Monday, October 29, 2012

Differentiating mobile devices

Disclaimer: These be the thoughts and ramblings of the author, not necessarily those of his employer, management or any other fellow lackeys.

When company management seeks to differentiate between devices and attempts to ban certain categories of device from the workplace, it often fails to realize that the categories have merged and cannot easily be separated.

Apple mobile devices, for instance, all run the same operating system and apps, so banning iPad tablets but not iPhones does nothing from a security, capability or risk standpoint. The same apps and capabilities exist on the phones as on the tablets.

In fact, phone calls can be made from an iPad using Google Voice to any landline, so would that not make an iPad fit into the phone category?

If you say no, then are you classifying the iPad as a tablet on size alone?

Phones are getting bigger. The Galaxy Note 2 phone is 5.5 inches. The new iPad mini is only 7.8 inches and has a cellular radio option available. The iPod touch is only 4 inches but has no cellular radio. Which is a phone and which is a tablet?

I would argue that the whole phone / tablet differentiation is bogus, as tablets can have the same operating system, hardware and uses as a phone.

Trying to restrict tablet use only serves to alienate a subset of workers and shows management's lack of a true understanding of modern mobile devices.

S. Russell Dyer BS CNE CISSP CRISC Security+ CICP
Mobile Device Guru.



Friday, October 26, 2012

The wire is the key

Disclaimer: These be the author's thoughts and ramblings; no other may claim ownership of them. They are not necessarily the thoughts, policies or mindset of the author's employer, management, or fellow slaves.

The wire is the key to enterprise security. Whoever owns the wire holds the keys to the kingdom. Make sure your network security department has the tools to "own the wire".

The majority of data leakages and breaches happen over the wire, and the wire is what we must maintain a laser focus on.

Sure, log correlation can yield valuable information in a post-breach scenario, but the real-time relevancy of the traffic on the wire far outweighs the patchy detail of server, workstation and device logs.

Think of the fox in the henhouse. Does the farmer want his first alert of trouble to be screaming hens getting slaughtered, or would he rather see the fox approaching across an open field and have time to prevent the slaughter?

This is why a system that monitors the traffic on the wire is an enterprise imperative. Such a system can be a hard sell to executives, as it may not be a regulatory requirement, or helpful to external auditors focused on logs and reports. But the seemingly high cost of such a system pales into insignificance alongside the financial and reputational costs of even a small data breach.

So enterprises should invest in network monitoring software that can show, alert on, and capture traffic on the wire. This allows the information security teams to identify, intercept and prevent breaches.

All information security teams prefer prevention of breaches, but are often limited to post-breach analysis by prior management funding and system acquisition decisions.

That's all for now

S. Russell Dyer BS CNE CISSP CRISC Security+






Location: Okemos Rd, Okemos, United States

Wednesday, October 24, 2012

BYOD 5 Commandments

The 5 commandments of Bring Your Own Device.

1. Issue an approved Tablet and Phone to every employee.
- The only way to reduce your support, audit and training costs is to standardize on one platform. Today the options are Apple's iOS, Microsoft's Windows 8, or Google's Android. I'd recommend Apple's iPad and iPhone, as their build quality and security are at a much higher level than Android or Windows Phone.

2. Monitor Devices.
- Security requires centralized monitoring, alerting and management. Invest in a mobile device management solution with a proven track record.

3. Audit Devices.
- Audit regularly to ensure the security profile of the devices is maintained and patching is effective.

4. Update.
- Ensure devices are being patched, and over time, perhaps every two or three years, the devices will need to be replaced with newer, faster and more productive devices.

5. Relax.
- Employees are not inherently evil or criminally inclined. Allow employees a few minutes each hour to check personal email and blow off some steam. If managers walk by, they shouldn't expect employees to be buried in work for the full time they are in the office. Expecting this will result in micromanagement impacts, like employees becoming paranoid, timekeeping taking precedence over productivity, and employee morale spiraling into the gutter. This can in turn lead to employees leaving and the dreaded brain drain.

Disclaimer: The views expressed in this article are those of the author, and not his employer, management or fellow worker bees.

S. Russell Dyer. BS CNE CISSP CRISC Security+
Mobile Device Guru, Security Analyst and Slave to all things Tech.

Monday, October 22, 2012

Liar on the wire

Disclaimer: The views expressed in this article are those of the author and not of his employer, fellow employee lackeys or friends and cohorts.

Malware and other techniques used by hackers continue to evolve, and each evolution sees methods adapted to evade attempts at detection.

How long until the bad guys integrate code to trick operating systems into generating false log entries to obfuscate the real attack?

This is another reason to watch the traffic on the wire and not rely on log entry correlation as a defense.

S. Russell Dyer BS CNE CISSP CRISC Security+
Security Analyst and I.T. Guru.

What makes work suck

Disclaimer: The views expressed in this article are the author's alone and not of his employer, management or fellow lackeys.

Workplace paranoia is a constant battle. When workers are constantly looking over their shoulder, worrying that a manager will walk by, see a worker taking a couple of minutes to check his or her bank account, and assume that's all the worker does all day, the work environment becomes painful.

Management needs to concentrate on the big picture, and not stoop to micromanagement, which kills employee morale.

When one department's employees see that they are targeted for rules that other departments are not given, it makes for a poor working environment.

Employees need space and time to refocus during the work day, and this can come in several different forms.

Personal devices can be used to check personal email and share non-work news with fellow workers.
A walk outside or inside the building can be a good re-energizer.

More later,

S. Russell Dyer BS CNE CISSP CRISC Security+
Security slave to the cause.


Sunday, October 21, 2012

Winston Churchill quote

1) “Success is the ability to go from failure to failure with no loss of enthusiasm.” Winston Churchill, former prime minister of Britain


Enterprise security 10 commandments.

1. Define a security policy

This is the document which governs all data security within the company. Some tips? It shouldn't be too lengthy (no employee is likely to engage fully with a fifty page document); it should not demand the impossible; and it should show that you value your employees. (A further recommendation: have an executive or the HR department deliver it, rather than IT support.)

2. Make use of security technologies

These are the basis for the security of the company's data/information. A network that does not have antivirus protection, firewalling or antispam will be exposed to too many risks for other controls to cover adequately. According to data presented in the ESET Security Report Latin America, 38% of enterprises in the region were infected with malware last year.

3. Educate your users

Moreover, educate all your users. Technically adept users or the IT department are often not included in security training, as if it were proven that they are less vulnerable to threats. According to ThreatSense.Net statistics, 45% of the threats detected in the region last year made use of social engineering, against which technical but security-unrelated expertise may offer no defence at all.

4. Take control of physical access to information

Information security is not a problem that should be considered only in terms of "virtual" information, but should also consider the physical media where it is stored. Where are the servers? Who has access to them? Without a doubt, physical access is crucial. Printed data should also be considered in this respect. For example, consider physical access to offices where confidential information is held (management, accountants etc.) or where there is access to printers (someone could "accidentally" see or steal confidential information).

5. Maintain your software

Software vulnerabilities are the gateway to many attacks against the organization. According to the report on the state of malware in Latin America, 41% of USB devices are infected and 17% of the malware used exploitation of vulnerabilities. Keeping the operating system and other applications up to date with the latest security patches is a vital security measure.

6. Don't just rely on IT to defend your systems

One of the most common security errors is to fail to understand that security is not purely a technological problem. There should also be a team whose sole purpose is to manage information security, and this should be given full consideration rather than ignored in favour of issues such as usability and convenience. Security is not the only business need, but it is important.

7. Don't give ordinary users administrative rights

If users don't have administrative rights they don't need, the impact of an intrusion into the system will be limited. Once again, we should emphasise the importance of implementing this control for the entire company: members of the IT department and senior management should also have limited privileges for day-to-day computer usage, using administrator accounts only where the job in hand requires them.

8. Think before you sacrifice security to save money

Security should be designed to protect business information and, therefore, the business. When investing in security, take into account the value of the information that is to be protected, the likelihood of a breach, and the likely consequences of such a breach. 

9. Don't finish a security project

That may seem a strange thing to say, but it isn't, because you shouldn't start a project either. Security must be seen as a continuum, not a process with a fixed start and end point. It is true that small implementations of security controls may need to be run as projects, but the general protection of information should not be perceived as a project, but as a continuous process and ongoing business requirement.

10. Don't underestimate the importance of information security

Our last and possibly most important point is to urge you to understand the importance of well-protected business information. One of the worst mistakes that an executive can make is to think that a control should not be implemented because "I don't think it will happen". Many companies, especially small and medium-sized enterprises, may not recover from a severe information breach.


Monday, October 8, 2012

Low cost event correlation


Disclaimer: the views expressed in this article are those of the author and not his employer, management, fellow lackies, or family.

So you have a boatload of events to correlate, and no big-budget automated tools. Well, you may have some tools, but it's likely that they aren't living up to the sales hype.

Let's look at some basic tools. Your event is typically a source IP address, a destination IP address and maybe a port number.

First off, work out the DNS names. You can use nslookup for internal IP addresses and websites such as ipvoid and speedguide.net for external addresses.

Google the port number and see what the web says are common uses of the port.

For internal Windows systems, get the Sysinternals tools, particularly psloggedon.exe, which can tell you who's logged onto the internal system.

If psloggedon doesn't work, try connecting to the c$ administrative share of the Windows system and looking at the user profile folders under the Users folder.

These basic tools can get you started.

For a small network, see if you can get a Security Onion system or a Trisul system with its SPAN port on the outside of your DMZ. This can give you all this info and more with the click of an icon or two if properly configured.
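To make the steps above concrete, here is an added example (not code from the original post) that runs a batch of (source IP, destination IP, port) events through the same name and port enrichment and then groups them by source, so a single host touching many systems, or a source outside the enterprise's own address range, stands out in a way that one-event-at-a-time review misses. The sample events, host names and internal address range are constructed; `live_resolver` shows where the nslookup step would plug in.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str, int]  # (source IP, destination IP, destination port)
# Constructed sample events of the kind pulled from a firewall or IDS export.
SAMPLE_EVENTS: List[Event] = [
    ("10.1.5.23", "10.1.0.10", 445), ("10.1.5.23", "10.1.0.11", 22),
    ("10.1.5.23", "10.1.0.12", 3389), ("10.1.5.23", "10.1.0.13", 23),
    ("10.1.5.23", "10.1.0.14", 135), ("10.1.7.40", "10.1.0.10", 445),
    ("203.0.113.9", "10.1.0.11", 22),
]
# Constructed stand-in for the nslookup / ipvoid step (hypothetical host names).
STATIC_NAMES = {"10.1.0.10": "fileserver01.corp.example",
                "10.1.0.11": "jump01.corp.example",
                "10.1.5.23": "ws-acct-23.corp.example"}
# Small constructed port table so the script needs no /etc/services to run.
COMMON_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 445: "smb", 3389: "rdp"}
# Constructed: the address space this enterprise owns; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def static_resolver(ip: str) -> str:
    """Offline resolver: constructed table first, else the raw IP."""
    return STATIC_NAMES.get(ip, ip)

def live_resolver(ip: str) -> str:
    """Reverse DNS via the standard library (the nslookup step); falls back to the IP."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and gaierror are OSError subclasses
        return ip

def service_name(port: int) -> str:
    """Label the port: local table first, then the OS services database."""
    if port in COMMON_PORTS:
        return COMMON_PORTS[port]
    try:
        return socket.getservbyport(port)
    except OSError:
        return f"port-{port}"

def enrich(events: List[Event], resolver: Callable[[str], str] = static_resolver) -> List[dict]:
    """Attach host names and a service label to each raw (src, dst, port) event."""
    return [{"src": s, "src_name": resolver(s), "dst": d, "dst_name": resolver(d),
             "port": p, "service": service_name(p)} for s, d, p in events]

def correlate(events: List[Event], fanout: int = 4) -> Dict[str, dict]:
    """Group by source and flag what one-event-at-a-time review misses:
    one source touching many hosts, or a source outside our own address space."""
    by_src: Dict[str, dict] = defaultdict(lambda: {"dsts": set(), "services": set(), "flags": []})
    for e in enrich(events):
        by_src[e["src"]]["dsts"].add(e["dst_name"])
        by_src[e["src"]]["services"].add(e["service"])
    for src, info in by_src.items():
        if len(info["dsts"]) >= fanout:
            info["flags"].append("fan-out")
        if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            info["flags"].append("external-source")
    return dict(by_src)
```

Pass `resolver=live_resolver` to `enrich` on a real network to replace the constructed table with reverse DNS.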

Cheers and more next time.

S. Russell Dyer BS CNE CISSP CRISC Security+ CICP
Information Security Analyst and mobile device geek.



Thursday, October 4, 2012

An issue of Priorities

Disclaimer: These ramblings are the author's and his alone, and are in no way attributable to the author's employer, management or friends.

As we navigate the ever changing landscape of information security, we must continually balance the many priorities thrust upon us by management, other teams and external customers.

Oftentimes, we believe directives handed down from management should be modified to meet the goals we believe are the desired end. Whether it is through the use of different tools from those suggested, or an alternative procedure which would reduce time and improve efficiency, it is often difficult to convey this information successfully back up the management chain. When this happens, resistance and animosity can run rampant.

Management invariably gives us just the information they believe we need to know, and this may leave us in the dark as to the true goals of a task.

Example 1:
A management directive for analyst eyes-on-glass event monitoring, with a requirement to process a certain number of events per day.

Upside: Management needs metrics to show upper management that security is working.

Downside: in an effort to produce metrics, and indeed increase the number of events processed, we may focus on volume over quality. An event showing SSH access from another country may be logged; initial log review may show nothing suspicious, so it is filed and the analyst moves on to the next event, when further investigation over a day or two might show a pattern and indicate possible progress by an attacker, which could warrant defensive action.

Example 2: External influences reducing the effectiveness of the Security Team.

Other teams who are directed to resolve the findings from security team tests may seek to limit the effectiveness of the tests by influencing the decision on the tools to be used. This can be done at upper management levels which are not visible to the security team, and may result in a task to scan certain systems with a less effective tool than others which are available, or with timing parameters which limit the granularity of the testing.
Other vectors for issues are purchasing decisions where the security capabilities of tools are not given sufficient weight.

So, what options are open to security teams to guide and assist their management in producing what we believe are optimal data most efficiently and effectively?

1. Communication is the primary tool to ensure smooth running and optimal success.
- Regular meetings, say weekly, can foster success providing they are run effectively.
Meetings must be open, with all team members and the team management in attendance. Team members must be able to speak freely and openly about their thoughts on topics. Each team member should be allowed equal time and weight for their input, which can be difficult as there are often big talkers who can monopolize the discussion. It is management's task to ensure equal access during discussions.
The meeting agenda should also be available at least 2 days in advance so team members can be suitably prepared.

2. Information dissemination from management needs to include all relevant data. This is difficult for management, as they often seek to limit information so the discussions reach their preconceived desired result. Sometimes confidentiality issues prevent information dissemination also. Management may also be swayed by input from other departments.

3. The Information Security Team needs to present a united front externally.
Decide on the optimal combination of tools, procedures and policies, and don't try to change tools every year or two. Because you want to have the optimal toolset, the decision on the tools needs to be a team one, and not a management directive. Take feedback from the analysts and engineers who have used all the tools and give them the necessary weight and credence. An engineer's opinion of a tool he does not use day in and day out should have very little weight compared to the advice of an analyst who uses the tool every hour of every day.

Information security is not easy, and at times it may seem the biggest obstacles to success are forces inside the enterprise. Yet we must use all the tools in our arsenal to improve security and prove that security is a valuable department for the enterprise.

That's all for now.
S. Russell Dyer BS CNE CISSP CRISC Security+ CICP

Remember the Disclaimer!



What's in a Cube

Disclaimer: The following ramblings are those of the author and are in no way the opinions, views, policies, or anything else related to the employer of the author, the author's management or fellow minions.

These days the most common work environment for company employees is an office cube: a bland space which employees endeavor to make their home away from home with pictures, keepsakes and other reminders of their family and outside life. Office cubes are not the optimum environment, but due to economies of space, they are the best option available.

Some office cubes can be of a less private style, with 4 foot walls, which customer service departments often prefer. While these can enable more overall communication, they remove another level of self-worth from the employee and seem to degrade the quality of work.

Then there is the alternative of crowding several people into a room in an effort to allow closer communication and more work output. This is a double-edged sword which will invariably result in perhaps a greater volume of work output, but output which is of lower quality. Without the privacy and calm of their own individual workspaces, which foster a deeper and more insightful thought process, the result of certain tasks is not as good.

I believe that the full-size cube is currently the best option, and that crowding more people into a closer working environment results in diminished productivity, lower employee morale and, in the long term, higher turnover in staff.

Disclaimer: The above ramblings are the author's alone, and in no way represent the opinions of the author's employer, management, fellow employees or friends and strangers.

S. Russell Dyer BS CNE CISSP CRISC Security+ CICP
Security Analyst, Computer enthusiast and mobile device addict.