Risk-based auditing to achieve enterprise security

April 29, 2010

Here’s a new piece I wrote for on using a risk-based auditing methodology to achieve enterprise security.

Some topics covered include:

  • Why use a risk-based audit
  • How to perform a risk assessment
  • Tips on categorizing assets
  • Classifying assets by criticality and confidentiality levels
  • Calculating risk and risk ranking
  • Developing an audit plan
  • A six-step audit methodology
  • A risk-based audit use case

Give it a read and let me know if you have any questions.

Book Review: Wireshark Network Analysis

April 9, 2010

I was a little nervous when I started reading this book. Chapter 1 provided an overview of network analysis, but had a lot of “personality.” When I read, “Wait…more data is coming in…and more…and…SCREECH!” I wasn’t too sure if I was going to finish the book. At over 700 pages, I was hoping that each page contained only “meat and potatoes,” without a lot of dry humor and meaningless analogies. Thankfully, a few pages later I began what turned into a great read — full of solid content.

Wireshark Network Analysis goes well beyond Wireshark functionality. Although the first several chapters outline how to best use Wireshark — examining the settings, filters, and other configurations — I think the true value of the book is in the detailed explanations of network traffic analysis. For instance, pg. 304 delves into DNS. This section tells the reader exactly what DNS is used for and provides an analysis of normal and abnormal DNS traffic. It also shows screenshots of the packet and describes its contents. This type of analysis is provided throughout the book and covers all forms of network traffic (including suspect traffic — my personal favorite).

Page 563 resonated with me, as I’m a firm believer in baselining network traffic. In this section, Wireshark Network Analysis details the importance of baselining and the types of traffic to focus on. Like other sections, this section also provides screenshots, showing how to analyze traffic and packet statistics.

There were minimal grammar errors, though it does seem the case studies were not copy-edited by the book editor — many of them contained several grammar mistakes. It does appear, however, that those were submitted by third parties and probably used as-is. Nevertheless, I can provide plenty of other examples as to why Wireshark Network Analysis is a great book. There are plenty of screenshots, review questions with answers on the next page (instead of making the reader turn to the back of the book), and links to tons of packet captures for analyzing on your own. Overall, the book is well-written and, in my opinion, the best network analysis book on the market today.

Creating a proactive incident response program

March 31, 2010

I recently wrote an article for on creating a proactive incident response program.

Here’s the introduction (click the link above to continue reading):

Information security incidents are a fact of life. We have witnessed them on the news and within our own organizations — attackers are getting into networks and stealing corporate secrets and customer data. It’s vital to take a proactive approach to incident response to make sure enterprises are equipped and ready for the next incident.

Incident preparation helps enterprises maintain controlled and efficient responses during chaotic incident response moments. While the ideal scenario would involve companies avoiding incidents altogether, it’s important to be realistic and make preparations that will allow for a brisk response in the event of a security incident. There are numerous steps to take in preparation, and in this tip, I outline several necessary steps for creating an efficient security incident response program.


Researchers Display Rootkit Capability on Smartphones

February 23, 2010

Rutgers just posted a news release about malware research against smartphones. The professor and student researchers discussed how their rootkits could “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless.” They were able to send “invisible” text messages to the infected phone, activating the rootkit and instructing it to place a call and turn on the microphone.

Smartphone malware isn’t a new concept, but as advances in smartphones continue, malware proliferation will follow. A few months ago, there were reports of malware infecting jailbroken iPhones. I’m sure we’ll see similar reports in the future (on non-modified phones), and a greater emphasis on smartphone antivirus to follow.


Employees, Questions, and Business Risk…

February 1, 2010

I was reading an article today by Jay Forte about having a value discussion with your employees. The article was quite interesting, and as I read it, I thought about how his guidance also applied to security. Jay outlined what managers could tell their employees to help them add value to their organizations. Part of the sample note that he provided for employees said, “I need you to think through each of your decisions and know its impact on our customers, on your job and on our company.” That statement resonated with me!

The decisions employees make have immense impact on their companies—oftentimes with lasting consequences. As easily as employees can boost sales and generate revenue, they can also create vulnerabilities, cause data loss, ruin reputations, and cost their company legal or regulatory penalties.

Here are a few things that you can start discussing with your employees (some items target different groups):

  • Read and understand policies. If you have a question, ask.
  • Speak up if you’re not happy with service-delivery. Don’t try to circumvent controls!
  • Your actions may affect service-level agreements with valued partners!
  • Operators: Don’t go for the quick work-around — it may create a weakness. Instead, use the change control process.
  • Administrators: Be more proactive! When is the last time you tested your backups?
  • Don’t mess with your HVAC system just because you have to work in the server room all day. The room is cold for a reason!
  • If you’re using a two-person password system, don’t give your colleague your password just because it’s easier and stops them from bothering you!
  • Stop using group, or department, passwords! All accounts should tie to a specific person.
  • Don’t patch production systems without first testing the patch.
  • Security staff: When is the last time you reviewed running network services and validated their necessity? How are you staying current? Have you looked at your logs lately?

These are just a few general topics and questions for various personnel. Sometimes it takes asking the right questions to provoke thought and light a little fire in employees. After we ask questions or give security advice, we have to do a better job of explaining “why” something should be done. Without context, employees won’t understand the true value (and impact) of their actions…or lack thereof.

Excerpt of Cyber Within

January 31, 2010

I’ve had a few requests for an excerpt of my book, Cyber Within, so I’ve decided to post one online. Here’s the link: Cyber Within Excerpt


Cyber Within is Now Available

January 21, 2010

It’s been a busy few weeks! Just wanted to let everyone know that my new book, Cyber Within, is now available at

Q. Why did I write Cyber Within?

A. I wrote Cyber Within to provide employees with an interesting guide to help them understand cyber and insider threats. The book is meant to provoke thought and provide examples concerning the current attacks happening in the corporate world today. I used a story format because I know how tough it is getting employees to read technical—and often dry—security guides.

Q. Why should companies buy this book for their employees?

A. It’s often difficult to get security practices to resonate with employees. Traditional computer-based training allows employees to rush to the end without paying much attention to the content. Additionally, the content is often dry, so employees are often uninterested. Companies should buy Cyber Within for their employees because it’s fun, engaging, and has a memorable story with lessons they can apply today.

Latest Press Release:


NORFOLK, VA. – With the continual rise in cyber crime, corporate secrets are harder to contain (as demonstrated by recent attacks against Google, Adobe and other major companies). To gain unauthorized access, attackers persuade employees to open cleverly crafted e-mail and click on links to sites that silently install data-stealing software.

To combat this threat and protect company secrets and customer data, all employees should know how to:

  • Spot social engineers trying to manipulate their way to unauthorized information
  • Recognize suspicious e-mail that may contain (or link to) malicious software
  • Identify suspicious behaviors, whether from systems or people
  • Prevent leaking sensitive data to open sources
  • Create a secure password
  • Report security incidents

Through suspenseful events, coupled with lessons learned, a new book titled Cyber Within helps organizations tackle this security challenge head-on. Cyber Within, written by Marcos Christodonte II, MBA, CISSP, is an educational tool for corporate workers that uses an engaging story, lessons, and tips to help employees understand and spot security threats. Robert Lentz, former Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance at the U.S. Department of Defense says, “Cyber Within is a stellar portrayal of why user education on Cyber Security threats, tactics and techniques is so critical.”

Kevin Beaver, independent information security consultant with Principle Logic, LLC and author of Hacking For Dummies says, “Lack of awareness is a grand security weakness. This book provides a unique approach to help fill the gaps and would be a great addition to anyone’s information security toolbox.”

Christodonte is well qualified to present security guidance to employees. He is a cyber and information security professional working for a consulting firm. He has developed security strategies for the U.S. Army, U.S. Navy and NATO.

All Versions of IE Vulnerable to Zero-day Attack?

January 14, 2010

In case you haven’t heard, there’s been a zero-day attack against several big companies such as Google, Adobe, and others. The reports and chatter all started when Google reported that they might be taking another approach in conducting operations in China. I think this statement dropped a few jaws, “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” To be honest, I wasn’t surprised given the advanced threats we face, their intent and evolving capabilities. However, I was glad to see a company as large as Google step up and admit to the breach.

Just after Google’s report, Adobe posted their shorter, less-detailed account of the attack. These reports came in two days ago. Brian Krebs, former security reporter at the Washington Post, has been following this story quite closely. On his blog, he notes that the attackers appear to have targeted source code and trade secrets, and that Microsoft has posted an advisory about the unpatched vulnerability.

This story is very interesting and a prime example of why user education is so important. With this unpatched zero-day exploit and a clever social engineering attack, trade secrets from countless organizations could get stolen–possibly without notice. That’s why educating users is the aim of my new book, Cyber Within. Through education, users will obtain a better understanding of risks and security challenges and will be able to spot social engineering and other malicious schemes instead of giving up corporate secrets. By the way, Cyber Within will be available in a couple of weeks. I’ll keep you posted, but in the meantime, check out a new article by my colleague Kevin Beaver where he outlines the real deal with internal security threats.

IP Address Spoofing

December 14, 2009

In everyday conversation, we tend to use language that is foreign to others around us. While people sometimes give us a head nod, or say “uh huh,” they don’t always know what we’re talking about. Frankly, their body language tells the true story, especially when they display the “thousand mile stare,” or a confused facial gesture. I was recently talking about IP address spoofing when I saw someone giving me that look. I gave them a quick summary of IP address spoofing, and decided to provide a more elaborate version of that conversation below.

Spoofing is simply the act of pretending to be someone you’re not. With IP address spoofing, an attacker forges the source address field in the IP header so that the packets appear to come from someone or something else on the network or Internet. One might ask, “Why would someone want to spoof their IP address?” Well, if an attacker were remotely accessing an unauthorized network or system, they wouldn’t want that activity traced back to them. Instead, they spoof their IP address so that the traffic shows a different source.

For instance, if a system provided access, or authentication, based merely upon IP address, an attacker could simply change their IP to an IP address of a privileged system and effectively gain unauthorized access.


[Figure: IP address spoofing diagram. Image source: Microsoft]

So what if an attacker performed the above scenario and gained unauthorized access to a system? They would probably want to execute a few commands and, depending on their intent, may want some information sent back to them. There’s a catch with basic IP address spoofing, though, and it’s the TCP three-way handshake. When the target receives the spoofed SYN, it sends its SYN-ACK to the address in the source field, which is the real system being impersonated, not the attacker. That system never sent a SYN, so it has no matching connection and answers with a RST, tearing down the half-open connection. The attacker never sees the SYN-ACK (or the server’s initial sequence number needed to complete the handshake), so nothing comes back to them unless they sit on the return path or use their own address, which defeats the purpose of spoofing in the first place.

So if I were an attacker, what would be my workaround? One way around the handshake roadblock is IP source routing. The loose and strict source route options (LSRR and SSRR) let the sender list the hops a packet must traverse on its way to the destination, and a host that honors the option sends its replies back along that same route in reverse. An attacker who lists a machine they control as one of those hops therefore sees the return traffic, SYN-ACK included, even though the packets are addressed to the spoofed source.

So for all my network security engineers out there, don’t allow IP source routing through your firewalls and routers! Drop source-routed packets at the edge, disable source-route acceptance on hosts (on Linux, set net.ipv4.conf.all.accept_source_route to 0), and pair that with ingress filtering per BCP 38 (RFC 2827) so a packet arriving from the outside with an inside source address is dropped rather than forwarded.
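As an added example (not code from the original post), here is a small Python model of the two checks a border device should apply to the traffic described above: parse the IPv4 header for the loose and strict source-route options (LSRR, type 131, and SSRR, type 137, per RFC 791) and apply BCP 38 ingress filtering so a packet arriving from the outside with an inside source address is dropped. The packets, the 10.0.0.0/8 internal prefix and the hop addresses are constructed for the example; the header checksum is left at zero because nothing here puts a packet on the wire.

```python
import ipaddress
import struct

# IPv4 option type octets from RFC 791 (copied flag | class | number).
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation (padding)
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def build_ipv4(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Assemble a minimal IPv4 header (no payload, checksum left at zero)
    so the example runs offline on constructed packets."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    ihl_words = (20 + len(options)) // 4
    fixed = struct.pack(
        IPV4_HDR,
        (4 << 4) | ihl_words, 0, 20 + len(options), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fixed + options


def parse_ipv4(packet: bytes) -> dict:
    """Return source, destination, protocol and the (type, data) option list."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option length missing")
        opt_len = packet[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("bad option length")
        options.append((opt_type, packet[i + 2:i + opt_len]))
        i += opt_len
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "options": options}


def source_route_hops(options):
    """Hop addresses from an LSRR/SSRR option, or None if the packet is not source-routed."""
    for opt_type, data in options:
        if opt_type in (IPOPT_LSRR, IPOPT_SSRR):
            # data[0] is the pointer octet; 4-byte hop addresses follow it
            return [ipaddress.IPv4Address(data[i:i + 4]) for i in range(1, len(data) - 3, 4)]
    return None


def ingress_verdict(packet: bytes, from_external: bool, internal_prefixes):
    """Decide what an edge filter should do with an inbound packet.

    Rule 1: drop anything carrying a source route (the attacker's workaround).
    Rule 2 (BCP 38 / RFC 2827 ingress filtering): a packet arriving on the
    external interface must not claim an internal source address.
    Returns ("ACCEPT" or "DROP", [reasons])."""
    hdr = parse_ipv4(packet)
    reasons = []
    hops = source_route_hops(hdr["options"])
    if hops is not None:
        reasons.append("source-routed packet via " + ", ".join(map(str, hops)))
    if from_external and any(hdr["src"] in net for net in internal_prefixes):
        reasons.append(f"internal source {hdr['src']} arriving from outside (spoofed)")
    return ("DROP" if reasons else "ACCEPT"), reasons


# --- constructed sample packets for the example (not real captures) ---
INTERNAL = [ipaddress.IPv4Network("10.0.0.0/8")]   # assumed inside prefix
SERVER = "10.0.0.20"                                # assumed target address
# 1. plain spoof: an attacker on the Internet claims an inside address
SPOOFED = build_ipv4("10.0.0.5", SERVER)
# 2. spoof plus LSRR: type 131, length 11, pointer 4, then two hops
#    (an attacker-controlled box at 198.51.100.7, then the server itself)
LSRR_OPT = (bytes([IPOPT_LSRR, 11, 4])
            + ipaddress.IPv4Address("198.51.100.7").packed
            + ipaddress.IPv4Address(SERVER).packed)
SOURCE_ROUTED = build_ipv4("10.0.0.5", SERVER, options=LSRR_OPT)
# 3. an ordinary outside client
NORMAL = build_ipv4("203.0.113.9", SERVER)

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED), ("source-routed", SOURCE_ROUTED), ("normal", NORMAL)):
        print(name, ingress_verdict(pkt, from_external=True, internal_prefixes=INTERNAL))
```

Run it and the first two packets are dropped (the second for both reasons at once) while the ordinary client is accepted; the same spoofed packet seen on the inside interface passes rule 2, which is the point of tying the check to the arrival interface rather than to the address alone.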

Best practices for (small) botnets

December 3, 2009

Check out my new article at where I outline Best practices for (small) botnets.

Short excerpt:

Recent large-scale botnet events, such as those used to disrupt Twitter and Facebook, have been highly publicized in the news. While these high-profile security events have been hard to miss, it’s the smaller, stealthier botnet attacks that may prove to be a greater threat to enterprises.

To take on evolving enterprise defense mechanisms, attackers look for weak spots, and have begun using smaller, less noticeable botnets to evade enterprise safeguards. In this tip, we’ll discuss why these so-called micro-botnets are proving successful, and how to identify and prevent them from doing damage.
