  Show Posts
31  EH-Net / News Items and General Discussion About EH-Net / Re: Help Promote EH-Net on: March 30, 2007, 12:36:47 PM
I too am guilty of not spending more time in the forums.  We all have "things" going on that tear us away from being here, but spending even a few hours a week will make a big difference.

The easiest way to get our name out is to be attentive to new posters and keep the forum moving.  Word of mouth is what will help to propel EH.net to its full potential.

just my 13 pesos
32  EH-Net / ChicagoCon 2007 / Re: ChicagoCon by The Ethical Hacker Network on: March 30, 2007, 12:26:56 PM
Sorry, I'm late to the party...this is a great idea, and will really help us to position ourselves as one of THE sources for the infosec community. 

Nice work, Don!
33  Columns / RichM / Internet Storm Center on: March 29, 2007, 08:47:14 PM
For anyone not familiar, Internet Storm Center (ISC) is a great way to keep track of the current condition of the internet.  Each day a different administrator is assigned to keep diary entries.  These entries vary from current attack vectors, to discussions of critical patches for various OS' and applications.  The ISC also contains a list of the top 10 ports being attacked and a world map depicting attack trends. 

The ISC is a resource that helps to paint a picture of what is going on in the cloud, the problem is that most of us have 20 tasks to complete, and even the two minutes needed to browse the site is too much to spare.  Luckily (and if you are running Windows), Tom Liston of Intelguardians, wrote an application that sits in the system tray http://handlers.sans.org/tliston/ISCAlert.zip.

Simply download the .zip file, and double click the .exe.  If you have an environment which restricts executables, simply copy the .exe into C:\Documents and Settings\uuser\Start Menu\Programs\Startup.  In the system tray you will see a small icon of the world, which hopefully will be green, this indicates that everything is normal.  As the threat level increases, the color of the icon changes; for a complete breakdown of each threat level and the color which represents the threat see http://isc.sans.org/infocon.html
34  Columns / RichM / Re: [Article]-Help RichM Secure Enterprise IM on: February 01, 2007, 10:43:22 AM
ChrisG,

I think that silc is great and I did consider it, but I am hesitant to give my users the ability to stream video and take up that much bandwidth.  I am definitely interested in it, but considering how much info. is spread out (in various forms), I thought jabber would be a fun project that could ramp up to more advanced tools like silc. 

If nothing else I could see my internal IT department using a silc server, making the most of various tutorials that are available to our community, some of which are hosted on this site.
35  Columns / RichM / Re: [Article]-Help RichM Secure Enterprise IM on: January 31, 2007, 08:05:54 AM
Brian,

I appreciate your post and the technology sounds interesting, but unfortunately we have no budget for IT, let alone information security. I will keep this in mind in case I do find that magic funding well this, or a security course in HI :)
36  Columns / Hoffman / Re: [Article]-Blackjacking on: January 30, 2007, 10:36:25 AM
Congrats on the book, Dan!

I will definitely be picking this up, I like the topic and the way in which you approach it with the scenarios.  This is an emerging technology which most (myself included) know very little about.  Hopefully after I read this, I won't be so paranoid about turning my bluetooth on ;)

37  Columns / Wilson / Re: [Article]-Automatic Update: Good or Bad? on: January 30, 2007, 10:32:33 AM
Great article SlimJim100!

I think to a large extent we are at the mercy of our vendors, but to use p2p is irresponsible and should not happen.  I remember for a while (and possibly it still happens) that testing patches (primarily speaking of windows) was the mantra, but as things have advanced and IT staff are forced to handle more responsibilities testing (at least for a lot of us) is not an option. 
Every time I do my updates, I sweat a little hoping that nothing crashes, but that has become par for the course.

For anyone that wants to combat phoning home (and unauthorized installs) use SpyBot, http://www.spybot.info.  With a little tweaking, nothing will be able to install unless you expressly allow it.  Yes it is a hassle but well worth it.  Spybot allows you to take control of your machine and decide who can and cannot access your machine.  DISCLAIMER: Using Spybot to stop phoning home may cause your machine to stop functioning properly, before using SpyBot make certain you have a good backup of your registry (part of the initial install).

