Pages on HolisticInfoSec

Best Practices

Fri, 03 Aug 2018 00:00:00 +0000

Kevin Mitnick, in his book The Art of Intrusion, offers sound and succinct advice:

Ensuring proper configuration management is a critical process that should not be ignored. Even if you properly configure all hardware and software at the time of installation and you keep up-to-date on all essential security patches, improperly configuring just a single item can create a crack in the wall.[1]

So what defines a "best practice"?

Processes and activities that have been shown in practice to be the most effective.[2]

Let's look at it holistically (imagine).

Have you conducted regular internal audits, including reviewing logs and accounts?
Do you utilize the CIS Critical Security Controls as a guide post for success in control practices?
Do test your servers regularly via scans and vulnerabilty tests?
When was the last time you updated your Policies and Procedures? If your P & P content include references to Windows 95, it might be time.
Do you patch regularly?
Do you educate your users regularly (a constant, ongoing effort)?

Enough questions…some answers:

Though specific to the University of Wisconsin-Madison, one of the best overviews I've seen for information security best practices can be found at UW-Standards & Practices. In particular:

Information security is not an end-destination of itself but an ongoing task intended to reduce risk. It is not a binary solution secure or insecure but rather a continuum of practices to help minimize exposures of the CIA of information.[3]

[1] Kevin D. Mitnick, The Art of Intrusion, Wiley, 2005

[2] it.csumb.edu/departments/data/glossary.html

[3] http://www.cio.wisc.edu/security/

Events

Fri, 03 Aug 2018 00:00:00 +0000

HolisticInfoSec.io’s Russ McRee speaks regularly on information security topics in the hope of sharing knowledge and resources with a wide audience.

Past Events

(ISC)2 Security Congress DFIR Redefined: Deeper Functionality for Investigators with R
October 29, 2019

Secure Iowa Conference 2019 Keynote
October 8, 2019

Derbycon 7 DFIR Redefined: Deeper Functionality for Investigators with R
September 2017

BSides Augusta 2017 Keynote
September 16, 2017

Emcee at Microsoft’s BlueHat v14, Redmond, WA, October 10, 2014

Presented Find It, Fix It: Moving Threat Intelligence Beyond Data Brokering at BlueHat v14 Defender’s Day, Redmond, WA, October 8, 2014

Presented C3CM: Defeating the Command, Control and Communications of Digital Assailants at DerbyCon 4.0 in Louisville, KY, September 26, 2014

Presented C3CM: Defeating the Command, Control and Communications of Digital Assailants at SANSFIRE 2014 in Baltimore, MD, June 2014

Presented From the Perspective of a Hacker at Emerald Down III: 2014 Cyber Security Workshop, Auburn, WA, April 1, 2014

Presented C3CM: Defeating the Command, Control and Communications of Digital Assailants at the CTIN Digital Forensics Conference, Seattle, WA, March 26, 2014

Presented Understanding Web Application Security Attacks for Investigators at the CTIN Digital Forensics Conference,Seattle, WA, March 24, 2014

Emcee at Microsoft’s BlueHat v13, Redmond, WA, December 12, 2013

Presented Why I Don’t Sleep at SecurityWeek/Trend Micro Security Event, Bellevue, WA, December 5, 2013

Presented Memory Analysis With Volatility at SecureWorld Expo, Seattle, WA, November 13, 2013

Presented Memory Analysis With Volatility at ISSA International Conference 2013, Nashville, TN, October, 9, 2013

Presented Memory Analysis With Volatility at Microsoft Security Response Alliance 2013, Redmond, WA, July 11, 2013

Presented Memory Analysis With Volatility at SANSFIRE 2013, in Washington, DC, June 18, 2013

Presented Memory Analysis With Volatility at SecureWorld Expo in Portland, OR, June 6, 2013

Presented Memory Analysis With Volatility at the Cloud Focus Group (ISSA & CSA), Microsoft Campus, March 21, 2013

Presented Memory Analysis With Volatility at the CTIN Digital Forensics Conference, March 15, 2013

Emcee at Microsoft’s BlueHat v12, Redmond, WA, December 12, 2012

Presented Evil Though the Lens of Web Logs at the ISSA International Conference in Anaheim, CA, Thursday, October 25, 2012.

