Usually for budget / pricing reasons, some orgs decide to engage a firm for an annual pen test of significant scope (e.g., all ingress / egress, RAS, AD, VoIP, IPS, SIGs, ERP, EHR / EMR, SaaS, WLAN).
However, from a project management standpoint this approach increases scope, schedule, resource availability, and budgeting risk.
Stronger orgs, with enough resources, tend to move away from the once-and-done approach due to the need to assess many vectors, the need for timely and regular remediation actions, and security compliance purposes (e.g., PCI).
Tuesday, May 24, 2016
Monday, May 23, 2016
Stop the one-off protocols...
http://www.pcadvisor.co.uk/news/security/poor-security-decisions-expose-payment-terminals-to-mass-fraud-3632564/?
While easier said than done, it is time for orgs to stop using technologies with non-standard protocols.
With the maturation of TCP/IP, UDP, http/s, and ftp, there really is no reason to continue to support deviations. Doing so just leads to insecurity.
Thursday, May 19, 2016
Why Use an IPS if Only in Monitoring Mode?
Here is a link to a commercial that describes the conundrum:
https://www.youtube.com/watch?v=6ZK01lEepc8
The LifeLock point applies here: many orgs monitor for intrusions rather than stopping them.
Now, a misconfigured IPS can bring the train to a halt, but that is why you "smarten" said IPS before you really start blocking traffic.
Tuesday, May 17, 2016
Red Teaming vs Pen Testing vs Scanning
Many orgs ask for pen tests these days and only get scanning from a vendor (some orgs may only want this).
However, a proper pen test will walk through in detail the safeguards, configurations, and vulnerabilities in scope to determine what exploits may actually be realized.
A red team exercise (these days) builds on a pen test by attempting to exploit the vulnerability completely, to determine whether the org can actually tell that such an exploit is happening or has happened. Additionally, some orgs will engage in a war gaming (or red-blue / purple) exercise to determine if their SOC / MSSP can shut down the exploit attempt.
If an org only wants to achieve compliance, a scan, or something akin, is all that is needed. However, most orgs need to engage a third party at least annually for a pen test to prioritize investments in remediation. Finally, an org that is using an MSSP (external SOC) should certainly conduct a red / purple team exercise to determine the maturity of the provider.
Monday, May 16, 2016
WAF Selection Guidance
The comparative analysis linked below shows that Imperva is not the best fit for all orgs.
http://resources.idgenterprise.com/original/AST-0135428_web-application-firewall-comparative-analysis.pdf
More often than not, a cloud-based or open-sourced WAF can prove to be just as effective.
Safe alternatives provided to clients include:
-ModSecurity, iptables, & WAFFLE
-Akamai
-AWS WAF & CloudFront
-F5
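The monitor-then-block progression from the IPS post above, shown for ModSecurity (listed above as a WAF alternative) as an added configuration example that is not from the original post; the path, parameter, CRS rule id and log location are illustrative assumptions:

```apache
# --- Phase 1: monitor only. Nothing is blocked; every rule that would have
# fired is written to the audit log for review.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/apache2/modsec_audit.log

# --- Phase 2: "smarten" the engine. After reading the audit log, carve out
# confirmed false positives as narrowly as possible: one rule, one parameter,
# one path. Put this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or
# anywhere ahead of the CRS includes). The /api/notes path, the "comment"
# parameter and CRS rule 942100 (libinjection SQLi) are assumed examples.
SecRule REQUEST_URI "@beginsWith /api/notes" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:comment"

# Core Rule Set, loaded after the exclusions so they take effect.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# --- Phase 3: flip to blocking once the audit log has been quiet on
# legitimate traffic for a tuning window. Only this one line changes, so the
# rollback path is equally small.
SecRuleEngine On
```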
Thursday, May 12, 2016
InfoSec Policies / Standards vs Patterns
Policies / standards are great and all, but for larger orgs security design patterns are needed.
Said design patterns give guidance on IoT, SCADA, application, system, and network deployments.
With that said, patterns should come after policies / standards and need to be solution / vendor neutral.
Monday, May 9, 2016
IDS, IPS, or Endpoint ATP
Many orgs leverage an IDS (e.g., Snort) for detection, though many should really deploy an IPS (e.g., FireEye) for prevention purposes, especially when it comes to anti-malware.
However, many orgs are now looking to use advanced threat prevention (ATP) solutions on Web / cloud, mobile, or SaaS email endpoints.
Lo and behold, it makes sense to take a risk-based approach to negating malware / ransomware. For many orgs, it makes sense to focus on protecting sensitive, core-competency data that usually resides in EHR / EMR, ERP, or ecommerce systems. For those orgs that host these systems, it may make sense to deploy an inline IPS.
Wednesday, May 4, 2016
Are SIEMs Effective?
Verizon mentions that log analysis only accounted for 1% of breach detections.
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Therefore, does an organization need a SIEM solution? Yes, but it is one prong of a multi-prong approach to threat analysis and detection.
That is why organizations engage MSSPs or stand up SOCs: defense-in-depth capabilities have to be incorporated alongside the SIEM.
Monday, May 2, 2016
Insider Users = Reason for 27% of Breaches
Malicious insider abuse causes 27% of breaches, so ensure that local admin rights are constrained and that file shares are locked down via RBAC. Finally, segregate and separate networks via VLANs.
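A quick audit of the first two controls (local admin membership and share permissions) on a Windows host, as an added example that is not part of the original post; the approved-admin and broad-principal lists are assumptions to adjust per org, and the cmdlets require Windows 10 / Server 2016 or later:

```powershell
# Assumed approved members of the local Administrators group (adjust per org).
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\Workstation-Admins')
# Principals that are too broad to hold write access on a file share.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# 1. Local admin rights: anyone in Administrators who is not on the approved list.
$UnexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name }

# 2. File shares: any non-default share granting Change/Full to a broad principal.
#    Special shares (C$, ADMIN$, IPC$) are skipped; they are governed by admin rights.
$OpenShares = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Change', 'Full') -and
        $BroadPrincipals -contains $_.AccountName
    }
}

# One summary row per host; empty fields mean the control holds on this machine.
[PSCustomObject]@{
    Host             = $env:COMPUTERNAME
    UnexpectedAdmins = ($UnexpectedAdmins.Name -join '; ')
    OpenShares       = (($OpenShares | ForEach-Object { "$($_.Name): $($_.AccountName) $($_.AccessRight)" }) -join '; ')
}
```

Run it under a scheduled task or via Invoke-Command across a fleet and feed the non-empty rows to the SIEM as the evidence that the admin-rights and share controls are actually in place.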