April 29, 2010 by Marcos Christodonte II
Here’s a new piece I wrote for SearchSecurity.com on using a risk-based auditing methodology to achieve enterprise security.
Some topics covered include:
- Why use a risk-based audit
- How to perform a risk assessment
- Tips on categorizing assets
- Classifying assets by criticality and confidentiality levels
- Calculating risk and risk ranking
- Developing an audit plan
- A six-step audit methodology
- A risk-based audit use case
Give it a read and let me know if you have any questions.
April 9, 2010 by Marcos Christodonte II
I was a little nervous when I started reading this book. Chapter 1 provided an overview of network analysis, but had a lot of “personality.” When I read, “Wait…more data is coming in…and more…and…SCREECH!” I wasn’t too sure if I was going to finish the book. At over 700 pages, I was hoping that each page contained only “meat and potatoes,” without a lot of dry humor and meaningless analogies. Thankfully, a few pages later I began what turned into a great read — full of solid content.
Wireshark Network Analysis goes well beyond Wireshark functionality. Although the first several chapters outline how to best use Wireshark — examining the settings, filters, and other configurations — I think the true value of the book is in the detailed explanations of network traffic analysis. For instance, pg. 304 delves into DNS. This section tells the reader exactly what DNS is used for and provides an analysis of normal and abnormal DNS traffic. It also shows screenshots of the packet, displays and describes its contents. This type of analysis is provided throughout the book and covers all forms of network traffic (including suspect traffic — my personal favorite).
Page 563 resonated with me, as I’m a firm believer in baselining network traffic. In this section, Wireshark Network Analysis details the importance of baselining and the types of traffic to focus on. Like other sections, this section also provides screenshots, showing how to analyze traffic and packet statistics.
There were minimal grammar errors, and it does seem like the case studies were not tech edited by the book editor — many of them contained several grammar mistakes. Although, it does appear that those were submitted by third parties and probably used as-is. Nevertheless, I can provide plenty of other examples as to why Wireshark Network Analysis is a great book. There are plenty of screenshots, review questions with answers on the next page (instead of making the reader turn to the back of the book), and links to tons of packet captures for analyzing on your own. Overall, the book is well-written and, in my opinion, the best network analysis book on the market today.
March 31, 2010 by Marcos Christodonte II
I recently wrote an article for SearchSecurity.com on creating a proactive incident response program.
Here’s the introduction (click the link above to continue reading):
Information security incidents are a fact of life. We have witnessed them on the news and within our own organizations — attackers are getting into networks and stealing corporate secrets and customer data. It’s vital to take a proactive approach to incident response to be sure certain enterprises are equipped and ready for the next incident.
Incident preparation helps enterprises maintain controlled and efficient responses during chaotic incident response moments. While the ideal scenario would involve companies avoiding incidents altogether, it’s important to be realistic and make preparations that will allow for a brisk response in the event of a security incident. There are numerous steps to take in preparation, and in this tip, I outline several necessary steps for creating an efficient security incident response program.
February 23, 2010 by Marcos Christodonte II
Rutgers just posted a news release about malware research against smartphones. The Professor and student researchers discussed how their rootkits could “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless.” They were able to send “invisible” text messages to the infected phone, activating the rootkit, and alerting it to make a call and turn on the microphone.
Smartphone malware isn’t a new concept, but as advances in smartphones continue, malware proliferation will follow. A few months ago, there were reports of malware infecting jailbroken iPhones. I’m sure we’ll see similar reports in the future (on non-modified phones), and a greater emphasis on smartphone antivirus to follow.
February 1, 2010 by Marcos Christodonte II
I was reading an article today by Jay Forte about having a value discussion with your employees. The article was quite interesting, and as I read it, I thought about how his guidance also applied to security. Jay outlined what managers could tell their employees to help them add value to their organizations. Part of the sample note that he provided for employees said, “I need you to think through each of your decisions and know its impact on our customers, on your job and on our company.” That statement resonated with me!
The decisions employees make have immense impact on their companies—oftentimes with lasting consequences. As easy as employees can boost sales and generate revenue, they can also create vulnerabilities, cause data loss, ruin reputation, and cost their company in legal or regulatory penalties.
Here are a few things that you can start discussing with your employees (some items target different groups):
- Read and understand policies. If you have a question, ask.
- Speak up if you’re not happy with service-delivery. Don’t try to circumvent controls!
- Your actions may affect service-level agreements with valued partners!
- Operators: Don’t go for the quick work-around — it may create a weakness. Instead, use the change control process.
- Administrators: Be more proactive! When is the last time you tested your backups?
- Don’t mess with your HVAC system just because you have to work in the server room all day. The room is cold for a reason!
- If you’re using a two-person password system, don’t give your colleague your password just because it’s easier and stops them from bothering you!
- Stop using group, or department, passwords! All accounts should tie to a specific person.
- Don’t patch production systems without first testing the patch.
- Network administrators: Disable IP source routing and IP directed broadcasts!
- Security staff: When is the last time you reviewed running network services and validated their necessity? How are you staying current? Have you looked at your logs lately?
These are just a few general topics and questions for various personnel. Sometimes it takes asking the right questions to provoke thought and light a little fire in employees. After we ask questions or give security advice, we have to do a better job at explaining “why” something should be done. Without context, employees won’t understand the true value (and impact) of their actions…or lack thereof.