[Presented Evil Though the Lens of Web Logs at Microsoft Security Response Alliance Summit 2012 on Thursday, July 12, 2012.

[Presented OWASP Top 10 Tools and Tactics at SANSFIRE 2012 in Washington, D.C. on Tuesday, July 10, 2012.

[Presented Evil Though the Lens of Web Logs at RSA 2012 , March 2, 2012.

[Presented OWASP Top 10 Tools and Tactics at SecureWorld Expo Seattle in Bellevue, WA on Thursday, November 17, 2011.

[Presented OWASP Top 10 Tools and Tactics at the ISSA International Conference in Baltimore on Friday, October 21, 2011.

[Presented Visualizing APT: Analyzing the Zeus Attack against Government and Military at the Rochester Security Summit in Rochester, NY on October 5th, 2011.

Russ participated in a panel discussion specific to forensics and cloud IR at the Black Hat Executive Briefings at Black Hat Las Vegas, August 2nd, 2011, 4 pm.

[Presented Incident Response in Increasingly Complex Environments on Tuesday February 22nd at 11:30 to the ISSA Alamo Chapter in San Antonio, TX.

[Conducted a breakout session at the RSA 2011 eFraud Network Forum, Malware-Proof: Building Resistant Web Applications, February 14, 2011, 2:10-3:10 pm.

[Presented Incident Response in Increasingly Complex Environments at the ISSA International Conference. September 16, 2010, in Atlanta, GA.

Presented Visualizing APT: Analyzing the targeted attacks against government, military, and industry at the ISSA Puget Sound August 2010 Membership meeting, August 19, 2010, City University, Bellevue, WA.

Presented Incident Response in Virtual Environments: Challenges in the Cloud, with Bryan Casper, at the 22nd Annual FIRST Conference in Miami, on Thursday, June 17, 2010.

Presented Visualizing APT: Analyzing the Zeus attack against government and military to the Washington State HTCIA on April 16, 2010.

Presented Securing Your Company’s Web Presence to ISACA Puget Sound on March 16, 2010.

Presented Visualizing IDS output: Tools and Methodology at RSA 2010, March 5, 2010.

Presented IT Infrastructure Threat Modeling at the ISSA Puget Sound August chapter meeting, August 20, 2009.

Presented CSRF: Yeah, It Still Works with Mike Bailey at Defcon 17 on Saturday, August 1, 2009.

Provided a guest lecture at University of Washington’s Certificate Program in Information Systems Security , specifically on the topics Practical Crytography: TrueCrypt and Web Application Security Flaws (May 21, 2009).

Participated in a panel discussion at the Ziff Davis Enterprise Security Summit 2008 on October 21, 2008 at the Fairmont Olympic Hotel in Seattle, WA. Details here .

Presented The XSS Epidemic: Discovery, Disclosure, and Remediation to the Puget Sound chapter of the ISSA on August 23, 2008.

Presented The XSS Epidemic: Discovery, Disclosure, and Remediation to the Washington Technology Industry Association Security Special Interest Group on July 14, 2008. Details here .

Presented Malcode Analysis Techniques for Incident Handlers at the 20th Annual FIRST Conference in Vancouver, B.C. on June 25th, 2008. Details here. Slides here .

Presented The XSS Epidemic: Discovery, Disclosure, and Remediation at the 2008 ISSA NW Regional Security Conference on April 23rd, 2008, in Olympia, WA. This presentation was the result of a great deal of research for the April 2008 toolsmith of the same approximate title. The most disturbing finding during this process was the discovery of yet another batch of Hacker Safe branded sites that are certainly not. Refer to the blog post and video for more information.

Russ gave an overview of RAPIER during a SANS Ask The Expert Webcast, Malcode Analysis and Response: Proficiency vs. Complexity on March 20th, 2008. “The threat landscape changes constantly, driven in part by the “bot economy” and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.” You can listen to the stream and/or view the slides here.

Russ offered Malcode Analysis Techniques for Incident Handlers at SecureWorld Expo Seattle 2007 : _The threat landscape changes constantly, driven in part by the “bot economy” and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover tools and methodology useful to handlers, analysts, and administrators. From detection and discovery, capture and containment, count on a useful discussion meant to further your understanding of the information security practitioner’s greatest bane._Slides available below.

