Showing posts with label Operational Security. Show all posts

Friday, September 22, 2017

What is the State of Your Union?

What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.

By being intentional at sharing the state of your security union, you can not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.  

What should you consider including?
* Effectiveness of your program
* Opportunities to improve your program
* Recent achievements
* Stewardship of your resources
* How your team supported the objectives of your organization
* Actions you want others to take
* A clear call to action for leaders to increase support, funding and staffing
* An opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below.

Russell Eubanks

Tuesday, March 14, 2017

What's On Your Not To Do List?

I recently posted the below on the SANS Internet Storm Center.

In our craft, there are more than ample opportunities to occupy our time. There are so many things you CAN do. How can you ensure focus on the things that actually make the biggest impact? I suggest that oftentimes you take on more work than you are able to complete. Many times there is so much work to do that nothing ever seems to get completed.

I readily remember several cases where a combination of my ambition, auditors and loss of key team members facilitated this behavior in me. One in particular was a very important compliance project deadline that had no tolerance for schedule slippage. The internal auditors wanted to review the project in detail ahead of the external auditors coming to inspect the project. All while the solution was still being deployed. Lots of stress and long hours are my biggest memories of this project. While important at the time, looking back now I struggle to remember many of those details. What I do remember are the other projects that suffered neglect during this heroic effort.

Risk assessments inform you of clear and present problems. Project deadlines are looming and start to pile up. Demands from your leaders come in unexpected waves. What is a strategy to position you for success? Consider writing down your projects. On paper. Start to document their priority and their deadlines along with the stakeholder expectations. Regularly and diligently track your progress and communicate it clearly up, down and horizontally to your peers, focusing on the opportunity cost of what is being neglected.

Many times this extra clarity will help in terms of someone deciding for you that the project that seems so important right now should go on your "not to do" list instead. I am a BIG fan of the not to do list as it helps clearly communicate opportunity cost in terms of risk to the most important projects and initiatives. The clarity that comes from this exercise is worth far more than the effort to put it all together.

What ONE thing will you choose to focus on when you return to work on Monday morning? What TWO things best belong on your "not to do" list? Whether you enter them in our comments section below or keep them to yourself, consider adopting this approach while on your Monday morning commute to work.

Russell Eubanks

Thursday, June 23, 2016

An Approach to Vulnerability Management

I recently posted the below on the SANS Internet Storm Center.

No need to do anything more to make your auditor happy than to purchase the most popular scanning tool

No need to worry, when the scan is over and the report has been produced - you are all done

No need to ever leave your cube and speak directly with your system administrators

No need to ever test the scanner on a non-production network in advance

No need to worry, a clean scan means you are both compliant and secure

No need to ever leave your cube and speak directly with your application developers

No need to ever let anyone know when your scan starts, after all an attacker is not going to do that so why should you

No need to worry, if something becomes unavailable during a scan it is totally not your problem

No need to show good stewardship after the purchase by producing metrics such as the percentage of all findings that have actually been fixed

No need to seek data that demonstrates your scanner could serve as a platform to improve your security posture

No need to keep your boss informed of your progress, s/he would not understand

No need to divert any of your time from finding things to fixing things

No need to ever think that your scanning tool is ever anything but spot-on accurate

No need to hold back, it would be great if you shared your Vulnerability Management "best practices" in our comments section below

Russell Eubanks

Saturday, May 28, 2016

Applied Lessons Learned

I recently posted the below on the SANS Internet Storm Center.

What were those tough lessons learned that you will never forget and, more importantly, vowed never to repeat? This applies especially to those of you who have been in information security for many years and perhaps served on several different teams. Consider yourself encouraged to remember those "from now on I will Always and I will Never again" lessons that were learned at your $OldJob.

I remember all too well when I decided to perform a network scan from a new laptop. I was so eager to use the new equipment that I failed to record the MAC and IP address of this shiny new device. I tested it out and everything seemed to be great - until the next morning when an enormous amount of scan traffic was detected inside a sensitive network. Our teams went into full incident response mode in an effort to determine what happened. After learning "who did it", the team was gracious in its response to me and none of us made that mistake again.

To get you motivated for action, the following are a few ideas to consider.

1 - Never settle for "we have always done it that way". Assume nothing by asking lots of questions, such as "When was the last time we compared the GPO to the written security policy?"

2 - Share regularly within your trusted communities in a way that does not put your organization at risk, but demonstrates you are still learning and remain willing to contribute. Don’t think that you need to share all of the gory details to make a difference with this approach. In fact, you will be much better off by leaving those out entirely. 

3 - Behave like the Fresh New Guy/Gal (FNG) regularly, especially if it has been a very long time since you have served in that role.

By leaning into this approach, you can not only get wisdom as cheaply as you can but also help make our world a better place. What lessons are you actively trying to avoid learning over and over again?

Russell Eubanks

Saturday, December 12, 2015

What Signs Are You Missing?

I recently posted the below on the SANS Internet Storm Center.

While recently listening to a presentation, I found my attention drawn to a metal water container at the center of the conference room table. Condensation was all around it and without ever having to interact with the container, I found there were many properties that were easily observable to everyone nearby.

  • The container had not been used for hours

  • The liquid in the container was colder than the room temperature

  • The amount of liquid in the container could be observed from a distance

In a very unexpected and non-technical way, this container caused me to think about the effectiveness of information security controls. What follows are several non-traditional ideas that can help security professionals know when a change in status has occurred. These approaches, when employed, increase confidence in what are often very technical capabilities.

  • Log file status - How long would it take to determine logs from a critical system are no longer being generated and sent to the syslog server? 

  • Baselines - How long would it take to recognize there was “configuration drift” on critical systems? 

  • Log file size - What is the average daily size of security logs on critical systems? 

  • Clipping levels - How long would it take to recognize that too much or too little of something very important has occurred? An example is looking at the number of transactions an employee performed during a day, which helps answer whether they showed up to work and how their activity compared against others who perform the same job.

Without having to look at detailed technical information, there are signs that, when not missed, indicate something has changed. These signs help a security professional know when security controls are no longer functioning as intended. Intentionally focusing on items like these, which are often above and beyond a required compliance checkbox, provides assurance that security controls remain effective, often at very little to no cost.
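The four signs above reduce to small checks that can run every morning before anyone looks at a single raw log line. The script below is an added example and is not part of the original post; the host names, sshd settings, per-user transaction counts and thresholds (a one-hour silence window, a 50% collapse or 2x spike against a seven-day mean, the same band around the median for clipping levels) are all constructed assumptions, not data from any real environment.

```python
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample (not real logs): when the syslog collector last heard from each host.
NOW = datetime(2015, 12, 12, 9, 0)
MAX_GAP = timedelta(hours=1)           # assumed tolerance before a source counts as silent
EXPECTED_HOSTS = {"web01", "db01", "fw01", "bastion"}
ARRIVALS = [
    (datetime(2015, 12, 11, 20, 0), "fw01"),
    (datetime(2015, 12, 12, 8, 30), "db01"),
    (datetime(2015, 12, 12, 8, 58), "web01"),
    (datetime(2015, 12, 12, 8, 59), "web01"),
]

# Constructed: security-log message counts per host, seven baseline days followed by today.
DAILY_COUNTS = {
    "web01": [1000, 1100, 950, 1050, 1000, 980, 1020, 1010],
    "db01":  [500, 520, 510, 490, 505, 495, 500, 60],
    "vpn01": [200, 210, 190, 205, 195, 200, 200, 900],
}

# Constructed: the approved sshd settings versus what is on the box right now.
SSHD_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": "22"}
SSHD_CURRENT = {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": "22",
                "X11Forwarding": "yes"}

# Constructed: transactions per clerk yesterday, all in the same job role.
TRANSACTIONS = {"alice": 48, "bob": 52, "carol": 0, "dave": 47, "eve": 310}


def silent_sources(arrivals, expected_hosts, now, max_gap):
    """Log file status: expected hosts that sent nothing within max_gap (or never at all)."""
    last_seen = {}
    for ts, host in arrivals:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)


def volume_outliers(daily_counts, low=0.5, high=2.0):
    """Log file size: today's count against the mean of the preceding days, per host.

    Returns {host: (verdict, today, baseline_mean)} for hosts outside [low*mean, high*mean].
    A collapse usually means logging broke or was switched off; a spike means something happened.
    """
    findings = {}
    for host, counts in daily_counts.items():
        *baseline, today = counts
        base = mean(baseline)
        if today < low * base:
            findings[host] = ("low", today, base)
        elif today > high * base:
            findings[host] = ("high", today, base)
    return findings


def config_drift(baseline, current):
    """Baselines: every key whose value changed, appeared or disappeared since the baseline."""
    return {key: (baseline.get(key), current.get(key))
            for key in baseline.keys() | current.keys()
            if baseline.get(key) != current.get(key)}


def clipping_level_outliers(per_user_counts, low=0.5, high=2.0):
    """Clipping levels: users whose activity sits far below or above the median of their peers."""
    mid = median(per_user_counts.values())
    return sorted((user, n, "low" if n < low * mid else "high")
                  for user, n in per_user_counts.items()
                  if n < low * mid or n > high * mid)


if __name__ == "__main__":
    print("silent log sources:", silent_sources(ARRIVALS, EXPECTED_HOSTS, NOW, MAX_GAP))
    print("log volume outliers:", volume_outliers(DAILY_COUNTS))
    print("sshd drift:", config_drift(SSHD_BASELINE, SSHD_CURRENT))
    print("clipping-level outliers:", clipping_level_outliers(TRANSACTIONS))
```

With the sample data, fw01 and bastion show up as silent, db01's log volume has collapsed while vpn01's has spiked, PermitRootLogin has drifted from the baseline (and X11Forwarding appeared), and carol and eve fall outside the band of their peers. None of these checks needs a SIEM; a cron job that feeds yesterday's counts into them is enough to notice the change the morning after it happens.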

In what unexpected places have you found signs that you had previously missed? Please use the comments area to share what worked for you! 

Saturday, October 17, 2015

CIS Critical Security Controls - Version 6.0

I recently posted the below on the SANS Internet Storm Center.

Right in the middle of Cyber Security Awareness Month (CSAM), the Center for Internet Security (CIS) released Version 6.0 of the CIS Critical Security Controls for Effective Cyber Defense. This update incorporates significant changes that represent the latest technologies and threats faced by information security professionals. The most notable changes to the CIS Critical Security Controls are listed below and discussed at length in the archived webcast.

  • A new Control for Email and Web Browser Protections
  • Deletion of the Control on Secure Network Engineering
  • Reordering of the Controls to make Controlled Use of Administration Privileges higher in priority

I believe this update positions the CIS Critical Security Controls to remain both an actionable and relevant framework to build and sustain an effective cyber security program. Implementing them has been the catalyst to many organizations demonstrably increasing their cyber security posture. With intentional planning and focus, you can too. The following are several steps you can take right now to start or continue on your journey.

What will you do differently at your organization as a result of this update? Use the comments field to share your feedback!

Russell Eubanks

Saturday, May 30, 2015

Weekend Learning - Spoofer Project

I recently posted the below on the SANS Internet Storm Center.

Happy weekend, everyone. Oftentimes there is extra margin on the weekends to learn something new. This weekend I encourage you to consider learning more about the Spoofer project, as recommended by a fellow ISC Handler. With the recent announcement that the Spoofer project is funded and has clients for multiple operating systems, I encourage you to put this project on your weekend "to do list".
As a visual learner, I found their summary report listing the current state of source address spoofing compelling. As we all strive to improve our Cyber Security posture, efforts like the Spoofer project play a role in improving our "Cyber Hygiene".

Friday, May 29, 2015

Trust But Verify

I recently posted the below on the SANS Internet Storm Center.

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you are required to comply with PCI, you are in luck! You could easily create a table that pairs one of the 12 requirements with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.
I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table, it just forced me to be intentional each and every month. Using this approach, unexpected “compliance drift” can be identified and remediated on a much more timely basis. This approach can be used inside several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.
Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
Russell Eubanks

Saturday, March 21, 2015

Have you seen my personal information? It has been lost. Again.

I recently posted the below on the SANS Internet Storm Center.

Remember when milk cartons had pictures of lost children on them? I think of those cartons every time I get a notice that my personal information “may have been impacted” as a result of a data breach. As you might imagine, I recently received one of these letters from an organization that needs my personal information in order to provide me with a valuable service.

These notification letters make me consider the risk of becoming numb to the impact of receiving so many of them. Will we eventually achieve perpetual "Identity Protection Services" elite status that continually monitors for misuse of our sensitive information for the rest of our lives? I wonder if the value of this service has the potential to become a little bit diluted with each and every notice we receive. Is it possible that we will soon treat these notices like a replacement credit card that arrives in our mailboxes?

What are you doing to reduce your risk after receiving a data breach notification letter in the mail?

Wednesday, February 25, 2015

Leave Things Better Than When You Found Them

I recently posted the below on the SANS Internet Storm Center site.

Whether at the end of a project or at the end of your time with an organization, there are some low impact and high reward actions you can take to ensure that you leave things better than when you found them. Although it is not without risk for us as security professionals, if you have the opportunity it is ideal to spend time training your successor before you leave. Through a few intentional actions you can leave a legacy that can serve to inspire others to not only sustain but to actually improve operations.
This topic is particularly close to me now because I have recently started a new position. I had the opportunity to share my experience with others and found it to be rewarding and also a little uncomfortable for me and for the person who was assuming my duties. I found myself personally and professionally vested in the success of the program while recognizing that it was time for me to let go. There are of course certain circumstances that will prevent this sharing from happening. Sometimes policies will dictate that when someone resigns, the team members are escorted from the premises right away.
Even if you are not making your next career move, maybe you are transitioning from a project and can use this time to help others. The following are some suggestions on what you can provide to your successor:
  • Operational guides
  • Original installation media
  • Configuration checklists
  • Installation guides along with clear documentation of any deviations from the vendor instructions
  • Lessons learned of things that must be done along with those that must *never* be done
  • Key contacts to support sustaining the project such as administrators, change control tickets and project documentation
Even if you are not on the way out, I recommend that you "begin with the end in mind" today. Start by setting a monthly reminder on your work calendar to update and maintain your project or program documentation. You may very well recognize that the person this helps the most is you!
Use the comments section to share what are you doing to leave things better than when you found them.

Sunday, January 4, 2015

Get Wisdom as Cheaply as You Can

Happy New Year!

I recently posted the below on the SANS Internet Storm Center site.

A long time ago I was given advice from a non-security professional that is among the best and most influential I have received in my security career - "Get wisdom as cheaply as you can". I was encouraged to learn from the mistakes of others as a means to avoid the full pain of what they were forced to experience.

There are so many places where you can get your lessons learned without having to suffer through an outage or a security incident. You can learn from news articles or breach disclosure reports such as the Verizon Data Breach Investigations Report and Mandiant M-Trends. Create case studies based on these sources that your incident response team can use to conduct tabletop exercises. This preparation exercise will help you determine if your prevention and detection capabilities would be effective if faced with these scenarios.

To get you started, here is an example when I failed. I thought it would be a good idea to scan a special internal network segment unannounced with unauthorized equipment. This caused a full and unplanned incident response. I discovered what happened and quickly notified the team of what I did and how sorry I was for causing this incident. Most everyone was gracious and everyone was relieved this was not a real incident. I have not forgotten this lesson and have since put checks in place to make sure it does not happen that way ever again. In addition to learning to only use authorized scanning equipment, I learned the importance of notifying all impacted system and application owners before performing any scans.

Learn from the misfortunes of others. By getting wisdom as cheaply as you can, you are given the opportunity to not have to learn the “hard way”. What lessons have you learned and how have you applied them? 

Saturday, November 8, 2014

Do you remember your "first love"?

I recently published the below post on the SANS Internet Storm Center site.

I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything. 
I have administered many servers since Rachel, but do not remember as much about them as I do about my "first love". Consider this an invitation to fall back in love with your servers. An invitation to return back to the time when you did everything possible to defend them. It may be possible that by returning to the diligence you once had, many problems and outages could be avoided.
How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return back to your "first love". Consider creating and sending yourself a daily report that clearly shows their current security posture. What are good candidates for this report? Some of my favorites include the below.

  • Mean time to detect a network scan
  • Mean time to identify a new administrator account
  • Mean time to identify a new service running (or not running anymore)
  • Ask psexec to list all executables on a Windows system and send the output to a file using

                 @echo off
                 rem dir is a cmd built-in, so psexec has to launch cmd to run it; the redirect happens locally
                 psexec cmd /c dir /s /b C:\*.exe > %computername%_ExeFound.txt

  • Ask WMIC to tell you the patches that are installed using the command:
                 rem lists installed hotfixes (Quick Fix Engineering); Get-HotFix is the PowerShell equivalent
                 wmic qfe > patches.txt
  • Use the Security log to search for successful (and unsuccessful) logons for administrative and service accounts
  • Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume
  • Count the number of Remote Desktop sessions in a "normal" day
  • Look for the events generated when the Security log is cleared

There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did!  
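Most of the list above can be produced by one script that runs under Task Scheduler and e-mails you the result. The script below is an added example and is not from the original post: it assumes it runs locally as an administrator, that logon, account-management and service-install auditing is enabled, and that the watched account names and the output directory are placeholders you replace with your own. It does not cover the mean-time-to-detect items, which need a network-side measurement.

```powershell
# Added example (not from the original post): daily server-posture report for the local host.
# Assumes: run as local administrator; Security auditing enabled for logon and account management.
$Since     = (Get-Date).AddDays(-1)
$Watched   = @('Administrator', 'svc_backup', 'svc_sql')   # assumed admin/service accounts to watch
$ReportDir = 'C:\Reports'                                   # assumed output location
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

function Get-EventField {
    # Read a named EventData field from the event XML instead of trusting Properties[] positions
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-Events {
    param([string]$Log, [int[]]$Id, [datetime]$Start)
    # Get-WinEvent throws instead of returning nothing when no event matches; treat that as zero
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $Start } -ErrorAction SilentlyContinue
}

$logons   = Get-Events -Log 'Security' -Id 4624 -Start $Since
$failures = Get-Events -Log 'Security' -Id 4625 -Start $Since
$secLog   = Get-WinEvent -ListLog Security

$report = [ordered]@{
    Host                  = $env:COMPUTERNAME
    Date                  = (Get-Date).ToString('yyyy-MM-dd')
    # successful / failed logons for the accounts you care about
    WatchedLogonSuccess   = @($logons   | Where-Object { (Get-EventField $_ 'TargetUserName') -in $Watched }).Count
    WatchedLogonFailure   = @($failures | Where-Object { (Get-EventField $_ 'TargetUserName') -in $Watched }).Count
    # logon type 10 = RemoteInteractive (RDP); compare against what a "normal" day looks like
    RdpSessions           = @($logons   | Where-Object { (Get-EventField $_ 'LogonType') -eq '10' }).Count
    # 4720 = user account created; 4732 = member added to a local group, filtered to Administrators
    NewAccounts           = @(Get-Events -Log 'Security' -Id 4720 -Start $Since |
                              ForEach-Object { Get-EventField $_ 'TargetUserName' })
    AddedToAdministrators = @(Get-Events -Log 'Security' -Id 4732 -Start $Since |
                              Where-Object { (Get-EventField $_ 'TargetUserName') -eq 'Administrators' } |
                              ForEach-Object { Get-EventField $_ 'MemberName' })
    # 7045 in the System log = a new service was installed (or is no longer the one you expected)
    NewServices           = @(Get-Events -Log 'System' -Id 7045 -Start $Since |
                              ForEach-Object { Get-EventField $_ 'ServiceName' })
    # 1102 = the Security log was cleared; any non-zero count deserves a phone call
    SecurityLogCleared    = @(Get-Events -Log 'Security' -Id 1102 -Start $Since).Count
    # today's size and record count; one row per day in the CSV gives the 7-day volume trend
    SecurityLogBytes      = $secLog.FileSize
    SecurityLogRecords    = $secLog.RecordCount
    # installed hotfixes, the supported replacement for "wmic qfe"
    HotfixCount           = @(Get-HotFix).Count
}

# scalar columns go to a CSV you can trend; the full report goes to the text file you mail yourself
$csv = Join-Path $ReportDir "$($env:COMPUTERNAME)_posture.csv"
[pscustomobject]$report |
    Select-Object Host, Date, WatchedLogonSuccess, WatchedLogonFailure, RdpSessions,
                  SecurityLogCleared, SecurityLogBytes, SecurityLogRecords, HotfixCount |
    Export-Csv -Path $csv -Append -NoTypeInformation
$report.GetEnumerator() |
    ForEach-Object { '{0,-22} {1}' -f $_.Key, ($_.Value -join ', ') } |
    Set-Content -Path (Join-Path $ReportDir "$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd).txt")
```

The field names are read out of each event's XML rather than by Properties index, so the script keeps working when an event's layout differs between Windows versions. The CSV is what turns a single day's numbers into the trend the post asks for: a sudden drop in SecurityLogRecords or a jump in RdpSessions is visible after a week without any further tooling.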

Wednesday, June 4, 2014

Community SANS in Fort Lauderdale

Consider joining me for the next Community SANS event in Fort Lauderdale on July 28 - August 2, 2014. I will be teaching the SANS Security Essentials Bootcamp Style course. This popular course is appropriate both for people new to security as well as those who have been in security for years. This was the first SANS course I attended after I was in security for over three years. I remember how much I learned in this class as a student back then and look forward to sharing my passion for this course with you.


It seems wherever you turn organizations are being broken into, and the fundamental question that everyone wants answered is why. Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep your organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation, but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave this training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.



What: Community SANS Fort Lauderdale 2014

When:  July 28 - August 2, 2014

Nova Southeastern University
3301 College Avenue
De Santis Building, 4th Floor 
Fort Lauderdale, FL 33314


The Community SANS format offers the most popular SANS courses in your local community at a reduced tuition fee. And as with all SANS courses, the earlier you register, the more your fee is reduced. SANS promises that you will be able to use what you learn in the classroom as soon as you return to the office.

Register today to join me in Fort Lauderdale by visiting


Let me know if you need any additional information about this course! 

Sunday, November 10, 2013

Cloud Computing Atlanta

I am looking forward to speaking at the Cloud Computing Atlanta event on Tuesday November 12. This meeting will be held at the Advanced Technology Development Center (ATDC) at Georgia Tech and is open to the public. I will be speaking about the 20 Critical Security Controls and how they can be applied in a cloud hosting environment.

Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. Most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. Learn how to implement a proven continuous monitoring capability that has been used to drastically improve the security of many small and large organizations.

Wednesday, October 9, 2013

Security BSides DC

I am thrilled to be a speaker at the upcoming Security BSides DC. The lineup for this 2 day event is outstanding. I look forward to speaking on the 20 Security Controls and specifically how they can be used to improve the security of your network.

Saturday, August 31, 2013

How to get sufficient funding for your security program (without having a major incident) - Repost

I recently had another guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to secure sufficient funding for your security program in advance of your next security incident.


Saturday, June 22, 2013

Augusta ISSA Chapter Meeting

Next week I have the privilege to speak at the Augusta ISSA chapter meeting on June 25th. I will talk about the 20 Security Controls and how they can be implemented in any organization.

This presentation will introduce the 20 Security Controls and provide real examples of how they can be implemented by leveraging existing tools and capabilities. Attendees will be equipped to implement the 20 Security Controls in their own environments. The focus of the presentation will be on initiating a continuous monitoring program based on this framework to detect attacks and closely monitor the security of any network.

The meeting will be held at Georgia Regents University (formerly known as Augusta State) in Room UH-170 of University Hall on Tuesday, June 25th. The format for the meeting will be social/networking with free Pizza from 6:30-7:00PM followed by the presentation starting at 7:00PM. 

To register for the event, visit

Thursday, February 28, 2013

Are You Glad You Bought It?

Remember how you felt during your first meeting with the vendor of that shiny new thing? Do you remember all the possibilities? You could not capture the seemingly endless use cases fast enough. Surely this was the product you had long been looking for. All you had to do was write a business case to secure the needed funding. You knew deep inside that your enemies were already starting to tremble in fear at the thought of the shiny new thing running in your environment. Move along folks, you said, nothing to see here.

All that mockery aside, how well did your shiny new thing actually do everything the sales person claimed it would before you made the purchase? Can you honestly say you feel the same way after using it for a year? If not, what changed? 

Take a moment to look back on these questions as you approach a new vendor relationship.

  • Are you glad you bought the shiny new thing? Really?
  • Should the vendor get all of the blame for a failed experience? 
  • What role did your lack of understanding or lack of attention play?
  • What new requirements would you add based on your previous experiences?
  • What do you wish you knew back then? 
  • Would you recommend the shiny new thing to your closest friends? 
  • Would you make the same decision today?

Like most of us, I had a similar experience. One in particular was a rush to purchase products for compliance purposes and do so in very short order. Looking back, I should have slowed down a lot and not just looked for a quick win. I recommend staying focused on the "why" behind the purchase and over-communicating it to all possible stakeholders ahead of making the purchase. The last thing you want is to have one of your stakeholders asking basic questions during pivotal moments such as the change control board meeting where you are seeking approval to put your shiny thing into production.

Get to know the technical product manager ahead of the purchase. Make sure you can get along with them and more importantly that they know why you are a customer. I have found they are in a better position to know the roadmap better than the people in sales. Also call support and ask questions to which you already know answers. How do they treat you? That will be very important in the future.

It is far too easy to blame the vendor for a failed implementation. It is not as comfortable to ask what could YOU have done better during the evaluation of the shiny new thing. Take a moment now to reflect back on what worked and what did not work and more importantly why it did not. This will help make sure the next time is the best time and it exceeds your expectations. 

If you could go back in time, what additional questions would you ask and new conditions would you place based on what you have learned from past vendor experiences?

Monday, December 17, 2012

What if Tomorrow Was the Day? - Repost

I recently had my first guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to be better prepared for your next computer security incident.

Saturday, December 1, 2012

SANS Security 566 in Atlanta

I will be leading the SANS Security 566 Implementing and Auditing the Twenty Critical Security Controls - In-Depth course in Atlanta starting February 6, 2013. Mentor style.

A free preview of this course is available on the SANS website. The 20 Security Controls are also listed in detail on the SANS website.

I have personally used the materials from this course to develop and implement a continuous monitoring capability for several organizations. This course was inspired by the successful work by the US Department of State.

Atlanta Perimeter Hotel and Suites
formerly: W Atlanta Perimeter
111 Perimeter Center West
Atlanta, GA

Meeting Dates:
February 6, 2013 until April 10, 2013

6:30 PM - 8:30 PM

Mentor classes run for 10 weeks, one evening a week for two hours