I apologize for not updating the blog over the past few days but I took some vacation to visit with my in-laws. But now I’m back!
Here’s the list:
Paper On Log Management – Thanks to Dr. A I’ve got some more reading material.
Unusually good trade rag paper on log management.
Why There Is No Syslog in Windows – I was following this thread as well but Anton beat me to the blog post. I don’t agree with the reasoning behind not adding native syslog support AND I don’t care what you say….I like syslog 😛
Ever wondered why after all this years Windows still doesn’t support syslog? This is why; read a very comprehensive answer by Eric Fitzgerald, who “owns” Windows logging. There is also a very lively discussion that ensued, which includes things like “my blood boils and a halo of pink steam forms around my head, throbbing the the gnashing of my teeth and the kodo drum-like thudding of my overworked heart. ” 🙂 /guess who said this/
Configuring Granular Password Settings in Windows Server 2008, Part 1 – Looks like the Win2k8 (wow that feels strange to type) security articles are starting to come out.
In previous versions of Active Directory (AD) we had only one password and account lockout policy for the entire domain. Some companies had to use multiple domains to place different password policies on different users; others had to develop their own password filters or buy third party solutions. With Windows Server 2008 we have the option to specify different password policies for different users and groups “out-of-the-box”.
This first of two articles is a “walkthrough” on creating a password policy in addition to the usual one we have in the “Default Domain Policy” Group Policy placed on the domain level.
Homeland Security to host security forum in August – Will it be called “Don’t do what Donny Don’t Does? – Your guide to succeeding where we failed!”
The U.S. Department of Homeland security will host a invite-only conference two months from now that will bring together security experts from law enforcement, Internet service providers, and the technology industry.
The Internet Security Operations and Intelligence (ISOI) workshop will be held on August 27 and 28 at the Academy for Educational Development in Washington D.C. It is expected to draw about 240 participants who will engage in a frank discussion of the latest trends in cybercrime, said Gadi Evron, a security evangelist with Beyond Security who is one of the event’s planners.
Selenium is a test tool for web applications. Selenium tests run directly in a browser, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh. No other test tool covers such a wide array of platforms.
Browser compatibility testing. Test your application to see if it works correctly on different browsers and operating systems. The same script can run on any Selenium platform.
System functional testing. Create regression tests to verify application functionality and user acceptance.
Snort and the IT Appliance Fixation – Having worked as a consultant I completely agree with Bill on this one. The unfortunate reality is that people want the shiny, slick looking car by the company with the huge marketing machine behind it that convince them to buy it in the first place…not the one with the best gas milage and helps protect unladen African or European swallows — Another bonus point to the person who guesses that movie 😉
Assume that a Vendor supplied IDS will cost $50,000 just to purchase. Factor in the time spent finding the right product. Now consider that an organization could easily spend that time configuring a Snort sensor baseline image, and roll that out on computers that are past the end of their life cycle – see where I’m going? Now factor in the open source nature of Snort’s rule sets, and you could easily save money in implementation, and use the money to hire a decently paid IDS analyst.
The bottom line here is that the best solution is not always the newest one, or one that comes with vendor support. If you are in a position to do something useful on a network, it does not always have to cost money.
Paper on Identity Theft – from the SANS Information Security Reading Room
Anton Logging Tip of the Day #11: But These Are OUR Logs! – Another good post by Anton. I completely agree with his statement that “the only way to truly to resolve such control issues is to deploy log management tools across the entire organization and then provide limited access to the logs to all the stakeholders on the “as needed” basis” – this is why soldiers are put on sentry duty have been deployed this way for thousands of years!
A common and unfortunate situation that occurs when dealing with logs is not technical, but political: not being able to get the logs you need due to political, cultural, egotistic, or other “corporate” reasons. In this tip we will try to present a few situations and solutions for those trying to wrangle logs from whatever hostile (or ambivalent – sometimes worse!) entity at your organization and thus to break the siloed approach to log management.
The One Minute Security Manager – Good “quickie” to review every now and then.
Security has a bad name. Whenever I say I work in security, people get paranoid assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to discluse their “secrets.” It’s time to change this negative connotation for security.
For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.
tcpxtract – Extract Files from Network Traffic AKA Carving – Good way to see exactly what your [employees/colleagues/kids/friends] are downloading that is sucking up your [bandwidth/sanity/resources].
tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.
Capture an alert fired from an IDS, check netflow for a session, note a “first-time” event recorded in a syslog message, mix in statistical data mining and learning techniques – and do it all in near real time. This is how things get interesting.
Unfortunately it’s hard to get complete visibility (i.e. get all syslog, all netflow, all application logs, etc.). There must be a point though where I can get enough information to successfully prioritize interesting events. I’m not sure exactly where that’s at, but it’s a fun problem to work on.
Office 2007 Event Logs – I really enjoy posts that detail analysis of an incident in some way. I wish there were more out there.
A coworker walked into my office today and asked if I’d take a look at a drive to see if I thought the former owner had tried to tamper with the contents. After a little “pokin’ ’round” I exported the event logs and opened up my event viewer to look at them when I noticed another log on my box. Not the ones I’d exported, but a new event log that comes with a default installation of Office 2007. So naturally, I discarded the investigation that I was supposed to be doing and began investigating what interested me. My proclivity for doing things like this is the reason that my desk is a shambles, but that’s a tale for a different day, on to the new event log!
Antiforensics: When Tools Enable the Masses – Good article…very low ‘fluff factor’ 🙂
Once again, the bad guys are lining their arsenals with new tools to use against you. Computer forensics is an emerging field of study and anti-forensics is certainly developing right alongside. Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible…
Security Mentoring – I was lucky enough to have an understanding wife support my self study and employers that fostered my quest for knowledge.
How do you become a “Security Expert”? You can take classes in high school, college and trade school. You can attend “vendor training” or security related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer, home network or use some online labs. You can participate in forums (security catalysts community, friends in tech, etc). You can read blogs and “security” websites (Andy ITGuy, Tao Security, SearchSecurity, etc). You can join in on chats using IRC or other Instant Messaging type clients. You can join organizations such as ISSA, InfraGard, ISACA.
All of these are good and viable ways to learn about information security and how to practice it and do it. Of course the best way is OJT. On the Job Training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks that the best teacher is “guided experience”. I must agree. You can learn a lot from experience but if you don’t have someone there to help you understand all that the experience has to offer then you are missing out. If you don’t have someone there who will challenge your experience and more importantly, the lessons that you think you are learning then you are missing out on a valuable resource.