Sekiur My Thoughts

VoIP, Mobility, Security, Open Source, Science, Politics, and Technology.

Archive for the ‘Security’ tag

iPhone Forensics – Part 1


As with anything else, it is important to really understand the inner workings of the iPhone before attempting to recover any data from it, because two things can go wrong: the device may be rendered useless, or the data on it may be contaminated, which is just as bad when you are looking for evidence.

The iPhone runs a custom version of Mac OS X 10.5 (Leopard), with several differences which include:

  1. an ARM architecture as opposed to the Intel x86 architecture used on desktop machines
  2. special hardware including an accelerometer, proximity sensor, multi-touch capable screen and several radios including GSM, Wi-Fi and Bluetooth
  3. a user interface framework built around the iPhone to accommodate the proprietary hardware
  4. a signed kernel designed to prevent tampering

What can be recovered:

Information stored on the iPhone includes keyboard caches containing usernames, passwords, searches and some history of what was ever typed on the phone.

Sections of map images from the phone’s Google Maps application, along with location searches and their coordinates, can be found on the phone.

The browser cache and deleted items identify which websites the user has visited.

Deleted voicemails, e-mail and SMS messages can also be recovered.

A cache of screenshots of the user’s last activities, kept to smooth the animation when applications are opened and closed.

Deleted images, address book entries, contacts, calendar events and other personal information can be recovered.

A very detailed call history, beyond what is visible on the iPhone, as well as deleted entries from that history.
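Most of the deleted items listed above (SMS, call history, contacts, calendar) come back because the iPhone stores them in SQLite databases, and SQLite does not wipe a row when it is deleted. The following is an added example, not code from the original post: it builds a throwaway database with a made-up schema, deletes a row, carves the text back out of the raw file, and then repeats the run with SQLite’s secure_delete pragma on to show what an application that cleans up after itself would leave behind.

```python
"""Carving deleted rows out of a SQLite database file.

Added example, not code from the original post. SMS, call history and
contacts on the iPhone live in SQLite databases, and a DELETE normally
leaves the row's bytes inside the page (SQLite only overwrites the first
few bytes with a free-block header), so the text is recoverable from the
raw file until the space is reused. The table and messages below are
constructed for the demo and do not follow the real sms.db schema.
"""
import os
import re
import sqlite3
import tempfile

# Printable ASCII runs of 8 bytes or more: the crudest possible carver.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")

MESSAGES = [
    "meet at the usual place tonight CONSTRUCTED-KEEP-1",
    "delete this one before the audit CONSTRUCTED-GONE-2",
    "call me back when you land CONSTRUCTED-KEEP-3",
]


def make_db(path, secure_delete=False):
    """Create the table, insert MESSAGES, then delete the GONE row and commit."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cells; OFF is the usual default.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO message (text) VALUES (?)",
                     [(m,) for m in MESSAGES])
    conn.commit()
    conn.execute("DELETE FROM message WHERE text LIKE '%GONE-2'")
    conn.commit()
    conn.close()


def live_rows(path):
    """What the application, or a logical backup, would still show."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY id")]
    conn.close()
    return rows


def carve_strings(path):
    """Scan the raw file bytes, ignoring the SQLite API entirely."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(data)]


def recover_deleted(path):
    """Carved strings that no live row accounts for.

    A carved run may start a byte early (the record header byte that encodes
    the text length is often itself printable), so the test is whether a live
    row is contained in the run, not the other way round.
    """
    live = live_rows(path)
    return [s for s in carve_strings(path)
            if "CONSTRUCTED-" in s and not any(row in s for row in live)]


def demo(secure_delete=False):
    """Build a throwaway database and return what could be carved from it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_db(path, secure_delete)
        return recover_deleted(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("secure_delete OFF:", demo(False))   # the deleted message is still there
    print("secure_delete ON: ", demo(True))    # nothing left to carve
```

The same carve over a copy of sms.db or call_history.db taken from the user partition (never the live file) turns up old messages until the free space is reused; a full tool also walks the freelist pages and parses the record headers instead of looking for printable runs.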

Disk Layout:

The iPhone uses solid-state NAND flash, which is treated as a disk by storing a partition table and formatted file systems on it. Generally the iPhone is configured with two partitions, as shown below.

The first partition is the root, which houses the operating system and all the preloaded applications on the iPhone. This partition is mounted read-only and is designed to stay that way. The size of the root partition varies depending on the version of the phone (the size of the flash).

The remaining space is assigned to the user and is mounted as /private/var, as shown above. This allows Apple to upgrade the firmware of the device without, in theory, touching the user data on it.

To perform forensics in this environment we would need to make the root partition writable and install the forensic tools there, so that nothing is ever written to the user data partition and its integrity is maintained. Whatever acquisition method is used, hash the image of the user partition as soon as it is taken and again before each analysis step, so that any change can be ruled out later.

Communication:

The iPhone can communicate in multiple ways, including the dock connector (USB, with a serial line as well), 802.11 Wi-Fi and Bluetooth. AFC, the Apple File Conduit (often expanded as Apple File Connection), is the protocol iTunes uses over the dock connector to talk to the iPhone and transfer everything from music to software upgrades.

iTunes is not allowed access to the whole iPhone but is placed in a jailed environment. People familiar with Unix will know the term “jail” (as in chroot jail), which in general terms means restricting access and operations to a specific area of the target device; for AFC that area is the user’s Media directory, not the whole file system.

The hacker community coined the term “jailbreaking” after successfully breaking out of this restricted environment, which allows unsigned (including pirated) apps to be installed on the phone and opened the way to unlocking it for use with other carriers.

The Firmware:

Apple provides firmware updates on a periodic basis which update the operating system, the radio baseband and other device firmware. Although these updates have not resulted in loss of user data so far, it is not recommended that the firmware be upgraded during the forensic process: the update rewrites the root partition, and the user partition is left untouched only in theory.


Written by Jose Vicente Ortega

March 7th, 2010 at 5:21 pm

Posted in Security


Mobile Forensics


With the explosion of mobile devices there is little doubt that the number of security incidents in which a mobile device is involved will also increase exponentially.

My next couple of posts will look at what it takes to perform forensics on mobile devices, targeting specifically the iPhone, the BlackBerry and the Android platforms.

Some interesting statistics on the iPhone in particular, and the number of them that AT&T activated in the last couple of years: as can be seen below, the number of iPhones activated in the 3rd quarter of 2009 was 3.2 million devices in the US alone.

This doesn’t equate to iPhones sold, because activations would also count a dad giving his iPhone to his daughter and buying a new one for himself, which would mean two activations but just one iPhone bought.

According to AT&T they added 2 million subscribers in that quarter. Nevertheless the evidence of an upward trend is there.

The graph below shows how activations for the 1st quarter of 2010 rose by 50% over the previous quarter.


Written by Jose Vicente Ortega

March 7th, 2010 at 3:39 pm

Intrusion Prevention System – Tipping Point


In an age where applications are quickly moving to the web, security threats increase the risk of a breach causing economic damage and loss of reputation to businesses.

It is no longer viable to have a firewall protecting internal resources from the outside world without knowing and inspecting the legitimate traffic coming into the network; attackers take advantage of this by moving up the OSI stack to the layers that first-generation firewalls were not protecting.

The OSI model is an abstract definition of layered communication between computers, starting at the bottom with the physical wire (layer 1) and moving up to the 7th layer, called the application layer.

The first firewalls on the scene allowed the network administrator to protect up to the 3rd and 4th layers, named the Network and Transport layers, by restricting access to a given IP address from a range of IP addresses, or restricting access to a server to a single port, TCP 80 in the case of a web server.

Application-aware firewalls soon surfaced, but the horsepower required to break down the packets for analysis and reconstruct them before forwarding them to their destination was not there; the link took a big performance hit, and even then only a few widely used protocols (HTTP, FTP, etc.) could be inspected.

A different device was introduced to address this shortfall and named the IDS (Intrusion Detection System), allowing the detection of malicious attempts to access computer systems.

Later IDSs were able to send control signals to firewalls and routers to actively block attacks, and were often used in conjunction with honeypots, which deflected attempts at unauthorized use of the systems they were protecting.

Anomaly-based IDSs work by classifying traffic as either normal or anomalous. Before they can do that the system has to be taught what normal traffic activity looks like, using statistical or machine-learning techniques; once trained, whether with a neural network or with a strict mathematical model of normal usage, any traffic deviating from the norm is flagged as an attack.

This proved problematic whenever new variables were introduced into the system or network, such as new applications or services: legitimate traffic that deviated from the baseline was treated as an attack, and the unwanted change the IDS then made to the firewall amounted to a self-inflicted denial of service (DoS). Additionally, the IDS sat out of band, on a tap or mirror port, rather than in-line with the firewall, which added latency between detecting an attack and doing anything about it.

The IDS required two major and critical improvements: moving beyond anomaly detection to add vulnerability-based signatures, and the capability to work at wire speed to enable in-line deployment.

Vulnerability-based signatures were a way for security vendors to work proactively with software vendors, finding and patching vulnerabilities before the bad guys did and releasing filters that block the specific attacks against systems that may not have been patched yet. Because such a filter describes the condition that triggers the flaw rather than one particular exploit string, it also catches variants of the attack that an exploit-specific signature would miss.

A device that blocked attacks and let everything else through was born and christened the Intrusion Prevention System (IPS).

An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behaviour and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.

As with any in-line device, reliability and availability are of utmost importance. This is mostly addressed by a bypass feature that lets the copper ports fail open should the device lose power or crash. Bear in mind what fail-open means: traffic keeps flowing but is no longer inspected, so a bypass event should raise an alarm, and on segments where inspection matters more than uptime the device can be set to fail closed instead.
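The contrast drawn above (an anomaly model that has to be re-taught whenever the network changes, a vulnerability-based filter that blocks a class of attack, and a bypass that fails open) is easier to see in code. The block below is an added example, not code from the original post or from TippingPoint: the baseline traffic, the live traffic and the two filters are constructed for the demo, and the fail-open branch merely imitates what the hardware bypass does.

```python
"""Anomaly detection versus vulnerability-based filtering, in-line.

Added example, not code from the original post or from TippingPoint. It
reproduces the post's argument on constructed traffic: a baseline-trained
anomaly model flags a new, legitimate application as an attack and misses
a short exploit, while a vulnerability-based filter blocks the exploit and
passes everything else. The two filters are illustrative regexes, not real
Digital Vaccine filters, and the fail-open branch imitates the bypass.
"""
import re
import statistics

# Constructed "normal" traffic the anomaly model was trained on.
BASELINE = [
    b"GET /index.html HTTP/1.1",
    b"GET /images/logo.png HTTP/1.1",
    b"GET /about.html HTTP/1.1",
    b"POST /login HTTP/1.1 user=alice&pass=secret",
    b"GET /news/2009/06/11.html HTTP/1.1",
    b"GET /contact.html HTTP/1.1",
]

# Constructed vulnerability-based filters: each describes the condition that
# triggers a class of flaw rather than one exploit string.
SIGNATURES = {
    "path-traversal": re.compile(rb"(\.\./|%2e%2e%2f)", re.IGNORECASE),
    "oversized-uri": re.compile(rb"^[A-Z]+ \S{512,}"),   # request-line overflow
}

# Constructed live traffic after a new JSON API was deployed.
TRAVERSAL = b"GET /../../../etc/passwd HTTP/1.1"
NEW_APP = (b"POST /api/v2/report HTTP/1.1 " + b'{"items":['
           + b'{"id":1,"v":"x"},' * 20 + b"]}")
OVERFLOW = b"GET /" + b"A" * 600 + b" HTTP/1.1"
TRAFFIC = [b"GET /index.html HTTP/1.1", TRAVERSAL, NEW_APP, OVERFLOW]


class AnomalyModel:
    """Flags any request whose length is more than k standard deviations
    away from the mean of the training set."""

    def __init__(self, samples, k=3.0):
        lengths = [len(s) for s in samples]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0
        self.k = k

    def is_anomalous(self, request):
        return abs(len(request) - self.mean) > self.k * self.stdev


def signature_match(request):
    """Name of the first filter that fires, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def inline_filter(requests, mode, model=None, fail_open=True):
    """Inspect each request in-line; return (passed, dropped-with-reason).

    Any fault inside the engine is handled the way a bypass module would:
    fail_open passes the traffic uninspected, otherwise it is dropped.
    """
    passed, dropped = [], []
    for req in requests:
        try:
            if mode == "signature":
                reason = signature_match(req)
            elif mode == "anomaly":
                reason = "anomaly" if model.is_anomalous(req) else None
            else:
                raise ValueError("unknown inspection mode %r" % mode)
        except Exception:
            if fail_open:
                reason = None
            else:
                dropped.append((req, "fail-closed"))
                continue
        if reason:
            dropped.append((req, reason))
        else:
            passed.append(req)
    return passed, dropped


if __name__ == "__main__":
    model = AnomalyModel(BASELINE)
    for mode in ("anomaly", "signature"):
        _, dropped = inline_filter(TRAFFIC, mode, model)
        print(mode, [(r[:30], why) for r, why in dropped])
```

Run in anomaly mode it drops the new application’s long POST and lets the short traversal request through; in signature mode it does the opposite. Passing an unknown mode stands in for an engine fault: with fail_open=True everything passes uninspected, which is exactly why a bypass event needs to page someone.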

Market leaders in this space are Cisco Systems, Juniper Networks, McAfee, IBM (ISS), 3Com (Tipping Point) and Sourcefire.

So how do today’s available solutions stack up in the real world? A recent study of 170 randomly selected enterprises compares the results reported by real customers using Cisco, IBM ISS, McAfee, Sourcefire or TippingPoint in live network environments. The vendors were evaluated across eight key measures in three primary categories:

  1. In-Band Blocking: To block unwanted traffic in real time, an IPS must be placed in-band rather than off a tap or mirror port. Only in-band devices can provide real-time, deep inspection of data packets at layers 2 through 7.
  2. Filter Effectiveness: At the heart of the effectiveness of any IPS solution is how many attacks its filters can block.
  3. Ease of Use: Network operators are less likely to deploy Intrusion Prevention Systems across the expanse of their networks if the solution is hard to set up and manage.

According to that study, TippingPoint scores highest, often by large margins, on each key performance and manageability measure, providing superior protection against evolving network attacks and continuing to provide timely protection as new forms of attack emerge.

The TippingPoint 210E provides 200 Mbit/s of aggregate bandwidth with a typical latency of less than 1 millisecond, and offers 10 x 10/100/1000 copper Ethernet ports arranged as 5 in-line segments, in a package a little over 1U high.

Initial configuration is performed by connecting a console cable to the appliance and setting several parameters through a setup wizard. The management server, which runs a customised version of Fedora, also needs to be configured with network and user information.

Management of the appliance is done through an installable client program with seven major components:

Events: Allows the monitoring of events based on a wide range of criteria, including filters, filter taxonomy, network and segment, as well as threshold filters.

Reports: Existing templates allow the quick generation of reports on attacks, performance protection, rate limiting, device traffic and traffic thresholds, among others. Customized reports can be saved, scheduled for particular times and configured for delivery by e-mail in a variety of formats including PDF, HTML and Excel.

Profiles: The IPS appliance comes with a default profile that defines how the appliance handles the traffic passing through its segments. Each of the 5 segments can have a different profile, which makes it very easy to apply one policy to one network segment and a completely different one to another, or even to protect a specific host.

The filters are categorized as Application Protection, Infrastructure Protection, Performance Protection and Traffic Management.

A large number of filters under Application Protection and Infrastructure Protection are set to Block/Notify out of the box, while the action for the other two categories is left to be determined by corporate security policy.

Quarantine: Lets the IPS block particular IP addresses or networks for a set period of time. Extremely customizable.

Devices: Provides the ability to manage multiple IPS appliances from one management console, pushing policies, software updates and upgrades, and Digital Vaccine filter packages at the click of a button.

Admin: Allows the management of users and the configuration of the management server.

Dashboard: A customizable window into the protection and performance metrics provided by the IPS.

I was surprised to see the small number of hacking attempts across 4 class C networks of public IP addresses, coming to the conclusion that the stateful inspection firewall in place was inspecting the traffic allowed on certain protocols and thus filtering many of the attacks. Traffic not inspected by the firewall was filtered by the TippingPoint 210E appliance.

A side benefit of using this appliance, after customizing the profile for the Application Protection – Spyware category, was detecting spyware already installed on the network and blocking it from transmitting data outside the corporate network.


Written by Jose Vicente Ortega

June 11th, 2009 at 4:47 pm

Conficker Gets Ready To Strike


Without a doubt the whole security community has its eyes on the Conficker.C variant, which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and at stopping others from taking control of the network of worm-infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download, doubling its current rate of 250.

Interestingly enough, one of my most popular posts is on the removal of the Conficker worm from a network environment here, and over the last couple of days visitors have exploded exponentially.

In my two other posts, in which I talk about the Microsoft flaw and the social engineering component of the worm, I take a rather passive approach to the problem, based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more proactive approach would be to look for infected machines without waiting for the symptoms to appear, by actively scanning the network for computers that have been infected.

Locating computers infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/


Written by Jose Vicente Ortega

March 31st, 2009 at 1:37 pm

Back to Blogging


It’s been a while since I blogged, as I have been spending a lot of time looking for an angle to take advantage of the current economic crisis. There is little doubt in my mind that this is a prime time to do something, so I have been working on generating passive income by targeting small businesses on reducing their operating costs, and on product development, which I hope to have something solid on within the next four weeks.

I really shouldn’t feed my ego this way, but I can’t avoid mentioning that a specific post on the Conficker virus has brought my stats to over 100 visitors a day on a consistent basis.

With this in mind I intend to continue to blog about security, as well as some demos/reviews I will be doing over the following weeks of several products that I believe are industry leaders. Among these products are the SSL VPN appliance from Juniper and its open source counterpart, the TippingPoint Intrusion Prevention System (IPS) and its open source counterpart, F5 Networks’ Link Controller and Local/Global Traffic Manager, and Riverbed’s Steelhead appliance for application acceleration and WAN optimization.


Written by Jose Vicente Ortega

March 27th, 2009 at 12:25 am

Posted in Security


Step by Step In Dealing With Conficker


This will literally turn out to be a Trojan horse if action is not taken to prevent it from spreading within the corporate network.

Below are step-by-step instructions on mitigating the risk that “Conficker”/“Downadup” poses.

Symptoms

============

Symptoms that help you determine whether you are infected:

  • Account lockout policies are being tripped
  • Automatic Updates, Background Intelligent Transfer Service, Windows Defender and the Error Reporting Service are disabled
  • Errors related to SVCHOST
  • Domain Controllers are slow to respond to client requests
  • Network congestion
  • Various security-related websites, including Windows Update, are not accessible

For further details see the Microsoft Malware Protection Center write-up for Win32/Conficker.B or the Sekiur write-up here.

Solution

=========

Ideally you want not only to automate the removal of the “Conficker”/“Downadup” worm from a large number of computers but also to take steps to minimize the risk of them being infected again.

The following script attempts to remove the “Conficker”/“Downadup” worm and prevent further infection by taking the following steps:

  1. Install patch KB958644 for MS08-067 if not installed
  2. Attempt to remove the “Conficker”/“Downadup” worm
  3. Enable Hidden Setting
  4. Delete all scheduled tasks
  5. Stop and disable services. (lanmanserver, schedule)
  6. Run MSRT – Malicious Software Removal Tool
  7. Install Autorun hotfix if not installed
  8. Install KB950582 for vulnerability MS08-038
  9. Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
  10. Remove Hidden Setting
  11. Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
  12. Restart
  13. Install patch KB958644 for MS08-067 and restart

You will need to download the following files and the batch script and drop them into the NetLogon share.

  • Getver.exe – contained in ConfickerClean-v10.3.zip, together with the script to remove “Conficker”/“Downadup” locally.
  • SC.EXE – contained in ConfickerClean-v10.3.zip
  • REG.exe – contained in ConfickerClean-v10.3.zip
  • windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
  • windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
  • sleep.exe – contained in ConfickerClean-v10.3.zip
  • Hotfix updates for Windows 2000, Windows XP and Windows 2003: download all updates listed in http://support.microsoft.com/kb/953252 except the Itanium update, as this script does not support Itanium.
  • Place all 3 updates in the Netlogon directory.
  • Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
    This vulnerability is not being exploited; however, to disable Autorun properly this update needs to be applied, as it contains the same Autorun-related fix as KB953252 listed above.

Now you will proceed to create a Group Policy and push it to the domain.

  1. Edit the <domain.com> values in the script.
  2. Rename it to .BAT and drop it in the %windir%\SYSVOL\sysvol\<domain.com>\scripts folder (the Netlogon share).
  3. Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon Script, so that the script runs under the machine account (with the local administrator rights that installing patches and stopping services require).
  4. Link the GPO with the Startup Script to the OUs where you want it to apply, using security-group filtering if it must be narrowed further.

Note:

It is not recommended that you use this on DCs or critical servers; those should be cleaned manually, so that the services disabled below do not have to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is because of the weak passwords the malware attempts to exploit (it brute-forces its way into the ADMIN$ share, which the Server service exposes). The password change will need to be accomplished through the domain password policy, resetting every local and domain admin password to a complex one of at least 10 characters that mixes letters, digits and extended characters such as a question mark or an exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to re-infect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops an Autorun.inf file, together with a copy of itself, on all removable drives.

Sources:

All credit to Microsoft Support Engineering

Written by Jose Vicente Ortega

February 3rd, 2009 at 5:03 pm

Worm Uses Social Engineering


A new worm has hit the Internet and it’s taking its toll on computers worldwide. It has been reported that over 9 million computers have already been infected.

The worm, called “Downadup”, “Conficker” or “Kido” by different anti-virus vendors, uses the Microsoft vulnerability I blogged about here (Worm Takes Advantage Of Microsoft Flaw) and here (Microsoft Releases Emergency Patch).

The worm mostly spreads across networks: it turns off System Restore and deletes the restore points, blocks access to security websites, downloads additional malware from the author, attempts to infect other computers by scanning network shares, and schedules a task to re-infect the computer if it is removed.

What is interesting is that it can also spread via USB memory keys or other removable devices, using social engineering, which makes it more dangerous to the untrained eye. When an infected USB drive is inserted it shows a modified AutoPlay screen (seen below) with an entry that imitates the built-in “Open folder to view files” option, and the worm is installed when the user inadvertently clicks on it.

According to the SANS Internet Storm Center, one of the reasons the worm is infecting so many machines is that “Conficker” uses multiple infection vectors:

  1. It exploits the MS08-067 vulnerability,
  2. It brute-forces Administrator passwords on local networks and spreads through ADMIN$ shares, and finally
  3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry keys to create a randomly-named service on the affected system, which the netsvcs svchost instance then loads like any other Windows service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\ServiceDll = <path to the worm DLL>
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

It attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

It attempts to download a malware file from the following remote website (the rogue Russian site is up but no longer serving the file):

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

It starts an HTTP server on a random port on the infected machine to host a copy of the worm.

It continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer connects back to that HTTP server and downloads a copy of the worm.

Later variants of W32/Conficker.worm use scheduled tasks and the Autorun.inf file to replicate onto non-vulnerable systems, or to re-infect previously infected systems after they have been cleaned.
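The autorun.inf vector above is easy to check for on a suspect drive. The parser and triage below are an added example, not code from the original post and not the worm’s own file: the suspect sample is constructed to reproduce the trick (an AutoPlay entry dressed up as the built-in folder option whose command loads a DLL from the drive through rundll32), the DLL and export names are made up, and the benign driver-CD sample is there to show the check does not fire on ordinary autorun files.

```python
"""Inspecting an autorun.inf for the AutoPlay trick described above.

Added example, not code from the original post and not the worm's own
file. The suspect sample is constructed to reproduce the technique: the
[autorun] section borrows the folder icon from shell32.dll and the
"Open folder to view files" wording so the AutoPlay entry looks like the
built-in one, while the command actually loads a DLL from the drive via
rundll32. The DLL and export names are made up. Windows' INI reader
ignores lines it cannot interpret, so the parser skips them as well.
"""
import re

# Anything that can be used to run code or load a DLL from the drive.
LOADERS = ("rundll32", "regsvr32", "cmd", "wscript", "cscript", "mshta")

# Constructed benign sample: a vendor driver CD.
BENIGN = """\
[autorun]
open=setup.exe
icon=setup.exe
label=Printer driver CD
"""

# Constructed suspect sample reproducing the trick (names are made up).
SUSPECT = """\
[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RuNdLl32.EXE .\\data\\qwertyui.dll,Entry
UseAutoPlay=1
\x01\x02junk padding bytes that Windows ignores
[unrelated]
open=ignored.exe
"""


def parse_autorun(text):
    """Read only the [autorun] section: case-insensitive keys, junk skipped."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other sections, padding, garbage
        key, value = line.split("=", 1)
        keys.setdefault(key.strip().lower(), value.strip())   # first one wins
    return keys


def assess(keys):
    """Return the reasons this autorun.inf looks like the worm's trick."""
    findings = []
    for cmd_key in ("open", "shellexecute"):
        cmd = keys.get(cmd_key, "").lower()
        if not cmd:
            continue
        if any(loader in cmd for loader in LOADERS):
            findings.append("%s invokes a code loader: %s" % (cmd_key, cmd))
        if ".dll" in cmd:
            findings.append("%s loads a DLL from the removable drive" % cmd_key)
    action = keys.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        findings.append("action text imitates the built-in Explorer entry")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look like a folder")
    return findings


def triage(text):
    """Parse and assess the contents of one autorun.inf."""
    return assess(parse_autorun(text))


if __name__ == "__main__":
    print("benign :", triage(BENIGN))
    print("suspect:", triage(SUSPECT))
```

Point triage() at the contents of X:\autorun.inf on the mounted (ideally write-blocked) drive; a hit means the DLL it names belongs in the sample collection, not on the desktop.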

Suggestions -

  1. Disable AutoPlay in your environment.
  2. Run a good security suite.
  3. Keep your computer updated with the latest patches.
  4. Be PROACTIVE and look for the worm in your environment.

Sources:

http://www.nai.com

http://www.symantec.com

http://www.f-secure.com

http://isc.sans.org

    Written by Jose Vicente Ortega

    January 22nd, 2009 at 1:27 pm

    Keeping The Network Clean


    In today’s environment of mobile computing and the increasing integration of consumer electronics with the corporate network, it has become a necessity to plan accordingly in order to mitigate the risk this presents.

    Whether it is an iPhone or a guest laptop connecting via wireless or through an unused network port, this brings new challenges to network administrators, who need not only to be aware of what is on their network but also to prevent an unmanaged device from infecting other devices on it.

    The situation grows in complexity in higher education where the inherent open network environment becomes a juggling act balancing network security and open access. Students do not patch and fail to run current anti-virus.

    Network Access Control, which is more commonly referred to by the acronym NAC, is the most hyped term in networking today. It’s also one of the least understood.

    Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy describing how to secure access to network nodes by devices when they first attempt to access the network. NAC may integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back-office servers and end-user computing equipment to ensure the information system is operating securely before interoperability is allowed.

    The idea behind Network Access Control (NAC) is to implement a set of pre-admission rules and post-adm    ission controls over where users can go and what they can do. Kind of like an inverted firewall framework on steroids.

    What’s important to understand is the Network Access Control (NAC) is not a device or appliance that is dropped in on the network, but rather a structure that needs to be deployed throughout the enterprise network.

    The goals that Network Access Control aims to address can be distilled into three categories.

    1. Identity Management – Which includes device registration, authentication and role based access.
    2. Endpoint Compliance – The ability to prevent devices that lack anti-virus, patches or host prevention software from accessing the corporate network to prevent putting other computers at risk.
    3. Policy Enforcement – Provides the ability to enforce company-specific policies in either block, notify or report mode and integration with other solutions to identify and disable unauthorized activities.

    Different vendors take different approaches to accomplishing these goals: policies enforced on a pre-admission vs. a post-admission basis, software clients installed on the user’s computer vs. scanning those computers to gather the information that drives the decision at the time the policy is enforced, and finally out-of-band vs. in-line solutions.

    In 2005 I started experimenting with Network Access Control technology and came across an open-source solution called NetReg.

    NetReg is an in-line, pre-admission, client-less Network Access Control solution. The system sits between the users and the network. Identity management is accomplished by authenticating the user through a website against an LDAP server and storing in a database the username, the IP address assigned and the device’s MAC address.

    Endpoint compliance is achieved with two dynamic DHCP address pools: one for unregistered (unknown) hosts with non-routable IP addresses (network/Internet blocked), and a second for registered (known) hosts with routable IP addresses (network/Internet accessible). A bogus DNS server prevents unregistered users from accessing anything but certain websites where they can download anti-virus and patches for remediation purposes.

    Nessus vulnerability scanning software periodically scans devices to determine whether they should be quarantined until they meet the established acceptable use policy. If a computer on the unregistered network is found to be non-compliant, it is notified, and only when appropriate action has been taken will the computer be assigned a valid routable IP address. If the computer has already been assigned a valid IP address, it is blocked.

    Some of the shortfalls of this approach were the inability to determine which patches were missing, and that firewalled clients are not checked because the scanner cannot see them.

    NetReg, which was originally developed at Southwestern University in Georgetown, Texas, branched out into several versions; currently the only one being maintained is Carnegie Mellon’s, here.

    Finally, it is important to note that there is no silver bullet when it comes to security, and there are always ways to get around a system. A thought that came to mind was how these products deal with printers, VoIP phones, gaming consoles, etc., when it comes to registration, and how changing one’s MAC address to mimic a VoIP phone or printer vendor’s prefix would bypass the authentication.
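    The two-pool admission logic described above, and the printer/VoIP-phone exemption that makes the MAC-spoofing bypass possible, as an added example (not NetReg’s own code): the registration table, the vendor OUIs and the asset inventory are constructed for the demo, and the pools use reserved documentation address ranges.

```python
"""A NetReg-style admission decision and the MAC-spoofing gap.

Added example, not NetReg's own code. The registration table, the
vendor-exemption list and the OUI prefixes are constructed for the demo;
the pools use reserved documentation ranges. It shows the two-pool logic,
how a vendor-OUI exemption for printers and VoIP phones lets an
unregistered laptop in by changing its MAC, and one cheap mitigation:
exempt only MACs that are already in the asset inventory.
"""
import re
from dataclasses import dataclass

QUARANTINE_POOL = "10.255.0.0/16"   # non-routable; bogus DNS points at remediation
PRODUCTION_POOL = "192.0.2.0/24"    # routable (documentation range used here)

# Vendor prefixes (first three bytes) waved through because the device has
# no browser to log in with. These OUIs are made up.
EXEMPT_OUIS = {"00:11:22": "voip-phone-vendor", "aa:bb:cc": "printer-vendor"}


@dataclass
class Registration:
    mac: str
    user: str
    compliant: bool        # last vulnerability scan passed


def normalize_mac(mac):
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    return normalize_mac(mac)[:8]


def decide(mac, registrations):
    """Pick the DHCP pool for a request from `mac` (NetReg-style policy)."""
    mac = normalize_mac(mac)
    if oui(mac) in EXEMPT_OUIS:
        return PRODUCTION_POOL, "exempt by vendor OUI (%s)" % EXEMPT_OUIS[oui(mac)]
    reg = registrations.get(mac)
    if reg is None:
        return QUARANTINE_POOL, "unregistered"
    if not reg.compliant:
        return QUARANTINE_POOL, "registered to %s but failed the scan" % reg.user
    return PRODUCTION_POOL, "registered to %s" % reg.user


def decide_hardened(mac, registrations, inventory):
    """Same policy, but a vendor OUI alone is not enough: the full MAC must
    appear in the pre-loaded asset inventory of phones and printers."""
    mac = normalize_mac(mac)
    if oui(mac) in EXEMPT_OUIS and mac not in inventory:
        return QUARANTINE_POOL, "claims an exempt vendor but is not inventoried"
    return decide(mac, registrations)


# Constructed state: two registered laptops and one inventoried phone.
REGISTRATIONS = {
    "de:ad:be:ef:00:01": Registration("de:ad:be:ef:00:01", "alice", True),
    "de:ad:be:ef:00:02": Registration("de:ad:be:ef:00:02", "bob", False),
}
INVENTORY = {"00:11:22:00:00:01"}


if __name__ == "__main__":
    laptop = "de:ad:be:ef:00:99"              # never registered
    spoofed = "00:11:22:ab:cd:ef"             # same laptop after changing its MAC
    print(decide(laptop, REGISTRATIONS))     # quarantine
    print(decide(spoofed, REGISTRATIONS))    # production: the bypass
    print(decide_hardened(spoofed, REGISTRATIONS, INVENTORY))   # quarantine again
```

    The hardened variant only raises the bar: an attacker who reads the MAC off a real printer’s label can still clone it, so an OUI exemption should be paired with a control the switch enforces, such as binding the exempt MAC to its port, or 802.1X for the devices that support it.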

    In researching this post I came across another open source solution, started in 2007, called PacketFence, which I will take a closer look at.

    Major Commercial Solutions:

    Open Source Solutions:

    Sources:

    Wikipedia
    Gartner Market Scope for NAC 2008

    Written by Jose Vicente Ortega

    January 22nd, 2009 at 11:50 am

    Locking Down The Blackberry Network


    Early last year India threatened to discontinue BlackBerry service if Research In Motion (RIM), the company behind the BlackBerry, did not allow the Indian government to monitor BlackBerry network traffic, raising serious security concerns. Here are a few articles from PCWorld, InfoWorld and CNet.

    Now president-elect Barack Obama vows to keep his BlackBerry despite hacking fears and concerns from the Secret Service.

    This will not only be a headache for the Secret Service, but it is pretty likely that hacking attempts against the RIM network will increase exponentially.

    Generally people just don’t think about the risk that a smartphone poses, especially if it is connected to a BlackBerry Enterprise Server. How could my phone be a risk to anyone? Well, a smartphone is not just a phone but a miniature computer, capable not only of making calls but also of acting as an unmetered gateway into the corporate network.

    In order to understand what actions to take to protect a smartphone, the BlackBerry in particular, you have to understand how it works and how it interacts with the BlackBerry Enterprise Server.

    Vulnerabilities:

    • Lack of authentication
    • Lack of encryption
    • Lack of mobile code execution controls
    • Difficult to enforce controls
    • Peripheral devices introduce additional vulnerabilities
    • Infrastructure vulnerabilities in service-specific operating systems, platforms, applications, etc.
    • Small size is prone to theft and loss
    • All devices may not be corporate owned
    • Multiple configurations of the Blackberry Enterprise Server (BES) architecture
    • Limited centralized update mechanisms
    • Limited IT/CIO Control

    Sources of Recommended Controls and Security Guidelines:

    • The Vendor (Microsoft, Treo, RIM, etc.)
    • SANS (www.sans.org)
    • NIST has a great publication
    • Other existing guidelines
    • 3rd Party Solutions often fill the gaps

    Once the vulnerabilities have been identified we proceed to implement controls and audits.

    Controls:

    Controls will include policies, standards, practices, procedures, guidelines, awareness, authentication, encryption, and asset management.

    Audits:

    Once the scope has been defined, audits allow a review of how policies are implemented across the BES, servers, Blackberry devices, and Blackberry desktop agents. Audits also allow the review of configuration and options to ensure that security is not just available but actually implemented. Additionally, the configurations pushed down to end devices need to be audited as well.

    The infrastructure design and configuration of network components (firewalls, routers, switches, VLANs, etc.) will need to be audited as well, as they play an integral part in the overall security of the system.

    Risk Assessment:

    Although this requires additional resources and expertise, it's a must in certain environments like corporate or government. A risk assessment will identify security vulnerabilities and provide a second chance to identify all "assets".

    Once this has been completed, validating the risk by performing an "ethical hack" will remove any uncertainty by proving that the vulnerabilities identified actually exist.

    Conclusion:

    Providing documentation on the findings is vital. The documentation required will contain an executive summary, action items and details for system administrators, and a clear and concise report with both the good and the bad findings.

    A couple of things that should not fall through the cracks are ensuring that the corrective actions are implementable within the organization and that the next audit is scheduled.

    Sample Policy:

    Sample Blackberry Enterprise Server Policy

    Written by Jose Vicente Ortega

    January 11th, 2009 at 3:02 am

    Security Conferences

    without comments

    It is my intention next year to attend at least a couple of security conferences if not more.

    Below is a list of the most established ones and those I found attractive.

    CSI

    The largest information security conference on the East Coast is also the only security conference expressly assembling experts to challenge the status quo.

    CSI thinks that we should forget about tweaking the status quo. We're already well into a post-perimeter world but without a consensus on the strategic plan moving forward. It's time to grapple with the issues and technologies that can radically alter the way security works, now and in the months and years ahead.

    Site Link

    Defcon

    It’s the largest underground hacker convention in the world!

    When: July 31 – August 2, 2009
    Where: Riviera Hotel & Casino in Las Vegas, Nevada, USA
    Cost: $100 (USD) NB. It’s cash only. (free if you’re a full badge Black Hat attendee)

    Site Link

    Black Hat

    The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.

    When: Various
    Where: Las Vegas, Amsterdam, Tokyo, Washington DC
    Cost: Varies

    Site Link

    SecTor

    SecTor brings the world's brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT Professionals to collaborate with their peers and learn from their mentors. Held at the Metro Toronto Convention Centre in downtown Toronto, SecTor runs two full days. The event features Keynotes from North America's most respected and trusted experts. Speakers are true security professionals with depth of understanding on topics that matter. SecTor is a must-attend event for every IT Professional.

    When: October 5-7, 2009
    Where: Toronto, Ontario, Canada
    Cost: Early Bird: $499, Standard: $749, Full: $999 (CDN)

    Site Link

    ShmooCon

    ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

    When: February 6-8, 2009
    Where: Wardman Park Marriott, Washington DC, USA
    Cost: From $100-$300

    Site Link

    Chaos Communication Congress

    The Chaos Communication Congress is an international, five-day open-air event for hackers and associated life-forms. The Camp features two conference tracks with interesting lectures, a workshop track and over 30 villages providing workshops and get-togethers covering a specific topic.

    When: December 27th to 30th, 2008
    Where: bcc Berliner Congress Center, Berlin, Germany
    Cost: 130 € – 1500 €

    Site Link

    Toorcon

    ToorCon is San Diego’s hacker conference bringing together the top security experts to present their new tricks of the trade and have fun in the sunny and beautiful city of San Diego.

    When: September 2009
    Where: San Diego, California, USA
    Cost: From $120-$200

    Site Link

    HITB Security Conference

    The main aim of our conferences is to enable the dissemination, discussion and sharing of network security information. Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, this year's conference promises to deliver a look at several new attack methods that have not been seen or discussed in public before.

    When: Various
    Where: Dubai, Malaysia
    Cost: Varies

    Site Link

    Phreaknic

    PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization.

    When: October 2009
    Where: Nashville, Tennessee, USA
    Cost: $25

    Site Link

    SANS

    SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices. They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.

    When: Various
    Where: Various
    Cost: Varies

    Site Link

    Techno Security Conference

    TheTrainingCo. is both new and old. As a corporation, it is the culmination of a dream that we have been sharing with people for the past decade. In that sense, it is new. We officially opened our doors in early 1999.
    We are old in that the experiences of our senior staff are almost unmatched in their knowledge of the subjects being addressed at our conferences and speaking engagements. Every bit of that hard-earned knowledge came as a result of years of highly specialized work and contact with thousands of people. Our two senior members alone bring more than half a century of pioneering efforts in the fields of Techno-Security and Cyber-Crime Prevention.

    When: May 31 – June 3, 2009
    Where: Myrtle Beach, SC, USA
    Cost: $895

    Site Link

    CEIC Conference

    CEIC offers lectures and hands-on labs delivered by industry-leading experts, which gives attendees the opportunity to learn the latest techniques and methodologies in computer forensics, eDiscovery, incident response and enterprise investigations.

    When: May 17-20, 2009
    Where: Loews Royal Pacific Resort, Universal Orlando, USA
    Cost: $895

    Site Link

    IntrusionWorld Conference

    The IntrusionWorld Conference & Expo is the forum for business and corporate executives and industry, government, legal and academic experts that aims to present the state of the art of the practice and emerging technologies in intrusion prevention. Peer-to-peer groups will help us understand the trends and confront the challenges inherent in today's intrusion prevention technologies, products, systems implementation and risk management. Field practitioners will exchange best practices and lessons learned. Participants will share ideas and expand business and professional contacts during lunch roundtables, workshops, receptions and other activities.

    When: May 2009
    Where: Baltimore, MD, USA
    Cost: $875

    Site Link

    The Last Hope

    We all knew these days would come. The Last HOPE is the seventh Hackers On Planet Earth conference.

    When: July, 2009
    Where: Hotel Pennsylvania, New York, USA
    Cost: $

    Site Link

    RSA Security Conference

    In information security, you’re trained to expect the unexpected. Changes occur in a nanosecond. Stay on top by staying one step ahead — attend RSA® Conference 2008!
    Join us for the most comprehensive forum in information security. Come learn about the latest trends and technologies, get access to new best practices, and gain insight into the practical and pragmatic perspectives on the most business critical issues facing you today.
    Connect and collaborate. Build your professional network. And mingle with 17,000 of the industry’s best and brightest.

    When: April 20-24, 2009
    Where: Moscone Center, San Francisco, California, USA
    Cost: From $1495 – $3295

    Site Link

    Info Security Canada

    When it comes to your critical information – it’s not a question of if it’s at risk, it’s a question of when. Stay in front of the fast, ever changing information security curve, at Infosecurity Canada 2008, your first and best line of defense.

    When: June, 2009
    Where: Toronto, Ontario, Canada
    Cost: TBD

    Site Link

    Written by Jose Vicente Ortega

    December 17th, 2008 at 1:38 am

    Posted in Security