Russ taught SANS Stay Sharp Google Hacking and Defense on July 19th, 2007 in Bellevue, WA. SSP-GHD offers a “fundamental understanding of technical defense measures to uncover unintended information disclosures, close common holes in web servers and Internet connected devices as well as clean up the exposures discovered.”

3rd Annual ISSA Northwest Regional Security Conference May 11th, 2007. Covered toolsmith highlights.

WSA Security Sig, April 2nd, 2007. Covered toolsmith highlights.

Extrusion Detection with Aanval and Bleeding-Edge Snort at SecureWorld Expo Seattle, October 10, 2006. Details here.

Covered Aanval and Bleeding Snort for the Seattle Snort Users Group on June 6, 2006, at the South Seattle Community College. In an age of compliance, it is hugely beneficial to have the capacity to draw the majority of network security information from one platform. Use of Aanval can offer much information about outbound traffic, in particular, via the use of Bleeding Edge Snort rules to capture both IM and spyware traffic, as well as policy violations and information leakage. Russ presented the use of Aanval as an IDS and Network Monitor, covering the use of Aanval and Bleeding Edge Snort rules for malware detection and policy enforcement at Linuxfest Northwest 2006 in Bellingham, WA, April 29th, 2006

Russ’ article, SELinux, Apache, and Tomcat, A Securely Implemented Web Application Server, was published in Sys Admin, the journal for UNIX and Linux systems adminstrators, in the January 2006 issue. The article covers the use of SELinux, iptables, mod_jk, and mod_security to build a secure web app server.

Russ participated in the Seattle SecureWorld Expo as a panelist on the IT & Physical Security Convergence panel. Seattle SecureWorld Expo took place October 19-20, 2005 at Meydenbauer Center.

Russ was privileged to address an audience of extraordinary scientists and researchers in the field of intrusion detection at RAID 2005 - The 8th International Symposium on Recent Advances in Intrusion Detection held in Seattle September 7-9. The presentation was a short, simple one, designed to motivate further discussion at poster sessions held after the presentations to the audience as a whole.

Guest Blog Posts

Microsoft Internet Explorer Blog: Statistical Validation of the IE8 XSS Filter

[Microsoft Malware Protection Center Threat Research & Response Blog: Another Reason to Avoid Piracy

Presentations

Extrusion Detection with Aanval & Bleeding Edge Threats

RAID 2005 Presentation

RAID 2005 Poster Slides

In The News

Fri, 03 Aug 2018 00:00:00 +0000

Digital Guardian 08/5/2020 Top 50 InfoSec Blogs You Should Be Reading

JAGWIRE NEWS August University 08/25/2017 Augusta University to host cybersecurity conference

12 WRDW 07/03/2017 Organizers prepare for this year’s Augusta Cyber Week

Reciprocity Labs 04/25/2017 69 Information Security Blogs You Should Be Reading

E&E News 10/06/2015 GRID: Friendly hackers break into a utility and make a point

Idaho Statesman 11/18/2014 Hackers are having their way, nearly unchecked

Digital Guardian (Verdasys) 10/22/2014 Top 50 InfoSec Blogs You Should Be Reading

Security Innovation Europe 9/16/2014 40 Information Security Blogs You Should Be Reading

Threatpost 04/30/14 UltraDNS Dealing With DDoS Attack

The Register 02/25/14 Evil or benign? ‘Trusted proxy’ draft debate rages on

Northwest Military 02/18/14 Washington National Guard is on cyberpatrol

Computerworld 09/03/12 Rogue Microsoft Services Agreement email notifications lead to latest Java exploit

Softpedia 7/1/2010 Critical CSRF Bugs Found in eBox and Snare

The Consumerist 8/20/09 Negligence: Ameriprise Website Riddled With Security Vulnerabilities For At Least Five Months

The Register 8/20/09 Security bugs crawl all over financial giant’s website

MaximumPC 8/3/09 Some Linksys and Netgear Routers Vulnerable to New Exploit

The Register 8/2/09 Unholy Trinity: cPanel, Netgear and Linksys susceptible to nasty attack

