Daily Security Tips from Ed Skoudis - Week of January 13, 2003
Security Tip for Friday, January 17th, 2003
Protect Your Browser!
The summer of 2002 was a rough one for the security of Microsoft's flagship browser product, Internet Explorer. Some of these problems were caused by Active Scripting support in the browser itself. Active Scripting helps to paint pretty web pages, but can also be used by attackers to steal cookies or execute arbitrary commands on your browser if you surf to an evil web site. To help avoid problems, make sure you apply the latest patches to your browsers! Additionally, you should disable Active Scripting support in the browser by selecting Tools > Internet Options > Security > Internet Zone. Then, click on "Custom Level," and scroll down to Scripting > Active Scripting. Select "Disable". Of course, this setting will impair your ability to view some web sites, but will greatly improve your security. Another option is to choose "Prompt" instead of "Disable", so you get a say-so regarding whether a site can push Active Scripts to your browser.
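The same Internet Zone setting can be checked and changed from a script, which is handy when you want to verify it on many machines rather than clicking through the dialog. This is an added example, not part of the original tip; it assumes the per-user zone settings live under the standard Internet Settings\Zones key, where zone 3 is the Internet Zone and value 1400 is "Active scripting" (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example: read and set Internet Explorer's Internet Zone "Active scripting"
# policy via the registry, mirroring Tools > Internet Options > Security > Custom Level.
# Assumption: zone 3 = Internet Zone, value name 1400 = Active scripting,
# with 0 = Enable, 1 = Prompt, 3 = Disable (standard IE zone layout).
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Returns the human-readable state, or a note if the value has never been set.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (browser default applies)' }
    $raw = [int]$item.$ValueName
    if ($Labels.ContainsKey($raw)) { return $Labels[$raw] }
    return "Unknown ($raw)"
}

function Set-ActiveScriptingSetting {
    # Mode is one of Enable / Prompt / Disable; the tip recommends Disable, or Prompt
    # if you want a say-so per site instead of blocking everything.
    param([ValidateSet('Enable','Prompt','Disable')][string]$Mode)
    $code = ($Labels.GetEnumerator() | Where-Object { $_.Value -eq $Mode }).Key
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ValueName -Value $code -Type DWord
}

"Before: $(Get-ActiveScriptingSetting)"
Set-ActiveScriptingSetting -Mode 'Disable'
"After:  $(Get-ActiveScriptingSetting)"
```

If the zone is locked down by Group Policy, the policy value wins over this per-user key, so a "Before" reading of Enable on a managed machine is worth following up with a check of the applied policy.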
Security Tip for Thursday, January 16th, 2003
Protect Yourself: Get an Internet-Only Credit Card
Worried about someone stealing the credit card number you use for online purchases? Under government regulations in the United States, you are only responsible for a maximum of US $50.00 for fraudulent purchases, and most banks will waive even that minimum if your card is stolen. Still, a stolen card can be a huge hassle. Suppose you are traveling, and are reliant on a single credit card for a rental car, hotel bills, and meals. If that card gets stolen, you are hosed! Therefore, get a separate credit card to use exclusively for on-line purchases. Monitor the bills for that card more closely, and don't rely on it for real-world purchases. That way, if someone steals your on-line card while you are traveling, you'll still have your real-world card available for transactions without interrupting your trip.
Security Tip for Wednesday, January 15th, 2003
Who's Linking To You?
All kinds of strange, twisted web sites may be linking to your organization's web sites. To find out who is linking to your site, use either Google or AltaVista and search for "link:[your URL]". For example, to see who is linking to www.counterhack.net, search on "link:http://www.counterhack.net". You may find very interesting links, such as vendors advertising your use of their products or even companies claiming that they partner with you. If you discover someone linking to your site who shouldn't be, have your lawyers send them a letter asking them to remove the link. Remember, we do have free speech, so you cannot force them to remove a link unless they are lying about your organization, violating your Intellectual Property rights, or threatening physical harm against your organization.
Security Tip for Tuesday, January 14th, 2003
Don't Let Management Ignore Your Security Team
Sadly, if you do a great job and prevent major attacks, it is possible that your security team will be invisible to management. If management isn't aware of what your security team is accomplishing, your funding will get slashed, lowering your overall security stance. To prevent such problems, create a monthly management summary for the management sponsors of your security team. The summary should be at most one page long (management doesn't have time to read more). It should summarize what your team has accomplished, such as major attacks you've thwarted. If you have nothing to report for your own team, include summaries of attacks against other organizations and describe what you have done to lower the possibility of such attacks in your environment. Finally, put the management summaries on red or orange paper to grab attention. It sounds silly, but it really works!
Security Tip for Monday, January 13th, 2003
Regular Vulnerability Scanning Is Crucial
Conduct periodic vulnerability scans of your own network to find holes before the bad guys do. Because new vulnerabilities are constantly being discovered, you should run a scan at least every three months (quarterly), or more often if you have the resources to do so. One of the best tools for running these scans is the free, open source Nessus tool (www.nessus.org), which runs on UNIX platforms such as Linux and Solaris. You could also use commercial tools, such as the ISS Internet Scanner at http://www.iss.net. Additionally, you could subscribe to services that automatically scan your network on a regular basis, such as Qualys (www.qualys.com), Foundstone's FoundScan (www.foundstone.com), and Vigilante (www.vigilante.com).