BKESCFTE.RVW   20110323

“Enterprise Security for the Executive”, Jennifer L. Bayuk, 2010,
978-0-313-37660-3
%A   Jennifer L. Bayuk www.bayuk.com
%C   130 Cremona Dr., P.O. Box 1911, Santa Barbara, CA   93116-1911
%D   2010
%G   978-0-313-37660-3 0-313-37660-3
%I   ABC-CLIO, LLC/Praeger
%O   CustomerService@abc-clio.com
%O  http://www.amazon.com/exec/obidos/ASIN/0313376603/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0313376603/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0313376603/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   175 p.
%T   “Enterprise Security for the Executive: Setting the Tone from the
Top”

In the introduction, Bayuk argues against security planning based on FUD (Fear, Uncertainty, and Doubt) and piecemeal implementation of security tools, and for a holistic and systemic approach to security.  She also recommends the promotion of a security culture in the top ranks of management, setting the “tone at the top” to consider security in a rational and realistic manner.

In chapter one, the author stresses that every organization has a culture, and that the actions (and particularly consistency of actions) by senior management set it, regardless of formal statements.  She also raises interesting points, such as that separation of security from the operational units creates perceptions which may be at odds with the security policy.  (I appreciate her championing of “no exceptions,” although I would argue that a formal exception policy could work as well.)  The discussion of threats and vulnerabilities, in chapter two, is weaker (and the questionable etymology of the term “patch” does not increase confidence in Bayuk’s technical background): ultimately it just seems to day that there are threats.  The title “Triad and True,” for chapter three, may refer to “protect, detect, correct” or the more conventional confidentiality, integrity, and availability.  In fact there are a number of other “triads” mentioned, and the text raises a number of good security concepts generally related to safeguards, but is somewhat scattered and incomplete.  Chapter four talks about risk management, but the process of using it to define a security program remains unclear.  Security factors related to organizational governance structure are examined in chapter five.  Standards, compliance and audit issues are discussed in chapter six.  Chapter seven reviews monitoring, incident response, and investigation.  Requirements for candidates for the position of CSO (Chief Security Officer) are noted in chapter eight.  A template job description is included, but the document is perhaps too narrowly specified to be applicable in many situations.

A fictional case study concludes the book.  (In the introduction, the author promised that all “security horror stories” would be true, but I assume reality is less important in case studies.)  This recapitulates, in narrative form, much of the content of the work.

There is much of value in the text, and it is useful to present that content as it relates to senior management.  Senior management support is, after all, the single most important factor in a successful security program.  However, as noted above, much important material is missing, along the way, and the volume appears to be focussed at a particular type of industry or corporation, and so be less useful to those outside that sphere.

copyright, Robert M. Slade   2011     BKESCFTE.RVW   20110323

A recent Twitter post by Team Cymru pointed at a (very brief) debate about the value of security awareness training.  It’s an issue that has concerned me for a long time.

I got interested in security starting with research into viruses and malware.  Early on, I did a lot of work reviewing the various available products.  In the responses I got to my efforts, one point was abundantly clear: everyone, almost without exception, was looking for the “perfect” antivirus.  Even though Fred Cohen had proven that such an animal could not possibly exist, everybody wanted something they could “set and forget.”

Notice two things.  The first is that perfect security doesn’t exist.  As (ISC)²’s marketing phrase has it, security transcends technology.  The second point is that people aren’t particularly keen on learning about security.  They fight against it.  They have to be motivated into it.  And that motivation tends to be individual and personal.

Which means security awareness training is hard, and individual, and therefore expensive.  Expensive means that companies are loath to try it, in any significant way.  Hundreds of thousands or millions of dollars can be spent on a raft of security technologies, but security awareness programs can only get a budget of a few thousand a year.  Which means they can’t be individual, which means they won’t work very well, which means companies aren’t willing to try them.

The default position people take is to resist security awareness.  They don’t want to know extraneous stuff.  They just want to get on with their jobs.  So, even if you were to produce a really good security awareness program, there would undoubtedly still be some who would resist to the end, and not learn.  They wouldn’t benefit from the program, and they would still make mistakes.  So security awareness training won’t be perfect, either.  Sorry about that.

