Showing posts with label Security. Show all posts

Friday, September 22, 2017

What is the State of Your Union?

What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.

By being intentional at sharing the state of your security union, you can not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.  

What should you consider including?
* Effectiveness of your program
* Opportunities to improve your program
* Communicate recent achievements
* Demonstrate stewardship of your resources
* Show how your team supported objectives of your organization
* Possible actions that you want others to take
* Clear call to action to the leaders to increase support, funding, and staffing
* Opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below.

Russell Eubanks

Friday, April 28, 2017

KNOW before NO

I recently posted the below on the SANS Internet Storm Center.

A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police".

We can each recognize the value in introducing information security concepts early and often into software development projects. This approach saves every stakeholder a great deal of time and frustration, especially when compared with the opposite approach, in which the information security team learns at the very last minute about a new high-profile project that is about to launch without the proper level of information security engagement.

There are certainly projects and initiatives that may very well still warrant a "no" from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?

Please leave what works in the comments section below.

Russell Eubanks

Saturday, March 25, 2017

Distraction as a Service

I recently posted the below on the SANS Internet Storm Center.

Have you noticed that some security projects never seem to get finished? Despite the best of intentions, they often linger, sometimes for years. I believe that distractions play a role in security projects being delayed and ultimately never being completed. If not monitored closely, nothing will get moved from the "to do" list to the "this security project is finally done" list.

For me, it has always been natural to accept every new project that needs attention. I want to be helpful and perceived as a good team player and I bet you do as well. I found that it is easier to say yes to every request for help than to say no. I suspect that "why yes I do have a minute" and "of course I can help you with that problem” sound very familiar. I have found this behavior can also carry potential for a negative reputation as an information security professional when it impacts the delivery of security projects.

While it is normal to want to help, it is not always natural to remain focused immediately after a distraction occurs. I have determined to ask the question "what is the next action I can take right now?” immediately after a distraction. I found this behavior helpful to remain both mission focused and results oriented. With some intentional discipline and focus on the impact of distractions on security projects, the impact of unplanned distractions can be minimized.

It is impossible to enumerate all of the ways distractions can impact a security project. It is very possible to recognize them more quickly when they occur and to put measures in place that keep them from severely impacting productivity. Are distractions keeping you from closing out projects and ultimately preventing you from providing full value to your organization?

Please leave what works for you in the comments section below.

Russell Eubanks


Saturday, May 28, 2016

Applied Lessons Learned

I recently posted the below on the SANS Internet Storm Center.

What were those tough lessons learned that you will never forget and, more importantly, vowed never to repeat? This applies especially to those of you who have been in information security for many years and perhaps a member of several different teams. Consider yourself encouraged to remember those "from now on I will Always and I will Never again" lessons that were learned at your $OldJob.  

I remember all too well when I decided to perform a network scan from a new laptop. I was so eager to use the new equipment that I failed to record the MAC and IP address of this shiny new device. I tested it out and everything seemed to be great - until the next morning when an enormous amount of scan traffic was detected inside a sensitive network. Our teams went into full incident response mode in an effort to determine what happened. After learning "who did it", the team was gracious in its response to me and none of us made that mistake again. 

To get you motivated for action, the following are a few ideas to consider.

1 - Never settle for "we have always done it that way". Assume nothing by asking lots of questions, such as "When was the last time we compared the GPO to the written security policy?"

2 - Share regularly within your trusted communities in a way that does not put your organization at risk, but demonstrates you are still learning and remain willing to contribute. Don’t think that you need to share all of the gory details to make a difference with this approach. In fact, you will be much better off by leaving those out entirely. 

3 - Behave like the Fresh New Guy/Gal (FNG) regularly, especially if it has been a very long time since you served in that role.

By leaning into this approach, you can not only get wisdom as cheaply as you can but also help make our world a better place. What lessons are you actively trying to avoid learning over and over again?

Russell Eubanks

Sunday, October 18, 2015

Security Awareness for Security Professionals

I recently posted the below on the SANS Internet Storm Center.

During Cyber Security Awareness Month (CSAM), we develop campaigns for our coworkers that attempt to encourage them to stop clicking on links and reusing their passwords. These are good reminders for us as information security professionals even though we focus on these topics during the other 11 months of the year.

Is it possible that we too can improve our security awareness during this month? Can we as security professionals use this time to “sharpen our saw” and do things that can increase our awareness of our information security programs? 

One very non-technical event caused me to consider this topic. My son found his old bicycle in the garage recently and wanted to ride it in the neighborhood. As he was getting up to speed, he suddenly and unexpectedly realized the handlebars had become disconnected. He had a firm grip on what he needed to successfully control the bike, but the handlebars were no longer effectively controlling his navigation.

With that example in mind, how aware are you of the effectiveness of your information security program? What systems do you have in place to let you know when your security posture changes? What reminders and automation do you need to create that will increase your awareness before you blindly depend on your tools? With what is often only marginal effort, you can develop near real-time awareness capabilities that confirm the effectiveness of your information security program.  

Below are just a few examples where increased security awareness would be very helpful to you as an information security professional.

  •  Ensure the running configurations on your network equipment have not changed
  •  Ensure you know within a few minutes when a new administrative account is added
  •  Ensure you know within a few hours if a device stops sending logs to your syslog server
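Two of the three checks above, as an added example that is not part of the original post: a log-source silence check that flags every expected host that has stopped sending syslog within a threshold (and hosts that never appeared at all), and a running-config drift check that fingerprints a saved baseline against the copy pulled today and reports exactly which lines changed. The host names, timestamps, syslog lines and config text are all constructed for the example; the threshold and expected-host list are assumptions you would replace with your own.

```python
"""Added example (not code from the original post): two of the awareness
checks listed above, run over constructed sample data so it works offline.

1. Log-source silence: parse syslog-style lines, keep the newest timestamp
   per host, and flag every expected host that has been quiet too long.
2. Running-config drift: compare a saved baseline of a device config with
   the copy pulled today and report exactly which lines changed.

Host names, timestamps and the config text are all made up for the example.
"""
from datetime import datetime, timedelta
import difflib
import hashlib
import re

# Constructed sample, one "<ISO timestamp> <host> <message>" per line.
SAMPLE_SYSLOG = """\
2015-10-18T07:55:02 fw-edge-1 %ASA-6-302013: Built outbound TCP connection
2015-10-18T07:58:40 core-sw-1 %SYS-5-CONFIG_I: Configured from console by admin
2015-10-18T08:01:11 fw-edge-1 %ASA-6-302014: Teardown TCP connection
2015-10-18T09:12:45 dc-01 EventID 4624 An account was successfully logged on
2015-10-18T11:58:03 dc-01 EventID 4634 An account was logged off
this line is not syslog and is skipped
"""

# Every device that is supposed to report (assumed list). A host missing from
# the senders entirely matters as much as one that went quiet, so it is
# checked explicitly instead of being silently absent from the result.
EXPECTED_HOSTS = ("fw-edge-1", "core-sw-1", "dc-01", "web-03")

# Pretend the daily report runs at noon on the sample day.
REPORT_TIME = datetime(2015, 10, 18, 12, 0, 0)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def last_seen(syslog_text):
    """Return {host: newest timestamp} parsed from syslog-style text."""
    seen = {}
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # not a timestamped line; skip rather than crash the report
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(syslog_text, now, max_quiet=timedelta(hours=2),
                 expected=EXPECTED_HOSTS):
    """Hosts with no message within max_quiet of now.

    The value is how long the host has been silent, or None if it never logged.
    """
    seen = last_seen(syslog_text)
    quiet = {}
    for host in expected:
        if host not in seen:
            quiet[host] = None
        elif now - seen[host] > max_quiet:
            quiet[host] = now - seen[host]
    return quiet


# Constructed baseline and "current" running config for one switch.
BASELINE_CONFIG = """\
hostname core-sw-1
snmp-server community Xk7q2pLm RO
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname core-sw-1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""


def config_fingerprint(config_text):
    """SHA-256 of the config text; cheap to store and compare day to day."""
    return hashlib.sha256(config_text.encode()).hexdigest()


def config_drift(baseline, current):
    """Changed lines between baseline and current ('-' old, '+' new), or []."""
    if config_fingerprint(baseline) == config_fingerprint(current):
        return []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                "baseline", "current", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    for host, gap in silent_hosts(SAMPLE_SYSLOG, REPORT_TIME).items():
        print(f"QUIET {host}: {'never logged' if gap is None else gap}")
    for line in config_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        print("DRIFT", line)
```

Run daily, the silence check catches a device whose logging was turned off (or a syslog relay that died) within the threshold rather than weeks later, and the drift check turns "has the running config changed?" into a yes/no answer with the changed lines attached, which in the sample are a weakened SNMP community string and telnet re-enabled on the VTY lines.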

What are you personally doing to make sure that you as a security professional are most aware of the things that matter the most? Use the comments field to share what works!

Tuesday, December 9, 2014

Repost - Stop Admiring The Problem. Start Addressing The Problem.

I recently published the below post on the SANS Internet Storm Center site.

How much energy do you spend admiring your problems? It does not matter what the problem is - asset inventory, vulnerability management or security awareness. You do have problems. What are you doing to make your current problem less of a problem? Set your problems aside for just a minute and take a brief journey to explore how your problems can be viewed as an opportunity. 

I have been guilty of this behavior in the area of vulnerability management. I was so focused on making sure that everything was scanned on a regular basis that I failed to work with the system and application administrators to help them remediate the vulnerabilities the scanners had identified. A much better alternative to just scanning everything on your network is to scan for a brief amount of time and then stop. Stop long enough to fix some issues the scanner identified and then go back and confirm they really were fixed. It does not have to be complicated. Perhaps you can use a simple chart that shows what was found, what was corrected and what still needs to be corrected. 

Collecting a bunch of "High" rated vulnerabilities adds no value. Correcting "High" rated vulnerabilities adds tremendous value. Instead of throwing missing patches over the fence to your administrators, offer help to them in their time of need. Maybe there is a valid business reason the administrators are not responding as quickly as you would like. Maybe they need extra support from your security or compliance teams to make progress in this area. Maybe they could use your help to focus on a solution to this problem. 

Every person should take time to make undeniable progress on one of their security problems because of the positive impact it will make on the security posture of their organization. Make progress, even if it is just baby steps. Make a move in the right direction to become the change agent that is desperately needed. 

What can you do right now to be the catalyst for the positive change your organization so desperately needs? 

What can you do right now to stop admiring the problem?

Saturday, November 8, 2014

Do you remember your "first love"?

I recently published the below post on the SANS Internet Storm Center site.

I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything. 

I have administered many servers since Rachel, but I do not remember as much about them as I do about my "first love". Consider this an invitation to fall back in love with your servers, an invitation to return to the time when you did everything possible to defend them. By returning to the diligence you once had, many problems and outages could be avoided.

How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return to your "first love". Consider creating and sending yourself a daily report that clearly shows their current security posture. What are good candidates for this report? Some of my favorites are below.

  • Mean time to detect a network scan
  • Mean time to identify a new administrator account
  • Mean time to identify a new service running (or not running anymore)
  • Ask psexec to list all executables on a Windows system and send the output to a file. dir is built into cmd.exe rather than being a program of its own, so psexec has to launch cmd.exe to run it; /s walks the whole drive and /b keeps one path per line:

                 @echo off
                 rem dir is a cmd.exe built-in, so psexec must start cmd.exe to run it
                 psexec cmd /c "dir /s /b C:\*.exe" > %computername%_ExeFound.txt

  • Ask WMIC to tell you the patches that are installed using the command: 
                 wmic qfe > patches.txt 
  • Use the security log to search for Successful ( and unsuccessful ) logins for administrative and service accounts
  • Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume
  • Count the number of Remote Desktop sessions in a "normal" day
  • Look for the events generated when the Security log is cleared

There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did!  
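A daily report that covers several of the candidates above, as an added example that is not part of the original post: it walks a day of Windows Security event records and reports accounts added to an administrators group (and whether they were created the same day), any clearing of the Security log, the count of Remote Desktop sessions, success and failure logons for a watch list of administrative and service accounts, and whether today's log volume is far above or below the trailing seven-day mean. The event IDs and logon type are the real Windows ones; the event records, account names, watch list and daily counts are constructed for the example.

```python
"""Added example (not code from the original post): a daily security-posture
report built from Windows Security event records. The event IDs are the real
Windows ones (4720 user created, 4728/4732 member added to a global/local
group, 4624/4625 logon success/failure, logon type 10 = RemoteInteractive/RDP,
1102 audit log cleared); the accounts, timestamps and daily volumes are
constructed for the example.
"""
from statistics import mean

# Accounts whose every logon earns a line in the report (assumed watch list).
WATCHED_ACCOUNTS = ("administrator", "svc_backup", "svc_sql")
ADMIN_GROUPS = {"administrators", "domain admins"}
RDP_LOGON_TYPE = 10

# Constructed sample: one record per event, oldest first. "user" is the
# account the event is about; "subject" is who performed the action.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2014-11-08T01:12:03", "user": "svc_backup", "logon_type": 4},
    {"id": 4624, "time": "2014-11-08T08:03:10", "user": "jsmith", "logon_type": 10},
    {"id": 4625, "time": "2014-11-08T08:05:44", "user": "administrator", "logon_type": 3},
    {"id": 4625, "time": "2014-11-08T08:05:47", "user": "administrator", "logon_type": 3},
    {"id": 4720, "time": "2014-11-08T09:30:00", "user": "helpdesk2", "subject": "jsmith"},
    {"id": 4732, "time": "2014-11-08T09:30:05", "user": "helpdesk2",
     "group": "Administrators", "subject": "jsmith"},
    {"id": 4624, "time": "2014-11-08T10:15:22", "user": "rlee", "logon_type": 10},
    {"id": 4624, "time": "2014-11-08T13:40:09", "user": "administrator", "logon_type": 2},
    {"id": 1102, "time": "2014-11-08T13:41:30", "subject": "administrator"},
]

# Constructed trailing-week event counts and today's count for the volume check.
LAST_7_DAYS = [12000, 11500, 13000, 12500, 12200, 11800, 12100]
TODAY_COUNT = 30500


def new_admin_accounts(events):
    """Accounts added to an admin group, who added them, and whether the
    account was created the same day (a 4720 followed shortly by a 4732 is
    the classic 'brand new administrator' pattern)."""
    created = {e["user"].lower() for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group", "").lower() in ADMIN_GROUPS:
            hits.append({"account": e["user"], "group": e["group"],
                         "by": e.get("subject"), "time": e["time"],
                         "newly_created": e["user"].lower() in created})
    return hits


def log_cleared(events):
    """(time, who) for every 1102; this list should be empty on a normal day."""
    return [(e["time"], e.get("subject")) for e in events if e["id"] == 1102]


def rdp_session_count(events):
    """Successful RemoteInteractive logons, to compare against a 'normal' day."""
    return sum(1 for e in events
               if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE)


def watched_account_logons(events):
    """{account: {'success': n, 'failure': n}} for the watch list."""
    counts = {a: {"success": 0, "failure": 0} for a in WATCHED_ACCOUNTS}
    for e in events:
        acct = e.get("user", "").lower()
        if acct in counts and e["id"] in (4624, 4625):
            counts[acct]["success" if e["id"] == 4624 else "failure"] += 1
    return counts


def volume_anomaly(history, today, low=0.5, high=2.0):
    """'low', 'high' or None depending on today's count vs the trailing mean.
    A sudden drop is as interesting as a spike: it usually means logging broke."""
    ratio = today / mean(history)
    if ratio < low:
        return "low"
    if ratio > high:
        return "high"
    return None


def daily_report(events, history, today_count):
    """Assemble the report as a dict; format or e-mail it however you like."""
    return {
        "new_admins": new_admin_accounts(events),
        "log_cleared": log_cleared(events),
        "rdp_sessions": rdp_session_count(events),
        "watched_logons": watched_account_logons(events),
        "volume": volume_anomaly(history, today_count),
    }


if __name__ == "__main__":
    for key, value in daily_report(SAMPLE_EVENTS, LAST_7_DAYS, TODAY_COUNT).items():
        print(f"{key}: {value}")
```

On the sample day the report shows a new account (helpdesk2) created and placed in Administrators by jsmith five seconds later, two failed then one successful administrator logon followed by the Security log being cleared, two RDP sessions, and a log volume two and a half times the weekly mean. Each of those is the kind of item that is obvious on a one-page daily report and invisible in a log nobody reads.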

Saturday, June 22, 2013

Augusta ISSA Chapter Meeting

Next week I have the privilege to speak at the Augusta ISSA chapter meeting on June 25th. I will talk about the 20 Security Controls and how they can be implemented in any organization.

This presentation will introduce the 20 Security Controls and provide real examples of how they can be implemented by leveraging existing tools and capabilities. Attendees will be equipped to implement the 20 Security Controls in their own environments. The focus of the presentation will be on initiating a continuous monitoring program based on this framework to detect attacks and closely monitor the security of any network.

The meeting will be held at Georgia Regents University (formerly known as Augusta State) in Room UH-170 of University Hall on Tuesday, June 25th. The format for the meeting will be social/networking with free Pizza from 6:30-7:00PM followed by the presentation starting at 7:00PM. 

To register for the event, visit

Friday, May 24, 2013

Community SANS returns to Augusta

Consider joining me for the next Community SANS event in Augusta on July 16-21, 2013. I will be teaching the SANS Security Essentials Bootcamp Style course. This popular course is appropriate both for people new to security and for those who have been in security for years. This was the first SANS course I attended after I had been in security for over three years. I remember how much I learned in this class as a student back then and look forward to sharing my passion for this course with you.

It seems wherever you turn organizations are being broken into, and the fundamental question everyone wants answered is why. Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep your organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation, but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave this training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.



Community SANS Augusta 2013

When:    July 16-21, 2013
Where:   Augusta State University
         Health Science Building, Room EC2238
         987 St. Sebastian Way
         Augusta, GA 30912
         Phone: 706-737-1482
Tuition: Register by June 5, 2013 to save $850 on this class

ISSA members - use Discount Code "AugustaISSA13" for a 10% savings.

The Community SANS format offers the most popular SANS courses in your local community at a reduced tuition fee. And as with all SANS courses, the earlier you register, the more your fee is reduced. SANS promises that you will be able to use what you learn in the classroom as soon as you return to the office.

Register today to join me in Augusta by visiting

Let me know if you need any additional information about this course!

Thursday, February 28, 2013

Are You Glad You Bought It?

Remember how you felt during your first meeting with the vendor of that shiny new thing? Do you remember all the possibilities? You could not capture the seemingly endless use cases fast enough. Surely this was the product you had long been looking for. All you had to do was write a business case to secure the needed funding. You knew deep inside that your enemies were already starting to tremble in fear at the thought of the shiny new thing running in your environment. Move along folks, you said, nothing to see here.

All that mockery aside, how well did your shiny new thing actually do everything the sales person claimed it would before you made the purchase? Can you honestly say you feel the same way after using it for a year? If not, what changed? 

Take a moment to look back on these questions as you approach a new vendor relationship.

  • Are you glad you bought the shiny new thing? Really?
  • Should the vendor get all of the blame for a failed experience? 
  • What role did your lack of understanding or lack of attention play?
  • What new requirements would you add based on your previous experiences?
  • What do you wish you knew back then? 
  • Would you recommend the shiny new thing to your closest friends? 
  • Would you make the same decision today?

Like most of us, I have had a similar experience. One in particular was a rush to purchase products for compliance purposes, and to do so in very short order. Looking back, I should have slowed down a lot and not just looked for a quick win. I recommend staying focused on the "why" behind the purchase and over-communicating it to all possible stakeholders ahead of making the purchase. The last thing you want is to have one of your stakeholders asking basic questions during pivotal moments, such as the change control board meeting where you are seeking approval to put your shiny new thing into production.

Get to know the technical product manager ahead of the purchase. Make sure you can get along with them and more importantly that they know why you are a customer. I have found they are in a better position to know the roadmap better than the people in sales. Also call support and ask questions to which you already know answers. How do they treat you? That will be very important in the future.

It is far too easy to blame the vendor for a failed implementation. It is not as comfortable to ask what could YOU have done better during the evaluation of the shiny new thing. Take a moment now to reflect back on what worked and what did not work and more importantly why it did not. This will help make sure the next time is the best time and it exceeds your expectations. 

If you could go back in time, what additional questions would you ask and new conditions would you place based on what you have learned from past vendor experiences?

Wednesday, January 30, 2013

Getting Involved with the Local Community - Repost

I recently had my second guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to be more connected to your local security community.

Saturday, December 22, 2012

Scheduled Maintenance

I spent some time this week on car maintenance. My 1999 Honda Accord with 225,000 miles has never given me any trouble and I credit that to regular maintenance. To help make sure I reach my goal of 300,000 miles, I created regular reminders on my calendar to perform such tasks as changing the oil and rotating the tires.

A similar reminder can be used to make sure your home computer systems are running as they should. What can be on your calendar reminder? Consider using the Qualys Browser Check plugin each month to make sure each of your browsers and their associated plugins remain updated. Steps on how to use this tool can be found on the STI website

What are you doing regularly to keep your computers running smoothly?


Monday, December 17, 2012

What if Tomorrow Was the Day? - Repost

I recently had my first guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to be better prepared for your next computer security incident.

Saturday, December 1, 2012

SANS Security 566 in Atlanta

I will be leading the SANS Security 566 Implementing and Auditing the Twenty Critical Security Controls - In-Depth course in Atlanta starting February 6, 2013. Mentor style.

A free preview of this course is available on the SANS website, where the 20 Security Controls are also listed in detail.

I have personally used the materials from this course to develop and implement a continuous monitoring capability for several organizations. This course was inspired by the successful work of the US Department of State.

Atlanta Perimeter Hotel and Suites
formerly: W Atlanta Perimeter
111 Perimeter Center West
Atlanta, GA

Meeting Dates:
February 6, 2013 until April 10, 2013

6:30 PM - 8:30 PM

Mentor classes run for 10 weeks, one evening a week for two hours

Monday, June 18, 2012

Atlanta OWASP June Meeting - New Location

The Atlanta OWASP chapter will meet this Thursday night, June 21st at 6:00pm.

We are excited to announce that this meeting will occur at the Dell SecureWorks headquarters at One Concourse Pkwy, Suite 500, Atlanta, GA 30328.
Please use the following link to RSVP.  

This month we will welcome Rohit Sethi as our guest speaker. Rohit is a specialist in building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, Sec Tor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

Despite years of research on best practices to integrate security into the early phases of the SDLC, most organizations rely on static analysis, dynamic analysis, and penetration testing as their primary means of eliminating vulnerabilities. This approach leads to discovering vulnerabilities late in the development process, thereby either causing project delays or risk acceptance. Neither option is particularly appealing.

This talk is an open discussion about the presence, if any, of scalable, measurable approaches that work to build security into the SDLC. How Agile development affects their effectiveness will also be explored.

Points of discussion will include:
- Is static analysis sufficient?
- Developer awareness training
- Threat modeling / architecture analysis
- Secure requirements
- Considerations for procured applications

Thursday, December 22, 2011

SANS Security 401 in Atlanta

In one month SANS Security Essentials (Security 401) comes to Atlanta. Mentor style. SANS Mentor sessions meet at night for 2 hours for 10 weeks. This class will prepare you to earn the GIAC Security Essentials Certification or GSEC.

Mentor sessions bring SANS training to you and avoid all the costs of traveling and being away from work for an extended period of time. The classroom size is perfect for in-depth discussions and is appropriate for all skill levels. Students receive the same course books and materials, but cover the material at a pace that allows them to spend more time absorbing and applying it.

Everything in this Mentor session is backed with the SANS Promise - It will be "full of important and immediately useful techniques that you can put to work as soon as you return to your office".

Contact me if you have any questions or need additional information about this upcoming training. I can provide you with a 10% discount code as a final incentive to register for this course.

Thursday, December 1, 2011

SANS Mentor Special

The SANS Mentor program is offering a $200 Amazon Gift card with your paid registration for any course offered through the SANS Mentor Program. This is a nice opportunity to get a Kindle Fire for free. 

It is also an incentive to register for my upcoming Security 401 session in Atlanta.

Saturday, October 15, 2011

Find Your Sweet Spot

Version 3 of the SANS 20 Critical Security Controls incorporates the work of the Australian Defence Signals Directorate (DSD), whose 35 Mitigation Strategies were developed and prioritized to prevent targeted computer attacks. The top four, which DSD rates as essential, are known as the Sweet Spot. 

These are Patch Applications, Patch Operating Systems, Minimize the number of users with domain or local administrator privileges, and Application Whitelisting. These areas will be explored in detail and serve as a means to get wisdom as cheaply as you can.

Friday, October 7, 2011

Control 20: Security Skills Assessment and Training to Fill Gaps

Is your team well trained or does it lack fundamental and often the advanced skills needed to perform their jobs? Are there team members who are the only ones that know certain functions? What happens when they are not available for good reasons or bad ones? Several avenues for acquiring training are available.

Many large cities have some or all of the following security-focused groups that foster community and learning new concepts. Attend these meetings and become more involved in the security community.

•    OWASP
•    InfraGard
•    NAISG
•    Defcon
•    Security B-Sides

Do not dismiss the value of setting up a home lab from old equipment, or from virtual machines built from ISO distributions, to practice hacking and defending your home network. The skills acquired away from work are often the skills that make the biggest difference.