Security Ever After: May 2011

Wednesday, May 25, 2011

SANS Mentor Free iPad2 offer through May 31

The SANS Mentor Program is offering a FREE iPad 2 with paid registrations through May 31. This offer applies to any upcoming Mentor session. What a fantastic promotion.

If you are in the Atlanta area, consider my upcoming SANS Security 401 class starting on January 24, 2012. This is a great class for people who are new to Information Security and for those who have been at it for a while. I took this class after three years in security and still managed to learn a lot and round off some of my rough edges.

Tuesday, May 17, 2011

Control 2 - Inventory of Authorized and Unauthorized Software

Control 2 focuses on knowing the software that is installed on workstations and servers throughout your organization. Like Control 1, this may seem overwhelming at first. However, once you have started to gain momentum, this one should not be difficult to maintain.

Start with an initial assessment from the tools below to begin the process of learning what software is actually installed. An immediate benefit is knowing which plugins, such as Adobe Reader and Flash Player, are out of date and need to be updated.

Ways to Implement this Control:

1 - Use the software inventory report in Kaspersky Anti-Virus that lists each software package and version. This is a great way to leverage an existing tool to do something new.

2 - Use the software inventory report in Microsoft SMS or Dell KACE (KBox) that lists each software package.

3 - For Linux hosts, the Splunk *NIX app has a standard report, "Latest Packages by Host", that can also be automated.

These reports are good ones to send to junior team members. Reviewing them lets them become involved in securing the network as they gain an understanding of what software should be installed and learn from you the proper response when something unexpected is found.

Tuesday, May 10, 2011

Control 1 - Inventory of Authorized and Unauthorized Devices

The first SANS Top 20 Security Control is Inventory of Authorized and Unauthorized Devices. When you first consider this control, you may be tempted to dismiss the value of the opportunity to have near real-time awareness. I encourage you to think of creative ways to lean on your existing tools to help solve the problem of knowing what is on your network at all times. The following is an attempt to give you several ways to know what is on your network using existing or no-cost means.

Ways to implement this control:

1 - Use the SourceFire RNA product to provide constant automation. This is accomplished with its New Host and New MAC Found alerts. It is also valuable to have an alert for an IP address change on a given MAC address.

2 - Daily network discovery scans using a tool such as nmap can also accomplish this objective. Consider an initial scan to identify all hosts, then diff each subsequent scan against it so that only newly identified hosts are reported going forward. Depending on the complexity of the network, multiple scanners may need to be deployed for complete coverage.

3 - Use a standard naming convention for your host names. Should a host that does not match the naming appear on the network, it will be noticed more readily.

4 - Seek out the person responsible for purchasing new computers. Review an invoice to see if a MAC address is listed on the documents. Ask them to notify you about new purchases going forward.
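One way to script the diff scan from item 2, as an added example that is not code from the original post: a cron-able POSIX shell script that runs nmap's ping sweep in grepable output, compares it with the previous baseline, and prints only the addresses that were not seen before. The NET and INVENTORY_DIR values are placeholders, and the grepable line format in the comments is the one nmap -oG produces for a host that answered.

```shell
#!/bin/sh
# Added example (not from the original post): daily nmap ping sweep whose
# grepable output is diffed against the previous baseline so that only newly
# seen hosts are reported. NET and INVENTORY_DIR are placeholders.
set -eu

NET="${NET:-192.0.2.0/24}"                        # placeholder scan range
INVENTORY_DIR="${INVENTORY_DIR:-/var/lib/inventory}"

# Print the sorted, de-duplicated addresses of hosts that answered, taken
# from an nmap -oG (grepable) file. Such lines look like:
#   Host: 192.0.2.10 (fileserver.corp)	Status: Up
# Comment lines ("# Nmap ...") and hosts reported Down are ignored.
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Print addresses present in scan $2 that were absent from baseline $1.
# comm(1) needs sorted input, which up_hosts guarantees.
new_hosts() {
    old=$(mktemp)
    new=$(mktemp)
    up_hosts "$1" > "$old"
    up_hosts "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Run today's sweep, report new hosts, and promote today's scan to baseline.
# Requires nmap and a scanner with a reachable path to every subnet.
daily_scan() {
    today="$INVENTORY_DIR/scan-$(date +%F).gnmap"
    baseline="$INVENTORY_DIR/baseline.gnmap"
    mkdir -p "$INVENTORY_DIR"
    nmap -sn -oG "$today" "$NET" > /dev/null
    if [ -f "$baseline" ]; then
        new_hosts "$baseline" "$today"   # one address per line; empty if nothing new
    else
        echo "No baseline yet; today's scan becomes the baseline" >&2
    fi
    cp "$today" "$baseline"
}

# Only sweep when explicitly asked, so the functions can be sourced on their own.
if [ "${1:-}" = "run" ]; then
    daily_scan
fi
```

Run it as `sh inventory.sh run` from cron and route the output to a ticket or mailbox; an address that shows up there is either a purchase you already know about or something to go look at.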

It is hard to argue against the idea that knowing what is on your network is critical to the success of your information security program. It is just as important to do this with automation. With an automated means of knowing what is on your network, it becomes much easier to determine whether a device is authorized. Or not. Take steps this week towards implementing this control and enhance your continuous monitoring capabilities.