Tech on Tech

25 More Tech Tips and Tricks by David Pogue

David Pogue is at it again and we would be remiss not to listen.

Enjoy!

Easy Steps to Improve Your PC's Performance

This article is from AOL and does recommend some AOL products; however, the majority of the content is informative - and easily overlooked!

Easy Steps to Improve Your PC's Performance

OWASP Top 10 - #1 - Cross Site Scripting (XSS)

In another post, I said I would talk about the OWASP Top 10, which is a list of the 10 most dangerous current Web application security flaws. This list, interestingly, is built into both the PCI DSS standard as well as Shared Assessments.

#1 on the OWASP Top 10 is Cross Site Scripting (XSS), which, per OWASP is:

whenever an application takes user supplied data and sends it to a web
browser without first validating or encoding that content. XSS allows
attackers to execute script in the victim's browser which can hijack
user sessions, deface web sites, possibly introduce worms, etc.

For more information on XSS, check out this nice FAQ.

In the next post we will cover #2 on the Top 10.

DID YOU KNOW? Shared Assessments' Application Vulnerability Assessment actually contains 11 attributes. Can you name #11?

Cisco Tip: ip default-gateway

The ip default-gateway command is used when you need to configure a default router and IP routing is either disabled or not available (on the 2960, for example).

Aside from looking through the configuration (show run | inc default-gateway), how can you check to see that your default router has indeed been configured?

Use the show ip redirects command to see your just configured default router. Give it a try!

What is the best method for baselining your control environment?

CobiT combined with ITIL and ISO27001/2? CobiT in combination with another standard?

What are your thoughts?

Using 1Password & RoboForm can keep you safe.....cont'd

If you need further convincing about the importance of good password management, check out this recent article.

After reading this article and the Newsweek article mentioned here, it is no small wonder that 1Password is the solution to this over 30-year-old problem.

Securing your password.....and your wallet! (Using 1Password & RoboForm can keep you safe)

What do you think of when you think of security? Still thinking, right? Exactly. No surprise, then, that functionality and utility have taken the front seat when it comes to application development. Today, however, with the rampant spread of cross site scripting and sql injection attacks, not to mention the already inescapable viruses and malware that live and breathe on anything running Windows, things are starting to change.

One of the most important facets of security is your password - the key to the castle. Newsweek just came out with a great article on building a better password. But, for my money - and that's what we are really trying to protect a lot of the time when we are online - there is no better solution than 1Password. For those of you still in the unfortunate position of having to use a PC (and that is how I look at it), you can turn to a good solution like RoboForm. But, for those in the know, we use a RoboForm for the Mac, if you will.

I have written about 1Password before, so will let you read my other posts to find out about it. My point in this post is that if you want to be secure online you need to have good (at a minimum) password management. By this, I am talking about a password that is not easily going to be hacked by a brute-force attack - something not easily guessed. With 1Password, you get all of this. And, further, 1Password automatically fills all of your forms for you.

I will be writing more about security soon, but you can find out more about how to secure your Mac now with 1Password here.

Locking Down Your Switch.....Cont'd

I have been talking here and here of the importance of locking down your switch (indeed your network in general) and why this is so important. It seems to me that the most basic controls are often the most overlooked. It is not surprising that most best practices call for basic network physical security and, on the same note, it is not surprising that basic security is often overlooked.

Looking through PCI DSS, for example, you will see a requirement both for WAFs (Web Application Firewalls), which operate at Layer 7, and for restricting physcial access at OSI Layer 1. Indeed, it doesn't make sense to put 3 deadbolts on the front door if the back door or a window is still open.

Shared Assessments is a member-driven industry standard used to "inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process." This standard also requires that physical ports be locked down (disabled) as referenced in:

I.3 Secure System Hardening Standards: Unnecessary physical access ports disabled or removed.

On another note (and I will discuss in another post), it is interesting to note that both PCI DSS and Shared Assessments include OWASP Top 10 as requirements.

Cybersecurity Act of 2009

The Cybersecurity Act of 2009 is something to keep your eye on.

Here 's what you need to know.

MasterCard's Security Changes and its impact on PCI Compliance

Over the past few months, MasterCard has made some major security changes that, seemingly, will impact PCI compliance now and in the future for quite a number of businesses.

