Security Ever After: 2012

Saturday, December 22, 2012

Scheduled Maintenance

I spent some time this week on car maintenance. My 1999 Honda Accord with 225,000 miles has never given me any trouble and I credit that to regular maintenance. To help make sure I reach my goal of 300,000 miles, I created regular reminders on my calendar to perform such tasks as changing the oil and rotating the tires.

A similar reminder can be used to make sure your home computer systems are running as they should. What can be on your calendar reminder? Consider using the Qualys Browser Check plugin each month to make sure each of your browsers and their associated plugins remain updated. Steps on how to use this tool can be found on the STI website.

What are you doing regularly to keep your computers running smoothly?


Monday, December 17, 2012

What if Tomorrow Was the Day? - Repost

I recently had my first guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to be better prepared for your next computer security incident.

Saturday, December 1, 2012

SANS Security 566 in Atlanta

I will be leading the SANS Security 566 Implementing and Auditing the Twenty Critical Security Controls - In-Depth course in Atlanta starting February 6, 2013. Mentor style.

You can view a FREE preview of this course on the SANS website. You can also review the 20 Security Controls, which are listed in detail on the SANS website.

I have personally used the materials from this course to develop and implement a continuous monitoring capability for several organizations. This course was inspired by the successful work of the US Department of State.

Atlanta Perimeter Hotel and Suites
formerly: W Atlanta Perimeter
111 Perimeter Center West
Atlanta, GA

Meeting Dates:
February 6, 2013 until April 10, 2013

6:30 PM - 8:30 PM

Mentor classes run for 10 weeks, one evening a week for two hours

Tuesday, June 26, 2012

SANS Security 504 Comes to Atlanta

I will be leading a SANS Security 504 - Hacker Techniques, Exploits & Incident Handling course in Atlanta starting September 5th. Mentor style.

You can preview a FREE Excerpt of this course on the SANS Website.

Register using the special promo code of SHARK12 and only spend $2500 for this course!

Atlanta Perimeter Hotel and Suites
formerly: W Atlanta Perimeter
111 Perimeter Center West
Atlanta, GA

6:30 PM - 8:30 PM

Meeting Dates:
September 5th through November 7th 
Mentor classes run for 10 weeks, one evening a week for two hours

Monday, June 18, 2012

Atlanta OWASP June Meeting - New Location

The Atlanta OWASP chapter will meet this Thursday night, June 21st at 6:00pm.

We are excited to announce that this meeting will occur at the Dell SecureWorks headquarters at One Concourse Pkwy, Suite 500, Atlanta, GA 30328.
Please use the following link to RSVP.

This month we will welcome Rohit Sethi as our guest speaker. Rohit is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.
Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance. Neither option is particularly appealing.

This talk is an open discussion about the presence, if any, of scalable, measurable approaches to integrating security into the SDLC. Consideration of how Agile development affects their effectiveness will be explored.

Points of discussion will include:
- Is static analysis sufficient?
- Developer awareness training
- Threat modeling / architecture analysis
- Secure requirements
- Considerations for procured applications

Tuesday, June 5, 2012

SANS@Night Community Evenings in Augusta

SANS invites you to join two special complimentary SANS@Night sessions during Community SANS Augusta. Please plan to join us on Monday June 11 or Thursday June 14 (or both!). These evenings will offer informative presentations as well as the opportunity to network with other like-minded security professionals from the Augusta community, including ISSA members and SANS attendees.
Earn some CPEs, get great SANS content!

RSVP for either event to coins@sans.org
(include "Augusta" in the subject line)

Registration is still available for our live 6-day classes at Community SANS Augusta! Visit www.sans.org/community to learn more.

Russell Eubanks
"20 Critical Controls"
A consensus of defensive and offensive security practitioners developed the SANS 20 Security Controls. In their implementation of this program, the United States Department of State demonstrated an 85 percent reduction in vulnerabilities in the first year alone. Small businesses can use practical and often no cost ways to leverage existing security and administration tools to bolster their information security posture. Each control is paired with pragmatic ways for small business to rapidly deploy a continuous monitoring program. By leveraging and leaning into existing tools, the small business can develop a robust continuous monitoring program that is positioned to better recognize and respond to threats.

Doug Burks
"Security Onion"
Traditional Intrusion Detection Systems (IDS) can be costly, difficult to install, and may not provide all the capabilities that you need to defend your network. Network Security Monitoring (NSM) combines traditional IDS alerts with additional data to give you a more complete picture of what's happening on your network. This presentation will demonstrate how to deploy NSM in just a few minutes using a free Linux distro called Security Onion.

Thursday, June 14
7:00 to 9:00 pm

Jacob Williams
"Cloud Forensics: The elephant in the room"
The cloud is here, and it appears to be here to stay. There is little doubt that mass migration to the cloud will continue by companies large and small alike. Every time I check my favorite news feeds, I see another eye catching article about a) how to implement cloud security or b) how security in the cloud can't be achieved. People however avoid the elephant in the room: forensics. No matter how good our security is, incidents can and will happen. When they do, we jump to our forensics teams to help us make sense of it all and prosecute the offenders. But what process will they use to gather evidence? Has it been validated by the courts, or even industry as an accepted best practice? Hint: you can't use a hardware write blocker on a cloud "drive" since it isn't a physical drive at all.
In this talk we'll consider the implications of forensics "in the cloud" as well as offer some suggested best practices for performing forensic acquisition of assets located in the cloud. We'll also discuss some things to look for (from a forensic perspective) when selecting a Cloud Service Provider (CSP). Even if you aren't directly involved in forensics, this knowledge is a must in understanding what questions to ask when selecting a CSP so you can set correct managerial expectations when the inevitable incident occurs.

Monday, May 28, 2012

Atlanta OWASP May Meeting

The Atlanta OWASP Chapter is holding its next meeting this Thursday night at the EarthLink Building. Those who are unable to physically attend can still participate by using a GoToMeeting session for this event.

The featured speakers this month are Rob Ragan and Oscar Salazar of Stach & Liu. Rob and Oscar are accomplished penetration testers and will present on the topic of Attack Chaining: Advanced Maneuvers for Hack Fu. Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact.

Chained attacks are far more complex and far more difficult to defend against. Rob and Oscar will explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Please sign up on both the OWASP and Meetup websites to always be reminded about our upcoming meetings!

Tuesday, March 20, 2012

OWASP Atlanta March Meeting

The next Atlanta OWASP meeting is this Thursday at the WiPro office. The meeting will be presented and sponsored by Trustwave. This month's topic will be metrics from their latest research on web-based threats. Their research was recently completed and will be unveiled at your Atlanta OWASP chapter this Thursday. Thanks to Trustwave for sponsoring the event and the professional social afterward for those who can attend.

More information can be found on the OWASP Meetup page. If you haven't joined, you're missing out, as it's the primary place where meetings are announced and where you can control your RSVP status for future events.

Hope to see you all there this Thursday!

Thursday, January 26, 2012

Sweet Spot - Minimize the Number of Users with Domain or Local Administrator Privileges

Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only appropriately trained and fully accountable people have and maintain administrative access on your systems? This effort must start with an accurate inventory of every account with elevated access, and that inventory must be strictly maintained. The change control board should approve every new account that requires persistent administrative access. Maintaining strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access. Allow those with administrative rights to participate in the on-call rotation.

Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as on workstations and individual server types. Reinforce this practice by requiring more frequent password expiry and stricter complexity rules for these elevated access accounts.

Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and email usage should never be permitted from accounts that have elevated access. The damage that could occur is much greater than the convenience gained by allowing a system administrator to check their Twitter account.

Where feasible, require all administrative access to be achieved by elevating from a regular user account. One way to facilitate this is to create a Microsoft Management Console (MMC) that includes all tools needed for administration and open it with a Run As command that uses the credentials of the elevated account. The Windows command prompt can also be run as another user by right-clicking the icon and selecting the Run As option.

Accurately and promptly recording and distributing all activities performed by members of elevated access groups, as found in system and security logs, helps determine how those accounts are used and increases accountability. Configure an automated report that lists all administrative activities from the previous day and sends it daily to the entire team.

Look for default accounts on workstations and servers that can be removed or disabled. It is up to you to explain and justify every account on your system. The faster you can identify new accounts on the system, the better. The underlying goal must be to do everything in your power to keep untrained or unauthorized people from gaining administrative access on your networks or systems.

Send automated alerts on any change or attempted change to any group whose membership grants elevated access. Also produce daily alerts and reports of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire.

Use the log review solution to create automated alerts for any new account, any new administrator access, and any account lockout. At a minimum you will be able to provide better customer service by knowing about accounts that need to be unlocked. These same alerts can also serve as indications and warnings of an attack.

Splunk is an example of a log review and consolidation tool. It compiles all system, device and application logs into one place and provides a Google-like search interface into them. Searches can be created, refined and scheduled to run at regular intervals, and configured to send an alert if the number of results from the scheduled search is greater than zero. This is a low-cost way to get wisdom as cheaply as you can.
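The alerts described above (privileged group membership changes, new accounts, lockouts, and the "fire if the result count is greater than zero" rule) as an added example that is not part of the original post. The event records are constructed in a simple key=value form rather than captured from a real system; the Windows event IDs are the documented ones, and the privileged group list is an assumption to tailor to your own domain.

```python
"""Flag privileged-group changes, new accounts and lockouts in Windows security events."""
import re

# Groups whose membership grants elevated access (assumed list; tailor to your domain)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Documented Windows security event IDs of interest
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
ACCOUNT_CREATED = 4720
ACCOUNT_LOCKED_OUT = 4740

# Constructed sample records (not real log data); one event per line
SAMPLE_LOG = """\
EventID=4624 Subject=alice Target=alice Group=- Host=WS01
EventID=4728 Subject=bob Target=eve Group="Domain Admins" Host=DC01
EventID=4732 Subject=bob Target=svc_backup Group="Sales" Host=SRV02
EventID=4720 Subject=carol Target=newhire Group=- Host=DC01
EventID=4740 Subject=- Target=alice Group=- Host=DC01
EventID=4756 Subject=dave Target=dave Group="Enterprise Admins" Host=DC01
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value record into a dict; quoted values may contain spaces."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["EventID"] = int(fields["EventID"])
    return fields

def find_alerts(log_text):
    """Return (severity, event_id, message) tuples for events worth paging on."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev["EventID"]
        if eid in GROUP_ADD_EVENTS and ev["Group"] in PRIVILEGED_GROUPS:
            # An actor adding their own account is the most suspicious form
            sev = "CRITICAL" if ev["Subject"] == ev["Target"] else "HIGH"
            alerts.append((sev, eid, f"{ev['Subject']} added {ev['Target']} to {ev['Group']} on {ev['Host']}"))
        elif eid == ACCOUNT_CREATED:
            alerts.append(("MEDIUM", eid, f"{ev['Subject']} created account {ev['Target']} on {ev['Host']}"))
        elif eid == ACCOUNT_LOCKED_OUT:
            alerts.append(("LOW", eid, f"account {ev['Target']} locked out on {ev['Host']}"))
    return alerts

def should_notify(alerts):
    """Mirror the scheduled-search rule: notify when the result count exceeds zero."""
    return len(alerts) > 0

if __name__ == "__main__":
    for sev, eid, msg in find_alerts(SAMPLE_LOG):
        print(f"[{sev}] {eid}: {msg}")
```

The ordinary logon (4624) and the addition to a non-privileged group are dropped, so a daily run over a quiet day produces no notification at all.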