However, I’ve noticed something over the years.  I get asked, by all my friends and acquaintances, for advice about virus protection, and home computer protection.  Some learn the ins and outs, the dangerous activities, the marks of a phishing email message.  They never ask me to clean their machines.  Some just ask about the “best” antiviral software.  Usually after they’ve asked me to clean off a computer.  I identify what they’ve got, and tell them how they got it.  You shouldn’t [do music sharing|do instant messaging|go to all those weird Websites|open attachments you receive] I tell them.  They always have reasons why they must do those things.  (Not very good reasons, mind you, just reasons.)

You know that old medical joke about “Doctor, it hurts when I do this” “Well, do do that”?  It’s not funny.

People ask me what antivirus program I use at home.  Very often I don’t use one, unless I’m testing something.  (At the moment I’m testing two, and I’m about ready to take both of them off, since both of them can be real nuisances at times.)  There are long periods where I run without any “protection.”  I know what not to do.  My wife knows what not to do.  (After all, she read my first book seven times over, while she was editing it.)  We don’t get infected.  Not even by “zero days” or “advanced persistent threats.”

Security technology isn’t perfect.  Security awareness training isn’t perfect.  However, at present, and for as long as I can remember, the emphasis has been on security technology.  We need to give awareness more of a try.

Is security awareness “worth it”?  Is security awareness “cost effective”?  Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security.  Three arguments in favour of at least trying security awareness spending:

1)  When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.

2)  Security awareness is mostly about risk management.  Business management is mostly about risk management.  Security awareness can give you advantages in more than just security.

3)  Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.

I’ve mentioned this before.

We seem to have had a number of disasters this year: earthquakes, tsunami, a few hurricanes (with one currently sweeping Japan, and another building right now off the east coast of the US), wildfires, you name it.  In the US, this is National Preparedness Month.

So this is a good time to get trained.  It gets you CPEs, usually for free.

And, in a disaster, it makes you part of the solution, not part of the problem.

Apparently when the coldcalling species of scamming maggot claims to be Microsoft or partnered with Microsoft, there really is sometimes a relationship of sorts lurking behind the scenes there, though that doesn’t mean that Microsoft are at all a party to the scam, of course.

I’ve been gnawing at that particular bone for quite a while now - see, for instance, http://blog.eset.com/?s=Harley+%2B+support+scam and http://go.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf and http://www.scmagazineus.com/supporters-club/article/199459/ - and the name Comantra has turned up time and time again in the context of site registrations, though I haven’t had the resources to confirm links with the company in terms of individual scam calls.

But somehow I’d never realized the company really was a Microsoft Gold Partner. Apparently Microsoft took some time to make the connection too. But they have, and Comantra is no longer a Gold Partner. According to PC Pro, a Microsoft spokesman said:

“We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices.Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

Somehow, though, I doubt if this means the end of coldcall scams. There were lots of sites and lots of names registered for sites that were associated with individual scammers, and there seems to be no real pressure from law-enforcement in the regions where the calls are actually originating. And Comantra is claiming that it’s all to do with negative marketing from their competitors. Gosh, never heard that one before…

On the other hand, since I moved house a few weeks ago, I haven’t had a single support scam call, though there’ve been a few “we can help you sue your mortgage lender” calls with a reassuringly Indian accent. Still, I miss being told I’m leaking viruses all over Surrey. How long do you suppose it will take them to catch up with me?

David Harley CITP FBCS CISSP. And stuff.
Small Blue-Green World

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provides a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323

Interesting report by Verizon. Highlights:

• External attacks are up 22% and are now responsible for 92% of losses.
• Insider attack is down 31%. (Finally implementing internal security measures and not just focusing on the perimeter?)
• Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.
• 92% of loss resulted from simple, known vulnerabilities

The conclusions sound a lot like the Gartner report:

“Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”

And here’s the same thing in different wording:

“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”

And of course, I like this one because it highlights Automated Vulnerability Assessment:

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Basically, your organization already has the security solution that it needs; you’re just not using it.

I was recently made aware of a site/service called About.Me.  It allows you to sign up, and create a very short Web page about yourself.  I created a page, noted that there wasn’t much else I could do, and figured that was it.

