Security Ever After: 2015

Saturday, December 12, 2015

What Signs Are You Missing?

I recently posted the below on the SANS Internet Storm Center.

While recently listening to a presentation, I found my attention drawn to a metal water container at the center of the conference room table. Condensation was all around it and without ever having to interact with the container, I found there were many properties that were easily observable to everyone nearby.

  • The container had not been used for hours

  • The liquid in the container was colder than the room temperature

  • The amount of liquid in the container could be observed from a distance

In a very unexpected and non-technical way, this container caused me to think about the effectiveness of information security controls. What follows are several non-traditional ideas that can help security professionals know when a change in status has occurred. These approaches, when employed, serve to increase confidence in capabilities that are often very technical.

  • Log file status - How long would it take to determine that logs from a critical system are no longer being generated and sent to the syslog server?

  • Baselines - How long would it take to recognize there was “configuration drift” on critical systems? 

  • Log file size - What is the average daily size of security logs on critical systems? 

  • Clipping levels - How long would it take to recognize that too much or too little of something very important has occurred? An example is looking at the number of transactions an employee performed during a day to help answer the questions of whether they showed up to work and how their performance compared against others who perform the same job.
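As an added example (not part of the original post), the following script turns three of the signs above (log file status, log file size and clipping levels) into checks that run over a small constructed set of syslog-style events. The hosts, timestamps, baseline averages and transaction counts are all made up for illustration, and the line layout is a simplified "<timestamp> <host> <program>: <message>" form rather than any vendor's exact syslog format.

```python
"""Added example, not from the original post: three of the "signs" above
turned into checks that run over a small constructed set of syslog-style
events.

  * log file status  - a host whose newest event is older than a threshold
  * log file size    - a host whose event count for the day falls outside a
                       band around its own baseline daily average
  * clipping levels  - an account whose daily transaction count is far from
                       the peer group's median (too little or too much)
Every input here is constructed for illustration; the line layout is a
simplified "<timestamp> <host> <program>: <message>" form, not any vendor's
exact syslog format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events for one day (note erp01 goes quiet after 03:10).
SAMPLE_LOG = """\
2015-12-12T08:00:05 fw01 kernel: ACCEPT src=10.0.0.5 dst=10.0.0.9
2015-12-12T08:00:07 fw01 kernel: DROP src=198.51.100.7 dst=10.0.0.9
2015-12-12T08:01:00 dc01 security: logon user=alice result=success
2015-12-12T08:02:00 dc01 security: logon user=bob result=success
2015-12-12T03:10:00 erp01 app: txn user=carol id=100
2015-12-12T09:00:00 dc01 security: logon user=alice result=failure
2015-12-12T09:30:00 fw01 kernel: ACCEPT src=10.0.0.6 dst=10.0.0.9
"""

# Constructed expectations: which hosts must report, their usual daily
# event volume, and one day's per-account transaction counts.
EXPECTED_HOSTS = ["fw01", "dc01", "erp01", "vpn01"]
BASELINE_DAILY = {"fw01": 4, "dc01": 3, "erp01": 50}
TXN_PER_USER = {"alice": 40, "bob": 38, "carol": 2, "dave": 41, "erin": 95}


def parse(log_text):
    """Parse the simplified lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, host, prog, msg = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "program": prog.rstrip(":"), "msg": msg})
    return events


EVENTS = parse(SAMPLE_LOG)


def silent_sources(events, expected_hosts, now, max_age):
    """Log file status: return {host: minutes since its last event} for every
    expected host quiet for longer than max_age; None means never seen."""
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    silent = {}
    for host in expected_hosts:
        if host not in last_seen:
            silent[host] = None
        elif now - last_seen[host] > max_age:
            silent[host] = int((now - last_seen[host]).total_seconds() // 60)
    return silent


def volume_drift(events, baseline, low=0.5, high=2.0):
    """Log file size: compare each host's event count to its baseline daily
    average; return {host: "low"|"high"} for counts outside the band."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["host"]] += 1
    flags = {}
    for host, avg in baseline.items():
        n = counts.get(host, 0)
        if n < low * avg:
            flags[host] = "low"
        elif n > high * avg:
            flags[host] = "high"
    return flags


def clipping_level(per_user_counts, tolerance=0.5):
    """Clipping levels: flag accounts whose daily transaction count is more
    than `tolerance` (as a fraction) away from the peer median."""
    if not per_user_counts:
        return {}
    mid = median(per_user_counts.values())
    flags = {}
    for user, n in per_user_counts.items():
        if n < mid * (1 - tolerance):
            flags[user] = "low"
        elif n > mid * (1 + tolerance):
            flags[user] = "high"
    return flags


def run_checks(now=datetime(2015, 12, 12, 10, 0, 0)):
    """Run all three checks on the constructed data and return the findings."""
    return {
        "silent": silent_sources(EVENTS, EXPECTED_HOSTS, now, timedelta(hours=1)),
        "volume": volume_drift(EVENTS, BASELINE_DAILY),
        "clipping": clipping_level(TXN_PER_USER),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Run stand-alone it reports erp01 as silent for 410 minutes, vpn01 as never seen, erp01's volume as low against its baseline, and carol and erin as outside the peer band; the thresholds (one hour, half-to-double the baseline, half the median) are the tunable "clipping levels" and are deliberately simple so the logic stays visible.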

Without having to look at detailed technical information, there are signs that, when not missed, indicate something has changed. These signs will help a security professional know when security controls are no longer functioning as intended. Intentionally focusing on items like these, which are often above and beyond a required compliance checkbox, provides assurance that security controls remain effective, often at very little to no cost.

In what unexpected places have you found signs that you had previously missed? Please use the comments area to share what worked for you! 

Sunday, October 18, 2015

Security Awareness for Security Professionals

I recently posted the below on the SANS Internet Storm Center.

During Cyber Security Awareness Month (CSAM), we develop campaigns for our coworkers that attempt to encourage them to stop clicking on links and reusing their passwords. These are good reminders for us as information security professionals even though we focus on these topics during the other 11 months of the year.

Is it possible that we too can improve our security awareness during this month? Can we as security professionals use this time to “sharpen our saw” and do things that can increase our awareness of our information security programs? 

One very non-technical event caused me to consider this topic. My son found his old bicycle in the garage recently and wanted to ride it in the neighborhood. As he was getting up to speed, he suddenly and unexpectedly realized the handlebars had become disconnected. He had a firm grip on what he needed to successfully control the bike, but the handlebars were no longer effectively controlling his navigation.

With that example in mind, how aware are you of the effectiveness of your information security program? What systems do you have in place to let you know when your security posture changes? What reminders and automation do you need to create that will increase your awareness before blindly depending on your tools? By dedicating sometimes marginal effort you can develop near real-time awareness capabilities that will confirm the effectiveness of your information security program.

Below are just a few examples where increased security awareness would be very helpful to you as an information security professional.

  •  Ensure the running configurations on your network equipment have not changed
  •  Ensure you know within a few minutes when a new administrative account is added
  •  Ensure you know within a few hours if a device stops sending logs to your syslog server
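The first two items in that list, as an added example that is not part of the original post: a drift check that fingerprints a running configuration against a stored baseline and reports exactly which lines changed, and a scan of authentication-log lines for accounts being placed into an administrative group. The configuration text, the group names and the audit lines are constructed for illustration; the audit layout is a simplified one-line form, not any product's real format.

```python
"""Added example, not from the original post: two of the awareness checks
above, written against constructed data rather than real device output.

  * running-config drift: fingerprint a device's running configuration,
    compare it to a stored baseline, and when the hashes differ report
    exactly which lines were added or removed
  * new administrative account: scan authentication-log lines for events
    that place an account into an administrative group

The configuration text and the log lines are constructed for illustration;
the log layout is a simplified one-line form, not any product's format.
"""
import difflib
import hashlib
import re

# Constructed baseline captured when the device was last reviewed.
BASELINE_CONFIG = """\
hostname edge-fw01
interface eth0
 ip address 203.0.113.10/24
access-list 101 permit tcp any host 203.0.113.20 eq 443
access-list 101 deny ip any any
logging host 10.0.0.50
"""

# Constructed "current" snapshot: one rule added, log forwarding removed.
CURRENT_CONFIG = """\
hostname edge-fw01
interface eth0
 ip address 203.0.113.10/24
access-list 101 permit tcp any host 203.0.113.20 eq 443
access-list 101 permit tcp any host 203.0.113.20 eq 22
access-list 101 deny ip any any
"""


def normalize(config_text):
    """Drop blank lines and trailing whitespace so cosmetic differences do
    not count as drift; leading indentation is significant and is kept."""
    return [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]


def config_fingerprint(config_text):
    """SHA-256 over the normalized configuration; store this as the baseline."""
    body = "\n".join(normalize(config_text)).encode("utf-8")
    return hashlib.sha256(body).hexdigest()


def config_drift(baseline_text, current_text):
    """Compare current against baseline. Returns both hashes, a changed flag
    and the lines added/removed (empty lists when nothing changed)."""
    base_hash = config_fingerprint(baseline_text)
    cur_hash = config_fingerprint(current_text)
    added, removed = [], []
    if base_hash != cur_hash:
        diff = difflib.unified_diff(normalize(baseline_text),
                                    normalize(current_text), lineterm="", n=0)
        for line in diff:
            # Skip the "---"/"+++" file headers and "@@" hunk markers.
            if line.startswith("+") and not line.startswith("+++"):
                added.append(line[1:])
            elif line.startswith("-") and not line.startswith("---"):
                removed.append(line[1:])
    return {"baseline": base_hash, "current": cur_hash,
            "changed": base_hash != cur_hash, "added": added, "removed": removed}


# Constructed administrative groups and audit lines of the form
# "<timestamp> <host> audit: user=<actor> action=<verb> ...".
ADMIN_GROUPS = {"Domain Admins", "wheel"}
SAMPLE_AUTH_LOG = """\
2015-10-18T07:58:01 dc01 audit: user=svc_backup action=logon result=success
2015-10-18T08:02:14 dc01 audit: user=jsmith action=group_add group=Domain Admins target=tmp_admin
2015-10-18T08:02:20 app01 audit: user=root action=useradd target=deploy
2015-10-18T08:05:00 app01 audit: user=root action=group_add group=wheel target=deploy
2015-10-18T08:06:00 app01 audit: user=root action=group_add group=developers target=deploy
"""

GROUP_ADD = re.compile(
    r"^(\S+) (\S+) audit: user=(\S+) action=group_add group=(.+?) target=(\S+)$")


def new_admin_accounts(lines, admin_groups=ADMIN_GROUPS):
    """Return (timestamp, host, actor, group, target) for every line that
    adds an account to one of the administrative groups."""
    hits = []
    for line in lines:
        m = GROUP_ADD.match(line)
        if m and m.group(4) in admin_groups:
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    drift = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    print("config changed:", drift["changed"])
    print("  added:", drift["added"])
    print("  removed:", drift["removed"])
    for hit in new_admin_accounts(SAMPLE_AUTH_LOG.splitlines()):
        print("admin group change:", hit)
```

In practice the baseline hash and the normalized text are what you keep from the last review; the current snapshot is whatever your device export or your syslog collector hands you, and the alert is the non-empty added/removed lists, not the hash mismatch alone. Note that the removed line in the constructed data is the logging destination, which is exactly the change the third item in the list would otherwise only surface hours later as a silent log source.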

What are you personally doing to make sure that you as a security professional are most aware of the things that matter the most? Use the comments field to share what works!

Saturday, October 17, 2015

CIS Critical Security Controls - Version 6.0

I recently posted the below on the SANS Internet Storm Center.

Right in the middle of Cyber Security Awareness Month (CSAM), the Center for Internet Security (CIS) released Version 6.0 of the CIS Critical Security Controls for Effective Cyber Defense. This update incorporates significant changes that represent the latest technologies and threats faced by information security professionals. The most notable changes to the CIS Critical Security Controls are listed below and discussed at length in the archived webcast.

  • A new Control for Email and Web Browser Protections
  • Deletion of the Control on Secure Network Engineering
  • Reordering of the Controls to make Controlled Use of Administration Privileges higher in priority

I believe this update positions the CIS Critical Security Controls to remain both an actionable and relevant framework to build and sustain an effective cyber security program. Implementing them has been the catalyst to many organizations demonstrably increasing their cyber security posture. With intentional planning and focus, you can too. The following are several steps you can take right now to start or continue on your journey.

What will you do differently at your organization as a result of this update? Use the comments field to share your feedback!

Russell Eubanks

Saturday, August 1, 2015

Your Security Policy Is So Lame

I recently posted the below on the SANS Internet Storm Center.

Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well.

I personally avoided being the “policy guy” until the patience of my management had finally expired. It was truly the job that no one on the team wanted and it was my turn. My first step was pulling a security policy template book off the shelf. I remember that dust covered book very well. When working on the security policies, unexpectedly and out of nowhere it suddenly occurred to me - there is a great amount of influence when security policies are done properly. Sure, there are meetings with people who are not on your team, but working together is how anything meaningful gets done these days. I found that by working together with key business areas, security policies could be written so that more than just the auditor was interested in them.

The following are several tips and tricks you can use to make sure you move from “no good to great” security policies.

  • Do not fail to add an expiration date to your security policies. Otherwise they get stinky, just like that jar of mayonnaise in your refrigerator. This will force you to both review and update them on a regular basis or risk being embarrassed because they are out of date.

  • Do not ask anyone to memorize your security policies. Why waste time memorizing a reference document? Spend your time doing something meaningful instead, such as reviewing ways to implement the 20 Security Controls in your company.

  • Do not use your security policy as an attempt to control small and often times personal issues. Instead, make sure your security policy addresses specific risk in your organization. Without a direct mapping to risk, it will be very easy to have too many security policies scattered all over the place.

  • Do not have too many security policies. I recommend you hold up both hands right now and wiggle your fingers as you consider how many security policies you might actually need. I’ll wait.

  • Will violation of your security policy eventually lead to the policy violator realizing their opportunity to violate security policy at a different company? It should; otherwise your document is really a suggestion and not a policy.

  • Do you have your security policy stored in one single, easy-to-find location? It would be a shame to spend all that time and have no one ever read your security policies. This reminds me of that story about a tree that falls in the forest.

One of the very best security policy resources you will find is just a click away at the SANS Institute website. Specifically, the SANS Information Security Policy Templates. There you will readily find many examples that you can customize and make your own.

What are you doing to make sure your security policy is not lame? Use the comments section to share what has worked for you.

Russell Eubanks

Saturday, July 18, 2015

The Value a “Fresh Set Of Eyes” (FSOE)

I recently posted the below on the SANS Internet Storm Center.

Ever notice that being close to a particular problem has an inherent disadvantage? Often working on a problem for a long time, combined with being very close to the problem, leads to a less than holistic perspective. You think about the problem as you go to bed at night and again when you wake up in the morning, but you find yourself stuck and need a dose of fresh thinking. I have found a strategy to account for this “syndrome” and want to share what works and also learn from your experience as well.

As a new team member, we are conditioned to sit back, open our ears and close our mouths in order to understand the current environment. Often times questioning things, with a healthy dose of respect for the work that has already occurred, can be quite beneficial to the team. Brutal honesty and crystal clarity are needed during this exercise. As mentioned in The Best Medicine for Your Business: A Fresh Set of Eyes, “Odds are, an easy solution will be staring you in the face, but you just can’t see it”.

Every time I have been the “new guy” on a project, team or organization I have been uniquely qualified to provide a fresh perspective. I was not burdened with the baggage or the bias of how it had always been done and often was able to bring some clarity to problems that had existed for a very long time. Another approach I found effective is to ask others who are not on the team to review the project status report and share with you their unfiltered impressions. Can they arrive at the intended conclusion without a lengthy briefing? A great question to seek the answer to is - How much ramp-up time do they need in order to understand your message and make a decision? Armed with a “new guy or gal”, your team may find they are surprisingly equipped to get past a current challenge and move on to a higher priority problem, such as delivering effective security metrics or making your security dashboard add business value.

What is an example of a time that you were able to offer a fresh set of eyes? Use the comments area below to share what works. 

Saturday, May 30, 2015

Weekend Learning - Spoofer Project

I recently posted the below on the SANS Internet Storm Center.

Happy weekend, everyone. Often times there is extra margin on the weekends to learn something new. This weekend I encourage you to consider learning more about the Spoofer project, as recommended by a fellow ISC Handler. With the recent announcement that the Spoofer project is funded and has clients for multiple operating systems, I encourage you to put this project on your weekend “to-do list”.
As a visual learner, I found their summary report listing the current state of source address spoofing compelling. As we all strive to improve our Cyber Security posture, efforts like the Spoofer project play a role in improving our “Cyber Hygiene”.

Friday, May 29, 2015

Trust But Verify

I recently posted the below on the SANS Internet Storm Center.

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you have the requirement to be in compliance with PCI, you are in luck! You could easily create a table that pairs one of the 12 categories with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.
I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table; it just forced me to be intentional each and every month. Using this approach, unexpected “compliance drift” can be identified and remediated on a much more timely basis. This approach can be used inside several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.
Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
Russell Eubanks

Saturday, March 21, 2015

Have you seen my personal information? It has been lost. Again.

I recently posted the below on the SANS Internet Storm Center.

Remember when milk cartons had pictures of lost children on them? I think of those cartons every time I get a notice that my personal information “may have been impacted” as a result of a data breach. As you might imagine, I recently received one of these letters from an organization that needs my personal information in order to provide me with a valuable service.

These notification letters make me consider the risk of becoming numb to the impact of receiving so many of them. Will we eventually achieve perpetual “Identity Protection Services” elite status that continually monitors for misuse of our sensitive information for the rest of our lives? I wonder if the value of this service has the potential to become a little bit diluted with each and every notice we receive. Is it possible that we will soon treat these notices like a replacement credit card that arrives in our mailboxes?

What are you doing to reduce your risk after receiving a data breach notification letter in the mail?

Wednesday, February 25, 2015

Leave Things Better Than When You Found Them

I recently posted the below on the SANS Internet Storm Center site.

Whether at the end of a project or at the end of your time with an organization, there are some low impact and high reward actions you can take to ensure that you leave things better than when you found them. Although it is not without risk for us as security professionals, if you have the opportunity it is ideal to spend time training your successor before you leave. Through a few intentional actions you can leave a legacy that can serve to inspire others to not only sustain but to actually improve operations.
This topic is particularly close to me now because I have recently started a new position. I had the opportunity to share my experience with others and found it to be rewarding and also a little uncomfortable for me and for the person who was assuming my duties. I found myself personally and professionally vested in the success of the program while recognizing that it was time for me to let go. There are of course certain circumstances that will prevent this sharing from happening. Sometimes policies will dictate that when someone resigns, the team members are escorted from the premises right away.
Even if you are not making your next career move, maybe you are transitioning from a project and can use this time to help others. The following are some suggestions on what you can provide to your successor:
  • Operational guides
  • Original installation media
  • Configuration checklists
  • Installation guides along with clear documentation of any deviations from the vendor instructions
  • Lessons learned of things that must be done along with those that must *never* be done
  • Key contacts and resources to support sustaining the project, such as administrators, change control tickets and project documentation
Even if you are not on the way out, I recommend that you "begin with the end in mind" today. Start by setting a monthly reminder on your work calendar to update and maintain your project or program documentation. You may very well recognize that the person this helps the most is you!
Use the comments section to share what you are doing to leave things better than when you found them.

Sunday, January 4, 2015

Get Wisdom as Cheaply as You Can

Happy New Year!

I recently posted the below on the SANS Internet Storm Center site.

A long time ago I was given advice from a non-security professional that is among the best and most influential I have received in my security career - "Get wisdom as cheaply as you can”. I was encouraged to learn from the mistakes of others as a means to avoid the full pain of what they were forced to experience.

There are so many places where you can get your lessons learned without having to suffer through an outage or a security incident. You can learn from news articles or breach disclosure reports such as the Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/) and Mandiant M-Trends (https://www.mandiant.com/resources/mandiant-reports/). Create case studies based on these sources that your incident response team can use to conduct tabletop exercises. This preparation exercise will help you determine if your prevention and detection capabilities would be effective if faced with these scenarios.

To get you started, here is an example when I failed. I thought it would be a good idea to scan a special internal network segment unannounced with unauthorized equipment. This caused a full and unplanned incident response. I discovered what happened and quickly notified the team of what I did and how sorry I was for causing this incident. Most everyone was gracious and everyone was relieved this was not a real incident. I have not forgotten this lesson and have since put checks in place to make sure it does not happen that way ever again. In addition to learning to only use authorized scanning equipment, I learned the importance of notifying all impacted system and application owners before performing any scans.

Learn from the misfortunes of others. By getting wisdom as cheaply as you can, you are given the opportunity to not have to learn the “hard way”. What lessons have you learned and how have you applied them?