Nov 13, 2012

Changes to NHT Consulting


Effective November 1st 2012 NHT Consulting is no longer accepting clients. Existing NHT clients will be transitioned to a sister company and still will be handled with the quality and professionalism they have had in the past.

The reason for this is that I have accepted a full-time position with TrustedSec as a Senior Security Consultant. Here is a little background on TrustedSec:

Company History:
TrustedSec, LLC was founded on the belief that the information security industry is in need of extremely tailored and niche services aimed around maturing a company’s security program. The founder, David Kennedy, started off his career working for the National Security Agency (NSA) and then went on to become the Chief Security Officer (CSO) for a Fortune 1000 company. At this company, he built one of the industry’s cutting edge security programs from the ground up.
We understand the nature of business and the hurdles needed to develop a security-conscious culture within an organization. Having built a number of security programs and matured organizations’ security posture, TrustedSec is one of the leading security consulting firms in the nation. Instead of being “just another vendor”, TrustedSec prides itself on establishing a long-term relationship with our customers by establishing trust and making sure we are only offering services that will enhance the security of our clients.

Our team is made up of highly-skilled and technical leaders in security that have the ability to communicate to the business in a way that everyone understands. Our goal isn’t to provide just a penetration test or a risk assessment, but to ensure that the company progresses in a maturity model towards successfully defending against attacks. Successful security programs are built with the idea that the entire organization promotes security. 

We continuously contribute to the open-source community and the betterment of security in general. David Kennedy developed “The Social-Engineer Toolkit (SET)” and “Artillery”, two leading open-source toolsets in the security community with over two million downloads from across the globe. TrustedSec’s President / CEO was one of the founding members of the Penetration Testing Execution Standard (PTES), one of the most popular frameworks and standards to leverage for penetration testing methodologies. In addition to open-source development, TrustedSec consultants speak at a number of security conferences around the world including Black Hat, DEF CON, ShmooCon, DerbyCon, Hashdays, InfoSec World, BSides, Hack3rcon, Information Security Summit, ISSA, ISACA, InfraGard, and many other conferences.

I am looking forward to being a part of a very dynamic and professional team.

For more information check out http://trustedsec.com

Mar 29, 2012

RAM Forensic Analysis - Useful in Penetration Testing?

I recently had the privilege of attending an Advanced Live Forensic and RAM Analysis course taught by a close friend of mine, Nick Furneaux, while in England a few weeks ago. Nick is an amazing teacher and an expert on digital forensics. He has worked on investigations for everyone from private corporations to law enforcement and other government entities. Recently he was "involved in a prosecution of a man who was accused of various forms of grooming, sexual assault, voyeurism etc of several teenage girls in his community centre." Using some amazing forensic visualization techniques, the pedo-creep defendant was found guilty. More on that in Nick's blog (link below).

Going into the course, honestly I was thinking it would be a blast and the info would really get my hacker juices flowing, but in a practical way, based on my current job, would I be able to apply it? Being a pen-tester by trade and digital forensics being a small part of what I do, I was skeptical, although very excited to attend. Could I use this in pen-testing?

After the first day I knew the answer. YES! I can use this in pen-testing, primarily in internal pen-tests with physical access to machines, or even in remote external post-exploitation scenarios. The course focuses on what can be acquired from dumps of live memory before a system is shut down. It's interesting to note that the de facto method in digital forensics to date, the way I had been trained previously for a criminal investigation or even corporate espionage, was to power the system off, dd image the drive, lock the drive in a vault, and then perform your forensic investigation on the raw image file you have retrieved while maintaining the chain of evidence.

But what about RAM? What exactly is stored in RAM that could be of use in either a criminal investigation or, from my point of view, what can I dump from RAM that I can use in a pen-test?

Basic fact: If it's running, it's in the RAM! Programs, services, registry, etc etc etc.
Like what?
Let's see…
  • Internet history/typed URLs
  • saved passwords & even leaked passwords from disk encryption products (e.g. BitLocker, TrueCrypt, etc)
  • IM logs (Skype, MSN, AIM, etc)
  • Running processes/programs --> malware analysis? yup
  • DLL handles
  • Windows Registry (Yes, the whole Windows registry is loaded into RAM during OS operation)
  • Network connections, remote IPs, ports, PID of the socket initiator, etc.
  • Windows SYSTEM & SAM hives. I repeat …SYSTEM & SAM hives! Hash dumps, my friends. (Useful in a pen-test, no?)
  • And so much more……
A wealth of juicy info ripe for the picking. Fun times await!!

With internal pen-tests, we sometimes overthink entry points or ways to gather information during an engagement. How many times have you used social engineering to access someone's workstation? Can you get a few minutes alone on the system, or even have the user run a small utility to dump the RAM on the machine? Most likely yes.

As a test, I used a small 202 KB Windows exe called DumpIt on a Win7 2 GHz, 2 GB RAM machine to dump the memory of the machine. Total time needed to accomplish this? 48 seconds. Granted, this wrote it to local disk, which reduced the time needed to write the raw file. Then, using the same exe and running from a USB 2.0 drive, the time was 2:58. But still, under 3 minutes and you have a raw image of the memory IN USE on the system. And of course there are several other transport methods that could be used. Keep in mind that the larger the amount of RAM, the larger the image dump, and this increases the time needed to dump the image.

The course showed practical use of commercial tools such as Helix Pro and F-Response. But it also made use of OSS tools like Bulk Extractor and the AMAZING Python-based Volatility framework. All in all, for me, this solidified the correlation between pen-testing & proper digital forensics. Looking back, I don't think that there was one pen-test that I performed where I couldn't have made use of the forensic techniques I learned in this course.
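To make the "it's all in RAM" list above and the Bulk Extractor mention concrete, here is an added example of the simplest form of what a feature-carving tool does over a raw memory image: find runs of printable text, decode them, and pull out URLs and IPv4 addresses with their byte offsets. This is my own illustration, not code from the course, from Bulk Extractor or from Volatility. The memory image is a constructed byte string assembled inline; the run-length threshold of six characters and the two feature patterns are my assumptions. The one thing a practitioner usually learns the hard way is covered deliberately: Windows keeps most user-facing strings in UTF-16LE, so an ASCII-only `strings` pass misses typed URLs and much of the registry, and the carver below scans both encodings.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a raw memory image: a few ASCII and UTF-16LE strings
# (Windows keeps most user-facing strings in UTF-16LE) surrounded by junk bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"GET /login?user=alice HTTP/1.1\r\nHost: intranet.example.local\r\n"
    + b"Referer: http://intranet.example.local/home\r\n"
    + b"\xff\xfe" * 8
    + "https://portal.example.local/reports/q3".encode("utf-16-le")
    + b"\x00" * 4
    + b"peer 10.0.5.23:445 established"
    + "ftp://files.example.local/backup".encode("utf-16-le")
    + b"\x90" * 16
)

# Runs of printable text in each encoding. Six characters is the assumed minimum
# (strings-style carving) so that stray printable bytes are mostly ignored.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Feature patterns applied to the decoded text of each run (assumed, simplified).
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\x00\"'<>]+")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset of the feature inside the image
    encoding: str   # "ascii" or "utf-16-le"
    kind: str       # "url" or "ipv4"
    value: str


def _scan_text(text, base, encoding, width):
    """Apply the feature patterns to one decoded run; width is bytes per char."""
    hits = []
    for kind, rx in (("url", URL_RE), ("ipv4", IPV4_RE)):
        for m in rx.finditer(text):
            if kind == "ipv4" and any(int(o) > 255 for o in m.group().split(".")):
                continue  # a dotted quad with an out-of-range octet is not an address
            hits.append(Hit(base + m.start() * width, encoding, kind, m.group()))
    return hits


def carve(image: bytes) -> list:
    """Return URL and IPv4 features found in either encoding, ordered by offset."""
    hits = []
    for m in ASCII_RUN.finditer(image):
        hits.extend(_scan_text(m.group().decode("ascii"), m.start(), "ascii", 1))
    for m in UTF16_RUN.finditer(image):
        hits.extend(_scan_text(m.group().decode("utf-16-le"), m.start(), "utf-16-le", 2))
    return sorted(hits, key=lambda h: h.offset)


def values(hits, kind):
    """Distinct values of one feature kind, in image order (for a quick triage list)."""
    seen, out = set(), []
    for h in hits:
        if h.kind == kind and h.value not in seen:
            seen.add(h.value)
            out.append(h.value)
    return out


if __name__ == "__main__":
    # Run against a real dump with: carve(open("memory.raw", "rb").read())
    for h in carve(SAMPLE_IMAGE):
        print(f"0x{h.offset:08x} {h.encoding:9} {h.kind:4} {h.value}")
```

On the constructed image the carver reports one ASCII URL, two UTF-16LE URLs, and one IPv4 address; the offsets are what you would feed back to a hex viewer or to Volatility to see which process owned that page. Real tools add far more feature types, deduplicate by context, and handle compressed and fragmented pages, but the two-encoding pass is the part that matters most when the target is a Windows box.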

Malware analysis is another area in which these techniques have application. Nick provided real RAM image dumps of Stuxnet & Zeus infected machines, and we analyzed these to find the infected processes as well as dissect and understand the logic behind the malware itself. It was very enlightening and educational. This has sparked a new interest in this type of research in me.

In closing, if you want to properly perform digital forensics on a target, as well as have your mind blown, take Nick's course if possible. And stay tuned, you may see it coming to the US in the near future.

Presently, and with permission from Nick, I am putting together a talk on this subject and plan to present it at DerbyCon 2.0 this year. http://derbycon.com


More info:
Nick Furneaux
Company site: CSITECH http://csitech.co.uk
Twitter: @nickfx

Jan 9, 2011

Social Engineering: The Art of Human Hacking - Essential Read for any Security Professional


Chris Hadnagy of Social-Engineer.org has done a tremendous job on a ground breaking new SE book.
I must say after reading this book I feel as though the name "Kevin Mitnick" will now be replaced with "Chris Hadnagy" when referring to Social Engineering. I was amazed at how this was not merely a collection of experiences but an in-depth, well researched, well organized crash course into the human psyche and the science behind human manipulation. My favorite chapter was number 6: "Influence: The Power of Persuasion", particularly the part on "Framing". This section really drove home the point that humans ARE hackable!
I appreciated how this book is not a "how-to" for would-be malicious hackers or con men, but a guide to the what, how and why of the techniques behind Social Engineering and how they can be used for malicious purposes. In fact, Chapter 9 is dedicated to "Prevention and Mitigation" of SE attacks.
The book is clear, concise and an easy read. This is a must-read for anyone in the Information Security field, but I think an essential guide for anyone in law enforcement, private security, or even John Q. Public looking to protect himself from being manipulated. Humans will always be the weakest link in the security infrastructure, but this book is a patch for our mental firewall. Highly Recommended.

Available at Amazon
And don't forget to check out Social-Engineer.org

May 12, 2010

Technical Analysis of the methods used by the Lower Merion School District webcam spying case.


I recently had the pleasure of contributing to Social-Engineer.org on a very interesting topic. Most media outlets are focusing their attention on the "official" theft tracking software and neglecting to analyze the main computer management agent that is installed on the computers and its capabilities. Thanks, Logan_WHD and the SE.org team, for the post.

Click Here for the article.

May 11, 2010


Watch this space.....

Dec 15, 2009

Social-engineer.org



First off... Whoa, first post since July! Zoinks! Busy Busy. Nice new adventures in Pen testing to write about in coming months though. I wanted to post a quick review of a site that ALL security professionals and penetration testers alike should be frequenting.


By far the best, if not the only, source of all things social engineering. Move over Mitnick! They are presently on their 3rd month of podcasts, and all I can say is it's pure gold! Partnering with well known figures in the security industry such as muts (lead Back|Track dev) and ReL1K (creator of Fast-Track and the new SET, the Social-Engineer Toolkit) makes this a match made in hax0r Heaven! LoganWHD has taken this sometimes fringe aspect of security, the HUMAN computer, and developed an awesome source for SE with the help of several members of the hacker community. John aka Elwood also brings years of law enforcement experience for a very well rounded framework for SE.

Bookmark this site, subscribe to the newsletter and get the podcast. You'll thank yourself!


Jul 2, 2009

Defcon 17 - Boing!!!


Well, it's that time again. Vegas will once again be swamped with the likes of white, gray and black hats from all creeds, colors, income tax brackets and species. What an experience! If you have a chance to attend I HIGHLY recommend it. More info can be found here.... http://defcon.org Be sure to check the DEFCON forums for info on attending. I personally liked checking out some of the YouTube vids from previous years to get a feel for what to expect.

Simple truth.... expect anything and besides getting a flight and hotel, don't really plan anything else. For maximum fun just go with the flow. You may end up in some very cool places rubbing arms with people you've only read about in the hacker community.

This year should be very interesting. Cool talks lined up: Johnny Long, Dan "attention whore" Kaminsky and, get this, Adam Savage from Mythbusters on the Discovery channel will be there this year. He spoke at The Last HOPE in NYC, I saw it, he's a really cool guy. Hoping to meet him. His twitter is "donttrythis". Checkity check him out.

Here are a couple of n3wb tips for maximum fun and $$ savings:

1) Shop for flight & hotel deals. This year, from Philly direct to Vegas and 5 nights hotel at the Circus Circus, a friend and I scored tickets for about $500 apiece. giggity giggity! Unless you want non-stop, no-sleep, no-rest, skip the Riviera for lodging. 10000 hotels other than that one to stay at.

2)DRINK WATER: you're in the friggin desert for mitnick's sake!

3) You won't get much sleep, trust me! Prepare the week before by getting some good rest. Out there, the place just drains the living crap out of you. I found that fitting in like four hours here and there kept me going. Well, that and lots and lots of Monster, Rockstar and 5-hour Energy.

4) Black is cool to wear, hey, we're hackers, it's what we do. BUT, and it's a HUGE BUT, bring black t-shirts that breathe! And shorts are a very good idea. Jeans suck! :)

5) Leave room in your luggage for swag! You will totally score some great stuff (i.e. t-shirts, or other crap you want to bring home). And is it really necessary to bring all your tech gear to the con? You may really only need a single system and any gear you may want to play with. It's easier in the long run also.

6) Don't access anything from public Internet access points in or around the Riviera, or anywhere really. Seriously. If you have access to or actually own a 3G, GPRS, GSM, CDMA etc WLAN card, use it! Stay off the hotel net and the public Defcon wifi/LAN with anything you care about. It WILL be hacked and/or compromised. Don't be a victim of the "wall of sheep" (google it if you want more info). What I do is use either a sanitized/clean HD with nothing of value on it, or a bootable USB key with Back|Track (remember to change the default password). But still remember not to check any webmail etc. SSL will not protect you. Ahh yes, and one more bit of advice: skip the ATM at the Riv. Trust me.... just bring enough cash ahead of time. ;)

7) Be humble. I don't care if you just hacked DOD or changed the Pres' BlackBerry ring-tone so that he's "rick-rolled" every time Biden calls him. There will always be someone who can put you down. Once you go for the first time you'll understand; you can spot an arrogant hacker SOB from a mile away (**ehhemm, kaminsky, cough**). l33t h@xoR$ IMO are always very humble. Trust me, sit back, be silent unless you're asking questions. Make friends. Learn. No "measuring" of size going on here. Hacking is about learning.

All in all, sit back and take in the awesome exchange of knowledge and technical exploration available.

Hope to see you there! Remember to search for the offsec & remote-exploit ppl.

nick8ch

Mar 17, 2009

Security Certification Exam Cage Match



What is the best group of letters to have after your name as a security professional?

I thought I would write a brief account of my experience with three such certifications: Certified Ethical Hacker (CEH), GIAC Certified Penetration Tester (GPEN) and Offensive Security Certified Professional (OSCP).

CEH

My experience with the CEH certification started with a one week boot-camp type training session through a training center in Plano, TX. The training was very “by the book”, and when I say that I mean “books”. During the first day we were given three large red books for a total of 2300+ pages of information AND a 500 page lab manual. In the classroom each of us had a small satellite desktop system loaded with WinXP Pro, Win2000 and a BackTrack partition. The trainer we had was actually a very good trainer, but the training lacked something. At the time I really couldn't put my finger on it due to my lack of experience with training sessions. More on that later, as you will see.
During the training we were told several times that EVERYONE here WILL pass the exam. This made me feel as if the whole purpose of this training was ONLY to pass the exam and get that little piece of paper and those three letters after our name. The books mainly focus on the use of Windows/Linux based programs and utilities that are already made for a specific task. Very little practical knowledge or challenging exercises. For example, a typical day session would be like this: “hello class, open to page such-n-such, we are going to see how to use Wireshark to sniff packets.” Following 5-8 slides on the projector explaining what the ins and outs were, we would open the program and start sniffing. “Ok, any questions? Good, moving on to our next tool.....” Was this an Ethical Hacking course or a discussion of man pages?
Overall I am glad I took the class. The 7 day session included the CEH and CHFI exams, which were a breeze. I'm happy I have the certs because it does show a degree of knowledge in the field of security and penetration testing. But, in the list of security certifications, I think the CEH is quickly losing credibility due to the fact that very little security experience is needed to pass this exam. It is very close to MS certifications in that simple memorization of material will allow you to pass the exam. If you can memorize some command line switches for Nmap and Netcat, you can pass this.

GPEN

The GIAC Certified Penetration Tester certification is relatively new to the arena. Approximately 350 certified at the time I received mine last month. From the GIAC website: “The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing and how to properly conduct a penetration test as well as best practice technical and non-technical techniques specific to conduct a penetration test.” The certification is based on the SANS 560 course material.

I did not attend any training for this exam and did not pay for it either. I received this certification basically on a dare :) Let me explain. GIAC decided that their certification didn't have enough publicity or wasn't being recognized, so they decided to offer the $900 exam for free to people who had recently passed one of the rival certifications, CEH & OSCP. I had just completed my OSCP, as I will explain later, and I decided to give it a whirl. The test was a 4-hour, 150 question multiple choice test that needed to be proctored at a testing center. Along with the exam I was given two free practice tests to take ahead of time. I passed those and scheduled my exam. Granted, I didn't really study or prepare too much, but I was able to pass.
With this certification I only have the exam to compare to the other two, so based on that, the exam still lacked something. I mean, could a level 1 tech support person have passed this exam? Well, multiple choice questions, 4 hours, I think so. This is really my point: where is the practicality of the exam? Does it show actual REAL working knowledge? If I can answer a question like “Which of the following tools would be used to create a Reverse Bind TCP shell?”, does that make me a security professional? Um, no.
Now, let's talk about the last certification.

OSCP

The Offensive Security Certified Professional certification is also relatively new. It's a certification that proves that the individual has a real working knowledge of a real-world penetration testing environment. The training, a lab testing environment and the exam are included in a package. The training is called “Pen testing with BackTrack”, instead of “Offsec 101” as it was called previously. From their website: “an on-line course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.”
So, the course is on-line and tremendously cheaper than other certifications. Is it any good? That's a big NO! It's way way better. It's AWESOME. With the lab time you receive with your training, you get VPN access to a real-world pen-testing lab environment with several target machines and objectives and exercises throughout the training. This in itself is an amazing learning tool. You also have a dedicated Windows system within the lab with several tools installed, including Core Impact, which most people haven't had access to due to the cost.
The training itself is CBT based using video, and you also receive a very well written training manual that goes along with the training. Each section ends with an exercise and an “extra mile” type exercise that you can perform and document for extra points at the end of your course. All in all the training is A+! Since the pre-reqs for taking this training require a previous understanding of TCP, network admin, etc., there isn't time wasted on very basic networking concepts. The training is by Mati Aharoni of Offensive-Security, a seasoned security professional with Google being his résumé. He is also the main developer of the BackTrack security Linux distribution, so the training focuses on using BackTrack as the platform for pen testing. If you opt to get the lab time (which, again, I will say GET IT) when you sign up for “Pen testing with BackTrack”, you will have the opportunity at the end of the training to attempt final challenges that have been designed to test all aspects of the training you went through. I give credit to the excellent training I received as being the reason I was able to blast through the GPEN exam. It is unlike previous technical training I have had in that it teaches you how to reason and think, not just fill your head with man pages from hacker tools. But enough about the training, since we are mainly comparing the exams for the certifications. How did the OSCP fare?

This was no Q&A exam. The OSCP exam is designed to test you as a Penetration Tester. Last time I checked, when you were testing a company's network they don't hand you a test with multiple choice questions. So this is where the OSCP, in its awesome practicality, stands above the rest. (The exam is 24 hours, yes that's right, 24 hours to complete.) You are given VPN access to a separate, specially designed lab dedicated only to you for your exam. You are then given objectives to complete. Basically you are told to find, exploit, document and prove exploitation of several systems in the exam lab. Hence the need for 24 hours, and I tell you I almost used all of the exam time (thank you Red Bull). The systems could really be any operating system, and you have no prior information regarding what is in the lab you are connected to. It truly is a test of EVERYTHING you were trained on in the course. It will test you to the very limits of what you are capable of, and it is a true challenge. Following the exam, you submit your notes and proof of exploits and you are then graded.

Conclusion

With so many people passing themselves off as “Security Professionals”, I think more than ever it is imperative that the individual show practical real-world knowledge of Penetration testing. For instance, do you only take a written test for your driver's license? Of course not. So why do some of the so called “best” security certifications not test REAL working knowledge? Many certifications test the individual on book knowledge and totally ignore the fact that when you are performing a penetration test you are in essence a malicious hacker for that project, so you in turn need to think like one. You have to think offensively from a black box perspective, and the OSCP nails that in all aspects of the training and exam. In my opinion this certification & training should be mandatory for anyone looking to break into the field of penetration testing. Yes, other certifications look great on a résumé, but as time goes on and the OSCP becomes more well known I think you will see more and more companies looking at this as setting the bar for security certifications.

Mar 2, 2009

Internal Network Policies Part 3:



The Enemy of my Enemy is my Enemy? Huh?

Yes, that statement may seem odd but it's true. Sometimes the greatest threat can come from within. In the last two articles we discussed how an employee of your own company could compromise your entire network by doing something as simple as downloading & sharing the latest Britney Spears song. But what are the implications of this action? Are your employees trying to sabotage your company? Most likely, No. But are your employees performing an action that is inadvertently compromising your information integrity? They might be....

What have you implemented as a company policy or procedure, to educate your employees of the fact that the action they take may impact the company in a negative way? Most of the time nothing of this sort is done, Why?

The problem lies in the fact that most network administrators dwell too much on making things “work” and not enough on making things “secure”. But what does this involve? It's much more than enforcing strong passwords or insisting that the staff not take data off the premises that may expose information that could lead to a breach. It involves an overall education of what can be done with a small portion of access to your company's network. For example, what information could I gain from a single e-mail login from, say, a sales person? Any inside information available there? Perhaps information regarding a product that you have a niche in? Do you ever send financial information to a sales person? The point is this: information you would normally pass off as insignificant between members of your own company may seem common, but to a rival company or malicious entity it could be very lucrative. What would be the cost to your company if that information was in the open? Could you lose your advantage or perhaps a crucial bid on a large contract?

Information is everything.

It is the life blood of your way of making money with your product or service.

How do you protect that?

By understanding the flaws that threaten the integrity of that information. Only by understanding how the “would be” attacker of your company thinks will you understand what really is at risk here. If you do not have someone who understands this very fundamental aspect of information security on your IT team, GET ONE. The need for the cookie cutter “bachelor's degree in computer science” is long gone. WORKING knowledge in the REAL world of computer technology and networking is ESSENTIAL.

To the CEO and management personnel that are reading this, I write this: there are more vulnerabilities in the software you run each day on your office PC than you can count. And I'm not talking about viruses, ad-ware or spy-ware. Real threats. More and more each day. I don't say this to frighten you but to educate you on the fact that when it comes to “conventional” knowledge of Information Technology, nowadays, it just doesn't cut it. You need to think beyond the out-of-the-box mentality of network security. Norton, McAfee, etc. will NOT save you from the real threats that lurk out there. You need real, active, intelligent staff in place to deal with the threats that exist.

What can you do as management? Have a conversation with your IT staff or IT provider. Ask them to explain what the TCP/IP stack involves and what tools such as NMAP and Netcat do. Do they understand the various forms of encryption when it comes to wireless? What's the difference between WEP & WPA? Or better yet, keep it short and simple, ask them to give you a detailed report on what steps they have taken to ensure that threats externally and internally are being actively defended against. With this report you should be able to determine what, if any, defense has been implemented against such attacks.

These queries are just the bare minimum of what a qualified IT person should be able to answer today. Why? Because setup and installation of your network is, for the most part, taken care of by the software/hardware manufacturer. Most setup of even enterprise networks is “wizard driven”, meaning automated or really easy. The rest, including securing your information, is up to your staff or IT provider, the human element. Make sure you are protected; in these critical financial times, you cannot afford to lose money due to an information breach.

If you have any questions about this series of articles or need assistance in assessing whether or not your information security is up to par, contact the MAEA. We have a qualified IT and Security staff that can answer your questions.

Nick Hitchcock

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com

nickh@nhtconsulting.com

Feb 11, 2009

Back|Track 4 Public is now available!


Our friends over at Remote-Exploit & Offensive-Security have rolled out the public version of BT4. The ISO and VMware editions are available via the following links:

http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm

You can distribute the ISO and VM, but the team asks that you please forward the above links for people to download from. This will give them good estimates on how many downloads are being made initially. Thanks and Enjoy!!


Greetz to muts, loganWHD, ziplock, ReL!k, MisterX, ZeroChaos, jabra, omar,TheX1le, and the whole team..... cheerz!
You can thank the team yourself on IRC, freenode net on #remote-exploit.

Feb 10, 2009

BackTrack 4 and ShmooCon 2009



I was privileged to be a part of the Remote-Exploit/Offensive-Security team this last weekend at the Washington DC based hacker con, ShmooCon. Was an awesome time. Many new friends made and many old acquaintances met again. I was able to be a part of distributing the new beta version of BackTrack 4. This has not been publicly available yet but should be shortly. Keep checking the Back|Track blog over at http://backtrack4.blogspot.com.

Here are a few pics from the event. Was a great time! http://flickr.com/photos/35146528@N07/

Enjoy... More info to come...

Dec 26, 2008

Internal Net Policies part 2


Internal Company Network Policies

Part 2: A framework for your IT procedures.

In our last edition of the journal, part 1 touched on the need of your company to have a good internal network policy for your employees and the need to enforce it. In this part we will touch on just how you go about doing that.

Is it a Policy, a Standard or a Guideline?

We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. We are focusing on “policy” for our discussion.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

This is different from a standard which is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows workstation for placement on an external (DMZ) network. A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

A Security Policy indicates senior management’s commitment to maintaining a secure network, which allows the IT Staff to do a more effective job of securing the company’s information assets. Ultimately, a Security Policy will reduce your risk of a damaging security incident.

What is right for me?

The most important thing to remember when starting the process of developing a Security Policy is that there is no “right” or “wrong” way to go about it. No one policy will work for every organization. There is no generic template that will meet every need. A fantastic policy for Company ABC might be useless to Company XYZ. That being said, a Security Policy must be a custom document that reflects your company’s specific security needs. In fact, a useless Security Policy is worse than no policy. Companies that boast of Security Policies thicker than a ream of paper are often the ones that have no idea what those policies say. The false sense of security provided by an ineffective policy is dangerous. The point of a Security Policy is not to create “shelfware” that will look good in a binder, but rather to create an actionable and realistic policy that your company can use to manage its security practices.

A Great Framework

Having an Information Technology framework for your company is an essential first step in defining how your technology is handled internally. Thankfully there is a well-established framework to help companies accomplish this. The Information Technology Infrastructure Library, known as ITIL, is a customizable framework of good practices designed to promote quality computing services within your company. ITIL provides a systematic approach to the provisioning and management of IT services. Its service lifecycle is made up of Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement; incident management sits under Service Operation and information security management under Service Design, which is why a security policy program fits naturally alongside it.


Stay tuned for part 3.........


Nick Hitchcock

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com

Internal Net Policies. Part 1


I thought a good start to the "re-invigoration" of this blog would be to post a couple of articles that have been written for other publications. Enjoy...



Internal Network policies

Part 1: File Sharing

Your company has a level of convenience and accessibility once thought to be science fiction. Files can be transferred to the other side of the planet within seconds, and communication is a snap. Even within the past five to ten years, the Internet speeds available in many areas have doubled, tripled or better. But with this convenience, as with anything, comes abuse. Could your network, at this moment, be in use for something other than what you intended?

Does your company have an internal network policy?

A recent national survey of U.S. white-collar workers commissioned by ISACA found that more than one-third (35%) of employees have violated their company’s information technology (IT) policies at least once and that nearly one-sixth (15%) of employees have used peer-to-peer file-sharing at least once at their place of business, opening the door to security breaches and placing sensitive business and personal information at risk. Do you have a policy in effect to prevent this?

What exactly is the risk?

Many file-sharing programs do exactly what the name says: they "share" files. How so? In many popular, easy-to-use file-sharing applications, the initial setup scans the computer for files, primarily media files, and offers them to every other user of that file-sharing network. With that in mind, consider the following scenario:

Bob wants to install a file-sharing program on his computer at work for something relatively harmless: he just wants some music to listen to while he works. The file-sharing application installs without a hitch and Bob is ready to get some music and get productive. But there is a problem. During setup, the application found a few media files to share, one named "widget-demo.avi" and another named "jingle-music.mp3". The real problem is not that it shared your commercial video or your jingle; it is that when the application shares those files it typically shares the entire contents of the folder they sit in. What else could be in that folder? Perhaps "Q4-earnings.xls", "Board_of_Dirs_minutes.doc" or "CompanyFinancial.qbb". You get the point: this can be very dangerous.
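To make the folder-level exposure concrete, here is an added audit script (not part of the original article, and not the code of any particular file-sharing product) that models the behaviour described above: it walks a directory tree, marks every folder that contains a media file as "shared", and then lists the non-media files that would ride along. The directory layout it builds is constructed for the demonstration, and the media and sensitive extension lists are assumptions you would tune to your own environment.

```python
"""
Audit what an auto-sharing file-sharing client would expose.

Added example, not code from the original article or from any P2P product.
The model: the client scans for media files, then shares the whole folder
each media file lives in. The demo directory tree is constructed below;
the extension sets are assumptions, not any product's real settings.
"""
import os
import tempfile
from pathlib import Path

# Extensions an auto-share scan is assumed to treat as "media" (assumption).
MEDIA_EXTENSIONS = {".mp3", ".avi", ".mp4", ".wav", ".mov", ".jpg"}

# Extensions that almost certainly hold business data (assumption).
SENSITIVE_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".qbb", ".pdf", ".csv"}


def shared_folders(root):
    """Return the set of folders the scan would share: every directory
    under root that contains at least one media file."""
    shared = set()
    for dirpath, _dirs, files in os.walk(root):
        if any(Path(f).suffix.lower() in MEDIA_EXTENSIONS for f in files):
            shared.add(Path(dirpath))
    return shared


def exposed_files(root):
    """Return {folder: [non-media file names]} that would be shared along
    with the media. Only files in the same folder are listed, matching the
    folder-level sharing the article describes (subfolders are not assumed
    to be shared)."""
    report = {}
    for folder in shared_folders(root):
        collateral = sorted(
            p.name for p in folder.iterdir()
            if p.is_file() and p.suffix.lower() not in MEDIA_EXTENSIONS
        )
        if collateral:
            report[folder] = collateral
    return report


def audit(root):
    """Return (exposure report, sorted list of sensitive file names exposed)."""
    report = exposed_files(root)
    sensitive = sorted(
        name for files in report.values() for name in files
        if Path(name).suffix.lower() in SENSITIVE_EXTENSIONS
    )
    return report, sensitive


def build_demo_tree():
    """Create a constructed directory tree mirroring Bob's scenario:
    a Marketing folder with media next to financial documents, and a
    Finance folder with no media at all."""
    root = Path(tempfile.mkdtemp(prefix="p2p-audit-"))
    marketing = root / "Marketing"
    finance = root / "Finance"
    marketing.mkdir()
    finance.mkdir()
    for name in ("widget-demo.avi", "jingle-music.mp3", "Q4-earnings.xls",
                 "Board_of_Dirs_minutes.doc", "CompanyFinancial.qbb"):
        (marketing / name).write_text("constructed sample content")
    # No media here, so this folder would not be picked up by the scan.
    (finance / "payroll.xlsx").write_text("constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    exposure, sensitive_hits = audit(demo_root)
    for folder, files in exposure.items():
        print(f"{folder} would be shared; also exposes: {', '.join(files)}")
    print("Sensitive files exposed:", sensitive_hits)
```

Run it against a real user profile or a file server share root instead of the constructed tree and the report tells you, before anyone installs a client, which folders mix media with business documents and therefore need to be separated or excluded.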

Conclusion

File sharing is very useful in some aspects of legitimate business. But accidental exposure is only one of the security risks of allowing a file-sharing application to be installed on a client machine that nobody is monitoring. Most peer-to-peer clients are built to work through firewalls: they make outbound connections on arbitrary or commonly allowed ports, and many will use UPnP to open inbound ports on the gateway for you. A perimeter firewall that only blocks inbound traffic will therefore not stop them, which undermines the steps and investments you may have made to stop network attacks unless egress filtering and application-level controls are in place as well.

This is one of the many parts of a full network policy that your company should have. In upcoming articles we will discuss other aspects of a network policy and how to enforce these without restricting productivity.

Nick Hitchcock,

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com