legitimate; they are ways con artists try to get you to reveal pertinent information. Any email that asks for your PIN should be deleted from your computer.</p>
<p>If you use a shared computer, it is absolutely essential that you don't save any passwords on the computer. Never save your card number: as soon as the next person accesses the same bank from that computer, your card number will come up on the sign-in screen. You should also change your sign-in information on a regular basis to prevent any unauthorized access to your account.</p>
<p>At home, do not leave your computer logged into your bank account. Friends of your children may want to use the computer and could gain access in this way. Log out as soon as you are finished with your online banking. Review your account(s) on a regular basis and, as soon as you notice any activity that you did not initiate, report the incident to your bank immediately.</p>]]></description>
<pubDate>Sun, 31 Aug 2008 10:26:32 PST</pubDate></item>
<item>
<title>A Great Help: 14 Internet Downloadable Tools</title>
<link>http://www.webupon.com/Services/A-Great-Help-14-Internet-Downloadable-Tools.197765</link>
<description>
<![CDATA[<p>We live in a generation where technology is one of the greatest means of living -- well, most of it. Simple communication, security, and business transactions are just a few of the things we do daily that connect us to the Internet and other technologies. The Internet, for one, has been widely used for everything from personal to business-related activities. Though we live in this technologically advanced era, not all of us have the expertise to deal with these things.</p>
<p>To help us all in our daily activities concerning the Internet, I would like to share this great find I encountered: 14 Internet Downloadable Tools (most of them freeware).</p>
<h3><a href="http://lavasoft.com/" target="_blank">Ad-Aware</a> (Free)</h3>
<p>Security is a main concern when we go online, which is why Ad-Aware is here to offer you protection from PC threats, including viruses and spyware. It allows you to scan your PC and alerts you when it has detected threat(s). It also allows you to put these threats into quarantine and/or delete them. It is a good idea to have more than one protector, because not all scanners find all threats -- just make sure they are all compatible.</p>
<h3><a href="http://www.radmin.com/products/utilities/lanscanner.php" target="_blank">Advanced Lan Scanner </a>(Free)</h3>
<p>If you have a network at home or at work and are sharing a single Internet connection, this downloadable freeware is for you. It has powerful scanning capabilities. You can use it for troubleshooting Internet connections and network configurations, and even for security purposes when connected to the Internet.</p>
<h3><a href="http://www.pcworld.com/downloads/file/fid,71755-order,1-page,1/description.html" target="_blank">Bandwidth Monitor 2 Lite</a> (Free)</h3>
<p>Are you a fan of downloading and/or uploading files? Bandwidth Monitor 2 Lite is for you -- it allows you to check your current bandwidth usage over time by displaying that usage in a constantly changing chart (it can also be displayed in text).</p>
<h3><a href="http://www.download.com/Comodo-Firewall-Pro/3000-10435_4-10460704.html" target="_blank">Comodo Firewall Pro</a> (Free)</h3>
<p>Comodo Firewall Pro protects your PC from inbound and outbound threats. It also protects selected files and folders so that malware cannot get into them or alter them in any way.</p>
<h3><a href="http://www.digsby.com/" target="_blank">Digsby</a> (Free)</h3>
<p>Communication has been essential from the very start, and with different types of messenger popping up, we can't be thankful enough. Digsby is a universal instant messenger that allows you to interact with friends and family who use other types of instant messenger (e.g. YM, AOL IM). It also surpasses these other types of IM because it allows you to check your social networking sites and even emails from web-based mail sites not associated with your IMs.</p>
<h3><a href="http://www.emailtrackerpro.com/" target="_blank">eMail Tracker Pro</a> (Price: $29.95 (15-day free trial))</h3>
<p>Unsure if the emails you're receiving are legitimate or not? eMail Tracker Pro gives you a set of tools for examining any email message that pops into your inbox -- tracing it back to its true point of origin and showing you the IP address and location of the sender, thus allowing you to tell whether the email has been tampered with. It also provides contact information for the domain from which the message was sent so that you can report any abuse.</p>
<h3>ePrompter (Free)</h3>
<p>Are you the type of person who has multiple web-based mail accounts, just like me? Oh, yes! And it really takes up my time opening one type of email after another -- I've got Gmail, Yahoo Mail, and Windows Live Mail (it's kind of required in my field of work). Well, ePrompter neatly solves our problem. It allows us to open all our web-based email accounts, check for new mail, compose and even delete messages; it also tells us how many new messages we have in each account.</p>
<h3><a href="http://filezilla-project.org/" target="_blank">FileZilla</a> (Free)</h3>
<p>Many individuals and businesses continue to use the file transfer protocol (FTP) as a way to share files because it does not block large file transfers. FileZilla is an excellent FTP client that combines simplicity with a robust feature set, and its interface is easy to use.</p>
<h3><a href="http://www.flashget.com/en/download.htm" target="_blank">FlashGet</a> (Free)</h3>
<p>Are you a fan of downloading? FlashGet is for you -- a great download manager that speeds up the process because it uses multithreading, keeps you safe, helps you organize your downloads, and allows you to find downloads via many different protocols.</p>
<h3><a href="http://www.foxitsoftware.com/pdf/rd_intro.php" target="_blank">Foxit Reader</a> (Free)</h3>
<p>Most online documents are in Adobe Acrobat format, so you need Adobe Acrobat Reader to open such documents; but Adobe Reader takes much time to download and is also prone to crashes. To help us with this, Foxit Reader is here -- it's small and loads much faster, thus doesn't take up much memory when used; it is also not prone to crashes.</p>
<h3>Free Internet Window Washer (Free)</h3>
<p>Familiar with cache files, browser history, auto-complete information, cookies? These are traceable trails you leave behind after any Internet activity, and they can matter for security and privacy. To ensure security and privacy when using the Internet, Free Internet Window Washer allows you to remove these traceable trails; it also removes traces of application activity, such as which files and/or folders were recently opened.</p>
<h3><a href="http://www.nirsoft.net/utils/multiple_ping_tool.html" target="_blank">PingInfoView</a> (Free)</h3>
<p>Pinging a website is like contacting the site to check whether it's alive and responds to the ping request. PingInfoView allows you to ping multiple web sites simultaneously, on any schedule you set, and displays the results in a graphical interface.</p>
<h3><a href="http://www.whitepeaksoftware.com/smtp-diagnostics.aspx" target="_blank">SMTP Diagnostics</a> (Price: $12 (30-day free trial))</h3>
<p>Are you handling SMTP servers? Are you encountering problems with them and have no idea what is wrong? SMTP Diagnostics is for you -- it performs a complete set of diagnostics on your SMTP connection and provides an in-depth report about any errors.</p>
<h3><a href="http://www.visualroute.com/lite.html" target="_blank">VisualRoute 2008 Lite</a> (Free; also with for-pay versions)</h3>
<p>VisualRoute 2008 Lite is a command line tool which allows you to display the route you take to contact a web server or other Internet device in a visually appealing way. It also shows a map of every hop, and graphs it accordingly against a background that shows response times. Highlighting a hop allows you to see important details, such as packet loss and speed.</p>
<p>What are you waiting for? Why don't you try these Internet downloadable tools and see how they can ease the burden of your everyday encounters with technology. Just make sure to take the necessary actions to ensure the security of you and your PC. Happy downloading!</p>]]></description>
<pubDate>Wed, 06 Aug 2008 03:31:55 PST</pubDate></item>
<item>
<title>15 Things Everyone Should Do to Protect Against Online Fraud</title>
<link>http://www.webupon.com/Security/15-Things-Everyone-Should-Do-to-Protect-Against-Online-Fraud.159835</link>
<description>
<![CDATA[<ol>
<li>Make up and use a proper, effective password for each separate website - don't skimp on this, it's your first line of defence so make it a good one</li>
<li>Don't use the same password for several sites, and ensure you change passwords each month - it's a drudge, but less of one than suffering a loss</li>
<li>Don't (ever) give your PIN or other security numbers away to anyone, and always check why someone wants your bank details - learn to refuse if unsure.</li>
<li>Never give someone your password to 'sign you in' and never give anyone your financial details for any reason - remember that, at worst, they may not take as good care of them as you do</li>
<li>Don't be panicked into acting on an email, pick up the phone and call your bank or log onto the bank site but type in the url or copy and paste from a list only you hold</li>
<li>Never click links in emails, always type in or copy and paste from a list under your control</li>
<li>Check online statements regularly - or at least once a week for seldom-used accounts - and remember your eBay account, too</li>
<li>Securely delete or electronically shred sensitive files on your machine; never simply delete them or, worse, put them in the recycle bin. Electronic data erasers are available free or for a small charge on the internet</li>
<li>Don't use photocopiers for sensitive documents - many new ones keep a copy of the document they process that may be accessible to others. If you want a photocopy you can scan and print</li>
<li>Never, ever, keep copies of financial documents unprotected on your hard drive and never keep printed copies unprotected around the house or in your office</li>
<li>Visit each financial institution you use and write down the number or numbers to call if something goes wrong and note also the procedure to follow</li>
<li>Important documents that can only be replaced with difficulty must be stored somewhere safe away from your home or work address like a bank or safe deposit</li>
<li>Use a shredder or burn sensitive documents you receive in the post or ones you print from the internet and make sure there are no exceptions to this</li>
<li>Remember phishing works on the phone, too - especially if your number is discoverable from the internet or from work documents</li>
<li>If you find something unusual - don't delay but act the same day</li>
</ol>]]></description>
<pubDate>Mon, 07 Jul 2008 09:23:20 PST</pubDate></item>
<item>
<title>Secure Your PC From Botnets</title>
<link>http://www.webupon.com/Security/Secure-Your-PC-From-Botnets.158157</link>
<description>
<![CDATA[<p>Once a computer is infected, it becomes a bot or zombie, waiting to do the bidding of its bot operator. These remote-controlled computers, or bots, are then used to launch DoS (denial of service) attacks, send spam, spread spyware, and assist in the theft of personal information such as credit card numbers, login IDs and passwords.</p>
<p>Thousands of computers are enrolled every day into a botnet. It is estimated that a fourth of all computers online are a part of various botnets.</p>
<p>A few years ago only a technically adept person could create and deploy botnets. Not so today. A cyber criminal without any technical knowledge can now buy a botnet kit online for a few dollars. These applications offer point-and-click functionality. With the click of the mouse a criminal can get information on the geographic location of his newly enrolled bot, the Windows patches installed, and the browsers used, and even encrypted communication between bot operator and the zombie computer.</p>
<p>These steps illustrate how a computer is enrolled as a zombie and then used to send spam, spread spyware, and conduct other nefarious activities:</p>
<ul>
<li>The bot operator sends a virus or worm, usually through email, to an unsuspecting user</li>
<li>The user opens the mail and clicks on a link or opens an attachment; the virus activates its payload, which in this case is the bot</li>
<li>The bot immediately contacts a control server set up by the bot operator and announces the success of its mission</li>
<li>The owner of the bot then monetizes his army of bots or zombies by selling access to the botnet to spammers. The spammers then send thousands of emails to the control server, which in turn directs the infected PC to send spam.</li>
</ul>
<p>These tips will help defend your computer from being enrolled into a zombie army.</p>
<ul>
<li>Try not to visit undesirable sites such as those involving sex, nudity, criminal skills, warez, pirated software, and illicit drugs. If you share your computer with other people you can create a firewall rule to prevent access to such sites. Check with your ISP whether they offer a content filtering service; if they do, sign up for it.</li>
<li>Since most systems are infected by means of a Trojan, virus or worm, it is wise to have a good anti-virus program installed with the latest virus definition files</li>
<li>Email is a favorite medium with cyber crooks for enrolling systems onto their botnets. Be suspicious of every email you receive, even if it is from a known person; it is a simple matter for these criminals to spoof an email. Never click on a link; instead, type the address into your browser's address bar. Open attachments only after you have downloaded and scanned them for threats.</li>
<li> Consider changing your browser to Firefox. Most exploits center on the security flaws of Internet Explorer. You can reduce the odds of your system being turned into a zombie by simply replacing your browser. </li>
</ul>
<p>If you suspect your system is infected with a bot, you can use the excellent free tool RUbotted from Trend Secure (http://www.trendsecure.com) to detect the presence of a bot. Because bots are typically worms, you might want to remove it with an anti-virus tool. Make sure to update your anti-virus with the latest definition files before you attempt to clean the infection.</p>]]></description>
<pubDate>Sun, 06 Jul 2008 01:30:46 PST</pubDate></item>
<item>
<title>How Safe are You on the Internet 1: Personal Safety</title>
<link>http://www.webupon.com/Security/How-Safe-are-You-on-the-Internet-1-Personal-Safety.145903</link>
<description>
<![CDATA[<p>If you're reading this, then I'm guessing that you're on the internet right now, right this very second. Innocently reading these words, skipping ahead and clicking that little “I Like It” button, you know the one. How safe do you think you are? Do you think you're secure? Well, think again. Everyone is in danger; there's no way to take that away, but it is possible to prevent yourself from becoming a victim of it. A potential paedophile may lurk behind every happy hyperlink you click, a suspicious scam hiding behind that attractive advertisement. Are you really, really safe? I'm going to talk in detail about internet safety, and hopefully I'm going to prepare you for anything unwanted on the internet.</p>
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/23/190787_0.jpg" alt="" /></p>
<h3>IM (MSN, Yahoo, AOL)</h3>
<p>Isn't Instant Messaging great? In seconds you can talk to all your friends with a few clicks and some simple typing, and you don't have to go through all the hassle of using the phone or tediously sending e-mails. But how can you be sure they're all your friends?</p>
<h3>Check Your Buddy List</h3>
<p>How many people on there do you know? How many people do you not know? Do you trust the people you don't know? Why not? How can you be sure that anyone who you don't know isn't a paedophile? One sure-fire way of checking is making them go on webcam; if they make an excuse such as “Oh sorry it's broken” or “I've lost it” then don't believe it instantly. Also, webcam images can actually be faked, so what you're seeing might not be what is actually there. You could ask your friend (someone who you trust and know in real life) if they know who the person is. Of course, I'm not saying you shouldn't have friends who you don't know in real life, but you should be more wary around them and if you feel uncomfortable with them, block/delete them.</p>
<h3>“ASL”?</h3>
<p>The term “ASL” stands for “Age, Sex, Location” and is often used when trying to get to know someone. My advice is to never give this information out. Just ask yourself, why are they asking? If they're a paedophile then this is going to be practically everything they want to know. “Are you a child? Are you the opposite gender of me? Where can I find you?” You just shouldn't give it out, it's not safe.</p>
<h3>“Zomg dere's a piccy of u naked @ http://somewebsite.com/"</h3>
<p>If someone says this to you, then it's most probably a virus. Viruses can take control of a computer and make it send unwanted messages, such as the above. These will usually include a link or be followed by an attempted file transfer. You can usually tell that these are viruses if the URL of the website doesn't end in .jpg, .png, .gif or any other known picture format, or if the file they're trying to send is a .rar or .zip or even .exe. There are many variations of this, so just watch out; to make sure, you could call your friend to see if they're being serious or not.</p>
<h3>Big Conversations</h3>
<p>Be careful with these: it's possible to have a conversation between several people at once, and anyone in the conversation can add anyone they want who is on their contact list. This means that people who you don't know may be listening in on what you say. So, either be very careful about what you say, or just leave the conversation. If you wouldn't shout it out in a crowded room filled with people you don't know, then don't say it on here.</p>
<h3>Reporting</h3>
<p>If someone is being sexually “weird” with you or abusing and insulting you then you should report it as soon as possible. To do this just click the button circled in the screenshot below:</p>
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/23/190787_1.jpg" alt="" /></p>
<p>And then follow the instructions given. It might also help if you save the offending conversation so that you can use it as evidence.</p>
<h3>Social Networking Sites (Bebo, MySpace, Facebook)</h3>
<p>Social Networking Sites are great, aren't they? They allow you to, um, what do they allow you to do? Oh yeah, they let you put up personal information so that you can meet strangers. They let you put up pictures of yourself so that people can see them, and they let you tell other people everything about you. Your profile could be a stranger's target.</p>
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/23/190787_2.jpg" alt="" /></p>
<h3>What Information Should I Give Out?</h3>
<p>Well, the safest thing would be to not give out any information. But of course, that takes away the entire purpose of a social profile. Things that shouldn't be too much of a problem are:</p>
<ul>
<li>First name</li>
<li> Country of residence</li>
<li> Gender </li>
</ul>
<p>Things which could potentially cause you unwanted abuse are:</p>
<ul>
<li>Pictures</li>
<li>Hobbies</li>
<li>Full Address</li>
<li>Last Name</li>
<li>School you go to</li>
<li>E-Mail Address</li>
<li>Mobile Phone Number</li>
<li>Age</li>
<li>Sexual Orientation</li>
<li>Religion</li>
</ul>
<p>If you have a social profile, look at it. Now. Think to yourself, if you were someone who wanted to stalk/rape/insult you, would you be able to?</p>
<h3>Make your Profile Private</h3>
<p>This will only take a few seconds but seriously, it'll be worth it. It'll provide so much more security for your online presence. Do it.</p>

<h3>Your Friends Profiles</h3>
<p>Even if your profile cannot be accessed, some of your friends' profiles may be accessible. If you leave a comment on a friend's profile such as “Oh yeah Alton Towers is gonna be wicked! Can't wait till next Saturday.” then people will be able to see a picture of you next to the comment, and, having a time and a place, they will be able to locate you. Just be careful, and advise your friends to make their profiles private too.</p>
<h3>Other</h3>

<p>Are you a hip and trendy YouTuber? Well, if so, do any of your videos have a street sign in them? If so, then stalkers might be able to track you down. You might wave it aside as just another piece of useless information, but if someone puts all the pieces together then they could build up a pretty good portfolio on you.</p>

<p>For further more in-depth information about this here are some pretty useful websites:</p>

<p><a href="http://www.us-cert.gov/reading_room/" target="_blank">Reading Room</a></p>

<p><a href="http://www.getsafeonline.org/" target="_blank">Get Safe Online</a></p>

<p><a href="http://www.ceop.gov.uk/" target="_blank">CEOP</a></p>

<p><a href="http://thinkuknow.co.uk/" target="_blank">Think U Know</a></p>

<p>I know, this article may have seemed quite boring to you, but it's important. It's very important that you pay attention to this article; internet crime is on the rise and you need to be secure. Pass this on to your friends too, they need to know (no, this isn't just a way for me to cheekily get more views). The next part of this will be “How Safe Are You On The Internet? Part Two: PC Security” and will be about viruses, hackers, firewalls etc. Very interesting.</p>
<p>Thanks for viewing.</p>]]></description>
<pubDate>Mon, 23 Jun 2008 07:03:37 PST</pubDate></item>
<item>
<title>Information Protection and Regulation</title>
<link>http://www.webupon.com/Security/Information-Protection-and-Regulation.139701</link>
<description>
<![CDATA[<p>“It is not merely good enough to do good, you must be seen to be doing good.”</p>
 
<p>As the above adage highlights, the secure management and handling of information is only part of the issue. Being able to prove that you are indeed in full compliance with all relevant regulations and standards is the real crux of the matter.</p>
 
<p>With the multitude, and often the overlap, of current laws, regulations and standards, it can be very bewildering just knowing where to start. If you have cross-border and multi-jurisdictional transactions, the issues become even cloudier.</p>
 
<p>Here are some of the issues and best practices pertaining to information security, management and compliance from a documentary evidence perspective.</p>
 
<h3>Logging Requirements</h3>
 
<p>Fortunately, IT does offer a number of options to ease the burden of regulatory compliance and associated creation and management of substantiating evidence. One of the easiest to implement strategies is the development of customized logging procedures, practices and policies.</p>
 
<p>The beauty with IT logging processes is that for the large part their mechanics are automatable. The reviewing of logs will require some degree of manual involvement. However, log creation and review processes performed in conjunction with data management techniques present us with many filters that are useful in producing a higher degree of granular inspection and control than is possible by manual observation and review alone.</p>
 
<p>The secret to the effective and efficient use of these procedures lies in two things: the plan and procedures you develop taking the specifics of your requirements into account, and consistent adherence to the documented review, analysis, anomaly response, retention and final destruction procedures thereby developed.</p>
 
<p>Here are a few of the laws, regulations and standards that you may need to take into consideration:</p>
 
<ul>
<li>The US Health Insurance Portability and Accountability Act (HIPAA) along with the US Federal Information Security Management Act (FISMA) are of particular importance here. Other US laws of note in the area of information security include the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA). Various states also have individual breach notice laws that apply differently in their respective jurisdictions.</li>
 
<li> Canada's Personal Information Protection and Electronic Data Act (PIPEDA)</li>
 
<li>The EU's Data Protection Directive along with the European Community Directive Data Privacy Principles (ECDDPP) need evaluating in any assessment undertaken by individuals or organizations currently conducting, or hoping to conduct, business with organizations or individuals resident or domiciled in the EU or a jurisdiction thereof.</li>
 
<li> The Australian Federal Privacy Act (1988) and the subsequent Australian Federal Privacy Act December 2001 Amendments with the provisions pertaining to personally identifiable health related information being of particular note</li>
 
<li> The Australian Federal Telecommunications Act 1997, The Australian Federal Corporations Act 2001 and The Australian Federal Spam Act 2003 also merit consideration when developing logging policies pertaining to activities conducted within or with Australian institutions, organizations or individuals</li>
 
<li>Local breach notice laws exist in many regional and municipal areas and will therefore need consulting where applicable.</li>
 
<li> Payment Card Industry (PCI) Data Security Standard (DSS) is a global set of standards more or less adopted by financial institutions and merchants in regards to payment via payment card systems </li>
 
</ul>
<h3>The Global Perspective</h3>
 
<p>Given the multiplicity of these laws, a number of organizations with a more “global” perspective have formed to assist with the establishment of greater standards and consistency worldwide. They include:</p>
 
<p>Organisation for Economic Cooperation and Development (OECD) - The OECD is an international organisation that sets policies in areas where multilateral consensus is advantageous for individual countries to make progress in a global economy. The eight basic principles put forth by the OECD are:</p>
 <ol> 
<li>Collection Limitation - Data must be collected lawfully and fairly with the subject's knowledge and consent</li>
 
<li> Data Quality - All data collected and retained must be accurate, complete, current, and relevant for its intended use</li>
 
<li>Purpose Specification - The purpose for the collection of the data should be specified and remain unchanged</li>
 
<li>Use Limitation - Any data collected is not to be used for any purpose other than that originally stated and agreed</li>
 
<li> Security Safeguards - Data collected and held must be protected against unauthorised access, modification, or disclosure</li>
 
<li> Openness Principle - Data Policies should exist and a data controller should be clearly identified</li>
 
<li> Individual Participation - The subject of the data can review, challenge, and enforce correction of their data</li>
 
<li> Accountability - The data controller is responsible for ensuring the above principles are met </li>
 </ol> 
<h3>Other Agencies and Bodies</h3>
 
<p>Other leading privacy agencies and bodies around the world that incorporate the following basic principles, provisions and functions, either in law or in statute (opt-out policy, opt-in policy, additional personal privacy legislation, wiretaps, pen register and trap and trace), include:</p>
 
<ul>
<li> Better Business Bureau Online (BBB Online) (USA)</li>
 
<li> TRUSTe (USA)</li>
 
<li> Communications Assistance for Law Enforcement Agencies (CALEA) (USA) </li>
 
</ul>
<h3>Resources and Advice</h3>
 
<p>The US National Institute of Standards and Technology (NIST) - NIST are a very good reference source for information and resources involving security, privacy and compliance issues. They have a large number (more than 100) of free-to-download Special Publications dealing with all aspects of information technology.</p>
 
<p>One area in which NIST makes public statements is recommended technologies. NIST will indicate that certain technologies and standards conform to their recommendations, and will advise for or against specific technologies where superior alternatives exist.</p>
 
<p>An example of a technology that NIST once supported but have now withdrawn their support in favor of a replacement technology is in the area of encryption. NIST have now officially withdrawn their support of the 58-bit Digital Encryption Standard (DES) and now recommend Triple DES; also known as Triple Data Encryption Algorithm (TDEA) or the stronger faster Advanced Encryption Standard (AES) algorithm.</p>
 
<p>Regarding logs and logging procedures and practices, the NIST publication SP 800-92, Guide to Computer Security Log Management, is a great resource, as it details many ways to establish, evolve and maintain efficient, effective log management structures. Topics covered include log generation, analysis, storage and monitoring. It can be downloaded free of charge from <a href="http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf" target="_blank">here</a>.</p>
 
<h3>Log Review and Analysis</h3>
 
<p>The reasons you must regularly review and analyze the logs that you record and maintain include regulatory compliance requirements, as well as enhancing your information security, privacy and availability overall.</p>
 
<p>Through persistent, regular and consistent log review and analysis you will uncover many otherwise undetected activities capable of negatively affecting you or your organization. Some examples of common issues that I regularly find through the log review and audit process include policy violations, application processing errors, fraud, security incidents and operational functionality and efficiency issues.</p>
 
<h3>Policy Development Guidelines</h3>
 
<p>Since so many laws and standards have similar requirements for logging and for log review and analysis, the best approach is a carefully constructed logging plan implemented through a comprehensive log policy that incorporates all of these elements into a single, unified set of logging procedures and practices.</p>
 
<p>Do not try to satisfy each set of regulatory, statutory or standards requirements piecemeal. Your best plan of attack is to develop a comprehensive policy containing a general logging practices and procedures directive, with additional requirement clauses added as supplemental recommendations for the individual areas that warrant such treatment.</p>
 
<p>Developing a risk-oriented policy is often the easiest and most cost-effective means of expediting the implementation of procedures and policies where none currently exist, or where those that do exist are dated or inadequate.</p>
 
<p>Expediency in the matter of developing, implementing and then further finessing your logging and information control policies is critical in rapidly reducing the potentially negative impacts any immediate exposure to risk factors would cause due to the lack of such a policy.</p>
 
<h3>PCI DSS Compliance</h3>
 
<p>Without doubt, Payment Card Industry (PCI) Data Security Standard (DSS) compliance and ratification is the major concern of all who process credit card payments. This sector is of utmost criticality for online business and “offline” transactions alike, with “offline” being defined as transactions other than customer-initiated Internet-based transaction processing.</p>
 
<p>The essential requirements for PCI DSS compliance are contained in Section 10 of the PCI DSS standard, which details the actions required (not mandatory) to monitor network activities and cardholder data access events. The best bit here is that the majority of the audit logs generated in compliance with these stipulations also conform to most of the corresponding requirements of other laws and regulations.</p>
 
<p>IMPORTANT TIP - Getting your house in order regarding PCI DSS compliance will have the beneficial side effect of simultaneously fulfilling the majority of the auditing and logging requirements from other areas, leaving you to plug the remaining gaps as your circumstances dictate.</p>
 
<p>The bean counters love this approach as it addresses their area of immediate concern first - CASH FLOW. Nobody said you have to reveal your full motivations for this approach.</p>
 
<p>“Work smarter and not just harder” is something my mother always says. Once again, she is right.</p>
 
<h3>PCI DSS Compliance Logging Requirements</h3>
 
<p>Here are some of the computer, network and Internet activities that you will need to log in order to satisfy PCI DSS compliance requirements grouped by activity and class:</p>
 
<h3>Synchronization</h3>
 
<p>Synchronization procedures and mechanisms relating to all computer, system, network and Internet activities need thorough documentation. Not only must time synchronization data accompany all logs, it must be included specifically with every individual itemized event in the log.</p>
 
<h3>Authentication Mechanisms</h3>
 
<p>Current computer, system and network authentication mechanisms need thorough documentation along with additional log information detailing such criteria as changes to authentication mechanisms, invalid authentication events, password changes, administrative authentication-related activities.</p>
 
<h3>Audit Logs</h3>
 
<p>Events requiring documentation and logging here include access to audit logs, any modifications to audit logs and audit logging procedures, the clearing and destruction of audit logs for all components of the network including individual computers, server computers and networking devices as well as the services offered (e.g. Internet).</p>
 
<h3>Cardholder Data</h3>
 
<p>You must thoroughly document cardholder data access, processes, procedures and security initiatives. This includes details of those who are explicitly authorized to access cardholder data and those who are not. Details concerning the assets and resources involved in these processes must also be included.</p>
 
<p>Cardholder data related logs must include access to cardholder data events including valid and invalid events along with maintenance and formal audit access events. Other types of cardholder data related events that need logging include cardholder data storage, updating and maintenance, valid and invalid cardholder data applications access events.</p>
 
<h3>System-Level Objects</h3>
 
<p>You must log all system-level object events including creation, deletion, modifications and read-only events. This includes system-level events at the machine-level including workstations and clustered computer resources as well as the datacenter.</p>
 
<h3>Common Network and Cardholder Access Events</h3>
 
<p>All cardholder data access and/or network access events must contain a user identifier, event type, event date and time, attempt result (success/failure), event origin, and resource identity attributes such as the data file name, system component, computer, network, application, modifications, administrative activities etc.</p>
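<p>As an added example (not part of the original article), the following Python checks newline-delimited JSON audit records against the field list just given: user identifier, event type, synchronized date and time, result, origin and resource. The field names, thresholds and sample log lines are assumptions constructed for this example, not PCI DSS identifiers.</p>

```python
"""Added example (not from the article): a checker for the audit-event fields
listed for cardholder data and network access events, applied to constructed
newline-delimited JSON log lines.

Each event must carry a user identifier, event type, date and time, attempt
result (success/failure), event origin and the identity of the affected
resource; the time must be timezone-aware so events from different systems
can be correlated, which is the point of the synchronization requirement.
The field names and sample records are assumptions made for this example,
not PCI DSS identifiers.
"""
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result", "origin", "resource")
VALID_RESULTS = {"success", "failure"}


def parse_timestamp(value):
    """Return an aware UTC datetime, or None if `value` is not ISO 8601 with a zone."""
    try:
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None  # a naive time cannot be correlated with other systems' logs
    return ts.astimezone(timezone.utc)


def validate_event(event):
    """Return the list of problems with one audit event; an empty list means it passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if event.get(field) in ("", None):
            problems.append(f"missing {field}")
    if event.get("timestamp") and parse_timestamp(event["timestamp"]) is None:
        problems.append("timestamp is not an ISO 8601 time with timezone")
    if "result" in event and event["result"] not in VALID_RESULTS:
        problems.append("result must be 'success' or 'failure'")
    return problems


def validate_log(lines):
    """Validate newline-delimited JSON log lines; return {line_number: problems}."""
    report = {}
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report[line_no] = ["not valid JSON"]
            continue
        if not isinstance(event, dict):
            report[line_no] = ["not a JSON object"]
            continue
        problems = validate_event(event)
        if problems:
            report[line_no] = problems
    return report


# Constructed sample log: lines 1-2 are complete, lines 3-5 each break a requirement.
SAMPLE_LOG = [
    '{"user_id": "alice", "event_type": "cardholder_data_read", "timestamp": "2008-06-16T08:26:15+00:00", "result": "success", "origin": "10.0.0.12", "resource": "db.cardholders"}',
    '{"user_id": "bob", "event_type": "login", "timestamp": "2008-06-16T08:27:00Z", "result": "failure", "origin": "10.0.0.40", "resource": "app.portal"}',
    '{"event_type": "audit_log_clear", "timestamp": "2008-06-16T08:30:00", "result": "failure", "origin": "10.0.0.7", "resource": "syslog"}',
    '{"user_id": "carol", "event_type": "login", "timestamp": "2008-06-16T08:31:00+00:00", "result": "ok", "origin": "10.0.0.9", "resource": "app.portal"}',
    "not json at all",
]

if __name__ == "__main__":
    for line_no, problems in sorted(validate_log(SAMPLE_LOG).items()):
        print(f"line {line_no}: {'; '.join(problems)}")
```

<p>Line 3 fails twice, on the missing user and on the naive timestamp, which is exactly the kind of record that cannot be tied to a synchronized clock during an audit.</p>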
 
<h3>Log Generation and Management</h3>
 
<p>It is a sad fact that the majority of IT personnel are not cognizant of, nor do they fully understand the issues, implications and ramifications concerning authentication, logging, computers, networking, network monitoring and security logging, accounting and auditing practices.</p>
 
<p>To compound this further, most compliance personnel do not have an IT background and often make the fatal assumption that IT logs everything and retains the logs generated forever. The logistics of this approach are unrealistic, since the volume of data generated by a log-everything/keep-everything approach would rapidly bury an organization.</p>
 
<p>Another point that other management areas do not fully appreciate is that, for the most part, IT must have sufficient and appropriate documentation detailing precisely what is required before those requirements are achievable.</p>
 
<p>Assuming that IT knows all about every other department's logging requirements is unrealistic. It is essential to inform IT of the logging requirements of other departments if IT is to develop policies appropriate for satisfying organization-wide logging requirements. All logging and reporting activities require resources at the individual computer level as well as the network and organization levels.</p>
 
<p>A direct result of these factors is that, more often than not, inadequate and noncompliant logging procedures and policies are implemented in production environments.</p>
 
<h3>Developing a Log Policy</h3>
 
<p>Here are a few tips to assist you in the development of a log management policy or log management component of your larger log policy.</p>
 
<ul>
<li>General Comprehension - Understand and define the general logging requirements of all sectors of your organization and the types of logs they require. You do not have to fill in all of the nitty-gritty detail at this point.</li>
 
<li> Define Specifics - Meet with those responsible for specific areas and discuss in more detail the nature and specifics of their requirements including the types of data and report formats each department needs, the data types that are necessary to achieve organization-wide compliance and the data that each department would require should a breach occur. Discuss matters concerning the feasibility of collecting, collating and storing the logs and reports generated.</li>
 
<li> Fiscal Matters - It is best to begin addressing fiscal aspects and concerns now. Without doubt, other departments will be very willing to burden IT with as much of their workload as possible. With IT producing the extra logs and reports in order to satisfy every other department's requirements it is only reasonable to expect that additional resources may be required.</li>
 
<li> Analysis - Analyze these results and determine what areas are common for all. Also, define those areas that are common to most and those that are specific to one or two departments only.</li>
 
<li>Evaluate - Examine your current logging procedures and analyze the data types currently collected. Note those aspects of the above requirements you already satisfy. Produce a list of the “missing” factors.</li>
 
<li>Plan - Define mechanisms to incorporate collection and collation of these “missing” factors compatible with your system's current capabilities.</li>
 
<li> Test - Implement a trial run. Collect and collate this data then generate the appropriate reports for each department.</li>
 
<li> Determine Satisfaction - Meet with the other departments and discuss your trial reports. Determine if these reports are satisfactory. Have the other departments produce a report detailing areas of the trial reports that need amending.</li>
 
<li> Amend and Retest - Incorporate the amendments into a new trial run.</li>
 
<li>Reevaluate - Repeat the cycle until satisfaction is unanimous among all departments.</li>
 
<li> Review Regularly - Regularly review your data collection, collation and report generation procedures and policies to ensure complete alignment with all departments concerned.</li>
 
<li> Review Currency - Regularly evaluate the currency component of your current logging practices and policies. Make sure the other departments do likewise. Make sure that all departments notify you immediately of any changes to their policy or requirements. </li>
 
</ul>
<p>You cannot begin to develop procedures to satisfy another department's logging requirements if they do not inform you of these changes.</p>
 
<h3>Where Logs Help</h3>
 
<p>Here are some different types of logs and some of the areas in which they are useful.</p>
 
<ul>
<li> Networking Devices Logs - Logs from switches, wireless access points, routers and firewalls can identify intrusion attempts (by hackers for example) as well as connectivity issues such as legitimate authorized users not being able to gain access to assets and resources they are entitled to access.</li>
 
<li> Network Access Logs - These logs contain much information concerning network and network metrics as well as authorized and unauthorized access events, which can be very helpful in planning upgrades and network infrastructure changes. You will also find information relating to abuse of privileges and hacking attempts here.</li>
 
<li> User Account Logs - User account logs can help in the identification of brute-force password attacks and inappropriate changes in user account privileges.</li>
 
<li> Email Logs - Here you will find information that is helpful in the identification of many malicious, unauthorized and undesirable activities. A dramatic increase in inbound email traffic is often the first indicator of an email-based attack. Abnormally large volumes of outbound email traffic can point to a data leakage.</li>
 
<li> Application Logs - Will provide information about date, time and identity of client file access. They are a very useful source of information in identifying unauthorized access events as well as fraud and other malicious acts. </li>
 
</ul>
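<p>Two of the checks listed above, brute-force detection from user account logs and an outbound email volume spike from email logs, as an added Python example that is not part of the original article. The log line formats, thresholds and sample lines are assumptions constructed for this example.</p>

```python
"""Added example (not from the article): two of the checks the article says
account and email logs support, run over constructed sample lines.

- User account logs: a brute-force password attack shows up as many failed
  logins from one source within a short window.
- Email logs: an abnormally large hour of outbound email, measured against
  the preceding baseline, is a possible data-leakage indicator.
The line formats, thresholds and sample lines are assumptions made here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO time> auth <success|failure> user=<name> src=<ip>"
AUTH_RE = re.compile(r"^(\S+) auth (success|failure) user=(\S+) src=(\S+)$")
# Assumed line format: "<ISO time> mail outbound count=<n>", one line per hour
MAIL_RE = re.compile(r"^(\S+) mail outbound count=(\d+)$")


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: time} for each source reaching `threshold` failures inside `window`.

    The time recorded is that of the failure which crossed the threshold,
    i.e. the moment an alert would first fire.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    hits = {}
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or m.group(2) != "failure":
            continue
        ts, src = datetime.fromisoformat(m.group(1)), m.group(4)
        recent = failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) >= threshold and src not in hits:
            hits[src] = ts.isoformat()
    return hits


def find_outbound_spike(lines, factor=5.0, min_baseline=3):
    """Return [(time, count)] for hours whose outbound count exceeds `factor`
    times the mean of all earlier hours, once `min_baseline` hours exist."""
    counts, spikes = [], []
    for line in lines:
        m = MAIL_RE.match(line.strip())
        if not m:
            continue
        count = int(m.group(2))
        if len(counts) >= min_baseline and count > factor * (sum(counts) / len(counts)):
            spikes.append((m.group(1), count))
        counts.append(count)  # a flagged hour still joins the baseline; refine as needed
    return spikes


# Constructed sample lines: one source fails five times in 40 seconds,
# another fails twice 18 minutes apart (not an attack at these thresholds).
SAMPLE_AUTH = [
    "2008-06-16T08:00:00 auth success user=alice src=10.0.0.2",
    "2008-06-16T08:01:00 auth failure user=bob src=10.0.0.5",
    "2008-06-16T08:01:10 auth failure user=bob src=10.0.0.5",
    "2008-06-16T08:01:20 auth failure user=admin src=10.0.0.5",
    "2008-06-16T08:01:30 auth failure user=root src=10.0.0.5",
    "2008-06-16T08:01:40 auth failure user=bob src=10.0.0.5",
    "2008-06-16T08:02:00 auth failure user=carol src=10.0.0.9",
    "2008-06-16T08:20:00 auth failure user=carol src=10.0.0.9",
]

# Constructed sample lines: a steady ~40 messages per hour, then one hour of 900.
SAMPLE_MAIL = [
    "2008-06-16T00:00:00 mail outbound count=40",
    "2008-06-16T01:00:00 mail outbound count=35",
    "2008-06-16T02:00:00 mail outbound count=45",
    "2008-06-16T03:00:00 mail outbound count=38",
    "2008-06-16T04:00:00 mail outbound count=900",
    "2008-06-16T05:00:00 mail outbound count=42",
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_AUTH))      # {'10.0.0.5': '2008-06-16T08:01:40'}
    print(find_outbound_spike(SAMPLE_MAIL))  # [('2008-06-16T04:00:00', 900)]
```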
<h3>Summary</h3>
 
<p>Through a well thought-out and tested network, systems and applications log policy, and the procedures and practices contained within, you will be able to comply with the relevant laws, regulations and standards as well as supporting and improving your organization's bottom line through early detection of errors, fraud, non-compliance penalties and a host of other negatively impacting events.</p>]]></description>
<pubDate>Mon, 16 Jun 2008 08:26:15 PST</pubDate></item>
<item>
<title>Getting Rid of the Evidence: Information Disposal</title>
<link>http://www.webupon.com/Security/Getting-Rid-of-the-Evidence-Information-Disposal.139252</link>
<description>
<![CDATA[<h3>Overview</h3>
<p>In the following pages, you will find:</p>
 
<ul>
<li><strong>Recent Events</strong> - First up I present a number of recent events involving breaches of security pertaining to personally identifiable information.</li>
<li><strong>Concepts and Strategies</strong> - A discussion of the key concepts and factors pertinent to the irreversible destruction of information then follows. I then outline a number of simple step-by-step plans to implement these strategies for various media types.</li>
<li><strong>Quick Reference Guide</strong> - Finally, you will find a quick reference guide listing the various types and formats of information storage that you may occasionally need to destroy. </li>
</ul>
<h3>Recent Events</h3>
 
<p>Recent incidents of careless handling and management of personally identifiable information (PII) abound. For instance, in February 2008 a stack of boxes belonging to First Magnus Financial was discovered outside a University of Phoenix building in Fort Lauderdale, Florida, USA, containing files and paper records holding Social Security numbers, credit card information, names, addresses and other PII.</p>
 
<p>In Australia, another recent incident involved a movie hire chain that had disposed of reams of paper records via the public refuse disposal system. The records contained much PII from customers, employees and job applicants. They ended up at a landfill. Persons unknown retrieved them and, not long after, they found their way into the possession of identity fraud criminals. Police recovered them while investigating a number of individuals suspected of identity fraud.</p>
 
<p>A 2008 report by the National Health Service (NHS) in the UK found that no less than nine NHS trusts had recently lost patient information because of insecure practices regarding laptop computers, external hard drives, USB drives and optical media.</p>
 
<p>It is all very worrying indeed. Here is what to do to prevent any of the personally identifiable information (PII) that may be in your custody from escaping into the wrong hands.</p>
 
<h3>Information Disposal Concepts and Strategies</h3>
 
<p>As always, start by breaking the topic of generally disposing of information into a number of self-contained subcomponents. Create a number of smaller easy to manage categories that have members whose preferred method of destruction is the same. This will make it easier for people to identify exactly what it is that is required of them in any given situation.</p>
 
<h3>Physical Classification</h3>
 
<p>Try to group items based on physical attributes such as paper, hard drives, flash memory, USB devices, optical storage, peripheral device cache memory, magnetic tapes, computers, handhelds and communications devices such as cell phones and smart phones (iPhone, BlackBerry etc).</p>
 
<h3>Information Disposal Policy</h3>
 
<p>Develop and implement an information disposal policy detailing the procedures that all concerned must follow.</p>
 
<p>Clearly subdivide the various containers that hold any information that you do not want “leaked”. Define the scope that each component of your information disposal policy covers. For example, make headings such as “Paper Records Disposal Procedures” or “Computer Hardware Disposal Procedure” and “Mobile Devices Disposal Procedures”.</p>
 
<h3>Define Responsibility</h3>
 
<p>Responsibility for the security of personally identifiable information lies with the holder or keeper, if you will, of that information. This means everybody, including the cleaner. If the cleaner is not trusted with this information, then do not throw it in the bin where they must access it in the discharge of their normal duties - taking out the trash.</p>
 
<h3>Information Destruction Documentation Procedures</h3>
 
<p>For devices that have residual value, as well as those that require permanent and irrecoverable destruction, develop a destruction documentation procedure. Irrecoverable destruction of a device means more than irrecoverable destruction of the information it may have contained. It means that the device and all of its components will never function again, no matter how hard anyone tries.</p>
 
<p>For example, this would include recording the serial numbers of devices such as hard drives and USB flash drives, along with details of the irreversible erasure procedures conducted and by whom. The degaussing process and the final physical destruction of the device will all need detailing, together with the appropriate time information. Then record the ultimate fate of the destroyed device or components.</p>
 
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/15/181950_0.jpg" alt="" /></p>
 
<h3>Toxic Waste</h3>
 
<p>You have now ensured that no data is recoverable from these devices but your responsibilities do not end here. Most components of information systems including the media that the information is stored on contain considerable quantities of toxic materials. This factor needs addressing appropriately, when the time comes for their final disposal.</p>
 
<h3>Education</h3>
 
<p>Develop as part of your information disposal policy appropriate fact finding, user education and information dispersal strategies and programs. You will need to push as well as to pull here. Pull to learn what they do or do not know. Push to make sure everyone is adequately informed and familiar with required policy.</p>
 
<p>The biggest job will be educating everyone that you have an information disposal policy that sets forth all of the dos and don'ts. Make sure that everybody understands that compliance with this policy is not voluntary; it is mandatory.</p>
 
<p>Legislative regulations exist that make it so. Your job is to ensure compliance from your own and everybody else's behavioral practices in this regard. Technically, we call this Information Disposal Practices Dispersal (IDPD).</p>
 
<p>Repetition is a key component in all awareness-raising campaigns. The education of yourself and your users regarding appropriate information destruction and disposal techniques, practices and policy is no different. So develop a multi-phase plan that presents your message multiple times, in a number of different formats, cyclically over an extended time period to ensure that it never becomes “stale”.</p>
 
<h3>Communication</h3>
 
<p>Communicate your information disposal policy and its contents clearly and repeatedly using a variety of different communications channels and media. Memos, notice boards and emails are handy here.</p>
 
<p>Printed materials such as summary check sheets highlighting the procedure for information destruction for each category are essential. Always include contact details at the top and bottom of who to contact if there is any doubt.</p>
 
<h3>Degaussing</h3>
 
<p>Named after Carl Friedrich Gauss, an early researcher in the field of magnetism, degaussing is the process of decreasing or eliminating an unwanted magnetic field.</p>
 
<p>Because of a property called magnetic hysteresis it is generally not possible to reduce a magnetic field completely to zero. As a result degaussing typically induces a very small "known" field referred to as bias.</p>
 
<p>Data is stored in magnetic media, such as hard drives, floppy disks and magnetic tape, by making very small areas called magnetic domains change their magnetic alignment to be in the direction of an applied magnetic field.</p>
 
<p>The object of degaussing is to leave these domains in random patterns with no preference to orientation, thereby rendering previous data unrecoverable. Although some domains will remain nonrandomized after degaussing, they will be by far, too few to permit data reconstruction. The degausser generates a magnetic field in order to degauss magnetic storage media and it may be AC powered, DC powered or a very strong permanent magnet.</p>
 
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/15/181950_1.jpg" alt="" /></p>
 
<p>Modern monitors use an automatic degausser at startup so you can place a floppy disk against the monitor screen when you turn it on or push the manual degauss button on the monitor and you will find that the data becomes corrupted and very difficult to recover.</p>
 
<h3>Security-In-Depth</h3>
 
<p>The following procedure is far more secure than simply using one technique by itself. This is a basic, fundamental concept of security called security-in-depth. It is applicable to all systems at all levels. An old saying that comes to mind expresses this philosophy best: &ldquo;Don't put all of your eggs in one basket.&rdquo;</p>
 
<p><strong>ALWAYS</strong> use multifactor processes or multi-process systems.</p>
 
<h3>Magnetic Storage Media Information Destruction</h3>
 
<p>The recommended practice for irrecoverable erasure and degaussing of magnetic media is a three-cycle process.</p>
 <ol> 
<li> In the first cycle, you overwrite the media with a randomized pattern of ones and zeros three times. Then you degauss the media.</li>
 
<li> The second cycle will then overwrite the media with irrelevant but real data three times. This could be a set of MP3 or WAV files, followed by document files (PDF, Word documents, text files) and then another set of files such as streaming media, JPEG or MPEG files (pictures, movies, etc.). Some companies will use a set of images of extreme resolution in an uncompressed format. This has the effect of writing data to more than 90% of the disc's magnetic domains. Now you repeat your degaussing procedure using a different degaussing device or method (DC instead of AC, or a permanent magnet).</li>
 
<li> Finally, the last cycle will overwrite the disc another three times with randomized data. Then comes the final degaussing cycle after which the media is ready for permanent physical destruction. </li>
 </ol> 
<p>&ldquo;Why go to such extremes?&rdquo; you may ask. Well, the answer lies with the toxic composition of information technology systems and media.</p>
 
<p>Today you will find that there are regulatory requirements concerning the appropriate disposal and probable recycling of the materials used to make your storage media. Thus, you need to be very sure that there is no hope in hell that anything is recoverable from your waste after it leaves your control.</p>
 
<p>Remember that you are still responsible for the ultimate nondisclosure of all personally identifiable information, company secrets or your own secrets. If they get out, you will be wearing the consequences. By using the above procedure, you do not need to worry about the actions or irregular practices of others.</p>
 
<p>To illustrate further, I recently bought a dozen hard drives on eBay. In every case, their entire contents were readable. Being a little on the paranoid side, I always perform the secure irrecoverable information destruction procedure as outlined above. I do not want any of the previous owner's malware coming my way.</p>
 
<p>The previous owners had merely deleted the files prior to selling them. When the operating system deletes a file it only changes the flag marking that location on the drive as being available for writing new data. It does not overwrite or securely delete the old data.</p>
 
<h3>Electronically Stored Information Destruction</h3>
 
<p>There are many ways in which to destroy electronically stored information. Not all are equal in effectiveness, completeness or reliability. Remember the toxicity issues. Here are some of your options:</p>
<h3>Physical Destruction</h3>
<p>Use the above magnetic media information destruction process and then physically destroy the device. Sledgehammers and blowtorches do a good job once the device has been electrically and magnetically cleansed.</p>
<h3>Degaussing</h3>
<p>Use degaussing as outlined above for devices and media slated for retirement. If you intend to reuse the media, then degaussing is probably the best single option. It is often your best option in terms of speed and in prolonging the life of the media particularly when erasure by overwriting involves mechanical processes. All mechanical processes such as spinning hard drive platters or tape reels by their very nature cause wear and tear. Degaussing is magnetic and hence produces negligible physical wear and tear. You can only overwrite USB flash drives so many times before they fail. This is why it is a bad idea to be continually defragmenting USB flash drives.</p>
<h3>Low-Level Formatting</h3>
<p>Once is not enough, and low-level formatting should always be used in combination with other techniques. If you are going to reuse the media yourself, then a three-pass low-level reformat is an option, but the formatting tool needs to be of reliably high quality. Performing a full-disc low-level butterfly reformat is better than standard formatting processes but takes considerably longer.</p>
<h3>Overwriting (also known as wiping)</h3>
<p>Overwriting is only reliable in combination with other techniques such as degaussing. By itself, it is probably the least reliable of all of these methods.</p>
 
<p>The reason for this is that a thorough and methodical approach in conducting a three-pass overwrite cycle is essential. This is something that the Department of Defense (DoD) can ensure through military discipline, a luxury we do not have in the civilian world.</p>
 
<p>Repeatedly performing this procedure numerous times a day is not something to look forward to with any great anticipation. Human nature being what it is, shortcuts and slackness will rapidly become the norm. It is also a lengthy process and hence not cost-effective.</p>
 
<h3>Destruction of Paper Records</h3>
 
<p>Cross shredding is the preferred method here. If cross shredders are not available throughout your organization then you can collect all paper materials including delivery and transport identifiers and packaging for centralized cross shredding.</p>
 
<p>This is infinitely cheaper than the consequences and bad publicity arising from breaches of personally identifiable information security. People are very sensitive about their own personal information and not very forgiving or sympathetic to those breaching their trust.</p>
 
<h3>Communication Devices Information Destruction</h3>
 
<p>Removing the battery will not destroy the data stored within. You must thoroughly remove data from all mobile communications devices such as cell phones, smart phones, PDA/Phones etc. Develop procedures and policies for doing this. Instruct all concerned in these procedures.</p>
 
<p><img src="http://images.stanzapub.com/readers/webupon/2008/06/15/181950_2.jpg" alt="" /></p>
 
<p>Schedule periodic &ldquo;refresher&rdquo; courses and updates which stress the seriousness of breaches of personally identifiable information resulting from improper disposal of these devices.</p>
 
<h3>Decommissioning and Retiring Assets</h3>
 
<p>Assume that all such devices, including older computers, workstations, servers, laptops, etc., contain personally identifiable information and act accordingly. Irreversibly remove all data from the asset that is about to be decommissioned. Develop appropriate policies and procedures along with suitable education programs.</p>
 
<h3>Quick Reference Guide</h3>
 
<p>It is a good idea to provide everyone with a quick reference guide. Not everybody remembers everything forever. I have listed below a sample quick reference list that you can use in any way you wish.</p>
 
<ul>
<li>PC with hard drive - Erase irreversibly, degauss, physically destroy if appropriate </li>
<li>External hard drive - Erase irreversibly, degauss, physically destroy if appropriate</li>
<li>USB Drive - Erase irreversibly, physically destroy if appropriate</li>
<li>Thumb Drive - Erase irreversibly, physically destroy if appropriate</li>
<li>Memory Sticks - Erase irreversibly, physically destroy if appropriate</li>
<li>Fax Machine - Erase irreversibly, physically destroy if appropriate</li>
<li>Printer - Erase irreversibly, physically destroy if appropriate</li>
<li>Copier - Erase irreversibly, physically destroy if appropriate</li>
<li>Optical Discs - Physically destroy if appropriate</li>
<li>Floppy Disks - Erase irreversibly, degauss, physically destroy if appropriate</li>
<li>Tapes - Erase irreversibly, degauss, physically destroy if appropriate</li>
<li>Handhelds (PDAs etc) - Erase irreversibly, physically destroy if appropriate</li>
<li>Cell Phones - Erase irreversibly, physically destroy if appropriate</li>
<li>Smart Phones - Erase irreversibly, physically destroy if appropriate</li>
<li>Paper - Cross Shred</li>
</ul>
<p>Attention: Documentary evidence of destruction is required. See information disposal policy for details.</p>]]></description>
<pubDate>Sun, 15 Jun 2008 08:36:27 PST</pubDate></item>
</channel>
</rss>