The next day I received a message noting that they were providing email as well.  I could sign up for my own email address (as if I didn’t have enough already) with them.  The instructions said that I could access it via POP and IMAP.

So, I gave it a try.  I activated the email address, and started to test it.  I can send mail to the address (from another account), and retrieve it, but when I tried to send mail through their SMTP server I got an error.  Having done this before, with a variety of servers, I tried some variations on the instructions.  More error messages, and no sent email.

So, I tried their help and support systems.  I ran into the same page of (incorrect) instructions again and again.  I tried to find some way to contact them.  The pages and links labelled “Feedback” have no contact information on them, and no input fields to fill in and send.  Nothing.

Eventually, I did find something that allowed me to send them a message.  I gave details of what I was doing, and sent copies of the error messages I received.

I got a message back.  It asked me for details.  I sent back the same details, including the error messages.  I got a second message.  It asked if I had seen any error messages.

I have sent them a third message with the error messages again.

I very much doubt that this is going to be one of the runaway social media success stories.

The CIA is complaining that news media and other entities are giving away information about it’s agents and operations.

Trouble is, the information being analysed has been provided by the CIA.

If the CIA is being too eager to promote themselves, or careless in censoring the material they do provide, is that the fault of the media?

In doing the CISSP seminars, I use lots of security war stories.  Some of them are from my own work.  Some of them I’ve collected from the attendees over the years.  It’s not hard to use the story to make a point, but leave absolutely no clues as to the company involved, let alone individuals.

I hate illiterate elevators.  I know what buttons labelled “Open Door” and “Close Door” mean.  I have trouble figuring out what two isosceles triangles with their bases towards a vertical line means, as opposed to two isosceles triangles with their vertices towards a vertical line, especially if someone is running for the elevator.  (Particularly when elevator designers insist on making the markings on the buttons chrome on chrome.)  (If I didn’t hold the elevator door for you, that’s why.)

Back when I was doing a lot of computer support and “hands-on” training I developed Slade’s Law of Computer Literacy: There is no such thing as computer illiteracy, only illiteracy itself.

Generally speaking, when I had to help someone who was frustrated because a) the computer wouldn’t do what they wanted, or b) they couldn’t understand what the computer wanted, the answer was right on the screen.  “You must enter user number to proceed.”  “Please indicate you have understood by pressing `Y.’”  “Press any key to continue.”

Windows 7 is going the illiterate elevator route.  Where the buttons on the XP taskbar had a small icon next to the name of the program or file that was open, the Win7 taskbar just has icons.  Of course, if you hover over the icon button, you get all the active windows of that program laid out for you, and the files or titles are given there.  But that doesn’t give me the quick access to exactly the window I wanted anymore.  There is an intermediate step.

(I find this is affecting my operation of the computer in unexpected ways.  I’m using the mouse more, and keyboard shortcuts less, since I have to use the mouse so much for other things.)

Of course, this is all in the name of ease-of-use.  And I dare say that the vast majority of users like it this way, and I’m an old command-line dinosaur who can’t adapt to change.

But I’ve always noted that convenience and hiding-stuff-from-the-user-for-their-own-good generally leads to security problems at some point.

This guide can also be found at http://security-24-7.com/hardening-guide-for-drupal-7-7/
Pre-installation notes The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

PHP installation phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
   rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm
3. Download MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
4. Download PHP 5.3.8 source files from: http://php.net/downloads.php
5. Download the latest libxml2 for PHP from: http://xmlsoft.org/sources/
6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
8. Move to /tmp cd /tmp
9. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
11. Extract the php-5.3.8.tar.gz file: tar -zxvf php-5.3.8.tar.gz
12. Extract the libxml2 source file: tar -zxvf libxml2-2.7.7.tar.gz
13. Move the libxml2-2.7.7 folder: cd /tmp/libxml2-2.7.7
14. Run the commands bellow to compile the libxml2: ./configuremakemake install
15. Move to the PHP source folder: cd /tmp/php-5.3.8
16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
make
    make install
17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php       

    Replace the line from:
    DirectoryIndex index.html
To:
    DirectoryIndex index.php index.html index.htm

    Replace the value of the string, from:
    LimitRequestBody 10000
To:
    LimitRequestBody 600000

