[SecurityRatty] tag: refresh

Cybercriminals Abusing Lycos Spain To Serve Malware

Thu, 09 Oct 2008 00:28:17 +0000

Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that the FTP access is efficiently abused.

Here's a description of the link generator :

"Download the program and run it asks for an ID (identifier), then copy it and paste it there, then press' Create Installer 'and the program will create the Installer! (this program to run a simulation that is installing the Adobe Flash and indicates to our page that "has been installed Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file tie it in with your server! and what flames or Installer Setup (simulating being an installer)! Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step!"

Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals syndicating hot Google Trends keywords, further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of bogus accounts registration performed automatically, or outsourced entirely, malicious services aiming to automate the abuse process are only going to get more efficient.

Internet Explorer security levels compared

Tue, 16 Sep 2008 20:19:36 +0000

A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.

Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

Column headings

Entries

H	High	D	Disable
MH	Medium-high	E	Enable
M	Medium	P	Prompt
ML	Medium-low
L	Low

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

.NET Framework

	H	MH	M	ML	L
Loose XAML	D	E	E	E	E
XAML browser applications	D	E	E	E	E
XPS documents	D	E	E	E	E

.NET Framework-reliant components

	H	MH	M	ML	L
Permissions for components with manifests	D	1	1	1	1
Run components not signed with Authenticode	D	E	E	E	E
Run components signed with Authenticode	D	E	E	E	E

1 = High safety

ActiveX controls and plug-ins

	H	MH	M	ML	L
Allow previously unused ActiveX controls to run without prompt	D	D	E	E	E
Allow scriptlets	D	D	D	E	E
Automatic prompting for ActiveX controls	D	D	D	E	E
Binary and script behaviors	D	E	E	E	E
Display video and animation on a Web page that doesn't use an external media player	D	D	D	D	D
Download signed ActiveX controls	D	P	P	P	E
Download unsigned ActiveX controls	D	D	D	D	P
Initialize and script ActiveX controls not marked as safe for scripting	D	D	D	D	P
Run ActiveX controls and plug-ins	D	E	E	E	E
Script ActiveX controls marked as safe for scripting	D	E	E	E	E

Downloads

	H	MH	M	ML	L
Automatic prompting for file downloads	D	E	E	E	E
File download	D	E	E	E	E
Font download	P	E	E	E	E

Enable .NET Framework setup

	H	MH	M	ML	L
Enable .NET Framework setup	D	E	E	E	E

Miscellaneous

	H	MH	M	ML	L
Access data sources across domains	D	D	D	P	E
Allow META REFRESH	D	E	E	E	E
Allow scripting of Internet Explorer Web browser control	D	D	D	E	E
Allow script-initiated windows without size or position constraints	D	D	D	E	E
Allow web pages to use restricted protocols for active content	D	P	P	P	P
Allow web sites to open windows without address or status bars	D	D	D	E	E
Display mixed content	P	P	P	P	P
Don't prompt for client certificate selection when no certificates or only one certificate exists	D	D	D	E	E
Drag and drop or copy and paste files	P	E	E	E	E
Include local directory path when uploading files to a server	D	E	E	E	E
Installation of desktop items	D	P	P	P	E
Launching applications and unsafe files	D	P	P	E	E
Launching programs and files in an IFRAME	D	P	P	P	E
Navigate sub-frames across different domains	D	D	D	E	E
Open files based on content, not file extension	D	E	E	E	E
Software channel permissions	1	2	2	2	3
Submit non-encrypted form data	P	E	E	E	E
Use phishing filter	E	E	E	D	D
Use pop-up blocker	E	E	E	D	D
Userdata persistence	D	E	E	E	E
Web sites in less privileged content zone can navigate into this zone	D	E	E	E	P

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

	H	MH	M	ML	L
Active scripting	D	E	E	E	E
Allow programmatic clipboard access	D	P	P	P	E
Allow status bar updates via script	D	D	D	E	E
Allow Web sites to prompt for information using scripted windows	D	D	E	E	E
Scripting of Java applets	D	E	E	E	E

User authentication

	H	MH	M	ML	L
Logon	1	2	2	2	3

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

Privacy settings (on the "Privacy" tab)

	H	MH	M	ML	L
Allow persistent cookies	D	E	E	E	E
Allow per-session cookies	D	E	E	E	E
Allow third-party persistent cookies	D	P	P	E	E
Allow third-party session cookies	D	E	E	E	E

When turning updates off really doesnt

Thu, 14 Aug 2008 09:31:32 +0000

In any business dealings, if you cant trust the company to do what they say they will do,
You go elsewhere right?
Its your decision. Not in this instance folks.

clipped from windowssecrets.com

You’ll get a new Windows Update, like it or not

This time, Microsoft is being more up-front about its forthcoming
refresh of Windows Update. For example, product manager Michelle Haven described in a
blog post on July 3 some new features that the upgrade will add.