Network World 6/15/09 Microsoft’s threat-modeling guide: Think like an attacker

SC Magazine 3/12/09 SaaS vendors should demonstrate security and be held to higher standards

The Register 3/12/09 Multi-site bug exposes cloud computing’s dark lining

Zdnet 2/11/09 Sage shows why bigcos can’t be trusted with SaaS

Securosis 12/24/08 There Are No Trusted Sites: AMEX Edition

ComputerWeekly 12/23/08 AMEX and online security

Bismark.it 12/19/08 (Italian) Xss e American Express

LeMagIT 12/17/08 (French) Un trou flagrant sur le site d’American Express

BetaNews 12/17/08 How to get a security hole fixed (two versions)

The Register 12/16/08 American Express web bug exposes card holders

Dark Reading 5/19/08 Like a Super Hacker

ZDNet Zero Day 5/1/08 Nate McFeters agrees with Dan

PaulDotCom Episode 106 How to pronounce McAfee ;-) Listen at 37:15.

SC Magazine 4/30/08 Hacker Safe II

The Register 4/29/08 Dan Goodin labels the Hacker Safe offering “rubber stamping”

Information Week 1/18/07 Not Hacker Safe or PCI compliant

Information Week 1/17/07 Hacker Safe? Not So Much.

San Francisco Chronicle 12/29/07 Storm spreads holiday infection

Computerworld 12/27/07 Storm switches tactics third time, adds rootkit

National Post 12/26/07 Storm delivers coal to e-mail inboxes

Publications

Fri, 03 Aug 2018 00:00:00 +0000

HolisticInfoSec.org’s Russ McRee writes regularly regarding information security topics in the hope of sharing knowledge and resources with a wide audience.

February’s toolsmith snapshot focuses on network-wide ad blocking via your own Linux hardware with Pi-hole.
Older article copies, particularly from September 2015 through August 2018 are available here and older PDF copies prior to September 2015 are available here.
Award winning toolsmith offers insights on tools useful to the information security practitioner, typically open source and free.

ADMIN Magazine’s Issue 24/2014: Visualize Security features Russ’ article, Security data analytics and visualization with R.

The September 2012 issue of Information Security magazine, as part of TechTarget’s SearchSecurity, includes Russ’ article Mobile application security best practices in a BYOD world.

InfoSec Resources, part of the InfoSec Institute, has published Russ’ article OWASP Top Ten Tools and Tactics which discusses a tool for each of the OWASP Top 10 to aid in discovering and remediating each vulnerabilty type.

InfoSec Resources also offers Security Incident Response Testing To Meet Audit Requirements, Russ’s article on practical guidance and tools to ensure maximum readiness for incident response teams including drill tactics.

SearchFinancialSecurity.com features three of Russ’ articles:

Russ’ article regarding security data visualization is available in Issue 106 (September 2009) of Linux Magazine.

Additionally, his article regarding the open source laptop tracking and recovery offering Adeona is available in Issue 100 (March 2009) of Linux Magazine.

Russ’ article, Safe Keeping, regarding TrueCrypt, is now available in Information Security magazine. TrueCrypt is an open source laptop encryption alternative for your organization. This article also includes a sidebar on Adeona, an open source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service.

July 2008’s (IN)SECURE features Russ’s article Open Redirect Vulnerabilities: Definition and Prevention. Download Issue 17 .

June’s ISSA Journal features Russ’s article, Anatomy of an XSS Attack, as its title piece. This is a unique effort written in the 1st person, as a cybercriminal, to exemplify the grave harm that can come to users and consumers when cross-site scripting (XSS) vulnerabilities are left unmitigated. With kind permission from the ISSA Journal, holistiinfosec.org is able to bring non-members the pdf copy of Anatomy of an XSS Attack. Please consider joining the ISSA today.

Testy Eft , Russ’s article on security testing with nUbuntu , is available in the November 2007 issue 84 of Linux Magazine.

A piece covering Network Security Monitoring and Sguil via Knoppix-NSM is available in the October 2007 Information Security Magazine titled Putting Snort to Work.

