Friday, September 28, 2012

Metrics vs Productivity

Disclaimer: The views expressed in this article are those of the author and NOT necessarily those of his employer or management or even fellow employees.

The emphasis on metrics

As companies seek to reduce bottom-line costs and increase efficiency, the reliance on metrics increases. Information security departments are often thought of as overhead and a drain on the bottom line, and so they strive to produce metrics to support their existence. This striving to show value through metrics is a double-edged sword.

On the plus side, metrics can indicate positive performance in the effort to increase the overall security posture of the enterprise.

Such metrics can be the number of tickets closed by an administrator, or the number of incidents reviewed by an analyst.

On the negative side, there can be a tendency to drop important tasks, which are hard to produce metrics on, and concentrate on routine tasks, which are easy to produce metrics on but in reality do not enhance the overall security of the enterprise.

Incident metrics often do not reflect the complexity of each incident or the result of the investigation. These cannot easily be quantified, and thus an emphasis on numbers rather than on quality has a negative impact on the enterprise security posture.

So, in summary, metrics can be good or bad, and the decision on which metrics to use, and on the level or quantity of each, needs to be carefully discussed before implementation.

DISCLAIMER: These are the author's personal views and not necessarily those of his employer.

S. Russell Dyer
BS CNE CISSP CRISC Security+ CICP
Security Analyst, and Dad to Makayla, Tristan and Michael.


The Best Defense


Disclaimer: the article represents the views of the author and not those of his employer, management or fellow minions.

Information security is evolving, but on one front it still lags behind: the area of offensive defenses.
My point is that the best defense is a good offense.

Through the use of honeypots and red herring links in applications, we can force web-based scanners, and the hackers at their controls, to waste massive amounts of time and become disinterested enough to move to an easier target.

Writing links and adding extra pages to applications which the end user never sees can be a great tool. These pages can be outside of user navigation paths, and can simulate login pages with links to honeypot databases and file systems with heightened logging. Using this technique, the security team will have more information and time to backtrack attackers and analyse the evolving landscape of web-based attacks.
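As an added example of the detection side of this technique (this is not code from the post), the script below embeds a hidden decoy link in a page and then reads ordinary web-server access logs to flag any client that requests a decoy path, ranking clients that walk several decoys as likely automated scanners. The decoy paths, log lines and the two-decoy threshold are constructed for illustration.

```python
"""Decoy-page tripwire: log and rank clients that request pages no legitimate
user is ever linked to.  Added example; the decoy paths, log lines and
threshold below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed decoy paths. They are emitted only as hidden links (see
# decoy_link_html) and never appear in normal navigation, so any request for
# them comes from a crawler, a scanner or someone reading the page source.
DECOY_PATHS = {
    "/admin-legacy/login.php",
    "/backup/db.sql.bak",
    "/.hidden/console",
}

# Apache/nginx "combined" access-log format; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class DecoyHit:
    ip: str
    ts: str
    path: str


def decoy_link_html(path: str) -> str:
    """Hidden anchor to embed in a real page: invisible to users, but followed
    by crawlers that ignore CSS and rel=nofollow."""
    return f'<a href="{path}" rel="nofollow" style="display:none">archive</a>'


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoy_hits(lines):
    """Every request whose path (query string stripped) is a decoy."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in DECOY_PATHS:
            hits.append(DecoyHit(rec["ip"], rec["ts"], path))
    return hits


def suspicious_clients(lines, threshold: int = 2):
    """Map IP -> sorted decoy paths for clients that touched at least
    `threshold` distinct decoys.  One hit may be curiosity; several distinct
    decoys is the signature of an automated scan walking every link."""
    per_ip = {}
    for hit in decoy_hits(lines):
        per_ip.setdefault(hit.ip, set()).add(hit.path)
    return {ip: sorted(paths) for ip, paths in per_ip.items()
            if len(paths) >= threshold}


# Constructed sample log: one scanner, one curious visitor, one normal user,
# and one unparseable line so the parser's failure path is exercised.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Sep/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "scanbot/1.0"',
    '203.0.113.5 - - [28/Sep/2012:10:00:02 +0000] "GET /admin-legacy/login.php HTTP/1.1" 200 880 "-" "scanbot/1.0"',
    '203.0.113.5 - - [28/Sep/2012:10:00:03 +0000] "GET /backup/db.sql.bak?x=1 HTTP/1.1" 200 120 "-" "scanbot/1.0"',
    '198.51.100.7 - - [28/Sep/2012:10:01:10 +0000] "GET /products HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [28/Sep/2012:10:02:45 +0000] "GET /.hidden/console HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in decoy_hits(SAMPLE_LOG):
        print(f"DECOY {hit.ts} {hit.ip} {hit.path}")
    print("scanners:", suspicious_clients(SAMPLE_LOG))
```

Pointing the decoy hits at a separate, high-retention log (or an alert) is what gives the "heightened logging" the post asks for: normal traffic stays in the usual access log, while every decoy hit is rare enough to be worth a human look.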

An escalation could be these fake systems launching exploits against whoever is accessing them. Attack is a viable defense in my opinion.

It's time to go on the offensive against hackers.

S. Russell Dyer BS CNE CISSP CRISC Security+ CICP
Security Analyst, but I'm by no means an expert  ;-)



Wednesday, September 26, 2012

Epic Fail


Disclaimer: The views expressed in this article are those of the author, and not his employer, management or fellow employees. 

Having worked in information security and in the IT field for 20 years, I'm struck by the frequency with which systems designed to assist us end up becoming a sinkhole for time, money and energy.

Lofty goals often result in the purchase of massively complicated systems with vast ranges of capabilities that should work and perform as the salesman says. Unfortunately the systems that attempt to be all things to all people are often useful things to very few people and a major pain in the butt to everyone else.

Today I'm advocating the selection of a few simple tools to cover what is needed. 

Don't try to combine log archiving, event correlation and network monitoring. It's just too tough to be effective. RSA enVision tries and fails, and ArcSight is only for the rich.

Archive your logs by all means but don't presume that this is easily harvested and turned into events and dashboards and monitoring.

If your goal is network monitoring, then select a network monitoring tool, like NetWitness or the cheaper Trisul. See the events from the wire and not from logs from the past.

That's all I have to say on this for now.

KISS: keep it simple, stupid,

And avoid the Epic Fail.

S. Russell Dyer
BS CNE CISSP CRISC Security+ CICP
I.T. insider, former Network Engineer, and Security Analyst.




Friday, September 21, 2012

Personal Mobile Devices in the Enterprise

The portable device conundrum and a logical solution

Disclaimer: This article represents the observations, views, opinions and general ramblings of its author and is not the policy, opinions or views of the author's employer, management or fellow employees.

Users want the freedom to bring in personal portable devices for business and personal reasons, both of which can improve the employee's overall quality of life, work and job performance.

Be in no doubt that this does pose a security risk, BUT when properly mitigated there can be a measurable benefit to the enterprise. Happier employees are without doubt more productive employees. They are also healthier employees, which impacts the company's bottom line for health insurance coverage.

The initial thrust of personal device introduction to the enterprise came with personal cell phones. These phones are now smart phones and susceptible to attack and compromise in much the same ways as computers and laptops. 

Personal laptop computers and, more recently, tablets like the iPad line from Apple represent a more vulnerable threat vector than cell phones, but developers and IT personnel often utilize these tools for work and also for brief periods during the day to refresh their focus. Short breaks during the day can positively impact personnel performance.

A practical solution

The issue of personal devices at work can be addressed piecemeal, by a patchwork of policies and controls, or boldly, and I would argue successfully, by a single, all-encompassing, management-led solution.

I propose that an enterprise that wishes to solve this issue could do so with the following simple steps, which would have the added benefits of raising employee morale, reducing support costs and eliminating much of the portable device risk.

1. Give an Apple iPhone and Apple iPad to every employee. Employees who do on-call support will have company-subsidized devices, and other employees would have to use the phones at their own cost. The benefit to support is that all users will become familiar with the same operating system and can gain advice and support from each other in addition to the usual channels.

2. Buy a mobile device management solution for Apple devices only.

3. Prohibit, through policy and enforcement, the use of any other devices within the confines of the enterprise, and provide a quarantine area where prohibited devices can be dropped off by users and picked up after their work day ends.

4. Add additional value by creating an Apple development group and producing applications for your in-house systems which customers need to access.

The main point is to standardize on a single platform and reduce support costs. It is an added bonus that Apple's iOS is less exploited by hackers than Windows.

S. Russell Dyer BS CISSP CRISC
Security wanderer and event-handling lackey.

DISCLAIMER: The views expressed in this article are solely those of the author and not those of his employer, company management or fellow employees. 



Thursday, September 20, 2012

Scan Everything


Previously I proposed that monitoring the wire is vastly more effective for alerting and generating events.

Now I'll cover the other piece of the equation: vulnerability scanning.

Disclaimer: the views and opinions in this article are entirely mine and not those of my employer, fellow employees or management.

Back to Scanning.

Firstly, scanning has to be all encompassing, regularly repeated, and something has to be done with the results.

The first caveat of scanning is that you can't scan what you do not know about. The network needs to be accurately documented, and Visio diagrams are a must if no automated solution is in place to dynamically enumerate the network.

The second caveat is that everything gets scanned repeatedly, preferably on a weekly basis.
Weekly scanning will more rapidly show you what is changing and which vulnerabilities are new. You can then match these vulnerabilities to traffic alerts on your network, and you will know when to be concerned.
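A worked example of the week-over-week comparison and the matching to traffic alerts described above. This is added code, not anything from the post or from a scanning vendor: the hosts, check names, severities and alerts are constructed, and the network-monitor alerts are assumed to have already been reduced to host, port and signature.

```python
"""Weekly scan differencing and traffic-alert correlation.  Added example;
hosts, vulnerability identifiers, severities and alerts are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result.  vuln_id is the scanner's own check name
    (constructed placeholders here); severity runs 1 (low) to 10 (critical)."""
    host: str
    port: int
    vuln_id: str
    severity: int


@dataclass(frozen=True)
class Alert:
    """One network-monitor alert, already reduced to host, port and signature."""
    host: str
    port: int
    signature: str


def _key(f: Finding):
    return (f.host, f.port, f.vuln_id)


def diff_scans(previous, current):
    """Split the current week's findings into new, fixed and persistent.
    Frozen dataclasses compare by value, so set arithmetic does the work."""
    prev, cur = set(previous), set(current)
    return {
        "new": sorted(cur - prev, key=_key),
        "fixed": sorted(prev - cur, key=_key),
        "persistent": sorted(cur & prev, key=_key),
    }


def correlate(findings, alerts):
    """Pair findings with alerts seen against the same host:port.
    Returns (finding, distinct signatures) ranked by severity, then by how
    many alerts hit that socket.  Findings with no matching traffic are
    dropped: they still need fixing, but they are not today's concern."""
    by_socket = {}
    for a in alerts:
        by_socket.setdefault((a.host, a.port), []).append(a.signature)
    ranked = []
    for f in findings:
        sigs = by_socket.get((f.host, f.port))
        if sigs:
            ranked.append((f, sorted(set(sigs)), len(sigs)))
    ranked.sort(key=lambda t: (-t[0].severity, -t[2], t[0].host))
    return [(f, sigs) for f, sigs, _ in ranked]


def weekly_report(previous, current, alerts):
    """What changed since last week, and which of the new holes are already
    being poked at on the wire."""
    delta = diff_scans(previous, current)
    return {
        "new": delta["new"],
        "fixed": delta["fixed"],
        "persistent": delta["persistent"],
        "concern": correlate(delta["new"], alerts),
    }


# Constructed data: two consecutive weekly scans and one week of alerts.
WEEK1 = [
    Finding("10.0.0.5", 443, "TLS-WEAK-CIPHER", 4),
    Finding("10.0.0.8", 22, "SSH-OLD-VERSION", 6),
    Finding("10.0.0.12", 80, "HTTP-TRACE-ENABLED", 3),
]
WEEK2 = [
    Finding("10.0.0.5", 443, "TLS-WEAK-CIPHER", 4),
    Finding("10.0.0.8", 22, "SSH-OLD-VERSION", 6),
    Finding("10.0.0.12", 80, "HTTP-DIR-LISTING", 5),      # new this week
    Finding("10.0.0.20", 3306, "MYSQL-DEFAULT-CREDS", 9),  # new host, new hole
]
ALERTS = [
    Alert("10.0.0.20", 3306, "MySQL login attempt from external address"),
    Alert("10.0.0.20", 3306, "MySQL login attempt from external address"),
    Alert("10.0.0.12", 80, "Directory traversal attempt"),
    Alert("10.0.0.5", 443, "TLS version probe"),  # hits a persistent finding
]

if __name__ == "__main__":
    report = weekly_report(WEEK1, WEEK2, ALERTS)
    for label in ("new", "fixed"):
        print(label, [f.vuln_id for f in report[label]])
    for f, sigs in report["concern"]:
        print(f"CONCERN sev={f.severity} {f.host}:{f.port} {f.vuln_id} <- {sigs}")
```

The report deliberately correlates only the new findings: persistent ones were already triaged last week, and running correlate() over the full current scan instead is a one-line change when the whole picture is wanted.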

The third caveat is that you need a good scanning solution that has audits updated more than weekly, and that doesn't crash or fail you when you need results. The solution needs to be all-encompassing and able to scan internal and external-facing systems regardless of their operating system, level of hardening or age. Just because a system has only been around for a year or so is no excuse for a scanning vendor not to support scanning it. The scanning solution must be able to do credentialed or uncredentialed scanning. A solution which can select from a list of credentials depending on the detected system type is a valuable feature.

Finally, vulnerability scanning seldom causes issues on target systems, and limiting scans to a narrow weekend window gives no flexibility to work around other network or system changes.

So what scanning solutions have I used?

1. eEye Retina and REM were OK but have stability and support issues, so I cannot recommend them.

2. Tenable Nessus has a few more features, and the government likes it, but alas, I do not. There is a better option.

3. Core Impact. While you can in theory scan for vulnerabilities with Core, it's a penetration testing tool and not a vulnerability scanner. You may as well tie your shoelaces with mittens on. While you may have success, you won't excel, and the results will be mediocre.

4. Rapid7 Nexpose. Options available to scan internal and externally facing systems. Can select credentials from a list depending on the system detected. Integration with Metasploit for pen testing and validation. This is the preferred commercial solution.

For a cheap alternative... I can't think of any at the moment.

Thanks for reading and once again, these are my personal views and not those of my employer, its management or fellow employees.

S. Russell Dyer BS CISSP CRISC
Information security guru and slave to the cause of securing networks and users.





Securing the network


Disclaimer: the views expressed in this article are mine alone and do not reflect the views of my employer or fellow employees or management, and are expressed because we live in the land of the free, where speaking your mind usually doesn't result in beheading.

After many years of navigating the information security maze, I have come to the conclusion that concentrating on event log correlation from servers, workstations and network equipment, and alerting on these events, is not the best path to securing the network and preventing security breaches. Indeed, I believe it's defunct and outdated and will eventually fade into oblivion.

Collecting vast amounts of logs and sifting through them only tells you what has happened in the past, or more importantly, what each log source thinks has happened. It is implausible to think that each system on the network has been programmed with event triggers for every conceivable event, and if we know what triggers events and alerts, then hackers also know this and may be able to navigate around and avoid these triggers. Collecting all the logs at a central location and then attempting to write triggers is also a monumental waste of resources: as the network and the systems on it continue to be upgraded, replaced or decommissioned, the event triggers need ever-increasing maintenance, and their complexity morphs to a point where they no longer perform their originally intended task.

Compliance and Audit requirements often require us to continue collecting and storing and reporting on log data, but we should not rely on this same process for securing the network in real time. It is in reality only useful for after action analysis once an incident has been identified and contained.

The only way to truly know what's happening on the network is to see the traffic on the wire in its raw form, before it's received by target systems and interpreted into log data. Assuming that this is our goal, there are several guidelines which must be followed to be successful.

1: Use multiple LAN taps or span ports to see the entire picture. If you try to watch your network with one span port, then you are one big fool. To know what's happening on the network we need a span port on the outside of the firewall to see what's trying to get into the network. If there are multiple links to the internet, then each needs a span port. Another span port is needed between the DMZ and the workstations to see the traffic between them. Another span port for your wireless network. Always remember, unlike federal spending, more is better when it comes to span ports. BUT also avoid duplication.

2: Centrally collect and monitor data from each span port. While historical data is nice, don't overdo it and try to store months of data. You have event log archiving for that historical stuff, and while it's not perfect, it will do nicely.

3: Select the best system you can get that meets the following criteria.
- from a recognized vendor who has been in this space for several years
- has a central dashboard with drill-down access and does not need the analyst to switch to other screens / applications to trace an event
- the vendor supplies event trigger updates at least weekly
- reporting is customizable so management and technical staff can get the reports they need
- integrates with other industry-recognized solutions using non-proprietary communication vectors
- vendor supplies support and is in your time zone, but preferably 24/7 support


NetWitness is a great solution, and I have used it, so I can attest to its ease of use and intuitive interface, and its interface is lightning fast. Unfortunately it's been acquired by RSA, so I'm not sure what will happen with that.

Trisul (trisul.org) is a much cheaper solution and worth investigating. I have used this and seen its value. And if you only want to be able to look back 3 days, it is free.

4: Assign dedicated staff to monitor, maintain, and run the system. (A note to management: if you jerk your staff around from one tool to another and expect them to be masters of all, they will end up being good at none, and the only jerk will be you. Sorry to be blunt, but it is what it is.)

Finally, when you're watching all that traffic on your network, you will need policies, published, backed up and preached to all by executive management, in order to get the traction you need to tighten up your network security.


Disclaimer again. This article represents my views and not those of my employer, any agent or my 5-year-old son Michael, no matter how much they may agree or disagree.

Thank you
S. Russell Dyer BS CISSP CRISC
Security Analyst and Network watcher for over 20 years.





Sunday, September 16, 2012

The election approaches

When November arrives and along with it Election Day, I'll vote for the least worst candidate along with most Americans.

The Democratic incumbent openly supports abortion and gay marriage, while testifying to being a Christian.

The Republican challenger is a Christian, but Mormon and not Baptist. The Republicans are also closer to big business than I would prefer.

When November comes I'll vote Republican because I'm a Bible-believing Baptist, and the Bible says that thou shalt not kill, and that marriage shall be between one man and one woman.