The new version will reportedly reduce the time WU takes to scan for and send out new updates. In addition, if you use the online version of WU, and you click an update for more information, the new version will offer you more links with additional details.

But the Redmond company hasn’t changed the wording of the Control Panel settings that appear to prevent Windows Update from performing silent downloads — but don’t.

In light of these potentially misleading controls, a few tricks on managing Windows Update are just what the doctor ordered.

Times Up IPv6 OMB Mandate

Mon, 30 Jun 2008 15:27:18 +0000

Three years ago, the OMB set a June 2008 deadline “by which all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with this infrastructure.”

Agencies are supposed to demonstrate that they can:

Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN.
Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers.
Transmit IPv6 traffic from the LAN, through the core (WAN), to another LAN (or another node on the same LAN).

(Source: OMB IPv6 FAQs)

One year ago, the OMB reviewed the Enterprise Architecture Assessment Framework results and found that six of the twenty-four agencies were on track to achieve the June deadline. Two months ago, there was a good article by Carolyn Marsan Duffy about the status of compliance. Take a look at this article because it seemed like there was a lot of backpedaling going on about meeting the date – using phrases like “we don’t like the term mandate” and “more of a recommendation than a mandate.” At the time, only three agencies were in compliance.

Duffy just wrote an updated article, “Feds say they have aced IPv6 deadline”, and suddenly two months later, all lights seem green. As of June 24, ten of the twenty-four agencies sent emails to the OMB stating that “they have successfully transmitted IPv6 packets”. Fourteen still need to report in, but none have asked for an extension. And all of it was done through the regular tech refresh budget over the past three years. So if this is true, kudos to the feds!

Right around the time of the first not-so-rosy article, we ran a survey at FOSE, the big federal government IT show. We asked attendees if their agencies would be ready by the deadline:

33% said they would be ready
6% said they were already there
33% said they would NOT be ready
About a quarter didn’t know

What was really interesting is that we asked this same question in 2007, and the audience was equally split (yes/no) on whether or not their agencies would meet the mandate – 1 in 5 (2007) instead of 1 in 3 (2008).

So what can explain these numbers? Surprisingly, out of the attendees we talked to, only 65% of them said that IPv6 is important to their operations, making it second to last on the list of IT priorities covered by the survey. Maybe the answer lies in the relative “unimportance” of the milestone – that just the network backbones (and the routers supporting them) be capable of passing IPv6 packets. The true test for government IT workers will be when actual IPv6 applications must be supported which will impact networks, systems, application and monitoring tools throughout the government.

So was this a nice checklist item for the Bush administration? This initial deadline is the only one for IPv6 mandates from the current OMB incarnation. Actually running IPv6 applications, that’s a whole ‘nother story, apparently for a new administration.

ShareThis

Evil BETAs Attack!

Mon, 30 Jun 2008 13:45:00 +0000

Read this awesome "The BETA Mindset: Public Enemy #1 " piece from Mike R (BTW, it is a MUST-read). The maybe refresh on what I said after reading "Geekonomics." Then think!

Yes, it is available today (as beta maybe - but then again "all software is beta").
Yes, it is free.
Yes, it works ... well, when it does.
Yes, you can trust, say, your email to it (who cares when it is made public, really! :-))

And then the same programmer mindset trickles up to the software that controls your aircraft engine.

Boom!

That WAS you.

The more I think about it, the more I like the idea of software manufacturers' liability (succinctly described in "Geekonomics"); I suspect that everything bad that might come with it will probably still be better than what we have now (or will have soon...)