Again great article Slim, thank you.
38  Columns / RichM / Re: [Article]-RichM on BCP and Free Apps Like Spiceworks on: January 05, 2007, 12:19:23 PM
slimjim100,

No problem, and so you're aware they just released an update (v1.1) which promises to make it twice as fast (or perhaps more accurately half as slow) ;)

They also added custom attributes for reporting and some other stuff that makes it even better.  I will try to highlight other free apps. in the coming mos.  Thanks for reading.

39  Columns / RichM / Re: Your space sucks: A wakeup call regarding myspace on: December 21, 2006, 07:39:02 AM
Yeah, that's the latest one as of right nnnnnnnnow.  I'm certain that a new one will be here.  I mean there are 70,000,000 users (according to your link) at myspace, that is insane; especially since over 60,000,000 could care less as long as they can chat.  Sobering, to say the least.
40  Features / Opinions / Re: Favorite Anti-Virus, IPS and IDS on: December 19, 2006, 07:48:55 AM
p0et,

Anti-virus
seems to be best in groups, problem is the impact on a network.  Truth is some av companies will "out scoop" the others on some viruses, and other times their defs. will be the last to get updated.  AV is a crapshoot, Symantec seems to have the best reputation, (or at least the biggest market share) but Trend Micro, Sophos, etc. seem to hold their own. Overall I would recommend two virus scanners (from two different companies) for mail servers and one for the enterprise as a whole.  As long as you have it constantly looking for updates that's all you can really do.

Anti-spam

(this is not a commercial and I do not get compensated) you can't get much better than a barracuda spam filter.  I was skeptical at first (and loathed the commercials they play incessantly) but the truth is, it works. 

It allows you as the admin. to set rules and tweak existing heuristics, which stop the spam, before it enters your network.  A common issue with spam filtering is false positives and the loss of critical good email.  This is not an issue with barracuda though, since it sends an email daily to each user letting them know what was blocked.  If there is a good message trapped by the filter, the user simply needs to click whitelist, and the email is delivered.

I love getting my hands dirty and making things work without a fancy gui, but spam is not my passion, and if I can stop spam from becoming someone's full time job (monitoring and retrieving messages) then I couldn't be any happier.

IDS/IPS
I'm sure someone can recommend a good hands on course (believe sourcefire has courses throughout the country)  that will give you the knowledge you need to understand how IDS works, or in the very least give you enough information to get you through an interview.  Hope this helps. Good luck!
41  Features / Opinions / Re: The progress of Hacking on: December 18, 2006, 11:04:39 AM
I think that what you find in most industries are overworked admins with little to no time to deal with crucial security issues.  I have worked in places where they are global and have staff needing support at all hours in all timezones.  It is nearly impossible to update 80+ servers, without causing downtime, which as we all know is inexcusable :)

I am just talking about critical security updates, I must admit that no, we did not test the updates; they were deployed as fast as possible to both *nix and windows boxes.  Was I lazy? Absolutely not, just dealing with unfair expectations of no downtime.  Yes there are lazy admins out there, but I think for the most part they are trying not to upset the apple cart, it doesn't make it right but...
42  Columns / RichM / Your space sucks: A wakeup call regarding myspace on: December 14, 2006, 07:16:18 AM
The title of the post is inspired by a t-shirt I saw, http://www.jinx.com/scripts/details.asp?productID=636 (I am in no way affiliated with jinx, but I do love the shirt) and not some deep-seated resentment towards an online community.  I am not critiquing the idea of myspace or its ability to re-unite old friends, I am however railing against how myspace operates.  The very way in which myspace users interact with one another flies in the face of good internet practices.  For those not familiar with myspace, it is a portal where users find each other through a search engine then join one another’s pages.

Once they become a “friend” they are free to post messages and share files.  Here’s the problem, most users have aliases, so even if they say that they are Jim from second grade how do you know icedancer35 could be someone pretending to be Jim for an insidious purpose.  We have been taught and (hopefully) teach our staff not to open email from people they don’t know, but that is exactly how myspace operates.  If users want to wreak havoc on their own computers at home so be it, but our networks should suffer because of it.  In the last week, two worms for myspace have been identified and there are certainly more on the way.

The latest myspace vulnerability can be found here http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up  Basically, links on the users’ sites are re-directed to phishing sites and anyone who visits could be infected as well.  No, this is not a major problem, but that is because they are only phishing links.  What if the links instead brought the unsuspecting user to a page that had a 1X1 pixel of a Browser Helper Object (BHO), that installed a Trojan.  The popularity of myspace could easily create a zombie net of several hundred thousand machines in a matter of minutes.

