
Category Archives: Publications

Publications by Sword & Shield Enterprise Security staff members.

…But You Can Prove Who Did it, Right?

“Many times as computer forensic analysts we are asked to answer questions such as, ‘Did the suspect steal this information?’ or ‘How did the intruders get into our system and what did they take?’ From time to time, we are also asked questions such as ‘How do they know everything I am doing?’ or ‘How did they get this information?’ And then there is the statement from the client that makes most of us cringe, ‘Someone has hacked into my computer and is monitoring everything that I do.’”

So writes Sword & Shield Director of Computer Forensics Bill Dean in a featured article for Digital Forensics Magazine’s May 2011 edition entitled “Detecting Computer Monitoring and Commercial Spyware Applications.”

Digital Forensics Magazine is a quarterly features and news magazine from the world of computer and cyber crime and digital forensics. The content published in the magazine is all technically reviewed and carries a certain weight of quality that other trade magazines or webzines don’t offer. Digital Forensics Magazine regularly features articles and news regarding cyber terrorism, management issues, investigation technologies and procedures, training, eDiscovery and tools and techniques.

Dean, a certified computer examiner (CCE), certified penetration tester (CPTS), certified incident handler (GCIH), and certified forensics analyst (GCFA), writes in this online article preview:

“You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zero-day exploit or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to invest $99 for a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installation screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.

Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion anti-virus companies typically prefer not to face litigation from flagging commercial software as a “Virus.” Therefore, detecting commercial-level spyware can be challenging with signature-based protection. This level of protection also allows the spyware vendors to make claims such as “completely invisible”, “unparalleled invisibility technology”, and “remains stealth”. In many instances, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that the spyware will likely “call home” at some point to be effective. Malicious activity can be detected and confirmed by utilizing simple methods for some spyware or by utilizing more detailed methods, like sandboxing, for others. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analyzing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.
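The “call home” idea above is the one consistent handle a defender has on this class of software: a monitoring agent has to upload what it captured, and it usually does so on a timer. The following script is an added example (not code from Dean’s article or from Sword & Shield) that looks for that pattern in outbound-connection records. The log format, host name and destinations are constructed for illustration; a real run would feed it firewall, proxy or netflow exports in the same three-field shape.

```python
"""Detecting periodic 'call home' traffic in outbound-connection records.

Added example (not code from Bill Dean's article or Sword & Shield): the log
format, host names and destinations below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <source host> <destination:port>"
# (deliberately not in time order, as exported records often are not)
SAMPLE_LOG = """\
2011-05-02T09:00:00 WORKSTATION-7 mail.example-corp.test:443
2011-05-02T09:00:05 WORKSTATION-7 reports.monitor-vendor.test:443
2011-05-02T09:05:05 WORKSTATION-7 reports.monitor-vendor.test:443
2011-05-02T09:07:41 WORKSTATION-7 news.example-corp.test:80
2011-05-02T09:10:05 WORKSTATION-7 reports.monitor-vendor.test:443
2011-05-02T09:15:06 WORKSTATION-7 reports.monitor-vendor.test:443
2011-05-02T09:31:12 WORKSTATION-7 mail.example-corp.test:443
2011-05-02T09:20:04 WORKSTATION-7 reports.monitor-vendor.test:443
2011-05-02T09:25:05 WORKSTATION-7 reports.monitor-vendor.test:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows


def find_beacons(text, min_events=4, max_jitter=0.10):
    """Return flows whose inter-connection gaps are nearly constant.

    A flow qualifies when it has at least `min_events` connections and the
    standard deviation of the gaps is under `max_jitter` of the mean gap.
    Legitimate traffic (mail, browsing) is bursty and irregular; an agent
    uploading captured data on a timer is not.
    """
    beacons = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "events": len(stamps),
                            "interval_seconds": avg, "jitter": jitter})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dst']}: {b['events']} connections "
              f"every {b['interval_seconds']:.0f}s (jitter {b['jitter']:.3f})")
```

On the constructed sample only the monitor-vendor flow survives: six connections at an almost exact five-minute cadence, while mail and browsing fall below the event threshold or have no regular gap. The flagged destination is then what the analyst takes to the sandboxing step the article mentions, to confirm what the agent is sending. Some commercial agents randomise their upload interval, so `max_jitter` is a tuning knob rather than a constant.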

The full version of Dean’s article will appear next month. Subscribe to Digital Forensics Magazine to read the story in its entirety.

Also posted in Computer Forensics, Electronic Discovery


Laptop Encryption Can Save Companies Compliance Headaches

Sword & Shield’s director of risk, compliance and security assessments, Dave Shackleford, believes using endpoint security controls not only helps organizations stay compliant with multiple regulation mandates, it also helps companies retain customer confidence, protects against litigation and thwarts bad “PR.”

With vast numbers of records being lost or stolen, particularly from mobile systems, more organizations should be using endpoint security controls such as laptop encryption. In addition to the potential loss of customer confidence, litigation concerns, and general “bad press” that come with a public data breach, many organizations need to adhere to multiple compliance and privacy mandates at state, federal, and industry levels. Although few compliance requirements actually mandate the use of laptop encryption, it is definitely needed if laptops routinely carry sensitive payment card, health care, or financial data that fall under PCI DSS, HIPAA, GLBA and Federal Financial Institutions Examination Council security guidelines. In addition, new state privacy laws such as Massachusetts’ new data law, 201 CMR 17.00, specifically require the use of laptop encryption.

There are a number of specific types of laptop encryption available, both as free and commercial products. In addition to product capabilities and implementation types, there are numerous deployment considerations that organizations need to evaluate before rolling out laptop encryption. We’ll address the major types of laptop encryption available today, ranging from pre-encrypted drives to full disk encryption software, as well as everything in-between. We’ll also examine the critical issues of key management and policy management.

To read more, please visit SearchSecurity.Com’s Tech Target E-zine. Free registration is required for full access.

Also posted in Compliance, Security News


How Virtualization Affects GRC

Dave Shackleford, Sword & Shield’s Director of Risk & Compliance, has a new article at The Security Catalyst discussing virtualization implementation and its effects on compliance.

Virtualization technology is becoming ubiquitous. More and more organizations are replacing physical infrastructure with virtualized systems, including desktops and servers, and application and storage virtualization are popular as well. Virtualization changes a number of paradigms across the information technology landscape – some obviously for the good, some possibly for the worse. In the realm of GRC, virtualization has some distinct points to consider, many of which may require changes in operations and policy, as well as overall information security management.

Virtualization can help organizations reduce operating costs, and many feel that it’s a key component to “Green IT” strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.

Also posted in Compliance, Virtualization Security


SANS March 23 Webcast – Automated Operating System Lockdown: Security Blanket 4.0 Review

SANS - Automated Operating System Lockdown: Security Blanket 4.0 Review

Featuring: George Kamis and Sword & Shield’s own Dave Shackleford

In complex enterprises, maintaining critical server OS lockdown and state control is difficult to carry out manually. Learn how well TCS Security Blanket 4.0 automates OS assessment, configuration and lockdown across Linux and Solaris server work groups based on a review by SANS Senior Analyst Dave Shackleford.

March 23 1:00 pm Eastern. Register here.

Also posted in Events


SANS March 17 Webcast – Privileged user monitoring

Privileged user monitoring – Automating compliance and managing risk

Featuring: Trent Heisler and Sword & Shield’s own Dave Shackleford

Do you have visibility into everything that privileged users are doing on your network? Would you know if an unauthorized user gained access to and misused privileged credentials? The frequency of these threats is increasing and compliance regulations are changing to mandate monitoring of privileged user access. Yet most organizations can’t answer “yes” to these questions.

This webcast will present the challenges related to privileged user monitoring and highly efficient ways to overcome them. Through real end-users sharing their stories and an expert panel discussion, you’ll gain insight into how to detect and thwart rogue behavior. You’ll also learn how to gain rapid and complete visibility into the creation and modification of users and accounts, automatically identifying suspicious behavior, such as accounts created with non-expiring passwords or non-standard naming conventions. You’ll discover how an integrated log management and SIEM 2.0 solution can provide you with unparalleled visibility to privileged user activity and automate compliance.

This discussion will focus on both the practical and regulatory aspects of effective privileged user monitoring — featuring two IT executives and a compliance expert.

Learn how to discover and prevent:

  • Unauthorized or malicious access to confidential assets
  • Inadvertent exposure of confidential systems/assets to unauthorized users
  • Movement of confidential data to unauthorized individuals or destinations
  • Inappropriate or unauthorized changes to user/account profiles and privileges

March 17 1:00 pm Eastern. Register here.

Upcoming Webcasts with Dave Shackleford

March 23, 1:00 pm Eastern: Automated Operating System Lockdown: Security Blanket 4.0 Review

Also posted in Events


SANS WebCast: Smart Strategies for Securing Extranet Access

Smart Strategies for Securing Extranet Access March 9 1:00 pm Eastern:

Many organizations leverage extranets to share sensitive information with partners, customers and employees. However, unlocking sensitive business data to outsiders presents access control complexities and the risk of compliance violations. Extranets also offer entry points for malware and social engineering attacks that can wreak havoc with the security infrastructure of organizations.

In this live webcast featuring security experts from SANS and Oracle, learn how you can mitigate risk, improve extranet security, streamline compliance and enable your organization to boost its bottom-line by taking advantage of advanced access management technologies.

Featuring: Sword & Shield’s Dave Shackleford, Senior SANS analyst, course author and instructor; and Eric Leach, Oracle director of product management responsible for Oracle Fusion middleware access management tools.

Register here.

Upcoming Webcasts with Dave Shackleford

March 17, 1:00 pm Eastern: Privileged user monitoring – Automating compliance and managing risk
March 23, 1:00 pm Eastern: Automated Operating System Lockdown: Security Blanket 4.0 Review

Posted in Publications


Making VMWare More Secure

Dave Shackleford has a new post at the SANS Blog – IT Audit: 6 VMWare Settings Every IT Auditor Should Know About. Dave teaches the Virtualization Security Fundamentals course at the SANS Institute.

Also posted in Virtualization Security


Build Your Own Version of Microsoft’s COFEE

Bill Dean, our Director of Computer Forensics, has a new article in Digital Forensics Magazine, Wake up and Smell the COFEE:

As everyone in the digital forensics community is well aware, Microsoft recently developed and released a forensic data collection tool named COFEE (Computer Online Forensic Evidence Extractor), intended for the law enforcement community only. But what seemed to be only minutes later, the tool was leaked to various Internet websites and torrent feeds. Very soon, many digital forensics specialists searched for, found, and then anxiously performed their first test of this revolutionary toolset. Disappointment quickly set in. COFEE doesn’t disclose secret backdoors into the system? COFEE doesn’t automatically bypass all passwords or provide the decryption keys? It doesn’t install the “show all evidence” button? No it doesn’t. I want to make one very important point: COFEE does not perform digital forensics. Its primary function is to perform data collection, to be analyzed at a later time. In my opinion, COFEE has a core design flaw; it is comprised of only Microsoft tools. Since many of us do not legally have access to COFEE, let us instead learn to build our own kit and add key functionality not available from Microsoft tools.

Read the whole thing.

Also posted in Computer Forensics


Considerations for Buying and Implementing DLP solutions

Our own Dave Shackleford explains how to choose a Data Loss Prevention solution at SearchFinancial Security.

The first — and arguably most important — feature of any DLP solution is the depth of content awareness and analysis. These tools need to be able to identify a variety of data types, such as credit card numbers, banking records, personal data and financial statements, all in a number of different formats. There are numerous techniques offered by vendors, ranging from sophisticated regular expression pattern matching to dictionary lookups, but more is usually better, especially with regard to file types (Microsoft Word and Excel documents, database files, email archives, etc.).

  • Integration with existing security systems, such as endpoint security tools and encryption, as well as IT infrastructure components like Active Directory and network monitoring tools. Most advanced solutions will incorporate auditing actions that correlate detection and prevention actions with the users who initiate them at the host and/or application level.
  • Accuracy and tested results from existing customers or independent labs. Although many DLP vendors’ products may have similarities in terms of policy types and content detection algorithms, all differ somewhat in accuracy and implementation. Ensure you talk with reference customers and industry sources to get up-to-date opinions on how the product actually performs in production environments.
  • Cost, both to implement initially and maintain over time. Hardware, software and operational costs such as additional personnel should be factored in.
  • Platform support and performance metrics, taking both host-based and network-based DLP tools into account. In large, high-speed networks, not all solutions are equally capable of parsing data and accurately detecting policy violations. On the host side, some DLP agents consume significant processor and memory resources.
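The “depth of content awareness” point above is where DLP products differ most, and it comes down to how much validation sits behind the pattern match. As an added example (not code from Shackleford’s article or from any DLP product), the script below shows the smallest useful version of that layering for one data type: a regular expression proposes card-number candidates, a Luhn checksum rejects the look-alikes, and findings are masked before they are logged. The sample document is constructed; the two card numbers in it are the publicly known Visa and Mastercard test numbers, not real accounts.

```python
"""Content-aware detection of payment card numbers, as a DLP policy would do.

Added example, not code from Dave Shackleford's article or any DLP product.
The sample document below is constructed; the card numbers in it are the
publicly known Visa and Mastercard test numbers, not real accounts.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SAMPLE_DOCUMENT = """\
Order 2011-05-02-7731 was placed by phone (800-810-1885) on 2 May 2011.
Card on file: 4111 1111 1111 1111, expiry 05/13.
Backup card 5500000000000004 was declined; reference 1234 5678 9012 3456
is an internal ticket number, not a card.
"""


def luhn_valid(digits):
    """Luhn check-digit test (the checksum every payment card number passes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so a finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pans(text):
    """Return Luhn-valid card numbers found in `text`, masked, with positions.

    The regex alone over-matches (ticket numbers, long IDs); the Luhn check
    removes most of those false positives, which is the difference between a
    DLP rule that is tolerable in production and one that drowns analysts.
    """
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"masked": mask(digits), "offset": m.start(),
                             "line": text.count("\n", 0, m.start()) + 1})
    return findings


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_DOCUMENT):
        print(f"line {f['line']}: card number {f['masked']}")
```

On the sample, the order number, the phone number and the date never reach the checksum because they are too short, and the 16-digit ticket number is rejected by it; only the two genuine test card numbers are reported, masked. The same regex-then-validate structure extends to other data types in the article’s list (bank routing numbers, national ID numbers) by swapping the candidate pattern and the validator, and a real product adds the file-format parsing (Word, Excel, mail archives) that this example leaves out.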

Read the full article here.

Also posted in Network Security Products


Multifactor Authentication for Online Banking

This week’s SearchFinancialSecurity.com has an article on two-factor authentication, with a special focus on banks. The article was written by Dave Shackleford, Sword & Shield’s new Director of Risk and Compliance. Dave was formerly CSO at Configuresoft Inc. and CTO at the Center for Internet Security, and has worked as a security architect, analyst, and manager for several Fortune 500 companies.

“It’s vital that banks and other financial organizations take the steps to implement secure multifactor authentication. Many different options are available, allowing even the largest organizations to add additional factors to identify legitimate users of Web-based banking and other applications. By not putting these solutions in place, banks risk penalties for non-compliance as well as possible liability claims and lack of consumer confidence in their online banking initiatives.”

Single-factor systems such as passwords and PINs are vulnerable to replay attacks. Someone can intercept your password – by looking over your shoulder, for instance, or using a keylogger that records every keystroke. That password can be sent over and over, so once they have your password they have all the information they need to impersonate you.

Two-factor authentication systems add an additional factor that can’t be replayed. The most common factor is a one-time password (OTP). That password can only be used once and typically has an expiration time. Even if someone intercepts it, they can’t use it later to replay your login credentials. The OTP is usually generated by a token on your keychain or in your wallet. A new option that’s proving popular involves having the OTP sent to your cell phone as a text message, eliminating the need to carry an additional device. Dave’s article explores these options and others.
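The property the two paragraphs above describe, a credential that is worthless once it has been used, is easy to see in code. The following is an added example (not code from Shackleford’s article, and not RSA SecurID, which uses its own time-based algorithm): it implements the HOTP counter-based one-time password of RFC 4226 and a server-side verifier that accepts each code at most once, beside the static-password check that accepts a captured value forever. The shared secret is the RFC 4226 test-vector key, used only so the expected codes are well known.

```python
"""HOTP one-time passwords (RFC 4226) with replay rejection.

Added example; not code from Dave Shackleford's article or RSA SecurID
(SecurID uses its own time-based algorithm). The shared secret is the RFC
4226 test-vector key, used here only so the expected codes are well known.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 test key; a real token holds a random one


def hotp(secret, counter, digits=6):
    """HOTP code for `counter`: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side check that makes each code usable exactly once.

    The server remembers the highest counter it has accepted. A presented
    code is tried against the next `window` counters (the user may have
    pressed the token without logging in); anything at or below the accepted
    counter is refused, so an intercepted code cannot be replayed.
    """

    def __init__(self, secret, window=5):
        self.secret = secret
        self.window = window
        self.last_counter = -1        # in production, persisted per user

    def verify(self, code):
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # consume this and every earlier counter
                return True
        return False


def static_password_check(stored, presented):
    """The single-factor case: the same secret is accepted any number of times."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    v = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print("first login:", v.verify(first))     # True
    print("replayed code:", v.verify(first))   # False: counter already consumed
```

A keylogger that captures `755224` gets one login attempt at most, and none if the legitimate user has already logged in with it; the same keylogger capturing a static password gets unlimited attempts. Time-based tokens (TOTP, RFC 6238) replace the counter with a time step, and a text-message OTP of the kind the post mentions is the same idea with the code delivered out of band rather than computed on a token; in every variant the server-side “used once” bookkeeping is what actually defeats replay.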

Sword & Shield sells and recommends RSA Security’s SecurID two-factor authentication system. SecurID is available in a variety of hardware and software form factors, including BlackBerry software and the Authenticator On-demand, which sends the OTP to your cell phone. SecurID integrates with hundreds of firewalls, VPNs, network servers, databases, and other network systems. See RSASecured.com for a complete list. With the introduction of the SecurID appliance, RSA two-factor authentication is now as simple as it is powerful.

Posted in Publications