A Standard for Incident Response

Businesses deploy the latest protection for their infrastructure but still face threats. Once a breach has been discovered, a defined sequence of steps must be followed to keep operations running; this process is called incident response.

Incident response is the set of actions and rules to follow in the face of any event that threatens the security of an infrastructure. These procedures have to be applied as soon as a compromise has been detected, so an organization should create written guidelines for prioritizing incidents before one occurs. Major incident types include network and application intrusion, intellectual property theft investigation, copyright infringement, employee misconduct, insider threat and malware outbreak. To help the security team in the moment of crisis, the National Institute of Standards and Technology (NIST) has released Special Publication 800-61, the Computer Security Incident Handling Guide. This document presents guidelines on what to pay attention to while dealing with a breach, and it also covers the creation of a computer security incident response team (CSIRT) and the duties of its members. Incident response staff must be familiar with their incident response tools; my favourite is EnCase.

NIST SP 800-61 organizes the life of an incident into four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. The SANS Institute describes the same loop in six steps: preparation, identification, containment, eradication, recovery and lessons learned. The full documentation is here.

Cloud security

Cloud Computing Security

The National Institute of Standards and Technology defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". The service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These are delivered through four deployment models: public cloud, private cloud, hybrid cloud and community cloud. The technology that makes cloud computing possible is virtualization. The hypervisor is the software layer that partitions a physical server into virtual machines; VMware ESX/ESXi, Kernel-based Virtual Machine (KVM), Microsoft Hyper-V and Citrix XenServer are the main products used to build virtual computing environments. Like any software, hypervisors and the applications running on top of them contain vulnerabilities that attract attackers and malware (worms, viruses, Trojan horses, adware), so security professionals have introduced different approaches to securing cloud computing.

Confidentiality, integrity and availability are at the heart of any information security program. Many security standards have evolved over the past years to help cloud computing providers and customers reduce the attack surface of their virtual environments. Among them are ISO/IEC 27001, the auditable standard for an information security management system; NIST Special Publication 800-53, the catalogue of security controls for information systems; the Payment Card Industry Data Security Standard (PCI DSS), which governs the protection of cardholder data; and the Health Insurance Portability and Accountability Act (HIPAA), which protects health care records.

Operations security (OPSEC) is "a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of critical information".[1] Applying this approach to a virtual environment means that: data at rest and in motion must be encrypted in the cloud (with symmetric or asymmetric encryption); hypervisor and virtual machine vulnerabilities have to be managed and patched; web applications are tested against the Open Web Application Security Project (OWASP) Testing Guide; each virtual machine and each virtual network is isolated from the others; a host-based intrusion detection system (HIDS) is installed in every virtual instance; a virtual network-based intrusion detection system (IDS) and a virtual firewall monitor traffic and allow only what is authorized; and all logs are retained so that a later incident response can reconstruct what happened.
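To make the "allow only authorized traffic" rule concrete, here is an added example (not code from the original post, and not any vendor's product) of a default-deny virtual firewall policy evaluated against a handful of constructed flow records. The rule format, the 10.0.0.0/16 tenant layout (web tier 10.0.1.0/24, database tier 10.0.2.0/24, jump host 10.0.0.5) and the flow tuples are all assumptions made for illustration. It also flags the classic misconfiguration of exposing a management or database port to 0.0.0.0/0:

```python
"""Default-deny virtual firewall evaluation.

Added example for illustration, not from the original post. The rule format,
the tenant address plan (web tier 10.0.1.0/24, database tier 10.0.2.0/24,
jump host 10.0.0.5) and the flow records are all constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule. There are no deny rules: anything unmatched is denied."""
    name: str
    src: str        # CIDR the connection must originate from
    dst: str        # CIDR the connection must be destined to
    proto: str      # "tcp" or "udp"
    dports: range   # permitted destination ports, e.g. range(443, 444)

    def matches(self, src, dst, proto, dport):
        return (proto == self.proto
                and dport in self.dports
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


# Constructed policy for a two-tier deployment.
RULES = [
    Rule("public-https", "0.0.0.0/0", "10.0.1.0/24", "tcp", range(443, 444)),
    Rule("web-to-db", "10.0.1.0/24", "10.0.2.0/24", "tcp", range(5432, 5433)),
    Rule("admin-ssh", "10.0.0.5/32", "10.0.0.0/16", "tcp", range(22, 23)),
]


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return the name of the first allow rule that matches, or None (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.name
    return None


def overly_broad(rules=RULES, sensitive_ports=(22, 3389, 3306, 5432)):
    """Names of rules that open a management or database port to any source."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return [r.name for r in rules
            if ipaddress.ip_network(r.src) == anywhere
            and any(p in r.dports for p in sensitive_ports)]


# Constructed flow records: (src, dst, proto, dport).
FLOWS = [
    ("203.0.113.7", "10.0.1.10", "tcp", 443),   # Internet user to web tier
    ("203.0.113.7", "10.0.2.10", "tcp", 5432),  # Internet user straight to the DB
    ("10.0.1.10", "10.0.2.10", "tcp", 5432),    # web tier to DB
    ("10.0.1.10", "10.0.2.10", "tcp", 22),      # web tier trying SSH into the DB host
    ("10.0.0.5", "10.0.2.10", "tcp", 22),       # jump host SSH into the DB host
]


def audit(flows=FLOWS, rules=RULES):
    """Map each flow to the rule that allowed it, or 'DENY'."""
    return {flow: evaluate(*flow, rules=rules) or "DENY" for flow in flows}


if __name__ == "__main__":
    for (src, dst, proto, dport), verdict in audit().items():
        print(f"{src:>14} -> {dst}:{dport}/{proto}  {verdict}")
    print("overly broad rules:", overly_broad() or "none")
```

The important design choice is the absence of an implicit allow: a flow that matches no rule is denied, so the Internet user reaching straight for the database port in the sample is dropped even though nothing explicitly forbids it. The overly_broad() check is the kind of audit a cloud security group review should run before a rule set is deployed.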



A Small Look at Flame (sKyWIper)


The security community has been abuzz this week with the discovery of a new piece of malware, Flame. It is a cyber weapon from the same family as Stuxnet and Duqu. Flame is a large, modular backdoor; its roughly 3,000 lines of Lua script glue together far larger compiled components, which is what makes it so laborious to analyze. It is a backdoor and a Trojan with worm capabilities. It is suspected, though not yet confirmed, to infect systems through the MS10-033 vulnerability. The post-infection phase is rather conventional: Flame sniffs network traffic, takes screenshots and records audio conversations, and sends the data to its command-and-control servers. The operators of this complex software can upload further modules to extend its functionality. Another surprising feature is its ability to turn on Bluetooth, if present on the infected machine, to discover other devices nearby. The Lua code embeds compression (zlib) and database (SQLite3) libraries. Kaspersky Lab has a detailed analysis of the code here. According to the BBC, suspicion has pointed to Israel, which has denied any involvement. The CrySyS Lab of the Budapest University of Technology and Economics, which analyzed the same malware under the name sKyWIper, described it as a hidden threat unlike any seen before.


Typosquatting and Doppelganger

Typosquatting is the registration of domains that match the typographical errors internet users make when typing a web address into the browser. As a result, the mistyped URL lands on a domain that mimics the one the user really wanted to reach. A related trick is the doppelganger domain, which is spelled identically to a legitimate domain except for the missing dot between the subdomain and the parent domain (mailexample.com in place of mail.example.com, to use a made-up illustration).

This morning, while accessing my MSN mail account, I made a mistake in the URL address in my Opera browser. I wrote instead of, and sure enough I was redirected to the doppelganger domain, which was able to execute a JavaScript script inside my browser, as shown in the picture below.

Javascript Script in the Opera Browser

They reminded me that I had been selected as an Espoo winner, though I live in Helsinki. To get the prizes, the malicious script suggests I click OK. Clicking OK leads to an online survey pretending to be a prize claim, as seen in the following snapshot.

Doppelganger Game Winner

Cybercrooks are making money from these online scams. The only real defence is to be careful when typing a web address: type it, then verify that there is no spelling mistake in the host name before pressing Enter. Firefox users can install the NoScript add-on, which prevents scripts from running in the browser on sites that have not been explicitly trusted.
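The look-alike names described above can be enumerated mechanically, which is how defenders decide which variants of their own domain to register or watch in passive DNS. The following Python is an added example for this post, not the author's code or any existing tool; the hostname mail.example.com and the typed addresses are made-up illustrations, and the generator is deliberately limited to single-character omissions, transpositions, doubled characters and the missing-dot doppelganger case:

```python
"""Typosquat and doppelganger candidate enumeration.

Added example for illustration, not the author's code or an existing tool.
The hostname mail.example.com and the typed addresses below are made up.
"""


def _split(hostname):
    """Separate the labels from the public suffix (naively: the last label)."""
    labels = hostname.lower().strip(".").split(".")
    return labels[:-1], labels[-1]


def typo_variants(name):
    """Single-character omissions, transpositions and doublings of a name."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                              # omission:      exmple
        out.add(name[:i] + name[i] + name[i:])                        # doubling:      exxample
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: eaxmple
    out.discard(name)
    # Drop anything that would not be a valid sequence of labels.
    return {v for v in out if v and v[0] != "." and v[-1] != "." and ".." not in v}


def doppelgangers(hostname):
    """Drop one dot at a time: mail.example.com -> mailexample.com."""
    labels, tld = _split(hostname)
    out = set()
    for i in range(len(labels) - 1):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged + [tld]))
    return out


def candidates(hostname):
    """All look-alike hostnames a registration or DNS watch should cover."""
    labels, tld = _split(hostname)
    base = ".".join(labels)
    return {v + "." + tld for v in typo_variants(base)} | doppelgangers(hostname)


def classify(typed, legitimate):
    """Explain how a typed hostname relates to the legitimate one."""
    typed = typed.lower().strip(".")
    legitimate = legitimate.lower().strip(".")
    if typed == legitimate:
        return "legitimate"
    if typed in doppelgangers(legitimate):
        return "doppelganger"
    if typed in candidates(legitimate):
        return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    for host in sorted(candidates("mail.example.com")):
        print(host)
    for typed in ("mailexample.com", "mial.example.com", "mail.exmaple.com", "paypal.com"):
        print(typed, "->", classify(typed, "mail.example.com"))
```

Real tools add homoglyphs, keyboard-adjacency substitutions and alternative public suffixes, and then check which candidates actually resolve. The point here is that the doppelganger case is nothing more than a dot omission, which is why it is so easy to mistype and so cheap for a scammer to register.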


A look at a phishing attempt

I got this when opening my MSN email account.

Phishing email

Fortunately for me, the site had already been blocked.

Browser sending an Alert