OWASP offers Secure Web App Server , in its Papers collection. The paper covers the use of SELinux, iptables, mod_jk, mod_security, and mod_evasive to build a secure web app server. This paper is a living document, updated as needed to stay current. Current version is 1.3 with change notes included.

SMaK - Smoothwall, MySQL and Kiwi Syslog Daemon: Cost Effective Firewall and Logging with Database and Analysis

Systems Security Assessment: A Simple Baseline

Guest Blog Posts

Microsoft Internet Explorer Blog: Statistical Validation of the IE8 XSS Filter

Microsoft Malware Protection Center Threat Research & Response Blog: Another Reason to Avoid Piracy

Simplicity

Fri, 03 Aug 2018 00:00:00 +0000

Employ simplicity as a tool used to keep your systems running securely and efficiently. Simplicity helps eliminate network clutter, performance issues, cost, and reduces risk. Give yourself the space to step back, analyze and test carefully to ensure all your systems and networks meet a secure standard. Streamlining processes greatly enhances uptime and quality of service, as well as aiding in secure systems.

Bruce Schneier, in 1999, wrote for Information Security, "You can't secure what you don't understand." His predictions hold true:

As systems get more complex, security will get worse.
As systems become more interconnected, security will get worse.
Unless manufacturers are held liable for security failures, security will get worse.

"The only way to evaluate the security of a system is to analyze it. This is a time-consuming and expensive process, and almost no one bothers to go through it. If they did, they would quickly realize that most systems are far more complex to analyze, and that there are security flaws everywhere."

For more, refer to Schneier's A Plea for Simplicity.

Further evidence supporting the benefits of simplicity, while decrying the challenges created by complexity, was posted recently by Dr. Gene Spafford of CERIAS, on their blog. As an example, "It is simple that complexity creates problems…the security implications of all this complexity have been obvious for some time." You'll find the entire post enlightening.

Templates

Fri, 03 Aug 2018 00:00:00 +0000

Templates for your use in your organizations and endeavors to improve your security posture.

Incident Response Test Plan

Mon, 01 Jan 0001 00:00:00 +0000

Presentations

HolisticInfoSec.org’s Russ McRee presents regularly regarding information security topics in the hope of sharing knowledge and resources with a wide audience.

Cloud Security Alliance Seattle Chapter: May 2016 Chapter Meeting Attack & Detect: Red vs. Blue PowerShell 25 MAY 2016

Mon, 01 Jan 0001 00:00:00 +0000

Advisories

2008

HIO-2008-0228 Interspire Shopping Cart XSS

2009

HIO-2009-0305 e107 Multiple e107_admin CSRF & XSS Vulnerabilities

2010

HIO-2010-0223 Web Wiz Forums CSRF Vulnerabilities

HolisticInfoSec

Mon, 01 Jan 0001 00:00:00 +0000

HolisticInfoSec.io is dedicated to sharing information security content and resources in an open, clear manner, with the hope of helping improve infosec for all who seek to do so. Information security is best broken down to the most simple components: best practices and common sense. The threat-scape facing an information security practitioner is perpetually dynamic; we must adapt and evolve as do those threats. Holisticinfosec.org endeavors to aid in that process through dynamic content and timely topics in toolsmith. As well we know, those who would do harm never rest: protect your own.

Bio

Russ McRee, Ph.D. is Director, Cloud Protection, for Google Trust & Safety.
He writes toolsmith via holisticinfosec.io, a column for information security practitioners, and has written extensively for additional publications as well. Russ has spoken at numerous security conferences including DEFCON, Derby Con, BlueHat, Black Hat, SANSFIRE, and RSA. He serves as a joint-forces operator and planner on behalf of Washington Military Department’s cyber and emergency management missions.

Contact

russ at holisticinfosec dot io
@holisticinfosec
LinkedIn
Mastodon

HolisticInfoSec

Mon, 01 Jan 0001 00:00:00 +0000

Russ McRee writes award-winning toolsmith, published ~~monthly~~ as often as possible. ;-)

As of August 2018, toolsmith is exclusively published via holisticinfosec.io.
From September 2015 through August 2018, toolsmith was exclusively published at the HolisticInfoSec blog.
From November 2006 through August 2015, toolsmith was published in the ISSA Journal.

Thank you for your continued patronage and support.