06 May 2011

Problem with Maximum Resolution DELL U2711 Flat Panel Monitor

Setting the Maximum Resolution
  1. Right-click on the desktop and select Properties.
  2. Select the Settings tab.
  3. Set the screen resolution to 2560 x 1440 (DVI and DisplayPort) or 2048 x 1152 (VGA) or 1080p (HDMI, Component).
  4. Click OK.
If you do not see 2560 x 1440 as an option, you may need to update your graphics driver. Depending on your computer, complete one of the following procedures.

If you have a Dell desktop or portable computer:
  • Go to support.dell.com, enter your service tag, and download the latest driver for your graphics card.

If you are using a non-Dell computer (portable or desktop):

  • Go to the support site for your computer and download the latest graphics drivers.
  • Go to your graphics card vendor's website and download the latest graphics drivers.
In fact, if I use a VGA cable + USB cable, the maximum resolution is only 2048x1152, and if I use a DVI cable + USB cable, the maximum resolution is 1600x1200. I cannot use a DisplayPort cable, because my VGA card, an NVIDIA GeForce FX 5500, doesn't have a DisplayPort input.

The DELL U2711 has many inputs:
  • VGA input
  • DVI-D 1 input
  • DVI-D 2 input
  • DisplayPort input
  • HDMI input
  • Component video input
  • Composite video input


Bottom view

Label  Description
1      AC power cord connector
2      DC power connector for Dell™ Soundbar
3      Audio out (rear)
4      Audio out (SUB/CTR)
5      Audio out (front)
6      DisplayPort connector
7      DVI connector-1
8      DVI connector-2
9      VGA connector
10     HDMI connector
11     Composite video connector
12     Component video connectors
13     USB upstream port
14     USB downstream ports

I used a VGA card, an NVIDIA GeForce FX 5500 256MB, with 2 inputs: VGA and DVI-D.

03 May 2011

Cain & Abel v4.9.35, Testing Results

To test the security systems on multiple servers, I used Cain & Abel version 4.9.35 for Windows XP. Before I do the testing, I have to configure the program to select a specific adapter. For instance, I choose a NIC rather than a wireless adapter. Use the Configure menu -> click the Sniffer tab -> click \Device\NPF_bla bla bla -> OK. Choose the Sniffer tab, and then the Start Sniffer icon. Check out the HTTP group.

The results:
Secure: Yahoo Mail, ssh to nhc, Pustaka Iptek, Blogger, Winbox
Insecure: Webmail, ftp to nhc, SITP, SIPL
Not checked: wcm, raker, help desk sjk, hotspot

01 May 2011

Wireless LAN Security Summary

The Wireless LAN Security Summary based on ISO 27001/ISO 17799 is:

1. Develop an agency security policy that addresses the use of wireless technology, including 802.11.
A security policy is the foundation on which other countermeasures—the operational and technical ones—are rationalized and implemented. A documented security policy allows an organization to define acceptable architecture, implementation, and uses for 802.11 wireless technologies.

2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (e.g., 802.11).
A security awareness program helps users to establish good security practices to prevent inadvertent or malicious intrusions into an organization’s information systems.

3. Perform a risk assessment to understand the value of the assets in the agency that need protection.
Understanding the value of organizational assets and the level of protection required is likely to enable more cost-effective wireless solutions that provide an appropriate level of security.

4. Ensure that the client NIC and AP support firmware upgrades so that security patches may be deployed as they become available (prior to purchase).
Wireless products should support upgrade and patching of firmware to be able to take advantage of wireless security enhancements and fixes.

5. Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture.
Security assessments, or audits, are an essential tool for checking the security posture of a WLAN and for determining corrective action to make sure it stays secure. Random checks ensure that the security posture is maintained beyond periods of assessment.

6. Ensure that external boundary protection is in place around the perimeter of the building or buildings of the agency.
The external boundaries should be secured, for example with a fence or locked doors, to prevent malicious physical access to an organization's information system infrastructure.

7. Deploy physical access controls to the building and other secure areas (e.g., using photo IDs or card badge readers).
Identification badges or physical access cards help to ensure that only authorized personnel have access to gain entry to a facility.

8. Complete a site survey to measure and establish the AP coverage for the agency.
Proper placement of Access Points will help ensure that there is adequate wireless coverage of the environment while minimizing exposure to external attack. The site survey should result in a report that proposes AP locations, determines coverage areas, and assigns radio channels to each AP and that ensures that the coverage range does not expose APs to potential malicious activities.

9. Take a complete inventory of all APs and 802.11 wireless devices.
A complete inventory list of APs and 802.11 wireless devices can be referenced when conducting an audit for unauthorized use of wireless technologies.

10. Ensure that wireless networks are not used until they comply with the agency’s security policy.
Security policy enforcement is vital for ensuring that only authorized APs and 802.11 wireless devices are operating in compliance with the organization’s wireless security policy.

Source : http://www.controlscada.com/download-free-iso-27001iso17799-wireless-lan-security-summary
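As an added illustration of items 5, 8 and 9 (example code written for this post, not part of the summary or its source), the following Python compares a wireless scan against the AP inventory and flags anything the inventory does not account for: an unknown BSSID advertising the agency SSID, a neighbouring network, an authorized AP on the wrong channel or SSID, and an authorized AP that did not show up. The inventory format, the scan-line format and every BSSID, SSID and channel value are constructed here.

```python
from collections import namedtuple

ApRecord = namedtuple("ApRecord", "bssid ssid channel")

# Constructed inventory (item 9): authorized APs with the SSID each should
# broadcast and the channel the site survey (item 8) assigned to it.
INVENTORY = {
    "00:11:22:33:44:01": ApRecord("00:11:22:33:44:01", "AGENCY-WLAN", 1),
    "00:11:22:33:44:06": ApRecord("00:11:22:33:44:06", "AGENCY-WLAN", 6),
    "00:11:22:33:44:0b": ApRecord("00:11:22:33:44:0b", "AGENCY-WLAN", 11),
}

# Constructed scan result, one AP per line: "<bssid> <channel> <ssid>".
SCAN = """\
00:11:22:33:44:01 1 AGENCY-WLAN
00:11:22:33:44:06 6 AGENCY-WLAN
00:11:22:33:44:0b 3 AGENCY-WLAN
de:ad:be:ef:00:01 6 AGENCY-WLAN
66:77:88:99:aa:bb 11 Coffee Shop
"""

def parse_scan(text):
    """Turn scan lines into ApRecords; malformed lines are skipped."""
    seen = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)  # SSID may contain spaces, so it is last
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        seen.append(ApRecord(parts[0].lower(), parts[2], int(parts[1])))
    return seen

def audit(seen, inventory):
    """Classify every AP seen in the scan against the inventory."""
    findings = {"ok": [], "channel_mismatch": [], "ssid_mismatch": [],
                "spoofed_ssid": [], "foreign": []}
    our_ssids = {r.ssid for r in inventory.values()}
    for ap in seen:
        ref = inventory.get(ap.bssid)
        if ref is None:  # not in inventory: rogue if it uses our SSID, else a neighbour
            kind = "spoofed_ssid" if ap.ssid in our_ssids else "foreign"
        elif ap.ssid != ref.ssid:
            kind = "ssid_mismatch"
        elif ap.channel != ref.channel:
            kind = "channel_mismatch"
        else:
            kind = "ok"
        findings[kind].append(ap.bssid)
    findings["missing"] = sorted(set(inventory) - {ap.bssid for ap in seen})
    return findings
```

Anything in `spoofed_ssid` is the case item 5 asks you to rule out; `channel_mismatch` and `ssid_mismatch` point at an authorized AP whose configuration has drifted from the site survey.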

Comparison between COBIT, ITIL and ISO 27001

Many friends of mine keep asking me what should be implemented first to improve their information system management: COBIT, ITIL, or ISO 27001. The next question is usually which one is the easiest to implement in their company.

To answer this question, let me give the definitions of these three major standards in information systems, which differ somewhat in their basic concepts.

COBIT

COBIT stands for Control Objective over Information and Related Technology. COBIT is issued by ISACA (Information System Control Standard), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing an information system audit, whether related to a financial audit or a general IT audit.

ITIL

ITIL stands for Information Technology Library. ITIL, issued by the OGC, is a set of frameworks for managing IT service levels. Although ITIL is quite similar to COBIT in many ways, the basic difference is that COBIT sets the standard by looking at processes and risk, while ITIL sets the standard starting from basic IT services.

ISO27001

ISO 27001 is quite different from COBIT and ITIL, because ISO 27001 is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL.

Here is a detailed comparison table of these three standards:

AREA            COBIT                                  ITIL                                   ISO27001
Function        Mapping IT Process                     Mapping IT Service Level Management    Information Security Framework
Area            4 Process and 34 Domain                9 Process                              10 Domain
Issuer          ISACA                                  OGC                                    ISO Board
Implementation  Information System Audit               Manage Service Level                   Compliance to security standard
Consultant      Accounting Firm, IT Consulting Firm    IT Consulting firm                     IT Consulting firm, Security Firm, Network Consultant


What should be implemented first?

There is no exact answer to this question, but I think it really depends on your company and your requirements. Most companies start by implementing COBIT first because it covers general information systems. After that they usually choose between ITIL and ISO 27001.

Another consideration is budget and authority. COBIT implementation usually runs from the internal audit budget, while ITIL or ISO 27001 is usually performed using the IT department's budget. This consideration usually makes the choice of which standard to implement first depend on management policy.

What is the easiest standard?

From the implementation point of view, ITIL is the easiest standard to implement, because ITIL can be implemented partially and still not have an impact on performance. For example, if the IT department lacks budget, it could choose to implement the IT Service Delivery layer only, and the next year try to implement IT Release Management or IT Problem Management.

However, COBIT and ISO 27001 are quite difficult to implement partially, since a process has to be seen in a bigger view first before either can be implemented partially.

How to choose the right vendor?

Many vendors say that they can help your company implement these standards effectively; in fact there is no one solution for all. Usually the COBIT vendors come from public accounting firms that have an IT audit arm, e.g. PWC, DTT, KPMG, EY. This type of vendor is the best choice for COBIT since they also work on COBIT implementation derivatives such as COBIT for Sarbanes-Oxley.

Vendors for the other standards, ITIL and ISO 27001, usually come from general IT consulting companies, e.g. IBM, Accenture. For ISO 27001, most IT networking companies can also offer consultation on this standard.

Do you have any other opinion on this comparison?

Other references:
ISACA: Aligning COBIT, ITIL and ISO 17799 for Business Benefit


Source : http://www.securityprocedure.com/

WikiLeaks Cable about Chinese Hacking of U.S. Networks

We know it's prevalent, but there's some new information:

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army.

Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.


U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department's Cyber Threat Analysis Division noted that several Chinese-registered Web sites were "involved in Byzantine Hades intrusion activity in 2006."

The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the "precise" postal code in Chengdu used by the People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. "Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other" electronic spying units of the People's Liberation Army, the cable says.

[...]


What is known is the extent to which Chinese hackers use "spear-phishing" as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that "we have given up on the idea we can keep our networks pristine," says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It's safer, government and private experts say, to assume the worst -- that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in "target development" for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees' job descriptions, networks of associates, and even the way they sign their emails -- such as U.S. military personnel's use of "V/R," which stands for "Very Respectfully" or "Virtual Regards."

The spear-phish are "the dominant attack vector. They work. They're getting better. It's just hard to stop," says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.

Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as "Byzantine Anchor," "Byzantine Candor," and "Byzantine Foothold." A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.

A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. "Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks" which succeeded in "gaining access to hundreds of (U.S. government) and cleared defense contractor systems," the cable said. The emails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.

By the way, reading this blog entry might be illegal under the U.S. Espionage Act:

Dear Americans: If you are not "authorized" personnel, but you have read, written about, commented upon, tweeted, spread links by "liking" on Facebook, shared by email, or otherwise discussed "classified" information disclosed from WikiLeaks, you could be implicated for crimes under the U.S. Espionage Act -- or so warns a legal expert who said the U.S. Espionage Act could make "felons of us all."

As the U.S. Justice Department works on a legal case against WikiLeaks' Julian Assange for his role in helping publish 250,000 classified U.S. diplomatic cables, authorities are leaning toward charging Assange with spying under the Espionage Act of 1917. Legal experts warn that if there is an indictment under the Espionage Act, then any citizen who has discussed or accessed "classified" information can be arrested on "national security" grounds.

Maybe I should have warned you at the top of this post.

Source : http://www.schneier.com/