As the threat of some kind of cyberterrorism hits new highs, it’s likely that IT departments could use some extra-special assistance and resources when it comes to electronic security issues and technologies. A good place to start is SecurityFocus.com, which offers free security news, information, and discussion lists, as well as some interesting premium pay services.
Navigating the site
Aside from selected computer security news, SecurityFocus sports feature-type articles that are organized into six "focus areas," each concentrating on a different security subtopic.
Be aware that there's much more to each focus area than initially meets the eye. Unfortunately, the rather confusing site layout manages to obscure most of the content. Here's one navigation hint: Click the Index links in each focus area to find lists of available articles.
If you’re looking for remedial education, SecurityFocus’ The Basics focus area is the place to start. Here, the site's editors have collected a large set of articles, external resource links, and checklists on general security topics. At present, the site is in the middle of an ongoing series on establishing organizational security policies that diminish the likelihood of an attack and the damage caused by any that do occur.
There are some gems to be found amongst the older content as well. For example, "Password Crackers—Ensuring the Security of Your Password" explains why good passwords are your first line of defense against an intrusion. The article discusses the various types of "password crackers" and how they work, and it provides suggestions for creating stronger passwords.
An ounce of prevention
There are two vendor/platform-specific sections that represent the bread and butter of SecurityFocus' operation. You'll find an up-to-the-minute listing of newly disclosed vulnerabilities and links to selected utilities on the main page of each area. Read the vulnerability list at your own risk, however, as it could cost you some sleep, prompt premature gray hairs, or both.
The Microsoft section, as you'd expect, provides security information on or related to the Windows NT and 2000 operating systems and Microsoft enterprise-class applications, such as Exchange and the much-maligned Internet Information Services. You'll find articles providing information on securing and auditing each of these systems plus a section dedicated solely to listing available patches, so you'll always be able to easily find the latest available fix.
The UNIX focus area concentrates on general Linux and Solaris security information. There are more articles available in this area than in the Microsoft area, on topics such as Secure Sockets Layer (SSL), firewalls, IP filtering, LIDS (a kernel patch that restricts some of the root user's capabilities), and securely deploying common applications such as Apache.
Detecting an attack
The Intrusion Detection Systems (IDS) focus area houses a wealth of information on intrusion detection. With introductory articles on the theory of intrusion detection, the creative use of honeypots (deliberately exposed decoy systems that attract an intruder's attention), data analysis, and typical methods of evading detection, there's plenty of reading material here for the security conscious.
You'll find links to some useful UNIX-based detection utilities here as well, like samhain, a file system integrity checker, and saswire, a binary file modification monitor.
Dealing with the aftermath
No matter how tight security is, the truth is that a breach can still occur, given an intruder that is determined and persistent enough. The Incidents focus area is built with that understanding in mind, providing information to help answer the question: "We've been breached; now what do we do?"
Here, there are tips on investigating and analyzing an intrusion, a field guide to reconstructing deleted data, and an interesting series of articles called "Chasing the Wind" that "chronicles the education of folks on each side of the 'digital curtain.'" Although the characters and specific events are fictional, the series is inspired by actual events that the author has witnessed during his career.
E-mail me, and we'll talk
Each focus area has at least one related e-mail discussion list, and there are many others that aren't tied to a specific focus area. The largest is the full-disclosure vulnerability mailing list, Bugtraq. All told, there are no fewer than 140 e-mail lists. Here is a small sampling:
- Web Application Security is a non-language- and non-platform-specific discussion list on the topic of developing secure Web applications.
- Focus-IDS is for sharing ideas and tools useful for detecting security breaches and attacks.
- Focus-MS, Focus-Linux, and Focus-Sun are general security discussion lists aimed at Windows, Linux, and Solaris administrators, respectively.
- The Forensics list is intended to be a discussion of methodologies for conducting computer forensics, or investigations of an attack after it has occurred.
- Security-Basics is a forum for the discussion of security issues for those new to the subject.
Each list has a dedicated archive available on the site. The archives support browsing by subject thread, year, month, and day, but with a few exceptions, it's not possible to search a specific list's archive. Your only option most of the time is a blanket search of all the archives.
In addition to the free content, SecurityFocus offers two premium subscription services.
The premium Attack Registry and Intelligence Service (ARIS) Predictor is intended as a preventative tool, allowing subscribers to anticipate and prepare for network attacks.
ARIS works by collecting intrusion data in real time from some 8,900 organizations in over 100 countries. Using this data, SecurityFocus is able to detect larger-scale security problems, like distributed denial-of-service attacks and worms such as Code Red and Nimda. SecurityFocus is then able to make recommendations to the service's clients about preventative action, such as closing certain ports, usually within an hour of the first incidents.
ARIS is also able to cross-reference intrusion data with SecurityFocus' vulnerability database and can usually determine exactly which vulnerabilities an attacker is exploiting.
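The correlation described above, reduced to its core idea as an added illustration that is not SecurityFocus' code: intrusion reports from many organisations are pooled, a port is flagged when enough distinct organisations report hits on it inside one time window, and each flagged port is cross-referenced against a vulnerability table. The event feed, the organisation names, the window and threshold, and the KNOWN_ISSUES table are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (timestamp, reporting organisation, destination port).
# Stands in for the intrusion data a service like ARIS pools from its subscribers.
SAMPLE_EVENTS = [
    ("2001-09-18T08:00:00", "org-a", 80),
    ("2001-09-18T08:05:00", "org-b", 80),
    ("2001-09-18T08:07:00", "org-c", 80),
    ("2001-09-18T08:09:00", "org-d", 80),
    ("2001-09-18T08:12:00", "org-a", 80),   # repeat from org-a: same source, not a new one
    ("2001-09-18T08:20:00", "org-e", 22),
    ("2001-09-18T08:30:00", "org-f", 22),
    ("2001-09-18T11:00:00", "org-g", 80),   # outside the one-hour window, ignored
]

# Constructed lookup table (placeholder text); the real service cross-references
# SecurityFocus' own vulnerability database.
KNOWN_ISSUES = {
    80: "web server worm activity (placeholder entry)",
    22: "SSH service probing (placeholder entry)",
}

def parse_events(rows):
    """Turn the raw feed into (datetime, org, port) tuples."""
    return [(datetime.fromisoformat(ts), org, port) for ts, org, port in rows]

def find_outbreaks(events, start_iso, window_minutes=60, min_orgs=3):
    """Return {port: sorted orgs} for ports hit by at least min_orgs distinct
    organisations inside [start, start + window). Counting distinct sources,
    not raw events, keeps one noisy reporter from triggering an alert alone."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(minutes=window_minutes)
    sources = defaultdict(set)
    for ts, org, port in events:
        if start <= ts < end:
            sources[port].add(org)
    return {p: sorted(o) for p, o in sources.items() if len(o) >= min_orgs}

def advisories(outbreaks, issues=KNOWN_ISSUES):
    """Attach the matching vulnerability note to each flagged port."""
    return {p: issues.get(p, "no matching entry") for p in outbreaks}

if __name__ == "__main__":
    hits = find_outbreaks(parse_events(SAMPLE_EVENTS), "2001-09-18T08:00:00")
    for port, note in advisories(hits).items():
        print(f"port {port}: {len(hits[port])} reporting organisations -> {note}")
```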
How sensitive is ARIS? According to SecurityFocus spokesman Chip Mesec, ARIS (which was then in beta) was able to detect what he calls a "beta test" of the Code Red worm some 15 to 18 days before it was released. ARIS' beta customers were given advance warning of the impending attack and given specific advice on what preventative steps to take.
SecurityFocus’ Security Intelligence Alert (SIA) service may be worth considering if media reports of vulnerabilities are not timely enough or if sifting through security sites or bulk mailing lists is not feasible. By subscribing to SIA, you provide SecurityFocus with a list of hardware and software your organization uses. SecurityFocus then notifies you of any new vulnerabilities related to those systems. The service essentially takes all of the legwork out of the equation.
Share your favorite
Do you have a favorite computer security site you'd like to share with other members? Write to us and tell us about it.
If there's one (big) problem with this security site, it's the clunky layout that unfortunately obscures most of the content from easy reach. For example, the mailing lists are very useful resources, yet there's no way to search for a list covering a specific topic or pull out a listing of all lists that the site hosts.
The main page of each focus area is deceptively sparse. This shortcoming doesn't make SecurityFocus a bad site by any stretch of the imagination. It's just that a visit seems like a lot more work than it should be.