Showing posts with label cyber security.

Saturday, May 6, 2017

What Can You Learn On Your Own?


I recently posted the below on the SANS Internet Storm Center.

We are all privileged to work in the field of information security. We also carry the responsibility to keep current in our chosen profession. Regularly I hear from fellow colleagues who want to learn something, but do not have a training budget, feel powerless and sometimes give up. I would like to share several approaches that can be used to bridge this gap and will hopefully inspire a self-investment both this weekend and beyond. None of these ideas cost anything more than time.
 
I decided to borrow an idea from an informal mentor, something I generally give them credit for, but not always. I decided to wake up early each morning with the intent to learn something new every day. Maybe the something is a new tool, a new Linux distribution or taking an online class. Having done this now for the last 7 years, I can say without hesitation or regret that it has been pivotal in making me a better me. I am convinced that applying just a little bit of incremental effort will serve you well as well.

Ideas to get you started:
  • SANS Webcasts and in particular their Archive link
  • Serve as an informal mentor to a junior team member, while being open to learn from them
  • Volunteer to help out in a local information security group meeting
  • Read that book on your shelf that has a little more dust than you would like to admit
  • Subscribe to Adrian Crenshaw’s YouTube channel
  • Be intentional by creating a weekly appointment with your team in order to learn something new over a brown bag lunch
  • Foster an environment that facilitates a culture of learning

After considering this topic for a long time, I want to ask this question - What are you doing to invest in yourself, particularly in ways that do not cost anything but your time? Please leave what works for you in the comments section below.

Russell Eubanks

Tuesday, March 14, 2017

What's On Your Not To Do List?


I recently posted the below on the SANS Internet Storm Center.

In our craft, there are more than ample opportunities to occupy our time. There are so many things you CAN do. How can you ensure focus on the things that actually make the biggest impact? I suggest that often times you take on more work than what you are able to complete. Many times there is so much work to do that nothing ever seems to get completed. 


I readily remember several cases where a combination of my ambition, auditors and loss of key team members facilitated this behavior in me. One in particular was a very important compliance project deadline that had no tolerance for schedule slippage. The internal auditors wanted to review the project in detail ahead of the external auditors coming to inspect the project. All while the solution was still being deployed. Lots of stress and long hours are my biggest memories of this project. While important at the time, looking back now I struggle to remember many of those details. What I do remember are the other projects that suffered neglect during this heroic effort.

Risk assessments inform you of clear and present problems. Project deadlines are looming and start to pile up. Demands from your leaders come in unexpected waves. What is a strategy to position you for success? Consider writing down your projects. On paper. Start to document their priority and their deadlines along with the stakeholder expectations. Regularly and diligently track your progress and communicate it clearly up, down and horizontally to your peers, focusing on the opportunity cost of what is being neglected.

Many times this extra clarity will help in terms of someone deciding for you that the project that seems so important right now should go on your "not to do" list instead. I am a BIG fan of the not to do list as it helps clearly communicate opportunity cost in terms of risk to the most important projects and initiatives. The clarity that comes from this exercise is worth far more than the effort to put it all together.

What ONE thing will you choose to focus on when you return to work on Monday morning? What TWO things best belong on your "not to do" list? Whether you enter them in our comments section below or keep them to yourself, consider adopting this approach while on your Monday morning commute to work.

Russell Eubanks
@russelleubanks

Saturday, March 11, 2017

Unauthorized Change Detected!


I recently posted the below on the SANS Internet Storm Center.

How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider what changes you absolutely need to know about when they occur? When systems in your environment move from “normal" to "abnormal", would you even notice?

Occasionally I have a credit card transaction denied. The most common reason for this is being in a part of the country that is outside my normal travel and spending patterns. When that happens, the panic quickly subsides and I recognize that something in my baseline has changed.

How can pattern and trend analysis apply in monitoring and defending your networks? Consider developing a similar baseline to detect possible unauthorized changes. This practice may very well help you detect changes that do not follow the proper change control process and also give you deeper insight into the activities on your network. A practical step of creating a monthly calendar appointment named “What is missing from my baseline?” would help remind you to answer this question on a recurring basis. This will also help you develop a more meaningful relationship with your system administrators and application developers by asking them questions and learning more about these systems - both of which are highly encouraged.

To detect patterns and trends, consider developing a rolling 30, 60 or 90 day history in a few critical areas to show not only the current status, but also how it compares to recent activity over time. This insight will help identify patterns that exist beyond the point-in-time alerts that we regularly receive. Not every area requires this extended analysis, but in some cases showing a trend over time reveals patterns that would otherwise go unrecognized and unnoticed.

Consider the following for your baseline:
  • Administrative logins after normal business hours
  • Administrative logins outside of approved change windows
  • Badge access to your building after normal business hours
  • Systems that restart outside of approved change windows
  • Services that restart outside approved change windows

Please use the comments area to share what’s in your baseline!
Russell Eubanks
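One way to turn two of the baseline items above (administrative logins after business hours and outside an approved change window) into a repeatable check, as an added example that is not part of the original post. It is POSIX shell and awk over a few constructed authentication log lines; the log field layout, the admin account names, the 08:00-18:00 business hours and the change window are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): baseline checks over constructed
# login records. Each line is: ISO timestamp, user, event, host.
SAMPLE_LOG='2017-03-06T09:15:00,alice,login,web01
2017-03-06T02:40:00,root,login,db01
2017-03-06T13:05:00,bob,login,web02
2017-03-07T23:10:00,admin,login,web01
2017-03-11T23:30:00,root,login,db01
2017-03-08T10:00:00,root,login,db01'

# Assumed administrative accounts whose activity belongs in the baseline.
ADMIN_USERS='^(root|admin)$'

# Assumed business hours: 08:00 up to (not including) 18:00.
BUSINESS_START=8
BUSINESS_END=18

# Assumed approved change window (ISO timestamps compare correctly as strings).
CHANGE_WINDOW_START=2017-03-11T22:00:00
CHANGE_WINDOW_END=2017-03-12T02:00:00

# Print admin logins whose hour falls outside business hours.
after_hours_admin_logins() {
    awk -F, -v users="$ADMIN_USERS" -v start="$BUSINESS_START" -v end="$BUSINESS_END" '
        $3 == "login" && $2 ~ users {
            hour = substr($1, 12, 2) + 0      # HH from YYYY-MM-DDTHH:MM:SS
            if (hour < start || hour >= end) print
        }'
}

# Print admin logins that happened outside the approved change window.
admin_logins_outside_change_window() {
    awk -F, -v users="$ADMIN_USERS" -v ws="$CHANGE_WINDOW_START" -v we="$CHANGE_WINDOW_END" '
        $3 == "login" && $2 ~ users && ($1 < ws || $1 > we) { print }'
}

# Per-day login counts per admin account, the raw material for a rolling
# 30/60/90 day history; output is "date,user,count", sorted.
daily_admin_login_counts() {
    awk -F, -v users="$ADMIN_USERS" '
        $3 == "login" && $2 ~ users { c[substr($1, 1, 10) "," $2]++ }
        END { for (k in c) print k "," c[k] }' | sort
}

# Stand-alone run over the constructed log; the three reports are printed
# with a heading each. In practice the log would be piped in from the real
# authentication source instead.
if [ "${1:-}" = "report" ]; then
    echo "== admin logins after hours =="
    printf '%s\n' "$SAMPLE_LOG" | after_hours_admin_logins
    echo "== admin logins outside change window =="
    printf '%s\n' "$SAMPLE_LOG" | admin_logins_outside_change_window
    echo "== daily admin login counts =="
    printf '%s\n' "$SAMPLE_LOG" | daily_admin_login_counts
fi
```

Run it as `sh baseline.sh report`. Each report answers one "what is missing from my baseline?" question; keeping the daily counts in a file and re-running the script monthly gives the rolling history the post recommends, so a new after-hours login stands out against the previous weeks rather than as an isolated alert.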

Saturday, August 20, 2016

It Is Our Policy

I recently posted the below on the SANS Internet Storm Center.


How many times have you heard someone say out loud "our security policy requires..."? Many times we hear and are sometimes even threatened with "the security policy". Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons.

I regularly get the question, "How many security policies should I have”? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.  

One of the most important aspects of a security policy, just like the jar of mayonnaise in your refrigerator, is an Expiration Date. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed - consider a recurring calendar reminder.

Should your employees be expected to memorize all of your security policies, and is that even realistic for them? I hope not, for their sake. What if you redefine the win as each of your employees knowing where to find the policy when faced with a decision? A Central Location for security policies, versus being spread all over your company, is best and can serve as the set of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regularly faced with the decision of "is this allowed or not in the security policy”.

Finally, as you start to develop or even assess the quality of your security policy, there are several Key Stakeholders, often outside of the information security team, who can provide valuable feedback specific to their respective areas.
  • Human Resources - Because many times employee behavior is involved in an incident
  • Legal - Because many times employee behavior is involved in an incident
  • Privacy - Because sometimes personally identifiable information is involved in an incident
  • Information Security - Because threats against company systems and data are involved in an incident
  • Physical Security - Because sometimes an employee needs to be encouraged to leave as a part of an incident


Take a look at the SANS policy website and look for any topics that may be missing in your organization.

All that said, what two things can you do next week to improve your security policies? Let us know in the comments area!

Russell Eubanks

Saturday, August 1, 2015

Your Security Policy Is So Lame


I recently posted the below on the SANS Internet Storm Center.


Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well.

I personally avoided being the “policy guy” until the patience of my management had finally expired. It was truly the job that no one on the team wanted and it was my turn. My first step was pulling a security policy template book off the shelf. I remember that dust covered book very well. When working on the security policies, unexpectedly and out of nowhere it suddenly occurred to me - there is a great amount of influence when security policies are done properly. Sure, there are meetings with people who are not on your team, but working together is how anything meaningful gets done these days. I found that by working together with key business areas, security policies could be written so that more than just the auditor was interested in them.

The following are several tips and tricks you can use to make sure you move from "no good to great” security policies. 

  • Do not fail to add an expiration date to your security policies. Otherwise they get stinky, just like that jar of mayonnaise in your refrigerator. This will force you to both review and update them on a regular basis or risk being embarrassed because they are out of date.

  • Do not ask anyone to memorize your security policies. Why waste time memorizing a reference document? Spend your time doing something meaningful instead, such as reviewing ways to implement the 20 Security Controls in your company.

  • Do not use your security policy as an attempt to control small and often times personal issues. Instead, make sure your security policy addresses specific risk in your organization. Without a direct mapping to risk, it will be very easy to have too many security policies scattered all over the place.

  • Do not have too many security policies. I recommend you hold up both hands right now and wiggle your fingers as you consider how many security policies you might actually need. I’ll wait.

  • Will violation of your security policy eventually lead to the policy violator realizing their opportunity to violate security policy at a different company? It should - Otherwise your document is really a suggestion and not a policy.

  • Do you have your security policy stored in one single and easy to find location? It would be a shame to spend all that time and have no one ever read your security policies. Reminds me of that story about a tree that falls in the forest.

One of the very best security policy resources you will find is just a click away at the SANS Institute website. Specifically, the SANS Information Security Policy Templates. There you will readily find many examples that you can customize and make your own.

What are you doing to make sure your security policy is not lame? Use the comments section to share what has worked for you.

Russell Eubanks

Saturday, March 21, 2015

Have you seen my personal information? It has been lost. Again.

I recently posted the below on the SANS Internet Storm Center.


Remember when milk cartons had pictures of lost children on them? I think of those cartons every time I get a notice that my personal information “may have been impacted” as a result of a data breach. As you might imagine, I recently received one of these letters from an organization that needs my personal information in order to provide me with a valuable service.

These notification letters make me consider the risk of becoming numb to the impact of receiving so many of them. Will we eventually achieve perpetual “Identity Protection Services” elite status that continually monitors for misuse of our sensitive information for the rest of our lives? I wonder if the value of this service has the potential to become a little bit diluted with each and every notice we receive. Is it possible that we will soon treat these notices like a replacement credit card that arrives in our mailboxes?

What are you doing to reduce your risk after receiving a data breach notification letter in the mail?


Tuesday, December 9, 2014

Repost - Stop Admiring The Problem. Start Addressing The Problem.

I recently published the below post on the SANS Internet Storm Center site.

How much energy do you spend admiring your problems? It does not matter what the problem is - asset inventory, vulnerability management or security awareness. You do have problems. What are you doing to make your current problem less of a problem? Set your problems aside for just a minute and take a brief journey to explore how your problems can be viewed as an opportunity.

I have been guilty of this behavior in the area of vulnerability management. I was so focused on making sure that everything was scanned on a regular basis that I failed to work with the system and application administrators to help them remediate the vulnerabilities the scanners had identified. A much better alternative to just scanning everything on your network is to scan for a brief amount of time and then stop. Stop long enough to fix some issues the scanner identified and then go back and confirm they really were fixed. It does not have to be complicated. Perhaps you can use a simple chart that shows what was found, what was corrected and what still needs to be corrected. 

Collecting a bunch of "High" rated vulnerabilities adds no value. Correcting "High" rated vulnerabilities adds tremendous value. Instead of throwing missing patches over the fence to your administrators, offer help to them in their time of need. Maybe there is a valid business reason the administrators are not responding as quickly as you would like. Maybe they need extra support from your security or compliance teams to make progress in this area. Maybe they could use your help to focus on a solution to this problem. 

Every person should take time to make undeniable progress on one of their security problems because of the positive impact it will make on the security posture of their organization. Make progress, even if it is just baby steps. Make a move in the right direction to become the change agent that is desperately needed. 

What can you do right now to be the catalyst for the positive change your organization so desperately needs? 


What can you do right now to stop admiring the problem?


Wednesday, May 21, 2014

Community SANS in Pittsburgh

Consider joining me for the next Community SANS event in Pittsburgh, PA on June 16 - June 21, 2014. I will be teaching the SANS Security Essentials Bootcamp Style course. This popular course is appropriate both for people new to security as well as those who have been in security for years. This was the first SANS course I attended after I was in security for over three years. I remember how much I learned in this class as a student back then and look forward to sharing my passion for this course with you.

***************************************************************************

It seems wherever you turn organizations are being broken into and the fundamental question that everyone wants to know is Why? Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep your organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave this training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.

(https://www.sans.org/community/event/sec401-pittsburgh-16jun2014-russell-eubanks)

***************************************************************************

What: Community SANS Pittsburgh 2014
When: June 16 - June 21
Where: National Cyber-Forensics & Training Alliance
2000 Technology Drive, Suite 450
Pittsburgh, PA 15219 US

THE COMMUNITY SANS ADVANTAGE (http://www.sans.org/info/41114)

The Community SANS format offers the most popular SANS courses in your local community at a reduced tuition fee. And as with all SANS courses, the earlier you register, the more your fee is reduced.

SANS promises that you will be able to use what you learn in the classroom as soon as you return to the office.

Register today to join me in Pittsburgh by visiting (https://www.sans.org/community/event/sec401-pittsburgh-16jun2014-russell-eubanks).

Let me know if you need any additional information about this course!

Saturday, January 18, 2014

Community SANS Returns to Charleston

Consider joining me for the next Community SANS event in Charleston, SC on February 24 - March 1, 2014. I will be teaching the SANS Security Essentials Bootcamp Style course. This popular course is appropriate both for people new to security as well as those who have been in security for years. This was the first SANS course I attended after I was in security for over three years. I remember how much I learned in this class as a student back then and look forward to sharing my passion for this course with you.

***************************************************************************

It seems wherever you turn organizations are being broken into and the fundamental question that everyone wants to know is Why? Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep your organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave this training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.

(http://www.sans.org/community/event/sec401-charleston-24feb2014-russell-eubanks)

***************************************************************************

What: Community SANS Charleston 2014
When: February 24 - March 1, 2014
Where: Hyatt Place
7331 Mazyck Rd
North Charleston, SC 29406 US

Tuition: Register by January 29 to save $200 on this class
(http://www.sans.org/community/event/sec401-charleston-24feb2014-russell-eubanks)

THE COMMUNITY SANS ADVANTAGE (http://www.sans.org/info/41114)

The Community SANS format offers the most popular SANS courses in your local community at a reduced tuition fee. And as with all SANS courses, the earlier you register, the more your fee is reduced.

SANS promises that you will be able to use what you learn in the classroom as soon as you return to the office.

Register today to join me in Charleston by visiting (http://www.sans.org/community/event/sec401-charleston-24feb2014-russell-eubanks).

Let me know if you need any additional information about this course!

Sunday, November 10, 2013

Cloud Computing Atlanta

I am looking forward to speaking at the Cloud Computing Atlanta event on Tuesday November 12. This meeting will be held at the Advanced Technology Development Center (ATDC) at Georgia Tech and is open to the public. I will be speaking about the 20 Critical Security Controls and how they can be applied in a cloud hosting environment.

Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. Most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. Learn how to implement a proven continuous monitoring capability that has been used to drastically improve the security of many small and large organizations.

Friday, May 24, 2013

Community SANS returns to Augusta

Consider joining me for the next Community SANS event in Augusta on July 16-21, 2013. I will be teaching the SANS Security Essentials Bootcamp Style course. This popular course is appropriate both for people new to security as well as those who have been in security for years. This was the first SANS course I attended after I was in security for over three years. I remember how much I learned in this class as a student back then and look forward to sharing my passion for this course with you.

***************************************************************************

It seems wherever you turn organizations are being broken into and the fundamental question that everyone wants to know is Why? Why do some organizations get broken into and others do not? SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep your organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave this training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.

(http://www.sans.org/community/event/sec401-augusta-16jul2013-russell-eubanks)

***************************************************************************

Community SANS Augusta 2013

When: July 16-21, 2013
Where: Augusta State University
Health Science Building, Room EC2238
987 St. Sebastian Way
Augusta, GA 30912
Phone: 706-737-1482

Tuition: Register by June 5, 2013 to save $850 on this class
(http://www.sans.org/community/event/sec401-augusta-16jul2013-russell-eubanks)

ISSA members - use Discount Code "AugustaISSA13" for a 10% savings.

THE COMMUNITY SANS ADVANTAGE (http://www.sans.org/info/41114)

The Community SANS format offers the most popular SANS courses in your local community at a reduced tuition fee. And as with all SANS courses, the earlier you register, the more your fee is reduced.

SANS promises that you will be able to use what you learn in the classroom as soon as you return to the office.

Register today to join me in Augusta by visiting (http://www.sans.org/community/event/sec401-augusta-16jul2013-russell-eubanks).

Let me know if you need any additional information about this course!

Saturday, December 22, 2012

Scheduled Maintenance


I spent some time this week on car maintenance. My 1999 Honda Accord with 225,000 miles has never given me any trouble and I credit that to regular maintenance. To help make sure I reach my goal of 300,000 miles, I created regular reminders on my calendar to perform such tasks as changing the oil and rotating the tires.

A similar reminder can be used to make sure your home computer systems are running as they should. What can be on your calendar reminder? Consider using the Qualys Browser Check plugin each month to make sure each of your browsers and their associated plugins remain updated. Steps on how to use this tool can be found on the STI website.

What are you doing regularly to keep your computers running smoothly?

Russell

Sunday, October 9, 2011

Security B-Sides Atlanta

Security B-Sides Atlanta unconference is back. On November 4, all of your local and not so local security friends will be back at Think Inc, located at 1375 Peachtree St. Suite 600, Atlanta, Ga.

Registration is now OPEN and true to Security B-Sides, the admission price is most affordable by everyone.


Friday, October 7, 2011

Control 20: Security Skills Assessment and Training to Fill Gaps

Is your team well trained or does it lack fundamental and often the advanced skills needed to perform their jobs? Are there team members who are the only ones that know certain functions? What happens when they are not available for good reasons or bad ones? Several avenues for acquiring training are available.

Many large cities have some or all of the following security focused groups that foster community and learning new concepts. Attend these meetings and become more involved in the security community.

•    OWASP
•    InfraGard
•    NAISG
•    Defcon
•    Security B-Sides

Do not dismiss the value of setting up a home lab of old equipment or virtualized and ISO distributions to practice hacking and defending your home network. The skills acquired away from work are often the skills that make the biggest difference.

Wednesday, December 1, 2010

iptables -L

Recently I decided to teach myself how to use iptables. The concept always made a lot of sense; however, until I forced myself to actually use it, my understanding was incomplete. Iptables is a host-based firewall built into Linux. The INPUT chain defines what traffic can reach the host and the OUTPUT chain defines what traffic can leave the host.

The iptables rules are typically found in /etc/sysconfig/iptables. You can open this file as root with your favorite text editor, but it is much easier to interpret the rules with the iptables -L command, which lists them. Saving your changes is accomplished with the iptables-save command, which writes the running rules to standard output (redirect it to the rules file to persist them).

To help you be more specific in your rule declarations, switches are available including --sport for source port, --dport for destination port, -s for source address, -d for destination address and -p for protocol. The port switches only apply once -p has selected a protocol such as tcp or udp.

The -A switch appends the rule at the end of the chain. The -I switch inserts the rule at a given rule number, the default being the first position. The -D switch is used to remove a specific rule. Review the rules again with iptables -L to make sure the order of the rules is what you expect. Otherwise you may create a condition where a new rule never executes, because an earlier rule in the chain already matched the traffic.

Examples:

#Create new rule to allow inbound NTP (UDP) traffic from time.nist.gov on port 123 to 192.168.1.200 on port 123
INPUT: iptables -I INPUT -p udp -s 192.43.244.18 --sport 123 -d 192.168.1.200 --dport 123 -j ACCEPT

#Create new rule to drop outbound traffic to www.cnn.com
OUTPUT: iptables -I OUTPUT -d 157.166.255.19 -j DROP
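The two one-liners above each add a single rule; a small script that builds a whole ruleset with the same switches shows how rule order, -A versus -I, and -D fit together. This is an added example written for this page, not a script from the original post. It assumes a dry-run mode (DRY_RUN=1 prints each command instead of running it, so no root is needed to read the output), the constructed addresses from the post's own examples, and that SSH on port 22 is the only other inbound service.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal host firewall script
# using the iptables switches the post describes. Set DRY_RUN=1 to print the
# commands instead of applying them.
NTP_SERVER=192.43.244.18     # time.nist.gov, as in the post's INPUT example
THIS_HOST=192.168.1.200      # the protected host, as in the post's example
BLOCKED_SITE=157.166.255.19  # the post's OUTPUT example destination

# Every rule goes through this wrapper so a dry run can show the exact command.
rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules are evaluated top to bottom. Each specific ACCEPT is appended (-A) in
# turn, and the catch-all is the chain's default policy (-P), so nothing added
# later can be shadowed by an earlier "drop everything" rule.
build_rules() {
    rule -F INPUT                                 # start from an empty INPUT chain
    rule -A INPUT -i lo -j ACCEPT                 # loopback traffic
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p udp -s "$NTP_SERVER" --sport 123 -d "$THIS_HOST" --dport 123 -j ACCEPT
    rule -A INPUT -p tcp --dport 22 -j ACCEPT     # inbound SSH (assumed service)
    rule -P INPUT DROP                            # default policy: drop the rest

    rule -F OUTPUT
    rule -A OUTPUT -d "$BLOCKED_SITE" -j DROP     # the post's outbound example
    rule -P OUTPUT ACCEPT
}

# Insert (-I) a rule at position 1 so it is evaluated before every ACCEPT rule,
# for example to stop traffic from one source immediately.
block_source() {
    rule -I INPUT 1 -s "$1" -j DROP
}

# Remove (-D) that rule again by repeating the same match specification.
unblock_source() {
    rule -D INPUT -s "$1" -j DROP
}

# List the live chains with rule numbers so the order can be checked, as the
# post recommends after every change.
show_rules() {
    rule -L -n -v --line-numbers
}

# Stand-alone use: `sh firewall.sh apply` builds the ruleset and lists it;
# `DRY_RUN=1 sh firewall.sh apply` only prints what would run.
if [ "${1:-}" = "apply" ]; then
    build_rules
    show_rules
fi
```

Running the dry run first and reading the printed commands in order is the cheapest way to catch a rule that would never execute; after applying for real, `show_rules` gives the numbered listing the post's `iptables -L` check refers to, and `iptables-save > /etc/sysconfig/iptables` persists the result.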

Useful links:
https://help.ubuntu.com/community/IptablesHowTo
http://wiki.centos.org/HowTos/Network/IPTables

Thursday, June 17, 2010

Cyber-Security for Kids Impact Statement

The following are the results from the first 4-H Cyber Security Poster initiative. This was made possible through a partnership with the Hamilton County UT Extension Office and the SouthEast Tennessee InfraGard Members Alliance.

I guarantee you will be impressed at the direct impact of this program on the attendees. This is an excellent program that really allows our chapter to be involved with increasing the security posture of the community.

• 909 youth in grades 4th – 8th participated in a Cyber-Security educational program.

• 909 youth watched movie clips on the dangers of chat rooms and cyber-bullying.

• 909 youth watched movie clips on the potential outcomes of cyber-stalking and talking to/meeting people they do not know.

• 909 youth were educated on potential hazards of file-sharing, opening attachments, posting pictures, and Malware.

• 546 youth or 60% of youth participated in the “How to Stay Safe Online” poster contest. (The contest was completely voluntary.)

• Two youth reported an incident of cyber-bullying to their guidance counselor through this program.

• Over 50% of youth in attendance had been bullied online.

• Nearly 90% of youth in attendance have established social network identities on sites like, MySpace and Facebook.

• 95% of youth in attendance were unaware that once a file is uploaded to the internet, it cannot be deleted.

• 620 youth in attendance were under the age of 12 and therefore could not legally establish social network identities.

• 100% of youth in attendance learned something about cyber-security that they did not know.