The Need of Security Metrics

I have a strong believe that everyone needs security metrics. Imagine a case when all information security activities are outsourced. Will you define SLA and implement some metrics to ensure that contractor provides efficient service? Certainly! But what is the big difference when there is no outsourcing?

Here are other reasons for information security metrics implementation:

• You can not improve what you do not measure.
• In many cases just the fact of measurements (and making them visible) leads to improvement.
• You usually have limited resources, so they should be used efficiently. Metrics could be used to ensure this efficiency.
• Metrics can help justification of information security budget.
• Lastly - this is a classic tool of time management, when you firstly define your targets, KPIs etc. and then align your activity with them.
  

And here starts the difficult part - which metrics to implement. Share your experience!

Change Default SSHD Port Number In Mac OS X

I wanted to configure a sshd on my home Mac recently to be able to access it remotely and decided to follow best practice and change port from default value 22/tcp, which is quite an easy task to do on any *nix system.

It turned out that Apple changed service startup process in Mac OS X 10.4 (Tiger) to what is called launchd. So you may guess that changing port number in /etc/sshd_config didn't help and there was no /etc/inetd.conf or xinetd equivalent. At this point it became more interesting.

Finally I've come to the following procedure:

• Add a new service to the /etc/services file. I've called it ssh-NNNN, where NNNN is desired port number (this name is not a requirement and is only for clarity). So I've got a new line like:
  

  ssh-NNNN NNNN/tcp

  in /etc/services.

• Find a file named ssh.plist in /System/Library/LaunchDaemons. In this file find the following text:
  

  <key>SockServiceName</key>
  <string>ssh</string>

  and change ssh to a new service name ssh-NNNN.

• That's it. Now just start or restart SSH service from the System Preferences. Also, don't forget to open required port on the firewall (I leave this up to you)!

Friday Fun - Change Management

Анализ журналов кеширующего сервера

Проведен небольшой анализ недельных журналов работы кеширующего сервера (proxy). Результаты "обнадеживают": примерно 7% серверов, к которым обращаются пользователи, являются кандидатами на блокирование. В свете последних новостей, в число внешних сайтов представляющих угрозу для компьютеров пользователей, попадают рекламные сети. Методы, использованные в процессе анализа, позволяют, кроме выделения почтовых сайтов, форумов и т.д., детектировать, в том числе, банерные сети.
Отчет о проделаной работе.
Приложение к отчету.
В ближайшее время будет опубликован результат анализа журналов за 4 месяца.

Complexity Of Vulnerabilities

It is interesting to see that, although attacks and system vulnerabilities get more and more complicated, we still see obvious and simple problems with well-known protocols and software:

Domain-name issue could aid eavesdroppers

SANS Top20

SANS issued an updated version of their annual Top20 security risks list. Interesting part is the summary, outlining changes and trends. You may have guessed - shift from server-targeted attacks to client-targeted attacks. Botnets. No new "global" network worms. Increase in web vulnerabilities.

Full report is definitely worth reading:
SANS Top20
2007 Press Release