Q&A with Geoff Horne of InteropNet

Wed, 25 Jun 2008 12:20:59 +0000

Earlier this week I had the chance to sit down with Geoff Horne, Chief Architect for InteropNet, and discuss how he thought things went at Interop Vegas 2008 and how he thinks the lessons learned apply to enterprises.

(Photo credit: The Tech Stop)

ScienceLogic: How long have you been involved with Interop?

Geoff Horne: Since about 1996.

ScienceLogic: How has it been changing? Does the show get more complex with new technologies or because of the constantly changing size of the show?

Geoff Horne: The technologies have changed. Every year there’s a different market environment. Since we build on customer needs, things change every year. Things like ScienceLogic for Network Monitoring, for how long have Network Management tools been completely web based? In general, it doesn’t really get any better or worse because every year we’re building it again. You don’t get the stability of a standard environment. The upside is that we’re always doing a full upgrade, a full technology refresh and not using old code.

ScienceLogic: Do those kinds of changes influence the types of vendors you look for for InteropNet?

Geoff Horne: The base categories don’t change. You always need to forward packets. You always need switches, you always need routers. We’ve tried to open it up to everyone that has products involved with networks to see if we have the time or space for it.

ScienceLogic: The kind of cooperation that you get between the vendors is what seems to be an unachievable nirvana for Enterprises. What’s the secret to getting 17 vendors to work together in such a short time? Enterprises would kill for that.

Geoff Horne: The honest answer is don’t trust the vendors. If they try and build something the way they want to, its not going to interoperate. You have to pull them out of their safety zone, make them do things that you think the product can/should do to ensure interoperability.

ScienceLogic: In a blog post prior to Interop Vegas 2008 you stated three major goals for InteropNet. They were Education, Monitoring and Statistics. How did you do against these goals?

Geoff Horne: I think we did pretty well. They’re 3 things we really didn’t have before. They’re things that just weren’t focused on the right way. For the first round of changing the focus, changing the way people look at the network (statistics rather than packets), it worked quite well, it gave people a much better idea as to what’s going on.

ScienceLogic: If we look at NY as take two for Interop 2008, are there things you are going to do differently based on lessons learned in Vegas?

Geoff Horne: We’re building more physical redundancy in the core network, geographic distribution of the infrastructure within the show. This will allow us to bring up chunks of the network independently. It isn’t something that we really thought of before. This helps us take the single point of failure (the NOC) out of the equation.

ScienceLogic: Are there any lessons learned from Interop that you think would help enterprises?

Geoff Horne: Visibility is key. Your network is significantly more functional when more people can see what’s going on. If the only guy that can see what’s going on is the guy with his fingers on the terminal, no one can make good decisions. You have to make people loosen up their control so that everyone can see and therefore make educated decisions.

ShareThis

So, CAN We Have DLP?

Fri, 20 Jun 2008 12:59:00 +0000

Can we have DLP - data leak prevention?

Well, can we have IDS? How about IPS? Can we really "prevent intrusions?" Can we really "control access to our networks?"

The answer to "can we have DLP?" is actually pretty simple: if you think "DLP = box that prevents all data leaks" (and you also think that deploying IPS will "prevent intrusions"), then we can't. Forget it.

But blame the idiots who called it "leak prevention" - if you think that "DLP will prevent all leaks" - sorry, but you are one of them! :-) If you treat "L" not as "leak" but as "loss" and hope that "DLP will prevent all data loss, whether intentional or not," you are an even BIGGER one.

So rambling about "Can DLP Really Stop All Leaks" is pretty silly. No, it can't. Pondering "Is DLP Possible" is just as silly. No, complete prevention of all leaks is impossible, with OR without DLP technology. Go read Mike R instead :-)

Why seemingly smart people behave in such childish manner? I dunno. Scratch all that. Instead ask:

Is today's cutting-edge DLP technologies USEFUL?

And the answer is "Hell yeah!"

If you see how much "fun" sensitive content goes over email (corp and personal web-based), gets uploaded to forums, channeled over IM file transfers, FTP'ed somewhere, you'd scream for one of these boxes. Accidental leaks, email address typos, non-malicious leaks, blatant disregard of security policy for the sake of "productivity", even phishing, "wholesale data theft" and amateur "employee hackers" probably account for 10x (100x?) more damage (in direct losses, brand damage, embarrassment and - yes! - non-compliance fines AND loss frequency) than "uber-hackers" (who might indeed go thru your DLP box like hot knife thru butter.) And if an advanced DLP box does one day stop some determined insider theft, that's just icing on the cake.

