Security Ever After: 2011

Thursday, December 22, 2011

SANS Security 401 in Atlanta

In one month SANS Security Essentials (Security 401) comes to Atlanta, Mentor style. SANS Mentor sessions meet at night for 2 hours a week for 10 weeks. This class will prepare you to earn the GIAC Security Essentials Certification (GSEC).

Mentor sessions bring SANS training to you and avoid all the cost of traveling and being away from work for an extended period of time. The classroom size is perfect for in-depth discussions and is appropriate for all skill levels. Students receive the same course books and materials, but cover the material at a pace that allows them more time to absorb and apply it.

Everything in this Mentor session is backed with the SANS Promise - It will be "full of important and immediately useful techniques that you can put to work as soon as you return to your office".

Contact me if you have any questions or need additional information about this upcoming training. I can provide you with a 10% discount code as a final incentive to register for this course.

Thursday, December 1, 2011

SANS Mentor Special

The SANS Mentor program is offering a $200 Amazon Gift card with your paid registration for any course offered through the SANS Mentor Program. This is a nice opportunity to get a Kindle Fire for free.

It is also an incentive to register for my upcoming Security 401 session in Atlanta.

Saturday, November 5, 2011

Sweet Spot - Patch Applications

Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators become better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment?

Every application that is installed must be continually inventoried and promptly updated. An example of this is found in the software inventory report in the Kaspersky Anti Virus tool. This report lists each software package and version where this software agent is installed. Configuration for this option can be found in the Administration Server at Reports and Notifications and then Server Applications. This report can be automatically generated and emailed on a daily basis.  Become familiar with how the report looks so that any deviation is immediately noticeable.

Qualys BrowserCheck can be used to identify web browsers and associated plug-ins that need to be updated. The free Business Edition generates a unique address that, if used by all computers in the company, will generate aggregate reports of all devices that have visited it. Consider setting this as the users' home page and encourage them to regularly update their browsers both at work and at home.

Microsoft System Center Configuration Manager (SCCM), formerly known as Systems Management Server (SMS), as well as Dell Kace KBox provide built-in capabilities to inventory each software package. Of particular value are the software versions that are installed on all systems. This list can be compared to the current versions available.

The free Splunk application for Linux named Splunk *NIX includes a standard report package named Latest Packages by Host that can also be automated and emailed daily. This detailed information can be found within the Splunk application at Configs --> OS Packages --> Latest Packages by Host.

Windows includes a fascinating tool, Windows Management Instrumentation Command-line (WMIC), that allows the administrator to determine up-to-date information on a given Windows system. The WMIC command to list the software installed on Microsoft Windows is discussed at the Command Line Kung Fu blog.

The psexec tool from Microsoft can be used to perform a software inventory, particularly for applications that do not use the standard Windows Installer. One example is to create a batch file on the C drive named baseline.bat and invoke it weekly with Scheduled Tasks. The command uses psexec to look for all executables and sends the output to a file named ExeFound.txt. The following can be saved as a batch file and regularly scheduled to run on Windows systems.

@echo off
rem dir is a cmd.exe built-in, not an executable, so psexec must start it through cmd /c.
rem With no \\computer argument psexec runs on the local system; /s recurses, /b prints bare paths.
rem -accepteula prevents the first-run license prompt from stalling a scheduled task.
psexec -accepteula cmd /c "dir /s /b C:\*.exe" > %computername%_ExeFound.txt

On Linux systems, md5sum is typically installed and can be used to create MD5 checksums of the contents of a folder and write the results to a file. md5sum can then compare the current checksums to those stored in the previously generated file. Any file that has changed since the last baseline is noted in the exception report.

Perfecting this and adding it to an automated baseline script is an excellent way to periodically list the packages installed on a given system. This script, when distributed to all systems, can be invaluable in determining changes to your servers and workstations.
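The md5sum baseline described above, written out as an added example (this is not a script from the original post). "init" records a checksum for every regular file under a directory, and "check" re-verifies with md5sum -c and reports changed, missing and new files; the directory and file names are placeholders, and the baseline file should live outside the directory being baselined and be given as an absolute path, since the functions cd into the directory.

```shell
#!/bin/sh
# Added example, not from the original post: a two-step baseline script built
# on md5sum. "init" records a checksum for every regular file under a
# directory; "check" re-verifies with md5sum -c and reports CHANGED, MISSING
# and NEW files. Store the baseline file outside the directory being
# baselined, and give it as an absolute path (the functions cd into DIR).

# make_baseline DIR BASEFILE: checksum every regular file under DIR.
make_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_baseline DIR BASEFILE: print one exception per line, nothing if clean.
check_baseline() {
    # md5sum -c prints "path: OK", "path: FAILED" (content differs) or
    # "path: FAILED open or read" (file gone); keep only the exceptions.
    ( cd "$1" && md5sum -c "$2" 2>/dev/null || true ) | awk -F': ' '
        $NF ~ /^FAILED open/ { print "MISSING " $1; next }
        $NF == "FAILED"      { print "CHANGED " $1 }'
    # Files present now but absent from the baseline are new; md5sum -c
    # never sees them, so they have to be found separately.
    ( cd "$1" && find . -type f ) | awk -v base="$2" '
        BEGIN { while ((getline l < base) > 0) { sub(/^[0-9a-f]+ [ *]/, "", l); known[l] = 1 } }
        !($0 in known) { print "NEW " $0 }' | LC_ALL=C sort
}

# Scheduled use, e.g. from cron (paths are placeholders):
#   baseline.sh init  /etc /var/lib/baselines/etc.md5   (once, after a known-good build)
#   baseline.sh check /etc /var/lib/baselines/etc.md5   (daily; mail any non-empty output)
case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Because check_baseline prints nothing when the directory matches the baseline, the scheduled job can simply mail its output whenever it is non-empty, which gives the exception report the post describes without any further filtering.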

Include the Microsoft Malicious Software Removal Tool (MSRT) in the packages distributed by Microsoft Windows Server Update Services (WSUS). The free MSRT tool is deployed monthly and is useful to eliminate known and disruptive malware.

The output from these tools offers concise reports that are good candidates to send to system administrators. It will help them become involved in securing the network as they gain an understanding of what software should be installed and learn from you the proper response when unexpected or outdated software is found.

Sunday, October 16, 2011

Security By Design

The Atlanta ISSA chapter, along with the Atlanta Society of Digital Forensics and eDiscovery, the Society of Industrial Security Professionals and the Atlanta OWASP chapter are hosting the Security By Design Conference on November 8 and 9. The conference schedule includes 7 tracks that run on both days and also features a special event on both nights. Registration remains open.

Sweet Spot - Patch Operating Systems

Microsoft Windows Software Update Services (WSUS) provides automated patching of Microsoft operating systems and products. The WSUS administrator can schedule categories of patches and schedule their installation. Also included is a reporting feature that can send daily reports via email to administrators notifying them of new patch releases and the status of their installation across the organization. This would be valuable not only to the security team, but also for system administrators. It is easily configurable and may lead to an increased awareness of the importance of patching.

After patches are applied, verify outside the patching tool that each patch has actually been applied. Look for clues such as registry values, installed programs and the last system reboot to help measure the effectiveness of this control.

A free and automated way to check for the patches is to use the built-in Windows tool wmic. A wonderful resource on practical and entertaining ways to use wmic can be found in the blog Command Line Kung Fu. Use wmic to perform the checks below to help ensure updates are applied as they are delivered. Wmic is an excellent complement to WSUS, as these commands can be automated and run regularly.

•    wmic os get lastbootuptime shows the exact time of the last system reboot
•    wmic os list brief shows the current version of Windows
•    wmic qfe list brief shows the Microsoft patches that are installed

Another free tool, Microsoft Baseline Security Analyzer (MBSA), can be used to help determine the security status of Windows operating systems. It can be run from the graphical or command-line interface and can show previous test results for comparison purposes.

Saturday, October 15, 2011

Find Your Sweet Spot

Version 3 of the SANS 20 Security Controls includes integration by the leadership of the Australian Defense Signals Directorate. This includes 35 Mitigation Strategies that were developed and prioritized to prevent targeted computer attacks. Four of these are listed as mandatory and are known as the Sweet Spot. 

These are Patch Applications, Patch Operating Systems, Minimize the number of users with domain or local administrator privileges and Application Whitelisting. These areas will be explored in detail and serve as a means to get wisdom as cheaply as you can.

Sunday, October 9, 2011

Security B-Sides Atlanta

Security B-Sides Atlanta unconference is back. On November 4, all of your local and not so local security friends will be back at Think Inc, located at 1375 Peachtree St. Suite 600, Atlanta, Ga.

Registration is now OPEN and, true to Security B-Sides, the admission price is affordable for everyone.

Friday, October 7, 2011

Control 20: Security Skills Assessment and Training to Fill Gaps

Is your team well trained or does it lack fundamental and often the advanced skills needed to perform their jobs? Are there team members who are the only ones that know certain functions? What happens when they are not available for good reasons or bad ones? Several avenues for acquiring training are available.

Many large cities have some or all of the following security-focused groups that foster community and learning new concepts. Attend these meetings and become more involved in the security community.

•    OWASP
•    InfraGard
•    NAISG
•    Defcon
•    Security B-Sides

Do not dismiss the value of setting up a home lab of old equipment or virtualized and ISO distributions to practice hacking and defending your home network. The skills acquired away from work are often the skills that make the biggest difference.

Tuesday, October 4, 2011

Control 19: Data Recovery Capability

Develop a written plan that identifies all business owners and the processes needed by them to restore normal operations. Interview the business owners to better understand the dependencies needed to do their normal activities.

Conduct annual tabletop exercises with each business process owner. Use mock scenarios that consider availability loss of people, facilities and technology. Identify and document any gaps identified in the exercise and invite the business process owner to determine if they should be corrected or accepted. Working through this process will help engage the business units as they focus on recovering their operation to a normal state.

Test backup and restore operations on a regular and recurring basis. Create specific procedures that walk the user through how to manually back up and restore data. Just like with Incident Response, this work often occurs during high-pressure moments. Having a written procedure will help ensure critical steps are not missed. Document estimated recovery times for systems and applications. Strive to identify anything that has the potential to keep this from being successful.

Friday, September 30, 2011

Control 18: Incident Response Capability

Enlist all employees to report suspicious activities to the Incident Response Team (IRT). Create a dedicated phone number and email address they can use to report issues to your team. Use security awareness training to make sure all employees know to contact the help desk with suspicious issues.

Monthly IRT team member training that covers the steps in the Incident Handling process will be very useful. In this training, demonstrate and practice a single tool that may be used in a real incident. Rotate the responsibility for conducting the training as a means to engage the entire team.

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. Aggressively look for ways to integrate Lessons Learned from previous incidents into security design.

Tuesday, September 27, 2011

Control 17: Penetration Tests and Red Team Exercises

Penetration testing is often confused with vulnerability assessments, as mentioned in Control 10. Penetration testing differs in that it involves attempted exploitation. Just like in Control 10, penetration testing should occur in each network zone to ensure adequate coverage.

Track all open issues and document through confirmed remediation of all issues to be corrected. Determine an effective means to document the core causes of these issues to make sure new development projects are not subject to the same flaws identified in the penetration test.

Always perform careful screening of potential external pen testers. Make sure the people you engage to perform external testing have to work for their money and do not just point a tool at your network. Force them to articulate the business risk associated with their findings. Identify and resolve as many issues as is possible ahead of their work. Race to see how fast your continuous monitoring program identifies external penetration testers. If they work for long and have not been identified, there are likely gaps in the continuous monitoring program.

BackTrack makes an excellent preconfigured platform to perform penetration tests. BackTrack can easily be used as the primary environment to build and use an internal pen testing program. With so many tools available, it is a good idea to make learning one tool in BackTrack a weekly task. Make it stick by writing a small note of what was learned for future reference.

Sunday, September 18, 2011

Control 16: Secure Network Engineering

Secure networks do not appear by accident. It starts with thoughtful planning and sound engineering principles. Seek out flaws in the current network design as an attacker would and correct all of the faults found in its design. By being intentional and meticulous, a true design can emerge and more importantly it will persist.

A key step to this is creating a document that explicitly lists all approved connections by traffic initiator. This is an excellent source document to audit the firewall rules against each and every quarter. Diligently look for the use of insecure protocols, such as FTP and Telnet in each network segment. When they are found, strongly consider using protocols that do not send their information in clear text format.

Segment networks according to security zones as well as logical departments and divisions. This will allow for more granular firewall rules and a better understanding of the communication paths that are required. Using both color-coded network diagrams and network cables is an excellent visual indicator to the types of traffic and zones being used throughout the environment.

In all monitoring systems that allow it, label critical systems within your existing monitoring tools so that they stand out in those tools. When all else fails, this can help to guide the impact assessment. It is important to include junior team members in these exercises and discussions. Both teaching and learning will happen for everyone involved and will lead to a more informed and engaged team environment.

Monday, September 12, 2011

Control 15: Data Loss Prevention

Data Loss Prevention (DLP) is a new trend in Information Security, but really should not be. DLP may have been a missed opportunity when Network Intrusion Detection (NIDS) was first introduced. Is it all of a sudden that data exfiltration has become important? How was this missed as a priority for so long?

Define what critical data is and write regular expression filters on the NIDS that look for this data passed in unencrypted form. Educate users in security awareness training about the importance of remaining diligent when handling sensitive information. Critical data should be defined in formal policy and discussed in new employee security awareness training classes. Snort signatures such as Credit Card Data, Sensitive data credit card numbers 138:2 can be used to look specifically for information that should always be sent securely.
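As an added illustration of the clear-text check such a regex filter performs (this is not a rule or script from the original post), the script below scans text for digit runs that look like payment card numbers and reports only those that also pass the Luhn check, which is what keeps a filter like this from drowning the analyst in phone numbers and order IDs. It is written as a shell/awk script so it can be run over captured payloads, mail spools or file shares; the sample text is constructed, and the two numbers it reports are publicly known test card numbers, not real accounts.

```shell
#!/bin/sh
# Added example, not from the original post: a clear-text card-number check of
# the kind a NIDS regex filter performs, as a shell/awk script. A digit run is
# reported only if it has 13-19 digits and passes the Luhn check, which removes
# most phone numbers, order IDs and random digit runs. Sample text is
# constructed; the reported numbers are publicly known test card numbers.

# find_card_numbers [FILE...]: print "line: candidate" for each Luhn-valid run.
find_card_numbers() {
    awk '
    # Luhn mod-10 check over a string of digits.
    function luhn(d,    i, c, sum, dbl) {
        sum = 0; dbl = 0
        for (i = length(d); i >= 1; i--) {
            c = substr(d, i, 1) + 0
            if (dbl) { c *= 2; if (c > 9) c -= 9 }
            sum += c; dbl = !dbl
        }
        return sum % 10 == 0
    }
    {
        line = $0
        # Candidate: digits optionally separated by spaces or dashes, as cards
        # are usually typed. Any other character ends the run, so a card number
        # followed by just a space and more digits (an unlabeled expiry date)
        # would merge into one over-long run and be missed; the same limitation
        # applies to the NIDS regex.
        while (match(line, /[0-9][0-9 -]*[0-9]/)) {
            run = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            digits = run; gsub(/[ -]/, "", digits)
            if (length(digits) >= 13 && length(digits) <= 19 && luhn(digits))
                print FNR ": " run
        }
    }' "$@"
}

# demo: constructed sample lines; only lines 2 and 4 carry Luhn-valid numbers.
demo() {
    printf '%s\n' \
      'From: sales@example.com Subject: order 5529 for 770-555-0142' \
      'card 4111-1111-1111-1111 exp 12/14 cvv 123' \
      'visa 4111 1111 1111 1112 declined' \
      'amex 378282246310005 approved' \
      'ticket 123456789012 opened' | find_card_numbers
}
```

Run it as `find_card_numbers capture.txt` or pipe text into it; the Luhn check is cheap, and the same two-stage approach (loose regex, then validation) is how a NIDS rule with a PCRE body and a post-match check keeps the false-positive rate workable.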

Consider what a data loss prevention incident would look like on your network and design your defenses and alerting around these scenarios. SourceFire Compliance Rules can be configured to alert on file transfers that are large, flows that are long in duration, and flows that are new and previously undefined. Once these basic alerts are in place, develop additional data loss scenarios based on recent high profile data loss events and design appropriate controls to detect them. This is a low cost way to get wisdom as cheaply as you can.

Sunday, September 4, 2011

Control 14: Wireless Device Control

Wireless network access allows for better collaboration and mobility. With this relatively new medium comes an extra risk. Be sure to handle this administratively through the use of policy and user education to set clear expectations of appropriate use. Specific policy reference should be made that prohibits the use of peer to peer wireless networking.

Several popular Linux distributions provide a preconfigured Kismet. Run these platforms continually on old laptops in each office location. For no cost, a continual assessment of wireless activity can be performed. As each access point is identified, whitelist any approved and neighboring business access point and include them in the Wireless Usage policy. All others must be classified as neighbor businesses or as rogues to be investigated and disabled.

Discovery of wireless access points can also be performed using traditional network scanning tools, such as Nessus. Using plugin 11026, daily complementary scans can help identify rogue and authorized access points. Combining both wired and wireless scanning tools will help identify wireless usage in the environment.

Be sure to check out the recently published book, Hacking Exposed Wireless Second Edition by Johnny Cache, Joshua Wright & Vinnie Liu. This book is well written and includes three compelling sections on hacking wireless technology, wireless clients, and hacking Bluetooth, ZigBee and DECT.

Monday, August 29, 2011

Control 13: Limitation and Control of Network Ports, Protocols, and Services

Just as mentioned in Control 5 Boundary Defense, proper ingress and egress filtering should be in place. Diligently maintaining awareness of the traffic that is allowed into and out of your network is critical.

SourceFire RNA Compliance Rules allow the administrator to create rules that mirror the firewall rules and alert when any other traffic occurs. This is configured in the administrative console at Policy & Response, Compliance, Rule Management, then Create or open a Group. Select "If a flow event occurs and meets the following conditions" and add a condition such as "Payload is AOL Mail". This feature in RNA allows the user to define approved flows and respond to everything not specifically allowed. Policy violations and new traffic flows will become immediately apparent and will be complementary to the traditional network firewall rules.

Perform daily network discovery scans using nmap. Depending on the complexity of the network, multiple scanners may need to be deployed to ensure complete coverage. List the name of each service running on the network and attempt to justify its business need. Consider an nmap diff scan to identify all hosts and their associated services. Using the diff option, results for the new scan are compared to the previous one, with only the changes being noted.
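The daily nmap diff scan described above, done by hand as an added example (this is not a script from the original post). Each day's scan is saved in greppable format (-oG); open_services flattens a scan file into one "host port/proto service" line per open port, and scan_diff reports only what appeared or disappeared since the previous scan. The network range, file names and the two sample scan files are constructed, and the demo runs on the sample files so that nmap itself is not needed to try it.

```shell
#!/bin/sh
# Added example, not from the original post: a daily nmap "diff scan" done by
# hand. Each day's scan is saved in greppable format (-oG); open_services
# flattens a scan into "host port/proto service" lines and scan_diff reports
# only what appeared (+) or disappeared (-) since the previous scan. The
# network range, file names and the sample scan output are constructed.

# run_scan RANGE OUTFILE: the daily scan itself (needs nmap; not used by demo).
run_scan() {
    nmap -sS -oG "$2" "$1" > /dev/null
}

# open_services GNMAP: one sorted line per open port, e.g. "10.0.0.5 22/tcp ssh".
open_services() {
    awk -F'\t' '/^Host: / && /\tPorts: / {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")     # port/state/proto/owner/service/rpc/version
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }
    }' "$1" | LC_ALL=C sort
}

# scan_diff OLD_GNMAP NEW_GNMAP: lines prefixed "+ " (new) or "- " (gone).
scan_diff() {
    old=$(mktemp); new=$(mktemp)
    open_services "$1" > "$old"
    open_services "$2" > "$new"
    awk 'FILENAME == ARGV[1] { a[$0] = 1; next }
         { b[$0] = 1; if (!($0 in a)) print "+ " $0 }
         END { for (k in a) if (!(k in b)) print "- " k }' "$old" "$new" | LC_ALL=C sort
    rm -f "$old" "$new"
}

# demo: two constructed -oG files standing in for yesterday's and today's scan.
# Today the file server exposes FTP, the workstation's RDP port is now filtered
# and a new host answers on 80.
demo() {
    d=$(mktemp -d)
    {
        printf '# constructed sample: yesterday\n'
        printf 'Host: 10.0.0.5 (fileserver)\tStatus: Up\n'
        printf 'Host: 10.0.0.5 (fileserver)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
        printf 'Host: 10.0.0.6 (wkstn01)\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)\n'
    } > "$d/yesterday.gnmap"
    {
        printf '# constructed sample: today\n'
        printf 'Host: 10.0.0.5 (fileserver)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
        printf 'Host: 10.0.0.6 (wkstn01)\tPorts: 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (999)\n'
        printf 'Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n'
    } > "$d/today.gnmap"
    scan_diff "$d/yesterday.gnmap" "$d/today.gnmap"
    rm -rf "$d"
}

# Daily use from cron (paths are placeholders):
#   run_scan 10.0.0.0/24 "scans/$(date +%F).gnmap"
#   scan_diff scans/YESTERDAY.gnmap scans/TODAY.gnmap | mail -s "nmap changes" secops@example.com
```

Keeping every day's -oG file also gives a history to answer "when did this service first appear", which the change report alone cannot; the filtered RDP port in the sample shows why only the open state is compared, so a host that starts dropping probes shows up as a change rather than silently vanishing.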

Wednesday, August 24, 2011

Control 12: Malware Defenses

Malware should certainly be considered unauthorized software and addressed using the techniques listed in Control 2. Maintain a list of approved software and its business need so that it can be readily compared to all software that has been detected.

Malware protection is often packaged within traditional anti-virus software. Configure this tool to send its events to the administration tools and event log servers. Carefully review these logs for indications of system compromise.

Create alerts specifically for malware infection and respond to these promptly to avoid further damage. Ensure that malware defenses are specifically configured to check for updates every hour and configure the policy to push new defenses to all agents when a new update is found.

Include the Microsoft Malicious Software Removal Tool (MSRT) in the packages distributed by WSUS. The MSRT tool is deployed monthly and is useful to eliminate known and disruptive malware.

Monday, August 15, 2011

Control 11: Account Monitoring and Control

What does it really mean to provide Account Monitoring and Control and what are some practical and no cost ways to implement this control?

Send automated alerts on any change or attempted change to any group whose membership grants elevated access. Produce daily alerts and reports of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire.

Perform a quarterly review of all accounts on systems and reconcile them to the list of employees from Human Resources and the physical access control system. Often one or more of these systems is not current, which is an avenue to potential compromise. Develop relationships with Human Resources in order to have a more prompt and efficient employee termination procedure. Working together, a partnership can be created and leveraged when needed.

During internal employee transfers, go through the extra step of revoking all access and then add new access required to perform the new job. This will help avoid accumulation of privileges over their tenure.

Use the log review solution to create automated alerts for any new account, any new administrator access and also for when any account is locked out. At a minimum you will be able to provide better customer service by knowing about accounts that need to be unlocked. Perhaps these same alerts can be used to serve as indications and warnings to an attack.

Tuesday, August 9, 2011

Control 10: Continuous Vulnerability Assessment and Remediation

Is it possible to have a vulnerability assessment program that truly can be considered continuous? I believe the answer is a resounding yes you can.

Configure a network scanner to perform daily discovery scans on the internal and external networks. Review the output for new hosts and unexpected services. Make certain that these scans are detected by your security controls, such as Network Intrusion Detection (NIDS) and file monitoring tools. This technique is very valuable and will help assess the maturity of the continuous monitoring program.

The free Microsoft Windows Server Update Services (WSUS) provides automated patching of Microsoft products. The administrator can schedule categories of patches and schedule their installation. Also included is a reporting capability. WSUS can send daily reports via email to administrators notifying them of new patch releases and the status of their installation.

After patches are applied, verify outside the patching tool that each patch has actually been applied. Look for clues such as registry values, installed programs and the last system reboot to help measure this control.

Even if in a simple spreadsheet format, track all open vulnerabilities across each system type. If you get to the point where you do not know what task to work on next, this will serve as an excellent guide to direct your attention.  This will help move your security program to a more mature state.

Saturday, August 6, 2011

SANS Mentor Offers FREE Noise Cancelling Bluetooth Headphones

Starting Monday, the SANS Mentor program is offering a special promotion. Register for any SANS Mentor event in the next three weeks and receive a fantastic pair of Noise Cancelling Bluetooth Headphones valued at $499! To take advantage of this promotion, enter the code "stereo11" during registration. The headphones will be ordered the second week of class and shipped directly to each student.

A most excellent use of this promotion would be for my upcoming SANS Security 401 Security Essentials Bootcamp Style Mentor Session in Atlanta. This course starts on January 24 and meets once a week for ten weeks. This popular SANS course is excellent for new as well as experienced system and security administrators.

Feel free to contact me for more information.

Friday, August 5, 2011

Control 9: Controlled Access Based On Need to Know

Simply being an employee should not serve as adequate justification to obtain access to company data. Segregation of logical access must be in place to help deter casual browsing and potential unauthorized data disclosure. Start with broad concepts such as departments and teams as a way to isolate systems and data from those that do not require access.

A data classification program, even if elementary in nature, would be valuable to help achieve the objective of this control. Even if there are broad and limited categories of data types, it would be valuable to know where sensitive data is stored to make sure it is adequately protected from possible misuse.

Enforce strict role based access for all sensitive resources such as directories and servers and configure the default action to deny for all access that is not explicitly granted. Log failed access attempts and alert the team when failed resource attempts are detected.

Set a monthly calendar reminder to review the access of a small number of employees. Be on guard for access that may no longer be required. This can be a delicate process, so be sensitive to both the real and the perceived needs of co-workers. Enforcing this is particularly difficult with employees with tenure who tend to accumulate access over time.

Monday, August 1, 2011

Control 8: Controlled Use of Administrative Privileges

Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only the appropriately trained and fully accountable people have and maintain administrative access on your systems? This effort must start with an accurate inventory of every account with elevated access and must be strictly maintained. The change control board should approve every new account that requires persistent administrative access. Maintaining strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access.

Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as on workstations and individual server types. This will help deter unintentional access to collateral systems that system administrators are not explicitly authorized to use. Encourage this practice by requiring more frequent password expiry and increased complexity rules for these accounts.

Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and email usage should never be permitted from accounts that have elevated access. The damage that could occur is much greater than the convenience gained by allowing a system administrator to check their Twitter account.

Where feasible, require all administrative access to be achieved by elevating from a regular user account. One way to facilitate this is to create a Microsoft Management Console (MMC) that includes all tools needed for administration. Open it with a Run As command that uses the credentials of the elevated account.

Accurately and promptly recording and distributing all activities performed by members of elevated access groups, as found in system and security logs, could help deter misuse and increase accountability. Configure a daily automated report that lists all administrative activities from the previous day and send it to the entire team.

Look for default accounts on workstations and servers that can be removed or disabled. It is up to you to explain and justify every account on your system. The faster you can identify new accounts on the system, the better.

The underlying goal must be to do everything in your power to not allow untrained or unauthorized people to gain administrative access on your networks or systems.

Monday, July 18, 2011

Control 7: Application Software Security

Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked.

  • Teach yourself about the OWASP Top 10 Project. Use this information to create an ongoing workshop for your developers to learn these concepts and be better prepared to avoid them. Meet with your developer and quality assurance teams monthly and review one of the categories each session. With the prevalence of virtualization solutions available, it will be easy to create an environment for them to test these concepts from the comfort of their own cubicles. 
  • A most excellent pre-configured platform for your developers and quality assurance teams is Samurai Web Testing Framework (WTF) on a virtual machine. This free Linux distribution is purpose built for web application penetration testing, includes numerous tools and is maintained by Kevin Johnson.
  • Integrate at least one component of your information security program into each step of the Software Development Life Cycle (SDLC). The key is to get to the point where the developers seek you out. This may have to involve bribery, staying late with them and an occasional Starbucks run, but this partnership is very possible to achieve with some effort.
  • Look for ways to avoid the 25 Most Dangerous Programming Errors published by Mitre and SANS. Categories of these errors include Insecure Interaction Between Components, Risky Resource Management and Porous Defenses.
  • Institute a peer review program where code is reviewed before it is published by a fellow developer. Consider implementing a nominal reward for each security issue identified before it is released into production.

Using these very cost effective techniques will go a long way to increase the security posture of your applications.

Monday, July 4, 2011

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Logs are the single most important place to look when it is time to answer the question "what just happened". The more systems you have, the more impractical it is to review system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This puts all of the logs in one place and also keeps another copy in an alternate location.

SANS provides a Log Vendor Listing that includes popular vendors. Martin Holste wrote his own Enterprise Log Search and Archive (ELSA) solution.

A good tool not only allows you to search through the logs, but also lets you schedule recurring searches and alert when something is found. The following examples of reports and alerts can serve as the foundation of your indications and warnings of attack or misconfiguration.

  • Any successful (and unsuccessful) logins to firewall
  • All firewall rule changes
  • Daily log volume report for the last several days
  • Alert when a host has not sent logs over the last 24 hours
  • All RDP traffic
  • All two factor authentication system and device usage
  • Security log cleared
  • New users, especially in privileged groups
  • Basic File Integrity Monitoring (FIM) alerts generated by increased logging on critical files and folders
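Three of the alerts above (a host that stopped sending logs, a new member of a privileged group, and a cleared security log) as an added example of the scheduled-search logic a log tool should run; this is illustrative code, not from the original post, and the log records, host inventory and "current time" are constructed.

```python
"""Added example: three alert rules from the list above, run over constructed
sample records as a central log server might store them. Event IDs follow the
Windows Security log (4728/4732 = member added to a security-enabled
global/local group, 1102 = the audit log was cleared)."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4732}
LOG_CLEARED_EVENT = 1102

# Constructed sample records (not real data). "ts" is the collector's time.
SAMPLE_LOGS = [
    {"ts": "2011-07-03 09:15:02", "host": "fw01", "event_id": 4624,
     "msg": "login ok user=admin"},
    {"ts": "2011-07-03 22:40:11", "host": "dc01", "event_id": 4728,
     "msg": "member jdoe added to group Domain Admins"},
    {"ts": "2011-07-04 01:05:44", "host": "dc01", "event_id": 1102,
     "msg": "audit log cleared by jdoe"},
    {"ts": "2011-07-04 07:00:00", "host": "web01", "event_id": 4624,
     "msg": "login ok user=svc_web"},
    {"ts": "2011-07-02 06:30:00", "host": "db01", "event_id": 4624,
     "msg": "login ok user=dba"},
]
# Hosts expected to report (constructed inventory); mail01 never sent anything.
EXPECTED_HOSTS = {"fw01", "dc01", "web01", "db01", "mail01"}
# Fixed "current time" so the run is reproducible (constructed).
NOW = datetime(2011, 7, 4, 8, 0, 0)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def silent_hosts(logs, expected, now=NOW, window=timedelta(hours=24)):
    """Expected hosts with no record inside the window (never seen counts)."""
    last_seen = {}
    for rec in logs:
        t = parse_ts(rec["ts"])
        if t > last_seen.get(rec["host"], datetime.min):
            last_seen[rec["host"]] = t
    return sorted(h for h in expected
                  if now - last_seen.get(h, datetime.min) > window)


def privileged_group_changes(logs):
    """(ts, host, group) for each addition to a privileged group."""
    hits = []
    for rec in logs:
        if rec["event_id"] in GROUP_ADD_EVENTS:
            group = rec["msg"].rsplit("group ", 1)[-1].strip()
            if group in PRIVILEGED_GROUPS:
                hits.append((rec["ts"], rec["host"], group))
    return hits


def log_cleared(logs):
    """(ts, host) for every audit-log-cleared event; always worth a look."""
    return [(r["ts"], r["host"]) for r in logs if r["event_id"] == LOG_CLEARED_EVENT]


def run_checks(logs=SAMPLE_LOGS):
    return {"silent": silent_hosts(logs, EXPECTED_HOSTS),
            "priv_changes": privileged_group_changes(logs),
            "log_cleared": log_cleared(logs)}
```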

SANS provides a Top 5 Essential Log Reports (PDF) that lists categories of events that certainly should be addressed in log review. They are broad enough to be valid in all environments and serve as good conversation starters when planning proper log review and analysis.

  • Attempts to Gain Access through Existing Accounts
  • Failed File or Resource Access Attempts
  • Unauthorized Changes to Users, Groups and Services
  • Systems Most Vulnerable to Attack
  • Suspicious or Unauthorized Network Traffic Patterns

Control 5 - Boundary Defense

Control 5 builds on Control 4 and is concerned with increased awareness and defense of the network boundary. To defend the boundary you must be aware of what traffic goes through all network segments. Change control procedures that are strictly followed are also an important step toward successfully implementing this control.

What can be done and where do you start implementing this control to monitor and better manage the boundary defenses?

Good Ingress and Egress filtering must be in place. What traffic is allowed into your network is just as important as what is allowed to leave your network. Blacklist known bad sites. Whitelist approved business sites. Once this is done, a careful analysis of what remains will be fruitful.

What if your business does no business with foreign countries? Filters at the router can be added that will deny inbound and outbound communication with IP addresses assigned to these nations. The Internet Assigned Numbers Authority (IANA) provides a listing of Top Level Domains.

AfriNIC : Africa, portions of the Indian Ocean
: Portions of Asia, portions of Oceania
ARIN : Canada, many Caribbean and North Atlantic islands, and the United States
LACNIC : Latin America, portions of the Caribbean
RIPE : Europe, the Middle East, Central Asia

Always send alerts of successful logins and policy changes to every member of the security team.

Monitor aggregate data from your NIDS to look for trends or new hosts. A fast and free way to do this is with Security Onion. This is a Linux distribution that is pre-installed and configured with Snort, Sguil, Squert and many more tools and was created by Doug Burks.

SANS AuditCast 1, Auditing Routers and Switches with Nipper with David Hoelzer gives practical advice and show notes on performing an audit on network equipment.

Security zones that are based on the different types of traffic that traverse your network must be created and diligently maintained. All other things being equal, this will help validate that your security efforts are focused on the right network segments.

Thursday, June 23, 2011

Control 4 - Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches

Control 4 is similar to Control 3 in that it is concerned with maintaining a secure configuration. This time the focus is on network devices.

What is the last thing you did on your network devices? Likely it was add a rule to permit a new traffic flow. When was the last time you made sure the configuration is exactly what you expected?

Where to start?
Several authoritative hardening guides exist and are freely available. Choose one of the below and plan to spend a few hours making sure your network device configurations are secure.

  • CheckPoint Firewall Benchmarks
  • Cisco Device Benchmarks
  • Juniper Device Benchmarks
  • Network Device Benchmarks
  • Novell Netware Benchmarks
  • Wireless Network Devices Benchmarks

What else?

Always maintain an updated network diagram. I know. You still should.

Change control forms should be completed (with appropriate approvals) before logging in to the device.

Speaking of logging in, require two factor authentication for every device login.

Alert all administrators of all attempted logins and rule changes.

Compare the current configuration of your network devices to a known good configuration.

Saturday, June 18, 2011

Control 3 - Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Control 3 builds on the previous two controls, Inventory of Authorized and Unauthorized Devices
and Inventory of Authorized and Unauthorized Software.

The intent of this control is to develop secure configurations for your systems and monitor for any deviation from this standard. To implement this control, you must invest some manual work in creating configuration standards and then perform regular, automated comparisons against these standards using readily available tools.

The real work in this control starts by reviewing configuration guides from several expert sources. These resources have detailed guides that explain the security considerations of each setting. It is a considerable amount of effort to review these documents in detail; however, going through this process will help you better understand your system settings. It will also undoubtedly make you more aware of the importance of better protecting your systems from attackers.

Guides that will help:

Tools that will help:

Wednesday, May 25, 2011

SANS Mentor Free iPad2 offer through May 31

The SANS Mentor Program is offering a FREE iPad 2 with paid registrations through May 31. This offer applies to any upcoming Mentor session. What a fantastic promotion.

If you are in the Atlanta area, consider my upcoming SANS Security 401 class starting on January 24, 2012. This is a great class for people who are new to Information Security and those that have been at it for a while. I took this class after three years in security and still managed to learn a lot and round off some of my rough edges.

Tuesday, May 17, 2011

Control 2 - Inventory of Authorized and Unauthorized Software

Control 2 focuses on knowing the software that is installed on workstations and servers throughout your organization. Like Control 1, this may seem overwhelming at first. However, once you have started to gain momentum, this one should not be difficult to maintain.

Start with an initial assessment from these tools to begin the process of realizing what software is installed. An immediate benefit is knowing what plugins such as Adobe Reader and Flash Player are out of date and need to be updated.

Ways to Implement this Control:

1 - Use the software inventory report in Kaspersky Anti Virus that lists each software package and version. This is a great way to leverage an existing tool to do something new. 

2 - Software Inventory Report in Microsoft SMS or Dell Kace (KBox) that lists each software package.

3 - For Linux hosts, the Splunk *NIX app has a standard report package Latest Packages by Host that can also be automated.

These reports are good ones to send to junior team members. It will let them become involved in securing the network as they begin to gain an understanding of what software should be installed and learn from you the proper response when something unexpected is found.

Tuesday, May 10, 2011

Control 1 - Inventory of Authorized and Unauthorized Devices

The first SANS Top 20 Security Control is Inventory of Authorized and Unauthorized Devices. When you first consider this control, you may be tempted to dismiss the value of the opportunity to have near real time awareness. I encourage you to think of creative ways to lean into your existing tools to help solve the problem of knowing what is on your network at all times. The following is an attempt to give you several ways to know what is on your network using existing or no cost means.

Ways to implement this control:

1 - Use the SourceFire RNA product to provide constant automation. This is accomplished with alerts that notify on New Host and New MAC found events. It is also valuable to have an alert for an IP address change for a given MAC address.

2 - Daily network discovery scans using a tool such as nmap can also accomplish this objective. Consider a diff scan: identify all hosts in a baseline scan and then, in subsequent scans, report just the new hosts identified going forward. Depending on the complexity of the network, multiple scanners may need to be deployed for complete coverage.

3 - Use a standard naming convention for your host names. Should a host that does not match the naming appear on the network, it will be noticed more readily.

4 - Seek out the person responsible for purchasing new computers. Review an invoice to see if a MAC address is listed on the documents. Ask them to notify you about new purchases going forward.
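The diff scan from step 2, producing the same three alerts step 1 gets from RNA (new host, new MAC, IP change for a known MAC), as an added example that is not part of the original post. The two nmap -sn outputs are constructed in nmap's normal output format, not captured from a real network, and the host names and addresses are placeholders.

```python
"""Added example: diff two nmap -sn runs (constructed output, normal format)
and report new hosts, new MAC addresses and MACs that changed IP address."""
import re

BASELINE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-09 06:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for ws-acct-07.corp.example (192.168.1.20)
Host is up (0.0023s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Dell)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.10 seconds
"""

TODAY_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-10 06:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for ws-acct-07.corp.example (192.168.1.21)
Host is up (0.0020s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Dell)
Nmap scan report for 192.168.1.77
Host is up (0.0150s latency).
MAC Address: DE:AD:BE:EF:00:42 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.31 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")


def parse_scan(text):
    """Return {ip: {"name": hostname_or_None, "mac": mac_or_None}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = {"name": m.group(1), "mac": None}
            continue
        m = MAC_RE.match(line)
        if m and current:  # MAC line belongs to the most recent host
            hosts[current]["mac"] = m.group(1)
    return hosts


def diff_scans(baseline, today):
    """New IPs, new MACs, and known MACs whose IP changed since the baseline."""
    old, new = parse_scan(baseline), parse_scan(today)
    old_by_mac = {h["mac"]: ip for ip, h in old.items() if h["mac"]}
    new_hosts = sorted(set(new) - set(old))  # a moved host also appears here
    new_macs, moved = [], []
    for ip, h in new.items():
        if not h["mac"]:
            continue  # no layer-2 data (remote segment); IP-only comparison
        if h["mac"] not in old_by_mac:
            new_macs.append(h["mac"])
        elif old_by_mac[h["mac"]] != ip:
            moved.append((h["mac"], old_by_mac[h["mac"]], ip))
    return {"new_hosts": new_hosts, "new_macs": sorted(new_macs), "moved": moved}
```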

It is hard to argue that knowing what is on your network is critical to the success of your information security program. It is just as important to do this with automation. With an automated means to know what is on your network, it would be easier to determine if it is authorized. Or not. Take steps this week towards implementing this control and enhance your continuous monitoring capabilities.

Monday, April 25, 2011

SANS National CyberSecurity Innovation Conference

Last week I had the opportunity to attend and participate in a panel discussion at the first SANS National CyberSecurity Innovation Conference in Washington, DC. While there I was able to learn from other security practitioners representing a wide array of industries, each describing how they are securing their networks in creative ways. More often than not, success was achieved by leveraging existing tools and capabilities.

One of the more compelling topics was the Department of State implementation of the SANS Top 20 Security Controls. It was noteworthy that the Department of State was able to achieve an 85% decrease in vulnerabilities in the first year. What else are you doing that has this success rate?

SANS provides several resources to help understand and implement these controls, which ultimately provide the basis for continuous monitoring capabilities. There have been several webcasts on the Top 20 Controls. The most recent featured James Tarala who led a discussion on how a SIEM product can help implement these controls. Other resources are case studies, the Security 440 two day class and Security 566, a five day class on understanding and implementing these controls.

Thursday, April 21, 2011

Book Review: Linchpin

Linchpin by Seth Godin is one of the best books I have read. It gives the formula necessary to become the most valued member of an organization and not just a cog in the wheel. What follows are two of my favorite direct quotations from this book, sprinkled with my commentary.


"When you give something away, you benefit more than the recipient does. The act of being generous makes you rich beyond measure, and as the goods or services spread through the community, everyone benefits". I have found this to be so incredibly true in my life. I believe there is nothing more valuable than giving your time and resources to someone who cannot possibly return the favor.

"You can either fit in or stand out. Not both". I bet you can easily recall many examples where this is true. Think about it and choose wisely. A lot depends on your selection.

Saturday, April 2, 2011

Get Wisdom as Cheaply as You Can

New details have emerged about the now famous RSA APT incident. As posted on their Security Blog and as mentioned on the SANS Internet Storm Center, it was disclosed that the incident started by phishing emails that contained a malicious attachment. This allowed the attacker to establish a foothold inside the organization.

What about your organization? How can you remain diligent given the details released from this attack?

1 - Use existing management tools to make sure all third party software stays up to date.

2 - Educate your users about the risks inherent in the information they post to social networking websites.

3 - Remind your users not to open suspicious email and attachments.

4 - Continue to monitor the network for new or abnormal traffic flows.

5 - Continue to harden systems using CIS and NIST guidelines. Monitor for any deviations.

6 - Intentionally invite your users to let you know if something seems strange. Anything at all.

Monday, February 14, 2011

Book Review: Failure Is Not an Option: Mission Control from Mercury to Apollo 13 and Beyond

Today I finished reading "Failure Is Not an Option: Mission Control from Mercury to Apollo 13 and Beyond" by Gene Kranz, former Flight Director at NASA. The book provides a historical account of how NASA delivered on the promise made by President John F. Kennedy to land a man on the moon and return him back safely to the Earth.

The majority of the book is focused on how the space program and technologies were created and implemented to support this bold initiative. It is easy to watch a spacecraft launch and landing and be impressed. What was previously lost on me was the amount of effort that led up to that point and the continual, real-time problem solving needed for each mission. I was previously unaware of the depth of knowledge required of the Mission Controllers and how closely they trained with the astronauts.

I remember launching model rockets myself in the 7th grade and often wondered how the real rockets worked and how everything seemed to magically come together. This book answers that question and gives insight into how it was all possible.

My favorite quote from the book occurs close to the end. I believe it accurately and without wasting words summarizes the race to the moon: "...the mark of a champion is the ability to thrive in tough times". Well said, sir. I agree that it requires no effort to celebrate success during the easy times. Times when it naturally comes together without stretching yourself or others. Those who make an impact on future generations are the ones who are able to, against insurmountable odds, embrace the challenge and achieve success in the worst possible situations.

This is an excellent book on teamwork and on working on and solving seemingly intractable problems. Problems that need immediate attention and do not always come with a guarantee of success. I believe there are lessons from this book that can be applied to circumstances in our lives today:

  • Overwhelming preparedness to perform your daily duties.
  • Trust in the ability of your to deliver sound results.
  • The value and joy of working toward a goal that is as big, or bigger than your ability to achieve alone.

The book ends with a plea for the United States to resume an international leadership role in space. Only time will tell if and when this will ever occur.

Monday, January 3, 2011

How do you do, Auditpol?

What if there were an alternative to using the Local Security Policy to set the options needed to support your security policy? Starting with Windows 7 and 2008 there is a new, perhaps even better way, Auditpol, that offers much more granularity.

The full explanation of this setting is:

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories.  Setting audit policy at the category level will override the new subcategory audit policy feature.  To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.

To enable this option, visit Local Security Policy --> Local Policies --> Security Options --> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. By default this option is not enabled.

Auditpol is strictly a command line tool that is invoked by typing, you guessed it, Auditpol. It has several switches that allow you to display, set, clear, back up and restore these settings.

The best way to become comfortable with the use of auditpol is to try it out on a test system.

0) Enable the Audit Setting above
1) Open the Command Prompt as Administrator
2) Clear any existing settings with Auditpol /clear
3) Run the following command to view the current auditpol settings - Auditpol /get /category:*
4) Configure the settings that support your Security Policy
5) Run the following command to view the new Auditpol settings - Auditpol /get /category:*

Sure, this is nice, but what if you have more than one server?

Glad you asked.

The backup option can be used to export the Auditpol settings to a csv or txt file - Auditpol /backup /file:C:\Windows\policy.txt. This can be used to back up the settings from one server and restore them to another.

Take a look at the output file in a text editor. The first field is obviously the hostname. If you are comfortable with the security settings, simply replace the original server name with the new server name and deploy the Auditpol settings. This will certainly save time over building each setting in the command line. It would save even more time to replace the value of the hostname field with localhost.

With this change in place, the policy can be saved and then imported very quickly. To import the audit policy, enter the command - Auditpol /restore /file:C:\Windows\policy.txt. Now these granular security settings are applied without having to go through the meticulous steps via the command line. If you are using Group Policy, you can also use it to deploy and enforce auditpol settings in your domain.
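The hostname-to-localhost trick above, plus a comparison of a second server's export against the known-good one, as an added example that is not part of the original post. It assumes the column layout of the header that auditpol /backup writes (Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting, Setting Value); the server names, subcategory GUIDs and values are constructed placeholders, not a real export.

```python
"""Added example: rewrite the Machine Name field of an auditpol /backup
export to localhost so /restore applies anywhere, and report subcategories
whose inclusion setting drifted from the known-good export. The exports
below are constructed; the GUIDs are placeholders, not real subcategory IDs."""
import csv
import io

HEADER = ("Machine Name,Policy Target,Subcategory,Subcategory GUID,"
          "Inclusion Setting,Exclusion Setting,Setting Value")

# Constructed baseline export from the hardened reference server.
BASELINE_EXPORT = HEADER + """
SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,,3
SRV01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,,1
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},Success and Failure,,3
"""

# Constructed export from a second server whose settings were changed by hand.
CURRENT_EXPORT = HEADER + """
SRV02,System,Logon,{00000000-0000-0000-0000-000000000001},Success,,1
SRV02,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,,1
SRV02,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},No Auditing,,0
"""


def read_export(text):
    """Parse an export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def make_portable(text, target="localhost"):
    """Rewrite Machine Name on every row; all other columns are kept as-is."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER.split(","), lineterminator="\n")
    writer.writeheader()
    for row in read_export(text):
        row["Machine Name"] = target
        writer.writerow(row)
    return out.getvalue()


def policy_drift(baseline_text, current_text):
    """{subcategory: (expected, actual)} for rows whose Inclusion Setting
    differs from the baseline; rows the baseline lacks are flagged too."""
    expected = {r["Subcategory GUID"]: r for r in read_export(baseline_text)}
    drift = {}
    for r in read_export(current_text):
        ref = expected.get(r["Subcategory GUID"])
        if ref is None:
            drift[r["Subcategory"]] = ("<not in baseline>", r["Inclusion Setting"])
        elif ref["Inclusion Setting"] != r["Inclusion Setting"]:
            drift[r["Subcategory"]] = (ref["Inclusion Setting"], r["Inclusion Setting"])
    return drift
```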

I have not yet determined why the settings you make in Auditpol do not show up in the Local Security Policy. I did spend way too much time confirming these settings are not the same. Perhaps the answer is in the original phrase "override audit policy category settings".