Thursday, June 28, 2007

Evaluating Anti-Virus Programs

All anti-virus programs are not the same and making purchasing decisions based on opinions (not facts) could put you at risk.

So which anti-virus (AV) program is best for you? It really depends on who you talk to, but should it? Ever since the advent of anti-virus, debates have raged as to which program is best and most of the time you get plenty of subjective opinions. We all have our opinions, but believe it or not there is significant science to the evaluation of anti-virus programs.

NOTE: This article is written with desktop and server anti-virus in mind. Enterprise management i.e. McAfee ePO, Symantec Corporate Edition, et al. is outside of the scope of this article.

The Science
The science of evaluating anti-virus programs is based on two main criteria: features and effectiveness.

The anti-virus software market is more competitive than it has ever been. Some vendors offer a plethora of features in their offerings to attract more customers. Most people don’t even know what some of these features are or what they do, but there are some features that are important to look for during an evaluation of anti-virus programs.

OS Support
Does the anti-virus program fully support the operating system it is intended to run on? Sounds obvious, doesn't it? It does, but take Windows Vista for instance. Has the anti-virus program been designed for Windows Vista, and has it been tested and/or certified on that platform?

Automatic Updates
Can updates be downloaded manually and/or automatically?

Most people have better things to do than to make sure that anti-virus programs are updated regularly. This is a “must have” for a good anti-virus program. An added benefit is configurable automatic updates, allowing updates on a specific schedule.

On-Access Scanning
This is another critical feature. The on-access scan engine needs to start as early in the boot process as possible and files must be checked the instant there is any interaction with them.

On-Demand Scan
Is there an option to conduct a “deep scan” of files, folders, or drives when needed? All good anti-virus programs have this feature, but it is important to mention it as a requirement anyway. It is also important that the anti-virus program allows for the scanning of removable media and network drives.

Heuristics
‘Heuristics’ describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. Anti-virus programs that rely solely on signatures of known viruses are ineffective against many new viruses. In order for an anti-virus program to be trusted in my environment it must have the ability to detect viruses that are not yet known to the signature engine.

Scan scheduling
Much like automatic updates, most users typically forget to scan their computer on a regular basis.

Email scanning
Does the anti-virus program have the ability to scan inbound and outbound email? Does the anti-virus program have some controls built-in to prohibit mass-mailing? Email scanning becomes less important if it is certain that the email gateway has a properly installed and configured anti-virus solution, but it is always nice to have added layers of defense.

Reporting
Reporting is usually more important to technical and security personnel than it is to the typical user. The more reporting options the better. I conduct many information security audits and forensic investigations and enjoy the added benefit of detailed reports.

It is also important to consider what warnings are given to users by the anti-virus program. Are there warnings displayed if there are errors, scans have not been run in X number of days, the program has not been updated in X number of days, etc.

Effectiveness
What makes an anti-virus program “effective”? The criteria most often used are detection and cleaning rates measured as a function of time*.

*All good anti-virus programs will “eventually” detect and clean a virus. Measuring over time indicates how effective the program is against newer viruses.

Testing the effectiveness of anti-virus programs can be cumbersome and very work intensive. It is a good idea to rely on independent lab reports and certifications conducted by companies and people who specialize in testing anti-virus products. The two that I refer to most often are ICSA Labs and the Austrian anti-virus experts at AV-comparatives.

ICSA Labs
In order for an anti-virus program to be “ICSA Certified” it must meet certain fairly rigorous criteria.

The list of certified anti-virus products and the certification criteria can both be found on the ICSA Labs site.

ICSA Labs does a very good job of testing anti-virus (and other) products. ICSA is a benchmark and lends credibility to the products it tests, but it should not be relied upon as the sole authority for anti-virus effectiveness testing. There are a variety of reasons why you may not see the anti-virus product you use on the list, and a product that is certified may not necessarily be better than a product that is not.

AV-comparatives
These Austrians know a thing or two about viruses and anti-virus software! If an anti-virus program was not found at ICSA Labs, it might be found here. The tests from AV-comparatives are very comprehensive and the reporting is excellent.

It is important to gather facts when evaluating technical solutions, and anti-virus should be no exception. Before spending money on something someone told you was the best, do a little digging yourself. Create a checklist containing the evaluation criteria that are important to you and use it to evaluate the candidate anti-virus programs. If you would like a copy of the checklist I use in my evaluations, send me a note.

Thursday, June 21, 2007

Active Directory Account Auditing 101

How many login accounts do you have? What accounts should be disabled or deleted? What accounts are disabled, expired, locked, etc.? Which accounts have no password expiration (an “override”), meaning they are never forced to change their password? How many accounts are in compliance with your policy? You have a policy, right?

In most Microsoft Windows (Active Directory) environments accounts and passwords are everything. Most companies aren’t using biometrics, smart cards, etc. so an account and password become the “keys to the kingdom”. I am going to show you how to do a cursory audit, answer the questions above, and do it in 30 minutes or less. Best of all, this is free!

NOTE: This article is not written to be instructions for a comprehensive account audit nor is it written to audit individual password strength.

To begin you need a policy. Without policy, information security initiatives are likely doomed. In many organizations the policy that correlates most closely with this audit is Password Policy. Your policy (and/or supporting standards) should specify the rules for login account passwords. You may also have supporting policies such as a privilege user policy or account termination policy.

NOTE: If you do not have explicit consent (hopefully written) to conduct an audit of an organization’s information assets, get it BEFORE proceeding.

The Audit
I use free tools regularly for audits, penetration testing, etc. Why write a tool if someone has already made one for you?

Before beginning an audit, define what you plan on using it for. Do you have a SOX auditor breathing down your neck (most SOX auditors want a list of login accounts with password age)? Do you want the audit as FYI material? Do you plan to use the audit to initiate subsequent policy non-compliance remediation efforts? Most of the audits I conduct are used as part of an ongoing information security lifecycle. Typically, I will audit accounts on a semi-annual basis.

Anyway, let’s begin.

The Tool:
We need a tool that will enumerate the accounts and provide us with the information we seek. My old and trusty tool of choice is UserDump.exe written by Joe Richards. The step-by-step:

1. Visit Joe’s site at and download the tool.

NOTE: Your email address is OPTIONAL. When I am given the option, I opt not.

For the sake of this exercise, let’s download the file to C:\Tools\UserInfo\UserDump.

2. De-compress (“un-zip”).

3. Open command prompt and change the directory so that you are able to run userdump.exe from the command line.

4. Type the following (without quotes), replace %dcnameorIP% with the IP address or name of an Active Directory domain controller:

“userdump %dcnameorIP% > dcusers.txt”

5. After userdump has completed, you should have a tab-delimited text file in the directory that you ran it in.

6. Open Excel. Click File-->Open and locate the newly created dcusers.txt file. You will need to change the “Files of type:” option to “Text Files” in order to see it in the Open dialog box.

7. After you select the file, the Text Import Wizard dialog box will appear. Make sure that “Delimited” is chosen and not “Fixed width”, and click Finish.

8. Voila! Your audit is complete. Now maybe this one calls for some remediation.
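Excel is fine for eyeballing the dump, but the questions at the top of this post can be answered mechanically once the tab-delimited file exists. The script below is an added example, not something from the original post or from UserDump's author: it reads a dump with an assumed header row (samAccountName, userAccountControl, pwdLastSet, accountExpires, lockoutTime; real UserDump column names may differ, so adjust them to your file), checks the userAccountControl bits that Active Directory actually uses for "disabled" and "password never expires", and flags accounts whose password is older than your policy allows. The sample rows are constructed, not real accounts.

```python
"""Added example: audit a tab-delimited account dump against a password policy."""
import csv
import io
from datetime import date

# Real userAccountControl bit values defined by Active Directory
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample dump. The column names are an ASSUMPTION about the tool's
# output (adjust to match your own dcusers.txt); dates are ISO YYYY-MM-DD or
# empty. A real dump may carry 0 or a FILETIME in lockoutTime; anything that is
# not a date is treated as "not locked" by parse_date() below.
SAMPLE_DUMP = (
    "samAccountName\tuserAccountControl\tpwdLastSet\taccountExpires\tlockoutTime\n"
    "jsmith\t512\t2007-05-01\t\t\n"
    "svc_backup\t66048\t2004-11-12\t\t\n"
    "contractor1\t512\t2006-12-20\t2007-01-31\t\n"
    "oldadmin\t514\t2006-01-15\t\t\n"
    "tempuser\t512\t2006-12-01\t\t2007-06-20\n"
    "newhire\t512\t\t\t\n"
)


def parse_date(value):
    """Parse YYYY-MM-DD; empty or unparseable values mean 'not set'."""
    value = (value or "").strip()
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def audit_accounts(dump_text, today, max_password_age_days):
    """Bucket every account into the categories the post asks about."""
    findings = {
        "total": 0,
        "disabled": [],
        "expired": [],
        "locked": [],
        "never_expires": [],
        "stale_password": [],
        "password_never_set": [],
    }
    for row in csv.DictReader(io.StringIO(dump_text), delimiter="\t"):
        name = row["samAccountName"]
        uac = int(row.get("userAccountControl") or 0)
        findings["total"] += 1

        disabled = bool(uac & ACCOUNTDISABLE)
        expires = parse_date(row.get("accountExpires"))
        expired = expires is not None and expires < today
        if disabled:
            findings["disabled"].append(name)
        if expired:
            findings["expired"].append(name)
        if parse_date(row.get("lockoutTime")) is not None:
            findings["locked"].append(name)
        if uac & DONT_EXPIRE_PASSWORD:
            findings["never_expires"].append(name)

        # Password age only matters for accounts that can still log in
        if disabled or expired:
            continue
        last_set = parse_date(row.get("pwdLastSet"))
        if last_set is None:
            findings["password_never_set"].append(name)
        elif (today - last_set).days > max_password_age_days:
            findings["stale_password"].append(name)
    return findings


def summarize(findings):
    """Plain-text summary suitable for pasting into an audit report."""
    lines = [f"Accounts: {findings['total']}"]
    for key in ("disabled", "expired", "locked", "never_expires",
                "stale_password", "password_never_set"):
        lines.append(f"{key}: {len(findings[key])} {sorted(findings[key])}")
    return "\n".join(lines)


def audit_sample():
    """Run the audit over the constructed dump as of 2007-06-21, 90-day policy."""
    return audit_accounts(SAMPLE_DUMP, date(2007, 6, 21), max_password_age_days=90)


if __name__ == "__main__":
    print(summarize(audit_sample()))
```

Accounts that are disabled or already expired are skipped for the password-age check on purpose: they cannot log in, so listing them as "stale" only pads the remediation list. A service account with the never-expires bit set still gets its age checked, because that is exactly the override the policy question is about.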

The audit conducted in this article should give you answers to the questions we posed at the start. In this audit there were 952 accounts, of which 712 were login accounts. There were numerous password age and no password expiration policy violations as well as accounts that were thought to have been disabled and/or expired that were not.

In a simple exercise lasting no more than 30 minutes, we were able to gather good information. Through remediation we should be able to significantly reduce the risk of unauthorized disclosure, modification and/or destruction to this company’s information assets.


Wednesday, June 13, 2007

The Trusted Toolkit June Newsletter

Quick Post...

Get The Trusted Toolkit's June 2007 Newsletter here:

The Trusted Toolkit newsletter is a monthly publication that we make available FREE of charge to customers and non-customers alike.

If you would like to receive our newsletters automatically via email, please visit and sign-up!

Enjoy!

Monday, June 11, 2007

5 Essentials for CISO Success

Being a CISO ain’t that easy nowadays. Actually, I am not sure if it ever was. Besides the obvious attributes of a good employee; honesty, integrity, confidence, good staffing, etc., what makes a good CISO and what makes a great CISO?

Through conversations with other security professionals and my own observations, I noticed five essentials that great CISOs consistently do well.

DISCLAIMER: In case you thought otherwise, information security is a holistic discipline and this article is not intended to be all-inclusive. To do so would require volumes of books and experience.

Essential # 1: If you want someone to buy, you need to sell
This is always a challenge for me as deep down I am an introvert. I would be fine if all I had to do was work at my computer all day long, but I would make a much better analyst than I would a CISO. CISOs need to be visible and sell the programs they sponsor. CISOs need to sell everyone from the CEO to the backroom mail worker on how information security can help them conduct business better. People will buy into the concepts and ideas that make sense to them so spend time explaining how security benefits all stakeholders in the company.

My action item:
Each day I make it a point to talk to someone I have not talked to before in the company. Usually during casual conversations I find the opportunity to evangelize.

Essential #2: Align security initiatives with the business objectives
This seems simple enough, but unless a CISO actively seeks an understanding of the business's goals and objectives, they will not be known to him/her. Be careful not to make strategic decisions based on assumptions.

Too often security is viewed as a barrier to conducting business with no tangible benefits. As much as it is my job to protect the company’s information assets, it is equally my job to ensure that security does not get in the way of business and where possible enables it.

My action item:
Actively seek an understanding of the company I work for as each opportunity presents itself. Volunteer for committees, attend meetings on time, and ask questions regularly. When I ask questions I ask them in a manner that conveys my desire to understand and help.

Essential #3: Compliance is not the “end all”
Obviously compliance is very important and all companies face some type of regulation, rule, guidance, or law that they have to contend with in relation to the management of information. I have always viewed compliance as the things that a governing body makes us do because we were not doing the right things to begin with. If companies had adequately protected sensitive information all along, we would have much less red tape to deal with today.

The security program I am responsible for is not designed specifically for compliance but is built specifically for the business. If the security program I manage is managed well, then compliance will be mostly automatic. During audits, answer what is asked and provide what is requested, nothing more and nothing less. If there are deficiencies, attend to them and ask why it was not already designed into the program.

Essential #4: Train, inform, remind and reward
The importance of this cannot be overstated, yet in most companies it has been underestimated for a long time. How can you expect the users in your company to abide by the rules dictated in policy if they are unaware of the rules and/or do not know how to apply them to their work? In order for users to understand, they must be trained. In order for users to develop good habits, they must be consistently reminded. In order for users to care, they must be rewarded.

Believe it or not users believe they have more important things to think about than information security and in many cases they are right.

My action item
Create an information security training and awareness policy and obtain the approval of business executives. Develop an effective information security training and awareness program. Involve business unit leaders in the process of training and awareness program development.

Essential #5: Information will inevitably be compromised, detect and respond
Business information WILL be compromised through unauthorized disclosure, alteration, or destruction. This is an absolute fact. Prepare for detection and appropriate response.

My action items
Develop standards for various detection mechanisms and logging facilities throughout the organization. Detection and logging should overlap and be redundant in design and implementation. Develop incident response policy and procedures, then test them regularly.

These tips should only complement what is already being done by an effective CISO. Wouldn’t it be nice if it were all this simple?

Thursday, June 7, 2007

Password on a Post-It Note

Sheesh! This is the song that never ends, it just goes on and on my friends...

I don’t think anything in this business torques this ISO more than a user that blatantly writes their password on a Post-It note and prominently displays it somewhere around their workstation. I could preach this until I am blue in the face, but people are people.

I bring this up again and again, but this week I encountered a couple of things that got my blood boiling again on this very topic.

The Survey
Early this week I was reading a recent survey from Cyber-Ark, an authentication management company. Obviously the section in the article titled “Post-It Notes: The IT Favorite for Storing Passwords” caught my eye immediately. The IT favorite? You have to be kidding me.

“It seems that very little changes year over year - more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently. What's shocking about this year's annual survey was that the 50% number now applies to IT Professionals as well! More than half of respondents admitted to using Post-It notes to store administrative passwords, the super-powerful codes pre-built into every system such as the Administrator ID on your local workstation.” - Survey Reveals Scandal of Snooping IT Staff, 5/30/07 Cyber-Ark

50% of IT Professionals admitted that they store passwords (or have) on a Post-It note! How many do and didn’t admit it? Should I be surprised? I have to admit that I was a little taken aback.

An Incident
The same day I read the article mentioned above, I received a phone call from one of our IT staff in one of our offices. He was calling me to report a suspected incident that may have happened over the weekend. A computer was logged into after-hours and used to commit acts that are against our policy. I will leave it at that.

When I receive a call about a potential incident, I begin the incident response process and an investigation. During the course of this investigation it quickly became evident that I would not be able to prove who did what during the time in question. For one, all of the people who use(d) the computer in question use a shared account (another separate no-no, out of the scope of this article), and two, the shared username and password were written on a Post-It note next to the computer.

Physical security i.e. access card controls, CCTV, etc. aside; there is little that can be done to hold anyone accountable for the actions that took place during this incident.

Essentially, case closed with many possible ramifications.

What to do? Policy, Education, and Enforcement
If you do not have a password policy, you need one. In your password policy it must be clearly stated (simple terms) what actions are acceptable and what are not in regards to password creation, usage, re-use and destruction. Your policy must be endorsed by executive management of your company if you have any hope to educate your users and enforce with action.

If I have learned one thing in security, it is that the value of training and awareness cannot be overstated. People are creatures of habit. People with bad habits need to learn good ones. The only way people learn good habits is through constant, consistent training and reinforcement. Your training and awareness program should constantly remind people what you have written in policy, with real-world examples of how it applies to them.

Enforce your policy. Your password policy should be viewed as management’s expectations of acceptable behavior from your users. If management has truly endorsed your password policy, they should expect you to enforce it as well. Enforcement can range from a friendly reminder to termination, depending on the nature of the offense. No matter which method you attempt to use to enforce your policy, be consistent and include your human resources and legal department as necessary.

Keep in mind that policy, education and enforcement all go “hand-in-hand”. If you are lacking in one, the others will suffer.

Abdul has sent me an e-card!

My good friend Abdul sent me an e-card yesterday afternoon. It's good to hear from him again.

Seriously now, sp/cammers are very creative. This is the first spam email I have received that used a legitimate e-card and photo sharing site as a delivery vehicle. You have to give these guys some credit. They are very creative in the methods they use in attempting to evade standard spam filtering techniques.

How it works
This is a new twist on a newer technique used by sp/cammers. It’s image spam in a way, but a little different. I’ll call it e-card spam for lack of a better term. Anyway, here is the story; I received Abdul’s e-card in my gmail account.

As you can see from the screen-shot, gmail and most respectable email clients nowadays automatically block images in emails from untrusted sources. This is not a big deal to sp/cammers though as they are interested in getting the email to your inbox then using motivating statements and phrases to get victims to act. Let’s say for a minute that I am one of those people.

I allow the image to be displayed in the email by clicking the “Display images below” link in gmail.

Oh! I see. Abdul wants to give me a large sum of money! This must be my lucky day.

Actually, most of us have seen emails with similar text. We know it’s a scam (I hope!). These scams must be working though, otherwise the sp/cammers wouldn’t continue to send the emails and devote the time to finding new filter-evasion techniques. Clicking on the image in the email brings me to Abdul’s e-card.

NOTE: I do not advise clicking links in emails unless you are absolutely sure you know where it leads first!

The email and techniques used in the spam email are not earth shattering by any means, but there are some important topics to note.

1. These “official” attorney letters promising big payouts from their client’s estates et al must still be luring victims. This is sad.

2. The technique used to get the spam to my inbox was a little different than most I see, i.e. using a public photo sharing site as the host of the image.

3. More than likely the sp/cammers lose the ability to track my actions in clicking the image which is different than if they were hosting the image on their own sites. They are willing to forego this information.

4. You can block this spam easily by clicking the “To stop receiving photos and videos from all Ringo members, click here.” link. This would work for Ringo-originated e-card spam anyway.

NOTE: I do not advise clicking links in emails unless you are absolutely sure you know where it leads first!

5. Review of the email header provides some interesting information (they always do!). This email was in fact sent through Ringo’s systems. Ringo uses Habeas as an email accreditor which makes it much easier for the sp/cammer to get the email to you and me!

6. The bottom of the email includes a warning from Ringo in 7.5pt font; “Ringo advisory - Avoid scams. Beware of messages that mention sweepstakes, lotteries, money-making offers, work-at-home opportunities, etc.”
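Point 5 is the one worth automating. The message looked like it came from an e-card service, and the Received headers are what confirm or deny that, because each relay prepends its own line on top of whatever the sender wrote. The script below is an added example and not part of the original post: it walks the Received chain of a message, reports whether any relay actually belongs to the domain in the From header, and pulls out the last hop with a public address. The headers are constructed, use documentation IP ranges, and name a made-up service "ecard-provider.example" rather than any real provider.

```python
"""Added example: check an e-mail's relay path against its claimed sender."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message; RFC 5737 documentation addresses, fictional hostnames.
SAMPLE_MESSAGE = (
    "Received: from mx.mail.example (mx.mail.example [192.0.2.10])\n"
    "\tby inbound.example.net with ESMTP id abc123\n"
    "\tfor <me@example.net>; Sat, 2 Jun 2007 10:15:02 -0700\n"
    "Received: from outbound.ecard-provider.example "
    "(outbound.ecard-provider.example [198.51.100.7])\n"
    "\tby mx.mail.example with ESMTP id def456;\n"
    "\tSat, 2 Jun 2007 10:15:01 -0700\n"
    "Received: from webapp01.ecard-provider.example (localhost [127.0.0.1])\n"
    "\tby outbound.ecard-provider.example with SMTP id ghi789;\n"
    "\tSat, 2 Jun 2007 10:15:00 -0700\n"
    "From: \"Abdul\" <abdul@ecard-provider.example>\n"
    "To: me@example.net\n"
    "Subject: Abdul has sent you an e-card!\n"
    "\n"
    "See your card at ...\n"
)

# "from <host> (<comment>) ... by <host>" is the shape RFC 5321 gives a Received
# clause; the comment usually carries the connecting IP in square brackets.
HOP_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return hops newest-first (the order they appear); the last entry is the
    relay closest to the origin. Malformed Received lines are skipped."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1).lower(),
                     "by": m.group(3).lower(),
                     "ip": ip_match.group(1) if ip_match else None})
    return hops


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def relayed_through(hops, domain):
    """True when some relay in the given domain handled the message itself,
    which is the evidence that the service, not a spoofer, sent it."""
    return any(in_domain(h["by"], domain) for h in hops)


def sender_domain(raw_message):
    _, addr = parseaddr(message_from_string(raw_message)["From"] or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    hops = received_hops(raw_message)
    domain = sender_domain(raw_message)
    # Walk from the origin outward and stop at the first hop with a non-loopback
    # address; internal 127.0.0.1 handoffs tell us nothing about the sender.
    origin = next((h for h in reversed(hops)
                   if h["ip"] and not h["ip"].startswith("127.")), None)
    return {
        "sender_domain": domain,
        "hop_count": len(hops),
        "relayed_through_sender_domain": relayed_through(hops, domain),
        "origin_host": origin["from"] if origin else None,
        "origin_ip": origin["ip"] if origin else None,
    }


def analyze_sample():
    return analyze(SAMPLE_MESSAGE)


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

Only the lines added by your own mail servers (the top of the chain) are trustworthy; anything below the hop your MX received from could have been forged by the sender. That is why the check asks whether a relay in the From domain appears in the chain at all, rather than trusting the bottom-most line on its own, and why the origin search ignores loopback handoffs.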

All-in-all I am not terribly impressed, but I can see potential in sp/cammers enhancing this technique to get more spam past filters and into my inbox. That doesn’t make me happy.

Please comment if you have something to say or shoot me an email.