That is why smart people don't call it "DLP" - they call it "content monitoring and filtering." This sounds much less sexy, but much more useful. The boxes that will show up on your doorstep will still have "DLP" labels, but what they will do for you is really content monitoring and filtering. And even though it will not stop all data theft, DLP box will likely prove useful more than once...

Finally, all rants about any preventative AND monitoring technologies should really end the same: go refresh your incident response plans.

Possibly related posts:

"In Passing on DLP"

Technorati tags: DLP, security, data loss, data theft, data protection

Payment Card Industry Mandate Stresses Importance of Web Application Security: Recommended Becomes Required

Tue, 10 Jun 2008 17:36:42 +0000

On June 30, another refresh of the Payment Card Industry (PCI) Data Security Standards (PCI DSS) will upgrade Web application security testing from a best practice to a mandatory practice. The deadlin...

The DDoS Attack Against CNN.com

Tue, 22 Apr 2008 15:30:53 +0000

The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com

CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.

- Through the use of DIY DDoS Tools

Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :

Scanners Result: 3/32 (9.38%)
DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b

For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.

- Collectively building bandwidth capacity and mobilizing novice cyber warriors

What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.

hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.html
xdadmin.com/cnn.html
ah930.com/cnn.html
s234sdf3.cn.webz.datasir.com/cnn.asp
bbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htm
ily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.html
yaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htm

This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :

Anti-CNN Plans v4.19

"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.

We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.

Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.

Plot:
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!

iframe Id="cnn" width="100%" height="100">
script>
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit

You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:

We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "

This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.

Audit/Monitor Controls or Audit/Monitor BEFORE Control?

Thu, 28 Feb 2008 08:38:00 +0000

Back in 2004, Forrester paper called "The Natural Order Of Security Yields The Greatest Benefits" proclaimed that "the adoption of security has a natural order: 1) authentication; 2) authorization; 3) administration and 4) audit." Note that audit which, in this case, broadly includes audit, monitoring and detection, comes last. It seems to be fairly in line with common sense: you audit the controls after you put them in place; you monitor after you have authentication and authorization taken care of and you detect the violations after you organized your administration.

The paper even had the following picture, which is presented here to illustrate the point:

(source: Forrester paper named above)

The paper clarifies: "With people and contexts defined, protective controls in place, and policies outlined, the
fourth set of questions [i.e. regarding the audit] includes: “What happened?”, “What is happening?” or, especially, “Is
it working?”

However, is this really so? Or, is this always so? First, when reality collided with plans, many of the organizations that followed that wisdom got mired in one phase (e.g. in trying to get authentication under control) and ended up having no audit whatsoever: in other words, they are flying blind while implementing controls! Second, in some cases controls (authentication, authorization, administration) will actually be impossible to implement, while audit will be possible. Imagine retrofitting a legacy application for granular authorization? Third, in some cases implementing prevention/control will be much more complicated, compared to implementing audit: thus, people will face a choice between a half-baked control to a full-blown audit capability? An example will be managing which file each user can access vs monitoring/auditing which file each user have accessed. The latter is doable, while the former is next to impossible. Another way to phrase it is "reactive but possible" vs "proactive but impossible" (hint: pick the former :-))

I think the idea of putting audit first in some cases is the way we'd need to progress. "Wow, what a blasphemy!", some might say ... After all, if you have not defined controls, what are you going to audit? But remember that audit is meant broadly in this context and thus the opposite question is very relevant: what are you going to control if you have no idea what is going on? People sometimes define a security policy based on how things should be (and then WSJ happens :-) - refresh your memory of the "WSJ saga" here), but then spent years trying to bring policy and reality together (and end up with an environment which is "half-controlled") Won't it be better to audit first, then control?

Obviously, "do IDS before IPS" falls under the same principle: monitor first, [try to] control second. Here is another example: implement log management before identity management. Looking at logs will tell you what privileges the users actually use for doing their daily jobs. Then you can mix it up with what the idea access policy will be.

So, think about it! Questioning the common wisdom does often bring interesting insights.

Technorati tags: logging, security, security management, audit