Exploring security, especially computer security. Security involves controls taken to minimize risk of harm to a target. See also these other related sections:
Security is the set of controls (countermeasures, actions, preparations, plans, policies, procedures) taken to minimize the threat risk (probability, potential) or threat harm (danger, damage, loss, crime, disruption, consequences) of threat actions (attacks, events, incidents) by threat agents (attackers; inside or outside; intentional/intelligent or not) that exploit vulnerabilities in a threat target (asset, resource, system).
Here is a lovely pure text chart from http://tools.ietf.org/html/rfc2828:
    + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
    | An Attack:              |  |Counter- |  | A System Resource:   |
    | i.e., A Threat Action   |  | measure |  | Target of the Attack |
    |   +----------+          |  |         |  | +-----------------+  |
    |   | Attacker |<=================||<=========                |  |
    |   |   i.e.,  | Passive  |  |         |  | |  Vulnerability  |  |
    |   | A Threat |<=================>||<========>                |  |
    |   |  Agent   | or Active|  |         |  | +-------|||-------+  |
    |   +----------+  Attack  |  |         |  |         VVV          |
    |                         |  |         |  | Threat Consequences  |
    + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
Passive attacks usually steal information and thus violate Confidentiality. Active attacks can also write to or otherwise affect the target and thus can also violate Integrity and Availability. Accountability and Auditing are important to find out who did what, and when. Computer security, information security, and information system security focus on the computer aspects of Confidentiality, Integrity, Availability, Accountability and Auditing (CIA), while information assurance focuses on demonstrating a level of security and often covers other areas (such as domain/sector, business, legal, ethical, and financial).
Targets and the controls/countermeasures have some common categories:
- Things, physical security, "what". The technical information system products:
- Physical and Hardware. Including servers, workstations, printers, monitors, routers, kvm, disk drives, security tokens. Note IPs, make, model, location, source, purchase dates, warranty info, license info, etc.
- Software and Applications. Including source, libraries, utilities, 3rd party, operating systems, diagnostic, communications. Note source, purchase dates, make, model, license info, etc.
- Data and Communications. Including during execution, stored online, archived offline, back ups, audit logs, databases, in transit, encryption, data entry, data collection. Note schema, permissions, code style, data dictionaries, entity relationship diagrams.
- People, personal security, "who". Developers-operators-users who build-run-use the things. Note Windows user names, SQL user names, contact info, access info, role info, date hire, date left, knowledge info. Note Client account info (EG FTP), 3rd party account info.
- Ideas, organizational security, "why". How the people should use the things.
- Need to be discoverable and accessible. Should be reviewed on a schedule.
- Internal policies and procedures. For security as well as safety, operations, continuity, productivity, reliability, reputation, etc.
- External requirements: legal, compliance, laws, regulations. EG: Health Insurance Portability and Accountability Act (HIPAA), state security breach notification laws.
- The principle of least privilege: Entities should have the least amount of permissions to as few resources as possible for the entity to do their job. The principle is similar to a "need-to-know" basis. The less an entity can do, the less of a threat they can pose. Sometimes increased privilege may be given on a temporary basis.
- The principle of separation of duties: Entities cannot complete critical acts alone.
- Access control via authentication, authorization, access control lists (ACL), and capability-based security.
- Depth of defense: Information security must occur for the life span of the information and as it moves between entities and layers. Chains of custody should be used. Layers include OSI (Application, Presentation, Session, Transport, Network, Data Link, Physical), or simpler models like data-app-host-network.
- Non-repudiation: The non-deniability of having agreed to participation in a contract. Part of accountability.
- "reasonable and prudent person", "due care" and "due diligence": A reasonable and prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal ethical manner. A prudent person is also diligent (mindful, attentive, and ongoing) in their due care of the business. It helps to be able to prove due care and due diligence via an audit trail.
- Fail safe. If a system fails, then the default result should be no harm.
- Capture organizational knowledge. Knowledge transfer. Fewer missed or forgotten steps. Learn from past mistakes. Collaborative. More perspective. Greater efficiency and productivity by eliminating the extraneous, collaborative creativity.
- Avoid bureaucracy. If policies and procedures (PP) become bureaucratic, they become inefficient, dogmatic, unmanageable, redundant, insane, barriers; they stifle creativity and cause tunnel vision.
When performing a security review or information assurance process, the following steps are common.
- Asset Management
- What you're trying to protect.
- Identify, enumerate, and classify assets/targets.
- Security classification of information. EG:
- The business sector: public, sensitive, private, confidential.
- The government sector: unclassified, sensitive but unclassified, restricted, confidential, secret, top secret.
- Traffic Light Protocol (TLP): white (unlimited, regular copyright), green (community wide), amber (limited distribution, need-to-know), red (personal for named recipients only).
- Classifications specific to the organization. EG:
- internal, client, client-specific
- patient-specific, provider-specific, practice-specific, group-specific.
- Risk Assessment
- What threats you're trying to protect against, how likely is the threat, and what would the impact be.
- Identify, enumerate, and classify threats/vulnerabilities. This includes attackers, means, and motivation.
- Stay on top of new kinds of threats.
- The assessment of a threat is often summarized and quantified as product of risk and impact.
- Risk Management
- Develop the controls/countermeasures that mitigate, eliminate, accept, or transfer risks.
- Categorize controls according to enaction relative to an attack:
- Preventative, before. The best: prevent incidents, deterrents. Perception of security and security theater. A honeypot is a trap to draw attacks.
- Detective, during. Real time, notifications and alarms, Computer Emergency Readiness Team (CERT) or Computer Security Incident Management (CSIM).
- Corrective, after. CERT, assess damage, minimize damage, accountability.
- Define the cost of controls (in terms of time, money, resources, etc.) and weigh against the risk.
- Implement the controls and evaluate the results. Repeat on a schedule and as needed.
Security should be applied throughout Software Development Life Cycle (SDLC), Systems Development Life Cycle (SDLC), Change Management, etc.
Information Security Standards
An organization can make its own information security standards, but there are many published information security standards (EG: NIST Special Publications (SP) 800-12, 800-14, 800-26, 800-37, 800-53; DoD Instruction 8500.2; ISA-99; NERC 1300; ISF Standard of Good Practice; ISO 15408; RFC 2196). The most well known information security standard is the ISO/IEC 27000-series (aka 'ISMS Family of Standards' or 'ISO27k') by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An organization may choose to be independently assessed/accredited/certified against the ISO/IEC 27001 standard. Here is an outline of the best practice recommendations for initiating, implementing or maintaining an Information Security Management System (ISMS) as per the ISO/IEC 27002 standard:
- Risk assessment and treatment - analysis of the organization's information security risks
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
As of 2012-05 information security standards are in the news because Google Apps and Microsoft Office 365 both got Federal Information Security Management Act (FISMA) certified. Here is the FISMA compliance framework:
- Inventory of information systems
- Categorize information and information systems according to risk level
- Security controls
- Risk assessment
- System security plan
- Certification and accreditation
- Continuous monitoring
A Computer Emergency Readiness Team (CERT) or Computer Security Incident Management (CSIM) team plans security and may also be the same people who respond to an incident.
When an incident occurs the CERT must be alerted/notified. Automated alert systems are important. For manual alerts, people need to have a security point of contact (POC).
The CERT must first minimize the threat harm. The CERT must also be able to analyze the incident for accountability and to prevent future incidents.
Audits involve logging activity for the purposes of determining what occurred, when, and who did it. Audits include the following:
- Network operating system logs.
- Operating system logs. Like Event Viewer for Windows NT.
- Database logs.
- Specialty server logs. EG: MS IIS, MS VSS.
- Logs kept by applications and business objects.
It is important to be alerted of threats and to be aware that there might be threats at all. It is impossible to maintain the highest level of alertness continuously. It is more sensible to have a minimum alertness level and to move to a higher alert level when there is a higher level of risk. Different organizations may use different alert systems, but it is important to be aware of the general concept.
- A generic color-coded alert system.
- Black. An over-response resulting in improper actions.
- Red. Severe alert. Risk probability: Practically imminent. Consequence level: High.
- Orange. High alert. Risk probability: High. Consequence level: Any.
- Yellow. Elevated alert. Risk probability: Medium. Consequence level: Any.
- Blue. Guarded alert. Risk probability: Low. Consequence level: Any.
- Green. Low alert. Risk probability: None perceived. Consequence level: None perceived.
- White. Unalert. Drunk, comatose, texting, daydreaming.
- Homeland Security Advisory System. This has been replaced by the National Terrorism Advisory System which issues only 2 levels of alerts: "elevated" or "imminent".
- BIKINI State. An alert state indicator by the UK Ministry of Defense.
- Red. Info received of a specific attack.
- Amber. High alert. Info received of a general attack.
- Black Special. Elevated risk, but target undefined.
- Black. Assessment of elevated risk, but target undefined.
- White. Situation stable. No info about specific attacks.
- UK Threat Levels. Replaced BIKINI.
- Critical. An attack is expected imminently. Response: Exceptional.
- Severe. An attack is highly likely. Response: Heightened.
- Substantial. An attack is a strong possibility. Response: Heightened.
- Moderate. An attack is possible, but not likely. Response: Normal.
- Low. An attack is unlikely. Response: Normal.
- Emergency codes. These vary between hospitals, schools, etc, but a wide standard is by the Hospital Association of Southern California (HASC). "Code X" or "Paging Dr. X" is often used.
- Fire. "Code Red" (HASC).
- Cardiac arrest/Adult medical emergency. "Code Blue" (HASC). "Plan Blue".
- Pediatric medical emergency. "Code White" (HASC).
- Child abduction/missing person. "Amber Alert". "Code Adam".
- Infant abduction. "Code Pink" (HASC).
- Child abduction. "Code Purple" (HASC).
- Bomb threat. "Code Yellow" (HASC).
- Combative person. "Code Gray" (HASC). "Dr. Armstrong".
- Combative person with a weapon or hostage. "Code Silver" (HASC).
- Hazardous material spill/release. "Code Orange" (HASC).
- Patient elopement. "Code Green" (HASC).
- Emergency Alert / Internal Emergency / External Emergency. "Code Triage" (HASC).
- Internal disaster.
- Lockdown/limited access.
- Mass casualty incident.
- Severe weather.
- Theft/armed robbery.
- Total divert/max patient capacity reached.
Physical security means to control the physical and electrical means by which access is gained to a system.
Physical security includes the following:
- Locking doors to sensitive systems.
- Strict policies on who has access to sensitive areas.
- Not allowing sensitive computers to be connected to outside systems.
Fault tolerance is the ability to recover from hardware failure or mistakes with little or no interruption. A fault tolerant system is said to be robust and often has redundant or back up components.
- Eliminate single points of failure. That is, if something fails, a replacement should take over automatically.
- The need for fault tolerance of a point is determined by the number of users that would be hampered if that point failed.
- Points include the following:
- Electrical disaster prevention equipment (surge protectors, UPSs, etc.)
- Data protection and recovery (backup data, RAID, roll back transactions, etc.)
- Software and hardware components that are redundant, parallel, and replaceable, including the following:
- operating system software, application software, storage (disks), power supply (usu. a transformer in a machine), network connectors, network card, processor chip, RAM, etc.
Applications often serve as a bridge tying users to data via a network. Security should be applied throughout Software Development Life Cycle (SDLC), Systems Development Life Cycle (SDLC), Change Management, etc.
Stay abreast of the latest application security threats and best practices.
- Via https://www.owasp.org/index.php/Top_10_2010-Main:
- Injection. SQL injection, OS injection, LDAP injection.
- Cross Site Scripting (XSS).
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
- Via "Improving Web Application Security: Threats and Countermeasures" [http://msdn.microsoft.com/en-us/library/ff649874] (2003-06):
- Input Validation. Buffer overflow; cross-site scripting; SQL injection; canonicalization
- Authentication. Network eavesdropping ; Brute force attack; dictionary attacks; cookie replay; credential theft
- Authorization. Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
- Configuration management. Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
- Sensitive information. Access sensitive data in storage; network eavesdropping; data tampering
- Session management. Session hijacking; session replay; man in the middle
- Cryptography. Poor key generation or key management; weak or custom encryption
- Parameter manipulation. Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
- Exception management. Information disclosure; denial of service
- Auditing and logging. User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks
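Injection heads both lists above. As an added example (mine, not from the OWASP or Microsoft documents, and not code from this page), here is the same user lookup written the weak way (string concatenation) and the hardened way (a bound parameter), run against a constructed in-memory sqlite table. The table contents and the test inputs are made up for the demonstration.

```python
import sqlite3

# Constructed in-memory user table standing in for an application's database.
SEED_USERS = [("alice", "hr"), ("bob", "staff"), ("carol", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The weak form: the user-supplied value is spliced into the SQL text, so a
    # quote character in the input is parsed as SQL rather than treated as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The hardened form: the value travels as a bound parameter and is never
    # parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed test input containing a quote. A WHERE clause that parses it
    # as SQL becomes "name = '' OR '1'='1'" and matches every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

The parameterized query returns the one matching name for ordinary input and nothing for the quote-bearing input; the concatenated query returns every user for the latter. Input validation (the first category in the Microsoft list) is still worth doing, but the parameter binding is what actually keeps data out of the SQL grammar.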
Testing applications and quality assurance.
- Kinds of testing:
- Sanity testing. Basic, quick, and simple tests.
- Functional v non-functional testing. Non-functional includes security plus other such as: scalability, performance, maintainability, usability, testability, destructive (push to failure).
- Input and precondition combination testing. Testing permutations of inputs and initial states.
- Compatibility testing. Compatibility with components, operating system, browsers, etc.
- Static v dynamic testing. Static looks at code (EG JSLint or human eyes), while dynamic runs code.
- Verification v validation testing. Verification tests if the app works as specified (i.e. was the app built right?). Validation tests if the app is what the users want (i.e. was the right app built?).
- Black box v white box testing. Black box testers are "blind" and have no prior knowledge of the system being tested. White box testers have full disclosure, full prior knowledge of the system being tested. Gray box testing is in between.
- Automated or manual. Manual review with human eyes occurs during build, as well as after an automated test.
- Penetration testing. An ethical hacker (with a black or white hat) simulates a malicious attack. Black box simulates an outside attacker. White box simulates a malicious insider or cases where sensitive info was leaked.
- Testing targets/levels:
- Unit testing. Testing at the function level. Usually done during building.
- Integration testing. Testing the interface between components.
- System testing. Testing the completely integrated system.
- Network. LAN/WAN (Local Area Network and Wide Area Network) access is usually controlled via the network operating system's access authentication.
- Intranet. An intranet is a portion of a LAN/WAN that is connected via TCP/IP and is protected from the Internet.
- Extranet. Two intranets connected together. This may also cover an intranet accessed via VPN (Virtual Private Network) through PPTP (Point-to-Point Tunneling Protocol).
- Internet. LANs/WANs, intranets, and extranets must be protected from the Internet and yet, if possible, have access to the Internet.
A firewall is usually hardware (eg a screening router), software (eg a proxy server), or both. A firewall says what services can access what resources. Most firewall systems use one or more of the following methods:
- Packet filtering: A hardware method that utilizes a screening router (SR) to check incoming and outgoing packets and then either allows or rejects the packet based on security parameters such as whether the IP address is preauthorized, or based upon the TCP and UDP port numbers, thus enabling certain types of connections such as telnet or FTP. This method is effective, but is difficult to configure and may still be bypassed by IP spoofing. Packet filtering operates at the Network layer of the OSI Reference Model.
- Proxy server: A software version of a router. It also intercepts messages to and from the network. It hides the true network address (thus making it spoof proof) and can perform functions beyond just security. A proxy server may be an application-specific proxy. EG: A server may proxy HTTP for Web pages, FTP, RealAudio/Video, SMTP/POP for e-mail, NNTP for newsgroups, nearly any MIME type, etc. Proxy servers work at the Application layer of the OSI Reference Model.
- Application gateway: A software method that only allows applications like FTP or telnet servers to connect. This method is effective but has connection limitations.
- Circuit level gateway: A hardware method that only allows certain circuits to connect.
Here is a belt & suspenders firewall, a typical enterprise level setup for network access security:
The SRs are screening routers, ie packet filters. The BHs (Bastion Hosts) are servers such as IIS, RAS, and Exchange. The DMZ (De-Militarized Zone) demarcate machines that have more exposure to the Internet than the LAN does.
Secure transmission ensures that communications are only between the appropriate parties. Secure transmission includes the following:
- Data encryption. Public keys (like PGP), symmetric keys (like DES), SSL, etc.
- Data compression. WinZip for PCs, StuffIt for Macs, gzip for UNIX, etc.
- Digital certificates. Clients and servers can acquire certificates of identification by registering with a certificate authority (like www.VeriSign.com). This is usually used for data encryption when accessing pages via https://, i.e. via SSL. See also my article on Encryption.
An Intrusion Detection System (IDS) monitors network or system activities for malicious activities or policy violations. In contrast a network monitoring system (NMS) monitors the network for problems caused by overloaded and/or crashed servers, network connections or other devices. There are many variations such as network monitoring, website monitoring, etc. Much can be done with a packet analyzer (aka sniffer) like Wireshark.
Basic network attacks:
- Social engineering. Information attacks that seem less technical. Phone surveys, deliveries, texting.
- SPAM. Unwanted email. Some of it may be interesting or tempting, but usually they want to sell you something or steal personally identifying information (PII) like emails, usernames, and passwords for identity theft.
- Keystroke logging. Capturing a user's keystrokes.
- Wiretapping. Eavesdropping in on telephone communications.
- Man-in-the-middle attack (aka MITM attack; bucket-brigade attack; Janus attack). Eavesdropping where the attacker is invisibly between the communicants. Secured transmissions prevent MITM attacks.
- Spoofing. Impersonation of things like a CallerID, a site, an email, an Address Resolution Protocol (ARP) or an IP address.
- Phishing. Trying to steal info by spoofing. Phishing is commonly done to steal financial info, PII, or info about your organization, or to install malware. Spear phishing targets a small target group. Whale phishing targets specific individuals. Vishing is phishing via voice or phone. Tab nabbing is phishing via a new tab. See http://iase.disa.mil/eta/phishing_v2/phishing_v2/launchPage.htm.
- Port scanning (1 host/server) or port sweeping (2+ hosts/servers). EG: Scan for hosts listening on TCP port 1433 (SQL Server). An idle scan is a port scan done while spoofing a "zombie" computer.
- Denial of Service (DoS). An attempt to make a computer or network resource unavailable to its intended users. The most common method is to saturate the target with bogus communications. A smurf attack is a DoS attack while spoofing.
- Buffer overflow, uncontrolled format strings, and SQL injection are sometimes put under network security but I put them under application security.
Basic practices for network security:
- Have physical security
- Anti-virus software that is regularly and automatically updated.
- Keep your operating system updated.
- Avoid links and attachments in emails, ads, or pop ups. Avoid entering PII via those methods too. To access financial institutions, use your own links instead of ones sent via email.
- Backup often. Keep files in the cloud. If you must have local files, then back up to the cloud.
- Use strong but memorable passwords that you change periodically.
- If connecting wirelessly, then use a good password and change the default SSID network name.
- Enable MAC Address filtering and track all network MAC devices connecting to the router.
- Assign static IP addresses to network devices.
- Disable ICMP ping on router. "Hides" your router from the Internet.
- Periodically review router or firewall logs for anomalies.
- Have a back up admin account that you do not use for day-to-day activities.
- If you must connect to another network, try Virtual Private Network (VPN).
- An advanced network may be set up with a "honeypot", i.e. a decoy to target for attackers.
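"Periodically review router or firewall logs for anomalies" is easier with a little automation. As an added example (my own code, not from this page), here is a detector for the two patterns described in the attacks list: a port scan (one source probing many ports on one host) and a port sweep (one source probing one port, such as 1433, across many hosts). The log line format and the sample lines are constructed for the example; a real firewall's format would need its own regular expression.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed log format (not any real vendor's): ISO time, action, protocol,
# source ip:port, destination ip:port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # skip lines that do not fit the format
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    return e


def find_scans(lines: List[str], window: timedelta = timedelta(minutes=1),
               min_ports: int = 5, min_hosts: int = 5):
    """Return sorted alerts: ("port scan", src, dst) when one source touches at
    least min_ports distinct ports on one host within the window, and
    ("port sweep", src, dport) when it touches one port on at least min_hosts
    distinct hosts within the window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = set()
    for i, first in enumerate(events):
        ports, hosts = set(), set()
        for e in events[i:]:             # events are time-ordered, so stop at the window edge
            if e["ts"] - first["ts"] > window:
                break
            if e["src"] != first["src"]:
                continue
            if e["dst"] == first["dst"]:
                ports.add(e["dport"])
            if e["dport"] == first["dport"]:
                hosts.add(e["dst"])
        if len(ports) >= min_ports:
            alerts.add(("port scan", first["src"], first["dst"]))
        if len(hosts) >= min_hosts:
            alerts.add(("port sweep", first["src"], first["dport"]))
    return sorted(alerts)


# Constructed sample: benign web traffic, one host being probed on six ports,
# and one source probing TCP 1433 on six different hosts.
SAMPLE_LOG = [
    "2012-05-01T10:00:00 ALLOW TCP 198.51.100.7:51000 -> 192.0.2.10:80",
    "2012-05-01T10:00:03 DENY TCP 203.0.113.9:40001 -> 192.0.2.10:21",
    "2012-05-01T10:00:04 DENY TCP 203.0.113.9:40002 -> 192.0.2.10:22",
    "2012-05-01T10:00:04 DENY TCP 203.0.113.9:40003 -> 192.0.2.10:23",
    "2012-05-01T10:00:05 DENY TCP 203.0.113.9:40004 -> 192.0.2.10:25",
    "2012-05-01T10:00:05 ALLOW TCP 203.0.113.9:40005 -> 192.0.2.10:80",
    "2012-05-01T10:00:06 DENY TCP 203.0.113.9:40006 -> 192.0.2.10:443",
    "2012-05-01T10:00:30 ALLOW TCP 198.51.100.7:51001 -> 192.0.2.10:80",
    "2012-05-01T10:01:00 DENY TCP 203.0.113.20:50001 -> 192.0.2.1:1433",
    "2012-05-01T10:01:01 DENY TCP 203.0.113.20:50002 -> 192.0.2.2:1433",
    "2012-05-01T10:01:01 DENY TCP 203.0.113.20:50003 -> 192.0.2.3:1433",
    "2012-05-01T10:01:02 DENY TCP 203.0.113.20:50004 -> 192.0.2.4:1433",
    "2012-05-01T10:01:02 DENY TCP 203.0.113.20:50005 -> 192.0.2.5:1433",
    "2012-05-01T10:01:03 DENY TCP 203.0.113.20:50006 -> 192.0.2.6:1433",
    "this line is garbage and is ignored",
]


if __name__ == "__main__":
    for alert in find_scans(SAMPLE_LOG):
        print(alert)
```

The thresholds and window are deliberately parameters: a busy public host sees legitimate clients on several ports, so tune min_ports and min_hosts against a baseline of your own logs before paging anyone.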
- Some data should be encrypted when stored or during transmission or both.
- Data should be backed up on a schedule. Backups should be stored off site.
- Data should be masked (EG: Social security numbers) as needed.
- Data should be destroyed as needed.
- A database should have as few logins as needed.
- A database should utilize database activity monitoring (DAM) technology.
- Continuity and disaster recovery strategies.
- A database should utilize revision control software (RCS) for database objects (EG: table definitions, procedures). This is an audit log for the database system, not the data in the system.
- Audit logs for data creates, reads, updates, and deletes (CRUD): When, who did it, where in the app they did it, and what they changed the data from and to.
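The audit log item above and the earlier "Audits" section both ask for the same record: when, who, where in the app, and what the data changed from and to. As an added example (mine, not code from this page), here is a small dict-backed table whose create/read/update/delete operations each append such an entry, plus the two questions an auditor usually asks of it. The record ids, users and screen names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    who: str                    # authenticated user who acted
    where: str                  # place in the app: screen, form or endpoint
    action: str                 # "create", "read", "update" or "delete"
    record_id: str
    field: Optional[str] = None
    old: Any = None             # value before the change (None for create/read)
    new: Any = None             # value after the change (None for read/delete)


class AuditedTable:
    """A dict-backed table whose CRUD operations each append an audit entry.
    The clock is injectable so tests can be deterministic."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.rows: Dict[str, Dict[str, Any]] = {}
        self.log: List[AuditEntry] = []
        self._clock = clock

    def _record(self, who, where, action, rid, field=None, old=None, new=None):
        self.log.append(AuditEntry(self._clock(), who, where, action, rid,
                                   field, old, new))

    def create(self, who, where, rid, **values):
        self.rows[rid] = dict(values)
        for field, value in values.items():
            self._record(who, where, "create", rid, field, None, value)

    def read(self, who, where, rid):
        self._record(who, where, "read", rid)          # reads are logged too
        return dict(self.rows[rid])

    def update(self, who, where, rid, field, new):
        old = self.rows[rid].get(field)
        self.rows[rid][field] = new
        self._record(who, where, "update", rid, field, old, new)

    def delete(self, who, where, rid):
        for field, value in self.rows.pop(rid).items():
            self._record(who, where, "delete", rid, field, value, None)


def history(table: AuditedTable, rid: str, field: Optional[str] = None):
    """Every entry for one record, optionally narrowed to one field."""
    return [e for e in table.log
            if e.record_id == rid and (field is None or e.field == field)]


def last_writer(table: AuditedTable, rid: str, field: str) -> Optional[str]:
    """Who last changed this field (reads do not count)."""
    writes = [e for e in history(table, rid, field)
              if e.action in ("create", "update", "delete")]
    return writes[-1].who if writes else None


def demo() -> AuditedTable:
    t = AuditedTable()
    t.create("alice", "patients/new", "p-100", name="Pat Doe", dob="1970-01-01")
    t.read("bob", "patients/view", "p-100")
    t.update("carol", "patients/edit", "p-100", "dob", "1971-01-01")
    return t


if __name__ == "__main__":
    for entry in history(demo(), "p-100"):
        print(entry)
```

The log is append-only by construction (nothing in the class removes entries); in a real system it would live in a store the application's own users cannot modify, or it proves nothing.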
Access control deals with enabling an authority to control which entities access which resources with what permissions.
Before proceeding, we must define entities, resources, and permission:
- Entities include computers, processes, individual users, and groups of users. Some entities may have the authority to manage access control.
- Resources include other entities, domains, directories, files, portions of applications, and specialty resources (EG: Web sites on a web server).
- Permissions (aka rights) are what an entity can do with resources.
- Permissions can vary with different systems, but these are the most common permissions:
- Read, aka
- Write, aka
- Execute. One of the following
- Scripts, aka
- Executables & scripts, aka
- Scripts, aka
- Delete, aka
- Control permissions, aka
- Take ownership, aka
- List contents, aka
- Read, aka
- It is common to use rwx characters as short hand for permissions. EG:
r-x: permissions to read and execute but not write.
r--: permissions to read but not write or execute.
rw-: permissions to read and write, but not execute.
rwx: permissions to read, write, and execute.
- Other sets of permissions may be represented with shorthand. EG:
rwxd--: permissions to read, write, delete, run scripts, run executables, but not to manage access control or take ownership. This entity is said to have "Modify" permissions.
rwxdpo: permissions to read, write, delete, run scripts, run executables, manage access control, and take ownership. This entity is said to have "Full Control" permissions.
An Access Control List (ACL) is a list of permissions attached to a resource. This means which entities have what permissions for that resource. A user is usually a member of multiple groups. When a user is trying to access a resource and is a member of multiple groups that have permissions to that resource, then the permissions of the least restrictive group takes precedence unless the user is a member of a group that is specifically denied access or given "No Access" to that resource.
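Here is an added example (my own code, not from this page) covering both the rwxdpo shorthand above and the ACL rule just described: parse the shorthand into a set of flags, name the "Modify" and "Full Control" sets, and compute a user's effective permissions from the groups they belong to. I read "the least restrictive group takes precedence" as the union of all the groups' grants, overridden by any entry that says "No Access"; that reading, the flag order r,w,x,d,p,o and the sample ACL are my assumptions.

```python
from typing import Dict, FrozenSet, Iterable

# Flag order used by the shorthand on this page: read, write, execute, delete,
# control permissions, take ownership. A '-' in a position means not granted.
ORDER = "rwxdpo"
NAMED_SETS = {frozenset("rwxd"): "Modify", frozenset("rwxdpo"): "Full Control"}
NO_ACCESS = "NO ACCESS"      # an ACL entry that denies regardless of other groups


def parse_perms(shorthand: str) -> FrozenSet[str]:
    """'r-x' or 'rwxd--' -> frozenset of granted flags."""
    if len(shorthand) not in (3, 6):
        raise ValueError("expected 3 or 6 characters, got %r" % shorthand)
    granted = set()
    for pos, ch in enumerate(shorthand):
        if ch == "-":
            continue
        if ch != ORDER[pos]:
            raise ValueError("unexpected %r at position %d" % (ch, pos))
        granted.add(ch)
    return frozenset(granted)


def format_perms(granted: Iterable[str]) -> str:
    """Inverse of parse_perms, always in the six-character form."""
    granted = set(granted)
    return "".join(c if c in granted else "-" for c in ORDER)


def describe(granted: Iterable[str]) -> str:
    """Named permission set where one exists, else the shorthand."""
    granted = frozenset(granted)
    return NAMED_SETS.get(granted, format_perms(granted))


def effective_perms(acl: Dict[str, str], user: str,
                    groups: Iterable[str]) -> FrozenSet[str]:
    """acl maps an entity (user or group name) to shorthand or NO_ACCESS.
    Any NO_ACCESS entry for the user or one of their groups wins outright;
    otherwise the grants of every matching entry are combined."""
    entities = [user, *groups]
    if any(acl.get(e) == NO_ACCESS for e in entities):
        return frozenset()
    granted = set()
    for e in entities:
        if e in acl:
            granted |= parse_perms(acl[e])
    return frozenset(granted)


# Constructed ACL for one shared folder.
FOLDER_ACL = {
    "staff": "r-----",
    "developers": "rwxd--",
    "contractors": NO_ACCESS,
    "erin": "rwxdpo",
}


if __name__ == "__main__":
    for user, groups in [("alice", ["staff", "developers"]),
                         ("bob", ["staff", "contractors"]),
                         ("erin", ["staff"])]:
        print(user, describe(effective_perms(FOLDER_ACL, user, groups)))
```

Alice gets "Modify" from the union of staff and developers; Bob gets nothing because contractors is denied even though staff would grant read; Erin's own entry gives her "Full Control" regardless of the weaker staff entry.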
Access to network resources is ultimately controlled on a per user basis. However there are at least two ways to do this:
- Share-Level Security. In this case each resource must be designated as shared and will ask for a password from each entity that tries to use it.
- User-Level Security. In this case each resource must be designated as shared and must assign which entities have what permissions to the resource. Access can be granted to individual user accounts but it is usually easier to control access by groups and just change group membership as needed.
Once the entities, resources, and permissions are in place, a system must be provisioned to provide access. Provisioning is initializing, preparing, and equipping a system so it can provide services and resources to users. When an entity wants to access a resource they must first be authenticated then authorized.
- Authentication (aka A1; AuthN; An) is the act of establishing or confirming that an entity is what or who they say they are. They are usually checked by one (the most common) or more means (aka two-factor authentication; T-FA; 2FA; multi-factor authentication; MFA):
- Knowledge. The entity knows something like user name, password, PIN, pass phrase.
- Ownership. The entity has something like a wrist band, security token, cell phone.
- Inherence. The entity is or does something like signature, fingerprints, retina, voice, DNA.
- Location. The entity is at the specified location.
- Time. The entity is at the specified date and time.
- Referral. The entity is checked by a social contact, a friend, a 3rd party. Social sites do this. When one party does authentication for another party, then they have federated the identity. A party that provides Single Sign-On (SSO) for other parties does identity federation.
- Authorization (aka A2; AuthR; AuthZ; Az) is the act of parsing the user against the ACL and providing the appropriate resources with the appropriate permissions. EG: Users in human resources can access things that the typical worker can't.
Capability-based security avoids ACLs. In a system with capabilities a user agent must have a capability (aka key) that provides explicit rights to an explicit object. This avoids the "confused deputy problem" where a user agent has fooled a "deputy" program to abuse its access rights. A cross-site request forgery (CSRF/XSRF) attack is an example of a confused deputy attack.
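To show what the confused deputy problem looks like in code and how capabilities avoid it, here is an added example of my own (not from this page). The "deputy" is a service that writes a report wherever the client asks; the store, the file names and the rights sets are constructed. Three versions of the deputy are shown: one that checks only its own rights (confused), one that also checks the client's rights (the ACL-style fix), and one that takes a write capability from the client and therefore cannot reach anything the client could not already write.

```python
from typing import Dict, Set


class WriteCapability:
    """Unforgeable handle to one named entry in a store. In a capability
    system the holder can write that entry and nothing else, and there is no
    write-by-name API anywhere for a deputy to be talked into using."""

    def __init__(self, store: Dict[str, str], name: str):
        self._store = store
        self._name = name

    def write(self, data: str) -> None:
        self._store[self._name] = data


def deputy_ambient(store: Dict[str, str], deputy_rights: Set[str],
                   out_name: str, data: str) -> None:
    # Confused deputy: the check is against the DEPUTY's own rights, so a
    # client that merely names a file the deputy may write gets it overwritten.
    if out_name not in deputy_rights:
        raise PermissionError(out_name)
    store[out_name] = data


def deputy_checked(store: Dict[str, str], deputy_rights: Set[str],
                   client_rights: Set[str], out_name: str, data: str) -> None:
    # ACL-world mitigation: the deputy must also check the requesting
    # client's rights, and must remember to do so on every such path.
    if out_name not in deputy_rights or out_name not in client_rights:
        raise PermissionError(out_name)
    store[out_name] = data


def deputy_capability(cap: WriteCapability, data: str) -> None:
    # Capability world: the deputy never names a file; it can only write
    # through the handle the client handed it, so no extra check is needed.
    cap.write(data)


def demo() -> Dict[str, object]:
    deputy_rights = {"billing.log", "out.txt"}    # the service's own rights
    client_rights = {"out.txt"}                   # the client may only write out.txt

    # 1. Ambient authority: the client names billing.log and it is clobbered.
    store1 = {"billing.log": "ledger", "out.txt": ""}
    deputy_ambient(store1, deputy_rights, "billing.log", "junk")

    # 2. Checked deputy: the same request is refused.
    store2 = {"billing.log": "ledger", "out.txt": ""}
    try:
        deputy_checked(store2, deputy_rights, client_rights, "billing.log", "junk")
        refused = False
    except PermissionError:
        refused = True

    # 3. Capabilities: the client holds a handle to out.txt only. It has no
    # handle to billing.log, so there is nothing it could pass to reach it.
    store3 = {"billing.log": "ledger", "out.txt": ""}
    client_caps = {"out.txt": WriteCapability(store3, "out.txt")}
    deputy_capability(client_caps["out.txt"], "report")

    return {"ambient_billing": store1["billing.log"],
            "checked_refused": refused,
            "checked_billing": store2["billing.log"],
            "cap_out": store3["out.txt"],
            "cap_billing": store3["billing.log"],
            "client_has_billing_cap": "billing.log" in client_caps}


if __name__ == "__main__":
    print(demo())
```

The CSRF case mentioned above is the same shape: the browser is the deputy, the victim's session cookie is its ambient authority, and the attacker's page merely names the request it wants made.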
Access control includes the following:
- Network security. Portal devices can protect networks by identifying entities and controlling who has access to portions of the network. This includes repeaters, hubs, bridges, routers, brouters, gateways, dial back modems, firewalls, and proxy servers.
- Network operating system security. This includes identifying domains, users, groups, and computers, and using domain controllers. This is where user-level security is typically applied.
- Operating system security. This is where share-level security is typically applied.
- Database security, eg SQL Server Security.
- Specialty server security, eg MS IIS, MS VSS.
- Application security. Custom security can be placed in apps and web apps. Usually these authenticate a user's input against a database.
- Lightweight Directory Access Protocol (LDAP), a cross-platform application protocol for reading and editing directories over an IP network. The "directories" correspond to resources.
- Kerberos, a cross-platform authentication protocol that uses symmetric key cryptography.
Here are links that lead to off-site pages about security.
- ICSA Labs [icsalabs.com]. "For over a decade, ICSA Labs, an independent division of Verizon Business, has been the security industry's central authority for research, intelligence, and certification testing of products. ICSA Labs sets standards for information security products and certifies over 95% of the installed base of anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products commonly deployed in the world today."
- Virus Bulletin [virusbtn.com]. Compares AV software. " Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware."
- Virus Information [http://csrc.nist.gov/archive/virus/]
- Antivirus software [W]
- AVG [avg.com]. Usu. product: AVG Anti-Virus.
- Computer Associates [cai.com]. Usu. product: InoculateIT.
- F-Secure [f-secure.com] (formerly Data Fellows). Usu. product: F-Secure Anti-Virus.
- Kaspersky [http://usa.kaspersky.com]. Usu. product: Anti-Virus; Internet Security.
- McAfee [mcafee.com] (aka Network Associates). Usu. product: VirusScan.
- Panda Software [pandasoftware.com]. Usu. product: Panda Antivirus.
- Sophos Plc [sophos.com]. Usu. product: Sophos Anti-Virus.
- Symantec Corporation [symantec.com] (aka Norton). Usu. product: AntiVirus.
- Trend Micro, Inc [trendmicro.com]. Usu. product: PC-cillin.
Wikipedia has many articles related to computer security. Here are just a few.
- Access control
- Audit trail
- Computer emergency response team. Aka Computer Security Incident Response Team (CSIRT).
- Cyber security standards
- Enterprise Information Security Architecture
- Exploit (computer security)
- Federal Information Security Management Act of 2002
- Failing badly
- HTTP cookies
- Identity management
- Intrusion detection system
- Nines (engineering)
- Packet analyser
- Principle of least privilege. Aka: principle of minimal privilege; principle of least authority.
- Security theater
- Software testing
- Threat (computer)
- Two-factor authentication
- Vulnerability (computing)
Government Computer Security Organizations
- Computer Security Division (CSD): Computer Security Resource Center (CSRC) [csrc.nist.gov]. "The CSD mission is to provide standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology (IT) systems." The CSD is part of the National Institute of Standards and Technology (NIST).
- Defense Information Systems Agency (DISA) [disa.mil]. "a Combat Support Agency, engineers and provides command and control capabilities and enterprise infrastructure to continuously operate and assure a global net-centric enterprise in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations." Information security for the US Department of Defense (DoD).
- Information Assurance Support Environment (IASE) [iase.disa.mil]. Training videos, etc. Some free!
- National Security Agency/Central Security Service (NSA/CSS) [nsa.gov]. "a key member of the Intelligence Community and, by its very nature, requires a high degree of confidentiality."
- National Vulnerability Database (NVD) [nvd.nist.gov]. "the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)." They are migrating to the SCAP standard.
- Common Weakness Enumeration (CWE). "a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type."
- Security Content Automation Protocol (SCAP) [scap.nist.gov]. Run by the Information Security Automation Program (ISAP), a U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) initiative to enable automation and standardization of technical security operations. ISAP and the NVD are covered by the Federal Information Security Management Act of 2002 (FISMA).
- United States Computer Emergency Readiness Team (US-CERT) [us-cert.gov]. "US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans." Part of DHS.
General Computer Security Organizations
- CERT Coordination Center [cert.org]. "located at Carnegie Mellon University's Software Engineering Institute [(SEI)]. We study internet security vulnerabilities, research long-term changes in networked systems, and develop information and training to help you improve security." Founded in 1988 as the first Computer Emergency Response Team (CERT).
- "Governing for Enterprise Security" [http://www.cert.org/governance/]
- Home Computer Security [http://www.cert.org/homeusers/HomeComputerSecurity/]. A cool list of the primary tasks to secure a home computer.
- Institute for Security and Open Methodologies (ISECOM) [isecom.org]. "an open community and a non-profit organization officially registered in Catalonia, Spain." Publishes the Open Source Security Testing Methodology Manual (OSSTMM).
- International Organization for Standardization (ISO) [iso.org]. Search for standards like ISO/IEC 27002.
- Information Security Forum (ISF) [securityforum.org]. "an independent, not-for-profit organisation with a Membership comprising many of the world's leading organisations featured on the Fortune 500 and Forbes 2000 lists. We are dedicated to investigating, clarifying and resolving key issues in information security and risk management, by developing best practice methodologies, processes and solutions that meet the business needs of our Members." They have a "Standard of Good Practice for Information Security" available to members or for purchase.
- Open Security Architecture (OSA) [opensecurityarchitecture.org]. "a not for profit organization, supported by volunteers for the benefit of the security community."
- Open Web Application Security Project (OWASP) [owasp.org]. "a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software."
- Mitre Corporation [mitre.org]. A not-for-profit that operates federally funded research and development centers (FFRDCs) for US government agencies; it maintains CVE and CWE.
- Making Security Measurable [makingsecuritymeasurable.mitre.org]. "MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through registries of baseline security data, providing standardized languages as means for accurately communicating the information, defining proper usage, and helping establish community approaches for standardized processes."
- SANS Institute [sans.org]. "The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization."
- Web Application Security Consortium (WASC) [webappsec.org]. "501c3 non profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web."
- "10 Most Dangerous Web App Security Risks" [http://www.eweek.com/c/a/Security/10-Most-Dangerous-Web-App-Security-Risks-730757/]
- "ASP.NET web application security review: Do's & Don'ts" [http://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont]
- Schneier on Security [schneier.com]. "Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier." Cory Doctorow dubbed one of his observations Schneier's Law: "Any person can invent a security system so clever that he or she can't imagine a way of breaking it."
- CAPTCHA.com. "Completely Automated Public Turing test to tell Computers and Humans Apart". The current CAPTCHA programs generate and grade tests that involve distorted text that humans can make out but computers have difficulty with. Treat a CAPTCHA as friction against bulk automation, not as authentication: it proves nothing about who the user is.
- Emergency Codes [http://www.calhospitalprepare.org/emergency-codes]. Health Care Emergency Codes by the Hospital Association of Southern California (HASC).
- EMC [emc.com] and its subsidiary RSA [rsa.com].
- Halock Security Labs [halock.com]. I've personally used their services as part of a security review.
- "Improving Web Application Security: Threats and Countermeasures" [http://msdn.microsoft.com/en-us/library/ff649874] (2003-06).
- "Internet Security Glossary" [http://tools.ietf.org/html/rfc2828]
- ISO 17799 Newsletter: News & Updates for ISO 27001 and ISO17799 [http://17799-news.the-hamster.com/]
- "JSON Hijacking" [http://haacked.com/archive/2009/06/25/json-hijacking.aspx]
- PreEmptive.com. "products and services help businesses reduce risk by helping them protect their intellectual property against hackers and thieves." Particularly in obfuscation of Java and .NET code.
- "Product Management Tips: Do a Security Review Early" [http://www.blog.voximate.com/blog/article/154/product-security-review-early/]
- "Simplicity and Security" [http://www.codesimplicity.com/post/simplicity-and-security/]. It is easier to secure a building that has 2 doors than one that has 100 doors: every entry point is attack surface that must be guarded and audited.
- SecurityFocus.com. "A technical community for Symantec customers, end-users, developers, and partners".
- "Site Security Handbook" [http://tools.ietf.org/html/rfc2196]. Awesomeness from 1997!
- "Top 10 Codes You Aren't Meant To Know" [http://listverse.com/2009/02/22/top-10-codes-you-arent-meant-to-know/]
- "Virus scams, social engineering, victim's stories and community awareness" [http://www.troyhunt.com/2012/08/virus-scams-social-engineering-victims.html]