There are countless others, but this is the latest.  I understand the appeal to re-connect with old friends or re-kindle lost loves, but not on my network.  I am loath to stop users from browsing the internet, it is more trouble than it's worth and everyone deserves the right to browse the internet for a five minute break, to get re-focused.  Myspace however is too susceptible to problems and therefore I am urging all responsible infosec professionals to block myspace.

I have done some research and the following are methods that can be used to keep myspace off your lan.

http://www.softwaretipsandtricks.com/forum/internet/26149-how-block-myspace-com.html

http://www.techimo.com/forum/t169608.html

http://www.zemericks.com/support/howtos/blockmyspace/index.asp

Again, the purpose of this post is not to highlight a particular worm or threat, but to illustrate the very real threat that myspace could become. If you do allow your users access to myspace, ask them to verify who it is they allow on their pages and that they only visit trusted sites.
43  Columns / RichM / Re: [Article]-RichM Takes the Field on: December 13, 2006, 03:45:57 PM
Psychorugger,

What kind of budget do you have to work with?  Are thin clients or virtualization an option?  That might help a little.

Unfortunately, getting the budget for a few new servers and a much needed upgrade to 2003 (server and Exchange) has used up the budget for the foreseeable future.  It is frustrating but also forces me to be resourceful.  Yesterday I received a survey asking about the infosec tools that I had and used.  Every item on the list was commercial and I had to laugh at the end of the survey I hadn’t checked a single box, except of course “none of the above”.

I would love to get thin clients, as far as I’m concerned the less control a user has over “their” machine the happier I am.  The idea of having all data stored centrally excites me but for now that will not be an option.  I have looked at virtualization, but as of right now I have bigger fish to fry, thanks for your enthusiasm, hope you continue to enjoy the column.

Slimjim100,

I also found running ethereal (wireshark) for a baseline is a very good idea. A lot of networks I have had to clean up had crazy network traffic running wild and it's a good idea to understand where you started and where you are later in the game.

I love wireshark, I can’t say enough good things about it.  Glad you mentioned it, great app.

I was able with a packet sniffer to see 5 client computers were listening to internet radio and a lot of others were running p2p network software.

What a surprise, any chance the owner was one of the guilty parties? 
 
I wish you good luck and keep the story going.

Thank you very much, I will do my best.
44  Columns / RichM / Re: [Article]-RichM Takes the Field on: November 30, 2006, 07:53:31 AM
all you showed was the Class C, can we assume that's all the computers you have?

I did show a Class C, however that may not necessarily be the case :)

are  you running Active Directory?


We are running AD, sadly it is in mixed mode while we show the dinosaur servers the door, should be fully integrated within the next few months.  I am EXTREMELY eager to lock the servers down using group policy.

I know you probably have to be a bit vague about the network setup but can you say what OS's you are dealing with? 2k, XP, 2k Server, 2k3 Server?

I am vague with some things (network class for example) so I can be detailed with other things.  We are running Windows Server 2003 R2, and Exchange 2003 (of course there are those NT boxes which are being phased out)

You may want to consider creating a baseline OS (master disk, whatever you want to call it) and image all of the machines on your network.

Chris, you read my mind :)  I am not willing to concede my network to someone else's effort (or lack thereof) I am planning on creating a "golden image", which is locked down, free of unnecessary services, and uses efficient software as opposed to bloatware ex. foxit http://www.foxitsoftware.com/downloads/

it's a significant amount of work at first but will save you time later because you'll know that all your machines on your network have the same configuration and when/if a machine is compromised it's easy to get that box up and running.

I couldn't have said it any better myself, there is a tremendous amount of peace of mind that comes with all that work

I can help you with that if that's something you want to take on.


I have read your posts in the past, and am thrilled that you have taken interest in my column. I am open to any and all suggestions, this task is somewhat overwhelming and I think that this column and everyone's feedback will help to give it focus.
45  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CISSP Practice Questions (Exam Cram 2) on: November 22, 2006, 02:05:42 PM
That is a great idea, thanks ChrisG. I am concerned about blowing the 500 bucks as well.  I know the material, but I'm not 100% sure I'm test ready.

This could be the litmus test I need to convince myself that I am making (not making) the right decision to test now.