18. Copy the PHP.ini file cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
19. Change the permissions on the php.ini file: chmod 640 /etc/php.ini
20. Edit using VI, the file /etc/php.ini Replace the value of the string, from:
    mysql.default_host =
To:
    mysql.default_host = 127.0.0.1:3306       

    Replace the value of the string, from:
pdo_mysql.default_socket=
To:
    pdo_mysql.default_socket=127.0.0.1

    Replace the value of the string, from:
    allow_url_fopen = On
To:
    allow_url_fopen = OffReplace the value of the string, from:
expose_php = On
To:
    expose_php = Off

    To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:
    memory_limit = 128M
To:
    memory_limit = 64MReplace the value of the string, from:
;open_basedir =
To:
    open_basedir = "/www"

    Replace the value of the string, from:To:Replace the value of the string, from:
    post_max_size = 8M
To:
    post_max_size = 2MReplace the value of the string, from:
disable_functions =
To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    Replace the value of the string, from:To:Replace the value of the string, from:
    ;include_path = ".:/php/includes"
To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    Replace the value of the string, from:
    display_errors = On
To:
    display_errors = Off

    Replace the value of the string, from:
    display_startup_errors = On
To:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0
To:
    gd.jpeg_ignore_warning = 1

21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop       

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test

Drupal installation phase

1. Login to the server using Root account.
2. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password       

   Note: Replace the string “new-password” with the actual password for the root account.

    

3. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
   CREATE DATABASE Z5J6Dw1;
   GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
   FLUSH PRIVILEGES;
   quit       

   Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

4. Download Drupal 7.7 from: http://drupal.org/project/drupal
5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
6. Move to /www cd /www
7. Extract the file bellow:
   tar -zxvf drupal-7.7.tar.gz
8. Remove Drupal source file:
   rm -f /www/drupal-7.7.tar.gz
9. Rename the Drupal folder:
   mv /www/drupal-7.7 /www/drupal
10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php
11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"
To:
    DocumentRoot "/www/drupal"
12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop  /usr/local/apache2/bin/apachectl start    

     

     

13. Create the following folders:
    mkdir /www/drupal/sites/default/files  mkdir /www/private    

     

     

14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.php       

    chmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private

16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
17. Select “Standard” installation and click “Save and continue”.
18. Choose the default “English” and click “Save and continue”.
19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

20. Click “Save and Continue”.
21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
22. Select “Default country” and “Default time zone”.
23. Unselect the “Update Notifications” checkboxes.
24. Click “Save and Continue”.
25. Close the web browser.
26. Create using VI the file /www/config.php with the following content:
    $databases = array ( ‘default’–>  $databases = array (
    ‘default’ =>
    array (
    ‘driver’ => ‘mysql’,
    ‘database’ => ‘Z5J6Dw1′,
    ‘username’ => ‘blgusr’,
    ‘password’ => ‘password2′,
    ‘host’ => ‘127.0.0.1′,
    ‘port’ => ‘’,
    ‘prefix’ => ‘Z5J6Dw1_’,
    ),
    ),
    );
    ?>    

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

27. Edit using VI, the file /www/drupal/sites/default/settings.php Add the following line:
    include('/www/config.php');       

    Remove the following section:
$databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), );Replace the string from:
ini_set('session.cookie_lifetime', 2000000);
To:
    ini_set('session.cookie_lifetime', 0);

    To:To:To:To:To:Remove the following section:To:Replace the string from:To:

28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with “.”

     Order allow,deny


     Order allow,deny

# Allow “.” files with safe content types

     Order deny,allow

30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    • Drupal Firewall - http://drupal.org/project/dfw
    • SpamSpan filter - http://drupal.org/project/spamspan
    • Content Security Policy - http://drupal.org/project/content_security_policy
    • GoAway - http://drupal.org/project/goaway
    • IP anonymize - http://drupal.org/project/ip_anon
    • Flood control - http://drupal.org/project/flood_control
    • Password policy - http://drupal.org/project/password_policy
    • Persistent Login - http://drupal.org/project/persistent_login
    • Secure Permissions - http://drupal.org/project/secure_permissions
    • Security Review - http://drupal.org/project/security_review
    • System Permissions - http://drupal.org/project/system_perm
    • Block anonymous links - http://drupal.org/project/blockanonymouslinks
32. From SSH session, move to the folder /www/drupal/sites/all/modules.
33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gz       

    tar zxvf spamspan-7.x-1.1-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gz

    tar zxvf security_review-7.x-1.x-dev.tar.gz

    tar zxvf system_perm-7.x-1.x-dev.tar.gz

    tar zxvf blockanonymouslinks-7.x-1.1.tar.gz

34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz       

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz

    rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
41. Click on Save configuration.

