<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>InfoSec :: Tag :: JP&#39;s Domain</title>
    <link>https://www.jpsdomain.org/tags/infosec/index.html</link>
    <description></description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <atom:link href="https://www.jpsdomain.org/tags/infosec/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Firewall Rule Base Best Practices</title>
      <link>https://www.jpsdomain.org/infosec/rulebasebp/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/rulebasebp/index.html</guid>
      <description>Old Content This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.&#xA;This is the companion page for my Firewall Rule Base Best Practices document. I have listed all the resources I would otherwise have put at the bottom of the document. In this way, I hope to keep them current, and to add new material when I find it without having to revise the original document. If I have written it correctly, it should need little revision as time passes and technology changes. We’ll see.</description>
    </item>
    <item>
      <title>GNATBox Firewall Installation Quick Reference</title>
      <link>https://www.jpsdomain.org/infosec/gnatbox/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/gnatbox/index.html</guid>
      <description>Obsolete Content This content is obsolete, but I am leaving it here as a historical reference.&#xA;Introduction This is a quick reference guide for installing the free GNATBox Light firewall. GNATBox Light is a complete, hardened, stateful, BSD-based firewall that fits on a single floppy disk (how cool is that?). See below for references. You can download a Word document with some sample Avery 5196 diskette labels at http://www.jpsdomain.org/public/ /GNATBox_Diskette_Labels.doc. Also check out my Home Networking diagram and explanation at http://www.jpsdomain.org/infosec/home_networks.html.</description>
    </item>
    <item>
      <title>SOHO Information Security</title>
      <link>https://www.jpsdomain.org/infosec/home/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/home/index.html</guid>
      <description>Obsolete Content This content is obsolete, but I am leaving it here as a historical reference.&#xA;With the advent of more widespread broadband (cable modem, xDSL) Internet access and the greater proliferation of SOHO (Small Office/Home Office) and Virtual Offices, Information Security is becoming more important at home as well as at work.&#xA;Home Network Designs Recently the question of how to design a relatively secure home network has been coming up a lot. So rather than trying to draw the same thing on whatever napkin happens to be handy, I diagrammed the four most common home network designs, and wrote some text that fleshes out the details. See home_networks.html. Zone Labs, now part of Check Point Software, has a similar sort of PDF document.</description>
    </item>
    <item>
      <title>Typical Home Network Designs</title>
      <link>https://www.jpsdomain.org/infosec/home_networks/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/home_networks/index.html</guid>
      <description>Obsolete Content This content is obsolete, but I am leaving it here as a historical reference.&#xA;The Risks… Are real.&#xA;There is no security through obscurity. While it is true that it’s very unlikely that someone will specifically try to hack you, that doesn’t matter! There are a large number of hacking tools that simply scan a range of IP Addresses (similar to telephone numbers) for a vulnerability. If you happen to have an IP Address in the target range, and if you happen to have that vulnerability–you are hacked–simple as that. :-(</description>
    </item>
    <item>
      <title>Information Security Principles</title>
      <link>https://www.jpsdomain.org/infosec/principles/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/principles/index.html</guid>
      <description>JP’s Security Principles&#xA;I firmly believe in the following Security Principles:&#xA;100% security is impossible. 99% security may be possible, but is too expensive in terms of effort, money, time and productivity.&#xA;The goal is reasonable and adequate security with reasonable and sustainable effort. How you define “reasonable” depends on the value of the information you are protecting. It is not reasonable to spend $10,000 to protect $5,000 worth of information.&#xA;You need to understand what you are protecting, and the realistic threats you are facing.&#xA;Security through obscurity is no security at all.&#xA;The best Security is provided by a defense in depth:&#xA;Prevention: Hardening; Least Privilege; Separation of duties; Strong, published, security policies, with End User awareness; Strong change management policies and procedures&#xA;Protection: Firewalls, etc.; Anti-Virus &amp; Active Content filtering; BCP/DR (Business Continuity Planning/Disaster Recovery); Strong authentication methods (especially for Remote Access)&#xA;Detection (and Assessment): Monitoring (logs/network/everything), IDS, etc.; Security/vulnerability assessments; Compliance audits&#xA;Response (and Correction): CIRT (Computer Incident Response Team); Correct the environment based on incidents, assessments, audits and changed circumstances; Update policies, procedures and guidelines based on incidents, assessments, audits and changed circumstances&#xA;Security is a never-ending circular process, there are no silver bullets, and it is fundamentally not a technical problem that may be “solved” with point products.&#xA;Some frequently misused or misunderstood terms: Policy, et al.&#xA;Policy: A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. Policies should not be technology specific, and they should change rarely.&#xA;Standard: Mandatory activities, actions, rules and regulations designed to provide policies with the support structure and specific directions they require to be meaningful and effective. They are often expensive to administer and should be used judiciously. Standards may or may not be technology specific and may or may not change frequently.&#xA;Standard: Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose. (Source: ISO; http://www.iso.ch/iso/en/aboutiso/introduction/index.html)&#xA;Guideline: More general statements designed to achieve the policy’s objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations. Guidelines may change more often than policies, but less often than procedures.&#xA;Procedure: Spells out the specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment. Procedures are often step-by-step instructions, and are usually technology (e.g. OS) specific. They may change often, as new technologies are introduced.&#xA;The source of the above definitions, except as noted, is Information Security Policies and Procedures: A Practitioner’s Reference, by Thomas R. Peltier, with additions relating to frequency of changes by me.</description>
    </item>
    <item>
      <title>Security</title>
      <link>https://www.jpsdomain.org/infosec/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/index.html</guid>
      <description>Old Content This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.&#xA;Information Security Portals &amp; Resource Centers&#xA;Portals: SecurityFocus; The Razor Team; PacketStorm; SecuriTeam; The Shmoo Group; Ernst &amp; Young Security News; Searchsecurity.techtarget.com&#xA;Resource Centers: SANS – System Administration, Networking, and Security Institute; CERT – The CMU Computer Emergency Response Team; FIRST – Forum of Incident Response and Security Teams; CERIAS – Center for Education and Research in Information Assurance and Security (was COAST); NIST - CSRC – National Institute of Standards and Technology Computer Security Resource Clearinghouse; CISecurity – The Center for Internet Security&#xA;Security Information&#xA;Security Links&#xA;Trade Publications: Information Security Magazine; SC Magazine; Network Computing – Not strictly about Information Security, but they usually have a few good security articles, and the rest of the magazine is good too; MCP Magazine – Even less about security, since this is about Microsoft products and certification, but Roberta Bragg’s columns are always interesting, though I don’t always agree with her 100%.&#xA;Other Links: JP’s Information Security Tools; Information Security Links from Intiss; ISC² Security Links&#xA;Information Security Books&#xA;There are an awful lot of security books out there. This list covers only books that I own and have read and found useful. Some may have newer editions than are listed here, so look for those too. I highly recommend all of them, but if you only read a few, read the first three. Also, see the links above for various trade magazines and web sites.</description>
    </item>
    <item>
      <title>Security Tools</title>
      <link>https://www.jpsdomain.org/infosec/sec-tools/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/sec-tools/index.html</guid>
      <description>Old Content This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.&#xA;Tip Everything listed on this page is free, unless otherwise noted (or unless I goofed).&#xA;Security Tools&#xA;General: The NMap “Top 75 Security Tools” list; SecurityConfig.com; The Log Analysis Site; James Madison University’s R.U.N.S.A.F.E. program (End User tips and awareness)&#xA;Disk/File Wiping: “Autoclave” hard drive sterilization on a bootable floppy (Linux Floppy!); DoD 5200.28-STD secure delete program ($$); Maresware Forensic Processing Software; Berkewipe: Secure delete program for Linux/UNIX; Wipe: Secure delete program for Linux/UNIX; Overwrite: Secure delete program for Linux/UNIX; fwipe: Secure delete program for Linux/UNIX; Secure Deletion of Data from Magnetic and Solid-State Memory; Shred: Secure delete program for Windows; sDelete: Secure delete program for Windows (Sysinternals!); Cleandrive (WipeDrv.exe &amp; CleanDrv.exe): Secure delete program for hard drives ($$); pdwipe: Secure delete program for hard drives ($$); Secure delete program for Windows (Restricted); National Industrial Security Program (DoD 5220.22-M)&#xA;Password Databases&#xA;You need to use a password database because humans are bad at remembering good passwords, you can’t share passwords among sites, and so you need to have a lot of passwords. Some useful thoughts on this include:</description>
    </item>
  </channel>
</rss>