First, MasterCard advised all Level 2 merchants (those processing between 1 - 6 million payments cards annually) that Self-Assessment questionnaires would no longer be sufficient for compliance; thus, Level 2 merchants would now be required to have a third-party perform an on-site assessment. This new change "can cost $10,000 - $30,000 per year for a merchant already PCI-compliant and more for a retailer meeting the standard for the first time."

Not too surprisingly, merchants are looking for alternative payment methods (i.e. PayPal) in order to reduce the number of card transactions.

MasterCard, with their second big security change, has decided to disallow merchants' use of RKI (remote key injection) services to install new encryption keys on POS systems. This new rule by MasterCard jeopardizes the on-going Triple DES compliance efforts for all POS terminals: merchants have until July 2010 to upgrade their POS terminals from DES to Triple DES. If this upgrade now has to be done manually, as opposed to automatically with RKI, it could make meeting the July 2010 deadline quite difficult for businesses with a large number of POS terminals.

More on Locking Down Your Switch.....

In my last post I talked about the importance of locking down (disabling) physical access on your network switches to only those with authorized access. I discussed how, along with being a best practice, it is also a requirement of such standards as PCI DSS and ISACA.

Let's add another standard to that list today and that's NERC. Indeed, NERC CIP 007-1: R2 states that "The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled."

More to come.....

Lock Down Your Switch, or Else!

Locking down your switch is one of the most important steps to do (for the network engineer) or verify (for the IT auditor). Indeed, restricting physical access to your network to only those authorized is paramount. Further, it is a requirement of PCI DSS (9.1.2. Restrict physical access to publicly accessible network jacks) and ISACA (P8 Security Assessment—Penetration Testing and Vulnerability Analysis - 6.1 Rogue Access Jacks)

Looking at this from both an operational and assurance mindset, it is equally important to ensure physical access control. But, as I am sure you are aware, importance is relative. How often is PCI DSS 9.1.2 given a checkmark for compliance on either your Self-Assessment Questionnaire or on-site assessment?

From an audit, and even an engineering perspective, it is really a best practice to lock down your switches and disable any ports not in use, especially those going to areas where people may have easy, unattended access to the network.

Of course, for those in site support who may have to set up new user connections, it is quite cumbersome if the ports they need to plug their patch cables into are disabled. Indeed, instead of patching their cable and being on their merry way they now need to create that dreaded change request!

When you are on the operational side - and are feeling the pain - it is hard to see the merit of going through these processes. But, when you realize that there is a reason why the change request asks for business impact and, in many cases, will need business approval you start to see a pattern. The work we do is not in a vacuum - it supports the business. To that end, we need to be cognizant of what we are doing and what the risks are to the business.

So, the next time you need to patch in a new user and the port is disabled. Don't get mad (and, please, don't get even!) - just be glad that someone out there is doing what he/she can to keep your business secure. Now it is your turn.

SAS 70 vs. ISAE 3402

This article from PWC touches on some of the key differences. One of note is that service organization management are now required to provide a formal assertion acknowledging responsibility for their controls.

More to come.....

More thoughts on PCI DSS

Network Solutions, whose recent security breach exposed almost 600,000 cardholders, said "We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant." Here again is another example of the mindset to which I referred in my last post: PCI compliance does not equal security.

If PCI compliance doesn't equal security, does it equal culpability? Indeed, Heartland's CEO blamed the PCI QSA for the breach. Interestingly, Nevada in June passed a law that mandated PCI compliance for businesses that accept payment cards and provides that compliance will shield such businesses from liability for damages from a security breach.

As the breaches continue, let's recall Visa's statement after Heartland:

PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. [emphasis added]

Good to know.

Thoughts on PCI DSS

Of the Ten Common Myths of PCI DSS, Myth 4 is surely the one most in need of debunking. Indeed, PCI compliance in and of itself will not make you secure. If an organization is to ensure compliance AND security, there must be a "continuous process of audit and remediation."

As one who has worked in change control, I can appreciate the fact that quite a number of PCI requirements pertain to this area.

Perhaps the most important command you can use on a router is "wri mem" - to save any changes you have made. It is nice to see the importance of this concept (saving your work) memorialized in PCI DSS:

PCI DSS Requirements
1.2.2 Secure and synchronize router configuration files.

Testing Procedures
Verify that router configuration files are secure and synchronized—for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are re-booted), have the same, secure configurations.