Apr 3, 2009

SANS Consensus Audit Guidelines (Draft 1.0)

On Feb 23, 2009 SANS published the first draft of the Consensus Audit Guidelines (CAG). As stated in the press release, the CAG includes 20 controls, 15 of which can be automated and 5 of which cannot.

The 20 Critical Controls; the first 15 are subject to automated measurement and validation (AMV):
  1. Inventory of Authorized and Unauthorized Hardware.
  2. Inventory of Authorized and Unauthorized Software.
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
  4. Secure Configurations of Network Devices Such as Firewalls And Routers.
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security ***
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering (not AMV)
  17. Red Team Exercises (not AMV)
  18. Incident Response Capability (not AMV)
  19. Assured Data Back-Ups (not AMV)
  20. Security Skills Assessment and Training to Fill Gaps (not AMV)
Two (2) points I would like to make here:
  • When your only tool is a hammer (For*ify), you tend to see every problem as a nail. Hey dude, *** is only 1/20 of the whole of infosec.
  • A Red Team exercise isn't automated measurement and validation.

Does PCI Work?

This is news from Computer World.

Payment card industry's data security rules aren't working, critics say; (and of course) VISA and the PCI council continue to defend their stand.

Some evidence:
  • Hannaford was certified as PCI-compliant by a 3rd-party assessor in Feb 2008, just 1 day after the company was informed of the system intrusions (which had begun 2 months earlier).
  • RBS WorldPay was certified as PCI-compliant prior to the breaches that the payment processors disclosed in Dec 2007 and Jan 2008 respectively.
Interesting?

NTFS-hacked in USB without Hacking

I know there are many tools out there that let you format a USB thumb/flash drive as NTFS. By default, Windows only allows your USB drive to be formatted as FAT. Here are the instructions to format your USB drive as NTFS without any hacking:
  1. After plugging in your USB drive, open 'My Computer'.
  2. Right-click 'My Computer' and select 'Manage'.
  3. Open 'Device Manager' and find your USB drive under the 'Disk Drives' heading.
  4. Right-click the drive and select 'Properties'.
  5. Choose the 'Policies' tab and select the 'Optimize for performance' option.
  6. Click 'OK' to close it.
  7. Now open 'My Computer'.
  8. Right-click the USB drive and select 'Format'.
  9. Choose 'NTFS' in the File System drop-down box.
  10. Click 'Start' to format it as NTFS.
Note that 'Optimize for performance' enables write caching on the drive, so use 'Safely Remove Hardware' before unplugging it to avoid losing buffered writes.

Apr 2, 2009

Software Assurance Maturity Model

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
  • Evaluating an organization’s existing software security practices
  • Building a balanced software security assurance program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities throughout an organization
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

Mar 12, 2009

Compiler or Programming Language: Which Came First

Have you ever thought about this? Which came first, the compiler or the programming language?

This is like the classic "chicken and egg" causality dilemma. Here is what I think the sequence was:
  1. Machine code: the first program was written directly in the hardware's machine code.
  2. Assembler (interpreter): a program written in machine code to interpret ASM into machine code.
  3. Compiler: a set of programs (lexical analyser, parser, linker, etc.) that can convert source code to assembler/machine code.
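As an added illustration (not part of the original post), here is a toy version of the three layers above for a hypothetical four-opcode stack machine: the "hardware" that runs raw bytes, an assembler that emits those bytes from mnemonics, and a tiny compiler that turns an arithmetic expression into assembly text. The ISA, the opcode values and Python's own `ast` module standing in for the lexer/parser are all assumptions of this example.

```python
import ast

# Constructed toy (not the post's code): a hypothetical 4-opcode stack machine
# used to walk the ladder above, machine code -> assembler -> compiler.
PUSH, ADD, MUL, HALT = 0x01, 0x02, 0x03, 0xFF   # opcode bytes of the toy ISA

def run_machine_code(code: bytes) -> int:
    """Layer 1, the 'hardware': executes raw bytes. The very first programs
    were written by hand at this level, with no tool beneath them."""
    stack, pc = [], 0
    while True:
        op, pc = code[pc], pc + 1
        if op == PUSH:
            stack.append(code[pc]); pc += 1
        elif op in (ADD, MUL):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == ADD else a * b)
        elif op == HALT:
            return stack.pop()
        else:
            raise ValueError(f"illegal opcode {op:#x} at offset {pc - 1}")

MNEMONICS = {"PUSH": PUSH, "ADD": ADD, "MUL": MUL, "HALT": HALT}

def assemble(source: str) -> bytes:
    """Layer 2, the assembler: mnemonics -> the bytes layer 1 executes.
    Historically the first assembler was itself written in machine code."""
    out = bytearray()
    for line in source.strip().splitlines():
        parts = line.split()
        out.append(MNEMONICS[parts[0]])
        if parts[0] == "PUSH":
            imm = int(parts[1])
            if not 0 <= imm <= 255:
                raise ValueError(f"immediate {imm} does not fit in one byte")
            out.append(imm)
    return bytes(out)

def compile_expr(expr: str) -> str:
    """Layer 3, a compiler: '2 + 3 * 4' -> assembly text. Python's ast module
    stands in for the lexer/parser, so operator precedence is already resolved."""
    ops = {ast.Add: "ADD", ast.Mult: "MUL"}
    def emit(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return [f"PUSH {node.value}"]
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return emit(node.left) + emit(node.right) + [ops[type(node.op)]]
        raise ValueError(f"unsupported syntax: {ast.dump(node)}")
    return "\n".join(emit(ast.parse(expr, mode="eval").body) + ["HALT"])

if __name__ == "__main__":
    print(run_machine_code(assemble(compile_expr("2 + 3 * 4"))))   # 14
```

Each layer only depends on the one below it, which is the point of the sequence: the machine runs without the assembler, and the assembler runs without the compiler.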
Links: