Thursday, December 5, 2013

IT Auditing at ADM

This past Tuesday, December 3rd, 2013, we had two guest speakers from ADM, Gary Hotwick and Wayne Sharp. Gary is a Millikin grad who graduated with an Accounting degree and a focus in Management Information Systems. He is an information systems manager in information systems audit; he also spent some time working in JD-Edwards as the procurement lead and has traveled around the world a lot in his career. In his job he checks controls and procedures to make sure they are actually in place and working properly. He said that the idea that auditors are here to help, which has become a joke, is really true. His job is to ensure that the bad things that can occur don't, because of the procedures they put in place or the protocols they follow.

Wayne's job is slightly different from Gary's; he seemed more enthusiastic about it and talked about the thrill of it. He attended Eastern Illinois University and has spent most of his life in development, but now he is a data analyst and he loves it a lot. He analyzes data to find potential risk by applying analytics.

Sunday, November 17, 2013

Database Security Vulnerabilities

There are certain common and serious database vulnerabilities that most businesses that deal with data should know about. Cyber attacks have been on the rise lately, especially against databases, because databases usually contain valuable information. Probably the most important thing hackers go after is financial data; if they don't get that, most of what else is stored is intellectual property and corporate secrets that hackers can profit from.

At the top of the list of database vulnerabilities are deployment failures. When companies test software, they usually test to see whether it is doing everything that it was designed to do; they never check to see whether it is doing something that it was not designed to do. Then there are broken databases, where most businesses don't keep their systems regularly patched, leaving the database vulnerable.

There are many more of these vulnerabilities that administrators need to keep in mind, looking to best practices to make sure they are up to date. They include data leaks when data is not encrypted with SSL or TLS, SQL injections, and database inconsistencies.

http://www.zdnet.com/the-top-ten-most-common-database-security-vulnerabilities-7000017320/

Monday, November 11, 2013

Linux is more Secure than Windows

For small businesses or organizations that lack dedicated IT security staff, using Linux can be very beneficial. There is a saying among Windows users, "security through obscurity," which leads us to believe that the software is secure because of its complexity and closed nature. The idea is that if hackers cannot see the code they will have a hard time cracking it, but that has not been true, especially looking at the number of patches that are often sent out.

So why is Linux security better? When it comes to privileges, Windows users get admin access by default from the start, but with Linux you get the lowest level possible and what you need is added on. As a result, if there is ever a virus, it cannot spread as far as root and stays local. There is also the social engineering factor, where people are tricked into downloading malicious things onto their computer. With Linux, the user has to download, save, and execute the file.

Linux also has a diversity of environments, so it is difficult to send out one virus to all of Linux, unlike Windows. Most users are using Windows, so that is a hacker's main point of attack. Most people can see and work on the Linux code, and with that many eyes it is easier to catch flaws and fix them quickly, unlike Windows, where vulnerabilities are not known until they can be fixed.
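The download, save, and execute steps described above can be seen in file permissions. The following is an added example, not part of the original post: it builds two constructed files in a temporary directory (the names `invoice.sh` and `update.sh` are made up), shows that a saved file does not run until someone sets its execute bit, and lists the files in a download directory that have been made executable, which is a check an administrator can run.

```shell
#!/bin/sh
# Added example. The files below are constructed stand-ins for saved downloads.

# Create two sample "downloads" in directory $1 under the common umask 022.
make_sample_downloads() {
    (
        umask 022
        printf '#!/bin/sh\necho "script ran"\n' > "$1/invoice.sh"  # saved only
        printf '#!/bin/sh\necho "script ran"\n' > "$1/update.sh"
        chmod u+x "$1/update.sh"   # the extra step the user has to take
    )
}

# Try to execute $1 directly; the shell returns 126 when the execute bit is missing.
try_run() {
    "$1" >/dev/null 2>&1
}

# Print regular files under $1 that carry any execute bit (POSIX find syntax).
list_executable_downloads() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_downloads "$dir"
    rc=0; try_run "$dir/invoice.sh" || rc=$?
    echo "invoice.sh without chmod: exit status $rc"
    echo "executable files found in download directory:"
    list_executable_downloads "$dir"
    rm -rf "$dir"
}

demo
```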

http://www.pcworld.com/article/202452/why_linux_is_more_secure_than_windows.html


Sunday, October 20, 2013

Linux vulnerability

The Linux operating system has had a vulnerability for the past two years that gives "untrusted" users with restricted accounts root access over machines. Along with those machines, it also affected servers running in shared web hosting facilities and other sensitive environments. The maintainers of the Linux operating system quietly released an update that patched the hole. Even a month after the patch was sent out, most users still remain wide open, mostly because they were not aware of the vulnerability.

The bug is in the Linux kernel's performance counters subsystem, and its severity became clear when code exploiting the vulnerability became publicly available. The script is used to take control of servers that are operated by many shared web providers. Basically, hackers with limited control over a Linux machine can use the bug to escalate their privileges.

Security is a huge matter when it comes to business dealings. It was wrong for Linux not to publicly disclose this issue so that all who were affected could take the necessary steps to avoid it.

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

Monday, October 7, 2013

Adobe Data Breach

Adobe Systems recently confirmed that its network was breached during an attack in which 2.9 million of its customers had their information compromised. The information compromised includes customer names, passwords, debit and credit cards, and much more.

There was also a theft of source code for their products Acrobat, ColdFusion Builder, and others. "CISO of Hold Security LLC as they pored over the contents of a server used by the cyber criminals recently revealed to have been behind damaging attacks on multiple data aggregators".

Chief Security Officer Brad Arkin reported that there are no zero-day exploits, so there shouldn't be any surprises, but he encouraged users to use only supported versions of their products. In response to the attack, the compromised passwords have been reset, and individuals and companies have been notified.

How did this affect businesses? Most of the big businesses in the world use Adobe products, and what companies tend to do is use a common password for most of the applications they get. So companies now have to ensure that all those other passwords have been changed.

Although Adobe did indicate that all the users whose accounts were compromised have been notified to reset their passwords, there have been reports of users whose old compromised passwords can still log into the Adobe Creative Cloud. It seems as though those systems are not connected to the reset procedure. They should just have all users reset their passwords entirely so that they do not miss parts of it.

http://www.securityweek.com/adobe-confirms-source-code-breach-theft-customer-data

http://www.pcworld.com/article/2052180/adobe-reports-massive-security-breach.html

Monday, September 23, 2013

Internet Explorer Zero-Day


There is a zero-day flaw in Internet Explorer. It impacts all versions of the browser, but it seems that criminals are more focused on IE-8 and IE-9. In a zero-day attack, the attack occurs on "day zero" of awareness that the vulnerability exists, so developers have had zero days to address and patch the vulnerability. It has been discovered that 70 percent of Windows business users are at risk from the IE zero-day exploit. The scope of the problem has been declared bad enough that Microsoft will go "out-of-band" to release a fix. People do not know exactly, but it is believed that the vulnerability has been present since IE-6.

Hopefully all users are taking the necessary measures to ensure that they reduce their risk as much as possible. Microsoft should also send the "out-of-band" patch as soon as possible. Some defense mechanisms include the use of Address Space Layout Randomization (ASLR). It will not prevent an attack from happening; it just makes it far harder.

http://www.networkworld.com/news/2013/091913-70-percent-of-business-users-273996.html?page=2

Sunday, September 8, 2013

Security of Picture Gesture Authentication

When Windows 8 was introduced, it came with a new form of password security, picture gesture authentication. With time we realized that text passwords were not really very secure, but with gesture authentication Microsoft promises a secure form of security. Your system cannot just be run through a database of words until the right one works. Picture authentication gives us a unique way of locking our systems: the pictures we use are unique, and the gestures we make are also unique.

Though this gives us the opportunity to run freely with it and do something more personal, it is becoming a problem, as researchers have noticed that the gestures and pictures follow similar trends. Most users choose the tap, tap, tap gesture, and one of those taps will be on an eye. It has become the most insecure and easiest to crack, according to research.

[Image: Picture Gesture Authentication on Windows 8]

Researchers from Arizona State University, Delaware State University, and GFS Technology Inc. developed an attack framework and attack models. They found that people mostly choose one of their own photos instead of the ones they have been provided with. There is a relationship between background pictures and the user's identity, personality, or interests, with 60% of users selecting areas on an image where special objects are located. Based on how long they take to set up the password, users most often will circle a face, tap an eye or nose, or connect lips on pictures with faces. For pictures without faces, mostly special objects will be selected or connected.

The attack framework developed by the researchers became advanced enough that it was capable of cracking passwords on previously unseen pictures in the picture gesture authentication system. This research will be presented to Microsoft so that they can find controls to ensure that their systems and their users are safe, and perhaps revisit the rules and procedures for picture authentication and run some testing to see where, and by how much, they can improve.


http://www.networkworld.com/community/blog/researchers-develop-attack-framework-cracking-windows-8-picture-passwords?page=0%2C0