Friday, August 10, 2012

A small business opinion

SANS had a great post the other day on protecting small- and medium-sized businesses.  As I have a small company that responds to many small-business incidents, I tend to see firsthand the whats and the whys.  Most of my work with my own company comes from a business that has been hacked or that gets some kind of malware infection.  And time and time again, when we go in to look at what happened, we see that there are no controls, or very few controls, in place.  And, nine times out of ten, the clients have no visibility to even see if there WERE things that might be amiss.  It's only when the pop-ups start, the browsers are hijacked, or the machine crawls that anyone decides to do anything.

So, we end up remediating.  Then we propose actions to take to prevent the issue from occurring again in the future.  Inevitably, I think it comes down to money.  The economy is tough.  Times are tough.  Businesses are scraping by just to stay afloat.  And, as such, whatever is not 100% necessary, or does not SHOW massive improvements to the bottom line, gets dropped in favor of something that will help the company stay profitable.  I believe the mindset is that many times it is cheaper to slap band-aids on the problem each time there is an incident rather than fix the deep-rooted issues in an attempt to stay safer in the long term.

Just what I've seen.

Tuesday, August 7, 2012

DISA Updates

It has been a while since I last posted... there has been a lot of travel and work of late.  However, while perusing DISA's STIG page, I came across the quarterly updates.

The following STIGs have been updated since I last wrote.  Note that STIGs and tools with (*PKI) will require authentication.

IAVM to CVE Mapping Spreadsheet - Updated August 3, 2012
STIG Viewer Beta - Version 1.1.0 - New August 1, 2012
DoD Host Based Security System (HBSS) STIG - Version 4, Release 2 - Updated July 27, 2012
Enclave Zone A Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone B Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone C Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone D Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Security Checklist - Version 4, Release 5 (*PKI) - Updated July 27, 2012
Network Firewall - Version 8, Release 11 - Updated July 27, 2012
Network IDS/IPS - Version 8, Release 11 - Updated July 27, 2012
IPSEC VPN Gateway STIG, Version 1, Release 2 - Updated July 27, 2012
Network Other Devices - Version 8, Release 11 - Updated July 27, 2012
Network Policy - Version 8, Release 11 - Updated July 27, 2012
Network Infrastructure Router L3 Switch - Version 8, Release 11 - Updated July 27, 2012
Network Perimeter Router L3 Switch - Version 8, Release 11 - Updated July 27, 2012
Network L2 Switch STIG Version 8 Release 11 - Updated July 27, 2012
RAS Remote Access Server STIG Version 2, Release 7 - Updated July 27, 2012
Remote Access Policy STIG Version 2, Release 7 - Updated July 27, 2012
Remote Access VPN STIG Version 2, Release 7 - Updated July 27, 2012
Remote Endpoint STIG Version 2, Release 7 - Updated July 27, 2012
Remote XenApp ICA Thin Client STIG Version 2, Release 7 - Updated July 27, 2012
z/OS ACF2 STIG - Version 6, Release 12 - Updated July 27, 2012
z/OS RACF STIG - Version 6, Release 12 - Updated July 27, 2012
z/OS TSS STIG - Version 6, Release 12 - Updated July 27, 2012
zOS SRR Scripts Version 6, Release 12 (*PKI) - Updated July 27, 2012
Windows 2003 STIG - Version 6, Release 1.26 - Updated July 27, 2012
Windows 2003 DC STIG Benchmark Version 6, Release 1.25 - Updated July 27, 2012
Windows 2003 MS STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
Windows 2008 STIG - Version 6, Release 1.19 - Updated July 27, 2012
Windows 2008 DC STIG Benchmark Version 6, Release 1.19 - Updated July 27, 2012
Windows 2008 MS STIG Benchmark Version 6, Release 1.18 - Updated July 27, 2012
Windows 2008 R2 STIG - Version 1, Release 5 - Updated July 27, 2012
Windows 2008 R2 DC STIG Benchmark Version 1, Release 5 - Updated July 27, 2012
Windows 2008 R2 MS STIG Benchmark Version 1, Release 5 - Updated July 27, 2012
Windows 7 STIG - Version 1, Release 9 - Updated July 27, 2012
Windows 7 STIG Benchmark Version 1, Release 13 - Updated July 27, 2012
Windows Vista STIG, Version 6, Release 1.26 - Updated July 27, 2012
Windows Vista STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
Windows XP STIG, Version 6, Release 1.26 - Updated July 27, 2012
Windows XP STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
IAVM 2012 - Benchmark (HBSS Only) (*PKI) - Updated July 27, 2012
McAfee Antivirus Security Guidance - Version 4, Release 6 - Updated July 27, 2012
Internet Explorer 6 STIG - Version 4, Release 7 - Updated July 27, 2012
Internet Explorer 7 STIG - Version 4, Release 7 - Updated July 27, 2012
Internet Explorer 8 STIG - Version 1, Release 7 - Updated July 27, 2012
Internet Explorer 8 STIG Benchmark - Version 1, Release 6 - Updated July 27, 2012
Internet Explorer 9 STIG Version 1, Release 2 - Updated July 27, 2012
Internet Explorer 9 STIG Benchmark - Version 1, Release 2 - Updated July 27, 2012
Microsoft Office 2010 STIG Version 1, Release 4 - Updated July 27, 2012
Microsoft Office 2007 STIG - Version 4, Release 8 - Updated July 27, 2012
Gold Disk (*PKI) - Updated July 27, 2012
IAVM 2012 Benchmarks - Updated July 24, 2012
Draft Intrusion Detection and Prevention System SRG, Version 1, Release 0.3 - Updated July 17, 2012
Windows 7 STIG Benchmark Version 1, Release 12 - Updated July 13, 2012
Database Security Requirements Guide (SRG) - Version 1, Release 1 - Updated July 13, 2012

I made one edit to the list.  The list seems to indicate that the Enclave Zone A checklist was updated four times.  I looked, and found that Zone A, Zone B, Zone C, AND Zone D were updated.  I think it is just a typo in their list of checklists on the main STIG page.  Also note that Gold Disk has been updated.  While we use the Gold Disk in limited situations, as auditors, we've been pushing the use of the SCAP Compliance Checker.  So far, we have not had problems, either in scripting it out to many machines or in getting the results back.  We have, though, spent some time weeding out false positives.