
Cyber Readiness and Response

Joseph.Rogalski | 26 Aug 2013 | 0 comments

Many times penetration tests are conducted because they are required by policy or for compliance with an industry or legal requirement. This is all well and good, and when issues are discovered (and there are always issues) we prioritize and address them.

I was visiting with a customer recently who was going through a fire drill, as there had been a mass phishing attack the day before on their company that appeared to come from Human Resources and was offering a free $25 gift card; the user just needed to log in with their domain username and password and then enter their home address. My customer was trying to identify who internally received the email and was looking to their spam and mail protection provider to quickly provide this, to no avail. Unfortunately for my customer, Information Security does not own this service, and as we progressed further in the conversation he proceeded to tell me all the issues they are having with it....

rshaker2 | 29 Jul 2013 | 3 comments

Thousands of years ago, news traveled at the pace of man or animal. I mean to say you would only learn what someone else was doing or what was happening either in the next town, village, kingdom, etc. only as fast as it could physically get to you. It took days, weeks or months to learn that your neighbors had a new means of creating fire, that the wheel was invented, that an army was headed your way or that there was a disaster. This made our ability to learn from each other and improve on what we learned slow, inconsistent, and unreliable.

I’ve heard on TV shows, online and in movies that there are those who believe much of the technology we have today came from visiting aliens: that we captured them, or they willingly shared it with us, and we use it in military equipment and then slow-roll it out to the general populace. I won’t argue whether or not this is true, but I have another hypothesis: the speed at which information is shared, processed and stored...

Phil Harris | 16 Jul 2013 | 4 comments

In a continuation of this blog, my original thought was to outline the Cyber Defense aspects. However, I think it important to discuss the Vigilante aspect first. There’s a lot more in the news lately about the potential for companies and/or individuals to consider “Hacking Back” to recover their data, whatever it is. I have to say, it’s an interesting notion and one that I know is not lost on the American spirit when you consider the long-lost days of the Wild West, where everyone in one form or another had to take matters into their own hands because law enforcement either wasn’t available or was non-existent. Now fast forward to today and the internet. I’ve always maintained that the internet is pretty much the Wild West in electronic form, where you have good law-abiding folks, folks that tend to teeter one way or the other, and then folks that are out to do whatever they want, even to the wanton destruction of others...

Joseph.Rogalski | 24 Jun 2013 | 0 comments

Recently I have been working with a number of customers who are finally getting it: they are getting that Information Security is actually important and they should pay attention to it. Much of this has been in response to inquiries from their Executives or Board of Directors. They are asking more questions as high-profile hacks are on the nightly news and reports such as the Symantec Internet Security Threat Report are speaking to the additional risk that is out there. In the 2012 ISTR the manufacturing sector was the most attacked in 2012; this is a change for many of these companies, as in the past the worry was only about nonpublic personal information.

Many if not all security professionals came up through the technical side of the house; we all really enjoy discussing malware and installing the latest security tool or learning about the latest vulnerabilities. I can guarantee the majority of the Boards of...

Garrett_Bechler | 16 Jun 2013 | 0 comments

Over the last few years, as IT staffing has been trimmed to minimal levels and as the adoption of cloud-based services has risen in a dramatic fashion, the erosion of the basic skills, tools, and awareness of running a secure environment has steadily accelerated its pace. The lack of “IT Fundamentals” becomes eerily apparent as you open a web browser, where the results of this oversight are apparent as the number of successful hacking-related activities by folks with less than good intentions continues to grab the headlines. Simple things such as basic troubleshooting skills and asset management have been all but ignored, abandoned or left in such a state that their usefulness is questioned by all in the environment. Doubt creates mistrust, and mistrust creates unjustified blame.
 
I cannot recall the number of conversations related to “Am I protected against this latest threat by your endpoint solution?” that have the...

PaulTobia | 29 May 2013 | 0 comments

This week the Computer Security Resource Center of the National Institute of Standards and Technology for the United States of America released the fourth version of Security and Privacy Controls for Federal Information Systems and Organizations, more commonly known by the designation SP800-53. Throughout my career I've been a fan of the NIST Special Publications 800 series. Although the intended audience is the IT organizations of the USA federal government, the publications are provided without copyright for use by any organization. I consider it a great free resource for building the basics of a security program no matter what industry you are in.

SP800-53 covers a pretty comprehensive catalog of security controls. All the expected categories are there, from Access Control to System and Information Integrity. The catalog itself covers 233 pages and includes a handy reference table to link the controls to ISO/IEC 27001 Controls and ISO/IEC 15408 Requirements. What...

Phil Harris | 20 May 2013 | 1 comment

I travel a fair amount for my work, and that wouldn’t be so bad except I’m a security professional that travels for work. I consistently see other business travelers make the same or similar security missteps over and over. I thought it might be a good idea to review my top 5 security missteps or, as I like to call them, “Moron Alerts”. This may seem like a very strong term to use, but consider that many of us have been through security awareness training at our respective companies and yet we still do these bad things. With news reports on an almost daily basis about laptops, mobile devices and/or information being stolen, it’s just very difficult to believe that people, especially business travelers, are still making these bad mistakes consistently.

1. Laptop unattended in bathroom entrance

This is a relatively new one for me. A couple of weeks ago I was walking out of the bathroom and noticed an...

Michael D Smith | 13 May 2013 | 1 comment

iGoat v2.0 (https://www.owasp.org/index.php/OWASP_iGoat_Project) is a program that demonstrates common iOS mobile application security weaknesses and their remediation. There are other resources that show the use of this tool. One example, https://www.owasp.org/index.php/Mobile_Top_10_2012-M1, is the OWASP Top 10 entry for Insecure Data Storage (which is the exercise we are going to do).

The purpose of this post is to walk through all the steps needed to get iGoat set up “Soup to Nuts”. There is nothing here that is too difficult, but there are a few pitfalls in making this work, so I thought it might be nice to provide some simple steps that take you from having nothing set up to being able to test the iGoat application for Local Data Storage...

Joseph.Rogalski | 29 Apr 2013 | 9 comments

Let’s face it, users cannot be trusted to know their entire password. I am not talking about the user that writes down their passwords on sticky notes; the bad guys would need physical access to actually access those. What I am really speaking to is how easily passwords can be compromised with social engineering or malware. If you are not protecting your Internet-facing systems that contain anything but public data with multifactor authentication, you are asking to be breached, and this includes Outlook Web Access.

So how could Outlook Web Access lead to a breach? When trying to breach your company I would first look to the many lists of usernames, email addresses and passwords that are available from any of the social media password breaches of late. This is valuable because, as you know, many users reuse passwords, and it only takes ONE out of the 1,000, 5,000, 10,000, 100,000+ users that work for your company who decided to reuse that password. Next I will...

uuallan | 23 Apr 2013 | 0 comments

WordPress is the most commonly used blogging platform. It is easy to install and has a great ecosystem of plugins and enhancements that extend its capabilities beyond simply posting pictures of your cats. Unfortunately, millions of inexperienced users mean that it is also a target for attackers. There are generally two types of attacks against WordPress: password attacks and cross-site scripting. Password attacks can occur in two ways. The first is simply to attempt to use the default passwords, which many users don't bother to change. The second type of password attack is a password guessing attack. WordPress, and its plugins, use a number of well-known default usernames (usually: admin), and many users don't look at failed password authentication attempts, making it an easy target for attackers. WordPress, and its plugins, are well-known for being vulnerable to cross-site scripting attacks. Just since the beginning of 2013 Symantec has reported 12...