Aug 31 / kyle

Safeguarding Your Most Vital Business Resource

Safeguarding your critical business information is one of the most important aspects of running a business. Of course, there are various measures used to protect this information, such as firewalls, encryption, and access control. However, using security technology is only the first step to protecting your business information. Using security is not the same as practicing security, and the latter is a much more effective way of protecting your systems.

Practicing good information security means more than just turning on a box or installing software and assuming your business is in the clear. Educating the workforce is a great way to practice good security. Another method (and the purpose of today’s post) is periodic testing of equipment and systems to ensure that they are truly protecting your information. Penetration testing is exactly that: testing your implementation for holes and gaps that could potentially lead to compromise of your business information.

David Maynor makes a good point in his article about zero-day penetration testing. New attacks appear daily and without warning (known as zero-day attacks). Many times, the technology itself can’t protect against these types of attacks, and they are the most dangerous. Penetration testing looks for these types of vulnerabilities in your systems, and allows us to set up generalized mitigation techniques that will go “above and beyond” the technology itself to secure your business resources. Even though it is difficult to anticipate specific attacks, a good security professional is aware of new issues associated with specific technologies, and can employ measures such as better configuration, education and patching to strengthen the system.

At Etnacom, we have nearly 10 years of experience in all realms of information technology (industry, government and academic) that allow us to test the security of technologies that reside within your organization. We have the tools, knowledge and manpower to assist you in keeping your most vital business resources safe from outside threats.

Aug 26 / chris

USB Drives and “Sick” Planes


Spanair 5022 (from Wikipedia)

It has been over 2 years since Spanair Flight 5022 crashed, killing 154 people. MSNBC recently released this article, which mentions that undetected malware could be to blame. As the world becomes more technology dependent, we need to take more steps to ensure safety. It is simply not responsible to allow systems to be interconnected without putting appropriate safeguards in place.

This incident is emerging proof that we live in a world where security sensors and checks on computer systems could mean the difference between life and death. Even in a perfect world (without malware and threats) we would still need to worry about human error and software malfunction.

Can we stop all malware? No. But we can take steps to minimize the impact of malware and reduce risk wherever possible. Monitors and machines that support life or even affect life are obviously those with the highest risk and should operate under the most stringent integrity checks.

In this particular case, the medium with the malevolent payload was a USB thumb-drive. This form of removable media could have been infected with malware, thus infecting the entire system. This leads us to ask: What are the security policies in place at this airline? What are the security policies at any establishment where lives are at risk?

This is a great time to reflect back on the nature of your own organization and think about the systems that you are running. Does your computer network handle systems that could harm others? Does it hold private or confidential data about your company or more importantly, your customers? If so, it might be wise to consider the risks associated with introducing foreign media onto the network.

Jul 8 / Paul

More on the CYBERCOM MD5 Hash

Yesterday, the Internet “blew up” with hype over the mysterious characters around the U.S. Cyber Command logo. As reported by various blogs and news outlets all over the world (here’s one from ComputerWorld), people quickly started to catch on that the mysterious string is an MD5 hash. ComputerWorld and many others lead you to believe that these people were also able to “crack” the MD5 hash and recover a secret message, but that is absolutely untrue. In fact, it is impossible to generate an original message or piece of data from an MD5 hash.

MD5 Hashes Explained

For those of you who know what an MD5 hash is, feel free to skip this section. Otherwise, read on. An MD5 hash in simplest terms is a digital “footprint” of a piece of data. That data could be a message, a computer program, a music file, or anything else that occupies data storage. It doesn’t matter how large the file is – an MD5 hash is usually 128 bits. An algorithm creates a “hash” of the data (for more information on how a hash function works, take a look at this Wikipedia article). The most common application for a hash is to verify the integrity of a file – if you generate a hash, change the file, and then generate a new hash, the hashes will not match. This helps to determine if a file was changed either on purpose or by accident (such as being corrupted in a download). Another important fact is that a hash function is one-way – that means there is no way to recover the original data from the hash itself. The only way to see if a particular piece of data corresponds to the hash is to run the algorithm against the data you think the hash might be for and see if the algorithm yields the same output. Basically, brute force it, or guess and check.

In recent years, researchers found quite a few vulnerabilities in both the MD5 hash and SHA-1, another one-way hash function. These vulnerabilities could compromise the intent of the hash function and could theoretically allow someone to make changes to the file which are undetected by the hash function (in other words, the hash would stay the same after the change). The most secure implementation of the one-way hash at the moment is the SHA-2 algorithm, so if you’re looking for the best, use that.
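The integrity check and the guess-and-check comparison described above, as an added example that is not part of the original post. The function names and sample data are constructed for illustration; verification defaults to SHA-256 (a SHA-2 function), and MD5 appears only to show the fixed 128-bit output and the candidate comparison.

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024  # read in pieces so large files need not fit in memory


def digest_stream(stream, algorithm="sha256"):
    """Return the hex digest of a binary stream, hashed chunk by chunk."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(stream, expected_hex, algorithm="sha256"):
    """True only if the stream hashes to the published digest."""
    actual = digest_stream(stream, algorithm)
    # compare_digest takes the same time wherever the first mismatch is.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def find_match(candidates, target_hex, algorithm="md5"):
    """Guess and check: hash each candidate and compare it to the target."""
    target = target_hex.strip().lower()
    for candidate in candidates:
        if hashlib.new(algorithm, candidate).hexdigest() == target:
            return candidate
    return None  # nothing matched; the digest itself gives no further hint


if __name__ == "__main__":
    # Constructed sample data standing in for a downloaded file.
    original = b"quarterly-report v1\n" * 50_000
    tampered = original[:-2] + b"2\n"  # a single byte differs
    published = digest_stream(io.BytesIO(original))

    # Same digest length for a 3-byte and a ~1 MB input (32 hex chars = 128 bits).
    print(len(digest_stream(io.BytesIO(b"abc"), "md5")),
          len(digest_stream(io.BytesIO(original), "md5")))
    print("original verifies:", verify(io.BytesIO(original), published))
    print("tampered verifies:", verify(io.BytesIO(tampered), published))
    # The only route from digest to data is testing guesses one by one.
    target = hashlib.md5(b"abc").hexdigest()
    print("match:", find_match([b"a", b"ab", b"abc"], target))
```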

Obviously, the hash function in the CYBERCOM logo is meant for decoration, and to get some attention. I guess it worked.
