Art of Information Security

Number One Wordpress Security Step

So, what is the most important step you can take to keep your Wordpress blog secure?

Keep the software up-to-date

This may sound almost patronizingly obvious, but hold on a second. Every day hackers use unpatched servers or services of one kind or another as the bread and butter of their trade (stealing data, creating Bot networks, selling hacked server access to phishers, etc.).

So, why are there so many unpatched (or under-patched) servers and services?

Lack of awareness that a patch or update is available or needed
Lack of urgency regarding maintenance
Attitude that you are immune to these types of problems, and don’t need to worry about them

The good news is that the Wordpress community has resolved the first two problems.

(Folks with the last issue are the reason there will always be script kiddies…)

Here is the quick and dirty path to keeping your blog up-to-date:

(1) Subscribe to the Wordpress Development Feed

If you log into your Wordpress blog’s administrative interface, you will be notified if a new version is available. But if you are in a low-activity time with your blog, you still want to know when maintenance is needed. The best way is to subscribe to the Wordpress Development Feed in your RSS feed reader (You may also want to subscribe to the RSS feeds for the plug-ins you are using.).

(2) Install and Use the Wordpress Automatic Update Plug-in

I have two blogs, and have used this plug-in for my last three software updates (including the move to 2.5 yesterday), and have been very happy with how well the plug-in works. Now, I do automated daily backups of my blog db and files. So, I would recommend that you perform your own backup before using the script so you know you can recover if the unthinkable happens (Always make sure you are using the latest version of the plug-in before starting an update.).

(3) Wordpress 2.5 Now Includes Built-In Plug-in Updates

I do not think that your site will yet email you when your plug-ins need to be updated (2.5.1 please?), but with 2.5 you can 1-click update your plug-ins, if they are registered with Wordpress.org.

Step four would also be to make sure that your operating system is up-to-date. Automating that is almost always possible, but is dependent on what operating system you are using. Google “X automated security update”, where X is your OS.

BTW, I found the jump to 2.5 very smooth and have encountered no problems - Thanks, Wordpress!

Cheers, Erik

Comments: No Comments »
Categories: News and Info
Tags: Blog Security, Wordpress
Comments rss
Trackback

Blended Attacks and “The Tiger Team”

The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

Comments: 1 Comment »
Categories: News and Info
Tags: Blended Attacks, Social Engineering, Tiger Team
Comments rss
Trackback

What do you want to know about Cryptography in the Enterprise ?

I am working on a presentation entitled “Lessons Learned Deploying and Managing Enterprise Cryptosystems“. I will be presenting this at Information Security World 2008. In the 45 minutes I have for the presentation, it is my goal to touch on several key lessons learned in my work with cryptographic controls over the past several years. Cryptosystems is a broad topic, and can include not only techniques (encryption, digital signatures, timestamps), but also key management and implementation issues. There is a lot of material that I have available to draw from, and I want to make sure that the presentation includes the most valuable and relevant points that it can. After giving a presentation, there is almost nothing more disappointing than reviewing the feedback forms only to find out what people really wanted to know. This is especially disappointing if it is material you could have easily included…

I would love to know what kinds of questions you have and would like to see addressed.

In addition to your question, please provide a little context, such as:

- What are the drivers for your use of cryptographic controls (data protection, compliance, etc.)?
- Will your deployment be externally audited?

Cheers,
Erik

Cross posted on Linked In.

Comments: 1 Comment »
Categories: Cryptography, News and Info
Tags: Audit Preparation, Cryptography, Key Management
Comments rss
Trackback

Art of Information Security Episode 002: GTAGs and Safe Harbors

Art of Info Sec 002: GTAGs and Safe Harbors

GTAG’s

The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The paper’s are titled as GTAGs, which is an acronym for Global Technology Audit Guidance. The project is very ambitious, trying to break down major technical topics, the IT risks associated with them, and the controls that are available in a concise format accessible to senior risk executives.

Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:

Auditing Application Controls
Change and Patch Management Controls
Identity and Access Management
Information Technology Outsourcing
Managing and Auditing Privacy Risks
Managing and Auditing IT Vulnerabilities

You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.

In Other News…

Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…

Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors” ?

Discuss what a Safe Harbor is, using California Security Breach Information Act (SB-1386) as an example
Introduce NIST, FIPS, and FIPS 140-2

Cheers, Erik

Comments: No Comments »
Categories: News and Info, Podcast
Tags: Encryption, FIPS 140-2, GTAG, NIST
Comments rss
Trackback

Get Rich Quick at FakeChecks.Org - N O T

While I was checking the weather via the internet last night, I saw a banner ad for FakeChecks.org (click here), which turns out to be an anti-check fraud website sponsored by the National Consumers League . Check fraud has been around almost as long as checks themselves (I am sure it took a week or two for someone to try to steal cash using the newly invented check… ), but the anonymity and long distance communications capabilities provided by the Internet are reviving old scams and creating new ones.

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud FakeChecks.org for their efforts.

Cheers, Erik