Wednesday, November 18, 2009
Data recovery tools
I have been working on a project recently where some important information needed to be recovered from a hard drive. Being a noob to data recovery, I was hitting the web trying to find a free tool that would copy the available information from the drive. I ran across one tool that seemed to do what I needed called dd_rescue. It's a free Linux-based tool that can be added to many flavors of Linux; it does a sector-by-sector duplication of the drive and attempts to copy bad sectors. The only limitation to dd_rescue is that it chokes on bad sectors and will only run sequentially, sector by sector, so when corrupt sectors are present it extends the time of the copy indefinitely. So I found another tool called ddrescue (not to be confused with dd_rescue). This version of the tool will actually skip bad sectors and come back to them once the available sectors have been copied. In my situation most of the needed data didn't exist on the bad sectors, so we were able to collect the data needed. Once this copy is collected, a tool for viewing and extracting the files may also be necessary. Sorry, no free tool suggestions for this part of the process, but I am certain there are some out there. :-)
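As an added example (not part of the original post), here is a small Python script that reads the mapfile GNU ddrescue keeps while it works. Two practical points follow from it: keep the mapfile, because rerunning ddrescue against the same image and mapfile resumes and retries only the blocks that are still unread, and check which blocks the files you actually need occupy before trusting the image. The record layout and the five block statuses are the ones GNU ddrescue documents; the sample mapfile is constructed, and the 0xFF000 extent queried at the end is an assumed file location, not one from the post.

```python
"""Inspect a GNU ddrescue mapfile after an imaging run.

Added example, not code from the original post. It assumes the mapfile
layout GNU ddrescue writes ('pos size status' records after one status
line, statuses ? * / - +); SAMPLE_MAPFILE is constructed, not from a
real recovery.
"""

STATUS_NAMES = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "finished",
}

# Constructed sample: a 2 MiB device with one bad-sector run and one
# region ddrescue had not finished scraping when the run stopped.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue
# Command line: ddrescue -d -r3 /dev/sdb disk.img disk.map
# current_pos  current_status
0x00200000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00001000  -
0x00101000  0x000FE000  +
0x001FF000  0x00000800  /
0x001FF800  0x00000800  +
"""


def parse_mapfile(text):
    """Return [(pos, size, status)] for the block records.

    '#' lines are comments; the first non-comment line is the status
    line (current_pos, current_status[, current_pass]) and is skipped.
    """
    blocks = []
    seen_status_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not seen_status_line:
            seen_status_line = True
            continue
        pos, size, status = line.split()[:3]
        if status not in STATUS_NAMES:
            raise ValueError("unknown block status %r" % status)
        blocks.append((int(pos, 16), int(size, 16), status))
    return blocks


def summarize(blocks):
    """Bytes per status: how much was rescued, how much is still unread."""
    totals = {name: 0 for name in STATUS_NAMES.values()}
    for _pos, size, status in blocks:
        totals[STATUS_NAMES[status]] += size
    return totals


def needs_another_pass(blocks):
    """True while any block is still non-tried, non-trimmed or non-scraped;
    rerunning ddrescue with the same mapfile resumes exactly there."""
    return any(status in "?*/" for _pos, _size, status in blocks)


def extent_is_rescued(blocks, offset, length):
    """True if byte range [offset, offset+length) is covered only by '+'
    blocks. Feed it the extents of the files you need (taken from the
    filesystem on the image, not from the failing drive) before trusting
    them. Mapfile records are sorted and contiguous; this relies on that.
    """
    end = offset + length
    covered_to = offset
    for pos, size, status in blocks:
        if pos + size <= covered_to or pos >= end:
            continue
        if pos > covered_to or status != "+":
            return False
        covered_to = min(pos + size, end)
        if covered_to >= end:
            return True
    return covered_to >= end


if __name__ == "__main__":
    blocks = parse_mapfile(SAMPLE_MAPFILE)
    for name, total in summarize(blocks).items():
        print("%-12s %10d bytes" % (name, total))
    print("another pass needed:", needs_another_pass(blocks))
    print("file at 0xFF000 (8 KiB) intact:", extent_is_rescued(blocks, 0xFF000, 0x2000))
```

Point the script at the mapfile from the real run, work only from the image (mount it read-only over a loop device), and treat any file whose extent reports False as suspect even if the filesystem lists it normally.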
Thursday, October 29, 2009
Update - Defense in Depth Protection using a Data-centric Model
Start aligning your security strategy to better protect your organization's most critical asset - data.
While many security proponents lean toward an outside-in strategy - protect every computer in the company from the outside world first - we really need to understand that the data is the asset that must be protected first and foremost. The outside-in strategy starts at a macro level and over time, if funding is available, works its way down to the micro level, which is the data. This methodology misses the criticality associated with data exposure. Think about these two scenarios.
1) A hacker gets past your firewall and steals customer information.
2) An employee accidentally deletes your product catalog.
Where is the best place to prevent these risks? Correct, at the data level. In response to scenario 1, the company would have to admit to being penetrated by a hacker, but could confidently say that customer information was encrypted and is therefore unreadable by anyone outside of the company (that assurance holds only if the encryption keys were not reachable from the compromised systems, so key management is part of the control). Concerning scenario 2, by setting proper access permissions on the data, no single employee would have the authority to erase the catalog. These real-life and too often occurring scenarios lead us directly to the need to begin our security quest at the data level.
Please consider these protective steps:
1) Understand, inform and educate everyone that your organization's most critical asset is data.
2) Protect the data using encryption - both when stored and in transit.
3) Limit data access by using proper identification, authentication and audit controls.
4) Build and test several data recovery scenarios, because even the best prevention mechanisms can't thwart a system failure from causing data corruption or loss.
5) Keep expanding your security posture outwardly.
Please recognize that my intention here is to get you to acknowledge the importance of the data owned by your organization. Most companies understand the need and have the funding necessary to implement several layers of protection for their computing assets. Just be sure to consider your investments based on a deliberate understanding of your assets, from which you can then prioritize your security builds.
Visit http://docs.google.com/present/view?id=ddzzxj2h_26fwk5w2hs to see the visual aid.
3-step Disaster Recovery Planning Process
1) Determine and prioritize what applications/technologies/data the business must have to operate.
2) Based on priority, build your backup and recovery solutions to fit the defined needs. This may require defining tiers, where tier 1 systems must be recovered within 24 hours, tier 2 within 72 hours, and so on.
3) Test and test again!!!
If the above steps make no sense, please consider hiring a DR/BCP consultant.
Tuesday, October 20, 2009
More Free Training!!!
Very beneficial training, especially for those of you that may be involved in Federal government or military projects or bids.
Visit the IA site for more information.
Free Security Training!!!
From the web site...
"ACT Online content was developed by the University of Memphis Center for Information Assurance which is recognized by the US Department of Homeland Security and the National Security Agency as a National Center of Academic Excellence in Information Assurance Education."
Visit ACT Online for more information.
"ACT Online content was developed by the University of Memphis Center for Information Assurance which is recognized by the US Department of Homeland Security and the National Security Agency as a National Center of Academic Excellence in Information Assurance Education."
Visit ACT Online for more information.
Monday, October 12, 2009
Welcome Shawn Dunn!
Please welcome Shawn Dunn to the IT Security Rookie blog. Shawn currently works in an IT Security role and will be sharing insights from his past and current experiences. Shawn and I worked together for many years. We should all look forward to his contributions!
Thanks Shawn!
Thursday, October 1, 2009
New CISSP Prep Book Store
I have added the CISSP Prep book store to this blog to help everyone find CISSP prep books quickly. Of the books on the main list, I have read three so far (see my previous blog entries for details). I also currently subscribe to SC Magazine, which, by the way, will help you earn your continuing education credits once you are a CISSP certificate holder.
Now, I need to figure out what book to read next!
Good luck!
CISSP Prep Book Store
Don't forget to keep your receipts, as you MAY be able to deduct these investments as professional education.
Monday, September 21, 2009
Mitigating Risk
When it comes to audits and other compliance requirements - think Sarbanes-Oxley, PCI-DSS, internal and external audits, etc. - people tend to get a bit uptight and flustered. Fortunately, by keeping a calm head and a rational perspective, your reaction to these challenges can be cool and calm, allowing you to leverage a methodology you already know - risk mitigation.
Risk mitigation is about identifying a vulnerability, weakness or "hole" in how you meet the requirements established by the governing body to which you must comply, and then putting resources to work to overcome the identified exposures. For instance, simply put, the PCI-DSS program assigns your organization a level based on the number of credit card transactions processed per year. Based on that determination, you can determine what criteria you must meet and by when. From there, a project plan must be developed and the needed funding requested.
Part of your job as an IT Security Professional is to communicate the requirements, the exposures needing to be mitigated and the estimated costs for completing the project. From there, it becomes the responsibility of the company's senior leadership team to fund the program or to accept responsibility for non-compliance.
Next, with the funding secured and a plan, you manage to the plan and funding as you would most other IT projects. Remember this one important requirement though: you have a hard stop on the project based on the required compliance date, therefore you will have to keep the project on schedule. However, should you find yourself in a position where you will not meet the required date, be sure to communicate immediately with the governing body, outlining your plan and schedule. Most governing bodies are more amenable to your plans if you contact them proactively. Once they start targeting you for non-compliance on their terms, things may get ugly quickly.
Finally, establish a monitoring process to track the status of your compliance points to keep everything on track. This will leave you in a great position for the next round of requirements.
It's good to know that a core process - risk mitigation - can be applied to many problems, in this case compliance.
I do hope your next compliance effort goes smoothly.
Wednesday, September 16, 2009
Server Technology Transition Checklist
Here's a quick list of checks and tasks to perform when you inherit a new server.
To do list:
*secure the privileged accounts
*remove unused accounts and consider account lock and expiration needs
*verify recoverability (backups or snapshot rebuilds)
*determine patch/upgrade needs
*determine capacity for growth OR consolidation, without losing needed availability
*determine the core applications on each server
*have the security team do a security scan; patch vulnerabilities
*define and disable non-essential services
*determine the need for audit logging
*configure monitoring
*document everything, including upstream and downstream connectivity and dependencies
Now, you should be confident that the server is secure and recoverable and can start aligning the management of the server with your IT policies and processes.
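The first, second and eighth items on the list can be checked mechanically before anyone logs in to the inherited box interactively. The following Python script is an added example (not the author's code) that audits constructed copies of /etc/passwd, /etc/shadow and /proc/net/tcp: extra uid-0 accounts, accounts with an empty password field, expired-but-present accounts, interactive accounts whose password has not changed in a year, and listeners that are not on the documented allowlist. The account names, the fixed "today" value, the little-endian address decoding and the allowlist of ports 22 and 80 are assumptions for the demonstration.

```python
"""Offline audit of an inherited Linux server's accounts and listeners.

Added example for the checklist above, not the author's code. The
inputs are constructed copies of /etc/passwd, /etc/shadow and
/proc/net/tcp; on a real server read the files instead (shadow needs
root). TODAY_DAYS is fixed so the run is reproducible.
"""
import socket

TODAY_DAYS = 18200          # days since the epoch; assumed "today"
STALE_AFTER_DAYS = 365
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0:previous admin:/home/backup2:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
contractor:x:1001:1001:Contractor:/home/contractor:/bin/bash
legacyapp:x:1002:1002:Legacy app:/opt/legacyapp:/bin/sh
"""

# name:hash:lastchg:min:max:warn:inactive:expire:reserved (days since epoch)
SAMPLE_SHADOW = """\
root:$6$abc$hashhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup2:$6$def$hashhash:15000:0:99999:7:::
alice:$6$ghi$hashhash:18100:0:90:7:::
contractor::18000:0:99999:7:::
legacyapp:!$6$jkl$hashhash:16000:0:99999:7::17000:
"""

# st 0A = LISTEN, 01 = ESTABLISHED; local_address is hex ip:port
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0500000A:0016 0700000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if line:
            name, pw, lastchg, _mn, _mx, _warn, _inact, expire = line.split(":")[:8]
            entries[name] = {"hash": pw,
                             "lastchg": int(lastchg) if lastchg else None,
                             "expire": int(expire) if expire else None}
    return entries


def audit_accounts(passwd_text, shadow_text, today=TODAY_DAYS):
    """(account, finding) pairs for 'secure the privileged accounts' and
    'remove unused accounts and consider account lock and expiration'."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, u in parse_passwd(passwd_text).items():
        s = shadow.get(name, {"hash": "x", "lastchg": None, "expire": None})
        locked = s["hash"].startswith(("!", "*"))      # passwd -l / nologin style lock
        interactive = u["shell"] in INTERACTIVE_SHELLS
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra uid-0 account"))
        if s["hash"] == "":
            findings.append((name, "empty password field (passwordless login)"))
        if s["expire"] is not None and s["expire"] < today:
            findings.append((name, "expired account still present"))
        if (interactive and not locked and s["lastchg"] is not None
                and today - s["lastchg"] > STALE_AFTER_DAYS):
            findings.append((name, "interactive account, password older than %d days"
                             % STALE_AFTER_DAYS))
    return findings


def listening_sockets(proc_net_tcp_text):
    """[(ip, port, uid)] for LISTEN sockets. The kernel prints the IPv4
    address in host byte order, so the bytes are reversed here (assumes a
    little-endian host); the port is plain big-endian hex."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8 or fields[3] != "0A":
            continue
        hexip, hexport = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(hexip)[::-1])
        result.append((ip, int(hexport, 16), int(fields[7])))
    return result


def unexpected_services(listening, allowed_ports):
    """'Define and disable non-essential services': every listener not on
    the documented allowlist, loopback binds included, so the decision to
    keep or stop each one is explicit rather than assumed."""
    return [entry for entry in listening if entry[1] not in allowed_ports]


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("ACCOUNT  %-12s %s" % (account, finding))
    for ip, port, uid in unexpected_services(listening_sockets(SAMPLE_PROC_NET_TCP), {22, 80}):
        print("SERVICE  %s:%d (uid %d) not on the allowlist" % (ip, port, uid))
```

Run it from a copy of the files rather than on the server itself when the box is suspect, and turn each finding into a ticket (lock or remove the account, stop and disable the service) before the "security team scan" item, so the scan confirms the cleanup instead of rediscovering it.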
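"Verify recoverability" here and "Test and test again" in the 3-step Disaster Recovery Planning Process post above come down to the same drill: back up, restore somewhere other than the source, and prove the restore matches byte for byte within the tier's recovery window. This Python script is an added example (not the author's code) of that drill using a tar archive and a SHA-256 manifest; the catalog files, the 24-hour RTO default and the corrupt_restore switch, which damages one restored file to show the check catching it, are constructed for the demonstration. Swap the tarfile step for your real backup tool and keep the manifest comparison and the timing.

```python
"""One backup-and-restore drill with an integrity check.

Added example for "Test and test again" in the DR post and "verify
recoverability" in the checklist; not the author's code. Standard
library only, with a constructed sample tree, so it runs anywhere.
"""
import hashlib
import os
import tarfile
import tempfile
import time


def build_manifest(root):
    """Relative path -> SHA-256 of content for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def backup(source_dir, archive_path):
    """Archive source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return build_manifest(source_dir)


def restore(archive_path, target_dir):
    """Extract into target_dir. The 'data' filter (Python 3.12+, also
    backported to late 3.8-3.11 releases) refuses absolute paths and '..'
    members, so a tampered archive cannot write outside target_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target_dir, filter="data")
        else:
            tar.extractall(target_dir)


def verify_restore(expected, actual):
    """(missing, corrupted, extra) relative paths; all empty means success."""
    missing = sorted(p for p in expected if p not in actual)
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    extra = sorted(p for p in actual if p not in expected)
    return missing, corrupted, extra


def drill(rto_seconds=24 * 3600, corrupt_restore=False):
    """Run a drill in a temp dir and return a result dict. The drill passes
    only if the manifests match and the restore finished inside the RTO.
    corrupt_restore=True damages one restored file to show that a restore
    which 'succeeded' but is wrong is still caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "catalog")            # constructed sample data
        os.makedirs(os.path.join(src, "2009"))
        with open(os.path.join(src, "2009", "products.csv"), "w") as f:
            f.write("sku,price\n1001,19.99\n1002,5.49\n")
        with open(os.path.join(src, "README"), "w") as f:
            f.write("constructed sample, not real catalog data\n")
        archive = os.path.join(work, "catalog.tgz")
        expected = backup(src, archive)

        dst = os.path.join(work, "restore")
        os.makedirs(dst)
        start = time.monotonic()
        restore(archive, dst)
        elapsed = time.monotonic() - start
        if corrupt_restore:
            with open(os.path.join(dst, "2009", "products.csv"), "a") as f:
                f.write("1003,garbage\n")

        missing, corrupted, extra = verify_restore(expected, build_manifest(dst))
        return {"ok": not (missing or corrupted or extra) and elapsed <= rto_seconds,
                "missing": missing, "corrupted": corrupted, "extra": extra,
                "elapsed": elapsed}


if __name__ == "__main__":
    print("clean drill:    ", drill())
    print("corrupted drill:", drill(corrupt_restore=True))
```

Store the manifest separately from the archive (a backup that carries its own checksums cannot detect a replaced archive), and record the elapsed time of each drill against the tier's RTO so the 24-hour and 72-hour targets are measured rather than assumed.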
Thursday, August 27, 2009