Drupal SSL configuration phase

1. Add the following line to the /www/drupal/sites/default/settings.php file:
   $conf['https'] = TRUE;
2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
   • Secure Pages - http://drupal.org/project/securepages
   • Secure Login - http://drupal.org/project/securelogin
3. From SSH session, move to the folder /www/drupal/sites/all/modules.
4. Extract the downloaded above modules:
   tar zxvf securepages-7.x-1.x-dev.tar.gz       

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

5. Remove the modules source files:
   rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz       

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

6. Open a web browser from a client machine, and enter the URL bellow:
   https://Server_FQDN/?q=user/login
7. From the upper menu, click on Modules -> from the main page, select the following modules:
   • Secure Login
   • Secure Pages
8. Click on Save configuration.
9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

Today when I signed on I got a bit of a shock.  The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it.

It was a shock because this is my computer, and I go along with current password aging thinking, which is that a) we can’t figure out who first figured that password aging was all that hot an idea, and b) if it ever was a good idea, in the modern computing environment, password aging is a non-starter.  Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.

So, I went looking.  Having dealt with security for a number of years, it wasn’t too hard for me to figure out that I didn’t want the control panel (since I hadn’t seen anything along that line while I was modifying other settings), and that I likely wanted “Administrative Tools,” and under that “Local Security Policy.”  I had to read through all the options to determine that I probably wanted “Account Policies,” but, under that, it was obvious I wanted “Password Policy,” and, once there, “Maximum password age” stood out.  With no particular options or actions I went back to the menu bar until I found that “Action” had a “Properties” function, bringing up a dialogue box with an entry box with a number in it.  I figured that setting it to zero might turn off password aging, but I didn’t want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was “Explain,” I choose that.

(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default.  And all that that implies.)

The explanation did confirm that setting the number of days to zero does mean the passwords never expire.  But it also told me that “It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.”

Microsoft, you’ve got to be kidding.  If an attacker has enough access to your system in order to start cracking your passwords, then they’ll almost certainly succeed within a few days.  Unless you’ve chosen a really, really good password, in which case it might be some years.  So 30 to 90 days makes very little sense.  (And, if you’re really serious about the maximum of 90 days, how come the entry box allows up to 999?)

But then, right down at the bottom, it tells me that “Default: 42.”

Oh, sorry, Microsoft.  Obviously you are kidding.  Nobody could take that seriously as a default.

(But then, why is that the default, and why is it enabled by default? …)

The issue prompted a little more thinking on my part.  Was it really 37 days (42 minus 5) since I’d installed the machine?  Ah, but then, it couldn’t be.  As previously noted, I had to take it back to the store to clear up some OS registration issue.  They, of course, didn’t ask what password I’d set, they just blew off the passwords.  So, the 37 days would start from that point, wouldn’t it?

Well, apparently not.  When I checked my journal, it was obvious that the 37 days started when I first started setting up the computer, not when the store eliminated the passwords.

Interesting version of “history” there, Microsoft …

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)² says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)

Complexity is the enemy of security.

I always emphasize that point in the app sec domain when we have those two adjacent slides showing the old system/application environment, and the new.  I also point out that the “new” is now rather old.  When trying to update that slide I came up with eleven different levels without half trying.  Then, of course, you have to add bi-directional arrows between all adjacent components, and between all components on a given level, and between most components on adjacent levels.  Gets convoluted real fast.

Went to a real-time/component trade show recently, and was talking to some people who did embedded systems.  One of their promotional handouts shows a model that has six layers.  (And, of course, you have to add bi-directional arrows between all adjacent components, etc.)  And that’s just for “simple” embedded devices.

We seem to have lost the KISS battle a long time ago.  I guess now we have to try for KIASAPS (Keep It As Simple As Possible, Stupid).