About Andrew Hay

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Chief Information Security Officer (CISO) at DataGravity, Inc., he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy.

Andrew has served in various roles and responsibilities at a number of companies including OpenDNS (now a Cisco company), CloudPassage, Inc., 451 Research, the University of Lethbridge, Capital G Bank Ltd. (now Clarien Bank Bermuda), Q1 Labs (now IBM), Nokia (now Check Point), Nortel Networks, Magma Communications (now Primus Canada), and Taima Corp (now Convergys).

Andrew is frequently approached to provide expert commentary on security-industry developments, and has been featured in such publications as Forbes, Bloomberg, Wired, USA Today, International Business Times, Sacramento Bee, Delhi Daily News, Austin Business Journal, Ars Technica, RT, VentureBeat, LeMondeInformatique, eWeek, TechRepublic, Infosecurity Magazine, The Data Center Journal, TechTarget, Network World, Computerworld, PCWorld, and CSO Magazine.

Suggested Blog Reading – Wednesday August 29th, 2007

ReadThis week is no better than the last. Hopefully I’ll be able to get these posts back on track shortly.

Here is the list:

Virtualized rootkits – Part 1 / Virtualized rootkits – Part 2 – Interesting articles on virtualized rootkits (a rather hot topic pre- and post-Blackhat)

There has been a lot of buzz around the topic of virtualized rootkits. Joanna Rutkowska has been working on a new version of Blue-Pill, her proof of concept invisible rootkit, while a team made by three prominent security experts (Thomas Ptacek, Nate Lawson, Peter Ferrie) challenged her that there is not an “invisible” rootkit, and that they were going to present at BlackHat conference various techniques to detect Blue-Pill. Federico Biancuzzi interviewed both sides to learn more.

Why IDS will be around – So IDS isn’t dead now? 🙂

OK, here’s the post I promised on why I agree that IDS is not dead and won’t be for a while. What it all essentially comes down to is reality. In theory, the way anyone’s network should be designed is in the fashion of the Core-Distribution-Access methodology.

Event Processing – Normalization – This is a very good article on event normalization and what it is exactly.

The process of taking raw input events and extracting individual fields is called normalization. Sometimes there are other processes which are classified as normalization. I am not going to discuss them right here, but for example normalizing numerical values to fall in a predefined range is generally referred to as normalization as well.

Harvard Business Review: Excellent Data Breach Case Study… – I love seeing stories like these – great info for presentations 😉

I read the Harvard Business Review frequently and find that the quality of writing and insight it provides is excellent. This month’s (September 2007) edition is no exception as it features a timely data breach case study written by Eric McNulty titled “Boss, I think Someone Stole Out Customer Data.”

Pixy – New & Free Open-source XSS and SQL Injection Scanner for PHP Programs – Another tool to add to your belt.

Pixy is a Java program that performs automatic scans of PHP source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

Analyzing a Suspect WMF File – Great article Didier!

My analysis will show that this WMF file doesn’t contain shellcode. I use a tool I discovered recently, the 010 Editor, a professional hex editor with binary templates. Binary templates allow you to define the structure of a binary file with a C-like scripting language. A binary file parsed with a template is much easier to understand, as you will see. Unfortunately, I found no free alternative for this tool.

Studnets Accidentally E-mailed Personal Information On Thousands of UIUC Students – Sigh….

University of Illinois, Urbana-Champaign officials are apologizing to students after an e-mail to 700 College of Engineering students about a new Lego Robotics class was found to contain the personal information of 5,247 students. The e-mail contained a spreadsheet that a staff member used to gather e-mail address. Along with e-mail address, the spreadsheet contained other personal information including name, major, gender, race and ethnicity, class, date admitted, spring 2007 grade point average, and cumulative GPA as well as local address and phone number. The mistake was identified almost immediately after the 7:51am was sent out. By 10:08am the University issued another e-mail to the student that received the spreadsheet asking them to delete the file and the original e-mail message. UIUC officials are meeting to discuss how to best notify the affected students.

Finding Sensitive Data as a Consultant with Nessus – Good post Ron. I’d like to see more of these that focus on using Nessus from a consultants perspective.

There are many consultants that use Nessus to scan a customer network for vulnerabilities and report a laundry list of security issues which need to be fixed. Another valuable service that can be performed by a consultant is to audit where sensitive data resides in an organization and what sort of access can be gained to it. This blog entry discusses what can be accomplished with the Nessus scanner and what additional types of data analysis can be performed with the sensitive content checks available with the Nessus Direct Feed.

Andrew Hay