Interview with John Chirillo, author of "Hack Attacks Testing: How to Conduct Your Own Security Audit"
by Mirko Zorz - Friday, 4 April 2003.
Using ripple security logic we can begin to identify and dissect the security components of each link in an infrastructure or components of a standalone system; for example, following is a common high-level enterprise ripple itemization with necessary security measures:
  • Workstation - Personal IDS, two-factor authentication, antivirus, and monitoring tools implemented, updated regularly, and configured to adhere to company policies.
  • Internetwork/Subnet - Packet filtering, link encryption, and network monitoring/IDS devices.
  • Server Farm/Backbone - Change control, antivirus, audit logs, monitoring, regularly scheduled updates and backups.
  • Internet Portal - Screened subnet with stateful firewalls and application proxies.
  • Physical Building/Data Center - Intrusion monitoring, two-factor access control via swipe card and PIN, CCTV cameras/monitors, and log books.
  • Extranet/Road Warriors - Callback, strong (two-factor) authentication, and virtual private networking, antivirus, personal firewalls, and IDS.
Once each ripple or link is identified and analyzed, appropriate protection measures and tactics can be employed to provide the necessary access while limiting the exposure. Once these are in place, security and business continuity/disaster recovery policies must be updated and enforced, and internal vs. external security audits should occur at regular intervals.

At the station and SOHO level, although it's not practical to think you can be completely safe from exposure, there are ways to fortify your weakest links against most common threats and mitigate risk to an acceptable level. Be sure to follow these seven golden rules:

1. Use a personal firewall. Personal firewalls typically fortify against many incoming intrusions. Among those most popular and proven are Norton Firewall, McAfee Firewall, BlackICE Defender, and ZoneAlarm Pro.

2. Use antiviral software. Protect your system from downloads and e-mail attachments that contain virii and Trojans with Norton AntiVirus, McAfee VirusScan, or PC-cillin.

3. Use personal intrusion detection software (IDS). Protect your system from hack attacks and malware that gets past your personal firewall and antivirus software. Personal IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise your system. IDS evaluates a suspected intrusion once it has taken place and signals an alarm, and then asks for action or acts. With it you can block an IP address, block a local or remote port, block all, or allow the connection altogether. Every workstation should run products such as TigerGuard IDS and Pest Patrol.

4. Don't take candy from strangers. Defend your right to privacy with a good cookie manager, such as McAfee Internet Guard Dog or Norton Internet Security.

5. Encrypt sensitive data. Don't even think about transmitting sensitive information without using encryption software. Among those most user-friendly is PGP.

6. Update habitually. It's important to follow a patch implementation schedule for your operating and protective software, to keep you abreast of vulnerabilities and advisories, with alleviations, each week.

7. Just say "No!" It's none of their business--don't ever reveal personal information such as your passwords, credit card limits, home address, birth date, driver's license and social security numbers.
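Rule 3 describes what a personal IDS does: inspect inbound and outbound connections, flag suspicious patterns, raise an alarm, and then offer to block the IP, block a port, block everything, or allow the connection. The following is an added illustration of that loop, not code from the book, the interview, or any of the products named above. It runs over a constructed connection log, detects two constructed patterns (an inbound port sweep from one remote address, and an outbound connection to a remote port on a constructed "known-bad" list), and turns the analyst's chosen response into a host firewall rule. The thresholds, port list, and log entries are all assumptions chosen for the example.

```python
"""Toy personal IDS: flag suspicious connection patterns in a host's
connection log and translate the analyst's response into a block rule.
Added example; thresholds, log lines and the known-bad port set are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: (epoch seconds, direction, remote IP,
# local port, remote port). Addresses are documentation ranges.
SAMPLE_LOG = [
    (1000, "in",  "203.0.113.7",  21,  40001),
    (1001, "in",  "203.0.113.7",  22,  40002),
    (1002, "in",  "203.0.113.7",  23,  40003),
    (1003, "in",  "203.0.113.7",  25,  40004),
    (1004, "in",  "203.0.113.7",  80,  40005),
    (1005, "in",  "198.51.100.9", 443, 51000),   # normal: one service, one port
    (1008, "in",  "198.51.100.9", 443, 51001),
    (1009, "out", "192.0.2.10",   52000, 443),   # normal outbound HTTPS
    (1010, "out", "192.0.2.5",    52001, 6667),  # outbound to a "known-bad" port
]

SCAN_WINDOW = 10        # seconds (assumption)
SCAN_MIN_PORTS = 5      # distinct local ports in the window (assumption)
SUSPICIOUS_REMOTE_PORTS = {6667, 31337}  # constructed known-bad list


@dataclass
class Alert:
    rule: str
    remote_ip: str
    ports: list     # local ports (port scan) or remote ports (outbound)
    detail: str


def detect_port_scans(log, window=SCAN_WINDOW, min_ports=SCAN_MIN_PORTS):
    """One remote IP touching >= min_ports distinct local ports within `window` seconds."""
    alerts = []
    by_ip = defaultdict(list)
    for ts, direction, ip, lport, _rport in sorted(log):
        if direction == "in":
            by_ip[ip].append((ts, lport))
    for ip, events in by_ip.items():
        for i, (t0, _) in enumerate(events):      # slide the window start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append(Alert("port_scan", ip, sorted(ports),
                                    f"{len(ports)} local ports in {window}s"))
                break                              # one alert per source
    return alerts


def detect_suspicious_outbound(log, bad_ports=SUSPICIOUS_REMOTE_PORTS):
    """Outbound connections to remote ports on the constructed known-bad list."""
    return [Alert("suspicious_outbound", ip, [rport], f"outbound to remote port {rport}")
            for _ts, direction, ip, _lport, rport in sorted(log)
            if direction == "out" and rport in bad_ports]


def analyze(log):
    """Run every detector; this is the 'signal an alarm' step."""
    return detect_port_scans(log) + detect_suspicious_outbound(log)


def make_rule(alert, choice):
    """Translate the analyst's response into a host firewall rule (None = allow).
    A field of None means 'any'; an empty rule with action=deny blocks all."""
    if choice == "allow":
        return None
    rule = {"action": "deny", "remote_ip": None, "local_port": None, "remote_port": None}
    if choice == "block_ip":
        rule["remote_ip"] = alert.remote_ip
    elif choice == "block_local_port":
        rule["local_port"] = list(alert.ports)
    elif choice == "block_remote_port":
        rule["remote_port"] = list(alert.ports)
    elif choice != "block_all":
        raise ValueError(f"unknown response: {choice}")
    return rule


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"ALERT {a.rule} from {a.remote_ip}: {a.detail}")
        print("  block_ip ->", make_rule(a, "block_ip"))
```

The port-scan detector uses a sliding window so that a slow sweep of five ports spread over a minute is not flagged while a burst within ten seconds is; tune `SCAN_WINDOW` and `SCAN_MIN_PORTS` to the host's normal traffic before relying on it, since a legitimate management tool probing several services can look identical.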

What do you think about the full disclosure of vulnerabilities?

Bearing in mind the pros and cons of the complete details of security vulnerabilities being made public, I personally consent to full disclosure with restrictions. I believe doing so would increase the general level of awareness, compel companies to take risk mitigation more seriously, strengthen the power of security tools, and force vendors to release patches and safeguards more rapidly.

With that said I feel restrictions including the following should apply: the vendor should be first notified, vulnerabilities should be accurately and fully disclosed at appropriate websites and published in monthly periodicals, and a principal consortium should be formed to test and release testing tools in an open source forum.
