Tuesday, May 24, 2016

The Case for a Divide & Conquer Approach to Penetration Testing

Usually for budget / pricing reasons, some orgs decide to engage a firm with an annual pen test of significant scope (e.g., all ingress / egress, RAS, AD, VoIP, IPS, SIGs, ERP, EHR / EMR, SaaS, WLAN).

However, this approach increases risk of scope, schedule, resource availability, and budgeting from a project management standpoint. 

Stronger orgs, with enough resources, tend to move away from the once and done approach due to the need to assess many vectors, a need for timely and regular remediation actions, and for security compliance purposes (i.e., PCI).

Monday, May 23, 2016

Stop the one-off protocols...


While easier said than done, it is time for orgs to stop using technologies with non-standard protocols.

With the maturation of TCP/IP, UDP, http/s, and ftp, there really is no reason to continue to support deviations.  Doing so just leads to insecurity.

Thursday, May 19, 2016

Why Use an IPS if Only in Monitoring Mode?

Here is a link to a commercial that describes the conundrum here:


Along the LifeLock point here is that many orgs monitor for intrusions vs stopping them.

Now, a misconfigured IPS can bring the train to a halt, but, that is why you "smarten" said IPS before you really start blocking traffic.

Tuesday, May 17, 2016

Red Teaming vs Pen Testing vs Scanning

Many orgs ask for pen tests these days and only get scanning from a vendor (some orgs may only want this).

However, a proper pen test will walk through in detail the safeguards, configurations, and vulnerabilities in scope to determine what exploits may actually be realized.

A red team exercise (these days) builds on a pen test by attempting to exploit the vulnerability completely to determine if the org may actually determine if such an exploit is or has happened.  Additionally, some orgs will engage in war gaming (or a red-blue / purple) exercise to determine if their SOC / MSSP can shut down the exploit attempt.

If an org wants to achieve compliance a scan, or something akin, is all that is needed.  However, most orgs need to engage a third party at least annually for a pen test to prioritize investments in remediation.  Finally, an org that is using a MSSP (external SOC) should certainly conduct a red / purple team exercise to determine the maturity of the provider.

Monday, May 16, 2016

WAF Selection Guidance

Read from the link below that Imperva is not the best fit for all orgs.


More often than not, a cloud-based or open-sourced WAF can prove to be just as effective.

Safe alternatives provided to clients include:

-Modsecurity, iptables, & WAFFLE
-AWS WAF & CloudFront

Thursday, May 12, 2016

InfoSec Policies / Standards vs Patterns

Policies / standards are great and all, but for larger orgs security design patterns are needed.

Said design patterns give guidance on IoT, SCADA, application, system, and network deployments.

With that said, patterns should come after policies / standards and need to be solution / vendor neutral.

Monday, May 9, 2016

IDS, IPS, or Endpoint ATP

Many orgs leverage an IDS (e.g., Snort) for detection, though many should really deploy an IPS (e.g., FireEye) for prevention purposes.  Especially when it comes to anti-malware purposes.

However, many orgs are now looking to use advanced threat prevention (ATP) solutions on Web / cloud, mobile, or SaaS email endpoints. 

Low and behold, it makes sense to take a risk-based approach to negating malware / ransomware.  For many orgs, it makes sense to focus on protection sensitive, core competency data that usually resides in a EHR / EMR, ERP, ecommerce standpoint.  For those orgs that host these systems, it may make sense to deploy an inline IPS.

Wednesday, May 4, 2016

Are SIEMs Effective?

Verizon mentions that log analysis only accounted for 1% of breach detections.


Therefore, does an organization need a SIEM solution?  Yes, but it is one prong of a multi-prong approach to threat analysis and detection.

That is why organizations engage in MSSPs or SOCs, due to the need to incorporate defense-in-depth capabilities.

Monday, May 2, 2016

Insider Users = Reason for 27% Breaches

Malicious insider abuse causes 27% of breaches; so, ensure that local admin rights are constrained and that file shares are locked down via RBAC.  Finally, segregate and separate networks via VLANs.