Security Ever After: October 2011

Sunday, October 16, 2011

Security By Design

The Atlanta ISSA chapter, along with the Atlanta Society of Digital Forensics and eDiscovery, the Society of Industrial Security Professionals and the Atlanta OWASP chapter are hosting the Security By Design Conference on November 8 and 9. The conference schedule includes 7 tracks that run on both days and also features a special event on both nights. Registration remains open.

Sweet Spot - Patch Operating Systems

Microsoft Windows Server Update Services (WSUS) provides automated patching of Microsoft operating systems and products. The WSUS administrator can select categories of patches and schedule their installation. Also included is a reporting feature that can send daily reports via email to administrators, notifying them of new patch releases and the status of their installation across the organization. This is valuable not only to the security team but also to system administrators. It is easily configurable and may lead to an increased awareness of the importance of patching.

After patches are applied, verify outside the patching tool that they have actually been installed. Look for clues such as registry values, the list of installed programs and the time of the last system reboot to help measure the effectiveness of this control.

A free and automatable way to check for the patches is to use the built-in Windows tool wmic. A wonderful resource on practical and entertaining ways to use wmic is the blog Command Line Kung Fu. Use wmic to perform the checks below to help ensure updates are applied as they are delivered. Wmic is an excellent complement to WSUS, as these commands can be scripted and run regularly.

·      wmic os get lastbootuptime shows the exact time of the last system reboot
·      wmic os list brief shows the current version of Windows
·      wmic qfe list brief shows the Microsoft patches that are installed
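As an added example (not code from the original post or from Microsoft), the following PowerShell script wraps the three wmic checks above so they can run unattended from a scheduled task and flag hosts where WSUS's report and the host's own state disagree. The KB identifiers in $ExpectedKBs and the 30-day reboot threshold are placeholders and assumptions chosen for the example; replace them with the patches your WSUS report says were approved and a reboot age that fits your patch cycle. On newer Windows releases the same data is available through Get-HotFix and Get-CimInstance, and wmic itself has since been deprecated, but the output parsed here is what wmic produces.

```powershell
# Added example, not from the original post: verify patch state outside WSUS
# using the wmic commands listed above. Intended for a scheduled task on the
# host being checked; exits non-zero when something needs a human to look.

# PLACEHOLDER KB identifiers (not real patch references). Replace with the
# KBs your WSUS report says were approved for this machine.
$ExpectedKBs = @('KB0000001', 'KB0000002')

# ASSUMPTION: a host that has not rebooted in more than 30 days has probably
# not finished applying a monthly patch cycle. Tune to your own schedule.
$MaxDaysSinceReboot = 30

# --- OS version and last reboot ------------------------------------------
# /format:list prints Name=Value lines; wmic also emits blank lines and a
# trailing carriage return per line, which the filter and Trim() remove.
$osInfo = @{}
wmic os get Caption,Version,LastBootUpTime /format:list |
    Where-Object { $_ -match '=' } |
    ForEach-Object {
        $name, $value = $_.Trim() -split '=', 2
        $osInfo[$name] = $value
    }

# WMI dates look like yyyyMMddHHmmss.ffffff+zzz; convert to a local DateTime.
$lastBoot  = [System.Management.ManagementDateTimeConverter]::ToDateTime($osInfo['LastBootUpTime'])
$daysSince = [int]((Get-Date) - $lastBoot).TotalDays

# --- Installed hotfixes ---------------------------------------------------
# /format:csv yields a header row plus one row per hotfix (first column is Node),
# which ConvertFrom-Csv turns into objects with HotFixID and InstalledOn.
$hotfixes = wmic qfe get HotFixID,InstalledOn /format:csv |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv

$installed = @($hotfixes | ForEach-Object { $_.HotFixID.Trim() })

# --- Compare the host's own view against what WSUS claims was approved ---
$missing = @($ExpectedKBs | Where-Object { $installed -notcontains $_ })

# --- Report ---------------------------------------------------------------
$problems = 0
"Host:        $env:COMPUTERNAME"
"OS:          $($osInfo['Caption'].Trim()) ($($osInfo['Version'].Trim()))"
"Last reboot: $lastBoot ($daysSince days ago)"
"Hotfixes:    $($installed.Count) installed"

if ($daysSince -gt $MaxDaysSinceReboot) {
    "WARNING:     no reboot in $daysSince days; pending patches may not be active"
    $problems++
}
if ($missing.Count -gt 0) {
    "MISSING:     $($missing -join ', ')"
    $problems++
} else {
    "All expected KBs are present."
}

# Non-zero exit lets the scheduled task or a central collector flag this host.
exit $problems
```

Run it under an account that can query WMI on the host; when collecting from many machines, ship the output to a central share so it can be diffed against the WSUS daily report rather than read host by host.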

Another free tool, Microsoft Baseline Security Analyzer (MBSA), can be used to help determine the security status of Windows operating systems. It can be run from the graphical or command-line interface and can show previous test results for comparison purposes.

Saturday, October 15, 2011

Find Your Sweet Spot

Version 3 of the SANS 20 Security Controls incorporates work led by the Australian Defence Signals Directorate, which developed and prioritized 35 Mitigation Strategies to prevent targeted computer attacks. Four of these are listed as mandatory and are known as the Sweet Spot.

These are Patch Applications, Patch Operating Systems, Minimize the number of users with domain or local administrator privileges, and Application Whitelisting. These areas will be explored in detail; they are a means of getting wisdom as cheaply as you can.

Sunday, October 9, 2011

Security B-Sides Atlanta

The Security B-Sides Atlanta unconference is back. On November 4, all of your local and not-so-local security friends will be back at Think Inc, located at 1375 Peachtree St. Suite 600, Atlanta, Ga.

Registration is now OPEN and, true to Security B-Sides, the admission price is affordable for everyone.

Friday, October 7, 2011

Control 20: Security Skills Assessment and Training to Fill Gaps

Is your team well trained, or does it lack the fundamental, and often the advanced, skills needed to do its job? Are there team members who are the only ones who know certain functions? What happens when they are unavailable, for good reasons or bad ones? Several avenues for acquiring training are available.

Many large cities have some or all of the following security-focused groups that foster community and learning new concepts. Attend these meetings and become more involved in the security community.

•    OWASP
•    InfraGard
•    NAISG
•    Defcon
•    Security B-Sides

Do not dismiss the value of setting up a home lab, whether from old equipment or from virtual machines and ISO distributions, to practice hacking and defending your home network. The skills acquired away from work are often the skills that make the biggest difference.

Tuesday, October 4, 2011

Control 19: Data Recovery Capability

Develop a written plan that identifies all business owners and the processes needed by them to restore normal operations. Interview the business owners to better understand the dependencies needed to do their normal activities.

Conduct annual tabletop exercises with each business process owner. Use mock scenarios that consider availability loss of people, facilities and technology. Identify and document any gaps identified in the exercise and invite the business process owner to determine if they should be corrected or accepted. Working through this process will help engage the business units as they focus on recovering their operation to a normal state.

Test backup and restore operations on a regular and recurring basis. Create specific procedures that walk the user through how to manually back up and restore data. Just as with incident response, this work often occurs during high-pressure moments, and a written procedure helps ensure critical steps are not missed. Document estimated recovery times for systems and applications. Strive to identify anything that has the potential to keep a recovery from being successful.